PrivX Settings

SCOPESECTIONPROPERTYDESCRIPTION
GLOBALauditdata_folderFolder for audit trail data.
timeout_when_no_connmgrTimeout for connections when no connection manager, in seconds.
trail_expiryNumber of days a trail is available before removed from storage.
ldapconnectionsenable_ldap_custom_root_certificatesSpecifies if PrivX should use custom root certificates.
enable_ldap_system_roots_cert_poolSpecifies if PrivX should use the system certificates pool
insecure_skip_verify_tlsSpecifies whether the client should accept any certificate presented by the server. It makes TLS susceptible to man-in-the-middle attacks.
ldap_retry_attemptsLDAP query connection timeout, in seconds.
ldap_root_ca_pemCustom root certificate in PEM format, which will be added to cert pool for LDAP connections.
disclaimerprivx_disclaimerSpecify disclaimers in JSON format as an array of disclaimer objects.
HOST-STOREhealth-check-optionsservice_health_check_max_requests_per_secondMaximum service health check requests per second per worker.
service_health_check_max_workersMaximum concurrent health check workers.
service_health_check_waitInterval between health check runs, in seconds.
service_health_checks_enabledSpecifies whether PrivX should perform network connectivity health checks for services.
host-house-keepinghost_housekeeping_run_intervalInterval between housekeeping runs, in hours.
hosts_deleted_ageThe delay (in hours) between when a host has been deleted to when it will be permanently removed.
initial-host-service-options-sshexecSet true to enable exec as default for all the hosts.
file_transferSet true to enable file_transfer as default for all the hosts.
shellSet true to enable shell operations as default for all the hosts.
tunnelsSet true to enable tunnels as default for all the hosts.
x11Set true to enable x11 as default for all the hosts.
otherSet true to enable all the other ssh operations as default for all the hosts.
initial-host-service-options-rdpaudioSet true to enable audio as default for all the hosts.
clipboardSet true to enable clipboard as default for all the hosts.
file_transferSet true to enable file_transfer as default for all the hosts.
initial-host-service-options-webaudioSet true to enable audio as default for all the hosts.
clipboardSet true to enable clipboard as default for all the hosts.
file_transferSet true to enable file_transfer as default for all the hosts.
initial-host-service-options-vncclipboardSet true to enable clipboard as default for all the hosts.
file_transferSet true to enable file_transfer as default for all the hosts.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
ROLE-STOREauthorizedkeysexpired_purge_interval_hoursExpired authorized keys purge interval, in hours.
max_validity_daysAuthorized key maximum validity period length in days
min_rsa_key_sizeMinimum key size in bits for ssh-rsa keys.
supported_key_typesSpecifies the supported authorized key types for logging in to PrivX with user specific authorized keys.
awsenabledSpecifies whether AWS support is enabled.
default_regionDefault AWS region to use for fetching access tokens.
enable_assume_roleEnable assume-role temporary session credentials.
assume_role_default_ttlExpiration time in seconds for assume-role temporary credentials.
enable_federated_tokensEnable federation token access.
federated_tokens_default_ttlExpiration time in seconds for federation token
force_mfaForce Multi Factor Authentication. MFA is supported by default with assume-role level access. But, federated tokens do not support MFA.
max_aws_rolesMaximum number of AWS roles to fetch for role federation
cachingenableSpecifies whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled
max_entriesMaximum entries in the local LRU cache. If cache exceeds this size, the least recently used entries are purged
rule_evaluation_cache_enabledSpecifies whether role rule evaluation results should be cached.
sync_interval_secondsInternal in-mem cache periodic synchronization interval in seconds
ttlCache TTL in seconds.
typeCache type
user_cache_refresh_ttlCache TTL for user caching, in seconds.
directoryblacklisted_host_tag_prefixesBlacklisted host tag prefixes
ldapenable_cacheEnable LDAP query cache
default_cache_ttlDefault LDAP cache TTL (in seconds).
attributesLDAP attributes filter
default_user_filterDefault pre-filter to use when searching users.
enable_nested_groupsEnable nested groups for role mappings.
global_ad_user_filterfilter to AD users or mapping roles
paging_sizeLDAP query paging size
scanningfirst_host_scanning_delayHost scanning delay after starting the service in seconds.
first_role_scanning_delayAWS role scanning delay after starting the service
host_scanning_frequencyHost scanning frequency default value in seconds.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
housekeepingscim_role_housekeeping_intervalSCIM role housekeeping interval in minutes
MONITOR-SERVICEhousekeepinghousekeeping_intervalInterval between audit events housekeeping runs, in hours
data_retention_periodNumber of days that audit events must be kept in the database.
status_check_intervalInterval between status checks, in seconds.
system_health_check_intervalInterval between system health check, in hours.
cache_db_expiry_intervalInterval for removing expired keys from the database cache, in seconds.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
TRAIL-INDEXhousekeepinghousekeeping_intervalInterval between housekeeping runs, in minutes, for clearing up expired audit trail files.
workersno_of_workersMaximum audit trail indexing concurrency.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
RDP-PROXYrdp_proxyshare_dirRDP shared directory.
smartcard_authentication_enabledRDP smart card authentication.
reauthorization_interval_secReauthorization interval, in seconds.
extender_enabledEnable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks.
ws_keepalive_interval_secWeb socket keepalive interval, in seconds.
allow_connect_to_loopbackAllow target connections to loopback addresses.
allow_connect_to_local_addressesAllow target connections to local interface addresses.
target_blacklistA comma separated list of IP addresses or subnets (CIDR) of prohibited RDP targets.
web_proxy_enabledEnable to allow remote web proxy (Squid) to authorize web connections via PrivX Web Proxy server.
connectivity_test_timeoutConnection timeout while check a target is reachable.
certificatesupdate_automatically-
renewal_period_months-
renewal_period_days-
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
RDP-MITMrdp_mitmextender_enabledEnable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks.
RDP-MITMrdp_public_addressesRDP-MITM public addresses
video_generator_temp_directoryDirectory where temporary video files are generated before stored as part of trail
video_generator_workersNo of workers encode video simultaneously
ffmpeg_parametersVideo encoding parameters to be passed for ffmpeg library.
allow_role_ip_restrictionsEnforce role context IP limitation checks.
reauthorization_interval_secReauthorization interval, in seconds
RDP-MITMcertificatesupdate_automatically-
renewal_period_months-
renewal_period_days-
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
SSH-PROXYssh_proxyreauthorization_interval_secReauthorization interval, in seconds
extender_enabledEnable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks.
forwarder_enabledEnable to allow forwarding of SSH connections from the PrivX agent.
ws_keepalive_interval_secWeb socket keepalive interval in seconds.
ssh_keepalive_interval_secTarget ssh connection keepalive interval, in seconds.
metadata_update_interval_secInterval for metadata updates to connection manager, in seconds.
allow_connect_to_loopbackAllow target connections to loopback addresses.
allow_connect_to_local_addressesAllow target connections to local interface addresses.
target_blacklistA comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
SSH-MITMssh_mitmhostkey_algorithmsHost key algorithms.
ssh_listen_addressesSSH-MITM listen addresses.
proxy_listen_addressesSOCKS / http connect proxy listen addresses.
ssh_public_addressesSSH-MITM public addresses.
extender_enabledEnable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks.
ws_keepalive_interval_secWebsocket keepalive interval, in seconds.
reauthorization_interval_secReauthorization interval, in seconds.
metadata_update_interval_secInterval for metadata updates to connection manager, in seconds.
allow_connect_to_loopbackAllow target connections to loopback addresses.
allow_connect_to_local_addressesAllow target connections to local interface addresses.
target_blacklistA comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets.
allow_role_ip_restrictionsEnable role context IP limitation checks.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
CONNECTION-MANAGERhousekeepinghousekeeping_intervalInterval for connection status housekeeping, in minutes.
housekeeping_conn_meta_retentionRetention period for connection metadata, in days.
housekeeping_interval_for_trailsInterval for trail housekeeping, in hours.
housekeeping_enable_integrity_checkerCheck trail integrity on trail housekeeping.
housekeeping_integrity_checker_use_checksumUse sha256 checksum for trail integrity checker.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
WORKFLOW-ENGINEhousekeepinghousekeeping_intervalInterval for workflow roles cache housekeeping, in hours
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
AUTHloginratelimitenable_username_limitEnable login attempts limit per username + remote IP pair
username_attempts_burst_sizeMaximum number of failed logins per user + IP.
username_attempts_per_minuteNumber of Login attempts for users per minute
enable_subnet_limitEnable login attempts limit per IP subnet
subnet_attempts_burst_sizeMaximum number of failed logins per subnet
subnet_attempts_per_minuteNumber Login attempts for subnets per minute
remoteip_white_listWhitelist of remote IP addresses.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
VAULTsecretsschemasVault secrets schema definitions.
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
AUTHORIZERcertificate_templatesssh_cert_templatesSSH certificate login templates
dbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
USER-STOREdbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections
LICENSE-MANAGERdbconn_max_lifetimeMaximum amount of time a connection may be reused (in seconds)
conn_max_idletimeMaximum amount of time a connection may be Idle (in seconds)
max_open_connsMaximum number of open connections to the database.
max_idle_connsMaximum number of idle DB connections

Did this page help you?