The Lockdown

Thycotic’s Cyber Security Blog

Every system is a privileged system: Incorporating Unix/Linux in your privilege management strategy


Written by Paul Harper

November 24th, 2020

Lately we’ve been banging the drum that “every user is a privileged user,” meaning privileged users aren’t limited to system administrators but also include business users with access to applications and endpoints linked to critical business data and functions.

The second verse to that refrain is that “every system is a privileged system.” Within your IT environment, laptops, servers, databases, and cloud platforms all must be incorporated into your privilege management strategy. All types of systems—Windows, Mac, and Unix/Linux—need privilege security controls.

You need the ability to demonstrate granular control to company leadership and auditors

Across your entire organization, you need granular control over who can do what, where they are doing it, and when they can do it. Additionally, you need the ability to demonstrate that granular control to company leadership and auditors with consolidated, easily understood reports.

Unix and Linux are too often left out of modern PAM programs

Unix and Linux systems represent some of the most vulnerable holes in your attack surface. They run mission-critical applications, such as web servers, database servers, and application servers, and they underpin network hardware and mainframes. If cyber criminals gain access to powerful Unix/Linux root accounts, they can use superuser privileges to wreak havoc.

Despite their importance, Unix/Linux local and privileged accounts often don’t get sufficient oversight in a centralized PAM strategy.

True, the Unix/Linux user base is typically more technically savvy and has a better understanding of security than your typical user. In some ways, Unix/Linux actually led the move toward PAM decades ago. The problem is, not much has changed in those decades. Unix/Linux administrators still rely heavily on their own privilege management methods, such as sudo controls, and they still use sudo much as it was when it was first introduced.

No matter how savvy the user, Unix/Linux privileged accounts are time-consuming and tedious to manage, so they often don’t get sufficient oversight. In addition, when it comes time for an audit, it’s extremely difficult to piece together all of the privileged account activities and security controls. You might have one report for Windows and Mac and a separate one or many for Unix/Linux. You can’t get a consolidated view of risk to use for decision-making or show progress to your auditors.

Support Unix/Linux environments within the same enterprise-level PAM solution available to manage Windows and Mac systems

Thycotic Privilege Manager, our endpoint privilege management and application control solution, gives you the ability to implement and enforce least privilege policies that don’t block productivity. Privilege Manager currently supports management of Windows and Mac endpoints and servers and will soon support Unix/Linux as well. Even after removing local administrative rights, users can continue to access and execute the commands and applications they need to do their jobs.

With policy-based controls, you can create allow lists and deny lists to either accept or block the running of known applications and actions. You can also set up workflows to review exceptions that fall outside your policies, and then choose to elevate them if approved, run them in a limited capacity, or block them.

You might end up using wildcards, leaving you overly exposed to risk

In a Unix/Linux environment, it’s virtually impossible to create an allow list of everything a user should be able to do, because command-line controls can be expressed in so many different ways. You might end up using wildcards when creating controls, which can’t account for every scenario and often leaves you overly exposed to risk.
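As an added illustration of the wildcard problem (example code, not Thycotic's or Privilege Manager's), here is a small POSIX shell audit that flags sudoers command specifications relying on `*`, `?` or `ALL`. The sudoers lines it reads are constructed for the demonstration; point the same function at a real file with `risky_rule_count < /etc/sudoers` to review your own controls.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits sudoers-style rules
# and reports those whose command spec uses a wildcard or grants ALL.

# Constructed sample rules (not a real sudoers file).
SAMPLE_RULES='# constructed sample, not a real sudoers file
root    ALL=(ALL:ALL) ALL
%ops    ALL=(root) /usr/bin/systemctl restart nginx
%ops    ALL=(root) /usr/bin/systemctl *
deploy  ALL=(root) NOPASSWD: /usr/bin/cat /var/log/*
%dba    ALL=(postgres) /usr/bin/psql -c "VACUUM"
alice   ALL=(ALL) NOPASSWD: ALL'

# risky_rule_count: reads rules on stdin, writes each risky rule to stderr,
# and prints the number of risky rules to stdout.
risky_rule_count() {
    count=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;                # skip blanks and comments
        esac
        cmdspec=${line#*=}                     # everything after user/host=
        cmdspec=${cmdspec#(*)}                 # drop optional (runas) part
        cmdspec=$(printf '%s' "$cmdspec" | sed 's/[A-Z]*://g')  # drop tags like NOPASSWD:
        case "$cmdspec" in
            *\**|*\?*|*ALL*)                   # wildcard or unrestricted command
                printf 'RISKY: %s\n' "$line" >&2
                count=$((count + 1)) ;;
        esac
    done
    printf '%s\n' "$count"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | risky_rule_count
```

Four of the six sample rules are flagged: the two unrestricted `ALL` grants and the two `*` patterns; the exact `systemctl restart nginx` and `psql -c "VACUUM"` rules pass.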

As much as you might want to control what Unix/Linux users do, you can truly only control the list of activities you don’t want them to do. Therefore, privilege management for Unix/Linux is designed to help you block the most common activities that increase your business risk.

With a deny policy for Windows, for example, you could prevent new users from being added to the domain admin group, which would block potential backdoor accounts. In a Unix/Linux case, you could also prevent users from resetting passwords and changing SSH keys. In fact, anything that would significantly impact your business—rebooting and shutting down servers and/or applications, dropping database tables, stopping web services—can be specified in a deny list.

Once the common scenarios are blocked, session monitoring and auditing increase your oversight. Think of this security strategy as setting up cameras to watch user behavior because you can’t block all the doors.

When you incorporate all IT systems in your environment under the same privilege management umbrella policies, you can get a more manageable picture of your organization’s security risk. It’s easier to set policies, create audit reports, and feel confident that they are comprehensive and accurate without piecing together a system-by-system view.
