Chat now with support
Chat with Support

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Keystroke (I/O) logging

Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. For more details, see Privilege Manager for Unix licensing.

You can enable keystroke logging using the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, specify the full path to the keystroke log using iolog variable. For more details, see iolog.

If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:

iolog=mktemp("/var/opt/quest/qpm4u/iolog/" 
+ profile 
+ "/" 
+ user 
+ "/" 
+ basename(runcommand) 
+ "_" 
+ strftime("%Y%m%d_%H%M") 
+ "_XXXXXX");

You can enable keystroke logging on a per profile basis by editing the profile and shellprofile files, and setting the pf_keystrokelogging variable to true or false.

The following variables affect keystroke log settings when using the pmpolicy type:

  • iolog

  • iolog_encrypt

  • iolog_opmax

  • iologhost

  • logomit

  • logstderr

  • logstdin

  • logstdout

  • log_passwords

For details about these variables, see Global output variables.

Keystroke (I/O) logging policy variables

You can control keystroke (I/O) logging behavior using the following policy variables.

Table 21: Keystroke logging policy variables
Variable Data type Description

iolog

string

The name of the file in which input, output, and error output is logged. This must be a full pathname starting with a / (slash). To avoid overwriting existing I/O log files, set the iolog variable with a mktemp function call.

iolog_encrypt

boolean

Enables encryption of I/O logs: To enable encryption, set:

iolog_encrypt = true;

Log files are encrypted with AES; view them with pmreplay.

iolog_errmax

integer

Limits the amount of text logged for stderr for each command.

iolog_opmax

integer

Limits the amount of text logged for stdout for each command. For example, if iolog_opmax is set to 500 and you enter:

cat filename1

it only logs the first 500 bytes of output produced by this command.

log_passwords

boolean

Specifies whether passwords are logged to the keystroke log. The default setting logs passwords. For more details, see log_passwords.

logstderr

boolean

Specifies if error output is logged; default is "true".

logstdin

boolean

Specifies whether input is logged; default is "true".

logstdout

boolean

Specifies whether output is logged; default is "true".

All boolean values default to "true".

Example
iolog=mktemp(”/opt/quest/qpm4u/logs/”+”user”+”_”+basename(command) 
   +”_XXXXXX”); 
iolog_encrypt = true; 
iolog_opmax = 500; 
iolog_errmax = 200; 
logstderr = false; 
logstdin = true; 
logstdout = true; 
log_passwords = false;

For details about the keystroke logging variables, see Global output variables.

Audit server logging

Administrators can stream event logs and keystroke (IO) logs from a client to a sudo log audit server (or compatible server) that implements the sudo logsrv protocol. This feature is disabled by default. Enable the recording service through configuring the policy server with pmsrvconfig or by editing pm.settings.

The stored keystroke (IO) logs can be rotated, trimmed, and compressed to manage storage space.

A syslog output of streamed keystroke (IO) logs can be used to send the data to a Security Information and Event Management (SIEM) tool.

pmmasterd sends I/O logs to the audit server when a command is run via pmrun. I/O logs are sent in real-time. A setting in pm.settings determines whether I/O logs are stored locally too.

Configuration options

You can configure the audit server in pm.settings or interactive mode The pm.settings file sincludes settings for the CA bundle, client certificate, and client key files as well as other settings.

Configuration with pm.settings

One or more audit servers can be specified in the pm.settings file along with the associated port (which defaults to port 30344).

When pmmasterd receives an event from the client, it relays the event to sudo_logsrvd. Events that are supported include: Accept, Reject, and Alert. Logging to the audit server is in addition to local logging. A setting in the pm.settings file specifies whether an unreachable audit server is considered a fatal error or not.

See PM settings variables for more information about modifying the following configuration settings:

  • auditsrvCAbundle

  • auditsrvCert

  • auditsrvEnabled

  • auditsrvEnforced

  • auditsrvHosts

  • auditsrvKeepalive

  • auditsrvLocaliologs

  • auditsrvLogdir

  • auditsrvPkey

  • auditsrvPSpaceMB

  • auditsrvTimeout

  • auditsrvTLS

  • auditsrvTLSCheckpeer

  • auditsrvTLSVerify

Configuration with pmsrvconfig

You can also use the interactive mode of pmsrvconfig to perform most configuration.

Example for interactive mode

In this example, you can see the how interactive mode works.

$ pmsrvconfig -i
[...]
** Where would you like to store errors reported by the Privilege Manager policy server daemon? [/var/log/pmmasterd.log]
- Policy server log location: /var/log/pmmasterd.log
*** Configure Audit Server for Privilege Manager
** Audit Server configuration for pmmasterd
- The Audit Server can receive event and kestroke logs in real time.
- If enabled, pmmasterd streams all logs to the Audit Server.
** Would like you to configure Audit Server(s) for Privilege Manager [YES]
- Configuring Audit Server(s) for pmmasterd: YES
** Audit Server availability
- If none of the configured audit servers are available, the policy server can either
- - Reject all commands until an audit server becomes available
- - Save audit trails locally on the policy server.
These trails will be transferred automatically to an audit server when it becomes available.
- When configured audit server(s) become unavailable,
- 1) I want the policy server to reject all requests
- 2) I want to use audit trail caching on the policy server
** Please select an option [1] 2
** Enter the directory where pmmasterd can save audit trails
[/var/opt/quest/qpm4u/auditserver]
- Audit trails will be saved to directory:
/var/opt/quest/qpm4u/auditserver
** How much disk space shall be preserved in megabytes? [100]
- Command execution will not be permitted if the available disk space drops below
100 megabytes
** Would you like to retain old format IO logs locally? [YES]
- Retaining old IO logs locally: YES
** Enter connection timeout in seconds: [3] 10
- Connection timeout: 10
** Would you like to enable TCP keepalive messages? [YES]
- TCP keepalive messages enabled: YES
** Would you like to secure connection with TLS? [YES]
- Communication between policy server and audit server is secured with TLS: YES
** Audit Servers are already configured:
- qpmdevel1.qpmdomain:30344
** Would you like to reconfigure the Audit Servers? [NO]
- Overwriting Audit Server list: YES
** Please enter the address (hostname | ip_v4 | ip_v6): 127.0.0.1
- Audit Server address: 127.0.0.1
** What port number would you like to use for the audit server daemon? [30344]
- Audit Server port: 30344
** Do you want to add an additional Audit Server to the configuration? [NO]
- 127.0.0.1:30344** Configure TLS parameters
- You need to provide the following files in order to configure TLS:
- * CA bundle file
- * Private key file
- * Certificate file
** Please enter the full path to the CA bundle file
[/etc/ssl/sudo/ca.bundle.pem]:
** Checking that CA bundle is in PEM format [ OK ]
- CA bundle file is set: /etc/ssl/sudo/ca.bundle.pem
** Please enter the full path to the private key file
[/etc/ssl/sudo/qpm_qpmdevel1.key.pem]:
** Checking that private key is in PEM format [ OK ]
- Private key file is set: /etc/ssl/sudo/qpm_qpmdevel1.key.pem
** Please enter the full path to the certificate file
[/etc/ssl/sudo/qpm_qpmdevel1.cert.pem]:
** Checking certificate against the private key [ OK ]
** Checking certificate chain of trust [ OK ]
** Checking certificate expiration [ OK ]
** Checking hostname/IP address [WARN]
- WARNING: Could not verify hostname/IP
- Client certificate file is set:
/etc/ssl/sudo/qpm_qpmdevel1.cert.pem
** Would like you to check connection to the audit server(s)? [YES]
Using pmsrvconfig

You can use the pmauditsrv and options for the following:

  • Verifies that the configured audit servers are accessible and configured properly and exchanges a "hello" message with the server.

  • If the audit server is not accessible, stores the events and keystroke (IO) logs temporarily offline and sent to the audit server when it is available.

The connection from pmmasterd to sudo_logsrvd uses TLS to secure data transmission. If none of the audit servers are reachable, event logs and keystroke I/O logs are queued locally on the policy server and sent to the audit server once it is available. Offline logs are encrypted until they are transferred to the log server.

For more information, see pmauditsrv.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating