PrivX Settings
| SCOPE | SECTION | PROPERTY | DESCRIPTION |
|---|---|---|---|
| GLOBAL | audit | data_folder | Folder for audit trail data. |
| timeout_when_no_connmgr | Timeout for connections when no connection manager, in seconds. | ||
| trail_expiry | Number of days a trail is available before removed from storage. | ||
| ldapconnections | enable_ldap_custom_root_certificates | Specifies if PrivX should use custom root certificates. | |
| enable_ldap_system_roots_cert_pool | Specifies if PrivX should use the system certificates pool | ||
| insecure_skip_verify_tls | Specifies whether the client should accept any certificate presented by the server. It makes TLS susceptible to man-in-the-middle attacks. | ||
| ldap_retry_attempts | LDAP query connection timeout, in seconds. | ||
| ldap_root_ca_pem | Custom root certificate in PEM format, which will be added to cert pool for LDAP connections. | ||
| disclaimer | privx_disclaimer | Specify disclaimers in JSON format as an array of disclaimer objects. | |
| HOST-STORE | health-check-options | service_health_check_max_requests_per_second | Maximum service health check requests per second per worker. |
| service_health_check_max_workers | Maximum concurrent health check workers. | ||
| service_health_check_wait | Interval between health check runs, in seconds. | ||
| service_health_checks_enabled | Specifies whether PrivX should perform network connectivity health checks for services. | ||
| host-house-keeping | host_housekeeping_run_interval | Interval between housekeeping runs, in hours. | |
| hosts_deleted_age | The delay (in hours) between when a host has been deleted to when it will be permanently removed. | ||
| initial-host-service-options-ssh | exec | Set true to enable exec as default for all the hosts. | |
| file_transfer | Set true to enable file_transfer as default for all the hosts. | ||
| shell | Set true to enable shell operations as default for all the hosts. | ||
| tunnels | Set true to enable tunnels as default for all the hosts. | ||
| x11 | Set true to enable x11 as default for all the hosts. | ||
| other | Set true to enable all the other ssh operations as default for all the hosts. | ||
| initial-host-service-options-rdp | audio | Set true to enable audio as default for all the hosts. | |
| clipboard | Set true to enable clipboard as default for all the hosts. | ||
| file_transfer | Set true to enable file_transfer as default for all the hosts. | ||
| initial-host-service-options-web | audio | Set true to enable audio as default for all the hosts. | |
| clipboard | Set true to enable clipboard as default for all the hosts. | ||
| file_transfer | Set true to enable file_transfer as default for all the hosts. | ||
| initial-host-service-options-vnc | clipboard | Set true to enable clipboard as default for all the hosts. | |
| file_transfer | Set true to enable file_transfer as default for all the hosts. | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| ROLE-STORE | authorizedkeys | expired_purge_interval_hours | Expired authorized keys purge interval, in hours. |
| max_validity_days | Authorized key maximum validity period length in days | ||
| min_rsa_key_size | Minimum key size in bits for ssh-rsa keys. | ||
| supported_key_types | Specifies the supported authorized key types for logging in to PrivX with user specific authorized keys. | ||
| aws | enabled | Specifies whether AWS support is enabled. | |
| default_region | Default AWS region to use for fetching access tokens. | ||
| enable_assume_role | Enable assume-role temporary session credentials. | ||
| assume_role_default_ttl | Expiration time in seconds for assume-role temporary credentials. | ||
| enable_federated_tokens | Enable federation token access. | ||
| federated_tokens_default_ttl | Expiration time in seconds for federation token | ||
| force_mfa | Force Multi Factor Authentication. MFA is supported by default with assume-role level access. But, federated tokens do not support MFA. | ||
| max_aws_roles | Maximum number of AWS roles to fetch for role federation | ||
| caching | enable | Specifies whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled | |
| max_entries | Maximum entries in the local LRU cache. If cache exceeds this size, the least recently used entries are purged | ||
| rule_evaluation_cache_enabled | Specifies whether role rule evaluation results should be cached. | ||
| sync_interval_seconds | Internal in-mem cache periodic synchronization interval in seconds | ||
| ttl | Cache TTL in seconds. | ||
| type | Cache type | ||
| user_cache_refresh_ttl | Cache TTL for user caching, in seconds. | ||
| directory | blacklisted_host_tag_prefixes | Blacklisted host tag prefixes | |
| ldap | enable_cache | Enable LDAP query cache | |
| default_cache_ttl | Default LDAP cache TTL (in seconds). | ||
| attributes | LDAP attributes filter | ||
| default_user_filter | Default pre-filter to use when searching users. | ||
| enable_nested_groups | Enable nested groups for role mappings. | ||
| global_ad_user_filter | filter to AD users or mapping roles | ||
| paging_size | LDAP query paging size | ||
| scanning | first_host_scanning_delay | Host scanning delay after starting the service in seconds. | |
| first_role_scanning_delay | AWS role scanning delay after starting the service | ||
| host_scanning_frequency | Host scanning frequency default value in seconds. | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| housekeeping | scim_role_housekeeping_interval | SCIM role housekeeping interval in minutes | |
| principal_keys | add_on_role_creation | When True, Principal keys get created at the time of role creation. Severly impacts system performance. Defaults to False. | |
| MONITOR-SERVICE | housekeeping | housekeeping_interval | Interval between audit events housekeeping runs, in hours |
| data_retention_period | Number of days that audit events must be kept in the database. | ||
| status_check_interval | Interval between status checks, in seconds. | ||
| system_health_check_interval | Interval between system health check, in hours. | ||
