TOM KEMP'S CENTRIFY BLOG

How DirectAuthorize Compares to sudo for Root Access Control

Tuesday, November 4, 2008

This is my fourth in a series of blog posts on our great new product DirectAuthorize. As you may recall from prior posts, DirectAuthorize is an Active Directory-based solution that lets you centrally manage and enforce fine-grained control over user access and privileges on UNIX and Linux systems. In this blog post I want to discuss how DirectAuthorize compares and contrasts with the popular "sudo" utility found on most UNIX and Linux systems.

But before I jump into the differences, let me first level-set and define what sudo is and what it does. Sudo is a UNIX/Linux command that lets users run programs with the security privileges of another user. Sudo will prompt for the user's own password, but it can be configured to require the root user's password or no password at all. A more detailed description of sudo can be found here. The file /etc/sudoers contains the rules that govern what users may do when they run the sudo command. An example sudoers file can be found here.

Sudo is quite popular. In surveying a large chunk of our 600+ customers, Centrify found that the vast majority of large UNIX/Linux shops (easily well over 90%) are primarily using sudo for UNIX root access control as opposed to the various legacy commercial tools that exist in the market. But even with this widespread adoption, customers consistently told us that they have two major issues with sudo that they want to resolve with DirectAuthorize: the lack of centralized management of administrative access rights, and the complexity of setting up policies. Let me expand on both.

Top issues with sudo

The first issue with sudo that we heard from customers is that the key privilege management information is stored locally in the sudoers file on each and every UNIX/Linux system, as opposed to being managed centrally. This may not be a problem with a small number of systems, but it becomes problematic when servers number in the hundreds and you may not be exactly sure what is in the sudoers file on each system.

One workaround to this issue could be an automated way of syncing / replicating the sudoers files to the relevant systems and/or groups of systems (i.e. Zones). Centrify DirectControl does exactly this by delivering a sudo-specific group policy that administrators can use to apply a common sudoers policy file across systems within an organizational unit, or they can filter the distribution of the policy on a specific Active Directory object such as a computer or group of computers. (See this group policy chalktalk and/or read more about DirectControl's group policy capabilities for UNIX/Linux/Mac for more information.)

DirectControl even makes it easy to edit the sudo rights policy with a free-form editor as shown below. This interface provides a rich editing environment for many policies where multiple lines of text need to be entered or edited after initial entry, such as the sudo or firewall policies. This editor has the ability to insert all standard commands with a simple right-click, as well as the ability to browse and select names of Active Directory objects and to find their appropriate UNIX name where needed. Additionally, since the policy must adhere to a defined syntax, we made this editor check for proper syntax before allowing you to move on to the next policy.


This is a nice band-aid for managing the local sudoers files and keeping them in sync (and I think DirectControl has the most robust Group Policy in the market for sudo given the editor, etc.), but at the end of the day the key administrative access-rights information is still being stored locally as opposed to centrally, which is a less than optimal way of controlling root access.

Using an analogy, our customers are clearly trying to get away from having to locally manage user account information on each and every machine with the /etc/passwd file (which in theory could also be synced), and instead are using DirectControl to allow the user account information to be stored in a central directory (i.e. Active Directory). So with DirectControl each UNIX system in effect becomes an "Active Directory client," with a central location where authentication can be controlled (e.g. immediate disabling of a user). Just as with the benefits of centralized user account management with DirectControl, it is understandable that customers would want the centralized privilege management and delegation of UNIX root access that DirectAuthorize delivers.

In other words, while expert sudo scripters can create group-based policies, these management groups represent additional identity information that must be separately managed. DirectAuthorize provides easy-to-use graphical tools for modeling role-based policies that can be associated with Active Directory users and groups. Leveraging Active Directory identity information not only streamlines the management of policies but also provides unambiguous accountability and reporting for compliance purposes.

The second major issue we heard from customers regarding sudo is that sudo requires administrators to understand the complexities of the sudoers policy language. As a result, many organizations have used sudo only lightly; for example, they may use sudo to enable a user to switch to a privileged account, but find it too difficult to limit what the user can then do, which results in relatively weak security. By contrast, DirectAuthorize provides a familiar Windows management interface that simplifies the creation of fine-grained, stringent privilege grants.
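As an added illustration of the weak-grant pattern described above (an example written for this page, not code from the post or from Centrify), here is a small Python script that parses a constructed sudoers fragment and flags the grants that hand a user an unrestricted root session:

```python
# Added example: audit a sudoers policy for the weak pattern the post describes,
# grants that let a user become root with no limit on what they can then run.
import re

# Constructed sample policy (not from a real host); only bob's grant is narrow.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/su
bob     ALL=(root) /usr/sbin/service httpd restart
carol   web01=(root) /bin/bash
"""
# Programs that hand the caller an interactive shell: a grant naming one of
# them is effectively "become root, then do anything".
SHELL_PROGRAMS = {"/bin/bash", "/bin/sh", "/usr/bin/su", "/bin/su"}
# user host=(runas) [NOPASSWD:] cmd, cmd ... (common user-spec form only;
# alias definitions, negations and other tags are skipped, not parsed)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)=(?:\(([^)]*)\))?\s*(NOPASSWD:\s*)?(.+)$")

def parse_sudoers(text):
    """Return one dict per user specification found in the sudoers text."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SPEC_RE.match(line)
        if m:
            user, hosts, runas, nopasswd, cmds = m.groups()
            grants.append({"user": user, "hosts": hosts, "runas": runas or "root",
                           "nopasswd": bool(nopasswd),
                           "commands": [c.strip() for c in cmds.split(",")]})
    return grants

def find_weak_grants(grants):
    """Return (user, reason) pairs for grants that amount to an unrestricted root session."""
    findings = []
    for g in grants:
        if g["user"] == "root":
            continue
        for cmd in g["commands"]:
            if cmd == "ALL":
                findings.append((g["user"], "may run any command"))
            elif cmd.split()[0] in SHELL_PROGRAMS:
                findings.append((g["user"], cmd.split()[0] + " gives an unrestricted shell"))
    return findings
```

Run over the sample, only bob's grant passes; the other three non-root entries are exactly the "switch to a privileged account with no further limit" configuration the post describes.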

Other benefits of DirectAuthorize vis-à-vis sudo

Besides addressing these two major issues with sudo, DirectAuthorize goes well beyond the privilege management capabilities of sudo, enabling administrators to control not only how and when a user can access a computer but also what commands he is allowed to run.

  • DirectAuthorize lets administrators control users' access to secured systems via PAM-enabled applications and interfaces (SSH, FTP, etc.).
  • DirectAuthorize's unique Restricted Environment feature lets administrators control which commands the user is allowed to run, in addition to the privileged commands he is authorized to execute.
  • DirectAuthorize lets administrators define time-based restrictions around the privilege grant for both time of day and day of week. They can also set the start and end date for each person the rights have been granted to, making it easy to grant privileges on a temporary basis.
  • DirectAuthorize enables users to run commands with privilege automatically, making it easier to adopt this technology and a more stringent security policy without requiring IT to retrain staff.

Taken together, DirectAuthorize's ease of use and its advanced features make it an enterprise-ready solution vis-à-vis sudo for fine-grained control over user access and privileges on UNIX and Linux systems. And as mentioned in a prior blog post, the fact that DirectAuthorize is included with DirectControl as part of the Centrify Suite Standard Edition makes it an even bigger no-brainer to use our solution over sudo to make delegation of root access control more secure, robust and manageable. It also makes it easier to pass audits!
