EPM for Unix/Linux features

Why should I use Endpoint Privilege Management for Unix and Linux?

Use Endpoint Privilege Management for Unix and Linux (EPM-UL) to let users run specific programs as a privileged account (such as root) and to assign them only the permissions their work function responsibilities require, without disclosing the account password.

The full power of root is protected from potential misuse or abuse, such as modifying databases or file permissions, or erasing disks.

As a system administrator, you can configure if and when a user’s request to run a program is accepted or rejected:

  • A user requests a program to run on a machine as root.
  • EPM-UL evaluates the request.
  • If the request is accepted, the program runs locally or across a network on behalf of the user.

Partitioning

What is Partitioning?

Partitioning divides the system administration actions of root (and other important accounts such as oracle or admin) into functions that users can carry out without full access to the administrative account or its password. Account security remains uncompromised.

Use cases for partitioning account functions

  • Help desk personnel can reset passwords for users and reinstate user accounts.
  • Project members can clear a jammed line printer queue, kill hung programs, or reboot certain machines.
  • Administrators can print or delete resource usage logs or start backups.

Configurable actions

Some actions you can configure include:

  • which users can perform a particular task,
  • which tasks can be run through the system,
  • when the user can perform the task,
  • on which machine the task can be performed,
  • from which machine the user may initiate a request to perform the task,
  • whether another user’s permission (in the form of a password) is required before the task is started, and
  • the decisions that are to be made by a program that you supply and which EPM-UL calls to determine if a request should be accepted or rejected.

Session recording

Selectively record all input and output from a session. This audit trail, combined with the safe partitioning of root functionality, provides a secure way to share the root password.

pbreplay utility

Use the pbreplay utility to view sessions while they are occurring or at a later date.

EPM-UL can also require a checksum match before running any program, guarding against viruses or Trojan horse attacks on important accounts.
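The decision dimensions listed under Configurable actions (which user, which task, when, on which machine, from which machine) and the checksum match described above combine into a single accept-or-reject decision per request. As an added illustration, not EPM-UL's own policy language or code (this page shows neither), the following Python models that evaluation: the `Request`, `Rule` and `evaluate` names are hypothetical, and the users, hostnames, business hours and the temporary "program" file in `demo()` are constructed sample data. The checksum is checked last so that a replaced binary is rejected even when the user, hosts and time would all be allowed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    """A user's request to run a program as a privileged account (hypothetical model)."""
    user: str
    program: str        # absolute path of the program requested
    run_as: str         # account the program should run as, e.g. "root"
    submit_host: str    # machine the request was submitted from
    run_host: str       # machine the program would execute on
    when: datetime      # time the request was made


@dataclass
class Rule:
    """One accept rule: every dimension must match for the rule to apply (hypothetical model)."""
    users: frozenset
    programs: frozenset
    run_as: frozenset
    submit_hosts: frozenset
    run_hosts: frozenset
    hours: range                # local hours of the day the task may start
    expected_sha256: dict       # program path -> hex digest recorded when the program was approved


def sha256_of_file(path: str) -> str:
    """Hash the program on disk so a modified or replaced binary is detected before it runs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate(req: Request, rules, hasher=sha256_of_file):
    """Return (accepted, reason). The first rule matching every dimension decides;
    a checksum mismatch is a hard reject, never a fall-through to another rule."""
    reason = "no matching rule"
    for rule in rules:
        if req.user not in rule.users or req.program not in rule.programs:
            continue
        if req.run_as not in rule.run_as:
            continue
        if req.submit_host not in rule.submit_hosts or req.run_host not in rule.run_hosts:
            continue
        if req.when.hour not in rule.hours:
            reason = "outside permitted hours"
            continue
        expected = rule.expected_sha256.get(req.program)
        if expected is None or hasher(req.program) != expected:
            return False, "checksum mismatch: program not run"
        return True, "accepted"
    return False, reason


def demo():
    """Constructed scenario: a printer-queue helper approved for two help-desk users,
    submitted from helpdesk1, run as root on printsrv1, during 08:00-17:59."""
    with tempfile.TemporaryDirectory() as d:
        program = os.path.join(d, "clear_printer_queue")
        with open(program, "w") as f:
            f.write("#!/bin/sh\necho clearing queue\n")   # constructed sample program
        rules = [Rule(
            users=frozenset({"alice", "bob"}),
            programs=frozenset({program}),
            run_as=frozenset({"root"}),
            submit_hosts=frozenset({"helpdesk1"}),
            run_hosts=frozenset({"printsrv1"}),
            hours=range(8, 18),
            expected_sha256={program: sha256_of_file(program)},   # digest taken at approval time
        )]
        base = dict(program=program, run_as="root", submit_host="helpdesk1", run_host="printsrv1")
        ten_am = datetime(2025, 1, 6, 10, 0)
        results = {
            "ok": evaluate(Request(user="alice", when=ten_am, **base), rules),
            "wrong_user": evaluate(Request(user="mallory", when=ten_am, **base), rules),
            "after_hours": evaluate(Request(user="alice", when=datetime(2025, 1, 6, 23, 0), **base), rules),
            "wrong_host": evaluate(Request(user="alice", when=ten_am,
                                           **{**base, "submit_host": "laptop7"}), rules),
        }
        # Simulate the program being altered after approval: same path, different contents.
        with open(program, "a") as f:
            f.write("echo tampered\n")
        results["tampered"] = evaluate(Request(user="alice", when=ten_am, **base), rules)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

Passing `hasher` as a parameter keeps the policy logic testable without touching the filesystem; in a real deployment the expected digests would live with the policy on the secured policy host described under Precautions, not beside the program they protect.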

Encrypt EPM-UL network traffic

Encryption protects sensitive data from network monitoring. Optionally, encrypt all network traffic that EPM-UL generates, including:

  • control messages,
  • input keyed by users, and
  • output generated by commands run through EPM-UL.

Audit trails

You can also create an audit trail of partitioned root functions. EPM-UL can record all activity that passes through it, down to the I/O level, so you always know exactly what happened as root, who did it, when it happened, and where.

Precautions

Because root can modify any file, special precautions must be taken to ensure the logs are secure.

  • Configure EPM-UL to receive user requests from the submitting machine, execute tasks on the execution machine, and log all activities on yet another, secure machine.
  • If necessary, machines that contain the policy files and the log files can be made physically inaccessible to users and isolated from remote login over the network.
  • Logs can be printed to hardcopy on a secure printer or recorded to a WORM drive.
  • A secure machine can be assigned a root password, which is unknown to the person who has physical access to it, but known to someone else without physical access. Therefore, the two people would have to collude to subvert system security.

Utilities

EPM-UL can run existing programs as well as its own set of utilities for common system administration tasks.

You can develop utilities to run on top of EPM-UL. These can perform management tasks for passwords, accounts, backups, line printers, file ownership or removal, rebooting, logging out users, killing their programs, deciding who can log in to what machines from where, and more.

Note

Users can work within a restricted shell or editor to access certain programs or files as root.

SafeNet Luna SA Hardware Security Module

What is SafeNet Luna SA Hardware Security Module (HSM)?

SafeNet Luna SA is a flexible, network-attached HSM providing powerful cryptographic processing and hardware key management for applications where security and performance are a top priority.

How is this useful to EPM-UL?

EPM-UL integrates with the SafeNet Luna SA Hardware Security Module (HSM) to provide the first privileged user management solution to use FIPS 140-2 Security Level 2 encryption services, achieving compliance with the strictest key storage requirements and standards.

With FIPS 140-2 Security Level 2 and Common Criteria EAL 4+ validation, SafeNet Luna SA is an Ethernet-attached hardware security appliance that is designed to ensure the integrity and security of key management for PKI root key protection and smartcard issuance, with blazing cryptographic processing for digital signing applications or SSL acceleration for Web servers.

Solr (deprecated)

Important information

As of EPM-UL version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but EPM-UL features that use an existing Solr installation do continue to work.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.