What is the dzdo validator?

It's a way to customize the behavior of Centrify-enhanced sudo.

How is it implemented?

Via the dzdo.validator parameter in /etc/centrifydc/centrifydc.conf

Via the GPO "Require dzdo command validation check" in  with Computer Configuration/Policies/Centrify

Sample Validator - Provide a Change Control Number

Centrify provides a sample validator located under /usr/share/centrifydc/sbin, it's called dzcheck.sample.  It prompts for a change control number when elevating.  Example:

$ dzdo tail /var/log/messages
Enter the change control ticket number:1255

 The validator, sends the following data to syslog:

Nov  7 15:04:39 engcen6 dzcheck.sample[35173]: User "dwirth@centrify.vms" will run "/usr/bin/tail /var/log/messages" as "root" with ticket number "1255"

 If you're running DirectAudit, the Audit Analyzer displays the following event:

The benefit here is that you could search for al DA sessions related to a particular change control number.

Implementation

With the configuration file

1. Open the /etc/centrifydc/centrifydc.conf file for editing
2. Uncomment the dzdo.validator and set it to your script.  E.g.

   dzdo.validator: /usr/share/centrifydc/sbin/dzcheck

3.  Perform and adreload (or restart the agent)

With group policy:

1. Edit a group policy that is in the scope of the target system(s)
2. Navigate to Computer Configuration/Policies/Centrify Settings/DirectControl Settings/Dzdo Settings
3. Enable the Require dzdo command validation check and point it to the destination of your script.  For example:
   
4. On the target system, issue the adgpupdate command

Video

Related Articles: 

[Labs] Integrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator

http://community.centrify.com/t5/TechBlog/Labs-Integrating-ServiceNow-Approvals-to-Centrify-enhanced-sudo/ba-p/24850