What’s New in Conjur 4.7


June 13, 2016 | DevOps | Dustin Collins

We are proud to announce the release of Conjur 4.7! Conjur is privileged access management and security software that helps digital businesses secure access to the thousands of system resources that compose modern applications.

This release focuses on enhancing Conjur’s core functionality with several new features and improving the scalability of existing systems. Highlights include:

Please see the full 4.7.0 release notes for more details and the full list of changes in this release.

Read on to learn more about the major new features in Conjur 4.7.

Built-in rotators for secrets

The longer a secret remains unchanged, the more vulnerable it becomes. The way to mitigate any risk of compromise is to use a complex secret and to change it often. The Conjur rotator service meets this requirement by automatically generating and rotating the secrets used to access an underlying system.

Rotation in the Conjur UI

Rotators released in Conjur 4.7 enable rotation of these targets:

Rotation is enabled by annotating variables with the rotator to use and a TTL (how often to rotate).
For example, setting up rotation of AWS credentials with Conjur policy:

- !policy
id: aws
- !variable region
- !variable access_key_id
- !variable
id: secret_access_key
rotation/rotator: aws/secret_key
rotation/ttl: P1D # 1 day

Future releases of Conjur will include rotators for more targets.

Read more about rotation on our developer site.

LDAP Sync in the Conjur UI

LDAP Sync imports corporate Active Directory or POSIX LDAP structure into the Conjur environment. When users are added to or removed from AD/LDAP, these changes are reflected automatically in Conjur. AD/LDAP serves as the system of record for users and group, while Conjur is the master source of machine identity, privileges and secrets.

LDAP Sync in Conjur UI

LDAP Sync can now be configured and triggered in the Conjur UI. A connection to an existing LDAP/AD system can be established and saved in the Conjur UI for later use. Users and groups can be filtered so that only the entities you want are synced to Conjur. Additionally, public keys can be synced as well. This makes it easy to start governing SSH access with Conjur.

Read more about LDAP Sync on our developer site.

Forwarding audit events to external systems like Splunk and ELK

Conjur’s audit log contains events detailing everything that happens in the Conjur environment. The Conjur audit log tells a complete audit and compliance story. Shipping audit events to a centralized logging platform (Splunk, ELK, etc) is a new capability in Conjur v4.7.0. This allows you to use your existing log management systems to inspect, and alert on, events happening in Conjur.

Conjur audit event in Splunk

Conjur 4.7 exposes a logrotated JSON file `audit.messages` that can be forwarded to any log aggregation platform. Since the logs are JSON, fields are parsed on ingestion and easily searchable. Alerts and notifications can then be triggered on events in Conjur. For example, an alert can be sent to your InfoSec team if a user is repeatedly denied `sudo` access on a host. A second example: a notification can be sent to a Slack room on policy updates, increasing the visibility into how your organization’s security policy changes over time.

Read more about audit forwarding on our developer site.
Also, see our Splunk integration page for an illustrated example.

See the release notes for Conjur 4.7 for a full list of all changes in this new release.

Contact us for release access and upgrade instructions, or if you have any questions. We hope you enjoy this new release of Conjur! 




Keep up-to-date on security best practices, events and webinars.

Share This