Proofpoint | ObserveIT On-Premises Insider Threat Management

Data Recording Policy

The following features enable you to configure a data recording policy which controls how much data is recorded during user sessions:

  • Recording in Commands Only or Standard mode

  • Limiting Output Data Recording

  • Configuring recording using SFTP

These features are supported on Unix-based server policies only.

Recording in Commands Only or Standard Mode

On Unix/Linux-based operating systems, the ObserveIT Agent records:

  • All interactive shell logins to the system, whether via SSH, Telnet, or the local console.

  • Every command line executed on the system.

  • Every activity that produces screen output (captured as a visual recording).

  • System functions invoked by commands or scripts that the user ran.

Recording on Unix/Linux-based operating systems can be handled in these modes:

  • Commands only mode (the default) records session commands without terminal output. This mode is recommended for integration with SIEM solutions. It also prevents the server from being overloaded when a command generates a large volume of output (for example, viewing large log files), and it is recommended for privacy reasons, because data that appears only in terminal output (such as personal data) is not recorded.

  • Standard mode records both commands and terminal output.

In the ObserveIT Web Console, you can configure the recording mode manually per endpoint (Agent) from the Configuration > Endpoints page, or by using Recording Policies to configure many endpoints (Agents) simultaneously.

To configure the recording mode using Recording Policies

  1. In the Configuration > Endpoint Management > Recording Policies page, click Create or select a server policy template (Unix-based policy).

  2. In the Data Recording Policy section of the Recording Policy Template page, select the recording mode.

  3. Click Save to save the changes.

Setting changes take effect for new user sessions only, after the current sessions are closed. Before saving, you can revert to the default settings by clicking the Default button.

Limiting Output Data Recording

During session recording in a Unix/Linux environment, if there is no user input and the volume of output exceeds the defined limit, recording of output data stops. Recording resumes in a new session as soon as there is new user activity. By limiting output data recording, you control the volume of recorded output for a session while there is no user activity (for example, when the user runs "tail -f" on the OS messages/syslog file and a high volume of logging messages is written to that file). You can also limit the number of commands that are recorded when a script runs without user input.

In the ObserveIT Web Console, on Unix and Linux-based server policies, you can configure a recording policy for limiting output data recording, by specifying a maximum output data size that is allowed to be recorded before a session is closed when there is no user input.

You can configure output data recording thresholds per endpoint (Agent) from the Configuration > Endpoints page, or by using Recording Policies to configure many endpoints (Agents) simultaneously.

To configure thresholds for output data recording using Recording Policies

  1. In the Configuration > Endpoint Management > Recording Policies page, click Create or select a server policy template (Unix-based policy).

  2. In the Data Recording Policy section of the Recording Policy Template page, select the check boxes next to the required options (by default they are all selected).

    • Stop recording session output beyond: This option defines a limit (in KB or MB) on the size of session output recorded before new user input is received. The default size is 1000 kilobytes; zero means that there is no data size limit.

    • Stop recording command output beyond: This option defines a limit (in KB or MB) on the volume of output recorded for a single command before a new command or new user input is received. The limit applies to each command separately; each new command starts a new recording session for its output. The default size is 500 kilobytes; zero means that there is no data size limit.

    • Stop recording commands beyond: This option defines a limit on the number of commands that are recorded when a script runs without new user input. The default limit is 9,000 commands, and you can configure a maximum of 20,000.

  3. Click Save to save the changes.

Setting changes take effect for new user sessions only, after the current sessions are closed. Before saving, you can revert to the default settings by clicking the Default button.
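To see how the three thresholds interact before you tune them, the following simulator replays a constructed stream of terminal events (user input, command starts, output chunks) against a policy and reports what would still be recorded. It is an added illustration written for this page, not ObserveIT Agent code: the event model, the `Limits`/`PolicySimulator` names, the scaled-down limits in the demo, and the choice to represent "recording resumes in a new session" as an incrementing session number are all assumptions made here. The defaults in `Limits` are the documented ones (1000 KB, 500 KB, 9,000 commands; zero disables a size limit).

```python
"""Simulation of the Unix Data Recording Policy output thresholds.

Added example for illustration only; it is not ObserveIT code and the event
model is an assumption.  It shows which terminal output survives the three
"Stop recording ... beyond" limits when a command is chatty or a script runs
many commands without any user input.
"""
from dataclasses import dataclass, field

KB = 1024


@dataclass
class Limits:
    """Thresholds from the Data Recording Policy (documented defaults; 0 = no limit)."""
    session_output_kb: int = 1000   # "Stop recording session output beyond"
    command_output_kb: int = 500    # "Stop recording command output beyond"
    max_commands: int = 9000        # "Stop recording commands beyond"

    def session_cap(self):
        return self.session_output_kb * KB if self.session_output_kb else None

    def command_cap(self):
        return self.command_output_kb * KB if self.command_output_kb else None


@dataclass
class PolicySimulator:
    limits: Limits = field(default_factory=Limits)
    session: int = 1
    session_out: int = 0            # bytes recorded since the last user input
    command_out: int = 0            # bytes recorded for the current command
    commands_since_input: int = 0
    session_stopped: bool = False   # session output cap reached; wait for input
    events: list = field(default_factory=list)   # (session, kind, detail)

    def user_input(self, line: str) -> int:
        """User typed something: all counters reset.  If output recording had
        stopped, recording resumes in a new session (modelled as session + 1)."""
        if self.session_stopped:
            self.session += 1
            self.session_stopped = False
        self.session_out = self.command_out = self.commands_since_input = 0
        self.events.append((self.session, "input", line))
        return self.session

    def command(self, argv: str) -> bool:
        """A command starts (typed, or launched by a script without input).
        Returns whether the command itself is recorded (assumption: commands
        past max_commands are dropped until the next user input)."""
        self.commands_since_input += 1
        self.command_out = 0            # per-command output cap restarts
        if self.limits.max_commands and self.commands_since_input > self.limits.max_commands:
            return False
        self.events.append((self.session, "command", argv))
        return True

    def output(self, data: bytes) -> int:
        """Terminal output for the current command.  Returns bytes recorded."""
        if self.session_stopped:
            return 0
        room = len(data)
        scap, ccap = self.limits.session_cap(), self.limits.command_cap()
        if scap is not None:
            room = min(room, scap - self.session_out)
        if ccap is not None:
            room = min(room, ccap - self.command_out)
        room = max(room, 0)
        self.session_out += room
        self.command_out += room
        if room:
            self.events.append((self.session, "output", room))
        if scap is not None and self.session_out >= scap:
            self.session_stopped = True   # nothing more until new user input
        return room


def demo_tail_f(limits: Limits = Limits(session_output_kb=4, command_output_kb=2, max_commands=3)) -> dict:
    """Constructed scenario with deliberately tiny limits so the caps are hit quickly."""
    sim = PolicySimulator(limits)
    # 1) "tail -f" on a busy log: 10 KB of output arrives with no further input.
    sim.user_input("tail -f /var/log/messages")
    sim.command("tail -f /var/log/messages")
    tail_bytes = sum(sim.output(b"x" * KB) for _ in range(10))
    # 2) User interrupts, then runs a script that spawns 5 commands, 3 KB each.
    sim.user_input("^C; ./noisy.sh")
    commands_recorded = 0
    script_bytes = 0
    for i in range(5):
        commands_recorded += sim.command(f"step{i}")
        script_bytes += sim.output(b"y" * 3 * KB)
    stopped = sim.session_stopped
    # 3) The next keystroke resumes recording in a new session.
    new_session = sim.user_input("ls")
    return {
        "tail_bytes": tail_bytes,                 # 2 KB: per-command cap
        "script_bytes": script_bytes,             # 4 KB: session cap across commands
        "script_commands_recorded": commands_recorded,   # 3 of 5: command count cap
        "stopped_before_input": stopped,
        "session_after_input": new_session,
    }


if __name__ == "__main__":
    for k, v in demo_tail_f().items():
        print(f"{k}: {v}")
```

The demo shrinks the limits to 4 KB / 2 KB / 3 commands so the effects are visible in a few lines: the per-command cap truncates the `tail -f` output, the session cap then silences the script after two commands even though its third command is still logged, and commands four and five are dropped entirely until the user types again. With the documented defaults the same logic applies at 1000 KB / 500 KB / 9,000 commands.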

Configuring Recording Using SFTP

By default, ObserveIT records Unix/Linux sessions conducted over the SFTP protocol. You can choose whether SFTP recording starts on any command, or only on commands other than ls:

  • Start SFTP recording upon any command

  • Start SFTP recording only upon commands other than ls

To disable recording over the SFTP protocol

  1. Deselect the Enable SFTP recording check box.

  2. Click Save to save the changes.


version 7.12.2