PrivX Settings
| SCOPE | SECTION | PROPERTY | DESCRIPTION |
|---|---|---|---|
| GLOBAL | audit | data_folder | Folder for audit trail data. |
| | | timeout_when_no_connmgr | Timeout for connections when no connection manager is available, in seconds. |
| | | trail_expiry | Number of days a trail is available before it is removed from storage. |
| | ldapconnections | enable_ldap_custom_root_certificates | Specifies whether PrivX should use custom root certificates. |
| | | enable_ldap_system_roots_cert_pool | Specifies whether PrivX should use the system certificate pool. |
| | | insecure_skip_verify_tls | Specifies whether the client should accept any certificate presented by the server. This makes TLS susceptible to man-in-the-middle attacks. |
| | | ldap_retry_attempts | LDAP query connection timeout, in seconds. |
| | | ldap_root_ca_pem | Custom root certificate in PEM format, which will be added to the certificate pool for LDAP connections. |
| | disclaimer | privx_disclaimer | Specify disclaimers in JSON format as an array of disclaimer objects. |
| HOST-STORE | health-check-options | service_health_check_max_requests_per_second | Maximum service health check requests per second per worker. |
| | | service_health_check_max_workers | Maximum concurrent health check workers. |
| | | service_health_check_wait | Interval between health check runs, in seconds. |
| | | service_health_checks_enabled | Specifies whether PrivX should perform network connectivity health checks for services. |
| | host-house-keeping | host_housekeeping_run_interval | Interval between housekeeping runs, in hours. |
| | | hosts_deleted_age | The delay, in hours, between when a host has been deleted and when it is permanently removed. |
| | initial-host-service-options-ssh | exec | Set true to enable exec as default for all hosts. |
| | | file_transfer | Set true to enable file_transfer as default for all hosts. |
| | | shell | Set true to enable shell operations as default for all hosts. |
| | | tunnels | Set true to enable tunnels as default for all hosts. |
| | | x11 | Set true to enable x11 as default for all hosts. |
| | | other | Set true to enable all other SSH operations as default for all hosts. |
| | initial-host-service-options-rdp | audio | Set true to enable audio as default for all hosts. |
| | | clipboard | Set true to enable clipboard as default for all hosts. |
| | | file_transfer | Set true to enable file_transfer as default for all hosts. |
| | initial-host-service-options-web | audio | Set true to enable audio as default for all hosts. |
| | | clipboard | Set true to enable clipboard as default for all hosts. |
| | | file_transfer | Set true to enable file_transfer as default for all hosts. |
| | initial-host-service-options-vnc | clipboard | Set true to enable clipboard as default for all hosts. |
| | | file_transfer | Set true to enable file_transfer as default for all hosts. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| ROLE-STORE | authorizedkeys | expired_purge_interval_hours | Expired authorized keys purge interval, in hours. |
| | | max_validity_days | Maximum validity period of an authorized key, in days. |
| | | min_rsa_key_size | Minimum key size in bits for ssh-rsa keys. |
| | | supported_key_types | Specifies the supported authorized key types for logging in to PrivX with user-specific authorized keys. |
| | aws | enabled | Specifies whether AWS support is enabled. |
| | | default_region | Default AWS region to use for fetching access tokens. |
| | | enable_assume_role | Enable assume-role temporary session credentials. |
| | | assume_role_default_ttl | Expiration time in seconds for assume-role temporary credentials. |
| | | enable_federated_tokens | Enable federation token access. |
| | | federated_tokens_default_ttl | Expiration time in seconds for federation tokens. |
| | | force_mfa | Force multi-factor authentication. MFA is supported by default with assume-role level access, but federated tokens do not support MFA. |
| | | max_aws_roles | Maximum number of AWS roles to fetch for role federation. |
| | caching | enable | Specifies whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled. |
| | | max_entries | Maximum entries in the local LRU cache. If the cache exceeds this size, the least recently used entries are purged. |
| | | rule_evaluation_cache_enabled | Specifies whether role rule evaluation results should be cached. |
| | | sync_interval_seconds | Periodic synchronization interval of the internal in-memory cache, in seconds. |
| | | ttl | Cache TTL in seconds. |
| | | type | Cache type. |
| | | user_cache_refresh_ttl | Cache TTL for user caching, in seconds. |
| | directory | blacklisted_host_tag_prefixes | Blacklisted host tag prefixes. |
| | ldap | enable_cache | Enable LDAP query cache. |
| | | default_cache_ttl | Default LDAP cache TTL, in seconds. |
| | | attributes | LDAP attributes filter. |
| | | default_user_filter | Default pre-filter to use when searching users. |
| | | enable_nested_groups | Enable nested groups for role mappings. |
| | | global_ad_user_filter | Filter for AD users when mapping roles. |
| | | paging_size | LDAP query paging size. |
| | scanning | first_host_scanning_delay | Host scanning delay after starting the service, in seconds. |
| | | first_role_scanning_delay | AWS role scanning delay after starting the service. |
| | | host_scanning_frequency | Default host scanning frequency, in seconds. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| | housekeeping | scim_role_housekeeping_interval | SCIM role housekeeping interval, in minutes. |
| | principal_keys | add_on_role_creation | When true, principal keys are created at the time of role creation. Severely impacts system performance. Defaults to false. |
| MONITOR-SERVICE | housekeeping | housekeeping_interval | Interval between audit events housekeeping runs, in hours. |
