The concept of least privilege states that all users should have the lowest level of access privileges required to effectively conduct their jobs. However, many basic OS, management, application and software functions (e.g. configuration utilities) for Unix and Linux platforms require more than just basic privileges. This traditionally requires end users to possess elevated privileges in the form of root or administrative usernames and passwords. To overcome this inherent security and compliance risk, organizations must remove the need to distribute and maintain root and administrative credentials – or even reveal these credentials to end users at all – without impacting user or administrator productivity. That’s where third-party commercial solutions come in. Third-party solutions offer multiple benefits over built-in capabilities such as sudo.
But where do you start? How do you know what to tackle first?
Our 25+ years in pioneering the Unix/Linux least privilege market tells us that you can reduce Unix/Linux attack surfaces and improve compliance by doing five basic things really well. I’ve mapped certain capabilities in PowerBroker for Unix & Linux into these use cases. How well are you performing these activities now?
1) Removing the need to log in as root
Many system and application users of Unix and Linux use the phrase, “I need root,” indicating that they can only perform their daily job functions if they can logon using the most powerful user on the system, named “root”. Root is often referred to as the “God” user as there is practically nothing that the root user cannot do. Allowing the usage of this account removes the ability to audit an individual’s actions (promoting account sharing) and inhibits the use of a strong, changeable password for the root account due to the need of multiple persons using the account at any given time. This behavior dramatically increases the risk posed to the organization from both the insider threat via malicious and accidental behaviors as well as additional exposure from external threats due to weak and non-changing passwords.
PowerBroker for Unix & Linux implements a true least privilege delegation model, allowing users to run any command at a higher privilege level so long as allowed by the centralized policy. Removing the need for users to logon as root allows the root user account to have much tighter security controls or be moved to a password management system such as PowerBroker Password Safe.
2) Achieving compliance for the root account – indelible audit trail, unimpeachable logs
The most senior admins will, from time to time, have a legitimate need to use the root account due to the types of system level changes being made or just because of the ad-hoc nature of the commands they may need to issue. However, the compliance team needs to monitor ALL activity and ensure accountability for actions, especially considering the privilege level being used during these sessions. Allowing system administrators access to such an account, the compliance teams needs to identify who was using the root account, when they were using the root account and what changes were made by the root account. In addition, it is very important that log files are fully protected from any sort of tampering.
PowerBroker for Unix & Linux allows standard named user accounts to elevate to a root level with full session logging, providing a centralized indelible audit trail and ultimate accountability for each individual system administrator.
3) Consolidating event logs, and making reporting and analytics readable
It’s no secret that, by their command line nature, Unix and Linux systems don’t lend themselves to easily-consumed reporting. However, reporting is essential – especially when conducting forensic investigations on logs, or detecting anomalies.
BeyondTrust has solved this problem with integration between PowerBroker for Unix & Linux and our central privileged access management platform. PowerBroker sends event log data to BeyondInsight for presentation on the dashboard; specifically, the who, what, where and when of events. This data can then be presented in easy-to-consume reports, with access to the data cube for building custom reporting as well. This data can be correlated with other threat analytic data in BeyondInsight for anomaly detection and reporting.
This report provides detailed events for PowerBroker for Unix & Linux and the corresponding Threat Level based on the number of application launches and risk.
This integration makes reporting on Unix and Linux events simpler, faster and easier to read so stakeholders can have a more accurate picture of their privilege risks.
4) Faster forensics when time is of the essence
Logging all Unix/Linux user activity can quickly become overwhelming. When a forensic investigation needs to be performed, organizations can waste time and manpower performing investigations.
With PowerBroker for Unix & Linux, event logs can be dynamically named, centrally located, and access controlled in the PowerBroker central console. PowerBroker utilizes SOLR to index all recorded sessions, with all information accessible via command line or REST API.
5) Session recording – everything typed, everything seen
Least privilege is an ideal for most security groups, but sometimes you just need to turn over a privileged shell, such as a root level shell. Strict auditing is a good way to keep honest people honest, so for trusted admins, a full root shell is often no issue so long as their activity is recorded in a tamperproof way to meet compliance needs.
One simple line in PowerBroker for Unix & Linux policy turns on full session recording which is then dynamically named and automatically indexed using SOLR. This capability enables organizations to view the session in many different ways: by interactive playback, video style playback, view session transcript, view the command history, or in a searchable index. This capability provides flexibility to quickly turn on and search use activity, reducing risk.
Sudo has been around for a long time, but as the number of systems and users has grown, management of sudo has become very time consuming. Coupled with limitations of the controls available in sudo, systems now seem overly exposed to an increasing number of internal and external security threats. PowerBroker for Unix & Linux provides a far more flexible policy language allowing for infinitely more granular policies to be created at both the command and system level. PowerBroker for Unix & Linux increases security in several ways, including moving the policy and log data off the users’ workstation or server, utilizing the latest encryption technology for data both in transit and at rest.
The compliance and security benefits of using a commercial least privilege solution such as PowerBroker vs. native sudo capabilities is significant. As you consider how to improve the maturity of your Unix/Linux compliance and security, consider the five use cases I discussed here. If you would like to learn more about PowerBroker for Unix & Linux, or to schedule a one-on-one demo of these capabilities, contact us today.
Paul Harper, Product Manager, BeyondTrust
Paul Harper is product manager for Unix and Linux solutions at BeyondTrust, guiding the product strategy, go-to-market and development for PowerBroker for Unix & Linux, PowerBroker for Sudo and PowerBroker Identity Services. Prior to joining BeyondTrust, Paul was a senior architect at Quest Software/Dell. Paul has more than 20 years of experience in Unix/Linux operations and deployments.