Keystroke (I/O) logging
Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. See Privilege Manager for Unix licensing for details.
You can enable keystroke logging using the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, specify the full path to the keystroke log in the iolog variable. See iolog for details.
If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:
iolog=mktemp("/var/opt/quest/qpm4u/iolog/"
+ profile
+ "/"
+ user
+ "/"
+ basename(runcommand)
+ "_"
+ strftime("%Y%m%d_%H%M")
+ "_XXXXXX");
You can enable keystroke logging on a per profile basis by editing the profile and shellprofile files, and setting the pf_keystrokelogging variable to true or false.
The following variables affect keystroke log settings when using the pmpolicy type:
- iolog
- iolog_encrypt
- iolog_opmax
- iologhost
- logomit
- logstderr
- logstdin
- logstdout
- log_passwords
For details about these variables, refer to the Global output variables.
Keystroke (I/O) logging policy variables
You can control keystroke (I/O) logging behavior using the following policy variables.
Table 21: Keystroke logging policy variables
Variable | Type | Description
iolog | string | The name of the file in which input, output, and error output is logged. This must be a full pathname starting with a / (slash). To avoid overwriting existing I/O log files, set the iolog variable with a mktemp function call.
iolog_encrypt | boolean | Enables encryption of I/O logs. To enable encryption, set iolog_encrypt = true; log files are then encrypted with AES; view them with pmreplay.
iolog_errmax | integer | Limits the amount of text logged for stderr for each command.
iolog_opmax | integer | Limits the amount of text logged for stdout for each command. For example, if iolog_opmax is set to 500 and you enter cat filename1, only the first 500 bytes of output produced by this command are logged.
log_passwords | boolean | Specifies whether passwords are logged to the keystroke log. The default setting logs passwords. See log_passwords for details.
logstderr | boolean | Specifies whether error output is logged; default is "true".
logstdin | boolean | Specifies whether input is logged; default is "true".
logstdout | boolean | Specifies whether output is logged; default is "true".
All boolean values default to "true".
Example
iolog=mktemp("/opt/quest/qpm4u/logs/"+user+"_"+basename(command)
+"_XXXXXX");
iolog_encrypt = true;
iolog_opmax = 500;
iolog_errmax = 200;
logstderr = false;
logstdin = true;
logstdout = true;
log_passwords = false;
For details about the keystroke logging variables, refer to Global output variables.
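The variables in Table 21 and the example above can be checked mechanically. The following Python is an added example, not code from the page or the product: it parses a constructed pmpolicy fragment with a minimal statement splitter (not the real pmpolicy parser) and reports settings that weaken the keystroke record, using the defaults the page states (booleans default to true, including log_passwords).

```python
import re

# Constructed pmpolicy fragment modelled on the page's example (not a real policy file).
SAMPLE_POLICY = """
iolog=mktemp("/opt/quest/qpm4u/logs/"+user+"_"+basename(command)
    +"_XXXXXX");
iolog_encrypt = true;
iolog_opmax = 500;
iolog_errmax = 200;
logstderr = false;
logstdin = true;
logstdout = true;
log_passwords = false;
"""
# Constructed weaker variant: fixed path, plaintext logs, every other variable left at its default.
WEAK_POLICY = 'iolog = "/var/opt/quest/qpm4u/iolog/session.log";\niolog_encrypt = false;\n'

def parse_assignments(text):
    """Split 'name = expr;' statements (expr may span lines) into a dict."""
    out = {}
    for stmt in text.split(";"):
        if "=" in stmt:
            name, expr = stmt.split("=", 1)
            out[name.strip()] = " ".join(expr.split())
    return out

def audit_iolog_settings(text):
    """Return findings for weak keystroke-logging settings (booleans default to true)."""
    cfg = parse_assignments(text)
    on = lambda name: cfg.get(name, "true").lower() == "true"
    findings = []
    if not cfg.get("iolog", "").strip('"'):
        findings.append("iolog unset or empty: keystroke logging is disabled")
    else:
        first = re.search(r'"([^"]*)"', cfg["iolog"])
        if not first or not first.group(1).startswith("/"):
            findings.append("iolog is not a full pathname starting with /")
        if "mktemp(" not in cfg["iolog"]:
            findings.append("iolog does not use mktemp(): an existing I/O log can be overwritten")
    if on("log_passwords"):
        findings.append("log_passwords is true (the default): typed passwords land in the I/O log")
    if not on("iolog_encrypt"):
        findings.append("iolog_encrypt is false: I/O logs are stored in plaintext")
    for stream in ("logstdin", "logstdout", "logstderr"):
        if not on(stream):
            findings.append(f"{stream} is false: that stream is absent from the session record")
    if "iolog_opmax" not in cfg:
        findings.append("iolog_opmax unset: stdout capture per command is unbounded")
    return findings
```

Run it over both fragments: the page's example yields a single note about logstderr, the weak variant four findings.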
Audit server logging
Administrators can stream event logs and keystroke (IO) logs from a client to a sudo log audit server (or compatible server) that implements the sudo logsrv protocol. This feature is disabled by default. Enable the recording service by configuring the policy server with pmsrvconfig or by editing pm.settings.
The stored keystroke (IO) logs can be rotated, trimmed, and compressed to manage storage space.
A syslog output of streamed keystroke (IO) logs can be used to send the data to a Security Information and Event Management (SIEM) tool.
pmmasterd sends I/O logs to the audit server when a command is run via pmrun. I/O logs are sent in real-time. A setting in pm.settings determines whether I/O logs are stored locally too.
Configuration options
You can configure the audit server in pm.settings or in interactive mode. The pm.settings file includes settings for the CA bundle, client certificate, and client key files as well as other settings.
Configuration with pm.settings
One or more audit servers can be specified in the pm.settings file along with the associated port (which defaults to port 30344).
When pmmasterd receives an event from the client, it relays the event to sudo_logsrvd. Events that are supported include: Accept, Reject, and Alert. Logging to the audit server is in addition to local logging. A setting in the pm.settings file specifies whether an unreachable audit server is considered a fatal error or not.
See PM settings variables for more information about modifying the following configuration settings:
- auditsrvCAbundle
- auditsrvCert
- auditsrvEnabled
- auditsrvEnforced
- auditsrvHosts
- auditsrvKeepalive
- auditsrvLocaliologs
- auditsrvLogdir
- auditsrvPkey
- auditsrvPSpaceMB
- auditsrvTimeout
- auditsrvTLS
- auditsrvTLSCheckpeer
- auditsrvTLSVerify
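As an added example (not part of the page or of pmsrvconfig), the following Python parses a constructed pm.settings excerpt and reports audit server settings that weaken the trail. Assumptions: the 'key value' line layout and yes/no boolean spellings, that auditsrvEnforced is the setting deciding whether an unreachable audit server is fatal, and that auditsrvTLSCheckpeer/auditsrvTLSVerify control peer certificate verification; the key names come from the list above and the default port 30344 from the page.

```python
# Constructed pm.settings excerpt: key names come from the page, the 'key value' layout and yes/no values are assumptions.
SAMPLE_SETTINGS = """
auditsrvEnabled      yes
auditsrvEnforced     no
auditsrvHosts        qpmdevel1.qpmdomain 127.0.0.1:30345 [::1]
auditsrvTLS          yes
auditsrvTLSCheckpeer no
auditsrvTLSVerify    yes
auditsrvCAbundle     /etc/ssl/sudo/ca.bundle.pem
auditsrvCert         /etc/ssl/sudo/qpm_qpmdevel1.cert.pem
auditsrvPkey         /etc/ssl/sudo/qpm_qpmdevel1.key.pem
"""
DEFAULT_PORT = 30344  # default audit server port stated on the page

def parse_settings(text):  # 'key value' lines, '#' starts a comment (assumed layout)
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def split_host_port(entry):  # host[:port]; IPv6 literals are written in brackets
    if entry.startswith("["):
        host, _, rest = entry[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = entry.partition(":")
    return host, (int(port) if port else DEFAULT_PORT)

def audit_server_targets(cfg):
    return [split_host_port(e) for e in cfg.get("auditsrvHosts", "").split()]

def audit_settings_findings(cfg):
    yes = lambda k: cfg.get(k, "no").lower() in ("yes", "true", "1")
    if not yes("auditsrvEnabled"):
        return ["auditsrvEnabled off: nothing is streamed to the audit server"]
    findings = []
    if not yes("auditsrvTLS"):
        findings.append("auditsrvTLS off: event and I/O logs leave the policy server in cleartext")
    else:
        for k in ("auditsrvCAbundle", "auditsrvCert", "auditsrvPkey"):
            if not cfg.get(k, "").startswith("/"):
                findings.append(f"{k} missing or not an absolute path")
        if not (yes("auditsrvTLSCheckpeer") and yes("auditsrvTLSVerify")):
            findings.append("TLS peer verification off: audit server identity is not checked")
    if not yes("auditsrvEnforced"):
        findings.append("auditsrvEnforced off: unreachable audit server is not fatal; trails are cached locally")
    return findings
```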
Configuration with pmsrvconfig
You can also use the interactive mode of pmsrvconfig to perform most configuration.
Example for interactive mode
In this example, you can see how interactive mode works.
$ pmsrvconfig -i
[...]
** Where would you like to store errors reported by the Privilege Manager policy server daemon? [/var/log/pmmasterd.log]
- Policy server log location: /var/log/pmmasterd.log
*** Configure Audit Server for Privilege Manager
** Audit Server configuration for pmmasterd
- The Audit Server can receive event and kestroke logs in real time.
- If enabled, pmmasterd streams all logs to the Audit Server.
** Would like you to configure Audit Server(s) for Privilege Manager [YES]
- Configuring Audit Server(s) for pmmasterd: YES
** Audit Server availability
- If none of the configured audit servers are available, the policy server can either
- - Reject all commands until an audit server becomes available
- - Save audit trails locally on the policy server.
These trails will be transferred automatically to an audit server when it becomes available.
- When configured audit server(s) become unavailable,
- 1) I want the policy server to reject all requests
- 2) I want to use audit trail caching on the policy server
** Please select an option [1] 2
** Enter the directory where pmmasterd can save audit trails
[/var/opt/quest/qpm4u/auditserver]
- Audit trails will be saved to directory:
/var/opt/quest/qpm4u/auditserver
** How much disk space shall be preserved in megabytes? [100]
- Command execution will not be permitted if the available disk space drops below
100 megabytes
** Would you like to retain old format IO logs locally? [YES]
- Retaining old IO logs locally: YES
** Enter connection timeout in seconds: [3] 10
- Connection timeout: 10
** Would you like to enable TCP keepalive messages? [YES]
- TCP keepalive messages enabled: YES
** Would you like to secure connection with TLS? [YES]
- Communication between policy server and audit server is secured with TLS: YES
** Audit Servers are already configured:
- qpmdevel1.qpmdomain:30344
** Would you like to reconfigure the Audit Servers? [NO]
- Overwriting Audit Server list: YES
** Please enter the address (hostname | ip_v4 | ip_v6): 127.0.0.1
- Audit Server address: 127.0.0.1
** What port number would you like to use for the audit server daemon? [30344]
- Audit Server port: 30344
** Do you want to add an additional Audit Server to the configuration? [NO]
- 127.0.0.1:30344
** Configure TLS parameters
- You need to provide the following files in order to configure TLS:
- * CA bundle file
- * Private key file
- * Certificate file
** Please enter the full path to the CA bundle file
[/etc/ssl/sudo/ca.bundle.pem]:
** Checking that CA bundle is in PEM format [ OK ]
- CA bundle file is set: /etc/ssl/sudo/ca.bundle.pem
** Please enter the full path to the private key file
[/etc/ssl/sudo/qpm_qpmdevel1.key.pem]:
** Checking that private key is in PEM format [ OK ]
- Private key file is set: /etc/ssl/sudo/qpm_qpmdevel1.key.pem
** Please enter the full path to the certificate file
[/etc/ssl/sudo/qpm_qpmdevel1.cert.pem]:
** Checking certificate against the private key [ OK ]
** Checking certificate chain of trust [ OK ]
** Checking certificate expiration [ OK ]
** Checking hostname/IP address [WARN]
- WARNING: Could not verify hostname/IP
- Client certificate file is set:
/etc/ssl/sudo/qpm_qpmdevel1.cert.pem
** Would like you to check connection to the audit server(s)? [YES]
Using pmsrvconfig
You can use the pmauditsrv command and its options for the following:
- Verify that the configured audit servers are accessible and configured properly, and exchange a "hello" message with the server.
- If the audit server is not accessible, store the events and keystroke (IO) logs temporarily offline and send them to the audit server when it is available.
The connection from pmmasterd to sudo_logsrvd uses TLS to secure data transmission. If none of the audit servers are reachable, event logs and keystroke I/O logs are queued locally on the policy server and sent to the audit server once it is available. Offline logs are encrypted until they are transferred to the log server.
For more information, see pmauditsrv.