
Safeguard for Sudo 2.0 - Administrators Guide


Event Logging

Event logs are enabled by default for all requests sent to the Privilege Manager Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.

When using the pmpolicy type, you can change the location of the event log, or disable event logging for a specific request by modifying the eventlog policy variable. For example, to disable event logging for all pmlist commands, add the following code to your security policy:

if (basename(command) == "pmlist") { eventlog=""; }

The following pmpolicy variables affect event log settings:

Table 22: Event logging policy variables
Variable Data Type Description
eventlog string The name of the file in which events (acceptances, rejections, and completions) are logged. (Default is /var/opt/quest/qpm4u/pmevents.db.)

This must be a full pathname starting with a / (slash). For example:

eventlog = "/var/logs/pmevents.db";

If the log file name you specify in the policy file cannot be opened, Privilege Manager automatically logs all events in the default log file.

See also eventlog.

logomit list Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs.

See also logomit.

export varname Specify a local variable to add to the event log. (Refer to Operators and Expressions for more information about export.)

For example, enter the following to specify that you want to:

  • record event log in /var/adm/pmevents.db
  • not include the env and runenv variables in the logs
eventlog = "/var/adm/pmevents.db";
logomit = {"env","runenv"};

Keystroke (I/O) Logging

Once your 30-day trial license has expired, Quest requests that you obtain a Keystroke Logging license to remain in compliance. (See Privilege Manager Licensing for details.)

You can control keystroke (I/O) logging behavior using the following policy variables.

Table 23: Keystroke logging policy variables
Variable Data Type Description
iolog string The name of the file in which input, output, and error output is logged. This must be a full pathname starting with a / (slash). To avoid overwriting existing I/O log files, set the iolog variable with a mktemp function call.
iolog_encrypt boolean Enables encryption of I/O logs. To enable encryption, set:
iolog_encrypt = true;

Log files are encrypted with AES; view them with pmreplay.

iolog_errmax integer Limits the amount of text logged for stderr for each command.
iolog_opmax integer Limits the amount of text logged for stdout for each command. For example, if iolog_opmax is set to 500 and you enter:
cat filename1

it only logs the first 500 bytes of output produced by this command.

log_passwords boolean Specifies whether passwords are logged to the keystroke log. The default setting logs passwords. (See log_passwords for details.)
logstderr boolean Specifies if error output is logged; default is "true".
logstdin boolean Specifies whether input is logged; default is "true".
logstdout boolean Specifies whether output is logged; default is "true".

NOTE: All boolean values default to "true".

Example
iolog=mktemp("/opt/quest/qpm4u/logs/"+"user"+"_"+basename(command)
   +"_XXXXXX");
iolog_encrypt = true;
iolog_opmax = 500;
iolog_errmax = 200;
logstderr = false;
logstdin = true;
logstdout = true;
log_passwords = false;

NOTE: For details about the keystroke logging variables, refer to Global Output Variables.

Keystroke Logging In Sudo Policy Type

In the sudo policy type, you can enable keystroke logging using the log_input and log_output default parameters.

NOTE: Enabling log_input and log_output enables keystroke logging.

For example, to enable keystroke logging for all requests, specify:

Defaults log_input, log_output

To specify keystroke logging of output just for the root user, specify:

Defaults:root log_output

You can also override default settings by using the LOG_INPUT, LOG_OUTPUT, NOLOG_INPUT, NOLOG_OUTPUT tags in a user specification entry. For example, to suppress keystroke logging for the ls command, enter:

ALL ALL=(ALL) NOLOG_OUTPUT:/bin/ls

The location of the keystroke log file is determined by the iolog_dir and iolog_file default specifications.

The defaults are:

Defaults iolog_dir = "/var/opt/quest/qpm4u/iolog"
Defaults iolog_file = "%{user}/%{runas_user}/%{command}_%Y%m%d_%H%M_XXXXXX"

(See the Sudoers man page for an explanation of the supported percent (%) escape sequences.)

NOTE: The trailing "XXXXXX" characters at the end of iolog_file are required; without them, no I/O log will be generated. These X's are replaced with a unique combination of digits and letters, similar to the mktemp() function.
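As an added check that is not part of the guide, the following Python parses iolog_dir and iolog_file from a constructed sudoers-style Defaults block, flags the two misconfigurations described above (a non-absolute iolog_dir and an iolog_file without the trailing XXXXXX, which silently produces no keystroke log), and previews the path one session's log would land in. The sample Defaults text and the sample user, run-as user, command and timestamp are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample: Defaults lines in the shape this page describes.
SAMPLE_DEFAULTS = """
Defaults log_input, log_output
Defaults:root log_output
Defaults iolog_dir = "/var/opt/quest/qpm4u/iolog"
Defaults iolog_file = "%{user}/%{runas_user}/%{command}_%Y%m%d_%H%M_XXXXXX"
"""
# Constructed session timestamp used by the preview below.
SAMPLE_WHEN = datetime(2024, 1, 2, 9, 30)


def parse_iolog_defaults(text):
    """Collect the (unquoted) values of the iolog_dir / iolog_file Defaults."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*Defaults\s+(iolog_dir|iolog_file)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_iolog_settings(settings):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    if not settings.get("iolog_dir", "").startswith("/"):
        problems.append("iolog_dir must be a full pathname starting with /")
    # Without the trailing XXXXXX no I/O log is generated at all.
    if not settings.get("iolog_file", "").endswith("XXXXXX"):
        problems.append("iolog_file must end in XXXXXX or no keystroke log is written")
    return problems


def preview_iolog_path(settings, user, runas_user, command, when):
    """Expand the %{...} and strftime escapes to show where a session's log lands.
    The XXXXXX suffix is left literal: it is replaced with a unique string at run time."""
    path = settings["iolog_file"]
    for key, val in {"user": user, "runas_user": runas_user, "command": command}.items():
        path = path.replace("%%{%s}" % key, val)
    path = when.strftime(path)  # resolves %Y%m%d_%H%M; %{...} is already substituted
    return settings["iolog_dir"].rstrip("/") + "/" + path


if __name__ == "__main__":
    cfg = parse_iolog_defaults(SAMPLE_DEFAULTS)
    print(check_iolog_settings(cfg) or "iolog settings OK")
    print(preview_iolog_path(cfg, "alice", "root", "ls", SAMPLE_WHEN))
```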

Keystroke Logging Using the pmpolicy Type


When using the pmpolicy type, you can enable keystroke logging using the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, specify the full path to the keystroke log in the iolog variable. (See iolog for details.)

If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:

iolog=mktemp("/var/opt/quest/qpm4u/iolog/" + profile + "/" + user + "/"
    + basename(runcommand) + "_" + strftime("%Y%m%d_%H%M") + "_XXXXXX");

You can enable keystroke logging on a per profile basis by editing the profile and shellprofile files, and setting the pf_keystrokelogging variable to true or false.

The following variables affect keystroke log settings when using the pmpolicy type:

  • iolog
  • iolog_encrypt
  • iolog_opmax
  • iologhost
  • logomit
  • logstderr
  • logstdin
  • logstdout
  • log_passwords

NOTE: For details about these variables, refer to the Global Output Variables.
