Chat now with support
Chat mit Support

One Identity Safeguard for Privileged Sessions 6.9.5 - Safeguard Desktop Player User Guide

Summary of changes Features and limitations First steps Validate audit trails Replay audit trails Replay encrypted audit trails Replay encrypted audit trails from the command line Replay audit files in follow mode Search in the content of the current audit file Search query examples Export the audit trail as video Sharing an encrypted audit trail Replay X11 sessions Export transferred files from SCP, SFTP, HTTP, and RDP audit trails Export raw network traffic in PCAP format Export screen content text Troubleshooting the Safeguard Desktop Player Install Safeguard Desktop Player Keyboard shortcuts

Export files from an audit trail after RDP file transfer through clipboard or disk redirection

Prerequisites

To export files from an audit trail, you must configure SPS to enable this feature. If you do not yet have SPS configured to enable this feature, complete the steps in Configuring SPS to enable exporting files from audit trails after RDP file transfer.

NOTE: By default, the Desktop Player only exports complete files. If you want to export partially transferred files too, see Export transferred files from SCP, SFTP, HTTP and RDP audit trail using the command line.

To export files from an audit trail after RDP file transfer through clipboard or disk redirection

  1. Navigate to Main Menu > Search in SPS, select the session during which the files were copy-pasted via clipboard or transferred through disk redirection, and click .
  2. Click , save the .zat file, and open the Safeguard Desktop Player application.
  3. Open the .zat file and click in the Safeguard Desktop Player interface window.
  4. Navigate to EXPORT > Export transferred files... and select Choose in the Select folder – Safeguard Desktop Player window. Safeguard Desktop Player will automatically display the files in a new window under EXPORTED FILES (<number of files>), with information about the files' original path.
  5. (Optional) Open the files to verify their content.

Export transferred files from SCP, SFTP, HTTP and RDP audit trail using the command line

The following procedure describes how to export the files that the user transferred in an SCP, SFTP, HTTP, or RDP session using the command line.

To export the files that the user transferred in an SCP, SFTP, HTTP, or RDP session using the command line

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.

NOTE: By default, the Desktop Player only exports complete files. If you want to export partially transferred files too, use the adp --export-files command.

  1. List the channels in the audit trail, and find the one you want to extract files from. Note down the ID number of this channel as it will be required later on (it is 3 in the following example).

    Windows: adp.exe --task channel-info --file <path/to/audit-trail.zat>

    Linux or MacOS: ./adp --task channel-info --file <path/to/audit-trail.zat>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected. Example output:

    Channel information : ssh-session-exec-scp:3
  2. Export the files from the audit trail. Use the ID number of the channel from the previous step.

    Windows: adp --task indexer --channel 3 --file <path/to/audit-trail.zat> --export-files <folder/to/save/files/>

    Linux or MacOS: adp --task indexer --channel 3 --file <path/to/audit-trail.zat> --export-files <folder/to/save/files/>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

  3. Check the output directory for the exported files.

Export raw network traffic in PCAP format

You can choose to "convert" audit trails to packet capture (PCAP) format, which is a common file format for storing network traffic.

Export raw network traffic in PCAP format using the command line

The following describes how to export raw network traffic in PCAP format using the command line.

To export raw network traffic in PCAP format using the command line

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.

  1. List the channels in the audit trail, and find the one(s) you want to export. Note down the ID number of the channel(s) as it will be required later on (it is 3 in the following example).

    Windows: adp.exe --task channel-info --file <path/to/audit-trail.zat>

    Linux or MacOS: ./adp --task channel-info --file <path/to/audit-trail.zat>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected. Example output:

    Channel information : ssh-session-exec-scp:3
  2. Export the channel(s) from the audit trail. Use the ID number(s) of the channel(s) from the previous step.

    Windows: adp.exe -f <path/to/audit-trail.zat> -c <channel id> -t indexer --export-pcap output.pcap

    Linux or MacOS: adp -f <path/to/audit-trail.zat> -c <channel id> -t indexer --export-pcap output.pcap

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

  3. Check the output directory for the exported files.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen