Weighing True Unix/Linux Least Privilege and Not-Quite-Least-Privilege Alternatives
April 13th, 2017
The goal of any privileged access management (PAM) project is to give end users and business processes only the access required to perform their functions, and to restrict that access to the minimum necessary in order to protect systems. On Unix and Linux systems in particular there is always a fine balance to strike between enabling and restricting users, and producing an irrefutable audit trail is often a challenge when dealing with compliance. In this blog, I will review a framework for proving compliance on Unix/Linux and give you a checklist of features vs. what some alternatives might offer.
Using the NIST Framework to Show Compliance
I recommend to customers who are trying to provide evidence of true ‘least privilege’ to audit teams that they frame and deliver a solution that can meet all NIST Cybersecurity requirements (Predict, Prevent, Detect, and Respond). Why NIST? It provides a common, universal framework for describing the steps involved in securing critical infrastructure, such as a Unix or Linux asset.
What you will find when you frame your Unix/Linux server privilege requirements in this way is that it will quickly separate ‘the wheat from the chaff.’ Let’s look at our Unix/Linux least privilege solution, PowerBroker for Unix & Linux (PBUL), and how it maps into this NIST framework. As you review this framework, consider how your existing Unix/Linux least privilege solution addresses these areas.
- Predict – In a recommended installation of PBUL, the default behavior is to ‘reject’ anything that is not explicitly authorized. This removes the necessity to ‘predict’ behavior since any activity that is not specifically permitted is considered unacceptable.
- Prevent – Like the Predict behavior, anything that is not explicitly authorized is rejected. In addition, PBUL provides Advanced Control and Audit (ACA) functions that can prevent read, write or execute on any file, binary or file system on client systems. This can be configured within a procedure, making it easy to define activities that cannot be performed, and controlled by policy.
- Detect – PBUL has built-in File Integrity Monitoring (FIM) that can identify changes to any file or file system on clients. In addition, built-in checksum features can be configured within policy to prevent the execution of any script or binary that does not match known values. This feature can help to identify potential malware or malicious code that may have been introduced on a server.
- Respond – PBUL policy can be configured to notify a Security Operations Center (SOC) of modifications or tampered files via syslog or email as soon as they are detected. This provides a fast-track to response. In advanced deployments, policy may also be configured to automatically restore tampered files on client systems to known good conditions if desired.
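The Detect and Respond items above describe a default-deny check that refuses to run a script or binary whose checksum no longer matches a known-good value and raises a syslog-style alert. The following is an added illustration of that idea, not PowerBroker code: the allowlist format, the `pam-gate` log prefix, the `appadmin` user name and the sample script are all constructed for this example.

```python
"""Added illustration: default-deny, checksum-gated execution check.
Not PowerBroker code; the allowlist format, log prefix, user name and
sample script are constructed for this example."""
import hashlib
import os
import tempfile

def sha256_of(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def authorize(path, allowlist):
    """Return (decision, reason). Anything not explicitly listed is rejected,
    and a listed command is accepted only if its current hash matches policy."""
    if path not in allowlist:
        return "REJECT", "command not in policy"
    try:
        actual = sha256_of(path)
    except OSError as exc:
        return "REJECT", f"unreadable: {exc.strerror}"
    if actual != allowlist[path]:
        return "REJECT", "checksum mismatch (modified or replaced)"
    return "ACCEPT", "checksum verified"

def alert_line(decision, path, reason, user="appadmin"):
    """Syslog-style record a SOC can key on. In a real deployment this goes
    to a remote log server the privileged user cannot reach, not to stdout."""
    return f"pam-gate: user={user} decision={decision} cmd={path} reason={reason}"

def demo():
    """Check a constructed script before and after it is modified."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "rotate_logs.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho rotating\n")
        policy = {script: sha256_of(script)}  # baseline taken when approved
        before = authorize(script, policy)
        with open(script, "a") as f:
            f.write("echo unexpected change\n")  # constructed modification
        after = authorize(script, policy)
        unknown = authorize(os.path.join(d, "unlisted.sh"), policy)
        for decision, reason in (before, after, unknown):
            print(alert_line(decision, script, reason))
        return before[0], after[0], unknown[0]

if __name__ == "__main__":
    demo()
```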
Comparing PowerBroker for Unix & Linux vs. Alternative Solutions
Here are a few use cases you can use to check whether the ‘least privilege’ solution you are evaluating is truly providing least privilege.
Does it provide tamper-proof logging?
PowerBroker for Unix & Linux provides all authorization and logging functions from a centralized, high-availability infrastructure with no local caching of policy information, preventing tampering by savvy administrators. This applies to authorized activities as well as to session logs, which are streamed live to log servers beyond the reach of privileged users. Competitive products, however, cache policy information and session logs on the managed servers and move them to a remote storage location when sessions complete; this makes it possible for privileged users to remove or tamper with these logs.
How flexible is the policy language?
When choosing a PAM product, it is important to choose a solution with as much flexibility as possible to support your evolving PAM program. The PowerBroker for Unix & Linux policy language is both flexible and powerful, and can be configured with functions and procedures to make exception handling or broad restrictions easy to manage. Building a single function to restrict access to files and applying it to many policies reduces the overhead required to manage PAM functions in an enterprise. Both regular expression handling and explicitly defined commands are supported, and with full access to the operating system, commands can be validated prior to execution.
[Comparison table: PowerBroker for Unix & Linux vs. not-quite-least-privilege tools]
Don’t trust the security of your most critical Unix/Linux servers to a check box provider. Find out what makes PowerBroker for Unix & Linux the de facto standard for Unix/Linux least privilege.
Some competitive products have elements of the NIST requirements, but implementation can be unwieldy and difficult, and often requires increased headcount to manage privileged access. PowerBroker for Unix & Linux, however, provides a tamper-proof framework for Unix/Linux privileged access management that, when configured properly, will satisfy even the strictest auditors in any regulated environment.
Take the Unix/Linux challenge: If you are currently evaluating an alternate solution, grant us the opportunity to help you achieve your true least privilege objectives more completely, more efficiently, and faster. Contact us today.