Re: root group in solaris : Tools

by dubaisans dubai

What is the suggestion on using a tool like Powerbroker from Symark.
The tool claims to centralise the "sudo" function and also provide
logging? Does anyone have feedback on this tool or any other third
party tool in the same space?


On 9/19/06, Suzanne Widup <Suzanne.Widup@...> wrote:

> Have you looked at implementing sudo?  It's a root delegation tool and
> would give you some better accountability as to what people are doing.
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...]
> On Behalf Of dubaisans dubai
> Sent: Monday, September 18, 2006 5:50 AM
> To: focus-sun@...
> Subject: root group in solaris
>
> Hi,
>
> I would like to give root user privileges to a set of OS administrators.
> Everyone has individual user-ids on the system.
> Currently they login with their personal ID and then SU to root. I do not
> want to share root password with these many people.
>
> I am thinking of adding all these users to the "root" group [GID 0].
> Will it provide root-equivalent UID 0 access to these users. If not, why?
> Does the "root" group not have root user-id equivalent privileges?
>
> Is it possible manually to make the GID 0 privileges equivalent of UID
> 0?
>
> How else can I give these individual users root privileges - make all of
> them UID 0 or something? Is that a smart idea?
>
> I am looking at something simpler than SUDO or RBAC
>
>
> "MMS <safeway.com>" made the following annotations.
> ------------------------------------------------------------------------------
> Warning:
> All e-mail sent to this address will be received by the Safeway corporate e-mail system, and is subject to archival and review by someone other than the recipient.  This e-mail may contain information proprietary to Safeway and is intended only for the use of the intended recipient(s).  If the reader of this message is not the intended recipient(s), you are notified that you have received this message in error and that any review, dissemination, distribution or copying of this message is strictly prohibited.  If you have received this message in error, please notify the sender immediately.
>
> ==============================================================================
>
>

RE: root group in solaris : Tools

by Shafto, Eric

I use PowerBroker a lot and I'm very fond of it. (I also use
PowerPassword -- another Symark product -- and I don't like it nearly as
much.)

PowerBroker is very capable. I can set it up so that certain users have
access to certain accounts on certain machines, but only on certain days
or only for certain commands. I can make it so that you operate as a
particular user, particular group, with a particular home directory,
certain startup files, etc., etc.

In addition, it does keystroke-by-keystroke logging so I can go back
after the fact and review a session and see what the user typed and what
they saw. Of course, that doesn't help much if all they do is launch a
gui session, but then neither will any of the other solutions.

The logging and management are done on (one or more) central server(s),
so you can make it so that the users can't modify the logs after the
fact to hide their activities.

I rate the product very highly, but I would say that for a small
environment I wouldn't bother with it -- I'd just use sudo -- unless I
required that degree of logging and protection of logs.

Oh, and sudo is free while PowerBroker is not.



-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of dubaisans dubai
Sent: Tuesday, September 19, 2006 2:01 AM
To: focus-sun@...
Subject: Re: root group in solaris : Tools

What is the suggestion on using a tool like Powerbroker from Symark.
The tool claims to centralise the "sudo" function and also provide
logging? Does anyone have feedback on this tool or any other third party
tool in the same space?


On 9/19/06, Suzanne Widup <Suzanne.Widup@...> wrote:
> Have you looked at implementing sudo?  It's a root delegation tool and
> would give you some better accountability as to what people are doing.
>
> -----Original Message-----
> From: listbounce@...
> [mailto:listbounce@...]
> On Behalf Of dubaisans dubai
> Sent: Monday, September 18, 2006 5:50 AM
> To: focus-sun@...
> Subject: root group in solaris
>
> Hi,
>
> I would like to give root user privileges to a set of OS
> administrators.
> Everyone has individual user-ids on the system.
> Currently they login with their personal ID and then SU to root. I
> do not want to share root password with these many people.
>
> I am thinking of adding all these users to the "root" group [GID 0].
> Will it provide root-equivalent UID 0 access to these users. If not,
> why? Does the "root" group not have root user-id equivalent
> privileges?
>
> Is it possible manually to make the GID 0 privileges equivalent of UID
> 0?
>
> How else can I give these individual users root privileges - make all
> of them UID 0 or something? Is that a smart idea?
>
> I am looking at something simpler than SUDO or RBAC
>
>

Re: root group in solaris : Tools

by Mike Kuriger

sudo provides logging, and commands such as /bin/sh etc can be put into
a group in /etc/sudoers and forbidden.  then add users to the wheel
group who need sudo access.   of course there are ways around the
forbidden things.  you can be specific with which commands they can run
so that they don't write shell scripts and run them with sudo to bypass
the forbidden binaries.



Cmnd_Alias      SHELLS =        /sbin/sh,\
                                /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
                                /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh

Cmnd_Alias      FORBIDDEN =     /bin/passwd root,/bin/su,/sbin/su

%wheel          ALL =           (ALL) ALL,!SHELLS,!FORBIDDEN


dubaisans dubai wrote:

> What is the suggestion on using a tool like Powerbroker from Symark.
> The tool claims to centralise the "sudo" function and also provide
> logging? Does anyone have feedback on this tool or any other third
> party tool in the same space?
>
>
> On 9/19/06, Suzanne Widup <Suzanne.Widup@...> wrote:
>
>> Have you looked at implementing sudo?  It's a root delegation tool and
>> would give you some better accountability as to what people are doing.
>>
>> -----Original Message-----
>> From: listbounce@... [mailto:listbounce@...]
>> On Behalf Of dubaisans dubai
>> Sent: Monday, September 18, 2006 5:50 AM
>> To: focus-sun@...
>> Subject: root group in solaris
>>
>> Hi,
>>
>> I would like to give root user privileges to a set of OS administrators.
>> Everyone has individual user-ids on the system.
>> Currently they login with their personal ID and then SU to root. I do not
>> want to share root password with these many people.
>>
>> I am thinking of adding all these users to the "root" group [GID 0].
>> Will it provide root-equivalent UID 0 access to these users. If not, why?
>> Does the "root" group not have root user-id equivalent privileges?
>>
>> Is it possible manually to make the GID 0 privileges equivalent of UID
>> 0?
>>
>> How else can I give these individual users root privileges - make all of
>> them UID 0 or something? Is that a smart idea?
>>
>> I am looking at something simpler than SUDO or RBAC
>>
>>
>
>

--
Mike Kuriger
Sr. Systems Engineer
WarnerBros Online
818-977-8198
m@...
aim - mikekuriger


Re: root group in solaris : Tools

by offset-4

On Tue, Sep 19, 2006 at 11:30:38AM +0530, dubaisans dubai wrote:
> What is the suggestion on using a tool like Powerbroker from Symark.
> The tool claims to centralise the "sudo" function and also provide
> logging? Does anyone have feedback on this tool or any other third
> party tool in the same space?

I've used Powerbroker in an environment with over 200 UNIX systems.   Yes it is an excellent tool.  It is very flexible (C-like programming syntax).  Very good keystroke recording with playback that mimics being there at the console watching the user type in the commands and seeing the output.

-off

--
Got tor?  Support anonymous communication  - http://tor.eff.org/

Re: root group in solaris : Tools

by Ted Rodriguez-Bell-2

On Tue, 2006-09-19 at 11:30 +0530, dubaisans dubai wrote:
> What is the suggestion on using a tool like Powerbroker from Symark.
> The tool claims to centralise the "sudo" function and also provide
> logging? Does anyone have feedback on this tool or any other third
> party tool in the same space?
>

My company uses Powerbroker (http://www.symark.com/) as its primary
means of access control in an environment with several thousand servers
and many different groups with some degree of root access.  It has two
compelling advantages over sudo:
  * Access control is centralized.  You have at least two Powerbroker
master servers (you can use more for load balancing); you can delete or
add someone's access there and it takes effect instantly.  You don't
have to update several thousand local sudoers files, and you have one
place to look to see who has access to what.
  * It does keystroke logging.  You can go onto a master and play back
someone's session line by line or even keystroke by keystroke.  This
helps when something breaks and one needs to find out who broke it.

It also has some disadvantages:
  * Cost.  It's not free, you have to have a support team for it, and
you need master servers to run it on.  And the servers have to have
enough space for the keystroke logs.
  * You need a stable network and stable master servers.  It does have
local failover, which works well but not perfectly.
  * If someone forgets to update the licenses, you can lose all your
access at once.  This isn't the product's fault, but you need to have
the right management processes in place.

We use it with sudo as a fallback mechanism; sudo is used only when
Powerbroker isn't working (which is almost always either during a build
before the machine is registered with a master or when we're upgrading
Powerbroker); the sudo logs are monitored centrally and each use has to
be justified.  Powerbroker is also used for access to application IDs
like DBA accounts, not just root.

In our environment, with many different groups, stringent regulatory
requirements, and the resources to make it work, it's worked well.  If
you don't have all these things sudo might suit your needs better.

Ted Rodriguez-Bell
Wells Fargo Services

This is not an official opinion of Wells Fargo or any part thereof.
--
Company policy requires:  This message may contain confidential and/or
privileged information.  If you are not the addressee or authorized to
receive this for the addressee, you must not use, copy, disclose, or
take any action based on this message or any information herein.  If you
have received this message in error, please advise the sender
immediately by reply e-mail and delete this message.  Thank you for your
cooperation.
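Ted's point that the sudo fallback logs are monitored centrally and that every use has to be justified can be mechanised. The script below is an added example, not code from the thread, from sudo or from any product mentioned here: it parses records in sudo's standard syslog format, tallies records per user and flags every command that is either denied or not on a pre-approved list. The log lines and the approved-program list are constructed for the example; a real deployment would read both from the central log host and a change-ticket system.

```python
"""Review sudo syslog records: per-user tallies and uses needing a justification.

Added example for the thread above; not sudo's own code or any product's.
The log lines and the approved-command list are constructed.
"""
import re
from collections import defaultdict

# Constructed sample records in the format sudo writes to syslog.
SAMPLE_LOG = """\
Sep 19 11:30:38 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/svcadm restart apache2
Sep 19 11:31:02 db01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Sep 19 11:32:15 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Sep 19 11:33:40 db01 sudo:    carol : command not allowed ; TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su
Sep 19 11:34:01 db01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Constructed: programs the central team has pre-approved; anything else needs a ticket.
APPROVED_PROGRAMS = {"/usr/sbin/svcadm", "/usr/bin/svcs"}

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<denied>command not allowed)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)


def parse_sudo_log(text: str) -> list[dict]:
    """Extract sudo records; non-sudo syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        events.append({
            "user": m["user"],
            "runas": m["runas"],
            "denied": m["denied"] is not None,
            "program": m["cmd"].split()[0],
            "command": m["cmd"],
        })
    return events


def review(text: str):
    """Return ({user: count}, [events that need a written justification])."""
    counts = defaultdict(int)
    needs_justification = []
    for ev in parse_sudo_log(text):
        counts[ev["user"]] += 1
        # A denied attempt is always worth a question; an allowed run of a
        # program outside the approved set needs a ticket reference.
        if ev["denied"] or ev["program"] not in APPROVED_PROGRAMS:
            needs_justification.append(ev)
    return dict(counts), needs_justification


if __name__ == "__main__":
    counts, flagged = review(SAMPLE_LOG)
    for user, n in sorted(counts.items()):
        print(f"{user}: {n} sudo record(s)")
    for ev in flagged:
        state = "DENIED" if ev["denied"] else "needs justification"
        print(f"  {state}: {ev['user']} ran {ev['command']} as {ev['runas']}")
```

On the sample input the two svcadm-free runs by alice and bob and carol's denied attempt are reported, while alice's svcadm restart passes silently; extending APPROVED_PROGRAMS is the only change needed to tune it to a site's actual fallback procedures.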



Re: root group in solaris : Tools

by Michael T Pins

Mike Kuriger writes:

>sudo provides logging, and commands such as /bin/sh etc can be put into
>a group in /etc/sudoers and forbidden.  then add users to the wheel
>group who need sudo access.   of course there are ways around the
>forbidden things.  you can be specific with which commands they can run
>so that they don't write shell scripts and run them with sudo to bypass
>the forbidden binaries.



>Cmnd_Alias      SHELLS =        /sbin/sh,\
>                                /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
>                                /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh

>Cmnd_Alias      FORBIDDEN =     /bin/passwd root,/bin/su,/sbin/su

>%wheel          ALL =           (ALL) ALL,!SHELLS,!FORBIDDEN

Doesn't help.  If you allow the user to sudo any program that allows them
to shell out (i.e. vi, more) they can get a root shell.

If you need to stop people with sudo access from getting a root shell
you need to have only allow lists, not deny lists.  And, obviously, you
need to be very careful about what programs you allow them.

I did once hack up both vi and more so users couldn't shell out, but
unfortunately that code is long gone.

--
Michael T Pins              | "It is not knowable how long that conflict
mtpins@...            | (Iraq) would last.  It could last, you know,
keeper of the nn sources    | six days, six weeks.  I doubt six months."
ftp://ftp.nndev.org/pub     | - Donald Rumsfeld, Feb 7, 2003
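Michael's objection to Mike's configuration is that a deny list (`!SHELLS`, `!FORBIDDEN`) cannot restrict a user who is otherwise allowed `ALL`, and that only an allow list of carefully chosen commands does. The checker below is an added example, not code from the thread or from sudo itself: it parses the Cmnd_Alias and user-specification lines of a sudoers fragment, reports rules that rely on `!` exclusions or grant `ALL`, and reports allowed commands whose basename is one of the programs the thread names as able to hand the caller a shell. That basename list and the allow-list fragment are constructed assumptions; the deny-list fragment is the one posted above.

```python
"""Flag deny-list rules and shell-capable commands in a sudoers fragment.

Added example for the thread above; not sudo's own code.  The regexes
cover only the subset of sudoers grammar used here.
"""
import re
from dataclasses import dataclass

# Constructed copy of the deny-list policy posted in the thread.
DENY_LIST_SUDOERS = r"""
Cmnd_Alias      SHELLS =        /sbin/sh,\
                                /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
                                /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh

Cmnd_Alias      FORBIDDEN =     /bin/passwd root,/bin/su,/sbin/su

%wheel          ALL =           (ALL) ALL,!SHELLS,!FORBIDDEN
"""

# Constructed allow-list alternative: only two explicit service commands.
ALLOW_LIST_SUDOERS = r"""
Cmnd_Alias      SERVICES =      /usr/sbin/svcadm restart apache2,\
                                /usr/sbin/svcadm restart sendmail
%wheel          ALL =           (ALL) SERVICES
"""

# Assumption: basenames the thread names as able to give the caller a shell.
SHELL_CAPABLE = {"sh", "csh", "tcsh", "ksh", "vi", "more", "nano", "visudo", "su"}


@dataclass
class Finding:
    user_spec: str
    problem: str


def _logical_lines(text: str) -> list[str]:
    """Join backslash-continued lines; drop blank and comment lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical = (buf + line).strip()
        buf = ""
        if logical and not logical.startswith("#"):
            out.append(logical)
    return out


def _split_cmds(spec: str) -> list[str]:
    return [c.strip() for c in spec.split(",") if c.strip()]


def parse_sudoers(text: str):
    """Return (aliases, rules): alias name -> commands, and (user, cmd spec) pairs."""
    aliases, rules = {}, []
    for line in _logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = _split_cmds(m.group(2))
            continue
        # user  host = (runas) commands
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return aliases, rules


def audit(text: str) -> list[Finding]:
    """Report deny lists, blanket ALL grants and shell-capable allowed commands."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for user, spec in rules:
        entries = _split_cmds(spec)
        if any(e.startswith("!") for e in entries):
            findings.append(Finding(user, "deny list: '!' exclusions do not "
                                    "restrict a user who can still choose what else to run"))
        for entry in (e for e in entries if not e.startswith("!")):
            if entry == "ALL":
                findings.append(Finding(user, "grants ALL: any allowed program "
                                        "with a shell escape yields a root shell"))
                continue
            for cmd in aliases.get(entry, [entry]):
                base = cmd.split()[0].rsplit("/", 1)[-1]
                if base in SHELL_CAPABLE:
                    findings.append(Finding(user, f"allows {cmd}, which can spawn a shell"))
    return findings


if __name__ == "__main__":
    for name, policy in (("deny list", DENY_LIST_SUDOERS), ("allow list", ALLOW_LIST_SUDOERS)):
        found = audit(policy)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.user_spec}: {f.problem}")
```

The posted deny-list policy produces two findings (a `!` deny list and a blanket `ALL` grant); the constructed allow-list policy produces none. This is a review aid only: it handles one Cmnd_Alias per logical line with a single host and runas field, so still run `visudo -c` on the real file.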

Re: root group in solaris : Tools

by Bugzilla from tonnerre.lombard@sygroup.ch

Salut,

On Thu, 2006-09-21 at 15:46 -0700, Mike Kuriger wrote:
> Cmnd_Alias      SHELLS =        /sbin/sh,\
>                                 /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
>                                 /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh
>
> Cmnd_Alias      FORBIDDEN =     /bin/passwd root,/bin/su,/sbin/su
>
> %wheel          ALL =           (ALL) ALL,!SHELLS,!FORBIDDEN

This config is easy to break out of:

sudo visudo
sudo vi /etc/sudoers
sudo nano /etc/sudoers
make editor && sudo editor /etc/sudoers
...

                                Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Loesungen mit System
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard@...


Re: root group in solaris : Tools

by benjamin brumaire

I've deployed PowerBroker at several customer sites. It was always
successful because of the central policy, the HA capability, good
support and the flexibility of the policy language.
In addition to the advantages already found against sudo I would add:
    - OOTB encryption for request/answer/log/keystroke log
    - LDAP integration that allows user definitions and authorizations to be
saved in the directory
    - hardened shells and utilities (sh, ksh, vi, less)
    - integrated log parser
    - checksum verification of programs to be executed
    - tiered policy

bbr

> What is the suggestion on using a tool like Powerbroker from Symark.
> The tool claims to centralise the "sudo" function and also provide
> logging? Does anyone have feedback on this tool or any other third
> party tool in the same space?
>
>
> On 9/19/06, Suzanne Widup <Suzanne.Widup@...> wrote:
>
>> Have you looked at implementing sudo?  It's a root delegation tool and
>> would give you some better accountability as to what people are doing.
>>
>> -----Original Message-----
>> From: listbounce@... [mailto:listbounce@...]
>> On Behalf Of dubaisans dubai
>> Sent: Monday, September 18, 2006 5:50 AM
>> To: focus-sun@...
>> Subject: root group in solaris
>>
>> Hi,
>>
>> I would like to give root user privileges to a set of OS administrators.
>> Everyone has individual user-ids on the system.
>> Currently they login with their personal ID and then SU to root. I do not
>> want to share root password with these many people.
>>
>> I am thinking of adding all these users to the "root" group [GID 0].
>> Will it provide root-equivalent UID 0 access to these users. If not, why?
>> Does the "root" group not have root user-id equivalent privileges?
>>
>> Is it possible manually to make the GID 0 privileges equivalent of UID
>> 0?
>>
>> How else can I give these individual users root privileges - make all of
>> them UID 0 or something? Is that a smart idea?
>>
>> I am looking at something simpler than SUDO or RBAC
>>
>>
>


Re: root group in solaris : Tools

by Casper.Dik


>I did once hack up both vi and more so users couldn't shell out, but
>unfortunately that code is long gone.

In Solaris 10 you can write a wrapper which removes the "proc_exec"
privilege from the limit set before running vi.

        ppriv -e -s L-proc_exec vi

Unfortunately, vi will allow you to edit any odd file, so that is
probably pointless but it would help for other programs.

Casper

Re: root group in solaris : Tools

by Bugzilla from tonnerre.lombard@sygroup.ch

Salut,

On Tue, 2006-09-26 at 11:09 -0700, Mike Kuriger wrote:
> true,  but sudo is for administrators.  if a regular user needs root
> access for anything, it's always just one or 2 commands which we make a
> rule for.  But true, it's very easy to get a root shell with sudo

What I meant to say is, if you give a user root privileges and the
ability to choose in any way what to run, you can't restrict him
anymore. (Even though the restriction seems to be a central point in
this thread.)

                                Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Loesungen mit System
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard@...

