Reflecting the growing need for automation tools in the enterprise, Quest Software has released a software package that could help Unix administrators better manage policy files that determine which users can access privileged material and programs on Unix and Linux systems.
The package extends the capabilities of the Unix Sudo tool. "A lot of our customers have been using Sudo for many years. This provides them with compliance and reporting capabilities," said Jackson Shaw, Quest senior director of product management.
The newly released Quest One Privilege Manager for Sudo can provide a lower cost alternative to other enterprise access management software packages for Unix, Shaw argued, because it leverages the free Sudo utility and doesn't require administrators to learn a whole set of new commands.
Sudo proves a way for users to run specific sensitive system commands and programs without needing the full root access to a machine. Administrators can limit what advanced access rights each user can enjoy when evoking the Sudo command.
About 18 months ago, Quest hired the Sudo project maintainer, Todd Miller, to maintain the open-source software on a full-time basis -- he had been working on Sudo during his free time before then.
While widely used, Sudo has limitations in the modern enterprise environment, Shaw argued. An administrator may have to manage the Sudo polices across dozens or hundreds of servers, and making changes can involve manually copying policy files across multiple machines.
Also, Sudo offers little help with reporting on how an organization meets its compliance regulations and policies. "A lot compliance regulations want not just who had access to something, but what they actually did," Shaw said. For instance, Sudo can keep a log of how it was used, but not what keystrokes were used within Sudo mode.
Privilege Manager addresses these concerns. Quest's software was built on the plug-in architecture introduced in Sudo 1.8, released in March. The package contains a central policy server, from which administrators can edit the policy files, which are then distributed to all the servers.
The package also includes a keylogger plug-in, which can capture all the actions within a Sudo session. With this plug-in, an administrator could find out what a user did during a particular session, or who issued a specific command at a particular time. The package can also produce reports of who has privileged access, and what programs they can run. The software can be run from the command line, so it can be incorporated into administrator scripts.
Quest One Privilege Manager for Sudo, available Thursday, costs US$59 per server.