SUDO or NOT SUDO. In the PAM industry, both sides have many supporters, with arguments such as: "It's free, but it's not maintained". As usual, there is no right or wrong answer, but there is a right way and a wrong way to secure your systems.
What is the debate really about? The purpose of the SUDO command is to enforce a least-privilege policy on users while still granting them the appropriate rights, when needed, to run sensitive commands (rm -rf *).
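Whether the password is typed by the user or injected by a PAM solution, the rights that SUDO actually grants are defined by the sudoers policy, and that is where least privilege is kept or lost. The following is an added example, not WALLIX or sudo project code: a small auditor that parses sudoers user-specification lines and flags grants that are root-equivalent (`ALL` commands), password-less root-equivalent grants (`NOPASSWD: ALL`), and wildcard arguments that let the caller choose what the command operates on. The sample sudoers content is constructed for illustration; the parser covers the common `user host=(runas) [TAG:] command, ...` form and skips `Defaults` and alias lines.

```python
"""Audit sudoers user-specification lines for grants that break least privilege.

Added example (not WALLIX or sudo project code). SAMPLE_SUDOERS is constructed
for illustration and does not come from any real host.
"""
import re

# Constructed sample sudoers content.
SAMPLE_SUDOERS = """\
# broad grant: any command, as any user, without a password
deploy ALL=(ALL) NOPASSWD: ALL
# scoped grant: one service restart, password still required
%ops ALL=(root) /usr/bin/systemctl restart nginx
# wildcard argument lets the caller pick any path
backup ALL=(root) NOPASSWD: /usr/bin/tar -czf * /srv/data
# root-equivalent via ALL, but a password is required
alice ALL=(ALL:ALL) ALL
"""

# user  host = (runas)  commands      (runas part is optional)
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Tags that may prefix a command in the command list.
TAG = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
SKIP_KEYWORDS = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}


def parse_user_specs(text):
    """Return (user, host, runas, nopasswd, command) for every command granted."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Comments, blank lines, Defaults and alias definitions carry no grants.
        if not line or line.startswith("#") or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"   # sudoers default runas user
        nopasswd = False                     # tags persist across the list until changed
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while True:
                t = TAG.match(cmd)
                if not t:
                    break
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[t.end():].strip()
            entries.append((m.group("user"), m.group("host"), runas, nopasswd, cmd))
    return entries


def audit_sudoers(text):
    """Return (user, severity, reason) findings for grants wider than least privilege."""
    findings = []
    for user, _host, runas, nopasswd, cmd in parse_user_specs(text):
        if cmd == "ALL":
            # Any command as the runas user: root-equivalent in practice.
            sev = "critical" if nopasswd else "high"
            reason = "ALL commands granted as (%s)%s" % (
                runas, " without a password" if nopasswd else "")
            findings.append((user, sev, reason))
        elif "*" in cmd:
            # A wildcard in the arguments hands control of the target to the caller.
            findings.append((user, "medium", "wildcard in command arguments: " + cmd))
    return findings


if __name__ == "__main__":
    for user, sev, reason in audit_sudoers(SAMPLE_SUDOERS):
        print("%-8s %-8s %s" % (sev, user, reason))
```

Running it against the constructed sample reports `deploy` as critical, `alice` as high and `backup` as medium, while the scoped `%ops` grant passes. On a real host the same function can be fed the output of `sudo -l` post-processing or the contents of `/etc/sudoers` and `/etc/sudoers.d/*`, which is a reasonable first check before deciding how much of SUDO's "full strength" a privileged user really needs.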
In a Privileged Access Management (PAM) environment, the relevance of this command can appear limited: a well-configured system will have customized access rights that provide appropriate access to the target accounts. Yes, but ... a well-configured system does not authorize SSH root access, which undermines the idea of simply creating the appropriate profiles.
It is also possible to defend the legitimacy of SUDO with the password-vault argument: the credentials used for elevation are stored in the password vault so that no user can access them. Within a PAM environment, there are alternatives, such as deploying either a proprietary SUDO or a local agent that centralizes the SUDO files.
But instead of taking detours, why not go straight to the point and use the PAM solution at full strength?
SUDO for PAM
The WALLIX Bastion 6.0 offers direct injection of commands at the start of an SSH session, so that the Bastion administrator can fine-tune the SUDO commands available to privileged users while the credentials stay protected by the WALLIX vault. Instead of working around the problem, it is now possible to safely benefit from the full strength of the SU/SUDO commands and to create scripts that limit their scope of action very precisely ... with no impact on the target system.
Put simply, the WALLIX Bastion follows two steps to grant privileges to a primary user:
- Establish a non-privileged connection to the target, since SSH root access is forbidden.
- Inject the SUDO credentials automatically and transparently within the session, granting the primary user the appropriate rights while keeping him or her from ever knowing those credentials.