Privileged Access
Hello guys,
Hope you are doing well.
We have a 2k+ environment with multiple applications installed, plus vendor products all over the environment, which is becoming almost impossible to maintain with sudo. For example, in a Hadoop environment there is a team in charge of supporting Hadoop but not in charge of the OS; if root access is given to them, they touch OS configuration files and cause damage. The same happens with other applications. We have a large sudo profile per application, which is becoming difficult to maintain, plus the time it takes to develop a new profile for new applications.
I wonder how you manage these cases and what you suggest.
Thanks in advance.
Responses
Ivan,
This is a genuine problem and a difficult one to solve with the tools bundled in the OS, especially with less 'enterprise'-oriented applications like Hadoop. Some may suggest SELinux, which would technically work, but I'm yet to see a straightforward management model for this.
I have definitely seen PowerBroker come up more than once when discussing this issue:
https://www.beyondtrust.com/products/powerbroker-for-unix-linux/
For your OS files, you can manage them with configuration management tools such as Ansible/Puppet, which let you monitor changes and configuration drift and will at least give you visibility into what is changing.
I am interested to see what technical solutions others suggest (policy is the other obvious solution).
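Added example, not from the thread or any of its posters: one way to make the "large sudo profile per application" maintainable is to stop hand-editing a single sudoers file and instead render a small drop-in per application from a short role spec, lint it for the patterns that quietly turn limited sudo back into root, and gate it on `visudo -cf` before configuration management ships it. The application name (hadoop), group (hadoop-ops) and command paths below are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-application sudoers drop-in generator plus lint.
# Names (hadoop, hadoop-ops, /etc/hadoop/...) are hypothetical.
set -eu

# render_sudoers_fragment APP GROUP CMD...
# Prints a fragment for /etc/sudoers.d/APP. Each CMD is a full path with
# fixed arguments; members of %GROUP may run exactly those, as root.
render_sudoers_fragment() {
  local app="$1" group="$2"; shift 2
  local cmnd_alias list="" cmd
  # Alias names must be upper-case [A-Z0-9_], so "hadoop" -> HADOOP_CMDS.
  cmnd_alias="$(printf '%s' "$app" | tr '[:lower:]' '[:upper:]' | tr '-' '_')_CMDS"
  for cmd in "$@"; do
    list="${list:+$list, }$cmd"
  done
  printf '# Managed by configuration management for application %s. Do not edit by hand.\n' "$app"
  printf 'Cmnd_Alias %s = %s\n' "$cmnd_alias" "$list"
  printf '%%%s ALL = (root) %s\n' "$group" "$cmnd_alias"
}

# lint_sudoers_fragment FILE
# Returns 0 when none of the root-equivalent patterns below appear,
# otherwise prints each finding to stderr and returns 1.
lint_sudoers_fragment() {
  local file="$1" rc=0
  # A bare ALL as the command list is unrestricted root.
  if grep -Eq '^[^#]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL([[:space:]]|,|$)' "$file"; then
    echo "$file: grants ALL commands" >&2; rc=1
  fi
  # "ALL, !/bin/su" denylists are bypassable (copy the binary elsewhere);
  # sudoers(5) says as much.
  if grep -Eq '^[^#]*=.*![[:space:]]*/' "$file"; then
    echo "$file: uses command negation, which is not a security boundary" >&2; rc=1
  fi
  # Arguments are matched as one string, so "systemctl restart hadoop-*"
  # also matches "systemctl restart hadoop-x sshd".
  if grep -Eq '^[^#]*=.*[*?]' "$file"; then
    echo "$file: wildcard in command list; arguments match across word boundaries" >&2; rc=1
  fi
  # Editors, pagers and interpreters give a root shell escape; use sudoedit
  # or a root-owned wrapper script instead.
  if grep -Eq '^[^#]*=.*/(vi|vim|nano|less|more|bash|sh|python[0-9.]*)([[:space:]]|,|$)' "$file"; then
    echo "$file: permits a program with a shell escape" >&2; rc=1
  fi
  return "$rc"
}

# check_sudoers_fragment FILE
# Lint first, then syntax-check with visudo when it is installed. This is
# the step to wire into Ansible/Puppet as the validate command.
check_sudoers_fragment() {
  local file="$1"
  lint_sudoers_fragment "$file" || return 1
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$file"
  else
    echo "visudo not installed here; syntax check skipped" >&2
  fi
}

# Stand-alone demo: fragment for a hypothetical Hadoop support team.
demo() {
  local tmp
  tmp="$(mktemp)"
  render_sudoers_fragment hadoop hadoop-ops \
    "/usr/bin/systemctl restart hadoop-namenode" \
    "/usr/bin/systemctl status hadoop-namenode" \
    "sudoedit /etc/hadoop/core-site.xml" > "$tmp"
  cat "$tmp"
  check_sudoers_fragment "$tmp" || echo "fragment rejected" >&2
  rm -f "$tmp"
}
demo
```

Deploy the output to /etc/sudoers.d/<app> with mode 0440 and a filename without a dot (the #includedir directive skips names containing "." or ending in "~"), and run `visudo -cf` as the validate step in your configuration management so a broken fragment never lands on 2,000 hosts. The lint is a heuristic that catches the well-known mistakes; it does not replace reviewing each command for write access to OS files.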
You'd need to tell us more about your environment. For example, across those 2,000+ systems, do you use a centralized authentication management system? If so, what do you use? With 2000+ systems, I'd have to assume that you're using some kind of systems automation, automated configuration-management systems and/or automated provisioning solutions - if so, which ones? What's the degree of system-to-system similarity - if only within servers hosting applications of a given type?
While there are some great tools out there for doing the kinds of things you've asked after (several of our customers use PowerBroker, others use Centrify), each of those tools has costs. Some of those costs are financial. Some of those costs are in learning and management (one customer that settled on PowerBroker Open did so only after they'd failed in deploying Centrify's Enterprise product because it wasn't nearly so easy to run as they'd expected; ultimately, they decided they only really needed centralized authentication and not the costs of Enterprise licensing or of learning how to properly manage Centrify).
Fine-grained access control, no matter what you choose to use, requires expertise, effort and time to do correctly. And, usually, it requires organizations to think about things that they never really thought about before. Charging ahead before you've thought those things out can cause far more pain than it alleviates.
