This whole sentence raises questions for the reader without answering them. When is "at some point"? Or better, why is this needed? What is "managed account escalation"?

How about something more definite:

System administrators often need the ability to grant enhanced permissions to users so they can perform privileged tasks.

Probably can be done better, just winging it.

Better to break the sentence here:

...levels.  However,

Passive->active:

s/will//

Do we say "superuser" or "super user" elsewhere? Should be consistent with that, and should be in the FDPP word list (it's not).

s/start up/startup/

s/will/needs to/
s/For many years, the/Traditionally,/
(yes, the "the" is not needed)

"would manage this" is kind of unclear. Maybe:

Traditionally, standard users and groups, file permissions, and &man.su.1; were used to manage this access.

s/as/and as/

"needed" is redundant with the previous usage in the sentence. Maybe "desired" or "required"?

Since the application name is capitalized, it should be here also.

s/administrations/administrators/

s/commands,/commands/

s/ports collection/Ports Collection as <package role="port">security/sudo</package>/

The end of that sentence can be simplified, and it is not necessary to say "for example":

or with &man.pkg.8;.  To install the <application>Sudo</application> package:</para>

See note for previous line, "perform the following steps" is not needed.

I suggest that it is not necessary to show users how to install from a package or port for everything. Actually, it is probably counterproductive. Mention the origin of the port (as above), then show installing it as a port or package and call it good. So this sentence can be left out.

"file" is redundant.

I don't know what you mean by "pragmatically" here. Can't it just be

can be edited manually or using

(may == permission, can == possibility)
(via == road directions)

Should be <command>, and then the redundant word can be removed:

<command>visudo</command>.

I would suggest flipping this around. Recommend the right way to do it, then say (if needed) that it can be edited manually.
(Note that the reader is not told why they are editing the file yet. Needs a sentence or so to describe what the config file is before this.)

After installation, use <command>visudo</command> can be used to edit
<filename>/etc/sudoers</filename>.  This file can also be modified with other editors,
but <command>visudo</command> checks for configuration errors.</para>

s/mini/small/

s/allows/allow/
(several small sections which allow)

s/user1/<replaceable>user1</replaceable>

Passive->active:
s/will need/needs/

s/webservice/<replaceable>webservice</replaceable>/

"the following" is not needed here, it's already following. Suggestion:

Add this line to the end of <filename>/etc/sudoers</filename>:</para>

"the following" is not needed:

The user can start <replaceable>webservice</replaceable> with this command:</para>

I'm not sure if the full path to "service" helps make the command clearer or not. And shouldn't that be webservice rather than httpd?

This sentence kind of loses track in the middle. Semicolons are best for long narratives:

It was a dark and stormy night. Like a raccoon digging through a trash can, the editor delved through the portions of text. Semicolons were discarded like rotten green peppers; long ago, the existentially-challenged not-a-comma-not-a-period questionableness of these indeterminate punctuation marks had made itself known. Too often, they were used as sentence splices; making sentences longer and more complex (not a good thing for documentation), and a job better done by simpler and more humble punctuation.

So:

This configuration gives a single user control of <replaceable>webservice</replaceable>.  But in most organizations,...

Maybe s/the service/such services/ ?

Also:
s/may/can/

Try to avoid the if/then pause with the comma by reordering:

A single line can also give access to an entire group.

s/The following/These/

Passive->active:
s/will create/create/

"our" is a little unclear. "the"?

This last sentence is not needed. Just jam the colon onto the previous sentence:

group to manage the service:</para>

Passive -> active:
s/will be/is/

Passive -> active:
s/will alow/allows/

Since "webservice" is a name, I'd skip the "the" (and also use <replaceable>):

...to manage <replaceable>webservice</replaceable>.

Redundant, and if using the name, capitalize:

Unlike &man.su.1;, <application>Sudo</application>

This is a little vague about how it "requires" the user's password.

"Unlike" is kind of an "if not", if you see what I mean. Maybe:

Users permitted to run applications with <application>Sudo</application> only enter their own passwords.  This is more secure and gives better control than &man.su.1;, where the root password is entered and the user acquires all root permissions.

(That can be done better, I'm sure. The two things to point out (IMO) are that sudo asks for passwords each time, and that it's the user password.)

Not too clear.

<application>Sudo</application> removes the need to deal with the security implications of shared passwords.

"The sudo"? Let's just write it like we'd say it:

<application>Sudo</application> provides for these cases

s/by use of/with the/

It's a keyword, though, isn't it? So maybe

with the <literal>NOPASSWORD</literal> keyword.

Start the sentence here, like this. Don't need "For example".

Also, passive -> active:

Adding it to the configuration above allows all members

s/webteam/<replaceable>webteam</replaceable>

End the sentence here:

requirement:</para>

Nice to have xml:id set for all sections. It generated anchors that can be linked in URLs.

s/sudo/Sudo/

"By" is not needed, just "Using"

s/sudo/Sudo/
passive->active: s/will be/are/

Sentence splice or two... and user/uses is confusing.

directory entry.  This example shows a user variable.  However,

Unsplice:

several other log filename conventions exist.  Consult the

Maybe just say "consult &man.sudoreplay.8;" instead?

(Yes, we have a problem with the default link to man pages not including the port man pages. Help to fix that is welcome.)

Not clear whether the program creates the directory or the user is meant to.

Redundant. Not "the sudoers file", better to be just the full path:

options inside <filename>/etc/sudoers</filename>.</para>

s/may/can/

"current" is not clear. How about saying "the previous example can be modified so the <replaceable>webteam</replaceable> has these additional changes:</para>`

s/webteam/<replaceable>webteam</replaceable>/

Should be "webservice", not plural. And should have <replaceable> tags.

This is one of those if/then "to do this... do this" sentences with a pause at the start. It can be rearranged to avoid the pause:

The list of previous and current sessions can be displayed with:</para>

This sentence starts with three separate pausing parts. It's not really clear what it's saying, maybe something like "A specific section of the log can be replayed. Locate the <literal>TSID=</literal> entry in the desired session, then give that value to <command>sudoreplay</command> to replay that session at normal speed:</para>

Reader questions: But what is "normal" speed? What exactly does "replay" mean here?

Note use of <command> tags.

I switched can to "may" here on this one. I can't come up with a different sentence which covers everything I would like so this works.

I think the compound sentence is fine - I really don't want to start a sentence with "however" as it's just odd. I guess the sentence could stand on its own.

Appears to be superuser. Updated.

"needs" has a very odd sound here, used "need" as it still implies the requirement but removes the plural. All else is done here.

I altered to be like:

<para>The <application>Sudo</application> application allows
  administrators to configure more rigid access to system
  commands and provide for some advanced logging
  features.  As a tool, it is available from the Ports Collection
  or by use of the &man.pkg.8; tool.  To use
  the &man.pkg.8; tool:</para>

<screen>&prompt.root; <userinput>pkg install sudo</userinput></screen>

I'm having a hard time making sense of it without file: "the /etc/sudoers may be ..."

Reworded:

<para>After the installation is complete, the installed
  <command>visudo</command> will open the configuration file with
  a text editor.  Using <command>visudo</command> is highly
  recommended as it comes with a built in syntax checker to verify
  there are no errors before the file is saved.</para>

I'll need to come up with something better, there are two independent thoughts here, maybe they should both be fleshed out and made into two or three different paragraphs.

I used yours with added <username> markup.

I removed "however" and split into two sentences.

Ok, what work has been done with the ports manual page link?

Did some fix up here.

I used "in the example shown" and added replaceable markup.

Guess I need to rewrite this paragraph. I was debating on putting in some kind of definition for replay to start with.

This needs re-written. Because while I know that I mean "finding a removed log entry" would leave questions, I can't promise the reader will come to the same conclusion.

I rewrote the paragraph:

<warning>

<para>While sessions are logged, any administrator is

	  able to remove sessions and leave only a question of why they
	  had done so.  It is worthwhile to add a daily check
	  through an intrusion detection system (<acronym>IDS</acronym>)
	  or similar software so that other administrators are alerted
	  to manual alterations.</para>
      </warning>

It's called "sudo" not "Sudo" (and should be <application>sudo</application>, no ?)

same here.

Drop "the" and "application".

Say it comes from security/sudo with the appropriate markup.

/usr/local/etc/sudoers

shouldn't there be a sudo in there ? like before /usr/sbin/service ?

/usr/local/etc/sudoers

end-user ?

Maybe igor could check that every chapter/sect[12] have xml:id (and maybe sect[34] too.

I'd really like to see the full change suggested by @wblock here.