Hello, everybody, and welcome. My name is Holger Weihe. I'm working for the One Identity Pre-Sales department. And I'm coming today to you in the wonderful city of Berlin. I'll be hosting this session. So stay tuned for the latest news. I hope you enjoy it. So let's start.
So let's talk a little bit about the Safeguard for authentification services. I named this session, to do or sudo is not an option. And this is really true. Because if you would have the choice to do in the same way as you have done before, or to use sudo instead to increase the security of your system and environments, that's not really an option. Not in these days. So let's have a look into the details.
So what is the thing that Safeguard Authentification Services can do for you? First of all, it helps to eliminate complexity. It helps you to bring all these different types of systems together, coming from the Unix world, and coming from the Windows world. And the centralized point of it will be Active Directory.
Active Directory then will provide all the information you need to work with these systems, like user IDs, group IDs, passwords, policies, and all the other stuff. If you're still using this very robust and excellent system, and you want to migrate from that, yeah, we have some kind of tools included in our suite as well that will help you to do this migration.
And of course, it will simplify compliance. Because all the management of your users and identities and access based on groups and IDs, and passwords, and access rights, and policies, they all will be provided by Active Directory from a centralized point.
This will make auditing and change tracking very easy. And of course, alerting comes along with that. And it will increase and enhance security.
You're going to be using Kerberos authentification. So you don't have any passwords anymore. So you have tickets that will be granted from a centralized server. In this case, more or less Active Directory, or some other Kerberos server who will be responsible for that.
And you can use this ticket for doing Single Sign On between the various applications or operating system which support Kerberos Single Sign On. This is often referred to as Windows-based authentification, or Windows integrated authentification.
And of course, if a password is not enough, and this is a very good question to ask-- you may want to have additional two factors support for authentification. And you can use multiple systems or mechanisms for this, like security keys, certificates, smart cards, whatever, you name it. Radio Systems and so on and so on.
There are so many on the market. But Safeguard Authentification Services will support these types of authentification.
So just to give you a short graphical overview based on the typical Unix environment, you can see on the left side, this is more or less some kind of isolated box management. You always have your own users, your own admins. You have logging. You have reporting and all the other ones. But this is only a box-centric approach.
And Safeguard of all Authentification Services will allow you to move this box-based approach to a more centralized approach. So you will have a Active Directory in the middle, who provides all the centralized administration and policy files and reporting. And all the users will be located in Active Directory as well. And of course, then, [INAUDIBLE] Active Directory, the complete control is implemented how you will access the appropriate services in your consolidated environment for standard regular user access, and of course, least privileged access.
If we are talking about Unix security, we have to talk about sudo. Sudo is one of the cornerstones of Unix security. And it is commonly available on any Unix-based system in the market.
What the Safeguard for Sudo will provide to you is a centralized policy management, and of course, centralized event and keystroke logging. And [INAUDIBLE] a centralized approach, in contrast to the ones we have seen in the slides before, in the box and isolated approach. We're going to provide something that can help you and support you and keep your systems up and running and secure, of course, when the centralized repository or the centralized management is not available. What to do then?
In this case, we provide the capability that the policy can be evaluated offline. You can define how long this can happen. And then [INAUDIBLE] you have enough time to repair your centralized repository.
Of course, sudo is evolving. And the latest version is the sudo in version 1.9. I will not cover all the details. There is a specialized session on sudo, with the maintainer, who is an employee of Quest.
And you're going to have all the details, and the more technical, sophisticated things here in his session. I just want to cover or touch briefly one of the new things that have been introduced in that version.
So the first thing is you have recording services. So you can implement something that will allow you to collect all your sudo IO-logs on a central box. For this, you can have a special plugin that is part of the new version.
And if we talk about plugins, we have a new audit plugin for custom logging, where you can customize the log format and [INAUDIBLE] information you want to log. You can have an approval plugin, where you can include additional conditions, and not only the password that makes you then allowed to run a command with elevated privileges.
And of course, all these plugins are based on a common framework that is due to the sudo 1.9. And for this framework, we're going to support to write your own plugins in the Python programming language.
So if you fire up your PuTTY. And you may load your connection profile. Or you have it as your default profile as you want. And you type in the hostname you want to connect to. In this case, I'm using my standard client I use for this demo. Oh, the sun's coming up.
So it is-- pas4uclient dot my domain, 1q2w.tech. Generic name, just for demo. And I have it as an SSH session. And I have special settings here in my profile. And you're going to find them here under the connection settings, when you expand the PuTTY configuration node.
So the first fun one is data. And for data, you should enable Use the system username. In this case, PuTTY will just type the user name for you. In this case, it will use the one that is already locked into your Windows client, or to the Windows system here.
And the next one, more important one, is the SSH setting. And there is the off node. Please expand this. And you're going to find something that is GSS API. And you may want to show to have this one selected. Attempt GSS API authentification. And attempt GSS API key exchange. That's all.
So once this is in your profile, you should be able to connect to your end system in this phase. And this is important. Use the fully qualified domain name. Otherwise your Kerberos configuration may fail.
So let's open up this. And you'll see, I'm instantly logged in using my username, alice. And I did not have to enter a password, because I'm now being authentificated by my Kerberos ticket. And the Kerberos ticket is the one I got automatically when I log into my Windows desktop here, which is a member of the domain.
So, very easy. Straightforward.
So let's hop on to other features of authentification services. So let's close this one.
So open up your PuTTY. Log in with something like the-- oh, why not use alice again. So let's use the same mechanism again. Or maybe just use a different one. I will just use a different one.
So in this case, I'm logging in as this one here. And I have to type in my username. And again, yep. Single sign on. As shown before. It doesn't matter.
If I now want to know what I'm allowed to do sudo, I simply can sudo what's configured for me. So in this case, I'll just have to type in sudo -l. Put the password.
And the k in this command line was just a typo. But it doesn't hurt. OK. I'll let that pass.
OK. So here we go. So you see that the user alice is allowed to run two commands. One is usr/bin/cat var/log/secure, a usually secured file. Nobody is allowed to look in without the appropriate permissions. For instance, root.
And the other one is to have a look on the etc/shado file. And the etc/shadow file holds the more important configurations for users. For instance, the password hashes and all this encryption stuff and whatever it is.
In this case, this is a very secured file as well. So in the usual use case, nobody except root should be allowed to look into it. Otherwise, you can copy it over and crack it. And then you may want to-- you may be allowed to log into that system.
So in this case, if I now want to try to execute this, I just have to type sudo. And then say, OK. usr/bin/id, for instance. Password.
And you see that this command now comes back with the user ID root. And the group ID root and the groups data root. So I was running this command as root and not as alice, because otherwise I would say, if I just execute the same command without it-- it gives me the definitions for alice.
So the first one was run by root, via sudo. And the other one was just the standard execution of that command via my standard user account. I'm logged in here with alice. So you're now in the second go you see all the information that is linked to alice, like this nice group ID, and this user ID, and the groups.
And one thing to mention-- it is a very cryptic high number. And the group ID is SG.PAS4U. This is coming from Active Directory. And again, this is a feature of the authentification services for Safeguard, or the Safeguard Authentication Services.
So I'm still confused. Because it was so-- it was renamed recently. I'm just a little bit in the old world. But I try to stick to the new names.
So in this case, you see that the SG.PAS4U is a group. And this group is not provided by the local group system. It is coming from Active Directory. For instance, if you just give it a look into the group file--
And you're going to find something like-- you want to look for something like sg. It's not found. Because it's not in there. It's coming via the authentification services from your Active Directory. Here we go. OK.
So just to show you that you can log in with a identity and able to use, and this identity is from Active Directory. Because we don't have [INAUDIBLE]. We don't have the group ID in our group files. And of course, we don't have the user ID in our password file. So if you want to grep alice in the etc password file, there's no entry.
Again, this is provided by Active Directory via the Safeguard Authentification Services. That's how it goes.
So the next one I want to show you is a different thing. And if you want to log in with a different user, in this case, it is Bob. Pretty much the same. But when I issue sudo -l for this user-- and compare this with the one before, this is here. And the other one is here.
So you see that the out print of that command is a little bit different. Because Bob has less capabilities as defined in the sudo configuration file, as the one that I allowed for alice.
And usually this is defined in a file called [INAUDIBLE]. And [INAUDIBLE] is, of course, only editable by root. And you sometimes have a special editor for this. [INAUDIBLE] usually called that helps you to maintain the syntax of the file.
Because otherwise, if you do some kind of typos in your file, your sudo configuration may not work in the way as expected. So there's a little bit of guidance.
OK. With the Safeguard for Authentification Services, we're going to follow a different approach. Because we are providing this sudo file, or this policy file, how is it called. We provide that policy file from a centralized server. We don't have it locally on the box. Of course, we have it somehow local on the box as a secure-- as a copy in terms that you want to have validations required in situations that you cannot reach your centralized server. Just to keep the service up and running and maintain the security.
To look on this, we're going to have a couple of things like some kind of management interfaces. Or you of course can use the command line to configure it all. But I will be a lazy guy. So I'm going to use the management interface. And the management interface is the Management Console for Unix.
And this is a web-based interface. Just log in to my Management Console for Unix. That may take a time because the performance of my systems in this virtual testing lab I'm using is not the best, I would say.
OK. So that takes a little time. Here we go.
And the first things I usually have when I'm setting up this, I can follow this type of wizard [INAUDIBLE] configuration will be complete. I will just click on my host, because I have most of these things done already.
And looking on my demo environment, it's pretty small. Because it just consists of one server and the client. The first one you have already seen. That is the system [INAUDIBLE] usually connecting to. And the other one is my server. And the server is the one that holds my policy, and is providing that policy to the attached clients.
And you see that [INAUDIBLE] is here, flagged as a primary server. And the other one that are using that policy, they are here with that installed mechanism flagged as sudo plugin. And if you remember the slides I was showing before I went onto the demo here, you know that sudo supports plugins.
It is doing this since version 1.8. And now with the new version 1.9, it has even more capabilities in terms of plugins. Before 1.9, more or less, the only plugins available in the market were coming from Quest. [INAUDIBLE] matter.
You have now more of the capability to write your own plugins very easily. But at the current moment, we just use this sudo plugin to link to our policy server.
And this is just configured via this interface here. And if you want to look-- or if you want to look into that policy file that is provided to my clients, you can simply go to Policy. And open the current version of the policy.
The policy here in this case is just named as my policy server. So it is just not to confuse [INAUDIBLE] hostname. This is just the name of my policy file.
So now, the management interface will reach out to the server and pull a copy of that file into this editor. And the editor is pretty much the same as you have in your [INAUDIBLE] sudo or [INAUDIBLE] or [INAUDIBLE] whatever you want to use it, or-- there are so many things on the market as well.
And there are a couple of things that you may need to configure. So one of the things is, here, something like the group. Group plugin. The group plugin is something that is coming [INAUDIBLE] Quest as well, or with the authentification services for Safeguard.
And this is the secure path. That's a common sudo configuration that tells sudo where is your standard path to look for commands that are executed under sudo control.
And the other one that is Safeguard for Authentification Service or Safeguard for sudo specific thing, is the thing here, log input and log output. Because the [INAUDIBLE] the plugins that we are delivering with the authentification services, they are also able to provide keystroke logging and keystroke replay. And [INAUDIBLE] that you need to put into your sudo file to make that work.
OK. And then the other one is simply the same stuff as usual. It is about groups. This is user definitions. You have this percentage sign that says, OK, this is some kind of group definition. Or you have a standard user that you want to define something for, and so on, and so on.
So in this case, it is pretty much everything here. And you see, [INAUDIBLE] has no definition for Bob. No, it's not, because Bob is part of SG.PAS4U group.
And in this terms, all the things that are defined for this group will apply to the eventual user as well. And if you have a special one for a definite user, this can be defined on top of the group membership.
So it's very flexible. It's very powerful. And in the end, you just need to know what you would like to allow your users to run. So which commands they need to execute to whatever complete the task they are assigned for.
OK. And that's more or less it. [INAUDIBLE] So you have your centralized policy file. You have all the definitions in there. And then the plug-in in Safeguard for sudo, or in the sudo program, then will do the appropriate stuff.
It will take the command that it should be run under sudo control. And then sudo will go through this plugin. And the plugin will relay the evaluation request to the centralized server.
So if the plugin is installed, if the server is up and running, there is no need anymore to go for the local policy file, like the [INAUDIBLE].
Yeah. That's so easy. And very straightforward, as usual.
So that was the stuff here. And if you go on for the event logs, as I said, it is possible to capture event logs. You could just go for something like here. Maybe just make it a very-- maybe [INAUDIBLE] let's have a look on something that was recorded after the [INAUDIBLE] June of 2020. Let's see if we can find something.
And you can say what's the policy group, or maybe you want to have a specific user to be filtered out. Whatever. You just give it a try, what we can find.
I may take a look. So that may take a second. And you see there are a couple of things that have been executed. And there you see that there's these little red bullets that are rejected commands.
So maybe there was an attempt to execute something that was even not allowed. Or you have typed the wrong password, something like that.
And if you want to see about-- if you want to look into it, what was recorded, you can simply click on the replay keystroke. Link that is in this management interface.
And you see all the information on top of it. So what user it was, what was the run identity, what was the execution date, which host was it logged to, which host was [INAUDIBLE] to, what was the command. And where is the log file stored. And the log file is also stored on the Central Policy server.
And if you simply click on that Start button, you're going to see all output that was produced by the command.
[INAUDIBLE] a little bit longer output here because I'm just browsing some kind of log file. The [INAUDIBLE] file. So that was the thing that was executed and visible on the screen.
OK. To have a little bit more, of course you can do some kind of reporting here. There are a couple of predefined reports available in that product. Like, for instance, let's see about the license usage, or the policy changes. For instance, if you click on the policy changes-- simply execute it.
I'll give it a preview. Now it's generating the PDF file for that. It's collecting the data. It talks to the centralized server. [INAUDIBLE] the database. It collects all the data that you need to.
Here it goes. And now you see the changes, or you see the policy changes that is the modification that has been made to the policy file.
So you see [INAUDIBLE] screen, what was added, other things would be shown in a different color what was removed. So you have a very nice report, and the complete evidence how your policy file was changed. OK.
That's it so far. For very, very quick and fast overview on the Safeguard for sudo and Safeguard for Authentification Services.
If you want to know more, get in touch with us. [INAUDIBLE] we are here to help you and support you. Thank you for listening and goodbye.