Database Reference
In-Depth Information
EM 12.1.0.3.0 has integrated PowerBroker functionality. What this means is that an individual, personally identifiable user (e.g., "Jdoe") can be mapped to a subset of "root" privileges by PowerBroker on the target OS managed by EM. This is very cool, because PowerBroker already has a mature set of powerful features for managing privileged access. Let's have a look at the basics.
PowerBroker consists mainly of a secure replacement for sudo. Sudo is great, but when calling a command like vi or less it is possible for that program to subsequently spawn a new shell as root that does not have sudo's controls upon it. Sudo has the NOEXEC option, but this does not work for all platforms and applications. PowerBroker has sudo-like functionality along with a secure version of bash and kshell and a secure IOLogger (keylogger). PowerBroker also supports sending its logs to the standard *nix syslog facility. These logs can then be integrated with our other audit trails through a log aggregator like ScienceLogic or Splunk.
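The shell-escape problem described above is easy to audit for on the sudo side. The following is an added example, not code from the book or from PowerBroker: a POSIX sh function that reads a sudoers file and flags rules granting editors or pagers (the vi and less cases the text mentions) without the NOEXEC tag. The list of shell-escape capable programs and the sample sudoers content are constructed for the demonstration; a real audit would read /etc/sudoers and /etc/sudoers.d/ and use a list tuned to the site.

```shell
#!/bin/sh
# Added example (not from the book): report sudoers rules that grant a
# shell-escape capable program without NOEXEC.

# Programs that can launch a child shell from inside the program. The page
# names vi and less; the rest of this list is a constructed sample.
SHELL_ESCAPE_CMDS="vi vim less more man"

# audit_sudoers FILE
# Prints one line per offending rule: "<user> may escape ... via <cmd>".
# Per sudoers(5), a tag such as NOEXEC: applies to the command it precedes
# and to all later commands in the same rule until overridden by EXEC:.
audit_sudoers() {
    awk -v cmds="$SHELL_ESCAPE_CMDS" '
    BEGIN { n = split(cmds, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    {
        sub(/#.*/, "")                                   # drop comments
        if ($0 ~ /^[ \t]*$/) next                        # skip blank lines
        if ($0 ~ /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/) next
        eq = index($0, "=")
        if (eq == 0) next                                # not a user specification
        who = substr($0, 1, eq - 1)
        sub(/^[ \t]+/, "", who); sub(/[ \t]+.*/, "", who)  # user or %group
        spec = substr($0, eq + 1)
        noexec = 0
        m = split(spec, parts, ",")
        for (i = 1; i <= m; i++) {
            p = parts[i]
            gsub(/\([^)]*\)/, "", p)                     # drop "(runas)" part
            if (p ~ /NOEXEC:/) noexec = 1                # tag persists to later cmds
            if (p ~ /EXEC:/ && p !~ /NOEXEC:/) noexec = 0
            sub(/.*:/, "", p)                            # drop remaining TAG: prefixes
            gsub(/^[ \t]+|[ \t]+$/, "", p)
            cmd = p; sub(/[ \t].*/, "", cmd); sub(/.*\//, "", cmd)   # basename
            if ((cmd in risky) && !noexec)
                printf "%s may escape to a root shell via %s (no NOEXEC)\n", who, cmd
        }
    }' "$1"
}

# Constructed sample sudoers for the demo (not a real configuration).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
Defaults    env_reset
User_Alias  DBAS = jdoe, asmith
jdoe   ALL=(root) /usr/bin/vi /etc/hosts
asmith ALL=(root) NOEXEC: /usr/bin/less /var/log/messages
%dba   ALL=(root) /usr/bin/less, /usr/bin/systemctl status
oracle ALL=(root) NOEXEC: /usr/bin/vi, /usr/bin/less
EOF

# Usage: prints the jdoe and %dba rules; asmith and oracle are covered by NOEXEC.
audit_sudoers "$SAMPLE"
```

The function deliberately treats NOEXEC as sticky across the comma-separated command list, which is how sudo applies tags; a naive per-command check would wrongly flag the second command in the oracle rule. Even with NOEXEC in place, the text's caveat stands: NOEXEC relies on library preloading and does not work on every platform or for statically linked programs, which is the gap PowerBroker's secure shells are meant to close.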
PowerBroker commands are run in the same way as sudo, just replacing "sudo -u root" with pbrun:
[oracle@orlin ~]$ sudo -u root cat /etc/shadow (pbrun cat /etc/shadow)
[sudo] password for oracle:
root:$6$Pp/o5MEX$jD8HCZxjeKPGJKWV/zBedphihPyTEY0.9oJ8xiZqm7UL/6EsDqKC3VpastgfwvjsDMVYC9Fs1axuQWDvZx3S6/:16080:0:99999:7:::
bin:*:15064:0:99999:7:::
daemon:*:15064:0:99999:7:::
The cloudcontrol.conf used by PowerBroker on the OS from EM12c is shown in Figure 19-4.
Figure 19-4. PowerBroker's cloudcontrol.conf file for EM12c OS users