Sudo is an application for Unix and Linux operating systems that allows users to run programs with the security privileges of another user. In its basic form, it is by definition a least privilege application for controlling privileged access management. By default, sudo runs all elevated commands as ‘superuser.’ Modern versions of sudo have support for running commands not only as the superuser but also as other (restricted) users, thus creating a limited least privilege solution. Sudo is often used for administrative tasks only.
Sudo’s Challenges
For most administrators, sudo is good enough in terms ofleast privilege functionality, but the management falters in terms of scalability. Administrators must maintain individual sudoers files on each host, and coupled with the headache of trying to consolidate log data, this can create a large burden on daily administration and maintenance of the tool. Often times this problem just creates new issues on its own with referential integrity of files and poor change management.
What’s Needed to Improve Sudo
For any environment with multiple Unix and Linux systems, whether physical, virtual, or cloud, sudo users have a need to centralize the management of many different sudoers policy files to solve these inherent problems. In addition, to ensure the integrity of the log data, the log information needs to be stored in a location other than where commands are being elevated for security and to prevent potential tampering.
BeyondTrust provides a quick and easy way to move multiple suoders files to one server and at the same enforces both eventlog and session log to be created and stored on a centralized server rather than the local issuing client.
BeyondTrust Privilege Management for Unix & Linux provides a best of breed approach to manage multiple policy files, apply version control to sudo files, and even roll-back capabilities around those policy files to ensure constancy and integrity throughout your environment.
In addition, PowerBroker for Sudo provides secure and reliable logging at the event and session level to a centralized location leveraging the BeyondInsight, privileged access management platform.
If you are using sudo for least privilege on your non-critical Unix or Linux servers, it doesn’t have to be so hard! Contact us today to learn more about how we can help address your most pressing server privilege management challenges.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
