Auditing Sessions
If you have completed all the steps in the preceding chapters, the audit and monitoring service has been auditing your sessions as an administrator and the user account you created. This chapter describes how to view audited sessions, update the review status, and use queries to find the sessions in which you’re interested.
Using Audit Analyzer to Replay a Session
If you selected both Privilege Elevation Service and Auditing and Monitoring Service features, the Agent for Windows has been capturing your activity as you logged on and off and switched between roles. You can replay those recorded sessions to see detailed information about what you did during the evaluation. Before you can replay the sessions captured, however, you use Audit Analyzer to locate the sessions you are interested in using a set of predefined queries. For example, there are predefined queries for sessions that started Today and This Month and sessions where the Windows Command Prompt or Windows MMC tools were used.
To select and replay a session:
-
Open Audit Analyzer to view captured sessions grouped by predefined queries.
-
Select a predefined query, such as Today or Active Sessions, in the left pane to display a list of sessions in the right pane.
Note that the date queries show sessions that started during the specified time interval. If a session started three days ago and is still active, itis listed under This Week and Active Sessions, but not under Today or Yesterday.
-
Double-click a session to retrieve the session from the database and open the session replay window.
The session replay window displays information similar to the following:
The replay progress is shown in the play bar along the bottom of the window. If you double-click an event, you can watch the recording of just that event.
Magnifying the Recorded Session
You can click the magnifier in the replay window to enlarge a portion of the recorded screen. The magnifier appears as a magnifying-glass pointer in the replay pane. Click to toggle the magnifier on or off.
Controlling Playback Speed or Session Location
For normal playback operation, you can click Play or Pause to start or pause a session. You can also fast forward by clicking the Speed control. The Timepoint needle shows you the current location in the session. You can drag the needle to any point in the session. The Real-time icon to the right of the time bar indicates that the session plays in a smooth time sequence. If you want to play back the session moving swiftly from one user action to the next, click the icon to gray it out. The Session point indicates the date and time of the Timepoint needle.
Marking Sessions for Review or Action
You can use Audit Analyzer to manage the status of sessions that are pending review or action. For example, you can update the status of individual sessions using the following states:
- To be Reviewed
- Reviewed
- Pending for Action
- To be Deleted
After you have marked sessions to be reviewed or pending action, you can use the predefined queries Sessions to be Reviewed and Sessions Pending for Action to see only the sessions in those states.
To update the review status for a session:
-
Select a query then select an individual session.
-
Right-click and select Update Review Status, then select a review state.
For example, if the session is new and has not been reviewed, select To be reviewed.
-
Type a comment at the prompt, then click OK.
-
Click Sessions to be Reviewed in the left pane to see the session displayed.
You can also view the review status and comments for a session by right-clicking a session, then select Properties.
-
Select one or more sessions and update the review status to Reviewed.
Again, you will be prompted to provide a comment for the change in status. Type a new comment and click OK.
Using the Indexed Event List
If you don’t want to replay an entire session, you can use the indexed event list to view a summary of events recorded in a session, then selective start the replay at a specific event of interest.
To use the indexed event list:
-
Select a query then select an individual session.
-
Right-click and select Indexed Event List.
-
Select a session event in the lists to start the replay at that event.
Creating Custom Queries
Predefined queries searches the audit store database for sessions that meet the specific criteria. To see the search criteria, right-click a query, select Properties, then click the Definition tab.
You can write your own queries to search for sessions that meet specific criteria of your choosing. The following example illustrates how to build a query that finds all of the sessions that have been reviewed.
To create a custom query for sessions that have been reviewed:
-
Open Audit Analyzer.
-
Select Audit Sessions, right-click, then select New Shared Query.
-
Type Reviewed Sessions for the name of the query and enter a description for the query. For example, type Sessions that have been reviewed by department auditors.
-
Deselect UNIX session as the type of session to include.
-
Click Add to add criteria.
Notice that review = Reviewed appears in the Criteria field of the New Query dialog box.
-
Select Review Status from the Attribute list, select Reviewed, then click OK.
-
Click Add again.
-
Select Session Time, select the bottom radio button and Is in, then select this month and click OK.
-
Verify the Criteria displays both rules, then click OK to complete the query.
After you click OK, the query is listed under Shared Queries.
-
Click the custom query to get the results.
Creating a Quick Query
You can also perform quick text string searches in Audit Analyzer.
To create a quick text string query for sessions:
-
Open Audit Analyzer.
-
Select Audit Sessions, right-click, then select New Quick Query.
-
Type a search string into the dialog box.
As you type, the Quick Query displays a list of possible matches that start with the text you are typing. If an item in the list is what you are lookingfor, select it, then click Find to display all matching sessions in the right pane.
Auditing Only Specific Events
The integration of access management and auditing makes it possible for you to audit only when a user switches to a specific desktop or role. Although you can use database queries in Audit Analyzer to find recorded events of a particular type, you can save space in your database by recording only those events in which you’re most interested.
Specifying which Roles or Desktops to Audit
To limit auditing to specific roles or desktops, you turn off more generalized auditing and enable auditing for just the roles you care about. The following example illustrates how to audit only when the user switches to a privileged desktop.
To audit only when the user switches to a privileged desktop:
-
Log in to the computer as the Administrator and open Access Manager.
-
Expand the console tree to the Authorization node for your evaluation zone.
-
Expand Role Definitions, select the DesktopAdmin role, right-click, then select Properties.
-
Click the Audit tab, select Audit if possible or Audit required.If auditing is required, users are prevented from using the role if auditing is not available or the agent is not running.
-
Log off and then log in as amy.adams.
-
Verify that you do not have elevated privileges by trying to change firewall settings in Control Panel.
-
Open a new desktop and select the DesktopAdmin role.
-
Perform operations, such as running the Firewall Control Panel and accessing the remote share on the Windows server, for which you need elevated privileges.
-
Switch back to your default desktop.
-
Open Audit Analyzer, select the Active Sessions node, and refresh the display.
-
Open the currently active session for the Windows client computer.
You should find that only the portion of the session when you were using the DesktopAdmin desktop was recorded.
Audit Trail of Privileged Events
Even when the auditing and monitoring service is not recording a session, it keeps a record of every event in which the user selected a role that provides elevated privileges.
To view audit trail events for elevated privileges:
-
Log in using your administrator account and open Access Manager.
-
Expand the console tree to the Authorization node for your evaluation zone.
-
Select the ControlPanelAdmin role, right-click, then select Properties.
-
Click the Audit tab and select Audit not requested/required.
-
Log off and then log in as amy.adams.
-
Verify that you do not have elevated privileges by trying to change firewall settings in Control Panel.
-
Right-click your Control Panel shortcut, select the ControlPanelAdmin role, and verify that you now have the rights to change firewall settings.
-
Close Control Panel and perform several more operations.
-
On the Windows client computer, open Audit Analyzer, select Active Sessions, and refresh the display.
-
Open the currently active session for your Windows client computer. You should find that none of your recent operations were recorded.
-
Right-click the Audit Events node, then select Query Audit Events.
-
In the dialog box, enter your search criteria, such as a role name, event time, or the type of event you are interested in locating, then clickOK. All of the events that match the criteria you specify are listed. Ifthe event involved an audited role and you are capturing video records ofaudited activity, you can right-click an event to Replay the activity recorded.
All of the events that match the criteria you specify are listed. If the event involved an audited role and you are capturing video records ofaudited activity, you can right-click an event to Replay the activity recorded.
Additional Auditing Tools
Because the evaluation computer has the complete auditing infrastructure, you have several additional tools available for managing different components of that infrastructure. For example, computers that have the Agent for Windows installed also have the following Auditing and Monitoring Service Settings. You also have access to the Audit Collector Control Panel, Audit Management Control Panel, and Audit Manager console. All of these programs are available from the Windows Start menu.
You use the control panels to configure and troubleshoot the component operations. Audit Manager provides a overview of all audit-related components. From Audit Manager, you can view the status of components, modify component properties and relationships, and manage audit store databases. You can also use Audit Manager to create audit roles, assign users to the audit roles, and manage permissions.
Audit Manager includes one Master Auditor role with full control over the installation. As the Master Auditor, you can manage and control all permissions for the installation.