power broker and sudo

SOLVED
Shivkumar
Super Advisor

power broker and sudo

Dear Sirs,

Is Power Broker software tool better than sudo for providing privilege access on hpux servers ?

Thanks,
Shiv
10 REPLIES
Arunvijai_4
Honored Contributor

Re: power broker and sudo

Power broker is better than sudo since it has got a GUI for policy scripting. sudo is open source and freely available. If you are budget constrained, go for sudo.
"A ship in the harbor is safe, but that is not what ships are built for"
Mel Burslan
Honored Contributor
Solution

Re: power broker and sudo

GUI management is only the tip of the iceberg if you are comparing sudo to powerbroker.

Powerbroker's event logging capabilities are superb.
But this product excels in the functions its name implies, i.e., brokering the power of root user very finely over usernames, commands executed, depending on many different conditions.
Also, a big plus for me, I do not have to type my password every time I want to access my powerbrokered account on every server I log in to, if the powerbroker is configured correctly.

The only advantage of sudo over powerbroker is its price. Nothing beats FREE. Other than that, if you are trying to be SOX compliant with reporting capabilities for the who-did-what-on-which-server scenario, you cannot go wrong with the powerbroker.

hope this helps
________________________________
UNIX because I majored in cryptology...
Indira Aramandla
Honored Contributor

Re: power broker and sudo

Hi Shiv,

Sudo is a popular public domain tool that allows user, host and password restrictions. It supports simple logging. Sudo's password restriction allows for a five minute (default) validation period. If another command is entered within five minutes, no password is required and the `ticket' is updated. Sudo sends mail to a designated user whenever an attempt to invoke a command with Sudo fails. Sudo's main advantage is that it is simple to configure and supports many operating systems.

PowerBroker is a fairly comprehensive package that offers almost every feature mentioned except robust control over command line arguments, a significant drawback. While it does offer some command line argument control, it lacks control over command line arguments that might represent system objects.

PowerBroker security software is designed to enhance native Unix authorization by providing selective delegation of Unix administrative privileges for trusted users without providing full root access, and thus reducing the risk of accidental damage or malicious activity. By providing selective access to root's power, PowerBroker may enable system administrators, database administrators, engineers, application developers, and help desk operators to perform their jobs without introducing security risks. PowerBroker is designed to maintain system integrity by ensuring that root password is not revealed. Granular privilege delegation enables administrators to restrict access to specific system commands as well as third-party applications, directories and files. Administrators may be able to use PowerBroker's C-like scripting language to create comprehensive policies to govern privilege assignment.
To ensure a secure environment and provide clear user accountability, PowerBroker provides an audit trail. It aims to extend native Unix logging capabilities by centrally capturing each system's events, requests, and complete user sessions by keystroke. PowerBroker provides both event logs and I/O logs; a new browser-based GUI enables administrators to view both logs. Log files may be queried, and specified data may be extracted and viewed. For additional protection, "forbidden keystroke" sequences may be designated and systems secured before potential damage occurs.

I agree with Mel "The only advantage of sudo over powerbroker is its price".


IA
Never give up, Keep Trying
morganelan
Trusted Contributor

Re: power broker and sudo

Powerbroker exceeded sudo's capabilities by providing for the following additional rule set capabilities:
· The ability to create separate policy files to address subsets of your overall policy. These are incorporated into the master configuration file as "include" statements. So you could have a policy configuration file for interns (interns.conf), and should someone in the UNIX group "intern" call the powerbroker command, it would reference the intern.conf file. (ie, if (intern) { "include intern.conf" } )
· You can define which host the command will be executed on via the runhost variable.
· You can define periods of time during which operations are permitted or denied via the timebetween() and dayname() variables.
· The triggering of a mail alert regardless of success or failure of the command executed.
· The ability to produce interactive scripts which step-by-step prompt the user for specific information.
· The use of a runtimeout variable provides for a maximum run time. While this could be set to infinite, its use provided for the ability to shut down any process related to a powerbroker session after a given amount of time.
· The ability to use if() statements and logical operators to generate cases to reflect policy. As is apparent at this point, the configuration
Kamal Mirdad
Raj D.
Honored Contributor

Re: power broker and sudo

Hi Shiv,

Here are a few details about both tools.
Powerbroker is better, being a commercial product. Though sudo is also a very effective, well organized, and free product.


Sudo:

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis; it is not a replacement for the shell. Its features include:

The ability to restrict what commands a user may run on a per-host basis.

Sudo does copious logging of each command, providing a clear audit trail of who did what. When used in tandem with syslogd, the system log daemon, sudo can log all commands to a central host.

Sudo uses timestamp files to implement a "ticketing" system. When a user invokes sudo and enters their password, they are granted a ticket for 5 minutes (this timeout is configurable at compile-time). Each subsequent sudo command updates the ticket for another 5 minutes. This avoids the problem of leaving a root shell where others can physically get to your keyboard. There is also an easy way for a user to remove their ticket file, useful for placing in a .logout file.

Sudo's configuration file, the sudoers file, is set up in such a way that the same sudoers file may be used on many machines. This allows for central administration while keeping the flexibility to define a user's privileges on a per-host basis.


----------------------------------

POWERBROKER:

PowerBroker provides UNIX security and accountability by enabling system administrators to delegate administrative privileges and authorization without disclosing the root password and to grant selective access to UNIX based corporate resources. PowerBroker protects the superuser or root account (the most targeted user account), from hackers who could remove critical system files, gain access to confidential data and delete audit trails. It supports HPUX, AIX, RedHat Linux and Solaris platforms.

Administrative tasks such as system programs mounting, performing backups, adding new users can be delegated to individuals or groups at a granular level, thus reducing the risk of accidental damage and the threat of malicious activities. PowerBroker also grants user access to files, directories and third-party applications and accounts (such as HR, financial or database programs), including generic accounts.

Granular delegation of UNIX ROOT privileges
Secure application generic account privileges (e.g., oracle)
Restrict command line access to programs and applications
Control access to files and directories

Security Policies:
--
Comprehensive access control policies using a "C-like" scripting language
Policy Scripting GUI to speed policy development
Enable access by user, UNIX/Linux group, netgroup, or host
Restrict or replace specific UNIX/Linux commands, including su and r-commands
Restrict access by day, date and time
Restrict access to and from specified hosts, including remote hosts
LDAP querying capabilities



Detailed Audit Trail of UNIX/Linux Tasks
--
Event logs capture detailed information about each task request
Comprehensive "keystroke logs" capture complete session I/O
Web-based log viewers

------------------------------------------------------


Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Raj D.
Honored Contributor

Re: power broker and sudo

Hi Shiv ,

Downloads are:


1. sudo : http://www.courtesan.com/sudo/dist/sudo-1.6.8p9.tar.gz
2. Powerbroker : http://www.symark.com/evaluation.htm

------------------------------------------------------

Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
generic_1
Respected Contributor

Re: power broker and sudo

I found powerbroker broke a lot :), and it's expensive. It doesn't handle command line scripting well at all.
Rick Garland
Honored Contributor

Re: power broker and sudo

powerbroker as a commercial product does not seem ready for prime time.

If you stay with sudo you will have a lot more users to converse with (at least now).


If you have no experience with either, start with sudo.
Mel Burslan
Honored Contributor

Re: power broker and sudo

Alright, Raj D. copied the marketing spiel from Symark's website and the sudo webpages. The real life situation is not that rosy at all.

As I previously said, you cannot beat the price of sudo: FREE. But when you come to the administration and use of the two products, you have some tradeoffs and decisions to make.

sudo has the /etc/sudoers, or wherever it is linked to nowadays, as its configuration file and it resides on the server where you are running sudo. One wrong command access you grant to the lowly eternal user, and you are giving the keys to the castle to him/her, whereas on powerbroker, you have minimal configuration files stored locally, which basically tell the server which other server to get its authorization or denial from, and this server can be off limits to the almighty root user of the local server. The same is true for the log files kept. sudo keeps them locally, whereas you decide if you want to keep them local or somewhere more secure, remotely, when using powerbroker.

As you can see, protecting yourself from unexpected intrusions or providing pristine, untouched log files to those pesky Sarbanes-OXymoron auditors is much easier using powerbroker if you set things up right from the get go. Of course this comes at a price, both in hard cash and in the need for more resources. As you can see, when you are talking about remote authentication, or keystroke logging to a remote server, you are reliant on a very robust and fast network backbone, especially if you are in an environment like HP's with close to 2000 hpux servers scattered around the US. As I have seen from some host names you posted, Shiv, you are working at or with the servers at the HP Atlanta data center. And those servers by default should have the powerbroker installed on them unless something drastically changed in the past year and a half. In case you need the name of the person who was the administrator of the powerbroker master server over there, I can give it to you via email so you can hear the experiences from the horse's mouth. Just let me know.

Also, when you go the powerbroker way, it is mainly because you mean big business, and you had better consider powerbroker management a full time job for one or more people in such large implementations, as you need to keep tabs on master servers, their slaves, how they are performing, whether there are any licenses not released from dead sessions etc. It is a very tedious but necessary thing. You do not want to see "out of powerbroker client licenses, contact your administrator" at 2 am in the morning. Planning well and executing well is an absolute necessity for this product. Powerbroker admins usually hate to be in that position, but it is a godsend for the admin who needs to perform root duties on a slew of servers without needing to type his/her own password over and over again as in the case of sudo.

________________________________
UNIX because I majored in cryptology...
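The "one wrong command access" risk Mel describes, and the per-host, per-command scoping of the sudoers file that Raj D. outlines, are easy to check mechanically. The following is an added example, not code from this thread or from either product: a small Python audit that parses a constructed sudoers fragment (the host names, command paths and user names are all made up) and flags grants that amount to an unrestricted root shell. The set of shell-capable programs is an assumption chosen for illustration, not an exhaustive list.

```python
"""Audit a sudoers fragment for grants that amount to handing out root."""
import re

# Constructed sample for this example; not taken from any real system.
SAMPLE_SUDOERS = """
Host_Alias  DBHOSTS = dbhost1, dbhost2
Cmnd_Alias  BACKUP  = /usr/sbin/fbackup, /usr/sbin/frecover
oracle    DBHOSTS = (root) BACKUP         # scoped: two hosts, two commands
intern    ALL = (ALL) NOPASSWD: ALL       # the "keys to the castle" grant
helpdesk  ALL = (root) /usr/bin/vi        # an editor run as root is a shell in disguise
"""

# Assumed list of programs that can drop the caller into an interactive shell.
SHELL_CAPABLE = {"sh", "ksh", "csh", "bash", "vi", "vim", "su"}

# user  hosts = (runas) [NOPASSWD:] cmd, cmd, ...
RULE_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:)?\s*(.+)$")


def parse_sudoers(text):
    """Return (cmnd_aliases, rules); each rule is (user, hosts, nopasswd, [cmds])."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith(("Host_Alias", "User_Alias", "Defaults")):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            user, hosts, _runas, tag, cmds = m.groups()
            rules.append((user, hosts, tag is not None, [c.strip() for c in cmds.split(",")]))
    return aliases, rules


def audit(text):
    """Return (user, reason) findings for rules that are effectively a root shell."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for user, hosts, nopasswd, cmds in rules:
        for cmd in cmds:
            for c in aliases.get(cmd, [cmd]):        # expand Cmnd_Alias names
                prog = c.split()[0].rsplit("/", 1)[-1]   # basename of the command
                if c == "ALL":
                    findings.append((user, f"ALL commands on {hosts}" + (", NOPASSWD" if nopasswd else "")))
                elif prog in SHELL_CAPABLE:
                    findings.append((user, f"{prog} as root can open a shell on {hosts}"))
    return findings


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {reason}")
```

The oracle rule passes because both its host list and its command list are bounded; the other two are the grants an auditor would want to see before they reach a thousand servers.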
BazipZeehok
Occasional Visitor

Re: power broker and sudo

Just a bit of perspective from a guy who actually has to get this to work.

I'm forced to use PowerBroker on just under a thousand OS images. Furthermore, I inherited it from a previous sysadmin who was less than perfectly tidy in setting this up. I have just spent several days trying to find out how this thing works, and I still don't know. It's gained the nickname "PowerBroken", which I hasten to add it already had before the previous admin ran for the hills.

Information on this product is non-existent on the web. A google search of the content of various configuration files comes up a blank. (Well, not blank. There's plenty of pages that tell you how fantastically wonderful PowerBroker is). Instead of using a well-understood scripting language such as, say, Perl, Python, Shell... they have invented their own "C-like" scripting language. Nobody can tell me what the syntax is of this language. It doesn't appear to have a name. By contrast, a google search of "/etc/sudoers" yields configuration examples in the first twenty hits.

If you use PowerBroker, then there will come a night where you are sitting there while your idiot system tells you that it thinks you haven't paid your bills. It uses license management. License managers are specifically designed to make software not work. It will undoubtedly succeed at this. Sudo has none of this.

About the only thing that PowerBroker does that Sudo itself can't, is session logging. The only interaction I have with those logs is when someone leaves a performance monitor like top or nmon running for a few days, and the resulting log overflows the /var partition on the master server. PowerBroken will at that point no longer elevate users or execute commands, and we're back to using good old su(1) with the root password. But I suppose it is worth it to look over our shoulders.

I've read here that the big advantage of PowerBroker is its central management. You'll be pleased to know that these days, you can put your sudoers info on a central LDAP server. Who knows? Maybe you can even get an Active Directory server to play nice with Sudo. I personally don't know anyone who does this, it being easier just to push out a few config files. If you worry that someone might tamper with that file, you need root to change it in the first place. If you give me root on a system for five minutes, I'll have it forever if I really want it. Regardless of what you use to give it to me in the first place.

If you decide to use PowerBroker, or have that decision made for you by someone else, make sure that you can get the root password to any system you administer. Or, since sudo is free, install it alongside PowerBroker just in case you need it. On modern Unixen, sudo is part of the standard install unless you specifically ask for it not to be installed.

I'm sure that in a simple environment, you can get PowerBroker to work most of the time. In a complex environment, it quickly becomes an administrative nightmare. Since you're into expensive solutions already, you may as well hire a consultant. Send someone on a course. To me, PowerBroker looks like a classic instance of throwing money at a problem.