Intro to Novell® Privileged User Manager
and Securing Novell Open Enterprise Server 2

Brett A. Berger                  Aaron Burgemeister
Global Technical Support         Global Technical Support
Novell, Inc/bberger@novell.com   Novell, Inc/ab@novell.com
Novell Privileged User Manager®

    •   Introduction to Novell Privileged User Manager
         –   Business Challenges
         –   Novell Privileged User Manager solutions
    •   The Framework
         –   Framework Components
         –   Framework Deployment
    •   Command Control
         –   Configuration - Rules
         –   Configuration - Commands
         –   Configuration - Scripts

2   © Novell, Inc. All rights reserved.
Novell Privileged User Manager® (cont.)

    •   Audit, Compliance, and Reporting
         –   Overview
    •   Demo
         –   Agent installation and registration
         –   Patching Agents and Managers
         –   Using NPUM to secure OES2
               >   eDirectory™
               >   Novell-tomcat
               >   etc.
    •   Questions and Answers

Intro to Novell® Privileged User Manager
The IT Landscape is Changing

          The risks and challenges of computing across multiple
          Linux/Unix environments must be eliminated.


          Users should have unimpeded, secure and compliant
          access to the computing services they need to do their
          jobs right.


          Computing should be secure and compliant.




Business challenges

               Linux/UNIX Administrators require elevated
               (superuser) privileges to do their job

               Uncontrolled superuser access leaves the data
               center open to back door entries

               Audit Weakness
                    –   Rogue admins/users covering their tracks

               Compliance and Reporting



Delegating Superuser Privileges

    •   Linux/UNIX admins require elevated (Superuser)
        privileges to do their jobs

                [Diagram: IT Manager, System Admin, DBA, App Developer, Admin and
                Security Admin all working through the shared root account]

                Novell Privileged User Manager® can solve this

Uncontrolled Superuser Access

    Uncontrolled superuser access
    leaves the data center open to
    backdoor entry.

    Novell Privileged User Manager® can solve this

Audit Weakness

    Audit weakness –
    users covering their tracks.

    Novell Privileged User Manager® can solve this

Compliance and Reporting

    Compliance and reporting
    of user access.

    Novell Privileged User Manager® can solve this

Novell Privileged User Manager®
Novell Privileged User Manager®

    •   Control user access to root privileges
    •   Audit all user activity with 100% keystroke logging
    •   Simplify audit activity with the most relevant,
        context-based information
    •   Analyze potential threats based on policy-based
        risk ratings

The Framework
The Framework

     •   The Framework is made up of three primary
         components:
          1   Framework Manager
          2   Framework Console
          3   Framework Agent

Framework Manager

     [Diagram: the Novell Privileged User Manager® Framework Manager provides the
     Audit, Command Control, Compliance, Reporting and Package Manager modules;
     a Primary Manager and a Back Up Manager each serve a set of Agents]

Framework Console

Framework Agent

     [Diagram: each Novell Privileged User Manager® Framework Agent provides the
     Command Control, Registry, Distribution, Store and Forward and (optional)
     System Information modules, and reports to a Primary Manager with a
     Back Up Manager available]

Underlying Modular Architecture

     [Diagram: a web browser reaches the Framework Console over port 443
     (administrative access); Audit Manager, Command Control and Agents use
     port 29120 for host-to-host communications]

     Audit databases can be placed in multiple locations for redundancy
     and security.

     Multiple Managers provide fail-over capability and load-balancing.

     Groups of Agents can be added to logical domains for load-balancing,
     redundancy and traffic segregation.

Deploying
     Novell Privileged User Manager®
NPUM Prerequisites
                 Admin Console requires a browser with
                 Adobe Flash installed

                 Open ports 443 (manager) and 29120 (agents and
                 manager)

                 Servers must be resolvable (DNS/hosts/etc)

                 Time in sync (use ntp)

                 For SUSE® Linux Enterprise Server (SLES) – see
                 TID#7003992 - usrun reports /bin/ls: cannot read symbolic link
                 /proc/$$/exe: Permission denied

Configuration
     Manager

     •   Novell® Privileged User Manager 2.2.1 -
          –   rpm -ivh novell-npum-manager-2.2.1-linux-2.X-XXX.rpm
          –   Verify the install in /opt/novell/npum/logs/unifid.log

     •   Log in to https://ipaddress_of_framework_manager
          –   User: admin
          –   Pwd: novell
          –   Default port of the Framework Manager is 443
          –   /opt/novell/npum/service/local/admin/connector.xml
          –   <Connector ssl_ctx="https" port="443" mode="https"/>

Simple Deployment

           Step 1
           Install Framework Manager
           •      Only one Framework Manager is installed
           •      Framework Manager can be installed on any supported host
                  operating system

           [Diagram: Manager with SLES 11, OES2 SP2, RedHat, AIX and Solaris hosts]

Simple Deployment

           Step 2
           Pre-register Agents
           •      Log onto the Web Console
           •      Enter the names of the agents that will be added to
                  this Framework.

           [Diagram: Manager with SLES 11, OES2 SP2, RedHat, AIX and Solaris hosts]

Configuration
     Agents

     •   Installing and registering an NPUM Agent
          –   rpm -ivh novell-npum-agent-2.2.1-linux-2.X-XXXX.rpm
          –   Register the Agent
               >   sd145:/ # /opt/novell/npum/sbin/unifi regclnt register

              Please provide the hostname or address for the framework manager :
              () 151.155.128.68
              Please provide the port number for the framework manager: (29120)
              Please provide the hostname or address for this agent: (sd145)
              Please provide the registered agent name for this agent: (sd145)




Simple Deployment

           Step 3
           Install Framework Agents
           •      Each Framework Agent has a unique installer for the
                  platform.
           •      During the install process the Framework Manager address
                  is entered together with valid Framework credentials to
                  register the new Agent into the Framework.
           •      The Agent and Manager handshake and a trust relationship
                  is established.

           [Diagram: Manager with registered Agents on SLES 11, OES2 SP2, RedHat,
           AIX and Solaris hosts]

Command Control
Novell Privileged User Manager®

        [Diagram: Non-controlled: log in as root, submit user root, runuser root.
        NPUM controlled: log in as aaron, submit user aaron; the Command Control
        authorization DB is consulted and a remote shell runs with runuser root]

            –   User logs in with own non-privileged account
            –   Commands authorized before being executed remotely
            –   Known as ‘root delegation’

Configuration
     Setting up Rules

     •   Rules provide the means by which you can control
         commands. Commands can be authorized to run, or
         not authorized to run.

     •   Optional rule conditions:
          –   The command being submitted
          –   The user and host submitting the command
          –   The user and host assigned to run the command
          –   The time the command is submitted
          –   etc.

Configuration
     Setting up Commands

     •   Commands
          –   Commands
               >   novell-tomcat5*
                     »   Would allow all options after novell-tomcat5
                     »   Examples: novell-tomcat5 start or novell-tomcat5 stop, etc.

          –   Commands, using regular expressions
               >   =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#
                     »   Would allow /etc/init.d/novell-tomcat5 or novell-tomcat5 with
                         any options afterwards (the \s+ requires whitespace after the
                         command name, so a longer name that merely starts with
                         novell-tomcat5 is not matched).
                     »   Examples: /etc/init.d/novell-tomcat5 start or novell-tomcat5
                         stop, etc.

Configuration
     Setting up Scripts

     •   Scripts
          –   In addition to commands, Perl scripts can be added to rules to
              do additional processing such as:
               >   Send an email when a command is run
               >   Execute the run user's profile
               >   Define illegal commands
               >   Truncate stdin/stdout/stderr captured by KB

Configuration
     Running Commands

     •   usrun – usrun [command]
          –   usrun passes the command to the Command Control Manager for
              authorization. The command is allowed or denied based on the
              configured rules.
          –   Examples:
               >   usrun /etc/init.d/ndsd stop
               >   usrun novell-tomcat5 restart

     •   Rush – usrun rush
          –   The Rush shell is based on the Korn shell (ksh). Rush allows for
              complete session capture. Configure command risk.
     •   Crush – Change the user's logon shell to /usr/bin/crush. Crush allows for
         complete session capture without granting superuser privileges.

Audit, Compliance, and Reporting
Audit/Reporting

     •   Independent audit events are sent to the configured
         Audit servers from each agent

     •   Audit events include the following:
          –   Capture (full keystroke session playback)
          –   Start time/End time
          –   User, Host, Command
          –   Authorized/Unauthorized

Compliance

     •   Compliance Auditor collects, filters and generates
         reports of audit data for analysis and sign-off by
         authorized personnel.
     •   Rules can be configured to pull any number of audit
         events matching a given filter at a specific interval.
     •   When an audit event is viewed, auditors can authorize
         the event, mark it as unauthorized, escalate it, or
         assign it to someone else for further review.
          –   Each change is recorded as an “Audit trail”
     •   Automatic reports can be generated and e-mailed to
         appropriate personnel

Workflow for
     Novell Privileged User Manager®

     [Diagram: user activity flows through Command Control, the Rules and the
     Audit Log into the Compliance Auditor]
       1   Validate and secure user session
       2   Add audit group and risk rating (session event and keystroke log)
       3   Automated rules pull events into the Compliance Auditor database
           according to pre-defined risk filters
       4   Manager notified by e-mail each night of events waiting to be authorized
       5   Manager logs into Compliance Auditor and authorizes events

     Each event record is color-coded according to the highest rated command risk

Demo
Demo
     Agent install and registration

     •   Agent installation
          –   rpm -ivh novell-npum-agent-2.2.1-linux-2.4-intel.rpm

     •   Agent must be entered into the GUI
          –   Host | Select the desired domain | “Add Hosts”

     •   Agent registration
          –   Please remember to register this installation with the
              Novell Privileged User Manager using the command:
               /opt/novell/npum/sbin/unifi regclnt register


Demo
     Agent install and registration

     •   Agent registration (client side)
     sles11-npum2:~ # /opt/novell/npum/sbin/unifi regclnt register
     Please provide the hostname or address for the framework manager : () 151.155.130.142
     Please provide the port number for the framework manager: (29120)
     Please provide the hostname or address for this agent: () 151.155.128.131
     Please provide the registered agent name for this agent: (sles11-npum2)
     Framework manager: 151.155.130.142:29120
     Agent hostname or address : 151.155.128.131
     Agent name : sles11-npum2
     Is this correct: (y)
     Please enter the name and password of an account with permission to register this host.
     User name: (admin)
     Password:


Demo
     Patching Hosts

     •   Once the Agent has been installed, patches can be
         deployed through the GUI to all registered hosts.

     •   Log in to the GUI | Hosts | select the desired host | Update
         Packages

     •   Patches may be applied on a single host, by domain,
         or to all hosts in the environment

Demo
     Securing OES2 Services

     •   On OES2 Linux, most of the “services” such as
         eDirectory™, novell-tomcat5, LUM, etc. must be
         configured and administered as root

     •   With Novell Privileged User Manager®, simple rules can
         be created to allow administrators of these services to
         run their commands with root privileges WITHOUT
         knowing root's password or logging in as root.

Demo
     Securing OES2 Services (cont.)

     •   Sample rule to Start/Stop eDirectory™

     •   Begin Rule: eDirectory Stop/Start
         If (command IN eDir Start/Stop AND user IN eDirAdminFull)
         Then
                   Set Authorize: yes
                   Set runUser = "root"
                   Run Script: Execute RunUsers Profile()
                   Stop if authorized
         End If
         End Rule: eDirectory Stop/Start

Demo
     Securing OES2 Services (cont.)

        From this example, user “bergerbr”, who is a member of the
        eDirAdminFull group and logged in with normal privileges,
        would be able to run “usrun /etc/init.d/ndsd stop” or
        “usrun /etc/init.d/ndsd start”

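The eDirectory Stop/Start rule above, together with the command sets from the "Setting up Commands" slide and the optional conditions from "Setting up Rules", modelled as an added example (this is not NPUM's own code or rule syntax): a small evaluator decides whether a usrun request is authorized and as which run user, and records an audit event either way. The =~#...# command syntax, the group memberships, the risk values, the time condition and the default-deny outcome are assumptions made for the example.

```python
"""Toy model of NPUM Command Control rule evaluation (constructed example)."""
import fnmatch
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Command sets as on the "Setting up Commands" slide: a plain entry is matched as a
# shell glob, an entry written =~#...# as a regular expression. All data below is
# constructed for this example and is not NPUM's own configuration format.
COMMAND_SETS = {
    "eDir Start/Stop": ["/etc/init.d/ndsd start", "/etc/init.d/ndsd stop"],
    "Tomcat Start/Stop": ["novell-tomcat5*",
                          r"=~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#"],
}
USER_GROUPS = {"eDirAdminFull": {"bergerbr"}, "TomcatAdmins": {"aaron"}}


def command_matches(pattern: str, command: str) -> bool:
    """True if the command line handed to usrun matches one command-set entry."""
    m = re.fullmatch(r"=~#(.*)#", pattern)
    if m:
        return re.search(m.group(1), command) is not None
    return fnmatch.fnmatchcase(command, pattern)


@dataclass(frozen=True)
class Request:
    command: str          # the argument given to usrun, e.g. "/etc/init.d/ndsd stop"
    submit_user: str      # the non-privileged account the admin logged in with
    submit_host: str
    submitted_at: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    command_set: str
    user_group: str
    run_user: str = "root"
    scripts: tuple = ()            # e.g. ("Execute RunUsers Profile",)
    risk: int = 0                  # policy-based risk rating carried into the audit event
    hours: Optional[tuple] = None  # optional condition: (first, last) permitted hour


@dataclass(frozen=True)
class Decision:
    authorized: bool
    rule: Optional[str]
    run_user: Optional[str]
    scripts: tuple


def rule_applies(rule: Rule, req: Request) -> bool:
    """Check the rule's conditions: submitting user, command, and (if set) time."""
    if req.submit_user not in USER_GROUPS.get(rule.user_group, set()):
        return False
    if not any(command_matches(p, req.command) for p in COMMAND_SETS[rule.command_set]):
        return False
    if rule.hours and not rule.hours[0] <= req.submitted_at.hour <= rule.hours[1]:
        return False
    return True


def authorize(rules, req: Request, audit_log: list) -> Decision:
    """First applicable rule wins ("Stop if authorized"); with no applicable rule the
    command is denied. Default-deny is this example's assumption, not a product fact."""
    matched = next((r for r in rules if rule_applies(r, req)), None)
    decision = (Decision(True, matched.name, matched.run_user, matched.scripts)
                if matched else Decision(False, None, None, ()))
    # Every request yields an audit event with the fields from the Audit/Reporting
    # slide, authorized or not, so a denied attempt still leaves a trace.
    audit_log.append({"start": req.submitted_at.isoformat(), "user": req.submit_user,
                      "host": req.submit_host, "command": req.command,
                      "run_user": decision.run_user, "risk": matched.risk if matched else 0,
                      "status": "Authorized" if decision.authorized else "Unauthorized"})
    return decision


# The sample rule from the "Securing OES2 Services" slide, plus a second rule that
# also uses the optional time condition listed on the "Setting up Rules" slide.
RULES = [
    Rule("eDirectory Stop/Start", "eDir Start/Stop", "eDirAdminFull",
         scripts=("Execute RunUsers Profile",), risk=3),
    Rule("Tomcat Stop/Start", "Tomcat Start/Stop", "TomcatAdmins", risk=1, hours=(8, 18)),
]


def demo_request(command: str, user: str, host: str = "sd145", hour: int = 10) -> Request:
    """Build a request with a constructed timestamp (the date is arbitrary)."""
    return Request(command, user, host, datetime(2010, 3, 22, hour, 0))


if __name__ == "__main__":
    log: list = []
    for cmd, user, hour in [("/etc/init.d/ndsd stop", "bergerbr", 10),
                            ("/etc/init.d/ndsd stop", "aaron", 10),
                            ("novell-tomcat5 restart", "aaron", 22)]:
        print(user, "usrun", cmd, "->", authorize(RULES, demo_request(cmd, user, hour=hour), log))
    print(*log, sep="\n")
```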
Questions and Answers
Introducing Novell Privileged User Manager and Securing Novell Open Enterprise Server 2
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.


General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

More Related Content

PDF
Novell Success Stories: Endpoint Management in Education
PDF
Novell Success Stories: Endpoint Management in High Tech and Professional Ser...
PDF
Migrating from Novell ZENworks 7 Desktop Management to Novell ZENworks Config...
PDF
Novell Success Stories: Endpoint Management for Nonprofits
PDF
Novell Success Stories: Endpoint Management in Government
PDF
Novell Success Stories: Endpoint Management in Healthcare
PDF
Novell Support Revealed! An Insider's Peek and Feedback Opportunity
PDF
Novell Success Stories: Collaboration in Travel and Hospitality
Novell Success Stories: Endpoint Management in Education
Novell Success Stories: Endpoint Management in High Tech and Professional Ser...
Migrating from Novell ZENworks 7 Desktop Management to Novell ZENworks Config...
Novell Success Stories: Endpoint Management for Nonprofits
Novell Success Stories: Endpoint Management in Government
Novell Success Stories: Endpoint Management in Healthcare
Novell Support Revealed! An Insider's Peek and Feedback Opportunity
Novell Success Stories: Collaboration in Travel and Hospitality

What's hot (19)

PDF
Custom Development with Novell Teaming
PDF
Avoiding Common Novell ZENworks Configuration Management Implementation Pitfalls
PDF
Novell ZENworks Advanced Application Management
PDF
Best Practices for Administering Novell GroupWise 8
ODP
Introducing Novell Conferencing
PDF
How to Maintain Software Appliances
PDF
Novell Success Stories: Endpoint Management in Retail and Manufacturing
PDF
Novell Success Stories: Collaboration in Government
PDF
Adaptive Computing Using PlateSpin Orchestrate
PDF
Novell Success Stories: Collaboration in Education
PDF
BSM201.pdf
PDF
IDC Says, Don't Move To The Cloud
PDF
What an Enterprise Should Look for in a Cloud Provider
PDF
Integrating Novell Teaming within Your Existing Infrastructure
ODP
Windows and Linux Interopability
PDF
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
PDF
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
PDF
Finding Virtual Coins in the Couch
PDF
Run Book Automation with PlateSpin Orchestrate
Custom Development with Novell Teaming
Avoiding Common Novell ZENworks Configuration Management Implementation Pitfalls
Novell ZENworks Advanced Application Management
Best Practices for Administering Novell GroupWise 8
Introducing Novell Conferencing
How to Maintain Software Appliances
Novell Success Stories: Endpoint Management in Retail and Manufacturing
Novell Success Stories: Collaboration in Government
Adaptive Computing Using PlateSpin Orchestrate
Novell Success Stories: Collaboration in Education
BSM201.pdf
IDC Says, Don't Move To The Cloud
What an Enterprise Should Look for in a Cloud Provider
Integrating Novell Teaming within Your Existing Infrastructure
Windows and Linux Interopability
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security ...
Finding Virtual Coins in the Couch
Run Book Automation with PlateSpin Orchestrate
Ad

Similar to Introducing Novell Privileged User Manager and Securing Novell Open Enterprise Server 2 (20)

PDF
Improve Your Compliance across UNIX and Linux Environments
PDF
Overview of Identity and Access Management Product Line
PDF
What's New in Novell Identity Manager 4.0
PDF
Creating a Full Privileged User Solution with Novell Privileged User Manager,...
PDF
20th March Session Four by Rod Grigson
PDF
Advanced persistent threats
PDF
Who will guard the guards
PDF
An Identity-focused Approach to Compliance
PDF
An Identity-focused Approach to Compliance
PDF
Wallix AdminBastion - Privileged User Management &amp; Access Control
PDF
Implementing and Proving Compliance Tactics with Novell Compliance Management...
PDF
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
PDF
Integrating Novell Access Governance Suite with Novell Identity Manager
PDF
Novell SecureLogin 7 and Your Microsoft Active Directory Setup
PDF
Novell Storage Manager: Your Secret Weapon for Simplified File and User Manag...
PDF
Novell ZENworks Overview and Futures
PDF
Novell ZENworks Overview and Futures
PDF
Sccm 2012 overview - chris_estonina
PPT
Enterprise Security & SSO
PDF
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Improve Your Compliance across UNIX and Linux Environments
Overview of Identity and Access Management Product Line
What's New in Novell Identity Manager 4.0
Creating a Full Privileged User Solution with Novell Privileged User Manager,...
20th March Session Four by Rod Grigson
Advanced persistent threats
Who will guard the guards
An Identity-focused Approach to Compliance
An Identity-focused Approach to Compliance
Wallix AdminBastion - Privileged User Management &amp; Access Control
Implementing and Proving Compliance Tactics with Novell Compliance Management...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Integrating Novell Access Governance Suite with Novell Identity Manager
Novell SecureLogin 7 and Your Microsoft Active Directory Setup
Novell Storage Manager: Your Secret Weapon for Simplified File and User Manag...
Novell ZENworks Overview and Futures
Novell ZENworks Overview and Futures
Sccm 2012 overview - chris_estonina
Enterprise Security & SSO
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Ad

More from Novell (20)

PDF
Filr white paper
PDF
Social media class 4 v2
PDF
Social media class 3
PDF
Social media class 2
PDF
Social media class 1
PDF
Social media class 2 v2
PDF
LinkedIn training presentation
PDF
Twitter training presentation
PDF
Getting started with social media
PDF
Strategies for sharing and commenting in social media
PPT
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
PPT
Workload iq final
PDF
The Identity-infused Enterprise
PDF
Shining the Enterprise Light on Shades of Social
PDF
Accelerate to the Cloud
PDF
The New Business Value of Today’s Collaboration Trends
PDF
Preventing The Next Data Breach Through Log Management
PDF
Iaas for a demanding business
PDF
Workload IQ: A Differentiated Approach
PDF
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Filr white paper
Social media class 4 v2
Social media class 3
Social media class 2
Social media class 1
Social media class 2 v2
LinkedIn training presentation
Twitter training presentation
Getting started with social media
Strategies for sharing and commenting in social media
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Workload iq final
The Identity-infused Enterprise
Shining the Enterprise Light on Shades of Social
Accelerate to the Cloud
The New Business Value of Today’s Collaboration Trends
Preventing The Next Data Breach Through Log Management
Iaas for a demanding business
Workload IQ: A Differentiated Approach
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...

Introducing Novell Privileged User Manager and Securing Novell Open Enterprise Server 2

  • 1. Intro to Novell ® Privileged User Manager and Securing Novell Open Enterprise Server 2 Brett A. Berger Aaron Burgemeister Global Technical Support Global Technical Support Novell, Inc/bberger@novell.com Novell, Inc/ab@novell.com
  • 2. Novell Privileged User Manager ® • Introduction to Novell Privileged User Manager – Business Challenges – Novell Privileged User Manager solutions • The Framework – Framework Components – Framework Deployment • Command Control – Configuration - Rules – Configuration - Commands – Configuration - Scripts 2 © Novell, Inc. All rights reserved.
  • 3. Novell Privileged User Manager ® (cont.) • Audit, Compliance, and Reporting – Overview • Demo – Agent installation and registration – Patching Agents and Managers – Using NPUM to secure OES2 > eDirectory ™ > Novell-tomcat > etc. • Questions and Answers 3 © Novell, Inc. All rights reserved.
  • 4. Intro to Novell® Privileged User Manager
  • 5. The IT Landscape is Changing
    The risks and challenges of computing across multiple Linux/Unix environments must be eliminated.
    Users should have unimpeded, secure and compliant access to the computing services they need to do their jobs right.
    Computing should be secure and compliant.
  • 6. Business challenges
    Linux/UNIX Administrators require elevated (superuser) privileges to do their job
    Uncontrolled superuser access leaves the data center open to back door entries
    Audit Weakness
      – Rogue admins/users covering their tracks
    Compliance and Reporting
  • 7. Delegating Superuser Privileges
    • Linux/UNIX admins require elevated (Superuser) privileges to do their jobs
    (Diagram: IT Manager, System Admin, DBA, App Developer Admin and Security Admin all mapped onto the shared root account)
    Novell® Privileged User Manager can solve this
  • 8. Uncontrolled Superuser Access
    Uncontrolled Superuser access leaves the data center open to backdoor entry.
    Novell® Privileged User Manager can solve this
  • 9. Audit Weakness
    Audit weakness – users covering their tracks.
    Novell® Privileged User Manager can solve this
  • 10. Compliance and Reporting
    Compliance and reporting of user access.
    Novell® Privileged User Manager can solve this
  • 12. Novell® Privileged User Manager
    • Control user access to root privileges
    • Audit all user activity with 100% keystroke logging
    • Simplify audit activity with the most relevant, context-based information
    • Analyze potential threats based on policy-based risk ratings
  • 14. The Framework
    • The Framework is made up of three primary components:
      1. Framework Manager
      2. Framework Console
      3. Framework Agent
  • 15. Framework Manager
    (Diagram: Novell® Privileged User Manager Framework Manager modules: Audit, Command Control, Compliance, Reporting, Package Manager, Back Up Manager and Agent components, together with the Primary Manager)
  • 16. Framework Console
  • 17. Framework Agent
    (Diagram: Novell® Privileged User Manager Framework Agent modules: Command Control, Registry, Distribution, Store and Forward, System Information (optional), Back Up Manager and Primary Manager)
  • 18. Underlying Modular Architecture
    • Audit databases can be placed in multiple locations for redundancy and security.
    • Multiple Managers provide fail-over capability and load-balancing.
    • Groups of Agents can be added to logical domains for load-balancing, redundancy and traffic segregation.
    (Diagram: a web browser with administrative access reaches the Framework Console over port 443; Audit Managers, Command Control Managers and Command Control Agents talk host to host over port 29120, including across the Internet)
  • 20. NPUM Prerequisites
    • Admin Console requires a browser with Adobe Flash installed
    • Open ports 443 (manager) and 29120 (agents and manager)
    • Servers must be resolvable (DNS/hosts/etc.)
    • Time in sync (use ntp)
    • For SUSE® Linux Enterprise Server (SLES) – see TID#7003992 - usrun reports /bin/ls: cannot read symbolic link /proc/$$/exe: Permission denied
  • 21. Configuration Manager
    • Novell® Privileged User Manager 2.2.1
      – rpm -ivh novell-npum-manager-2.2.1-linux-2.X-XXX.rpm
      – Verify install in /opt/novell/npum/logs/unifid.log
    • Log in to https://ipaddress_of_framework_manager
      – User: admin
      – Pwd: novell
      – Default port of Framework Manager is 443
      – /opt/novell/npum/service/local/admin/connector.xml
      – <Connector ssl_ctx="https" port="443" mode="https"/>
  • 22. Simple Deployment Step 1: Install Framework Manager
    • Only one Framework Manager is installed
    • Framework Manager can be installed on any supported host operating system
    (Diagram: Manager host; supported platforms shown: SLES 11, OES2 SP2, RedHat, AIX, Solaris)
  • 23. Simple Deployment Step 2: Pre-register Agents
    • Log onto Web Console
    • Enter the names of the agents that will be added to this Framework.
    (Diagram: Manager with agents on SLES 11, OES2 SP2, RedHat, AIX, Solaris)
  • 24. Configuration Agents
    • Installing and registering an NPUM Agent
      – rpm -ivh novell-npum-agent-2.2.1-linux-2.X-XXXX.rpm
      – Register the Agent
        > sd145:/ # /opt/novell/npum/sbin/unifi regclnt register
          Please provide the hostname or address for the framework manager : () 151.155.128.68
          Please provide the port number for the framework manager: (29120)
          Please provide the hostname or address for this agent: (sd145)
          Please provide the registered agent name for this agent: (sd145)
  • 25. Simple Deployment Step 3: Install Framework Agents
    • Each Framework Agent has a unique installer for the Agent platform.
    • During the install process the Framework Manager address is entered together with valid Framework credentials to register the new Agent into the Framework.
    • The Agent and Manager handshake and a trust relationship is established.
    (Diagram: Manager with Agents on SLES 11, OES2 SP2, RedHat, AIX, Solaris)
  • 27. Novell® Privileged User Manager
    (Diagram: Non-controlled: log in as root, submit user: root, runuser: root. NPUM controlled: log in as aaron, submit user: aaron, remote shell; the command is checked against the Command Control authorization DB, then runs with runuser: root)
    – User logs in with own non-privileged account
    – Commands authorized before being executed remotely
    – Known as ‘root delegation’
  • 28. Configuration: Setting up Rules
    • Rules provide the means by which you can control commands. Commands can be authorized to run, or not authorized to run.
    • Optional rule conditions:
      – The command being submitted
      – The user and host submitting the command
      – The user and host assigned to run the command
      – The time the command is submitted
      – etc.
  • 29. Configuration: Setting up Commands
    • Commands
      – Commands
        > novell-tomcat5*
          » Would allow all options after novell-tomcat5
          » Examples: novell-tomcat5 start or novell-tomcat5 stop, etc.
      – Commands, using regular expressions
        > =~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#
          » Would allow /etc/init.d/novell-tomcat5 or novell-tomcat5 with any options afterwards.
          » Examples: /etc/init.d/novell-tomcat5 start or novell-tomcat5 stop, etc.
  • 30. Configuration: Setting up Scripts
    • Scripts
      – In addition to commands, perl scripts can be added to rules to do additional processing such as:
        > Send an email when a command is run
        > Execute the run user's profile
        > Define illegal commands
        > Truncate stdin/stdout/stderr captured by KB
  • 31. Configuration: Running Commands
    • usrun
      – usrun [command]
      – usrun passes the command to the Command Control Manager for authorization. The command is allowed or denied based on the configured rules.
      – Examples:
        > usrun /etc/init.d/ndsd stop
        > usrun novell-tomcat5 restart
    • Rush
      – usrun rush
      – The Rush shell is based on the Korn (ksh) shell. Rush allows for complete session capture. Configure command risk.
    • Crush
      – Change the user's logon shell to /usr/bin/crush. Crush allows for complete session capture, without granting superuser privileges.
  • 33. Audit/Reporting
    • Independent audit events are sent to the configured Audit servers from each agent
    • Audit events include the following
      – Capture (Full keystroke session playback)
      – Start time/End time
      – User, Host, Command
      – Authorized/Unauthorized
  • 34. Compliance
    • Compliance Auditor collects, filters and generates reports of audit data for analysis and sign-off by authorized personnel.
    • Rules can be configured to pull any number of audit events matching a given filter at a specific interval.
    • When an audit event is viewed, auditors can authorize the event, mark it as unauthorized, escalate it, or assign it to someone else for further review.
      – Each change is recorded as an “Audit trail”
    • Automatic reports can be generated and e-mailed to appropriate personnel
  • 35. Workflow for Novell® Privileged User Manager
    (Diagram: User Activity → Command Control (Rules) → Audit Log (session event and keystroke log) → Compliance Auditor → Manager)
    1. Validate and secure user session
    2. Add audit group and risk rating
    3. Automated rules pull events into the Compliance Auditor database according to pre-defined risk filters
    4. Manager notified by e-mail each night of events waiting to be authorized
    5. Manager logs into Compliance Auditor and authorizes events
    Each event record is color-coded according to the highest rated command risk
  • 36. Demo
  • 37. Demo: Agent install and registration
    • Agent installation
      – rpm -ivh novell-npum-agent-2.2.1-linux-2.4-intel.rpm
    • Agent must be entered into the GUI
      – Host | Select the desired domain | “Add Hosts”
    • Agent registration
      – Please remember to register this installation with the Novell Privileged User Manager using the command: /opt/novell/npum/sbin/unifi regclnt register
  • 38. Demo: Agent install and registration
    • Agent registration (client side)
      sles11-npum2:~ # /opt/novell/npum/sbin/unifi regclnt register
      Please provide the hostname or address for the framework manager : () 151.155.130.142
      Please provide the port number for the framework manager: (29120)
      Please provide the hostname or address for this agent: () 151.155.128.131
      Please provide the registered agent name for this agent: (sles11-npum2)
      Framework manager: 151.155.130.142:29120
      Agent hostname or address : 151.155.128.131
      Agent name : sles11-npum2
      Is this correct: (y)
      Please enter the name and password of an account with permission to register this host.
      User name: (admin)
      Password:
  • 39. Demo: Patching Hosts
    • Once the Agent has been installed, patches can be deployed through the GUI to all registered hosts.
    • Log in to GUI | Hosts | select the desired host | Update Packages
    • Patches may be applied on a single host, by domain, or to all hosts in the environment
  • 40. Demo: Securing OES2 Services
    • On OES2 Linux, most of the “services” such as eDirectory™, novell-tomcat5, LUM, etc. must be configured and administered as root
    • With Novell® Privileged User Manager, simple rules can be created to allow administrators of these services to run their commands with root privileges WITHOUT knowing root's password or logging in as root.
  • 41. Demo: Securing OES2 Services (cont.)
    • Sample rule to Start/Stop eDirectory™
    • Begin Rule: eDirectory Stop/Start
        If (command IN eDir Start/Stop AND user IN eDirAdminFull) Then
          Set Authorize: yes
          Set runUser = "root"
          Run Script: Execute RunUsers Profile()
          Stop if authorized
        End If
      End Rule: eDirectory Stop/Start
  • 42. Demo: Securing OES2 Services (cont.)
    From this example, user “bergerbr”, which is a part of the eDirAdminFull group, logged in with normal privileges would be able to run “usrun /etc/init.d/ndsd stop” or “usrun /etc/init.d/ndsd start”
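To see how the command patterns of slide 29 and the rule of slide 41 combine into an allow/deny decision with a run user, here is an added example written for this page; it is not NPUM's rule engine and does not reproduce how usrun talks to the Command Control Manager. It assumes that a plain pattern such as novell-tomcat5* is matched with shell-style wildcards and that a pattern written as =~#...# is a regular expression tested against the whole submitted command line; the "eDir Start/Stop" command group, the "tomcatAdmins" group and the user memberships are constructed from slides 29, 41 and 42. It also shows, as a rule-tightness check, that the wildcard form accepts a differently named binary that the anchored regular expression rejects.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Simplified model of Command Control rule evaluation, written for this page.
# It is not NPUM code. Assumptions: a plain command pattern (novell-tomcat5*)
# uses shell-style wildcards, and a pattern written as =~#...# is a regular
# expression tested against the whole submitted command line. Group names and
# members below are constructed from slides 29, 41 and 42.

def command_matches(pattern: str, command: str) -> bool:
    """True if one command pattern accepts the submitted command line."""
    if pattern.startswith("=~#") and pattern.endswith("#"):
        return re.search(pattern[3:-1], command) is not None
    return fnmatch.fnmatchcase(command, pattern)

COMMAND_GROUPS: Dict[str, List[str]] = {
    "tomcat (wildcard)": ["novell-tomcat5*"],
    "tomcat (regex)": [r"=~#^(|/etc/init.d/)novell-tomcat5(\s+|$)#"],
    # constructed: exactly the two ndsd invocations slide 42 says are allowed
    "eDir Start/Stop": [r"=~#^/etc/init.d/ndsd (start|stop)$#"],
}

USER_GROUPS: Dict[str, Set[str]] = {
    "eDirAdminFull": {"bergerbr"},
    "tomcatAdmins": {"aaron"},          # constructed group
}

@dataclass
class Rule:
    name: str
    command_group: str
    user_group: str
    authorize: bool = True
    run_user: str = "root"

RULES: List[Rule] = [
    Rule("eDirectory Stop/Start", "eDir Start/Stop", "eDirAdminFull"),
    Rule("Tomcat control", "tomcat (regex)", "tomcatAdmins"),
]

@dataclass
class Decision:
    authorized: bool
    run_user: Optional[str]
    rule: Optional[str]

def evaluate(submit_user: str, command: str, rules: List[Rule] = RULES) -> Decision:
    """The first rule whose user and command conditions both hold decides
    (the 'Stop if authorized' step of slide 41). With no matching rule the
    answer is deny: the command never runs as the run user."""
    for rule in rules:
        user_ok = submit_user in USER_GROUPS.get(rule.user_group, set())
        cmd_ok = any(command_matches(p, command) for p in COMMAND_GROUPS[rule.command_group])
        if user_ok and cmd_ok:
            return Decision(rule.authorize, rule.run_user if rule.authorize else None, rule.name)
    return Decision(False, None, None)

if __name__ == "__main__":
    for user, cmd in [("bergerbr", "/etc/init.d/ndsd stop"),
                      ("bergerbr", "/etc/init.d/ndsd restart"),
                      ("aaron", "/etc/init.d/novell-tomcat5 start"),
                      ("aaron", "novell-tomcat5-extra")]:
        print(user, repr(cmd), evaluate(user, cmd))
    # The wildcard form is looser than the anchored regex: it also accepts a
    # differently named binary that merely starts with novell-tomcat5.
    print(command_matches("novell-tomcat5*", "novell-tomcat5-extra"),
          command_matches(COMMAND_GROUPS["tomcat (regex)"][0], "novell-tomcat5-extra"))
```

The default-deny at the end of evaluate is the property to preserve when writing real rules: the rule of slide 41 names exactly the commands and exactly the group it delegates, and a pattern that ends in * should be checked against what else on the host it could match before it is tied to runUser root.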
  • 45. Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.