Administering Log and Keystroke Files
Privilege Manager for Unix allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.
Privilege Manager for Unix includes three different types of logging; the first two are helpful for audit purposes:
- keystroke logging, also referred to as I/O logging
Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Privilege Manager for Unix.
- event logging
Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.
- error logging
You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server -- pmpolicy or sudo.
Controlling logs
The following variables are used to control the logging of program input and output through Privilege Manager for Unix.
Table 19: Logging variables
Variable | Description
iolog | If set to a filename, logs all of the information selected by the logstdin, logstdout, and logstderr variables to that file.
logstderr | If set to true, logs everything the command writes to standard error.
logstdin | If set to true, logs all information coming in from standard input.
logstdout | If set to true, logs all information being displayed to standard output.
For details about these logging variables, refer to Global output variables.
To log the input, output and error I/O streams from a request, set logstdin, logstdout, and logstderr to true. Set iolog to the name of the log file. After Privilege Manager for Unix completes the request, you can use the pmreplay command to replay the session that was logged.
You can limit the amount of data logged for each stream. This avoids filling up the I/O logs with large amounts of output from benign commands, such as when using cat or tail to display a large file. You can limit the I/O logging to the first n bytes of the output. For example, to log only the first 500 bytes of stdout, enter:
iolog_opmax=500;
The following example ensures that whenever you run the adduser program through Privilege Manager for Unix, it logs all input and output in the specified file:
if (command == "adduser") {
    # one uniquely named log file per user, playable later with pmreplay
    iolog = "/var/log/iolog/" + user + mktemp("_XXXXXX");
    logstdin = true;
    logstdout = true;
    logstderr = true;
    runuser = "root";
    accept;
}
Local logging
The location of the error logs for the Privilege Manager for Unix components, pmrun, pmlocald, and pmmasterd, is specified using keywords in the pm.settings file. Enter the following to specify that you want the error logs written to the /var/adm directory:
pmlocaldlog /var/adm/pmlocald.log
pmmasterdlog /var/adm/pmmasterd.log
pmrunlog /var/adm/pmrun.log
Alternatively, you can enable UNIX syslog error logging in the pm.settings file, by specifying:
syslog YES
Use one of the following keywords to specify which syslog facility to use:
- LOG_KERN
- LOG_USER
- LOG_MAIL
- LOG_DAEMON
- LOG_AUTH (the default)
- LOG_LPR
- LOG_NEWS
- LOG_UUCP
- LOG_CRON
- LOG_LOCAL0 through LOG_LOCAL7
For example, to enable syslog error logging using the LOG_AUTH facility, enter in the pm.settings file:
syslog YES
facility LOG_AUTH
See PM settings variables for more information about modifying the Privilege Manager for Unix configuration settings.
Event logging
Event logs are enabled by default for all requests sent to the Privilege Manager for Unix Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.db.
When using the pmpolicy type, you can change the location of the event log, or disable event logging for a specific request by modifying the eventlog policy variable. For example, to disable event logging for all pmlist commands, add the following code to your security policy:
if (basename(command) == "pmlist") { eventlog=""; }
The following pmpolicy variables affect event log settings:
Table 20: Event logging policy variables
Variable | Type | Description
eventlog | string | The name of the file in which events (acceptances, rejections, and completions) are logged. Default is /var/opt/quest/qpm4u/pmevents.db. This must be a full pathname starting with a / (slash), for example: eventlog = "/var/logs/pmevents.db"; If the log file named in the policy file cannot be opened, Privilege Manager for Unix automatically logs all events in the default log file. See also eventlog.
logomit | list | Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs. See also logomit.
export | varname | Specifies a local variable to add to the event log. (Refer to Operators and expressions for more information about export.)
For example, enter the following to specify that you want to:
- record the event log in /var/adm/pmevents.db
- omit the env and runenv variables from the event log
eventlog = "/var/adm/pmevents.db";
logomit = {"env","runenv"};
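The following pmpolicy fragment is an added example, not from the product documentation, that combines the keystroke-logging controls (iolog, iolog_opmax, logstdin/logstdout/logstderr) and the event-logging controls (eventlog, logomit) described on this page into one policy. It assumes only the variables and functions shown above; the /var/log/iolog directory is illustrative, and the fragment would sit inside a larger policy that decides what to reject.

```pmpolicy
# Added example: audit settings for a small set of privileged commands.
# Assumes the pmpolicy variables shown on this page; /var/log/iolog is illustrative.

# Event log location and trimming apply to every request this policy evaluates.
eventlog = "/var/adm/pmevents.db";
logomit = {"env", "runenv"};

# Do not record an event for pmlist lookups.
if (basename(command) == "pmlist") {
    eventlog = "";
}

# Display-only commands still get a keystroke log, but stdout is capped
# so dumping a large file cannot flood the I/O log.
if (basename(command) == "cat" || basename(command) == "tail") {
    iolog_opmax = 500;
}

# Every command accepted here runs as root and gets a full I/O log in a
# per-user, uniquely named file that pmreplay can replay afterwards.
if (basename(command) == "adduser" ||
    basename(command) == "cat" ||
    basename(command) == "tail") {
    iolog = "/var/log/iolog/" + user + mktemp("_XXXXXX");
    logstdin = true;
    logstdout = true;
    logstderr = true;
    runuser = "root";
    accept;
}
```

Because accept ends evaluation, the eventlog and logomit assignments are placed before the accept block so they are in effect when the event is written.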