PrivX Settings
Scope Name | Section Name | Property Name | Property Description |
---|---|---|---|
AUTH | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
AUTH | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
AUTH | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
AUTH | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
AUTH | loginratelimit | enable_username_limit | When enabled, login attempts are limited per username + IP pair. |
AUTH | loginratelimit | username_attempts_burst_size | Maximum number of failed logins per user + IP pair. |
AUTH | loginratelimit | username_attempts_per_minute | Maximum number of login attempts per user + IP pair per minute. |
AUTH | loginratelimit | enable_subnet_limit | When enabled, login attempts are limited per IP subnet. |
AUTH | loginratelimit | subnet_attempts_burst_size | Maximum number of failed logins per subnet. |
AUTH | loginratelimit | subnet_attempts_per_minute | Maximum number of login attempts per subnet per minute. |
AUTH | loginratelimit | remoteip_white_list | Whitelist of remote IP addresses. |
AUTH | loginmethods | webauthn_enabled | Enable passkey login and credential registration. |
AUTH | loginmethods | sso_enabled | Enable user to log in using single sign-on (SSO). |
AUTH | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
AUTHORIZER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
AUTHORIZER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
AUTHORIZER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
AUTHORIZER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
AUTHORIZER | certificate_templates | ssh_cert_templates | |
AUTHORIZER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
CONNECTION-MANAGER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
CONNECTION-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
CONNECTION-MANAGER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
CONNECTION-MANAGER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
CONNECTION-MANAGER | housekeeping | housekeeping_interval | Interval for connection status housekeeping, in minutes. |
CONNECTION-MANAGER | housekeeping | housekeeping_conn_meta_retention | Retention period for connection metadata, in days. Set to -1 to disable metadata removal. |
CONNECTION-MANAGER | housekeeping | housekeeping_interval_for_trails | Interval for trail housekeeping, in hours. |
CONNECTION-MANAGER | housekeeping | housekeeping_enable_integrity_checker | Enable to verify the integrity of recorded trails during housekeeping. |
CONNECTION-MANAGER | housekeeping | housekeeping_integrity_checker_use_checksum | Enable to use SHA-256 checksums when verifying integrity of recorded trails. |
CONNECTION-MANAGER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
GLOBAL | audit | timeout_when_no_connmgr | Set to 0 to disable the timeout and keep connections open. |
GLOBAL | audit | data_folder | Folder for audit trail data. |
GLOBAL | audit | trail_expiry | Set to -1 to disable trail removal. |
GLOBAL | audit | transferred_files_expiry | Set to -1 to disable downloaded/uploaded file removal. |
GLOBAL | audit | file_timestamp_obfuscation | Enable trail file and directory timestamp obfuscation. |
GLOBAL | ldapconnections | ldap_connection_timeout | The duration in seconds before an LDAP query connection times out. |
GLOBAL | ldapconnections | ldap_retry_attempts | The number of times to retry if the LDAP query connection times out. |
GLOBAL | ldapconnections | enable_ldap_custom_root_certificates | Specify whether PrivX should use custom root certificates. |
GLOBAL | ldapconnections | enable_ldap_system_roots_cert_pool | Specify whether PrivX should use the system certificate pool. |
GLOBAL | ldapconnections | ldap_root_ca_pem | Specify a custom root certificate in PEM format, which will be added to the certificate pool for LDAP connections. Note that the custom root certificates setting must be enabled to use this. |
GLOBAL | disclaimer | privx_disclaimer | |
GLOBAL | application_switcher | privx_app_switcher_links_ukm | Enter the URL of the Universal SSH Key Manager web UI. |
GLOBAL | rdp_common | host_certificate_trust_anchors | Specify RDP host certificate trust anchor PEM certificates. |
GLOBAL | rdp_common | allow_plaintext_vnc | |
GLOBAL | ssh_common | audit_enabled | Enable sending SSH events to audit log. |
GLOBAL | ssh_common | events_to_audit | Supported SSH event types to audit. |
GLOBAL | icap | icap_for_ssh_proxy | Configure whether PrivX performs virus scanning for transferred files. |
GLOBAL | icap | icap_for_ssh_mitm | Configure whether PrivX performs virus scanning for transferred files via native SSH. |
GLOBAL | icap | icap_for_rdp_proxy | Configure whether PrivX performs virus scanning for transferred files for RDP and Web Access Gateways. |
GLOBAL | icap | icap_server_hostname | Hostname for ICAP proxy server. |
GLOBAL | icap | icap_server_port | Port number for ICAP proxy server. |
