Last Updated: 2012-10-10 14:33:40 UTC
by Kevin Shortt (Version: 1)
Greetings ISC Readers,
Today's "Standards" topic for Cyber Security Awareness Month will begin a Two Part Diary that ties in standardization and UNIX Privileged Accounts. Part One will get our conversation started and tie some things together. Part Two will lay out some technical options for consideration. I touched upon this in my 2011 October Diary on "Critcal Control 8 - Controlled Use of Administrative Privileges" . Both parts in whole will be an overall extension of the discussion last year as they overlap quite a bit.
The ISO has a working draft under development for a Framework for Identity Management (IdM) named ISO/IEC 24760. A sub-component of IdM is Privileged Identity Management which addresses accounts used to administer servers and manage critical services. Privileged accounts carry a different risk profile than ordinary user accounts.
It is still very common for organizations to accept these risks and continue operations with less accountability. This increased risk is created mainly by poor password management of the privileged accounts coupled with the poor accountability for its use. There are some products on the market that manage passwords for privileged accounts with varying OS support and degrees of accountibility . The difficulty of this task has varies greatly which can depend on an organizations budget and committment to provide this control. The use of tools to manage privileged account passwords is a growing expectation of auditors. The main objective of this effort is to limit routine need to have unfettered and unaccountable access.
Now, as a former UNIX admin, I have been part and parcel to many meetings and debates on "limiting root access". The notion implies tying the hands of the very good people that keep the servers operating. However, we are in a new era that affords different challenges and opportunities. Using the UNIX "sudo" utility bridges gaps between access, need and accountability. Ultimately, it lowers the risk profile of the business.
The sudo utility is currently free software  that operates on most flavors of UNIX. Sudo has been a staunch staple of the UNIX community since the early 1990's and is maintained by Todd C. Miller . Today it ships on many UNIX distributions as a means to control privileged user escalation. Some of the newer features in sudo help managing a "Standard Sudo" environment much easier than in versions past. The reality is that some organizations will not true up sudo versions on every server, especially the larger environments (> 100 servers, or even 10oo UNIX servers!, yes they exist!).
The basic idea is to create standard command sets that suit a given operating environment, then push them out with scp/rsync. Part Two of this diary will illustrate how to profile command sets by consistent format of the sudoers file. With standard command sets in place, the privileged account passwords can be protected further and only "checked out" when an event occurs that requires full command line access.
This at a basic level is a perfect model for smaller environments (< 25 servers), yet very challenging for larger environments with too many needs of the business to meet. When the newer INCLUDEDIR  feature arrived, it made medium size environments (< 100 sever s) easier to reach. Again, this only works great as long as all of your servers have a sudo version with the INCLUDEDIR option avai lable. Most UNIX Admin's already have rsync scripts to adapt a new process like this one in a very short time period. So, if the INCLUDEDIR feature is there, then standardizing the sudoers file should be a snap. Larger environments are an entirely different story, without INCLUDEDIR, the simple suggestion above will lie dead on this page. There is hope however! In Part Two, I will lay out some options for implementation of standardizing your sudoers file.
In the mean time, post a comment below to share what you're doing. If I can incorporate them in, then I will be sure to include it and credit you.
ISC Handler on Duty