What’s New in Conjur 4.7
June 13, 2016 | DevOps | Dustin Collins
We are proud to announce the release of Conjur 4.7! Conjur is privileged access management and security software that helps digital businesses secure access to the thousands of system resources that compose modern applications.
This release focuses on enhancing Conjur’s core functionality with several new features and improving the scalability of existing systems. Highlights include:
- Built-in rotators for secrets
- LDAP Sync in the Conjur UI
- Forwarding audit events to external systems like Splunk and ELK
Please see the full 4.7.0 release notes for more details and the full list of changes in this release.
Read on to learn more about the major new features in Conjur 4.7.
Built-in rotators for secrets
The longer a secret remains unchanged, the more vulnerable it becomes. The way to mitigate this risk is to use a complex secret and to change it often. The Conjur rotator service meets this requirement by automatically generating and rotating the secrets used to access an underlying system.
Rotators released in Conjur 4.7 enable rotation of these targets:
- AWS secret access keys
- PostgreSQL database passwords
- Conjur Host Factory tokens stored in S3
Rotation is enabled by annotating variables with the rotator to use and a TTL (how often to rotate).
For example, an excerpt of a Conjur policy that sets up rotation of AWS credentials (the variable entry carrying the rotation annotations is abbreviated here):

```yaml
- !variable region
- !variable access_key_id
rotation/ttl: P1D # 1 day
```
Future releases of Conjur will include rotators for more targets.
Read more about rotation on our developer site.
LDAP Sync in the Conjur UI
LDAP Sync imports corporate Active Directory or POSIX LDAP structure into the Conjur environment. When users are added to or removed from AD/LDAP, these changes are reflected automatically in Conjur. AD/LDAP serves as the system of record for users and groups, while Conjur is the master source of machine identity, privileges and secrets.
LDAP Sync can now be configured and triggered in the Conjur UI. A connection to an existing LDAP/AD system can be established and saved in the Conjur UI for later use. Users and groups can be filtered so that only the entities you want are synced to Conjur. Users' public keys can be synced as well, which makes it easy to start governing SSH access with Conjur.
Read more about LDAP Sync on our developer site.
Forwarding audit events to external systems like Splunk and ELK
Conjur’s audit log contains events detailing everything that happens in the Conjur environment. The Conjur audit log tells a complete audit and compliance story. Shipping audit events to a centralized logging platform (Splunk, ELK, etc.) is a new capability in Conjur v4.7.0. This allows you to use your existing log management systems to inspect, and alert on, events happening in Conjur.
Conjur 4.7 exposes a log-rotated JSON file `audit.messages` that can be forwarded to any log aggregation platform. Since the logs are JSON, fields are parsed on ingestion and are easily searchable. Alerts and notifications can then be triggered on events in Conjur. For example, an alert can be sent to your InfoSec team if a user is repeatedly denied `sudo` access on a host. A second example: a notification can be sent to a Slack room on policy updates, increasing the visibility into how your organization’s security policy changes over time.
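As an added example (not code from the original post or from Conjur itself), here are the two alerts described above implemented as detection logic over a constructed sample of JSON audit lines; the field names `action`, `privilege`, `allowed`, `role` and `resource` are assumptions and would need to be mapped to the real `audit.messages` schema on ingestion:

```python
import json
from collections import Counter

# Constructed sample of newline-delimited JSON, shaped like a log-rotated
# audit file shipped to Splunk or ELK. Field names are assumed, not Conjur's.
SAMPLE_AUDIT_MESSAGES = "\n".join(json.dumps(e) for e in [
    {"action": "check", "privilege": "sudo", "allowed": False,
     "role": "user:alice", "resource": "host:prod/web-01"},
    {"action": "check", "privilege": "sudo", "allowed": False,
     "role": "user:alice", "resource": "host:prod/web-01"},
    {"action": "check", "privilege": "sudo", "allowed": False,
     "role": "user:alice", "resource": "host:prod/web-01"},
    {"action": "check", "privilege": "sudo", "allowed": True,
     "role": "user:bob", "resource": "host:prod/web-01"},
    {"action": "policy:load", "role": "user:carol",
     "resource": "policy:prod/secrets"},
])

def parse_audit_lines(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line truncated at rotation time must not halt ingestion
    return events

def repeated_sudo_denials(events, threshold=3):
    """Map (role, host) -> count for roles denied `sudo` at least `threshold` times."""
    denials = Counter(
        (e["role"], e["resource"])
        for e in events
        if e.get("action") == "check"
        and e.get("privilege") == "sudo"
        and e.get("allowed") is False
    )
    return {key: n for key, n in denials.items() if n >= threshold}

def policy_updates(events):
    """List (role, policy) for every policy load, e.g. to post to a Slack room."""
    return [(e["role"], e["resource"]) for e in events
            if e.get("action") == "policy:load"]
```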
See the release notes for Conjur 4.7 for a full list of all changes in this new release.
Contact us for release access and upgrade instructions, or if you have any questions. We hope you enjoy this new release of Conjur!