
Privilege Manager for Unix 6.1.1 - Administration Guide for Unix


Keystroke (I/O) logging

Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. See Privilege Manager licensing for details.

You enable keystroke logging with the iolog variable. If iolog is not defined or is an empty string, keystroke logging is disabled. Otherwise, set iolog to the full path of the file in which the keystroke log is written. See iolog for details.

If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:

iolog=mktemp("/var/opt/quest/qpm4u/iolog/" 
+ profile 
+ "/" 
+ user 
+ "/" 
+ basename(runcommand) 
+ "_" 
+ strftime("%Y%m%d_%H%M") 
+ "_XXXXXX");

You can enable keystroke logging on a per profile basis by editing the profile and shellprofile files, and setting the pf_keystrokelogging variable to true or false.

The following variables affect keystroke log settings when using the pmpolicy policy type:

  • iolog
  • iolog_encrypt
  • iolog_opmax
  • iologhost
  • logomit
  • logstderr
  • logstdin
  • logstdout
  • log_passwords

For details about these variables, refer to the Global output variables.

Keystroke (I/O) logging policy variables

You can control keystroke (I/O) logging behavior using the following policy variables.

Table 20: Keystroke logging policy variables

iolog (string)
    The name of the file in which input, output, and error output is logged. This must be a full pathname starting with a / (slash). To avoid overwriting existing I/O log files, set iolog with a mktemp function call so that each session gets its own file.

iolog_encrypt (boolean)
    Enables encryption of I/O logs. To enable encryption, set:
    iolog_encrypt = true;
    Log files are encrypted with AES; view them with pmreplay.

iolog_errmax (integer)
    Limits the amount of text logged from stderr for each command.

iolog_opmax (integer)
    Limits the amount of text logged from stdout for each command. For example, if iolog_opmax is set to 500 and you enter:
    cat filename1
    only the first 500 bytes of output produced by this command are logged.

log_passwords (boolean)
    Specifies whether passwords are logged to the keystroke log. The default setting logs passwords. Because the I/O log records everything typed on stdin, the default writes any password entered during the logged session (for example at an su or ssh prompt) into the log file; set log_passwords = false unless the I/O log store is protected to the same standard as those passwords. See log_passwords for details.

logstderr (boolean)
    Specifies whether error output is logged; default is "true".

logstdin (boolean)
    Specifies whether input is logged; default is "true".

logstdout (boolean)
    Specifies whether output is logged; default is "true".

All boolean values default to "true".

Example
iolog = mktemp("/opt/quest/qpm4u/logs/" + user + "_" + basename(command)
   + "_XXXXXX");
iolog_encrypt = true;
iolog_opmax = 500;
iolog_errmax = 200;
logstderr = false;
logstdin = true;
logstdout = true;
log_passwords = false;

For details about the keystroke logging variables, refer to Global output variables.

Central logging with Privilege Manager for Unix

Privilege Manager for Unix can configure central logging for I/O and event logs using the iologhost and eventloghost policy variables.

pmmasterd uses port number 12345 by default to communicate with the log server.

A host that is configured as a centralized log server must have the clients keyword added to its pm.settings file to specify which policy servers may forward their I/O and event log information to this log server.

Figure 9: Configuring central logging for I/O and event Logs

In this example, master1, master2, master3, and logmaster are all Privilege Manager policy servers (pmmasterd).

logmaster is configured as the centralized log host for I/O and event logs for master1, master2 and master3. To send I/O and event log information to logmaster, the policy must include the following statements:

iologhost = "logmaster"; 
eventloghost = "logmaster";

If for any reason (such as a system outage) the logs cannot be forwarded to the central logging host (logmaster in the above example), log files are stored locally on the authenticating policy server (master1, master2, or master3 in the above example). The location of these local log files is specified by the tmplogdir policy variable, which defaults to /var/opt/quest/qpm4u/iolog/queue.

The pm.settings file for logmaster must include the clients keyword. For example:

clients master1 master2 master3

Related Topics

PM settings variables

tmplogdir

Controlling log size with Privilege Manager for Unix

An effective strategy for controlling the size of the log files in Privilege Manager for Unix is to limit the amount of information sent to the logs. Instead of logging keystrokes for every command, construct a policy that sets iolog only for sensitive commands and leaves it empty (logging disabled) for everything else.

You can also use the following policy variables to limit the information written to the log files.

Table 21: Size-controlling logging variables

iolog_encrypt (boolean)
    Enables I/O log encryption; default is "true".
    Log files are encrypted with AES; view them with pmreplay.

iolog_errmax (integer)
    Limits the amount of text logged from stderr for each command.

iolog_opmax (integer)
    Limits the amount of text logged from stdout for each command. For example, if iolog_opmax is set to 500 and you enter the following command:
    cat filename1
    only the first 500 bytes of output produced by this command are logged.

logomit (list)
    Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs.

logstderr (boolean)
    Specifies whether error output is logged; default is "true".

logstdin (boolean)
    Specifies whether input is logged; default is "true".

logstdout (boolean)
    Specifies whether output is logged; default is "true".
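The following pmpolicy fragment is an added example, not code from the Privilege Manager guide or the product, showing the strategy described above together with the password caveat from Table 20: encrypted, size-capped keystroke logging is switched on only when the command being run is on a list of sensitive commands, typed passwords are kept out of the log, and iolog is left empty (logging disabled) for every other command. The sensitive_cmds list and its contents, the byte caps, and the log directory are assumptions; iolog, iolog_encrypt, iolog_opmax, iolog_errmax, logstdin, logstdout, logstderr, log_passwords, user, runcommand, basename(), mktemp() and strftime() are the variables and functions this page names. The brace list literal and the in membership test follow the pmpolicy flow-control syntax described elsewhere in this guide; verify them against that chapter before deploying.

```pmpolicy
# Added example, not from the Privilege Manager documentation.
# Hypothetical list of commands whose sessions must be keystroke logged.
sensitive_cmds = { "passwd", "su", "visudo", "useradd", "userdel" };

if ( basename(runcommand) in sensitive_cmds ) {
    # One unique, encrypted I/O log per session (mktemp fills in XXXXXX).
    # Directory is an assumed location; any full path starting with / works.
    iolog = mktemp("/var/opt/quest/qpm4u/iolog/" + user + "/"
                   + basename(runcommand) + "_"
                   + strftime("%Y%m%d_%H%M") + "_XXXXXX");
    iolog_encrypt = true;

    # Never write passwords typed during the session into the log.
    log_passwords = false;

    # Record what was typed and what came back, but cap the volume per command
    # (values are assumptions; tune to what your reviewers actually replay).
    logstdin  = true;
    logstdout = true;
    logstderr = true;
    iolog_opmax  = 4096;   # bytes of stdout kept per command
    iolog_errmax = 1024;   # bytes of stderr kept per command
} else {
    # Everything else: no keystroke log at all. The event log still records
    # who ran what, so the request remains auditable without the I/O volume.
    iolog = "";
}

accept;
```

The else branch is the part that actually controls disk usage: an empty iolog means no I/O file is created for the session, while the event log entry is still written. Keep the sensitive list short and review it with the same care as the rest of the policy, since a command left off the list runs without any keystroke record.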
