One Identity Privileged Access Suite for Unix solves the inherent security and administration issues of Unix-based systems (including Linux and macOS) while making satisfying compliance requirements easier. It unifies and consolidates identities, assigns individual accountability, and enables centralized reporting for user and administrator access to Unix. The Privileged Access Suite for Unix combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire Unix environment.
Achieve unified access control, authentication, authorization, and identity administration for Unix, Linux, and macOS systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows resources to become part of the AD trusted realm, and extends AD’s security, compliance, and Kerberos-based authentication capabilities to Unix, Linux, and macOS. See Authentication Services for more information about the Active Directory Bridge product.
The Privileged Access Suite for Unix offers two different approaches to delegating the Unix root account. The suite either enhances or replaces sudo, depending on your needs.
See Privilege Manager for Sudo for more information about enhancing sudo.
See Privilege Manager for Unix for more information about replacing sudo.
Privileged Access Suite for Unix offers two editions - Standard edition and Advanced edition. Both editions include the Management Console for Unix, a common mangement console that provides a consolidated view and centralized point of management for local Unix users and groups; and, Authentication Services, patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and macOS platforms and enterprise applications. In addition
One Identity recommends that you follow these steps:
Depending on which Privileged Access Suite for Unix edition you have purchased, deploy either:
Privilege Manager for Sudo helps Unix/Linux organizations take privileged account management through sudo to the next level: with a central policy server, centralized management of sudo and sudoers, centralized reporting on sudoers and elevated rights activities, event and keystroke logging of activities performed through sudo, and offline policy evaluation. With Privilege Manager for Sudo, One Identity provides a plugin to Sudo 1.8.1 (and later) to make administering sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-by-box management of sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.
Figure 1: Privilege Manager for Sudo Architecture
Privilege Manager for Sudo enables you to get more value, security, and compliance out of your existing investment in sudo across any number of Unix/Linux systems.
The vast majority of organizations with Unix/Linux machines in their infrastructure use the open-source sudo project to help delegate the Unix root account to achieve privileged account management objectives. Sudo has a proven history of delivering value, however, management of sudo can be cumbersome, sudo policy across multiple servers is often inconsistently written and executed, and sudo does not include the ability to centrally manage the sudoers policy on multiple systems that is so critical to security and compliance initiatives. One Identity LLC, the company that pioneered the "Active Directory bridge" market with Authentication Services, continues to lead the way for identity and access management in Unix environments, with powerful and innovative new capabilities that provide enterprise-level privileged account management (PAM) by enhancing an existing sudo installation with centralized policy, reporting, management, and keystroke logging through Privilege Manager for Sudo.
Privilege Manager for Sudo provides powerful capabilities:
Privilege Manager for Sudo enhances sudo with new capabilities (central policy server and keystroke logging) that embrace and extend sudo through the Sudo Plugin which fits into the Sudo 1.8.x modular architecture.
Privilege Manager for Sudo permits sudo to use a central service to enforce a policy, removing the need for administrators to manage the deployment of the sudoers policy file on every system. This improves security and reduces administrative effort by centrally administering sudo policy for privileged account management across any number of Unix/Linux servers.
Management Console for Unix provides a single management platform for sudo as well as additional One Identity solutions, such as Authentication Services and Privilege Manager for Unix. It provides a single point of administration for multiple One Identity solutions to simplify administrator-related and auditing-related activities across the entire Unix/Linux environment.
Privilege Manager for Sudo includes Management Console for Unix which provides a single reporting platform for sudo. Available reports include Access and Privilege Reports that analyze the sudo configuration file, as well as user accounts and group memberships, and provides a list of the access and privileges that have been granted to users and systems through sudo. The solution also includes the ability to report on changes made to the sudoers policy for policy groups through the console including versioning and the ability to revert to any previous version. This allows for a report that shows who made what changes to the sudoers policy file, and when. It also includes the ability to report on who ran what sudo command across all managed systems, and whether the command was accepted or rejected based on the policy.
The Privilege Manager for Sudo event logging feature provides the ability to log all commands performed through sudo to know which commands were accepted and rejected, who performed the command, and when the command was performed.
The Privilege Manager for Sudo keystroke logging feature provides the ability to log keystrokes, then view and replay keystroke logs for end-users that perform activities through sudo. The keystroke log provides a comprehensive view of what activities were performed and the commands that were run across all systems. You can filter the report in many ways to find data quickly. For example, you can filter on specific commands or for commands run during a specific time period.
Privilege Manager for Sudo supports offline policy caching. When a Sudo Plugin host operates offline, it stores all log files on the host, then synchronizes the log data back to the primary policy server when it becomes available. See Privilege Manager for Sudo Policy Evaluation for more information.
Management Console for Unix enforces the concept of separation of duty (SoD) by adding the ability to assign users to roles within the console. Based on the role, a user is only permitted to perform certain tasks. For example, the administrator may be allowed to modify the sudo policy, but not to view keystroke log recordings.
A basic Privilege Manager for Sudo configuration would include a primary and a secondary policy server, (known as a policy group), and any number of hosts with the Sudo Plugin installed.
Figure 2: How Privilege Manager for Sudo Works
The first policy server configured is the primary policy server which holds the master copy of the sudoers policy. Additional policy servers configured in the policy group are secondary policy servers. The primary policy server and any number of additional secondary policy servers share the common sudoers policy.
The Sudo Plugin is installed on each host system. Then the hosts are joined to the policy group. Once joined, sudo commands that run on the hosts are sent to the primary policy server to be evaluated against the centralized policy. (Note: The local sudoers files (/etc/sudoers and /etc/sudoers.d) are no longer used to evaluate the sudo policy on joined hosts.) The primary policy server either accepts or rejects the commands; that is, the primary policy server either allows the command to run on the host or not. The primary policy server records an event each time a command is accepted or rejected. And, if enabled for keystroke logging, the primary policy server records the keystrokes entered on the hosts.
Management Console for Unix provides centralized management of host systems and the sudoers policy file. It also provides centralized installation and configuration of the Sudo Plugin on hosts, centralized reporting, and keystroke log replay.