Endpoint Privilege Management for Unix and Linux Sudo Manager

Sudo is widely used by many organizations to define and delegate elevated privileges throughout their Unix and Linux systems. Its appeal lies in the additional layer of protection it gives to root access while providing logging and auditing features, all with no upfront cost.

However, sudo’s limitations become apparent in larger environments because it does not scale well across an enterprise. It does not provide central storage and administration of sudoers policy files. It does not provide a secure and efficient means of distributing sudoers policy files to multiple systems. It does not natively protect the integrity of the logs it generates and cannot send them to a remote log server, both of which are best practices for security and compliance.

Sudo alternatives, such as Endpoint Privilege Management for Unix and Linux (EPM-UL), are commercially available to provide a more complete, seamless, and secure least privilege solution for the enterprise that addresses the aforementioned issues and more. This upgrade, however, entails an investment of time and resources.

For organizations that choose not to fully convert their sudo-managed systems, BeyondTrust offers Endpoint Privilege Management for Unix and Linux Sudo Manager, hereinafter Sudo Manager, which simplifies and enhances sudo management using some of the core features of EPM-UL. This allows for a quick and cost-effective implementation and continued use of all existing sudoers files.

Sudo Manager is BeyondTrust's offering to provide better management and maintenance of sudo's files and data, leveraging some of the rich core features of EPM-UL without replacing sudo itself. Implementing Sudo Manager has the following benefits:

  • Centralization of sudoers policies: Policies are stored in a secure database on the Policy Server host.
  • Change management for sudoers policies: Once sudo policies are stored on the Policy Server, they can be checked out, modified, and checked back in centrally, without the need to go to each sudo host.
  • Integration with EPM-UL event logs: After policy processing, an accept or reject event is logged in the event log.

This guide assumes that you have a basic understanding of Unix or Linux system administration and some experience with a scripting or other computer language. We recommend that you have experience in these areas before you attempt to create or modify security policy files.

Endpoint Privilege Management for Linux, or EPM-L, refers to the new SaaS (cloud) product.

Specific font and line spacing conventions are used to ensure readability and to highlight important information, such as commands, syntax, and examples.

The BeyondInsight integration for Endpoint Privilege Management for Unix and Linux is no longer supported. Instead, EPM-UL uses BeyondInsight for Unix & Linux and ElasticSearch.

Both pbguid and pbsguid are deprecated as of EPM-UL version 22.3.0.

Overview

To effectively administer Sudo Manager, it is necessary to understand how the product works. A typical Sudo Manager configuration consists of the following:

  • pbsudomgr.so: The plugin extending sudo with some of the core features of EPM-UL.
  • Sudo Manager Policy Server: The component providing central management of sudoers files.
  • Log Host: The component writing the event logs.
  • pbadmin: A robust command line utility for administrators to manage files and data used by Endpoint Privilege Management for Unix and Linux Sudo Manager.

The pbsudomgr.so plugin must reside on the sudo hosts being managed. For optimal security, the Sudo Manager Policy Server and log host should be separate machines isolated from normal activity.

Sudo Manager Component, Directory, and File Locations

For the locations of the Endpoint Privilege Management for Unix and Linux components, directories, and files, along with other changes and post-installation instructions, see the EPM-UL Installation Guide.