Privilege Manager enables event logging. Each time a command is run, the policy server accepts or rejects the requested command according to the rules in the policy and creates an event (audit) log. The policy server also records the keystroke input and terminal output for each accepted command, creating comprehensive "keystroke log" files. With these logs, you can perform forensic-level auditing of any command executed.
Event logs are always captured and stored on the policy servers in /var/opt/quest/qpm4u/pmevents.db; keystroke logs are stored in /var/opt/quest/qpm4u/iolog.
Note: You can use the iolog_dir and iolog_file policy options to reconfigure the iolog file location. For more information about the policy options, refer to the Privilege Manager Administration Guide.
You can view event logs or replay keystroke logs from the Policy tab of the management console if you are logged in either as the supervisor or an Active Directory account with rights to audit the policy file; that is, an account in the Audit Sudo Policy or Audit PM Policy role.
BEST PRACTICE: One Identity recommends that you set up a separate policy server for archiving and viewing logs.
To enable keystroke logging for sudo policy
From the management console, navigate to Policy | Sudo Policy Editor.
Open the Open menu and select Current version to open the latest saved version of the policy file that is currently in use by the management console. (See Open Policy Files for details.)
Add the following line to the policy file to enable keystroke logs:
Defaults log_output
Add an entry for a local user in the form who where = (as_whom) what. For example:
localuser ALL=(ALL) ALL
where localuser is a local user account name.
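As an added example (not taken from the One Identity guide), the following sudo policy fragment combines the two lines above with the iolog_dir and iolog_file options mentioned in the note and limits I/O logging to the commands that need it. The directory value, the %{user} and %{seq} escape sequences and the LOG_OUTPUT/NOLOG_OUTPUT tags are standard sudoers syntax; the second account (opsuser) is invented, and whether the policy server honours the escapes is an assumption to verify against the Administration Guide.

```sudoers
# Added example: sudo policy fragment enabling keystroke (I/O) logging.

# Record terminal output for every accepted command (the line from the page).
Defaults log_output
# Also record what the user typed, so a replay shows input as well as output.
Defaults log_input

# Assumed values: relocate the iolog files (the page names these options but
# gives no value). Standard sudoers escapes: %{user} = invoking user,
# %{seq} = a per-directory sequence number, so each session gets its own log.
Defaults iolog_dir=/var/opt/quest/qpm4u/iolog/%{user}
Defaults iolog_file=%{seq}

# The entry from the page: a local account allowed to run anything as anyone.
localuser ALL=(ALL) ALL

# Assumed second account: keep I/O logs for interactive shells, but suppress
# them for one low-risk, long-running command that would flood the log store.
# Per-command tags override the global Defaults above.
opsuser ALL=(ALL) LOG_OUTPUT: /bin/bash, /bin/sh
opsuser ALL=(root) NOLOG_OUTPUT: /usr/bin/tail -f /var/log/messages
```

After saving the policy, run sudo -l as the affected user; the "Matching Defaults entries" section should list log_output, which confirms the option is in effect before you rely on replays.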
Notes:
To enable keystroke logging for pmpolicy
Privilege Manager only generates a keystroke log when the policy server accepts a command and keystroke logging is enabled in the policy. When the policy server accepts a command, Privilege Manager records the keystrokes and stores them on the policy server. If the policy server rejects a command, Privilege Manager does not record keystrokes nor does it generate a log.
To generate a keystroke log
Log into the host on which the Privilege Manager software is installed as a non-privileged user specified in the policy.
At the command prompt, enter:
sudo bash
Enter your password.
When you enter sudo bash, it opens a new shell.
At the new shell's command prompt, enter the following lines:
echo "This is fun."
echo "My keystrokes are being recorded"
whoami
id
Note: For a fun demonstration, type echo "This is a mistake", then backspace over the mistake and enter the corrected text. When you replay the keystroke log you will see that it records every keystroke!
Enter exit to close the bash shell.
Privilege Manager records every keystroke from the time you enter sudo bash until you enter exit.
You are now ready to replay your keystroke log from the management console.
Keystroke logs are related to events. When you run a command, such as sudo whoami, the policy server either accepts or rejects the command based on the rules in the policy. When the policy server accepts the command, it creates an event and a corresponding keystroke log. If it rejects the command, it does not create a keystroke log. To view a keystroke log, you must first list events.
Note: To record and replay keystroke logs, you must log in either as the supervisor or an Active Directory account with rights to audit the policy file; that is, an account in the Audit Sudo Policy or Audit PM Policy role.
To list events and replay keystroke logs
From the management console, navigate to Policy | Event Logs.
Note: You can also access Event Logs from these context menus:
Select options in the search controls on the Find Event Logs pane, and click Find.
For example, you can search for all events logged for a particular user, or all events logged on a particular host, or you can find events logged during a specific date and time.
Note: Host names may appear in the event logs and keystroke log files in either format. To ensure you match a host name when you specify host name search criteria, use the short host name format with an asterisk wildcard (myhost*).
For example, you can find events that pertain to the usage of a specific command or content of the command output.
Click the Replay keystroke log button next to a listed event to load the log for replay.
A Replay Log tab displays.
Click the Play button to replay the log.
© 2023 One Identity LLC. ALL RIGHTS RESERVED.