Real-time content monitoring with Content Policies
You can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command or text) appears in the command line or on the screen, or if a window with a particular title appears in a graphical protocol. Since content-monitoring is performed real-time, SPS can prevent harmful commands from being executed on your servers. SPS can also detect numbers that might be credit card numbers. The patterns to find can be defined as regular expressions. In case of ICA, RDP, and VNC connections, SPS can detect window title content.
The following channels support content policies:
-
SSH Session shell (event type: Commands/Screen Content/Credit card)
-
Telnet (event type: Commands/Screen Content/Credit card)
-
RDP Drawing (event type: Window title detection)
-
VNC (event type: Window title detection)
-
ICA Drawing (event type: Window title detection)
For details, see Real-time content monitoring with Content Policies.
|
|
NOTE:
Using content policies significantly slows down connections (approximately 5 times slower), and can also cause performance problems when using the indexer service. |
The following describes how to create a new content policy that performs an action if a predefined content appears in a connection.
For details, see Creating a new content policy.
To create a new content policy that performs an action if a predefined content appears in a connection
-
Navigate to Policies > Content Policies, click
and enter a name for the policy.
-
Select the Event type that you want to monitor.
-
Select Match, click
-
To add an exception to the Match rule, select Ignore, click
-
Select the action to perform.
-
Click
.
-
To use the content policy created in the previous steps, select the policy in the channel policy that is used to control the connections.
Indexing service
One Identity Safeguard for Privileged Sessions (SPS) can index the contents of audit trails using its own indexer service or external indexers. Indexing extracts the text from the audit trails and segments it to tokens. A token is a segment of the text that does not contain whitespace: for example words, dates (2009-03-14), MAC or IP addresses, and so on. The indexer returns the extracted tokens to SPS, which builds a comprehensive index from the tokens of the processed audit trails.
Once indexed, the contents of the audit trails can be searched from the web interface. SPS can extract the commands typed and the texts seen by the user in terminal sessions, and text from graphical protocols like RDP, Citrix ICA, and VNC. Window titles are also detected.
SPS has an internal indexer, which runs on the SPS appliance. In addition to the internal indexer, external indexers can run on Linux hosts.
Processing and indexing audit trails requires significant computing resources. If you have to audit lots of connections, or have a large number of custom reports configured, consider using an external indexer to decrease the load on SPS. For sizing recommendations, ask your One Identity partner or contact our Support Team.
For details, see Indexing audit trails.
Using the content search
To most effectively search in the contents of the audit trails, make sure that the following prerequisites are met:
-
Indexing was enabled in the connection policy related to the audit trail during the session, and
-
the audit trail has already been indexed.
For details, see Using the content search.
Configuring the internal indexer
Indexing audit trails allows you to search in the content of the audit trails, for example, to search for specific texts that the user has seen or typed in the session. The following describes how to configure SPS to index the audit trails. For details, see Configuring the internal indexer.
To configure SPS to index the audit trails
-
Navigate to Basic Settings > Local Services > Indexer service, and select Indexer service.
-
Define the Maximum parallel audit trails to index on box. The default value is set to the number of detected CPU cores.
-
(Optional) If you have encrypted audit trails and you want to index them, upload the necessary RSA keys (in PEM-encoded X.509 certificates).
-
Click
-
Navigate to Policies > Indexer Policies.
-
To create a new Indexer Policy, click
-
To configure what languages to detect, select Manual language selection. Select the language(s) to detect.
-
Navigate to the Control page of the traffic type (for example SSH Control), and select the connection policy to index.
-
Select Enable indexing.
-
To determine the priority level of indexing this connection, select the appropriate Priority level.
-
Select the Indexing Policy to be used.
-
Click
-
Check which channel policy is used in the connection, and navigate to the Connection policies page.
-
Select the channel policy used in the connection to index, and verify that the Record audit trail option is selected for the channels you want to index (for example, the Session shell channel in SSH, or the Drawing channel in RDP).
-
Click
-
Test the new configuration: try to initiate a connection from the client (your computer) to the server.
-
After successfully connecting to the server, do something in the connection, for example, execute a simple command in SSH (for example, ls /tmp), or launch an application in RDP (for example, the Windows Explorer), then disconnect from the server.
-
Navigate to Search on the SPS web interface. Your sessions are displayed in the list of connections. Note that for the transparent connection, the client addresses the target server, while the non-transparent connection addresses SPS.
-
Click the
icon. A summary will be displayed about the connection. Enter a text that was displayed in the connection into the search box, for example, the command you executed in SSH, or a menu item or other text you have seen in RDP (for example, Start). SPS will automatically generate a screenshot showing when the text was displayed in the connection.