This chapter describes how to use and configure PrivX auditing features.
In the PrivX GUI, you can find audit data from the following locations:
For connection-specific audit events, go to Monitor→Connections and click one of the connection entries.
For global audit events, see Monitor→Events.
PrivX microservices generate logs to
/var/log/messages. These may be useful in troubleshooting scenarios.
Note
To obtain video playback from connections, enable session recording as described in the section called “Session Recording Setup”.
PrivX audit data can alternatively be formatted in the Common Event Format (CEF). Switching the audit logging to CEF may allow easier interoperability with some SIEM systems.
To switch the audit data format to CEF, edit the /opt/privx/etc/shared-config.toml file, setting the audit_event_format parameter to the following:
audit_event_format = "cef"
Restart PrivX to apply the changes:
# systemctl restart privx
To send CEF log messages to an external SIEM, edit the /etc/rsyslog.conf file, and add the following:
# Send messages using rsyslog "forwarding output module". # On network error, try to reconnect 100 times to avoid lost messages. # Queue the messages. local6.* action(type="omfwd" target="example.siem.net" port="1234" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") # Drop the local6 messages from default messages. local6.none /var/log/messages
Restart syslog:
# systemctl restart rsyslog
For more information on configuring rsyslog, see https://www.rsyslog.com/guides/
If you want to use the internal syslog service, add the following to the /etc/rsyslog.conf file:
# Create a template for CEF messages. template(name="SSH_CefFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n") # Use the template for local6 (PrivX CEF logger uses that facility) local6.* /var/log/ceflog;SSH_CefFormat # Drop the local6 messages from default messages. *.info;mail,authpriv,cron,local6.none /var/log/messages
Restart syslog:
# systemctl restart rsyslog
This section describes the procedures for setting up session recording.
When session recording is enabled, connection-specific audit events also provide:
Video playback. With SSH sessions you can search for keyword occurences.
Transferred files.
Clipboard (RDP only).
Channel logs (SSH only).
To enable session recording for connections to a host:
On the Settings→Hosts page, Edit the host.
Under Options, enable the setting Session Recording. Click Save to apply your changes.
Subsequent sessions to the host are recorded. You can view the playback and transferred files from the connection-specific audit events, available from Monitor→Connections.
Session recordings should not be stored on PrivX servers as they may consume lots of disk space; you should configure PrivX to store session recordings on an external share instead (such as NFS). To set up external storage share for PrivX session recordings:
On your external storage server, create a share for storing PrivX session recordings. The share must be a directory that satisifies the following:
The share must be mountable by all PrivX servers.
The share must be readable and writable by the privx system user of every PrivX server.
On each PrivX server, install any extensions required for mounting the external-storage share. For example, to mount NFS shares you will likely need to install
nfs-utils; for SMB shares you will likely needcifs-utils. These extension packages are available from the RHEL/CentOS public repositories.On each PrivX server, mount the external share to a local directory. To enable mounting the share on system startup, we recommend adding the mount directive to
/etc/fstab.To allow the GUI to display other connection logs when the NFS server is unavailable, mount the share with options like the following:
soft timeo=10 retry=1 On each PrivX server, configure PrivX to store session recordings to the mounted share. To do this, edit the
data_foldersetting in/opt/privx/etc/shared-config.toml(replace/path/to/privx-trailswith the local directory to which the external share is mounted):data_folder="/path/to/privx-trails"
Save your changes, then restart PrivX services to apply the changes:
# systemctl restart privx
By default PrivX retains session recordings indefinitely. You may configure PrivX to automatically delete old recordings, using the following settings:
trail_expiryin/opt/privx/etc/shared-config.toml- Delete recordings older than the specified number of days. Set to-1to disable automatic deletion.housekeeping_interval_for_trailsin/opt/privx/etc/connectionmanager.toml- The interval at which PrivX checks for and deletes expired recordings. Specified in hours.
To apply new configurations, restart the PrivX services:
# systemctl restart privx
Note
PrivX generates keyframe data when opening RDP session recordings for the first time. Note that this may take up to several minutes for large RDP and web-connection trails.
