FINAL WORD

consuming to manage as environments grow. With sudo, you have to rely on local systems on the server to keep logs, rotate them, send them to an archival environment and ensure that no one is tampering with any of the other related subsystems. This can be a complex and time-consuming process.

Another concern with sudo is that the change management processes can't be verified. Best practices call for review of change records and validation that what was performed during the change matches the im

All of these deficiencies – lack of log integrity, lack of session monitoring, no change management – introduce risk when organisations must prove compliance or investigate anomalies.

Forensics and audit risks

Administrative costs aside, arguably a far greater risk is that of not being able to produce log data for forensic investigations. There is currently no keystroke logging within sudo and, since any logs of sudo activity are stored locally on servers, they can be tampered with by savvy administrators. It also lacks log integrity – there is no chain of custody on logs – meaning non-repudiation cannot be established and the logs therefore can't be used in legal proceedings in most jurisdictions. This is a significant risk to organisations, especially in criminal prosecution, termination or other disciplinary actions.

Business continuity risks

Lack of enterprise support

Another risk associated with being open source is that there is no official service level for

By virtue of being open source, there is no indemnification if there is a critical error. Also, there is no rollback with sudo, so there is always the chance that mistakes will bring an entire system down with no one to call for support. Sure, it is possible to centralise sudo through a third-party tool such as Puppet or CFEngine, but you still end up managing multiple files across multiple groups of systems manually (or managed as one huge policy). With this approach, there is greater risk that mistakes will break every system at once.

Benefits of using a commercial solution

Although they come at a higher cost than free open source solutions, commercial solutions provide an effective way to mitigate the general issues related to sudo. Commercial solutions usually have a regular release cycle and can typically deliver patches in response to vulnerabilities in hours or days from the time the vulnerability is reported.

These solutions provide event logging on separate infrastructure that is inaccessible to privileged users, which eliminates the possibility of log tampering. They also provide strong, centralised policy controls that are managed within an infrastructure separate from the systems under management; this eliminates the possibility of rogue changes to privileged access policies in server environments.

Strong policy control also moves the security posture from 'respond' to 'prevent', and advanced features provide the ability to integrate with other enterprise tools and conditionally alert when privileged access sessions begin or end.

Session logs are one of the best forensic tools available for investigating what happened on servers. It's human nature that people tend to be more cautious when they know they can be watched.

Conclusion

For organisations that are serious about incorporating strong privileged access management into their security program, there is no question that a commercial product is better suited than an open source offering such as sudo. Eliminating the possibility of malicious behaviour using strong controls, centralised log file collection and centralised policy management is far better than relying on questionable, difficult-to-manage controls delivered within sudo.

INTELLIGENTCIO
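As an added illustration of the forensic points made about sudo in this article (this is example code written for this page, not code from the article or from any product it mentions), the script below parses the records sudo writes through syslog, flags rejected invocations and allowed invocations that open an interactive shell (where the syslog record shows only the command, not what was typed afterwards), tallies allowed and rejected use per user, and hash-chains the records so that a copy shipped to an archival environment can later be checked for an edited, removed or missing record. The log lines are constructed samples and the hash-chain layout is this example's own convention for an off-host archive, not a sudo feature.

```python
"""Parse sudo syslog records and check an archived copy for tampering.

Added example for this article, not code from the article or from any product
it describes. Sample log lines are constructed; the hash chain (one SHA-256 per
record, each covering the previous digest) is this example's own convention.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the format sudo writes through syslog.
SAMPLE_LOG = """\
Jun 12 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jun 12 10:16:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 12 10:17:05 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Jun 12 10:20:13 web01 sudo:  mallory : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/su -
Jun 12 10:21:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/syslog
"""

# Allowed records carry TTY/PWD/USER/COMMAND directly; rejected ones put the
# reason ("command not allowed", "3 incorrect password attempts", ...) first.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs that hand the caller an interactive shell: the syslog record then
# shows only this command, not the keystrokes that follow.
INTERACTIVE = {"bash", "sh", "dash", "zsh", "ksh", "su"}


@dataclass
class SudoEvent:
    timestamp: str
    host: str
    user: str
    reason: Optional[str]  # None when sudo allowed the command
    tty: str
    pwd: str
    target: str
    command: str

    @property
    def rejected(self) -> bool:
        return self.reason is not None

    @property
    def interactive(self) -> bool:
        parts = self.command.split()
        return bool(parts) and parts[0].rsplit("/", 1)[-1] in INTERACTIVE


def parse_sudo_log(text: str) -> List[SudoEvent]:
    """Turn syslog text into SudoEvent records; lines not from sudo are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(SudoEvent(m["ts"], m["host"], m["user"], m["reason"],
                                    m["tty"], m["pwd"], m["target"], m["cmd"]))
    return events


def review(events: List[SudoEvent]) -> List[str]:
    """Findings an investigator would want to look at first."""
    findings = []
    for e in events:
        if e.rejected:
            findings.append(f"{e.timestamp} {e.host}: {e.user} rejected ({e.reason}) "
                            f"for COMMAND={e.command}")
        elif e.interactive:
            findings.append(f"{e.timestamp} {e.host}: {e.user} opened an interactive shell "
                            f"as {e.target} via {e.command}; what was typed is not in this log")
    return findings


def summarise(events: List[SudoEvent]) -> Dict[str, Dict[str, int]]:
    """Allowed/rejected counts per invoking user."""
    totals: Dict[str, Dict[str, int]] = {}
    for e in events:
        bucket = totals.setdefault(e.user, {"allowed": 0, "rejected": 0})
        bucket["rejected" if e.rejected else "allowed"] += 1
    return totals


GENESIS = "0" * 64  # chain anchor recorded with the first shipment to the archive


def chain_digests(lines: List[str], previous: str = GENESIS) -> List[str]:
    """One digest per record, each covering the previous digest as well."""
    digests = []
    for line in lines:
        previous = hashlib.sha256(f"{previous}\n{line}".encode()).hexdigest()
        digests.append(previous)
    return digests


def verify_chain(lines: List[str], digests: List[str], previous: str = GENESIS) -> Optional[int]:
    """Index of the first record that was edited, removed or lost; None if intact."""
    for i, (line, digest) in enumerate(zip(lines, digests)):
        previous = hashlib.sha256(f"{previous}\n{line}".encode()).hexdigest()
        if previous != digest:
            return i
    if len(lines) != len(digests):
        return min(len(lines), len(digests))
    return None


if __name__ == "__main__":
    evts = parse_sudo_log(SAMPLE_LOG)
    for finding in review(evts):
        print(finding)
    print(summarise(evts))
    archive = SAMPLE_LOG.splitlines()
    digests = chain_digests(archive)
    archive[1] = archive[1].replace("/bin/bash", "/bin/ls")  # simulated edit
    print("first tampered record:", verify_chain(archive, digests))
```

The digests only help if they are computed and stored somewhere the server's administrators cannot reach; kept on the same host they can be regenerated after an edit, which is the local-log problem the article describes. The chain also says nothing about records that were never written, so the per-user summary is best read alongside session records from the separate logging infrastructure the article recommends.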