This is a series of articles showcasing what's new with Centrify Infrastructure Services (formerly Centrify Server Suite) version 2017.3. For additional articles in the series, review these links:
In this article, we'll discuss Centrify's support for Container Linux by CoreOS.
About Container Linux by CoreOS
"Container Linux by CoreOS (formerly CoreOS Linux) is an open-source lightweight operating system based on the Linux kernel and designed for providing infrastructure to clustered deployments, while focusing on automation, ease of application deployment, security, reliability and scalability. As an operating system, Container Linux provides only the minimal functionality required for deploying applications inside software containers, together with built-in mechanisms for service discovery and configuration sharing." - Source: Wikipedia.
We had to overcome some challenges based on how Container Linux is architected.
- No package manager (required to deploy our solutions).
- Read-only /usr filesystem (Centrify usually installs under /usr/share/centrifydc and audit under /usr/share/centrifyda).
- No Perl (required by group policy and other utilities).
- Kernel not compiled with auditd support (required for file monitoring).
Needless to say, our Engineering team was up to the task and was able to provide a solution that enabled our capabilities and maintained the ease-of-use that is common with Centrify solutions.
- Centrify provides an installation tarball with the 2017.3 agent bundle that includes Access and Audit components.
- A special version of the install.sh utility will allow for interactive or automatic installations.
- Centrify software is installed in the /opt/centrify folder.
- Limitations: Express mode, deployment manager installation and monitoring service are not available.
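As an added example (not Centrify's installer code), the following POSIX shell pre-flight check tests a host for the four Container Linux constraints listed above and picks an install prefix accordingly; the /proc/mounts excerpt it parses is constructed, and the /opt/centrify versus /usr/share/centrifydc decision rule is the example's own.

```shell
#!/bin/sh
# Added example, not Centrify's installer code: pre-flight checks for the Container
# Linux constraints listed above (read-only /usr, no Perl, no package manager, no
# kernel audit support), in POSIX sh since that is all such a host is sure to have.

# usr_is_readonly MOUNTS_FILE -- succeeds if the /usr entry in MOUNTS_FILE
# (/proc/mounts format) carries "ro" among its comma-separated mount options
usr_is_readonly() {
    awk '$2 == "/usr" { n = split($4, opt, ",")
                        for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1 }
         END { exit ro ? 0 : 1 }' "$1"
}

# tool_available NAME -- succeeds if NAME is executable somewhere on PATH
tool_available() { command -v "$1" >/dev/null 2>&1; }
# package_manager_present -- any common package manager on PATH
package_manager_present() { tool_available rpm || tool_available dpkg || tool_available apk; }
# kernel_has_audit CONFIG_FILE -- succeeds if the kernel config enables CONFIG_AUDIT
kernel_has_audit() { grep -qx 'CONFIG_AUDIT=y' "$1" 2>/dev/null; }

# install_prefix MOUNTS_FILE -- /opt/centrify when /usr is read-only, otherwise the
# conventional /usr/share/centrifydc (this example's own decision rule)
install_prefix() {
    if usr_is_readonly "$1"; then echo /opt/centrify; else echo /usr/share/centrifydc; fi
}

# sample_mounts -- writes a constructed /proc/mounts excerpt (Container Linux style,
# /usr mounted read-only) to a temp file and prints its path
sample_mounts() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
/dev/sda9 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
    echo "$f"
}

# preflight_report MOUNTS_FILE CONFIG_FILE -- one line per constraint
preflight_report() {
    usr_is_readonly "$1" && echo "/usr: read-only" || echo "/usr: writable"
    echo "install prefix: $(install_prefix "$1")"
    tool_available perl && echo "perl: present" || echo "perl: missing (group policy tools unavailable)"
    package_manager_present && echo "package manager: present" || echo "package manager: none (use tarball + install.sh)"
    kernel_has_audit "$2" && echo "kernel audit: enabled" || echo "kernel audit: not enabled (file monitoring unavailable)"
}
m=$(sample_mounts)
preflight_report "$m" "/boot/config-$(uname -r)"
rm -f "$m"
```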
- Increased accountability - Container Linux users can sign in with their Active Directory account. We provide identity assurance with Multi-Factor Authentication.
  - In AWS deployments, organizations don't need to rely on the shared SSH key-based credential called "core".
- Centralized administration - Organizations don't have to duplicate effort and can continue to leverage Active Directory as the directory of record. No modifications required.
- Identity Management - Leverage Centrify zones to maintain a consistent UNIX namespace.
  - You can leverage AD groups to control membership in the docker secondary UNIX group.
- Role-based Access Control - Use Centrify zones to control who can access a system, and what commands can be run with privilege. For example:
  - You can create a role that defines who can elevate to the root or core accounts.
  - You can use Active Directory group membership to define who is a member of the docker (GID 233) secondary group.
  - You can define very granular docker commands that can be granted to minimize risk or enforce separation of duties.
- Attestation and Security Operations - Leverage Centrify Reports to facilitate attestation and Centrify Audit Trail to enrich security operations.
- Advanced Auditing - Enjoy audit trail events as well as session capture and replay.
- Extend host-based security to Linux Containers (LXC) - Centrify "bridges" capabilities to Linux Containers to enjoy the same level of accountability at the container level.
- Shared Account Password Management - If you need to use shared credentials, use the Centrify Privilege Service vault and enjoy the deployment flexibility and traditional password-related controls.
- Secure Access - The Privilege Service connector infrastructure allows for Web, Native or SSH jumpbox client access regardless of on-premises or IaaS deployment.
- Session proctoring, termination and recording - Enjoy the benefits of session control as well as auditing without the need to add local capabilities.
- Identity Assurance - Centrify offers built-in Multi-Factor Authentication at the vault level for session access or password checkout.
Videos: Centrify + Container Linux in action
- What's different in Container Linux
- Host-based Access Control, Identity Assurance and Role-Based Privilege Management
- Vault-based Access Control, Shared Accounts and Secure Access
- Using Role-based Access Control to manage and establish accountability for Docker operations
- Centrify and Linux Containers (LXC)
Centrify continues to extend the ability to reuse existing infrastructure in the hybrid enterprise. Microservices, container-based virtualization, and modern apps are not exempt from the need to establish reliable accountability, centralized administration and strong access controls. Continue exploring the other articles to find out what's new with Infrastructure Services 2017.3, and don't forget to give us feedback.