CaclMgr
CaclMgr is a very secure and easy-to-use UNIX privilege delegation tool that can be used for system and application job automation. It has the most advanced control over environment variables and their values: for example, it can limit an environment variable to be usable only with certain commands and only within a limited value range.
All types of privileged accounts can use it to grant their privilege to others for specific commands, and it verifies a SHA384 checksum of each granted command before executing it with a different privilege.
It comes with the shlog program, which lets you log a command's terminal display and replay it.
Compared with other similar software, CaclMgr is the most multi-user-friendly and easy-to-control privilege delegation software: any privileged user, such as a dba, can use CaclMgr to directly grant his/her privilege to another account to run a command. Any privileged user can also easily check who on the system has received his/her grant, what commands have been granted, and who has used that privilege to run the commands, and can revoke a grant with a simple command.
Compared with sudo, CaclMgr is far more secure by default, and its log is also more trustworthy.
Although sudo is widely used, even by some big financial institutions, it has a pretty bad security record. In most sudo deployments today, a malicious person would still be able to cause security damage through sudo, which is very bad.
Compared with Power Broker, CaclMgr is more usable and cost-effective, more suitable for running scripts, helpful in reducing data breaches during normal operation, and better at following the least privilege principle in job automation.
CaclMgr's customizable command warning feature helps users maintain good security on the system. For example, a database administrator without strong security knowledge might grant the privilege of running /bin/env to a user at that user's request; CaclMgr will warn the dba that doing so will cause a security issue. A company with home-grown programs that can cause security issues when run through privilege delegation software can add those programs to /etc/CaclMgr.warn, the file that lists commands that are "dangerous" to run in a privilege-switched environment. Very easy.
Also, with sudo and some other similar software, if you find a new environment variable that is dangerous to use in a privilege-switched environment, you need to wait for the software to be updated with a fix for the issue, and you never know when that will happen or even whether it will happen. With CaclMgr, you can apply the control yourself using the /etc/badenv.lst and /etc/goodenv.lst files.
The following is a list of the best features of CaclMgr:
• Easy to maintain and use: each privileged user can use a single command, "cacl", to grant a command to another user or group; check who has used his/her privilege to run a command and at what time; check what commands have been given to other users and to whom; and revoke the grant of a command from a user or group.
• Helps maintain good security for privileged users who do not have good security knowledge about privilege delegation: your company's skilled security staff and system administrators can update the /etc/CaclMgr.warn file to add any new command they find to be dangerous when executed in a privilege-delegated environment. When a less skilled user is asked to grant a command in that list to another user, CaclMgr will warn the user, and if he/she continues with the delegation, will ask him/her to confirm again.
• Can be used by any privileged user directly, with no need to use the root account to do the job; this meets the least privilege principle.
• Can be used by system and application automation jobs.
• Has the most advanced control over environment variables and their values. All environment variables except the basic ones (HOME, SHELL, LOGNAME, USER, PATH) can be controlled directly by the customer, with no need to depend on our software updates. This control can also be command-based: for example, if an environment variable is only good when its value is within a certain range for a specific command, just put that variable and its value range specification in /etc/badenv.lst and add that command to the command exception list.
• Very secure, and its logs are more trustworthy. CaclMgr's command execution logs record not only the start time of the command execution but also its exit time. Also, if the log file is illegally changed while a privilege-escalated command is executing, CaclMgr can detect it.
• Has a unique and most comprehensive function for detecting software-based password-stealing attacks, and can detect most such attacks in real time.