Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.2.1 - Safeguard Desktop Player User Guide

Summary of changes Features and limitations Installing Safeguard Desktop Player First steps Validating audit trails Replaying audit trails Replaying encrypted audit trails Replaying encrypted audit trails from the command line Replaying audit files in follow mode Searching in the content of the current audit file Search query examples Exporting the audit trail as video Exporting the sound from an audit trail Exporting zat and zatx files Sharing an encrypted audit trail Replaying X11 sessions Exporting transferred files from SCP, SFTP, HTTP, and RDP audit trails Exporting raw network traffic in PCAP format Exporting screen content text Troubleshooting the Safeguard Desktop Player Keyboard shortcuts

Preferences for the Safeguard Desktop Player

To configure your global preferences, for example, the application language, keyboard layout, and so on, for Safeguard Desktop Player, navigate to (Settings) > Preferences.

Figure 10: Settings > Preferences

Language
  • Safeguard Desktop Player application language: Set the preferred language for the menus, buttons, and other controls of your Safeguard Desktop Player.

    For the changes to take effect, close and restart the Safeguard Desktop Player application.

Graphical protocols
  • Keyboard layout: In some cases, RDP and ICA audit trails do not contain their specific keyboard layouts. To avoid misspellings in the subtitles, you can set your specific layout for all your audit trails.

    For each individual audit trail, you can still override these global settings from your Details page of your Safeguard Desktop Player as shown in the example figure below:

    Figure 11: Safeguard Desktop Player > Details page > Changing the keyboard layout for individual RDP or ICA audit trails

  • Window title: Select how you want to display the window title events on the seeker and in subtitles.

    • If your audit trails are indexed, select Only indexed trails (faster). Indexed audit trails already contain the window titles, and the process of displaying the window titles is faster.

    • If you are unsure whether your audit trails are indexed, select Always. Safeguard Desktop Player detects if your audit trails are indexed. If no indexed audit trail is available, Safeguard Desktop Player will start indexing the audit trails automatically.

    • If your audit trails are not indexed, select Forced detection (slower). The audit trail will be re-indexed, regardless if it had been indexed before or not, and as a result, the process of displaying the window titles is slower.

    • If you do not want to display window titles, select Never.

Terminal-based protocols
  • Terminal encoding: The character encoding of the displayed text on terminal-based audit trails, for example, SSH, Telnet or Sudo iolog. This selection will be your default encoding.

    For each individual audit trail, you can still override these global settings from your Details page of your Safeguard Desktop Player as shown in the example figure below:

    Figure 12: Safeguard Desktop Player > Details page > Changing the encoding for individual audit trails

  • Telnet codec: To deal with special characters, you can set the default codec to display text. The SPS default settings for the Telnet codec is 500 and for the Telnet alternate codec is 310.

Validating audit trails

When you open an audit trail, the Safeguard Desktop Player application automatically validates it. You can see the results of this validation above the session details.

  • is displayed if the audit trail is valid.

  • is displayed if the timestamp or the signature is invalid, or the Safeguard Desktop Player could not decrypt the downstream traffic.

  • DOWNSTREAM

    • : The downstream traffic is available and can be replayed.

    • : The downstream traffic is encrypted, but you do not have the decryption key. Click Warnings to see the fingerprint of the required certificate, and see Replaying encrypted audit trails to import it.

  • UPSTREAM

    • : The upstream traffic is available and can be replayed.

    • : The upstream traffic is encrypted, but you do not have the decryption key. Click Warnings to see the fingerprint of the required certificate, and see Replaying encrypted audit trails to import it.

  • SIGNATURE

    • : The trail is signed and the signature is valid.

    • : The Safeguard Desktop Player could not validate the signature. Click Warnings to see the fingerprint of the required certificate, and see Replaying encrypted audit trails to import it.

    • : The audit trail is not signed.

  • TIMESTAMP

    • : The trail is timestamped and the timestamp is valid.

    • : The Safeguard Desktop Player could not validate the timestamp. Click Warnings to see the fingerprint of the required certificate, and see Replaying encrypted audit trails to import it.

    • : The audit trail is not timestamped.

Replaying audit trails

This section describes how to replay an audit trail that is not encrypted.

To replay an encrypted audit trail, see Replaying encrypted audit trails.

You can use the SPS Search page to download an audit trail.

Prerequisites

One of the following prerequisites must be met:

  • The audit trail is available on the computer that runs the Safeguard Desktop Player.

  • Using a web browser, you open the audit trail on the SPS search interface and you open the Safeguard Desktop Player application on the same computer.

To replay an unencrypted audit trail

  1. Open an audit trail that you want to replay. Use one of the following methods:

    • Start the Safeguard Desktop Player application from the menu or the command line, then click OPEN. Select the audit trail you want to replay.

    • Navigate to the audit trail file and open it.

      The Safeguard Desktop Player application displays the details of the sessions stored in the audit trail file. It automatically starts to prepare (render) the audit trail for replaying. You can start replaying the audit trail while rendering is in progress, which is useful in the case of long audit trails.

