Event logs are enabled by default for all requests sent to the Safeguard Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.db.
Event logs are enabled by default for all requests sent to the Safeguard Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.db.
Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. See Safeguard licensing for details.
You can enable keystroke logging using the log_input and log_output default parameters.
Enabling log_input and log_output enables keystroke logging.
For example, to enable keystroke logging for all requests, specify:
Defaults log_input, log_output
To specify keystroke logging of output just for the root user, specify:
Defaults:root log_output
You can also override default settings by using the LOG_INPUT, LOG_OUTPUT, NOLOG_INPUT, NOLOG_OUTPUT tags in a user specification entry. For example, to suppress keystroke logging for the ls command, enter:
ALL ALL=(ALL) NOLOG_OUTPUT:/bin/ls
The location of the keystroke log file is determined by the iolog_dir and iolog_file default specifications.
The defaults are:
Defaults iolog_dir = "/var/opt/quest/qpm4u/iolog" Defaults iolog_file = "%{user}/%{runas_user}/%{command}_%Y%m%d_%H%M_XXXXXX"
See the Sudoers man page for an explanation of the supported percent (%) escape sequences.
The trailing “XXXXXX” characters at the end of iolog_file are required; without them, no I/O log will be generated. These X’s are replaced with a unique combination of digits and letters, similar to the mktemp() function.
Administrators can stream event logs and keystroke (IO) logs from a client to a sudo log audit server (or compatible server) that implements the sudo logsrv protocol. This feature is disabled by default. Enable the recording service through configuring the policy server with pmsrvconfig or by editing pm.settings.
The stored keystroke (IO) logs can be rotated, trimmed, and compressed to manage storage space.
A syslog output of streamed keystroke (IO) logs can be used to send the data to a Security Information and Event Management (SIEM) tool.
pmmasterd sends I/O logs to the audit server when a command is run via pmrun. I/O logs are sent in real-time. A setting in pm.settings determines whether I/O logs are stored locally too.
You can configure the audit server in pm.settings or interactive mode The pm.settings file sincludes settings for the CA bundle, client certificate, and client key files as well as other settings.
One or more audit servers can be specified in the pm.settings file along with the associated port (which defaults to port 30344).
When pmmasterd receives an event from the client, it relays the event to sudo_logsrvd. Events that are supported include: Accept, Reject, and Alert. Logging to the audit server is in addition to local logging. A setting in the pm.settings file specifies whether an unreachable audit server is considered a fatal error or not.
See PM settings variables for more information about modifying the following configuration settings:
auditsrvCAbundle
auditsrvCert
auditsrvEnabled
auditsrvEnforced
auditsrvHosts
auditsrvKeepalive
auditsrvLocaliologs
auditsrvLogdir
auditsrvPkey
auditsrvPSpaceMB
auditsrvTimeout
auditsrvTLS
auditsrvTLSCheckpeer
auditsrvTLSVerify
You can also use the interactive mode of pmsrvconfig to perform most configuration.
In this example, you can see the how interactive mode works.
$ pmsrvconfig -i [...] ** Where would you like to store errors reported by the Privilege Manager policy server daemon? [/var/log/pmmasterd.log] - Policy server log location: /var/log/pmmasterd.log *** Configure Audit Server for Privilege Manager ** Audit Server configuration for pmmasterd - The Audit Server can receive event and kestroke logs in real time. - If enabled, pmmasterd streams all logs to the Audit Server. ** Would like you to configure Audit Server(s) for Privilege Manager [YES] - Configuring Audit Server(s) for pmmasterd: YES ** Audit Server availability - If none of the configured audit servers are available, the policy server can either - - Reject all commands until an audit server becomes available - - Save audit trails locally on the policy server. These trails will be transferred automatically to an audit server when it becomes available. - When configured audit server(s) become unavailable, - 1) I want the policy server to reject all requests - 2) I want to use audit trail caching on the policy server ** Please select an option [1] 2 ** Enter the directory where pmmasterd can save audit trails [/var/opt/quest/qpm4u/auditserver] - Audit trails will be saved to directory: /var/opt/quest/qpm4u/auditserver ** How much disk space shall be preserved in megabytes? [100] - Command execution will not be permitted if the available disk space drops below 100 megabytes ** Would you like to retain old format IO logs locally? [YES] - Retaining old IO logs locally: YES ** Enter connection timeout in seconds: [3] 10 - Connection timeout: 10 ** Would you like to enable TCP keepalive messages? [YES] - TCP keepalive messages enabled: YES ** Would you like to secure connection with TLS? [YES] - Communication between policy server and audit server is secured with TLS: YES ** Audit Servers are already configured: - qpmdevel1.qpmdomain:30344 ** Would you like to reconfigure the Audit Servers? [NO] - Overwriting Audit Server list: YES ** Please enter the address (hostname | ip_v4 | ip_v6): 127.0.0.1 - Audit Server address: 127.0.0.1 ** What port number would you like to use for the audit server daemon? [30344] - Audit Server port: 30344 ** Do you want to add an additional Audit Server to the configuration? [NO] - 127.0.0.1:30344** Configure TLS parameters - You need to provide the following files in order to configure TLS: - * CA bundle file - * Private key file - * Certificate file ** Please enter the full path to the CA bundle file [/etc/ssl/sudo/ca.bundle.pem]: ** Checking that CA bundle is in PEM format [ OK ] - CA bundle file is set: /etc/ssl/sudo/ca.bundle.pem ** Please enter the full path to the private key file [/etc/ssl/sudo/qpm_qpmdevel1.key.pem]: ** Checking that private key is in PEM format [ OK ] - Private key file is set: /etc/ssl/sudo/qpm_qpmdevel1.key.pem ** Please enter the full path to the certificate file [/etc/ssl/sudo/qpm_qpmdevel1.cert.pem]: ** Checking certificate against the private key [ OK ] ** Checking certificate chain of trust [ OK ] ** Checking certificate expiration [ OK ] ** Checking hostname/IP address [WARN] - WARNING: Could not verify hostname/IP - Client certificate file is set: /etc/ssl/sudo/qpm_qpmdevel1.cert.pem ** Would like you to check connection to the audit server(s)? [YES]
You can use the pmauditsrv and options for the following:
The connection from pmmasterd to sudo_logsrvd uses TLS to secure data transmission. If none of the audit servers are reachable, event logs and keystroke I/O logs are queued locally on the policy server and sent to the audit server once it is available. Offline logs are encrypted until they are transferred to the log server.
For more information, see pmauditsrv.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Termini di utilizzo Privacy Cookie Preference Center