[FAQ] What is DirectAuthorize? (dzdo/dzwin)
08-20-2015 03:20 PM
What is DirectAuthorize?
DirectAuthorize is Centrify's on-premises Super User Privilege Management solution, based on the principles of least access and least privilege, that uses RBAC to deliver granular access controls to UNIX, Linux and Windows platforms. Its core features are:
- Allows organizations to leverage AD principals (users/groups) to grant access/privileges across UNIX, Linux and Windows platforms. This allows for ease of administration.
- Closed by default: users need to be explicitly granted access to systems
- Time-fencing: Roles can have privileges effective at certain times, plus they can be assigned temporarily (e.g. change control window)
- Multi-factor Authentication: As of Suite 2016, access and privilege elevation can be configured to require multifactor authentication (requires Centrify Identity Service or Privilege Service)
- Audit trails: All access and privilege elevation events are logged in syslog (UNIX/Linux) and event log (Windows)
- Session Capture and Replay aware: Roles can be created with recording capabilities enabled by Centrify Enterprise Edition.
- DevOps ready: DirectAuthorize's roles, assignments and definitions can be performed using PowerShell or the UNIX CLI.
What is dzdo?
dzdo is Centrify-enhanced sudo. Instead of using a sudoers file, it uses the RBAC information stored (highly available) in the Centrify zone in Active Directory (dzdo is a component of DirectAuthorize). As of Centrify 5.2.x, it is based on sudo 1.8.x and is part of the Centrify adclient agent.
$ adinfo -v
adinfo (CentrifyDC 5.2.3-429)
$ dzdo -V
Dzdo version 5.2.3-429 (based on Sudo version 1.8.10p3)
DZ policy plugin version DZv2.0
Sudoers file grammar version 43
Sudoers I/O plugin version 5.2.3-429
The Windows privilege elevation mechanism is referred to as dzwin and has to be installed separately on Windows systems.
Can dzdo be used in express mode?
No. You must have a commercial version (Standard Edition and up) to use dzdo.
What's the benefit of DirectAuthorize?
DirectAuthorize provides the ability to leverage Active Directory and Centrify Hierarchical zones to:
- Limit access only to authorized AD users in a very granular way (PAM access rights on UNIX/Linux and Console or Remote on Windows)
- Provide users with a role to perform their functions
- Provide the means for quick attestation and reporting of access and privileges
- Stay out of the way of the user experience (non-password centric); users use their own AD credentials
- Help protect the systems (DZ makes sure only authorized people have access to systems)
- Allow granular definition of access rights (Global, RegEx, etc.) and, in Windows, of desktop, application or network rights
- Work on UNIX, Linux and Windows
How are roles constructed in DirectAuthorize?
Roles can be constructed using Access Manager, Centrify PowerShell, adedit or any other ADSI interface. In UNIX, they can be broken down into PAM rights, command rights and SSH rights. For example, here's an Oracle DBA role created in DirectAuthorize:
Here's a sample Windows role created in DirectAuthorize
What if I need to combine DirectAuthorize with ITSM, Workflow or DevOps tools?
Centrify DirectAuthorize operations can be automated using PowerShell and the adedit UNIX tool. This allows orchestration or any other tools to perform these operations.
How can I use DirectAuthorize?
In UNIX/Linux, check your rights with the dzinfo command (or use dzdo -l), and use your rights with the dzdo command.
$ dzdo -l
AD Password:
User lisa.simpson may run the following commands on this host:
    (root) service oracle-xe*
    (oracle) sqlplus *
    (root) su oracle
    (root) su - oracle
    (root) adflush
In Windows, you can use the Run As Role (Run with Privilege on 2016 and up) shell extension, elevate to a new desktop or use the runasrole.exe command utility:
How can I generate access/privilege or attestation reports using DirectAuthorize?
You can use Access Manager's Report Center, PowerShell, or addbloader/adreport
Temporary Access Control
Require Multifactor Authentication for Access and Privilege Elevation
MFA options include: push, OTP, e-mail, phone factor, security question and OATH-compliant device:
How do I troubleshoot dzdo on UNIX?
You have to start with the basics. The first thing I would check is whether the AD user has:
a) A UNIX identity (login, UID, GID, GECOS, home, shell) in the zone that the system belongs to; you can use adquery user or getent to find out.
$ adquery user lisa.simpson
lisa:x:1099:1099:Lisa Simpson:/home/lisa:/bin/bash
This tells me that Lisa has an identity in the system.
b) A role that allows them to log in. You have to check using dzinfo. The comment lines beginning with # explain the output of the dzinfo command.
$ dzdo dzinfo lisa.simpson
# I used dzdo to use dzinfo because I was not lisa when I ran the command
# to view another user's rights, you have to elevate.
# I was prompted by my AD password because the way the dzdo command was set up
# required that the user authenticated. This will last for 5 minutes, just
# like traditional sudo.
Forced into restricted environment: No
# This previous line is important because DirectAuthorize can
# implement a whitelist shell. This user has a regular shell.
Role Name        Avail  Restricted Env
---------------  -----  --------------
SSH              Yes    None
# The line above describes the name of the role and if it's available
# this is important because you can have roles with privileges available
# certain days or hours during the week. Think as an example, a backup operator
# that should only run the tar command as root from 5pm to 4am.
Non password login
Allow normal shell
Always permit login:
# The lines above are also important; effective rights define how the user
# can log in (e.g. with a password or just with a smart card), as well as
# giving another indication of the shell. "Always permit login" is designed to
# allow disabled AD accounts to still run batch jobs. The audit line is related
# to Centrify's session capture and replay capability (DirectAudit), and this
# allows admins to trigger audits only when privileges are used.
PAM Application  Avail  Source Roles
---------------  -----  --------------------
sshd             Yes    SSH Login/Global
# The section above defines how the user can log in. In this case this user
# can only log in to the system via SSH which is granted by that role.
Name             Avail  Command               Source Roles
---------------  -----  --------------------  --------------------
SU to Oracle     Yes    su - oracle           UNIX - Oracle
# Finally, this shows the privileged commands of the user. In this case
# the ability to switch to the oracle account has been given, and the user
# does not need to know the root or oracle password.
dzdo (like sudo) has its own PAM configuration; on a RHEL derivative it typically looks like this:
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    required     pam_limits.so
As you know, Centrify adds its own directives to the system PAM configuration (system-auth), so they are pulled in here.
Just like sudo, dzdo logs to the security log:
Aug 18 10:37:37 engcen6 sshd: pam_unix(sshd:session): session opened for user dwirth by (uid=0)
Aug 18 10:56:35 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root ; COMMAND=/bin/vi /etc/passwd
Aug 18 14:07:14 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root ;
and to the messages log via syslog, as adclient AUDIT_TRAIL events:
Aug 18 23:16:15 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=77516 utc=1439957775601 centrifyEventID=24100 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
Aug 18 23:17:09 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite| pid=77520 utc=1439957829442 centrifyEventID=30000 status=GRANTED service=dzdo command=/usr/bin/tail runas=root role=UNIX Sysadmin/Global env=(none)
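As an added example (not part of the original post), here is a small Python parser for the AUDIT_TRAIL lines above: it pulls out the key=value payload while correctly handling values that contain spaces (role=UNIX Sysadmin/Global, command=/bin/vi /etc/passwd), and filters for dzdo command executions and for anything not GRANTED. The sample log is constructed; the header of the second event and the entire DENIED event (with placeholder centrifyEventID=99999) are assumptions, not values taken from the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the adclient AUDIT_TRAIL lines above. The header
# of the second event and the whole third (DENIED) event are assumptions made for
# this example; centrifyEventID=99999 is a placeholder, not a real Centrify id.
SAMPLE_LOG = """\
Aug 18 23:16:15 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=77516 utc=1439957775601 centrifyEventID=24100 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
Aug 18 23:17:09 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|Command granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=77520 utc=1439957829442 centrifyEventID=30000 status=GRANTED service=dzdo command=/usr/bin/tail runas=root role=UNIX Sysadmin/Global env=(none)
Aug 18 23:20:41 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|Command denied|5|user=homer(type:ad,homer@CENTRIFY.VMS) pid=77601 utc=1439958041000 centrifyEventID=99999 status=DENIED service=dzdo command=/bin/vi /etc/passwd runas=root env=(none)
"""

PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) adclient: \S+ AUDIT_TRAIL\|(?P<body>.*)$")
# Values may contain spaces (role=UNIX Sysadmin/Global, command=/bin/vi /etc/passwd),
# so a value runs until the next " key=" token, not until the next space.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
USER_RE = re.compile(r"^(?P<name>[^(]+)\(type:(?P<type>[^,]+),(?P<upn>[^)]+)\)$")


def parse_audit_trail(line: str) -> Optional[Dict[str, str]]:
    """Parse one AUDIT_TRAIL syslog line into a flat dict; None for other lines."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    # Pipe-separated header (product|category|version|id|description|severity),
    # then the space-separated key=value payload as the last element.
    parts = m.group("body").split("|")
    event: Dict[str, str] = {"ts": m.group("ts"), "host": m.group("host")}
    if len(parts) >= 7:
        event["category"], event["description"] = parts[1], parts[4]
    for key, value in KV_RE.findall(parts[-1]):
        event[key] = value
    u = USER_RE.match(event.get("user", ""))
    if u:  # split user=dwirth(type:ad,dwirth@CENTRIFY.VMS) into its components
        event.update(user=u.group("name"), user_type=u.group("type"), upn=u.group("upn"))
    return event


def parse_log(log_text: str) -> List[Dict[str, str]]:
    """All AUDIT_TRAIL events in a chunk of /var/log/messages text."""
    return [e for e in map(parse_audit_trail, log_text.splitlines()) if e]


def privilege_events(log_text: str) -> List[Dict[str, str]]:
    """dzdo command executions: centrifyEventID 30000 or any event with a command=."""
    return [e for e in parse_log(log_text) if e.get("service") == "dzdo"
            and (e.get("centrifyEventID") == "30000" or "command" in e)]


def denied(log_text: str) -> List[Dict[str, str]]:
    """Events whose status is not GRANTED: the first place to look for a dzdo failure."""
    return [e for e in parse_log(log_text) if e.get("status") != "GRANTED"]
```

Running the filters over a day's /var/log/messages gives a quick per-user list of what was run as which account under which role, which is the raw material for the attestation reports mentioned earlier.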
You can also turn on debugging with addebug, set the level and see more information.
On Windows, it logs to the Application Event Log with the source "Centrify AuditTrail".
Why might it not work on a single host?
- The host is not in zone mode (perhaps autozone or express mode)
- The host's PAM configuration is corrupted (or perhaps reverted by Puppet after a join)
- The system is not in a zone that has any rights defined (if you're using classic zones)
- The system is not in the proper child zone or computer role
What is the dzshell (Centrify DirectAuthorize Restricted Shell)?
dzshell is a whitelist shell. Only the commands that are set up by the Centrify zone administrator are available for the user to execute.
dzsh homer.simpson $ ps -ef
ps -ef : command not allowed
dzsh homer.simpson $ ls -l
ls -l : command not allowed
dzsh homer.simpson $ tail /var/log/secure
Role changed to: Mixed PCI Auditor/Global
Aug 20 15:56:02 engcen6 sshd: pam_unix(sshd:session): session closed for user lisa
Aug 20 15:56:02 engcen6 sshd: pam_unix(sshd:session): session closed for user dwirth
[output truncated]
How do I troubleshoot DirectAuthorize for Windows (dzwin)?
Use the Authorization Center:
Use the Centrify DirectAuthorize Agent Control Panel Desktop App
Or use the Application Event Log:
I'm intrigued, can I see more?
If you want to see how powerful DirectAuthorize is, watch the 10 minute PCI Challenge: