Session Recording

Session-Recording Setup


When session recording is enabled, connection-specific audit events also provide:

  • Video playback. With SSH sessions you can search for keyword occurrences.

  • Transferred files.

  • Clipboard (RDP only).

  • Channel logs (SSH only).

To enable session recording for connections to a host:

  1. On the ​Administration→Hosts​ page, ​Edit​​ the host.

  2. Under Options​​, enable the setting ​Session Recording​​. Click ​Save​​ to apply your changes.

    Subsequent sessions to the host are recorded. You can view the playback and transferred files from the connection-specific audit events, available from ​Monitoring→Connections​​.

Session recordings should not be stored on PrivX servers as they may consume lots of disk space; you should configure PrivX to store session recordings on an external share instead (such as NFS or EFS). To set up external storage share for PrivX session recordings:

  1. On your external storage server, create a share for storing PrivX session recordings. The share must be a directory that satisfies the following:
  • The share must be mountable by all PrivX servers.

  • The share must be readable and writable by the ​privx​​ system user of every PrivX server.

  1. On each PrivX server, install any extensions required for mounting the external-storage share. For example, to mount NFS shares you will likely need to install ​nfs-utils​​; for SMB shares you will likely need ​cifs-utils​​. These extension packages are available from the RHEL/CentOS public repositories.

  2. On each PrivX server, mount the external share to a local directory. The directory path must be the same on all PrivX servers. To enable mounting the share on system startup, we recommend adding the mount directive to ​/etc/fstab​.

    To allow the GUI to display other connection logs when the NFS server is unavailable, mount the share with options like the following:

    soft
    timeo=10
    retry=1
    

📘

Note

To enable live monitoring it is required that NFS clients do not buffer write operations. All PrivX nodes (in an HA setup) should mount the NFS mount point with noac option. This will likely increase the load on the NFS server due to heavier traffic.

  1. To configure PrivX with the new storage location, access the PrivX GUI, go to Administration→Settings→Global, and specify the location in Data folder.

    Save your changes, then restart PrivX services to apply the changes.

    📘

    Note

    PrivX generates keyframe data when opening RDP session recordings for the first time. Note that this may take up to several minutes for large RDP and web-connection trails. Also note that RDP session recording takes considerable storage space. For some rough estimates about space requirements, see Data Encryption.

    PrivX indexes session recordings when they are searched for the first time. Depending on the duration of the recording, the first search may take some time. SSH transcripts require roughly ten times the storage space compared to the original video recording.

    While an RDP session is open, the file transfers and the session recording are temporally stored in PrivX servers' /tmp directory. For this reason you will need to ensure sufficient disk space on PrivX servers even when external trail storage is configured.

Real-Time Auditing SSH Connections

Generally, session recordings are available only after the session is closed. Recordings of certain channels can be monitored live. See next chapter for details. For real-time auditing SSH connections, you can configure PrivX to output audit events from SSH connections to syslog. You can then integrate the output with your SIEM for automatic event handling.

Before setting up real-time auditing, you should have a SIEM that is accessible from PrivX.

To enable real-time audit events from SSH connections to syslog:

  1. Configure logging.

    • RPM Deployments: Audit events from SSH connection are audited via SSH-PRIVX-SENSITIVE-AUDIT and need to be forwarded to SIEM.

      For example, this can be configured for rsyslog with the following setting (replace @@192.0.2.8:9010 with the address of your SIEM listener/forwarder):

      :msg, contains, "SSH-PRIVX-SENSITIVE-AUDIT" @@192.0.2.8:9010
      

      Note that by default, audit events from SSH connections are discarded by the following rule in /etc/rsyslog.d/privx-syslog.conf:

      :msg, contains, "SSH-PRIVX-SENSITIVE-AUDIT" /dev/null
      
    • Kubernetes Deployments: Audit events from SSH connection can be enabled by settings the following values in the PrivX Helm Chart (replace @@192.0.2.8:9010 with the address of your SIEM listener/forwarder):

      privx.syslog.enabled = true
      privx.syslog.audit.sensitive.to = @@192.0.2.8:9010
      

    🚧

    Caution

    SSH-PRIVX-SENSITIVE-AUDIT events contain sensitive data that should never be stored on file or disk. Always ensure that all SSH-PRIVX-SENSITIVE-AUDIT events go to your SIEM, or are discarded.

    Real-time audit events from SSH connections are logged only to syslog (if syslog is enabled). PrivX by default discards the audit events related to the SSH connection sessions: PrivX on RPM has a default syslog configuration at /etc/rsyslog.d/privx-syslog.conf that discards all SSH connection audit events. PrivX on Kubernetes comes with its syslog pod that has a similar default rule to discard SSH connection events.

  2. On Administration→Settings→Global, Edit the SSH common settings:

    • Enable Send SSH events to audit log
    • Select the SSH channels that are to output audit events.

