Set Up Session Recording

Configure session recording to enable the product to create and store recordings of supported (CLI, RDP, VNC, and Web Portal) connection sessions.
Text-based recordings can be stored on a remote syslog server, a mounted network share, or both. Graphical recordings can only be stored on a mounted NFS, CIFS, or S3 network share. This content describes how to mount network shares. For more information about syslog servers, see Remote Syslog Server Configuration.
Mount an NFS, CIFS, or S3 Network Share for Session Recordings
To ensure that session recording is available and to enable recording of graphical sessions, mount an NFS, CIFS, or S3 directory.
When mounting an NFS or CIFS share for session recordings, configure appropriate privileges for the specified directory on the host system. For an NFS share, grant read, write, and execute permissions (rwx) to everybody. For a CIFS share, grant Full Control to Everyone.
Follow these steps:
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the External Storage tab.
  3. In the Primary Mount Settings section, select one of the following network share protocols from the Protocol drop-down list:
    • NFS (version 3 and 4 are supported)
    • CIFS
    • Amazon S3
    Option fields relating to the selected protocol are displayed below the Protocol drop-down list.
  4. Complete the option fields that are associated with the selected protocol:
    • NFS:
      • Share Path: Enter the directory path name of the NFS mount point.
        Do not use the same NFS mount point that you are using for scheduled database backups. The session recording and scheduled database backup processes create and delete a file with the same name to check the remote storage status. If you specify the same NFS mount point, file locking can occur as both processes attempt to create or delete the same file.
      • Hostname: Enter the IP address or hostname of the server with the share.
      • Request Timeout: Optionally, enter a non-default timeout value (in tenths of a second) for NFS requests. If no value is specified, the default is determined by the NFS server, typically 600. We recommend that you accept the default Request Timeout to avoid latency if the NFS server doesn't respond quickly enough. However, you can set a lower value to receive early notification if NFS storage is down.
    • CIFS:
      • Share Path: Specify the mount point using the format \\hostname\share. Forward slashes also work, such as //<hostname>/<share>.
      • Username: Specify a user who has read and write access to the remote share.
      • Password: Specify the password for that user.
      • Domain: Specify the CIFS domain.
      • SMB Version: Select the version of Server Message Block that is used by the target system. Newer versions of SMB are more secure. If you no longer support older file shares (like Windows 2003), we recommend using SMB2 or SMB3, provided the CIFS system supports it.
        Azure does not support mounting an Azure file share in a different region than your Azure Privileged Access Manager VM.
    • Amazon S3:
      • Bucket: Enter the AWS bucket to use.
      • AWS Provision: Select the appropriate entry from the drop-down list.
  5. Select Save Settings.
    A confirmation message appears at the top of the screen.
  6. Select Mount.
    A success or an error message appears at the top of the page.
If you ever need to unmount a configured NFS share and restart the NFS server, wait at least two minutes for the NFS share to become available before attempting to remount the share.
Mount Status
The Mount Status displays whether the share is mounted or unmounted. If the share is mounted, Mount Availability displays the status of the mount: available or unavailable.
If Mount Availability shows an unavailable status, the share is still mounted but not currently accessible (for example, due to network problems or share permissions). In this case, there is no need to remount the share. When the issue causing the share to be inaccessible is resolved, the status changes back to available.
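The NFS-side preparation described earlier (rwx for everybody on the export directory) and the mount availability probe described above, as an added shell example that is not part of the product documentation; the recording directory, the appliance address and the exports options are assumptions:

```shell
#!/bin/sh
# Added example (not from the product documentation). Two helpers for the NFS
# host and for troubleshooting a share that the product reports as mounted but
# "unavailable". Paths, the appliance address and export options are assumed.

RECORDING_DIR="${RECORDING_DIR:-/export/pam-recordings}"   # assumed export dir
PAM_APPLIANCE="${PAM_APPLIANCE:-192.0.2.10}"               # assumed appliance IP

# prepare_export DIR CLIENT
# Create DIR with rwx for everybody, as the documentation requires, and print
# the /etc/exports line. Restricting the export to the appliance address keeps
# the world-writable directory reachable only from the host that needs it.
prepare_export() {
    mkdir -p "$1" || return 1
    chmod 0777 "$1" || return 1
    printf '%s %s(rw,sync,no_subtree_check)\n' "$1" "$2"
}

# probe_share MOUNTPOINT
# Return 0 if a status file can be created and removed in MOUNTPOINT, 1 if not.
# This mirrors the product's own check: a share that is mounted but fails this
# probe (network problem, wrong share permissions) shows up as "unavailable".
probe_share() {
    probe="$1/.pam-recording-probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe" 2>/dev/null || return 1
    return 0
}

# Usage: ./recording-share.sh export  (on the NFS host)
#        ./recording-share.sh probe [/mnt/recordings]  (where the share is mounted)
case "${1:-}" in
    export) prepare_export "$RECORDING_DIR" "$PAM_APPLIANCE" ;;
    probe)  probe_share "${2:-$RECORDING_DIR}" && echo available || echo unavailable ;;
esac
```

Append the printed exports line to /etc/exports on the NFS host and re-export the shares (for example with exportfs -ra) before mounting from the appliance.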
By default, an access policy can specify that a session is to be recorded. If the configured network share becomes unavailable, users whose sessions are to be recorded cannot establish a connection. To allow such sessions to connect anyway, change the session recording access policy to Connect anyway. (Operationally Safe). For optimal security, we recommend that you keep the default access policy and configure session recording failover.
(Optional) Set Up Session Recording Failover
To avoid losing session recording ability due to a storage failure, mount a secondary share to provide failover. Session recording failover dynamically switches over to the secondary share without any loss of data. While the secondary share is in use, you cannot view session recordings on the secondary or the primary share until the primary is restored. To restore session recording on the primary share, the primary share must be back online. When the primary share comes back online, recordings that were split across the two shares are automatically recombined. You can then view the recordings seamlessly.
To configure failover mount settings, navigate to Configuration, Logs, Session Recording, External Storage. The configuration for the failover mount settings is identical to the configuration for Primary Mount Settings.
Specify Session Recording Options to Activate Session Recording
To activate session recording, specify one or more of the types of sessions that you want to record.
Follow these steps:
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the Session Recording tab.
  3. Specify the types of sessions that you want to record. Set one or more of the following options on the Configuration, Logs, Session Recording screen:
    • Text based recording to the syslog server
    • Text based recording to a NFS/CIFS/S3 mounted directory
    • Graphical session recording to a NFS/CIFS/S3 mounted directory
    These recording options are unavailable until you configure the required syslog server or network mounts.
  4. Allow External Storage for Large Session Recording Decryption:
    If storage on your appliance becomes limited, large session recording files might become unviewable. Select this option to allow the decryption of large session recordings on the external storage. We attempt to use appliance storage first, and only use external storage when necessary. The decrypted files are deleted from external storage periodically. If you never want decrypted session recording files on your own storage, leave this option in its default cleared state.
  5. Select the UPDATE button to save your changes.
    To prevent failures, unset the appropriate option if a share is nearing capacity.
Change the Session Recording Access Policy
By default, if the configured network mount becomes unavailable, users cannot establish a connection if their session should be recorded. Use the controls on the Access Policy tab to change the access policy to allow such sessions to connect anyway.
For optimal security, we recommend that you keep the default setting and configure session recording failover, described in this topic.
Follow these steps:
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the Access Policy tab.
  3. Select one of the following options to dictate how the product responds if the session recording mount is unavailable:
    • Present an error and do not connect. (Security Safe): This option is the default. If a user is configured for session recording and the mount point is unavailable, the user is not allowed to connect to the target device. The Error Message entered in the text box is presented to the user. If the mount point is lost during a session that is already in progress, the user connection is terminated.
    • Connect anyway. (Operationally Safe): If a user is configured for session recording and the mount point is unavailable, the user is allowed to connect to the target device anyway. Users are not inhibited from accessing the device, but no session recording is created for this session. If the mount point is lost during a session that is already in progress, the user is allowed to continue, but their session is no longer recorded.
  4. (Optional) Specify a non-default Initial Failure Timeout value (in seconds). The default value is 300.
  5. (Optional) If you set the Present an error and do not connect option in Step 3, you can enter an Error Message. This error message is displayed if a user cannot connect, or has been disconnected because of a mount error. If nothing is entered in this field, a generic message is presented.
  6. Select the UPDATE button to save your changes.
(Optional) Configure a Session Recording Purge Policy
Optionally, configure a session recording purge policy to set up automatic deletion of session recordings after a specified number of days.
The purge job runs nightly at midnight UTC.
Follow these steps:
  1. Navigate to Configuration, Logs, Session Recording.
  2. Select the Purge Policy tab.
  3. Specify the number of days after which session recordings are automatically purged in the Remove Records Older Than field. For example, if you set Remove Records Older Than to 5, session recordings made more than five days ago are purged.
    To disable automatic purging of session recordings, set the Remove Records Older Than value to zero (0).
  4. To purge recordings that include violations, unset the Exclude Recordings With Violations option. When the "exclude" checkbox is selected, you retain recordings with violations rather than purge them.
  5. To purge recordings that are identified as suspicious by CA Threat Analytics, unset the Exclude Suspicious Recordings option. When the "exclude" checkbox is selected, you retain suspicious recordings rather than purge them.
  6. Select the UPDATE button to save your changes.
Specify Which Sessions to Record
Use one of the following mechanisms to record sessions:
  • Automatically, by policy – When provisioning a policy in each Policies, Manage Policies, User/Device record, you can elect to activate recording based on the following criteria:
    • Media type: graphical, command line, bidirectional command line, web portal
    • On violation: socket filter or command filter violation
    For more information, see Set Up a Policy.
  • Manual – Privileged Access Manager administrators can activate session recording while a session is taking place using controls on the Sessions, Manage Sessions screen. Each session line item has a recording stop/start switch. For more information, see Session Management.
View Recorded Sessions
View recorded sessions from the Sessions, Session Recording screen. For more information, see View Session Recordings.