Power Broker


PowerBroker solves the password and privilege management problems surrounding the root account on UNIX systems, and provides a secure, indelible audit trail of system administrative actions. It also provides a mechanism to selectively grant certain administrative privileges to specified users under circumstances specified using a custom-crafted policy language.

The new version of PowerBroker includes a complete log query system that can answer such questions as "display all root actions that user fred undertook on machines 37, 38, or 39 last week after 9PM". Also, PowerBroker can now be easily integrated with other mechanisms such as smart-card systems, by calling out directly to them from the PowerBroker policy language.

Using PowerBroker 1.1, system administrators finally have the power to assign specific system management duties to other users, freeing up time to attend to more critical tasks. The system administrator can configure PowerBroker to accept requests from users to run specified programs in important accounts such as root. Criteria for acceptance can include username, program name, time, date, hostname, directory, group, and many more. The full working environment of each program can be specified to address the many security issues surrounding root activities.

PowerBroker selectively logs root activity, providing an indelible audit trail of important system actions. Optionally, PowerBroker records entire sessions for later replay, to discover what a user typed and saw on the screen during a session. PowerBroker can attach to interesting sessions in progress for real-time monitoring. PowerBroker's network traffic can be encrypted, preventing network snoopers from reading sensitive information as it is transmitted across a network.

"Companies often find that the administrative tools for controlling privileged access are missing on UNIX," states Dan Freedman, Director of FSA Corp. "PowerBroker gives the system administrator total control and auditability of who can run what, when, and where in the root account, and in other important accounts, without having to disclose sensitive passwords."


1995 FSA Corp. - info@fsa.ca