On Tue, 2006-09-19 at 11:30 +0530, dubaisans dubai wrote:
> What is the suggestion on using a tool like Powerbroker from Symark?
> The tool claims to centralise the "sudo" function and also provide
> logging. Does anyone have feedback on this tool or any other third
> party tool in the same space?
My company uses Powerbroker (http://www.symark.com/) as its primary means of access control in an environment with several thousand servers and many different groups with some degree of root access. It has two compelling advantages over sudo:

* Access control is centralized. You have at least two Powerbroker master servers (you can use more for load balancing); you can delete or add someone's access there and it takes effect instantly. You don't have to update several thousand local sudoers files, and you have one place to look to see who has access to what.

* It does keystroke logging. You can go onto a master and play back someone's session line by line or even keystroke by keystroke. This helps when something breaks and one needs to find out who broke it.

It also has some disadvantages:

* Cost. It's not free, you have to have a support team for it, and you need master servers to run it on. And the servers have to have enough space for the keystroke logs.

* You need a stable network and stable master servers. It does have local failover, which works well but not perfectly.

* If someone forgets to update the licenses, you can lose all your access at once. This isn't the product's fault, but you need to have the right management processes in place.

We use it with sudo as a fallback mechanism; sudo is used only when Powerbroker isn't working (which is almost always either during a build before the machine is registered with a master or when we're upgrading Powerbroker); the sudo logs are monitored centrally and each use has to be justified. Powerbroker is also used for access to application IDs like DBA accounts, not just root.

In our environment, with many different groups, stringent regulatory requirements, and the resources to make it work, it's worked well. If you don't have all these things sudo might suit your needs better.

Ted Rodriguez-Bell
Wells Fargo Services

This is not an official opinion of Wells Fargo or any part thereof.
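The reply above describes monitoring the fallback sudo logs centrally and requiring a justification for each use. The following is an added example of what that review step can look like in code; it is not from the original post, nor Symark or sudo project code. It assumes the standard one-line syslog record sudo writes per invocation ("user : [refusal text ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."), and a hypothetical convention of keeping a table that maps an approved (user, command) pair to a change ticket. The log lines, hosts, users and ticket numbers are constructed for the example.

```python
"""Triage sudo syslog records for central review.

Added example for this thread, not Powerbroker or sudo project code.
The sample lines in LOG are constructed; hosts, users and ticket ids are
made up. The record layout is the one sudo itself writes to syslog.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Syslog prefix, optional pid, then sudo's record: "<user> : <rest>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str                     # invoking account
    reason: Optional[str]         # None on success, sudo's refusal text otherwise
    fields: dict = field(default_factory=dict)   # TTY, PWD, USER, COMMAND


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo record, None for any other syslog line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # COMMAND is always last and may itself contain " ; ", so split it off first
    head, sep, command = m.group("rest").partition("COMMAND=")
    reason = None
    fields = {}
    for part in (p.strip() for p in head.split(" ; ")):
        if not part:
            continue
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            fields[key] = value
        else:
            reason = part        # free text such as "user NOT in sudoers"
    if sep:
        fields["COMMAND"] = command
    return SudoEvent(m.group("ts"), m.group("host"), m.group("user"), reason, fields)


def triage(log_text: str, justified: dict) -> list:
    """Classify every sudo record in log_text.

    justified maps (invoking user, exact command) to the ticket approving it;
    that mapping is an assumed local convention, not a sudo feature.
    Returns (status, host, user, target_user, command, note) tuples.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue                       # sshd, cron, ... are not our concern here
        cmd = ev.fields.get("COMMAND", "")
        if ev.reason:
            status, note = "REFUSED", ev.reason
        elif (ev.user, cmd) in justified:
            status, note = "OK", justified[(ev.user, cmd)]
        else:
            status, note = "UNJUSTIFIED", "no ticket on file"
        findings.append((status, ev.host, ev.user, ev.fields.get("USER", "?"), cmd, note))
    return findings


# Constructed sample: three sudo records, one unrelated sshd line, one lockout.
LOG = """\
Sep 19 11:42:07 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Sep 19 11:43:11 db01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Sep 19 11:45:30 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=oracle ; COMMAND=/bin/bash
Sep 19 11:46:02 db01 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Sep 19 11:47:55 web07 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# Hypothetical approvals table: (user, command) -> change ticket.
JUSTIFIED = {("alice", "/sbin/service httpd restart"): "CHG-1234"}

if __name__ == "__main__":
    for status, host, user, target, cmd, note in triage(LOG, JUSTIFIED):
        print(f"{status:12} {host:6} {user:>6} -> {target:7} {cmd!r}  [{note}]")
```

Running it flags carol's interactive shell as the DBA account as UNJUSTIFIED, reports bob's refused attempt and alice's lockout as REFUSED, and passes alice's ticketed restart. Matching on the exact command string is deliberate: a justification for `/sbin/service httpd restart` should not cover `/bin/bash`.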