GLOBAL | icap | icap_respmod_url | Send a response modification (RESPMOD) with HTTP request headers, using this URL. |
GLOBAL | icap | icap_reqmod_url | Send a request modification (REQMOD) instead of a response modification, using this URL. |
GLOBAL | icap | icap_preview_length | Maximum preview data size in bytes. Set to 0 to disable preview. |
GLOBAL | icap | icap_service_name | Optional ICAP service name. |
GLOBAL | live_monitoring | enable_live_ssh | |
GLOBAL | live_monitoring | enable_live_rdp | |
GLOBAL | live_monitoring | enable_live_vnc | |
GLOBAL | live_monitoring | enable_live_web | |
GLOBAL | invalidated_session_cache | cache_size | Set a positive size for the invalidated session cache. The size determines the number of invalidated sessions that it can hold before eviction. |
GLOBAL | watermarking | host_heading | |
GLOBAL | watermarking | host_watermark | |
DB-PROXY | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
DB-PROXY | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
DB-PROXY | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
DB-PROXY | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
DB-PROXY | dbproxy_internal | reauthorization_interval_sec | Reauthorization interval, in seconds. |
DB-PROXY | certificates | key_type | Key type of the Database Proxy server's key pair, which is used to generate dynamic TLS certificates for database connections. |
DB-PROXY | certificates | rsa_key_size | RSA key size, in bits. |
DB-PROXY | certificates | ecdsa_key_size | ECDSA key size, in bits. |
DB-PROXY | certificates | cache_size | Cache size for dynamically generated TLS certificates. |
DB-PROXY | host_trust_anchors | host_certificate_trust_anchors | Specify host certificate trust anchor PEM certificates. |
DB-PROXY | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
EXTENDER-SERVICE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
EXTENDER-SERVICE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
EXTENDER-SERVICE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
EXTENDER-SERVICE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
EXTENDER-SERVICE | service | listener_address_mode | Listener address resolution mode. |
EXTENDER-SERVICE | service | listener_addresses | List of IP addresses or IP subnet CIDRs used for resolving extender listener addresses. |
EXTENDER-SERVICE | service | listener_port_min | Port range start for extender listeners. |
EXTENDER-SERVICE | service | listener_port_max | Port range end for extender listeners. |
EXTENDER-SERVICE | service | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
EXTENDER-SERVICE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
HOST-STORE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
HOST-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
HOST-STORE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
HOST-STORE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
HOST-STORE | health-check-options | service_health_checks_enabled | Configure whether PrivX performs network connectivity health checks for services. |
HOST-STORE | health-check-options | service_health_check_wait | Interval between health check runs, in seconds. |
HOST-STORE | health-check-options | service_health_check_max_requests_per_second | Maximum service health check requests per second per worker. |
HOST-STORE | health-check-options | service_health_check_max_workers | Maximum concurrent service health requests. |
HOST-STORE | host-house-keeping | host_housekeeping_run_interval | Interval between housekeeping runs, in hours. Housekeeping expunges deleted hosts from the database once hosts have been deleted for longer than the configured expunction delay. Set to 0 to disable housekeeping. |
HOST-STORE | host-house-keeping | hosts_deleted_age | The delay (in hours) between when a host is deleted and when it is permanently removed. |
HOST-STORE | initial-host-service-options-ssh | shell | |
HOST-STORE | initial-host-service-options-ssh | file_transfer | |
HOST-STORE | initial-host-service-options-ssh | exec | |
HOST-STORE | initial-host-service-options-ssh | tunnels | |
HOST-STORE | initial-host-service-options-ssh | x11 | |
HOST-STORE | initial-host-service-options-ssh | other | |
HOST-STORE | initial-host-service-options-rdp | file_transfer | |
HOST-STORE | initial-host-service-options-rdp | audio | |
HOST-STORE | initial-host-service-options-rdp | clipboard | |
HOST-STORE | initial-host-service-options-vnc | file_transfer | |
HOST-STORE | initial-host-service-options-vnc | clipboard | |
HOST-STORE | initial-host-service-options-web | file_transfer | |
HOST-STORE | initial-host-service-options-web | audio | |
HOST-STORE | initial-host-service-options-web | clipboard | |
HOST-STORE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
LICENSE-MANAGER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
LICENSE-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
