Session Recording

Session-Recording Setup


When session recording is enabled, connection-specific audit events also provide:

  • Video playback. With SSH sessions you can search for keyword occurrences.

  • Transferred files.

  • Clipboard (RDP only).

  • Channel logs (SSH only).

To enable session recording for connections to a host:

  1. On the Administration→Hosts page, Edit the host.

  2. Under Options, enable the setting Session Recording. Click Save to apply your changes.

    Subsequent sessions to the host are recorded. You can view the playback and transferred files from the connection-specific audit events, available from ​Monitoring→Connections​​.

Session recordings should not be stored on PrivX servers as they may consume lots of disk space; you should configure PrivX to store session recordings on an external share instead (such as NFS or EFS). To set up external storage share for PrivX session recordings:

  1. On your external storage server, create a share for storing PrivX session recordings. The share must be a directory that satisfies the following:
  • The share must be mountable by all PrivX servers.

  • The share must be readable and writable by the privx system user of every PrivX server.

  2. On each PrivX server, install any extensions required for mounting the external-storage share. For example, to mount NFS shares you will likely need to install nfs-utils; for SMB shares you will likely need cifs-utils. These extension packages are available from the RHEL/CentOS public repositories.

  3. On each PrivX server, mount the external share to a local directory. The directory path must be the same on all PrivX servers. To enable mounting the share on system startup, we recommend adding the mount directive to /etc/fstab.

    To allow the GUI to display other connection logs when the NFS server is unavailable, mount the share with options like the following:

    soft
    timeo=10
    retry=1
    
  4. To configure PrivX with the new storage location, access the PrivX GUI, go to Administration→Settings→Global, and specify the location in Data folder.

    Save your changes, then restart PrivX services to apply the changes.

    📘

    Note

    PrivX generates keyframe data when opening RDP session recordings for the first time. Note that this may take up to several minutes for large RDP and web-connection trails. Also note that RDP session recording takes considerable storage space. For some rough estimates about space requirements, see Data Encryption.

    PrivX indexes session recordings when they are searched for the first time. Depending on the duration of the recording, the first search may take some time. SSH transcripts require roughly ten times the storage space compared to the original video recording.

    While an RDP session is open, the file transfers and the session recording are temporarily stored in the PrivX servers' /tmp directory. For this reason you will need to ensure sufficient disk space on PrivX servers even when external trail storage is configured.
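A pre-flight check for the mount step above, as an added example that is not part of the PrivX documentation: it verifies that the trail directory is on a network share mounted with the soft and timeo options, and that the privx user can read and write it. The mount table, directory path and NFS export below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PrivX's own tooling). Constructed sample in the shape of
# /proc/mounts; for real use pass "$(cat /proc/mounts)" instead.
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,relatime 0 0
nfs-server.example.com:/export/privx-trails /var/privx/trails nfs4 rw,relatime,vers=4.1,soft,timeo=10,retry=1 0 0'

# check_mount_opts DIR MOUNT_TABLE_TEXT
# Returns 0 when DIR is mounted from nfs/nfs4/cifs with "soft" and "timeo="
# present (so the GUI keeps working while the NFS server is unavailable),
# 1 otherwise, with the reason on stderr.
check_mount_opts() {
  dir=$1
  table=$2
  line=$(printf '%s\n' "$table" | awk -v d="$dir" '$2 == d { print; exit }')
  [ -n "$line" ] || { echo "not mounted: $dir" >&2; return 1; }
  fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  case "$fstype" in
    nfs|nfs4|cifs) ;;
    *) echo "$dir is on local filesystem $fstype, not an external share" >&2; return 1 ;;
  esac
  case ",$opts," in
    *,soft,*) ;;
    *) echo "$dir is missing the soft mount option" >&2; return 1 ;;
  esac
  case ",$opts," in
    *,timeo=*) ;;
    *) echo "$dir is missing the timeo= mount option" >&2; return 1 ;;
  esac
  return 0
}

# check_privx_access DIR
# Returns 0 when the privx system user can read and write DIR. Needs root or
# sudo rights on the PrivX server; not exercised by the constructed sample.
check_privx_access() {
  sudo -u privx sh -c "test -r '$1' && test -w '$1'"
}
```

Run it on every PrivX server with the same directory path, since the path must match across the cluster.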

Real-Time Auditing of SSH Connections

By default, session recordings are available only after the session is closed. For real-time auditing of SSH connections, you can configure PrivX to output audit events from SSH connections to syslog. You can then integrate the output with your SIEM for automatic event handling.

Before setting up real-time auditing, you should have a SIEM that is accessible from PrivX.

To enable real-time audit events from SSH connections to syslog:

  1. Configure logging.

    • RPM Deployments: Audit events from SSH connections are logged with the tag SSH-PRIVX-SENSITIVE-AUDIT and need to be forwarded to your SIEM.

      For example, this can be configured for rsyslog with the following setting (replace @@192.0.2.8:9010 with the address of your SIEM listener/forwarder):

      :msg, contains, "SSH-PRIVX-SENSITIVE-AUDIT" @@192.0.2.8:9010
      

      Note that by default, audit events from SSH connections are discarded by the following rule in /etc/rsyslog.d/privx-syslog.conf:

      :msg, contains, "SSH-PRIVX-SENSITIVE-AUDIT" /dev/null
      
    • Kubernetes Deployments: Audit events from SSH connections can be enabled by setting the following values in the PrivX Helm Chart (replace @@192.0.2.8:9010 with the address of your SIEM listener/forwarder):

      privx.syslog.enabled = true
      privx.syslog.audit.sensitive.to = @@192.0.2.8:9010
      

    🚧

    Caution

    SSH-PRIVX-SENSITIVE-AUDIT events contain sensitive data that should never be stored on file or disk. Always ensure that all SSH-PRIVX-SENSITIVE-AUDIT events go to your SIEM, or are discarded.

    Real-time audit events from SSH connections are logged only to syslog (if syslog is enabled). PrivX by default discards the audit events related to the SSH connection sessions: PrivX on RPM has a default syslog configuration at /etc/rsyslog.d/privx-syslog.conf that discards all SSH connection audit events. PrivX on Kubernetes comes with its syslog pod that has a similar default rule to discard SSH connection events.

  2. On Administration→Settings→Global, Edit the SSH common settings:

    • Enable Send SSH events to audit log
    • Select the SSH channels that are to output audit events.

    Save your settings, then Restart PrivX to apply your changes.

Audit events from SSH connections are now output to the syslog in real time.
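A check for the caution above, as an added example that is not part of the PrivX documentation: it scans rsyslog legacy-format rules for SSH-PRIVX-SENSITIVE-AUDIT and flags any rule whose action writes those events to a file on disk rather than forwarding them (@/@@ host:port) or discarding them (/dev/null, ~, stop). The two configuration samples are constructed; the SIEM address is the page's placeholder.

```shell
#!/bin/sh
# Added example (not PrivX's own tooling). Constructed rsyslog fragments:
# GOOD_CONF forwards the sensitive events to the SIEM, BAD_CONF writes them
# to a log file on disk, which the caution above says must never happen.
GOOD_CONF=':msg, contains, "SSH-PRIVX-SENSITIVE-AUDIT" @@192.0.2.8:9010
& stop
*.info /var/log/messages'

BAD_CONF='# constructed misconfiguration
:msg, contains, "SSH-PRIVX-SENSITIVE-AUDIT" /var/log/privx-sensitive.log'

# audit_sensitive_rules CONFIG_TEXT
# Returns 1 and prints the offending lines on stderr when any rule matching
# SSH-PRIVX-SENSITIVE-AUDIT has a file path as its action; returns 0 otherwise.
# For real use: audit_sensitive_rules "$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf)"
audit_sensitive_rules() {
  offending=$(printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }                  # skip comment lines
    /SSH-PRIVX-SENSITIVE-AUDIT/ {
      target = $NF                             # action is the last field of a legacy rule
      if (target ~ /^@/) next                  # forwarded to a remote listener (UDP @ or TCP @@)
      if (target == "/dev/null" || target == "~" || target == "stop") next   # discarded
      if (target ~ /^\//) print "line " NR ": " $0    # stored on disk: not acceptable
    }')
  if [ -n "$offending" ]; then
    printf '%s\n' "$offending" >&2
    return 1
  fi
  return 0
}
```

Run it after editing /etc/rsyslog.d/privx-syslog.conf and before restarting rsyslog, so a stray file target never receives a single event.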
