Privileged session management
This section introduces Privileged Session Management which requires additional licencing options. The following sections are covered:
- Introduction
- Configuring privileged session recorder
- Viewing and playing session recordings
- Shadowing a connection being recorded
Introduction
To use the session recording feature it must be included in your licence and will be visible in the enabled features list on the System Configuration > Licencing tab.
The features provided by Privileged Session Management are:
-
Recording of privileged sessions of SSH, HTTP, HTTPS, ESXi, RDP, VNC and Telnet activities.
-
Sessions to be selectively recorded include:
- All privileged activities.
- Activities of specifically targeted individuals.
- Activities of all members in a selected profile.
- Activities that take place throughout the infrastructure.
- Active sessions can be shadowed.
- A simple process to store and access recordings.
- A search and playback interface that allows recordings to be easily searched by user, device, time and keystrokes.
Recording of sessions are driven by profiles. Profiles are used to control which devices are recorded for which users.
Device session connections through the UI are opened within an embedded browser so only the session window is recorded.
Configuring privileged session recorder
The following session recording related settings will be available for configuration on the System Configuration > Client settings tab:
Hide session recording overlay
The Session Recording Overlay is enabled by default. It allows a icon to appear in the top left hand corner of the device session. It informs the user that their session is being recorded.
To hide the Session Recording Overlay:
-
Within the System Configuration page, click on the
Client Settings
tab. -
Click on the icon for Hide session recording overlay.
-
Uncheck the Enabled box.
-
Click
SAVE
. The icon will no longer be visible on device connections that are being recorded.
Session recording terms of use
The Session Recording Terms of use can be configured and updated to reflect a company’s policy when accessing the corporate network, which the user must abide by in order to access devices and run tasks.
The session recording terms of use message will appear when the user opens a device session and must be accepted before being allowed to continue to the session. If the user declines the terms of use the device session will be terminated.
To update the terms of use message:
-
Click on the icon for Session Recording Terms of use.
-
Enter the new terms into the value box.
By default the window header title will be displayed as Session Recording Terms of Use. If you wish to add a custom window header, the required header text should be placed in square brackets and the body of the message after it.
Example:
If you enter: [Company Session Recording Terms of Use] By clicking ACCEPT you agree to have your session recorded and/or monitored by Osirium PAM.
The user will see the following window:
-
Click
SAVE
.Each time the user opens a device session which has been configured for session recording, the Session Recording Terms of Use message will appear.
Note
If users are already connected when the Session Recording Terms of use is applied, then they won't see the message until the next time they connect.
Configuring a profile for session recording
To record a user’s device connections, a profile needs to be configured. A profile will link together a group of users, tools, and devices that will be recorded.
To create a profile to record sessions:
-
Click Profiles in the left-hand menu.
-
Within the Manage profiles window click the
NEW PROFILE
-
Within the New profile window, give the profile a name.
-
Check the Session Recording box.
-
Click
SAVE
. -
On the Manage profiles page, click the new profile.
-
Within the Profile detail page, add devices, users, tools and tasks. Now when a user opens a connection to a device listed in the profile, the session will be recorded.
Note
Recorded sessions will be visible on the Device access report page. See Device access report.
Viewing and playing session recordings
Device connections can be shadowed or played back on the Device access report.
See Device Access Report.
The sessions which are recorded are:
- Captured at 1 frame per second snapshot of the active window.
- The captured frames are:
- Stored as PNG bitmap image files.
- Compressed using gzip.
- Represented by 16 bits per pixel.
- The size of the recorded screenshots will differ based on the protocol and window size captured.
- Not recorded as a video, but as individual screenshots taken every second that can then be played back as a video.
- Have a fixed bandwidth requirement because the session only sends one image per second.
-
You can start multiple sessions which are session recorded (channel open), but only the active window is recorded. The recording is paused, and then restarted if you switch between the different sessions windows.
For example:
Device Frame 1 Frame 2 Frame 3 Frame 4 Frame 5 Frame 6 Channel 1 vSphere Active image Active image No image Active image No image No image Channel 2 F5 SSH No image No image Active image No image Active image Active image -
Recorded sessions are stored locally unless an external filestore has been configured, in which case all session recordings will be automatically saved to the external filestore.
-
The naming convention for the recorded sessions are as follows:
/sessions/session
/screenshot_.png
Searching session recordings
The Fuzzy filter allows you to search inside recorded connections.
The search term is matched against:
- The keystrokes entered during a connection.
-
The titles of recorded device connection windows.
Note
The window refers to the tool opened to access the device.
See Device Access Report.
Archive screenshots
See Device Access Report.
Shadowing a connection being recorded
Shadowing an active recorded connection shows a live view of the connection in progress.
To shadow an active connection being recorded:
-
Click on Device access in the right hand menu.
-
Within the Device access report window, check the checkbox next to
PAM sessions
. -
The PAM sessions section will now be added to the Device access report window.
-
To shadow an active connection being recorded, click the
Shadow connection
icon. -
The Session Player window opens and states that you are shadowing the selected connection.
During the shadowing of an active connection:
- If the shadowed user opens a new recorded device connection, you will be notified, and can either wait for the shadowed window to become active again, or click to shadow the new recorded connection.
- If the shadowed user moves focus away from the recorded window, you will be notified, and can either wait for the user to switch focus back to the shadowed connection, or stop shadowing the connection.