This chapter describes how to use and configure PrivX auditing features.

Viewing Audit Data

In the PrivX GUI, you can find audit data in the following locations:

  • For connection-specific audit events, go to Monitor→Connections and click one of the connection entries.

  • For global audit events, see Monitor→Events.

Note

To obtain video playback of users' sessions, you need to enable session recording as described in PrivX Administrator Manual > Auditing > Session Recording Setup.

PrivX generates keyframe data when opening RDP session recordings for the first time. Note that this may take up to several minutes for large RDP and web-connection trails.

PrivX indexes session recordings when they are searched for the first time. Depending on the duration of the recording, the first search may take some time. SSH transcripts require roughly ten times the storage space compared to the original video recording.

The recorded sessions include transferred files, which can be downloaded from the page of any connection-specific entry.

Monitored connections show metadata for the various SSH channels.

PrivX microservices generate logs to /var/log/messages. These may be useful in troubleshooting scenarios.

Using CEF Format for Audit Data

PrivX audit data can alternatively be formatted in the Common Event Format (CEF). Switching the audit logging to CEF may allow easier interoperability with some SIEM systems.

To switch the audit data format to CEF, edit the /opt/privx/etc/shared-config.toml file, setting the audit_event_format parameter to the following:

audit_event_format = "cef"

Restart PrivX to apply the changes:

# systemctl restart privx

Logging CEF Audit Messages to External SIEM

To send CEF log messages to an external SIEM, edit the /etc/rsyslog.conf file, and add the following:

# Send messages using rsyslog "forwarding output module".
# On network error, try to reconnect 100 times to avoid lost messages.
# Queue the messages.
local6.* action(type="omfwd" target="example.siem.net" port="1234" protocol="tcp"
            action.resumeRetryCount="100"
            queue.type="linkedList" queue.size="10000")

# Drop the local6 messages from default messages: add local6.none to the
# existing selector for /var/log/messages (replace that rule, do not add a second one).
*.info;mail,authpriv,cron,local6.none   /var/log/messages

Restart syslog:

# systemctl restart rsyslog

For more information on configuring rsyslog, see https://www.rsyslog.com/guides/

Logging CEF Audit Messages Internally

If you want to use the internal syslog service, add the following to the /etc/rsyslog.conf file:

# Create a template for CEF messages.
template(name="SSH_CefFormat" type="string"
    string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")

# Use the template for local6 (PrivX CEF logger uses that facility)
local6.*                                /var/log/ceflog;SSH_CefFormat

# Drop the local6 messages from default messages.
*.info;mail,authpriv,cron,local6.none   /var/log/messages

Restart syslog:

# systemctl restart rsyslog

Session Recording Setup

This section describes the procedures for setting up session recording.

When session recording is enabled, you can view a video playback and any transferred files of your users' sessions. To enable session recording for connections to a host:

  1. On the Settings→Hosts page, Edit the host.

  2. Under Options, enable the setting Session Recording. Click Save to apply your changes.

    Subsequent sessions to the host are recorded. You can view the playback and transferred files from the connection-specific audit events, available from Monitor→Connections.

Session recordings should not be stored on PrivX servers as they may consume a lot of disk space; you should configure PrivX to store session recordings on an external share instead (such as NFS). To set up an external storage share for PrivX session recordings:

  1. On your external storage server, create a share for storing PrivX session recordings. The share must be a directory that satisfies the following:

    • The share must be mountable by all PrivX servers.

    • The share must be readable and writable by the privx system user of every PrivX server.

  2. On each PrivX server, install any extensions required for mounting the external-storage share. For example, to mount NFS shares you will likely need to install nfs-utils; for SMB shares you will likely need cifs-utils. These extension packages are available from the RHEL/CentOS public repositories.

  3. On each PrivX server, mount the external share to a local directory. To enable mounting the share on system startup, we recommend adding the mount directive to /etc/fstab.

    To allow the GUI to display other connection logs when the NFS server is unavailable, mount the share with options like the following:

    soft
    timeo=10
    retry=1

  4. On each PrivX server, configure PrivX to store session recordings to the mounted share. To do this, edit the data_folder setting in /opt/privx/etc/shared-config.toml (replace /path/to/privx-trails with the local directory to which the external share is mounted):

    data_folder="/path/to/privx-trails"

    Save your changes, then restart PrivX services to apply the changes:

    # systemctl restart privx

By default PrivX retains session recordings indefinitely. You may configure PrivX to automatically delete old recordings, using the following settings:

  • trail_expiry in /opt/privx/etc/shared-config.toml - Delete recordings older than the specified number of days. Set to -1 to disable automatic deletion.

  • housekeeping_interval_for_trails in /opt/privx/etc/connection-manager.toml - The interval at which PrivX checks for and deletes expired recordings. Specified in hours.

To apply new configurations, restart the PrivX services:

# systemctl restart privx

Log-Collector Setup

You can configure PrivX to forward audit events to external log collectors. The required configurations are provided separately per supported log collector.

AWS CloudWatch

  1. Create an AWS user with permissions for pushing logs to CloudWatch. The user's permissions should be similar to the following (Sid is arbitrary):

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "examplesid",
               "Effect": "Allow",
               "Action": "events:PutEvents",
               "Resource": "*"
           }
       ]
    }

    Obtain the Access key ID and the Secret access key of this AWS user, required later for configuring PrivX.

  2. Create a rule in CloudWatch for collecting PrivX logs. The rule must have the following Event pattern:

    {
      "source": [
        "com.ssh.privx"
      ]
    }

    To associate actions with collected logs, also create Targets for the rule.

  3. Add your log collector to PrivX.

    In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Amazon CloudWatch Events, and provide the other required settings as well. Click Save to apply your settings.

    PrivX logs are now sent to your AWS CloudWatch and processed according to all the applicable rule targets.

Azure Event Hubs

  1. In Azure Active Directory, register PrivX as an application.

  2. In Azure Event Hubs, create an event hub for PrivX. Your Access Control must allow the previously-registered PrivX application to access this hub.

  3. To process incoming events, you may create consumers for the hub.

  4. Add your log collector to PrivX.

    In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Azure Event Hubs, and provide the other required settings as well. Click Save to apply your settings.

    PrivX logs are now sent to the hub and processed according to all the applicable rules.

Matching Certificate-Based-Login Messages

PrivX users logging in with certificate-based authentication generate log messages both on the PrivX server and on the target host. These messages can be matched by the certificate serial.

For example, an SSH connection to a Unix host may generate the following messages:

  • On the PrivX server (in /var/log/messages):

    Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]:
    [event="Authorization-certificate-granted" eventID="401"
    keyID="alice@127.0.0.1:45910-serial-2571351803943628705"
    message="certificate-created" target="127.0.0.1:45910"
    username="alice"]

  • And on the target host (typically in /var/log/secure or /var/log/auth.log):

    Dec  5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice
    from 192.0.2.102 port 38126 ssh2: RSA-CERT ID alice@127.0.0.1:45910
    serial 2571351803943628705 (serial 2571351803943628705)
    CA RSA SHA256:aVOPjQAB2b+y64OJ8UozVe5EKegsrCClE9UQN/MEq4c

As another example, an RDP connection to a Windows host may generate:

  • On the PrivX server (in /var/log/messages):

    Dec 5 08:24:41 dhcp-10-1-54-160.hel.fi.ssh.com SSH-PRIVX-AUDIT[14189]:
    [event="Authorization-certificate-granted" eventID="401"
    SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created"
    serial="1A654E1CD607153C"
    sha1-fingerprint="..." sha256-fingerprint="..."
    target="127.0.0.1:47390" upn="alice@example.com" username="alice"]

  • And on the target host (in Windows Event Viewer→Windows Logs→Security→Event details):

    Audit Success 5.12.2018 15.25.09 Microsoft-Windows-Security-Auditing
    4768 Kerberos Authentication Service "A Kerberos authentication
    ticket (TGT) was requested.
    
    Account Information:
    Account Name: alice
    Supplied Realm Name: EXAMPLE.COM
    User ID: EXAMPLE\alice
    
    Service Information:
    Service Name: krbtgt
    Service ID: EXAMPLE\krbtgt
    
    Network Information:
    Client Address: ::1
    Client Port: 0
    
    Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 15
    
    Certificate Information:
    Certificate Issuer Name: 10.1.54.160
    Certificate Serial Number: 1A654E1CD607153C
    Certificate Thumbprint: 1580AB1E1428B94B5DCF2EB13145B524B864D65F
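
One way to automate the matching described above for both the SSH and the RDP case, as an added example (not PrivX's own tooling): the script splits SSH-PRIVX-AUDIT messages into their key="value" fields, takes the certificate serial from either serial= or the -serial- suffix of keyID, and joins each event to the target-host line quoting the same serial. The sample messages are constructed and abridged from the ones shown above; the Windows event is collapsed onto one line.

```python
import re

# Constructed sample messages, abridged from the examples above (not real logs).
PRIVX_SSH = ('Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]: '
             '[event="Authorization-certificate-granted" eventID="401" '
             'keyID="alice@127.0.0.1:45910-serial-2571351803943628705" '
             'message="certificate-created" target="127.0.0.1:45910" username="alice"]')
SSHD_LINE = ('Dec  5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice '
             'from 192.0.2.102 port 38126 ssh2: RSA-CERT ID alice@127.0.0.1:45910 '
             'serial 2571351803943628705 (serial 2571351803943628705) CA RSA SHA256:...')
PRIVX_RDP = ('Dec 5 08:24:41 privx.example.com SSH-PRIVX-AUDIT[14189]: '
             '[event="Authorization-certificate-granted" eventID="401" '
             'message="RDP-certificate-created" serial="1A654E1CD607153C" '
             'target="127.0.0.1:47390" upn="alice@example.com" username="alice"]')
WIN_EVENT = ('4768 Kerberos Authentication Service Account Name: alice '
             'Certificate Serial Number: 1A654E1CD607153C')

AUDIT_RE = re.compile(r'SSH-PRIVX-AUDIT\[\d+\]: \[(.*)\]\s*$')
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Serial as quoted by sshd ("serial <decimal>") or by Windows event 4768 (hex).
HOST_SERIAL_RE = re.compile(r'\bserial (\d+)|Certificate Serial Number: ([0-9A-Fa-f]+)')

def parse_privx_audit(line):
    """Split one SSH-PRIVX-AUDIT message into its key="value" fields, or None."""
    m = AUDIT_RE.search(line)
    return dict(FIELD_RE.findall(m.group(1))) if m else None

def audit_cert_serial(fields):
    """Serial of a certificate-granted (401) event: RDP events carry serial=...,
    SSH events embed it at the end of keyID as "-serial-<decimal>"."""
    if 'serial' in fields:
        return fields['serial'].upper()
    m = re.search(r'-serial-(\d+)$', fields.get('keyID', ''))
    return m.group(1) if m else None

def host_cert_serial(line):
    """Serial quoted by the target host, or None if the line carries none."""
    m = HOST_SERIAL_RE.search(line)
    return (m.group(1) or m.group(2)).upper() if m else None

def correlate(privx_lines, host_lines):
    """Join PrivX 401 events to target-host logins by certificate serial.
    Returns (serial, PrivX username, host line) for every matched host line."""
    by_serial = {}
    for line in privx_lines:
        fields = parse_privx_audit(line)
        if fields and fields.get('eventID') == '401':
            serial = audit_cert_serial(fields)
            if serial:
                by_serial[serial] = fields
    return [(s, by_serial[s].get('username'), line)
            for line in host_lines
            for s in [host_cert_serial(line)] if s in by_serial]
```

Host lines without a certificate serial (password logins, unrelated events) simply produce no match.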

Audit Events in PrivX

This section lists the audit events raised by the PrivX system. Note that some of the listed audit-event types are not used by the current PrivX version.

PrivX uses syslog facilities to write audit events. Audit events are stored to the system's default syslog location. On RHEL/CentOS 7 the default location is /var/log/messages.

The debug logs for each microservice are in the following locations:

  • /var/log/privx/auth.log - Logs for the OAuth2 microservice.

  • /var/log/privx/authorizer.log - Logs for the authorizer microservice.

  • /var/log/privx/connectionmanager.log - Logs for the connection manager microservice.

  • /var/log/privx/hoststore.log - Logs for the hoststore microservice.

  • /var/log/privx/keyvault.log - Logs for the keyvault microservice.

  • /var/log/privx/rdpproxy.log - Logs for the RDP proxy microservice.

  • /var/log/privx/rolestore.log - Logs for the role store microservice.

  • /var/log/privx/sshproxy.log - Logs for the SSH proxy microservice.

  • /var/log/privx/userstore.log - Logs for the user store microservice.

  • /var/log/privx/workflowengine.log - Logs for the workflow engine microservice.

Table 9. Audit Events

Name                                            Code  Description
License-error                                   0     The system license does not allow operation.
Configuration-error                             1     The system configuration is invalid.
Service-starting                                10    The service is starting.
Service-running                                 11    The service is running.
Service-stopped                                 12    The service has been stopped.
User-logged-in                                  100   User has logged in to the system.
User-login-failed                               102   User login operation failed.
User-MFA-challenge-sent                         103   User tried to log in without MFA pin code.
User-MFA-challenge-accepted                     104   User successfully authenticated with MFA pin code.
User-MFA-challenge-setup-sent                   105   User was sent MFA setup information.
Access-token-granted                            106   Access token granted.
User-access-token-refreshed                     110   User refreshed the access token.
User-access-token-refresh-failed                111   User access token refresh failed.
OAuth-client-authenticated                      121   OAuth client authenticated.
OAuth-client-authentication-failed              122   OAuth client authentication failed.
Role-added                                      201   New role added to the system.
Role-modified                                   202   Role has been modified.
Role-removed                                    203   Role has been removed.
Directory-added                                 210   New directory added to the system.
Directory-modified                              211   Directory has been modified.
Directory-removed                               212   Directory has been removed.
Directory-authentication-failed                 213   Directory authentication failed.
User-roles-modified                             220   The user's role associations were changed.
AWS-token-granted                               230   AWS token was granted to a user.
AWS-token-grant-failed                          231   AWS token grant failed.
LogConf-collector-created                       232   LogConf collector created.
LogConf-collector-modified                      233   LogConf collector modified.
LogConf-collector-removed                       234   LogConf collector removed.
LogConf-collector-failed                        235   LogConf collector failed.
Connection-requested                            300   Connection was requested.
Connection-authenticated                        301   Connection was authenticated.
Connection-rejected                             302   Connection was rejected.
Connection-closed                               303   Connection was closed.
Connection-failed                               304   Connection closed with an error.
Client-authenticated                            305   Client connection was authenticated.
Session-added                                   310   A session was added to a connection.
Session-removed                                 311   A session was removed from a connection.
Session-rejected                                312   A session was rejected.
File-upload                                     320   File upload performed.
File-download                                   321   File download performed.
File-upload-rejected                            322   File upload was rejected.
File-download-rejected                          323   File download was rejected.
Host-key-matched                                324   Host key matched.
Host-key-denied                                 325   Host key denied.
Host-key-accepted                               326   Host key accepted.
Host-key-saved                                  327   Host key saved.
Extender-connected                              328   Extender connected.
Extender-disconnected                           329   Extender disconnected.
File-removed                                    330   File removed.
Folder-removed                                  331   Folder removed.
File-moved                                      332   File moved.
Folder-created                                  333   Folder created.
Connection-audit-started                        334   Connection audit started.
Connection-audit-failed                         335   Connection audit failed.
Authorization-requested                         400   A client requested an authorization.
Authorization-certificate-granted               401   An authorization certificate was granted.
Authorization-role-key-granted                  402   An authorization role key was granted.
Authorization-role-key-sign-operation-rejected  403   An authorization role key sign operation was rejected.
Authorization-role-key-sign-operation-accepted  404   An authorization role key sign operation was accepted.
Authorization-rejected                          405   An authorization was rejected.
Authorization-certificate-warning               406   Authorization certificate creation generated warnings.
Authorization-Passphrase-returned               407   Authorization passphrase was returned.
Principal-added                                 410   A principal was added.
Principal-removed                               411   A principal was removed.
Trusted-client-added                            420   A trusted client was added.
Trusted-client-modified                         421   A trusted client was modified.
Trusted-client-removed                          423   A trusted client was removed.
License-updated                                 430   The service license was updated.
CA-Certificate-Created                          440   CA certificate was created.
CA-Certificate-Deleted                          441   CA certificate was deleted.
EE-Certificate-Enrolled                         442   End entity certificate was enrolled.
EE-Certificate-Revoked                          443   End entity certificate was revoked.
CA-Certificate-Enrolled                         444   CA certificate was enrolled.
CA-Certificate-Revoked                          445   CA certificate was revoked.
User-added                                      500   New user added to the system.
User-modified                                   501   User has been modified.
User-removed                                    502   User has been removed.
User-password-modified                          510   User password has been modified.
User-authenticated                              520   User has been authenticated.
User-authentication-failed                      521   User authentication has failed.
Workflow-added                                  600   A workflow was added.
Workflow-modified                               601   A workflow was modified.
Workflow-removed                                602   A workflow was removed.
Request-added                                   610   A request was added.
Request-removed                                 612   A request was removed.
Decision-made                                   620   A decision has been made on a request.
Email-sent                                      630   An email notification has been sent.
Email-configuration-Modified                    631   Email configuration has been modified.
Log-downloaded                                  700   Log files have been downloaded.
Log-level-modified                              710   The log level was modified.
Host-added                                      801   A host was added.
Host-modified                                   802   A host was modified.
Host-removed                                    803   A host was removed.
Connection-terminated                           900   Connection terminated.
Connection-terminated-for-host                  901   Connection terminated for host.
Connection-terminated-for-user                  902   Connection terminated for user.
Licensed-connection-count-exceeded              903   Licensed connection count exceeded.
Trail-opened                                    1000  Trail opened.
Trail-open-failed                               1001  Failed to open trail.
Trail-file-open-failed                          1002  Failed to open trail file.
Trail-file-read-failed                          1003  Failed to read trail file.
Trail-removed                                   1004  Trail removed.
Trail-remove-failed                             1005  Failed to remove trail.
Trail-file-integrity-failed                     1006  Trail file integrity check failed.
Config-checksum-added                           1100  A config file checksum was added.
Config-checksum-changed                         1101  A config file checksum has changed.
Transcript-status-scheduled                     1201  Transcript status.
Transcript-status-indexing                      1202  Transcript status.
Transcript-status-indexed                       1203  Transcript status.
Transcript-status-error                         1204  Transcript status.
Transcript-status-not-indexed                   1205  Transcript status.
Transcript-trail-removed                        1206  Transcript trail removed.
Transcript-opened                               1207  Transcript opened.