Privilege Manager for Sudo helps Unix/Linux® organizations take privileged account management through sudo to the next level: with a central policy server, centralized management of sudo and sudoers, centralized reporting on sudoers and elevated rights activities, event and keystroke logging of activities performed through sudo, and offline policy evaluation. With Privilege Manager for Sudo, Quest provides a plugin to Sudo 1.8.1 (and newer) to make administering sudo across a few, dozens, hundreds, or thousands of Unix/Linux® servers easy, intuitive, and consistent. It eliminates the box-by-box management of sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.
Figure 4: Privilege Manager for Sudo Architecture
Privilege Manager for Sudo enables you to get more value, security, and compliance out of your existing investment in sudo across any number of Unix/Linux® systems.
The vast majority of organizations with Unix/Linux® machines in their infrastructure use the open-source sudo project to help delegate the Unix root account to achieve privileged account management objectives. Sudo has a proven history of delivering value, however, management of sudo can be cumbersome, sudo policy across multiple servers is often inconsistently written and executed, and sudo does not include the ability to centrally manage the sudoers policy on multiple systems that is so critical to security and compliance initiatives. Quest Software Inc., the company that pioneered the "Active Directory bridge" market with Authentication Services, continues to lead the way for identity and access management in Unix environments, with powerful and innovative new capabilities that provide enterprise-level privileged account management (PAM) by enhancing an existing sudo installation with centralized policy, reporting, management, and keystroke logging through Privilege Manager for Sudo.
Privilege Manager for Sudo provides powerful capabilities:
Privilege Manager for Sudo enhances sudo with new capabilities (central policy server and keystroke logging) that embrace and extend sudo through the new Sudo Plugin which fits into the Sudo 1.8.1 modular architecture.
Privilege Manager for Sudo permits sudo to use a central service to enforce a policy, removing the need for administrators to manage the deployment of the sudoers policy file on every system. This improves security and reduces administrative effort by centrally administering sudo policy for privileged account management across any number of Unix/Linux® servers.
Management Console for Unix provides a single management platform for sudo as well as additional Quest solutions, such as Authentication Services and Privilege Manager for Sudo. It provides a single point of administration for multiple Quest solutions to simplify administrator- and auditing-related activities across the entire Unix/Linux® environment.
Privilege Manager for Sudo includes Management Console for Unix which provides a single reporting platform for sudo. Available reports include Access and Privilege Reports that analyze the sudo configuration file, as well as user accounts and group memberships, and provides a list of the access and privileges that have been granted to users and systems through sudo. The solution also includes the ability to report on changes made to the sudoers policy for policy groups through the console including versioning and the ability to revert to any previous version. This allows for a report that shows who made what changes to the sudoers policy file, and when. It also includes the ability to report on who ran what sudo command across all managed systems, and whether the command was accepted or rejected based on the policy.
The Privilege Manager for Sudo event logging feature provides the ability to log all commands performed through sudo to know which commands were accepted and rejected, who performed the command, and when the command was performed.
The Privilege Manager for Sudo keystroke logging feature provides the ability to log keystrokes, then view and replay keystroke logs for end-users that perform activities through sudo. The keystroke log provides a comprehensive view of what activities were performed and the commands that were executed across all systems. You can filter the report in many ways to find data quickly. For example, you can filter on specific commands or for commands run during a specific time period.
Privilege Manager for Sudo supports offline policy caching. When a Sudo Plugin host operates offline, it stores all log files on the host, then synchronizes the log data back to the primary policy server when it becomes available. (See Privilege Manager for Sudo Policy Evaluation for more information.)
Management Console for Unix enforces the concept of separation of duty (SoD) by adding the ability to assign users to roles within the console. Based on the role, a user is only permitted to perform certain tasks. For example, the administrator may be allowed to modify the sudo policy, but not to view keystroke log recordings.
A basic Privilege Manager for Sudo configuration would include a primary and a secondary policy server, (known as a policy group), and any number of hosts with the Sudo Plugin installed.
Figure 5: How Privilege Manager for Sudo Works
The first policy server configured is the primary policy server which holds the master copy of the sudoers policy. Additional policy servers configured in the policy group are secondary policy servers. The primary policy server and any number of additional secondary policy servers share the common sudoers policy.
The Sudo Plugin is installed on each host system. Then the hosts are joined to the policy group. Once joined, sudo commands executed on the hosts are sent to the primary policy server to be evaluated against the centralized policy. (Note: The local sudoers files (/etc/sudoers) is no longer used to evaluate the sudo policy on joined hosts.) The primary policy server either accepts or rejects the commands; that is, the primary policy server either allows the command to be executed on the host or not. The primary policy server records an event each time a command is accepted or rejected. And, if enabled for keystroke logging, the primary policy server records the keystrokes entered on the hosts.
Management Console for Unix provides centralized management of host systems and the sudoers policy file. It also provides centralized installation and configuration of the Sudo Plugin on hosts, centralized reporting, and keystroke log replay.
Before you run the installer, consider the following questions:
If you only plan to use one policy server for an entire network, it should be the most reliable and secure machine.
NOTE: You can specify multiple policy servers to avoid having a single point of failure.
If more than 150 users will be using a single pmmasterd for validation, you will want to have multiple policy servers to avoid a UNIX® network resource bottleneck. Plan to have a maximum of 150 users validating at a single policy server.
Only those hosts running the local daemon (PM Agent package) may receive and run Privilege Manager for Unix requests. (See pmlocald for details.)
Quest recommends that you initially specify one policy server and three or four local hosts when you first install and experiment with Privilege Manager for Unix.
If you require greater protection, you can select an encryption level such as AES, or a dedicated encryption system such as Kerberos. When configuring Privilege Manager for Unix in interactive mode, you are asked if you are using Kerberos. If you are using Kerberos, Privilege Manager for Unix automatically uses Kerberos for encryption.
You can configure the policy file to require a checksum match to authorize program execution. If configured in the policy, Privilege Manager executes the program only if its checksum matches that configured in the policy file. By default, it uses a CRC algorithm, but you can configure the MD5 algorithm instead by setting the keyword checksumtype to MD5 in pm.settings.
Choose numbers that do not conflict with other numbers in the /etc/services file. Ensure these entries are propagated to all machines accessing Privilege Manager for Unix.
By default, the log files are placed in /var/adm, /usr/adm or /var/log depending on the host architecture. The installer allows you to change the directory by specifying command line options to the Privilege Manager for Unix daemons. The partition needs to contain enough space for log files to increase in size.