Configure audits
In PSM, you can further refine the settings for your audit.
- In PVWA, click ADMINISTRATION and then click Platform Management to display a list of supported target account platforms.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, and right-click Privileged Session Management.
- From the pop-up menu, select Add Audit Settings; a new parameter is added to the Privileged Session Management settings.
- Right-click Audit Settings and select the audit settings you want to disable or customize from the pop-up menu.
SQL Level Audit
To disable or customize SQL Level Audit for PSM-Toad and PSM-SQLPlus connection components using this platform:
- Right-click Audit Settings and select Add SQL Level Audit from the pop-up menu.
- By default, SQL level auditing is enabled for the supported connection components.
- To disable auditing for these components, set the value of Enable to No in the Properties list.
- Configure advanced properties to determine how PSM manages audit records. For more information about these properties, refer to References.
SSH Keystrokes Audit
To disable or customize SSH Keystrokes Audit for PSM-SSH, PSMP-SSH or PSM-Telnet connection components using this platform:
- Right-click Audit Settings and select Add SSH Keystrokes Audit from the pop-up menu.
- By default, SSH keystrokes auditing is enabled for the supported connection components.
- To disable auditing for these components, set the value of Enable to No in the Properties list.
  This configuration affects SSH Keystrokes Audits in both PSM and PSM for SSH.
- To audit SSH keystrokes, PSM uses the shell prompt of the target system to understand text that was entered by the end-user. As different systems and devices have different prompts, you can configure the regular expression that represents the shell prompt so that PSM is able to recognize the text entered by the user.
  In addition, you can configure whether the session continues without an audit, or is terminated if the shell prompt is not recognized.
  - To configure the regular expression, use the ShellPromptForAudit parameter.
  - To configure whether the session continues without an audit, or is terminated if the shell prompt is not recognized, use the TerminateOnShellPromptFailure parameter.
- Configure advanced properties to determine how PSM manages audit records. For more information about these properties, refer to References.
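One way to check a candidate ShellPromptForAudit expression against prompts from your own targets before saving it, as an added Python example that is not CyberArk code. It is a simplified model: PSM's actual prompt handling and regex dialect are not described on this page, the transcripts are constructed, and `terminate_on_failure` stands in for TerminateOnShellPromptFailure.

```python
import re

def audit_keystrokes(transcript, shell_prompt_regex, terminate_on_failure):
    """Model one session: return (status, commands typed after a recognized prompt)."""
    prompt = re.compile(shell_prompt_regex)
    commands, prompt_seen = [], False
    for line in transcript:
        m = prompt.match(line)
        if m:
            prompt_seen = True
            typed = line[m.end():].strip()
            if typed:
                commands.append(typed)
    if prompt_seen:
        return "audited", commands
    # Prompt never recognized: the outcome depends on the termination setting.
    return ("terminated" if terminate_on_failure else "continues-unaudited"), []

# Constructed transcripts (screen lines as the proxy would see them).
LINUX = [
    "[oracle@db01 ~]$ id",
    "uid=54321(oracle) gid=54321(oinstall)",
    "[oracle@db01 ~]$ sudo systemctl restart auditd",
]
ROUTER = [
    "core-sw1#show running-config",
    "hostname core-sw1",
    "core-sw1#configure terminal",
    "core-sw1(config)#interface Gi0/1",
]

# Hypothetical candidate expressions, not PSM defaults.
NARROW = r"^\[[^\]]+\][$#] ?"                            # bracketed Linux prompt only
BROAD = r"^(\[[^\]]+\]|[\w.-]+(\([\w-]+\))?)[$#>] ?"     # also host# and host(mode)#

if __name__ == "__main__":
    for name, regex in (("NARROW", NARROW), ("BROAD", BROAD)):
        for target, lines in (("linux", LINUX), ("router", ROUTER)):
            print(name, target, audit_keystrokes(lines, regex, terminate_on_failure=False))
```

A prompt expression that fits only one device family leaves every other target either unaudited or unreachable, depending on the termination setting, so test it against each platform it will cover.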
Windows Events Audit
To disable or customize Windows Events Audit for all connection components using this platform:
- Right-click Audit Settings and select Add Windows Events Audit from the pop-up menu.
- By default, Windows events auditing is enabled for the supported connection components.
- To disable auditing for these components, set the value of Enable to No in the Properties list.
- Configure additional properties to determine how PSM manages audit records. For more information about these properties, refer to References.
Universal Keystrokes Audit
To disable or customize Universal Keystrokes Audit for all connection components using this platform:
- Right-click Audit Settings and select Add Keystrokes Audit from the pop-up menu.
- By default, universal keystrokes audit is enabled for the supported connection components except PSM-RDP.
- To disable auditing for any component, set the value of Enable to No in the Properties list.
- To enable these recordings for other platforms, set the value of Enabled to Yes.
- Configure advanced properties to determine how PSM manages audit records. For more information about these properties, refer to References.
- To save your changes, do one of the following:
  - Click Apply to save the new parameter values and stay in the platform settings page.
  - Click OK to save the new parameter values and return to the System Configuration page. The changes are applied after the period of time specified in the ConfigurationRefreshInterval parameter.
Configure Windows events text recording and Windows events auditing
On the target machine, PSM requires the following:
- A share called admin must be available on the target server.
- Make sure the SERVER Windows service is running.
- In the firewall, open TCP port 445.
- The account used to access the target machine must belong to the Administrators Group.
To enable Detailed Session Auditing, PSM installs a service named CAInvokerService.exe on the target machine. The service starts when a new session is initiated, and stops immediately after the session is established.
- Log on to PVWA.
- Go to Administration > Configuration Options > Options > Connection Components.
- For each connection component to which you want to add Windows events capabilities, configure the audit and text recording capabilities:
  - Go to Target settings and right-click on Supported Capabilities. Under Add capability, add the following IDs:
    - WindowsEventsTextRecorder
    - WindowsEventsAudit
- Click Apply to save your changes.
Filter SQL command audits
PSM can filter SQL command audits that are recorded during PSM-Toad and PSM-SQLPlus connections to minimize unwanted audit records, reducing the number of audit records stored in the Vault and increasing server performance. Filters can be created at system level to apply to all SQL commands issued through PSM connections, or at platform level to apply to SQL commands issued through connections that are linked to a specific platform.
You can define lists to filter commands that are recorded according to the following criteria:
Commands to audit
An allowlist is a list of SQL commands that are included in the command audit records. All other commands are not included. By default, all commands that are issued during privileged sessions are audited. However, after you create an allowlist, only the listed commands are audited, if they do not appear in the denylist.
Commands not to audit
A denylist is a list of SQL commands that are excluded from audit records. All other commands are included.
By defining denylists and allowlists, you exert granular control over audit records in the Vault and determine exactly which commands are audited. These lists are created in audit filter rules as regular expressions which define specific commands. You can create as many rules as you require for denylists and allowlists, as well as lists that combine both.
Denylist: By default, PSM includes a single denylist that excludes the multiple commands that are issued automatically at the start of each Toad session. These commands are predetermined as part of the Toad setup, and are not relevant to the privileged session, other than to start it. This denylist excludes these commands from the session audit, and reduces the number of audit records stored in the Vault.
Allowlist: The following is an example of when you would require an allowlist: You wish to audit all DDL queries such as ‘update’, ‘insert’, and ‘delete’ so that you know who issues these commands, when, and from which station. However, you don’t need to audit other commands that are issued. You can create an allowlist that contains these commands, ensuring that every time these specific commands are issued during the privileged session, they are audited.
- Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.
- Expand the Audit Filters parameters, then select SQLLevelAudit; the following properties of the SQL Level Audit filter are displayed in the Properties list:
  Id
  The unique ID of the audit filter.
  Description
  A description of the audit filter.
- Expand the SQLLevelAudit filter to display the predefined audit filter rules. Each rule is configured for the system, and can be overridden at platform level.
- Select an audit filter rule to display the rule’s Properties list, which includes the following:
  Id
  The unique ID of the audit filter rule.
  Type
  Whether this rule is a denylist (exclude) or an allowlist (include).
  EnableForReports
  Whether or not this rule is enabled by default for reports. This property is for future use.
  EnableForAudit
  Whether or not this rule is enabled by default for auditing.
  Description
  A description of the audit rule.
- Enable/disable the audit filter rule:
  - To enable the audit filter rule – Set EnableForAudit to Yes; the audit filter rule is applied to all commands issued during PSM-Toad and PSM-SQLPlus connections, regardless of the platform that is used. For more information about enabling audit filters for a specific platform, refer to Apply SQL command audit filters to specific platforms.
    By default, before an allowlist is enabled, all commands are audited. After enabling the first allowlist, only the commands specified in this allowlist are audited. To audit more commands, create and enable additional allowlists.
  - To disable the audit filter rule – Set EnableForAudit to No; the audit filter rule is canceled and the filter rule is not applied to commands issued during PSM-Toad and PSM-SQLPlus connections.
- To save your changes, do one of the following:
  - Click Apply to save the new parameter values and stay in the Web Access Options page.
  - Click OK to save them and return to the System Configuration page.
These changes are applied the next time PSM refreshes the configuration, according to the value of the ConfigurationRefreshInterval parameter in the Privileged Session Management configuration.
- Click ADMINISTRATION, then in the System Configuration page, click Options; the Web Access Options are displayed.
- Expand the Audit Filters parameters, then right-click SQLLevelAudit.
- From the pop-up menu, select Add Audit Filter Rule; a new audit filter rule is added to the list of audit filters and the properties of the new rule are displayed.
- Specify the following properties for the new audit filter rule:
Id
The unique ID of the audit filter rule.
Type
Whether this rule is a denylist or an allowlist.
- To create a denylist, specify Exclude.
- To create an allowlist, specify Include.
EnableForReports
Whether or not this rule is enabled by default for reports. This property is for future use.
EnableForAudit
Whether or not this rule is enabled by default for auditing. Specify Yes to enable this audit filter rule.
Description
A description of the audit rule.
- Right-click Audit Filter Rule, then from the pop-up menu, select Add Regular Expression; a new parameter is created in which you can specify the regular expression that defines a single audit filter.
- In the Properties list, in the RegExp property, specify the regular expression to filter. Repeat this step to list all the commands that are filtered during recorded privileged sessions.
Blacklist
This list specifies the commands that are not included in audits of the privileged session.
Whitelist
This list specifies the commands that are included in audits of the privileged session. No other commands are audited.
- To save your changes, do one of the following:
  - Click Apply to save the new parameter values and stay in the Web Access Options page.
  - Click OK to save them and return to the System Configuration page.
These changes are applied the next time PSM refreshes the configuration, according to the value of the ConfigurationRefreshInterval parameter in the Privileged Session Management configuration.
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
  This is only relevant to platforms that use the following connection components:
  - PSM-Toad
  - PSM-SQLPlus
- Expand UI & Workflows, right-click Privileged Session Management, then from the pop-up menu, select Add Audit Settings; a new set of parameters is created for Audit Settings.
- Right-click Audit Settings, then from the pop-up menu, select Add Audit Filters Override; a new set of parameters is created, in which you can add additional rule parameters to override the audit filters rule that is currently set at system level.
- Right-click Audit Filters Override, then from the pop-up menu, select Add Audit Filter Rule Override; a new parameter is added with the following property:
  AuditFilterId
  The unique ID of the audit filter to override at platform level. This ID is specified in the Audit Filters rules in Web Access Options. For more information about locating this property, refer to Enable/Disable the SQL command audit filter.
- Right-click Audit Filter Rule Override, then from the pop-up menu, select Add Rule; a new parameter is added with the following properties:
  Id
  The unique ID of the rule to override. This ID is specified in the Audit Filters rules in Web Access Options.
  EnableForAudit
  Whether or not this rule is enabled by default for auditing. This property overrides the same property at system level for this platform only.
- To save your changes, do one of the following:
  - Click Apply to save the new parameter values and stay in the platform settings page.
  - Click OK to save them and return to the System Configuration page.
These changes are applied the next time PSM refreshes the configuration, according to the value of the ConfigurationRefreshInterval parameter in the Privileged Session Management configuration.
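The filter behavior described in this section (denylist takes precedence, the first enabled allowlist narrows auditing, and EnableForAudit can be overridden per platform), modeled as an added Python example that is not CyberArk code. The rule IDs, patterns and session commands are constructed, and case-insensitive substring search is an assumption about how the RegExp entries are matched.

```python
import re
from dataclasses import dataclass, field

@dataclass
class FilterRule:
    id: str                 # Id property of the audit filter rule
    type: str               # "Include" = allowlist, "Exclude" = denylist
    enable_for_audit: bool  # EnableForAudit at system level
    regexps: list = field(default_factory=list)  # one entry per RegExp property

def _hits(rule, command):
    # Assumption: case-insensitive search; PSM's real matching mode may differ.
    return any(re.search(p, command, re.IGNORECASE) for p in rule.regexps)

def is_audited(command, rules, platform_overrides=None):
    """platform_overrides maps rule Id -> EnableForAudit for one platform."""
    overrides = platform_overrides or {}
    active = [r for r in rules if overrides.get(r.id, r.enable_for_audit)]
    if any(_hits(r, command) for r in active if r.type == "Exclude"):
        return False                      # a denylist match always wins
    allowlists = [r for r in active if r.type == "Include"]
    if not allowlists:
        return True                       # no allowlist enabled: audit everything else
    return any(_hits(r, command) for r in allowlists)

def audited(commands, rules, platform_overrides=None):
    return [c for c in commands if is_audited(c, rules, platform_overrides)]

# Constructed rules: IDs and patterns are hypothetical, not PSM's shipped defaults.
RULES = [
    FilterRule("SessionStartupNoise", "Exclude", True, [r"^\s*alter\s+session\s+set\b"]),
    FilterRule("DataChanges", "Include", False, [r"^\s*(update|insert|delete)\b"]),
]
# Constructed session commands.
COMMANDS = [
    "ALTER SESSION SET NLS_DATE_FORMAT = 'YYYY-MM-DD'",
    "UPDATE hr.salaries SET amount = 0 WHERE id = 7",
    "DROP TABLE hr.review_log",
    "SELECT * FROM hr.salaries",
]

if __name__ == "__main__":
    print("system defaults:  ", audited(COMMANDS, RULES))
    # Enabling the allowlist for one platform narrows auditing to the listed commands.
    print("platform override:", audited(COMMANDS, RULES, {"DataChanges": True}))
```

With the override applied, the DROP TABLE and SELECT statements no longer reach the audit trail, so an allowlist should cover every command class you need recorded before it is enabled.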