  2. To start playing the audit trail, click the play button. If the audit trail contains more than one channels that can be replayed, you can select the channel to replay. Alternatively, click the icon next to the channel that you want to replay.

    The replay window opens.

  3. To control the replay, use the following hotkeys:

    • Play/Pause: SPACE

    • Jump to previous event: p

    • Jump to next event: n

    • Enable video scaling (Scale video): Ctrl + Z

    • Toggle fullscreen replay: f

    • Decrease replay speed: [

    • Increase replay speed: ]

    • Reset replay speed :=

    • Jump backward, short, medium, long: Shift + Left Arrow, Alt + Left Arrow, Ctrl + Left Arrow

    • Jump forward, short, medium, long: Shift + Right Arrow, Alt + Right Arrow, Ctrl + Right Arrow

    • Search in trail content: Ctrl + F

  4. To configure the visibility of the seeker indicators for events, click . The Configure seeker indicators panel pops up:

    Use the sliders to toggle between displaying and not displaying seeker indicators for a particular event type. By default, all indicators are on.

    TIP: Indicator colors represent the importance of events. The darker the color, the more important the event is. In decreasing order of importance, the colors are: dark blue > light blue > white. Classifying events this way is required so that when events overlap, there is a clear guideline as to which one of the overlapping events is shown on the seeker. It is always the more important event that will have its indicator displayed.

    In the case of the white indicators, which stand for on-screen changes, the degree of transparency signifies the volume of the change that occurred as compared to the previous on-screen change. Small changes are partly transparent white, while bigger ones are fully opaque white.

    Event type Shown on panel Indicator color
    Application events

    Commands

    Commands run in the session-shell channel of SSH connections, or in Telnet connections.

    For terminal-based protocols Dark blue

    Window titles

    Text appearing as window titles in the case of RDP, Citrix ICA, VNC, and X11 connections.

    This option is only displayed in the case of graphical protocols.

    For graphical protocols
    User interaction

    Keystroke

    Keystrokes in the session-shell channel of SSH connections, or in Telnet connections.

    For all protocols Light blue

    Mouse activity

    Any mouse activity (clicking, scrolling, or mouse movement) in the case of RDP, Citrix ICA, and VNC connections.

    For all protocols
    Other

    On-screen changes

    Any change that occurred on the screen.

    For all protocols

    White

    You can jump to interesting events by:

    • Clicking any of the colored bars on the seeker.

    • Clicking the and buttons.

  5. To display subtitles for the audit trail, click . By default, subtitles are not displayed.

    Subtitles indicate application events (commands and window titles) and user interaction events (keystrokes and mouse activity) in the form of captions, using the colors of the event indicators.

    Subtitles are generated for all audit trails.

    When you export audit trails as video files, you can include subtitles as well. For details, see Exporting the audit trail as video.

Replaying encrypted audit trails

This section describes how to replay an encrypted audit trail. To replay encrypted audit trails using the command line, see Replaying encrypted audit trails from the command line.

Prerequisites
  • To replay encrypted audit trails, the private key of the certificate used to encrypt the audit trail must be available on the host running the Safeguard Desktop Player. On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Current User > Personal Certificate Store.

  • To validate digitally-signed audit trails, the respective CA certificates that issued the certificates used to sign the audit trail must be available on the host running the Safeguard Desktop Player. (This is the CA of the certificates set at Policies > Audit policies > Enable signing on the SPS interface.) On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.

  • To validate timestamped audit trails, the CA certificate of SPS must be available on the host running the Safeguard Desktop Player. (This is the CA certificate of SPS set at Basic Settings > Management > SSL Certificates > CA X.509 Certificate.) On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.

The certificates and the private keys must be available in PEM format, other formats are not supported.

NOTE: On Microsoft Windows, you cannot import CA certificates from a shared drive. In this case, copy the certificate to a local folder and import it from there.

NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.

TIP: One Identity recommends using 2048-bit RSA keys (or stronger).

>

To replay an encrypted audit trail

  1. Open the encrypted audit trail. Safeguard Desktop Player tries to decrypt and validate it. If the decryption or validation fails, the Safeguard Desktop Player notifies you on the screen. Click Warnings to see the fingerprint of the required certificate.

  2. Import the required certificate. In the top-right, click > Key/Certificate import.

  3. Click , then select the certificate file. The certificates and the private keys must be available in PEM format. Other formats are not supported.

  4. Click Load. The Safeguard Desktop Player displays the details of the certificate.

  5. Select how you want to store the certificate, then click Import. On Microsoft Windows, you can import the certificates to the Windows Certificate Store and reuse them later. On other platforms, Safeguard Desktop Player stores the certificates only temporarily, and automatically deletes them when you close the application.

    • If you want Safeguard Desktop Player to delete the certificate after you close the application, select Store temporarily only.

    • If you are importing a private key to decrypt an audit trail, select Store as personal certificate.

    • If you are importing a CA certificate to validate the timestamp or signature of the audit trails, select Store as trusted root certificate.

  6. Repeat the previous steps to import other certificates if needed.

  7. Click , then to start replaying the audit trail.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating