Unix and Linux systems present high-value targets for external attackers and malicious insiders. The same holds true for networked devices, such as IoT, ICS and SCADA. Gaining root or other privileged credentials makes it easy for attackers to fly under the radar and access sensitive systems and data.
BeyondTrust Privilege Management for Unix & Linux is an enterprise-class, gold-standard privilege management solution that helps security and IT organizations achieve compliance, control privileged access, and prevent and contain breaches that can affect Unix and Linux systems—without hurting productivity.
First, there’s a client installed on the server. The client is used to initiate any elevated command.
These commands are sent to the second component, the policy server. The policy server evaluates the policy and decides centrally, based on your business rules, who is authorized to run which commands, as well as where and when they can run them.
These commands are recorded in the event log, so we know which commands were attempted and whether or not they ran elevated.
The session recorder then starts a session recording on the policy server before the command is elevated.
Finally, the client runs the command as the run user.
This architecture allows for both centralized policy management and centralized auditing. Rather than being captured locally on the machine where the user has been given root access, logs are captured off the host the user is logged into and on which they are trying to elevate.