Privilege Manager for Unix
How To Administer Event and Keystroke Logs

Event and Keystroke Logs

Quest One Privilege Manager for UNIX can record two different types of log information for audit purposes. The Privilege Manager event log records details of all requests to run privileged commands, such as what command was requested, who made the request, when the request was sent, what host the request was submitted from, and whether the request was accepted or rejected. The keystroke logs can also record the user's keystrokes and the terminal output of any sessions granted by Privilege Manager. This document will help guide you in the setup and use of these log files.

Log Configuration

Some aspects of the event and keystroke logging can be configured via the security policy on the Privilege Manager policy servers. Because there are two different policy modes supported by Privilege Manager, what you can configure, and how you configure it, will depend on whether you are using the pmpolicy or sudo policy mode on your policy server. We will explore enabling/disabling logging, and specifying the location where the log files will be written.

Event logging

Event logs are enabled by default for all requests sent to the Privilege Manager policy servers. The default location of the event log file is /var/opt/quest/qpm4u/pm.eventlog.

In sudo policy mode, it is not possible to disable or change the location of the event log file.

In pmpolicy mode, you can change the location of the event log, or disable event logging for a specific request, by modifying the eventlog policy variable. For example, you could disable event logging for all pmlist commands by adding the following code to your security policy:

    if (basename(command) == "pmlist") {
        eventlog = "";
    }

The following pmpolicy variables affect event log settings: eventlog, eventlog_encrypt, eventloghost, logomit

For further information, please refer to the Quest Privilege Manager for UNIX A-Z Reference Guide.
Keystroke Logging

Keystroke logging must be explicitly configured in the security policy and also requires that a commercial Quest One Privilege Manager license be applied to the policy server. Specifically, you will need a Privilege Manager Sudo Keystroke license to log keystrokes from a Privilege Manager sudo plugin agent, and you will need a Privilege Manager for UNIX Agent license to log keystrokes from a Privilege Manager for UNIX agent.
Keystroke Logging: sudo Policy Mode

In sudo policy mode, keystroke logging can be enabled using the log_input or log_output Defaults parameters. Note that there is no difference between log_input and log_output when using the sudo policy; in either case, both input and output are captured in the keystroke log file. For example, to enable keystroke logging for all requests, you could specify:

    Defaults log_input

Or to specify keystroke logging just for the root user, you could specify:

    Defaults:root log_output

You can also override default settings by using the LOG_INPUT, LOG_OUTPUT, NOLOG_INPUT and NOLOG_OUTPUT tags in a user specification entry. For example, to suppress keystroke logging for the ls command:

    ALL ALL=(ALL) NOLOG_OUTPUT:/bin/ls

The location of the keystroke log file is determined by the iolog_dir and iolog_file default specifications. By default, iolog_dir is "/var/opt/quest/qpm4u/iolog", and iolog_file is "%{user}/%{runas_user}/%{command}_%Y%m%d_%H%M_XXXXXX". Please refer to the sudoers man page for an explanation of the supported percent (%) escape sequences. The trailing XXXXXX characters at the end of iolog_file are required. These X's are replaced with a unique combination of digits and letters, similar to the mktemp() function.

Keystroke Logging: pmpolicy Mode

In pmpolicy mode, the enabling and location of the keystroke log file is determined by the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, iolog should specify the full path to where the keystroke log is to be created. If you use the default profile-based policy, iolog is defined in the profilebasedpolicy.conf file as:

    iolog = mktemp("/opt/quest/qpm4u/iologs/" + profile + "/" + user + "/" + basename(runcommand) + "_" + strftime("%Y%m%d_%H%M") + "_XXXXXX");

Keystroke logging can be enabled on a per-profile basis by editing the profile and shellprofile files, and setting the enablekeystrokelogging variable to true or false.
The following pmpolicy mode variables affect keystroke log settings: iolog, iolog_encrypt, iolog_opmax, iologhost, logomit, logstderr, logstdin, logstdout, log_passwords

For further information, please refer to the Quest Privilege Manager for UNIX A-Z Reference Guide.
Viewing the Log Files

Quest One Management Console for UNIX

If you are using the sudo policy mode, you can view events using the Quest One Management Console for UNIX, which provides an intuitive web-based console for managing UNIX hosts. Refer to the Quest One Management Console for UNIX Administrator's Guide for instructions on how to install and configure the Management Console for UNIX.

Prior to viewing the events, you need to configure a service account on the primary policy server for your policy group. From the Management Console for UNIX:

1. Select Preferences.
2. Navigate to System settings, Privilege Manager for Sudo, and click Configure service account, located next to the listed primary policy server.

This will create a questusr service account on the primary policy server, which the console uses for Privilege Manager for Sudo related tasks.

To view a list of events within the Management Console for UNIX:

1. Navigate to Sudo, Event logs.
2. Select options in the search controls and click Find.
3. If there is a keystroke log file associated with an event, click the Replay keystroke log link next to the event to access and replay the log.

The Management Console should not be used with policy servers using pmpolicy mode, unless a Quest One Privilege Manager for Sudo or Sudo Keystroke license has been installed on the policy server.
Privilege Manager Reporting Console

If you are using pmpolicy mode, you can view events using the Privilege Manager Reporting Console, which provides a web-based interface for Privilege Manager historical and event analysis. Refer to the Quest Privilege Manager for UNIX Reporting Console Installation, Overview and Usage Guide for information on how to install and configure the Reporting Console. The Privilege Manager Reporting Console does not support policy servers using sudo policy mode.

Use either the Event Analysis or Trend Analysis tab to find and display events. Event Analysis displays a grid overview of events by user, host or command on a particular date. The date to view can be changed by clicking the calendar date picker at the top of the report. Click one of the coloured tiles to see a list of events that match the intersecting grid row and column in the Event Log Data page. If an event has a corresponding keystroke log file, click the View button to replay the log.
In Trend Analysis, the comparison time frame can be adjusted using the controls at the bottom of the page. Once the required time frame has been set, select the Event Listing tab on the right-hand side view to see a list of events for the configured time frame. The event list can be narrowed further by selecting specific users, commands, hosts and results under the tabs on the left-hand side view. As with Event Analysis, if there is a corresponding keystroke log file, you can click the View Log button to replay the log.

Command Line Programs: pmlogsearch, pmreplay and pmremlog

If you don't have access to a web browser, or if you prefer to use command line tools, you can list events and replay log files directly from the primary policy server using the pmlogsearch, pmreplay, and pmremlog commands.

pmlogsearch will execute a search across all policy servers in the policy group to return a list of events (and associated keystroke log file names) for requests matching the specified criteria. Search criteria are specified using the following options (at least one search option must be specified).

    Option                           Function
    --after "YYYY/MM/DD hh:mm:ss"    Search for sessions initiated after the specified date and time
    --before "YYYY/MM/DD hh:mm:ss"   Search for sessions initiated before the specified date and time
    --user username                  Search for sessions by the specified requesting user
    --host hostname                  Search for sessions executed on the specified host
    --result accept|reject           Return only events with the indicated result
    --text keyword                   Search for sessions containing the specified text

With the --user, --host, and --text options, the wildcard characters ? and * may be used to match exactly one character or any number of characters, respectively, but arguments with wildcards should be enclosed in quotes to prevent the shell from interpreting the wildcards.
If there is a keystroke log associated with the event, the log host and pathname will be displayed along with the rest of the event information. The following example lists two events with keystroke (IO) logs.

    # pmlogsearch --user sally
    Search matches 2 events
    2011/03/16 10:40:02 : Accept : sally@qpmsrv1.example.com
    Request: sally@qpmsrv1.example.com : id
    Executed: root@qpmsrv1.example.com : id
    IO Log: qpmsrv1.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20110316_1040_ESpL6L
    2011/03/16 09:56:22 : Accept : sally@qpmsrv2.example.com
    Request: sally@qpmsrv2.example.com : id
    Executed: root@qpmsrv2.example.com : id
    IO Log: qpmsrv2.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20110316_0956_mrVu4I

The pmreplay command can be used to replay a keystroke log file, if the keystroke log file resides on the local policy server. To replay the log, run:

    pmreplay <path_to_keystroke_log>

For example, the following command will replay the first ls -l /etc log from the previous example:

    # pmreplay /opt/quest/qpm4u/iologs/demo/sally/id_20110316_1040_ESpL6L

If the keystroke log resides on a remote policy server, you can use the pmremlog command with the -h <remote_host> and -p pmreplay options to remotely replay a keystroke log file. The path argument to give to the remote pmreplay is specified after the -- flag. The following example command should be given all on one line:

    # pmremlog -h qpmsrv2 -p pmreplay -- /opt/quest/qpm4u/iologs/demo/sally/id_20110316_0956_mrVu4I

Hostnames may appear in the event logs and keystroke log files in either fully qualified format (e.g. myhost.mycompany.com) or in short name format (e.g. myhost), depending on how hostnames are resolved and on the use of the shortnames setting in the pm.settings file. To ensure that either format is matched, use the short host name format with an asterisk wildcard (e.g. myhost*) when specifying a hostname search criterion.
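As an added example (not code from the Quest documentation or the product itself), the following Python script parses pmlogsearch output in the layout shown above, applies the short-name versus FQDN matching caveat from the last paragraph, and builds the matching pmreplay or pmremlog command for each event that has an IO log. The sample output, hostnames, users and log paths are constructed for the example.

```python
import re
import shlex

HEADER = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) : (\w+) : (\S+)$")

# Constructed sample of pmlogsearch output, modelled on the record layout shown
# on this page; hosts, users, times and log names are invented for the example.
SAMPLE_OUTPUT = """\
Search matches 3 events
2011/03/16 10:40:02 : Accept : sally@qpmsrv1.example.com
Request: sally@qpmsrv1.example.com : id
IO Log: qpmsrv1.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20110316_1040_ESpL6L
2011/03/16 09:56:22 : Accept : sally@qpmsrv2
Request: sally@qpmsrv2 : id
IO Log: qpmsrv2:/opt/quest/qpm4u/iologs/demo/sally/id_20110316_0956_mrVu4I
2011/03/16 09:12:05 : Reject : sally@qpmsrv1.example.com
Request: sally@qpmsrv1.example.com : /bin/sh
"""

def short_name(host):
    # Hosts are logged as FQDN or short name depending on resolution/shortnames.
    return host.split(".")[0].lower()

def host_search_pattern(host):
    # The --host value recommended above: short name plus a '*' wildcard.
    return short_name(host) + "*"

def parse_events(text):
    # One dict per event; 'iolog' is (host, path), or None if no keystroke log.
    events = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            events.append({"time": m.group(1), "result": m.group(2),
                           "requester": m.group(3), "iolog": None})
        elif events and ":" in line:
            key, _, value = line.strip().partition(":")
            if key == "IO Log":
                events[-1]["iolog"] = tuple(value.strip().split(":", 1))
            else:
                events[-1][key.lower()] = value.strip()
    return events

def replay_command(event, local_host):
    # pmreplay for logs on this server; pmremlog -h/-p pmreplay for remote ones.
    if event["iolog"] is None:
        return None
    host, path = event["iolog"]
    if short_name(host) == short_name(local_host):
        return "pmreplay " + shlex.quote(path)
    return f"pmremlog -h {shlex.quote(host)} -p pmreplay -- {shlex.quote(path)}"
```

Running parse_events(SAMPLE_OUTPUT) and passing each event to replay_command with the local server's hostname yields one replay command per logged session and None for the rejected request, which has no IO log.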
Quest, Quest Software and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.