The importance of security, and in particular of the concept of least privilege, cannot be overstated on Unix and Linux platforms. After all, many organizations run their most critical applications and store their most sensitive data in databases that run on *nix systems. To enforce least privilege, many in the Unix and Linux community use sudo, hands-down the most widely used security tool in the non-Windows world.
But sometimes, sudo just isn’t enough
For two decades, BeyondTrust has led the way in helping organizations around the world replace sudo with a true enterprise-class least privilege solution coupled with indelible auditing capabilities. PowerBroker for Unix & Linux has become a critical part of our customers’ infrastructures, vastly improving on the capabilities and functions offered by the sudo freeware baked into most *nix operating systems.
There are many benefits that the PowerBroker solution brings to the table, but by far the most common requests are for centralized management and centralized logging. Only when customers start to peel back the covers do they discover a whole world of possibilities in control and audit functions that many Unix admins didn’t know were possible.
Transitioning to a full least privilege solution can be tricky
Adopting a complete least privilege solution for *nix can be a huge shift. Policy files (sudoers files) must be converted. Certain end-user practices may need to be altered or invoked in different ways. Audit data will be stored, managed and reviewed in different ways. Yes, the benefits and end results are great, but there is work and change required to get there.
So let’s get back to those core requests: centralized management and centralized logging. Sounds easy enough, right? There are websites, forums and even the sudo documentation that detail how to leverage LDAP for policy and how to use sync tools (think rsync and scp) to move data around.
But what BeyondTrust has found time and time again is that these homebrew approaches often lead to over-complicated and semi-functional solutions, maintained primarily through tribal knowledge. When a key person leaves the company, the organization finds itself forced back to using and sharing the root account.
What if there was a better way? Now there is.
We’re pleased to introduce PowerBroker for Sudo, which combines the core features of a full least privilege solution with quick implementation and continued use of all of your existing sudoers files. PowerBroker for Sudo enables companies to centralize one or many sudoers files, then share those policy files out to single hosts, groups of hosts or both. In short, the policy files stay the same and the end-user experience stays the same; only the management of the policies becomes centralized, with transparent and secure distribution to each sudo client.
In addition, rather than storing audit and log data on each sudo client and synchronizing it afterwards, audit records, both event-level entries and session recordings, are written directly to a dedicated log server or servers.
This approach ensures the integrity of the log files and makes them impossible to tamper with. Using the same standards supplied by the rest of the PowerBroker product line, data in transit and data at rest are fully encrypted, and configuration information is standard across all supported platforms. Coupled with the included indexing service and graphical reporting system, canned reports, custom reports and forensics become a snap for all of your sudo activities.
Need help making sense of sudo? Check out our newest white paper, How Secure is Your Sudo? Or, contact us today to learn more about PowerBroker for Sudo.

Paul Harper, Product Manager, BeyondTrust
Paul Harper is product manager for Unix and Linux solutions at BeyondTrust, guiding the product strategy, go-to-market and development for PowerBroker for Unix & Linux, PowerBroker for Sudo and PowerBroker Identity Services. Prior to joining BeyondTrust, Paul was a senior architect at Quest Software/Dell. Paul has more than 20 years of experience in Unix/Linux operations and deployments.