Start session recording when performing privilege elevation


By Centrify ‎05-18-2018 02:34 PM

[How to] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part 1 - Start session recording when performing privilege elevation


Summary
We will configure a profile that starts session recording when privileges are elevated, and integrate Splunk with Infrastructure Service (Auditing and Monitoring Service) so that audited sessions can be viewed directly from the Splunk portal.

 

Requirements - Part 1
- A server with Infrastructure Services (Privilege Elevation Service and Auditing and Monitoring Service) pre-installed.
- A Windows 7 workstation with the Centrify agent running.
 
Development
This lab is divided into 2 parts. First we will configure Centrify to create a profile that allows privilege elevation and starts recording the session as soon as one of the applications in the profile is launched. After verifying that this works, we will install Splunk and integrate it with Centrify.

 

    1. To start, within Centrify Access Manager we will create 2 applications that require administrator privileges to run: in this case the Services application and Windows Firewall with Advanced Security on a Windows machine.
    2. For the Windows Services application (services.msc) we will use the following configuration.
      [screenshot]

      We will create 3 profiles: one for versions of Windows before 2003 or higher, a default profile, and finally one for the MMC console.

      [screenshots]

    3. We configure the RunAs tab so that the application runs as a local administrator user.

    4. For the Windows Firewall with Advanced Security application (WF.msc), we use the following configuration.
      [screenshots]

       

    5. We create a role definition for users who must be audited when elevating privileges.
      [screenshots]

       

    6. We assign the applications created in the previous steps (Services and Windows Firewall) to the new role.
      [screenshot]
    7. Then we create another role that allows logging in to the systems without being audited.
      [screenshots]

       

    8. To complete the configuration, we will assign an Active Directory group to the created roles.
      [screenshot]

       

    9. We verify that the roles are assigned to one of the users in the selected AD group.
      [screenshot]

       

    10. We test by logging in to one of the systems within the Zone where we created the role and elevating privileges, to verify that the configuration works.
      [screenshots]
    11. We verify the audited session in Audit Analyzer and observe that the session recording stops when the configured application is closed.
      [screenshot]

       

Once the audited session was confirmed, the configuration for part 1 of this article is complete. Part 2 is available at the following link:

 [HOW TO] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
