
PAM agent sessions monitoring

Dears,

Hope all are well and safe.

When installing a PAM agent on a server, we are able to monitor the full activity of the users accessing the server through PAM (video/screenshots/keystrokes...).

Is there a way we can also monitor the sessions coming from outside of PAM, through RDP for example (also videos/screenshots/keystrokes, etc.)?

I am noticing the dashboard shows the sessions being accessed but not approved by PAM; but I am unable to monitor the activity happening during those sessions.

Best regards,

Georgio Maalouf

  • 0
    Yes. If you want to see the RDP session, you must add the command "rdp session" to the rule for your host and mark "video".
  • 0 in reply to 

    Dear,

    Thank you for your feedback.

    Please clarify where to assign the mentioned command (RDP Relay?), since as I said, an agent is installed on the server, the sessions running through PAM are monitored; while the sessions running outside of PAM are not monitored.

    Best regards,

    Georgio Maalouf

  • 0 in reply to 

    Please give me your host log.

     

  • 0 in reply to 

    Dear,

    Please advise if you need the unifid.log file, and if it shows the sessions going outside of PAM or not.

    Or if any other log file is needed.

    Best regards,
    Georgio Maalouf

  • 0 in reply to 

    Ok, let's try to set up the rules first. You need to go to the admin console. Go to the "command control" section.

    Create a rule for your host, drag the selected commands into this rule.

    Screenshot_1.png

    Then highlight your rule and change the value between the commands from "and" to "or".

    Screenshot_2.png

    Then edit the rules and set the values as in the picture.

    Screenshot_3.png

    Save the values. There should be a record if you connect to the host via RDP past PAM and if you connect to the host directly.

    You may need to install the audit package from the HOST page for your agent of the admin panel.

    Screenshot_4.png

  • 0   in reply to 

    The Direct RDP use case is the scenario to configure here to capture any Windows sessions where PAM Agents have been installed. This can be done with a single command control rule. An example of this use case can be found here: see Direct Remote Desktop Protocol for more details. So, for example, when any user logs into a Windows Server where the PAM Agent is installed using RDP, Windows would authorize the session for the user and PAM would honor that authorization based on the command control rule where 'Authorize: Yes' and 'Run User' and 'Run Host' are 'Submit User' and 'Submit Host', and then session capture or video monitoring can be configured. See the documentation link above for details.

     

    DO NOT install the audit manager package on the Agents - this will have very unfortunate consequences and is not the intended design. The base 4 packages that come with the Agent install are all that is necessary to fulfill the audited sessions - the data for these sessions is delivered to audit managers within the framework automatically and does not require that this 'audit' manager package be installed on every agent. Again, please do not do this.

  • 0 in reply to   
    Yes you are right! Forgot to write that the audit package is not needed
  • 0 in reply to   

    Dears,

    Please note I tried Lexon's reply and it worked and monitored the session.

    The only difference between the documentation and Lexon's reply is that the documentation asks to only add the command "windows direct session", while Lexon's reply mentions "RDP session" and "windows direct session".

    Should I remove the "rdp session" from the rule?

    Thank you.

  • 0 in reply to 

    "rdp session" is used to connect to the host in your PAM account, that is, via RDP Relay. If you do not enable this, you will not be able to connect via PAM with account spoofing.

    "windows direct session" is used to record actions without changing the account when connecting to the host directly.

    You can delete "rdp session" if you don't use Relay.

  • 0 in reply to 

    Well noted.

    Thank you for your feedback.

    Regarding the video capture, I noticed the recordings cannot be longer than 2 mins, but that means the recording will not cover the full user session. Is this adjustable? I logged in to PAM and checked the video settings, and we cannot choose longer than 2 mins, which means if the user's session was 10 mins, PAM will only record 2 mins.

    Georgio