Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.2.0 - Safeguard Desktop Player User Guide

Export the audit trail as video

The following describes how to export an audit trail as a video file (optionally including the accompanying subtitles). Note that you must open the audit trail in order to export it.

Prerequisites:

The exported files use the WEBM format with the VP8 codec. You can replay WebM videos in most modern browsers, and several media player applications. For details, see the Playing WebM Video page. Note that for Internet Explorer, you must install an add-on.

To export an audit trail as a video file

  1. Open the audit trail in the Safeguard Desktop Player application.

    If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replay encrypted audit trails.

  2. Click EXPORT > Export video.

  3. If the audit trail contains multiple channels that can be replayed, select which channels you want to export.

  4. To export the subtitles listing the user events that occurred in the session (window titles that appeared on the screen, commands executed, mouse activity, and keystrokes), select the Subtitle checkbox.

  5. Click , and select the directory where you want to save the video file.

  6. Click EXPORT.

Sharing an encrypted audit trail

The following describes how to share an encrypted audit trail with a third party. Note that you must open the audit trail in order to export it.

  • Export the audit trail as a video file

  • If you want the third party to be able to replay the audit trail with the Safeguard Desktop Player, complete the following steps. Currently you can do this only using the command line.

Prerequisites:

This procedure involves encrypting the audit trail with an encryption key that you can share with the third party. Encrypting audit trails requires an X.509 certificate in PEM format that uses an RSA key.

You will also need the audit trail file that you want to share, and the encryption key(s) required to replay it. You cannot use this procedure to encrypt an audit trail that is not already encrypted.

NOTE:

Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.

One Identity recommends using 2048-bit RSA keys (or stronger).

To share an encrypted audit trail with a third party

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.

  1. Specify the audit trail to process, its decryption key, the new audit trail file, and the new encryption key.

    Windows: adp.exe --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>

    Linux or MacOS: ./adp --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>

    If the audit trail is encrypted with multiple keys, repeat the --key <keyfile.pem:passphrase> option. Include the colon (:) character even if the key is not password-protected. For example:

    ./adp --task rekey --file /tmp/ssh-171128T1353-frobert-frobert-10.30.255.68.zat --key /tmp/indexer-certificate-key.pem: --out /tmp/shared-ssh.zat --new-cert /tmp/new-encryption-certificate.pem
  2. Open the output file in the Safeguard Desktop Player and import the private key of the certificate you used to re-encrypt the audit trail. Verify that you can replay the audit trail. If it is working as expected, you can share the re-encrypted audit trail file and the private key with third parties, they will be able to replay the audit trail using the SPS application.

Replay X11 sessions

The Safeguard Desktop Player application can replay audit trails that contain graphical X11 sessions (the contents of the X11 Forward channel of the SSH protocol). You can replay X11 sessions similarly to other audit trails, but note the following points.

  • X11 sessions can contain several different X11 channels. For example, some applications open a separate channel for every window they display. The Safeguard Desktop Player application automatically merges these channels into a single channel, to make reviewing the sessions easier. Since these audit trails can contain SSH terminal channels as well, you can choose between replaying the SSH sessions and the X11 session in the CHANNELS > X11 section of the audit trail data.

  • If you need the list of X11 channels that the audit trail contains, they are listed in CHANNELS > X11 > channel_ids section of the audit trail data.

  • The Safeguard Desktop Player stores the fonts used to display the texts in the audit trail in the <desktop-player-installation-folder>/fonts folder.

Export transferred files from SCP, SFTP, HTTP, and RDP audit trails

You can export the files that the user transferred in an SCP, SFTP, and HTTP sessions as well as via RDP clipboard. You can export such files from the audit trails using the command line or the GUI of Safeguard Desktop Player.

NOTE:

Exporting transferred files via RDP clipboard is a feature that has been tested with Microsoft-supported clients.

Related Documents