Auditing of BeyondTrust Remote Support (On-Premises)
BeyondTrust provides two types of support session logging. All the events of an individual support session are logged as a text-based log. This log includes representatives involved, permissions granted by the customer, chat transcripts, system information, and any other actions taken by the BeyondTrust representative. This data is available on the appliance in an un-editable format for up to 90 days, but it can be moved to an external database using the BeyondTrust API or the BeyondTrust Integration Client. All support sessions are assigned a unique session ID referred to as an LSID. The session LSID is a 32-character string that is a unique GUID for each session. The LSID is stored as part of each session log for every session conducted.
BeyondTrust also allows enabling video session recordings. This records the visible user interface of the customer screen for the entire screen sharing session. The recording also contains metadata to identify who is in control of the mouse and keyboard at any given time during the playback of the recorded session. The period of time these recordings remain available depends on the amount of session activity and the available storage, up to 90 days maximum. As with the support session logging, these recordings can be moved to an external file store using the BeyondTrust API or the BeyondTrust Integration Client.
Each Secure Remote Access Appliance model has a certain amount of available disk space. If this space becomes filled, the oldest data is automatically deleted, even if the number of days set to keep logging data has not been reached. The BeyondTrust Integration Client can be used to export data off the appliance and store it if needed to comply with security policies. BeyondTrust can also be configured to store data for a shorter period of time to help comply with security policies.
The Integration Client (IC) is a Windows application that uses the BeyondTrust API to export session logs, recordings, and backups from one or more Secure Remote Access Appliances according to a defined periodic schedule. The IC uses plug-in modules to determine the repository for the exported data.
BeyondTrust provides two IC plug-in modules. One handles export of reports and video recordings to a file system destination. The second exports select report information (a subset of the entire data collection) to a Microsoft SQL Server database. Setup of the IC for SQL Server includes all of the procedures needed to automatically define the necessary database, tables, and fields.
In practice, the Integration Client is used to export support session data that must be retained for legal and compliance reasons. The reports and recordings are archived in a file system, indexed by the Secure Remote Access Appliance and session IDs. Data stored in the SQL Server tables may be queried to locate the BeyondTrust session ID corresponding to given search criteria such as date, representative, or IP address.
All authentication events, such as when a representative logs into the representative console or accesses the /login or /appliance web interface, generate a syslog event which can be logged on a syslog server. Additionally, any configuration change that is made to the appliance also generates a syslog event showing the change that was made and by which user. If the syslog configuration itself is ever modified, it results in an administrative email sent by the appliance to the configured administrative email account for the appliance.