Re: root group in solaris : Tools



On Tue, 2006-09-19 at 11:30 +0530, dubaisans dubai wrote:
What is the suggestion on using a tool like Powerbroker from Symark.
The tool claims to centralise the "sudo" function and also provide
logging? Does anyone have feedback on this tool or any other third
party tool in the same space?


My company uses Powerbroker (http://www.symark.com/) as its primary
means of access control in an environment with several thousand servers
and many different groups with some degree of root access. It has two
compelling advantages over sudo:
* Access control is centralized. You have at least two Powerbroker
master servers (you can use more for load balancing); you can delete or
add someone's access there and it takes effect instantly. You don't
have to update several thousand local sudoers files, and you have one
place to look to see who has access to what.
* It does keystroke logging. You can go onto a master and play back
someone's session line by line or even keystroke by keystroke. This
helps when something breaks and one needs to find out who broke it.

It also has some disadvantages:
* Cost. It's not free, you have to have a support team for it, and
you need master servers to run it on. And the servers have to have
enough space for the keystroke logs.
* You need a stable network and stable master servers. It does have
local failover, which works well but not perfectly.
* If someone forgets to update the licenses, you can lose all your
access at once. This isn't the product's fault, but you need to have
the right management processes in place.

We use it with sudo as a fallback mechanism; sudo is used only when
Powerbroker isn't working (which is almost always either during a build
before the machine is registered with a master or when we're upgrading
Powerbroker); the sudo logs are monitored centrally and each use has to
be justified. Powerbroker is also used for access to application IDs
like DBA accounts, not just root.

In our environment, with many different groups, stringent regulatory
requirements, and the resources to make it work, it's worked well. If
you don't have all these things sudo might suit your needs better.

Ted Rodriguez-Bell
Wells Fargo Services

This is not an official opinion of Wells Fargo or any part thereof.
--
Company policy requires: This message may contain confidential and/or
privileged information. If you are not the addressee or authorized to
receive this for the addressee, you must not use, copy, disclose, or
take any action based on this message or any information herein. If you
have received this message in error, please advise the sender
immediately by reply e-mail and delete this message. Thank you for your
cooperation.



Relevant Pages