Table of Contents

 Viewing Audit Data
 Using CEF Format for Audit Data
 Logging CEF Audit Messages to External SIEM
 Logging CEF Audit Messages Internally
 Session Recording Setup
 Log-Collector Setup
 Matching Certificate-Based-Login Messages
 Audit Events in PrivX

This chapter describes how to use and configure PrivX auditing features.

Viewing Audit Data

In the PrivX GUI, you can find audit data from the following locations:

  • For connection-specific audit events, go to Monitor→Connections and click one of the connection entries.

  • For global audit events, see Monitor→Events.

  • PrivX microservices generate logs to /var/log/messages. These may be useful in troubleshooting scenarios.

Note

To obtain video playback from connections, enable session recording as described in the section called “Session Recording Setup”.

Using CEF Format for Audit Data

PrivX audit data can alternatively be formatted in the Common Event Format (CEF). Switching the audit logging to CEF may allow easier interoperability with some SIEM systems.

To switch the audit data format to CEF, edit the /opt/privx/etc/shared-config.toml file, setting the audit_event_format parameter to the following:

audit_event_format = "cef"

Restart PrivX to apply the changes:

# systemctl restart privx

Logging CEF Audit Messages to External SIEM

To send CEF log messages to an external SIEM, edit the /etc/rsyslog.conf file, and add the following:

# Send messages using rsyslog "forwarding output module".
# On network error, try to reconnect 100 times to avoid lost messages.
# Queue the messages.
local6.* action(type="omfwd" target="example.siem.net" port="1234" protocol="tcp"
            action.resumeRetryCount="100"
            queue.type="linkedList" queue.size="10000")

# Drop the local6 messages from default messages.
local6.none   /var/log/messages

Restart syslog:

# systemctl restart rsyslog

For more information on configuring rsyslog, see https://www.rsyslog.com/guides/

Logging CEF Audit Messages Internally

If you want to use the internal syslog service, add the following to the /etc/rsyslog.conf file:

# Create a template for CEF messages.
template(name="SSH_CefFormat" type="string"
    string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")

# Use the template for local6 (PrivX CEF logger uses that facility)
local6.*                                /var/log/ceflog;SSH_CefFormat

# Drop the local6 messages from default messages.
*.info;mail,authpriv,cron,local6.none   /var/log/messages

Restart syslog:

# systemctl restart rsyslog

Session Recording Setup

This section describes the procedures for setting up session recording.

When session recording is enabled, connection-specific audit events also provide:

  • Video playback. With SSH sessions you can search for keyword occurences.

  • Transferred files.

  • Clipboard (RDP only).

  • Channel logs (SSH only).

To enable session recording for connections to a host:

  1. On the Settings→Hosts page, Edit the host.

  2. Under Options, enable the setting Session Recording. Click Save to apply your changes.

    Subsequent sessions to the host are recorded. You can view the playback and transferred files from the connection-specific audit events, available from Monitor→Connections.

Session recordings should not be stored on PrivX servers as they may consume lots of disk space; you should configure PrivX to store session recordings on an external share instead (such as NFS). To set up external storage share for PrivX session recordings:

  1. On your external storage server, create a share for storing PrivX session recordings. The share must be a directory that satisifies the following:

    • The share must be mountable by all PrivX servers.

    • The share must be readable and writable by the privx system user of every PrivX server.

  2. On each PrivX server, install any extensions required for mounting the external-storage share. For example, to mount NFS shares you will likely need to install nfs-utils; for SMB shares you will likely need cifs-utils. These extension packages are available from the RHEL/CentOS public repositories.

  3. On each PrivX server, mount the external share to a local directory. To enable mounting the share on system startup, we recommend adding the mount directive to /etc/fstab.

    To allow the GUI to display other connection logs when the NFS server is unavailable, mount the share with options like the following:

    soft
    timeo=10
    retry=1

  4. On each PrivX server, configure PrivX to store session recordings to the mounted share. To do this, edit the data_folder setting in /opt/privx/etc/shared-config.toml (replace /path/to/privx-trails with the local directory to which the external share is mounted):

    data_folder="/path/to/privx-trails"

    Save your changes, then restart PrivX services to apply the changes:

    # systemctl restart privx

By default PrivX retains session recordings indefinitely. You may configure PrivX to automatically delete old recordings, using the following settings:

  • trail_expiry in /opt/privx/etc/shared-config.toml - Delete recordings older than the specified number of days. Set to -1 to disable automatic deletion.

  • housekeeping_interval_for_trails in /opt/privx/etc/connectionmanager.toml - The interval at which PrivX checks for and deletes expired recordings. Specified in hours.

To apply new configurations, restart the PrivX services:

# systemctl restart privx

Note

PrivX generates keyframe data when opening RDP session recordings for the first time. Note that this may take up to several minutes for large RDP and web-connection trails.

PrivX indexes session recordings when they are searched for the first time. Depending on the duration of the recording, the first search may take some time. SSH transcripts require roughly ten times the storage space compared to the original video recording.

Log-Collector Setup

You can configure PrivX to forward audit events to external log collectors. The required configurations are provided separately per supported log collector.

AWS CloudWatch

  1. Create an AWS user with permissions for pushing logs to CloudWatch. The user's permissions should be similar to the following (Sid is arbitrary):

    {
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "examplesid",
           "Effect": "Allow",
           "Action": "events:PutEvents",
           "Resource": "*"
       }
   ]
}

    Obtain the Access key ID and the Secret access key of this AWS user, required later for configuring PrivX.

  2. Create a rule in CloudWatch for collecting PrivX logs. The rule must have the following Event pattern:

    {
  "source": [
    "com.ssh.privx"
  ]
}

    To associate actions to collected logs, also create Targets for the rule.

  3. Add your log collector to PrivX.

    In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Amazon CloudWatch Events, and provide the other required settings as well. Click Save to apply your settings.

    PrivX logs are now sent to your AWS CloudWatch and processed according to all the applicable rule targets.

Azure Event Hubs

  1. In Azure Active Directory, register PrivX as an application.

  2. In Azure Event Hubs, create an event hub for PrivX. Your Access Control must allow the previously-registered PrivX application to access this hub.

  3. To process incoming events, you may create consumers for the hub.

  4. Add your log collector to PrivX.

    In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Azure Event Hubs, and provide the other required settings as well. Click Save to apply your settings.

    PrivX logs are now sent to the hub and processed according to all the applicable rules.

Matching Certificate-Based-Login Messages

PrivX users logging in with certificate-based authentication generate log messages both on the PrivX server and on the target host. These messages can be matched by the certificate serial.

For example, an SSH connection to a Unix host may generate the following messages:

  • On the PrivX server (in /var/log/messages):

    Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]:
[event="Authorization-certificate-granted" eventID="401"
keyID="alice@127.0.0.1:45910-serial-2571351803943628705"
message="certificate-created" target="127.0.0.1:45910"
username="alice"]

  • And on the target host (typically in /var/log/secure or /var/log/auth.log)

    Dec  5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice
from 192.0.2.102 port 38126 ssh2: RSA-CERT ID alice@127.0.0.1:45910
serial 2571351803943628705 (serial 2571351803943628705)
CA RSA SHA256:aVOPjQAB2b+y64OJ8UozVe5EKegsrCClE9UQN/MEq4c

As another example, an RDP connection to a Windows host may generate:

  • On the PrivX server (in /var/log/messages):

    Dec 5 08:24:41 dhcp-10-1-54-160.hel.fi.ssh.com SSH-PRIVX-AUDIT[14189]:
[event="Authorization-certificate-granted" eventID="401"
SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created"
serial="1A654E1CD607153C"
sha1-fingerprint="..." sha256-fingerprint="..."
target="127.0.0.1:47390" upn="alice@example.com" username="alice"]

  • And on the target host (in Windows Event Viewer→Windows Logs→Security→Event details):

    Audit Success 5.12.2018 15.25.09 Microsoft-Windows-Security-Auditing
4768 Kerberos Authentication Service "A Kerberos authentication
ticket (TGT) was requested.

Account Information:
Account Name: alice
Supplied Realm Name: EXAMPLE.COM
User ID: EXAMPLE\alice

Service Information:
Service Name: krbtgt
Service ID: EXAMPLE\krbtgt

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 15

Certificate Information:
Certificate Issuer Name: 10.1.54.160
Certificate Serial Number: 1A654E1CD607153C
Certificate Thumbprint: 1580AB1E1428B94B5DCF2EB13145B524B864D65F

Audit Events in PrivX

This section lists the audit events raised by the PrivX system. Note that some of the listed audit-event types are not used by the current PrivX version.

PrivX uses syslog facilities to write audit events. Audit events are stored to the system's default syslog location. On RHEL/CentOS 7 the default location is /var/log/messages.

The debug logs for each microservice are in the following locations:

  • /var/log/privx/auth.log - Logs for the OAuth2 microservice.

  • /var/log/privx/authorizer.log - Logs for the authorizer microservice.

  • /var/log/privx/connectionmanager.log - Logs for the connection manager microservice.

  • /var/log/privx/hoststore.log - Logs for the hoststore microservice.

  • /var/log/privx/indexerservice.log - Logs for the indexer microservice.

  • /var/log/privx/keyvault.log - Logs for the keyvault microservice.

  • /var/log/privx/monitorservice.log - Logs for the monitor microservice.

  • /var/log/privx/rdpmitm.log - Logs for the RDP-Bastion microservice.

  • /var/log/privx/rdpproxy.log - Logs for the RDP-proxy microservice.

  • /var/log/privx/redemption.log - Logs for the RDP-trail-encoder microservice.

  • /var/log/privx/rolestore.log - Logs for the role-store microservice.

  • /var/log/privx/sshmitm.log - Logs for theSSH-Bastion microservice.

  • /var/log/privx/sshproxy.log - Logs for the SSH-proxy microservice.

  • /var/log/privx/trail-indexer.log - Logs for the trail-indexer microservice.

  • /var/log/privx/userstore.log - Logs for the user-store microservice.

  • /var/log/privx/watchdog.log - Logs for the watchdog microservice.

  • /var/log/privx/workflowengine.log - Logs for the workflow-engine microservice.

Table 9.1. List of Audit Events

Event Name

Code

Description

License-error

0

The system license does not allow operation.

Configuration-error

1

The system configuration is invalid.

Service-starting

10

The service is starting.

Service-running

11

The service is running.

Service-stopped

12

The service has been stopped.

Housekeeping-started

20

The service is started housekeeping.

Housekeeping-running

21

Housekeeping is running.

Housekeeping-completed

22

Housekeeping is completed.

User-logged-in

100

User has logged in to the system.

User-login-failed

102

User login operation failed.

User-MFA-challenge-sent

103

User tried to log in without MFA pin code.

User-MFA-challenge-accepted

104

User successfully authenticated with MFA pin code.

User-MFA-challenge-setup-sent

105

User was MFA setup information.

Access-token-granted

106

Access token granted

User-access-token-refreshed

110

User refreshed the access token

User-access-token-refresh-failed

111

User access token refresh failed.

OAuth-client-authenticated

121

OAuth client authenticated

OAuth-client-authentication-failed

122

OAuth client authentication failed

User-login-attempt-rate-limited

130

User login attempt rate limited

Role-added

201

New role added to the system.

Role-modified

202

Role has been modified.

Role-removed

203

Role has been removed.

Directory-added

210

New directory added to the system.

Directory-modified

211

Directory has been modified.

Directory-removed

212

Directory has been removed.

Directory-authentication-failed

213

Directory authentication failed.

User-roles-modified

220

The user's role associations were changed

AWS-token-granted

230

AWS token was granted to a user

AWS-token-grant-failed

231

AWS token grant failed

LogConf-collector-created

232

LogConf collector created

LogConf-collector-modified

233

LogConf collector modified

LogConf-collector-removed

234

LogConf collector removed

LogConf-collector-failed

235

LogConf collector failed

RoleContext-usage-alert

250

RoleContext limitations were violated.

RoleContext-role-blocked

251

RoleContext limitations were violated, role blocked.

Connection-requested

300

Connection was requested.

Connection-authenticated

301

Connection was authenticated.

Connection-rejected

302

Connection was rejected.

Connection-closed

303

Connection was closed.

Connection-failed

304

Connection closed with an error.

Client-authenticated

305

Client was authenticated.

Session-added

310

A session was added to a connection.

Session-removed

311

A session was removed from a connection.

Session-rejected

312

A session was rejected.

File-upload

320

File upload performed.

File-download

321

File download performed.

Host-key-matched

324

Host key matched

Host-key-denied

325

Host key denied

Host-key-accepted

326

Host key accepted

Host-key-saved

327

Host key saved

Extender-connected

328

Extender connected

Extender-disconnected

329

Extender disconnected

File-removed

330

File removed via SSH.

Folder-removed

331

Folder removed via SSH.

File-moved

332

File moved.

Folder-created

333

Folder created.

Connection-audit-started

334

Connection audit started

Connection-audit-failed

335

Connection audit failed

Authorization-requested

400

A client requested an authorization.

Authorization-certificate-granted

401

An authorization certificate granted.

Authorization-role-key-granted

402

An authorization role key granted.

Authorization-role-key-sign-operation-rejected

403

An authorization role key sign operation was rejected.

Authorization-role-key-sign-operation-accepted

404

An authorization role key sign operation was accepted.

Authorization-rejected

405

An authorization was rejected.

Authorization-certificate-warning

406

Authorization certificate creation generated warnings.

Authorization-Passphrase-returned

407

Authorization passphrase was returned

Principal-added

410

A principal was added.

Principal-removed

411

A principal was removed.

Trusted-client-added

420

A trusted client was added.

Trusted-client-modified

421

A trusted client was modified.

Trusted-client-removed

423

A trusted client was removed.

License-updated

430

The service license was updated.

CA-Certificate-Created

440

CA certificate was created.

CA-Certificate-Deleted

441

CA certificate was deleted.

EE-Certificate-Enrolled

442

End entity certificate was enrolled

EE-Certificate-Revoked

443

End entity certificate was revoked

CA-Certificate-Enrolled

444

CA certificate was enrolled

CA-Certificate-Revoked

445

CA certificate was revoked

User-added

500

New user added to the system.

User-modified

501

User has been modified.

User-removed

502

User has been removed.

User-password-modified

510

User password has been modified.

User-authenticated

520

User has been authenticated.

User-authentication-failed

521

User authentication has failed.

Workflow-added

600

A workflow was added.

Workflow-modified

601

A workflow was modified.

Workflow-removed

602

A workflow was removed.

Request-added

610

A request was added.

Request-removed

612

A request was removed.

Decision-made

620

A decision has been made on a request.

Email-sent

630

A email notification has been sent.

Email-configuration-Modified

631

Email configuration has been modified.

Email-not-sent

632

Email not sent.

Log-downloaded

700

Log files have been downloaded.

Log-level-modified

710

The log level was modified.

Host-added

801

A host was added.

Host-modified

802

A host was modified.

Host-removed

803

A host was removed.

Host-service-connection-re-established

804

A host service connection re-established.

Host-service-connection-failure

805

A host service connection failed.

Connection-terminated

900

Connection terminated.

Connection-terminated-for-host

901

Connection terminated for host.

Connection-terminated-for-user

902

Connection terminated for user.

Licensed-connection-count-exceeded

903

Licensed connection count exceeded.

Trail-opened

1000

Trail opened.

Trail-open-failed

1001

Failed to open trail.

Trail-file-open-failed

1002

Failed to open trail file.

Trail-file-read-failed

1003

Failed to read trail file.

Trail-removed

1004

Trail removed.

Trail-remove-failed

1005

Failed to remove trail.

Trail-file-integrity-failed

1006

Trail file integrity check failed.

Trail-file-downloaded

1007

Trail file downloaded.

Config-checksum-added

1100

A config file checksum was added.

Config-checksum-changed

1101

A config file checksum has changed.

Transcript-status-scheduled

1201

Transcript status

Transcript-status-indexing

1202

Transcript status

Transcript-status-indexed

1203

Transcript status

Transcript-status-error

1204

Transcript status

Transcript-status-not-indexed

1205

Transcript status

Transcript-trail-removed

1206

Transcript trail removed.

Transcript-opened

1207

Transcript opened.

Disk-Full

1301

Disk Full.

Secret-Created

1400

Secret created.

Secret-Removed

1401

Secret removed.

Secret-Accessed

1402

Secret accessed.

Secret-Changed

1403

Secret changed.

Secret-Metadata-Changed

1404

Secret's metadata changed.