
One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide


HTTP indexer configuration format

This section describes the configuration format and options of the HTTP indexer (that is, how and which fields of the HTTP audit trails are indexed). For details on how to customize HTTP indexing, see Customizing the indexing of HTTP traffic.

NOTE:

If you want to index HTTP POST messages, include the "application/x-www-form-urlencoded" Content-Type in the General > Whitelist list. The indexer decodes URL encoding (percent-encoding) and creates key=value pairs from the form fields and their values. Note that in the values, the indexer replaces whitespace with the underscore (_) character. To avoid indexing sensitive information (for example, passwords from login forms), list those field names in the Form > Blacklist option.

Table 8: HTTP indexer configuration options
Each entry below gives the option name, its type in parentheses, and its description.

General (Top level item)

Determines which HTTP Content-Types are indexed. An HTTP message is indexed only if its Content-Type is listed in Whitelist and is not listed in Blacklist. For example:

"General": {
    "Whitelist": ["text/.*", ".*json.*", "multipart/.*", "application/x-www-form-urlencoded"],
    "Blacklist": ["text/css", "application/javascript", "text/xslt", ".*xml.*"]
},
Whitelist (list)

The list of HTTP Content-Types to index. Every entry of the list is treated as a regular expression. For example:

"Whitelist": ["text/.*", ".*json.*", "multipart/.*", "application/x-www-form-urlencoded"],
Blacklist (list)

The list of HTTP Content-Types that are not indexed. Every entry of the list is treated as a regular expression. For example:

"Blacklist": ["text/css", "application/javascript", "text/xslt", ".*xml.*"]
Form (Top level item)

Determines which fields are indexed in HTTP POST messages. For example:

"Form": {
    "Blacklist": ["password", "pass"]
},

Blacklist (list)

The list of fields that are not indexed in HTTP POST messages (for example, when submitting forms, such as login forms). Every entry of the list is treated as a regular expression. For example:

"Blacklist": ["password", "pass"]
Html (Top level item)

Include this section in the configuration to process text/html messages. HTML tags are stripped from the text, and only their content is indexed (for example, <html><title>Title</title></html> becomes Title). For example:

"Html": {
    "Attributes": ["href", "name", "value", "title", "id", "src"],
    "StrippedTags": ["script", "object", "style", "noscript", "embed", "video", "audio", "canvas", "svg"]
}
Attributes (list)

The list of HTML attributes that are extracted as key=value pairs and indexed. Note that in the values, the indexer replaces whitespace with the underscore (_) character and decodes URL encoding. For example:

"Attributes": ["href", "name", "value", "title", "id", "src"],

Note that the content attribute of the meta name="description", meta name="keywords", meta name="author" and meta name="application-name" tags is always indexed, regardless of the Attributes list.

For example, if an audit trail contains the following HTML:

<head>
    <meta name="description" content="Web page description">
    <meta name="keywords" content="HTML,CSS,XML,JavaScript">
    <meta name="author" content="Balabit SA">
    <meta charset="UTF-8">
</head>

Then the index will contain the following text:

description=Web_page_description keywords=HTML,CSS,XML,JavaScript author=Balabit_SA
StrippedTags (list)

The list of HTML tags whose content is not indexed (the tag is dropped together with everything inside it). For example:

"StrippedTags": ["script", "object", "style", "noscript", "embed", "video", "audio", "canvas", "svg"]
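The following Python script is an added example, not code from SPS or One Identity. It assembles the fragments from Table 8 into one configuration and models the three indexing rules the table describes: Content-Type whitelist/blacklist matching (blacklist wins), decoding of urlencoded POST bodies with blacklisted form fields dropped and whitespace turned into underscores, and extraction of HTML attributes, always-indexed meta tags and visible text with stripped tags removed. Everything not stated in the table is an assumption and marked as such in the code: that each list entry is a regular expression matched against the whole string, that Content-Type parameters after ";" are ignored, that a meta tag whose content is always indexed does not also emit name=... for itself, and the sample inputs, which are constructed. Verify the matching semantics against your own SPS deployment before relying on a blacklist entry.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote

# Constructed configuration assembled from the fragments in Table 8 (not a file shipped with SPS).
INDEXER_CONFIG = {
    "General": {
        "Whitelist": ["text/.*", ".*json.*", "multipart/.*", "application/x-www-form-urlencoded"],
        "Blacklist": ["text/css", "application/javascript", "text/xslt", ".*xml.*"],
    },
    "Form": {"Blacklist": ["password", "pass"]},
    "Html": {
        "Attributes": ["href", "name", "value", "title", "id", "src"],
        "StrippedTags": ["script", "object", "style", "noscript", "embed", "video", "audio", "canvas", "svg"],
    },
}

# Meta names whose content attribute the guide says is always indexed.
ALWAYS_INDEXED_META = {"description", "keywords", "author", "application-name"}
# HTML void elements never get an end tag, so they must not open a "stripped" region.
VOID_ELEMENTS = {"embed", "img", "input", "br", "hr", "meta", "link", "area", "base",
                 "col", "source", "track", "wbr", "param"}


def _matches_any(patterns, text):
    # Assumption: a list entry is a regex that must match the whole string. The guide's
    # Form blacklist lists both "password" and "pass", which only makes sense if "pass"
    # does not already cover "password" as a substring match.
    return any(re.fullmatch(p, text) for p in patterns)


def _normalize(value):
    # Whitespace inside values becomes "_" so that each key=value term stays one token.
    return re.sub(r"\s", "_", value)


def content_type_is_indexed(content_type, cfg=INDEXER_CONFIG):
    """A message is indexed only if its Content-Type is whitelisted AND not blacklisted."""
    media_type = content_type.split(";", 1)[0].strip().lower()  # assumption: parameters ignored
    general = cfg["General"]
    return _matches_any(general["Whitelist"], media_type) and not _matches_any(general["Blacklist"], media_type)


def index_form_body(body, cfg=INDEXER_CONFIG):
    """Turn an application/x-www-form-urlencoded POST body into key=value index terms."""
    terms = []
    for key, value in parse_qsl(body, keep_blank_values=True):  # decodes percent-encoding and "+"
        if _matches_any(cfg["Form"]["Blacklist"], key):
            continue  # e.g. the password field of a login form never reaches the index
        terms.append(f"{key}={_normalize(value)}")
    return " ".join(terms)


class _HtmlIndexer(HTMLParser):
    """Collects attribute terms and visible text, skipping the subtree of stripped tags."""

    def __init__(self, attributes, stripped_tags):
        super().__init__()
        self.attributes, self.stripped = attributes, set(stripped_tags)
        self.skip_depth, self.terms, self.text = 0, [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.stripped:
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1
            return
        attrs = {k: v for k, v in attrs if v is not None}
        if tag == "meta" and attrs.get("name", "").lower() in ALWAYS_INDEXED_META and "content" in attrs:
            # Emitted as <meta name>=<content>. Assumption: the "name" attribute itself is not
            # repeated as name=description, which matches the guide's example output.
            self.terms.append(f"{attrs['name']}={_normalize(attrs['content'])}")
            return
        for name in self.attributes:  # key=value pairs, URL-decoded, whitespace -> "_"
            if name in attrs:
                self.terms.append(f"{name}={_normalize(unquote(attrs[name]))}")

    def handle_endtag(self, tag):
        if tag in self.stripped and tag not in VOID_ELEMENTS and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth and data.strip():
            self.text.append(data.strip())


def index_html(document, cfg=INDEXER_CONFIG):
    """Tags are stripped; attribute key=value terms come first, then the visible text."""
    parser = _HtmlIndexer(cfg["Html"]["Attributes"], cfg["Html"]["StrippedTags"])
    parser.feed(document)
    parser.close()
    return " ".join(parser.terms + parser.text)


# Constructed sample: the <head> from the guide's own example.
SAMPLE_HEAD = """<head>
    <meta name="description" content="Web page description">
    <meta name="keywords" content="HTML,CSS,XML,JavaScript">
    <meta name="author" content="Balabit SA">
    <meta charset="UTF-8">
</head>"""

if __name__ == "__main__":
    print(content_type_is_indexed("text/html; charset=utf-8"), content_type_is_indexed("text/xml"))
    print(index_form_body("user=alice%20smith&password=S3cret&pass=x&remember=on"))
    print(index_html(SAMPLE_HEAD))
```

Running the script shows the practical consequence of the blacklist-wins rule: text/xml is whitelisted by "text/.*" but still excluded by ".*xml.*", and a login POST loses its password and pass fields while the remaining fields are indexed as one token each. A field named, say, passwd would not be caught by the guide's two entries under whole-string matching, so extend the Form > Blacklist to every credential field name your applications actually use.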

Using the Search (classic) interface

This chapter describes how to browse the audit trails stored on SPS, or archived to a remote server, how to search for a specific audit trail, and also how to replay them from the browser.

Searching audit trails: the SPS connection database

SPS has a search interface for browsing the audit trails. This connection database also contains the various metadata about connections and connection requests. Search queries can contain only alphanumeric characters.

To access the search interface, navigate to Search > Search. Only users with the following privileges can access the Search page:

  • Members of groups who are configured as Authorizers with the Audit or Audit&Authorize permission set in the Access Control field of a connection policy. These users can access only the audit trails of the respective connections.

    For more information on configuring authorizers for a connection, see Configuring four-eyes authorization.

  • Members of groups who have the Search privilege set.

    Assigning the Search privilege to a user on the AAA page automatically enables the Search in all connections privilege, and grants the user access to every audit trail, even if the user is not a member of the groups listed in the Access Control option of the particular connection policy.

    For more information on configuring user rights, see User management and access control.

  • The admin user.

Figure 199: Search > Search — Browse the connections database

Changing the time interval:

The bars display the number of results in the selected interval. Use the zoom icons to zoom in and out, and the arrows to display the previous or the next interval. To explicitly select a date, select Jump to and set the date in the calendar. You can change the length of the displayed interval with the Scale option.

Hovering the mouse above a bar displays the number of entries and the start and end date of the period that the bar represents. Click a bar to display the entries of that period in the table. Use Shift+Click to select multiple bars.

Searching connections:

NOTE:

This feature is available only if auditing and content indexing was requested for the connection. For details, see Configuring the internal indexer.

To search in the content of the indexed audit trails, enter your search keywords in the Screen content field, and click Filter. Search is case insensitive. You can use complex expressions and boolean operators. For more information, see Using the content search.

Filtering search results:

Connection metadata is displayed in customizable columns that you can filter for any parameter, or a combination of parameters. To filter the list of search results, enter the filter expression in the input field of the appropriate column, and press Enter, or click on an entry in the table.

For the description of the available columns, see Connection metadata.

For information on using and saving filters, see Using and managing search filters.

NOTE:

When you use filters, the bars display the statistics of the filtered results.

Filtering also displays partial matches. Use the exact-match icon to perform an exact search, and the inverse-filter icon for inverse filtering ("does not include"). To clear the filters from a column, click the clear icon of that column.

To restore the original table, click Clear conditions.

TIP:

Use the drop-down menu of the Protocol column to quickly filter the list for a single protocol.

Exporting the search results:

To export the search results as a comma-separated text file, select Export format > CSV, and click Export.

For instructions on displaying statistics about your search results, see Displaying statistics on search results.

Viewing the details of a connection:

To display the summary of a connection, click the details icon, or use the shortcuts to view the corresponding connection details (for example, Events). The summary is displayed in the connection details pop-up window. For more information, see Connection details.

To download the audit trail of a session, click the icon in the Audit-trail column.

Connection details

The Details pop-up window provides in-depth information on each of the indexed audit trails stored in the connection database. You can use it to gain contextual insight about the indexed session and its events.

The pop-up window consists of two main parts: the header and the trail details. In the header, you can:

  • Move to the previous / next trail listed on the Search page with the previous and next buttons.

  • Search the current trail. Search is performed on the displayed audit trail only. When you move between trails, the search is reset to the query you used on the Search page (if you entered one). You can also revert to that query using the reset button. For details on using search expressions, see Using the content search.

  • Export / follow the trail. Click the export button to export the trail, or the follow button to follow an ongoing connection. The trail data is exported in .srs format, which you can open with the Safeguard Desktop Player application.

Figure 200: Audit trail details

Trail details:

The details section is organized into tabs (left) and screenshots (right). The Details tab is always visible. The All results, Events, and Alerts tabs are displayed dynamically, when there is matching content in the trail.

Details tab: Quick summary of the connection details (user, server, time).

  • User information: remote and gateway username. The gateway username corresponds to the Username field of the connection metadata database, so note the following:

    • If the user performed inband gateway authentication in the connection, the field contains the username from the gateway authentication (gateway username).

    • Otherwise, the field contains the username used on the remote server.

  • Connection information: connection verdict, protocol, connection policy, client and server address.

  • Session time: start and end time of the connection.

  • Trail information: whether the trail is indexed or archived.

  • Link: a link that leads to the Search page filtered to show only this connection. Note that if you share this link, other users can access the audit trail only if they have the required privileges, and can access SPS using the IP address in the link (SPS can be configured to be accessible using multiple IP addresses).

Figure 201: Details tab

All results tab: Matching results for your search on the Search page (or in the trail contents), in chronological order.

  • Date and time of the matching event.

  • Search rank. The displayed Rank indicates how closely the result matches your search query.

  • Screenshots. If screenshots are available for the trail, you can click each search result to view the corresponding screenshot.

Figure 202: All results tab

Events tab: Connection events, in chronological order.

  • Date and time of the event.

  • Event type (command, screen content, window title).

  • Event details.

Figure 203: Events tab

Alerts tab: Content policy alerts triggered in the session, in chronological order.

An event is listed as alert only if the Actions > Store in Connection Database option is selected in the Content Policy used to handle the session.

  • Date and time of the alert.

  • The type of the alert (command, screen content, credit card, window title).

  • The matching content.

  • Terminal buffer contents. If the alert is not visible on the screenshot, you can click the terminal buffer icon to view the contents of the full terminal buffer.

  • Screenshots. If screenshots are available for the trail, you can click each alert to view the corresponding screenshot.

Figure 204: Alerts tab

Screenshots are generated for search results and alerts when the trail is opened, and for subsequent searches. You can scroll between screenshots using the carousel, and view each screenshot in full size. Selecting a screenshot highlights the corresponding search result or alert.

Screenshots are not available for:

  • Ongoing connections.

  • Unindexed trails.

  • Trails of HTTP connections.

  • Encrypted trails (without the necessary certificate).

NOTE:

For SSH and Telnet trails, trail data is aggregated for each second. The screenshot you see reflects the terminal buffer as it was visible at the end of that second. If data was pushed off-screen during this second, the search still finds it, but it will not be visible on the generated screenshot.
