power broker and sudo
09-12-2005 05:46 PM
Is the Power Broker software tool better than sudo for providing privileged access on HP-UX servers?
Thanks,
Shiv
09-12-2005 05:52 PM
Re: power broker and sudo
09-12-2005 06:04 PM
Powerbroker's event logging capabilities are superb.
But this product excels in the functions its name implies, i.e., brokering the power of the root user very finely over usernames and commands executed, depending on many different conditions.
Also, a big plus for me: I do not have to type my password every time I want to access my powerbrokered account on every server I log in to, if the powerbroker is configured correctly.
The only advantage of sudo over powerbroker is its price. Nothing beats FREE. Other than that, if you are trying to be SOX compliant with reporting capabilities for the who-did-what-on-which-server scenario, you cannot go wrong with the powerbroker.
Hope this helps.
UNIX because I majored in cryptology...
09-12-2005 07:04 PM
Re: power broker and sudo
Sudo is a popular public domain tool that allows user, host and password restrictions. It supports simple logging. Sudo's password restriction allows for a five minute (default) validation period. If another command is entered within five minutes, no password is required and the `ticket' is updated. Sudo sends mail to a designated user whenever an attempt to invoke a command with Sudo fails. Sudo's main advantage is that it is simple to configure and supports many operating systems.
PowerBroker is a fairly comprehensive package that offers almost every feature mentioned except robust control over command line arguments, a significant drawback. While it does offer some command line argument control, it lacks control over command line arguments that might represent system objects.
PowerBroker security software is designed to enhance native Unix authorization by providing selective delegation of Unix administrative privileges for trusted users without providing full root access, thus reducing the risk of accidental damage or malicious activity. By providing selective access to root's power, PowerBroker may enable system administrators, database administrators, engineers, application developers, and help desk operators to perform their jobs without introducing security risks. PowerBroker is designed to maintain system integrity by ensuring that the root password is not revealed. Granular privilege delegation enables administrators to restrict access to specific system commands as well as third-party applications, directories and files. Administrators may be able to use PowerBroker's C-like scripting language to create comprehensive policies to govern privilege assignment.
To ensure a secure environment and provide clear user accountability, PowerBroker provides an audit trail. It aims to extend native Unix logging capabilities by centrally capturing each system's events, requests, and complete user sessions by keystroke. PowerBroker provides both event logs and I/O logs; a new browser-based GUI enables administrators to view both logs. Log files may be queried, and specified data may be extracted and viewed. For additional protection, "forbidden keystroke" sequences may be designated and systems secured before potential damage occurs.
I agree with Mel "The only advantage of sudo over powerbroker is its price".
IA
09-12-2005 07:39 PM
Re: power broker and sudo
Additional rule set capabilities:
- The ability to create separate policy files to address subsets of your overall policy. These are incorporated into the master configuration file as "include" statements. So you could have a policy configuration file for interns (interns.conf), and should someone in the UNIX group "intern" call the powerbroker command, it would reference the intern.conf file. (i.e., if (intern) { "include intern.conf" } )
- You can define which host the command will be executed on via the runhost variable.
- You can define periods of time during which operations are permitted or denied via the timebetween() and dayname() variables.
- The triggering of a mail alert regardless of success or failure of the command executed.
- The ability to produce interactive scripts which step-by-step prompt the user for specific information.
- The use of a runtimeout variable provides for a maximum run time. While this could be set to infinite, its use provided for the ability to shut down any process related to a powerbroker session after a given amount of time.
- The ability to use if() statements and logical operators to generate cases to reflect policy. As is apparent at this point, the configuration
09-12-2005 10:00 PM
Re: power broker and sudo
Here are a few details about both tools.
Powerbroker is better, being a commercial product, though sudo is also a very effective, well organized, and free product.
Sudo:
Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis; it is not a replacement for the shell. Its features include:
The ability to restrict what commands a user may run on a per-host basis.
Sudo does copious logging of each command, providing a clear audit trail of who did what. When used in tandem with syslogd, the system log daemon, sudo can log all commands to a central host.
Sudo uses timestamp files to implement a "ticketing" system. When a user invokes sudo and enters their password, they are granted a ticket for 5 minutes (this timeout is configurable at compile-time). Each subsequent sudo command updates the ticket for another 5 minutes. This avoids the problem of leaving a root shell where others can physically get to your keyboard. There is also an easy way for a user to remove their ticket file, useful for placing in a .logout file.
Sudo's configuration file, the sudoers file, is set up in such a way that the same sudoers file may be used on many machines. This allows for central administration while keeping the flexibility to define a user's privileges on a per-host basis.
----------------------------------
POWERBROKER:
PowerBroker provides UNIX security and accountability by enabling system administrators to delegate administrative privileges and authorization without disclosing the root password and to grant selective access to UNIX based corporate resources. PowerBroker protects the superuser or root account (the most targeted user account), from hackers who could remove critical system files, gain access to confidential data and delete audit trails. It supports HPUX, AIX, RedHat Linux and Solaris platforms.
Administrative tasks such as mounting system programs, performing backups, and adding new users can be delegated to individuals or groups at a granular level, thus reducing the risk of accidental damage and the threat of malicious activities. PowerBroker also grants user access to files, directories and third-party applications and accounts (such as HR, financial or database programs), including generic accounts.
Granular delegation of UNIX ROOT privileges
Secure application generic account privileges (e.g., oracle)
Restrict command line access to programs and applications
Control access to files and directories
Security Policies:
--
Comprehensive access control policies using a "C-like" scripting language
Policy Scripting GUI to speed policy development
Enable access by user, UNIX/Linux group, netgroup, or host
Restrict or replace specific UNIX/Linux commands, including su and r-commands
Restrict access by day, date and time
Restrict access to and from specified hosts, including remote hosts
LDAP querying capabilities
Detailed Audit Trail of UNIX/Linux Tasks
--
Event logs capture detailed information about each task request
Comprehensive "keystroke logs" capture complete session I/O
Web-based log viewers
------------------------------------------------------
Cheers,
Raj.
09-12-2005 10:36 PM
Re: power broker and sudo
Downloads are:
1. sudo : http://www.courtesan.com/sudo/dist/sudo-1.6.8p9.tar.gz
2. Powerbroker : http://www.symark.com/evaluation.htm
------------------------------------------------------
Cheers,
Raj.
09-14-2005 05:42 AM
Re: power broker and sudo
09-14-2005 05:45 AM
Re: power broker and sudo
If you stay with sudo you will have a lot more users to converse with (at least for now).
If you have no experience with either, start with sudo.
09-14-2005 06:11 AM
Re: power broker and sudo
As I previously said, you cannot beat the price of sudo: FREE. But when you come to the administration and use of the two products, you have some tradeoffs and decisions to make.
sudo has /etc/sudoers (or wherever it is linked to nowadays) as its configuration file, and it resides on the server where you are running sudo. One wrong command access you grant to the lowly eternal user, and you are giving the keys to the castle to him/her, whereas on powerbroker you have minimal configuration files stored locally, which basically tell the server which other server to get its authorization or denial from, and this server can be off limits to the almighty root user of the local server. The same is true for the log files kept. sudo keeps them locally, whereas with powerbroker you decide if you want to keep them locally or somewhere more secure, remotely.
As you can see, protecting yourself from unexpected intrusions or providing pristine, untouched log files to those pesky Sarbanes-OXymoron auditors is much easier using powerbroker if you set things up right from the get-go. Of course this comes at a price, both in hard cash and in the need for more resources. As you can see, when you are talking about remote authentication, or keystroke logging to a remote server, you are reliant on a very robust and fast network backbone, especially if you are in an environment like HP's with close to 2000 hpux servers scattered around the US. As I have seen from some host names you posted, Shiv, you are working at or with the servers at the HP Atlanta data center. And those servers by default should have the powerbroker installed on them unless something drastically changed in the past year and a half. In case you need the name of the person who was the administrator of the powerbroker master server over there, I can give it to you via email so you can hear the experiences from the horse's mouth. Just let me know.
Also, when you go the powerbroker way, it is mainly because you mean big business, and you had better consider powerbroker management a full-time job for one or more people in such large implementations, as you need to keep tabs on master servers, their slaves, how they are performing, whether there are any licenses not released from dead sessions, etc. It is a very tedious but necessary thing. You do not want to see "out of powerbroker client licenses, contact your administrator" at 2 am in the morning. Planning well and executing well is an absolute necessity for this product. Powerbroker admins usually hate to be in that position, but it is a godsend for the admin who needs to perform root duties on a slew of servers without needing to type his/her own password over and over again, as in the case of sudo.
UNIX because I majored in cryptology...
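To make two points from the thread concrete, here is a sudoers file written as an added example (not posted by anyone in the thread): the single file shared across hosts with per-host rules and syslog logging that Raj describes, and the over-broad grant Mel warns about shown beside a tighter rule. Host names, user names and the mailbox are constructed; the directives are standard sudoers syntax of the sudo 1.6.8 era linked above.

```sudoers
# Added example, not from the thread: one sudoers file deployed unchanged to
# every host, with per-host rules and a weak grant beside its fix.
# Host and user names are constructed.

Host_Alias  ATL_DB   = dbhost01, dbhost02
Host_Alias  ATL_WEB  = webhost01, webhost02
User_Alias  DBA      = alice, bob
User_Alias  HELPDESK = carol
Cmnd_Alias  BACKUP   = /usr/sbin/fbackup, /usr/sbin/frecover
# Any account's password except root's (negation form from the sudoers manual).
Cmnd_Alias  PASSWD   = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# Ticket lifetime in minutes (the 5-minute default the posts describe); log
# every command via syslog so a remote loghost keeps a copy that local root
# cannot edit; mail failed attempts to a designated mailbox.
Defaults    timestamp_timeout=5, syslog=auth, mailto="security@example.com"
Defaults    mail_badpass, mail_no_perms

# Weak grant: an unrestricted editor as root lets the user open any file and
# start a root shell from inside the editor, on every host where this file lands.
#carol       ALL = (root) /usr/bin/vi

# Tighter: edit only the named file through sudoedit (the editor runs as carol
# on a temporary copy, so no root editor process exists), and only on the web
# hosts where that task belongs. Other duties are scoped the same way.
HELPDESK    ATL_WEB = sudoedit /etc/hosts
HELPDESK    ATL_WEB = (root) PASSWD
DBA         ATL_DB  = (root) BACKUP
```

Because the rules are keyed on Host_Alias entries, the identical file can be copied to dbhost01 and webhost01 and each host enforces only the lines that name it.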