WHAT'S NEW

What’s New in Centrify Infrastructure Services 2018

Centrify Infrastructure Services combines comprehensive bridging of Linux and UNIX systems to Active Directory with powerful privilege management, multi-factor authentication and session monitoring across Windows, Linux and UNIX systems. The net result for thousands of customers who have deployed Infrastructure Services is increased security, improved compliance and comprehensive reporting and auditing.

Centrify Infrastructure Services 2018 is a feature release and contains new product features and enhancements to security and functionality. 

Centrify Server Suite is renamed and is now a part of Centrify Infrastructure Services. It offers the following services:

  • Centrify Identity Broker Service
  • Centrify Privilege Elevation Service
  • Centrify Auditing & Monitoring Service

Centrify Infrastructure Services is an integrated family of Active-Directory-based auditing, access control and identity management solutions that secure your cross-platform environment and strengthen regulatory compliance initiatives.

  • Centrify Identity Broker Service secures your platforms using the same authentication and Group Policy services deployed for your Windows environment.
  • Centrify Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX, Linux and Windows systems.
  • Centrify Auditing & Monitoring Service delivers auditing, logging and real-time monitoring of user activity on your Windows, UNIX and Linux systems.
  • Centrify Management Services is an integrated set of administration and management tools that centralize the discovery, management and user administration of UNIX and Linux systems through integration into Active-Directory-based tools and processes.
  • Centrify Isolation & Encryption Service is a policy-based software solution that secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion.

Built on a common architecture, the seamlessly integrated Centrify Infrastructure Services solution helps you improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure your heterogeneous computing environment.

This Centrify Infrastructure Services release includes packages for Windows, UNIX, Linux, and Mac OS X operating system environments.

Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.5.0 (2018)

Product packaging changes

Due to the product name changes described above, install.sh now uses the new product component names. Please check your scripts if you parse its outputs.

All user documentation is now posted on the Web at http://docs.centrify.com. User documentation is no longer included within software installers and bundles. This change enables Centrify customers to have the most up-to-date documentation on all products, accessible from a single location.

Solaris x86 and SPARC

On Solaris x86 and SPARC platforms, the Centrify DirectControl package set and its add-on packages (openssh, nis and ldapproxy) are changed to 64-bit. For compatibility, you must therefore upgrade both the DirectControl and DirectAudit packages together in this release.

DirectSecure

Because the Solaris packages are now 64-bit, previous versions of DirectSecure Agent for Solaris will not work with this release.

.NET Requirement

The required .NET framework is upgraded to version 4.6.2 in this release. (Ref: CS-44070, CS-44209, CS-45110, CS-45299)

CoreOS

The CoreOS packages are now available for download via wget. The adcheck CLI feature is now also available on CoreOS.

Centrify Express

Centrify Express packages are no longer available on UNIX platforms, which include AIX, HP-UX, and Solaris.

Centrify Agent™ for Windows 3.5.0

New features and enhancements

  • Audit Trail support is added to Windows Feature Manager, Application Manager and Network Manager.
  • A new Group Policy "Enable setup Centrify offline passcode" is added to enable or disable configuration of offline passcode. By default, it is enabled.
  • A new Group Policy "Specify offline passcode desktop notification message" is added to show, hide or customize the message text of the offline passcode pop-up.
  • The zero sign on (ZSO) feature is now immediately available when a user enrolls their device. It is no longer necessary for a Cloud Administrator to enable the "External CA Certificate Feature."
  • A shortcut is added to the Windows desktop to access 'User Portal' after the device has been enrolled.
  • The group policy "Override a web proxy URL" has been removed as of this release. Centrify suggests using the new group policy "Specify a web proxy URL" instead.
  • Starting with this release, command line arguments, by default, will not be displayed in the "Run With Privilege" Audit Trail Events. Disable the Group Policy "Hide Command Line Arguments in Analytics" to display the command line arguments.
  • A new group policy "Enable enrollment as personal device" is added to enable or disable enrolling the machine as a personal device; it is disabled by default. Prior to this release, enrollment as a personal device was always enabled.

Note: The required .NET framework is version 4.6.2 in this release.

Centrify Agent for Linux – Centrify DirectControl™ 5.5.0

Product and component names and package content

The DirectControl Agent provides services for Identity Broker Service and Privilege Elevation Service and is contained in the CentrifyDC packages.

The DirectAudit Agent provides services for Auditing & Monitoring Service and is contained in the CentrifyDA packages.

Compatibility

This release of Centrify DirectControl Agent for *NIX will work with the following products and components:

  • The latest released version of Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO.
  • Centrify DirectSecure Agent of Release 2017.2 or later, except that:
    • On Solaris x86 and SPARC platforms, DirectSecure Agent must be of Release 2018 or later.
  • Centrify DirectAudit Agent of Release 2017 or later, except that:
    • On AIX, Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later.
  • Centrify OpenSSH and Centrify OpenSSL of Release 2017 or later, except that:
    • On Linux PowerPC platforms, all packages must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, Centrify OpenSSH and Centrify OpenSSL must be of Release 2018 or later.

New features and enhancements

New Use My Account feature

A new feature, 'Use My Account', is introduced in the Centrify Admin Portal. It lets a user access a DirectControl-managed system with the account they are currently logged in with, without entering credentials again. This is particularly useful for smart card users, who may not know their password at all.

Configuration is required both on the target machine(s) and within the portal to enable the feature. Please refer to the user documentation for details.

Enhancements for Microsoft Azure Active Directory

  • Centrify DirectControl Agent now supports Microsoft Azure Active Directory Domain Services.

Enhancements for AIX

  • Active Directory users can now run the 'chsec' command to update attributes of a local user.

Enhancements for CoreOS

  • Additional Centrify DirectControl Agent functionality is supported inside the CoreOS container. Please refer to KB-9565 and the user documentation for details.

Enhancements for local account management

  • New options for Centrify DirectControl determine how strict the enforcement of local account management should be. Please see the Configuration Parameters section in this document for details or the user documentation.

Enhancements for command-line tools

  • The command 'adjoin' is enhanced with the following improvements:
    • A new option '-d, --forceDeleteObjWithDupSpn' will delete existing object(s) with duplicate Service Principal Name (SPN).
    • A new option '-r, --useConf enctype' controls whether to respect the encryption type(s) defined in 'msDS-SupportedEncryptionTypes' in Active Directory, or in the setting 'adclient.krb5.permitted.encryption.types' in centrifydc.conf, in this order, when performing a self-serve join.
    • A new option '-r, --useConf spn' controls whether to respect the Service Principal Name (SPN) defined in the setting 'adclient.krb5.service.principals' in centrifydc.conf when performing self-serve join.
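
The order in which a self-serve join picks its encryption types matters for security: if the computer object advertises RC4 or DES in msDS-SupportedEncryptionTypes, the join respects that and weak keys end up in the host keytab. The following is an added example, not Centrify's code. It decodes the attribute's bitmask (the bit values are the ones Microsoft documents for this attribute), falls back to the centrifydc.conf setting when the attribute is absent or zero (that fallback condition, and the enctype spellings used in the constructed conf sample, are assumptions made for the example; the release notes only state the order of precedence), and flags weak types so the object can be fixed before running adjoin.

```python
# Added example, not Centrify code: work out which Kerberos encryption types a
# self-serve join would respect, AD attribute first, centrifydc.conf second.

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Types a current deployment should not be generating keys for.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}

CONF_KEY = "adclient.krb5.permitted.encryption.types"


def decode_supported_enctypes(value):
    """Names of the enctypes set in an msDS-SupportedEncryptionTypes bitmask."""
    if not value:
        return []
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def parse_conf_enctypes(conf_text):
    """Read CONF_KEY from centrifydc.conf text ('name: value' lines)."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, val = line.partition(":")
        if key.strip() == CONF_KEY:
            return val.split()
    return []


def effective_enctypes(ad_value, conf_text):
    """(source, enctypes): AD attribute if present and non-zero, else the conf.

    The fallback condition (absent or zero attribute) is an assumption made
    for this example; the release notes only state the order of precedence.
    """
    from_ad = decode_supported_enctypes(ad_value)
    if from_ad:
        return "msDS-SupportedEncryptionTypes", from_ad
    return CONF_KEY, parse_conf_enctypes(conf_text)


def weak_enctypes(enctypes):
    """Sorted subset of enctypes considered weak."""
    return sorted(set(enctypes) & WEAK_ENCTYPES)


# Constructed sample: a computer object advertising RC4 + AES128 + AES256
# (0x1C) and a centrifydc.conf that permits only AES. The enctype spellings
# on the conf line are an assumption about the setting's syntax.
SAMPLE_AD_VALUE = 0x1C
SAMPLE_CONF = """\
# centrifydc.conf (constructed sample)
adclient.krb5.permitted.encryption.types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    source, types = effective_enctypes(SAMPLE_AD_VALUE, SAMPLE_CONF)
    print(f"join would use ({source}): {types}")
    print(f"weak types to remove before adjoin: {weak_enctypes(types)}")
```

Feed it the integer you read from the computer object (for example with ldapsearch, or Get-ADComputer -Properties msDS-SupportedEncryptionTypes) together with the host's centrifydc.conf; an object advertising 0x1C is reported with arcfour-hmac-md5 as the weak type to clear before the join.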

Centrify PuTTY

  • Centrify PuTTY 5.5.0 is upgraded based on stock PuTTY 0.70.
    • This includes all fixes for CVE-2016-6167 potential malicious code execution via indirect DLL hijacking.

Centrify OpenSSL

  • Centrify OpenSSL 5.5.0 is upgraded based on stock OpenSSL 1.0.2n.
    • This includes security fixes for CVE-2017-3735, CVE-2017-3736, CVE-2017-3737 and CVE-2017-3738.

Centrify OpenSSH

  • Centrify OpenSSH 5.5.0 is upgraded based on stock OpenSSH 7.6p1.
    • This includes security fixes in stock OpenSSH.
    • This release removes support for the RSA1 key.

Centrify libcurl

  • Centrify libcurl is upgraded based on stock curl 7.58.0.
    • This includes security fixes for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000005, CVE-2018-1000007, CVE-2017-1000257.

Configuration parameters

centrifydc.conf

The following parameters are added in centrifydc.conf.

adclient.binding.dc.failover.delay: This parameter specifies the waiting time in minutes before the DirectControl Agent determines that a Domain Controller is no longer responding and needs a failover. The default is 0 meaning no waiting time.

adclient.local.account.manage.strict: This parameter turns on/off the strict enforcement mode for local account management. The default is false, meaning no strict enforcement. There are two sub-parameters, adclient.local.account.manage.strict.passwd and adclient.local.account.manage.strict.group, to further define if the enforcement applies to users and/or groups. When strict enforcement is turned on, unmanaged local user/group entries will be removed. However, switching back to no strict enforcement of local account management will not restore the unmanaged local user/group.

adclient.local.account.manage.strict.passwd: This parameter specifies if the strict enforcement of local account management applies to user entries or not. The default is false. This parameter takes effect only if adclient.local.account.manage.strict is set to true. If strict enforcement mode is enabled for user entries, any unmanaged local user entries, except the entry with uid 0, will be removed from /etc/passwd, as well as /etc/shadow if it exists, and any unmanaged users' extended attributes will be removed as well.

adclient.local.account.manage.strict.group: This parameter specifies if the strict enforcement of local account management applies to group entries or not. The default is false. This parameter takes effect only if adclient.local.account.manage.strict is set to true. If strict enforcement mode is enabled for group entries, any unmanaged local group entries, except the entry with gid 0, will be removed from /etc/group, and any unmanaged groups' extended attributes will be removed as well.
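
Before turning adclient.local.account.manage.strict on, it is worth previewing which entries would disappear, since the description above states that the removal is not undone by switching strict mode off again. The following is an added example, not Centrify's code. It applies the rules given above to constructed sample files: unmanaged /etc/passwd entries other than uid 0 and unmanaged /etc/group entries other than gid 0 are removed, and the passwd and group sub-parameters only take effect when the top-level parameter is true. How a deployment obtains the list of Centrify-managed local account names is not specified here and is left as an input (an assumption). The example also lists every uid 0 entry, because the uid 0 exception means strict mode never removes a second root-equivalent account; those need manual review.

```python
# Added example, not Centrify code: preview what strict local account
# enforcement would remove, using the rules described for
# adclient.local.account.manage.strict(.passwd|.group).


def _parse_id_file(text):
    """Return (name, numeric id) for /etc/passwd- or /etc/group-style text.

    Both formats carry the numeric id in the third field (name:x:ID:...).
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line: report nothing rather than guess
        rows.append((fields[0], int(fields[2])))
    return rows


def removal_preview(passwd_text, group_text, managed_users, managed_groups,
                    strict=False, strict_passwd=False, strict_group=False):
    """Names strict enforcement would delete, plus uid 0 entries it never touches.

    The three keyword defaults mirror centrifydc.conf, where all are false.
    """
    users = _parse_id_file(passwd_text)
    groups = _parse_id_file(group_text)
    result = {
        "users": [],
        "groups": [],
        # The uid 0 exception keeps every uid 0 entry, not only 'root'.
        "uid0_kept": [name for name, uid in users if uid == 0],
    }
    if strict and strict_passwd:
        result["users"] = [name for name, uid in users
                           if uid != 0 and name not in managed_users]
    if strict and strict_group:
        result["groups"] = [name for name, gid in groups
                            if gid != 0 and name not in managed_groups]
    return result


# Constructed sample data. The managed sets stand in for whatever source of
# truth (an assumption) your deployment uses for Centrify-managed local accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-backup:x:1001:1001:backup service:/home/svc-backup:/bin/bash
oldadmin:x:1002:1002:former admin:/home/oldadmin:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
svc-backup:x:1001:
legacy:x:5000:oldadmin
"""
MANAGED_USERS = {"daemon", "svc-backup"}
MANAGED_GROUPS = {"daemon", "svc-backup"}

if __name__ == "__main__":
    preview = removal_preview(SAMPLE_PASSWD, SAMPLE_GROUP,
                              MANAGED_USERS, MANAGED_GROUPS,
                              strict=True, strict_passwd=True, strict_group=True)
    print("would remove users :", preview["users"])
    print("would remove groups:", preview["groups"])
    print("uid 0 entries kept :", preview["uid0_kept"])
```

With the sample data, enabling all three parameters removes the unmanaged user 'oldadmin' and the unmanaged group 'legacy', while both 'root' and the stray uid 0 account 'toor' survive; the second of those is exactly the kind of entry strict mode will not clean up for you.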

adclient.skip.inbound.trusts: This parameter controls whether the DirectControl Agent sends network queries to inbound trusts. If it is set to true, inbound trusts are not added to the domain info map and probing of inbound trusts is skipped. The default is false.

queueable.random.delay.interval: This parameter controls whether a randomized delay is introduced when scheduling background tasks on a DirectControl-managed machine, so that many machines reacting to the same event at the same time (for example, joining the same domain) do not overload the Active Directory server. The value is the maximum randomized delay in minutes; the default is '0', meaning no delay.

No existing parameters are updated in or removed from centrifydc.conf in this release.

Please refer to the Configuration and Tuning Reference Guide for details.

Centrify OpenSSH

A new configuration parameter, 'RloginControlSsh', is added to 'sshd_config'. It indicates whether the setting 'rlogin = false' for a normal user in '/etc/security/user' (the AIX user attributes file) should also disallow SSH access. The default is 'yes', meaning SSH access is denied in that case.

Centrify OpenLDAP Proxy

Significant performance enhancements are made in this release.

Centrify OpenLDAP Proxy now gathers and reports performance statistics, controlled by a new configuration parameter 'ldapproxy.performance.log.interval'. This parameter sets the number of seconds between log events that dump statistics about the search cache and authentication. The summary information (hits, misses, etc.) is logged as DEBUG-level events. The default is '0', meaning statistics are disabled.

A new authentication cache improves LDAP Proxy authentication performance. Its validity is controlled by a new configuration parameter in slapd.conf, 'ldapproxy.cache.credential.expires', whose default is 300 seconds. A cached credential is accepted until it expires, so this value also bounds how long a password change or account disablement in Active Directory can go unnoticed by the proxy; shorten it if that window matters more to you than the throughput gain.

Centrify Access Manager and Report Center

  • Report Center has been deprecated in favor of Centrify Report Services since Release 2016 and is no longer accessible from Access Manager. Please see the user documentation for Centrify Report Services, which replaces and improves on the functionality formerly found in Report Center.

Centrify Licensing Service

Licensing Service and Licensing Report now support vault-based systems.

In this release, vault-based audited UNIX systems are counted as 'UNIX without license type' whereas vault-based audited Windows systems are counted as 'Windows Server'.

Note: If you use vault-based systems, use the new Licensing Service and Licensing Report. Previous versions of Licensing Service and Licensing Report do not support vault-based systems; with them, both UNIX and Windows vault-based audited systems may all be counted as 'UNIX without license type' and may be treated as orphan systems.

Centrify Group Policy Management

The SSH group policy 'Match Block' now supports Match block directives that have sub-directives.

Centrify Zone Provisioning Agent

The tool 'CopyGroupNested' now has better logging.

The command-line tool 'zoneupdate' now supports event logging.

Centrify Infrastructure Services 2018 Auditing & Monitoring Service 3.5.0

Auditing and Session Monitoring – Centrify DirectAudit™ 3.5.0

Prerequisites for upgrading your Infrastructure Services 2018 deployment

Centrify DirectControl™ is a pre-requisite for Centrify DirectAudit on Linux and UNIX.  Customers who use Centrify DirectControl for identity consolidation and privilege elevation on Linux and UNIX along with Centrify DirectAudit should always run the same relative versions of these components.

The minimum version of the .NET Framework required by this version of DirectAudit is 4.6.2.

Enhancements

  • The Audit Analyzer and Centrify Audit Module for PowerShell allow searching audited sessions by Account name.
  • Video capture performance is improved by ignoring non-screen update system messages.

Centrify DirectAudit Collector and systems managed by Centrify Infrastructure Services

The DirectAudit Collector now records details of audited Windows/UNIX systems and network devices that are managed by Centrify Infrastructure Services. The Collector periodically registers a heartbeat for these devices in the active Audit Store database so that they can later be viewed and managed using the Audit Manager console.

Centrify DirectAudit Audit Analyzer and Session Player

A new built-in query "Infrastructure Services - Privileged Sessions" is added to the Audit Analyzer console, enabling search and display of audited activity from the Windows/UNIX systems and network devices that are currently managed by Centrify Infrastructure Services.

A new node "Audited Systems(Vault-based)" is added to the Audit Manager console to list the audited Windows/UNIX systems and network devices that are currently managed by Centrify Infrastructure Services.

The Zone Administration Report is enhanced to display the client name of the corresponding session.

Centrify UNIX Agent for Audit

In previous releases, if an audited command was terminated by a signal, the exit status was incorrectly reported as 0. In Release 2018, the exit status is set to the signal number of the terminating signal plus 128, which is the value most command shells expect. For example, if the command is killed by SIGKILL (signal 9), the exit status is now 137 (128 + 9).
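
The following is an added example, not Centrify's code, showing how a script that wraps or post-processes audited commands can interpret that status. Python's subprocess module reports a signal-killed child as a negative returncode, so the example converts it to the 128 + N convention first and then decodes the number back to a signal name. The demo spawns a child that kills itself with SIGKILL, which must come back as the 137 the notes describe.

```python
# Added example, not Centrify code: decode an audited command's exit status
# under the 128 + signal convention that Release 2018 now follows.
import signal
import subprocess
import sys


def to_shell_status(returncode):
    """Map a subprocess returncode (-N for 'killed by signal N') to 128 + N.

    Normal exit codes pass through unchanged.
    """
    return 128 + (-returncode) if returncode < 0 else returncode


def classify_exit(status):
    """('signal', NAME, N) for a 128 + N status, otherwise ('exit', None, status).

    Heuristic by design: exit(137) and death by SIGKILL look identical here,
    exactly as they do to a shell reading $?.
    """
    if 128 < status < 256:
        num = status - 128
        try:
            name = signal.Signals(num).name
        except ValueError:
            name = f"SIG{num}"  # number outside this platform's signal table
        return ("signal", name, num)
    return ("exit", None, status)


def run_and_classify(argv):
    """Run argv to completion and classify how it ended."""
    completed = subprocess.run(argv)
    return classify_exit(to_shell_status(completed.returncode))


def demo():
    """Spawn a child that SIGKILLs itself; the expected result is 137 -> SIGKILL."""
    child = [sys.executable, "-c",
             "import os, signal; os.kill(os.getpid(), signal.SIGKILL)"]
    return run_and_classify(child)


if __name__ == "__main__":
    print(demo())
```

The decoding is deliberately heuristic: a command that calls exit(137) is indistinguishable from one killed by SIGKILL, because the shell convention, and therefore the audit record, carries only the single number.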

Compatibility

The minimum Centrify DirectControl Agent for *NIX version required by this version of the service is 5.4.0 (Server Suite 2017) with the following exceptions:

  • On AIX, Linux PowerPC platforms, Centrify DirectControl Agent must be Release 2017.3 or later.
  • On Solaris x86 and SPARC platforms, Centrify DirectControl Agent must be Release 2018 or later because the Solaris packages have been changed to 64-bit in this release. The packages still provide 32-bit libraries to work with 32-bit programs.

Database

The Auditing & Monitoring Service now supports the Audit Store Database in Amazon RDS with Multi-AZ deployments for SQL Server by using Database Mirroring.

Centrify DirectControl Agent for Mac (2018)

New Features and Enhancements

Centrify Keychain Sync for Mac

Released as a preview feature in 2017.3, the Centrify Keychain Sync utility is now available to all customers in this release. It addresses a common problem in organizations that use Active Directory accounts to log in to Macs: users change their Active Directory password somewhere other than the change password interface built into macOS System Preferences, and the login keychain remains locked with the previous password.

The Centrify Keychain Sync utility watches for password changes in Active Directory while the user is connected to the network and notifies the user when the keychain needs to be brought back in sync. Optionally, the utility can store the user's old password in their login keychain; if that option is enabled, the user only needs to supply the new password to resynchronize, otherwise they supply both the old and the new password. The feature is disabled by default so that current behavior is unchanged, and must be enabled through Group Policy or a setting in the agent configuration file.

For details, read the "enable keychain synchronization" section of the Mac agent documentation at http://docs.centrify.com.

Notable Fixes

  • Smart Card screen unlock for RHEL 7: fixed an issue with unlocking the screen with a CAC smart card after it had been locked on RHEL 7 systems.
  • Improved log pack collection by including opendirectoryd and authorization logs as a part of our debug logs.
  • Changes to MCX based user policies no longer require the user to logout and login again to have the policies applied.
  • Fix for USB-C smart card readers. There was an issue reading smart cards from some USB-C smart card readers that has been addressed in this release.
  • Fixed several issues with network mounted file shares where the same share was being added multiple times, or the share could not be deleted.

Centrify Deployment Manager 5.5.0 (2018)

Centrify PuTTY 5.5.0 is bundled with Centrify Deployment Manager.

Additional new OS platforms are supported for deployment of Centrify Infrastructure Services. For a list of the supported platforms in this release, refer to the “Supported Platforms” section in the Centrify Infrastructure Services release notes.

Note: Amazon Linux is not supported by Deployment Manager as AWS has its own deployment method.

Supported Platforms

Support is added for the following operating system platforms in this release:

  • Amazon Linux 2 - latest version (x86_64)
  • CoreOS – latest version (x86_64)
  • Debian 8.10, 9.3, 9.4 (x86_64)
  • Fedora 28 (x86_64)
  • Ubuntu 16.04, 18.04 (ppc64el)
  • Ubuntu 18.04 (x86_64)

To see all platforms in the Centrify Infrastructure Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” in www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Website Login for this page.)

Termination of Support

Support is removed for the following operating system platforms in this release:

  • Fedora 25
  • Oracle Solaris x86
  • SUSE 11 SP1 or below
  • Ubuntu 17.04

This is the last release of Centrify Infrastructure Services in which the following operating system platforms will be supported:

  • Citrix XenServer 6.5
  • Debian 7.x
  • Ubuntu 17.10

Support is removed from the following Domain Functional Level (DFL) and Forest Functional Level (FFL) in this release:

  • Windows 2003

The next release will be the last release in which the following operating system platforms will be supported:

  • Mac OS X 10.11

Security Advisories

Centrify has established product security policies documented in the web page www.centrify.com/product-policy. You may also find the details of all the published security advisories there.

Security Fixes

Fixed a security vulnerability in installation and upgrade of the Centrify DirectControl Agent package.

What’s New in Centrify Infrastructure Services 2017.3

Centrify Infrastructure Services combines comprehensive bridging of Linux and UNIX systems to Active Directory with powerful privilege management, multi-factor authentication and session monitoring across Windows, Linux and UNIX systems. The net result for thousands of customers who have deployed Server Suite is increased security, improved compliance and comprehensive reporting and auditing.

Centrify Infrastructure Services 2017.3 is a maintenance release and contains new product features and enhancements to security and functionality.

Centrify Server Suite was renamed in version 2017.2 and is now a part of Centrify Infrastructure Services. It offers the following services:

  • Centrify Identity Broker Service
  • Centrify Privilege Elevation Service
  • Centrify Auditing & Monitoring Service

Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.4.3 (2017.3)

General enhancements and changes

On Solaris SPARC and Linux PPC (not PPC64le), if you want to upgrade from Suite 2017.1 or older, you must upgrade all installed packages to Release 2017.3 or later.

This release of Centrify DirectControl Agent for *NIX will work with the latest released Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO.

Open Source component upgrades

  • Centrify curl is upgraded based on stock cURL 7.55.1.
    • This includes several security fixes, e.g. CVE-2017-9502, CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-1000101. Please refer to https://curl.haxx.se/changes.html for details.

Product packaging changes

Due to the product name changes in version 2017.2, install.sh now uses the new product component names. Please check your scripts if you parse its outputs.

All user documentation is now posted on the Web at http://docs.centrify.com. User documentation is no longer included within software installers and bundles. This change enables Centrify customers to have the most up-to-date documentation on all products, accessible from a single location.

Centrify DirectControl Agent for *NIX

CoreOS is supported. Due to the CoreOS architecture, only a subset of the DirectControl agent’s functionality is supported; for example, there is no adcheck utility.

Note:

  • Centrify packages on CoreOS are installed in a different location: /opt/ instead of /usr/share/.
  • It has its own installation tarball as CoreOS has no package manager of its own.
  • The Centrify Express edition is not supported on CoreOS.
  • For details of this new feature, please refer to user documentation.

DirectControl Agent for *NIX now supports Web Proxy Authentication for MFA. It also allows users to specify which Web Proxy Server MFA authentication should go through. A new CLI adwebproxyconf is also added for configuring this feature. For details of this new feature, please refer to user documentation.

dzdo now supports Role-based Access Control (RBAC) in SELinux. Two new fields, 'selinux_role' and 'selinux_type', let administrators specify the default role and type used to build the SELinux context for privileged command execution. These settings can be overridden with the '-r' and '-t' command-line options respectively. Note that the settings are currently supported only on RHEL and are effective only on machines that have SELinux enabled and are joined to a hierarchical zone. The Access Manager console, Access Module for PowerShell, adedit, and Sudoers Import have also been enhanced to support these settings.

The adkeytab command has added a new optional parameter -y or --set-acct-enctype for the --new / --adopt commands, to restrict the encryption types to those specified in the "msDS-SupportedEncryptionTypes" attribute. If set, the adkeytab command will respect the encryption types defined in this attribute when it adds new Service Principal Name (SPN) or changes account password for this account.

A new command-line option "-T, --command-timeout" is added for the dzdo command to specify the command timeout in seconds. The command will be terminated if the specified timeout expires. This setting works only if the parameter 'dzdo.user.command.timeout' is enabled in centrifydc.conf.

Audit trail events have been enhanced as follows:

  • Login and dzdo privilege elevation events now show whether multi-factor authentication (MFA) is required or not. Note: This new field is always set to "N/A" on MacOS.
  • MFA now shows only one summarized event per Centrify Identity Platform MFA transaction regardless of how many MFA challenges have been executed within a single login or privilege elevation event.
  • The DirectAudit session ID is now available in MFA challenge events.
  • Note: New versions of dzdo and PAM authentication audit trail events introduced in Version 2017.3 cannot be reported by older versions of DirectAudit Audit Manager or PowerShell cmdlets. Please upgrade the DirectAudit backend components (Audit Manager, collector, and databases) to Version 2017.3 or later. If you cannot upgrade the DirectAudit backend components, please contact Centrify Technical Support for information about patching the DirectAudit databases to support these new audit trail events.

The Centrify curl command now supports SPNEGO authentication.

The Login and Privilege Elevation profiles that were in the "Settings>Authentication>Server and Workstation" tab of the Centrify Admin Portal in previous versions are now regrouped under "Core Services>Login Policies" and "Core Services>Privilege Elevation Policies". Please note that not all the options are valid for MFA Login or Privilege Elevation:

  • If you have previously created custom profiles in the Admin Portal, the new Admin Portal UI will provide an auto-generated policy set "Infrastructure Policy (Auto generated)".
  • However, some of the new options are supported only by 2017.3 agents, or 2017.2 agents (November 2017 update). For example, irrespective of the "Windows Workstation" setting, older agents will still use the "Unix and Windows Servers" policy even though the machine is a Workstation. Also, older agents do not support new options, such as "Device OS" and "Identity Cookie" in the authentication profiles for Login or Privilege Elevation.

Configuration Parameters

The following parameters are added in centrifydc.conf:

adclient.tcp.connect.timeout: This parameter specifies the timeout of all TCP port probing used in the DirectControl Agent. The default is 10 seconds.

adclient.user.name.max.exceed.disallow: This parameter specifies whether a UNIX user name may exceed the system-defined maximum login name length. The default is false, meaning longer names are allowed. Note that this parameter applies only to hierarchical zones.

dzdo.user.command.timeout: This parameter enables the new "-T, --command-timeout" option, which lets a user specify a dzdo command execution timeout. The default is false, meaning the option is disabled.

Please refer to the Configuration and Tuning Reference Guide for details. 

Centrify Agent™ for Windows 3.4.3

New features and enhancements

  • New Group Policy settings are added:
    • Windows Settings\MFA Settings: "Configure multi-factor authentication lock screen grace period" and "Configure multi-factor authentication user privilege elevation grace period" to support grace periods for multi-factor authentication. The respective grace periods apply to the Windows lock screen and the Run with Privilege feature.
  • A new feature is added that enables self-service password reset for end users. Note that this feature works on all supported Windows operating systems, both endpoint (e.g. Windows 10) and server (e.g. Windows Server 2016).
  • The Centrify group policy "Specify a web proxy URL" now supports a disable feature. When disabled, the agent will not use any proxy server URL setting.
  • Starting with this release of the Centrify Agent, Centrify supports Mobile Device Management (MDM) on Windows 10. When the agent is enabled with the Centrify Identity Services Platform, administrative users can perform MDM enrollment on this device with Centrify Identity Services Platform through context menus in the Centrify system tray icon.
  • A new command-line interface utility "dzleave" is added for leaving a machine's current zone. A machine restart is required for the agent feature to be fully disabled after leaving a zone.
  • Analytics Audit Trail data now includes multi-factor authentication (MFA) Success/Failure events. In addition, MFA success/failure events are now one per MFA Session. In previous versions, the DirectAudit Session ID was always displayed as "N/A". With this release, the DirectAudit Session ID will display the correct value.
  • The Login and Privilege Elevation profiles that in previous versions were found in the "Settings>Authentication>Server and Workstation" tab of the Centrify Admin Portal are now regrouped under "Core Services>Login Policies" and "Core Services>Privilege Elevation Policies". Please note that not all the options are valid for MFA Login or Privilege Elevation.
    • If you have previously created custom profiles in the Admin Portal, the new Admin Portal UI will provide auto generated policies noted as "Infrastructure Policy (Auto generated)".
    • However, some of the new options are supported only by 2017.3 agents, or 2017.2 agents (November 2017 update). For example, irrespective of the "Windows Workstation" setting, older agents will still use the "Unix and Windows Servers" policy even though the machine is identified as a workstation. Also, older agents do not support new options, such as "Device OS" and "Identity Cookie" in the authentication profiles for Login or Privilege Elevation.

Centrify Agent for Windows – Audit

  • Starting with this release, Audit Trail event data is recorded per multi-factor authentication (MFA) session. For example, if a user enters a two-level MFA challenge and one of the challenges is answered incorrectly, only one MFA Failure event is created. In previous releases, Audit Trail events (MFASuccess/MFAFailure) were created per challenge.

Centrify OpenLDAP Proxy

  • OpenLDAP Proxy now supports anonymous query for rootDSE.
  • OpenLDAP Proxy now supports the filter "(&(objectClass=posixGroup)(memberUid=*))".
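The filter in the second bullet is a standard RFC 4515 search filter: an AND of an equality assertion on objectClass and a presence assertion on memberUid. To show how such a filter is parsed and evaluated, the following is an added example written for this page; it is not Centrify code and does not talk to the OpenLDAP Proxy. It parses the common filter forms (AND, OR, NOT, equality, presence, substring, >=, <=) and evaluates them against constructed, dict-shaped directory entries. Simplifications are labelled in the code: values are compared case-insensitively as strings, ~= is treated as equality, and RFC 4515 escape sequences are not decoded.

```python
"""Minimal RFC 4515 LDAP search filter parser and in-memory matcher.
Added example for this page, not Centrify code.
Simplifications: string values compared case-insensitively, '~=' treated as
'=', and \\XX escape sequences are not decoded.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Union

Entry = Dict[str, List[str]]  # attribute name -> list of string values


@dataclass
class Item:
    attr: str
    op: str      # '=', '>=', '<=', 'present' or 'substr'
    value: str


@dataclass
class Node:
    op: str      # '&', '|' or '!'
    children: List["Filter"]


Filter = Union[Item, Node]


class FilterParser:
    """Recursive-descent parser: filter = '(' (set | not | item) ')'."""

    def __init__(self, text: str) -> None:
        self.text, self.pos = text, 0

    def parse(self) -> Filter:
        node = self._filter()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return node

    def _expect(self, ch: str) -> None:
        if self.text[self.pos:self.pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _filter(self) -> Filter:
        self._expect('(')
        ch = self.text[self.pos:self.pos + 1]
        if ch in ('&', '|'):
            self.pos += 1
            children: List[Filter] = []
            while self.text[self.pos:self.pos + 1] == '(':
                children.append(self._filter())
            if not children:
                raise ValueError("empty filter set")
            node: Filter = Node(ch, children)
        elif ch == '!':
            self.pos += 1
            node = Node('!', [self._filter()])
        else:
            node = self._item()
        self._expect(')')
        return node

    def _item(self) -> Item:
        end = self.text.find(')', self.pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        body, self.pos = self.text[self.pos:end], end
        for op in ('>=', '<=', '~=', '='):   # two-character operators first
            if op in body:
                attr, value = body.split(op, 1)
                break
        else:
            raise ValueError(f"no operator in {body!r}")
        if not attr:
            raise ValueError(f"missing attribute in {body!r}")
        if op == '=' and value == '*':
            return Item(attr, 'present', '')       # presence: attr=*
        if op == '=' and '*' in value:
            return Item(attr, 'substr', value)     # substring: attr=ab*cd
        return Item(attr, '=' if op == '~=' else op, value)


def matches(f: Filter, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    if isinstance(f, Node):
        if f.op == '&':
            return all(matches(c, entry) for c in f.children)
        if f.op == '|':
            return any(matches(c, entry) for c in f.children)
        return not matches(f.children[0], entry)
    values = next((v for k, v in entry.items() if k.lower() == f.attr.lower()), [])
    if f.op == 'present':
        return bool(values)
    if f.op == 'substr':
        pattern = '.*'.join(re.escape(p) for p in f.value.split('*'))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    want = f.value.lower()
    if f.op == '>=':
        return any(v.lower() >= want for v in values)   # simplified: string order
    if f.op == '<=':
        return any(v.lower() <= want for v in values)
    return any(v.lower() == want for v in values)


def search(filter_text: str, entries: List[Entry]) -> List[str]:
    """Return the DNs of the entries matching filter_text, in input order."""
    f = FilterParser(filter_text).parse()
    return [e["dn"][0] for e in entries if matches(f, e)]


# Constructed sample directory content (not from any real deployment).
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": ["cn=wheel,ou=Groups,dc=example,dc=com"], "cn": ["wheel"],
     "objectClass": ["top", "posixGroup"], "gidNumber": ["10"],
     "memberUid": ["alice", "bob"]},
    {"dn": ["cn=empty,ou=Groups,dc=example,dc=com"], "cn": ["empty"],
     "objectClass": ["top", "posixGroup"], "gidNumber": ["2001"]},
    {"dn": ["uid=alice,ou=People,dc=example,dc=com"], "uid": ["alice"],
     "objectClass": ["top", "posixAccount"], "uidNumber": ["1001"], "gidNumber": ["10"]},
]
```

Running `search("(&(objectClass=posixGroup)(memberUid=*))", SAMPLE_ENTRIES)` returns only the wheel group: the empty group fails the presence assertion, and the user entry fails the objectClass assertion. A malformed filter such as `(cn=foo` raises ValueError rather than matching anything, which is the behaviour you want from any component that sits in front of a directory.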

Centrify Report Services

  • Report Services now includes the new Delegation and Effective Delegation reports, which provide information on who can do what as defined in Centrify Access Manager. Note that the service account needs additional permission to read ACEs for these reports.
  • The performance of the Right Summary Report is optimized by leveraging newly added views. The new views are:
    • EffectiveAuthorizedUserPrivilegesSummary
    • EffectiveAuthorizedUserPrivilegesSummary_Classic
    • EffectiveAuthorizedUserPrivilegesSummary_Hierarchical
    • EffectiveLocalUserPrivilegesSummary
  • Microsoft SQL Server 2012 SP3 Express is now bundled in the Centrify Report Services package. This version of SQL Server supports TLS 1.2. The resulting size of the installer ISO has increased by ~1 GB.

Centrify Access Manager

  • Added support in the console and in the sudoers import feature for SELinux Role-based Access Control (RBAC). Users can now set the SELinux role and type by using the SELinux Setting button on the Attributes tab of the Command Right object's property page in Access Manager, or by using the ROLE and TYPE fields in the imported sudoers file. These settings are supported only on RHEL and take effect only on machines that have SELinux enabled and are joined to a hierarchical zone.

Centrify Access Module for PowerShell

  • Added support for SELinux RBAC. Users can now set the SELinux role and type using the SELinuxRole and SELinuxType parameters of the New-CdmCommandRight and Set-CdmCommandRight cmdlets. Note that such settings are supported only on RHEL and take effect only on machines that have SELinux enabled and are joined to a hierarchical zone.

Centrify adedit

  • Added a new switch "-nonisserversgroup" to adedit command "create_zone" to allow users to create a hierarchical/classic zone without generating the corresponding zone_nis_servers group.
  • The adedit commands "set_dzc_field" and "get_dzc_field" are enhanced to support the new fields selinux_role and selinux_type for SELinux RBAC.

Centrify Zone Provisioning Agent

  • The registry option SkipOfflineDomain was previously used to skip only the "server not operational" error in order to continue provisioning. It now skips other errors as well.
  • Logging in the CopyGroup tool is improved in this release.

Centrify Auditing & Monitoring Service 3.4.3 (version 2017.3)

General enhancements and changes

  • Added a group policy named "Enable DirectAudit session auditing" to enable/disable DirectAudit on Linux machines.
  • DirectAudit now displays a warning on the command line if the audit.rules system configuration file contains rules that monitor specific files under a DirectAudit-monitored directory tree with a different rule key. Such conflicting rules mean that not all accesses to files in the monitored directories will generate audit trail events and be reported.
  • Command auditing is not currently supported on CoreOS.
  • Updated dainfo -t to support CoreOS.
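The conflict described in the second bullet above (a file watched with one key inside a directory tree watched with another) can be detected by scanning the rules file directly. The following is an added example written for this page, not Centrify's code and not how the agent itself performs the check. It assumes standard auditd rule syntax (`-w PATH [-p PERMS] [-k KEY]` and `-a ... -F dir=PATH -F key=KEY`), a constructed audit.rules sample, and a caller-supplied key name (`da_monitor` here, an assumed value) that identifies the monitored trees.

```python
"""Scan auditd rules for watches that overlap a monitored directory tree
under a different rule key.
Added example for this page, not Centrify code. Rules carrying the given
key define the monitored trees; any other rule whose path lies inside one
of those trees is reported as a conflict.
"""
import shlex
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional


@dataclass
class WatchRule:
    path: str
    perms: str
    key: Optional[str]
    line_no: int


@dataclass
class Conflict:
    line_no: int
    path: str
    key: Optional[str]
    monitored_dir: str


def parse_audit_rules(text: str) -> List[WatchRule]:
    """Extract path-based rules; comment lines and rules without a path are ignored."""
    rules: List[WatchRule] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        toks = shlex.split(line)
        path: Optional[str] = None
        perms, key = '', None
        i = 0
        while i < len(toks):
            tok, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if tok == '-w' and arg is not None:          # -w PATH
                path, i = arg, i + 2
            elif tok == '-p' and arg is not None:        # -p PERMS
                perms, i = arg, i + 2
            elif tok == '-k' and arg is not None:        # -k KEY
                key, i = arg, i + 2
            elif tok == '-F' and arg is not None:        # -F name=value
                name, _, val = arg.partition('=')
                if name == 'key':
                    key = val
                elif name in ('dir', 'path'):
                    path = val
                elif name == 'perm':
                    perms = val
                i += 2
            else:
                i += 1
        if path is not None:
            rules.append(WatchRule(path, perms, key, line_no))
    return rules


def is_under(child: str, parent: str) -> bool:
    """True if child lies strictly inside the parent directory."""
    return PurePosixPath(parent) in PurePosixPath(child).parents


def find_shadowing_rules(rules: List[WatchRule], monitored_key: str) -> List[Conflict]:
    monitored_dirs = list(dict.fromkeys(r.path for r in rules if r.key == monitored_key))
    conflicts: List[Conflict] = []
    for r in rules:
        if r.key == monitored_key:
            continue
        for d in monitored_dirs:
            if is_under(r.path, d):
                conflicts.append(Conflict(r.line_no, r.path, r.key, d))
    return conflicts


def format_warnings(conflicts: List[Conflict], monitored_key: str) -> List[str]:
    return [f"warning: line {c.line_no}: rule for {c.path} uses key {c.key!r} "
            f"but lies under {c.monitored_dir}, which is monitored with key {monitored_key!r}"
            for c in conflicts]


# Constructed sample audit.rules content (not taken from any real system).
SAMPLE_RULES = """# constructed sample audit.rules
-w /etc/ssh -p wa -k da_monitor
-w /etc/sudoers.d -p wa -k da_monitor
-w /etc/ssh/sshd_config -p wa -k baseline_ssh
-a always,exit -F arch=b64 -S openat -F dir=/etc/sudoers.d -F key=da_monitor
-w /etc/sudoers.d/admins -p r -k cis_sudoers
-w /var/log/lastlog -p wa -k logins
"""

if __name__ == "__main__":
    found = find_shadowing_rules(parse_audit_rules(SAMPLE_RULES), "da_monitor")
    print("\n".join(format_warnings(found, "da_monitor")))
```

On the constructed sample the scan flags lines 4 and 6 (sshd_config under /etc/ssh, and admins under /etc/sudoers.d), while the rule on /var/log/lastlog is left alone because it overlaps no monitored tree. The same pass is useful before deploying baseline rule sets (CIS-style watches, for instance) alongside a session-auditing agent, so that overlapping keys are reconciled rather than discovered from missing events.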

Centrify DirectAudit Audit Analyzer and Session Player

Added new Audit Trail events in the following categories:

  • DirectAuthorize - Windows
  • PAM
  • Centrify sshd
  • dzdo
  • dzsh
  • One or more of these newly introduced events supersede existing events in order to log additional information such as whether Multi-Factor Authentication (MFA) is required or not. Please refer to the Centrify Infrastructure Services - Audit Events Administrator’s Guide for more information on the deprecated Audit Trail events.

New Audit Trail events are added to track successful or failed actions when enabling or disabling Centrify Identity Services Platform, Centrify Privilege Elevation Service or Centrify Auditing and Monitoring Service using the Agent Configuration panel.

A new report is added to the Audit Analyzer console to display all Centrify Multi-Factor Authentication (MFA) failure events captured in the environment.

Because of changes from 32-bit to 64-bit binaries, it is required to upgrade both DirectControl and DirectAudit to Suite 2017.3 or later for the following upgrades:

  • Upgrade from Suite 2016.1 (or earlier releases) on AIX
  • Upgrade from Suite 2017.1 (or earlier releases) on RHEL PowerPC
  • Upgrade from Suite 2017.1 (or earlier releases) on SUSE PowerPC
  • Upgrade from Suite 2017.1 (or earlier releases) on Solaris Sparc

If these upgrades are not performed, audit trail events will not be sent to DirectAudit.

Centrify UNIX Agent for Audit

Please note that if a DirectAudit installation has not been set up, "dacontrol -m" will not enable "Advanced Monitoring".

Database

The Centrify Infrastructure Services ISO now packages Microsoft SQL Server 2012 Express SP3 in order to support TLS 1.2.

Centrify Audit Module for PowerShell

Added a new cmdlet "Get-CdaMonitoredExecution" to get the monitored commands being executed on audited machines.

Added a new cmdlet "Get-CdaDetailedExecution" to get the commands being executed on the audited machines, including commands that are run as part of scripts or other commands.

Added a new cmdlet "Get-CdaMonitoredFile" to get the sensitive files being modified by users on the audited machines.

Centrify Agent, Centrify Identity Service, Mac OS Edition for Server Suite 2017.3

  • Please see the release notes file for information on new and enhanced features for the Centrify Agent for Mac. 

Supported Platforms

Support is added for the following operating system platforms in this release:

  • Amazon Linux AMI - latest version (x86_64)
  • CentOS 7.4 (x86_64)
  • CoreOS – latest version (x86_64)
  • Debian 9.2 (x86_64)
  • Fedora 27 (x86_64)
  • Mac 10.13 (x86_64)
  • Oracle Linux 7.4 (x86_64)
  • Ubuntu 17.10 (x86_64)

To see all platforms in the Centrify Server Suites within the extended support period, select “SEE ALL PLATFORM VERSIONS” in www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Website Login for this page.)

Termination of Support

Support is removed for the following operating system platforms in this release:

  • Mac 10.10

This is the last release of Centrify Infrastructure Services in which the following operating system platforms are supported:

  • Fedora 25
  • SUSE 11 SP1 or below
  • Ubuntu 17.04

This is the last release of Centrify Infrastructure Services in which the following Domain Functional Level (DFL) and Forest Functional Level (FFL) are supported:

  • Windows 2003

Security Advisories

Centrify has established product security policies documented in the web page www.centrify.com/product-policy. You may also find the details of all the published security advisories there.

Security Fixes

A security vulnerability in the Centrify-modified open source command line utility “ksu” was fixed.