Configure recordings and audits (PSM for SSH)

This topic describes how to configure recordings and audits for PSM for SSH.

Overview

PSM for SSH records privileged sessions and stores them in the Vault where they can be viewed at any time by authorized users. It provides the following recording and audit options:

  • Recordings PSM for SSH can create text and video recordings, including any keystroke, of privileged sessions on SSH connections. You can access these recordings, view their details and their contents, including the location from where the user connected. You can also see detailed information and properties of the recording file. Recordings can be configured at platform level, overriding the general configuration and enabling you to customize recordings for platforms. To configure SSH text or video recording, see Configure video and text recordings.

  • Audits - PSM for SSH can create audit records for activities that are performed during SSH and SCP connections for privileged sessions. The audit records include only those activities that are internally identified as commands. Other activities are not audited but are part of the recordings. To configure the audit, refer to Configure audits.

    PSM for SSH can also create audit records for uploading and downloading files through PSM for SSH using SFTP.

For more information about configuring and accessing recordings and audit records, see Monitor Privileged Sessions.

Customize recordings in PSM for SSH

Video and text recordings for PSM for SSH connections are configured at PSM general level (in Web Access Options). These instructions describe how to customize these recordings at platform level, which overrides the general level.

You can customize settings for the following text recorders:

SSH text recorder PSM for SSH can record all the keystrokes that are typed during privileged sessions on SSH connections. The recording can be viewed either as a text file or as a video. This type of recording is supported for the following connection component:

PSMP-SSH

 

This configuration also affects the SSH text recording in PSM.
Customize recordings in PSM for SSH

  1. Open the platform for editing, as described in Edit a platform.

  2. In the platform settings page, in the left pane, expand UI & Workflows, then right-click Privileged Session Management, a pop-up menu displays the parameter sets that you can add and customize to manage your PSM recordings.

  3. From the pop-up menu, select Add Recorder Settings; a new set of parameters called Recorder Settings is added.

  4. Disable or customize text and video recordings for this platform:

     
    • Video recording in PSM for SSH is affected by the same parameter as text recording.
    • These settings affect SSH text recordings for SSH connections through PSM as well as PSM for SSH connections.

    1. Right-click Recorder Settings, then select Add SSH Text Recorder.

      Anew set of parameters called SSH Text Recorder is added.

    2. By default, SSH text recordings for SSH connections are enabled. To disable these recordings for this platform, set the value of Enabled to No.

    3. Define the channels that will be recorded during the session. By default, the following channels are recorded for SSH connections:

      Property Default Value Description
      In Yes Whether or not the terminal’s STDIN stream will be recorded.
      Out Yes Whether or not the terminal’s STDOUT and STDERR streams will be recorded.
      Keystrokes Yes Whether or not all the keystrokes logged by the user from the start of the line until the user presses Enter will be recorded.
      Note: Control characters are not recorded.

      To disable recordings on any of these channels, set the value of the channel property to No.

  5. Click OK.

Configure detailed audit in PSM for SSH

By default, PSM for SSH records all the activities that take place during privileged sessions and provides audits for the following events:

Event

Description

SSH keystrokes

PSM for SSH records keystrokes that are performed during privileged SSH sessions. It also records remote SSH commands that were executed through PSM for SSH without opening an interactive session. This type of auditing is supported for the following connection component:

PSMP-SSH

 

For SSH keystrokes audit in PSM, refer to Configure universal keystrokes.

File tracking

PSM for SSH records uploading and downloading of files through PSM for SSH using SFTP. The audit includes the directory and file name on the target machine from where you download the file or to where you upload the file. Also, the Vault user for the end user who downloaded or uploaded the file and the time of the activity are included.

This type of auditing supports inline sessions (not interactive mode) and is supported for the following connection component:

PSMP-SFTP
Configure detailed audit in PSM for SSH

  1. Open the platform for editing, as described in Edit a platform.

  2. Expand UI & Workflows, and then right-click Privileged Session Management.

  3. From the pop-up menu, select Add Audit Settings; a new parameter is added to the Privileged Session Management settings.

  4. Select the Audit Settings, then from the pop-up menu, disable or customize SSH Keystrokes Audits for PSMP-SSH connection component using this platform:

    1. Right-click Audit Settings, then from the pop-up menu, select Add SSH Keystrokes Audit.

    2. By default, SSH keystrokes auditing is enabled for the supported connection component. To disable auditing for this component, in the Properties list, set the value of Enable to No.

    3. To audit SSH keystrokes, PSM for SSH uses the shell prompt of the target system to understand text that was entered by the end-user. As different systems and devices have different prompts, you can configure the regular expression that represents the shell prompt so that PSM/PSM for SSH is able to recognize the text entered by the user.

      In addition, you can configure whether the session will continue without an audit, or will be terminated if the shell prompt is not recognized.

      To configure the regular expression, use the parameter ShellPromptForAudit.
      To configure whether the session will continue without an audit, or will be terminated if the shell prompt is not recognized, use the parameter TerminateOnShellPromptFailure.

      See the table PSM for SSH Connection Component Parameters for details on the relevant parameters.

  5. Configure advanced properties to determine how PSM for SSH will manage audit records.

  6. Click OK.

Hide passwords during recordings

PSM for SSH  identifies passwords that are typed by users during SSH sessions by looking for password prompts. By default, the prompts that PSM for SSH looks for include common prompts for Unix platforms or for Vault passwords. Customize this list to include all password prompts that are received in your environment. When users type a character that cannot be included in a password, such as a space, or when they press Enter, PSM for SSH resumes the audit and recording. You can update this list of characters too.

This can be configured at platform level, overriding the general configuration.

This configuration affects both PSM and PSM for SSH, with the following connection components: PSM-SSH, PSM-Telnet, PSMP-SSH.

Hide passwords during recordings

  1. Open the platform for editing, as described in Edit a platform.

  2. Expand UI & Workflows, then right-click Privileged Session Management.

  3. From the pop-up menu, select Internal Capability Settings.

    A new set of parameters called Internal Capability Settings is added.

  4. Right-click Internal Capability Settings, then from the pop-up menu, select Add SSH Password Hiding.

    A new capability parameter is added.

  5. Select SSH Password Hiding, then specify the following properties:

    Property

    Description

    Enabled

    Determines whether or not passwords will be recorded during PSM for SSH sessions. The default value is Yes, indicating that this feature is enabled and passwords will not be recorded.

    PasswordPrompts

    This is a regular expression that is used to identify password prompts. When the system finds a match to this regular expression, it omits the password from the PSM session recording.

    InvalidPasswordChars

    Defines characters that cannot be included in passwords. When the user specifies one of these characters, PSM resumes auditing and recording each keystroke. The default values are spaces and tabs.

  6. Click OK.

Configure SCP audit capabilities

By default, PSM for SSH records SCP commands that are issued in order to copy files securely. This type of auditing is supported for the PSMP-SCP connection component. SCP auditing is automatically configured and enabled at system level and can be overridden at platform level, enabling you to customize detailed audit for platforms.

In order to customize SCP auditing, the following CyberArk component compatibility is required:

All PSM  servers in your environment must be V9.5 or above.
All PSM for SSH servers in your environment must be V7.2.17 or above.
The Vault and the PVWA must both be V9.5 or above.
Configure SCP audit capabilities

  1. Open the platform for editing, as described in Edit a platform.

  2. On the platform settings page, expand UI & Workflows, then right-click Privileged Session Management.

  3. From the pop-up menu, select Add Audit Settings; a new parameter is added to the Privileged Session Management setting.

  4. Right-click Audit Settings, then from the pop-up menu, select SCP Audit.

    • By default, SCP Audit is enabled for the supported connection components. To disable auditing for these components, in the Properties list, set the value of Enable to No.

    • Configure advanced properties to determine how PSM for SSH will manage SCP audit records.

  5. Click OK.

Recordings Safes

Recordings Safes are created automatically by PSM, according to the configuration in the platform. Each Recording Safe is created when the first recording is uploaded to it by PSM. Vault administrators can configure the system to create Recording Safes that suit the enterprise auditor’s specific access control needs. In addition, Vault administrators can manually set different auditors for each Recording Safe according to their access control policy.

 

The built-in Auditors group is automatically added as a member to all Recording Safes. As such, all members of the Auditors group immediately have access to all the recording sessions stored in the Recording Safe. You can manually update the Auditors group’s authorizations in Recording Safes and update the list of members that are part of this group. For more information about setting auditor permissions in Safes, refer to Monitor Privileged Sessions.

There are three ways to configure the way that Recording Safes are created, all of which are configured in the platform settings, as described below.

Method

Description

Predefined Recording Safe name

A Recordings Safe is created for recordings of all accounts that are associated with the same platform. The exact Safe name is specified in the platform settings.

Generated Recording Safe name that includes the Account Safe name

A Recordings Safe is created for all accounts that are stored in the same Safe. The Safe name is partially specified in the platform settings and the name of the Safe where the accounts are stored is generated dynamically when the Safe is created.

Generated Recording Safe name that includes the values of specific connection parameters

A Recordings Safe is created for all sessions that have the same connection parameters values. The Safe name is partially specified in the platform settings and the values of the connection parameters that were used in the session are added dynamically when the Safe is created.

You need configure platforms permissions to perform this procedure.

To configure the Recording Safe:

  1. Open the platform for editing, as described in Edit a platform.

  2. Expand UI & Workflows, and then select Privileged Session Management. The PSM parameters are displayed with their default values.

  3. In SessionRecorderSafe , specify the name of the Safe to store recordings of activities for accounts associated with the platform. Enter the relevant information:

    Property

    Description
    Safe name The name of the Safe.
    Safe name and {AccountSafeName} Specify a partial Safe name and then {AccountSafeName} to create a Safe whose name includes the name of the Safe where the account used to initiate the session is stored. For example, if the session uses an account that is stored in a Safe called ‘Windows’, and you specify ‘PSM-{AccountSafeName}’, a Safe called ‘PSM-Windows’ is created.
    Safe name and {<connection parameter>}

    Specify a partial Safe name and then {<connection parameter>} to create a Safe whose name includes the value of the specified connection parameter that was used in the session. The connection parameter can be anyone of the following:

    • A File Category in the account that was used in the session.

    • A User Parameter that was configured for the connection component that was used in the session.

    • A Client Specific parameter that was configured for the connection component that was used in the session.

      For example, if the session uses an account that has a File Category "EnvironmentType" with the value "Production", and you specify ‘PSM-{EnvironmentType}’, a Safe called ‘PSM-Production’ is created.

       

      If the same connection parameter was set in multiple ways (for example: a File Category and a User Parameter which are both named "EnvironmentType"), the value that is used for the Safe name is according to the following order of precedence: A File Category overrides a User Parameter, and a User Parameter overrides a Client Specific parameter.

    • You can also combine multiple connection parameters. For example, if the session uses an account that is stored in a Safe called ‘Windows’, and uses a connection component with a client specific parameter called "Group" with a value of "GroupA", and you specify ‘PSM-{AccountSafeName}-{Group}’, a Safe called ‘PSM-Windows-GroupA’ is created.

      This Safe is created when the first recording is uploaded to it.

  4. Save your changes.

Create a Recording Safe before initiating sessions

You can create PSM Recording Safes before any sessions are initiated and assign the desired user permissions. In this way, the PSM does not automatically create Recording Safes with default permissions.

Add the PSMAppUsers group as a member of this Safe with full permissions.