Unix and Linux Monitoring
Record SSH, Telnet and Console Sessions
At a Glance
ObserveIT audits, records, and analyzes all user activity from the moment the user initiates a shell login through the end of the session. ObserveIT records user activity in any interactive shell running on Unix/Linux machines, whether remotely (by Telnet, SSH, rlogin etc.) or locally by console login.
Beyond capturing a screen video recording, ObserveIT captures important hidden information about each command, by capturing the underlying system calls and resources affected. This information can be used to instantly locate particular actions, even from within thousands of hours of video. This data is also used to generate administrator-customizable real-time alerts based on specific user activity triggers, providing proactive warnings to security personnel about any suspicious or out-of-policy user actions.
What is Recorded
- All interactive shell logins to the system, whether they are via SSH, Telnet, local console or other connection method.
- The data stream to and from the terminal on which the login took place
- Each command line activity on the system
- The system calls triggered by the command line or script that are executed by the user
Session Audit Lists
See the details of all Unix/Linux sessions, sorted and grouped according to user, server or based on any full-text search of the logs ObserveIT has captured.
In many cases, this report list is already enough information for your auditing and troubleshooting needs.
Capturing Every User Action
ObserveIT captures all the internal actions and the names of files/resources affected by command line operations.
- Command line: Each user command line entry is captured.
- Visual Screen Activity: Everything on the screen is visually recorded, including user input and screen output.
- System Calls: ObserveIT also captures system calls triggered by each user command. Every file create/delete/open/permission change, process creation and link creation is fully exposed (ex: If the user runs an alias script named innocentScript that includes system calls to delete files and change user permissions, this info will also be captured.)
- Resources affected: In addition, captures each file or resource affected by the user command (ex: If the user types rm *.txt, ObserveIT will show the exact name of each file that was deleted)
To see a full visual replay of the user session, simply click on the Replay icon.
- Replay Window: The replay window shows exactly what took place on-screen
- Command Summary List: Quick navigation list showing each command the user typed
- DVD-like navigation: Navigate quickly through any session, using fast-forward/rewind or by jumping between each user command (similar to DVD chapter).
- Start replay mid-session: You can launch the replay at the exact location that you need. (ex. If user spent 2 hours in a session, and you see a suspicious command at the 90 minute mark in the Audit List, launch the replay at that exact time.)
Real-time User Activity Alerts
User activity alerts are powerful and flexible rules which specify the circumstances in which a user’s action will cause an alert to be generated. The rich user behavior analytics generated by ObserveIT allow alerts to be based on both login events and on specific user actions that occur during a session. Alerts are highlighted during session video playback, generate emails and are highlighted in relevant locations throughout the ObserveIT console.
By making important user activity events visible in real time, it is possible to quickly and effectively respond to any deliberate or inadvertent threats to IT security, system integrity, regulatory compliance or company policies.
Security and Reliability
Unlike with Unix/Linux utilities that log user actions, users (even root users) are not able to close the Agent in any way. The Agent embeds itself into any shell that is derived from a login process. This mechanism is connected both to the shell and to the auditing process, thus disabling any opportunity of tampering or closing the agent without closing the shell.
The Agent transfers all captured data to the app server securely using advanced encryption algorithms.
Config and Communication with ObserveIT App Server
The Agent receives policy rules and configuration updates from the server, and filters the recording activity accordingly.
In the event of temporary loss of communication, data is buffered locally until network connection is restored.
The Agent provides activity and status indications to the server, for direct monitoring.
Interaction with the User
The Agent can be configured to alert the user that all actions are being monitored.
ObserveIT can also send custom messages to the user regarding company policy and server activity notifications