Keystroke (I/O) logging
Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. See Privilege Manager licensing for details.
You can enable keystroke logging using the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, specify the full path to the keystroke log using iolog variable. See iolog for details.
If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:
iolog=mktemp("/var/opt/quest/qpm4u/iolog/"
+ profile
+ "/"
+ user
+ "/"
+ basename(runcommand)
+ "_"
+ strftime("%Y%m%d_%H%M")
+ "_XXXXXX");
You can enable keystroke logging on a per profile basis by editing the profile and shellprofile files, and setting the pf_keystrokelogging variable to true or false.
The following variables affect keystroke log settings when using the pmpolicy type:
- iolog
- iolog_encrypt
- iolog_opmax
- iologhost
- logomit
- logstderr
- logstdin
- logstdout
- log_passwords
For details about these variables, refer to the Global output variables.
Keystroke (I/O) logging policy variables
You can control keystroke (I/O) logging behavior using the following policy variables.
Table 20: Keystroke logging policy variables
iolog |
string |
The name of the file in which input, output, and error output is logged. This must be a full pathname starting with a / (slash). To avoid overwriting existing I/O log files, set the iolog variable with a mktemp function call. |
iolog_encrypt |
boolean |
Enables encryption of I/O logs: To enable encryption, set: iolog_encrypt = true;
Log files are encrypted with AES; view them with pmreplay. |
iolog_errmax |
integer |
Limits the amount of text logged for stderr for each command. |
iolog_opmax |
integer |
Limits the amount of text logged for stdout for each command. For example, if iolog_opmax is set to 500 and you enter: cat filename1
it only logs the first 500 bytes of output produced by this command. |
log_passwords |
boolean |
Specifies whether passwords are logged to the keystroke log. The default setting logs passwords. See log_passwords for details. |
logstderr |
boolean |
Specifies if error output is logged; default is "true". |
logstdin |
boolean |
Specifies whether input is logged; default is "true". |
Specifies whether output is logged; default is "true". |
All boolean values default to "true".
Example
iolog=mktemp(”/opt/quest/qpm4u/logs/”+”user”+”_”+basename(command)
+”_XXXXXX”);
iolog_encrypt = true;
iolog_opmax = 500;
iolog_errmax = 200;
logstderr = false;
logstdin = true;
logstdout = true;
log_passwords = false;
For details about the keystroke logging variables, refer to Global output variables.
Central logging with Privilege Manager for Unix
Privilege Manager for Unix can configure central logging for I/O and event logs using the iologhost and eventloghost policy variables.
pmmasterd uses port number 12345 by default to communicate with the log server.
A host that is configured as a centralized log server must have the client's keyword added to the pm.settings file to specify which policy servers may forward their I/O and event log information to this log server.
Figure 9: Configuring central logging for I/O and event Logs
In this example, master1, master2, master3, and logmaster are all Privilege Manager policy servers (pmmasterd).
logmaster is configured as the centralized log host for I/O and event logs for master1, master2 and master3. To send I/O and event log information to logmaster, the policy must include the following statements:
iologhost = "logmaster";
eventloghost = "logmaster";
If for any reason (such as a system outage) the logs cannot be forwarded to the central logging host (logmaster in the above example), log files are stored locally on the authenticating policy server (master1, master2, or master3 in the above example). The location of the log files is specified by the tmplogdir policy variable, which defaults to var/opt/quest/qpm4u/iolog/queue.
The pm.settings file for logmaster must include the clients keyword. For example:
clients master1 master2 master3
Related Topics
PM settings variables
tmplogdir
Controlling log size with Privilege Manager for Unix
An effective strategy for controlling the size of the log file in Privilege Manager for Unix is to limit the amount of information sent to the logs. Instead of logging keystrokes for every command, you might construct a policy that only captures keystrokes for sensitive commands.
You can use policy variables to limit the information sent to the log files.
Table 21: Size-controlling logging variables
iolog_encrypt |
boolean |
Enables I/O logs encryption; default is "true".
Log files are encrypted with AES; view them with pmreplay. |
iolog_errmax |
integer |
Limits the amount of text logged for stderr for each command. |
iolog_opmax |
integer |
Limits the amount of text logged for stdout for each command. For example, if iolog_opmax is set to 500 and you enter the following command: cat filename1 it only logs the first 500 bytes of output produced by this command. |
logomit |
list |
Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs. |
logstderr |
boolean |
Specifies if error output is logged; default is "true". |
logstdin |
boolean |
Specifies whether input is logged; default is "true". |
Specifies whether output is logged; default is "true". |