PowerBroker has nothing to do with Windows; you must be thinking of one of their other products, or the Quest Privilege Manager product, which was forked from the same codebase 10-15 years ago and is now AD 'integrated'.
It's pricey, but it is very nice in many ways:

- If you want, you can keep a keystroke log of everything that is typed or viewed in a session (this will include passwords, so limit who has access to these logs).
- It allows for a command line to be run on one machine that will execute commands on different machines.
- Its configuration language is very complete; it can look up things in many different types of places (including LDAP and therefore AD).
- It can make sure that your environment variables are scrubbed (or retained, or set, as needed).
- It works on just about any flavor of *nix (including all the cross-machine capabilities).
- Its logs are _very_ complete. It logs the entire user environment where the command was run, as well as the environment used to run the privileged command.
- You can tailor/limit/automate commands, i.e. 'pbrun doit x y z' could check the values of x y z and create an arbitrary command line out of anything that it can know about or look up somewhere.
- It has a limited 'forbidden keystrokes' function that you can use to terminate a session if someone tries to do something. This can be defeated, but can be a good guard against accidents (for example, if you forbid 'rm -rf /' but they type 'rmm<bs> -rf /' it won't be caught).

Downsides:

- Price (this is a big one; list price is >$1k/machine).
- Complexity (all its capabilities come at the cost of having to configure things).
- Up until at least the most recent versions, all logging is in its own format (I think the most recent version or two gained the ability to do some logging to syslog natively; prior to that you would have to insert calls to logger in the config file).
- Its logs are very large (several KB of logs for each command run, even without keystroke logging).

It is very definitely not for all environments, but there are times when you really do need to give people access to shared accounts (your DBAs need access to the Oracle account, for example) but want to keep track of everything that's done.
It takes discipline to make good use of. If your admins set their .profile to execute 'pbrun root' and get a shell as root every time they log in, your keystroke logs will be so large and cover so much time that finding anything in them is hunting for a needle in a haystack. If you can have your admins do most of their work as themselves, then do 'pbrun root' only when they have to and exit back to themselves immediately afterwards, your keystroke logs are short, and you only have a few that cover any point in time, so figuring out what happened when something goes wrong is fairly fast.

If sudo will do the job you need, PowerBroker is overkill and a waste of your money; however, the ability to do all this other stuff, and control it from a central point (instead of the sudo configuration across all your systems), can make it very nice in high-sensitivity environments.

David Lang

On Tue, 30 Nov 2010, Michael C Tiernan wrote:

> ----- Original Message -----
>> From: "Tom Perrine" <[email protected]>
>> To: "LOPSA Technical Discussions" <[email protected]>
>> Sent: Tuesday, November 30, 2010 8:45:27 PM
>> Subject: [lopsa-tech] BeyondTrust's PowerBroker?
>> Anyone using any of the PowerBroker products?
>>
>> I'm wondering if it would also be suitable for managing non-priv'ed
>> accounts in an all-Linux environment...
>
> If it's the one I think, in one of my previous lives, the guy who's a
> salesman for them tried to convince me that their product is rock solid,
> unbreakable, and 100% guaranteed to be as secure as anything I could imagine.
>
> When I asked "What's it run on?" and he told me, proudly, {Microsoft}-Windows,
> I laughed; he didn't understand why I doubted him.
>
> If we set aside my prejudices about MS-Windows, any sales droid that tries to
> convince me that anything is 100% solid and safe is not educated enough to be
> making those claims.
>
> Right there and then I didn't trust him for squat.
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
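The 'forbidden keystrokes' evasion David describes above ('rmm<bs> -rf /'), worked through as an added example. This is illustrative Python written for this page, not PowerBroker's code or configuration; the forbidden-pattern list, the control-character handling (DEL/^H for Backspace, ^U kill-line, ^W kill-word, as a POSIX tty line discipline would do it) and the keystroke samples are all constructed assumptions:

```python
"""Why a forbidden-keystroke filter over the raw typed stream misses
'rmm<bs> -rf /', and what reconstructing the edited line does and does not fix.

Added example for this thread; not PowerBroker code. Rules and samples are
constructed for illustration.
"""
import re

DEL = "\x7f"    # what most terminals send for Backspace
CTRL_H = "\x08"  # the other common Backspace encoding
CTRL_U = "\x15"  # tty 'kill' character: erase the whole line
CTRL_W = "\x17"  # tty 'werase' character: erase the previous word

# Hypothetical forbidden command: 'rm -rf /' as its own argument
FORBIDDEN = [re.compile(r"\brm\s+-rf\s+/(?=\s|$)")]


def reconstruct_line(stream: str) -> str:
    """Replay the keystrokes through a minimal line editor so the filter
    sees the text the shell will actually receive, not the raw keys."""
    buf: list[str] = []
    for ch in stream:
        if ch in (DEL, CTRL_H):
            if buf:
                buf.pop()
        elif ch == CTRL_U:
            buf.clear()
        elif ch == CTRL_W:
            while buf and buf[-1] == " ":   # skip trailing spaces
                buf.pop()
            while buf and buf[-1] != " ":   # drop the word itself
                buf.pop()
        else:
            buf.append(ch)
    return "".join(buf)


def raw_keystroke_match(stream: str) -> bool:
    """Naive filter: pattern-match the keystrokes exactly as typed."""
    return any(p.search(stream) for p in FORBIDDEN)


def edited_line_match(stream: str) -> bool:
    """Better filter: pattern-match the line after editing keys are applied."""
    return any(p.search(reconstruct_line(stream)) for p in FORBIDDEN)


# Constructed keystroke samples (each ends with Enter)
SAMPLES = {
    "typed straight":      "rm -rf /\n",
    "backspace trick":     "rmm" + DEL + " -rf /\n",
    "split flags":         "rm -r -f /\n",
    "via shell variable":  "x=/; rm -rf $x\n",
}


def evaluate_samples() -> dict[str, tuple[bool, bool]]:
    """Return {label: (caught_by_raw_filter, caught_by_edited_line_filter)}."""
    return {k: (raw_keystroke_match(v), edited_line_match(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (raw, edited) in evaluate_samples().items():
        print(f"{label:20} raw={raw!s:5} edited-line={edited!s:5}")
```

The first two samples show the hole David points at: the raw filter only sees 'rmm' followed by a delete byte and never matches, while replaying the edit catches it. The last two samples show why that only moves the goalposts: 'rm -r -f /' and a path passed through a shell variable slip past both filters, so "a good guard against accidents, but it can be defeated" is exactly the right way to rate a keystroke filter. Limiting what pbrun will run in the first place is the control; the filter is a seatbelt.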
