On 2010 Nov 30, at 19:45, Tom Perrine wrote:

> Anyone using any of the PowerBroker products?
>
> I'm wondering if it would also be suitable for managing non-priv'ed
> accounts in an all-Linux environment…
We're just finishing migrating away from it back to sudo. Problems:

* Cost
* Encouraged a model contrary to most security requirements (direct access to shared accounts)
* Logged too much (would log passwords typed by the user being monitored, despite their assurances it wouldn't)
* Didn't log correctly (couldn't send to a loghost of my choosing that was my corporate log server)

In general, my analysis of it found it to be not a good choice for its stated purpose of maintaining a reliable audit record of who accessed selected application accounts or ran selected commands with elevated privilege.

Sudo did the job fine for us once we solved the problems of distributing sudo entries, validating authorization for sudo entries, and removing entries that had expired. (No, we didn't use LDAP.)

Could we have possibly made it work? Yes, but it wasn't worth the money investment, especially at the large scale, in terms of number of systems, we were looking at.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue."
Edward R Murrow (1964)

Mark McCullough
mmc...@earthink.net

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
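The reply above says sudo was workable once the distribution, validation and expiry of sudo entries were handled. The following Python script is an added example of the last two of those steps; it is not code from the original post, the list, or the sudo project. It assumes a convention of its own (not described in the post) in which each rule line in a sudoers.d fragment may end with a `# expires: YYYY-MM-DD` comment; expired or malformed entries are dropped (fail closed), and the rewritten fragment is then syntax-checked with `visudo -c -f` before anything is installed. The sample fragment is constructed for the example.

```python
"""Prune expired sudoers.d entries and validate the result with visudo.

Added example, not from the original mailing-list post. Assumed convention:
a rule line may carry a trailing '# expires: YYYY-MM-DD' comment.
"""
import datetime as dt
import os
import re
import shutil
import subprocess
import tempfile
from typing import List, Optional, Tuple

# Trailing expiry annotation; the date text is captured loosely so that a
# malformed value can be detected and treated as expired.
EXPIRES_RE = re.compile(r"#\s*expires:\s*(\S+)\s*$")

# Constructed sample fragment for the example (not real accounts).
SAMPLE_FRAGMENT = """# team dba, managed centrally
Cmnd_Alias DBCTL = /usr/sbin/service postgresql *
alice ALL=(root) DBCTL
bob ALL=(root) DBCTL  # expires: 2010-11-15
carol ALL=(postgres) NOPASSWD: /usr/bin/psql  # expires: 2011-06-30
dave ALL=(root) ALL  # expires: not-a-date
"""


def prune_expired(text: str, today: dt.date) -> Tuple[str, List[str]]:
    """Return (kept_text, removed_lines).

    Lines without an expiry tag are kept unchanged. A tag whose date is in
    the past, or that does not parse as YYYY-MM-DD, causes the line to be
    removed: an unreadable expiry must not grant indefinite access.
    """
    kept: List[str] = []
    removed: List[str] = []
    for line in text.splitlines():
        m = EXPIRES_RE.search(line)
        if m is None:
            kept.append(line)
            continue
        try:
            expires = dt.date.fromisoformat(m.group(1))
        except ValueError:
            removed.append(line)  # malformed date: fail closed
            continue
        if expires < today:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def validate_with_visudo(text: str) -> Optional[bool]:
    """Syntax-check a fragment with 'visudo -c -f' on a temporary copy.

    Returns True/False for pass/fail, or None when visudo is not installed
    so the caller can decide whether to refuse installation. Whether visudo
    also enforces owner/mode on a non-default file depends on the sudo
    version; the copy is set to 0440 to avoid a spurious mode complaint.
    """
    visudo = shutil.which("visudo")
    if visudo is None:
        return None
    fd, path = tempfile.mkstemp(suffix=".sudoers")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(path, 0o440)
        result = subprocess.run([visudo, "-c", "-f", path],
                                capture_output=True, text=True)
        return result.returncode == 0
    finally:
        os.unlink(path)


def main() -> None:
    today = dt.date(2010, 11, 30)  # date of the original thread
    kept, removed = prune_expired(SAMPLE_FRAGMENT, today)
    for line in removed:
        print("removed:", line)
    status = validate_with_visudo(kept)
    if status is None:
        print("visudo not available; not installing unvalidated fragment")
    elif status:
        print("fragment passes visudo -c; safe to distribute")
    else:
        print("fragment FAILS visudo -c; refusing to distribute")


if __name__ == "__main__":
    main()
```

In a real deployment the fragment would be written to a staging path, validated, and only then atomically renamed into /etc/sudoers.d with root ownership and mode 0440; the script above stops at the validation step so that it runs on any host.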