Chat now with support
Chat with Support

Safeguard for Sudo 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration Upgrade Privilege Manager for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Privilege Manager Variables Privilege Manager programs Installation Packages Unsupported Sudo Options Privilege Manager for Sudo Policy Evaluation

One Identity Privileged Access Suite for Unix

Unix Security Simplified

One Identity Privileged Access Suite for Unix solves the inherent security and administration issues of Unix-based systems (including Linux and macOS) while making satisfying compliance requirements easier. It unifies and consolidates identities, assigns individual accountability, and enables centralized reporting for user and administrator access to Unix. The Privileged Access Suite for Unix combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire Unix environment.

Active Directory Bridge

Achieve unified access control, authentication, authorization, and identity administration for Unix, Linux, and macOS systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows resources to become part of the AD trusted realm, and extends AD’s security, compliance, and Kerberos-based authentication capabilities to Unix, Linux, and macOS. See Authentication Services for more information about the Active Directory Bridge product.

Root Delegation

The Privileged Access Suite for Unix offers two different approaches to delegating the Unix root account. The suite either enhances or replaces sudo, depending on your needs.

  • By choosing to enhance sudo, you will keep everything you know and love about sudo while enhancing it with features like a central sudo policy server, centralized keystroke logs, a sudo event log, and compliance reports for who can do what with sudo.

    See Privilege Manager for Sudo for more information about enhancing sudo.

  • By choosing to replace sudo, you will still be able to delegate the Unix root privilege based on centralized policy reporting on access rights, but with a more granular permission and the ability to log keystrokes on all activities from the time a user logs in, not just the commands that are prefixed with "sudo". In addition, this option implements several additional security features like restricted shells, remote host command execution, and hardened binaries that remove the ability to escape out of commands and gain undetected elevated access.

    See Privilege Manager for Unix for more information about replacing sudo.

Privileged Access Suite for Unix

Privileged Access Suite for Unix offers two editions - Standard edition and Advanced edition. Both editions include the Management Console for Unix, a common mangement console that provides a consolidated view and centralized point of management for local Unix users and groups; and, Authentication Services, patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and macOS platforms and enterprise applications. In addition

  • The Standard edition licenses you for Privilege Manager for Sudo.
  • The Advanced edition licenses you for Privilege Manager for Unix.

One Identity recommends that you follow these steps:

  1. Install Authentication Services on one machine, so you can set up your Active Directory Forest.
  2. Install Management Console for Unix, so you can perform all the other installation steps from the mangement console.
  3. Add and profile hosts using the mangement console.
  4. Configure the console to use Active Directory.
  5. Deploy client software to remote hosts.

    Depending on which Privileged Access Suite for Unix edition you have purchased, deploy either:

    • Privilege Manager for Unix software (that is, Privilege Manager Agent packages)


    • Privilege Manager for Sudo software (that is, Sudo Plugin packages)

Introducing Privilege Manager for Sudo

Privilege Manager for Sudo helps Unix/Linux organizations take privileged account management through sudo to the next level: with a central policy server, centralized management of sudo and sudoers, centralized reporting on sudoers and elevated rights activities, event and keystroke logging of activities performed through sudo, and offline policy evaluation. With Privilege Manager for Sudo, One Identity provides a plugin to Sudo 1.8.1 (and later) to make administering sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-by-box management of sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.

Figure 1: Privilege Manager for Sudo Architecture

Privilege Manager for Sudo enables you to get more value, security, and compliance out of your existing investment in sudo across any number of Unix/Linux systems.

Features and benefits of Privilege Manager for Sudo

Embracing and enhancing Sudo

The vast majority of organizations with Unix/Linux machines in their infrastructure use the open-source sudo project to help delegate the Unix root account to achieve privileged account management objectives. Sudo has a proven history of delivering value, however, management of sudo can be cumbersome, sudo policy across multiple servers is often inconsistently written and executed, and sudo does not include the ability to centrally manage the sudoers policy on multiple systems that is so critical to security and compliance initiatives. One Identity LLC, the company that pioneered the "Active Directory bridge" market with Authentication Services, continues to lead the way for identity and access management in Unix environments, with powerful and innovative new capabilities that provide enterprise-level privileged account management (PAM) by enhancing an existing sudo installation with centralized policy, reporting, management, and keystroke logging through Privilege Manager for Sudo.

