[FAQ] What is DirectAuthorize? (dzdo/dzwin)

Centrify Guru I
Posts: 2,295
Registered: 07-26-2012


What is DirectAuthorize?

DirectAuthorize is Centrify's on-premise Super User Privilege Management solution, based on the principles of least access and least privilege, that uses RBAC to deliver granular access controls to UNIX, Linux and Windows platforms.  Its core features are:

  • Allows organizations to leverage AD principals (users/groups) to grant access/privileges across UNIX, Linux and Windows platforms, which eases administration.
  • Closed by default: users need to be explicitly granted access to systems.
  • Time-fencing: roles can have privileges effective at certain times, and they can be assigned temporarily (e.g. for a change control window).
  • Multi-factor authentication: as of Suite 2016, access and privilege elevation can be configured to require multi-factor authentication (requires Centrify Identity Service or Privilege Service).
  • Audit trails: all access and privilege elevation events are logged to syslog (UNIX/Linux) and the event log (Windows).
  • Session capture and replay aware: roles can be created with recording capabilities enabled by Centrify Enterprise Edition.
  • DevOps ready: DirectAuthorize roles, assignments and definitions can be managed using PowerShell or the UNIX CLI.


What is dzdo? 

dzdo is Centrify-enhanced sudo.  Instead of using a sudoers file, it uses the RBAC information held (highly available) in the Centrify zone in Active Directory; dzdo is a component of DirectAuthorize.  As of Centrify 5.2.x, it is based on sudo 1.8.x and is part of the Centrify adclient agent.


$ adinfo -v
adinfo (CentrifyDC 5.2.3-429)
$ dzdo -V
Dzdo version 5.2.3-429(based on Sudo version 1.8.10p3 )
DZ policy plugin version DZv2.0
Sudoers file grammar version 43
Sudoers I/O plugin version 5.2.3-429


The Windows privilege elevation mechanism is referred to as dzwin and has to be installed separately on Windows systems.


Can dzdo be used in express mode?

No. You must have a commercial version (Standard Edition and up) to use dzdo.


What's the benefit of DirectAuthorize?

DirectAuthorize provides the ability to leverage Active Directory and Centrify hierarchical zones to:

  • Limit access to authorized AD users only, in a very granular way (PAM access rights on UNIX/Linux; Console or Remote rights on Windows)
  • Provide users with a role to perform their functions
  • Provide the means for quick attestation and reporting of access and privileges
  • Stay out of the way of the user experience (it is not password-centric): users use their own AD credentials
  • Help protect systems (DZ makes sure only authorized people have access to them)
  • Allow granular definition of access rights (Global, RegEx, etc.) and, on Windows, of Desktop, application or network rights
  • Work on UNIX, Linux and Windows


How are roles constructed in DirectAuthorize?

Roles can be constructed using Access Manager, Centrify PowerShell, adedit or any other ADSI interface.  In UNIX, they can be broken down into PAM rights, command rights and SSH rights.  For example, here's an Oracle DBA role created in DirectAuthorize:

[Image: Access Manager - DBA Role]

Here's a sample Windows role created in DirectAuthorize:

[Image: Access Manager - Win mixed role]


What if I need to combine DirectAuthorize with ITSM, Workflow or DevOps tools?

Centrify DirectAuthorize operations can be automated using PowerShell and the adedit UNIX tool.  This allows orchestration or any other tools to perform those operations.

[Image: AWS-CSS-powershell]


How can I use DirectAuthorize?

In Unix/Linux, check your rights with the dzinfo command (or use dzdo -l), and use your rights with the dzdo command.


$ dzdo -l
AD Password:
User lisa.simpson may run the following commands on this host:
    (root) service oracle-xe*
    (oracle) sqlplus *
    (root) su oracle
    (root) su - oracle
    (root) adflush


In Windows, you can use the Run As Role shell extension (Run with Privilege in 2016 and up), elevate to a new desktop, or use the runasrole.exe command-line utility:

[Image: dzwin - run as role]

How can I generate access/privilege or attestation reports using DirectAuthorize?

You can use Access Manager's Report Center, PowerShell, or addbloader/adreport.

[Image: Access Manager - User effective NIX]


Advanced Controls

Temporary Access Control

[Image: Access Manager - time bound combos]

Require Multifactor Authentication for Access and Privilege Elevation

[Image: Access Manager - MFA combos]

MFA options include push, OTP, e-mail, phone factor, security question and OATH-compliant device:

[Image: MFA - NIX-approval]

[Image: MFA - Win]

[Image: methods]

How do I troubleshoot dzdo on UNIX?

You have to start with the basics; the first thing I would check is whether the AD user has:

a) A UNIX identity (login, UID, GID, GECOS, home, shell) in the zone that the system belongs to.  You can use adquery user or getent to find out.

adquery user lisa.simpson
lisa:x:1099:1099:Lisa Simpson:/home/lisa:/bin/bash

This tells me that Lisa has an identity on the system.


b) A role that allows them to log in.  You have to check this using dzinfo.  The notes marked with # explain the output of the dzinfo command.


$ dzdo dzinfo lisa.simpson
# I used dzdo to run dzinfo because I was not lisa when I ran the command;
# to view another user's rights, you have to elevate.
AD Password:
# I was prompted for my AD password because the way the dzdo command was set up
# required the user to authenticate. This lasts for 5 minutes, just
# like traditional sudo.
User: lisa
Forced into restricted environment: No
# The previous line is important because DirectAuthorize can
# implement a whitelist shell. This user has a regular shell.

  Role Name        Avail Restricted Env
  ---------------  ----- --------------
  SSH              Yes   None
  Login/Global

# The line above describes the name of the role and if it's available
# this is important because you can have roles with privileges available
# certain days or hours during the week. Think as an example, a backup operator
# that should only run the tar command as root from 5pm to 4am.

    Effective rights:
        Password login
        Non password login
        Allow normal shell

    Audit level:
        AuditIfPossible

    Always permit login:
        false

# The lines above are also important: effective rights define how the user
# can log in (e.g. with a password or just with a smart card) and give
# another indication of the shell. "Always permit login" is designed to
# allow disabled AD accounts to still run batch jobs. The audit line relates
# to Centrify's session capture and replay capability (DirectAudit) and
# allows admins to trigger audits only when privileges are used.


  PAM Application  Avail Source Roles
  ---------------  ----- --------------------
  sshd             Yes   SSH Login/Global

# The section above defines how the user can log in. In this case this user
# can only log in to the system via SSH which is granted by that role.

Privileged commands:
  Name             Avail Command               Source Roles
  ---------------  ----- --------------------  --------------------
  SU to Oracle      Yes   su - oracle          UNIX - Oracle
with profile

# Finally, this shows the privileged commands of the user. In this case
# the ability to switch to the oracle account has been given, and the user
# does not need to know the root or oracle password.
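As an added example (not the post's own code), the following Python reads dzinfo output like the sample above and answers the troubleshooting questions mechanically: which PAM applications the user can currently log in through, and which privileged commands are available right now. The column layout, the "Privileged commands" table being keyed by its "Name" header, and the wrapped role-name line are assumed from the sample on this page; the embedded output is constructed.

```python
import re
from typing import Dict, List
# Constructed dzinfo output modelled on the annotated sample in this FAQ; the bare
# "Login/Global" line reproduces how dzinfo wraps a long role name onto a second line.
SAMPLE_DZINFO = """\
Forced into restricted environment: No

  Role Name        Avail Restricted Env
  ---------------  ----- --------------
  SSH              Yes   None
  Login/Global
  Backup/Global    No    None

  PAM Application  Avail Source Roles
  ---------------  ----- --------------------
  sshd             Yes   SSH Login/Global

Privileged commands:
  Name             Avail Command               Source Roles
  ---------------  ----- --------------------  --------------------
  SU to Oracle     Yes   su - oracle           UNIX - Oracle
  Tar as root      No    /bin/tar *            Backup/Global
"""

def parse_tables(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Each fixed-width dzinfo table, keyed by its first column header. Column offsets
    come from the dashed underline; a row with only the first column filled is a wrap."""
    lines = text.splitlines()
    tables: Dict[str, List[Dict[str, str]]] = {}
    for i in range(len(lines) - 1):
        if not re.fullmatch(r"\s*-+(\s+-+)*\s*", lines[i + 1]):
            continue  # only a header line is followed by a dash underline
        spans = [m.span() for m in re.finditer(r"-+", lines[i + 1])]
        spans[-1] = (spans[-1][0], None)  # last column runs to end of line
        headers = [lines[i][a:b].strip() for a, b in spans]
        rows: List[Dict[str, str]] = []
        for raw in lines[i + 2:]:
            if not raw.strip():
                break  # a blank line ends the table
            cells = [raw[a:b].strip() for a, b in spans]
            if rows and not any(cells[1:]):
                rows[-1][headers[0]] += " " + cells[0]  # wrapped tail of previous row
            else:
                rows.append(dict(zip(headers, cells)))
        tables[headers[0]] = rows
    return tables

def available(text: str, table: str) -> List[Dict[str, str]]:
    """Rows of the named table (its first column header) whose Avail is Yes."""
    return [r for r in parse_tables(text).get(table, []) if r.get("Avail") == "Yes"]
```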


Authentication

dzdo (like sudo) has its own PAM service configuration; on a RHEL derivative it typically looks like this:


#%PAM-1.0
auth     include        system-auth
account  include        system-auth
password include        system-auth
session    required     pam_limits.so

As you know, Centrify includes its directives in the system PAM configuration (system-auth), so they are included here as well.


Logging

Just like sudo, dzdo logs to the security log:

Aug 18 10:37:37 engcen6 sshd[73772]: pam_unix(sshd:session): session opened for user dwirth by (uid=0)
Aug 18 10:56:35 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root; COMMAND=/bin/vi /etc/passwd
Aug 18 14:07:14 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root; COMMAND=validate

and to the messages log via the syslog facility:

Aug 18 23:16:15 engcen6 adclient[33809]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=77516 utc=1439957775601 centrifyEventID=24100 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
Aug 18 23:17:09 engcen6 adclient[33809]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=77520 utc=1439957829442 centrifyEventID=30000 status=GRANTED service=dzdo command=/usr/bin/tail runas=root role=UNIX Sysadmin/Global env=(none)

You can also turn on debugging with addebug, set the level and see more information.
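As an added example (not part of the original post), this Python parses both log formats shown above, the classic sudo-style dzdo line and the pipe-delimited AUDIT_TRAIL record, and extracts who elevated to what, which is what a SIEM rule or an audit script needs. The sample lines are constructed to mirror those above and the field layout is inferred from them; note that AUDIT_TRAIL values can contain spaces (role=UNIX Sysadmin/Global), so the key=value tail cannot be split on whitespace alone.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample modelled on the dzdo and AUDIT_TRAIL lines shown in this FAQ.
SAMPLE_LOG = """\
Aug 18 10:37:37 engcen6 sshd[73772]: pam_unix(sshd:session): session opened for user dwirth by (uid=0)
Aug 18 10:56:35 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root; COMMAND=/bin/vi /etc/passwd
Aug 18 14:07:14 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root; COMMAND=validate
Aug 18 23:16:15 engcen6 adclient[33809]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=77516 utc=1439957775601 centrifyEventID=24100 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
Aug 18 23:17:09 engcen6 adclient[33809]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=77520 utc=1439957829442 centrifyEventID=30000 status=GRANTED service=dzdo command=/usr/bin/tail runas=root role=UNIX Sysadmin/Global env=(none)
"""

SYSLOG_HEAD = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# Classic sudo-style record that dzdo writes to the security log.
DZDO_RE = re.compile(SYSLOG_HEAD + r"dzdo: (?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
                     r"USER=(?P<runas>[^;\s]+)\s*; COMMAND=(?P<command>.*)$")
# Pipe-delimited AUDIT_TRAIL record that adclient writes to syslog.
AUDIT_RE = re.compile(SYSLOG_HEAD + r"adclient\[\d+\]: \w+\s+AUDIT_TRAIL\|(?P<body>.*)$")
# Split the key=value tail only at whitespace that precedes the next key, so a
# value containing spaces (role=UNIX Sysadmin/Global) stays in one piece.
KV_SPLIT_RE = re.compile(r"\s+(?=\w+=)")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line; None for lines in neither format."""
    m = DZDO_RE.match(line)
    if m:
        return dict(m.groupdict(), format="dzdo")
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = m.group("body").split("|", 6)  # 6 header fields, then the key=value tail
    if len(fields) != 7:
        return None
    rec = dict(zip(("product", "category", "version", "code", "event", "severity"), fields),
               format="audit_trail", ts=m.group("ts"), host=m.group("host"))
    for item in KV_SPLIT_RE.split(fields[6].strip()):
        key, _, value = item.partition("=")
        rec[key] = value
    return rec

def elevations(log_text: str) -> List[Tuple[str, str, str, str]]:
    """(user, runas, command, role) for each granted elevation, from either format."""
    out = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        if rec["format"] == "dzdo":
            out.append((rec["user"], rec["runas"], rec["command"], ""))
        elif rec["category"] == "dzdo" and rec.get("status") == "GRANTED":
            # user=dwirth(type:ad,dwirth@CENTRIFY.VMS): keep only the short name
            out.append((rec["user"].split("(", 1)[0], rec["runas"], rec["command"], rec["role"]))
    return out
```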


On Windows, it logs to the Application Event Log with the source "Centrify AuditTrail".

[Image: dzwin - eventsm]


Why might it not work on a single host?

  • The host is not in zone mode (perhaps autozone or express mode)
  • The host's PAM configuration is corrupted (or perhaps reverted by Puppet after a join)
  • The system is not in a zone that has any rights defined (if you're using classic zones)
  • The system is not in the proper child zone or computer role


What is the dzshell (Centrify DirectAuthorize Restricted Shell)?

dzshell is a whitelist shell.  Only the commands that are set up by the Centrify zone administrator are available for the user to execute.

dzsh homer.simpson $ ps -ef
ps -ef : command not allowed
dzsh homer.simpson $ ls -l
ls -l : command not allowed
dzsh homer.simpson $ tail /var/log/secure
Role changed to: Mixed PCI Auditor/Global
Aug 20 15:56:02 engcen6 sshd[89832]: pam_unix(sshd:session): session closed for user lisa
Aug 20 15:56:02 engcen6 sshd[89878]: pam_unix(sshd:session): session closed for user dwirth
[output truncated]


How do I troubleshoot DirectAuthorize for Windows (dzwin)?

Use the Authorization Center:

[Image: DZWin - AuthCenterTShoot]

Use the Centrify DirectAuthorize Agent Control Panel desktop app:

[Image: DZWin - Applet TShoot]

Or use the Application Event Log:

[Image: dzwin - event]


I'm intrigued, can I see more?

If you want to see how powerful DirectAuthorize is, watch the 10-minute PCI Challenge:

Blog: http://centrifying.blogspot.com/2014/09/security-corner-pci-dss-30-requirement.html

[Embedded video]


Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com