Centrally managing sudo policy controls – save yourself the hassleWith so many different iterations of the sudoers policy file used by various groups inside an organization, the need to control and track changes made to each sudoers file quickly becomes an unmanageable task. Almost every user of sudo quickly runs into the issue of appropriately managing the individual sudoers policy files that get created on each Unix or Linux host. Manual synchronization tools and home grown LDAP/database solutions may at first appear appealing, but reliability, complexity and security controls end up dramatically reducing the effectiveness of such configurations, often causing more problems than they solve. There is no effective way to undo changes to one or more sudoers files, or jump back to a certain point of time/version of a sudoers policy file. PowerBroker for Sudo provides a way to quickly and simply centralize one or more sudoers files, enabling change management and version control. With PowerBroker for Sudo:
- Policy changes can be validated before making changes to the policy file live, or quickly compared with highlighted differences between any two versions of a sudoers file.
- The roll-back/roll-forward functionality allows for fast switching between any two saved versions of the sudoers file that are being managed by PowerBroker for Sudo.
- Connecting hosts can be optionally grouped or run in a hybrid of one-to-one plus grouped hosts, allowing simple and controlled access to specific sudoers files located on one or more centralized servers based on the requesting hosts group membership.
Centrally storing sudo audit data – improve log securityUsing sudo means placing log data in different locations on different systems. Depending on the version of Unix or Linux you’re using, the event data ends up in different syslog files and is also mixed in with other system event data. A better way is needed to securely move and store the sudo log data, and sudo session log data to a central location is required, providing one common place to search when performing log reviews or forensic actions. PowerBroker for Sudo provides a secure network connection to a centralized server that stores event and session data (encrypted if desired) to a centralized and secure location as the log data is written, removing the ability of submitting users to tamper with the logs and allowing for much faster log review and forensics when required. While it can’t replace a full-featured commercial Unix/Linux least privilege solution, at least take the iterative step toward making your log files more secure. One of the biggest hang-ups with sudo is that it’s distributed; there’s no centralization. Using these two use cases as best practices can help you along the way to simplifying your life and securing your logs. For more on how PowerBroker for Sudo can help you, check out the white paper, or contact us for a demo.
Paul Harper, Product Manager, BeyondTrust
Paul Harper is product manager for Unix and Linux solutions at BeyondTrust, guiding the product strategy, go-to-market and development for PowerBroker for Unix & Linux, PowerBroker for Sudo and PowerBroker Identity Services. Prior to joining BeyondTrust, Paul was a senior architect at Quest Software/Dell. Paul has more than 20 years of experience in Unix/Linux operations and deployments.