PrivX indexes session recordings when they are searched for the first time. Depending on the duration of the recording, the first search may take some time. SSH transcripts require roughly ten times the storage space compared to the original video recording.
You can configure PrivX to forward audit events to external log collectors. The required configurations are provided separately per supported log collector.
AWS CloudWatch
Create an AWS user with permissions for pushing logs to CloudWatch. The user's permissions should be similar to the following (
Sidis arbitrary):{ "Version": "2012-10-17", "Statement": [ { "Sid": "examplesid", "Effect": "Allow", "Action": "events:PutEvents", "Resource": "*" } ] }Obtain the Access key ID and the Secret access key of this AWS user, required later for configuring PrivX.
Create a rule in CloudWatch for collecting PrivX logs. The rule must have the following Event pattern:
{ "source": [ "com.ssh.privx" ] }To associate actions to collected logs, also create Targets for the rule.
Add your log collector to PrivX.
In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Amazon CloudWatch Events, and provide the other required settings as well. Click Save to apply your settings.
PrivX logs are now sent to your AWS CloudWatch and processed according to all the applicable rule targets.
Azure Event Hubs
In Azure Active Directory, register PrivX as an application.
In Azure Event Hubs, create an event hub for PrivX. Your Access Control must allow the previously-registered PrivX application to access this hub.
To process incoming events, you may create consumers for the hub.
Add your log collector to PrivX.
In the PrivX GUI, navigate to the page Settings→Deployment→Configure cloud log collectors, then click Add Log Collector. Set Service to Azure Event Hubs, and provide the other required settings as well. Click Save to apply your settings.
PrivX logs are now sent to the hub and processed according to all the applicable rules.
PrivX users logging in with certificate-based authentication generate log messages both on the PrivX server and on the target host. These messages can be matched by the certificate serial.
For example, an SSH connection to a Unix host may generate the following messages:
On the PrivX server (in
/var/log/messages):Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]: [event="Authorization-certificate-granted" eventID="401" keyID="alice@127.0.0.1:45910-serial-2571351803943628705" message="certificate-created" target="127.0.0.1:45910" username="alice"]And on the target host (typically in
/var/log/secureor/var/log/auth.log)Dec 5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice from 192.0.2.102 port 38126 ssh2: RSA-CERT ID alice@127.0.0.1:45910 serial 2571351803943628705 (serial 2571351803943628705) CA RSA SHA256:aVOPjQAB2b+y64OJ8UozVe5EKegsrCClE9UQN/MEq4c
As another example, an RDP connection to a Windows host may generate:
On the PrivX server (in
/var/log/messages):Dec 5 08:24:41 dhcp-10-1-54-160.hel.fi.ssh.com SSH-PRIVX-AUDIT[14189]: [event="Authorization-certificate-granted" eventID="401" SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created" serial="1A654E1CD607153C" sha1-fingerprint="..." sha256-fingerprint="..." target="127.0.0.1:47390" upn="alice@example.com" username="alice"]And on the target host (in Windows Event Viewer→Windows Logs→Security→Event details):
Audit Success 5.12.2018 15.25.09 Microsoft-Windows-Security-Auditing 4768 Kerberos Authentication Service "A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: alice Supplied Realm Name: EXAMPLE.COM User ID: EXAMPLE\alice Service Information: Service Name: krbtgt Service ID: EXAMPLE\krbtgt Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 15 Certificate Information: Certificate Issuer Name: 10.1.54.160 Certificate Serial Number: 1A654E1CD607153C Certificate Thumbprint: 1580AB1E1428B94B5DCF2EB13145B524B864D65F
This section lists the audit events raised by the PrivX system. Note that some of the listed audit-event types are not used by the current PrivX version.
PrivX uses syslog facilities to write audit events. Audit events are stored to the system's default syslog location. On RHEL/CentOS 7 the default location is /var/log/messages.
The debug logs for each microservice are in the following locations:
/var/log/privx/auth.log- Logs for the OAuth2 microservice./var/log/privx/authorizer.log- Logs for the authorizer microservice./var/log/privx/connectionmanager.log- Logs for the connection manager microservice./var/log/privx/hoststore.log- Logs for the hoststore microservice./var/log/privx/indexerservice.log- Logs for the indexer microservice./var/log/privx/keyvault.log- Logs for the keyvault microservice./var/log/privx/monitorservice.log- Logs for the monitor microservice./var/log/privx/rdpmitm.log- Logs for the RDP-Bastion microservice./var/log/privx/rdpproxy.log- Logs for the RDP-proxy microservice./var/log/privx/redemption.log- Logs for the RDP-trail-encoder microservice./var/log/privx/rolestore.log- Logs for the role-store microservice./var/log/privx/sshmitm.log- Logs for theSSH-Bastion microservice./var/log/privx/sshproxy.log- Logs for the SSH-proxy microservice./var/log/privx/trail-indexer.log- Logs for the trail-indexer microservice./var/log/privx/userstore.log- Logs for the user-store microservice./var/log/privx/watchdog.log- Logs for the watchdog microservice./var/log/privx/workflowengine.log- Logs for the workflow-engine microservice.
Table 9.1. List of Audit Events
| Event Name | Code | Description |
|---|---|---|
| License-error | 0 | The system license does not allow operation. |
| Configuration-error | 1 | The system configuration is invalid. |
| Service-starting | 10 | The service is starting. |
| Service-running | 11 | The service is running. |
| Service-stopped | 12 | The service has been stopped. |
| Housekeeping-started | 20 | The service is started housekeeping. |
| Housekeeping-running | 21 | Housekeeping is running. |
| Housekeeping-completed | 22 | Housekeeping is completed. |
| User-logged-in | 100 | User has logged in to the system. |
| User-login-failed | 102 | User login operation failed. |
| User-MFA-challenge-sent | 103 | User tried to log in without MFA pin code. |
| User-MFA-challenge-accepted | 104 | User successfully authenticated with MFA pin code. |
| User-MFA-challenge-setup-sent | 105 | User was MFA setup information. |
| Access-token-granted | 106 | Access token granted |
| User-access-token-refreshed | 110 | User refreshed the access token |
| User-access-token-refresh-failed | 111 | User access token refresh failed. |
| OAuth-client-authenticated | 121 | OAuth client authenticated |
| OAuth-client-authentication-failed | 122 | OAuth client authentication failed |
| User-login-attempt-rate-limited | 130 | User login attempt rate limited |
| Role-added | 201 | New role added to the system. |
| Role-modified | 202 | Role has been modified. |
| Role-removed | 203 | Role has been removed. |
| Directory-added | 210 | New directory added to the system. |
| Directory-modified | 211 | Directory has been modified. |
| Directory-removed | 212 | Directory has been removed. |
| Directory-authentication-failed | 213 | Directory authentication failed. |
| User-roles-modified | 220 | The user's role associations were changed |
| AWS-token-granted | 230 | AWS token was granted to a user |
| AWS-token-grant-failed | 231 | AWS token grant failed |
| LogConf-collector-created | 232 | LogConf collector created |
| LogConf-collector-modified | 233 | LogConf collector modified |
| LogConf-collector-removed | 234 | LogConf collector removed |
| LogConf-collector-failed | 235 | LogConf collector failed |
| Connection-requested | 300 | Connection was requested. |
| Connection-authenticated | 301 | Connection was authenticated. |
| Connection-rejected | 302 | Connection was rejected. |
| Connection-closed | 303 | Connection was closed. |
| Connection-failed | 304 | Connection closed with an error. |
| Client-authenticated | 305 | Client was authenticated. |
| Session-added | 310 | A session was added to a connection. |
| Session-removed | 311 | A session was removed from a connection. |
| Session-rejected | 312 | A session was rejected. |
| File-upload | 320 | File upload performed. |
| File-download | 321 | File download performed. |
| Host-key-matched | 324 | Host key matched |
| Host-key-denied | 325 | Host key denied |
| Host-key-accepted | 326 | Host key accepted |
| Host-key-saved | 327 | Host key saved |
| Extender-connected | 328 | Extender connected |
