2017-09-15 05:48 PM
At a high level what is the process for RSA NetWitness to integrate at the command line with Active Directory? We have the web UI configured for this but the command line (ssh) itself is a bit of a stretch and it seems there are several routes you can take to accomplishing this task.
In the end my goal is to disable root logins to all my appliances via SSH and have all the users login to each system using their AD credentials.
We have a requirement to maintain traceability back to the individual user. We'll then enable sudo, setup auditd/sudo logging and go from there.
However it seems after reviewing the following document I have two choices.
https://community.rsa.com/docs/DOC-78415
1. Add all the appliances to AD as computer objects, join them to the domain (with DA account) and install additional packages and enable SMB/CIFS ports to/from the AD servers.
2. Native LDAP queries via nss, openldap and pam. *Requires uidNumber and gidNumber attributes for AD user/group objects.
I'm looking to limit as much as possible on my internal AD groups as this will end up being a 3 month process internally.
Anybody completed this and have an idea of the obstacles/hurdles you've run into?
Thanks,
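As an added example (not from this thread or from RSA's documentation), a small Python check for the prerequisite of option 2: it parses an LDIF export of the AD users and groups that will get shell access and reports objects lacking the uidNumber/gidNumber attributes that nss/pam over LDAP need to map them to POSIX ids. The LDIF content, account names and OU paths are constructed.

```python
# Constructed LDIF export of two AD users and one group carrying AD's
# "UNIX attributes" (RFC 2307 uidNumber/gidNumber); all values are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Analyst,OU=SOC,DC=example,DC=local
objectClass: user
sAMAccountName: aanalyst
uidNumber: 10001
gidNumber: 5000

dn: CN=Bob Builder,OU=SOC,DC=example,DC=local
objectClass: user
sAMAccountName: bbuilder

dn: CN=soc-linux,OU=Groups,DC=example,DC=local
objectClass: group
sAMAccountName: soc-linux
gidNumber: 5000
"""

# Attributes nss/pam over LDAP need to map an AD object to a POSIX uid/gid.
REQUIRED = {"user": ("uidNumber", "gidNumber"), "group": ("gidNumber",)}

def parse_ldif(text):
    """Split LDIF into entries (dict attr -> [values]); folded lines are joined, base64 (::) not decoded."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:          # folded continuation of the previous value
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                       # blank line terminates an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        entries.append(current)
    return entries

def missing_posix_attrs(text):
    """Return {sAMAccountName: [missing attrs]} for objects that would not resolve to a POSIX id."""
    report = {}
    for e in parse_ldif(text):
        kind = "group" if "group" in e.get("objectClass", []) else "user"
        missing = [a for a in REQUIRED[kind] if a not in e]
        if missing:
            report[e["sAMAccountName"][0]] = missing
    return report
```

Accounts listed in the report would fail to resolve on the appliances, so they (or their group) need the attributes populated before the LDAP route can preserve per-user traceability.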
2017-09-15 06:48 PM
I would not recommend this AT ALL. Think about it, AD is the shortest path of compromise in the majority of intrusions. Adding AD to Linux hosts, and adding sudo for priv escalation, just ensures that if AD is compromised, they also have a direct line to root on your Linux hosts. That being bad enough, you are now including the very toolset that your analysts are going to trust and rely on in that straight-line path from Domain Admin/User directly to root. I recommend advising your client that this is the very opposite of Principle of Least Privilege and Principle of Separation of Duties, making it definitively bad security practice.
Thanks,
Wes
Sent from my iPhone
2017-09-16 10:39 AM
Still leaves me without a reliable way to audit activities on my security-critical monitoring appliances. How can I find a method to monitor which actual users on my appliances are doing what? Everyone logging in as root is a problem for auditing.
We have around 20 different people today who can access the command line and need to for their day to day job.
I could set up local accounts, but now, with around 150+ CentOS hosts, I have to manage 20 users on each one and hope to never run into inconsistencies.
Puppet here would be great but as this is a vendor puppet implementation I'm not comfortable adding a puppet forge user module or creating my own and hoping for the best.
2017-09-16 11:37 AM
So, for what you are wanting to do, you will need at least two servers for authentication (primary + backup). You have some options here: Kerberos, OpenLDAP, 389, FreeIPA. You can run Linux-side centralized authentication with auditing (and even non-repudiation if you are looking to go that way), but you just want to do it independently of Windows Active Directory. I personally always use Kerberos any time I have systems and users in double digits. The only tricky part is keytab management, but that is easily fixed with some thought to the re-key requirements. Have a look at those, as they are other (better) methods of doing what you are wanting to do.
Sent from my iPhone