10. Privileged Session Management
This chapter introduces Privileged Session Recorder which requires additional licencing options. The following topics are covered:
10.1. Privileged Session Management
Privileged Session Recorder feature provides:
- Recording of privileged sessions of SSH, HTTP, HTTPS, ESXi, RDP, VNC and Telnet activities.
- Sessions to be selectively recorded of:
- All privileged activities.
- Activities of specifically targeted individuals.
- Activities of all members in a selected profile.
- Activities that take place throughout the infrastructure.
- Shadow active sessions.
- A simple process to store and access recordings.
- A search and playback interface that allows recordings to be easily
Recording of sessions are driven by PxM profiles. Profiles are used to control which devices are recorded for which users.
Session recording works by the PxM Client detecting what program ID (PID) has initiated the single sign-on connection to a device session through PxM.
For SSH, RDP, ESXi, VNC and Telnet device sessions, there is one PID for the connection and therefore, the active window associated with that PID is recorded.
For HTTP and HTTPS web browser single sign-on connections, works in the same way and records the active window within the browser session. PxM records the active window of the registered connection to the managed device. However, if the browser window contains multiple open tabs, then if the user moves between the tabs, the activity in the active window will continue to be recorded.
For example, if a PxM user single sign-on to a browser session through their client, the session recording will start. If within the browser window, the user opens a second tab, then the recording will continue but the recording will be the activities occurring in the new active tab.
10.2. Configuring Privileged Session Recorder
10.2.1. Licensing tab
When session recording is enabled it is visible in the Enabled Features list on the System Configuration > Licensing tab.
|Enabled features||Session recording enables all the session recording features available.|
To upload a new license, see system-configuration:licensing.
10.2.2. Client settings tab
The following settings will be available for configuration on the System Configuration > Client settings tab:
10.2.3. Hide Session Recording Overlay
The Session Recording Overlay is a red banner which appears around any device connection that is set to be recorded in PxM Platform. It is used to notify the user that the connection is being recorded.
By default, the red banner is visible when session recording is configured within a profile.
The Session Recording overlays may not be seen on full screen applications.
To hide the Session Recording Overlay red banner:
Within the System Configuration page, click on the Client Settings tab.
Click on the icon for Hide session recording overlay.
Uncheck the Enabled box.
The red banner will no longer be visible on device connections that are being recorded.
On the System Configuration page, click on the Client settings tab.
Enter the new terms into the value box.
The window header should be placed in square brackets and the body of the message after it.
10.3. Configuring a Profile for Session Recording
To record a userâs device connections, a profile needs to be configured. A profile will link together a group of users, tools, and devices that will be recorded.
To create a profile to record sessions:
Click the in the left-hand menu next to Profiles.
Within the New profile window, give the profile a name.
Check the Session Recording box.
On the Manage profiles page, click the new profile.
Within the Profile detail page, add users, tools, tasks including the task âRecord sessions on this profileâ, and devices.
Now when a user logs onto the client and single sign-on to a device listed in the profile, the session will be recorded.
Recorded sessions will be visible on the Device access report page. See Device access
10.4. Viewing and Playing Session recordings
Device connections can be shadowed or played back on the Device access report.
See Device access.
The sessions which are recorded are:
Captured at 1 frame per second snapshot of the active window.
The captured frames are:
- Stored as PNG bitmap image files.
- Compressed using gzip.
- Represented by 16 bits per pixel.
The size of the recorded screenshots will differ based on protocol and window size captured.
Not video recorded sessions.
Have a fixed bandwidth requirement because the session only sends one image per second.
You can start multiple sessions which are session recorded (channel open), but only the active window is recorded. The recording does not stop start if you flick between the different sessions windows.
Device Frame 1 Frame 2 Frame 3 Frame 4 Frame 5 Frame 6 Channel 1 vSphere Active image Active image No image Active image No image No image Channel 2 F5 SSH No image No image Active image No image Active image Active image
Recorded sessions are stored locally unless an external filestore has been configured, in which case all session recordings will be automatically saved to the external filestore.
The naming convention for the recorded sessions are as follows:
Searching session recordings
The Fuzzy filter allows you to search inside recorded connections.
The search term is matched against:
- the keystrokes of a connection
- the titles of a recorded connection windows i.e. SSH PuTTY window or web browser URL etc.
The window refers to the tool opened to access the device.
See Device access.
See Device access.
10.4.1. Shadowing a connection being recorded
Shadowing an active recorded connection shows a live view of the connection in progress.
To shadow an active connection being recorded:
Click on Device access in the right hand menu.
Within the Device access report window, check the checkbox next to Device connections .
The Device connections section will now be added to the Device access report window.
To shadow an active connection being recorded, click the shadow connection button.
The Session Player window opens and states that you are shadowing the selected connection.
During the shadowing of an active connection:
If the shadowed user opens a new recorded device connection, you will be notified, and can either wait for the shadowed window to become active again, or click to shadow the new recorded connection.
If the shadowed user moves focus away from the recorded window, you will be notified, and can either wait for the user to switch focus back to the shadowed connection, or stop shadowing the connection.