SUDO MANAGER USER GUIDE

What is Sudo Manager?

Many organizations use sudo to define and delegate elevated privileges throughout their Unix and Linux systems. Its appeal lies in the additional layer of protection it gives to root access while providing logging and auditing features, all with no upfront cost.

Sudo Manager is BeyondTrust's offering for better management and maintenance of sudo's files and data. It leverages some of the rich core features of Endpoint Privilege Management for Unix and Linux (EPM-UL) without replacing sudo itself.

How is it useful to my organization?

Sudo alternatives, such as Endpoint Privilege Management for Unix and Linux (EPM-UL), are commercially available to provide a more complete, seamless, and secure least privilege solution for the enterprise. This upgrade entails an investment of time and resources.

For organizations that choose not to fully convert their sudo-managed systems, BeyondTrust offers Endpoint Privilege Management for Unix and Linux Sudo Manager, hereinafter Sudo Manager, which simplifies and enhances sudo management using some of the core features of EPM-UL. This allows for a quick and cost-effective implementation and continued use of all existing sudoers files.

Implementing Sudo Manager has the following benefits:

  • Centralization of sudoers policies: Policies are stored in a secure database on the Policy Server host.
  • Change management for sudoers policies: Once sudo policies are stored on the Policy Server, they can be checked out, modified, and checked back in centrally, without the need to go to each sudo host.
  • Integration with EPM-UL event logs: After policy processing, an accept or reject event is logged in the event log.

Overview

To effectively administer Sudo Manager, it is necessary to understand how the product works. A typical Sudo Manager configuration consists of the following:

  • pbsudomgr.so: The plugin extending sudo with some of the core features of EPM-UL.
  • Sudo Manager Policy Server: The component providing central management of sudoers files.
  • Log Host: The component writing the event logs.
  • pbadmin: A robust command line utility for administrators to manage files and data used by Endpoint Privilege Management for Unix and Linux Sudo Manager.

The pbsudomgr.so plugin must reside on the sudo hosts being managed. For optimal security, the Sudo Manager Policy Server and log host should be separate machines isolated from normal activity.

Sudo Manager component, directory, and file locations

Note: For the locations of the Endpoint Privilege Management for Unix and Linux components, directories, and files, along with other changes and post-installation instructions, see the EPM-UL Installation Guide.

