Managing Unix service accounts
12-03-2018 08:05 AM
I see there are basically two options to build a service account management process:
- Map local accounts to AD (i.e. migrate accounts to AD)
- Enroll local accounts in the Vault and manage them (in the broad sense) with the cloud.
What is the recommended approach?
12-03-2018 08:33 AM
Assuming UNIX-like systems here. For AD, different story.
In reality, this depends.
What you need to use is this statement: Do we really need this service account?
In modern security, you want to get rid of static privileges; unfortunately, service accounts happen to have static or even (worse) internal entitlements (e.g. the oracle account). Here are some aspects to consider:
- Impact to Ops/SLA/Uptime: the general problem with the password management approach is that you have to assess the operational impact of swapping/changing passwords.
- Impact to audit/attestation: static, commonly-named service accounts are always targeted. Auditors may want to know about secops activity, or even what entitlements are in place if you are using least access.
- Environment: on-prem vs. DMZ vs. IaaS may have different tooling. Depending on your toolbox, Chef/Puppet/Ansible may even do a good job here.
I would always try to eliminate the account first, Kerberize it, or make it into a small-scope OAUTH2 account if it is a modern app.
Here is what I've seen (any other readers, feel free to chime in):
- Map to AD account - if the service supports the UNIX PAM or NSS framework.
- Sync with an AD account - this implies using password sync (generally not a best practice; it requires a schema extension).
- Kerberos Keytab - very common with load balancing, Hadoop, etc.
- Zone-based local account - the zone becomes the authoritative data source for the local account. This can be combined with the vault approach: the zone defines the status (enabled, disabled) and the password is managed by the vault.
- Manage the password with the vault (cloud and on-premises) - e.g. if the account must be local.
- Manage the API Key with back-end rotation.
- Use OAUTH2 client.
- Use SAML.
Bottom line: what you use really depends.
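The answer's first step is the question "Do we really need this service account?", which in practice starts with an inventory of what local accounts exist and what kind of credential each one carries. The script below is an added illustration written for this thread, not code from the original post or from any vendor's product. It parses constructed passwd(5)/shadow(5) style text (the sample lines, usernames and hashes are made up) and classifies each account as having a usable static password, being locked, or having no password at all, then suggests which of the options discussed above (eliminate, Kerberize, vault-manage the password, or rotate a keytab/API key) applies. The `today_days` and `max_age_days` parameters are assumptions chosen to make the rotation-age check deterministic.

```python
"""Inventory local Unix accounts and classify their credential posture.

Added example for this discussion (not from the original thread). Input is
text in /etc/passwd and /etc/shadow format; on a real host you would read
those files as root, here constructed samples are embedded so it runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data (hashes are placeholders, not real digests).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001:Oracle DB:/home/oracle:/bin/bash
svc_backup:x:1002:1002:Backup job:/var/backup:/bin/sh
hadoop:x:1003:1003:Hadoop:/opt/hadoop:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$examplehash:17550:0:99999:7:::
daemon:*:17500:0:99999:7:::
oracle:$6$anotherhash:16800:0:99999:7:::
svc_backup:!$6$lockedhash:17500:0:99999:7:::
hadoop:!!:17500:0:99999:7:::
"""

# Shells that make an account non-interactive regardless of its password.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Account:
    user: str
    uid: int
    shell: str
    posture: str            # "static-password", "locked" or "no-password"
    days_since_change: int  # age of the password relative to today_days
    action: str             # suggested handling, in the thread's terms


def parse_passwd(text: str) -> List[Tuple[str, int, str]]:
    """Return (user, uid, shell) for each well-formed passwd line."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blank, comment or truncated lines
        rows.append((fields[0], int(fields[2]), fields[6]))
    return rows


def parse_shadow(text: str) -> Dict[str, Tuple[str, int]]:
    """Return user -> (hash field, last-change day) for each shadow line."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        lastchg = int(fields[2]) if fields[2].isdigit() else 0
        out[fields[0]] = (fields[1], lastchg)
    return out


def classify(passwd_text: str, shadow_text: str,
             today_days: int, max_age_days: int = 90) -> List[Account]:
    """Classify every passwd entry using its shadow hash field and age.

    today_days is the current date expressed as days since the epoch, the
    same unit shadow(5) uses for its last-change field (assumed input).
    """
    shadow = parse_shadow(shadow_text)
    results = []
    for user, uid, shell in parse_passwd(passwd_text):
        # An entry missing from shadow is treated as locked, never as open.
        hash_field, lastchg = shadow.get(user, ("!", today_days))
        if hash_field == "":
            posture = "no-password"          # empty field: login with no credential
        elif hash_field.startswith(("!", "*")):
            posture = "locked"               # password disabled by lock prefix
        else:
            posture = "static-password"      # usable hash is present
        age = today_days - lastchg
        if posture == "no-password":
            action = "lock immediately; no credential is needed to log in"
        elif posture == "static-password" and age > max_age_days:
            action = "eliminate, Kerberize, or move password to the vault; rotation overdue"
        elif posture == "static-password":
            action = "eliminate, Kerberize, or move password to the vault"
        elif shell in NOLOGIN_SHELLS:
            action = "non-interactive; verify any keytab or API key it uses is rotated"
        else:
            action = "locked but has a login shell; review SSH keys and sudo entitlements"
        results.append(Account(user, uid, shell, posture, age, action))
    return results


def overdue_static_accounts(accounts: List[Account], max_age_days: int = 90) -> List[str]:
    """Usernames with a usable password older than max_age_days."""
    return sorted(a.user for a in accounts
                  if a.posture == "static-password" and a.days_since_change > max_age_days)


if __name__ == "__main__":
    for acct in classify(SAMPLE_PASSWD, SAMPLE_SHADOW, today_days=17600):
        print(f"{acct.user:12} uid={acct.uid:<5} {acct.posture:16} "
              f"age={acct.days_since_change:<4} -> {acct.action}")
```

Run as root with the real files substituted for the samples, the output gives you the list to walk through the answer's checklist: static-password accounts with a login shell are the ones where the "do we need it at all" question, Kerberization, or vault enrollment applies; locked nologin accounts still warrant a look at whatever keytab or API key they authenticate with.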