Quest™ Privilege Manager for Unix 6.0
Quest One™ Privilege Manager for Sudo 2.0
Welcome to Quest Privilege Manager
New in this Release
Resolved Issues and Enhancements
Upgrade and Compatibility
For More Information
Quest Privilege Manager for Unix protects the full power of root from potential misuse or abuse. With Privilege Manager, there’s no need to worry about anyone deleting critical files, modifying file permissions or databases, reformatting disks or doing more subtle damage. Privilege Manager enables you to define a security policy that stipulates who has access to which root functions, as well as when and where they can perform those functions. It controls access to existing programs as well as purpose-built utilities that execute common system administration tasks. At the administrator’s request, Privilege Manager can protect sensitive data from network monitoring by encrypting the root commands or sessions it controls, including control messages and input keyed by users while running commands through Privilege Manager.
Quest One Privilege Manager for Sudo helps Unix/Linux organizations take privileged account management through Sudo to the next level: with a central policy server, centralized management of Sudo and sudoers, centralized reporting on sudoers and elevated rights activities, and event and keystroke logging of activities performed through Sudo. With Quest One Privilege Manager for Sudo, Quest provides a plug-in to Sudo 1.8.1 (and later) to make administering Sudo across a few, dozens, hundreds, or thousands of Unix/Linux servers easy, intuitive, and consistent. It eliminates the box-by-box management of Sudo that is the source of so much inefficiency and inconsistency. In addition, the centralized approach delivers the ability to report on the change history of the sudoers policy file.
This section lists new features introduced in this release of Privilege Manager.
See Resolved Issues and Enhancements for the list of issues addressed and enhancements implemented in this release.
Quest Privilege Manager for Unix 6.0 New Features:
Quest Privilege Manager for Sudo 2.0 New Features:
New features in both Quest Privilege Manager for Unix 6.0 and Quest One Privilege Manager for Sudo 2.0:
The following lists issues resolved and enhancements implemented in this release of Privilege Manager.
|Support for Quest One Management Console for Unix
Quest One Management Console for Unix supports Privilege Manager for Unix and its associated agents, providing a web-based console for administrators using the Management Console to:
Reporting can show, for auditing purposes, which users have access to which commands on which systems, who edited the Privilege Manager policy, and what was changed. You can also:
Secure access to each function is defined and controlled according to the administrator’s credentials.
Several improvements have been made to the default profile-based policy files:
An attempt to execute any regular, non-built-in, command after a
|Support for AD host group membership
Two new policy functions (
In addition, the default profile-based policy in Privilege Manager for Unix 6.0 uses four new profile variables (
Please refer to the Quest Privilege Manager Administrator's Guide for more information on the new functions and profile variables.
|Do not allow command to run unless it exists in the specified directory(s)
A new policy variable,
|Mac OS X support for Privilege Manager for Sudo plug-ins
The Privilege Manager for Sudo plug-ins are now supported on Mac OS X 10.7 and 10.8.
|New configuration option to use local sudoers file with centralized
Support for the
|Sudo plug-in offline evaluation
The Sudo plug-in may be configured to always perform local policy evaluation.
|Events logged in database format
The Privilege Manager event logs are now stored in database format. Event logs from previous versions of Privilege Manager may be imported into a database format file set using the new
The Quest Privilege Manager for Unix and Quest One Privilege Manager for Sudo documentation has been consolidated into a single Administrator's Guide.
The profile-based policies were not correctly disabling password logging by default.
On some platforms, the
Including the same file more than once in the policy may cause incorrect
In some instances, Privilege Manager processes might not shut down correctly if an active session was abnormally terminated (for example, if an active session was running in a PuTTY window and the window was closed).
If you are using Solaris Projects, agent sessions on Solaris systems will now set their Project ID to the runuser’s default Project ID.
Note: The updated profile-based policy adheres to a naming convention
Two new list variables have been introduced to specify paths from which commands are permitted to execute. The paths may be specified in the
If configured, the agent will reject a command unless it is executed from one of the specified paths.
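The check described above, resolving what the user typed to the file that would actually run and refusing it unless that file sits in an allowed directory, is shown here as an added example written for this page. It is not Privilege Manager policy code and does not use the product's policy language; the function names, the allowed directory, the PATH ordering and the command names are all constructed for the illustration. The point a practitioner should take from it is that the decision has to be made on the canonical path (symlinks followed, `..` collapsed), otherwise a same-named binary earlier in PATH, a symlink planted in the trusted directory, or a `..` trick defeats the allowlist.

```python
import os
import shutil
import tempfile


def resolve_command(command, search_path):
    """Return the canonical path of the file that `command` would execute,
    or None when no executable is found.

    A bare name is searched along `search_path` (a list of directories) in
    order, as a shell would; a name containing '/' is taken as given.
    os.path.realpath() follows symlinks and collapses '..', so the caller
    checks the file that will actually run, not the name that was typed.
    """
    if "/" in command:
        candidates = [command]
    else:
        candidates = [os.path.join(d, command) for d in search_path]
    for cand in candidates:
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return os.path.realpath(cand)
    return None


def command_is_allowed(command, allowed_dirs, search_path):
    """True only if the resolved executable sits directly inside one of
    `allowed_dirs` (subdirectories are deliberately not accepted; widen
    this if a policy is meant to cover a whole tree)."""
    target = resolve_command(command, search_path)
    if target is None:
        return False
    parent = os.path.dirname(target)
    return any(parent == os.path.realpath(d) for d in allowed_dirs)


def demo():
    """Build a constructed layout under a temp dir and evaluate sample
    commands; returns a dict of case name -> allowed.  The layout and the
    command names are made up for this example."""
    root = tempfile.mkdtemp(prefix="pm-pathcheck-")
    try:
        sbin = os.path.join(root, "usr", "sbin")   # the one allowed directory
        scratch = os.path.join(root, "tmp")        # world-writable style dir, not allowed
        os.makedirs(sbin)
        os.makedirs(scratch)

        def make_exec(path):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, 0o755)

        make_exec(os.path.join(sbin, "fdisk"))
        make_exec(os.path.join(scratch, "fdisk"))          # same name, wrong place
        # a symlink planted in the allowed dir that points outside it
        os.symlink(os.path.join(scratch, "fdisk"), os.path.join(sbin, "evil"))

        allowed = [sbin]
        return {
            # bare name with the scratch dir first in PATH: resolves to the
            # copy in tmp, so it is refused even though an allowed copy exists
            "bare_name_untrusted_path_first": command_is_allowed("fdisk", allowed, [scratch, sbin]),
            "bare_name_trusted_path": command_is_allowed("fdisk", allowed, [sbin]),
            "absolute_in_allowed_dir": command_is_allowed(os.path.join(sbin, "fdisk"), allowed, []),
            "absolute_in_other_dir": command_is_allowed(os.path.join(scratch, "fdisk"), allowed, []),
            "symlink_escaping_allowed_dir": command_is_allowed(os.path.join(sbin, "evil"), allowed, []),
            "dotdot_into_allowed_dir": command_is_allowed(
                os.path.join(scratch, "..", "usr", "sbin", "fdisk"), allowed, []),
            "missing_command": command_is_allowed("no-such-tool", allowed, [scratch, sbin]),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, ok in demo().items():
        print("ALLOW" if ok else "DENY ", case)
```

Running the file prints one line per case. Note that the check is only as strong as the permissions on the allowed directories themselves: if a user who is subject to the policy can write into one of them, the allowlist adds nothing, so the directories named in such a policy should be root-owned and not group- or world-writable.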
The following platforms have been deprecated in this release:
|Sudo plug-in with hostname on loopback address
The Sudo plug-in can now be configured on DHCP hosts where the hostname is assigned to a loopback address in the local hosts file, as long as the host's network address can be obtained by resolving the hostname in DNS.
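Whether a host is in the situation just described (its own name pinned to a loopback address in the local hosts file, as Debian-style DHCP installs do with `127.0.1.1`) is easy to check before configuring the plug-in. The following is an added example for this page, not Privilege Manager code: a small parser for the hosts file format and a classifier built on it. The sample file, the function names and the treatment of the short (unqualified) hostname as an alias are assumptions made for the illustration. A real preflight would also compare the result with what `socket.getaddrinfo()` returns from DNS, which is omitted here so the example runs offline.

```python
import ipaddress

# Constructed sample in the style that triggers the case above: the machine's
# own name is pinned to 127.0.1.1, while the policy server has a static entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   web01.example.com web01
::1         localhost ip6-localhost ip6-loopback
# policy server, static address
10.0.5.20   pmpolicy01.example.com pmpolicy01
not-an-address  junk-line
"""


def parse_hosts(text):
    """Yield (address, [names]) for each usable line of a hosts file.
    Trailing comments and blank lines are dropped; a line whose first field
    is not an IP address is skipped, as the resolver skips it."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield addr, [n.lower() for n in fields[1:]]


def hosts_lookup(text, hostname):
    """Every address the file assigns to `hostname`.  The short form is
    accepted as an alias (an assumption: that is how the DHCP-style entry
    is usually written).  Matching is case-insensitive, as in the resolver."""
    name = hostname.lower()
    short = name.split(".", 1)[0]
    return [addr for addr, names in parse_hosts(text)
            if name in names or short in names]


def classify_hostname(text, hostname):
    """'loopback-only' is the case the plug-in now tolerates, provided DNS can
    still supply the real address; 'routable' needs no special handling;
    'unlisted' means the hosts file says nothing about this name."""
    addrs = hosts_lookup(text, hostname)
    if not addrs:
        return "unlisted"
    if all(a.is_loopback for a in addrs):   # covers 127.0.0.0/8 and ::1
        return "loopback-only"
    return "routable"


if __name__ == "__main__":
    for host in ("web01.example.com", "pmpolicy01", "db02"):
        print(host, "->", classify_hostname(SAMPLE_HOSTS, host))
```

On a live system read `/etc/hosts` and pass the output of `socket.getfqdn()` as the hostname; a `loopback-only` result is the configuration the release note is about, and the thing to verify next is that the same name resolves in DNS to the host's network address.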
|Change to local sudoers file to indicate Privilege Manager control
A comment is now added to the local sudoers file when the Sudo plug-in is configured to indicate that the local sudoers file is no longer used and that the sudoers rules are managed by Privilege Manager for Sudo.
The following platforms have been deprecated in this release:
|keystroke log timestamps and keystroke log replay
If more than 256 seconds elapsed between keystroke logging events,
|Initialization script fails to start
|Privilege Manager binaries not large file aware
On some operating systems, Privilege Manager binaries are not large file aware.
On 64-bit Linux systems running Linux kernel version 3, the
|Support for Tectia SSH
Privilege Manager uses SSH software for internal security policy management. Privilege Manager now also works with Tectia SSH.
|Advance Notice of Platform Deprecation
Please note that support for the following platforms will be deprecated in any release of Privilege Manager for Unix later than version 6.0, and in any release of Privilege Manager for Sudo later than version 2.0:
The following is a list of issues known to exist at the time of this release of Privilege Manager.
|Known Issue||Defect ID|
|Time restriction interpretation
In the profile-based policy, the time restriction specified in the
|Handshake failed message
Improperly configured clients may display a
This can be resolved by removing the
|Known Issue||Defect ID|
|Sudo session termination
If a Sudo session is terminated by either closing the terminal window or dropping the SSH connection, Sudo does not notify
Note: This issue was fixed in Sudo 1.8.4.
|AIX platform specific search failure
When you search (using the management console or from the command line
|Known Issue||Defect ID|
|preflight failures with
The Privilege Manager preflight may fail on systems that use the
|Reported event times offset
Reported event times may be offset if the MCU console server and policy servers are not set to use the same timezone.
To upgrade from Privilege Manager 5.5 to version 6.0, follow the installation instructions in Upgrading Privilege Manager for Unix 5.5 in the Quest Privilege Manager Administrator's Guide.
We recommend that:
Note: The upgrade process will create symbolic links to ensure that your existing paths function correctly.
Note: Use of the Privilege Manager clients (
pmshells) with a policy server in Sudo policy mode is not currently
The process for upgrading Quest One Privilege Manager for Sudo from an older version is similar to installing it for the first time. The installer detects an older version and automatically upgrades the components. (Please see Quest Privilege Manager Administrator's Guide for more information.)
Note: Use of the Privilege Manager for Sudo plug-ins with a policy server in pmpolicy mode is not currently supported.
Before installing Privilege Manager, ensure your system meets the following minimum hardware and software requirements:
Click here to review a list of Unix and Linux platforms that support Privilege Manager for Unix.
Click here to review a list of Unix, Linux, and Mac platforms that support Privilege Manager for Sudo.
Note: To enable the Management Console for Unix server to interact with the host, you must install both an SSH server (that is, sshd) and an SSH client on each managed host. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.
Note: Management Console for Unix does not support Security-Enhanced Linux (SELinux).
|Disk Space||80 MB of disk space for program binaries and manuals for each architecture.
Note: At a minimum, you must have 80 MB of free disk space. The directories in which the binaries are installed must have sufficient disk space available on a local disk drive rather than a network drive. Before you install Quest Privilege Manager for Unix, ensure that the partitions that will contain
Note: The space can be on a network disk drive rather than a local drive.
|Additional Software||SSH Server and Client software (including
You must enable access to SSH as the root user on the policy server hosts during configuration of the policy servers. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.
Privilege Manager uses TCP/IP to communicate with networked computers, so it is essential that TCP/IP is correctly configured before installing Privilege Manager.
Privilege Manager uses the masterport, port 12345, to communicate with the policy server daemon (
|Management Console for Unix||Privilege Manager is integrated with the Quest One Management Console for Unix, a web-based console where you can centrally manage local Unix users and groups, edit your sudoers policy file, and create and view keystroke logs, as well as generate and view comprehensive reports.
Prior to installing the management console, ensure your system meets the minimum hardware and software requirements for your platform. (See the Quest One Management Console for Unix Administrator's Guide for details.)
|Processor||4 cores (policy servers)|
|RAM||4GB (policy servers)|
For further information, refer to Planning Deployment in the Quest Privilege Manager Administrator's Guide.
Refer to Privilege Manager Licensing for more information about licensing Privilege Manager.
This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.
This release is Unicode-enabled and supports any character set. In this release, all product components should be configured to use the same or compatible character encodings and should be installed to use the same locale and regional options. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe, Far-East Asia, Japan.
This release has the following known capabilities or limitations: Quest Authentication Services has been tested with double-byte configured locales on the Linux platform. All of the client side components operate successfully with double-byte characters in all Unix attributes.
There is no localization of either the client or Windows user interface.
The Privilege Manager release package contains the following products:
Product Documentation, including:
Note: You can find the product documentation in http://documents.quest.com at the following links:
For installation instructions, refer to Installation and Configuration, in the Quest Privilege Manager Administrator's Guide.
For information on Quest Privilege Manager licensing and system requirements please refer to Planning Deployment, in the Quest Privilege Manager Administrator's Guide.
Get the latest product information, find helpful resources, test the product betas, and join a discussion with the development team and other community members. Join the Community at All Things Unix.
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit
Product Questions and Sales:
(800) 306 – 9329
Support is available to customers who have a trial version or who have purchased Quest software and have a valid maintenance contract. The Support Portal at www.quest.com/support is the definitive resource for technical support with self-help capabilities so you can solve problems quickly and independently 24 hours a day, 365 days a year. The portal also provides direct access to our support engineers through an online service request facility. From one central location, you will find everything you need – support offerings, policies and procedures, contact information, as well as:
1 For trial users please use the Trial Downloads to get the latest generally available version of the software.
Quest Software is now Dell Software
© 2013 Quest Software, Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Dell Inc.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Attn: LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (www.quest.com) for regional and international office information.
Dell, the Dell logo, Quest, Quest Software, the Quest Software logo, and Vintela are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.