Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

HOWTO: Use the dzdo validator to add aditional information in UNIX/Linux privilege elevation

18 December,19 at 11:47 AM

What is the dzdo validator?

It's a way to customize the behavior of Centrify-enhanced sudo.


How is it implemented?

Via the dzdo.validator parameter in /etc/centrifydc/centrifydc.conf

Via the GPO "Require dzdo command validation check" in  with Computer Configuration/Policies/Centrify


Sample Validator - Provide a Change Control Number

Centrify provides a sample validator located under /usr/share/centrifydc/sbin, it's called dzcheck.sample.  It prompts for a change control number when elevating.  Example:


$ dzdo tail /var/log/messages
Enter the change control ticket number:1255

 The validator, sends the following data to syslog:

Nov  7 15:04:39 engcen6 dzcheck.sample[35173]: User "dwirth@centrify.vms" will run "/usr/bin/tail /var/log/messages" as "root" with ticket number "1255"

 If you're running DirectAudit, the Audit Analyzer displays the following event:

DirectAudit Analyzer - dzdo.validator event.jpg

The benefit here is that you could search for al DA sessions related to a particular change control number.



With the configuration file

  1. Open the /etc/centrifydc/centrifydc.conf file for editing
  2. Uncomment the dzdo.validator and set it to your script.  E.g.
    dzdo.validator: /usr/share/centrifydc/sbin/dzcheck
  3.  Perform and adreload (or restart the agent)

With group policy:

  1. Edit a group policy that is in the scope of the target system(s)
  2. Navigate to Computer Configuration/Policies/Centrify Settings/DirectControl Settings/Dzdo Settings
  3. Enable the Require dzdo command validation check and point it to the destination of your script.  For example:
    Group Policy - dzdo validator.jpg
  4. On the target system, issue the adgpupdate command




Related Articles: 

[Labs] Integrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator