Wednesday, March 02, 2011

Sudo 1.8 Brings Pluggable Policies to Root Access Control

This is the title of an article by Joe Brockmeier that just appeared in ServerWatch. Joe “gets” what Todd Miller is trying to achieve with the 1.8 version of sudo:
We're all familiar with the venerable utility Sudo, but its feature set hasn't kept up with what many companies want for root access control. Specifically, Sudo has lacked support for policy plugins and advanced logging features. There have been a number of proprietary tools that either replace or enhance Sudo for root access control (RAC). But who wants to have to buy an add-on if you can get the features you need as part of the native toolset that comes with your *nix?
There are many, many, many companies that leverage sudo in their day-to-day operations. Most of these companies – certainly the ones that have more than 10 or 20 *nix servers to maintain – struggle with consistent management of their sudo policy files and how to do effective logging. That’s exactly why Todd has implemented “pluggability” in sudo 1.8. I can’t help but agree with Joe with respect to one of his other observations:
Previously, those features (policy management and session logging) were the domain of proprietary RAC (root access control) tools. And Sudo 1.8 doesn't mean that companies have no opportunity to offer services on top of Sudo, but it does mean that they don't need to replace it entirely -- and shops have the option of writing their own plugin or using open source plugins. During his talk, Miller said several open source plugins are in development. No doubt quite a few open source plugins will be contributed that fit the needs of many companies, and if not you could turn to vendors like Quest, which offer add-ons for Active Directory and other proprietary features.
Joe plans on writing more about how to take advantage of these plugins. I’m looking forward to it!
