PrivX Settings
SCOPE | SECTION | PROPERTY | DESCRIPTION |
---|---|---|---|
GLOBAL | audit | data_folder | Folder for audit trail data. |
GLOBAL | audit | timeout_when_no_connmgr | Timeout, in seconds, for connections when no connection manager is available. |
GLOBAL | audit | trail_expiry | Number of days an audit trail is kept before it is removed from storage. |
GLOBAL | ldapconnections | enable_ldap_custom_root_certificates | Specifies whether PrivX should use custom root certificates for LDAP connections. |
GLOBAL | ldapconnections | enable_ldap_system_roots_cert_pool | Specifies whether PrivX should use the system certificate pool for LDAP connections. |
GLOBAL | ldapconnections | insecure_skip_verify_tls | Specifies whether the client should accept any certificate presented by the LDAP server. Enabling this makes the TLS connection susceptible to man-in-the-middle attacks; leave it disabled outside of testing. |
GLOBAL | ldapconnections | ldap_retry_attempts | Number of times a failed LDAP query connection is retried. |
GLOBAL | ldapconnections | ldap_root_ca_pem | Custom root certificate in PEM format, which is added to the certificate pool for LDAP connections. |
GLOBAL | disclaimer | privx_disclaimer | Disclaimers in JSON format, as an array of disclaimer objects. |
HOST-STORE | health-check-options | service_health_check_max_requests_per_second | Maximum service health check requests per second per worker. |
HOST-STORE | health-check-options | service_health_check_max_workers | Maximum number of concurrent health check workers. |
HOST-STORE | health-check-options | service_health_check_wait | Interval between health check runs, in seconds. |
HOST-STORE | health-check-options | service_health_checks_enabled | Specifies whether PrivX should perform network connectivity health checks for services. |
HOST-STORE | host-house-keeping | host_housekeeping_run_interval | Interval between housekeeping runs, in hours. |
HOST-STORE | host-house-keeping | hosts_deleted_age | Delay, in hours, between a host being deleted and its permanent removal. |
HOST-STORE | initial-host-service-options-ssh | exec | Set true to enable exec by default for all hosts. |
HOST-STORE | initial-host-service-options-ssh | file_transfer | Set true to enable file_transfer by default for all hosts. |
HOST-STORE | initial-host-service-options-ssh | shell | Set true to enable shell operations by default for all hosts. |
HOST-STORE | initial-host-service-options-ssh | tunnels | Set true to enable tunnels by default for all hosts. |
HOST-STORE | initial-host-service-options-ssh | x11 | Set true to enable x11 by default for all hosts. |
HOST-STORE | initial-host-service-options-ssh | other | Set true to enable all other SSH operations by default for all hosts. |
HOST-STORE | initial-host-service-options-rdp | audio | Set true to enable audio by default for all hosts. |
HOST-STORE | initial-host-service-options-rdp | clipboard | Set true to enable clipboard by default for all hosts. |
HOST-STORE | initial-host-service-options-rdp | file_transfer | Set true to enable file_transfer by default for all hosts. |
HOST-STORE | initial-host-service-options-web | audio | Set true to enable audio by default for all hosts. |
HOST-STORE | initial-host-service-options-web | clipboard | Set true to enable clipboard by default for all hosts. |
HOST-STORE | initial-host-service-options-web | file_transfer | Set true to enable file_transfer by default for all hosts. |
ROLE-STORE | authorizedkeys | expired_purge_interval_hours | Purge interval for expired authorized keys, in hours. |
ROLE-STORE | authorizedkeys | max_validity_days | Maximum validity period of an authorized key, in days. |
ROLE-STORE | authorizedkeys | min_rsa_key_size | Minimum key size, in bits, for ssh-rsa keys. |
ROLE-STORE | authorizedkeys | supported_key_types | Supported authorized key types for logging in to PrivX with user-specific authorized keys. |
ROLE-STORE | aws | enabled | Specifies whether AWS support is enabled. |
ROLE-STORE | aws | default_region | Default AWS region to use for fetching access tokens. |
ROLE-STORE | aws | enable_assume_role | Enable assume-role temporary session credentials. |
ROLE-STORE | aws | assume_role_default_ttl | Expiration time, in seconds, for assume-role temporary credentials. |
ROLE-STORE | aws | enable_federated_tokens | Enable federation token access. |
ROLE-STORE | aws | federated_tokens_default_ttl | Expiration time, in seconds, for federation tokens. |
ROLE-STORE | aws | force_mfa | Force multi-factor authentication. MFA is supported for assume-role access, but federated tokens do not support MFA, so it cannot be enforced on that path. |
ROLE-STORE | aws | max_aws_roles | Maximum number of AWS roles to fetch for role federation. |
ROLE-STORE | caching | enable | Specifies whether caching of user role memberships, rule evaluation results, user settings and AWS role descriptions is enabled. |
ROLE-STORE | caching | max_entries | Maximum number of entries in the local LRU cache. If the cache exceeds this size, the least recently used entries are purged. |
ROLE-STORE | caching | rule_evaluation_cache_enabled | Specifies whether role rule evaluation results should be cached. |
ROLE-STORE | caching | sync_interval_seconds | Periodic synchronization interval, in seconds, for the internal in-memory cache. |
ROLE-STORE | caching | ttl | Cache TTL, in seconds. |
ROLE-STORE | caching | type | Cache type. |
ROLE-STORE | caching | user_cache_refresh_ttl | Cache TTL for user caching, in seconds. |
ROLE-STORE | directory | blacklisted_host_tag_prefixes | Blacklisted host tag prefixes. |
ROLE-STORE | ldap | enable_cache | Enable the LDAP query cache. |
ROLE-STORE | ldap | default_cache_ttl | Default LDAP cache TTL, in seconds. |
ROLE-STORE | ldap | attributes | LDAP attributes filter. |
ROLE-STORE | ldap | default_user_filter | Default pre-filter to use when searching users. |
ROLE-STORE | ldap | enable_nested_groups | Enable nested groups for role mappings. |
ROLE-STORE | ldap | global_ad_user_filter | Global filter applied to AD users when mapping roles. |
ROLE-STORE | ldap | paging_size | LDAP query paging size. |
ROLE-STORE | scanning | first_host_scanning_delay | Host scanning delay after service start, in seconds. |
ROLE-STORE | scanning | first_role_scanning_delay | AWS role scanning delay after service start. |
ROLE-STORE | scanning | host_scanning_frequency | Default host scanning frequency, in seconds. |
MONITOR-SERVICE | housekeeping | housekeeping_interval | Interval between audit event housekeeping runs, in hours. |
MONITOR-SERVICE | housekeeping | data_retention_period | Number of days that audit events must be kept in the database. |
MONITOR-SERVICE | housekeeping | status_check_interval | Interval between status checks, in seconds. |
MONITOR-SERVICE | housekeeping | system_health_check_interval | Interval between system health checks, in hours. |
MONITOR-SERVICE | housekeeping | cache_db_expiry_interval | Interval for removing expired keys from the database cache, in seconds. |
TRAIL-INDEX | housekeeping | housekeeping_interval | Interval between housekeeping runs, in minutes, for clearing up expired audit trail files. |
TRAIL-INDEX | workers | no_of_workers | Maximum audit trail indexing concurrency. |
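Several of the settings above interact in security-relevant ways: `insecure_skip_verify_tls` disables LDAP server authentication, `force_mfa` cannot cover federated tokens, `min_rsa_key_size` and `supported_key_types` set the floor for user keys, the `initial-host-service-options-*` flags are inherited by every new host, and a `trail_expiry` shorter than `data_retention_period` leaves retained audit events pointing at purged recordings. The following audit script is an added example, not PrivX's own code or API. It assumes the settings have been exported into a nested dict keyed scope -> section -> property, mirroring the table above; the real PrivX export format may differ. The thresholds (`MIN_RSA_BITS`, `MAX_TEMP_CRED_TTL`, `WEAK_KEY_TYPES`) and both sample settings documents are this example's own constructions.

```python
"""Audit an exported PrivX settings document for weak or inconsistent values.

Added example; not PrivX's own code. Assumes settings are a nested dict
keyed scope -> section -> property (the layout of the reference table).
The thresholds below are this example's policy choices, not PrivX defaults.
"""
from typing import Any

MIN_RSA_BITS = 2048           # assumed policy floor for ssh-rsa keys
MAX_TEMP_CRED_TTL = 3600      # assumed ceiling, in seconds, for AWS temporary credentials
WEAK_KEY_TYPES = {"ssh-dss"}  # DSA; assumed to appear as an OpenSSH key type name


def _get(settings: dict, scope: str, section: str, prop: str, default: Any = None) -> Any:
    """Look up scope/section/property, tolerating missing levels."""
    return settings.get(scope, {}).get(section, {}).get(prop, default)


def audit_privx_settings(settings: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []

    # LDAP: the reference table itself warns that skipping verification enables MITM.
    ldap = ("GLOBAL", "ldapconnections")
    skip_verify = _get(settings, *ldap, "insecure_skip_verify_tls") is True
    custom_roots = _get(settings, *ldap, "enable_ldap_custom_root_certificates") is True
    system_roots = _get(settings, *ldap, "enable_ldap_system_roots_cert_pool") is True
    pem = (_get(settings, *ldap, "ldap_root_ca_pem") or "").strip()
    if skip_verify:
        findings.append("ldapconnections: insecure_skip_verify_tls=true accepts any LDAP server certificate (MITM)")
    if custom_roots and not pem:
        findings.append("ldapconnections: custom root certificates enabled but ldap_root_ca_pem is empty")
    if not skip_verify and not custom_roots and not system_roots:
        findings.append("ldapconnections: no trust anchors configured; enable the system pool or supply ldap_root_ca_pem")

    # AWS: federated tokens cannot carry MFA, so force_mfa is not enforced on that path.
    aws = ("ROLE-STORE", "aws")
    if _get(settings, *aws, "enabled") is True:
        if _get(settings, *aws, "enable_federated_tokens") is True and _get(settings, *aws, "force_mfa") is True:
            findings.append("aws: force_mfa does not apply to federated tokens; disable enable_federated_tokens to enforce MFA everywhere")
        for prop in ("assume_role_default_ttl", "federated_tokens_default_ttl"):
            ttl = _get(settings, *aws, prop)
            if isinstance(ttl, int) and ttl > MAX_TEMP_CRED_TTL:
                findings.append(f"aws: {prop}={ttl}s exceeds the policy ceiling of {MAX_TEMP_CRED_TTL}s")

    # Authorized keys: key strength floor and deprecated algorithms.
    keys = ("ROLE-STORE", "authorizedkeys")
    rsa_bits = _get(settings, *keys, "min_rsa_key_size")
    if isinstance(rsa_bits, int) and rsa_bits < MIN_RSA_BITS:
        findings.append(f"authorizedkeys: min_rsa_key_size={rsa_bits} is below {MIN_RSA_BITS} bits")
    for key_type in _get(settings, *keys, "supported_key_types", []) or []:
        if key_type in WEAK_KEY_TYPES:
            findings.append(f"authorizedkeys: weak key type {key_type} is allowed")

    # Host defaults: every new host inherits these, so surface anything turned on.
    for proto in ("ssh", "rdp", "web"):
        section = f"initial-host-service-options-{proto}"
        opts = settings.get("HOST-STORE", {}).get(section, {})
        enabled = sorted(name for name, value in opts.items() if value is True)
        if enabled:
            findings.append(f"{section}: {', '.join(enabled)} enabled by default for all new hosts")

    # Retention: session recordings should outlive the audit events that reference them.
    trail_days = _get(settings, "GLOBAL", "audit", "trail_expiry")
    event_days = _get(settings, "MONITOR-SERVICE", "housekeeping", "data_retention_period")
    if isinstance(trail_days, int) and isinstance(event_days, int) and trail_days < event_days:
        findings.append(f"audit: trail_expiry={trail_days}d is shorter than data_retention_period={event_days}d; retained events will reference purged trails")

    return findings


# Constructed sample settings (not from any real deployment): a weak one and a hardened one.
WEAK_SETTINGS = {
    "GLOBAL": {
        "audit": {"trail_expiry": 30},
        "ldapconnections": {"insecure_skip_verify_tls": True, "enable_ldap_custom_root_certificates": True, "ldap_root_ca_pem": ""},
    },
    "HOST-STORE": {"initial-host-service-options-rdp": {"clipboard": True, "file_transfer": True, "audio": False}},
    "ROLE-STORE": {
        "aws": {"enabled": True, "enable_federated_tokens": True, "force_mfa": True, "federated_tokens_default_ttl": 43200},
        "authorizedkeys": {"min_rsa_key_size": 1024, "supported_key_types": ["ssh-rsa", "ssh-dss", "ssh-ed25519"]},
    },
    "MONITOR-SERVICE": {"housekeeping": {"data_retention_period": 90}},
}

HARDENED_SETTINGS = {
    "GLOBAL": {
        "audit": {"trail_expiry": 365},
        "ldapconnections": {"insecure_skip_verify_tls": False, "enable_ldap_custom_root_certificates": False, "enable_ldap_system_roots_cert_pool": True},
    },
    "HOST-STORE": {"initial-host-service-options-rdp": {"clipboard": False, "file_transfer": False, "audio": False}},
    "ROLE-STORE": {
        "aws": {"enabled": True, "enable_federated_tokens": False, "force_mfa": True, "assume_role_default_ttl": 3600},
        "authorizedkeys": {"min_rsa_key_size": 3072, "supported_key_types": ["ssh-rsa", "ssh-ed25519"]},
    },
    "MONITOR-SERVICE": {"housekeeping": {"data_retention_period": 90}},
}

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"[{label}] {len(audit_privx_settings(doc))} finding(s)")
        for line in audit_privx_settings(doc):
            print("  -", line)
```

Run it against an exported settings document to get the weak sample's eight findings and the hardened sample's none; an entirely empty document still yields one finding, because an LDAP client with neither the system pool nor a custom root and without `insecure_skip_verify_tls` has no trust anchor to verify against.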
Updated over 3 years ago