
Safeguard for Sudo 2.0 - Administrators Guide


Configuring Keystroke Logging for Privilege Manager for Sudo Policy


Privilege Manager for Sudo enables event logging. Each time a sudo command is run, the policy server accepts or rejects the requested command according to the sudoers policy file and creates an event (audit) log. If enabled, the policy server also records the keystroke input and terminal output of each accepted command, creating comprehensive keystroke log files. With these logs, you can perform forensic-level auditing of any command executed by means of sudo.

Event logs are captured and stored on the policy servers in /var/opt/quest/qpm4u/pmevents.db; keystroke logs are stored in /var/opt/quest/qpm4u/iolog.

NOTE: You can use the iolog_dir and iolog_file policy options to reconfigure the iolog file location.

You can view event logs or replay keystroke logs from the Policy tab of the Management Console for Unix if you are logged in either as the supervisor or an Active Directory account with rights to audit the sudoers file; that is, an account in the Audit Sudo Policy role. (See Viewing the Log Files Using a Web Browser for details.)

Configure the sudoers policy for keystroke logging by using the log_input and log_output defaults flags, or the LOG_INPUT and LOG_OUTPUT command tags, as follows:

Defaults log_input, log_output # keystroke logging enabled 
Defaults!/sbin/reboot !log_input,!log_output # no logging for reboots 

NOTE: For complete I/O log records you must use both log_input and log_output.

# disable keystroke logging for the pmreplay command 
ADMINS ALL = (ALL) NOLOG_INPUT:NOLOG_OUTPUT:/opt/quest/sbin/pmreplay 

NOTE: ADMINS is a User_Alias. (See the Sudoers man page for definition of User_Alias).
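Because log_input and log_output can be switched on globally, off per command with Defaults!, and overridden again with LOG_*/NOLOG_* tags, it is easy to lose track of which commands actually produce a complete I/O log record. The following added example (not part of the product or this guide) parses a constructed sudoers fragment built from the lines above and reports every command rule whose effective settings do not log both input and output. It assumes plain Defaults and Defaults!command lines only; Defaults:user, Defaults@host and Defaults>runas forms are ignored.

```python
import re

# Constructed sample sudoers policy (embedded so the example runs offline); the
# Defaults lines and the pmreplay rule are the ones shown on this page.
SAMPLE_SUDOERS = """\
Defaults log_input, log_output # keystroke logging enabled
Defaults!/sbin/reboot !log_input,!log_output # no logging for reboots
User_Alias ADMINS = alice, bob
# disable keystroke logging for the pmreplay command
ADMINS ALL = (ALL) NOLOG_INPUT:NOLOG_OUTPUT:/opt/quest/sbin/pmreplay
ADMINS ALL = (ALL) /sbin/reboot, /usr/sbin/adduser
OPERATORS ALL = (root) NOLOG_OUTPUT: /usr/bin/cat /var/log/messages
"""

# Only plain "Defaults" and "Defaults!command" lines are handled (assumption).
DEFAULTS_RE = re.compile(r"^Defaults(?:!(?P<cmd>\S+))?\s+(?P<opts>.+)$")
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

def _apply_opts(flags, opts):
    """Apply 'log_input', '!log_output', ... from a Defaults line to flags."""
    for opt in opts.split(","):
        name = opt.strip().lstrip("!")
        if name in ("log_input", "log_output"):
            flags[name] = not opt.strip().startswith("!")

def audit_logging(text):
    """Return [(user, command, log_input, log_output)] for every command rule,
    applying global Defaults, then Defaults!command, then LOG_*/NOLOG_* tags."""
    glob, per_cmd, rows = {"log_input": False, "log_output": False}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = DEFAULTS_RE.match(line)
        if m:
            _apply_opts(per_cmd.setdefault(m["cmd"], {}) if m["cmd"] else glob, m["opts"])
            continue
        m = RULE_RE.match(line)
        if not m or m["user"].endswith("_Alias"):   # skip alias definitions
            continue
        tags = {}                                   # tags persist across a command list
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):
                tag, spec = t.group(1), spec[t.end():]
                base = tag[2:] if tag.startswith("NO") else tag
                if base in ("LOG_INPUT", "LOG_OUTPUT"):
                    tags[base.lower()] = not tag.startswith("NO")
            cmd = spec.split()[0] if spec else ""   # command path without arguments
            eff = {**glob, **per_cmd.get(cmd, {}), **tags}
            rows.append((m["user"], cmd, eff["log_input"], eff["log_output"]))
    return rows

def incomplete_logging(text):
    """Commands that will not yield a complete I/O log record (both streams)."""
    return [(u, c) for u, c, i, o in audit_logging(text) if not (i and o)]

if __name__ == "__main__":
    for user, cmd in incomplete_logging(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} lacks complete keystroke logging")
```

Run it against a copy of the real sudoers file (for example via `sudo -l`-style review on a test host) to list the commands whose sessions pmreplay will not be able to reconstruct fully.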

Validating Sudo Commands

To validate that the centrally managed policy is working, log on to a policy server (or a Sudo Plugin host) as a non-root user, run a command that is already set up in your sudoers policy file and observe the results.

Use a command you expect to work, such as:

$ sudo id

Then run a command that you know you do not have sufficient privileges to run. For instance, run a fake command, such as:

$ sudo fakecmd

When Privilege Manager for Unix rejects a command, it displays a message similar to this:

Sorry, user tuser is not allowed to execute ‘fakecmd’ as root on myhost.example.com. 
Request rejected by Privilege Manager

All systems that are joined to the same policy server will have the same results based on how you have the sudoers policy file configured.

Controlling Logs

The following variables are used to control the logging of program input and output through Privilege Manager:

Table 21: Logging variables

  iolog      If set to a filename, logs all of the information selected by the logstdin, logstdout, and logstderr variables to that file.
  logstderr  If set to true, logs any error responses (standard error).
  logstdin   If set to true, logs all information coming in from standard input.
  logstdout  If set to true, logs all information being displayed on standard output.

NOTE: For details about these logging variables, refer to Global Output Variables.

To log the input, output and error I/O streams from a request, set logstdin, logstdout, and logstderr to true. Set iolog to the name of the log file. After Privilege Manager has executed the request, you can use the pmreplay command to replay the session that was logged.

You can limit the amount of data logged for each stream. This avoids filling up the I/O logs with large amounts of output from benign commands, such as when using cat or tail to display a large file. You can limit the I/O logging to the first n bytes of the output. For example, to log only the first 500 bytes of stdout, enter:

iolog_opmax=500;

The following example ensures that whenever you run the adduser program through Privilege Manager, it logs all input and output in the specified file:

if (command == "adduser") {
    iolog = "/var/log/iolog/" + user + mktemp("_XXXXXX");
    logstdin = true;
    logstdout = true;
    logstderr = true;
    runuser = "root";
    accept;
}

Local Logging

The location of the error logs for the Privilege Manager components, pmrun, pmlocald and pmmasterd, is specified using keywords in the pm.settings file. Enter the following to specify that you want the error logs written to the /var/adm directory:

pmlocaldlog /var/adm/pmlocald.log 
pmmasterdlog /var/adm/pmmasterd.log 
pmrunlog /var/adm/pmrun.log

Alternatively, you can enable UNIX® syslog error logging in the pm.settings file, by specifying:

syslog YES

Use one of the following keywords to specify which syslog facility to use:

  • LOG_KERN
  • LOG_USER
  • LOG_MAIL
  • LOG_DAEMON
  • LOG_AUTH (the default)
  • LOG_LPR
  • LOG_NEWS
  • LOG_UUCP
  • LOG_CRON
  • LOG_LOCAL0 through LOG_LOCAL7

For example, to enable syslog error logging using the LOG_AUTH facility, enter in the pm.settings file:

syslog YES 
facility LOG_AUTH

See PM Settings Variables for more information about modifying the Privilege Manager configuration settings.
