That Time You Couldn’t Replace Sudo No Matter How Hard You Tried

I think we are all well aware that sudo is not secure or compliant enough to help you prevent a cyber attack against your Unix/Linux servers or to meet stringent auditor demands to prove log integrity for compliance. But I get it. Sometimes you just can’t replace sudo fully. For even the most mature users of an enterprise least privilege solution, there will almost always be some machines that still have access to sudo. So, you have to make the best of it, right? In this blog I will give you two use cases where a third-party tool can help you better manage sudo to improve your odds against a data breach or the auditors.

Centrally managing sudo policy controls – save yourself the hassle

With so many different iterations of the sudoers policy file used by various groups inside an organization, the need to control and track changes made to each sudoers file quickly becomes an unmanageable task. Almost every user of sudo quickly runs into the issue of appropriately managing the individual sudoers policy files that get created on each Unix or Linux host.

Manual synchronization tools and home grown LDAP/database solutions may at first appear appealing, but reliability, complexity and security controls end up dramatically reducing the effectiveness of such configurations, often causing more problems than they solve. There is no effective way to undo changes to one or more sudoers files, or jump back to a certain point of time/version of a sudoers policy file.

PowerBroker for Sudo provides a way to quickly and simply centralize one or more sudoers files, enabling change management and version control. With PowerBroker for Sudo:

• Policy changes can be validated before making changes to the policy file live, or quickly compared with highlighted differences between any two versions of a sudoers file.
• The roll-back/roll-forward functionality allows for fast switching between any two saved versions of the sudoers file that are being managed by PowerBroker for Sudo.
• Connecting hosts can be optionally grouped or run in a hybrid of one-to-one plus grouped hosts, allowing simple and controlled access to specific sudoers files located on one or more centralized servers based on the requesting hosts group membership.

If you *have* to use sudo, at least centralize the policy control to save yourself the hassle.

Centrally storing sudo audit data – improve log security

Using sudo means placing log data in different locations on different systems. Depending on the version of Unix or Linux you’re using, the event data ends up in different syslog files and is also mixed in with other system event data. A better way is needed to securely move and store the sudo log data, and sudo session log data to a central location is required, providing one common place to search when performing log reviews or forensic actions.

PowerBroker for Sudo provides a secure network connection to a centralized server that stores event and session data (encrypted if desired) to a centralized and secure location as the log data is written, removing the ability of submitting users to tamper with the logs and allowing for much faster log review and forensics when required.

While it can’t replace a full-featured commercial Unix/Linux least privilege solution, at least take the iterative step toward making your log files more secure.

One of the biggest hang-ups with sudo is that it’s distributed; there’s no centralization. Using these two use cases as best practices can help you along the way to simplifying your life and securing your logs. For more on how PowerBroker for Sudo can help you, check out the white paper, or contact us for a demo.