Jenkins – Matrix access control, Active Directory, and Audit Compliance Logging

For Jenkins 1.x (tested with 1.656)

Jenkins and its plugins provide a pretty good way to get granular access control over the system and over individual projects.

This setup will allow you to:

  • Log in via an Active Directory user (individual or member of an AD group)
  • Granular access and visibility control over projects, the Jenkins system, and more
  • ISO27k/ITHC compliant audit logging to a syslog server
    • A copy of every change made, and of the system configuration, will be logged with the Job Config History plugin

You can download Jenkins from here: https://jenkins.io/

I recommend adding the Jenkins Yum/Apt repository entries to the OS, as this makes keeping Jenkins updated much easier.

Install the following plugins:

You can install them from the UI via Manage Jenkins -> Manage Plugins, or copy the downloaded .hpi files into the Jenkins plugins directory and restart the service.

Configuration

Active Directory

Manage Jenkins -> Configure Global Security -> Access Control -> Security Realm -> Active Directory -> Domain Name

Configure the base domain name. For example – directlyops.com. Hitting Test should result in a Success message. If it doesn’t, you may have to configure more settings under Advanced.

Manage Jenkins -> Configure Global Security -> Access Control -> Authorization -> Project-based Matrix Authorization Strategy

Under user/group to add, enter the name of the AD user or group you want to control access for. The domain prefix is not required.

From here, you can also assign permissions for specific items, such as the ability to Run and View a job. Anyone with the Administer permission can see all jobs and do anything in the environment. It’s recommended that you add a user with this permission and verify that their login works before you remove the anonymous access rights, otherwise you can lock yourself out.

That’s it! You should be able to log into Jenkins with the domain username and password (no prefix or SPN form required).

Within a Jenkins job, you can now enable Project-based security and then add the AD group or usernames to limit visibility/control to specific groups or users.

Audit Trail

If you’re in an environment where you need or want a reliable audit trail for compliance reasons, then you’re likely already running Red Hat or CentOS (SELinux!). The Audit Trail plugin can provide a similar audit trail for Jenkins, written to a file or to a syslog server.

Manage Jenkins -> Configure System -> Audit Trail

This is where you add loggers. If you want to test it, add a Syslog server logger that writes to localhost on port 514; the audit trail will most likely show up in /var/log/messages. If you’re running rsyslog, adding a config at /etc/rsyslog.d/jenkins_audit.conf lets you separate the Jenkins audit log from the main log and do more with it.

I prefer using the syslog server output, and then chaining syslog out to Logstash for ElasticSearch logging.
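Here is an added example of the rsyslog drop-in referred to above (not from the original post): it receives the plugin’s syslog output on localhost, writes it to its own permission-restricted file, and forwards a copy to Logstash. It assumes rsyslog 7 or later (RainerScript syntax) and that the Audit Trail plugin’s syslog logger uses the app name "jenkins"; the Logstash host and port are placeholders.

```conf
# /etc/rsyslog.d/jenkins_audit.conf  (added example, not from the original post)
# Assumes rsyslog 7+ (RainerScript syntax) and that the Audit Trail plugin's
# syslog logger sends to localhost:514 with the app name "jenkins" (assumption:
# check the logger's app name setting and adjust the match below to suit).

# Listen on UDP 514, loopback only, so the collector is not reachable from
# the network. The input is bound to its own ruleset (defined below).
module(load="imudp")
input(type="imudp" address="127.0.0.1" port="514" ruleset="jenkins_audit")

# One line per event with an RFC 3339 timestamp, which is easier to correlate
# with other systems than the default syslog date.
template(name="JenkinsAuditLine" type="string"
         string="%timegenerated:::date-rfc3339% %hostname% %programname% %msg%\n")

ruleset(name="jenkins_audit") {
    if $programname == "jenkins" then {
        # Dedicated file, not world-readable: the trail records who changed
        # what in Jenkins, so treat it like any other audit log.
        action(type="omfile" file="/var/log/jenkins/jenkins_audit.log"
               template="JenkinsAuditLine"
               fileOwner="root" fileGroup="adm" fileCreateMode="0640"
               dirCreateMode="0750" createDirs="on")

        # Ship a copy off-box to Logstash over TCP with a disk-assisted queue,
        # so the trail survives a Logstash outage. Host and port are
        # placeholders for your environment.
        action(type="omfwd" target="logstash.example.internal" port="5514"
               protocol="tcp" template="JenkinsAuditLine"
               queue.type="LinkedList" queue.filename="jenkins_audit_fwd"
               queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    }
    # Anything else arriving on this port does not match and is discarded.
}
# Because the input is bound to this ruleset, these events never reach the
# default ruleset and therefore no longer land in /var/log/messages.
```

Restart rsyslog after adding the file, then save a Jenkins job configuration and confirm the entry appears in /var/log/jenkins/jenkins_audit.log rather than in /var/log/messages.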

Job Config History

This plugin tracks exactly what the config changes were, keeping version history for the system config and for every job config. The audit trail is good for telling you what was modified and who modified it; this plugin keeps track of what the changes themselves were.

System configuration tracking is not enabled by default, and you can only restore previous job configurations, not the system configuration (although you can still view the system changes).
