HomeDocumentationAPI Reference
Log In
These docs are for v24. Click to read the latest docs for v33.

PrivX-Server Configuration

Suggest Edits

This article describes configurations for customising PrivX-server functionality.

Dedicated Server Roles

front end, back end, server_mode, worker-only, server-only, keyword test

You can dedicate individual PrivX servers in HA deployments to certain roles, which restricts the types of jobs they perform.

To set the server role of a PrivX server:

  1. Access the PrivX server as root.

  2. In the shared-configuration file /opt/privx/etc/shared-config.toml, set the server_modesetting:

    • default - All jobs
    • worker-only - Back-end jobs
    • server-only - Front-end jobs
defaultworker-onlyserver-only
Handle user logins
Cloud-host scans
Check host availability
Process audit logs and session recordings

  1. Restart PrivX services to apply your changes

    systemctl restart privx

📘

Note

The PrivX servers in your deployment must collectively be able to perform all jobs. At all times, ensure your PrivX deployment has at least:

  • 1 or more default servers.

Or:

  • 1 or more worker-only servers, and
  • 1 or more server-only servers.

PrivX Log Settings

By default, regular and audit events are logged to syslog. Audit events use the namespace​ ​SSH-PRIVX-AUDIT​​, and other (debug/info/warning/error) messages use the namespace​ ​SSH-PRIVX​​.

You can adjust the locations to which PrivX writes logs, and the log level of each microservice. The log locations are configured by settings in ​/opt/privx/etc/shared-config.toml​.

# Should we send PrivX system events to logs under /var/log/privx
# send_regular_events_to_stdout = false
​​send_regular_events_to_stdout = false​​

# Should we send PrivX audit events to syslog
# send_regular_events_to_syslog = true
​send_audit_events_to_syslog = true​​

# Should we send PrivX system events to syslog
# send_regular_events_to_syslog = true
​send_regular_events_to_syslog = true​​

To enable debug output for a microservice:

  1. Edit ​/opt/privx/scripts/local-env. Here you can set the logging and trace level per microservice. The example will set Authorizer-microservice log level to DEBUG and trace to 5:

    AUTHORIZER_LOG_LEVEL=DEBUG
AUTHORIZER_TRACE=5

    After editing the /opt/privx/scripts/local-env the microservice(s) needs to be restarted to apply the changes. In this example only Authorizer restart is needed.

    # systemctl restart authorizer

    Alternatively, restart all PrivX services to apply configuration changes to all microservices.

    # systemctl restart privx

  2. By default, the system-logging service rsyslog​ is configured to show INFO-level messages only, which blocks DEBUG messages. To configure rsyslog​ to show DEBUG-level messages, find the following line in the ​rsyslog​ configuration file, ​/etc/rsyslog.conf​​:

    *.info;mail.none;authpriv.none;cron.none    /var/log/messages

    And change it to, for example:

    *.debug;mail.none;authpriv.none;cron.none    /var/log/messages

    Restart ​rsyslog​​ to apply the changes:

    # systemctl restart rsyslog

Custom Instance Names

You can set a custom instance name to better distinguish between multiple PrivX servers. Custom instance names are displayed in the PrivX GUI, and added to the audit events generated from the server.

To set a custom instance name for a PrivX server:

  1. Gain root-terminal access to the PrivX server.

  2. Edit the shared configuration at ​​/opt/privx/etc/shared-config.toml​​. In this file, set the custom instance name with ​privx_instance_name​​. For example:

    # A custom PrivX instance name to be shown in the header
privx_instance_name = "​​PrivX Example Deployment 01​​"

    Save your changes to the file.

  3. Restart the PrivX services to apply the changes:

    # systemctl restart privx

Custom Disclaimers

1454

To show messages to PrivX users upon login:

  1. On the Administration→Settings page, click Edit. Set the Disclaimers settings in JSON format, similar to the following:

    [
{
 "id": "terms-and-conditions",
 "timeStamp": "2020-01-01T12:00:00Z",
 "path": "^/auth/login$",
 "title": "Terms and Conditions",
 "text": "Lorem ipsum dolor sit amet.",
 "accept": "I have read and agree to the terms and conditions",
 "mode": "popup",
 "acceptable": true,
 "closeable": false,
 "expirationTime": 24,
 "expireAtLogin": false
}
]

    You can customize the disclaimer content and visibility with the following parameters:

    • id: Unique identifier to keep track of disclaimer acceptance in case multiple disclaimers are used.

    • timeStamp: The date and time the disclaimer was created or updated. Uses ISO-8601 format, e.g. 2020-01-01T12:00:00Z.

      When the timeStamp is updated the disclaimer will be treated as new and users will see it again even if they previously accepted the disclaimer.

    • path: Optional regular expression that limits the disclaimer to only portions of the PrivX UI, such as the login page.

    • title: Title for the disclaimer.

    • text: Message shown in the disclaimer.

    • accept: Text for the checkbox that allows users to accept the disclaimer.

    • mode: How the disclaimer looks on the page. Can be ​float​​, ​local​​, or ​popup.

    • ​​acceptable: Allow users to accept and close the disclaimer. Can be ​true​ or ​false​​.

      After a user accepts the disclaimer it will not be displayed on subsequent logins, until users clear browser local storage. Unless ​closeable​ is also set to ​true​​, the user must accept the disclaimer to proceed.

    • closeable: Allow users to close the disclaimer without accepting it. Can be ​true​ or ​false​​.

    • expirationTime: Optional expiration time for user dismissals of the disclaimer (in hours).

      The disclaimer will re-appear after the specified amount of time has elapsed after a user has dismissed the disclaimer.

    • expireAtLogin: Allows the user's dismissal of the disclaimer to expire at the next login. Can be ​true​ or ​false​​.

  2. Restart PrivX services to apply the changes:

    # systemctl restart privx

Or click Restart button on Administration→Settings.

Resetting the Superuser Password

If you have forgotten your local PrivX superuser's password, you can reset it as follows:

  1. Access your PrivX server as root. In HA deployments you can perform the commands on one of your PrivX servers.

  2. On a PrivX server, obtain an hashed version of your new password (replace ​<example_password>​​ with your new password):

    # /opt/privx/bin/keyvault-tool bcrypt ​<example_password>​​

  3. Access the PrivX database using ​psql​ with write permissions. Change the superuser password (Replace ​password_hash​ and ​superuser​​ with the hashed password and your superuser-account name respectively):

    # UPDATE localuser SET password='​​password_hash​​' WHERE username='​superuser​​'

    You can now log into PrivX as superuser using the new password.

Resetting PrivX-Server Settings

To reset some or all PrivX settings to default values:

  1. Back up PrivX settings as JSON by running the following on one of your PrivX servers:

    i. Export settings as a JSON:

    # /opt/privx/bin/settings-tool -command=export -out <filename.json>

    ii. If you later need to revert to previous settings:

    #  /opt/privx/bin/settings-tool -command=import -in <filename.json>

    🚧

    Caution

    Only restore settings to the same PrivX version that you took the backups from. Restoring settings to a different PrivX version may break the system.

    🚧

    Caution

    Only restore settings to the same PrivX version that you took the backups from. Restoring settings to a different PrivX version may break the system.

  2. Use the settings-tool on one of your PrivX servers to reset PrivX settings:

    • To reset all the settings:

      #  /opt/privx/bin/settings-tool -command=reset

    • To reset the settings in a specific scope:

      #  /opt/privx/bin/settings-tool -command=reset -scope=<scope>

    • To reset the settings in a specific section in a scope

      #  /opt/privx/bin/settings-tool -command=reset -scope=<scope> -section=<section>

      For more information about the available scopes and sections, see PrivX Settings.

  3. On all of your PrivX servers, restart PrivX to apply the changes:

    # systemctl restart privx

SSH Product Integrations

PrivX can have predefined links for switching between different SSH products. These links are shown to administrators on the right-hand corner of the header bar.

To configure links:

  1. On the Administration→Settings page, click Edit. Edit the SSH Product Integrations for different products. At the moment there is a configuration for SSH Universal Key Manager, the value must be a valid URL.

  2. Restart PrivX services to apply the changes. To do this, click Restart.

To access your applications, click drawing on the right-hand corner of the header bar.

Changing Bastion Ports

By default, SSH Bastion and RDP Bastion are under ports 2222 and 3389 respectively. You may assign Bastion services under other ports, the high-level steps include:

  • Updating port settings under PrivX configuration.
  • Updating firewall settings to accommodate the new port.

Changing SSH-Bastion Port

To change the SSH-Bastion Port, perform the following on all your PrivX Servers:

  1. In the configuration file/opt/privx/etc/ssh-mitm.toml, modify ssh_listen_address to include your new port. For example, to change the port to 8022, change the setting to:

    ssh_listen_addresses = [
":8022"
]

    Save your changes to the file.

  2. Allow the new port in firewall settings (replace 8022 with your new port number):

    sudo firewall-cmd --permanent --zone=public --add-port=8022/tcp

    You should also block the old, unused SSH-Bastion port (replace 2222 with your old port number):

    sudo firewall-cmd --permanent --zone=public --remove-port=2222/tcp

    Apply your firewall changes:

    sudo firewall-cmd --reload

  3. Finally, restart PrivX:

    sudo systemctl restart privx

    You should now be able to establish SSH connections via the new SSH Bastion port.

Changing RDP-Bastion Port

To change the RDP-Bastion Port, perform the following on all your PrivX Servers:

  1. In the configuration file/opt/privx/etc/rdpmitm/rdpproxy.ini, under the [globals] section, add a port setting. For example, to change the port to 3999 add a line like the following:

    port=3999

    Save your changes to the file.

  2. Allow the new port in firewall settings (replace 3999 with your new port number):

    sudo firewall-cmd --permanent --zone=public --add-port=3999/tcp

    You should also block the old, unused SSH-Bastion port (replace 3389 with your old port number):

    sudo firewall-cmd --permanent --zone=public --remove-port=3389/tcp

    Apply your firewall changes:

    sudo firewall-cmd --reload

  3. Finally, restart PrivX:

    sudo systemctl restart privx

Updated over 2 years ago