LICENSE-MANAGER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
LICENSE-MANAGER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
LICENSE-MANAGER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
MONITOR-SERVICE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
MONITOR-SERVICE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
MONITOR-SERVICE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
MONITOR-SERVICE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
MONITOR-SERVICE | housekeeping | housekeeping_interval | Interval between housekeeping runs, in hours. Set to 0 to disable housekeeping. |
MONITOR-SERVICE | housekeeping | data_retention_period | Number of days that audit events must be kept in the database. Set to -1 to disable audit event removal. |
MONITOR-SERVICE | housekeeping | status_check_interval | Interval between status checks, in seconds. Set to 0 to disable checks. |
MONITOR-SERVICE | housekeeping | system_health_check_interval | Interval between system health check, in hours. Set to 0 to disable checks. |
MONITOR-SERVICE | housekeeping | cache_db_expiry_interval | Interval for removing expired keys from the database cache, in seconds. Set to 0 to disable database cache removal. |
MONITOR-SERVICE | housekeeping | external_component_low_storage_warning_threshold | External component low disk space warning threshold, in GB. Set to 0 to disable external component low disk space warning. |
MONITOR-SERVICE | housekeeping | status_expunction_delay | The delay (in hours) before an inactive component's status is permanently removed when housekeeping runs. |
MONITOR-SERVICE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
NETWORK-ACCESS-MANAGER | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
NETWORK-ACCESS-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
NETWORK-ACCESS-MANAGER | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
NETWORK-ACCESS-MANAGER | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
NETWORK-ACCESS-MANAGER | service | housekeeping_interval_sec | Interval between housekeeping runs, in minutes, for removing dead sessions from the PrivX router. |
NETWORK-ACCESS-MANAGER | service | router_session_removal_max_retries | Maximum number of retries for PrivX router session removal. |
NETWORK-ACCESS-MANAGER | service | reauthorization_interval_sec | Reauthorization interval, in seconds. |
NETWORK-ACCESS-MANAGER | service | connection_message_timeout_sec | Timeout interval (seconds) for connection message reply. Default: 5 seconds. |
NETWORK-ACCESS-MANAGER | service | metadata_update_interval_sec | Interval for metadata updates to the connection manager, in seconds. |
NETWORK-ACCESS-MANAGER | service | timeout_when_no_connmgr_min | Timeout for network target sessions when there is no connection to the connection manager, in minutes. |
NETWORK-ACCESS-MANAGER | service | extender_connect_timeout_sec | Connect timeout for extender target connections, in seconds. |
NETWORK-ACCESS-MANAGER | router | routers | |
NETWORK-ACCESS-MANAGER | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
RDP-MITM | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
RDP-MITM | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
RDP-MITM | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
RDP-MITM | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
RDP-MITM | rdp_mitm | rdp_public_addresses | RDP Bastion public addresses. |
RDP-MITM | rdp_mitm | reauthorization_interval_sec | Reauthorization interval, in seconds. |
RDP-MITM | rdp_mitm | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
RDP-MITM | rdp_mitm | allow_role_ip_restrictions | Enable to enforce role context IP limitation checks. |
RDP-MITM | rdp_mitm | ffmpeg_parameters | Video encoding parameters passed to the FFmpeg library. |
RDP-MITM | rdp_mitm | video_generator_workers | Number of workers that encode video simultaneously. |
RDP-MITM | rdp_mitm | video_generator_temp_directory | Directory where temporary video files are generated before they are stored as part of the trail. |
RDP-MITM | rdp_mitm | connection_message_timeout_sec | Timeout interval (seconds) for connection message reply. Default: 5 seconds. |
RDP-MITM | certificates | renewal_period_months | Certificate renewal period in months. |
RDP-MITM | certificates | renewal_period_days | Certificate renewal period in days. |
RDP-MITM | certificates | update_automatically | Configure whether certificates should be updated automatically. |
RDP-MITM | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
RDP-PROXY | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
RDP-PROXY | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
RDP-PROXY | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
RDP-PROXY | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
RDP-PROXY | rdp_proxy | reauthorization_interval_sec | Reauthorization interval, in seconds. |