Privilege Manager for Sudo provides powerful capabilities:

  • Centralized management of sudo across any number of Unix/Linux servers
  • Centralized reporting on sudo policy, activities, and history
  • Event and keystroke logging
  • Offline policy evaluation and log synchronization
  • Policy revision management with change tracking and reporting, and policy roll-back
Extend Sudo 1.8.x

Privilege Manager for Sudo enhances sudo with new capabilities (central policy server and keystroke logging) that embrace and extend sudo through the Sudo Plugin which fits into the Sudo 1.8.x modular architecture.

Central Sudo policy

Privilege Manager for Sudo permits sudo to use a central service to enforce a policy, removing the need for administrators to manage the deployment of the sudoers policy file on every system. This improves security and reduces administrative effort by centrally administering sudo policy for privileged account management across any number of Unix/Linux servers.

Centralized management

Management Console for Unix provides a single management platform for sudo as well as additional One Identity solutions, such as Authentication Services and Privilege Manager for Unix. It provides a single point of administration for multiple One Identity solutions to simplify administrator-related and auditing-related activities across the entire Unix/Linux environment.

Centralized reporting

Privilege Manager for Sudo includes Management Console for Unix which provides a single reporting platform for sudo. Available reports include Access and Privilege Reports that analyze the sudo configuration file, as well as user accounts and group memberships, and provides a list of the access and privileges that have been granted to users and systems through sudo. The solution also includes the ability to report on changes made to the sudoers policy for policy groups through the console including versioning and the ability to revert to any previous version. This allows for a report that shows who made what changes to the sudoers policy file, and when. It also includes the ability to report on who ran what sudo command across all managed systems, and whether the command was accepted or rejected based on the policy.

Event logging

The Privilege Manager for Sudo event logging feature provides the ability to log all commands performed through sudo to know which commands were accepted and rejected, who performed the command, and when the command was performed.

Keystroke logging

The Privilege Manager for Sudo keystroke logging feature provides the ability to log keystrokes, then view and replay keystroke logs for end-users that perform activities through sudo. The keystroke log provides a comprehensive view of what activities were performed and the commands that were run across all systems. You can filter the report in many ways to find data quickly. For example, you can filter on specific commands or for commands run during a specific time period.

Offline policy evaluation and log synchronization

Privilege Manager for Sudo supports offline policy caching. When a Sudo Plugin host operates offline, it stores all log files on the host, then synchronizes the log data back to the primary policy server when it becomes available. See Privilege Manager for Sudo Policy Evaluation for more information.

Separation of duty enforcement

Management Console for Unix enforces the concept of separation of duty (SoD) by adding the ability to assign users to roles within the console. Based on the role, a user is only permitted to perform certain tasks. For example, the administrator may be allowed to modify the sudo policy, but not to view keystroke log recordings.

How Privilege Manager for Sudo works

A basic Privilege Manager for Sudo configuration would include a primary and a secondary policy server, (known as a policy group), and any number of hosts with the Sudo Plugin installed.

Figure 2: How Privilege Manager for Sudo Works

The first policy server configured is the primary policy server which holds the master copy of the sudoers policy. Additional policy servers configured in the policy group are secondary policy servers. The primary policy server and any number of additional secondary policy servers share the common sudoers policy.

The Sudo Plugin is installed on each host system. Then the hosts are joined to the policy group. Once joined, sudo commands that run on the hosts are sent to the primary policy server to be evaluated against the centralized policy. (Note: The local sudoers files (/etc/sudoers and /etc/sudoers.d) are no longer used to evaluate the sudo policy on joined hosts.) The primary policy server either accepts or rejects the commands; that is, the primary policy server either allows the command to run on the host or not. The primary policy server records an event each time a command is accepted or rejected. And, if enabled for keystroke logging, the primary policy server records the keystrokes entered on the hosts.

Management Console for Unix provides centralized management of host systems and the sudoers policy file. It also provides centralized installation and configuration of the Sudo Plugin on hosts, centralized reporting, and keystroke log replay.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents