Streamline administration of your growing Linux fleet

Alex Marsh
I recently spoke with a large telecom company with hundreds of thousands of Linux servers, expanding at a rate of 20% each year.
Their sudo file spanned thousands of lines, tangled in a web of homespun scripts. Privilege creep had set in. Complex permissioning, fear of breaking something, and manually syncing files across thousands of servers had become a burden. They did the math and knew something had to change.
This company is not alone. Linux has become the primary server infrastructure for many enterprise use cases. According to recent figures from SQ Magazine, the share of large enterprises adopting Linux as their core operating system grew by 9.8% YoY, reaching 61.4% penetration.
Cloud-native developers in particular prefer Linux-based environments for building and deploying apps, and most DevOps teams use Linux as their primary platform.
When you have a large Linux server fleet, things can get out of control quickly. You need an army of specialized Linux experts—architects, administrators, operational folks—and that gets expensive. The day-to-day life of Linux management is a tedious slog of managing sudoers files, wrangling local accounts, and correcting errors.
Large enterprises with legacy tools and manual processes can easily have a mess on their hands, with thousands of users holding excess access that violates compliance rules and increases cyber risk. As your Linux fleet grows, manual administration simply won't scale.
Keep up with your growing Linux fleet through automation, while also making your servers more secure.
Pain of managing local accounts
Managing local user accounts on Linux systems is a major pain point for administrators. Without a centralized source of truth like Active Directory, local accounts can easily become overprivileged, forgotten, or left behind as users change roles or leave the organization, creating security risks.
Linux administrators are used to working independently from the rest of the organization and typically rely on local accounts managed directly on each Linux system to allow users to log in, access files, and run programs. These local accounts are distinct from accounts managed by external services like NIS, LDAP, or Active Directory.
- Root users are superusers with unrestricted access to the system.
- Standard users have limited access and permissions, typically created by the root user or an administrator.
- System users are created by the OS or by package installers to run services and daemons; they normally have no interactive login shell.
Managing these local users requires Linux administrators to manually set up all properties and permissions, increasing the risk of misconfiguration and privilege creep. What if you could eliminate the need for local accounts altogether?
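Before you can retire local accounts you need to know what is on each host. As an added example (not from the article and not a Delinea tool), the Python script below parses /etc/passwd, sorts each entry into the three kinds described above, and flags the patterns that usually signal privilege creep: a second UID 0 account, a system account that has been given an interactive shell, and local interactive users that should live in the central directory instead. The UID split (system accounts below 1000, standard users from 1000 up) is the common login.defs default and is an assumption; the sample passwd content is constructed.

```python
"""Audit local accounts on a Linux host from /etc/passwd (added example)."""
from dataclasses import dataclass
from typing import List

UID_MIN = 1000  # assumed login.defs UID_MIN; adjust for your distribution
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false", ""}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def kind(self) -> str:
        """Classify as the article does: root, system, or standard."""
        if self.uid == 0:
            return "root"
        if self.uid < UID_MIN:
            return "system"
        return "standard"

    @property
    def interactive(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> List[Account]:
    """Parse passwd(5) lines: name:password:UID:GID:GECOS:home:shell."""
    accounts: List[Account] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts


def audit(text: str) -> List[str]:
    """Return one finding per account that deserves a second look."""
    findings: List[str] = []
    for a in parse_passwd(text):
        if a.uid == 0 and a.name != "root":
            findings.append(f"{a.name}: UID 0 alias of root (hidden superuser)")
        if a.kind == "system" and a.interactive:
            findings.append(f"{a.name}: system account with interactive shell {a.shell}")
        if a.kind == "standard" and a.interactive:
            findings.append(f"{a.name}: local interactive user; migrate to the central directory")
    return findings


# Constructed sample, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
toor:x:0:0:legacy admin:/root:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```

On a real host run `audit(open("/etc/passwd").read())`; across a fleet, collect the files centrally and diff the findings over time, since an account that appears on one server only is exactly the kind of silo the rest of this article is about.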
Likelihood of sudo permission misconfigurations
In the Linux world, if you want to run a command with elevated privilege, you use sudo. The sudoers policy file on each server (/etc/sudoers, usually with drop-in files under /etc/sudoers.d) defines which users may run which commands, as which target user, and with which options, such as whether a password is required. Whenever a user joins the organization, changes roles, or leaves, someone has to edit that text file on every server in the fleet.
As you can imagine, sudoers misconfigurations cause both outages and excess privilege. A single syntax error makes sudo refuse to run at all, which is why edits should go through visudo (or at least be checked with visudo -c) rather than a bare text editor. An overbroad rule such as ALL=(ALL) NOPASSWD: ALL, a wildcard in a command's arguments, or a permitted command that can spawn a shell quietly hands out root. The more permission settings and options a system's configuration carries, the greater the likelihood of operator error.
Human error is a major contributor to configuration drift, which leaves servers with inconsistent, incorrect, or excessive privileges.
To combat the risk of errors, you could write scripts to automate some of this work. Or, build homemade solutions that attempt to manage Joiners-Movers-Leavers in Active Directory by shifting users from one team or group to another. Unfortunately, these kinds of scripts don’t always have the most up-to-date context to determine appropriate user access. Plus, they often rely on static permission rules that don’t change with the business or security environment.
Say, for example, a company is using AD as its primary identity store and relying on homegrown scripts to manage it. They would still need to maintain local accounts and group files on every Linux server. In addition, they would need to manage a sudoers file for privilege elevation.
Now add on the additional management overhead of running an audit to identify all those permission requirements and misconfigurations, and rectify them. The hours add up!
What if you could eliminate the task of administering those sudo configuration files altogether?
Automated privileged security controls for Linux
Automated privileged security controls can improve productivity for Linux server administrators, reducing manual tasks, and freeing up their time for other priorities.
With Active Directory as a source of truth, permissions management becomes role-based. With Privilege Control for Servers on the Delinea Platform, privileges can transition from static to dynamic, based on granular just-in-time (JIT) policies and context.
Delinea’s drop-in replacement for sudo, called dzdo, manages privilege elevation on Linux using a centralized role-based access control (RBAC) model—eliminating the need to rely on local configuration files like /etc/sudoers for access control.
Linux administrators no longer need to maintain siloed, privileged local accounts or manually edit config files to manage permissions. Instead, they install a lightweight agent, reboot the machine, and they’re done. Even better, users log in with their standard enterprise accounts (like Active Directory), and privilege elevation is handled through centralized policies.
The result: simplified administration and a reduced attack surface.
Security benefits of Privilege Control for Servers
In addition to the productivity benefits for Linux administrators, the Delinea approach to server privilege management also reduces risk in several ways. It allows you to:
- Apply least privilege and zero trust principles to prevent lateral movement.
- Add MFA at login and at privilege elevation for additional identity assurance.
- Monitor, record, and centralize an audit trail of activity on each server to quickly detect anomalous activity and demonstrate compliance.
- Report on the privileged activity of each user identity individually, rather than shared accounts.
Linux privilege management without the silos
If you already have Delinea Secret Server and want to incorporate Linux privilege management into your program, you can do so without having to deploy or manage a separate system. Because Privilege Control for Servers is part of the Delinea Platform, it can leverage the same data, integrations, and policies to manage access to Linux machines as the rest of your IT environment. That makes reporting, auditing, and compliance checks much faster and more accurate.
See for yourself
To learn more about streamlining Linux server administration and improving server security, watch the interactive demo of Delinea Privilege Control for Servers.