At a high level, what is the process for RSA NetWitness to integrate at the command line with Active Directory? We have the web UI configured for this, but the command line (SSH) itself is a bit of a stretch, and it seems there are several routes you can take to accomplish this task.
In the end my goal is to disable root logins to all my appliances via SSH and have all the users login to each system using their AD credentials.
We have a requirement to maintain traceability back to the individual user. We'll then enable sudo, set up auditd/sudo logging and go from there.
However it seems after reviewing the following document I have two choices.
Sec/User Mgmt: Configure PAM Login Capability
1. Add all the appliances to AD as computer objects, join them to the domain (with a DA account), install additional packages and enable SMB/CIFS ports to/from the AD servers.
2. Native LDAP queries via nss, openldap and pam. *Requires uidNumber and gidNumber attributes for AD user/group objects.
I'm looking to limit as much as possible on my internal AD groups as this will end up being a 3 month process internally.
Has anybody completed this and have an idea of the obstacles/hurdles you've run into?
Thanks,
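As an added example (not from the original post, and not RSA's own documentation or tooling), here is how the second route in the question can be staged as a script: an sssd.conf that talks plain LDAPS to AD with `ldap_id_mapping = False` (so the uidNumber/gidNumber attributes are read from the user and group objects), an sshd_config with root login disabled and access limited to one AD group, and a sudoers drop-in plus audit rule so privileged commands stay tied to the named AD account. Every file is rendered under a target root so it can be previewed in a scratch directory first. The domain example.corp, the DCs dc1/dc2, the bind account svc-netwitness-ldap and the group netwitness-admins are all placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread or from RSA NetWitness.
# Stages AD login over SSH via sssd (nss/pam + LDAP, no domain join),
# disables root SSH login, and wires sudo/auditd for per-user traceability.
# Placeholder names (assumptions): example.corp, dc1/dc2, svc-netwitness-ldap,
# netwitness-admins.
set -eu

ADMIN_GROUP=netwitness-admins

# sssd.conf for the nss/pam + LDAP route. ldap_id_mapping=False makes SSSD use
# the uidNumber/gidNumber attributes, so they must be populated in AD.
render_sssd_conf() {
    cat <<EOF
[sssd]
services = nss, pam
domains = example.corp

[domain/example.corp]
id_provider = ldap
auth_provider = ldap
access_provider = simple
ldap_schema = ad
ldap_uri = ldaps://dc1.example.corp, ldaps://dc2.example.corp
ldap_search_base = dc=example,dc=corp
ldap_default_bind_dn = cn=svc-netwitness-ldap,ou=Service Accounts,dc=example,dc=corp
ldap_default_authtok = CHANGEME
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-root-ca.pem
ldap_id_mapping = False
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
use_fully_qualified_names = False
cache_credentials = True
default_shell = /bin/bash
override_homedir = /home/%u
# Only this AD group may log in at all; sudo is restricted again separately.
simple_allow_groups = ${ADMIN_GROUP}
EOF
}

# sshd honours the FIRST occurrence of a keyword, so every active or commented
# copy is removed before the desired line is appended (idempotent).
set_sshd_directive() {
    f=$1; key=$2; value=$3
    grep -v -i -E "^[[:space:]]*#?[[:space:]]*${key}"'([[:space:]]|$)' "$f" > "$f.tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# Effective value of a keyword as sshd would see it (first active match).
sshd_setting() {
    awk -v k="$2" 'tolower($1)==tolower(k){ $1=""; sub(/^ +/,""); print; exit }' "$1"
}

harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" UsePAM yes
    set_sshd_directive "$1" PasswordAuthentication yes   # AD password checked by pam_sss
    set_sshd_directive "$1" AllowGroups "$ADMIN_GROUP"
}

# Users log in as themselves and escalate via sudo, so each privileged
# command is logged against a named AD account (with session I/O captured).
render_sudoers() {
    cat <<EOF
Defaults logfile="/var/log/sudo.log"
Defaults log_input, log_output
%${ADMIN_GROUP} ALL=(ALL) ALL
EOF
}

# auditd: record every command executed as root by a real logged-in user.
# auid is the login uid, which survives sudo, so the record names the person.
render_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k priv-cmd
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k priv-cmd
EOF
}

# Write everything under a target root: a scratch dir to preview, "/" to apply.
# Services are not restarted here; validate with sshd -t and visudo -cf first.
main() {
    root=${1:-/}
    mkdir -p "$root/etc/sssd" "$root/etc/sudoers.d" "$root/etc/audit/rules.d" "$root/etc/ssh"
    render_sssd_conf > "$root/etc/sssd/sssd.conf"
    chmod 600 "$root/etc/sssd/sssd.conf"
    render_sudoers > "$root/etc/sudoers.d/$ADMIN_GROUP"
    chmod 440 "$root/etc/sudoers.d/$ADMIN_GROUP"
    render_audit_rules > "$root/etc/audit/rules.d/50-priv-cmd.rules"
    [ -f "$root/etc/ssh/sshd_config" ] || : > "$root/etc/ssh/sshd_config"
    harden_sshd_config "$root/etc/ssh/sshd_config"
}

# Only act when invoked with --apply, so the functions can be sourced safely.
if [ "${1:-}" = "--apply" ]; then main "${2:-/}"; fi
```

Preview with `sh stage-ad-login.sh --apply /tmp/preview` and diff the result against the appliance's current files before applying for real. Restricting both `simple_allow_groups` and `AllowGroups` (and the sudoers rule) to one dedicated, tightly controlled AD group rather than Domain Users keeps the set of AD accounts that can reach root on the appliances as small as possible; leaving `PermitRootLogin no` only helps if no other local account with a shared password remains enabled.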
I would not recommend this AT ALL. Think about it, AD is the shortest path of compromise in the majority of intrusions. Adding AD to Linux hosts, and adding sudo for priv escalation, just ensures that if AD is compromised, they also have a direct line to root on your Linux hosts. That being bad enough, you are now including the very toolset that your analysts are going to trust and rely on in that straight-line path from Domain Admin/User directly to root. I recommend advising your client that this is the very opposite of Principle of Least Privilege and Principle of Separation of Duties, making it definitively bad security practice.
Thanks,
Wes