| | | data_retention_period | Number of days that audit events must be kept in the database. |
| | | status_check_interval | Interval between status checks, in seconds. |
| | | system_health_check_interval | Interval between system health checks, in hours. |
| | | cache_db_expiry_interval | Interval for removing expired keys from the database cache, in seconds. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| TRAIL-INDEX | housekeeping | housekeeping_interval | Interval between housekeeping runs for clearing up expired audit trail files, in minutes. |
| | workers | no_of_workers | Maximum audit trail indexing concurrency. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| RDP-PROXY | rdp_proxy | share_dir | RDP shared directory. |
| | | smartcard_authentication_enabled | RDP smart card authentication. |
| | | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| | | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
| | | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
| | | allow_connect_to_loopback | Allow target connections to loopback addresses. |
| | | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
| | | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited RDP targets. |
| | | web_proxy_enabled | Enable to allow a remote web proxy (Squid) to authorize web connections via the PrivX Web Proxy server. |
| | | connectivity_test_timeout | Connection timeout while checking that a target is reachable. |
| | certificates | update_automatically | - |
| | | renewal_period_months | - |
| | | renewal_period_days | - |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| RDP-MITM | rdp_mitm | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
| | | rdp_public_addresses | RDP-MITM public addresses. |
| | | video_generator_temp_directory | Directory where temporary video files are generated before being stored as part of the trail. |
| | | video_generator_workers | Number of workers encoding video simultaneously. |
| | | ffmpeg_parameters | Video encoding parameters to be passed to the ffmpeg library. |
| | | allow_role_ip_restrictions | Enforce role context IP limitation checks. |
| | | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| | certificates | update_automatically | - |
| | | renewal_period_months | - |
| | | renewal_period_days | - |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| SSH-PROXY | ssh_proxy | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| | | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
| | | forwarder_enabled | Enable to allow forwarding of SSH connections from the PrivX agent. |
| | | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
| | | ssh_keepalive_interval_sec | Target SSH connection keepalive interval, in seconds. |
| | | metadata_update_interval_sec | Interval for metadata updates to the connection manager, in seconds. |
| | | allow_connect_to_loopback | Allow target connections to loopback addresses. |
| | | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
| | | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| SSH-MITM | ssh_mitm | hostkey_algorithms | Host key algorithms. |
| | | ssh_listen_addresses | SSH-MITM listen addresses. |
| | | proxy_listen_addresses | SOCKS / HTTP CONNECT proxy listen addresses. |
| | | ssh_public_addresses | SSH-MITM public addresses. |
| | | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
| | | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
| | | reauthorization_interval_sec | Reauthorization interval, in seconds. |
| | | metadata_update_interval_sec | Interval for metadata updates to the connection manager, in seconds. |
| | | allow_connect_to_loopback | Allow target connections to loopback addresses. |
| | | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
| | | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
| | | allow_role_ip_restrictions | Enable role context IP limitation checks. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| CONNECTION-MANAGER | housekeeping | housekeeping_interval | Interval for connection status housekeeping, in minutes. |
| | | housekeeping_conn_meta_retention | Retention period for connection metadata, in days. |
| | | housekeeping_interval_for_trails | Interval for trail housekeeping, in hours. |
| | | housekeeping_enable_integrity_checker | Check trail integrity during trail housekeeping. |
| | | housekeeping_integrity_checker_use_checksum | Use SHA-256 checksums for the trail integrity checker. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| WORKFLOW-ENGINE | housekeeping | housekeeping_interval | Interval for workflow roles cache housekeeping, in hours. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| AUTH | loginratelimit | enable_username_limit | Enable login attempt limit per username and remote IP pair. |
| | | username_attempts_burst_size | Maximum number of failed logins per user and IP pair. |
| | | username_attempts_per_minute | Number of login attempts per user per minute. |
| | | enable_subnet_limit | Enable login attempt limit per IP subnet. |
| | | subnet_attempts_burst_size | Maximum number of failed logins per subnet. |
| | | subnet_attempts_per_minute | Number of login attempts per subnet per minute. |
| | | remoteip_white_list | Whitelist of remote IP addresses. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| VAULT | secrets | schemas | Vault secrets schema definitions. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| AUTHORIZER | certificate_templates | ssh_cert_templates | SSH certificate login templates. |
| | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| USER-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |
| LICENSE-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused, in seconds. |
| | | conn_max_idletime | Maximum amount of time a connection may be idle, in seconds. |
| | | max_open_conns | Maximum number of open connections to the database. |
| | | max_idle_conns | Maximum number of idle database connections. |