1

I'm currently working on a project in my internship at an organisation, and it is honestly a bit of challenge, so I hope you guys can help me out.

Background:

The organisation I'm working in has a production environment of 120+ servers, mostly Redhat and a few Windows machines, managed with Puppet. The Windows machines are basically just loadbalancers, so they are outside the scope of this project. As it is now, everyone logs in with the root account, which should be self-explanatory why that's a huge problem for various reasons.

So, the goal of my project is setup an authentication and log system that uses the existing Active Directory user accounts, to grant users access to the production environment. I've chosen to do this with realmd/sssd. My plan is to setup two servers to handle authentication and logs, and let the rest of the servers authenticate against those, and send logs to them.

Question 1:

As already mentioned, I want to setup two servers to handle authentication, and my question is; how do I configure the rest of the servers to authenticate against those? For example; if someone SSH into a machine, that machine should contact the auth servers for authentication, and if they doesn't have the credentials stored in the cache, the auth servers should authenticate against the Active Directory.

Question 2:

What are the best practices and software to monitor logs? I want to log login attempts, succesful logins and the commands users are executing.

Question 3:

I want to manage what the users can do in the environment, what commands they can execute and resources they can access. What are the best practices for this?

I know it's a lot of questions, and I hope I've explained myself clearly, english is not my primary language. I'm working completely alone on this, and my manager/coworkers are not really of any help. I feel a bit lost at this point, so I would really appreciate any inputs.

Frisbee57
  • 27

1 Answers1

0

I'd rather suggest setting up auditd, beats and sssd on all your boxes than creating a dedicated entryway setup. There's no need to introduce a dependency on those boxes for your admin process.

Q1: Let your boxes query AD for users and authenticate against AD with sssd directly.

Q2: Set up auditd on all your boxes to audit user logins and executed commands, and set up servers for ELK or Graylog or use Splunk to aggregate your logs. Use Elastic's beats to send all kinds of logs to your favourite log aggregator.

Q3: Authentication restriction can be done in several ways, I'm using LDAP group memberships. To restrict resource access, use SELinux and sudo.

Side note: depending on how protocol aware your load balancing needs to be, you might be better off using HAProxy - might want to take a look at that.

Side note (2), from the comments: If load on AD is a concern, replicate (AD-wise or with LSC) and load balance - HAProxy can help here too.

fuero
  • 9,739
  • Thanks for your answers! Just to be clear, you suggest to install sssd on all the boxes and let them query AD, instead of having two servers for that?

    The problem with that solution as I see it, is that every machine has to communicate with the AD, which are managed by another organisation, and I would really like to keep that communication at a bare minimum. Would it be a better solution to have them deploy a RODC in our network, which the boxes can authenticate against?

     – Frisbee57 Sep 19 '18 at 12:35
  • If you fear load, replicate and load balance or have your partner org do that. Without any other motivation, I can't think of a reason not to lean on your AD. – fuero Sep 19 '18 at 15:05