novell dynamic file services: intelligent tiering in microsoft active directory environments
DESCRIPTION
Novell technology for file tiering—without impact to end users—has been a game changer for Novell Open Enterprise Server customers. Attend this session, delivered by the technology's architect and lead developer, to learn how a new offering brings this same efficiency to Active Directory storage environments. Known as Novell Dynamic File Services, it automatically tiers Windows-based files using relevance and policy. Find out how this technology can help you manage file system chaos today.
TRANSCRIPT
Intro to Novell® Privileged User Manager and Securing Novell Open Enterprise Server 2
Brett A. Berger, Global Technical Support, Novell, Inc. / [email protected]
Aaron Burgemeister, Global Technical Support, Novell, Inc. / [email protected]
© Novell, Inc. All rights reserved.2
• Introduction to Novell Privileged User Manager
  – Business Challenges
  – Novell Privileged User Manager solutions
• The Framework
  – Framework Components
  – Framework Deployment
• Command Control
  – Configuration - Rules
  – Configuration - Commands
  – Configuration - Scripts
Novell® Privileged User Manager
• Audit, Compliance, and Reporting
  – Overview
• Demo
  – Agent installation and registration
  – Patching Agents and Managers
  – Using NPUM to secure OES2
    > eDirectory™
    > Novell-tomcat
    > etc.
• Questions and Answers
Novell® Privileged User Manager (cont.)
The IT Landscape is Changing
The risks and challenges of computing across multiple Linux/Unix environments must be eliminated.
Users should have unimpeded, secure and compliant access to the computing services they need to do their jobs right.
Computing should be secure and compliant.
Business challenges
Linux/UNIX Administrators require elevated (superuser) privileges to do their job
Uncontrolled superuser access leaves the data center open to back door entries
Audit Weakness – Rogue admins/users covering their tracks
Compliance and Reporting
Delegating Superuser Privileges
• Linux/UNIX admins require elevated (Superuser) privileges to do their jobs
Novell® Privileged User Manager can solve this
[Diagram: App Developer, DBA, Admin, IT Manager, System Admin and Security Admin all sharing the root account]
Uncontrolled Superuser Access
Uncontrolled Superuser access leaves the data center open to backdoor entry.
Novell® Privileged User Manager can solve this
Audit Weakness
Audit weakness – users covering their tracks.
Novell® Privileged User Manager can solve this
Compliance and Reporting
Compliance and reporting of user access.
Novell® Privileged User Manager can solve this
Novell® Privileged User Manager
• Control user access to root privileges
• Audit all user activity with 100% keystroke logging
• Simplify audit activity with the most relevant, context-based information
• Analyze potential threats based on policy-based risk ratings
The Framework
• The Framework is made up of three primary components:
  1. Framework Manager
  2. Framework Console
  3. Framework Agent
Framework Manager
[Diagram: a Primary Manager and a Back Up Manager serving three Agents; the Manager hosts the Audit, Command Control, Compliance, Reporting and Package Manager modules of Novell® Privileged User Manager]
Framework Agent
[Diagram: a Primary Manager and a Back Up Manager serving three Agents; each Agent runs the Command Control, Registry, Distribution and Store and Forward modules of Novell® Privileged User Manager, plus an optional System Information module]
Underlying Modular Architecture
Groups of Agents can be added to logical domains for load-balancing, redundancy and traffic segregation.
Audit databases can be placed in multiple locations for redundancy and security.
Multiple Managers provide fail-over capability and load-balancing.
[Diagram: administrative access from a web browser over the Internet to the Framework Console on port 443; Command Control and Audit Manager on the Managers; groups of Agents with host-to-host communications between Agents and Managers on port 29120]
NPUM Prerequisites
Admin Console requires a browser with Adobe Flash installed
Open ports 443 (manager) and 29120 (agents and manager)
Servers must be resolvable (DNS/hosts/etc.)
Time in sync (use ntp)
For SUSE® Linux Enterprise Server (SLES) – see TID#7003992 - usrun reports /bin/ls: cannot read symbolic link /proc/$$/exe: Permission denied
Configuration – Manager
• Novell® Privileged User Manager 2.2.1
  – rpm -ivh novell-npum-manager-2.2.1-linux-2.X-XXX.rpm
  – Verify the install in /opt/novell/npum/logs/unifid.log
• Login to https://ipaddress_of_framework_manager
  – User: admin
  – Pwd: novell
  – Default port of the Framework Manager is 443, set in /opt/novell/npum/service/local/admin/connector.xml:
    <Connector ssl_ctx="https" port="443" mode="https"/>
Simple Deployment
Step 1 – Install Framework Manager
• Only one Framework Manager is installed
• Framework Manager can be installed on any supported host operating system
[Diagram: supported hosts AIX, RedHat, OES2 SP2, Solaris and SLES 11, with the Manager installed on one of them]
Simple Deployment
Step 2 – Pre-register Agents
• Log onto the Web Console
• Enter the names of the agents that will be added to this Framework.
[Diagram: the Manager plus the hosts AIX, RedHat, OES2 SP2, Solaris and SLES 11 to be added as Agents]
Configuration – Agents
• Installing and registering an NPUM Agent
  – rpm -ivh novell-npum-agent-2.2.1-linux-2.X-XXXX.rpm
  – Register the Agent:
    sd145:/ # /opt/novell/npum/sbin/unifi regclnt register
    Please provide the hostname or address for the framework manager : () 151.155.128.68
    Please provide the port number for the framework manager: (29120)
    Please provide the hostname or address for this agent: (sd145)
    Please provide the registered agent name for this agent: (sd145)
Simple Deployment
Step 3 – Install Framework Agents
• Each Framework Agent has a unique installer for the platform.
• During the install process the Framework Manager address is entered together with valid Framework credentials to register the new Agent into the Framework.
• The Agent and Manager handshake and a trust relationship is established.
[Diagram: the Manager with Agents installed on AIX, RedHat, OES2 SP2, Solaris and SLES 11 hosts]
Novell® Privileged User Manager
Non-controlled: log in as root (submit user: root, run user: root) and work in a remote shell.
NPUM controlled:
– User logs in with own non-privileged account (log in as aaron)
– Commands authorized before being executed remotely (submit user: aaron, run user: root; each command is checked against the Command Control authorization DB before the remote shell runs it)
– Known as ‘root delegation’
Configuration – Setting up Rules
• Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run.
• Optional rule conditions:
  – The command being submitted
  – The user and host submitting the command
  – The user and host assigned to run the command
  – The time the command is submitted
  – etc.
Configuration – Setting up Commands
• Commands
  – Commands
    > novell-tomcat5*
      » Would allow all options after novell-tomcat5
      » Examples: novell-tomcat5 start or novell-tomcat5 stop, etc.
  – Commands, using regular expressions
    > =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#
      » Would allow /etc/init.d/novell-tomcat5 or novell-tomcat5 with any options afterwards.
      » Examples: /etc/init.d/novell-tomcat5 start or novell-tomcat5 stop, etc.
Configuration – Setting up Scripts
• Scripts
  – In addition to commands, perl scripts can be added to rules to do additional processing such as:
    > Send an email when a command is run
    > Execute the run user's profile
    > Define illegal commands
    > Truncate stdin/stdout/stderr captured by KB
Configuration – Running Commands
• usrun
  – usrun [command]
  – usrun passes the command to the Command Control Manager for authorization. The command is allowed or denied based on the configured rules.
  – Examples:
    > usrun /etc/init.d/ndsd stop
    > usrun novell-tomcat5 restart
• Rush
  – usrun rush
  – The Rush shell is based on the Korn (ksh) shell. Rush allows for complete session capture. Configure command risk.
• Crush
  – Change the user's logon shell to /usr/bin/crush. Crush allows for complete session capture, without granting superuser privileges.
Audit/Reporting
• Independent audit events are sent to the configured Audit servers from each agent
• Audit events include the following
  – Capture (Full keystroke session playback)
  – Start time/End time
  – User, Host, Command
  – Authorized/Unauthorized
Compliance
• Compliance Auditor collects, filters and generates reports of audit data for analysis and sign-off by authorized personnel.
• Rules can be configured to pull any number of audit events matching a given filter at a specific interval.
• When an audit event is viewed, auditors can authorize the event, mark it as unauthorized, escalate it, or assign it to someone else for further review.
  – Each change is recorded as an “Audit trail”
• Automatic reports can be generated and e-mailed to appropriate personnel
Workflow for Novell® Privileged User Manager
[Diagram: steps 1–5 flow from the user through Command Control (Rules) and the Audit Log into the Compliance Auditor, and finally to the Manager]
• User activity: validate and secure user session
• Add audit group and risk rating
• Session event and keystroke log
• Automated rules pull events into the Compliance Auditor database according to pre-defined risk filters
• Manager notified by e-mail each night of events waiting to be authorized
• Manager logs into Compliance Auditor and authorizes events
Each event record is color-coded according to the highest rated command risk.
Demo – Agent install and registration
• Agent installation
  – rpm -ivh novell-npum-agent-2.2.1-linux-2.4-intel.rpm
• Agent must be entered into the GUI
  – Host | Select the desired domain | “Add Hosts”
• Agent registration
  – Please remember to register this installation with the Novell Privileged User Manager using the command:
    /opt/novell/npum/sbin/unifi regclnt register
Demo – Agent install and registration
• Agent registration (client side)
sles11-npum2:~ # /opt/novell/npum/sbin/unifi regclnt register
Please provide the hostname or address for the framework manager : () 151.155.130.142
Please provide the port number for the framework manager: (29120)
Please provide the hostname or address for this agent: () 151.155.128.131
Please provide the registered agent name for this agent: (sles11-npum2)
Framework manager: 151.155.130.142:29120
Agent hostname or address : 151.155.128.131
Agent name : sles11-npum2
Is this correct: (y)
Please enter the name and password of an account with permission to register this host.
User name: (admin)
Password:
Demo – Patching Hosts
• Once the Agent has been installed, patches can be deployed through the GUI to all registered hosts.
• Login to GUI | Hosts | select the desired host | Update Packages
• Patches may be applied on a single host, by domain, or on all hosts in the environment
Demo – Securing OES2 Services
• On OES2 Linux, most of the “services” such as eDirectory™, novell-tomcat5, LUM, etc., must be configured and administered as root
• With Novell® Privileged User Manager, simple rules can be created to allow administrators of these services to run their commands with root privileges WITHOUT knowing root's password or logging in as root.
Demo – Securing OES2 Services (cont.)
• Sample rule to Start/Stop eDirectory™
  Begin Rule: eDirectory Stop/Start
    If (command IN eDir Start/Stop AND user IN eDirAdminFull)
    Then
      Set Authorize: yes
      Set runUser = "root"
      Run Script: Execute RunUsers Profile()
      Stop if authorized
    End If
  End Rule: eDirectory Stop/Start
Demo – Securing OES2 Services (cont.)
From this example, user “bergerbr”, who is part of the eDirAdminFull group and logged in with normal privileges, would be able to run “usrun /etc/init.d/ndsd stop” or “usrun /etc/init.d/ndsd start”.
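As an added example (not Novell's code and not the NPUM rule engine), this Python sketch evaluates rules of the shape shown in the eDirectory sample above against command patterns of the two forms from the "Setting up Commands" slide, the glob novell-tomcat5* and the regex =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#. The contents of the "eDir Start/Stop" command set, the group memberships and the second rule are assumptions; it also shows that the glob form alone does not cover the /etc/init.d/ path, which is what the regex form is for.

```python
import re
from fnmatch import fnmatchcase

# Constructed command sets modelled on the slides. A pattern beginning with
# "=~" is a Perl-style regex (here delimited with "#"); anything else is a
# shell-style glob, where a trailing "*" admits any options after the command.
COMMAND_SETS = {
    "eDir Start/Stop": [r"=~#^(|/etc/init.d/)ndsd\s+(start|stop)$#"],  # assumed contents
    "Tomcat": ["novell-tomcat5*", r"=~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#"],
}
# Constructed user groups: the group name is from the slide, membership is assumed.
USER_GROUPS = {"eDirAdminFull": {"bergerbr"}, "TomcatAdmins": {"aaron"}}

# Constructed rule list in evaluation order. Each rule mirrors the slide's shape:
# If (command IN <set> AND user IN <group>) Then authorize, set runUser, stop.
RULES = [
    {"name": "eDirectory Stop/Start", "commands": "eDir Start/Stop",
     "group": "eDirAdminFull", "run_user": "root", "script": "Execute RunUsers Profile"},
    {"name": "Tomcat Control", "commands": "Tomcat",
     "group": "TomcatAdmins", "run_user": "root", "script": None},
]

def command_matches(pattern, command):
    """Match one submitted command line against one pattern from a command set."""
    if pattern.startswith("=~"):
        m = re.fullmatch(r"=~(.)(.*)\1", pattern)
        if m is None:
            raise ValueError("malformed regex pattern: " + pattern)
        return re.search(m.group(2), command) is not None
    return fnmatchcase(command, pattern)

def evaluate(submit_user, command):
    """Walk the rules as Command Control would: the first rule that authorizes
    the request wins ("Stop if authorized"); otherwise the default is deny."""
    for rule in RULES:
        in_set = any(command_matches(p, command) for p in COMMAND_SETS[rule["commands"]])
        in_group = submit_user in USER_GROUPS[rule["group"]]
        if in_set and in_group:
            return {"authorized": True, "rule": rule["name"],
                    "run_user": rule["run_user"], "script": rule["script"]}
    # No rule matched: the command is denied and nothing runs as root.
    return {"authorized": False, "rule": None, "run_user": None, "script": None}

if __name__ == "__main__":
    for user, cmd in [("bergerbr", "/etc/init.d/ndsd stop"), ("bergerbr", "/etc/init.d/ndsd restart"),
                      ("aaron", "novell-tomcat5 restart"), ("aaron", "/etc/init.d/ndsd stop")]:
        print(f"usrun {cmd!r} by {user}: {evaluate(user, cmd)}")
```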
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.