I/O Logs

Privilege Management for Unix and Linux provides the ability to log any input to, or output from, a secured job. This feature tracks everything that a user does in a Unix/Linux shell or terminal session, including the standard input, standard output, and standard error streams.

Prior to v8.5, applications that use their own non-standard file descriptors, such as X-Windows applications, could not be logged through the I/O logs. A feature was added in v8.5.0 to capture X11 applications. For more information, please see X Window System Session Capturing.

The contents of the I/O log file can also be limited to specific streams. The policy writer can limit the amount of data that is recorded from each of these streams.

I/O logging is configured in the policy file. Set the variable iolog to the name of a unique log file. If you want to turn off any of the standard streams, then you can set the variables logstdin, logstdout, and logstderr to false, as appropriate. After the command has started, you can use the pbreplay command to replay whatever was logged to that point in time, even if the session is still in progress.

In this example, the policy file settings have been modified to ensure that all input and output is logged in logtoday when the adduser program is run through Privilege Management for Unix and Linux:
if(command=="adduser") {
    iolog=logmktemp("/var/log/pb.logs/adduser.XXXXXX");
}

We do not recommend the use of a hard-coded file name, because I/O logs are not overwritten. An attempt to write to an existing I/O log file results in an error.

The function logmktemp() is useful for generating unique file names for log files. Like the Unix/Linux mktemp library call, this function takes a template pattern as its argument and returns a string with the filled template, creating a unique file name.

This example sets the file name for recording input and output to a uniquely named file in /usr/adm. The file name begins with pboutput and ends with a unique number that logmktemp substitutes for the X characters:
iolog=logmktemp("/usr/adm/pboutputXXXXXX");
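The two points above (a hard-coded iolog name fails once the file exists, and logmktemp() fills the trailing X characters to produce a name that is never reused) can be modelled outside the policy language. The following is an added Python example, not Privilege Management code; log_mktemp() and open_iolog_exclusive() are hypothetical helpers that mimic the mktemp(3)-style behaviour the page describes, and the directory and file names are constructed for the demonstration.

```python
import os
import secrets
import string
import tempfile

# Added example, not Privilege Management for Unix and Linux code.
# Mimics the documented logmktemp() behaviour: the trailing run of X
# characters in the template is replaced and the file is created with
# O_EXCL, so an existing file is never silently reused or overwritten.

ALPHABET = string.ascii_letters + string.digits


def log_mktemp(template: str, attempts: int = 100) -> str:
    """Fill the trailing 'X' run of template (at least six, as mktemp(3)
    requires) with random characters and exclusively create the file.
    Returns the path of the file that was created."""
    stem = template.rstrip("X")
    n_x = len(template) - len(stem)
    if n_x < 6:
        raise ValueError("template needs at least six trailing X characters")
    for _ in range(attempts):
        candidate = stem + "".join(secrets.choice(ALPHABET) for _ in range(n_x))
        try:
            fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue  # name already taken: pick another
        os.close(fd)
        return candidate
    raise FileExistsError("no unused name found for template " + template)


def open_iolog_exclusive(path: str):
    """Open a hard-coded I/O log path the way the page describes: if the
    file already exists this is an error, never an overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w")


def demo(log_dir: str = None) -> dict:
    """Create two logs from the same template and then try to reuse a
    hard-coded name twice. log_dir defaults to a fresh temporary directory
    (constructed for the example, not a real pb.logs location)."""
    if log_dir is None:
        log_dir = tempfile.mkdtemp(prefix="pb.logs.")
    template = os.path.join(log_dir, "pboutputXXXXXX")
    first = log_mktemp(template)
    second = log_mktemp(template)
    first_name = os.path.basename(first)

    fixed = os.path.join(log_dir, "adduser.log")  # hard-coded name
    with open_iolog_exclusive(fixed):
        pass  # first run: file is created
    try:
        open_iolog_exclusive(fixed)  # second run: must fail
        reuse_allowed = True
    except FileExistsError:
        reuse_allowed = False

    return {
        "template_names_unique": first != second,
        "prefix_kept": first_name.startswith("pboutput"),
        "name_length": len(first_name),
        "hardcoded_reuse_allowed": reuse_allowed,
    }


if __name__ == "__main__":
    print(demo())
```

The result shows why the page recommends logmktemp(): each invocation yields a different name of the same shape, while a second job writing to the fixed adduser.log is refused rather than overwriting the earlier session's record.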

Different machines might have different file system structures, so when using a log server, you should specify log files using the log server’s file system.

Environment variables are recorded in the I/O log file. If you want to suppress the logging of some of those environment variables, then use the logomit list. This variable is a list that contains the names of variables to omit from the log file. This feature is used when there is either no need to log certain variables or when it is wasteful to do so.

The lognopassword variable enables the security administrator to control the logging of non-echoed text (which is traditionally used for passwords) so that no one can see what is typed. If lognopassword is set to true, then only echoed text is logged. If lognopassword is set to false, then everything a user types is logged.

Some commands generate a large amount of output. Two examples are a tar of a complete file system or a daemon that sends output to stdout. It may be useful to limit the amount of output that is recorded in an I/O log for each command so that the logs do not get too large.

The number of characters that are logged from the stdin, stdout, and stderr streams can be limited.

logstdinlimit=150;
logstdoutlimit=200;
logstderrlimit=4096;

This example limits the I/O log to 150 characters for standard input, 200 characters for standard output, and 4096 characters for standard error.

If the command is interactive, such as with a shell, then the characters come from stdin, stdout, and possibly stderr. Each time the active stream changes (for example from stdout to stdin, or from stdout to stderr), the count of characters logged for the new stream starts again from 0, so the limit applies per run of consecutive output on one stream rather than to the session as a whole.
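The per-stream limits and the reset-on-stream-change rule above have a practical consequence for sizing: a batch command that writes in one burst is capped hard, while an interactive session that alternates between stdin and stdout can log the stdout limit many times over. The following is an added Python model of that rule, not Privilege Management code; IOLogLimiter and the two session transcripts are constructed for the example, and the limits are the ones from the page (150, 200 and 4096 characters).

```python
from typing import Dict, List, Optional, Tuple

# Added example, not Privilege Management for Unix and Linux code.
# Models the documented behaviour: each stream has a character limit and
# the counter restarts from 0 whenever the active stream changes.

Session = List[Tuple[str, str]]  # (stream name, data) in session order

# Constructed sessions. BATCH_SESSION stands in for a tar that only writes
# to stdout; INTERACTIVE_SESSION for a shell where prompt, keystrokes and
# command output alternate.
BATCH_SESSION: Session = [("stdout", "x" * 1000)]
INTERACTIVE_SESSION: Session = [
    ("stdout", "$ "), ("stdin", "ls -l\n"), ("stdout", "f" * 300),
    ("stdout", "$ "),                      # same stream: no reset here
    ("stdin", "cat big\n"), ("stdout", "c" * 300),
    ("stderr", "e" * 50), ("stdout", "$ "), ("stdin", "exit\n"),
]

# The limits the page uses: logstdinlimit, logstdoutlimit, logstderrlimit.
PAGE_LIMITS: Dict[str, Optional[int]] = {"stdin": 150, "stdout": 200, "stderr": 4096}


class IOLogLimiter:
    """Applies per-stream limits; None means the stream is unlimited."""

    def __init__(self, limits: Dict[str, Optional[int]]):
        self.limits = limits
        self.active: Optional[str] = None
        self.since_switch = 0  # characters logged since the last stream change
        self.kept = {"stdin": 0, "stdout": 0, "stderr": 0}
        self.dropped = 0

    def record(self, stream: str, data: str) -> int:
        """Log as much of data as the current limit allows; return the
        number of characters actually written to the I/O log."""
        if stream != self.active:          # stream change: counter restarts
            self.active = stream
            self.since_switch = 0
        limit = self.limits.get(stream)
        room = len(data) if limit is None else max(limit - self.since_switch, 0)
        n = min(room, len(data))
        self.since_switch += n
        self.kept[stream] += n
        self.dropped += len(data) - n
        return n


def logged_per_stream(session: Session, limits: Dict[str, Optional[int]]) -> Tuple[Dict[str, int], int]:
    """Replay a session through the limiter; return (chars kept per stream,
    chars dropped in total)."""
    limiter = IOLogLimiter(limits)
    for stream, data in session:
        limiter.record(stream, data)
    return dict(limiter.kept), limiter.dropped


if __name__ == "__main__":
    print("batch      :", logged_per_stream(BATCH_SESSION, PAGE_LIMITS))
    print("interactive:", logged_per_stream(INTERACTIVE_SESSION, PAGE_LIMITS))
```

With the page's limits, the batch session keeps exactly 200 of its 1000 stdout characters, whereas the interactive session keeps 404 stdout characters because the counter restarts at every prompt. Note also the prompt that follows a 300-character burst without an intervening stream change: it is dropped, since stdout is already at its limit for that run. When sizing logs for interactive jobs, plan for the limit to be reached once per stream change, not once per session.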


To avoid file corruption, do not attempt to edit an I/O log file.

Password Logging

To control password logging, please see passwordlogging.

Display I/O Logs

The pbreplay command shows the contents of an I/O log. pbreplay has two modes:

  • Interactive
  • Batch

Interactive mode displays the stdout and stderr of any session. Batch mode can show the stderr, stdout, or stdin of a session. In batch mode it is also possible to specify a switch so that end-of-line characters are displayed as usual rather than just a carriage return, thereby preventing the output from overwriting itself.

The nature of I/O logging means that when a user has certain options enabled in some shells (set -o vi in the Korn shell, for example), the input keys are escape sequences. The shell interprets these, and the resulting text for a given input is what appears on stdout. Privilege Management for Unix and Linux does not interpret these input keystrokes. To determine what command was actually entered, look at the stdout stream (pbreplay -o) and extract the command from the point at which it is run.

I/O Logging and System Crashes

Should a log server crash, or the network connection to the log server be lost, Privilege Management for Unix and Linux attempts to fail over to an alternative log server. In this case, the start and end events for a task might be stored on two or more different machines. If you need to consolidate the event logs, then you can use pbsyncd.

Additionally, an I/O log could be split between two or more machines. I/O logs can be merged with pbsync.

For more information, please see pbsyncd.