One Identity Safeguard for Privileged Sessions 6.0.3 - Safeguard Desktop Player User Guide

Replay encrypted audit trails from the command line

The following describes how to replay an encrypted audit trail using the command line. Use this method if you want to import the private key only temporarily, or if you want to automate the process. To import the required certificates using the graphical interface of Safeguard Desktop Player, see Replay encrypted audit trails.

To replay an encrypted audit trail using the command line

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.

1. • If the private key is password-protected, execute the following command:

     player --key <path\to\your\private-key.pem>:<password-to-the-private-key>

     For example, if the private key file is C:\temp\my-key.pem and its password is secret, the command is player --key C:\temp\my-key.pem:secret

     Otherwise, use the following command:

     player --key <path\to\your\private-key.pem>

   • If the audit trail is timestamped or signed, you must have the proper certificate to validate the audit trail. Include the path to the certificate in the command line when starting the Safeguard Desktop Player:

     player --cert <path\to\the\certificate.pem> --key <path\to\your\private-key.pem>:<password-to-the-private-key>

2. Open the encrypted audit trail. The Safeguard Desktop Player will attempt to decrypt it with the private key you provided. If decryption is successful, you can replay the audit trail. Alternatively, you can specify the audit trail to open from the command line, for example:

   player --cert <path\to\the\certificate.pem> --key <path\to\your\private-key.pem>:<password-to-the-private-key> <path\to\audit-trail.zat>

Replay audit files in follow mode

The following describes how to follow active connections in semi-real time.

To follow active connections in semi-real time

1. On the web interface of SPS, go to Active Connections, and click next to the connection you wish to monitor in semi-real time.

2. In the Safeguard Desktop Player application, click OPEN, and select the audit trail to replay.

   Safeguard Desktop Player displays the sessions stored in the audit trail file.

   

   1. Red blinking light.

      When the red blinking light is displayed, it indicates an ongoing, active connection. When neither the LIVE label and icon nor the red blinking light are displayed, it indicates that the connection has ended.

   2. LIVE status indicator.

      The indicator shows three different states:

      • When it is completely red, it indicates that the connection is active and there is some user interaction on the client.

      • When the LIVE label is red but the icon is half red, half black, it indicates that the connection is active but there is no user interaction on the client.

      • When neither the LIVE label and icon nor the red blinking light are displayed, it indicates that the connection has ended.

   3. File size.

      Displays the size of the .zat file loaded. In the case of an active, live connection, the size continuously increases.

3. Click the thumbnail to start replaying the audit file. Alternatively, click the icon next to the channel you want to replay.

4. The replay window opens.

   

   1. Blue progress bar.

      Shows progress in the replay of the live session. When replay is paused (by hitting the Space key, clicking the Pausebutton or the video screen), the progress bar stops. It will only start progressing again, once replay is restarted (by hitting the Space key, clicking the Playbutton or the video screen).

   2. Gray progress bar.

      Shows progress in the loading and conversion of the audit trail file to video. The bar keeps progressing until the session is active. When the video is paused, the gray bar progresses further than the blue bar, indicating to the user that there are some parts of the video that they have not watched yet.

   3. Red light.

      When the red light is displayed, it indicates an ongoing, active connection. When both the LIVE label and icon, as well as the red light turn black, it indicates that the connection has ended.

   4. Terminate.

      Terminate the session you are monitoring if you notice some user action that poses a security risk.

   5. LIVE status indicator.

      The indicator shows three different states:

      • When it is completely red, it indicates that the connection is active and there is some user interaction on the client.

      • When the LIVE label is red but the icon is half red, half black, it indicates that the connection is active but there is no user interaction on the client.

      • When both the LIVE label and icon are black, it indicates that the connection has ended.

   TIP: When you are replaying terminal-based audit trails (for example, SSH or TELNET), you can change the font size of the displayed text by holding down the Ctrl key and scrolling your mouse wheel.

   When the session ends, a button is displayed. On clicking this button, the player reverts to "normal" replay mode, with options such as changing replay speed, or the seeker becoming available again.

Search in the content of the current audit file

Safeguard Desktop Player allows you to search in the contents of the recorded audit trails, for example, in commands that the user executed in the session, or to find a specific text that was displayed on the screen.

You can also search in the contents of the audit trails for trails of graphical sessions created and indexed with SPS 6.0.

To search in the content of an audit file

1. In the Safeguard Desktop Player application, click OPEN, and select the audit trail to replay. If the audit trail is encrypted, see Replay encrypted audit trails.

   Safeguard Desktop Player displays the sessions stored in the audit trail file.

   

2. Click SEARCH and enter your search keywords into the Search in content field. Note that Safeguard Desktop Player creates the index of the content when opening the file, and searching is disabled until creating the index is finished. Depending on the length of the audit trail, this can take several minutes.

   Safeguard Desktop Player displays the search results and highlights the periods of the audit trail when the search keywords were visible. For details on the search syntax, see Search query examples.

   Click to replay the audit trail. To search while replaying an audit trail, click the magnifying glass icon.

Search query examples

The following sections provide examples for different search queries.

• For examples of exact matches, see Searching for exact matches.

• For examples of using boolean operators to combine search keywords, see Combining search keywords.

• For examples of wildcard searches, see Using wildcard searches.

• For examples of searching with special characters, see Searching for special characters.

• For examples of fuzzy search that finds words with similar spelling, see Searching for fuzzy matches.

• For examples of proximity search to find words that appear within a special distance, see Proximity search.

• For examples of adjusting the relevance of a search term, see Adjusting the relevance of search terms.

For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.

Searching for exact matches

By default, One Identity Safeguard for Privileged Sessions (SPS) searches for keywords as whole words and returns only exact matches. Note that if your search keywords include special characters, you must escape them with a backslash (\) character. For details on special characters, see Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Combining search keywords

You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Searching for special characters

To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Searching in commands and window titles

For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].

You can also combine these search filters with other expressions and wildcards, for example, title:properties AND gateway.

Searching for fuzzy matches

Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.

Proximity search

Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.

Adjusting the relevance of search terms

By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.