10. Privileged Session Management

This chapter introduces the Privileged Session Recorder, which requires additional licensing options. The following topics are covered:

10.1. Privileged Session Management

The Privileged Session Recorder feature provides:

  • Recording of privileged sessions of SSH, HTTP, HTTPS, ESXi, RDP, VNC and Telnet activities.
  • Selective recording of sessions, covering:
    • All privileged activities.
    • Activities of specifically targeted individuals.
    • Activities of all members in a selected profile.
    • Activities that take place throughout the infrastructure.
  • Shadowing of active sessions.
  • A simple process to store and access recordings.
  • A search and playback interface that allows recordings to be easily searched by:
    • User
    • Device
    • Time
    • Keystrokes

Session recording is driven by PxM profiles. Profiles are used to control which devices are recorded for which users.

Session recording works by the PxM Client detecting what program ID (PID) has initiated the single sign-on connection to a device session through PxM.

For SSH, RDP, ESXi, VNC and Telnet device sessions, there is one PID for the connection and therefore, the active window associated with that PID is recorded.

For HTTP and HTTPS web browser single sign-on connections, session recording works in the same way and records the active window within the browser session. PxM records the active window of the registered connection to the managed device. However, if the browser window contains multiple open tabs and the user moves between the tabs, the activity in the active window will continue to be recorded.

For example, if a PxM user single signs on to a browser session through their client, the session recording will start. If the user opens a second tab within the browser window, the recording will continue, but it will capture the activities occurring in the new active tab.

10.2. Configuring Privileged Session Recorder

10.2.1. Licensing tab

When session recording is enabled it is visible in the Enabled Features list on the System Configuration > Licensing tab.

WebUI System config enabled features screenshot

Heading          | Description
Enabled features | Session recording enables all the session recording features available.

To upload a new license, see System Configuration > Licensing.

10.2.2. Client settings tab

The following settings will be available for configuration on the System Configuration > Client settings tab:

WebUI System config client settings tab

10.2.3. Hide Session Recording Overlay

The Session Recording Overlay is a red banner which appears around any device connection that is set to be recorded in PxM Platform. It is used to notify the user that the connection is being recorded.

By default, the red banner is visible when session recording is configured within a profile.

Example session recorded window

Note

The Session Recording overlays may not be seen on full screen applications.

To hide the Session Recording Overlay red banner:

  1. Within the System Configuration page, click on the Client Settings tab.

  2. Click the Edit (pencil) icon for Hide session recording overlay.

  3. Uncheck the Enabled box.

    WebUI Generic value window

  4. Click Save.

    The red banner will no longer be visible on device connections that are being recorded.

10.2.4. Session Recording Terms of use

The Session Recording Terms of use can be configured and updated to reflect a company’s policy for accessing the corporate network. Users must abide by this policy in order to access devices and run tasks through the PxM Platform.

The session recording terms of use message will appear every time the user logs onto the PxM Client and the user must accept before being allowed to continue.

To update the Terms of Use message:

  1. On the System Configuration page, click on the Client settings tab.

  2. Click the Edit (pencil) icon for Session Recording Terms of use.

  3. Enter the new terms into the value box.

    WebUI Session recording terms of use window

    The window header should be placed in square brackets and the body of the message after it.

    Example:

    [Session Recording Terms of Use] By clicking OK you agree to have your session recorded.

    Client SR terms of use example

  4. Click Save.

    Each time the user logs onto the client, the ‘Session Recording Terms of Use’ message will appear. This does not mean that all device sessions will be recorded, only those that are in the appropriate profile. If you click the Cancel button then you won’t be logged in.

Note

If users are already connected to PxM when the Session Recording Terms of use is applied, then they won’t see the message until the next time they connect.

10.3. Configuring a Profile for Session Recording

To record a user’s device connections, a profile needs to be configured. A profile will link together a group of users, tools, and devices that will be recorded.

To create a profile to record sessions:

  1. Click the Plus icon in the left-hand menu next to Profiles.

  2. Within the New profile window, give the profile a name.

    WebUI New profile window

  3. Check the Session Recording box.

  4. Click Save.

  5. On the Manage profiles page, click the new profile.

  6. Within the Profile detail page, add users, tools, tasks including the task ‘Record sessions on this profile’, and devices.

    Now when a user logs onto the client and single signs on to a device listed in the profile, the session will be recorded.

Recorded sessions will be visible on the Device access report page. See Device access.

10.4. Viewing and Playing Session recordings

Device connections can be shadowed or played back on the Device access report.

See Device access.

Session recordings have the following characteristics:

  • The active window is captured as a snapshot at 1 frame per second.

  • The captured frames are:

    • Stored as PNG bitmap image files.
    • Compressed using gzip.
    • Represented by 16 bits per pixel.
  • The size of the recorded screenshots will differ based on protocol and window size captured.

  • Sessions are not video recorded.

  • The bandwidth requirement is fixed because the session only sends one image per second.

  • You can start multiple sessions which are session recorded (channel open), but only the active window is recorded. The recording does not stop and start if you flick between the different session windows.

    For example:

    Channel   | Device  | Frame 1      | Frame 2      | Frame 3      | Frame 4      | Frame 5      | Frame 6
    Channel 1 | vSphere | Active image | Active image | No image     | Active image | No image     | No image
    Channel 2 | F5 SSH  | No image     | No image     | Active image | No image     | Active image | Active image

  • Recorded sessions are stored locally unless an external filestore has been configured, in which case all session recordings will be automatically saved to the external filestore.

  • The naming convention for the recorded sessions is as follows:

    /sessions/session<session_id>/screenshot_<frame_id>.png
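Because only the active window is captured, a stored recording can contain seconds with no image. The following added example (not part of the PxM product or its documentation) parses a file listing that follows the naming convention above and reports the missing frame ranges per session. It assumes that session and frame ids are decimal integers, that each channel is stored as its own session directory, and that frame ids count one-second slots as in the table above; the listing is constructed sample data.

```python
import re
from collections import defaultdict

# Path layout is taken from the page; decimal ids are an assumption.
FRAME_RE = re.compile(
    r"^/sessions/session(?P<sid>\d+)/screenshot_(?P<fid>\d+)\.png$")

def frames_by_session(paths):
    """Group frame ids by session id; also return paths that do not match."""
    sessions, rejected = defaultdict(set), []
    for path in paths:
        m = FRAME_RE.match(path.strip())
        if m:
            sessions[m["sid"]].add(int(m["fid"]))
        else:
            rejected.append(path)  # unexpected file in the recording store
    return dict(sessions), rejected

def unrecorded_gaps(frame_ids, min_len=1):
    """Return (first_missing, last_missing) ranges between stored frames.

    Slots before the first or after the last stored frame cannot be
    detected from the listing alone and are not reported.
    """
    ids = sorted(frame_ids)
    return [(prev + 1, cur - 1)
            for prev, cur in zip(ids, ids[1:])
            if cur - prev - 1 >= min_len]

def coverage(frame_ids):
    """Fraction of the observed frame-id span that has a stored image."""
    ids = sorted(frame_ids)
    return len(ids) / (ids[-1] - ids[0] + 1) if ids else 0.0

# Constructed listing mirroring the table: session 101 stands for
# Channel 1 (vSphere), session 102 for Channel 2 (F5 SSH).
SAMPLE = [
    "/sessions/session101/screenshot_1.png",
    "/sessions/session101/screenshot_2.png",
    "/sessions/session101/screenshot_4.png",
    "/sessions/session102/screenshot_3.png",
    "/sessions/session102/screenshot_5.png",
    "/sessions/session102/screenshot_6.png",
    "/sessions/session101/thumbs.db",
]

if __name__ == "__main__":
    sessions, rejected = frames_by_session(SAMPLE)
    for sid, ids in sorted(sessions.items()):
        print(sid, unrecorded_gaps(ids), f"{coverage(ids):.0%}")
    print("unexpected files:", rejected)
```

A gap means the recorded window was not the active window during those seconds, so a reviewer should check what else the user had open at that time.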

Searching session recordings

The Fuzzy filter allows you to search inside recorded connections.

The search term is matched against:

  • the keystrokes of a connection
  • the titles of a recorded connection's windows, for example the SSH PuTTY window or web browser URL

Note

The window refers to the tool opened to access the device.

See Device access.

Archive screenshots

See Device access.

10.4.1. Shadowing a connection being recorded

Shadowing an active recorded connection shows a live view of the connection in progress.

To shadow an active connection being recorded:

  1. Click on Device access in the right-hand menu.

  2. Within the Device access report window, check the checkbox next to Device connections.

    WebUI Device access report checkboxes

  3. The Device connections section will now be added to the Device access report window.

    WebUI Device access report device connections tab

  4. To shadow an active connection being recorded, click the Shadow connection button.

  5. The Session Player window opens and states that you are shadowing the selected connection.

    WebUI Screenshot player shadowing window

    During the shadowing of an active connection:

  • If the shadowed user opens a new recorded device connection, you will be notified, and can either wait for the shadowed window to become active again, or click to shadow the new recorded connection.

    WebUI User unrecorded notice

  • If the shadowed user moves focus away from the recorded window, you will be notified, and can either wait for the user to switch focus back to the shadowed connection, or stop shadowing the connection.

    WebUI User inactive notice