ObserveIT Unix Auditor:
Records SSH, Telnet and Console Sessions
At a Glance
ObserveIT Unix Auditor is part of the ObserveIT Enterprise platform. It records all user activity from the minute the user initiates a shell login, through to the end of the session.
The Unix Auditor records user activity in any interactive shell running on the machine, and transfers the data to the ObserveIT Management Server. Recording begins whenever a user starts any interactive session on the system, whether remotely (by Telnet, SSH, rlogin etc.) or locally by console login.
ObserveIT captures important hidden information about each user command, by capturing the resources affected and system calls made by each command.
What is Recorded
- All interactive shell logins to the system, whether they are via SSH, Telnet, local console or other connection method.
- The data stream to and from the terminal on which the login took place
- Each command line activity on the system
- The system calls triggered by the command line or script that are executed by the user
Session Audit Lists
See the details of all Unix/Linux sessions, sorted and grouped according to user, server or based on any full-text search of the metadata ObserveIT has captured.
In many cases, this report list is already enough information for your auditing and troubleshooting needs.
Capturing Every User Action
ObserveIT captures all the internal actions and the names of files/resources affected by command line operations.
- Command line: Each user command line entry is captured.
- Visual Screen Activity: Everything on the screen is visually recorded, including user input and screen output.
- System Calls: ObserveIT also captures system calls triggered by each user command. Every file create/delete/open/permission change, process creation and link creation is fully exposed.
(ex: If the user runs an alias script named innocentScript that includes system calls to delete files and change user permissions, this info will also be captured.) - Resources affected: In addition, captures each file or resource affected by the user command.
(ex: If the user types rm *.txt, ObserveIT will show the exact name of each file that was deleted)
Video Replay
To see a full visual replay of the user session, simply click on the Replay icon.
- Replay Window: The replay window shows exactly what took place on-screen
- Command Summary List: Quick navigation list showing each command the user typed
- DVD-like navigation: Navigate quickly through any session, using fast-forward/rewind or by jumping between each user command (similar to DVD chapter).
- Start replay mid-session: You can launch the replay at the exact location that you need. (ex. If user spent 2 hours in a session, and you see a suspicious command at the 90 minute mark in the Audit List, launch the replay at that exact time.)
Security and Reliability
Unlike with Unix/Linux utilities that log user actions, users (even root users) are not able to close the Agent in any way. The Agent embeds itself into any shell that is derived from a login process. This mechanism is connected both to the shell and to the auditing process, thus disabling any opportunity of tampering or closing the agent without closing the shell.
The Agent transfers all captured data to the app server securely using advanced encryption algorithms.
Config and Communication with ObserveIT App Server
The Agent receives policy rules and configuration updates from the server, and filters the recording activity accordingly.
In the event of temporary loss of communication, data is buffered locally until network connection is restored.
The Agent provides activity and status indications to the server, for direct monitoring.
Interaction with the User
The Agent can be configured to alert the user that all actions are being monitored.
ObserveIT can also send custom messages to the user regarding company policy and server activity notifications
