Weighing True Unix/Linux Least Privilege and Not-Quite-Least-Privilege Alternatives

Paul Harper, April 13th, 2017

Unix/Linux Least Privilege

The goal of any privileged access management (PAM) project is to give end users and business processes only the access they need to perform their functions, and to restrict everything else, in order to protect systems. On Unix and Linux in particular there is a fine balance to strike between enabling and restricting users, and producing an audit trail that auditors will accept as irrefutable is often the hardest part of demonstrating compliance. In this post I review a framework for proving compliance on Unix/Linux and give you a checklist of features to weigh against what some alternatives offer.

Using the NIST Framework to Show Compliance

I recommend that customers who need to give audit teams evidence of true ‘least privilege’ frame and deliver their solution against the NIST Cybersecurity Framework. The Framework's core functions are Identify, Protect, Detect, Respond and Recover; the four headings used below (Predict, Prevent, Detect and Respond) are a simplified mapping of those functions onto what a privilege management tool actually does on a host. Why NIST? It provides a common, widely recognized vocabulary for describing the steps involved in securing critical infrastructure, such as a Unix or Linux asset.

What you will find when you frame your Unix/Linux server privilege requirements in this way is that it will quickly separate ‘the wheat from the chaff.’ Let’s look at our Unix/Linux least privilege solution, PowerBroker for Unix & Linux (PBUL), and how it maps into this NIST framework. As you review this framework, consider how your existing Unix/Linux least privilege solution addresses these areas.

  • Predict – In a recommended installation of PBUL, the default behavior is to ‘reject’ anything that is not explicitly authorized. This removes the necessity to ‘predict’ behavior since any activity that is not specifically permitted is considered unacceptable.
  • Prevent – Like the Predict behavior, anything that is not explicitly authorized is rejected. In addition, PBUL provides Advanced Control and Audit (ACA) functions that can prevent read, write or execute on any file, binary or file system on client systems. This can be configured within a procedure, making it easy to define activities that cannot be performed, and controlled by policy.
  • Detect – PBUL has built-in File Integrity Monitoring (FIM) that can identify changes to any file or file system on clients. In addition, built-in checksum features can be configured within policy to prevent the execution of any script or binary that does not match known values. This feature can help to identify potential malware or malicious code that may have been introduced on a server.
  • Respond – PBUL policy can be configured to notify a Security Operations Center (SOC) of modifications or tampered files via syslog or email as soon as they are detected. This provides a fast-track to response. In advanced deployments, policy may also be configured to automatically restore tampered files on client systems to known good conditions if desired.

Comparing PowerBroker for Unix & Linux vs. Alternative Solutions

Here are a few use cases you can use to compare whether the ‘least privilege’ solution you are evaluating is truly providing least privilege.

Does it provide tamper-proof logging?

PowerBroker for Unix & Linux performs all authorization and logging from a centralized, high-availability infrastructure, with no local caching of policy on the managed host, so a savvy administrator with root on that host has nothing local to tamper with. This applies to authorized activities as well as to session logs, which are streamed live to log servers beyond the reach of privileged users. The trade-off is that the policy and log servers must be genuinely highly available, since a client that cannot reach them has no cached policy to fall back on. Competitive products, by contrast, cache policy and session logs locally on the managed host and ship them to central storage only when the session ends; during that window a privileged user on the host can delete or alter them.

How flexible is the policy language?

When choosing a PAM product, pick a solution with as much policy flexibility as possible so it can keep up with an evolving PAM program. The PowerBroker for Unix & Linux policy language is both flexible and powerful: it supports functions and procedures, so exception handling and broad restrictions are easy to manage. Writing a single function that restricts access to sensitive files and applying it across many policies reduces the overhead of managing PAM in an enterprise. Both regular-expression matching and explicitly defined commands are supported, and because the policy engine has full access to the operating system, commands can be validated before they are executed.
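To make the decision order concrete, the following Python is an added illustration, not PowerBroker policy code and not its policy syntax. It models what the four NIST-mapped bullets above and this paragraph describe: reject by default, accept only on an explicit rule, apply one shared restriction function across all rules, verify the target binary's checksum against a known-good value before accepting, and emit a syslog-style audit event for every decision. The group names, paths, rule set, binary contents and checksums are all constructed for the example; a real broker would fetch policy and known-good checksums from the central server, never from the client.

```python
"""Model of a default-deny Unix privilege policy: explicit allow rules,
a reusable restriction function, checksum enforcement, and audit events.
Added illustration only; not PowerBroker policy code or syntax."""
import hashlib
import posixpath
import re
from dataclasses import dataclass

# Constructed group membership and known-good binary checksums. In a real
# deployment both come from the central policy server, never from the host.
GROUPS = {"ops": {"alice"}, "dev": {"bob"}}
KNOWN_GOOD_SHA256 = {
    "/usr/sbin/service": hashlib.sha256(b"service-binary-v1").hexdigest(),
    "/usr/bin/tail": hashlib.sha256(b"tail-binary-v1").hexdigest(),
}

# Allow rules (constructed): who may run which binary with which arguments.
# argv_pattern is matched against the arguments after the binary, joined by
# spaces, so a rule is both an explicit command and a regex over its args.
ALLOW_RULES = [
    {"group": "ops", "command": "/usr/sbin/service",
     "argv_pattern": re.compile(r"^(restart|status) [a-z][a-z0-9-]*$")},
    {"group": "ops", "command": "/usr/bin/tail",
     "argv_pattern": re.compile(r"^(-n [0-9]+ )?/[A-Za-z0-9_./-]+$")},
]

# One restriction written once and applied to every rule: no delegated
# command may name these files, even indirectly via "tail -n 20 <path>".
SENSITIVE_PATH = re.compile(r"^/etc/(shadow|gshadow|sudoers)$|^/root(/|$)")


def touches_sensitive_path(argv):
    """Normalise each argument first so /var/log/../../etc/shadow is caught."""
    return any(SENSITIVE_PATH.match(posixpath.normpath(arg)) for arg in argv)


@dataclass
class Decision:
    accept: bool
    reason: str
    audit: str  # syslog-style event the broker would forward to the SOC


def authorize(user, command, argv, binary_bytes):
    """Decide a privileged request. Every path that is not an explicit
    accept is a reject, and every decision produces an audit event."""
    def decide(accept, reason):
        verdict = "ACCEPT" if accept else "REJECT"
        audit = (f"pbmodel user={user} command={command} "
                 f"argv={' '.join(argv)!r} result={verdict} reason={reason}")
        return Decision(accept, reason, audit)

    rule = next((r for r in ALLOW_RULES
                 if user in GROUPS.get(r["group"], set())
                 and r["command"] == command
                 and r["argv_pattern"].match(" ".join(argv))), None)
    if rule is None:
        return decide(False, "no-explicit-rule")   # default deny
    if touches_sensitive_path(argv):
        return decide(False, "sensitive-path")     # shared broad restriction
    expected = KNOWN_GOOD_SHA256.get(command)
    actual = hashlib.sha256(binary_bytes).hexdigest()
    if expected is None or actual != expected:
        return decide(False, "checksum-mismatch")  # tampered or unknown binary
    return decide(True, f"rule:{rule['group']}")


if __name__ == "__main__":
    # Constructed requests; binary_bytes stands in for the file on the host.
    for req in [("alice", "/usr/sbin/service", ["restart", "nginx"], b"service-binary-v1"),
                ("alice", "/usr/bin/tail", ["-n", "20", "/etc/shadow"], b"tail-binary-v1"),
                ("alice", "/usr/sbin/service", ["status", "sshd"], b"service-binary-TROJAN")]:
        print(authorize(*req).audit)
```

The checksum check runs after the rule match on purpose: a rule that permits `/usr/sbin/service` is not a permission to run whatever happens to sit at that path, so a replaced binary is rejected and the audit event says why. The path normalisation in `touches_sensitive_path` is the detail most often missed when a restriction is written as a regex over raw arguments.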

PowerBroker for Unix & Linux

  • Complete flexibility in policy management and development.
    • Script based policies
    • Role based policies
    • Hybrid policies (Script + Role based)
  • Unix based solution, built in Unix, for Unix, with full access to native commands and complete operating system control
  • Built-in Advanced Control and Audit (ACA)
  • Built-in File Integrity Monitoring (FIM)
  • Tamper-proof session and event logging to remote servers beyond the reach of users
  • Included REST API, and flexible configuration to access other data sources within the IAM space to make rational policy determinations
  • Independent and flexible, a specialist solution for Unix/Linux least privilege

Not-quite-least privilege tools

  • Inflexible dependence on a web GUI to manage policies
    • One-by-one command configuration
    • Lack of flexibility for policy development
  • A Windows based solution to manage a Unix environment
  • Products that are detective only, with little or no prevention capability
  • Products that cannot monitor file integrity on Unix systems
  • Any product that caches policy or logs locally on the managed host, leaving the door open to tampering with or nullifying audit integrity
  • Products that cannot access multiple data sources, or that require the additional purchase of REST API capability
  • Products that require you to go through a vault to retrieve a credential

Don’t trust the security of your most critical Unix/Linux servers to a check box provider. Find out what makes PowerBroker for Unix & Linux the de facto standard for Unix/Linux least privilege.

Some competitive products have elements of the NIST functions, but implementation can be unwieldy and difficult, and often requires increased headcount to manage privileged access. PowerBroker for Unix & Linux, however, provides a tamper-proof framework for Unix/Linux privileged access management that, when configured properly, will satisfy even the strictest auditors in any regulated environment.

Take the Unix/Linux challenge: If you are currently evaluating an alternate solution, grant us the opportunity to help you achieve your true least privilege objectives more completely, more efficiently, and faster. Contact us today.