RDP-PROXY | rdp_proxy | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
RDP-PROXY | rdp_proxy | web_proxy_enabled | Enable to allow remote web proxy (Squid) to authorize web connections via PrivX web proxy server. |
RDP-PROXY | rdp_proxy | smartcard_authentication_enabled | Configure whether RDP smart card authentication is enabled. |
RDP-PROXY | rdp_proxy | smartcard_status_workaround_disabled | Disable RDP smart card login failure workaround. |
RDP-PROXY | rdp_proxy | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
RDP-PROXY | rdp_proxy | allow_connect_to_loopback | Allow target connections to loopback addresses. |
RDP-PROXY | rdp_proxy | enable_wallpaper | Enable desktop wallpaper for target hosts. Disabling this makes screen updates faster. |
RDP-PROXY | rdp_proxy | enable_font_smoothing | Enable font smoothing. Enabling this usually improves the text quality. |
RDP-PROXY | rdp_proxy | share_dir | RDP shared directory. |
RDP-PROXY | rdp_proxy | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited RDP targets. |
RDP-PROXY | rdp_proxy | connectivity_test_timeout | Connection timeout when checking whether a target is reachable, in seconds. |
RDP-PROXY | rdp_proxy | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
RDP-PROXY | rdp_proxy | connection_message_timeout_sec | Timeout interval (seconds) for connection message reply. Default: 5 seconds. |
RDP-PROXY | certificates | renewal_period_months | Certificate renewal period in months. |
RDP-PROXY | certificates | renewal_period_days | Certificate renewal period in days. |
RDP-PROXY | certificates | update_automatically | Configure whether certificates should be updated automatically. |
RDP-PROXY | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
ROLE-STORE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
ROLE-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
ROLE-STORE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
ROLE-STORE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
ROLE-STORE | authorizedkeys | expired_purge_interval_hours | Expired authorized keys purge interval in hours. Set to 0 to disable automatic deletion of expired authorized keys. |
ROLE-STORE | authorizedkeys | max_validity_days | Authorized key maximum validity period length in days. Valid values are 1-7300 days. |
ROLE-STORE | authorizedkeys | min_rsa_key_size | Minimum key size in bits for ssh-rsa keys. |
ROLE-STORE | authorizedkeys | supported_key_types | Specify the supported authorized key types for logging in to PrivX with user specific authorized keys. |
ROLE-STORE | aws | enabled | Specify whether AWS support is enabled. |
ROLE-STORE | aws | default_region | Default AWS region to use for API access. |
ROLE-STORE | aws | enable_assume_role | Enable assume-role temporary session credentials. These credentials can be used to give PrivX users temporary access to AWS API via AWS CLI or scripting. |
ROLE-STORE | aws | assume_role_default_ttl | Expiration time in seconds for assume-role temporary credentials. AWS service limits are minimum 900 (15 min), maximum 43200 (12 hours). Values above 3600 seconds require modifying the AWS target role config or token grants will fail. |
ROLE-STORE | aws | enable_federated_tokens | Enable federation token access. These credentials can be used to give SSH PrivX users temporary access to AWS API via AWS roles. If both assume-role and federated role tokens are enabled, assume-role will be used. |
ROLE-STORE | aws | federated_tokens_default_ttl | Expiration time in seconds for federated tokens. AWS service limits are minimum 900 (15 min), maximum 129600 (36 hours). |
ROLE-STORE | aws | max_aws_roles | Maximum number of AWS roles to fetch. This restriction is applied after role path or role name filtering is done. |
ROLE-STORE | caching | enable | Specify whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled. Additionally, it is used to define the size of cache used for storing deleted roles. Disabling the setting is not recommended. |
ROLE-STORE | caching | type | Cache type. Local caching uses an in-memory LRU cache. Cache type "Local" is recommended for security reasons. |
ROLE-STORE | caching | rule_evaluation_cache_enabled | Specify whether role rule evaluation results should be cached. Enabling this setting is recommended. |
ROLE-STORE | caching | max_entries | Maximum entries in the local LRU cache. If cache exceeds this size, the least recently used entries are purged. The minimum size of cache should be greater than the number of active PrivX users + total PrivX role rule count. |
ROLE-STORE | caching | sync_interval_seconds | Local cache periodic synchronization interval in seconds. Should be a relatively small value (default is 60 seconds). Set to 0 to disable synchronization. This setting should be enabled in HA environments. |