| cache_db_expiry_interval | Interval for removing expired keys from the database cache, in seconds. | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| TRAIL-INDEX | housekeeping | housekeeping_interval | Interval between housekeeping runs, in minutes, for clearing up expired audit trail files. |
| workers | no_of_workers | Maximum audit trail indexing concurrency. | |
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| RDP-PROXY | rdp_proxy | share_dir | RDP shared directory. |
| smartcard_authentication_enabled | RDP smart card authentication. | ||
| reauthorization_interval_sec | Reauthorization interval, in seconds. | ||
| extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. | ||
| ws_keepalive_interval_sec | Web socket keepalive interval, in seconds. | ||
| allow_connect_to_loopback | Allow target connections to loopback addresses. | ||
| allow_connect_to_local_addresses | Allow target connections to local interface addresses. | ||
| target_blacklist | A comma separated list of IP addresses or subnets (CIDR) of prohibited RDP targets. | ||
| web_proxy_enabled | Enable to allow remote web proxy (Squid) to authorize web connections via PrivX Web Proxy server. | ||
| connectivity_test_timeout | Connection timeout while check a target is reachable. | ||
| certificates | update_automatically | - | |
| renewal_period_months | - | ||
| renewal_period_days | - | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| RDP-MITM | rdp_mitm | extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling RDP traffic inside VPC networks. |
| RDP-MITM | rdp_public_addresses | RDP-MITM public addresses | |
| video_generator_temp_directory | Directory where temporary video files are generated before stored as part of trail | ||
| video_generator_workers | No of workers encode video simultaneously | ||
| ffmpeg_parameters | Video encoding parameters to be passed for ffmpeg library. | ||
| allow_role_ip_restrictions | Enforce role context IP limitation checks. | ||
| reauthorization_interval_sec | Reauthorization interval, in seconds | ||
| RDP-MITM | certificates | update_automatically | - |
| renewal_period_months | - | ||
| renewal_period_days | - | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| SSH-PROXY | ssh_proxy | reauthorization_interval_sec | Reauthorization interval, in seconds |
| extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. | ||
| forwarder_enabled | Enable to allow forwarding of SSH connections from the PrivX agent. | ||
| ws_keepalive_interval_sec | Web socket keepalive interval in seconds. | ||
| ssh_keepalive_interval_sec | Target ssh connection keepalive interval, in seconds. | ||
| metadata_update_interval_sec | Interval for metadata updates to connection manager, in seconds. | ||
| allow_connect_to_loopback | Allow target connections to loopback addresses. | ||
| allow_connect_to_local_addresses | Allow target connections to local interface addresses. | ||
| target_blacklist | A comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| SSH-MITM | ssh_mitm | hostkey_algorithms | Host key algorithms. |
| ssh_listen_addresses | SSH-MITM listen addresses. | ||
| proxy_listen_addresses | SOCKS / http connect proxy listen addresses. | ||
| ssh_public_addresses | SSH-MITM public addresses. | ||
| extender_enabled | Enable to allow remote PrivX Extender client connections for tunneling SSH traffic inside VPC networks. | ||
| ws_keepalive_interval_sec | Websocket keepalive interval, in seconds. | ||
| reauthorization_interval_sec | Reauthorization interval, in seconds. | ||
| metadata_update_interval_sec | Interval for metadata updates to connection manager, in seconds. | ||
| allow_connect_to_loopback | Allow target connections to loopback addresses. | ||
| allow_connect_to_local_addresses | Allow target connections to local interface addresses. | ||
| target_blacklist | A comma separated list of IP addresses or subnets (CIDR) of prohibited SSH targets. | ||
| allow_role_ip_restrictions | Enable role context IP limitation checks. | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| CONNECTION-MANAGER | housekeeping | housekeeping_interval | Interval for connection status housekeeping, in minutes. |
| housekeeping_conn_meta_retention | Retention period for connection metadata, in days. | ||
| housekeeping_interval_for_trails | Interval for trail housekeeping, in hours. | ||
| housekeeping_enable_integrity_checker | Check trail integrity on trail housekeeping. | ||
| housekeeping_integrity_checker_use_checksum | Use sha256 checksum for trail integrity checker. | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| WORKFLOW-ENGINE | housekeeping | housekeeping_interval | Interval for workflow roles cache housekeeping, in hours |
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| AUTH | loginratelimit | enable_username_limit | Enable login attempts limit per username + remote IP pair |
| username_attempts_burst_size | Maximum number of failed logins per user + IP. | ||
| username_attempts_per_minute | Number of Login attempts for users per minute | ||
| enable_subnet_limit | Enable login attempts limit per IP subnet | ||
| subnet_attempts_burst_size | Maximum number of failed logins per subnet | ||
| subnet_attempts_per_minute | Number Login attempts for subnets per minute | ||
| remoteip_white_list | Whitelist of remote IP addresses. | ||
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| VAULT | secrets | schemas | Vault secrets schema definitions. |
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| AUTHORIZER | certificate_templates | ssh_cert_templates | SSH certificate login templates |
| db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) | |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| USER-STORE | db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections | ||
| LICENSE-MANAGER | db | conn_max_lifetime | Maximum amount of time a connection may be reused (in seconds) |
| conn_max_idletime | Maximum amount of time a connection may be Idle (in seconds) | ||
| max_open_conns | Maximum number of open connections to the database. | ||
| max_idle_conns | Maximum number of idle DB connections |
Updated 3 months ago