Privileged session management
This section introduces Privileged Session Management, which requires additional licensing options. The following sections are covered:
- Introduction
- Configuring privileged session recorder
- Viewing and playing session recordings
- Shadowing a connection being recorded
Introduction
To use the session recording feature, it must be included in your licence; it will then be visible in the enabled features list on the System Configuration > Licencing tab.
The features provided by Privileged Session Management are:
- Recording of privileged device sessions (SSH, HTTP, HTTPS, ESXi, RDP, VNC and Telnet activities).
- Recording of privileged sessions of the Admin Interface.
- Sessions to be selectively recorded include:
  - All privileged activities.
  - Activities of specifically targeted individuals.
  - Activities of all members in a selected profile.
  - Activities that take place throughout the infrastructure.
- Active sessions can be shadowed.
- A simple process to store and access recordings.
- A search and playback interface that allows recordings to be easily searched by user, device, time and keystrokes.
Recording of device sessions is driven by profiles. Profiles are used to control which devices are recorded for which users.
Recording of Admin Interface sessions is driven by roles. Roles are used to control which users are recorded.
Session connections through the UI are opened within an embedded browser, so only the session window is recorded.
Warning
To prevent a PAM failure due to insufficient disk space, new connections that require the session to be recorded will be blocked when the file store becomes 90% full.
Configuring privileged session recorder
This section covers the available session recording settings and the configuration required for a user's sessions to be recorded.
- Client settings
- Configuring a profile for device session recording
- Configuring a role for Admin Interface session recording
Client settings
The following session recording related settings are available for configuration on the System Configuration > Client settings tab:
Hide session recording overlay
The Session Recording Overlay is enabled by default. It displays an icon in the top left-hand corner of the device session, informing the user that their session is being recorded.
To hide the Session Recording Overlay:
- Within the System Configuration page, click on the Client Settings tab.
- Click on the icon for Hide session recording overlay.
- Uncheck the Enabled box.
- Click SAVE. The icon will no longer be visible on sessions that are being recorded.
Session recording terms of use
The Session Recording Terms of use can be configured and updated to reflect a company’s policy when accessing the corporate network, which the user must abide by in order to access devices and run tasks.
The session recording terms of use message will appear when the user opens a session and must be accepted before being allowed to continue to the session. If the user declines the terms of use the session will be terminated.
To update the terms of use message:
- Click on the icon for Session Recording Terms of use.
- Enter the new terms into the value box. By default the window header title will be displayed as Session Recording Terms of Use. If you wish to add a custom window header, place the required header text in square brackets and the body of the message after it.
  Example: if you enter "[Company Session Recording Terms of Use] By clicking ACCEPT you agree to have your session recorded and/or monitored by Osirium PAM.", the user will see a window titled Company Session Recording Terms of Use containing the rest of the message as its body.
- Click SAVE. Each time the user opens a device session which has been configured for session recording, the Session Recording Terms of Use message will appear.
Note
If users are already connected when the Session Recording Terms of use is applied, then they won't see the message until the next time they connect.
Configuring a profile for device session recording
To record a user’s device connections, a profile needs to be configured. A profile will link together a group of users, tools, and devices that will be recorded.
To create a profile to record sessions:
- Click Profiles in the left-hand menu.
- Within the Manage profiles window, click NEW PROFILE.
- Within the New profile window, give the profile a name.
- Check the Session Recording box.
- Click SAVE.
- On the Manage profiles page, click the new profile.
- Within the Profile detail page, add devices, users, tools and tasks. Now, when a user opens a connection to a device listed in the profile, the session will be recorded.
Note
Recorded sessions will be visible on the Device access report page. See Device access report.
Configuring a role for Admin Interface session recording
To record a user’s Admin Interface sessions, the role that the user is a member of needs to be configured to record sessions.
To configure a role to record sessions:
- Click Roles in the left-hand menu.
- Within the Roles page, click the icon at the end of the row that you want to update.
- Check the Record Admin Interface box.
- Click the icon. Now, when a user that is a member of the role opens the Admin Interface, the session will be recorded.
For details on how to associate users to a role see How to associate users and roles.
Note
Recorded sessions will be visible on the Device access report page. See Device access report.
Viewing and playing session recordings
Recorded sessions can be shadowed or played back on the Device access report. See Device Access Report.
Recorded sessions have the following characteristics:
- They are captured as a snapshot of the active window at 1 frame per second.
- The captured frames are stored as PNG, JPEG or WEBP image files. The format is chosen automatically depending on factors such as the display size and the supported formats.
- The size of the recorded screenshots differs based on the protocol and the window size captured.
- They are not recorded as a video, but as individual screenshots taken every second that can then be played back as a video.
- They have a fixed bandwidth requirement, because the session only sends one image per second.
- You can start multiple sessions which are session recorded (channel open), but only the active window is recorded. The recording is paused, and then restarted, when you switch between the different session windows. For example:

  | Device            | Frame 1      | Frame 2      | Frame 3      | Frame 4      | Frame 5      | Frame 6      |
  | Channel 1 vSphere | Active image | Active image | No image     | Active image | No image     | No image     |
  | Channel 2 F5 SSH  | No image     | No image     | Active image | No image     | Active image | Active image |

- Recorded sessions are stored locally unless an external filestore has been configured, in which case all session recordings will be automatically saved to the external filestore.
- The naming convention for the recorded sessions is as follows:
  /sessions/session/screenshot_.png
  /sessions/session/screenshot_.jpg
  /sessions/session/screenshot_.webp
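The active-window rule above means a single user with several recorded channels produces one interleaved stream of one-per-second frames, and each channel's own recording has gaps wherever another window had focus. The following added example (not Osirium code) models that rule for any number of channels: it reproduces the vSphere / F5 SSH table from a constructed focus timeline and lists, per channel, the frame ranges that hold no image, so a reviewer can tell a paused recording from an idle session. The event format and function names are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Constructed focus timeline: (second at which the switch happened, channel that became active).
# It reproduces the two-channel table above: vSphere holds focus for frames 1-2 and 4,
# F5 SSH for frames 3 and 5-6.
FOCUS_EVENTS = [(1, "vSphere"), (3, "F5 SSH"), (4, "vSphere"), (5, "F5 SSH")]


def frames_per_channel(events: List[Tuple[int, str]], total_frames: int) -> Dict[str, List[int]]:
    """Assign each one-per-second frame to the channel holding focus at that second.
    A channel keeps focus until the next event; frames before the first event belong to no channel."""
    ordered = sorted(events)
    result: Dict[str, List[int]] = {ch: [] for ch in sorted({ch for _, ch in ordered})}
    active, idx = None, 0
    for frame in range(1, total_frames + 1):
        # Advance through every focus switch that happened at or before this frame.
        while idx < len(ordered) and ordered[idx][0] <= frame:
            active = ordered[idx][1]
            idx += 1
        if active is not None:
            result[active].append(frame)
    return result


def frame_table(events: List[Tuple[int, str]], total_frames: int) -> List[str]:
    """Render one row per channel in the same form as the Frame 1..N table above."""
    rows = []
    for channel, frames in frames_per_channel(events, total_frames).items():
        cells = ["Active image" if f in frames else "No image" for f in range(1, total_frames + 1)]
        rows.append(f"{channel}: " + " | ".join(cells))
    return rows


def recording_gaps(events: List[Tuple[int, str]], total_frames: int) -> Dict[str, List[Tuple[int, int]]]:
    """Per channel, the (first, last) frame ranges that hold no image. A gap means the
    recording was paused because another window had focus, not that the session was idle."""
    gaps: Dict[str, List[Tuple[int, int]]] = {}
    for channel, frames in frames_per_channel(events, total_frames).items():
        present, runs, start = set(frames), [], None
        for f in range(1, total_frames + 1):
            if f not in present and start is None:
                start = f  # a gap begins
            elif f in present and start is not None:
                runs.append((start, f - 1))  # the gap ended at the previous frame
                start = None
        if start is not None:
            runs.append((start, total_frames))  # gap runs to the end of the recording
        gaps[channel] = runs
    return gaps
```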
Searching session recordings
The Fuzzy filter allows you to search inside recorded connections.
The search term is matched against:
- The keystrokes entered during a connection.
- The titles of recorded device connection windows.
Note
The window refers to the tool opened to access the device.
See Device Access Report.
Archive screenshots
See Device Access Report.
Shadowing a connection being recorded
Shadowing an active recorded connection shows a live view of the connection in progress.
To shadow an active connection being recorded:
- Click on Device access in the right-hand menu.
- Within the Device access report window, check the checkbox next to PAM sessions.
- The PAM sessions section will now be added to the Device access report window.
- To shadow an active connection being recorded, click the Shadow connection icon.
- The Session Player window opens and states that you are shadowing the selected connection.
During the shadowing of an active connection:
- If the shadowed user opens a new recorded device connection, you will be notified, and can either wait for the shadowed window to become active again, or click to shadow the new recorded connection.
- If the shadowed user moves focus away from the recorded window, you will be notified, and can either wait for the user to switch focus back to the shadowed connection, or stop shadowing the connection.