Recordings and Audits
PSM records privileged sessions and stores them in the Vault where they can be viewed at any time by authorized users. These recordings are automatically configured and enabled at system level and can be overridden at platform level, enabling you to customize recordings for platforms.
For details on storing recordings in an external storage location, see External Storage Device.
Recordings and audit overview
PSM can create the following recording types:

Type | Description
---|---
Video recordings | PSM can create video recordings for all supported connection components. By default, all these recordings are enabled.
Text recordings | PSM can create text recordings for all supported connection components. By default, all these recordings are enabled.
Audit records | PSM can create audit records for each command or event that is executed, and for each keystroke that is typed, during privileged sessions for all supported connection components.
Customize recordings in PSM
Video and text recordings for PSM connections are automatically enabled at Master Policy level and are configured at PSM general level (in Web Access Options).
These instructions describe how to customize these recordings at platform level, which overrides the general level.
You can customize settings for the following text recorders:

Text Recorder Type | Comments and Details
---|---
SQL text recorder | PSM can record all the commands that are executed during privileged sessions on SQL connections.
SSH text recorder | PSM can record all the keystrokes that are typed during privileged sessions on SSH connections.
Windows events text recorder | PSM can record all the window titles that were accessed during privileged sessions on Windows connections. Before enabling the Windows events text recorder, see Configure Windows events text recording and Windows events auditing.
Universal keystrokes text recorder | PSM can record all the keystrokes that are typed during privileged sessions on all supported connections. Universal keystrokes recording and Windows events recording cannot be configured for the same PSM-RDP connection. Windows events text recording is enabled for PSM-RDP connections by default; to enable universal keystrokes text recording on PSM-RDP, first disable Windows events text recording (see the relevant steps in the following procedure). PSM only captures universal keystrokes text recordings for PSM-RDP connections in environments where single language support is configured; for environments with an additional language, see Configure universal keystrokes for Windows connections when an additional language is used. Before enabling the Universal keystrokes text recorder, see Configure universal keystrokes text recording and universal keystrokes auditing.
- In the PVWA, click Administration, and then click Platform Management.
- Select the platform to configure, and then click Edit.
- On the settings page for the selected platform, expand UI & Workflows, then right-click Privileged Session Management.
- From the pop-up menu, select Add Recorder Settings. A new set of parameters called Recorder Settings is added.
- Disable or customize video recordings for this platform:
  - Expand Recorder Settings and select Video Recorder.
  - By default, video recordings are enabled. To disable video recordings, set the value of Enabled to No.
- Disable or customize text recordings for this platform:
  - Disable or customize SSH text recordings. These settings affect SSH text recordings for SSH connections through PSM as well as through PSM for SSH.
    - Right-click Recorder Settings, then select Add SSH Text Recorder. A new set of parameters called SSH Text Recorder is added.
    - By default, SSH text recordings for SSH connections are enabled. To disable these recordings for this platform, set the value of Enabled to No.
    - Define the channels to record during the session. By default, the following channels are recorded for SSH connections:

      Property | Default Value | Description
      ---|---|---
      In | Yes | Whether or not the terminal's STDIN stream is recorded.
      Out | Yes | Whether or not the terminal's STDOUT and STDERR streams are recorded.
      Keystrokes | Yes | Whether or not all the keystrokes typed by the user from the start of the line until the user presses Enter are recorded. Control characters are not recorded.

      To disable recording on any of these channels, set the value of the channel property to No.
  - Disable or customize SQL text recordings:
    - Right-click Recorder Settings, then select Add SQL Text Recorder. A new set of parameters called SQL Text Recorder is added.
    - By default, SQL text recordings for SQL connections are enabled. To disable these recordings for this platform, set the value of Enabled to No.
    - Define the channels to record during the session. By default, the following channel is recorded for Oracle Database connections:

      Property | Default Value | Description
      ---|---|---
      In | Yes | Whether or not SQL commands are recorded. As this is the only channel recorded for SQL text recordings, it must be enabled for sessions to be recorded.

  - Disable or customize Windows events text recordings:
    - Right-click Recorder Settings, then select Add Windows Events Text Recorder; a new set of parameters called Windows Events Text Recorder is added.
    - By default, Windows events text recordings for Windows connections are enabled. To disable these recordings for this platform, set the value of Enabled to No.
    - Define the channels to record during the session. By default, the following channel is recorded for Windows connections:

      Property | Default Value | Description
      ---|---|---
      WindowTitles | Yes | Whether or not window titles are recorded in a text file. As this is the only channel recorded for Windows events text recordings, it must be enabled for sessions to be recorded.

  - Disable or customize universal keystrokes text recordings:
    - Right-click Recorder Settings, then select Add Keystrokes Text Recorder; a new set of parameters called Keystrokes Text Recorder is added.
    - By default, universal keystrokes text recording is enabled for the supported connection components except PSM-RDP.
    - To disable these recordings for any component, in the Properties list, set the value of Enabled to No.
    - To enable these recordings for PSM-RDP, or for other platforms where they are disabled, set the value of Enabled to Yes. On PSM-RDP, first disable Windows events text recording, because the two cannot be configured for the same PSM-RDP connection. Text recordings for PSM-RDP connections can only be enabled in environments where single language support is configured; for more information, see Configure universal keystrokes for Windows connections when an additional language is used.
    - Define the channels to record during the session. By default, the following channels are recorded for keystrokes text recordings:

      Property | Default Value | Description
      ---|---|---
      In | Yes | Whether or not PSM includes each individual keystroke typed by the user in the text recording file.
      Keystrokes | Yes | Whether or not all the keystrokes typed by the user from the start of the line until the user presses Enter are recorded.

      To disable recording on any of these channels, set the value of the channel property to No.
- Save your changes.
Automatically adjust the frames per second (FPS) rate of the PSM video recorder
PSM dynamically lowers the frames per second (FPS) rate of the PSM video recorder when the PSM server is under load, reducing the performance impact in environments with large numbers of concurrent sessions. Videos of sessions that ran while the server was loaded may therefore play back at reduced quality.
To disable this feature, set EnableDynamicFramesPerSecond to No. This parameter is found in the PVWA configuration, under Options > Privilege Session Management > General Settings > Recorder Settings.
The deprecated EnableDynamicFPS parameter in the basic_psm.ini file on the PSM server overrides the EnableDynamicFramesPerSecond parameter, so check that file if the PVWA setting appears to have no effect. The basic_psm.ini file is found in the PSM installation folder; by default, this is C:\Program Files (x86)\CyberArk\PSM.
Separate keystroke records
You can define a list of keys that indicate when a keystrokes audit record ends. This list can be defined for each connection component and can be overridden for a specific platform. Whenever the user presses a key from this list, PSM creates a new audit record that contains the group of keys that were typed up to that point.
In an environment where support for multiple languages is configured, in PSM-RDP connections the only separator key is Enter and it cannot be changed. For more information, see Configure universal keystrokes for Windows connections when an additional language is used.
- In the PVWA, click Administration, and then click Platform Management.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, and then expand Connection Components.
- Right-click the connection component to configure then, from the pop-up menu, select Add Override target settings; a new set of Override target settings is added to the Connection Component.
- Expand Override target settings, then right-click Client Specific parameters, and select Add Multiline Parameter; a new parameter is added.
- In the Properties list, in the Name property, specify KeystrokesRecordSeparator.
- Click the Value property; an edit box appears in which you specify the list of keys that indicate when a keystrokes audit record ends. As this is a multiline parameter, each line represents a single key. Any key can be specified in this list; special keys must be enclosed in square brackets and their names are case sensitive, for example [Tab] or [RCtrl]. The default value is the Enter key.
  Specify any regular character or any of the following special keys: [RAlt] [LAlt] [LShift] [RShift] [LCtrl] [RCtrl] [F1] [F2] [F3] [F4] [F5] [F6] [F7] [F8] [F9] [F10] [F11] [F12] [Esc] [Home] [Delete] [Insert] [End] [PageUp] [PageDown] [Pause/Break] [LWinKey] [RWinKey] [Menu] [Tab] [LeftArrow] [RightArrow] [UpArrow] [DownArrow] [Backspace] [CapsLock] [NumLock] [ScrollLock] [Enter]
- Click OK; the list of keys that indicate when a keystrokes audit record ends is displayed in the Value property as one line.
- Save your changes.
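As an added illustration of the separator semantics described above (this is not CyberArk code; the keystroke stream is constructed, and whether the separator key itself is stored inside the record is not stated on this page, so the script keeps it in a separate field), the following Python script parses a KeystrokesRecordSeparator-style multiline value, rejects special-key names that are not on the list above (the names are case sensitive, so [tab] is caught before the value is saved), and splits the stream into the records a reviewer would see:

```python
"""Split a keystroke stream into audit records using a KeystrokesRecordSeparator-style key list."""

# Special key names exactly as listed on this page for KeystrokesRecordSeparator.
# Names are case sensitive: "[Tab]" is valid, "[tab]" is not.
SPECIAL_KEYS = {
    "[RAlt]", "[LAlt]", "[LShift]", "[RShift]", "[LCtrl]", "[RCtrl]",
    "[F1]", "[F2]", "[F3]", "[F4]", "[F5]", "[F6]", "[F7]", "[F8]", "[F9]",
    "[F10]", "[F11]", "[F12]", "[Esc]", "[Home]", "[Delete]", "[Insert]",
    "[End]", "[PageUp]", "[PageDown]", "[Pause/Break]", "[LWinKey]",
    "[RWinKey]", "[Menu]", "[Tab]", "[LeftArrow]", "[RightArrow]",
    "[UpArrow]", "[DownArrow]", "[Backspace]", "[CapsLock]", "[NumLock]",
    "[ScrollLock]", "[Enter]",
}

# Constructed value in the shape of the multiline parameter: one key per line.
# The product default is the Enter key alone; Tab and ";" are added here so that
# a command typed after a Tab completion or a ";"-chained command lands in its
# own record. (Example value, not a recommended setting.)
SEPARATOR_PARAM_VALUE = "[Enter]\n[Tab]\n;"

# Constructed keystroke stream: printable characters are single-character
# tokens, special keys use the bracketed names above.
SAMPLE_KEYSTROKES = (
    list("sudo -i") + ["[Enter]"]
    + list("id") + ["[Tab]"]
    + list("cat /etc/shadow") + [";"]
    + list("exit") + ["[Enter]"]
)


def parse_separator_list(multiline_value):
    """Each non-empty line of the multiline parameter is one separator key."""
    return {line.strip() for line in multiline_value.splitlines() if line.strip()}


def invalid_separators(separators):
    """Bracketed entries that are not on the documented special-key list.

    Any entry that does not start with "[" is treated as a regular character
    and accepted; only bracketed names are checked (case sensitively).
    """
    return sorted(s for s in separators if s.startswith("[") and s not in SPECIAL_KEYS)


def split_audit_records(keystrokes, separators):
    """Return (text, terminator) pairs, one per audit record.

    A record is the run of keys typed since the previous separator. The
    separator that closed the record is returned as a separate field (an
    assumption of this example). Keys typed after the last separator, i.e. the
    session ended mid-line, are returned with terminator None.
    """
    records, current = [], []
    for key in keystrokes:
        if key in separators:
            records.append(("".join(current), key))
            current = []
        else:
            current.append(key)
    if current:
        records.append(("".join(current), None))
    return records


def audit_records_for(keystrokes, separator_param_value):
    """Validate the separator list, then split the stream with it."""
    separators = parse_separator_list(separator_param_value)
    bad = invalid_separators(separators)
    if bad:
        raise ValueError(f"unknown special key name(s) in separator list: {bad}")
    return split_audit_records(keystrokes, separators)


if __name__ == "__main__":
    for text, terminator in audit_records_for(SAMPLE_KEYSTROKES, SEPARATOR_PARAM_VALUE):
        print(f"{str(terminator):>8}  {text}")
```

With the default list (Enter only) the `id` and `cat /etc/shadow` keystrokes would end up in one record; adding Tab and `;` as separators splits them, which is the kind of choice worth reviewing with whoever reads the audit trail.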
Configure detailed audit in PSM
By default, PSM records all the activities that take place during privileged sessions and provides audits for the following events:

Event | Description
---|---
SQL commands | PSM can record all the commands that were executed during privileged SQL sessions on the server or database. This type of auditing is supported for the PSM-Toad and PSM-SQLPlus connection components.
SSH keystrokes | PSM can record all the keystrokes that are typed during privileged SSH sessions. This type of auditing is supported for the PSM-SSH, PSMP-SSH and PSM-Telnet connection components. For SSH keystrokes audit in PSM for SSH, see Configure recordings and audits (PSM for SSH).
Window titles | PSM can record the titles of the windows that are displayed during privileged Windows sessions. This type of auditing is supported for the PSM-RDP connection component. Universal keystrokes recording and Windows events recording cannot be configured for the same PSM-RDP connection; Windows events recording is enabled for PSM-RDP connections by default. Windows events audit is not supported when connecting with local administrators (except for the built-in Administrator user) to systems with UAC enabled. Before enabling the Windows events audit, see Configure Windows events text recording and Windows events auditing.
Universal keystrokes | PSM can record all the keystrokes that are typed during all privileged sessions. This type of auditing is supported for all connection components. Universal keystrokes recording and Windows events recording cannot be configured for the same PSM-RDP connection; Windows events recording is enabled for PSM-RDP connections by default, so to enable universal keystrokes recording on PSM-RDP, first disable Windows events recording (see the relevant steps in the following procedure). Universal keystrokes recording cannot be combined with Commands Access Control in PSM. Before enabling the Universal keystrokes audit, see Configure universal keystrokes text recording and universal keystrokes auditing. In environments where single language support is configured, universal keystrokes works for PSM-RDP connections without any extra configuration; where additional language support is configured, specific prerequisites apply, see Configure universal keystrokes for Windows connections when an additional language is used.
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, and right-click Privileged Session Management.
- From the pop-up menu, select Add Audit Settings; a new set of parameters is added to the Privileged Session Management settings.
- Right-click Audit Settings, then from the pop-up menu, select an option, depending on the audit settings you want to disable or customize:
  SQL Level Audit
  To disable or customize SQL Level Audit for the PSM-Toad and PSM-SQLPlus connection components using this platform:
  - Right-click Audit Settings, then from the pop-up menu, select Add SQL Level Audit.
  - By default, SQL level auditing is enabled for the supported connection components.
  - To disable auditing for these components, in the Properties list, set the value of Enable to No.
  - Configure advanced properties to determine how PSM manages audit records. For more information about these properties, see References.
  SSH Keystrokes Audit
  To disable or customize SSH Keystrokes Audit for the PSM-SSH, PSMP-SSH and/or PSM-Telnet connection components using this platform:
  - Right-click Audit Settings, then from the pop-up menu, select Add SSH Keystrokes Audit.
  - By default, SSH keystrokes auditing is enabled for the supported connection components.
  - To disable auditing for these components, in the Properties list, set the value of Enable to No. This configuration affects SSH Keystrokes Audits in both PSM and PSM for SSH.
  - To audit SSH keystrokes, PSM uses the shell prompt of the target system to identify the text that was entered by the end user. As different systems and devices have different prompts, you can configure the regular expression that represents the shell prompt so that PSM can recognize the text entered by the user. In addition, you can configure whether the session continues without an audit, or is terminated, if the shell prompt is not recognized.
    - To configure the regular expression, use the ShellPromptForAudit parameter.
    - To configure whether the session continues without an audit, or is terminated, if the shell prompt is not recognized, use the TerminateOnShellPromptFailure parameter.
    - See Connection Component Configuration for details on the
  - Configure advanced properties to determine how PSM manages audit records. For more information about these properties, see References.
  Windows Events Audit
  To disable or customize Windows Events Audit for the PSM-RDP connection component using this platform:
  - Right-click Audit Settings, then from the pop-up menu, select Add Windows Events Audit.
  - By default, Windows events auditing is enabled for the supported connection component.
  - To disable auditing for this component, in the Properties list, set the value of Enable to No.
  - Configure additional properties to determine how PSM manages audit records. For more information about these properties, see References.
  Universal Keystrokes Audit
  To disable or customize Universal Keystrokes Audit for all connection components using this platform:
  - Right-click Audit Settings, then from the pop-up menu, select Add Keystrokes Audit.
  - By default, universal keystrokes audit is enabled for the supported connection components except PSM-RDP.
  - To disable auditing for any component, in the Properties list, set the value of Enable to No.
  - To enable auditing for a component on which it is disabled by default, set the value of Enable to Yes.
  - Configure advanced properties to determine how PSM manages audit records. For more information about these properties, see References.
- To save your changes, do one of the following:
  - Click Apply to save the new parameter values and stay in the platform settings page.
  - Click OK to save them and return to the System Configuration page. The changes are applied after the period of time specified in the ConfigurationRefreshInterval parameter.
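The prompt-based extraction that the SSH Keystrokes Audit step above relies on can be pictured with the following added Python example. It is not product code: the session transcript is constructed, the regular expression plays the role a ShellPromptForAudit value would play (the real value is site specific), and the two outcomes of `audit_session` stand in for the TerminateOnShellPromptFailure setting. The point it makes is that a prompt pattern that does not match the target's actual prompt yields no keystroke audit at all, and only the terminate setting turns that silent failure into something visible:

```python
import re

# Constructed SSH session output (the Out channel), used only for illustration.
TRANSCRIPT = (
    "Last login: Mon Jan  1 10:00:00 2024 from 10.0.0.5\n"
    "[admin@db01 ~]$ id\n"
    "uid=1000(admin) gid=1000(admin) groups=1000(admin),10(wheel)\n"
    "[admin@db01 ~]$ sudo -i\n"
    "[root@db01 ~]# cat /etc/shadow | head -1\n"
    "root:$6$abc:19000:0:99999:7:::\n"
    "[root@db01 ~]# exit\n"
)

# Prompt pattern in the role of ShellPromptForAudit. It matches the
# "[user@host dir]$ " and "[user@host dir]# " prompts in the transcript above
# and is an assumption of this example, not a value taken from the product.
PROMPT_RE = re.compile(r"^\[[^\]]+@[^\]]+\][$#] ")

# A pattern that does not match this target's prompt, to show the failure path.
WRONG_PROMPT_RE = re.compile(r"^\w+> ")


def extract_commands(transcript, prompt_re):
    """Return the text the user entered after each recognised prompt.

    Output lines (login banner, command output) never match the prompt pattern
    and are skipped, so only typed commands become audit records.
    """
    commands = []
    for line in transcript.splitlines():
        match = prompt_re.match(line)
        if match:
            commands.append(line[match.end():].strip())
    return commands


def audit_session(transcript, prompt_re, terminate_on_shell_prompt_failure):
    """Model the two documented outcomes when no prompt is recognised.

    terminate_on_shell_prompt_failure mirrors TerminateOnShellPromptFailure:
    True ends the session, False lets it continue without a keystroke audit.
    """
    commands = extract_commands(transcript, prompt_re)
    if commands:
        return {"status": "audited", "commands": commands}
    if terminate_on_shell_prompt_failure:
        return {"status": "terminated", "commands": []}
    return {"status": "continued-without-audit", "commands": []}


if __name__ == "__main__":
    print(audit_session(TRANSCRIPT, PROMPT_RE, True))
    print(audit_session(TRANSCRIPT, WRONG_PROMPT_RE, True))
    print(audit_session(TRANSCRIPT, WRONG_PROMPT_RE, False))
```

Before rolling a prompt pattern out to a platform, run it against transcripts from a few representative targets (root and non-root shells, network devices with `>`/`#` prompts) and confirm every prompt form you expect to see is matched; the continue-without-audit setting is the one that lets a gap go unnoticed.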
Configure Windows events text recording and Windows events auditing
Target server prerequisites:
- A share called "admin" must be available on the target server.
- Make sure the "Server" Windows service is running.
- In the firewall, open TCP port 445. Scope the rule to the PSM servers' addresses rather than opening the port broadly.
- The account used to access the target machine must belong to the Administrators group.
To enable detailed session auditing, PSM installs a service named CAInvokerService.exe on the target machine. The service starts when a new session is initiated, and stops immediately after the session is established.
- Log on to the PrivateArk Client as an administrative user and open the PVWAConfig Safe.
- Right-click the PVConfiguration.xml file and retrieve it for editing.
- In the PVConfiguration.xml file, make the following changes:
  - Under the PSM-RDP node, locate the TargetSettings node and add the Capabilities node as its last child node, as in the following example:

    <ConnectionComponent Id="PSM-RDP" Height="768" Width="1024"
        FullScreen="no" Type="CyberArk.PasswordVault.TransparentConnection.PSM.PSMConnectionComponent, CyberArk.PasswordVault.TransparentConnection.PSM">
      <ComponentParameters />
      <UserParameters>
        …
      </UserParameters>
      <TargetSettings Protocol="RDP" ClientApp="mstsc.exe" ClientDispatcher="PSMRdpClient.exe">
        <ClientSpecific>
          <Parameter Name="port" Value="3389" />
        </ClientSpecific>
        <LockAppWindow Enable="No" />
        <Capabilities>
          <Capability Id="WindowsEventsTextRecorder" />
          <Capability Id="WindowsEventsAudit" />
        </Capabilities>
      </TargetSettings>
    </ConnectionComponent>

  - Under the ConnectionClientSettings node, locate the Capabilities node and add the WindowsEventsTextRecorder and WindowsEventsAudit nodes as its last child nodes, as in the following example:

    <ConnectionClientSettings>
      <Capabilities>
        ...
        <WindowsEventsTextRecorder Id="WindowsEventsTextRecorder" Description="Windows events text recorder" Type="TextRecorder" IntegrationType="Embedded" Format="WIN">
          <WindowsEventsTextRecorder>
            <Channels />
          </WindowsEventsTextRecorder>
        </WindowsEventsTextRecorder>
        <WindowsEventsAudit Id="WindowsEventsAudit" Description="Windows events audit" Type="Auditer" IntegrationType="Embedded" Format="WIN">
          <WindowsEventsAudit>
            <Channels />
          </WindowsEventsAudit>
        </WindowsEventsAudit>
        ...
      </Capabilities>
    </ConnectionClientSettings>

- Save the changes and return the PVConfiguration.xml file to the PVWAConfig Safe. The changes are applied after the period of time specified in the ConfigurationRefreshInterval parameter.
Configure universal keystrokes text recording and universal keystrokes auditing
Before enabling universal keystrokes text recording or universal keystrokes auditing, configure your PAM - Self-Hosted environment as described below.
CyberArk component compatibility:
- All PSM servers in your environment must be V8.6 or above.
- All PSM SSH-Proxy servers in your environment must be V7.2.12 or above.
- The Vault and the PVWA components must be V8.6 or above.
- Log on to the PrivateArk Client as an administrative user and open the PVWAConfig Safe.
- Right-click the PVConfiguration.xml file and retrieve it for editing.
- In the PVConfiguration.xml file, make the following changes:
  - Under the ConnectionClientSettings node, locate the Capabilities node and add the KeystrokesTextRecorder and KeystrokesAudit nodes as its last child nodes, as in the following example:

    <ConnectionClientSettings>
      <Capabilities>
        ...
        <KeystrokesTextRecorder Id="KeystrokesTextRecorder" Description="Keystrokes text recorder" Type="TextRecorder" IntegrationType="Embedded" Format="Keystrokes">
          <KeystrokesTextRecorder>
            <Channels />
          </KeystrokesTextRecorder>
        </KeystrokesTextRecorder>
        <KeystrokesAudit Id="KeystrokesAudit" Description="Keystrokes audit" Type="Auditer" IntegrationType="Embedded" Format="Keystrokes">
          <KeystrokesAudit>
            <Channels />
          </KeystrokesAudit>
        </KeystrokesAudit>
        ...
      </Capabilities>
    </ConnectionClientSettings>

  - For every connection component in which you want to add the universal keystrokes features, locate the TargetSettings node and add the Capabilities node as its last child node. If the Capabilities node already exists, add the new Capability nodes for KeystrokesTextRecorder and KeystrokesAudit beneath it. The following example adds the universal keystrokes features to the PSM-SQLServerMgmtStudio connection component; to configure other connection components, add the same Capability nodes to their configuration. (The nested quotes in the ClientApp attribute must be written as &quot; entities, as shown, or the file is not well-formed XML.)

    <ConnectionComponent Id="PSM-SQLServerMgmtStudio" Type="CyberArk.PasswordVault.TransparentConnection.PSM.PSMConnectionComponent, CyberArk.PasswordVault.TransparentConnection.PSM">
      <ComponentParameters />
      <UserParameters>
        …
      </UserParameters>
      <TargetSettings Protocol="SQLNet" ClientApp="&quot;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe&quot; -S &quot;{Address}&quot; -U &quot;{UserName}&quot; -P &quot;{Password}&quot;" ClientDispatcher="NA" ClientInvokeType="CommandLine">
        <ClientSpecific>
          …
        </ClientSpecific>
        <LockAppWindow Enable="Yes" MainWindowClass="wndclass_desked_gsk" Timeout="800000" SearchWindowWaitTimeout="30" MainWindowTitle="Microsoft SQL Server Management Studio" />
        <Capabilities>
          <Capability Id="KeystrokesAudit" />
          <Capability Id="KeystrokesTextRecorder" />
        </Capabilities>
      </TargetSettings>
    </ConnectionComponent>

- Save the changes and return the PVConfiguration.xml file to the PVWAConfig Safe. The changes are applied after the period of time specified in the ConfigurationRefreshInterval parameter.
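Both PVConfiguration.xml procedures above (Windows events and universal keystrokes) make the same two edits: define the capability under ConnectionClientSettings/Capabilities, then reference it from a connection component's TargetSettings/Capabilities, which must be the last child of TargetSettings. The following added Python script (not CyberArk code) applies both edits idempotently, so that running it twice, or running it on a component that already references one of the capabilities, adds nothing a second time. It works on a constructed, heavily trimmed stand-in for the file: the PVConfiguration root element, the ConnectionComponents wrapper and the ExistingCapability placeholder are assumptions, and the real file still has to be retrieved from and returned to the PVWAConfig Safe through the PrivateArk Client as the procedures describe.

```python
import xml.etree.ElementTree as ET

# Attributes of the four capability definitions, as shown in the procedures above.
CAPABILITY_DEFS = {
    "WindowsEventsTextRecorder": {"Description": "Windows events text recorder", "Type": "TextRecorder",
                                  "IntegrationType": "Embedded", "Format": "WIN"},
    "WindowsEventsAudit": {"Description": "Windows events audit", "Type": "Auditer",
                           "IntegrationType": "Embedded", "Format": "WIN"},
    "KeystrokesTextRecorder": {"Description": "Keystrokes text recorder", "Type": "TextRecorder",
                               "IntegrationType": "Embedded", "Format": "Keystrokes"},
    "KeystrokesAudit": {"Description": "Keystrokes audit", "Type": "Auditer",
                        "IntegrationType": "Embedded", "Format": "Keystrokes"},
}
WINDOWS_EVENTS = ("WindowsEventsTextRecorder", "WindowsEventsAudit")
UNIVERSAL_KEYSTROKES = ("KeystrokesTextRecorder", "KeystrokesAudit")

# Constructed stand-in for PVConfiguration.xml (root, ConnectionComponents wrapper
# and ExistingCapability are placeholders; the real file has many more nodes).
SAMPLE_XML = """<PVConfiguration>
  <ConnectionClientSettings>
    <Capabilities>
      <ExistingCapability Id="ExistingCapability" />
    </Capabilities>
  </ConnectionClientSettings>
  <ConnectionComponents>
    <ConnectionComponent Id="PSM-RDP">
      <TargetSettings Protocol="RDP" ClientApp="mstsc.exe" ClientDispatcher="PSMRdpClient.exe">
        <ClientSpecific><Parameter Name="port" Value="3389" /></ClientSpecific>
        <LockAppWindow Enable="No" />
      </TargetSettings>
    </ConnectionComponent>
    <ConnectionComponent Id="PSM-SQLServerMgmtStudio">
      <TargetSettings Protocol="SQLNet" ClientDispatcher="NA" ClientInvokeType="CommandLine">
        <Capabilities>
          <Capability Id="KeystrokesAudit" />
        </Capabilities>
      </TargetSettings>
    </ConnectionComponent>
  </ConnectionComponents>
</PVConfiguration>"""


def find_component(root, component_id):
    for cc in root.iter("ConnectionComponent"):
        if cc.get("Id") == component_id:
            return cc
    raise ValueError(f"connection component {component_id!r} not found")


def ensure_capability_definition(root, cap_id):
    """Append <X Id="X" ...><X><Channels /></X></X> under ConnectionClientSettings/Capabilities
    unless it already exists. Returns True when a node was added."""
    caps = root.find(".//ConnectionClientSettings/Capabilities")
    if caps is None:
        raise ValueError("ConnectionClientSettings/Capabilities not found")
    if caps.find(cap_id) is not None:
        return False
    outer = ET.SubElement(caps, cap_id, {"Id": cap_id, **CAPABILITY_DEFS[cap_id]})
    ET.SubElement(ET.SubElement(outer, cap_id), "Channels")
    return True


def ensure_component_capability(root, component_id, cap_id):
    """Reference cap_id from the component's TargetSettings/Capabilities, creating
    Capabilities as the last child of TargetSettings when it is missing.
    Returns True when a reference was added."""
    target = find_component(root, component_id).find("TargetSettings")
    if target is None:
        raise ValueError(f"{component_id} has no TargetSettings node")
    caps = target.find("Capabilities")
    if caps is None:
        caps = ET.SubElement(target, "Capabilities")  # SubElement appends, so it is last
    if any(c.get("Id") == cap_id for c in caps.findall("Capability")):
        return False
    ET.SubElement(caps, "Capability", {"Id": cap_id})
    return True


def enable_capabilities(xml_text, component_ids, cap_ids):
    """Apply both edits for every (capability, component) pair.
    Returns the updated XML and the list of changes made (empty on a repeat run)."""
    root = ET.fromstring(xml_text)
    changes = []
    for cap_id in cap_ids:
        if ensure_capability_definition(root, cap_id):
            changes.append(("definition", cap_id))
        for component_id in component_ids:
            if ensure_component_capability(root, component_id, cap_id):
                changes.append((component_id, cap_id))
    return ET.tostring(root, encoding="unicode"), changes


# Read-back helpers used to verify the result.
def definition_ids(xml_text):
    return [c.tag for c in ET.fromstring(xml_text).find(".//ConnectionClientSettings/Capabilities")]


def definition_has_channels(xml_text, cap_id):
    path = f".//ConnectionClientSettings/Capabilities/{cap_id}/{cap_id}/Channels"
    return ET.fromstring(xml_text).find(path) is not None


def target_settings_children(xml_text, component_id):
    return [c.tag for c in find_component(ET.fromstring(xml_text), component_id).find("TargetSettings")]


def component_capability_ids(xml_text, component_id):
    caps = find_component(ET.fromstring(xml_text), component_id).find("TargetSettings/Capabilities")
    return [] if caps is None else [c.get("Id") for c in caps.findall("Capability")]


if __name__ == "__main__":
    xml1, changes1 = enable_capabilities(SAMPLE_XML, ["PSM-RDP"], WINDOWS_EVENTS)
    xml2, changes2 = enable_capabilities(xml1, ["PSM-SQLServerMgmtStudio"], UNIVERSAL_KEYSTROKES)
    print(changes1, changes2, sep="\n")
    print(xml2)
```

The returned change list is the thing to look at before returning the file to the Safe: it should contain exactly the definitions and references you intended, and nothing on a second run. ElementTree does not preserve comments or the original attribute order, so diff the result against the retrieved file and keep the retrieved copy until the change is confirmed working.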
Configure universal keystrokes for Windows connections when an additional language is used
Universal keystrokes recording is configured by default to support Windows sessions in which a single language is used.
If you use an additional language in your Windows sessions (for example, both English and French keyboards), configure universal keystrokes as described in this section.
Universal keystrokes that are configured to support an additional language are not recorded when connecting to 32-bit target servers.
Prerequisites and limitations when additional language support is enabled
On the target machine, PSM requires the following:
- A share called "admin" must be available on the target server.
- Make sure the "Server" Windows service is running.
- In the firewall, open TCP port 445.
- The account used to access the target machine must belong to the Administrators group.
- Add the additional language as an extra keyboard for the target account user on the target machine.
- When additional language support for Windows keystrokes is enabled, only connections to Windows Server 2008 R2 or Windows Server 2012 R2 target systems are supported.
To enable universal keystrokes for Windows sessions when additional language support is enabled, PSM installs a service on the target machine. The service starts when a new session is initiated, and stops immediately after the session is established.
On the PSM server, PSM requires the following:
- Set the system locale to the additional language.
By default, single language support for capturing universal keystrokes for Windows sessions is configured at system level. This setting can be overridden at platform level, enabling you to customize additional language support according to your preferences.
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, and then expand Connection Components.
- Right-click the Windows connection component to configure. By default, the Windows connection component is PSM-RDP.
- From the Connection Component pop-up menu, select Add Override target settings; a new set of Override target settings is added to the Connection Component.
- Expand Override target settings, then right-click Client Specific parameters, and select Add Parameter; a new parameter is added.
- In the Properties list, in the Name property, specify WindowsKeystrokesSingleLanguage.
- In the Properties list, in the Value property, specify No. To revert to single language support, change this value to Yes.
- To save your changes, do one of the following:
  - Click Apply to apply the new configurations.
  - Click OK to save the new configurations and return to the System Configuration page.
Filter SQL command audits
PSM can filter the SQL command audits that are recorded during PSM-Toad and PSM-SQLPlus connections to minimize unwanted audit records, reducing the number of audit records stored in the Vault and improving server performance. Filters can be created at system level, to apply to all SQL commands issued through PSM connections, or at platform level, to apply to SQL commands issued through connections that are linked to a specific platform.
You can define lists to filter which commands are recorded, according to the following criteria:

Criterion | Description
---|---
Commands to audit | An allowlist is a list of SQL commands that are included in the command audit records; all other commands are not included. By default, all commands issued during privileged sessions are audited. After you create and enable an allowlist, only the listed commands are audited, and only if they do not also appear in a denylist.
Commands not to audit | A denylist is a list of SQL commands that are excluded from audit records; all other commands are included.

By defining denylists and allowlists you gain granular control over the audit records in the Vault and determine exactly which commands are audited. These lists are created in audit filter rules as regular expressions that define specific commands. You can create as many rules as you require, for denylists as well as allowlists, and combine both kinds.
Denylist: By default, PSM includes a single denylist that excludes the commands that Toad issues automatically at the start of each session. These commands are predetermined as part of the Toad setup and are not relevant to the privileged session other than to start it; excluding them from the session audit reduces the number of audit records stored in the Vault.
Allowlist: The following example describes when you would require an allowlist. You want to audit all DML statements such as UPDATE, INSERT and DELETE, so that you know who issues these commands, when, and from which station, but you do not need to audit other commands. You can create an allowlist that contains these commands, ensuring that every time one of them is issued during a privileged session, it is audited.
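To make the allowlist/denylist precedence concrete, the following added Python example (not CyberArk code) evaluates a set of constructed audit filter rules and platform overrides against sample SQL commands. The rule Ids and regular expressions are invented for illustration and are not the product's predefined Toad denylist; the evaluation order follows the text above: an enabled denylist always excludes a matching command, and allowlists only restrict the audit once at least one of them is enabled, at which point a command is audited only if some enabled allowlist matches it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditFilterRule:
    """One rule under Audit Filters > SQLLevelAudit, as described on this page."""
    id: str
    type: str               # "Exclude" = denylist, "Include" = allowlist
    enable_for_audit: bool  # EnableForAudit at system level
    regexps: tuple          # one Regular Expression parameter per entry


# Constructed system-level rules. The patterns are illustrative only and are
# not the product's predefined Toad denylist.
SYSTEM_RULES = (
    AuditFilterRule("ToadStartup", "Exclude", True,
                    (r"^\s*select\s+.*\bfrom\s+v\$(version|instance)\b",
                     r"^\s*alter\s+session\s+set\s+nls_")),
    AuditFilterRule("DataChanges", "Include", False,
                    (r"^\s*(insert|update|delete|merge)\b",)),
)

# Constructed commands, in the order a session might issue them.
SAMPLE_COMMANDS = (
    "SELECT banner FROM v$version",
    "ALTER SESSION SET NLS_DATE_FORMAT='YYYY-MM-DD'",
    "SELECT username FROM dba_users",
    "UPDATE app_users SET role='DBA' WHERE id=7",
    "DELETE FROM audit_trail WHERE ts < SYSDATE-1",
    "DROP TABLE audit_trail",
)


def effective_rules(system_rules, platform_overrides=None):
    """Apply platform-level Audit Filter Rule Overrides.

    An override replaces EnableForAudit for the rule with that Id, for this
    platform only; the rule's type and patterns come from the system level.
    """
    overrides = platform_overrides or {}
    return tuple(
        AuditFilterRule(r.id, r.type, overrides.get(r.id, r.enable_for_audit), r.regexps)
        for r in system_rules
    )


def _matches(rule, command):
    return any(re.search(pattern, command, re.IGNORECASE) for pattern in rule.regexps)


def is_audited(command, rules):
    """Denylist wins; allowlists only restrict once at least one is enabled."""
    active = [r for r in rules if r.enable_for_audit]
    if any(_matches(r, command) for r in active if r.type == "Exclude"):
        return False
    allowlists = [r for r in active if r.type == "Include"]
    if not allowlists:
        return True  # no allowlist enabled: everything not denied is audited
    return any(_matches(r, command) for r in allowlists)


def audited_commands(commands, rules):
    return [c for c in commands if is_audited(c, rules)]


if __name__ == "__main__":
    print("system level:  ", audited_commands(SAMPLE_COMMANDS, SYSTEM_RULES))
    prod_rules = effective_rules(SYSTEM_RULES, {"DataChanges": True})
    print("platform (DML):", audited_commands(SAMPLE_COMMANDS, prod_rules))
```

Note what happens to the DROP statement once the DML allowlist is enabled on a platform: an allowlist restricts the audit to exactly what it matches, so DDL (and anything else you still want to see) has to be listed in an enabled allowlist explicitly.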
-
Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.
-
Expand the Audit Filters parameters, then select SQLLevelAudit; the following properties of the SQL Level Audit filter are displayed in the Properties list:
Id The unique ID of the audit filter. Description A description of the audit filter. -
Expand the SQLLevelAudit filter to display the predefined audit filter rules. Each rule is configured for the system, and can be overridden at platform level.
-
Select an audit filter rule to display the rule’s Properties list, which includes the following:
Id The unique ID of the audit filter rule. Type Whether this rule is a denylist (exclude) or an allowlist (include). EnableForReports Whether or not this rule is enabled by default for reports. This property is for future use. EnableForAudit Whether or not this rule is enabled by default for auditing. Description A description of the audit rule. -
Enable/disable the audit filter rule:
-
To enable the audit filter rule – Set EnableForAudit to Yes; the audit filter rule is applied to all commands issued during PSM-Toad and PSM-SQLPlus connections, regardless of the platform that is used. For more information about enabling audit filters for a specific platform, refer to Apply SQL command audit filters to specific platforms.
By default, before an allowlist is enabled, all commands are audited. After enabling the first allowlist, only the commands specified in this allowlist are audited. To audit more commands, create and enable additional allowlists.
-
To disable the audit filter rule – Set EnableForAudit to No; the audit filter rule is canceled and the filter rule is not applied to commands issued during PSM-Toad and PSM-SQLPlus connections.
-
-
To save your changes, do one of the following:
- Click Apply to save the new parameter values and stay in the Web Access Options page
- Click OK to save them and return to the System Configuration page
These changes are applied the next time PSM refreshes the configuration, according to the value of the ConfigurationRefreshInterval parameter in the Privileged Session Management configuration.
-
Click ADMINISTRATION, then in the System Configuration page, click Options; the Web Access Options are displayed.
-
Expand the Audit Filters parameters, then right-click SQLLevelAudit.
-
From the pop-up menu, select Add Audit Filter Rule; a new audit filter rule is added to the list of audit filters and the properties of the new rule are displayed.
-
Specify the following properties for the new audit filter rule:
Id
The unique ID of the audit filter rule.
Type
Whether this rule is a denylist or an allowlist.
- To create a denylist, specify Exclude.
- To create an allowlist, specify Include.
EnableForReports
Whether or not this rule is enabled by default for reports. This property is for future use.
EnableForAudit
Whether or not this rule is enabled by default for auditing. Specify Yes to enable this audit filter rule.
Description
A description of the audit rule.
-
Right-click Audit Filter Rule, then from the pop-up menu, select Add Regular Expression; a new parameter is created in which you can specify the regular expression that defines a single audit filter.
-
In the Properties list, in the RegExp property, specify the regular expression to filter. Repeat this step to list all the commands that are filtered during recorded privileged sessions.
Blacklist
This list specifies the commands that are not included in audits of the privileged session.
Whitelist
This list specifies the commands that are included in audits of the privileged session. No other commands are audited.
-
To save your changes, do one of the following:
- Click Apply to save the new parameter values and stay in the Web Access Options page
- Click OK to save them and return to the System Configuration page
These changes are applied the next time PSM refreshes the configuration, according to the value of the ConfigurationRefreshInterval parameter in the Privileged Session Management configuration.
-
Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
-
Select the platform to configure, then click Edit; the settings page for the selected platform appears.
This is only relevant to platforms that use one of the following connection components:
- PSM-Toad
- PSM-SQL Plus
Expand UI & Workflows, and then right-click Privileged Session Management, then from the pop-up menu, select Add Audit Settings; a new set of parameters is created for Audit Settings.
-
Right-click Audit Settings, then from the pop-up menu, select Add Audit Filters Override; a new set of parameters is created, in which you can add additional rule parameters to override the audit filters rule that is currently set at system level.
-
Right-click Audit Filters Override, then from the pop-up menu, select Add Audit Filter Rule Override; a new parameter is added with the following property:

Property | Description
---|---
AuditFilterId | The unique ID of the audit filter to override at platform level. This ID is specified in the Audit Filters rules in Web Access Options. For more information about locating this property, refer to Enable/Disable the SQL command audit filter.

-
Right-click Audit Filter Rule Override, then from the pop-up menu, select Add Rule; a new parameter is added with the following properties:

Property | Description
---|---
Id | The unique ID of the rule to override. This ID is specified in the Audit Filters rules in Web Access Options. For more information about locating this property, refer to Recordings and Audits.
EnableForAudit | Whether or not this rule is enabled for auditing. This property overrides the same property at system level for this platform only.

-
To save your changes, do one of the following:
- Click Apply to save the new parameter values and stay in the platform settings page,
- Click OK to save them and return to the System Configuration page.
These changes are applied the next time PSM refreshes the configuration, according to the value of the ConfigurationRefreshInterval parameter in the Privileged Session Management configuration.
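The two procedures above (system-level SQLLevelAudit rules, and the platform-level EnableForAudit override keyed by rule Id) are easier to reason about when the evaluation is written out. The following is an added example and not CyberArk's code; the rule Ids, regular expressions and SQL statements are constructed, and two points the page does not spell out are marked as assumptions in the code: that each RegExp is applied as a case-insensitive search over the command, and that when Include and Exclude rules are both active an Exclude match wins.

```python
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AuditFilterRule:
    """One rule under SQLLevelAudit, as set in Web Access Options."""
    id: str
    type: str                 # "Include" (allowlist) or "Exclude" (denylist)
    enable_for_audit: bool    # EnableForAudit
    patterns: tuple           # the RegExp values added under the rule
    description: str = ""

    def matches(self, command: str) -> bool:
        # Assumption: each RegExp is applied as a case-insensitive search
        # over the whole command text.
        return any(re.search(p, command, re.IGNORECASE) for p in self.patterns)


def apply_platform_overrides(rules, overrides):
    """overrides maps a rule Id to the EnableForAudit value set under
    Audit Filter Rule Override > Rule for the platform. Ids that do not
    exist at system level have nothing to override and are ignored."""
    return [replace(r, enable_for_audit=overrides.get(r.id, r.enable_for_audit))
            for r in rules]


def is_audited(command, rules):
    """True if the command appears in the session's audit records."""
    active = [r for r in rules if r.enable_for_audit]
    includes = [r for r in active if r.type == "Include"]
    excludes = [r for r in active if r.type == "Exclude"]
    # Allowlist: once any Include rule is active, only matching commands are audited.
    if includes and not any(r.matches(command) for r in includes):
        return False
    # Denylist: a matching Exclude rule drops the command. Assumption: when both
    # rule types are active, an Exclude match wins over an Include match.
    if any(r.matches(command) for r in excludes):
        return False
    return True


def audit_session(commands, rules):
    """Return the subset of commands that would be written to the audit."""
    return [c for c in commands if is_audited(c, rules)]


# Constructed sample configuration; Ids, patterns and statements are hypothetical.
SYSTEM_RULES = [
    AuditFilterRule("1", "Exclude", True, (r"^\s*SELECT\b",), "drop read-only queries"),
    AuditFilterRule("2", "Include", False, (r"\b(DROP|ALTER|GRANT)\b",), "DDL/DCL only"),
]
PLATFORM_OVERRIDES = {"2": True, "1": False}   # this platform audits only DDL/DCL

SESSION = [
    "SELECT * FROM users",
    "UPDATE users SET role = 'dba' WHERE name = 'bob'",
    "DROP TABLE audit_log",
    "select name from sys.tables",
]

if __name__ == "__main__":
    print("system level:  ", audit_session(SESSION, SYSTEM_RULES))
    print("platform level:",
          audit_session(SESSION, apply_platform_overrides(SYSTEM_RULES, PLATFORM_OVERRIDES)))
```

Two things worth checking before enabling a rule in production follow directly from this logic: an Exclude pattern anchored at the start of the command still lets a SELECT inside a subquery or CTE through, and once any Include rule is active, every command that matches no Include pattern silently disappears from the audit. Replay a captured session through the rule set first.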
Hide passwords during recordings
PSM identifies passwords that are typed by users during SSH and Telnet sessions by looking for password prompts. By default, the prompts that PSM looks for include common prompts for Unix platforms or for Vault passwords. Customize this list to include all password prompts that are received in your environment. When users type a character that cannot be included in a password, such as a space, or when they press Enter, PSM resumes the audit and recording. You can update this list of characters too.
This can be configured at platform level, overriding the general configuration.
This configuration affects both PSM and PSM for SSH, with the following connection components: PSM-SSH, PSM-Telnet, PSMP-SSH.
-
Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
-
Select the platform to configure, then click Edit; the settings page for the selected platform appears.
-
Expand UI & Workflows, then right-click Privileged Session Management: a pop-up menu displays the parameter sets that you can add and customize to manage your PSM recordings.
-
From the pop-up menu, select Internal Capability Settings; a new set of parameters called Internal Capability Settings is added.
-
Right-click Internal Capability Settings, then from the pop-up menu, select Add SSH Password Hiding; a new capability parameter is added.
-
Select SSH Password Hiding, then specify the following properties:

Property | Description
---|---
Enabled | Determines whether or not passwords are omitted from PSM and PSM for SSH session recordings. The default value is Yes, indicating that this feature is enabled and passwords are not recorded.
PasswordPrompts | A regular expression that is used to identify password prompts. When the session output matches this regular expression, PSM omits the keystrokes that follow from the session recording until a terminating character is typed.
InvalidPasswordChars | Defines characters that cannot be included in passwords. When the user types one of these characters, PSM resumes auditing and recording each keystroke. The default values are space and tab. If passwords in your environment legitimately contain one of these characters, remove it from this list; otherwise the remainder of the password is recorded.

-
To save your changes, do one of the following:
- Click Apply to save the new parameter values and stay in the platform settings page
- Click OK to save them and return to the System Configuration page.
The changes are applied after the period of time specified in the ConfigurationRefreshInterval parameter.
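The interaction between PasswordPrompts and InvalidPasswordChars is the part of this feature that most often surprises people, so here is a replay of it. This is an added example, not CyberArk's recorder: the prompt regex stands in for PSM's default prompt list (which is not reproduced), the session events are constructed, and the choice to record the terminating Enter, space or tab itself is an assumption.

```python
import re

# Assumed values standing in for the platform's SSH Password Hiding properties;
# PSM's own default prompt list is not reproduced here.
PASSWORD_PROMPTS = r"(?i)password\s*:\s*$"   # PasswordPrompts
INVALID_PASSWORD_CHARS = " \t"               # InvalidPasswordChars (default: space and tab)


def keys(text):
    """Turn typed text into one keystroke event per character (constructed input)."""
    return [("key", ch) for ch in text]


def record_keystrokes(events, prompts=PASSWORD_PROMPTS,
                      invalid_chars=INVALID_PASSWORD_CHARS, enabled=True):
    """Replay a session and return the keystroke transcript the recorder keeps.

    events is a list of ("output", text) chunks sent by the target and
    ("key", ch) keystrokes typed by the user. Once the accumulated output
    matches the prompt regex, keystrokes are omitted until the user presses
    Enter or types a character from invalid_chars; that terminating key is
    recorded (assumption) and normal recording resumes."""
    prompt = re.compile(prompts)
    transcript = []
    screen = ""          # recent output, used to detect the prompt
    hiding = False
    for kind, data in events:
        if kind == "output":
            screen = (screen + data)[-512:]
            if enabled and not hiding and prompt.search(screen):
                hiding = True
                screen = ""   # do not re-trigger on the same prompt
            continue
        if not hiding:
            transcript.append(data)
        elif data in ("\r", "\n") or data in invalid_chars:
            hiding = False
            transcript.append(data)
        # any other keystroke while hiding is part of the password: dropped
    return "".join(transcript)


def session(password):
    """Constructed SSH session: login, password prompt, one command."""
    return ([("output", "login as: ")] + keys("root\n")
            + [("output", "root@host's password: ")] + keys(password + "\n")
            + [("output", "$ ")] + keys("id\n"))


if __name__ == "__main__":
    print(repr(record_keystrokes(session("S3cr3t"))))
    print(repr(record_keystrokes(session("pass word"))))                     # tail leaks
    print(repr(record_keystrokes(session("pass word"), invalid_chars="")))   # fully hidden
```

With the default list, a password containing a space ends hiding at the space and the remainder ("word") lands in the text recording. That is the failure mode to test for when you customize InvalidPasswordChars, and the reason to make sure PasswordPrompts matches every prompt your targets actually emit.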
Enable access to session monitoring
Users who are assigned to the Auditors group have permissions to view all recordings. To assign more granular permissions to an auditor, remove them from the Auditors group and add them to the relevant Safe or Safes. For example, an organization may want to create recordings by division and give each division's auditors access only to their own division's recordings.
To monitor live sessions or review recordings, users do not have to be members of the Auditors group. Membership in the relevant Password Safes and Recording Safes with the appropriate permissions is sufficient.
For more information about setting permissions in Safes, refer to Monitor Privileged Sessions.
There are several ways to configure how Recording Safes are created, all of which are configured in the platform settings, as described in Configure Recording Safes.
Configure Recording Safes
Recording Safes are created automatically by PSM, according to the configuration in the platform. Each Recording Safe is created when the first recording is uploaded to it.

Method | Description
---|---
Predefined Recording Safe name | A Recording Safe is created for recordings of all accounts that are associated with the same platform. The exact Safe name is specified in the platform settings.
Generated Recording Safe name that includes the Account Safe name | A Recording Safe is created for all accounts that are stored in the same Safe. The Safe name is partially specified in the platform settings, and the name of the Safe where the accounts are stored is added dynamically when the Recording Safe is created.
Generated Recording Safe name that includes the values of specific connection parameters | A Recording Safe is created for all sessions that have the same connection parameter values. The Safe name is partially specified in the platform settings, and the values of the connection parameters that were used in the session are added dynamically when the Recording Safe is created.

You need platform configuration permissions to perform this procedure.
Configure the Recording Safe
-
Open the platform for editing, as described in Edit a platform.
-
Expand UI & Workflows, and then select Privileged Session Management. The PSM parameters are displayed with their default values.
-
In SessionRecorderSafe, specify the name of the Safe that stores recordings of activities for accounts associated with the platform. Enter the relevant information:

Property | Description
---|---
Safe name | The name of the Safe.
Safe name and {AccountSafeName} | Specify a partial Safe name followed by {AccountSafeName} to create a Safe whose name includes the name of the Safe where the account used to initiate the session is stored. For example, if the session uses an account that is stored in a Safe called 'Windows', and you specify 'PSM-{AccountSafeName}', a Safe called 'PSM-Windows' is created.
Safe name and {<connection parameter>} | Specify a partial Safe name followed by {<connection parameter>} to create a Safe whose name includes the value of the specified connection parameter that was used in the session. The connection parameter can be any of the following: a File Category in the account that was used in the session; a User Parameter that was configured for the connection component that was used in the session; or a Client Specific parameter that was configured for the connection component that was used in the session. For example, if the session uses an account that has a File Category "EnvironmentType" with the value "Production", and you specify 'PSM-{EnvironmentType}', a Safe called 'PSM-Production' is created.

If the same connection parameter was set in multiple ways (for example, a File Category and a User Parameter that are both named "EnvironmentType"), the value used for the Safe name is chosen in the following order of precedence: a File Category overrides a User Parameter, and a User Parameter overrides a Client Specific parameter.

You can also combine multiple connection parameters. For example, if the session uses an account that is stored in a Safe called 'Windows', and uses a connection component with a Client Specific parameter called "Group" with a value of "GroupA", and you specify 'PSM-{AccountSafeName}-{Group}', a Safe called 'PSM-Windows-GroupA' is created.

This Safe is created when the first recording is uploaded to it.
-
Save your changes.
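Because a Recording Safe only comes into existence, with default permissions, when the first recording is uploaded, it helps to be able to predict every name a SessionRecorderSafe template will produce and create those Safes with the intended membership up front. The following resolver is an added example (not PSM's own naming code): it implements the placeholder expansion and the File Category > User Parameter > Client Specific precedence described above; the planned sessions, Safe, category and parameter names are constructed, and raising an error for a placeholder that has no value in the session is an assumption, since the page does not say how PSM handles that case.

```python
import re

PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def resolve_recording_safe(template, account_safe, file_categories=None,
                           user_parameters=None, client_specific=None):
    """Expand a SessionRecorderSafe value for one session.

    {AccountSafeName} becomes the Safe holding the account; any other {name}
    is a connection parameter, looked up as File Category, then User Parameter,
    then Client Specific parameter (the precedence given in the platform docs).
    Assumption: a placeholder with no value anywhere is an error; the page does
    not say what PSM does in that case, so this raises rather than guessing."""
    sources = (file_categories or {}, user_parameters or {}, client_specific or {})

    def lookup(match):
        name = match.group(1)
        if name == "AccountSafeName":
            return account_safe
        for source in sources:
            if name in source:
                return source[name]
        raise KeyError(f"connection parameter {name!r} is not set for this session")

    return PLACEHOLDER.sub(lookup, template)


def safes_to_precreate(template, sessions):
    """Names the template will produce for the planned sessions, so the
    Recording Safes can be created with the intended permissions (and the
    PSMAppUsers group as a member) before the first recording is uploaded."""
    return sorted({resolve_recording_safe(template, **s) for s in sessions})


# Constructed sessions; Safe, category and parameter names are hypothetical.
PLANNED_SESSIONS = [
    {"account_safe": "Windows",
     "file_categories": {"EnvironmentType": "Production"},
     "user_parameters": {"EnvironmentType": "Staging"},   # loses to the File Category
     "client_specific": {"Group": "GroupA"}},
    {"account_safe": "Unix",
     "client_specific": {"EnvironmentType": "Test", "Group": "GroupB"}},
]

if __name__ == "__main__":
    for t in ("PSM-Recordings", "PSM-{AccountSafeName}", "PSM-{EnvironmentType}",
              "PSM-{AccountSafeName}-{Group}"):
        print(t, "->", safes_to_precreate(t, PLANNED_SESSIONS))
```

Run the template against the account inventory you actually have before changing it: every distinct value of a connection parameter becomes a separate Safe, so a free-form File Category can fan out into far more Recording Safes (each needing its own permissions) than intended.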
Create a Recording Safe before initiating sessions
You can create PSM Recording Safes before any sessions are initiated and assign the desired user permissions. In this way, the PSM does not automatically create Recording Safes with default permissions.
Add the PSMAppUsers group as a member of this Safe with full permissions.
Change the PSM recordings folder
PSM recordings are saved temporarily in a local folder until the PSM session ends, when they are uploaded to the Vault.
The path of this folder is set during the PSM installation.
Until version 12.2, the recordings folder path name was stored in the PVWA configuration LocalRecordingsFolder parameter. See Recorder Settings.
From version 12.2, the recordings folder path name is stored in the basic_psm.ini configuration RecordingsDirectory parameter.
To change the PSM recordings folder path after installation:
-
Create a corresponding folder in the new location.
-
In the Basic_psm.ini file, set RecordingsDirectory with the new path.
-
Restart the PSM service.
-
Run the PSMHardening script.
-
From the CD image, open InstallationAutomation\Hardening\HardeningConfig.XML and disable all steps except Runs the hardening script.
-
Open a PowerShell window and run the following commands:

```powershell
CD "<CD-Image Path>\InstallationAutomation"
.\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Hardening\HardeningConfig.XML"
```

For additional information, see Hardening.
Enable session recordings for specific users and groups
You can enable session recordings for specific users and groups on the platform level. In addition, certain users and groups can be excluded from that list. For example, in an implementation where all external users’ sessions are recorded, you can exclude a specific user, such as the external_admin user.
To enable session recordings for specific users and groups:
- Open the platform for editing, as described in Edit a platform.
-
In the left pane, expand UI & Workflows, right-click Privileged Session Management and select Add Recorded Users and Groups.
A Recorded Users and Groups section is added.
This section defines the users and groups whose sessions are recorded by the PSM. These users and groups are only recorded if the Record and save session activity rule is set in the Master Policy, and if these users and groups do not appear in the Exclude Recorded Users and Groups section. By default, all users and groups are recorded.
-
Expand Recorded Users and Groups, and select User or Group.
To add additional users and groups to the list, right-click Recorded Users and Groups, and select Add User or Group.
-
In the Properties list, specify the name of the user or group whose sessions are recorded when they connect to a remote device with an account associated with this platform.
-
Right-click Privileged Session Management, then from the drop-down menu, select Add Exclude Recorded Users and Groups.
An Exclude Recorded Users and Groups section is added.
This section defines the users and groups whose sessions are not recorded by the PSM, even when the Record and save session activity rule is set in the Master Policy.
-
Expand Exclude Recorded Users and Groups , and select User or Group.
To add additional users and groups to the list, right-click Exclude Recorded Users and Groups, and select Add User or Group.
-
In the Properties list, specify the name of the user or group to exclude from the Recorded Users and Groups list.
- Save your changes.