Introducing Novell Privileged User Manager and Securing Novell Open Enterprise Server 2
Come to this session and see how Novell Privileged User Manager can help your organization reduce the cost, complexity and risk associated with managing superusers across the enterprise. Find out how to rapidly deploy superuser management for Novell Open Enterprise Server 2. You will see a live demo of how Novell Privileged User Manager allows you to control what commands users are authorized to run, at what time and from what location.

Presentation Transcript

  • Intro to Novell® Privileged User Manager and Securing Novell Open Enterprise Server 2. Presenters: Brett A. Berger (Global Technical Support, Novell, Inc., bberger@novell.com) and Aaron Burgemeister (Global Technical Support, Novell, Inc., ab@novell.com)
  • Novell Privileged User Manager® agenda
    – Introduction to Novell Privileged User Manager: Business Challenges; Novell Privileged User Manager solutions
    – The Framework: Framework Components; Framework Deployment
    – Command Control: Configuration - Rules; Configuration - Commands; Configuration - Scripts
    2 © Novell, Inc. All rights reserved.
  • Novell Privileged User Manager® agenda (cont.)
    – Audit, Compliance, and Reporting: Overview
    – Demo: Agent installation and registration; Patching Agents and Managers; Using NPUM to secure OES2 (eDirectory™, Novell-tomcat, etc.)
    – Questions and Answers
  • Intro to Novell® Privileged User Manager
  • The IT Landscape is Changing. The risks and challenges of computing across multiple Linux/Unix environments must be eliminated. Users should have unimpeded, secure and compliant access to the computing services they need to do their jobs right. Computing should be secure and compliant.
  • Business challenges
    – Linux/UNIX administrators require elevated (superuser) privileges to do their job
    – Uncontrolled superuser access leaves the data center open to back door entries
    – Audit weakness: rogue admins/users covering their tracks
    – Compliance and reporting
  • Delegating Superuser Privileges. Linux/UNIX admins require elevated (superuser) privileges to do their jobs. (Diagram: IT Manager, System Admin, DBA, App Developer Admin and Security Admin all sharing the root account.) Novell Privileged User Manager® can solve this.
  • Uncontrolled Superuser Access. Uncontrolled superuser access leaves the data center open to backdoor entry. Novell Privileged User Manager® can solve this.
  • Audit Weakness. Audit weakness: users covering their tracks. Novell Privileged User Manager® can solve this.
  • Compliance and Reporting. Compliance and reporting of user access. Novell Privileged User Manager® can solve this.
  • Novell Privileged User Manager®
  • Novell Privileged User Manager®
    – Control user access to root privileges
    – Audit all user activity with 100% keystroke logging
    – Simplify audit activity with the most relevant, context-based information
    – Analyze potential threats based on policy-based risk ratings
  • The Framework
  • The Framework. The Framework is made up of three primary components: 1. Framework Manager, 2. Framework Console, 3. Framework Agent.
  • Framework Manager (diagram; module labels visible on the slide: Audit, Command Control, Compliance, Back Up, Reporting, Package Manager, Primary Manager Agent)
  • Framework Console (diagram slide)
  • Framework Agent (diagram; module labels visible on the slide: Command Control, Registry, Distribution, Back Up, Store and Forward, System Information (optional), Primary Manager Agent)
  • Underlying Modular Architecture (diagram)
    – Audit databases can be placed in multiple Internet locations for redundancy and security.
    – Multiple Managers provide fail-over capability and load-balancing.
    – Port 443: Web browser (administrative access) to the Framework Console.
    – Port 29120: host-to-host communications between Audit Manager, Command Control Manager and Agents.
    – Groups of Agents can be added to logical domains for load-balancing, redundancy and traffic segregation.
  • Deploying Novell Privileged User Manager®
  • NPUM Prerequisites
    – Admin Console requires a browser with Adobe Flash installed
    – Open ports 443 (manager) and 29120 (agents and manager)
    – Servers must be resolvable (DNS/hosts/etc.)
    – Time in sync (use ntp)
    – For SUSE® Linux Enterprise Server (SLES), see TID#7003992: usrun reports "/bin/ls: cannot read symbolic link /proc/$$/exe: Permission denied"
  • Configuration: Manager
    – Novell Privileged User Manager® 2.2.1: rpm -ivh novell-npum-manager-2.2.1-linux-2.X-XXX.rpm
    – Verify the install in /opt/novell/npum/logs/unifid.log
    – Log in to https://ipaddress_of_framework_manager (User: admin, Pwd: novell; these are the defaults, change the password after the first login)
    – Default port of the Framework Manager is 443, set in /opt/novell/npum/service/local/admin/connector.xml: <Connector ssl_ctx="https" port="443" mode="https"/>
  • Simple Deployment Step 1: Install Framework Manager
    – Only one Framework Manager is installed
    – The Framework Manager can be installed on any supported host operating system (diagram: SLES 11, OES2 SP2, RedHat, AIX, Solaris)
  • Simple Deployment Step 2: Pre-register Agents
    – Log onto the Web Console
    – Enter the names of the agents that will be added to this Framework (diagram: SLES 11, OES2 SP2, RedHat, AIX, Solaris)
  • Configuration: Agents. Installing and registering an NPUM Agent
    – rpm -ivh novell-npum-agent-2.2.1-linux-2.X-XXXX.rpm
    – Register the Agent:
      sd145:/ # /opt/novell/npum/sbin/unifi regclnt register
      Please provide the hostname or address for the framework manager : () 151.155.128.68
      Please provide the port number for the framework manager: (29120)
      Please provide the hostname or address for this agent: (sd145)
      Please provide the registered agent name for this agent: (sd145)
  • Simple Deployment Step 3: Install Framework Agents
    – Each Framework Agent has a unique installer for the platform (diagram: SLES 11, OES2 SP2, RedHat, AIX, Solaris)
    – During the install process the Framework Manager address is entered together with valid Framework credentials to register the new Agent into the Framework
    – The Agent and Manager handshake and a trust relationship is established
  • Command Control
  • Novell Privileged User Manager® root delegation (diagram)
    – Non-controlled: log in as root; submit user: root; runuser: root
    – Controlled by NPUM: log in as aaron; submit user: aaron; the command is checked by Command Control against the authorization DB and run in a remote shell with runuser: root
    – User logs in with own non-privileged account
    – Commands are authorized before being executed remotely
    – Known as "root delegation"
  • Configuration: Setting up Rules
    – Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run.
    – Optional rule conditions: the command being submitted; the user and host submitting the command; the user and host assigned to run the command; the time the command is submitted; etc.
  • Configuration: Setting up Commands
    – Commands, e.g. novell-tomcat5*: would allow all options after novell-tomcat5. Examples: novell-tomcat5 start or novell-tomcat5 stop, etc.
    – Commands using regular expressions, e.g. =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#: would allow /etc/init.d/novell-tomcat5 or novell-tomcat5 with any options afterwards. Examples: /etc/init.d/novell-tomcat5 start or novell-tomcat5 stop, etc.
  • Configuration: Setting up Scripts
    – In addition to commands, Perl scripts can be added to rules to do additional processing such as: send an email when a command is run; execute the run user's profile; define illegal commands; truncate stdin/stdout/stderr captured by KB
  • Configuration: Running Commands
    – usrun [command]: usrun passes the command to the Command Control Manager for authorization. The command is allowed or denied based on the configured rules. Examples: usrun /etc/init.d/ndsd stop; usrun novell-tomcat5 restart
    – Rush (usrun rush): the Rush shell is based on the Korn (ksh) shell. Rush allows for complete session capture. Configure command risk.
    – Crush: change the user's logon shell to /usr/bin/crush. Crush allows for complete session capture without granting superuser privileges.
  • Audit, Compliance, and Reporting
  • Audit/Reporting
    – Independent audit events are sent to the configured Audit servers from each agent
    – Audit events include the following: Capture (full keystroke session playback); start time/end time; user, host, command; authorized/unauthorized
  • Compliance
    – Compliance Auditor collects, filters and generates reports of audit data for analysis and sign-off by authorized personnel.
    – Rules can be configured to pull any number of audit events matching a given filter at a specific interval.
    – When an audit event is viewed, auditors can authorize the event, mark it as unauthorized, escalate it, or assign it to someone else for further review. Each change is recorded as an "audit trail".
    – Automatic reports can be generated and e-mailed to appropriate personnel.
  • Workflow for Novell Privileged User Manager® (diagram)
    1. User activity: session event and keystroke log
    2. Command Control: validate and secure the user session, add audit group and risk rating
    3. Audit Rules Log: automated rules pull events into the Compliance Auditor database according to pre-defined risk filters
    4. Manager notified by e-mail each night of events waiting to be authorized
    5. Manager logs into Compliance Auditor and authorizes events
    Each event record is color-coded according to the highest rated command risk.
  • Demo
  • Demo: Agent install and registration
    – Agent installation: rpm -ivh novell-npum-agent-2.2.1-linux-2.4-intel.rpm
    – Agent must be entered into the GUI: Host | Select the desired domain | "Add Hosts"
    – Agent registration: please remember to register this installation with the Novell Privileged User Manager using the command /opt/novell/npum/sbin/unifi regclnt register
  • Demo: Agent install and registration. Agent registration (client side):
      sles11-npum2:~ # /opt/novell/npum/sbin/unifi regclnt register
      Please provide the hostname or address for the framework manager : () 151.155.130.142
      Please provide the port number for the framework manager: (29120)
      Please provide the hostname or address for this agent: () 151.155.128.131
      Please provide the registered agent name for this agent: (sles11-npum2)
      Framework manager: 151.155.130.142:29120
      Agent hostname or address : 151.155.128.131
      Agent name : sles11-npum2
      Is this correct: (y)
      Please enter the name and password of an account with permission to register this host.
      User name: (admin)
      Password:
  • Demo: Patching Hosts
    – Once the Agent has been installed, patches can be deployed through the GUI to all registered hosts.
    – Log in to GUI | Hosts | select the desired host | Update Packages
    – Patches may be applied on a single host, by domain, or to all hosts in the environment
  • Demo: Securing OES2 Services
    – On OES2 Linux, most of the "services" such as eDirectory™, novell-tomcat5, LUM, etc. must be configured and administered as root
    – With Novell Privileged User Manager®, simple rules can be created to allow administrators of these services to run their commands with root privileges WITHOUT knowing root's password or logging in as root.
  • Demo: Securing OES2 Services (cont.). Sample rule to start/stop eDirectory™:
      Begin Rule: eDirectory Stop/Start
        If (command IN eDir Start/Stop AND user IN eDirAdminFull) Then
          Set Authorize: yes
          Set runUser = "root"
          Run Script: Execute RunUsers Profile()
          Stop if authorized
        End If
      End Rule: eDirectory Stop/Start
  • Demo: Securing OES2 Services (cont.). From this example, user "bergerbr", who is a part of the eDirAdminFull group and logged in with normal privileges, would be able to run "usrun /etc/init.d/ndsd stop" or "usrun /etc/init.d/ndsd start".
  • Questions and Answers
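The following is an added illustration, not NPUM's own engine: a minimal model of how a Command Control rule such as the "eDirectory Stop/Start" rule above is evaluated, using the two command-matching forms from the Setting up Commands slide (a shell-style wildcard and a Perl-style =~#...# regex). User names, group names and the command sets are constructed to match the deck's examples; the default is deny, so a submitter with no matching rule keeps their own identity.

```python
import fnmatch
import re

# Constructed command sets and groups modelled on the slides (not NPUM data).
COMMAND_SETS = {
    "eDir Start/Stop": ["/etc/init.d/ndsd stop", "/etc/init.d/ndsd start"],
    "Tomcat Start/Stop": [r"=~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#"],
}
USER_GROUPS = {"eDirAdminFull": {"bergerbr"}, "TomcatAdmins": {"aaron"}}

# Each rule mirrors the deck's pattern: command set AND group -> authorize as runUser.
RULES = [
    {"name": "eDirectory Stop/Start", "commands": "eDir Start/Stop",
     "group": "eDirAdminFull", "run_user": "root"},
    {"name": "Tomcat Stop/Start", "commands": "Tomcat Start/Stop",
     "group": "TomcatAdmins", "run_user": "root"},
]


def command_matches(pattern, command):
    """Plain patterns are shell wildcards; =~#...# wraps a regular expression."""
    if pattern.startswith("=~#") and pattern.endswith("#"):
        return re.search(pattern[3:-1], command) is not None
    return fnmatch.fnmatchcase(command, pattern)


def evaluate(submit_user, command):
    """Return (authorized, run_user, rule_name), stopping at the first authorizing rule."""
    for rule in RULES:
        in_commands = any(command_matches(p, command)
                          for p in COMMAND_SETS[rule["commands"]])
        in_group = submit_user in USER_GROUPS[rule["group"]]
        if in_commands and in_group:
            return True, rule["run_user"], rule["name"]  # "Stop if authorized"
    return False, submit_user, None  # no rule matched: default deny


def audit_event(submit_user, host, command):
    """Build the audit record fields listed on the Audit/Reporting slide."""
    authorized, run_user, rule = evaluate(submit_user, command)
    return {"user": submit_user, "host": host, "command": command,
            "run_user": run_user, "authorized": authorized, "rule": rule}


if __name__ == "__main__":
    for user, cmd in [("bergerbr", "/etc/init.d/ndsd stop"),
                      ("aaron", "/etc/init.d/ndsd stop"),
                      ("aaron", "novell-tomcat5 restart")]:
        print(audit_event(user, "sles11-npum2", cmd))
```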
  • Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.