    Save your settings, then Restart PrivX to apply your changes.

Audit events from SSH connections are now output to the syslog in real time.

Live Connection Monitoring

You can view real-time video of ongoing connections.

To enable live monitoring:

  1. Enable session recording for hosts where you need live monitoring.
  2. Enable live monitoring on Administration→Settings→Global Settings, under Live connection monitoring. You can enable/disable live monitoring per connection type.

Once enabled, you can live monitor ongoing connections from their connection details:

  1. On Monitoring->Connections, click a Connected connection with REC symbol.
  2. Under Channels, click a channel to view it.

Each applicable channels can be monitored live independent from each other.

📘

Note

Enabling live recording affects PrivX performance with increased filesystem read/write calls and encryption/decryption. This cost is active, as long as session recording is enabled, even if the channel is not being monitored live. RDP live monitoring is particularly resource-intensive.

You should review your PrivX resources (RAM, CPU) and trail storage setup if live monitoring is to be used at scale. Ensure that PrivX has sufficient RAM/CPU, a fast filesystem, and a fast network (in case of remote trail storage).

For improved performance, we recommend disabling live monitoring if you are only interested in playing back recordings after the connections have ended.

Acccess Control

Live monitoring access control is basically the access control of the underlying recordings. Users can access the recordings if:

  • The user is a privx-admin.
  • The user has a role with connection-playback permission. The role must be in the same access group as the target. The user can access all recordings in this access group.
  • The user has a role and this role is specified as access role to a connection. The user can only access recordings in this connection.

Typical access control setup is described as follows:

Scenario 1: internal sub-admins wishes to live-monitor connections to specific targets.

A sub group of internal users are assigned a task of monitoring connections to highly classified targets. A role should be created for this user group that belongs to the same Access Group as the targeted hosts. If the hosts are scattered among many Access Groups then as many roles should be created targeting each of them. In (each of) the role, at least the connection-playback permission should be enabled.

When logged in, the sub-admins can select an ongoing connection from Monitoring->Connections. They can click a channel to view its live playback.

📘

Note

Usually for such sub-admins the connections-view, connections-manage, connections-trail, connections-terminate and logs-view are also enabled so that they can see the connection details, monitor it live or not, as well as see audit events and terminate the connection if needed.

Scenario 2: a sub-admin wishes to share a single connection (view-only) with an external user as part of a demo session.

The external user has a role in an isolated Access Group. There is no target hosts in this isolated Access Group.

The sub-admin starts a connection to the target host (with session recording enabled). The sub-admin then browses to this connection in Monitoring->Connections and click on it to open the connection details view. In the "Access roles" the sub-admin adds the role in the isolated Access Group, thereby granting (the external user) ad-hoc access to this connection.

Finally, the sub-admin retrieves the channel URL by clicking corresponding to the opened channel. The sub-admin delivers this URL to the external user and the latter can go directly to the live playback.

Playback Control in Live Session

When you click an ongoing channel, the playback will jump to the latest recording position. A "Live" flag is displayed next to the timer in the playback progression bar.

During the live playback session no playback controls (rewind, fast-forward, pause/unpause) are possible. Data is served passively in one direction to the monitoring user. The monitoring user, however, can resize the browser as needed.

Data arrives to the live monitoring session on best-effort basis: there is always some delay from processing and dispatching the data.

The monitoring user can terminate the live playback at any time. Closing the live monitoring session has no impact on the original connection. If, however, the user in the original connection closes the channel (by closing the connection, or closing the channel tab) then the monitoring session will eventually transform into a normal playback with all controls being again enabled.

Live-Monitoring Audit Events

There are 2 new audit events corresponding to the start and end of a live monitoring session. The audit events have exactly the same content as session-added and session-removed audit events except for the "monitoring-user-id" which indicates the UUID of the user who monitored the connection.

Monitoring Constraints

There is no limit for the total number of monitoring sessions, for the number of live monitoring sessions by any users and for any single channel. This is consistent with playing back the recordings after the connection has ended. The playback is not counted towards license's concurrent connection limit in all cases.

Within an SSH connection each channel is independently monitored.

For SSH only shell and exec (with PTY) channels can be played back and therefore monitored live. Requests to playback other channels, live or not, will be rejected.

When SSH live monitoring flag is set to false PrivX will reject requests to playback the recording while the channel is ongoing. Only after the channel has ended it is possible to playback the recording.

Other Notes

The user in the original connection is not informed in the UI if another user starts or stops monitoring the connection.

The monitoring user is not informed if the user in the original connection opens new channels.

HA setup with NFS external storage: live monitor feature requires trail data to be pushed to NFS server as soon as possible. NFS clients typically buffer file-write operations thus making it hard for the monitoring session to follow updates in the actual connection. Mount the NFS mount point (on client side) with noac to disable write buffering on all PrivX nodes.