As a security professional, chances are that when you hear the words Unix/Linux you picture a set of hard problems, and protecting privileged access is chief among them. Many organizations struggle to secure, control, and monitor privileged accounts and credentials in Unix/Linux environments effectively and efficiently.
In this blog post, we'll explore the common challenges of Unix/Linux security and how effective management of Unix/Linux privileged accounts can mitigate a number of security risks. If you would like a deeper dive into this subject, check out my new white paper, Simplifying the Unix/Linux Security Puzzle.
The Inherent Problem with Unix/Linux
To effectively protect Unix/Linux accounts and credentials, organizations must implement controls that allow for central management of their privileged accounts throughout the enterprise. These organizations must also secure and manage SSH keys and other secrets. They also need to proactively secure privileged user sessions while continuously monitoring privileged access to detect unusual activity.
Already you can see that shoring up defenses takes a number of steps. Attackers know this too, which makes Unix/Linux systems a popular and prime target. So, what can you do?
Evolving Beyond Sudo To Secure Your Unix/Linux Privileged Accounts
One option for controlling privileged accounts is sudo. However, making sudo meet privileged access security and compliance needs requires costly, laborious custom configuration. Although it can help with some privileged-account challenges, its usefulness is limited and it does not scale well.
If your server infrastructure is relatively small and simple, sudo can be a workable way to control Unix/Linux privileged accounts. If your infrastructure is medium to large, or even moderately complex, sudo will prove inadequate. It also falls short on administrative efficiency, architectural coherence, and the security-related compliance requirements needed to protect your critical assets.
Here are three key challenges you will face if you try to make sudo serve as your primary controller over Unix/Linux privileged account security:
1. Management burden and complexity: Sudo has no built-in mechanism for centralized administration. Each host enforces only its own /etc/sudoers file (plus whatever sits in /etc/sudoers.d), so your system administrators will expend considerable energy, and patience, building sudoers files and pushing them out to every server. Sudoers aliases can group hosts, classify users by role, and tie the two to command lists, but those groupings live in each local file rather than in one authoritative place, and sudo does not integrate well with identity management systems unless you layer an LDAP-backed sudoers store on top.
2. Security risk: Because local files control sudo, those files become a security risk in their own right, and the burden of distributing them correctly falls on your security admins. Done properly, each server or class of server needs its own tailored file; in practice administrators take shortcuts and ship one permissive file everywhere, which overprovisions privilege to admins. Worse, anyone who can already become root on a host can edit /etc/sudoers or drop a file into /etc/sudoers.d, so a local admin can rewrite the very policy that is supposed to constrain them.
3. Compliance issues: Auditors dislike distributed sudoers files because they encode "static trust": the decision about who may do what is baked into a file on each host rather than evaluated centrally against a policy, and every one of those files must itself be secured, kept consistent, and proven so. That makes passing audits harder than it needs to be.
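To make the "shortcut" risk concrete, here is an added example (my own illustration, not code from the original post or from BeyondTrust) that parses a constructed sudoers file and flags exactly the properties auditors object to: ALL commands, ALL hosts, a runas list of ALL, NOPASSWD, and shell-capable commands granted without NOEXEC. The host names, group names and aliases are made up, and the parser covers only a simplified subset of the sudoers grammar.

```python
"""Audit sudoers user specifications for the over-broad shortcuts described above.
Added example, not code from the original post or from BeyondTrust. Handles a simplified
subset of the sudoers(5) grammar (aliases, host/runas/tag/command fields, continuation
lines) and ignores negation, wildcards, Defaults and include directives."""
import os
import re
from collections import namedtuple

# Tags sudoers(5) allows in front of a command list, written as TAG: in the file.
TAG_WORDS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
# Programs that can hand the caller a shell; sudoers(5) recommends NOEXEC or sudoedit.
SHELL_ESCAPERS = {"sh", "bash", "dash", "zsh", "vi", "vim", "less", "more", "su"}
ALIAS_RE = re.compile(r"^(User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.+)$")
# A user specification: user  hosts = (runas) [TAG: ...] commands; (runas) is optional.
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(\s*([^)]*)\)\s*)?(.+)$")
Rule = namedtuple("Rule", "lineno user hosts runas tags commands")

def _logical_lines(text):
    """Yield (first_lineno, line) with backslash-newline continuations joined."""
    buf, start = "", 0
    for i, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = i
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def parse_sudoers(text):
    """Return (aliases, rules); aliases maps alias kind -> name -> list of members."""
    aliases = {k: {} for k in ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")}
    rules = []
    for lineno, line in _logical_lines(text):
        if not line or line.startswith(("#", "@include", "Defaults")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            user, hosts, runas, rest = m.groups()
            words, tags = rest.split(), set()
            while words and words[0].rstrip(":") in TAG_WORDS:
                tags.add(words.pop(0).rstrip(":"))
            # No (runas) list means runas_default, which is root.
            runas = (runas or "root").replace(" ", "")
            rules.append(Rule(lineno, user, hosts, runas, tags, " ".join(words)))
    return aliases, rules

def _expand(value, table):
    """Replace alias names in a comma-separated list with their members (aliases may nest)."""
    out = []
    for item in filter(None, (x.strip() for x in value.split(","))):
        out.extend(_expand(",".join(table[item]), table) if item in table else [item])
    return out

def audit(text):
    """Return one human-readable finding per risky property of each rule."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for r in rules:
        where = f"line {r.lineno} ({r.user})"
        cmds = _expand(r.commands, aliases["Cmnd_Alias"])
        hosts = _expand(r.hosts, aliases["Host_Alias"])
        if "ALL" in cmds:
            findings.append(f"{where}: ALL commands, i.e. unrestricted root")
        if "ALL" in hosts:
            findings.append(f"{where}: applies on ALL hosts, so the grant ships to every server")
        if r.runas in ("ALL", "ALL:ALL"):
            findings.append(f"{where}: may run as any user")
        if "NOPASSWD" in r.tags:
            findings.append(f"{where}: NOPASSWD removes re-authentication")
        for cmd in cmds:
            if cmd != "ALL" and "NOEXEC" not in r.tags \
                    and os.path.basename(cmd.split()[0]) in SHELL_ESCAPERS:
                findings.append(f"{where}: {cmd} can spawn a shell; use NOEXEC or sudoedit")
    return findings

SAMPLE_SUDOERS = """\
# Constructed sample for this example, not a file taken from any real host.
Defaults    env_reset
Host_Alias  WEBSERVERS = web01, web02
Cmnd_Alias  WEB_SVC = /usr/bin/systemctl restart nginx, \\
                      /usr/bin/systemctl status nginx
Cmnd_Alias  EDITORS = /usr/bin/vi, /usr/bin/vim
# The shortcut the post warns about: everyone, everywhere, everything, no password.
%wheel      ALL = (ALL) NOPASSWD: ALL
# Host-scoped, command-scoped grant that the same grammar can express.
%webops     WEBSERVERS = (root) WEB_SVC
# Looks narrow, but both editors can escape to a shell.
alice       web01 = EDITORS
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

Run against the sample, the %wheel line produces four findings, the %webops line none, and the alice line two (one per editor). The point is not that sudoers cannot express the tight rule; it can, as the %webops line shows. The point is that nothing outside the host checks that every copy of the file actually does so.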
Sudo can help in the simplest of environments, but it is not an enterprise-class tool and has serious shortcomings. So, what can you do to gain effective and efficient control over privileged accounts across your Unix and Linux server estate?
The Answer: A Unified, Comprehensive PAM Solution
When assessing the exposure of a Unix/Linux system, determine who can reach it from other systems. If your server trusts root on other systems, for example through keys in root's authorized_keys file or legacy rhosts-style host trust, then anyone with root access on those servers can become root on yours. This is something you definitely want to audit and eliminate.
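Auditing that trust means reading three things on the host: root's authorized_keys, root's .shosts or .rhosts, and the sshd_config keywords that decide whether either is honored. The following added example (mine, not code from the original post or from BeyondTrust) does that on constructed file contents; the key blobs, host names and addresses are placeholders, and the checks model OpenSSH behavior as I understand it, including that OpenSSH does not consult /etc/hosts.equiv for root and treats any PermitRootLogin value other than no as allowing key-based root login.

```python
"""Enumerate the outside identities that can become root on this host.
Added example, not code from the original post or from BeyondTrust. It reads root's
~/.ssh/authorized_keys, /root/.shosts (OpenSSH ignores /etc/hosts.equiv for root) and
the sshd_config keywords that enable each path. Inputs are strings so it runs on the
constructed samples below; on a real host, read the files. Any PermitRootLogin value
other than "no" is treated as allowing key-based root login (a simplification)."""
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")

def _split_unquoted(text, sep):
    """Split on sep, but not inside double quotes (so from="a,b" stays whole)."""
    out, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return out

def parse_authorized_keys(text):
    """Return [{lineno, type, comment, options}] per key; options maps name -> value."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().replace("\t", " ")
        if not line or line.startswith("#"):
            continue
        fields = [f for f in _split_unquoted(line, " ") if f]
        options = {}
        if not fields[0].startswith(KEY_TYPES):      # a leading options field is present
            for opt in _split_unquoted(fields.pop(0), ","):
                name, _, value = opt.partition("=")
                options[name.lower()] = value.strip('"')
        if len(fields) >= 2:                          # keytype, base64 blob, optional comment
            entries.append({"lineno": lineno, "type": fields[0],
                            "comment": " ".join(fields[2:]), "options": options})
    return entries

def parse_shosts(text):
    """Entries from .shosts/.rhosts: 'host [user]'; a bare '+' is the classic any-host wildcard."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if parts:
            entries.append({"lineno": lineno, "host": parts[0],
                            "user": parts[1] if len(parts) > 1 else None})
    return entries

def parse_sshd_config(text):
    """Keyword -> value (lowercase keywords); the first occurrence wins, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_root_trust(authorized_keys, root_shosts, sshd_config):
    """Findings for every path by which another system can act as root here."""
    conf = parse_sshd_config(sshd_config)
    findings = []
    # OpenSSH >= 7.0 defaults to prohibit-password: keys still work, passwords do not.
    permit_root = conf.get("permitrootlogin", "prohibit-password").lower()
    if permit_root == "yes":
        findings.append("sshd_config: PermitRootLogin yes also allows password login as root")
    if permit_root != "no":
        for e in parse_authorized_keys(authorized_keys):
            where = f"authorized_keys line {e['lineno']} ({e['comment'] or e['type']})"
            if "from" not in e["options"]:
                findings.append(f"{where}: usable from any source address; add from=\"...\"")
            if "command" not in e["options"]:
                findings.append(f"{where}: grants an interactive root shell, not a forced command")
    # .shosts/.rhosts only matter when host-based auth is on and IgnoreRhosts is relaxed.
    if conf.get("hostbasedauthentication", "no").lower() == "yes":
        findings.append("sshd_config: HostbasedAuthentication yes lets trusted hosts vouch for users")
        if conf.get("ignorerhosts", "yes").lower() in ("no", "shosts-only"):
            for e in parse_shosts(root_shosts):
                host = "any host" if e["host"] == "+" else e["host"]
                who = e["user"] or "root"           # no user field means the same account name
                findings.append(f".shosts line {e['lineno']}: {who} on {host} can become root here")
    return findings

# Constructed samples; the key blobs are placeholders, not real public keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA backup@bastion
from="10.0.0.5",command="/usr/local/bin/rsync-only",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBB rsync@backup01
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC ops@laptop
"""
SAMPLE_ROOT_SHOSTS = "+\nweb01.example.internal root\n"
SAMPLE_SSHD_CONFIG = "PermitRootLogin yes\nHostbasedAuthentication yes\nIgnoreRhosts no\n"

if __name__ == "__main__":
    for f in audit_root_trust(SAMPLE_AUTHORIZED_KEYS, SAMPLE_ROOT_SHOSTS, SAMPLE_SSHD_CONFIG):
        print(f)
```

On the sample, the backup and laptop keys each draw two findings because they are unrestricted, while the rsync key, pinned to one source address and a forced command, draws none; the .shosts wildcard and the web01 entry are reported only because the sample sshd_config turns host-based authentication on. Setting PermitRootLogin no empties the key findings entirely, which is the configuration you want before layering a PAM broker in front of root.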
You will only gain the granular control you need to truly secure your privileged accounts through a privileged access management (PAM) solution that controls, monitors, logs, and alerts on the use of your organization's Unix/Linux privileged accounts. Implementing a PAM solution adds an essential layer of security between your users and your critical accounts.
BeyondTrust’s Privilege Management for Unix & Linux is the industry’s gold-standard solution for securing Unix/Linux privileged access. With BeyondTrust’s solution you can:
- Analyze user behavior by collecting, securely storing, and indexing keystroke logs, session recordings, and other privileged events
- Elevate privileges for standard users on Unix and Linux through fine-grained, policy-based controls
- Utilize factors such as time, day, location, and application/asset vulnerability status to make privilege elevation decisions
- Enable users to run specific commands and conduct sessions remotely based on rules—without logging on as admin or root
- Audit and report on changes to critical policy, system, application, and data files
- Correlate user behavior against asset vulnerability data and security intelligence from best-of-breed security solutions
Privilege Management for Unix & Linux and Active Directory Bridge (AD Bridge) are part of BeyondTrust’s Privileged Access Management Platform, the most integrated solution for providing control and visibility over all privileged accounts and users, and their credentials.
Don't forget to download and read the 'Simplifying The Unix/Linux Security Puzzle' white paper for much more depth on this subject. And for a quick overview of how BeyondTrust meets these challenges, see their Privilege Management for Unix/Linux overview page.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.