Set Up Session Recording

Configure session recording to enable the product to create and store recordings of supported connection sessions (CLI, RDP, VNC, and Web Portal).
Text-based recordings can be stored on a remote syslog server, a mounted network share, or both. Graphical recordings can only be stored on a mounted NFS, CIFS, or S3 network share. This content describes how to mount network shares. For more information about syslog servers, see Remote Syslog Server Configuration.
Mount an NFS, CIFS, or S3 Network Share for Session Recordings
To ensure that session recording is available and to enable recording of graphical sessions, mount an NFS, CIFS, or S3 directory.
When mounting an NFS or CIFS share for session recordings, configure appropriate privileges for the specified directory on the host system. For an NFS share, grant read, write, and execute permissions (rwx) to everybody. For a CIFS share, grant Full Control to Everyone. Because these permissions make the directory writable by any account that can reach the share, and recordings contain the full content of privileged sessions, restrict the export itself to the appliance (for example, list only the appliance address in the NFS export definition or in the CIFS share's access list) and keep the share off networks that untrusted hosts can reach.
 
Follow these steps:
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the External Storage tab.
  3. In the Primary Mount Settings section, select one of the following network share protocols from the Protocol drop-down list:
    • NFS (versions 3 and 4 are supported)
    • CIFS
    • Amazon S3
    Option fields relating to the selected protocol are displayed below the Protocol drop-down list.
  4. Complete the option fields that are associated with the selected protocol:
    • NFS:
      • Share Path: Enter the directory path name of the NFS mount point.
        Do not use the same NFS mount point that you are using for scheduled database backups. The session recording and scheduled database backup processes create and delete a file with the same name to check the remote storage status. If you specify the same NFS mount point, file locking can occur as both processes attempt to create or delete the same file.
      • Hostname: Enter the IP address or hostname of the server with the share.
      • Request Timeout: Optionally, enter a non-default timeout value (in tenths of a second) for NFS requests. If no value is specified, the default is determined by the NFS server, typically 600 (60 seconds).
        We recommend that you accept the default Request Timeout to avoid spurious failures when the NFS server is slow to respond. However, you can set a lower value to receive earlier notification when NFS storage is down.
    • CIFS:
      • Share Path: Specify the mount point using the format \\hostname\share. Forward slashes also work, such as //hostname/share.
      • Username: Specify a user who has read and write access to the remote share.
      • Password: Specify the password for that user.
      • Domain: Specify the CIFS domain.
      • SMB Version: Select the version of Server Message Block that is used by the target system. Newer versions of SMB are more secure. Unless you must support file shares that only speak SMB1 (for example, Windows Server 2003), select SMB2 or SMB3, provided the CIFS server supports it.
        Azure does not support mounting an Azure file share in a different region than your Azure Privileged Access Manager VM.
    • Amazon S3:
      • Bucket: Enter the AWS bucket to use.
      • AWS Provision: Select the appropriate entry from the drop-down list.
  5. Select Save Settings.
    A confirmation message appears at the top of the screen.
  6. Select Mount.
    A success or an error message appears at the top of the page.
Mount Status
The Mount Status displays whether the share is mounted or unmounted. If the share is mounted, Mount Availability displays the status of the mount: available or unavailable.
If Mount Availability shows an unavailable status, the share is still mounted but not currently accessible (for example, due to network problems or share permissions). In this case, there is no need to remount the share. When the issue causing the share to be inaccessible is resolved, the status changes back to available.
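The share settings above map directly onto Linux mount options, so you can rehearse them from a Linux host before pointing the appliance at the share, and reproduce the mounted/available distinction that the Mount Status panel reports. The following script is an added example and is not part of Privileged Access Manager or its documentation: it normalizes the two CIFS Share Path forms the UI accepts, builds the NFS and CIFS mount options (the NFS Request Timeout corresponds to the timeo= option, which is also in tenths of a second; the SMB Version corresponds to vers=), mounts the share at a temporary directory, probes it with a write-and-delete check, and reports unmounted, mounted-unavailable, or mounted-available. The hostnames, paths, credentials-file location, and probe file name are assumptions for illustration, and the soft,retrans=2 options are added only so that the check fails fast against a dead server instead of hanging.

```shell
#!/bin/sh
# Added example, not part of Privileged Access Manager or its documentation.
# Pre-flight check for a session-recording share, run as root from a Linux
# host on the same network as the appliance. Option names are those of
# mount.nfs / mount.cifs; hostnames, paths and file names are illustrative.
set -eu

# Accept the CIFS Share Path in either form the UI allows (\\host\share or
# //host/share) and return the //host/share form that mount.cifs expects.
normalize_cifs_path() {
  local p
  p=$(printf '%s\n' "$1" | tr '\\' '/')
  case $p in
    //?*/?*) printf '%s\n' "$p" ;;
    *) echo "bad CIFS share path: $1" >&2; return 1 ;;
  esac
}

# NFS settings -> mount options. Version is 3 or 4; the optional Request
# Timeout is the timeo= option, in tenths of a second, as in the UI.
# soft,retrans=2 are for this check only, so a dead server fails fast.
nfs_opts() {            # nfs_opts <version> [timeout_tenths]
  local opts="vers=$1,soft,retrans=2"
  if [ -n "${2:-}" ]; then opts="$opts,timeo=$2"; fi
  printf '%s\n' "$opts"
}

# CIFS settings -> mount options. The password goes in a credentials file
# (username=/password= lines, mode 0600) rather than on the command line.
cifs_opts() {           # cifs_opts <smb_version> <credentials_file> <domain>
  printf 'vers=%s,credentials=%s,domain=%s\n' "$1" "$2" "$3"
}

# Classify a mount point the way Mount Status / Mount Availability do:
#   unmounted           nothing is mounted at the path
#   mounted-unavailable mounted, but a write-and-delete probe fails (network
#                       down, permissions wrong); fix the cause, no remount
#   mounted-available   mounted and writable
mount_state() {         # mount_state <mountpoint>
  local probe
  if ! mountpoint -q "$1" 2>/dev/null; then
    echo unmounted; return 0
  fi
  probe="$1/.recording-probe.$$"      # probe file name is illustrative
  if touch "$probe" 2>/dev/null && rm -f "$probe" 2>/dev/null; then
    echo mounted-available
  else
    echo mounted-unavailable
  fi
}

# preflight nfs  <hostname> <share_path> <nfs_version> [timeout_tenths]
# preflight cifs <share_path> <smb_version> <credentials_file> <domain>
preflight() {
  local proto mp state
  proto=$1; shift
  mp=$(mktemp -d /tmp/rec-preflight.XXXXXX)
  case $proto in
    nfs)  mount -t nfs -o "$(nfs_opts "$3" "${4:-}")" "$1:$2" "$mp" ;;
    cifs) mount -t cifs -o "$(cifs_opts "$2" "$3" "$4")" \
            "$(normalize_cifs_path "$1")" "$mp" ;;
    *)    echo "unsupported protocol: $proto" >&2; rmdir "$mp"; return 1 ;;
  esac
  state=$(mount_state "$mp")
  umount "$mp"
  rmdir "$mp"
  echo "$state"
  [ "$state" = mounted-available ]
}

# Runs only when invoked with arguments, for example:
#   ./preflight.sh nfs nas01.example.com /exports/pam-recordings 4 300
#   ./preflight.sh cifs '\\fs01\recordings' 3.0 /root/.pam-cifs-creds CORP
if [ $# -gt 0 ]; then preflight "$@"; fi
```

The script exits non-zero unless the probe succeeds, so it can gate a change window. Because the probe runs as the invoking user, an NFS export with root_squash shows you what an anonymous client gets, which is the case the "rwx to everybody" requirement is meant to cover; a mounted-unavailable result with a correct network path almost always means the directory permissions or the export's host list are wrong on the server side.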
An access policy can require that a session be recorded. By default, if the configured network share becomes unavailable, users whose sessions must be recorded cannot establish a connection to the target device. To allow such sessions to connect anyway, change the session recording access policy to Connect anyway. (Operationally Safe). For optimal security, we recommend that you keep the default access policy and configure session recording failover.
(Optional) Set Up Session Recording Failover
To avoid losing session recording ability due to a storage failure, mount a secondary share to provide failover. Session recording failover dynamically switches over to the secondary share without any loss of data. While the secondary share is in use, you cannot view session recordings on the secondary or the primary share until the primary is restored. Recording on the primary share resumes when the primary share comes back online, and recordings that were split across the two shares are then automatically recombined so that you can view them seamlessly. For the failover to be useful, serve the secondary share from storage that does not share the primary's failure domain.
To configure failover mount settings, navigate to Configuration, Logs, Session Recording, External Storage. The configuration for the failover mount settings is identical to the configuration for Primary Mount Settings.
Specify Session Recording Options to Activate Session Recording
To activate session recording, specify one or more of the types of sessions that you want to record.
 
Follow these steps:
 
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the Session Recording tab.
  3. Specify the types of sessions that you want to record by setting one or more of the following options:
    • Text based recording to the syslog server
    • Text based recording to a NFS/CIFS/S3 mounted directory
    • Graphical session recording to a NFS/CIFS/S3 mounted directory
    These recording options are unavailable until you configure the required syslog server or network mounts.
  4. Allow External Storage for Large Session Recording Decryption: If storage on your appliance becomes limited, large session recording files might become unviewable. Select this option to allow large session recordings to be decrypted on the external storage. The product attempts to use appliance storage first, and only uses external storage when necessary. The decrypted files are deleted from external storage periodically. If you do not want decrypted session recording files written to the external share at any time, leave this option in its default cleared state.
  5. Select the UPDATE button to save your changes.
    To prevent failures, unset the appropriate option if a share is nearing capacity.
Change the Session Recording Access Policy
By default, if the configured network mount becomes unavailable, users cannot establish a connection if their session should be recorded. Use the controls on the Access Policy tab to change the access policy to allow such sessions to connect anyway.
Note: For optimal security, we recommend that you keep the default setting and configure session recording failover, described in this topic.
 
Follow these steps:
 
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the Access Policy tab.
  3. Select one of the following options to dictate how the product responds if the session recording mount is unavailable:
    • Present an error and do not connect. (Security Safe): This option is the default. If a user is configured for session recording and the mount point is unavailable, the user is not allowed to connect to the target device. The Error Message entered in the text box is presented to the user. If the mount point is lost during a session that is already in progress, the user connection is terminated.
    • Connect anyway. (Operationally Safe): If a user is configured for session recording and the mount point is unavailable, the user is allowed to connect to the target device anyway. Users are not inhibited from accessing the device, but no session recording is created for the session. If the mount point is lost during a session that is already in progress, the user is allowed to continue, but the session is no longer recorded. Sessions that connect under this option leave no recording, so treat any period during which the mount was unavailable as an audit gap.
  4. (Optional) Specify a non-default Initial Failure Timeout value (in seconds). The default value is 300.
  5. (Optional) If you set the Present an error and do not connect option in Step 3, you can enter an Error Message. This error message is displayed if a user cannot connect, or has been disconnected, because of a mount error. If nothing is entered in this field, a generic message is presented.
  6. Select the UPDATE button to save your changes.
(Optional) Configure a Session Recording Purge Policy
Optionally, configure a session recording purge policy to set up automatic deletion of session recordings after a specified number of days.
The purge job runs nightly at midnight UTC.
 
Follow these steps:
 
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the Purge Policy tab.
  3. In the Remove Records Older Than field, specify the number of days after which session recordings are automatically purged. For example, if you set Remove Records Older Than to 5, session recordings made more than five days ago are purged.
    To disable automatic purging of session recordings, set the Remove Records Older Than value to zero (0).
  4. To purge recordings that include violations, unset the Exclude Recordings With Violations option. When the "exclude" checkbox is selected, you retain recordings with violations rather than purging them.
  5. To purge recordings that are identified as suspicious by CA Threat Analytics, unset the Exclude Suspicious Recordings option. When the "exclude" checkbox is selected, you retain suspicious recordings rather than purging them.
  6. Select the UPDATE button to save your changes.
Specify Which Sessions to Record
Use one of the following mechanisms to record sessions:
  • Automatically, by policy – When provisioning a policy for a user/device pair on the Policies, Manage Policies screen, you can elect to activate recording based on the following criteria:
    • Media type: graphical, command line, bidirectional command line, web portal
    • On violation: socket filter or command filter violation
    For more information, see Set Up a Policy.
  • Manual – Privileged Access Manager administrators can activate session recording while a session is taking place using controls on the Sessions, Manage Sessions screen. Each session line item has a recording stop/start switch. For more information, see Session Management.
View Recorded Sessions
View recorded sessions from the Sessions, Session Recording screen. For more information, see View Session Recordings.