ROLE-STORE | caching | ttl | Cache TTL in seconds. Should be set to a relatively small value (a few minutes). However, setting this too low (e.g. less than 3 seconds) might cause synchronization issues when running multiple instances of the same service. |
ROLE-STORE | caching | user_cache_refresh_ttl | Cache TTL for user caching in seconds. If user data in the user cache has been refreshed more recently than the User Cache TTL setting, then it won't be reloaded from the user directory. Value of 0 disables the cache. Note that disabling the cache forces fetching user data from the user directory every time user roles are resolved. Disabling the setting is NOT recommended. |
ROLE-STORE | caching | deleted_roles_cache_size | Size of the cache that stores deleted roles in memory. Minimum value is 1000 and maximum value is 10000000 (10M). Default value is 1000000 (1M). |
ROLE-STORE | directory | blacklisted_host_tag_prefixes | When the "Import host instance tags from the directory" setting is enabled for a host directory, all host tags will be imported to PrivX except tags starting with these prefixes. |
ROLE-STORE | housekeeping | scim_role_housekeeping_interval | Interval between housekeeping runs, in minutes, for clearing up unused roles created by SCIM directories. Set to 0 to disable housekeeping. |
ROLE-STORE | housekeeping | users_active_interval | Interval after the last login during which a user is considered active. A user who has not logged in within this interval is considered inactive, and housekeeping is applied to that user (deleting user settings, explicit role mappings, authorized keys and OIDC user data). Note that this behavior does not apply to local users and API clients. |
ROLE-STORE | ldap | enable_nested_groups | Enable nested groups for role mappings. Enables LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) filter for role queries against user directories. This option affects only role mappings. AD directory settings are not affected by this setting. |
ROLE-STORE | ldap | default_cache_ttl | Default LDAP cache TTL in seconds. Used if no TTL is specified for an LDAP directory. If you have many users or very slow LDAP servers, set the TTL to a higher value. |
ROLE-STORE | ldap | paging_size | LDAP query pagination size. The default maximum for Active Directory is 1000. Use as high a value as possible for maximum performance. |
ROLE-STORE | ldap | attributes | Specifies which attributes to fetch from LDAP for caching. Leaving this empty will fetch all attributes for LDAP objects. Filtering out unused attributes will make the memory consumption smaller and improve query times. Note that only the specified attributes can be used for LDAP query filters and role source rules. The recommended attributes filter is: objectClass cn dn distinguishedName whenCreated whenChanged name userPrincipalName givenName company departmentNumber mail email mobile sAMAccountName uid memberOf entryDN displayName userAccountControl groupType servicePrincipalName objectCategory objectGUID objectSID |
ROLE-STORE | ldap | default_user_filter | Default pre-filter to use when searching users. Not required, but allows using shorter LDAP search strings. Use this to filter out non-user objects. Directory-level user filters override this default setting. Leaving the user filter empty increases memory consumption. The recommended user filter is: (\|(objectClass=user)(objectClass=person)(objectClass=inetOrgPerson)) |
ROLE-STORE | ldap | global_ad_user_filter | Automatically append this filter to Active Directory requests when fetching users or mapping roles. The recommended AD user filter, which filters out disabled users, is: (!userAccountControl:1.2.840.113556.1.4.803:=2) |
ROLE-STORE | scanning | first_host_scanning_delay | Host scanning delay after starting the service, in seconds. |
ROLE-STORE | scanning | first_role_scanning_delay | AWS role scanning delay after starting the service, in seconds. |
ROLE-STORE | scanning | host_scanning_frequency | Default interval between host scanning runs, in seconds. |
ROLE-STORE | scanning | role_member_count_update_frequency | Frequency for resolving granted membership counts for roles, in seconds. |
ROLE-STORE | scim | max_results | Maximum results page size for SCIM GET requests. |
ROLE-STORE | principal_keys | add_on_role_creation | When true, principal keys are created at the time of role creation. Defaults to false. |
ROLE-STORE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
SSH-MITM | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
SSH-MITM | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
SSH-MITM | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
SSH-MITM | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
SSH-MITM | ssh_mitm | ssh_public_addresses | SSH Bastion public addresses. |
SSH-MITM | ssh_mitm | reauthorization_interval_sec | Reauthorization interval, in seconds. |
SSH-MITM | ssh_mitm | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