| Extender-disconnected | 329 | Extender disconnected |
| File-removed | 330 | File removed via SSH. |
| Folder-removed | 331 | Folder removed via SSH. |
| File-moved | 332 | File moved. |
| Folder-created | 333 | Folder created. |
| Connection-audit-started | 334 | Connection audit started |
| Connection-audit-failed | 335 | Connection audit failed |
| Authorization-requested | 400 | A client requested an authorization. |
| Authorization-certificate-granted | 401 | An authorization certificate granted. |
| Authorization-role-key-granted | 402 | An authorization role key granted. |
| Authorization-role-key-sign-operation-rejected | 403 | An authorization role key sign operation was rejected. |
| Authorization-role-key-sign-operation-accepted | 404 | An authorization role key sign operation was accepted. |
| Authorization-rejected | 405 | An authorization was rejected. |
| Authorization-certificate-warning | 406 | Authorization certificate creation generated warnings. |
| Authorization-Passphrase-returned | 407 | Authorization passphrase was returned |
| Principal-added | 410 | A principal was added. |
| Principal-removed | 411 | A principal was removed. |
| Trusted-client-added | 420 | A trusted client was added. |
| Trusted-client-modified | 421 | A trusted client was modified. |
| Trusted-client-removed | 423 | A trusted client was removed. |
| License-updated | 430 | The service license was updated. |
| CA-Certificate-Created | 440 | CA certificate was created. |
| CA-Certificate-Deleted | 441 | CA certificate was deleted. |
| EE-Certificate-Enrolled | 442 | End entity certificate was enrolled |
| EE-Certificate-Revoked | 443 | End entity certificate was revoked |
| CA-Certificate-Enrolled | 444 | CA certificate was enrolled |
| CA-Certificate-Revoked | 445 | CA certificate was revoked |
| User-added | 500 | New user added to the system. |
| User-modified | 501 | User has been modified. |
| User-removed | 502 | User has been removed. |
| User-password-modified | 510 | User password has been modified. |
| User-authenticated | 520 | User has been authenticated. |
| User-authentication-failed | 521 | User authentication has failed. |
| Workflow-added | 600 | A workflow was added. |
| Workflow-modified | 601 | A workflow was modified. |
| Workflow-removed | 602 | A workflow was removed. |
| Request-added | 610 | A request was added. |
| Request-removed | 612 | A request was removed. |
| Decision-made | 620 | A decision has been made on a request. |
| Email-sent | 630 | A email notification has been sent. |
| Email-configuration-Modified | 631 | Email configuration has been modified. |
| Email-not-sent | 632 | Email not sent. |
| Log-downloaded | 700 | Log files have been downloaded. |
| Log-level-modified | 710 | The log level was modified. |
| Host-added | 801 | A host was added. |
| Host-modified | 802 | A host was modified. |
| Host-removed | 803 | A host was removed. |
| Host-service-connection-re-established | 804 | A host service connection re-established. |
| Host-service-connection-failure | 805 | A host service connection failed. |
| Connection-terminated | 900 | Connection terminated. |
| Connection-terminated-for-host | 901 | Connection terminated for host. |
| Connection-terminated-for-user | 902 | Connection terminated for user. |
| Licensed-connection-count-exceeded | 903 | Licensed connection count exceeded. |
| Trail-opened | 1000 | Trail opened. |
| Trail-open-failed | 1001 | Failed to open trail. |
| Trail-file-open-failed | 1002 | Failed to open trail file. |
| Trail-file-read-failed | 1003 | Failed to read trail file. |
| Trail-removed | 1004 | Trail removed. |
| Trail-remove-failed | 1005 | Failed to remove trail. |
| Trail-file-integrity-failed | 1006 | Trail file integrity check failed. |
| Config-checksum-added | 1100 | A config file checksum was added. |
| Config-checksum-changed | 1101 | A config file checksum has changed. |
| Transcript-status-scheduled | 1201 | Transcript status |
| Transcript-status-indexing | 1202 | Transcript status |
| Transcript-status-indexed | 1203 | Transcript status |
| Transcript-status-error | 1204 | Transcript status |
| Transcript-status-not-indexed | 1205 | Transcript status |
| Transcript-trail-removed | 1206 | Transcript trail removed. |
| Transcript-opened | 1207 | Transcript opened. |
| Disk-Full | 1301 | Disk Full. |