Creating a Full Privileged User Solution with Novell Privileged User Manager®, Novell Identity Manager® and Novell Sentinel™

Warren Alkire
Senior Technology Specialist
Novell, Inc. / warren.alkire@novell.com
Agenda

    •   Session Focus
    •   Novell Privileged User Manager Implementation Steps
         –   Scope
         –   Requirements Assessment
         –   Design
         –   Develop/Build
         –   Testing
         –   Training
         –   Deployment
    •   Integration with Novell Identity Manager
    •   Integration with Novell Sentinel

2   © Novell, Inc. All rights reserved.
Session Focus

    •   Primary steps to successfully implement Novell Privileged User Manager
    •   Not training on Novell Privileged User Manager
    •   Share implementation tips and strategies
    •   Adding Novell Identity Manager for a full privileged user life cycle solution
    •   Integration with Novell Sentinel
    •   Context is privileged user management implementation – phase 1

Architecture Review

    [Architecture diagram: Agents on the Summit Host and the Run Host, the Manager, the Rules store, and the Event Log and I/O Log, with the request flow between them numbered 1 to 6.]

Compliance Audit Review

    [Diagram: user activity passes through Command Control into the Audit Log, the Compliance Auditor and the Manager; a session event and keystroke log is captured along the way.]

    1   Validate and secure user session (Command Control)
    2   Add audit group and risk rating
    3   Automated rules pull events into the Compliance Auditor database according to pre-defined risk filters
    4   Manager notified by e-mail each night of events waiting to be authorized
    5   Manager logs into Compliance Auditor and authorizes events

    Each event record is color-coded according to the highest rated command risk

Novell Privileged User Manager Implementation Steps – Scope and Time Line

Scope

     •   Approach for phase 1
          –   Just audit
               >   Authorize crush shell from sample commands and set as default
               >   May need to authorize switch to root or other privileged accounts
          –   Audit and analyze
               >   Above plus reporting – use for future privilege segregation
          –   Reduce sudoers file maintenance – one place
               >   Likely require identity management integration
          –   Segregate privileges
               >   Requires grouping/role definition of privileged users
          –   Full scale implementation
               >   Usually not phase 1

Scope

     •   Phase 1 considerations
          –   Environments to manage
               >   Number of systems to manage
               >   Number of different platforms (operating systems)
          –   Initial target systems
               >   Non-production systems may be initial target
          –   Initial user population
               >   Limited administrators – such as print queue creators
               >   Administrators implementing Privileged User Manager
          –   Phasing implementation
               >   Roll out by groups of privileged users
               >   Roll out by groups of managed platforms

Environment Approach

     •   Three Environments
          –   Development, quality assurance/testing, production
          –   Enables testing of roll-out procedures
          –   Set-up for future solution expansion with minimal impact
          –   May be driven by identity management co-project
     •   Two Environments
          –   Development and production
          –   Gives up testing of roll-out procedures
     •   Single Environment
          –   Use built-in testing mechanisms
          –   Extra caution doing future upgrades

How Long Will This Take?

     •   Obviously dependent on scope
     •   Sample implementation assumptions
          –   No integration with identity management systems
          –   Three environments – development, quality assurance/testing, production
          –   All Unix/Linux computers patched to required level
          –   All Unix/Linux computers standardized as much as possible – enables rapid deployment of Novell Privileged User Manager
          –   Use existing software distribution mechanism
          –   No more than 5 command control rules required
          –   No more than 2 compliance reports required

Sample Project Time Estimate

     •   Requirements and design phase – 2 weeks
          –   These phases often combined for Novell Privileged User Manager-only engagement
          –   May not be critical path when combined with identity management implementation
     •   Develop/Build/Unit Test – 3 weeks
     •   User Acceptance/System Integration Testing – 2 weeks
          –   Lengthened if part of identity management project
     •   Deployment to Production/Go live/Support – 2 weeks

Sample Project Team

     •   Novell Privileged User Manager Specialist – 9 weeks
     •   Project Manager – 9 weeks for 8 hours per week
     •   Architect/Senior Specialist – 2 to 3 weeks
          –   Provides additional experience to requirements and design
          –   Design of Novell Privileged User Manager server requirements
          –   Design of managed hosts structure
          –   Validation of design

Novell Privileged User Manager Implementation Steps – Requirements

Requirements Assessment Tasks

     •   Determine Novell Privileged User Manager administration – auditors and administrators
     •   Determine command control requirements
          –   Based on approach determined in scope
          –   May require grouping users into roles
     •   Determine auditing requirements
          –   Audit logs fed to a syslog manager?
          –   Report requirements
          –   Audit rules
          –   Access control within Novell Privileged User Manager
          –   Archiving

Requirements Assessment Tasks (cont.)

     •   Determine account provisioning strategy for target systems
          –   Manual or existing account provisioning process
          –   Integration with identity management system providing account provisioning
     •   Determine host structure, data center, fail over requirements
          –   Platform inventory
          –   Platform location – data center structure
          –   Command Control Manager requirements
          –   Audit Manager requirements – auditing sent separately

Novell Privileged User Manager Implementation Steps – Design

Design Tasks

     •   Design host structure

Host Structure Design Example – Bad Design

    [Host structure diagram: a Data Center 1 Domain holding Framework Manager Agent 1, Audit Manager 1 and an unassigned "?" server; beneath it a Non-Production Domain holding Command Control Manager 1 and Command Control Manager 3 (future); and, as a child of the Non-Production Domain, a Production Domain holding Command Control Manager 2 and Command Control Manager 4 (future).]

Design Tasks

     •   Design host structure
          –   Previous example shows sample host design
          –   Not a good design
               >   Production domain is a child of non-production domain
               >   Updates to parent domain propagate to child domains
               >   Upgrade to non-production domain updates production domain immediately
               >   No way to test upgrades in non-production environment prior to deployment
          –   Better design
               >   Make the “?” server a fail-over Command Control Manager
               >   Make production and non-production domains peers

Design Tasks (cont.)

     •   Design host structure
     •   Design command control rules
     •   Design provisioning of access within Novell Privileged User Manager
          –   Novell Privileged User Manager administrators
          –   Novell Privileged User Manager auditors
     •   Design compliance manager reports
     •   Solution design review

Novell Privileged User Manager Implementation Steps – Develop/Build

Development/Build Tasks

     •   Install Framework Manager
     •   Create host structure
     •   Install Framework Agent on all servers managed by Novell Privileged User Manager (by environment)
     •   Push packages
          –   Audit Managers
          –   Command Control Managers
          –   Possibly some packages to all managed servers
     •   Build and test Command Control rules
     •   Set up SYSLOG if required

Development/Build Tasks (cont.)

     •   Set up audit rules
     •   Configure/develop audit reports
     •   Set up access control within Novell Privileged User Manager
     •   Develop aliases or functions for managed systems
     •   Customer requirements checkpoint
     •   Unit test solution
          –   Testing by the developer
          –   Include positive and negative tests

Novell Privileged User Manager Implementation Steps – Testing: User Acceptance and System Integration

System Integration Testing

     •   Required if Novell Privileged User Manager is part of a larger project for privileged user management
     •   Test with identity management system
          –   Test full user life cycle
          –   Test privileged access managed by Novell Privileged User Manager granted when privileged account active
          –   Test privileged access managed by Novell Privileged User Manager revoked when privileged account is disabled/deleted

Deployment to Test Environment

     •   Prior to system integration or user acceptance testing – whichever is done in the Quality Assurance environment
     •   Software installation on Novell Privileged User Manager servers and target systems
     •   Testing of any automated installation mechanisms – ZENworks®, scripts, jump boxes, Tivoli, etc.
     •   Migration of configuration from development environment
     •   Configuration of Mail (SMTP) server if used

User Acceptance/Go-Live Preparation

     •   User (customer) acceptance testing
          –   Customer testing to ensure stated requirements met
          –   Change management important here
     •   End user training
          –   Part of testing for end users involved in project
          –   Training for privileged users that will use the new solution
          –   Communication!

Novell Privileged User Manager Implementation Steps – Go-Live

Deployment to Production Tasks

     •   Software installation on Novell Privileged User Manager servers and target systems
          –   Novell Privileged User Manager servers (Command Control, Audit) – may use manual installation prior to go-live
          –   Novell Privileged User Manager Agent on managed servers – use automated process tested prior to Quality Assurance testing
     •   End user communications
     •   Configuration migration from Quality Assurance Testing environment
     •   Configure production host structure
     •   Customer additional go-live tasks

Integration with Novell Identity Manager

Novell Identity Manager Integration

     •   Novell method to create a full privileged user solution
     •   Account provisioning if root accounts currently shared
     •   Novell Identity Manager tasks likely the critical path
     •   Novell Identity Manager driver options
          –   Fan-out for Unix/Linux
          –   Nx Settings driver
          –   Unix/Linux bi-directional driver
     •   Fan-out and Nx Settings drivers most likely
          –   Strength is managing large number of Unix/Linux systems
          –   Few user account attributes to manage

Novell Identity Manager Integration (cont.)

     •   Sample Novell privileged user solution
          –   Novell Privileged User Manager
          –   Novell Identity Manager/Roles Based Provisioning Module
               >   Fan-Out driver
               >   Nx Settings driver
               >   eDirectory™ driver to Identity Vault
               >   Scripting driver for Novell Privileged User Manager provisioning
          –   Novell Sentinel
     •   Non-privileged account usual starting point for Novell Privileged User Manager granted privileges
     •   Need account and access provisioning/management

Novell Identity Manager Integration (cont.)

     •   Unprivileged account provisioning options
          –   Provision to /etc/passwd and /etc/shadow
          –   Fan-out PAM re-direction – requires solution for home directory
          –   Other PAM (non-Novell) – requires solution for home directory
          –   “Brand X” provisioning (non-Novell)
     •   Password synchronization often desirable
     •   Provisioning to Novell Privileged User Manager
          –   May facilitate Command Control Manager authorization for privileged access using user account groups
          –   Done by scripting driver or fan-out driver scripts

Example Provisioning to Novell Privileged User Manager

    [Diagram slide; no text recoverable.]

Testing

     •   Novell Identity Manager and Novell Privileged User Manager should be integration tested together
     •   Test full user life cycle
     •   Test privileged command authorization
     •   Ensure Novell Privileged User Manager does not allow privileged access when rights revoked – negative tests
     •   Test password synchronization

Integration with Novell Identity Manager – Account Group Provisioning

User Account Group Provisioning

     •   Method of adding/removing entries in a Privileged User Manager “Account Group”
     •   Interface actually designed for importing/exporting Command Control policies
     •   Best available interface for current product versions
     •   Implemented with scripts – scripting driver or fan-out driver scripts
     •   Not easy to create new groups – new group's key needed for later update
     •   Manipulate existing groups easily

User Account Group Provisioning (cont.)

     •   Command line tool to call CLI methods on certain modules
          –   /opt/novell/npum/sbin/unifi
     •   Uses the XML used by Command Control to export and update policies
     •   Two authentication methods
          –   Pass admin user and password with -u and -p
          –   Use the -n option and native maps in the Framework User Manager to associate a native user on a Framework Manager computer with an admin user
     •   Following examples assume native maps option

User Account Group Provisioning (cont.)

     •   Export the Command Control policy
          –   unifi -n cmdctrl export -c -f ccout.xml
     •   Exports the Command Control policy as XML
     •   Look for UserGroup entity and get key value
     •   Following example has a key value of “2214”

User Account Group Provisioning (cont.)

           <UserGroup name="Entitlement" I.disabled="0" I.id="2214">
             <UserGroup name="Entitlement" I.key="2214">
                <Disabled b.value="0"/>
                <Description value=""/>
                <MgrName value=""/>
                <MgrTel value=""/>
                <MgrEmail value=""/>
                <UserList>
                  <a.User value="admin1@host1:root,newgrp"/>
                </UserList>
             </UserGroup>
           </UserGroup>

User Account Group Provisioning (cont.)

     •   Create a file that contains XML similar to the following
           <UserGroup I.key="2214">
                 <UserList>
                    <a.User value="admin2@host1:root" action="add"/>
                 </UserList>
           </UserGroup>
     •   Pass the above XML into the Command Control import function to load updates to the policy referenced by the key
          –   unifi -n cmdctrl import -f ccin.xml
     •   File named ccin.xml for this example

User Account Group Provisioning (cont.)

     •   Use action='del' to remove an entry
           <UserGroup I.key="2214">
                 <UserList>
                    <a.User value="admin2@host1:root" action="del"/>
                 </UserList>
           </UserGroup>

User Account Group Provisioning (cont.)

     •   Use action='set' to set the entire list
           <UserGroup I.key="2214">
                 <UserList action="set">
                    <a.User value="admin1@host1:root"/>
                    <a.User value="admin2@host1:root"/>
                    <a.User value="admin3@host1:root"/>
                 </UserList>
           </UserGroup>

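Added example (not Novell's script and not the product's own scripting API): Python helpers for the export/import flow on the preceding slides that read a group's key out of the unifi export, build the add/del/set fragments for ccin.xml, and preview the member list the import would produce so a provisioning script can be checked against the intended state before unifi is run. The sample export and its enclosing <Export> root element are constructed assumptions; only the UserGroup fragment comes from the slides.

```python
"""Helpers for the User Account Group provisioning flow described on the
slides: parse the Command Control export, build the import fragment for
ccin.xml, and preview its effect. Added example, not Novell's own script."""
import xml.etree.ElementTree as ET

UNIFI = "/opt/novell/npum/sbin/unifi"  # CLI path given on the slides

# Constructed sample export shaped like the slide's ccout.xml fragment.
# The <Export> root element is an assumption; the real export's root is
# not shown on the slides.
SAMPLE_EXPORT = """<Export>
  <UserGroup name="Entitlement" I.disabled="0" I.id="2214">
    <UserGroup name="Entitlement" I.key="2214">
      <Disabled b.value="0"/>
      <Description value=""/>
      <UserList>
        <a.User value="admin1@host1:root,newgrp"/>
      </UserList>
    </UserGroup>
  </UserGroup>
</Export>"""


def export_command(out_path="ccout.xml"):
    """argv for the export step with native-maps auth (-n), as on the slide."""
    return [UNIFI, "-n", "cmdctrl", "export", "-c", "-f", out_path]


def import_command(in_path="ccin.xml"):
    """argv for the import step that loads an update fragment."""
    return [UNIFI, "-n", "cmdctrl", "import", "-f", in_path]


def find_group(export_xml, name):
    """Inner <UserGroup> element carrying I.key for the named group, or None."""
    for grp in ET.fromstring(export_xml).iter("UserGroup"):
        if grp.get("name") == name and grp.get("I.key"):
            return grp
    return None


def find_group_key(export_xml, name):
    grp = find_group(export_xml, name)
    return None if grp is None else grp.get("I.key")


def group_members(export_xml, name):
    grp = find_group(export_xml, name)
    return [] if grp is None else [u.get("value") for u in grp.iter("a.User")]


def user_entry(user, host, account, *groups):
    """Format 'user@host:account[,group,...]' the way UserList entries appear."""
    suffix = "," + ",".join(groups) if groups else ""
    return f"{user}@{host}:{account}{suffix}"


def build_update(key, entries, action):
    """Import fragment for one group: per-entry add/del, or set (whole list)."""
    if action not in ("add", "del", "set"):
        raise ValueError(f"unsupported action: {action}")
    root = ET.Element("UserGroup", {"I.key": key})
    ulist = ET.SubElement(root, "UserList")
    if action == "set":
        ulist.set("action", "set")
    for entry in entries:
        attrs = {"value": entry}
        if action != "set":
            attrs["action"] = action
        ET.SubElement(ulist, "a.User", attrs)
    return ET.tostring(root, encoding="unicode")


def preview_update(export_xml, update_xml):
    """Member list the group would hold after importing update_xml, applying
    the add/del/set semantics the slides describe. Use it to check a
    generated ccin.xml against the intended state before running unifi."""
    upd = ET.fromstring(update_xml)
    key = upd.get("I.key")
    current = None
    for grp in ET.fromstring(export_xml).iter("UserGroup"):
        if grp.get("I.key") == key:
            current = [u.get("value") for u in grp.iter("a.User")]
            break
    if current is None:
        raise KeyError(f"no UserGroup with I.key={key} in export")
    ulist = upd.find("UserList")
    if ulist is None:
        raise ValueError("update fragment has no UserList")
    if ulist.get("action") == "set":
        return [u.get("value") for u in ulist.iter("a.User")]
    for u in ulist.iter("a.User"):
        value, act = u.get("value"), u.get("action")
        if act == "add" and value not in current:
            current.append(value)
        elif act == "del":
            current = [m for m in current if m != value]
    return current


if __name__ == "__main__":
    key = find_group_key(SAMPLE_EXPORT, "Entitlement")
    update = build_update(key, [user_entry("admin2", "host1", "root")], "add")
    print(update)
    print("after import:", preview_update(SAMPLE_EXPORT, update))
    print(" ".join(import_command("ccin.xml")))
```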
User Account Group Provisioning (cont.)

     •   Example of using Novell Identity Manager to provide authorization within Novell Privileged User Manager
     •   Places entry in the Novell Privileged User Manager User Account Groups
     •   Conditional script checks for entry to authorize execution of privileged commands
     •   Scripts run on the Novell Privileged User Manager server running the master Command Control Manager

Integration with Novell Sentinel

     •   Novell Privileged User Manager audit options
          –   Built in logging and compliance reporting
          –   SYSLOG emitter
          –   Novell Sentinel
     •   Novell Sentinel provides auditing of Novell Identity Manager and Novell Privileged User Manager together
     •   Correlations can be developed

Integration with Novell Sentinel (cont.)

     •   Home > Reporting > Syslog Settings
     •   Set DNS name or IP address of Novell Sentinel Server
     •   Default Novell Sentinel port is 1468
          –   Default syslog port is 514
     •   Do not change the format strings – ${}$
          –   Novell Sentinel instrumented for the full Novell Privileged User Manager strings
     •   Standard events shown in following slide

Novell Sentinel Configuration

    [Screenshot of the Novell Privileged User Manager syslog settings for Novell Sentinel; no text recoverable.]

Questions and Answers
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.


General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

Privileged Access Management (PAM)danb02
 
Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...
Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...
Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...CA Technologies
 
Tech Talk: Privileged Account Management Maturity Model
Tech Talk: Privileged Account Management Maturity ModelTech Talk: Privileged Account Management Maturity Model
Tech Talk: Privileged Account Management Maturity ModelCA Technologies
 
Deep Dive: CA Privileged Access Manager
Deep Dive: CA Privileged Access ManagerDeep Dive: CA Privileged Access Manager
Deep Dive: CA Privileged Access ManagerCA Technologies
 
NetIQ identity powered security
NetIQ identity powered security   NetIQ identity powered security
NetIQ identity powered security Finceptum Oy
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 

Viewers also liked (10)

Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...
Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...
Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...
 
Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...
Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...
Introducing Novell Privileged User Manager and Securing Novell Open Enterpris...
 
Risk management of privileged users 2
Risk management of privileged users 2Risk management of privileged users 2
Risk management of privileged users 2
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...
Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...
Tech Talk: Governing your Privileged Users – A Key Step Towards Reducing the ...
 
Tech Talk: Privileged Account Management Maturity Model
Tech Talk: Privileged Account Management Maturity ModelTech Talk: Privileged Account Management Maturity Model
Tech Talk: Privileged Account Management Maturity Model
 
Deep Dive: CA Privileged Access Manager
Deep Dive: CA Privileged Access ManagerDeep Dive: CA Privileged Access Manager
Deep Dive: CA Privileged Access Manager
 
NetIQ identity powered security
NetIQ identity powered security   NetIQ identity powered security
NetIQ identity powered security
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 

Similar to Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

Integrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity ManagerIntegrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity ManagerNovell
 
Wallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access ControlWallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access Controlzayedalji
 
Five Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption DisastersFive Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption DisastersVenafi
 
2V_presentation
2V_presentation2V_presentation
2V_presentationnrvikhyath
 
2 v presentation_new
2 v presentation_new2 v presentation_new
2 v presentation_newnrvikhyath
 
New trends in testing automation
New trends in testing automationNew trends in testing automation
New trends in testing automationEran Kinsbrunner
 
461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11anup4704
 
Презентация
ПрезентацияПрезентация
Презентацияguest22d71d
 
OOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management PackOOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management Packjucaab
 
Session on evaluation of DevSecOps
Session on evaluation of DevSecOpsSession on evaluation of DevSecOps
Session on evaluation of DevSecOpsAbdullah al Mamun
 
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...Novell
 
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloudPre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloudwwwally
 
ProcessGene GRC Software Suite
ProcessGene GRC Software SuiteProcessGene GRC Software Suite
ProcessGene GRC Software SuiteProcessGene Ltd
 
SOFTWARE VERIFICATION & VALIDATION
SOFTWARE VERIFICATION & VALIDATIONSOFTWARE VERIFICATION & VALIDATION
SOFTWARE VERIFICATION & VALIDATIONAmin Bandeali
 
Continuous Delivery using Release Management Automation
Continuous Delivery using Release Management AutomationContinuous Delivery using Release Management Automation
Continuous Delivery using Release Management AutomationPremkumar Veerakumar
 

Similar to Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel (20)

Integrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity ManagerIntegrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity Manager
 
Adv prod tools assgn5
Adv prod tools assgn5Adv prod tools assgn5
Adv prod tools assgn5
 
Wallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access ControlWallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access Control
 
Five Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption DisastersFive Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption Disasters
 
2V_presentation
2V_presentation2V_presentation
2V_presentation
 
2 v presentation_new
2 v presentation_new2 v presentation_new
2 v presentation_new
 
iPOTTEAM : Increasing Technology Expectations
iPOTTEAM : Increasing Technology ExpectationsiPOTTEAM : Increasing Technology Expectations
iPOTTEAM : Increasing Technology Expectations
 
iPOTTEAM - Increasing Technology Expectations
iPOTTEAM - Increasing Technology ExpectationsiPOTTEAM - Increasing Technology Expectations
iPOTTEAM - Increasing Technology Expectations
 
New trends in testing automation
New trends in testing automationNew trends in testing automation
New trends in testing automation
 
461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11461361 1013243 chapter_2_dec__11
461361 1013243 chapter_2_dec__11
 
Презентация
ПрезентацияПрезентация
Презентация
 
Engineering operations
Engineering operationsEngineering operations
Engineering operations
 
OOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management PackOOW 09 EBS Application Change Management Pack
OOW 09 EBS Application Change Management Pack
 
Session on evaluation of DevSecOps
Session on evaluation of DevSecOpsSession on evaluation of DevSecOps
Session on evaluation of DevSecOps
 
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
Simplified, Robust and Speedy Novell Identity Manager Implementation with Des...
 
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloudPre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
 
ProcessGene GRC Software Suite
ProcessGene GRC Software SuiteProcessGene GRC Software Suite
ProcessGene GRC Software Suite
 
Enterprise Security & SSO
Enterprise Security & SSOEnterprise Security & SSO
Enterprise Security & SSO
 
SOFTWARE VERIFICATION & VALIDATION
SOFTWARE VERIFICATION & VALIDATIONSOFTWARE VERIFICATION & VALIDATION
SOFTWARE VERIFICATION & VALIDATION
 
Continuous Delivery using Release Management Automation
Continuous Delivery using Release Management AutomationContinuous Delivery using Release Management Automation
Continuous Delivery using Release Management Automation
 

More from Novell

Filr white paper
Filr white paperFilr white paper
Filr white paperNovell
 
Social media class 4 v2
Social media class 4 v2Social media class 4 v2
Social media class 4 v2Novell
 
Social media class 3
Social media class 3Social media class 3
Social media class 3Novell
 
Social media class 2
Social media class 2Social media class 2
Social media class 2Novell
 
Social media class 1
Social media class 1Social media class 1
Social media class 1Novell
 
Social media class 2 v2
Social media class 2 v2Social media class 2 v2
Social media class 2 v2Novell
 
LinkedIn training presentation
LinkedIn training presentationLinkedIn training presentation
LinkedIn training presentationNovell
 
Twitter training presentation
Twitter training presentationTwitter training presentation
Twitter training presentationNovell
 
Getting started with social media
Getting started with social mediaGetting started with social media
Getting started with social mediaNovell
 
Strategies for sharing and commenting in social media
Strategies for sharing and commenting in social mediaStrategies for sharing and commenting in social media
Strategies for sharing and commenting in social mediaNovell
 
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECHInformation Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECHNovell
 
Workload iq final
Workload iq   finalWorkload iq   final
Workload iq finalNovell
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused EnterpriseNovell
 
Shining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of SocialShining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of SocialNovell
 
Accelerate to the Cloud
Accelerate to the CloudAccelerate to the Cloud
Accelerate to the CloudNovell
 
The New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsThe New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsNovell
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 
Iaas for a demanding business
Iaas for a demanding businessIaas for a demanding business
Iaas for a demanding businessNovell
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachNovell
 
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Novell
 

More from Novell (20)

Filr white paper
Filr white paperFilr white paper
Filr white paper
 
Social media class 4 v2
Social media class 4 v2Social media class 4 v2
Social media class 4 v2
 
Social media class 3
Social media class 3Social media class 3
Social media class 3
 
Social media class 2
Social media class 2Social media class 2
Social media class 2
 
Social media class 1
Social media class 1Social media class 1
Social media class 1
 
Social media class 2 v2
Social media class 2 v2Social media class 2 v2
Social media class 2 v2
 
LinkedIn training presentation
LinkedIn training presentationLinkedIn training presentation
LinkedIn training presentation
 
Twitter training presentation
Twitter training presentationTwitter training presentation
Twitter training presentation
 
Getting started with social media
Getting started with social mediaGetting started with social media
Getting started with social media
 
Strategies for sharing and commenting in social media
Strategies for sharing and commenting in social mediaStrategies for sharing and commenting in social media
Strategies for sharing and commenting in social media
 
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECHInformation Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
 
Workload iq final
Workload iq   finalWorkload iq   final
Workload iq final
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused Enterprise
 
Shining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of SocialShining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of Social
 
Accelerate to the Cloud
Accelerate to the CloudAccelerate to the Cloud
Accelerate to the Cloud
 
The New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsThe New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration Trends
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Iaas for a demanding business
Iaas for a demanding businessIaas for a demanding business
Iaas for a demanding business
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated Approach
 
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
 

Creating a Full Privileged User Solution with Novell Privileged User Manager, Novell Identity Manager and Novell Sentinel

  • 1. Creating a Full Privileged User Solution with Novell® Privileged User Manager, Novell® Identity Manager and Novell Sentinel™
        Warren Alkire, Senior Technology Specialist, Novell, Inc. / warren.alkire@novell.com
  • 2. Agenda
        • Session Focus
        • Novell Privileged User Manager Implementation Steps
          – Scope
          – Requirements Assessment
          – Design
          – Develop/Build
          – Testing
          – Training
          – Deployment
        • Integration with Novell Identity Manager
        • Integration with Novell Sentinel
        © Novell, Inc. All rights reserved.
  • 3. Session Focus
        • Primary steps to successfully implement Novell Privileged User Manager
        • Not training on Novell Privileged User Manager
        • Share implementation tips and strategies
        • Adding Novell Identity Manager for a full privileged user life cycle solution
        • Integration with Novell Sentinel
        • Context is privileged user management implementation – phase 1
  • 4. Architecture Review
        [Architecture diagram: Agent on the Summit Host, the Manager with its Rules, Agent on the Run Host, and the Event Log and I/O Log, with the request flow numbered 1 to 6]
  • 5. Compliance Audit Review
        [Diagram: Command Control, Audit Rules, session event and keystroke log, Compliance Auditor; flow recovered from the slide:]
        1. User activity – Command Control validates and secures the user session
        2. Audit Rules add the audit group and risk rating; session event and keystroke log written
        3. Automated rules pull events into the Compliance Auditor database according to pre-defined risk filters
        4. Manager notified by e-mail each night of events waiting to be authorized
        5. Manager logs into Compliance Auditor and authorizes events
        Each event record is color-coded according to the highest rated command risk.
  • 6. Novell Privileged User Manager Implementation Steps – Scope and Time Line
  • 7. Scope
        Approach for phase 1
        – Just audit
          > Authorize crush shell from sample commands and set as default
          > May need to authorize switch to root or other privileged accounts
        – Audit and analyze
          > Above plus reporting – use for future privilege segregation
        – Reduce sudoers file maintenance – one place
          > Likely require identity management integration
        – Segregate privileges
          > Requires grouping/role definition of privileged users
        – Full scale implementation
          > Usually not phase 1
  • 8. Scope
        Phase 1 considerations
        – Environments to manage
          > Number of systems to manage
          > Number of different platforms (operating systems)
        – Initial target systems
          > Non-production systems may be initial target
        – Initial user population
          > Limited administrators – such as print queue creators
          > Administrators implementing Privileged User Manager
        – Phasing implementation
          > Roll out by groups of privileged users
          > Roll out by groups of managed platforms
  • 9. Environment Approach
        • Three Environments
          – Development, quality assurance/testing, production
          – Enables testing of roll-out procedures
          – Set-up for future solution expansion with minimal impact
          – May be driven by identity management co-project
        • Two Environments
          – Development and production
          – Gives up testing of roll-out procedures
        • Single Environment
          – Use built-in testing mechanisms
          – Extra caution doing future upgrades
  • 10. How Long Will This Take?
        • Obviously dependent on scope
        • Sample implementation assumptions
          – No integration with identity management systems
          – Three environments – development, quality assurance/testing, production
          – All Unix/Linux computers patched to required level
          – All Unix/Linux computers standardized as much as possible – enables rapid deployment of Novell Privileged User Manager
          – Use existing software distribution mechanism
          – No more than 5 command control rules required
          – No more than 2 compliance reports required
  • 11. Sample Project Time Estimate
        • Requirements and design phase – 2 weeks
          – These phases often combined for a Novell Privileged User Manager-only engagement
          – May not be critical path when combined with identity management implementation
        • Develop/Build/Unit Test – 3 weeks
        • User Acceptance/System Integration Testing – 2 weeks
          – Lengthened if part of identity management project
        • Deployment to Production/Go live/Support – 2 weeks
  • 12. Sample Project Team
        • Novell Privileged User Manager Specialist – 9 weeks
        • Project Manager – 9 weeks for 8 hours per week
        • Architect/Senior Specialist – 2 to 3 weeks
          – Provides additional experience to requirements and design
          – Design of Novell Privileged User Manager server requirements
          – Design of managed hosts structure
          – Validation of design
  • 13. Novell Privileged User Manager Implementation Steps – Requirements
  • 14. Requirements Assessment Tasks
        • Determine Novell Privileged User Manager administration – auditors and administrators
        • Determine command control requirements
          – Based on approach determined in scope
          – May require grouping users into roles
  • 15. Requirements Assessment Tasks
  • 16. Requirements Assessment Tasks
        • Determine Novell Privileged User Manager administration – auditors and administrators
        • Determine command control requirements
          – Based on approach determined in scope
          – May require grouping users into roles
        • Determine auditing requirements
          – Audit logs fed to a syslog manager?
          – Report requirements
          – Audit rules
          – Access control within Novell Privileged User Manager
          – Archiving
  • 17. Requirements Assessment Tasks (cont.)
  • 18. Requirements Assessment Tasks (cont.)
        • Determine account provisioning strategy for target systems
          – Manual or existing account provisioning process
          – Integration with identity management system providing account provisioning
        • Determine host structure, data center, fail over requirements
          – Platform inventory
          – Platform location – data center structure
          – Command Control Manager requirements
          – Audit Manager requirements – auditing sent separately
  • 19. Novell Privileged User Manager Implementation Steps – Design
  • 20. Design Tasks
        Design host structure
  • 21. Host Structure Design Example
        [Diagram – "Bad Design": Data Center 1 holds a Non-Production Domain (Framework Manager, Domain Agent 1) with a Production Domain nested beneath it (Audit Manager 1, Command Control Manager 1, Command Control Manager 2, an unlabelled "?" server, Command Control Manager 3 (future), Command Control Manager 4 (future))]
  • 22. Design Tasks
        Design host structure
        – Previous example shows sample host design
        – Not a good design
          > Production domain is a child of non-production domain
          > Updates to parent domain propagate to child domains
          > Upgrade to non-production domain updates production domain immediately
          > No way to test upgrades in non-production environment prior to deployment
        – Better design
          > Make the "?" server a fail-over Command Control Manager
          > Make production and non-production domains peers
  • 23. Design Tasks (cont.)
        • Design host structure
        • Design command control rules
        • Design provisioning of access within Novell Privileged User Manager
          – Novell Privileged User Manager administrators
          – Novell Privileged User Manager auditors
        • Design compliance manager reports
        • Solution design review
  • 24. Novell Privileged User Manager Implementation Steps – Develop/Build
  • 25. Development/Build Tasks
        • Install Framework Manager
        • Create host structure
        • Install Framework Agent on all servers managed by Novell Privileged User Manager (by environment)
        • Push packages
          – Audit Managers
          – Command Control Managers
          – Possibly some packages to all managed servers
        • Build and test Command Control rules
        • Set up SYSLOG if required
  • 26. Development/Build Tasks (cont.)
        • Set up audit rules
        • Configure/develop audit reports
        • Set up access control within Novell Privileged User Manager
        • Develop aliases or functions for managed systems
        • Customer requirements checkpoint
        • Unit test solution
          – Testing by the developer
          – Include positive and negative tests
  • 27. Novell Privileged User Manager Implementation Steps – Testing: User Acceptance and System Integration
  • 28. System Integration Testing
        • Required if Novell Privileged User Manager is part of a larger project for privileged user management
        • Test with identity management system
          – Test full user life cycle
          – Test privileged access managed by Novell Privileged User Manager granted when privileged account active
          – Test privileged access managed by Novell Privileged User Manager revoked when privileged account is disabled/deleted
  • 29. Deployment to Test Environment
        • Prior to system integration or user acceptance testing – whichever done in Quality Assurance environment
        • Software installation on Novell Privileged User Manager servers and target systems
        • Testing of any automated installation mechanisms – ZENworks, scripts, jump boxes, Tivoli, etc.
        • Migration of configuration from development environment
        • Configuration of Mail (SMTP) server if used
  • 30. User Acceptance/Go-Live Preparation
        • User (customer) acceptance testing
          – Customer testing to ensure stated requirements met
          – Change management important here
        • End user training
          – Part of testing for end users involved in project
          – Training for privileged users that will use the new solution
          – Communication!
  • 31. Novell Privileged User Manager Implementation Steps – Go-Live
  • 32. Deployment to Production Tasks
        • Software installation on Novell Privileged User Manager servers and target systems
          – Novell Privileged User Manager servers (Command Control, Audit) – may use manual installation prior to go-live
          – Novell Privileged User Manager Agent on managed servers – use automated process tested prior to Quality Assurance testing
        • End user communications
        • Configuration migration from Quality Assurance Testing environment
        • Configure production host structure
        • Customer additional go-live tasks
  • 33. Integration with Novell Identity Manager
  • 34. Novell Identity Manager Integration
        Novell method to create a full privileged user solution
        • Account provisioning if root accounts currently shared
        • Novell Identity Manager tasks likely the critical path
        • Novell Identity Manager driver options
          – Fan-out for Unix/Linux
          – Nx Settings driver
          – Unix/Linux bi-directional driver
        • Fan-out and Nx Settings drivers most likely
          – Strength is managing large number of Unix/Linux systems
          – Few user account attributes to manage
  • 35. Novell Identity Manager Integration (cont.)
        Sample Novell privileged user solution
        – Novell Privileged User Manager
        – Novell Identity Manager/Roles Based Provisioning Module
          > Fan-Out driver
          > Nx Settings driver
          > eDirectory driver to Identity Vault
          > Scripting driver for Novell Privileged User Manager provisioning
        – Novell Sentinel
        • Non-privileged account is the usual starting point for privileges granted by Novell Privileged User Manager
        • Need account and access provisioning/management
  • 36. Novell Identity Manager Integration (cont.)
        • Unprivileged account provisioning options
          – Provision to /etc/passwd and /etc/shadow
          – Fan-out PAM re-direction – requires solution for home directory
          – Other PAM (non-Novell) – requires solution for home directory
          – "Brand X" provisioning (non-Novell)
        • Password synchronization often desirable
        • Provisioning to Novell Privileged User Manager
          – May facilitate Command Control Manager authorization for privileged access using user account groups
          – Done by scripting driver or fan-out driver scripts
  • 37. Example Provisioning to Novell Privileged User Manager
        [Diagram slide]
  • 38. Testing
        • Novell Identity Manager and Novell Privileged User Manager should be integration tested together
        • Test full user life cycle
        • Test privileged command authorization
        • Ensure Novell Privileged User Manager does not allow privileged access when rights revoked – negative tests
        • Test password synchronization
  • 39. Integration with Novell Identity Manager ® Account Group Provisioning
  • 40. User Account Group Provisioning • Method of adding/removing entries in a Privileged User manager “Account Group” • Interface actually designed for importing/exporting Command Control policies • Best available interface for current product versions • Implemented with scripts – scripting driver or fan-out driver scripts • Not easy to create new groups – new group's key needed for later update • Manipulate existing groups easily 40 © Novell, Inc. All rights reserved.
  • 41. User Account Group Provisioning (cont.) • Command line tool to call CLI methods on certain modules – /opt/novell/npum/sbin/unifi • Uses the XML used by Command Control to export and update policies • Two authentication methods – Pass admin user and password with -u and -p – Use the -n option and native maps in the Framework User Manager to associate a native user on a Framework Manager computer with an admin user • Following examples assume native maps option 41 © Novell, Inc. All rights reserved.
  • 42. User Account Group Provisioning (cont.) • Export the Command Control policy – unifi -n cmdctrl export -c -f ccout.xml • Exports the Command Control policy as XML • Look for UserGroup entity and get key value • Following example has a key value of “2214” 42 © Novell, Inc. All rights reserved.
  • 43. User Account Group Provisioning (cont.) <UserGroup name="Entitlement" I.disabled="0" I.id="2214"> <UserGroup name="Entitlement" I.key="2214"> <Disabled b.value="0"/> <Description value=""/> <MgrName value=""/> <MgrTel value=""/> <MgrEmail value=""/> <UserList> <a.User value="admin1@host1:root,newgrp"/> </UserList> </UserGroup> </UserGroup> 43 © Novell, Inc. All rights reserved.
• 44. User Account Group Provisioning (cont.)
  • Create a file that contains XML similar to the following
    <UserGroup I.key="2214">
      <UserList>
        <a.User value="admin2@host1:root" action="add"/>
      </UserList>
    </UserGroup>
  • Pass the above XML into the Command Control import function to load updates to the policy referenced by the key
    – unifi -n cmdctrl import -f ccin.xml
  • The file is named ccin.xml for this example
• 45. User Account Group Provisioning (cont.)
  • Use action='del' to remove an entry
    <UserGroup I.key="2214">
      <UserList>
        <a.User value="admin2@host1:root" action="del"/>
      </UserList>
    </UserGroup>
• 46. User Account Group Provisioning (cont.)
  • Use action='set' to set the entire list
    <UserGroup I.key="2214">
      <UserList action="set">
        <a.User value="admin1@host1:root"/>
        <a.User value="admin2@host1:root"/>
        <a.User value="admin3@host1:root"/>
      </UserList>
    </UserGroup>
• 47. User Account Group Provisioning (cont.)
  • Example of using Novell® Identity Manager to provide authorization within Novell® Privileged User Manager
  • Places an entry in the Novell Privileged User Manager User Account Groups
  • A conditional script checks for the entry to authorize execution of privileged commands
  • Scripts run on the Novell Privileged User Manager server running the master Command Control Manager
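The account-group update flow of slides 40 to 47, worked through in Python as an added example that is not from the presentation or from Novell: it locates the User Group key in a cmdctrl export, diffs the group's current members against the membership the Identity Manager driver wants, and emits the ccin.xml fragments that unifi imports. The sample export, its <CommandControl> wrapper element and the second member entry are constructed for this example and are not a documented export format.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide 43 export. The <CommandControl>
# wrapper and the second member are assumptions made for this example.
SAMPLE_EXPORT = """<CommandControl>
  <UserGroup name="Entitlement" I.disabled="0" I.id="2214">
    <UserGroup name="Entitlement" I.key="2214">
      <Disabled b.value="0"/>
      <UserList>
        <a.User value="admin1@host1:root,newgrp"/>
        <a.User value="oldadmin@host1:root"/>
      </UserList>
    </UserGroup>
  </UserGroup>
</CommandControl>"""

def find_group_key(export_xml, group_name):
    """Return the I.key of the named, existing User Group (slide 42), or None."""
    for ug in ET.fromstring(export_xml).iter("UserGroup"):
        if ug.get("name") == group_name and ug.get("I.key"):
            return ug.get("I.key")
    return None

def current_members(export_xml, key):
    """Entries (user@host:runas form) currently in the group's UserList."""
    for ug in ET.fromstring(export_xml).iter("UserGroup"):
        if ug.get("I.key") == key:
            return [u.get("value") for u in ug.iter("a.User")]
    return []

def plan_changes(current, desired):
    """Diff the driver's desired membership against PUM: (to_add, to_del)."""
    return (sorted(set(desired) - set(current)),
            sorted(set(current) - set(desired)))

def build_update(key, action, entries):
    """ccin.xml body: per-entry add/del (slides 44-45) or whole-list set (slide 46)."""
    if action not in ("add", "del", "set"):
        raise ValueError("action must be add, del or set")
    ug = ET.Element("UserGroup", {"I.key": key})
    ul = ET.SubElement(ug, "UserList", {"action": "set"} if action == "set" else {})
    for entry in entries:
        attrs = {"value": entry} if action == "set" else {"value": entry, "action": action}
        ET.SubElement(ul, "a.User", attrs)
    return ET.tostring(ug, encoding="unicode")

def import_command(path="ccin.xml"):
    """argv for the slide 44 import step, using native-maps authentication (-n)."""
    return ["/opt/novell/npum/sbin/unifi", "-n", "cmdctrl", "import", "-f", path]
```

A driver script would write the result of build_update to ccin.xml and then run import_command on the master Command Control Manager host, as the slides describe.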
• 48. Integration with Novell® Sentinel™
• 49. Integration with Novell® Sentinel™
  • Novell® Privileged User Manager audit options
    – Built-in logging and compliance reporting
    – SYSLOG emitter
    – Novell Sentinel
  • Novell Sentinel provides auditing of Novell Identity Manager and Novell Privileged User Manager together
  • Correlations can be developed
• 50. Integration with Novell® Sentinel™ (cont.)
  • Home > Reporting > Syslog Settings
  • Set the DNS name or IP address of the Novell Sentinel server
  • Default Novell Sentinel port is 1468
    – Default syslog port is 514
  • Do not change the format strings – ${}$
    – Novell Sentinel is instrumented for the full Novell Privileged User Manager strings
  • Standard events shown in the following slide
• 51. Novell® Sentinel™ Configuration
• 54. Unpublished Work of Novell, Inc. All Rights Reserved.
  This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

  General Disclaimer
  This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.