SSH-MITM | ssh_mitm | allow_role_ip_restrictions | Enable to enforce role context IP limitation checks. |
SSH-MITM | ssh_mitm | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
SSH-MITM | ssh_mitm | allow_connect_to_loopback | Allow target connections to loopback addresses. |
SSH-MITM | ssh_mitm | hostkey_algorithms | Supported hostkey algorithms. |
SSH-MITM | ssh_mitm | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
SSH-MITM | ssh_mitm | metadata_update_interval_sec | Interval for metadata updates to connection manager, in seconds. |
SSH-MITM | ssh_mitm | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
SSH-MITM | ssh_mitm | exec_connection_idle_timeout_sec | SSH exec connection idle timeout, in seconds. |
SSH-MITM | ssh_mitm | connection_message_timeout_sec | Timeout interval (seconds) for connection message reply. Default: 5 seconds. |
SSH-MITM | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. The specified audit events are not saved to the PrivX database but are only logged to syslog. |
SSH-PROXY | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open instead of lazily closing them. |
SSH-PROXY | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
SSH-PROXY | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
SSH-PROXY | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use an unlimited number of open connections. |
SSH-PROXY | ssh_proxy | reauthorization_interval_sec | Reauthorization interval, in seconds. |
SSH-PROXY | ssh_proxy | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. |
SSH-PROXY | ssh_proxy | forwarder_enabled | Enable to allow forwarding of SSH connections from the PrivX agent. |
SSH-PROXY | ssh_proxy | allow_connect_to_local_addresses | Allow target connections to local interface addresses. |
SSH-PROXY | ssh_proxy | allow_connect_to_loopback | Allow target connections to loopback addresses. |
SSH-PROXY | ssh_proxy | target_blacklist | A comma-separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. |
SSH-PROXY | ssh_proxy | metadata_update_interval_sec | Interval for metadata updates to connection manager, in seconds. |
SSH-PROXY | ssh_proxy | ssh_keepalive_interval_sec | Target SSH connection keepalive interval, in seconds. |
SSH-PROXY | ssh_proxy | ws_keepalive_interval_sec | WebSocket keepalive interval, in seconds. |
SSH-PROXY | ssh_proxy | connection_message_timeout_sec | Timeout interval (seconds) for connection message reply. Default: 5 seconds. |
SSH-PROXY | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. |
TRAIL-INDEX | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open rather than lazily closing them. |
TRAIL-INDEX | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
TRAIL-INDEX | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
TRAIL-INDEX | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. |
TRAIL-INDEX | housekeeping | housekeeping_interval | Interval between housekeeping runs, in minutes, for clearing up expired audit trail files. Set to 0 to disable housekeeping. |
TRAIL-INDEX | workers | no_of_workers | Maximum audit trail indexing concurrency. |
TRAIL-INDEX | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. |
USER-STORE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open rather than lazily closing them. |
USER-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
USER-STORE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
USER-STORE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. |
USER-STORE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. |
VAULT | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open rather than lazily closing them. |
VAULT | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
VAULT | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
VAULT | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. |
VAULT | secrets | schemas | Specify secret schemas in JSON format as an array of schema objects, as shown in the example. |
VAULT | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. |
WORKFLOW-ENGINE | db | conn_max_idletime | Maximum amount of time a connection may be idle. Set 0 to keep idle connections open rather than lazily closing them. |
WORKFLOW-ENGINE | db | conn_max_lifetime | Maximum amount of time a connection may be reused. Set 0 to reuse the connection forever. |
WORKFLOW-ENGINE | db | max_idle_conns | Maximum number of idle database connections. Set 0 to lazily remove all idle connections. |
WORKFLOW-ENGINE | db | max_open_conns | Maximum number of open connections to the database. Set 0 to use unlimited number of open connections. |
WORKFLOW-ENGINE | auditevents | skip_event_ids | Comma-separated list of audit-event codes or code ranges, e.g. 1,10,20-30. Specified audit events are not saved to PrivX database, but only logged to syslog. |
SECRETS-MANAGER | winrm | winrm_host_certificate_trust_anchors | Specify WinRM host certificate trust anchor PEM certificates. |