
Safeguard for Sudo 2.0 - Administrators Guide


One Identity Privileged Access Suite for Unix
Unix Security Simplified

One Identity Privileged Access Suite for Unix solves the inherent security and administration issues of Unix-based systems (including Linux® and Mac OS X®) while making satisfying compliance requirements a breeze. It unifies and consolidates identities, assigns individual accountability and enables centralized reporting for user and administrator access to Unix. The Privileged Access Suite for Unix is a one-stop shop for Unix security that combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire Unix environment.

Active Directory Bridge

Achieve unified access control, authentication, authorization and identity administration for Unix, Linux®, and Mac OS X® systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows® resources to become part of the AD trusted realm, and extends AD’s security, compliance and Kerberos-based authentication capabilities to Unix, Linux®, and Mac OS X®. (See Authentication Services for more information about the Active Directory Bridge product.)

Root Delegation

The Privileged Access Suite for Unix offers two different approaches to delegating the Unix root account. The suite either enhances or replaces sudo, depending on your needs.

  • By choosing to enhance sudo, you keep everything you know and love about sudo while adding features such as a central sudo policy server, centralized keystroke logs, a sudo event log, and compliance reports showing who can do what with sudo.

    (See One Identity Privilege Manager for Sudo for more information about enhancing sudo.)

  • By choosing to replace sudo, you can still delegate the Unix root privilege based on centralized policy and report on access rights, but with more granular permissions and the ability to log keystrokes for all activity from the moment a user logs in, not just for commands prefixed with "sudo". In addition, this option implements several further security features, such as restricted shells, remote host command execution, and hardened binaries that remove the ability to escape out of commands and gain undetected elevated access.

    (See Privilege Manager for Unix for more information about replacing sudo.)

Privileged Access Suite for Unix

Privileged Access Suite for Unix offers two editions: Standard edition and Advanced edition. Both editions include One Identity Management Console for Unix, a common management console that provides a consolidated view and centralized point of management for local Unix users and groups, and Authentication Services, patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux®, and Mac OS X® platforms and enterprise applications. In addition:

  • The Standard edition licenses you for Privilege Manager for Sudo.
  • The Advanced edition licenses you for Privilege Manager for Unix.

Quest recommends that you follow these steps:

  1. Install Authentication Services on one machine, so you can set up your Active Directory Forest.
  2. Install One Identity Management Console for Unix, so you can perform all the other installation steps from the management console.
  3. Add and profile host(s) using the management console.
  4. Configure the console to use Active Directory.
  5. Deploy client software to remote hosts.

    Depending on which Privileged Access Suite for Unix edition you have purchased, deploy either:

    • Privilege Manager for Unix software (that is, Privilege Manager Agent packages)

    • Privilege Manager for Sudo software (that is, Sudo Plugin packages)

NOTE: See Introducing Privilege Manager for Unix or Introducing Privilege Manager for Sudo for an overview of each of these products.

Introducing Privilege Manager for Unix

Privilege Manager for Unix protects the full power of root access from potential misuse or abuse. Privilege Manager for Unix helps you define a security policy that stipulates who has access to which root function, as well as when and where individuals can perform those functions. It controls access to existing programs as well as any purpose-built utilities used for common system administration tasks. With Privilege Manager for Unix, you do not need to worry about someone, whether inadvertently or maliciously, deleting critical files, modifying file permissions or databases, reformatting disks, or damaging UNIX® systems in more subtle ways.

Figure 1: Privilege Manager for Unix Protection

Within the UNIX® world, common management tasks often require root access. Unfortunately, native root access is an all-or-nothing proposition. Consequently, as organizations add new users, fix printer queues, and perform other routine jobs on UNIX® systems, the concern for control, compliance, and security grows. These routine tasks should not expose root passwords to those who don’t need them.

Privilege Manager for Unix also protects sensitive data from network monitoring by encrypting the root commands and sessions it controls. This covers the control messages exchanged between components as well as the input users enter while running commands through Privilege Manager for Unix.

What is Privilege Manager for Unix?

Privilege Manager for Unix allows system administrators to safely share the power of root and other important accounts by partitioning them among users in a secure manner. System administrators can specify the circumstances under which users may run certain programs as root (or other privileged accounts).

The result is that you can safely assign the responsibility for such routine maintenance activities as adding user accounts and fixing line printer queues to the appropriate people without disclosing the root password. The full power of root is thus protected from potential misuse or abuse, reducing the risk of system administrator error or misuse (for example, modifying databases or file permissions, erasing disks, or more subtle damage).

Privilege Manager for Unix is capable of selectively recording all activities involving root, including all keyboard input and display output, if required. This indelible audit trail, combined with the safe partitioning of root functionality, provides an extremely secure means of sharing the power of root. A replay utility is provided to allow recorded sessions to be viewed at a later date. Privilege Manager for Unix can also require a checksum match before running any program, thereby guarding against virus or trojan horse attack on important accounts.
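The checksum check described above, as an added illustration only: this is not Privilege Manager's own code or policy syntax, and the `policy` dictionary mapping approved program paths to their recorded SHA-256 hashes is a hypothetical stand-in for a policy entry. The example approves a helper script, runs it, then appends a payload to the script (a simulated trojan) and shows that the stale hash causes the run to be refused. It runs scripts through the Python interpreter so it works on any host; a real policy engine would exec the binary directly.

```python
"""Checksum-gated execution: refuse to run a program whose on-disk contents no
longer match the hash recorded when it was approved. Example code, not the
product's implementation."""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, streamed in 64 KiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ChecksumMismatch(PermissionError):
    """Raised when a program's current contents differ from the recorded hash."""


def verify_then_run(path: str, policy: dict, argv: list) -> subprocess.CompletedProcess:
    """Run `path` only if it is an approved program and its current hash matches.

    `policy` maps absolute program paths to the SHA-256 recorded at approval
    time (hypothetical representation of a policy entry). Caveat: there is a
    window between hashing and exec, so the directory holding the program must
    be root-owned and not writable by the delegated user, or an attacker could
    swap the file in that window.
    """
    expected = policy.get(path)
    if expected is None:
        raise PermissionError(f"{path} is not an approved program")
    actual = sha256_of(path)
    if not hmac.compare_digest(actual, expected):
        raise ChecksumMismatch(f"{path}: expected {expected}, got {actual}")
    # Interpreter-based launch keeps the example portable; a real engine execs the file.
    return subprocess.run([sys.executable, path, *argv], capture_output=True, text=True)


def demo() -> dict:
    """Approve a constructed helper script, run it, tamper with it, run again."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "fixqueue.py")  # constructed sample program
        with open(tool, "w") as f:
            f.write("print('queue cleared')\n")
        policy = {tool: sha256_of(tool)}  # hash recorded when the program was approved
        first = verify_then_run(tool, policy, []).stdout.strip()
        with open(tool, "a") as f:  # simulated trojan: payload appended after approval
            f.write("print('would now run as root')\n")
        try:
            verify_then_run(tool, policy, [])
            refused = False
        except ChecksumMismatch:
            refused = True
        return {"first_run": first, "tampered_run_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The hash comparison uses `hmac.compare_digest` so a mismatch is detected without leaking timing information about how many leading characters matched; the mismatch is surfaced as a `PermissionError` subclass so a caller that already denies on policy violations handles it the same way.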

Additionally, Privilege Manager for Unix can provide an audit trail of:

  • all users running commands on a particular host

    This may be required if, for example, the host is particularly sensitive, or because access to this host is chargeable.

  • all commands run by a particular user

    This may be required, if for example, a temporary contractor has been provided with a login to a host, and the administrator needs to check which files the contractor has accessed.

Benefits of Privilege Manager for Unix

Privilege Manager for Unix is an important component of any heterogeneous organization's comprehensive compliance and identity management strategy. It perfectly complements UNIX® identity integration initiatives using Authentication Services and compliance efforts enhanced through Quest's Compliance Portal.

Some of the benefits that Privilege Manager for Unix brings to your organization are:

  • enhanced security through fine-grained, policy-based control of root access
  • compliance through compartmentalization of IT tasks that require root access
  • visibility and control through automated, secure keystroke logging
  • attainment of compliance and internal security standards through automated gathering of necessary data
  • prevention of unapproved UNIX® root activity
