
Weighing True Unix/Linux Least Privilege and Not-Quite-Least-Privilege Alternatives

April 13, 2017


Unix/Linux Least Privilege

The goal of any privileged access management (PAM) project is to give end users and business processes only the access they need to perform their functions, and to restrict everything else to the minimum necessary to protect the systems. On Unix and Linux in particular there is always a fine balance to strike between enabling and restricting users, and producing an audit trail that cannot be repudiated is often the hardest part of demonstrating compliance. In this blog, I will review a framework for proving compliance on Unix/Linux and give you a checklist of features to weigh against what some alternatives offer.

Using the NIST Framework to Show Compliance

When customers need to show audit teams evidence of true ‘least privilege’, I recommend that they frame and deliver a solution against the NIST Cybersecurity Framework. The four phases used below (Predict, Prevent, Detect and Respond) are a simplification of the framework’s core functions (Identify, Protect, Detect, Respond and Recover). Why NIST? It provides a common, widely recognised vocabulary for describing the steps involved in securing critical infrastructure, such as a Unix or Linux asset.

What you will find when you frame your Unix/Linux server privilege requirements in this way is that it will quickly separate ‘the wheat from the chaff.’ Let’s look at our Unix/Linux least privilege solution, PowerBroker for Unix & Linux (PBUL), and how it maps into this NIST framework. As you review this framework, consider how your existing Unix/Linux least privilege solution addresses these areas.

  • Predict – In a recommended installation of PBUL, the default behavior is to ‘reject’ anything that is not explicitly authorized. This removes the need to ‘predict’ behavior, since any activity that is not specifically permitted is rejected by definition. In practice this means every legitimate task has to be enumerated in policy before rollout, which is where most of the implementation effort goes.
  • Prevent – As with Predict, anything that is not explicitly authorized is rejected. In addition, PBUL provides Advanced Control and Audit (ACA) functions that can block read, write or execute access to any file, binary or file system on client systems. This can be configured within a policy procedure, making it easy to define, and centrally control, the activities that may not be performed.
  • Detect – PBUL has built-in File Integrity Monitoring (FIM) that can identify changes to any file or file system on clients. In addition, built-in checksum features can be configured within policy to block the execution of any script or binary whose checksum does not match a known value. This helps identify malware or malicious code that has been introduced on a server; note that the known-good values must be refreshed whenever the binaries they pin are patched, or legitimate commands will start being rejected.
  • Respond – PBUL policy can be configured to notify a Security Operations Center (SOC) via syslog or email as soon as a modified or tampered file is detected, which shortens the path to response. In advanced deployments, policy may also be configured to automatically restore tampered files on client systems to a known-good state.

Comparing PowerBroker for Unix & Linux vs. Alternative Solutions

Here are a few use cases you can use to compare whether the ‘least privilege’ solution you are evaluating is truly providing least privilege.

Does it provide tamper-proof logging?

PowerBroker for Unix & Linux performs all authorization and logging from a centralized, high-availability infrastructure with no local cache of policy on the client, so a privileged user on a managed host cannot alter the policy that governs them. The same applies to the audit trail: authorized activity and session logs are streamed live to log servers that sit beyond the reach of the privileged users being recorded. Competitive products, however, cache policy information and session logs on the managed hosts themselves and move them to remote storage only when the session completes; in that window a privileged user on the host can remove or tamper with the logs. Whatever product you choose, this property only holds if the log servers are administered separately from the hosts they record.

How flexible is the policy language?

When choosing a PAM product, it is important to choose a solution with as much flexibility as possible to support your evolving PAM program. The PowerBroker for Unix & Linux policy language is both flexible and powerful, and supports functions and procedures that make exception handling and broad restrictions easy to manage. Building a single function that restricts access to a set of files and reusing it across many policies reduces the overhead of managing PAM in an enterprise. Both regular-expression matching and explicitly listed commands are supported, and because policy runs with full access to the operating system, a command can be validated (for example, by checking its checksum or inspecting its arguments) before it is allowed to execute.
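The four phases listed above (default-deny authorization, a checksum gate before execution, file integrity monitoring, and a syslog-style alert with optional restore) and the policy-language points just made (explicitly listed commands alongside anchored regular expressions), as one added Python example. This is illustrative code written for this page, not PBUL’s policy language or any BeyondTrust component; the two rules, the users `webops` and `audit`, the in-memory file map standing in for the managed host, and the alert line format are all assumptions made for the example.

```python
import copy
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed in-memory stand-in for the managed host's filesystem
# (path -> contents), so the example runs offline. Contents are sample bytes.
FILES: Dict[str, bytes] = {
    "/usr/sbin/service": b"#!/bin/sh\nexec /bin/systemctl \"$@\"\n",
    "/usr/bin/cat": b"\x7fELF sample-cat",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Rule:
    """One explicit allow rule (hypothetical). Anything no rule matches is rejected."""
    user: str                     # requesting user
    command: str                  # absolute path, compared exactly
    args: Optional[str] = None    # regex the whole argument string must match; None = no args allowed
    sha256: Optional[str] = None  # expected digest of the binary; None = not checked


# Hypothetical policy: web operators may only start/stop/restart two services,
# auditors may only read one file. Digests are pinned to the known-good binaries.
POLICY: List[Rule] = [
    Rule("webops", "/usr/sbin/service", r"(httpd|nginx) (start|stop|restart)",
         sha256=sha256_of(FILES["/usr/sbin/service"])),
    Rule("audit", "/usr/bin/cat", r"/etc/sudoers",
         sha256=sha256_of(FILES["/usr/bin/cat"])),
]


def authorize(policy: Sequence[Rule], files: Dict[str, bytes],
              user: str, argv: Sequence[str]) -> Tuple[str, str]:
    """Predict/Prevent: return ("accept"|"reject", reason).

    Default is reject; an explicit rule must match user, command and the full
    argument string, and the binary must still carry the pinned digest.
    """
    command, args = argv[0], " ".join(argv[1:])
    for rule in policy:
        if rule.user != user or rule.command != command:
            continue
        if rule.args is None:
            if args:
                continue
        # re.fullmatch anchors the pattern: "nginx restart; rm -rf /" does not match.
        elif re.fullmatch(rule.args, args) is None:
            continue
        if rule.sha256 is not None and sha256_of(files.get(command, b"")) != rule.sha256:
            return "reject", f"checksum mismatch for {command}"
        return "accept", f"rule for {user}: {command} {rule.args!r}"
    return "reject", "no matching rule (default deny)"


def fim_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Detect: record the known-good digest of every monitored file."""
    return {path: sha256_of(data) for path, data in files.items()}


def fim_check(baseline: Dict[str, str], files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Detect: report (path, change) for files modified, deleted or added since the baseline."""
    findings = []
    for path, digest in baseline.items():
        if path not in files:
            findings.append((path, "deleted"))
        elif sha256_of(files[path]) != digest:
            findings.append((path, "modified"))
    findings.extend((path, "added") for path in files if path not in baseline)
    return sorted(findings)


def alert_line(host: str, finding: Tuple[str, str]) -> str:
    """Respond: one syslog-style line for the SOC (field layout is an assumption)."""
    path, change = finding
    return f"{host} fim: change={change} path={path} severity=high"


def restore(known_good: Dict[str, bytes], files: Dict[str, bytes], path: str) -> bool:
    """Respond (optional): put a tampered file back to its known-good contents."""
    if path not in known_good:
        return False
    files[path] = known_good[path]
    return True


if __name__ == "__main__":
    known_good = copy.deepcopy(FILES)
    baseline = fim_baseline(FILES)
    host = dict(FILES)  # live copy that gets tampered with below
    for user, argv in [("webops", ["/usr/sbin/service", "nginx", "restart"]),
                       ("webops", ["/usr/sbin/service", "nginx", "restart;", "rm", "-rf", "/"]),
                       ("webops", ["/usr/bin/cat", "/etc/sudoers"])]:
        print(user, " ".join(argv), "->", authorize(POLICY, host, user, argv))
    host["/usr/sbin/service"] = b"#!/bin/sh\n/bin/sh -i\n"  # trojaned wrapper
    print("tampered ->", authorize(POLICY, host, "webops", ["/usr/sbin/service", "nginx", "restart"]))
    for finding in fim_check(baseline, host):
        print(alert_line("web01", finding))
        restore(known_good, host, finding[0])
    print("restored ->", authorize(POLICY, host, "webops", ["/usr/sbin/service", "nginx", "restart"]))
```

Two details carry the security weight here. `re.fullmatch` anchors the argument pattern, so a rule that allows `nginx restart` does not also allow `nginx restart; rm -rf /`; a `re.search` would. And the checksum gate sits after the rule match but before the accept, so a replaced binary is refused even by a user who is otherwise entitled to run it, which is also why the pinned digests have to be refreshed as part of patching.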

PowerBroker for Unix & Linux:

  • Complete flexibility in policy management and development:
    • Script-based policies
    • Role-based policies
    • Hybrid policies (script + role based)
  • Unix-based solution, built in Unix, for Unix, with full access to native commands and complete operating system control
  • Built-in Advanced Control and Audit (ACA)
  • Built-in File Integrity Monitoring (FIM)
  • Tamper-proof session and event logging to remote servers beyond the reach of users
  • Included REST API, and flexible configuration to access other data sources within the IAM space to make rational policy determinations
  • Independent and flexible: a specialist solution for Unix/Linux least privilege

Not-quite-least-privilege tools:

  • Inflexible dependence on a web GUI to manage policies:
    • One-by-one command configuration
    • Lack of flexibility for policy development
  • A Windows-based solution to manage a Unix environment
  • Products that are detective only, with little or no prevention capability
  • Products that cannot monitor file integrity on Unix systems
  • Any product that caches policy or logs on the managed hosts, leaving the door open to tampering with or nullifying audit integrity
  • Products that cannot access multiple data sources, or require the additional purchase of REST API capability
  • Products that require you to go through a vault to retrieve a credential

Don’t trust the security of your most critical Unix/Linux servers to a check-box provider. Find out what makes PowerBroker for Unix & Linux the de facto standard for Unix/Linux least privilege.

Some competitive products cover elements of the NIST requirements, but implementation can be unwieldy and difficult, and often requires additional headcount to manage privileged access. PowerBroker for Unix & Linux, however, provides a tamper-proof framework for Unix/Linux privileged access management that, when configured properly, will satisfy even the strictest auditors in any regulated environment.

Take the Unix/Linux challenge: If you are currently evaluating an alternate solution, grant us the opportunity to help you achieve your true least privilege objectives more completely, more efficiently, and faster. Contact us today.


Paul Harper, Product Manager, BeyondTrust

Paul Harper is product manager for Unix and Linux solutions at BeyondTrust, guiding the product strategy, go-to-market and development for PowerBroker for Unix & Linux, PowerBroker for Sudo and PowerBroker Identity Services. Prior to joining BeyondTrust, Paul was a senior architect at Quest Software/Dell. Paul has more than 20 years of experience in Unix/Linux operations and deployments.
