Chat now with support
Chat with Support

Privilege Manager for Unix 7.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Controlling logs

The following variables are used to control the logging of program input and output through Privilege Manager for Unix.

Table 19: Logging variables
Variable Explanation
iolog If set to a filename, the iolog variable logs all of the information from the logstdin, logstdout, and logstderr variables to the specified filename.
logstderr If set to true, the logstderr variable logs any error responses.
logstdin If set to true, the logstdin variable logs all information coming in from standard input.
If set to true, the logstdout variable logs all information being displayed to standard output.

For details about these logging variables, refer to Global output variables.

To log the input, output and error I/O streams from a request, set logstdin, logstdout, and logstderr to true. Set iolog to the name of the log file. After Privilege Manager for Unix completes the request, you can use the pmreplay command to replay the session that was logged.

You can limit the amount of data logged for each stream. This avoids filling up the I/O logs with large amounts of output from benign commands, such as when using cat or tail to display a large file. You can limit the I/O logging to the first n bytes of the output. For example, to log only the first 500 bytes of stdout, enter:

iolog_opmax=500;

The following example ensures that whenever you run the adduser program through Privilege Manager for Unix, it logs all input and output in the specified file:

if(command=="adduser") { 
   iolog="/var/log/iolog/" + user + mktemp("_XXXXXX"); 
   logstdin=true; 
   logstdout=true; 
   logstderr=true; 
   runuser="root"; 
   accept; 
}

Local logging

The location of the error logs for the Privilege Manager for Unix components, pmrun, pmlocald, and pmmasterd, is specified using keywords in the pm.settings file. Enter the following to specify that you want the error logs written to the /var/adm directory:

pmlocaldlog /var/adm/pmlocald.log 
pmmasterdlog /var/adm/pmmasterd.log 
pmrunlog /var/adm/pmrun.log

Alternatively, you can enable UNIX syslog error logging in the pm.settings file, by specifying:

syslog YES

Use one of the following keywords to specify which syslog facility to use:

  • LOG_KERN
  • LOG_USER
  • LOG_MAIL
  • LOG_DAEMON
  • LOG_AUTH (the default)
  • LOG_LPR
  • LOG_NEWS
  • LOG_UUCP
  • LOG_CRON
  • LOG_LOCAL0 through LOG_LOCAL7

For example, to enable syslog error logging using the LOG_AUTH facility, enter in the pm.settings file:

syslog YES 
facility LOG_AUTH

See PM settings variables for more information about modifying the Privilege Manager for Unix configuration settings.

Event logging

Event logs are enabled by default for all requests sent to the Privilege Manager for Unix Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.db.

When using the pmpolicy type, you can change the location of the event log, or disable event logging for a specific request by modifying the eventlog policy variable. For example, to disable event logging for all pmlist commands, add the following code to your security policy:

if (basename(command) == "pmlist") { eventlog=""; }

The following pmpolicy variables affect event log settings:

Table 20: Event logging policy variables
Variable Data type Description
eventlog string The name of the file in which events (acceptances, rejections, and completions) are logged. (Default is /var/opt/quest/qpm4u/pmevents.db.)

This must be a full pathname starting with a / (slash). For example:

eventlog = "/var/logs/pmevents.db";

If the log file name you specify in the policy file cannot be opened, Privilege Manager for Unix automatically logs all events in the default log file.

See also eventlog.

logomit list Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs.

See also logomit.

Specify a local variable to add to the event log. (Refer to Operators and expressions for more information about export.)

For example, enter the following to specify that you want to:

  • record event log in /var/adm/pmevents.db
  • not include the env and runenv variables in the logs
eventlog = "/var/adm/pmevents.db"; 
logomit = {"env","runenv"};

Keystroke (I/O) logging

Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. See Privilege Manager for Unix licensing for details.

You can enable keystroke logging using the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, specify the full path to the keystroke log using iolog variable. See iolog for details.

If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:

iolog=mktemp("/var/opt/quest/qpm4u/iolog/" 
+ profile 
+ "/" 
+ user 
+ "/" 
+ basename(runcommand) 
+ "_" 
+ strftime("%Y%m%d_%H%M") 
+ "_XXXXXX");

You can enable keystroke logging on a per profile basis by editing the profile and shellprofile files, and setting the pf_keystrokelogging variable to true or false.

The following variables affect keystroke log settings when using the pmpolicy type:

  • iolog
  • iolog_encrypt
  • iolog_opmax
  • iologhost
  • logomit
  • logstderr
  • logstdin
  • logstdout
  • log_passwords

For details about these variables, refer to the Global output variables.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating