Monitor Privileged Sessions
Privileged Session Manager (PSM) enables organizations to secure, control and monitor privileged access to network devices by using Vaulting technology to manage privileged accounts and create detailed session audits and video recordings of all IT administrator privileged sessions on remote machines.
The PSM Suite also includes PSM for SSH, which preserves the benefits of PSM such as isolation, control and monitoring, whilst enabling users to connect transparently to target UNIX systems from their own workstation without interrupting their native workflow.
Be aware that some audit types might capture sensitive information, inserted or retrieved after logging on to a target system. Specific examples include personal identifying information, passwords (particularly when using a jump-host), and other sensitive information.
Features and roles
Feature | Description |
---|---|
Recorded Privileged Sessions | All the activities in each privileged session can be recorded in text and/or video format, and stored in the Vault, compressed, for future auditing. These recordings are transparent to users and cannot be bypassed. |
SQL Command Level Audit (PSM only) | All the command activities carried out in SQL privileged sessions can be recorded and stored in the Vault as audit records, and viewed at any time by authorized users. Session recordings can also be searched according to the SQL commands that were invoked during sessions. |
SSH Keystrokes Audit | All the keystrokes that are typed during SSH privileged sessions can be recorded and stored in the Vault as audit records, and viewed at any time by authorized users. Users can search session recordings for specific content according to these SSH keystrokes. |
Windows Events Audit (PSM only) | Titles of windows opened during a privileged session are recorded and stored in the Vault as audit records. Authorized users can view these audit records at any time. The built-in search feature enables users to search for sessions according to window title or process name. |
Universal Keystrokes Audit (PSM only) | Keystrokes typed during privileged sessions, such as on Mainframe, SQL clients, and Windows, are captured and stored in the Vault as audit records. Authorized users can view these sessions at any time and search session recordings for specific content. In addition, keystrokes that are typed during privileged sessions initiated by the Universal Connector are also recorded. Use caution when enabling this feature, as this audit method captures all text typed by users, which may include personal identifying information (PII) and passwords. For more information, refer to Connection Component Configuration. |
Identify High Risk Sessions | The PSM integrates with CyberArk Privileged Threat Analytics (PTA) to enable users to identify high risk privileged sessions and understand their risk score. This enables them to focus their review on the high risk sessions and mitigate potential security issues. |
Privileged Remote Access (PSM only) | Users can initiate privileged sessions to the PSM machine using HTTPS protocol. This meets standards for secure remote access by ensuring encrypted sessions and by not requiring the corporate firewall to be opened to additional native protocols. |
Privileged Single Sign-On | Users connect transparently to remote target applications and systems through PSM. |
Centralized Management | In the PVWA, users can see all the recordings archives, where auditors can retrieve and view comprehensive recordings of privileged sessions. Search features enable auditors to locate specific recordings. |
Transparent Integration | PSM can be integrated transparently and seamlessly into existing enterprise infrastructures, including a variety of authentication, monitoring, ticketing, and workflow systems. |
Monitoring and Terminating Live Sessions | Authorized users can monitor live privileged sessions in real-time, viewing them or taking part in controlling them according to predefined configurations. This enables authorized users to supervise live sessions and also enables two users to perform a procedure concurrently. In addition, authorized users can terminate suspicious sessions immediately, when necessary. |
Role | Description |
---|---|
IT administrators | Users who need to perform administrative tasks on remote network devices and managed hosts. Users can transparently log onto remote devices directly without disturbing their workflow by needing to retrieve and copy the passwords. The entire privileged session can be recorded automatically without any human intervention. |
Auditors and security officers | Users who require access to audit information and privileged session recordings. These users benefit from centralized administration that is displayed in a simple, intuitive interface. |
Administrators | Users who need to configure, manage and administer PSM related activities. |
Permissions
The PVWA provides a centralized access point for privileged session recordings. To display information about privileged session recordings and to play the session recordings, users require the following authorizations:
Membership in the Auditors group
Or,
Membership in the relevant Password Safes and Recording Safes with the following authorizations:
Safe type |
Permissions |
---|---|
Account Safes |
|
Recording Safes |
|
Authorized users can view the recordings in any of the following ways:
■ | The MONITORING page enables intuitive access to all privileged session recordings. This page is visible to authorized users after the first recording has been uploaded to the Vault. |
■ | The Recording Details page enables a more thorough view of a specific session recording. |
■ | The Account Details page provides access to recordings for individual passwords. |
Privileged session recordings
The Recording page enables authorized users to search for and access privileged session recordings in a centralized point.
Task | Description |
---|---|
Displaying privileged session activity | Authorized users can search for video and text recordings according to session information, such as address or username, or by a command or event that was performed during the session and is stored in the recording. For more information, refer to Monitor Privileged Sessions. |
Customize views | You can create a set of customized views that display a list of recordings in one quick step, increasing accessibility and efficiency. You can save these personalized views and even mark one so that it is displayed as the default view the next time you log on and display the MONITORING page. For more information about customizing views, refer to Customize Recording Views. |
Access recordings | You can access video and text recordings of privileged sessions, view their details and their contents. You can also see which other users are authorized to access these recordings and any activities that they performed on them, as well as detailed information and properties of the recording file. For more information, refer to Monitor Privileged Sessions. |
View commands and events | You can view a list of the commands and events that were issued during specific privileged sessions. This enables you to audit every keystroke or command, facilitating total accountability. For more information about auditing commands and events, refer to Monitor Privileged Sessions. |
View the risk score and details for each privileged session | You can view a risk score for each privileged session which indicates that accounts may be compromised. This score can be displayed for live sessions and recordings of finished sessions, enabling you to respond immediately and mitigate potential security issues. In addition, auditors can view details about the security incidents in each session and understand the reason for the risk score of the session. For information about high risk sessions, refer to View high risk sessions. |
Play privileged session recordings | By configuring PSM for direct playback, you can play privileged session video recordings directly from the PVWA using an embedded video player. Alternatively, you can open or download video recordings and view them using your default media player. Likewise, you can either open text recordings and view them immediately or download them and view them at your convenience. For more information, refer to Monitor Privileged Sessions. |
Search session recordings
The MONITORING page displays the following recordings:
■ | Video Recordings – Video recordings of privileged PSM, PSM for SSH, and OPM sessions. |
■ | Text Based Recordings – Text recordings of privileged PSM, PSM for SSH, and OPM sessions. |
You can search for these recordings using a free text search according to the properties that are associated with the privileged session (e.g. password, user, address, device, machine, ticket ID, or any other account keyword). You can also search for recordings according to SQL commands, SSH or SCP (Secure Copy) commands, SSH commands that were blocked when using Commands Access Control, keystrokes typed during sessions on any platform, and Windows events that were recorded during sessions.
You can limit search results according to dates, which adds an extra dimension to the tracking facility and enables a quick search and full audit of all password activity according to keywords over a specific period of time.
After each search, a definition of the search is listed in the Views list, enabling you to access the results of different searches without the need to repeat them. For more information about customized views, refer to Customize Recording Views.
You can change the columns that are displayed in the recordings list to display different properties of the displayed recordings and reorganize the displayed list recordings so that you can locate recordings quickly and easily. For more information, refer to Customize Recording Views.
The recordings are stored in the Safe in a compressed format. The size of the recording that is displayed in the Recordings list indicates the size of the compressed recording file, and not its actual size.
1. | Display the MONITORING page; the Monitoring – Sessions List page appears. |
2. | In the search edit boxes, specify keywords that will be used in the search. These keywords may include the following: |
■ | Search for Sessions – Any information about the privileged session that was recorded. This includes the name of the user or the privileged account user, the name or IP address of the remote machine, the platform name, port or database name. |
■ | Search for Commands and Events – You can search for specific events that were executed during PSM sessions. Events and commands that are issued during sessions can be recorded in OPM commands and PSM connections. |
SCP commands that were issued to copy files securely through PSM for SSH can be searched by typing scp.
SSH commands that were blocked when using Commands Access Control will have a prefix DENIED attached to the command text so you can search for them by typing denied.
Note: Specify all or part of a search word. Do not specify wildcards.
For example, you can specify a single command to display recordings of privileged sessions during which that command was issued, or a command and an IP address to display recordings of all the privileged sessions run from a particular IP address during which that command was issued.
Leave the search edit boxes empty to display all the recordings you are authorized to view.
3. | To specify a timeframe for the search, select Search for session recordings between; the date and time drop-down boxes are enabled. |
Leave this checkbox clear to check all dates and times.
4. | Select a date and time to begin and end the search. |
5. | Click Search or press Enter. |
If you did not specify any search criteria, the following message will appear:
6. | Click Yes to begin the search, |
or,
Click No to return to the Search for Sessions page where you can specify search criteria.
The Search is performed in the Safes where the recordings that you are authorized to access are stored, and all the Session Recordings that meet the search criteria are displayed.
7. | To view recordings: |
■ | Video Recordings – In the search results, click one of the following icons: |
Name | Description |
---|---|
Play recording | Plays the session recording immediately in a direct playback. You can either play the recording from the beginning or from a specific command. This icon is displayed when Direct Playback is enabled. |
Download recording | Enables you to open the session recording or save it in a different location. |
■ | Text Based Recordings – In the search results, click the following icon: |
Name | Description |
---|---|
Save text recording | Enables you to open the session text recording or save it in a different location. You can view commands and events that were executed during a PSM, PSM for SSH, or OPM session. |
8. | To display the Recording Details page, and view the contents of the Events tab, click the recording line in the search results. |
The following example shows the results of a search in recordings for two words, update and emp, that were issued during recorded sessions. These words are not connected by surrounding quotation marks.
This search returns all the recordings that include at least one command that contains both words, although not necessarily consecutively. The commands preview displays several commands that were issued during the session that contain at least one of these words, in this case, update or emp. Commands that do not contain either of the words specified in this search are not included in the preview.
Commands or events that are surrounded by quotation marks, for example “update emp” will initiate a search for recordings of sessions during which these two words were issued consecutively, separated by one space, at least once.
The following example shows the results of a search for recordings in which windows with a title that included the words “new” or “user” were displayed.
This search returns all the recordings in which a window with a title that included the words “new” or “user” was displayed at least once during the session. Each search result includes a preview that displays all window titles displayed in this recording that match the search criteria.
The following example shows the results of a search for recordings in which the scp command was issued to copy files securely through PSM for SSH.
This search returns all the recordings of sessions in which the scp command was used.
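The command-search rules described in this section (partial words, unquoted words that must all appear in one command, quoted phrases, and the DENIED prefix), modelled over constructed session data. This is an added example for reasoning about search results, not CyberArk code or a PSM API; the `Recording` type, the sample commands and the case-insensitive matching are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Recording:
    session_id: str   # hypothetical label, not a PSM field name
    commands: list    # command/event text in the order it was recorded


# Constructed sample data for illustration only.
SAMPLE = [
    Recording("s1", ["select * from emp",
                     "update emp set sal = 100 where id = 7",
                     "commit"]),
    Recording("s2", ["update dept set name = 'ops'",
                     "select name from emp"]),
    Recording("s3", ["scp report.tgz backup01:/tmp/",
                     "DENIED rm -rf /var/log"]),
    Recording("s4", ["update hr.emp set sal = 0"]),
]


def parse_query(query):
    """Split a query into lower-cased terms; a quoted phrase stays one term."""
    # Normalise typographic quotes so “update emp” behaves like "update emp".
    query = query.replace("\u201c", '"').replace("\u201d", '"')
    terms = []
    for phrase, word in re.findall(r'"([^"]*)"|(\S+)', query):
        term = (phrase or word).lower()
        if term:
            terms.append(term)
    return terms


def search(recordings, query):
    """Return {session_id: preview} for every recording that matches.

    A recording matches when at least one command contains all terms.
    Terms match as substrings (all or part of a word); wildcard
    characters are not interpreted. The preview lists the commands that
    contain at least one term. An empty query returns every recording.
    """
    terms = parse_query(query)
    results = {}
    for rec in recordings:
        lowered = [c.lower() for c in rec.commands]
        if not terms:
            results[rec.session_id] = []
            continue
        if any(all(t in c for t in terms) for c in lowered):
            results[rec.session_id] = [
                original for original, c in zip(rec.commands, lowered)
                if any(t in c for t in terms)
            ]
    return results


if __name__ == "__main__":
    for q in ('update emp', '"update emp"', 'denied', 'scp'):
        print(q, "->", search(SAMPLE, q))
```

Session s2 is the case to note: it contains both words, but in different commands, so the unquoted search does not return it.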
View privileged session recordings
Authorized auditors can view the privileged session recordings to see exactly what happened during each session. Users can play recordings directly from the PVWA or download them and play them using a media player.
Recordings can be played or viewed in any of the following pages:
■ | Monitoring – Sessions List |
■ | Recording Details page |
■ | Account Details page |
Users must have the View Audit authorization in the Safe where the recordings are saved or they must belong to the Auditors group.
For more information about viewing OPM sessions, see Audits in OPM.
Display session recording details
The Recording details page enables you to see details about privileged session recordings, including details about the account that was used, a list of all the events that took place during the recorded session, an attestation list of activities performed on the recording, and a list of users who are authorized to access the recording.
This page displays all the details about the recording, including the following:
Item | Description |
---|---|
General Recording Details | General details about the recording, including the name of the user, the IP address where the account was used, the IP address of the remote machine that was accessed and the date when the privileged session took place. |
Account Details | The ID of the platform that the used account is associated with, the name of the user who accessed the account and the address where the account was accessed. |
Video Recording | The size of the video recording of the privileged session, the name of the user who last reviewed it, and the date when they did so. |
Text Recording | The size of the text recording of the privileged session, the name of the user who last reviewed it, and the date when they did so. |
Security Incidents | Details about Security Incidents that occurred during the displayed privileged session, if it was allocated a risk score. This includes the name of each security incident, the risk score, and the activity performed during the privileged session that posed the highest risk. For information about high risk sessions, refer to View high risk sessions. |
This page also displays the following tabs:
Tab | Description |
---|---|
Events | A list of commands and keystrokes that were performed during the privileged session and the time from the beginning of the session that they were carried out. You can also play a recording from the point of a specific event. |
Attestation | Activities that were carried out on the recording files. |
Permissions | Users who have permission to access the recording files through object level access. For more information, see Use Object Level Access Control in Safes. |
Advanced | Detailed information and properties of the recording file, including the compressed size and the actual size of the recording files in the Vault. |
In addition to viewing all the information about the recording, you can do the following:
Activity | Description |
---|---|
Play recording | If this is a video recording, you can play the recording immediately. This option is available when Direct Playback is enabled. For more information about playing video recordings, refer to Monitor Privileged Sessions. |
Download recording | If this is a video recording, you can download it and save it in a different location. For more information about playing video recordings, refer to Download video recordings. |
Save text recording | If this is a text recording, you can save it and view the contents of the recording. For more information about viewing text recordings, refer to View text recordings. |
Protect or Unprotect the recording | You can protect important recordings from being deleted automatically after the Safe retention period on the Recordings Safe has expired. To protect a recording, click Protect on the toolbar; the recording will be stored in the Safe either until you delete it or until you remove the protection. To unprotect a recording, click Unprotect on the toolbar; the recording will be deleted from the Safe the next time that expired Safe history is erased from the Safe. The retention period setting can be modified in the Safe properties. |
Browse between search results | You can easily browse other recordings found during the same search to review their content and recorded commands/events without having to return to the Search results page each time, simplifying the auditor’s review process. |
Display recordings for individual accounts
In the Account Details page for accounts whose platform is configured to use PSM, PSM for SSH, or OPM session recording, users can see video and text recordings of every privileged session during which a specific account was used. This provides a complete audit of individual accounts, what they were used for, and on which machine.
Users must have the View Audit authorization in the Password Safe or they must belong to the Auditors group.
1. | In the Accounts list, click the account whose recording you want to view; the Account Details page appears. |
2. | In the Account Details page, display the Recordings tab; all the recorded privileged sessions for this account appear. |
The following icons in the Recordings tab indicate which recordings are available for this session recording:
■ | Play a video recording |
■ | Download a video recording |
■ | Download a text recording |
3. | You can view more information about a recording by clicking on the specific recording in the Recordings tab. |
Play video recordings
Authorized auditors can play privileged session recordings and see an exact replica of the tasks that were performed during a privileged session in a VCR-like playback. Session recordings are AVI files that, by default, are played with Windows Media Player, although they can be played with other media applications.
1. | Display the recording to play, then click the relevant button to start the Direct Play. This may be in any of the following pages: |
In the Monitoring – Sessions List:
■ | In the details of the recording to view, click the Play recording icon to play the entire recording, |
or,
■ | Click Start playback from this position to play the recording from a specific point. |
In the Recordings Details page:
■ | On the toolbar, click Play to play the entire recording, |
or,
■ | In the Events tab, click Start playback from this position to play the recording from a specific point. |
The following example shows the Recording Details page of a privileged SQL session. You can start the recording from any specified command.
The following example shows the Recording Details page of a privileged Windows session. You can start the recording from any specified Windows event that has been recorded.
In the Account Details page:
■ | In the Recordings tab, in the details of the recording to view, click the Play recording icon. |
If you selected Start playback from this position in the Events tab of the Recording Details page, the recording will start playing from the selected action.
Player Element | Description | Supported Player |
---|---|---|
Full screen | Click the | |
Zoom | Click the -/+ buttons to zoom in and out. | HTML5 |
Skip idle automatically | Automatically skip idle time or skip it manually. | HTML5 |
Skip idle manually | Skip idle time by clicking the Next frame button. | |
Fit | Fit the recording to the screen | HTML5 |
After a direct playback has finished running, you can start another one without having to close the embedded video player.
- After the direct playback has finished running, do not click Close.
- Toggle to the PVWA and in the details of the next recording to play, click Play; the video player immediately begins playing the recording in the same window.
You can also click Start playback from this position to play the recording from a specific point.
Download video recordings
Authorized auditors can download privileged PSM session recordings and view them at their convenience.
Make sure that the PSM codec for high compression session recordings is installed on your desktop. This codec is included in the PSM installation package, and enables you to download and play session recordings with a regular media player. Administrator permissions are required in order to install this codec.
Currently, you can download video recordings for PSM sessions, but not for PSM for SSH or OPM sessions.
1. | Display the recording to download, then click the Download recording button. |
In the Recordings List:
In the Recordings Details page:
■ | On the toolbar, click Save Video. |
In the Account Details page:
■ | In the Recordings tab, in the details of the recording to view, click the Download recording icon. |
2. | The File Download window appears. |
■ | Click Open to play the recording, |
or,
■ | Click Save to save the recording in another location. |
Note: If you save the recording in a location outside the Safe, it will not be secure and unauthorized users will be able to access it.
3. | If you click Open, the media player will begin to play the recorded session. |
You can play and replay the recording in the same way as any media file.
View text recordings
Authorized auditors can view privileged session text recordings and see all the commands that were executed during a privileged session. Auditors can view the following text recordings:
Recording type | Description |
---|---|
Privileged SSH sessions | The entire session as textual lists of commands. |
Privileged SQL commands | A list of SQL commands issued in a privileged session. |
Privileged Windows sessions | A full textual log of the windows titles that were opened by the user during the session. |
1. | Display the text recording to view, then click Save Text. This may be in any of the following pages: |
In the Recordings List:
■ | In the details of the recording to view, click the Save text recording icon. |
In the Recordings Details page:
■ | On the toolbar, click Save Text. |
2. | The File Download window appears. |
3. | Click Open to view the recording, |
or,
Click Save to save the recording in another location.
Note: If you save the recording in a location outside the Safe, it will not be secure and unauthorized users will be able to access it.
4. | If you click Open, the recording is displayed as a text file. |
The following example shows a text recording of a privileged SSH session:
This text file contains a record of the text that was generated during the privileged session. Depending on the type of session and the PSM connection, this file might contain commands that were issued and the channels that were used during the session.
The following example shows a textual log of a privileged Windows session.
This text file contains a full audit record of the processes that were run during the privileged session.
1. | Display the text recording to view, then click Save Text. This may be in any of the following pages: |
In the Recordings List:
■ | In the details of the recording to view, click the Save text recording icon to save the text in readable format. |
In the Recordings Details page:
■ | On the toolbar, click Save Text to save the text in readable format. |
■ | On the toolbar, click Save Raw Text to save all the text that appeared during the session, including keystrokes, control characters, terminal properties, etc. |
2. | The File Download window appears. |
■ | Click Open to view the recording, |
or,
■ | Click Save to save the recording in another location. |
Note: If you save the recording in a location outside the Safe, it will not be secure and unauthorized users will be able to access it.
3. | If you click Open, the recording is displayed as a text file. |
The following examples show text recordings of OPM sessions:
Example 1: Viewing a readable text recording:
Example 2: Viewing a raw text recording:
These text files contain a record of the text that was generated during the privileged session. Depending on the type of session and the PSM connection, this file might contain commands that were issued and the channels that were used during the session.