지금 지원 담당자와 채팅
지원 담당자와 채팅

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

Administering Log and Keystroke Files

Privilege Manager allows you to control what is logged, as well as when and where it is logged. To help you set up and use these log files, the topics in this section explore enabling and disabling logging, as well as how to specify the log file locations.

Privilege Manager includes three different types of logging; the first two are helpful for audit purposes:

  • keystroke logging, also referred to as I/O logging

    Keystroke logs record the user’s keystrokes and the terminal output of any sessions granted by Privilege Manager.

  • event logging

    Event logs record the details of all requests to run privileged commands. The details include what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected.

  • error logging

You can configure some aspects of the event and keystroke logging by means of the security policy on the policy servers. What you can configure and how you configure it depends on which type of security policy you are using on your policy server -- pmpolicy or sudo.

Related Topics

Security policy types

Controlling logs

The following variables are used to control the logging of program input and output through Privilege Manager.

Table 18: Logging variables
Variable Explanation
iolog If set to a filename, the iolog variable logs all of the information from the logstdin, logstdout, and logstderr variables to the specified filename.
logstderr If set to true, the logstderr variable logs any error responses.
logstdin If set to true, the logstdin variable logs all information coming in from standard input.
logstdout If set to true, the logstdout variable logs all information being displayed to standard output.

NOTE: For details about these logging variables, refer to Global output variables.

To log the input, output and error I/O streams from a request, set logstdin, logstdout, and logstderr to true. Set iolog to the name of the log file. After Privilege Manager completes the request, you can use the pmreplay command to replay the session that was logged.

You can limit the amount of data logged for each stream. This avoids filling up the I/O logs with large amounts of output from benign commands, such as when using cat or tail to display a large file. You can limit the I/O logging to the first n bytes of the output. For example, to log only the first 500 bytes of stdout, enter:

iolog_opmax=500;

The following example ensures that whenever you run the adduser program through Privilege Manager, it logs all input and output in the specified file:

if(command=="adduser") { 
   iolog="/var/log/iolog/" + user + mktemp("_XXXXXX"); 
   logstdin=true; 
   logstdout=true; 
   logstderr=true; 
   runuser="root"; 
   accept; 
}

Local logging

The location of the error logs for the Privilege Manager components, pmrun, pmlocald, and pmmasterd, is specified using keywords in the pm.settings file. Enter the following to specify that you want the error logs written to the /var/adm directory:

pmlocaldlog /var/adm/pmlocald.log 
pmmasterdlog /var/adm/pmmasterd.log 
pmrunlog /var/adm/pmrun.log

Alternatively, you can enable UNIX syslog error logging in the pm.settings file, by specifying:

syslog YES

Use one of the following keywords to specify which syslog facility to use:

  • LOG_KERN
  • LOG_USER
  • LOG_MAIL
  • LOG_DAEMON
  • LOG_AUTH (the default)
  • LOG_LPR
  • LOG_NEWS
  • LOG_UUCP
  • LOG_CRON
  • LOG_LOCAL0 through LOG_LOCAL7

For example, to enable syslog error logging using the LOG_AUTH facility, enter in the pm.settings file:

syslog YES 
facility LOG_AUTH

See PM settings variables for more information about modifying the Privilege Manager configuration settings.

Event logging

Event logs are enabled by default for all requests sent to the Privilege Manager Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.db.

When using the pmpolicy type, you can change the location of the event log, or disable event logging for a specific request by modifying the eventlog policy variable. For example, to disable event logging for all pmlist commands, add the following code to your security policy:

if (basename(command) == "pmlist") { eventlog=""; }

The following pmpolicy variables affect event log settings:

Table 19: Event logging policy variables
Variable Data type Description
eventlog string The name of the file in which events (acceptances, rejections, and completions) are logged. (Default is /var/opt/quest/qpm4u/pmevents.db.)

This must be a full pathname starting with a / (slash). For example:

eventlog = "/var/logs/pmevents.db";

If the log file name you specify in the policy file cannot be opened, Privilege Manager automatically logs all events in the default log file.

See also eventlog.

logomit list Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs.

See also logomit.

export varname Specify a local variable to add to the event log. (Refer to Operators and expressions for more information about export.)

For example, enter the following to specify that you want to:

  • record event log in /var/adm/pmevents.db
  • not include the env and runenv variables in the logs
eventlog = "/var/adm/pmevents.db"; 
logomit = {"env","runenv"};
관련 문서