Identity Management, Authentication and Access Control
“In a world where You can be Anything - Be Kind; In a world where You can Access Anything - Be Ethical.”
NIST PR.AC-1: A Hands-On Guide to Identity Management, Authentication and Access Control
1. Introduction
NIST PR.AC-1 emphasizes the essential aspects of the creation, management, and thorough verification of identities and credentials specifically for authorized devices, users, and processes. This comprehensive guide will provide a variety of practical examples and detailed commands to help you effectively implement robust identity management, secure authentication, and stringent access control practices within your organization.
2. Identity Management
2.1 User Account Creation
Linux Example
To create a new user account with a home directory and a bash login shell, then set its password:
```bash
sudo useradd -m -s /bin/bash newuser
sudo passwd newuser
```
Active Directory Example
Using PowerShell to create a new AD user. The initial password is prompted for as a secure string rather than typed on the command line, where it would be recorded in shell history and transcripts, and the user is forced to change it at first logon:
```powershell
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" `
    -SamAccountName "jdoe" -UserPrincipalName "jdoe@domain.com" `
    -AccountPassword (Read-Host -Prompt "Initial password" -AsSecureString) `
    -ChangePasswordAtLogon $true -Enabled $true
```
2.2 Group Management
Linux Example
Create a new group and add a user to it (-aG appends to the supplementary groups instead of replacing them):
```bash
sudo groupadd developers
sudo usermod -aG developers newuser
```
Active Directory Example
Create a new group and add a user using PowerShell:
```powershell
New-ADGroup -Name "Developers" -GroupScope Global
Add-ADGroupMember -Identity "Developers" -Members "jdoe"
```
2.3 Identity Lifecycle Management
Implement scripts for onboarding, role changes, and offboarding. Example offboarding script (bash). It locks and expires the account, ends any running sessions, strips group memberships, archives the home directory, removes cron jobs, and revokes sudo rules; the sudoers change is made on a copy that visudo validates before it is installed, because a syntax error in /etc/sudoers locks every administrator out. Rules kept in /etc/sudoers.d/ need the same treatment.
```bash
#!/bin/bash
# Offboarding script: usage ./offboard.sh <username>
set -euo pipefail

TARGET="${1:?usage: $0 <username>}"
id "$TARGET" >/dev/null          # abort if the account does not exist

# Disable user account: lock the password and expire the account so key-based logins stop too
sudo usermod -L -e 1970-01-02 "$TARGET"
# End any sessions or processes still running as the user
sudo pkill -KILL -u "$TARGET" || true
# Remove from all groups except primary
sudo usermod -G "" "$TARGET"
# Archive home directory
sudo mkdir -p /archive
sudo tar -czf "/archive/${TARGET}_home.tar.gz" "/home/$TARGET"
# Delete user's cron jobs (no error if there were none)
sudo crontab -r -u "$TARGET" || true
# Revoke all user's sudo privileges: edit a copy, validate it with visudo, then install it
TMP=$(mktemp)
sudo cp /etc/sudoers "$TMP"
sudo sed -i "/^${TARGET}[[:space:]]/d" "$TMP"
sudo visudo -c -f "$TMP" && sudo cp "$TMP" /etc/sudoers
sudo rm -f "$TMP"
```
3. Authentication
3.1 Password Policies
Linux Example (using PAM)
Edit /etc/security/pwquality.conf. A negative credit value means "at least this many characters of that class are required" (digits, upper case, other/special, lower case respectively):
```
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
```
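The credit semantics above are easy to misread, so here is an added checker (my example, not part of the original guide or of pam_pwquality) that applies the same rules to a candidate password. It also models the positive-credit case that the page does not use: with a positive credit, a class is optional and each character of it counts towards minlen, up to the credit. The policy dictionary is a constructed mirror of the configuration file.

```python
# Constructed mirror of the /etc/security/pwquality.conf settings above.
# Negative credit = minimum number of characters required from that class.
# Positive credit = the class is optional, but up to that many characters of it
# count as extra length towards minlen.
POLICY = {"minlen": 14, "dcredit": -1, "ucredit": -1, "lcredit": -1, "ocredit": -1}


def class_count(password: str, credit_key: str) -> int:
    """Number of characters in the password belonging to the class behind `credit_key`."""
    if credit_key == "dcredit":
        return sum(c.isdigit() for c in password)
    if credit_key == "ucredit":
        return sum(c.isupper() for c in password)
    if credit_key == "lcredit":
        return sum(c.islower() for c in password)
    # "other": anything that is not a digit or a cased letter (punctuation, symbols, space)
    return sum(not (c.isdigit() or c.isupper() or c.islower()) for c in password)


def check_password(password: str, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    effective_len = len(password)
    for key in ("dcredit", "ucredit", "lcredit", "ocredit"):
        credit = policy.get(key, 0)
        have = class_count(password, key)
        if credit < 0 and have < -credit:
            problems.append(f"{key}: need at least {-credit} character(s) of this class, found {have}")
        elif credit > 0:
            effective_len += min(have, credit)
    if effective_len < policy["minlen"]:
        problems.append(f"minlen: effective length {effective_len} is below {policy['minlen']}")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one passes, one is long but single-class, one is too short.
    for candidate in ("Tr0ub4dor&3Xyz!", "correcthorsebattery", "Ab1!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the real PAM module applies further checks (dictionary words, similarity to the old password, repeated characters) that this example leaves out; it is meant to show how the credit settings combine, not to replace pam_pwquality.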
Active Directory Example
Set the default domain password policy using PowerShell:
```powershell
Set-ADDefaultDomainPasswordPolicy -Identity yourdomain.com -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24
```
3.2 Multi-Factor Authentication (MFA)
Example using Google Authenticator on Linux
Install Google Authenticator:
```bash
sudo apt-get install libpam-google-authenticator
# each user then runs google-authenticator once to generate their secret and QR code
```
Configure PAM by editing /etc/pam.d/sshd:
```
auth required pam_google_authenticator.so
```
Edit /etc/ssh/sshd_config (on OpenSSH 8.7 and later the directive is named KbdInteractiveAuthentication; the old name is still accepted as an alias):
```
ChallengeResponseAuthentication yes
```
This adds the code to password logins only. Public-key logins do not pass through the PAM auth stack, so to require the code alongside a key you also need an AuthenticationMethods line such as publickey,keyboard-interactive.
Restart the SSH service (keep an existing session open until you have confirmed a new login still works):
```bash
sudo systemctl restart sshd
```
3.3 Certificate-Based Authentication
Example for Apache
Generate a self-signed certificate (fine for testing; production servers should use a certificate issued by a trusted CA):
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/apache-selfsigned.key \
  -out /etc/ssl/certs/apache-selfsigned.crt
```
Configure Apache (in /etc/apache2/sites-available/default-ssl.conf):
```apache
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
```
These directives enable TLS on the server side. To authenticate clients by certificate as well, Apache additionally needs SSLVerifyClient require together with an SSLCACertificateFile naming the CA that issues the client certificates.
4. Access Control
4.1 Discretionary Access Control (DAC)
Linux Example
Set file permissions (750: owner read/write/execute, group read/execute, no access for others) and ownership:
```bash
chmod 750 /path/to/file
chown user:group /path/to/file
```
Windows Example (using icacls)
Grant the user full control (F); the (OI) and (CI) flags make the entry inherit to files and subfolders when it is applied to a directory:
```powershell
icacls "C:\path\to\file" /grant "username:(OI)(CI)F"
```
4.2 Mandatory Access Control (MAC)
SELinux Example
Check SELinux status:
```bash
sestatus
```
Set SELinux mode to enforcing (this takes effect immediately but does not survive a reboot; set SELINUX=enforcing in /etc/selinux/config to make it permanent):
```bash
sudo setenforce 1
```
4.3 Role-Based Access Control (RBAC)
Kubernetes RBAC Example
Define a Role that grants read-only access to pods in the default namespace (role.yaml):
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
Bind the role to a user (rolebinding.yaml):
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Apply these YAML files:
```bash
kubectl apply -f role.yaml
kubectl apply -f rolebinding.yaml
```
To confirm the binding grants only what was intended, kubectl auth can-i list pods --as jane -n default should answer yes, while kubectl auth can-i delete pods --as jane -n default should answer no.
4.4 Attribute-Based Access Control (ABAC)
AWS IAM Policy Example
This is attribute-based because the grant depends on a tag on the calling principal (Department = HR) rather than on the principal's identity or role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Department": "HR"
        }
      }
    }
  ]
}
```
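To show how such a policy is actually decided, here is an added evaluator (my example, not AWS's engine or code from the page) that applies the IAM decision rules to the policy above: every request starts as an implicit deny, an explicit Deny statement always wins, and an Allow only counts when its Action, Resource and Condition all match. It models the two string operators needed here (StringEquals, plus StringLike for wildcards) and IAM's case-insensitive action matching; the request contexts at the bottom are constructed.

```python
import json
import re

# The policy from the page, embedded verbatim so the example runs offline.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": { "aws:PrincipalTag/Department": "HR" }
      }
    }
  ]
}
'''


def as_list(value):
    """IAM lets Action, Resource and condition values be a single string or a list."""
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context (principal tags etc.)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies StringEquals/StringLike
            if operator == "StringEquals":
                ok = actual in as_list(expected)
            elif operator == "StringLike":
                ok = any(wildcard_match(p, actual) for p in as_list(expected))
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return 'Allow' or 'Deny': explicit Deny wins, then any matching Allow, else implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # action names are case-insensitive in IAM; resource ARNs are not
        if not any(wildcard_match(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(wildcard_match(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


POLICY = json.loads(POLICY_JSON)

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/payroll/2024.csv"  # constructed object key
    print(evaluate(POLICY, "s3:GetObject", obj, {"aws:PrincipalTag/Department": "HR"}))           # Allow
    print(evaluate(POLICY, "s3:GetObject", obj, {"aws:PrincipalTag/Department": "Engineering"}))  # Deny
    print(evaluate(POLICY, "s3:GetObject", obj, {}))                                              # Deny: tag absent
```

The third case is the one worth remembering: a principal with no Department tag at all is denied, so ABAC only works as intended if tagging is enforced at identity creation and tag changes are themselves access-controlled.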
5. Monitoring and Auditing
5.1 User Activity Monitoring
Linux Example (using auditd)
Install auditd:
```bash
sudo apt-get install auditd
```
Configure audit rules in /etc/audit/audit.rules (on distributions that use augenrules, put them in a file under /etc/audit/rules.d/ instead, since audit.rules is regenerated from that directory). -p wa watches for writes and attribute changes, and the -k key tags matching records so they can be retrieved with ausearch -k identity:
```
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
```
Restart auditd (on RHEL-family systems the unit refuses manual stop, so use sudo service auditd restart or load the rules with sudo augenrules --load):
```bash
sudo systemctl restart auditd
```
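Rules only help if someone reads what they produce, so here is an added parser (my example, not part of the original guide or of the audit package) for the records those -w rules generate. auditd writes several records per event (SYSCALL, CWD, PATH, ...) linked by the serial number inside msg=audit(timestamp:serial); the code joins them, keeps the events tagged key="identity", reports the login uid (auid, which survives su and sudo and therefore names the human), and flags any change to the identity files made by something other than the usual account-management tools. The log lines and the list of expected tools are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of what auditd writes for the -w rules above (fields abridged).
# Event 5001: useradd adding an account; 5002: an interactive editor opening /etc/shadow;
# 5003: an unrelated read that matched no rule (key=(null)).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:5001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4321 pid=4322 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=PATH msg=audit(1700000000.101:5001): item=0 name="/etc/passwd" inode=1310 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:5002): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=5100 pid=5101 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1700000000.250:5002): item=0 name="/etc/shadow" inode=1312 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:5003): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=5200 pid=5201 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
"""

# Tools that legitimately rewrite these files; anything else deserves a look (constructed list).
EXPECTED_TOOLS = {"useradd", "usermod", "userdel", "groupadd", "groupmod", "groupdel",
                  "passwd", "chage", "chpasswd", "vipw", "vigr"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_line(line: str) -> dict:
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ts, serial = SERIAL_RE.search(fields["msg"]).groups()
    fields["timestamp"], fields["serial"] = float(ts), int(serial)
    return fields


def group_events(log: str) -> dict:
    """auditd emits several records per event; join them on the serial number."""
    events = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["serial"]].append(rec)
    return events


def identity_changes(log: str) -> list:
    """Return one summary per event whose SYSCALL record carries key="identity"."""
    summaries = []
    for serial, records in sorted(group_events(log).items()):
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != "identity":
            continue
        paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
        summaries.append({
            "serial": serial,
            "auid": int(syscall["auid"]),  # login uid: survives su/sudo, so it names the human
            "uid": int(syscall["uid"]),
            "comm": syscall["comm"],
            "exe": syscall["exe"],
            "paths": paths,
            "success": syscall.get("success") == "yes",
        })
    return summaries


def suspicious(summaries: list) -> list:
    """Flag identity-file writes made by something other than the usual account tools."""
    return [s for s in summaries if s["comm"] not in EXPECTED_TOOLS]


if __name__ == "__main__":
    changes = identity_changes(SAMPLE_LOG)
    for s in changes:
        print(f"{s['serial']}: auid={s['auid']} {s['comm']} -> {s['paths']}")
    print("review:", [s["serial"] for s in suspicious(changes)])
```

The same grouping logic is what ausearch does internally; the point of doing it in code is to turn "who touched /etc/shadow with what" into a question a scheduled job can answer and forward to the SIEM described in the next section.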
5.2 Access Logs Analysis
Example using ELK Stack
Install Filebeat:
```bash
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.13.0-amd64.deb
sudo dpkg -i filebeat-7.13.0-amd64.deb
```
Configure Filebeat to ship Apache logs (/etc/filebeat/filebeat.yml):
```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/apache2/access.log
output.elasticsearch:
  hosts: ["localhost:9200"]
```
Start Filebeat:
```bash
sudo systemctl start filebeat
```
6. Best Practices
Implement the principle of least privilege
Regularly review and audit access rights
Use strong, unique passwords for each account
Implement and enforce MFA wherever possible
Keep all systems and software up to date
Use centralized identity management solutions (e.g., LDAP, Active Directory)
Implement network segmentation to limit access
Use encryption for data at rest and in transit
Conduct regular security awareness training
Implement and test an incident response plan