I use PowerBroker a lot and I'm very fond of it. (I also use
PowerPassword -- another Symark product -- and I don't like it nearly as
much.)
PowerBroker is very capable. I can set it up so that certain users have
access to certain accounts on certain machines, but only on certain days
or only for certain commands. I can make it so that you operate as a
particular user, particular group, with a particular home directory,
certain startup files, etc., etc.
In addition, it does keystroke-by-keystroke logging so I can go back
after the fact and review a session and see what the user typed and what
they saw. Of course, that doesn't help much if all they do is launch a
gui session, but then neither will any of the other solutions.
The logging and management are done on (one or more) central server(s),
so you can make it so that the users can't modify the logs after the
fact to hide their activities.
I rate the product very highly, but I would say that for a small
environment I wouldn't bother with it -- I'd just use sudo -- unless I
required that degree of logging and protection of logs.
Oh, and sudo is free while PowerBroker is not.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of dubaisans dubai
Sent: Tuesday, September 19, 2006 2:01 AM
To: focus-sun@securityfocus.com
Subject: Re: root group in solaris : Tools
What is the suggestion on using a tool like Powerbroker from Symark.
The tool claims to centralise the "sudo" function and also provide
logging? Does anyone have feedback on this tool or any other third party
tool in the same space?
On 9/19/06, Suzanne Widup <Suzanne.Widup@safeway.com> wrote:
Have you looked at implementing sudo? It's a root delegation tool and
would give you some better accountability as to what people are doing.
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 5:50 AM
To: focus-sun@securityfocus.com
Subject: root group in solaris
Hi,
I would like to give root user privileges to a set of OS
administrators.
Everyone has individual user-ids on the system.
Currently they login with their personal ID and then SU to root. I
donot want to share root password with these many people.
I am thinking of adding all these users to the "root" group[GID 0].
Will it provide root-equivalent UID O access to these users. If not
why ? Does the "root" group not have root user-id equivalent
privileges?
Is it possible manually to make the GID 0 privileges equivalant of UID
O?
How else can I give these individual users root privileges - make all
of them UID 0 or something.? Is that a smart idea?
I am looking at something simpler than SUDO or RBAC
"MMS <safeway.com>" made the following annotations.
----------------------------------------------------------------------
--------
Warning:
All e-mail sent to this address will be received by the Safeway
corporate e-mail system, and is subject to archival and review by
someone other than the recipient. This e-mail may contain information
proprietary to Safeway and is intended only for the use of the intended
recipient(s). If the reader of this message is not the intended
recipient(s), you are notified that you have received this message in
error and that any review, dissemination, distribution or copying of
this message is strictly prohibited. If you have received this message
in error, please notify the sender immediately.
======================================================================
========
