We have a question regarding session recording. Is there a quick way to tell or search what Target Account is being used during a session recording? For example, if Audit requests that we provide all session recordings for Target Account XYZ, how can we accomplish this? In the Session Recordings screen, all we see are the Dates, End User, Device, etc., but not the account being used.
Release : any (as of May 2022)
Component : PRIVILEGED ACCESS MANAGEMENT
As of May 2022 the Sessions > Session Recordings page has no information on the target account being used in any PAM release, and cannot be filtered by target account.
To find session recordings for a given target account, the best way for now is to look for PAM-CMN-1420 messages in the session logs, like
PAM-CMN-1420: Auto-login initiated with target account Name : root and target account Id : 58001
These should be followed by PAM-SPFD-0027 (recording start) and PAM-SPFD-0028 (recording end) messages, e.g.
PAM-SPFD-0027: CA PAM[786715]: Starting processing of session recording;
...
PAM-SPFD-0028: CA PAM[786715]: Closing processing of session recording;
The number in brackets (786715) is a process id (PID) that can be used to match the two messages.
The PAM-CMN-1420 message shows the ID of the target account, which is unique even when the account name (e.g. root) is not. If the account name is not unique, use the remote CLI or a REST API call to get the ID of the account of interest, or launch an access session using that account for auto-login and observe the ID in the resulting PAM-CMN-1420 message.
The PAM-CMN-1420 message also includes the target device name and the PAM username. In a cluster environment, do not look for PAM-CMN-1420 messages on individual PAM nodes; look on the syslog or Splunk server that all your PAM nodes send their syslog messages to, so that sessions handled by any node are covered. Once you have identified the activity of interest, go back to the Session Recordings page in PAM, filter by user and optionally by device name, and find the recording of interest based on its start time. It should match the time of the PAM-CMN-1420 message within a few seconds.
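The correlation described above can be scripted against an export of the aggregated syslog stream. The following is an added example, not code from the KB article or from the PAM product. It assumes a syslog line layout of "timestamp host code: body" and assumes that the device name and PAM username appear in the PAM-CMN-1420 body as "for device Name : ... by user Name : ..."; the KB text only says those fields are present, so adjust the AUTOLOGIN regular expression to the exact wording in your logs. The sample lines are constructed and show two different "root" accounts (IDs 58001 and 58002) on two cluster nodes, so a search by account ID returns only the one you want.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the aggregated syslog stream from two PAM cluster
# nodes. Not real appliance output: the syslog header and the "for device /
# by user" suffix are assumptions about the message layout; the message codes
# and the "Name : ... Id : ..." wording follow the text of the KB article.
SAMPLE_SYSLOG = """\
2022-05-10T09:14:02Z pam-node1 PAM-CMN-1420: Auto-login initiated with target account Name : root and target account Id : 58001 for device Name : linux-db01 by user Name : alice
2022-05-10T09:14:03Z pam-node1 PAM-SPFD-0027: CA PAM[786715]: Starting processing of session recording;
2022-05-10T09:20:41Z pam-node2 PAM-CMN-1420: Auto-login initiated with target account Name : root and target account Id : 58002 for device Name : linux-web03 by user Name : bob
2022-05-10T09:20:42Z pam-node2 PAM-SPFD-0027: CA PAM[12345]: Starting processing of session recording;
2022-05-10T09:31:17Z pam-node1 PAM-SPFD-0028: CA PAM[786715]: Closing processing of session recording;
2022-05-10T09:45:00Z pam-node2 PAM-SPFD-0028: CA PAM[12345]: Closing processing of session recording;
"""

# Assumed syslog header: ISO timestamp, host name, PAM message code, body.
HEADER = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<code>PAM-[A-Z]+-\d+): (?P<msg>.*)$")
# Assumed layout of the PAM-CMN-1420 body (device/user wording is hypothetical).
AUTOLOGIN = re.compile(
    r"target account Name : (?P<account>.+?) and target account Id : (?P<account_id>\d+)"
    r" for device Name : (?P<device>\S+) by user Name : (?P<user>\S+)"
)
# The number in square brackets in PAM-SPFD-0027/0028 is the PID used to pair them.
PID = re.compile(r"CA PAM\[(?P<pid>\d+)\]")


def parse_line(line):
    """Split one syslog line into timestamp, node, message code and body."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def pid_of(event):
    """PID from a PAM-SPFD-0027/0028 body, or None if the line carries none."""
    m = PID.search(event["msg"])
    return m.group("pid") if m else None


def find_recordings(log_text, target_account_id, window_seconds=30):
    """Return one dict per session recording that used the given target account ID.

    Correlation: a PAM-CMN-1420 line for the account is paired with the next
    PAM-SPFD-0027 from the same node within window_seconds; that recording's
    PAM-SPFD-0028 is then located through the PID in square brackets.
    """
    events = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    results = []
    for i, ev in enumerate(events):
        if ev["code"] != "PAM-CMN-1420":
            continue
        m = AUTOLOGIN.search(ev["msg"])
        if not m or m.group("account_id") != str(target_account_id):
            continue
        start = next(
            (e for e in events[i + 1:]
             if e["code"] == "PAM-SPFD-0027" and e["host"] == ev["host"]
             and e["ts"] - ev["ts"] <= timedelta(seconds=window_seconds)),
            None,
        )
        if start is None:
            continue  # auto-login with no recording start nearby: review manually
        pid = pid_of(start)
        end = next(
            (e for e in events
             if e["code"] == "PAM-SPFD-0028" and e["host"] == start["host"]
             and pid_of(e) == pid and e["ts"] >= start["ts"]),
            None,
        )
        results.append({
            "pam_user": m.group("user"),
            "device": m.group("device"),
            "account": m.group("account"),
            "node": ev["host"],
            "pid": pid,
            "start": start["ts"],
            "end": end["ts"] if end else None,  # None: recording still open or log truncated
        })
    return results


if __name__ == "__main__":
    # Each result gives the user/device filter and the start time to look for
    # on the Session Recordings page.
    for r in find_recordings(SAMPLE_SYSLOG, 58001):
        print(f"user={r['pam_user']} device={r['device']} node={r['node']} "
              f"pid={r['pid']} start={r['start']} end={r['end']}")
```

On a real syslog server, feed the script the relevant log file instead of SAMPLE_SYSLOG, and keep the node (host) in the output: the same PID can recur on different nodes, so the PID only pairs PAM-SPFD-0027 with PAM-SPFD-0028 within one node. The start time in the output is what you then match against the recording's start time on the Session Recordings page after filtering by the reported user and device.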
When you view a session recording, the target account used for auto-login should be shown in the User Info section on the left for RDP sessions and for SSH sessions using a TCP/UDP service. For the built-in SSH access method this information is not provided, but the account name can typically be seen in the shell prompt, that is, in the recorded text.