Like so many other technologies that help you implement least privilege over admins, sudo can be awesome. At the end of the day you are making the risks more granular, but the risks are still there.
Take a help desk staffer who needs to handle forgotten password resets for end users. Giving a privileged user like that just the authority she needs to get her job done is far less risky than giving her full root authority. But there’s still risk, right? If she is dishonest or becomes disgruntled, she can reset the password of your chief engineer or CEO and access some heavy-duty information.
So with any trusted user (whether a privileged admin or an end user whose responsibilities require access to sensitive resources) you are ultimately left with detective and deterrent controls. You can’t prevent a user from trying to use whatever authority they have for evil, but at least you can audit their activity. Ideally, this gives you the chance to detect it and respond, and at the very least it ensures accountability, which is an important deterrent control. After all, if you know everything you do is being recorded and subject to review, you’ll probably think more than twice about doing something bad.
Besides being a control against malicious insiders, a privileged user audit trail is irreplaceable in today’s environment of advanced and persistent attackers. Such attackers actively try to gain privileged access, so you also need the ability to actively monitor privileged user activity for quick detection of suspicious events.
In past webinars with BeyondTrust I’ve talked about how to use sudo to control what admins can do. In this webinar I’ll look at how to audit what admins do inside Linux and UNIX with sudo’s logging capabilities. Then, the BeyondTrust team will walk through how to augment sudo for complete control and auditing over UNIX and Linux user activity.

Randy Franklin Smith, CEO, Monterey Technology Group, Inc.; CISA, SSCP, Security MVP
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations.