Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5314: Running dzdo commands with -i parameter and Direct Audit enabled

Auditing and Monitoring Service ,   Authentication Service ,  

26 February,19 at 08:47 PM

Problem: 
When running a privlege command on UNIX terminal using dzdo with -i parameter and Direct Audit enabled, it failed stating that it has changed to use a different shell.

The UNIX machine has the following script file available:
[root@RHEL64Frank frank12test2]# ls -al test.sh
-rwxr--r--. 1 root root 176 May 12 23:22 test.sh

The following privilege command is setup at Centrify DirectManage Access Manager:
Original privilege command properties


In Cenrify DirectAudit up to 3.1.0 (from Centrify Server Suite up to 2013 update 2):

frank12test2@RHEL64Frank ~]$ dzdo -i /home/frank12test2/test.sh
Sorry, user frank12test2 is not allowed to execute '/da/cdashmod -c /home/frank12test2/test.sh' as root on RHEL64Frank.

In Centrify DirectAuthorize from 5.1.1 up to 5.2.1 (from Centrify Server Suite 2013 update 3 up to 2014 update 1):
[frank12test2@RHEL64Frank ~]$ dzdo -i /home/frank12test2/test.sh
Sorry, user frank.test.2 is not allowed to execute '/bin/centrifyda -c /home/frank12test2/test_dzdo.sh' as root on RHEL64Frank.

In Cenrify DirectAuthorize 5.2.2 (from Centrify Server Suite 2015):
frank12test2@RHEL64Frank ~]$ dzdo -i /home/frank12test2/test.sh
Sorry, user frank12test2 is not allowed to execute '/bin/bash -c /home/frank12test2/test.sh' as root on RHEL64Frank.


Workaround:


When dzdo is used with "-i" switch, it uses the user login shell to run the command. If the user is under auditing, the user login shell will be replaced by DirectAudit audit shell. In Suite 2013.2 and older, the DirectAudit audit shell is /da/cdashmod, in Suite 2013.3, 2014 and 2014.1, the DirectAudit audit shell is /bin/centrifyda and on Suite 2015 onwards, it is retrieved from the SHELL environment variable (eg. /bin/bash). When configuring command definitions in Access Manager or adedit, the user needs to specify the command using the DirectAudit audit shell in order to ensure correct match of the command expression. 
For example, if user wants to run "dzdo -i ./test.sh", he needs to define the privilege command definitions as following:


For Centrify DirectAudit up to 3.1.0 (from Centrify Server Suite up to 2013 update 2):
/da/cdashmod -c /<absolute_path>/test.sh


For Centrify DirectAudit from 3.1.1 up to 3.2.1 (from Centrify Server Suite 2013 update 3 up to 2014 update 1):

/bin/centrifyda -c /<absolute_path>/test.sh

For Centrify DirectAudit 3.2.2 onwards (from Centrify Server Suite 2015 onwards) with /bin/bash as their SHELL environment variable:

/bin/bash -c /<absolute_path>/test.sh
Privilege command configuration for Suite 2015

Command output with privilege commands configured:
Command Output

Related Articles

 No related Articles