Event Logging
Event logs are enabled by default for all requests sent to the Privilege Manager Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.
When using the pmpolicy type, you can change the location of the event log, or disable event logging for a specific request by modifying the eventlog policy variable. For example, to disable event logging for all pmlist commands, add the following code to your security policy:
if (basename(command) == "pmlist") { eventlog=""; }
The following pmpolicy variables affect event log settings:
| Variable | Data Type | Description |
|---|---|---|
| eventlog | string | The name of the file in which events (acceptances, rejections, and completions) are logged. (Default is /var/opt/quest/qpm4u/pmevents.db.)
This must be a full pathname starting with a / (slash). For example: eventlog = "/var/logs/pmevents.db"; If the log file name you specify in the policy file cannot be opened, Privilege Manager automatically logs all events in the default log file. See also eventlog. |
| logomit | list | Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs.
See also logomit. |
| export | varname | Specify a local variable to add to the event log. (Refer to Operators and Expressions for more information about export.) |
For example, enter the following to specify that you want to:
- record event log in /var/adm/pmevents.db
- not include the env and runenv variables in the logs
eventlog = "/var/adm/pmevents.db";
logomit = {"env","runenv"};
Keystroke (I/O) Logging
Once your 30-day trial license has expired, Quest requests that you obtain a Keystroke Logging license to remain in compliance. (See Privilege Manager Licensing for details.)
You can control keystroke (I/O) logging behavior using the following policy variables.
| Variable | Data Type | Description |
|---|---|---|
| iolog | string | The name of the file in which input, output, and error output is logged. This must be a full pathname starting with a / (slash). To avoid overwriting existing I/O log files, set the iolog variable with a mktemp function call. |
| iolog_encrypt | boolean | Enables encryption of I/O logs: To enable encryption, set: iolog_encrypt = true; Log files are encrypted with AES; view them with pmreplay. |
| iolog_errmax | integer | Limits the amount of text logged for stderr for each command. |
| iolog_opmax | integer | Limits the amount of text logged for stdout for each command. For example, if iolog_opmax is set to 500 and you enter: cat filename1 it only logs the first 500 bytes of output produced by this command. |
| log_passwords | boolean | Specifies whether passwords are logged to the keystroke log. The default setting logs passwords. (See log_passwords for details.) |
| logstderr | boolean | Specifies if error output is logged; default is "true". |
| logstdin | boolean | Specifies whether input is logged; default is "true". |
| logstdout | boolean | Specifies whether output is logged; default is "true". |
|
|
NOTE: All boolean values default to "true". |
Example
iolog=mktemp(”/opt/quest/qpm4u/logs/”+”user”+”_”+basename(command) +”_XXXXXX”); iolog_encrypt = true; iolog_opmax = 500; iolog_errmax = 200; logstderr = false; logstdin = true; logstdout = true; log_passwords = false;
|
|
NOTE: For details about the keystroke logging variables, refer to Global Output Variables. |
Keystroke Logging In Sudo Policy Type
In the sudo policy type, you can enable keystroke logging using the log_input and log_output default parameters.
|
|
NOTE: Enabling log_input and log_output enables keystroke logging. |
For example, to enable keystroke logging for all requests, specify:
Defaults log_input, log_output
To specify keystroke logging of output just for the root user, specify:
Defaults:root log_output
You can also override default settings by using the LOG_INPUT, LOG_OUTPUT, NOLOG_INPUT, NOLOG_OUTPUT tags in a user specification entry. For example, to suppress keystroke logging for the ls command, enter:
ALL ALL=(ALL) NOLOG_OUTPUT:/bin/ls
The location of the keystroke log file is determined by the iolog_dir and iolog_file default specifications.
The defaults are:
Defaults iolog_dir = "/var/opt/quest/qpm4u/iolog"
Defaults iolog_file = "%{user}/%{runas_user}/%{command}_%Y%m%d_%H%M_XXXXXX"
(See the Sudoers man page for an explanation of the supported percent (%) escape sequences.)
|
|
NOTE: The trailing “XXXXXX” characters at the end of iolog_file are required; without them, no I/O log will be generated. These X’s are replaced with a unique combination of digits and letters, similar to the mktemp() function. |
Keystroke Logging Using the pmpolicy Type
When using the pmpolicy type, you can enable keystroke logging using the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, specify the full path to the keystroke log using iolog variable. (See iolog for details.)
If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:
iolog=mktemp("/var/opt/quest/qpm4u/iolog/"
+ profile
+ "/"
+ user
+ "/"
+ basename(runcommand)
+ "_"
+ strftime("%Y%m%d_%H%M")
+ "_XXXXXX");
You can enable keystroke logging on a per profile basis by editing the profile and shellprofile files, and setting the pf_keystrokelogging variable to true or false.
The following variables affect keystroke log settings when using the pmpolicy type:
- iolog
- iolog_encrypt
- iolog_opmax
- iologhost
- logomit
- logstderr
- logstdin
- logstdout
- log_passwords
|
|
NOTE: For details about these variables, refer to the Global Output Variables. |