Unix Security Simplified
One Identity Privileged Access Suite for Unix solves the inherent security and administration issues of Unix-based systems (including Linux and Mac) while making satisfying compliance requirements a breeze. It unifies and consolidates identities, assigns individual accountability and enables centralized reporting for user and administrator access to Unix. The Privileged Access Suite for Unix is a one-stop shop for Unix security that combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire Unix environment.
Active Directory Bridge
Achieve unified access control, authentication, authorization and identity administration for Unix, Linux, and Mac systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows resources to become part of the AD trusted realm, and extends AD’s security, compliance and Kerberos-based authentication capabilities to Unix, Linux, and Mac. See Authentication Services for more information about the Active Directory Bridge product.
The Privileged Access Suite for Unix offers two different approaches to delegating the Unix root account. The suite either enhances or replaces sudo, depending on your needs.
Privileged Access Suite for Unix
Privileged Access Suite for Unix offers two editions - Standard edition and Advanced edition. Both editions include: One Identity Management Console for Unix, a common management console that provides a consolidated view and centralized point of management for local Unix users and groups; and Authentication Services, patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac platforms and enterprise applications. In addition
- The Standard edition licenses you for Privilege Manager for Sudo.
- The Advanced edition licenses you for Privilege Manager for Unix.
One Identity recommends that you follow these steps:
- Install Authentication Services on one machine, so you can set up your Active Directory Forest.
- Install One Identity Management Console for Unix, so you can perform all the other installation steps from the mangement console.
- Add and profile hosts using the mangement console.
- Configure the console to use Active Directory.
- Deploy client software to remote hosts.
Depending on which Privileged Access Suite for Unix edition you have purchased, deploy either:
- Privilege Manager for Unix software (that is, Privilege Manager Agent packages)
- Privilege Manager for Sudo software (that is, Sudo Plugin packages)
See Installing Privilege Manager agent or plugin software for more information about the two Privilege Manager client software packages available to install onto remote hosts.
Note: Refer to Getting Started tab for a better understanding of the steps to take to be up and running quickly.
One Identity Management Console for Unix is a web-based console that delivers a consolidated view and centralized point of management for local Unix users and groups, including:
- Local Unix user and group management
- Centralized reporting
- Pre-migration readiness assessment for integrating with Active Directory
- Remote client-agent deployment
- Secure local Unix accounts with Active Directory authentication
Key features and capabilities of the mangement console:
Local Unix User and Group Management
Management Console for Unix enables administrators to use the same tool to manage all Unix account information regardless of its location (within Active Directory or locally on Unix systems). With the mangement console, administrators can remotely manage local users and groups on Unix, Linux, and Mac systems. This functionality is shipped with Authentication Services, Privilege Manager for Unix, and Privilege Manager for Sudo.
Active Directory Integration
Management Console for Unix provides the quickest path to compliance by enabling organizations to quickly, easily, and inexpensively implement Active Directory-based authentication for Unix, Linux, and Mac systems. The mangement console allows remote Unix systems to be profiled and assessed to check their readiness for integration with Active Directory. Once deployed, Management Console for Unix even enables Unix accounts to remain where they are and yet use Active Directory for centralized authentication.
Privilege Manager Integration
Management Console for Unix provides advanced management and reporting capabilities when used with One Identity Privilege Manager. You can install and configure the Policy Server as well as the PM Agent and the Sudo Plugin software to remote hosts. You can also join hosts to a policy group if you have activated it in the Privilege Manager settings. This gives you the ability to centrally manage policy and create comprehensive "keystroke logs" that capture forensic-level auditing.
Remote Agent Deployment
Management Console for Unix streamlines deployment of client agent software by empowering administrators to remotely install the software packages and join systems either to Active Directory or a Privilege Manager policy group. The mangement console allows non-Unix administrators to administer and deploy the solution without ever touching the Unix command line.
Role-Based Access Control
Active Directory users and groups can now be granted access to the mangement console and given limited use of console features by means of roles. This means you can configure separation of duties for specific tasks.
- Manage Hosts
- Console Administration
- Manage Console Access
Additional Privilege Manager Roles:
- Manage Sudo Policy
- Audit Sudo Policy
- Manage PM Policy
- Audit PM Policy
Management Console for Unix enables administrators to quickly and easily provide auditors with granular reports on Unix identity information, including the highly desirable access and privilege reports. By consolidating the generation and viewing of reports within the mangement console, Management Console for Unix reduces the time and effort required to generate key reports that traditionally required multiple data collation and manual processes across multiple Unix systems.
Securing Local Unix Accounts with Active Directory Authentication
Management Console for Unix eases deployments of Authentication Services by providing a birds-eye view of all local Unix accounts and Active Directory accounts with Unix account information. When viewing local Unix accounts, administrators can determine which accounts to configure for Active Directory authentication.
Management Console for Unix allows you to access the server by means of Web Services, including Unix command line utilities and Windows Powershell cmdlets that enable you to script common local Unix user and group management tasks. For example, you can write a script to reset a local Unix user's password across multiple Unix systems.
Management Console for Unix has continued to add powerful configuration, administration, management, and migration capabilities through a Web-based console. The following is a list of the new features for One Identity Management Console for Unix 2.5.
One Identity Privilege Manager for Unix integration
Support for advanced, centralized Privilege Manager for Unix policy management, remote agent plugin installation and configuration, keystroke logging and replay, and reporting.
- New roles for managing Privilege Manager for Unix
- Remote installation of the Privilege Manager software
- Readiness checks for both server configuration and host joins to policy groups
- Ability to configure both primary and secondary policy servers
- Centralized pmpolicy profile management with reporting and auditing
- Support for the PMRUN elevation credential
One Identity Privilege Manager for Sudo
Authentication Services Access Control Management
Support for limiting Active Directory user access to host systems by managing which Active Directory users and groups can access the host systems.
- Manage access control on a single host system
- Add and remove Active Directory users or groups across multiple hosts
Other new Management Console for Unix features
- Reset or change passwords for multiple local accounts across multiple hosts
- Modify certain user properties across multiple hosts
- Support for Tectia SSH
- Context-sensitive help is now available
- New console role for access to all reports
- Product License Usage report
Upgrading from Identity Manager for Unix 1.0
If you are upgrading from Quest Identity Manager for Unix 1.0 to Management Console for Unix 2.x, be aware of the following:
- Passwords cached by the supervisor account or AD users with console access were not migrated during the upgrade process due to changes in encryption. Users will have to re-enter their passwords for hosts they manage the next time they perform tasks on the hosts, and choose to cache their credentials again on the server.
- It is important to re-profile all hosts after an upgrade of any version of Management Console for Unix.
- Existing Active Directory users and groups granted access to the mangement console are added to the Manage Hosts role, giving them access to the features they had before the upgrade.
The following summarizes the differences between the core version of Management Console for Unix and what is available when it is used in conjunction with Privilege Manager or Authentication Services.
Core features of Management Console for Unix:
- Provides a central management and reporting console for local Unix hosts.
- Provides up-to-date synchronization between the host and the console.
- Ability to create, delete, and modify local user and group accounts.
- Ability to browse Active Directory
- Ability to assign users to console roles
- Ability to perform console tasks using Windows Powershell and Unix command line tools.
When used with Privilege Manager
- Ability to remotely install Privilege Manager software on a remote host.
- Ability to configure both primary and secondary policy servers.
- Ability to join remote hosts to policy groups.
- Ability to centrally manage the policy file.
- Ability to enable keystroke logging and view captured keystroke logs.
- Ability to provide access and privileges reports to determine which actions users are permitted to perform on Unix hosts.
- Ability to report which commands were executed using sudo on Unix hosts.
When used with Authentication Services:
- Ability to remotely install Authentication Services agents, join systems to Active Directory, and implement AD-based authentication for Unix, Linux, and Mac systems.
- Ability to manage access control on a single host system or across multiple hosts.
- Ability to create reports about Unix-enabled Active Directory users and groups.
- Ability to create access control reports that show which user is permitted to log into which Unix host.