26 February,19 at 08:47 PM
When running a privileged command on a UNIX terminal using dzdo with the -i parameter and DirectAudit enabled, the command fails with a message showing that it was changed to use a different shell.
The UNIX machine has the following script file available:
[root@RHEL64Frank frank12test2]# ls -al test.sh
-rwxr--r--. 1 root root 176 May 12 23:22 test.sh
The following privilege command is set up in Centrify DirectManage Access Manager:
In Centrify DirectAudit up to 3.1.0 (from Centrify Server Suite up to 2013 update 2):
[frank12test2@RHEL64Frank ~]$ dzdo -i /home/frank12test2/test.sh
Sorry, user frank12test2 is not allowed to execute '/da/cdashmod -c /home/frank12test2/test.sh' as root on RHEL64Frank.
In Centrify DirectAuthorize from 5.1.1 up to 5.2.1 (from Centrify Server Suite 2013 update 3 up to 2014 update 1):
[frank12test2@RHEL64Frank ~]$ dzdo -i /home/frank12test2/test.sh
Sorry, user frank.test.2 is not allowed to execute '/bin/centrifyda -c /home/frank12test2/test_dzdo.sh' as root on RHEL64Frank.
In Centrify DirectAuthorize 5.2.2 (from Centrify Server Suite 2015):
[frank12test2@RHEL64Frank ~]$ dzdo -i /home/frank12test2/test.sh
Sorry, user frank12test2 is not allowed to execute '/bin/bash -c /home/frank12test2/test.sh' as root on RHEL64Frank.
Workaround:
When dzdo is used with the "-i" switch, it uses the user's login shell to run the command. If the user is under auditing, the user's login shell is replaced by the DirectAudit audit shell. In Suite 2013.2 and older, the DirectAudit audit shell is /da/cdashmod; in Suite 2013.3, 2014 and 2014.1, it is /bin/centrifyda; and from Suite 2015 onwards, it is retrieved from the SHELL environment variable (e.g. /bin/bash). When configuring command definitions in Access Manager or adedit, the command must be specified with the DirectAudit audit shell so that the command expression matches correctly.
For example, if a user wants to run "dzdo -i ./test.sh", the privilege command definition needs to be defined as follows:
For Centrify DirectAudit up to 3.1.0 (from Centrify Server Suite up to 2013 update 2):
/da/cdashmod -c /<absolute_path>/test.sh
For Centrify DirectAudit from 3.1.1 up to 3.2.1 (from Centrify Server Suite 2013 update 3 up to 2014 update 1):
/bin/centrifyda -c /<absolute_path>/test.sh
For Centrify DirectAudit 3.2.2 onwards (from Centrify Server Suite 2015 onwards) with /bin/bash as their SHELL environment variable:
/bin/bash -c /<absolute_path>/test.sh
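The following sh script is an added example, not Centrify code: it reads a dzdo denial line, extracts the command string dzdo tried to match, and names the wrapper according to the version mapping above. The function names are hypothetical and the sample input is the three denial lines quoted on this page.

```shell
#!/bin/sh
# Added example (not Centrify code): read a dzdo denial line and report the
# command string that the command definition has to match.

# Extract the text between the single quotes of a denial line.
denied_command() {
    printf '%s\n' "$1" | sed -n \
        "s/^Sorry, user .* is not allowed to execute '\(.*\)' as .* on .*\.\$/\1/p"
}

# Name the wrapper "dzdo -i" put in front of the script, per the mapping above.
# Assumption: any other absolute path followed by -c is the user's SHELL value.
wrapper_kind() {
    case "$1" in
        "/da/cdashmod -c "*)    echo "audit shell, Suite 2013.2 and older" ;;
        "/bin/centrifyda -c "*) echo "audit shell, Suite 2013.3 to 2014.1" ;;
        /*" -c "*)              echo "shell from SHELL, Suite 2015 onwards" ;;
        *)                      echo "no shell wrapper" ;;
    esac
}

# Print the definition to configure; fail on lines that are not denials.
explain_denial() {
    ed_cmd=$(denied_command "$1")
    if [ -z "$ed_cmd" ]; then
        echo "not a dzdo denial line" >&2
        return 1
    fi
    echo "define: $ed_cmd"
    echo "wrapper: $(wrapper_kind "$ed_cmd")"
}

# Denial lines quoted on this page.
while IFS= read -r line; do
    explain_denial "$line"
done <<'EOF'
Sorry, user frank12test2 is not allowed to execute '/da/cdashmod -c /home/frank12test2/test.sh' as root on RHEL64Frank.
Sorry, user frank.test.2 is not allowed to execute '/bin/centrifyda -c /home/frank12test2/test_dzdo.sh' as root on RHEL64Frank.
Sorry, user frank12test2 is not allowed to execute '/bin/bash -c /home/frank12test2/test.sh' as root on RHEL64Frank.
EOF
```

The "define:" line is the string to enter as the command definition; keep it scoped to the single script path rather than widening it to the shell itself.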
Command output with privilege commands configured: