X Window System Session Capturing


The X Window System (also called X or X11) is the most common graphical display system for UNIX and Linux platforms. The user runs an X Server that renders the graphical applications, or X Clients, and interprets keyboard and mouse events and other input and output events. Each X Client is configured to connect most commonly using TCP/IP either on a local host, across an IP network or even across the Internet.

The X11 capture feature provides two areas of functionality:

  • Encrypts X Windows communications to enhance security
  • Provides a full session capture of every graphical session so the session can be logged and audited

To automatically allow X Clients to run, two items must be in place to locate the X Server and then authenticate to the service:

  • The environment variable DISPLAY
  • Authentication key

These items are commonly configured by the X Server into the users environment when they log in to the host. After you verify the items are in place, you can start using X11 forwarding.

DISPLAY Variable

The environment variable DISPLAY provides:

  • The X Server location in the form of an IP address, host name, or fully qualified DNS domain name
  • A display number that indicates the TCP/IP port that the X Server is listening on
DISPLAY= Example of IPv4 and display 0
DISPLAY=myhost:1.0 Host name and display 1
DISPLAY=myhost.mydomain.com:0.0 Fully qualified address and display 0
DISPLAY=[::1]:0.0 IPv6 display 0

Each display on the X Server has its own display number, zero denotes TCP/IP port 6000, one is 6001, etc. This allows X Servers that have multiple displays to address each individually.

Authentication Key

This preshared key authenticates each application. By default, a list of the keys is located in $HOME/.Xauthority, and can be viewed and modified using the xauth command.

$ xauth list
pbuild/unix:16MIT-MAGIC-COOKIE-1 2c7ca46175aec0e4539b9e2119acff0d

The key is generally a randomly generated number created when the X Server session is created, and then used throughout the session by the X Clients.

Architecture Overview

A diagram of the X Window System session capturing process flow in Privilege Management for Unix and Linux.

X11 capture policy settings

When you run pbrun -X from the command line, by default, you can use the X11 forwarding, and the remote process is configured automatically to allow the X11 Client applications to run.

  • xwinforward (true or false): Allow or deny X11 forwarding.
  • xwinreconnect (true or false): The X11 tunnel is created between pbrun and pblocald to allow effective and efficient communications between the two ends of the tunnel. However, if there are networking considerations this option specifies that the tunnel is created using the existing Privilege Management for Unix and Linux network optimizing policy settings (for example, noreconnect).

If X11 forwarding is enabled it is only a matter of setting an iolog and the full X11 session is captured.

Viewing Session Capture Output

You can run pbreplay to output the captured X11 events. Events such as creating and destroying windows, textual window updates, text input, and mouse clicks are displayed as a summary alongside any output from the parent process.

In Privilege Management for Unix and Linux V8.5, pbreplay has a -X option added that you can use with the -a option to output the captured X11 events.

pbreplay -o -aX <path/to/iolog>

You can use the following command to output all captured data. However, a large amount of data is displayed.

pbreplay -o -aXV <path/to/iolog>
Summarized X11 output
pbreplay -o -aX /tmp/iolog.8TO9HF
[root@pbuild src]# gnome-terminal