Configure video and text recordings
In PSM, you can further refine the settings for your video and text recordings.
- In the PVWA, click Administration, and then click Platform Management.
- Select the platform to configure and click Edit.
- On the settings page for the selected platform, expand UI & Workflows and right-click Privileged Session Management.
- From the pop-up menu, select Add Recorder Settings. A new set of parameters called Recorder Settings is added.
- Disable or customize video recordings for this platform:
  - Expand Recorder Settings and select Video Recorder.
  - By default, video recordings are enabled. To disable video recordings, set the value of Enabled to No.
- Disable or customize SSH text recordings:
  These settings affect SSH text recordings for SSH connections through PSM as well as through PSM for SSH.
  - Right-click Recorder Settings and select Add SSH Text Recorder. A new set of parameters called SSH Text Recorder is added.
  - By default, SSH text recordings for SSH connections are enabled. To disable these recordings for this platform, set the value of Enabled to No.
  - Define the channels to record during the session. By default, the following channels are recorded for SSH connections:

    Property | Default Value | Description
    ---|---|---
    In | Yes | Whether the terminal’s STDIN stream is recorded.
    Out | Yes | Whether the terminal’s STDOUT and STDERR streams are recorded.
    Keystrokes | Yes | Whether all the keystrokes logged by the user from the start of the line until the user presses Enter are recorded. Control characters are not recorded.

    To disable recordings on any of these channels, set the value of the channel property to No.
- Disable or customize SQL text recordings:
  - Right-click Recorder Settings and select Add SQL Text Recorder. A new set of parameters called SQL Text Recorder is added.
  - By default, SQL text recordings for SQL connections are enabled. To disable these recordings for this platform, set the value of Enabled to No.
  - Define the channels to record during the session. By default, the following channels are recorded for Oracle Database connections:

    Property | Default Value | Description
    ---|---|---
    In | Yes | Whether SQL commands are recorded. As this is the only channel that is recorded for SQL text recordings, this channel must be enabled for sessions to be recorded.
- Disable or customize Windows events text recordings:
  - Right-click Recorder Settings and select Add Windows Events Text Recorder. A new set of parameters called Windows Events Text Recorder is added.
  - By default, Windows events text recordings for Windows connections are enabled. To disable these recordings for this platform, set the value of Enabled to No.
  - Define the channels to record during the session. By default, the following channels are recorded for Windows connections:

    Property | Default Value | Description
    ---|---|---
    WindowTitles | Yes | Whether window titles are recorded in a text file. As this is the only channel that is recorded for Windows Events text recordings, this channel must be enabled for sessions to be recorded.
- Disable or customize Universal Keystrokes text recordings:
  - Right-click Recorder Settings and select Add Keystrokes Text Recorder. A new set of parameters called Keystrokes Text Recorder is added.
  - To disable the text recorder for this platform, set the value of Enabled to No in the Properties list.
  - To enable the text recorder for this platform, set the value of Enabled to Yes.
    Text recordings for PSM-RDP connections can only be enabled in environments where single language support is configured. For more information, refer to Configure universal keystrokes for Windows connections when an additional language is used.
  - Define the channels to record during the session. By default, the following channels are recorded for Keystrokes Text auditing:

    Property | Default Value | Description
    ---|---|---
    In | Yes | Whether PSM includes each individual keystroke that was typed by the user in the text recording file.
    Keystrokes | Yes | Whether all the keystrokes logged by the user from the start of the line until the user presses Enter are recorded.

    To disable recordings on any of these channels, set the value of the channel property to No.
- Click Apply to save your changes.
Automatically adjust the frames per second (FPS) rate of the PSM video recorder
PSM dynamically adjusts the frames per second (FPS) rate of the PSM video recorder if the PSM server is loaded, decreasing the performance impact in environments with large numbers of concurrent sessions. This may result in reduced quality when playing recorded videos of PSM sessions that were run while the PSM server was loaded.
To disable this feature, set EnableDynamicFramesPerSecond to No. This parameter is found in the PVWA configuration, under Options > Privileged Session Management > General Settings > Recorder Settings.
The deprecated EnableDynamicFPS parameter in the basic_psm.ini file on the PSM overrides the EnableDynamicFramesPerSecond parameter. The basic_psm.ini file is found in the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM.
Enable access to session monitoring
To monitor live sessions or review recordings, users do not necessarily have to be members of the Auditors group. They can instead have membership in the relevant Password Safes and Recording Safes with the appropriate permissions.
For more information about setting permissions in Safes, refer to Monitor Privileged Sessions.
There are several ways to configure how Recording Safes are created, all of which are set in the platform settings, as described in Configure video and text recordings.
Users who are assigned to the Auditors group have permissions to view all recordings. To assign more granular permissions to an auditor, remove them from the Auditors group and assign them to the relevant Safe or Safes. For example, an organization may want to create recordings by division and give auditors permission to access only the recordings of their own division.
Configure Recording Safes
Recording Safes are created automatically by PSM, according to the configuration in the platform. Each Recording Safe is created when the first recording is uploaded.
Method | Description
---|---
Predefined Recording Safe name | A Recordings Safe is created for recordings of all accounts that are associated with the same platform. The exact Safe name is specified in the platform settings.
Generated Recording Safe name that includes the Account Safe name | A Recordings Safe is created for all accounts that are stored in the same Safe. The Safe name is partially specified in the platform settings, and the name of the Safe where the accounts are stored is generated dynamically when the Safe is created.
Generated Recording Safe name that includes the values of specific connection parameters | A Recordings Safe is created for all sessions that have the same connection parameter values. The Safe name is partially specified in the platform settings, and the values of the connection parameters that were used in the session are added dynamically when the Safe is created.

You need permissions to configure platforms to perform this procedure.
To configure the Recording Safe:
- Open the platform for editing, as described in Edit a platform.
- Expand UI & Workflows, and then select Privileged Session Management. The PSM parameters are displayed with their default values.
- In SessionRecorderSafe, specify the name of the Safe to store recordings of activities for accounts associated with the platform. Enter the relevant information:

  Property | Description
  ---|---
  Safe name | The name of the Safe.
  Safe name and {AccountSafeName} | Specify a partial Safe name and then {AccountSafeName} to create a Safe whose name includes the name of the Safe where the account used to initiate the session is stored. For example, if the session uses an account that is stored in a Safe called ‘Windows’, and you specify ‘PSM-{AccountSafeName}’, a Safe called ‘PSM-Windows’ is created.
  Safe name and {<connection parameter>} | Specify a partial Safe name and then {<connection parameter>} to create a Safe whose name includes the value of the specified connection parameter that was used in the session. The connection parameter can be any one of the following: a File Category in the account that was used in the session; a User Parameter that was configured for the connection component that was used in the session; or a Client Specific parameter that was configured for the connection component that was used in the session. For example, if the session uses an account that has a File Category "EnvironmentType" with the value "Production", and you specify ‘PSM-{EnvironmentType}’, a Safe called ‘PSM-Production’ is created. If the same connection parameter was set in multiple ways (for example, a File Category and a User Parameter that are both named "EnvironmentType"), the value used for the Safe name follows this order of precedence: a File Category overrides a User Parameter, and a User Parameter overrides a Client Specific parameter.

  You can also combine multiple connection parameters. For example, if the session uses an account that is stored in a Safe called ‘Windows’, and uses a connection component with a client specific parameter called "Group" with a value of "GroupA", and you specify ‘PSM-{AccountSafeName}-{Group}’, a Safe called ‘PSM-Windows-GroupA’ is created.
  This Safe is created when the first recording is uploaded to it.
- Save your changes.
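Worked example (added here; not CyberArk's code): a small resolver that applies the SessionRecorderSafe placeholder rules above, including the File Category > User Parameter > Client Specific precedence, and previews which Recording Safes a set of sessions would produce so they can be created and permissioned in advance. The session dictionary keys and function names are this example's own assumptions.

```python
import re

# Placeholder syntax from the platform setting, e.g. PSM-{AccountSafeName}-{Group}
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")

# When one parameter name is set in several places, the documented precedence is:
# File Category > User Parameter > Client Specific parameter. First hit wins.
# The three dict names below are this example's own, not PSM identifiers.
PRECEDENCE = ("file_categories", "user_parameters", "client_specific")


def resolve_recording_safe(template, session):
    """Return the Recording Safe name PSM would derive for one session.

    session: {'account_safe': str, optionally 'file_categories',
              'user_parameters', 'client_specific': {name: value}}.
    Raises KeyError when a placeholder cannot be resolved for this session.
    """
    def lookup(match):
        name = match.group(1)
        if name == "AccountSafeName":          # built-in placeholder
            return session["account_safe"]
        for source in PRECEDENCE:              # highest precedence first
            value = session.get(source, {}).get(name)
            if value is not None:
                return value
        raise KeyError(f"connection parameter {name!r} is not set in this session")

    return PLACEHOLDER.sub(lookup, template)


def recording_safes_for(template, sessions):
    """Sorted, de-duplicated Safe names a list of sessions would produce.
    Lets you pre-create the Safes with the permissions you want instead of
    letting PSM create them with default permissions on the first upload."""
    return sorted({resolve_recording_safe(template, s) for s in sessions})


if __name__ == "__main__":
    # Constructed sample sessions, modelled on the page's own examples.
    sessions = [
        {"account_safe": "Windows", "file_categories": {"EnvironmentType": "Production"}},
        {"account_safe": "Windows", "client_specific": {"Group": "GroupA"}},
        {"account_safe": "Unix", "file_categories": {"EnvironmentType": "Production"},
         "user_parameters": {"EnvironmentType": "Staging"}},
    ]
    print(recording_safes_for("PSM-{AccountSafeName}", sessions))   # ['PSM-Unix', 'PSM-Windows']
    print(resolve_recording_safe("PSM-{EnvironmentType}", sessions[2]))  # PSM-Production
```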
Create a Recording Safe before initiating sessions
You can create PSM Recording Safes before any sessions are initiated and assign the desired user permissions. In this way, the PSM does not automatically create Recording Safes with default permissions.
Add the PSMAppUsers group as a member of this Safe with full permissions.
Change the PSM recordings folder
PSM recordings are saved temporarily in a local folder until the PSM session ends, when they are uploaded to the Vault.
The path of this folder is set during the PSM installation.
Until version 12.2, the recordings folder path name was stored in the PVWA configuration LocalRecordingsFolder parameter. See Recorder Settings.
From version 12.2, the recordings folder path name is stored in the basic_psm.ini configuration RecordingsDirectory parameter.
To change the PSM recordings folder path after installation:
- Create a corresponding folder in the new location.
- In the Basic_psm.ini file, set RecordingsDirectory with the new path.
- Restart the PSM service.
- Run the PSMHardening script:
  - From the CD image, open InstallationAutomation\Hardening\HardeningConfig.XML and disable all steps except Runs the hardening script.
  - Open a PowerShell window and run the following commands:
    CD "<CD-Image Path>\InstallationAutomation"
    .\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Hardening\HardeningConfig.XML"
  For additional information, see Hardening.
Enable session recordings for specific users and groups
You can enable session recordings for specific users and groups on the platform level. In addition, certain users and groups can be excluded from that list. For example, in an implementation where all external users’ sessions are recorded, you can exclude a specific user, such as the external_admin user.
Enable session monitoring for specific users and groups:
- Open the platform for editing, as described in Edit a platform.
- In the left pane, expand UI & Workflows, right-click Privileged Session Management and select Add Recorded Users and Groups.
  A Recorded Users and Groups section is added.
  This section defines the users and groups whose sessions are recorded by the PSM. These users and groups are only recorded if the Record and save session activity rule is set in the Master Policy, and if these users and groups do not appear in the Exclude Recorded Users and Groups section. By default, all users and groups are recorded.
- Expand Recorded Users and Groups, and select User or Group.
  To add additional users and groups to the list, right-click Recorded Users and Groups, and select Add User or Group.
- In the Properties list, specify the name of the user or group whose sessions are recorded when they connect to a remote device with an account associated with this platform.
- Right-click Privileged Session Management, then from the drop-down menu, select Add Exclude Recorded Users and Groups.
  An Exclude Recorded Users and Groups section is added.
  This section defines the users and groups whose sessions are not recorded by the PSM, even when the Record and save session activity rule is set in the Master Policy.
- Expand Exclude Recorded Users and Groups, and select User or Group.
  To add additional users and groups to the list, right-click Recorded Users and Groups, and select Add User or Group.
- In the Properties list, specify the name of the user or group to exclude from the Recorded Users and Groups list.
- Save your changes.
Hide passwords during recordings
PSM identifies passwords that are typed by users during SSH and Telnet sessions by looking for password prompts. By default, the prompts that PSM looks for include common prompts for Unix platforms or for Vault passwords. Customize this list to include all password prompts that are received in your environment. When users type a character that cannot be included in a password, such as a space, or when they press Enter, PSM resumes the audit and recording. You can update this list of characters too.
This can be configured at platform level, overriding the general configuration.
This configuration affects both PSM and PSM for SSH, with the following connection components: PSM-SSH, PSM-Telnet, PSMP-SSH.
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, then right-click Privileged Session Management: a pop-up menu displays the parameter sets that you can add and customize to manage your PSM recordings.
- From the pop-up menu, select Internal Capability Settings; a new set of parameters called Internal Capability Settings is added.
- Right-click Internal Capability Settings, then from the pop-up menu, select Add SSH Password Hiding; a new capability parameter is added.
- Select SSH Password Hiding, then specify the following properties:

  Property | Description
  ---|---
  Enabled | Determines whether or not passwords are recorded during PSM for SSH sessions. The default value is Yes, indicating that this feature is enabled and passwords are not recorded.
  PasswordPrompts | A regular expression that is used to identify password prompts. When the system finds a match to this regular expression, it omits the password from the PSM session recording.
  InvalidPasswordChars | Defines characters that cannot be included in passwords. When the user specifies one of these characters, PSM resumes auditing and recording each keystroke. The default values are spaces and tabs.

- To save your changes, do one of the following:
  - Click Apply to save the new parameter values and stay in the Web Access Options page.
  - Click OK to save them and return to the System Configuration page.
  The changes are applied after the period of time specified in the ConfigurationRefreshInterval parameter.
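Added example (not CyberArk's code) modelling how the three properties interact during an SSH session: once the current output line matches PasswordPrompts, keystrokes are dropped from the text recording until the user presses Enter or types a character listed in InvalidPasswordChars. The prompt regex, the event format and the function names are this example's assumptions; the shipped default regex is not on the page. The third call in the test shows why the invalid-character list should match reality: with it emptied, a space typed inside a secret no longer ends hiding.

```python
import re

# Assumed prompt pattern for this example; PSM's shipped PasswordPrompts regex
# is not reproduced on the page. Matches "...password: " or "...password for x: ".
DEFAULT_PASSWORD_PROMPTS = re.compile(r"(?i)password\b[^\n]*:\s*$")
DEFAULT_INVALID_PASSWORD_CHARS = " \t"   # page default: spaces and tabs


def keys(text):
    """Turn a typed string into one keystroke event per character."""
    return [("key", ch) for ch in text]


def record_session(events, enabled=True, prompts=DEFAULT_PASSWORD_PROMPTS,
                   invalid_chars=DEFAULT_INVALID_PASSWORD_CHARS):
    """Replay a session and return (recorded_keystrokes, hidden_count).

    events: ("out", text) chunks from the remote host and ("key", char)
    keystrokes from the user. After the current output line matches the
    prompt regex, keystrokes stay out of the recording until Enter or a
    character that cannot be part of a password (Enabled=No records all).
    """
    recorded, hidden = [], 0
    current_line = ""        # host output since the last newline
    hiding = False
    for kind, data in events:
        if kind == "out":
            current_line = (current_line + data).rsplit("\n", 1)[-1]
            if enabled and not hiding and prompts.search(current_line):
                hiding = True
                current_line = ""   # prompt consumed; do not re-trigger on it
            continue
        if hiding and data != "\n" and data not in invalid_chars:
            hidden += 1             # password character: keep it out of the audit
            continue
        hiding = False              # Enter or an invalid char resumes recording
        recorded.append(data)
    return "".join(recorded), hidden


if __name__ == "__main__":
    # Constructed sample: an SSH login, then a sudo prompt answered with a
    # space inside the typed secret, which ends hiding early.
    session = ([("out", "login as: ")] + keys("alice\n")
               + [("out", "alice@host's password: ")] + keys("s3cret\n")
               + [("out", "$ ")] + keys("sudo -S ls\n")
               + [("out", "[sudo] password for alice: ")] + keys("pa ss\n"))
    print(record_session(session))   # ('alice\n\nsudo -S ls\n ss\n', 8)
```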