...ntegrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator http://community.centrify.com/t5/TechBlog/Labs-Integrating-ServiceNow-Approvals-to-Centrify-enhanced-sudo/ba-p/24850
What is the dzdo validator?
It's a way to customize the behavior of Centrify-enhanced sudo.
How is it implemented?
Via the dzdo.validator parameter in /etc/centrifydc/centrifydc.conf
Via the GPO "Require dzdo command validation check" in with Computer Configuration/Policies/Centrify
Sample Validator - Provide a Change Control Number
Centrify provides a sample validator located under /usr/share/centrifydc/sbin, it's called dzcheck.sample. It prompts for a change control number when elevating. Example:
$ dzdo tail /var/log/messages
Enter the change control ticket number:1255
The validator, sends the following data to syslog:
Nov 7 15:04:39 engcen6 dzcheck.sample: User "email@example.com" will run "/usr/bin/tail /var/log/messages" as "root" with ticket number "1255"
If you're running DirectAudit, the Audit Analyzer displays the following event:
The benefit here is that you could search for al DA sessions related to a particular change control number.
With the configuration file
Open the /etc/centrifydc/centrifydc.conf file for editing
Uncomment the dzdo.validator and set it to your script. E.g.