Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.2.1 - Safeguard Desktop Player User Guide

Summary of changes Features and limitations Installing Safeguard Desktop Player First steps Validating audit trails Replaying audit trails Replaying encrypted audit trails Replaying encrypted audit trails from the command line Replaying audit files in follow mode Searching in the content of the current audit file Search query examples Exporting the audit trail as video Exporting the sound from an audit trail Exporting zat and zatx files Sharing an encrypted audit trail Replaying X11 sessions Exporting transferred files from SCP, SFTP, HTTP, and RDP audit trails Exporting raw network traffic in PCAP format Exporting screen content text Troubleshooting the Safeguard Desktop Player Keyboard shortcuts

Replaying X11 sessions

With the Safeguard Desktop Player application, you can replay audit trails that contain graphical X11 sessions (the contents of the X11 Forward channel of the SSH protocol). You can replay X11 sessions similarly to other audit trails, but consider the following points:

  • X11 sessions can contain several different X11 channels. For example, some applications open a separate channel for every window they display. The Safeguard Desktop Player application automatically merges these channels into a single channel, to make reviewing the sessions easier. Since these audit trails can contain SSH terminal channels as well, you can choose between replaying the SSH sessions and the X11 session in the CHANNELS > X11 section of the audit trail data.

  • If you need the list of X11 channels that the audit trail contains, they are listed in CHANNELS > X11 > channel_ids section of the audit trail data.

  • The Safeguard Desktop Player stores the fonts used to display the texts in the audit trail in the <desktop-player-installation-folder>/fonts folder.

Exporting transferred files from SCP, SFTP, HTTP, and RDP audit trails

You can export the files that the user transferred in SCP, SFTP, and HTTP sessions as well as through the RDP clipboard. You can export such files from the audit trails using the command line or the Safeguard Desktop Player GUI.

NOTE: Exporting transferred files through the RDP clipboard is a feature that has been tested with Microsoft-supported clients.

Exporting files from an audit trail after RDP file transfer through clipboard or disk redirection

Prerequisites

Configure SPS to allow exporting files from an audit trail. For more information, see Configuring SPS to enable exporting files from audit trails after RDP file transfer.

NOTE: By default, the Safeguard Desktop Player application only exports complete files. To export partially transferred files, see Exporting transferred files from SCP, SFTP, HTTP and RDP audit trail using the command line.

To export files from an audit trail after RDP file transfer through clipboard or disk redirection

  1. Navigate to Main Menu > Search in SPS, select the session during which the files were copy-pasted through the clipboard or transferred through disk redirection, and click .
  2. Click , save the .zat file, and open the Safeguard Desktop Player application.
  3. Open the .zat file and click in the Safeguard Desktop Player interface window.
  4. Navigate to EXPORT > Export transferred files... and select Choose in the Select folder – Safeguard Desktop Player window. Safeguard Desktop Player automatically displays the files in a new window under EXPORTED FILES (<number of files>), with information about the files' original path.
  5. (Optional) Open the files to see if the export was successful.

Exporting transferred files from SCP, SFTP, HTTP and RDP audit trail using the command line

This section describes how to export the files that you transferred, using the command line, in one of the following sessions:

  • SCP

  • SFTP

  • HTTP

  • RDP

To export the files that you transferred in an SCP, SFTP, HTTP, or RDP session using the command line

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player.

By default, the installation directories on the different operating systems are the following:

  • On Microsoft Windows platforms: C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\

  • On Linux: ~/SafeguardDesktopPlayer

  • On MacOS: /Applications/Safeguard Desktop Player.app/Contents/Resources/

NOTE: By default, the Desktop Player only exports complete files. If you want to export partially transferred files as well, use the adp --export-files command.

  1. List the channels in the audit trail, and find the one you want to extract files from. Note down the ID number of this channel as it will be required later on (it is 3 in the following example).

    • Windows: adp.exe --task channel-info --file <path/to/audit-trail.zat>

    • Linux or MacOS: ./adp --task channel-info --file <path/to/audit-trail.zat>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected. Example output:

    Channel information : ssh-session-exec-scp:3
  2. Export the files from the audit trail. Use the ID number of the channel from the previous step.

    Windows: adp --task indexer --channel 3 --file <path/to/audit-trail.zat> --export-files <folder/to/save/files/>

    Linux or MacOS: adp --task indexer --channel 3 --file <path/to/audit-trail.zat> --export-files <folder/to/save/files/>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

  3. Check the output directory for the exported files.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating