TRANSCRIPT
OBSERVEIT: TECHNICAL TRAINING FOR ONBOARDING SALES ENGINEER
By ObserveIT – Copyright 2015
AGENDA
1. ObserveIT Architecture
2. “One Click” Installation (+ Unix Installation)
3. Configuring ObserveIT
4. Basic Use Cases
5. ObserveIT Deployment Scenarios
WELCOME
This training is targeted at incoming Sales Engineers.
Before attending this course, students must have at least 2 years of hands-on experience, or equivalent knowledge, with the following technologies and products:
• Managing, maintaining and securing Microsoft Windows Server 2008/2008 R2, 2012 and 2012 R2, including the Active Directory and Network Infrastructure server roles.
• Working knowledge of networking, for example TCP/IP, Domain Name System (DNS) and DHCP.
• Working knowledge of Citrix XenDesktop 7.x, Internet Information Services (IIS) and Microsoft SQL Server.
• Working knowledge of common management and monitoring tools such as Microsoft SCCM/SCOM, PsExec or equivalent.
• Installing, configuring and administering Microsoft Windows Server 2008/2008 R2, 2012/2012 R2 and Microsoft Windows XP Pro/Vista/7/8.
WHAT IS OBSERVEIT
• Platform for User Activity Monitoring.
• Screen-scrapes window titles and takes screenshots of user activity.
• Maps to major compliance and security challenges.
• Captures all activity, even for applications that do not produce their own internal logs.
• Identity theft detection.
• Shared account handling.
• Keylogging, used to index recordings for search.
OBSERVEIT:ARCHITECTURE
OBSERVEIT AGENT RECORDING
• Records user activity (metadata + screen capture).
• Alerts on out-of-policy behavior.
• Supports Windows, Unix and Linux systems.
• Supports both physical and virtual environments.
• Sends recorded information to the ObserveIT Application Server over HTTP, HTTPS or an IPsec connection.
• Recording is based on a group or individual Recording Policy.
OBSERVEIT APP SERVER
• Manages the various Agents from a central location.
• Receives user activity data from the Agents.
• Filters, encrypts and transfers the recorded data to centralized storage (SQL Server or file system).
OBSERVEIT WEB CONSOLE
• IIS web application used to access recorded data and interface with the database.
• Audit stored sessions, filter through activity, search for actions.
• Configuration of all recording, alerting and access control policies.
OBSERVEIT DATABASES
• Creates 4 distinct databases: ObserveIT data, ObserveIT images, ObserveIT archive and ObserveIT Archive_Template.
• Data is secured, digitally signed and encrypted. (The slide says “AES 2048”; AES itself only has 128-, 192- and 256-bit keys, so confirm the actual cipher and key length used for signing and encryption in the product documentation before quoting it to a customer.)
• Data can be archived or sent to a file share for cheaper and less intensive storage.
OBSERVEIT SUPPORTED PLATFORMS
Windows Agents
• Windows 2000 - 2012 R2 Servers
• Vista, XP, Win 7, Win 8/8.1
• Thin clients and embedded systems
Unix/Linux Agents
• Solaris 9, 10, 11; SPARC and x86/x64
• AIX 5.3 (TL10 or higher), AIX 6.1 or AIX 7.1; 32-bit/64-bit
• HP-UX 11.23 and 11.31; Itanium architecture (64-bit)
• RHEL/CentOS 5.0 – 5.10, 6.0 – 6.5; i386/x86_64
• Oracle Linux 5.0 – 5.10, 6.0 – 6.5; i386/x86_64
• SuSE 10 SP2-SP4 or SuSE 11 SP2-SP3; i386/x86_64
• Ubuntu 10.04 LTS i386/amd64 or Ubuntu 12.04 LTS i386/x86_64
• Debian 6 and 7 (64-bit)
OBSERVEIT SUPPORTED PLATFORMS
Windows Application Server
• Windows Server 2008 R2/2012 R2
• .NET Framework 2.0, 3.5.1, 4.0
• IIS 7 with IIS 6.0 compatibility
• The IIS server can't also host WSUS
Windows Database Server
• SQL Server 2008, 2012, 2014
• Full recovery model
• No support for case-sensitive database collations
QUESTIONS & DEMO
The Instructor will do a 30 minute demo of the ObserveIT solution.
OBSERVEIT “ONE-CLICK” INSTALLATION
INSTALLING OBSERVEIT
The “One Click” installation method is the easiest way to deploy ObserveIT. If needed, each of the ObserveIT components can be installed separately as part of a custom installation. Installation order:
• Database creation
• Web Console server
• Application server
• Windows Agents
“ONE-CLICK” INSTALL
To run the ObserveIT “One Click” installer, run the Setup.exe file.
In the main installation screen there are 3 separate configuration sections:
• SQL Server Settings
• Web Application Settings (Web Console and App Server)
• Licensing
Installation also installs an Agent locally on the App Server.
“ONE-CLICK” INSTALL
To install the databases you must specify the SQL instance name and credentials with sufficient rights to create the databases on that instance.
The following databases will be created:
• ObserveIT
• ObserveIT_Data
• ObserveIT_Archive_1
• ObserveIT_Archive_template
The following user will be created in the DB: ObserveITUser (do not delete it or change its password). This account is used by the ObserveIT services to manage the 4 databases.
VM SETUP AND OBSERVEIT “ONE-CLICK” INSTALLATION
FOLLOW STUDENT GUIDE SECTIONS
HANDS ON – “ONE CLICK” INSTALLATION
1 – Introduction
2 – Prerequisites & System Requirements
3 – One-Click Installation
5.11 – Installing the ObserveIT Agent on CentOS
5.12 – Installing the ObserveIT Agent on Ubuntu
Length: 45 minutes
RECORDING AND WEB CONSOLE USAGE BASIC USE CASES
LOGGING ON TO THE CONSOLE
Use the following URL to connect to the ObserveIT Web Console:
http://servername:4884/ObserveIT
If this is your first time using the ObserveIT Web Console, you will be prompted to change the default “Admin” password. (The default URL is plain HTTP; enable HTTPS on the console site before exposing it beyond the admin network.)
OBSERVEIT WEB CONSOLEAreas to replay sessions and study the recorded data:
Server diary, user diary, DBA Activity, Activity alerts, search, and reports.
WINDOWS USER ACTIVITY RECORDING
• The Agent records the users and applications that are specified in the recording policy.
• Only user activity is recorded.
• User idle time is not recorded – when a user is not actively using the computer, the ObserveIT Agent sits idle.
• The ObserveIT Agent generates alerts on predetermined behavior and streams them in real time to the Web Console or to the admin's email.
• The agent creates
• The OIT Agent collects the window titles of on-screen applications and websites, software that has been installed, user data, application name, date and time.
UNIX/LINUX USER ACTIVITY RECORDING
• The Agent records the users and applications that are specified in the recording policy.
• All SSH input/output is recorded (independent of user activity).
• Idle time is only relevant for session timeout or for the designed sizing parameters.
• Video analysis contains “system calls”, “function calls”, commands and scripts.
• The OIT Agent collects all user-generated data by sitting as a “man in the middle” within a TTY interactive session.
• The Agent hooks into the user session and will terminate the session if tampered with.
QUESTIONS & DEMOThe Instructor will do an in-depth explanation of the:
1. Reports
2. Search
3. Alerting
4. Server Diary
5. User Diary
BASIC USE CASES:
FOLLOW STUDENT GUIDE SECTIONS:
HANDS ON – Basic Use Cases
4. Basic Use Cases
4.1 Simulating User Activity
4.2 Auditing the User Activity
5.13 Simulate User Activity on Unix
5.14 View Linux Recorded Session
Length: 60 minutes
OBSERVEIT DEPLOYMENT SCENARIOS
OBSERVEIT DEPLOYMENT SCENARIOS
A typical ObserveIT installation consists of multiple monitored servers (each running an Agent), installed on separate physical or virtual Windows-based or Unix-based operating systems.
There are 4 typical types of deployment scenarios:
• Small deployment
• Medium deployment
• Large and High-Availability deployment
• Terminal/Citrix Remote Access gateway deployment
OBSERVEIT SMALL DEPLOYMENT
The most important number that drives the sizing of an ObserveIT deployment is the number of Concurrent Connected Users (CCUs) you plan to monitor.
• 1 Application Server (2 for HA).
• Recommended to use a database on a separate server from the Application Server, but it is OK to have them together.
• SQL production database disk for user-activity logs: 390 GB on ultra-fast (high IOPS) disk, for the current month.
• SQL production database or file system storage disk for graphical images: 1 TB on ultra-fast (high IOPS) disk, for each archived month.
• Note – for longer data retention, please use the built-in archive mechanism, which can be stored according to your needs online or offline.
OBSERVEIT SMALL DEPLOYMENT
[Diagram: small “all in one” deployment. The Database Server, Application Server and Web Console run on one machine; the Agents and the ObserveIT Admin reach it over HTTP traffic.]
OBSERVEIT MEDIUM DEPLOYMENT
The medium or standard deployment is sized for 500 concurrently connected users.
• 2 Application Servers (3 for HA) with load balancing.
• The Database Server must be on a separate server from the Application Servers.
• SQL production database disk for user-activity logs: 780 GB on ultra-fast (high IOPS) disk, for the current month.
• SQL production database or file system storage disk for graphical images: 2 TB on ultra-fast (high IOPS) disk, for each archived month.
• Note – for longer data retention, please use the built-in archive mechanism, which can be stored according to your needs online or offline.
• Recommendation: the ObserveIT Application Servers should communicate with a central clustered Microsoft SQL Server Enterprise Edition 2008 or higher.
OBSERVEIT MEDIUM DEPLOYMENT
[Diagram: medium deployment. Agents send HTTP traffic to the Application Server/Web Console; the Application Server sends SQL traffic to a separate Database Server, with screenshots on a RAID network file system; the ObserveIT Admin uses the Web Console over HTTP.]
OBSERVEIT LARGE DEPLOYMENT
The large or high-availability deployment is sized for 1000 concurrently connected users.
• 4 Application Servers (5 for HA) with load balancing.
• The Database Server must be on a separate server from the Application Servers.
• SQL production database disk for user-activity logs: 1.5 TB on ultra-fast (high IOPS) disk, for the current month. (The slide reads “1.5 GB”, which is inconsistent with the 390 GB and 780 GB figures of the smaller tiers.)
• SQL production database or file system storage disk for graphical images: 4 TB on ultra-fast (high IOPS) disk, for each archived month.
• Note – for longer data retention, please use the built-in archive mechanism, which can be stored according to your needs online or offline.
• Requirement: the ObserveIT Application Servers should communicate with a central clustered Microsoft SQL Server 2008 or higher (Enterprise Edition recommended).
OBSERVEIT LARGE DEPLOYMENT
[Diagram: large deployment. Agents send HTTP traffic to Active Application Server 1 (192.168.100.11) and Active Application Server 2 (192.168.100.12), both sending SQL traffic to an MS SQL Failover Cluster. Agents are spread across the two servers by DNS round robin on a DNS Server with the records oitsrv A 192.168.100.11 and oitsrv A 192.168.100.12, round robin enabled and the record cache (TTL) set to 0.]
OBSERVEIT LARGE DEPLOYMENT 2
[Diagram: as above, with the Application Servers behind a Load Balancing Cluster and the screenshots stored on a RAID network file system.]
Note that DNS round robin only spreads Agents across servers; it does not notice a failed Application Server, so Agents that resolve to a dead server depend on their offline cache until the record is removed or a load balancer with health checks takes over.
OBSERVEIT TS/CITRIX DEPLOYMENT
[Diagram: remote and local users connect over the Internet to a Gateway Server that has the ObserveIT Agent installed; from the gateway they reach Corporate Servers and Corporate Desktops (no agent installed) via MSTSC, PuTTY and SSH. The gateway reports to the ObserveIT Management Server.]
OBSERVEIT HYBRID DEPLOYMENT
[Diagram: as in the TS/Citrix deployment, remote and local users reach Corporate Servers and Corporate Desktops (no agent installed) through the Gateway Server via MSTSC, PuTTY and SSH; in addition, sensitive production servers have the Agent installed, so direct logins (not via the gateway) are recorded too. All Agents report to the ObserveIT Management Server.]
OBSERVEIT PUPM ACTIVE-X DEPLOYMENT
[Diagram: a user desktop machine (10.2.56.74) logs in to the PUPM Server (10.2.56.78) only. Machine “17” (Test W2012 machine, 10.2.3.17) is in the “My Privileged Accounts” list on the PUPM server, and the user opens RDP to 10.2.3.17 from there. The OIT Server (10.2.56.76) contains the installation CAB, and the ObserveIT Agent CAB is transferred to the target machine.]
OBSERVEIT INTEGRATION WITH AD
Authentication requirement:
• Web Console user authentication.
• Secondary Identification feature activation.
Data query requirement:
• Identity theft detection (email to the user or admin).
• One-time password (SMS to the user's phone).
OBSERVEIT INTEGRATION WITH AD
[Diagram: the Application Server/Web Console (with the Database Server) queries a Windows Server 2003/2008 Domain Controller over LDAP traffic (TCP 389); Agents and the ObserveIT Admin reach the Application Server and Web Console over HTTP, and the Application Server sends SQL traffic to the Database Server.]
Practitioner note: a simple bind over plain LDAP on TCP 389 sends the bind password in clear text; use LDAPS (TCP 636) or StartTLS so the Web Console's AD service account credentials are not exposed on the wire.
OBSERVEIT INDIVIDUAL COMPONENTS
OBSERVEIT COMPONENTS
ObserveIT Agent
• Windows Agent
• Unix/Linux Agent
• Citrix Agent
ObserveIT Backend
• Application Server
• Web Console
• SQL Database
OBSERVEIT AGENT
The ObserveIT Agent is software that is installed on servers, desktops, laptops, terminal servers, Linux/Unix systems, Citrix environments, etc. to collect all user activity occurring on those systems. Agents capture screen images throughout each user session and produce the associated user activity logs. These images and logs are sent to the Application Server in real time. If an Agent cannot connect to the Application Server, it temporarily stores the user activity data and sends it to the Application Server when it reconnects.
There are 2 versions of the Agent:
• Windows version – supports all major versions of Microsoft Windows operating systems (32- and 64-bit).
• Unix/Linux version – runs on major production flavors of Unix/Linux (32- and 64-bit): Oracle Linux, RHEL/CentOS, Ubuntu, Debian, HP-UX, AIX, Solaris and SLES (SuSE Linux).
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent is a software component that is installed on any Windows-based operating system (server and desktop versions) that you wish to record.
The ObserveIT Agent is a user-mode executable that binds to every desktop user session.
It can be installed on any version of Windows, starting from NT 4.0 up to Windows 8.1 and Windows Server 2012 R2. Supports:
• 32-bit machines
• 64-bit machines
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent minimum requirements:
Hardware requirements
• CPU – 2.4 GHz or faster Intel or AMD processor
• Memory – 2 GB RAM or more
• Disk space – At least 200 MB of free hard disk space
• .NET Framework – Version 2.0 must always be installed
• Network adapter – 100 Mb/1 Gb Ethernet adapter
OBSERVEIT WINDOWS AGENTThe ObserveIT Agent capturing data:
• As soon as a user creates a session on a monitored server, the Agent is started and begins recording – based upon a pre-determined recording policy.
• The ObserveIT Agent is triggered by user activities such as keyboard and mouse events.
• Idle time – when a user is reading, or inactive – is not recorded.
• When triggered, the Agent performs a screen capture.
• At the same moment it captures textual metadata of what is seen on the screen (window title, executable name, date, time, user name, etc.).
OBSERVEIT WINDOWS AGENTThe ObserveIT Agent Offline Mode:
• The ObserveIT Agent can be configured to allow offline caching of recorded data.
• This is useful in the event of network malfunctions or disconnection, and for NLB scenarios.
• When network connectivity is reestablished, the Agent transmits the locally cached data back to the Application Server.
• In order not to fill the local disk, by default, the local cache holds 1000 screenshots. This number is configurable.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent keyboard-stroke image creation:
• Low (default) – Keystrokes trigger at most one image per 1-second interval.
• Medium – Keystrokes trigger at most one image per 0.5-second interval.
• High – Every keystroke generates an image.
OBSERVEIT WINDOWS AGENTThe ObserveIT Agent API (Application Programming Interface):
• ObserveIT Agents have an API built into them.
• You may use various programming and scripting languages or custom DLLs (Dynamic Link Libraries) incorporated into your software to connect to this API and control the Agents’ status.
• For example, it is possible to start, stop, pause, resume and end recorded sessions. It is possible to start recording based on process IDs, on process names and on web URLs.
• Recording additional processes can be done into the existing session, or into a new session, thus creating a separate session for each recorded process.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent security (what stops a user from stopping the Agent?):
• The ObserveIT Agent is protected by a watchdog mechanism that restarts the Agent if its process is ended.
• If a user stops the watchdog process, it is restarted by the ObserveIT Agent.
• If a malicious user manages to stop both processes at the same time, the ObserveIT health check system alerts the administrator that an Agent is no longer recording, which is a clear indication that someone has deliberately stopped the Agent.
• The Agent can also be set up with a password to protect it against unauthorized uninstallation.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Network Security:
• Communication can be secured by enabling SSL (Secure Sockets Layer) on the Application Server website so that Agents talk to it over HTTPS. In current terms this means TLS; disable the obsolete SSL 2.0/3.0 protocol versions on the IIS host.
• If needed, an IPsec (Internet Protocol Security) tunnel can also be used to protect the Agent-to-Server traffic.
[Diagram: Agent to Application Server/Web Console over HTTPS traffic or an IPsec tunnel.]
• OASIS standards for WS-SecureConversation, including Token Exchange, Digital Signature and Transaction Time-To-Live limit.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Resource Usage:
• The ObserveIT Agent is a user-mode process, which only runs when a user session is active.
• The ObserveIT Agent only consumes resources when a user is logged on to the monitored server(s).
• Average of 10 MB of RAM per session.
• Average of 1%-5% CPU utilization per session (only at the moment of capturing data).
• When multiple concurrent sessions are active (i.e. on a Citrix/Terminal Server), this per-session usage must be added to the memory calculation for the server sizing plan.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Network Connections:
[Diagram: Agent to Application Server/Web Console, HTTP traffic (by default TCP 4884).]
• During installation, the ObserveIT setup creates an additional website in IIS that listens on TCP port 4884.
• The ObserveIT Agent transmits the captured screenshots and textual metadata to the ObserveIT Application Server over HTTP via this port.
• This port can be changed (for example to TCP port 80). Whichever port is chosen must be allowed between Agents and the Application Server, and HTTPS should be enabled on it so screenshots and keystrokes are not sent in clear text.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Network Usage:
• Each screenshot is between 5-15 KB (depending on screen resolution and how much changes on screen).
• The Agent only captures user actions and trims idle time, so bandwidth usage is relatively small (about 50 KB transferred at one time).
• ObserveIT Agents are configured to record in grayscale by default, but color recording can also be enabled.
• When either of the following conditions is met, only grayscale recording is used:
• A high screen resolution is detected – bigger than 1680 x 1050
• Multiple monitors are used
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Installation:
• Installation is performed with a standard Windows Installer package (.MSI), which is well supported by software distribution applications and Group Policy (GPO).
• Agents can be installed unattended by using a simple batch file.
• Agents can be auto-configured by using DNS.
• A password can be used to prevent rogue Agent installation/uninstallation.
• No reboot is required!
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Automatic Installation:
• A sample batch file called ObserveIT.ClientInstall.cmd is included in the ObserveIT Agent setup directory.
• Installation parameters:
• SERVERURL (mandatory) – Directs the Agent to communicate with the specified Application Server. You can also specify the port number.
SERVERURL="http://servername:4884/ObserveITApplicationServer"
• SRVPOLTMPL (optional) – Server Policies Template from which to inherit policy-based configuration upon installation.
SRVPOLTMPL="00000000-0000-0000-0000-000000000000"
• PWD (optional) – The password that is defined on the ObserveIT Application Server.
PWD=""
• PROVIDER (optional) – Configures which computer is allowed to control the Agent's API (for stopping and/or starting the Agent's recording). By default, and unless specified, only the localhost (the computer on which the Agent is installed) can control the Agent's API. You must specify a computer name; IP addresses cannot be used.
PROVIDER="oitsrv"
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – ActiveX Installation:
• ObserveIT Windows Agents can be installed on monitored machines by means of an ActiveX installation, which would most likely be embedded into the company's intranet portals or into other mission-critical web-based applications.
• Once integrated with the website, whenever a user opens the web browser and connects to the relevant website, they are prompted to download and install the ActiveX installation of the Agent.
• Once installed, and based on the configured settings, all the user actions performed inside that specific website or application are recorded, while other applications or sites are excluded.
• Once the user closes the website, the Agent ceases to function.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Hidden Installation from the “Add/Remove Programs” list:
• After the ObserveIT Agent is installed, the software appears in the Add/Remove Programs applet in Control Panel. In addition, when running, a tray icon appears in the notification area. In some cases, administrators might want the Agent to run hidden.
• The ObserveIT Agent installation file offers a Custom installation option: if chosen, it allows you to configure ObserveIT to run without appearing in Add/Remove Programs.
• The Agent can also be tied to a pre-existing recording policy, which allows the Admin to choose a policy that does not show the tray icon.
OBSERVEIT WINDOWS AGENT
The ObserveIT Agent – Hide the Agent's Icon:
• To hide the Agent's icon from the tray notification area, create a new Server Policy or modify an existing one.
OBSERVEIT UNIX/LINUX AGENT
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent is a user-mode executable that binds to every user's interactive terminal connection:
• Acting as a man in the middle, the Agent can collect all TTY I/O, system calls and functions that a user performs or elicits.
• It can be installed on Solaris x86/x86_64/SPARC architectures and on Linux RedHat/CentOS 6.x releases, Ubuntu, AIX and Debian.
• It can be installed on 32-bit and 64-bit flavors of the supported operating systems.
• The Unix/Linux Agent can monitor SSH, Telnet, PuTTY and Rlogin sessions.
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent minimum requirements:
Hardware requirements
• CPU – 2.4 GHz or faster Intel or AMD processor
• Memory – 2 GB RAM or more
• Disk space – At least 1 GB of free hard disk space
• Network adapter – 100 Mb/1 Gb Ethernet adapter
Supported architectures
• Linux: i386, x86-64
• Solaris: SPARC, i386, x86-64
• HP-UX: Itanium
• AIX: PowerPC
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent Solaris 10 system requirements:
Hardware requirements
• CPU – 2.4 GHz or faster processor (SPARC, or Intel/AMD for x86/x64)
• Memory – 1 GB RAM or more
• Solaris 9, update 9; SPARC
• Solaris 10, update 4 to update 11; x86/x64 or SPARC. Solaris Whole Root Zones are supported; you must install an ObserveIT Agent in each zone.
• Solaris 11, update 1; x86/x64 or SPARC
Note: The Solaris 10 Zones application and resource management feature allows operating systems to appear as virtual environments (zones) that are isolated and secure, thus providing operating-system independence with some level of centralized resource management.
Prerequisites: libaio, libc, libcrypto, libcrypto_extra, libdl, libdoor, libgen, libm, libmd, libmp, libnsl, libpthread, librt, libscf, libsocket, libssl, libssl_extra, libumem, libuuid, libuutil, libxml2, libxnet, libz
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent AIX 5.3 system requirements:
Hardware requirements
• CPU – 1.3 GHz or faster processor (PowerPC)
• Memory – 1 GB RAM or more
• AIX 5.3 (TL10 or higher), AIX 6.1 or AIX 7.1; 32-bit/64-bit
Prerequisites: libc, libcrypt, libcrypto, libdl, libiconv, libnsl, libpthread, libpthreads, libpthreads_compat, libssl, libthread, libtli, libxml2
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent HP-UX system requirements:
Hardware requirements
• CPU – 1.3 GHz or faster processor (Itanium)
• Memory – 1 GB RAM or more
• HP-UX versions 11.23 and 11.31; Itanium architecture (64-bit)
Prerequisites: libc, libcrypto, libdl, libgen, libiconv, liblzma, libm, libnsl, libpthread, libssl, libxml2, libxnet, libxti, libz
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent RHEL/CentOS system requirements:
Hardware requirements
• CPU – 1.3 GHz or faster Intel or AMD processor
• Memory – 1 GB RAM or more
• RHEL/CentOS 5.0-5.10 or 6.0-6.5; i386/x86_64
Prerequisites: ld-linux, libc, libcom_err, libcrypto, libdl, libgssapi_krb5, libk5crypto, libkeyutils, libkrb5, libkrb5support, libm, libnsl, libpthread, libresolv, librt, libselinux, libssl, libutil, libuuid, libxml2, libz
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent Oracle Linux system requirements:
Hardware requirements
• CPU – 2.4 GHz or faster Intel or AMD processor
• Memory – 1 GB RAM or more
• Oracle Linux 5.0-5.10 or 6.0-6.5; i386/x86_64
Prerequisites: ld-linux, libc, libcom_err, libcrypto, libdl, libgssapi_krb5, libk5crypto, libkeyutils, libkrb5, libkrb5support, libm, libnsl, libpthread, libresolv, librt, libselinux, libssl, libutil, libuuid, libxml2, libz
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent SLES (SuSE) system requirements:
Hardware requirements
• CPU – 2.4 GHz or faster Intel or AMD processor
• Memory – 1 GB RAM or more
• SLES SuSE 10 SP2-SP4 or SuSE 11 SP2-SP3; i386/x86_64
Prerequisites: ld-linux, libc, libcrypto, libdl, libm, libnsl, libpthread, librt, libssl, libutil, libuuid, libxml2, libz
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent Debian system requirements:
Hardware requirements
• CPU – 2.4 GHz or faster Intel or AMD processor
• Memory – 1 GB RAM or more
• Debian 6 and 7 (64-bit)
Prerequisites: ld-linux, libc, libcrypto, libdl, libm, libnsl, libpthread, librt, libssl, libutil, libuuid, libxml2, libz, liblzma
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Capturing Data:
• When a user creates a session on a server, the Agent is started and begins recording, based upon a pre-determined recording policy that is downloaded from the Application Server.
• The ObserveIT Unix/Linux Agent is triggered by Command Line Interface (CLI) events. When a user is inactive, the Agent is not recording.
• The Agent is active only while CLI activity is detected.
• When triggered, the Agent captures commands and their output. It also captures selected system call metadata (such as OPEN/CHOWN/UNLINK and other file-operation system calls).
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Capturing Data:
The ObserveIT Unix/Linux Agent captures all the internal actions and the names of files/resources affected by command-line operations.
• Command line: Each user command-line entry is captured.
• Visual screen activity: Everything on the screen is visually recorded, including user input and screen output.
• System calls: ObserveIT also captures the system calls triggered by each user command. Every file create/delete/open/permission change, process creation and link creation is fully exposed. (Example: if the user runs an alias or script named innocentScript that includes system calls to delete files and change user permissions, this is also captured.)
• Resources affected: In addition, each file or resource affected by the user command is captured. (Example: if the user types rm *.txt, ObserveIT shows the exact name of each file that was deleted.)
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Architecture:
• The Unix/Linux Agent uses a technique known as “library/function interposition” in order to hook/inject itself into processes.
• It remains inactive until it detects the creation of an interactive session (by virtue of the creation of a new pseudo-tty device).
• When activated, it spawns an auxiliary process (the logger) that receives metadata reports (“interesting” system calls and library functions) sent by the Agent code hooked into the child processes.
• The logger process also collects all the interactive (keyboard input/output) data passing through the original pseudo-tty device.
• When the interactive session terminates, the logger also exits after making sure all the data has been sent to the server.
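The following is an added example, not ObserveIT's code, of the interposition idea in the first bullet above: definitions of unlink() and chmod() placed ahead of the C library's record who did what and then perform the real operation with a raw system call. Compiled into a single program, as here, they shadow libc for that program; built as a shared object (cc -shared -fPIC) and loaded through LD_PRELOAD, the same functions are picked up by every dynamically linked program in the session, which is how a hook reaches a user's child processes. The in-memory oit_log array and the oit_-prefixed names are assumptions standing in for the pipe to the Agent's logger process.

```c
/* Added example, not ObserveIT code: library/function interposition.
 * Compile into a program (cc -Wall oit_hook.c) or, to hook other
 * processes, build as a shared object (cc -shared -fPIC -o liboit.so
 * oit_hook.c) and load it with LD_PRELOAD. Names prefixed oit_ are
 * assumptions for this demonstration. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* In-memory stand-in for the Agent's auxiliary logger process; the real
 * Agent would write these records to the logger over a pipe. */
#define OIT_LOG_MAX 64
static char oit_log[OIT_LOG_MAX][256];
static int oit_log_count = 0;

static void oit_report(const char *call, const char *path, long rc)
{
    if (oit_log_count >= OIT_LOG_MAX)
        return;
    snprintf(oit_log[oit_log_count], sizeof oit_log[0],
             "uid=%u pid=%d call=%s path=%s rc=%ld",
             (unsigned)getuid(), (int)getpid(), call, path, rc);
    oit_log_count++;
}

/* Interposed unlink(): this definition is resolved before the C
 * library's, so every unlink() in the process lands here. The real work
 * is done with a raw system call so the hook cannot loop into itself. */
int unlink(const char *path)
{
    long rc = syscall(SYS_unlinkat, AT_FDCWD, path, 0);
    oit_report("unlink", path, rc);
    return (int)rc;
}

/* Interposed chmod(): permission changes are reported the same way. */
int chmod(const char *path, mode_t mode)
{
    long rc = syscall(SYS_fchmodat, AT_FDCWD, path, mode, 0);
    oit_report("chmod", path, rc);
    return (int)rc;
}

/* Read back a captured record (NULL when out of range). */
const char *oit_log_entry(int i)
{
    return (i >= 0 && i < oit_log_count) ? oit_log[i] : NULL;
}

/* Simulate a user's "innocent script": create a temp file, change its
 * permissions and delete it. Returns the number of records captured. */
int oit_demo(void)
{
    char tmpl[] = "/tmp/oit_demo_XXXXXX";
    oit_log_count = 0;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);
    chmod(tmpl, 0600);   /* caught by the interposed chmod() */
    unlink(tmpl);        /* caught by the interposed unlink() */
    return oit_log_count;
}

int main(void)
{
    int n = oit_demo();
    for (int i = 0; i < n; i++)
        puts(oit_log_entry(i));
    return n == 2 ? 0 : 1;
}
```

The pass-through uses syscall() rather than dlsym(RTLD_NEXT) so the example links without -ldl on older glibc; a production hook normally forwards to the next definition with dlsym. The caveat this makes visible: interposition only sees calls that go through the dynamic C library, so a statically linked binary or code issuing its own system calls bypasses it, which is why the pseudo-tty capture of the whole session and the server-side health check remain the controls that matter.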
OBSERVEIT UNIX/LINUX AGENTThe ObserveIT Agent – Network Utilization:
• A typical CLI event is considered from the moment Enter is pressed till 1KB of data is accumulated, or after a maximum of 5 seconds from the last event.
• A session that has a high CLI activity usage and intensity will produce more data, therefore, more packets will be sent from the Agent to the Application server.
• Data of a typical average user event including metadata will consist of 10 – 20 KB.
• Since the Agent only captures user actions and trims idle time, bandwidth usage is relatively narrow.
• Client-side or server-side compression can be used to reduce the size of the traffic transmitted by the Agents to the Application Server, but will incur additional CPU resource usage on the client-side.
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Resource Usage:
• The ObserveIT Agent uses an average of 5-20 MB of RAM, about 0.1% CPU utilization when idle and 0.7% CPU utilization on average when recording.
• The ObserveIT Agent only consumes resources when a user is logged on to the monitored server(s).
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Security:
• Unlike other Unix/Linux utilities that log user actions, users (even root users) are not able to close the Agent in any way without also losing their shell.
• The Agent embeds itself into any shell that is derived from a login process. This mechanism is connected both to the shell and to the auditing process, thus removing any opportunity of tampering with or closing the Agent without closing the shell.
• The Agent transfers all captured data to the ObserveIT Application Server securely, over the HTTPS or IPsec channel described for the Application Server.
• Practitioner note: a root user can still disable the Agent for future sessions (for example by uninstalling it), so the Application Server's health check that alerts when an Agent stops reporting is the control that catches this.
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Security:
• When triggered, the Agent captures CLI activity. At the same moment it captures metadata of the system calls made by those commands.
• The ObserveIT Agent auxiliary process (the logger) sits between the pseudo-tty and the interactive shell (man in the middle).
• If this process is terminated, the interactive session (shell) is terminated as well.
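As an added example (again not ObserveIT's code), the following shows the man-in-the-middle position the logger occupies, as described in the Architecture and Security slides: the parent allocates a pseudo-tty pair, runs the shell on the slave side, and is the only reader and writer of the master side, so every keystroke and every byte of output must cross it. record_session(), its fixed transcript buffer and the self-check function are assumptions for the demonstration; the real logger streams what it sees to the Application Server instead of keeping it in memory.

```c
/* Added example, not ObserveIT code: a pseudo-tty "man in the middle"
 * session recorder. The parent (playing the logger) owns the master side
 * of a pty pair; the shell runs on the slave side, so every keystroke and
 * every byte of output must cross the parent. record_session() and the
 * fixed transcript buffer are assumptions for this demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `cmd` with /bin/sh -c inside a new pty, feed it `input` as if typed,
 * and copy everything that crosses the pty (echoed input included) into
 * `transcript`. Returns the shell's exit status, or -1 on a setup error. */
int record_session(const char *cmd, const char *input,
                   char *transcript, size_t cap)
{
    if (cap == 0)
        return -1;
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0)
        return -1;
    const char *slave_name = ptsname(master);
    if (slave_name == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: become a session leader, make the slave pty the
         * controlling terminal, then run the shell on it. */
        setsid();
        int slave = open(slave_name, O_RDWR);
        if (slave < 0)
            _exit(127);
        ioctl(slave, TIOCSCTTY, 0);
        dup2(slave, STDIN_FILENO);
        dup2(slave, STDOUT_FILENO);
        dup2(slave, STDERR_FILENO);
        if (slave > STDERR_FILENO)
            close(slave);
        close(master);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    /* Parent = logger. Inject the "keystrokes"; the line discipline echoes
     * them back through the master, so they appear in the transcript. */
    const char *p = input ? input : "";
    size_t left = strlen(p);
    while (left > 0) {
        ssize_t w = write(master, p, left);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            break;
        }
        p += w;
        left -= (size_t)w;
    }

    /* Drain the session until the slave side is closed (EIO/EOF on Linux),
     * i.e. when the shell and everything it started have exited. */
    size_t used = 0;
    for (;;) {
        char buf[512];
        ssize_t n = read(master, buf, sizeof buf);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        size_t room = cap - used - 1;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(transcript + used, buf, take);
        used += take;
    }
    transcript[used] = '\0';
    close(master);   /* closing the master hangs up (SIGHUP) the session */

    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: record one session and confirm that both the injected
 * keystrokes and the shell's reply went through the logger, in order. */
int record_session_selfcheck(void)
{
    char out[4096];
    int rc = record_session("read line; echo \"got:$line\"", "hello\n",
                            out, sizeof out);
    const char *typed = strstr(out, "hello");
    const char *reply = strstr(out, "got:hello");
    return rc == 0 && typed != NULL && reply != NULL && typed < reply;
}

int main(void)
{
    return record_session_selfcheck() ? 0 : 1;
}
```

Because the child's shell has the slave pty as its controlling terminal, closing the master descriptor (which the kernel does for you if the logger process dies) delivers SIGHUP to the session, which is the mechanical reason the slide can say that terminating the logger terminates the shell.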
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Solaris:
• Agent installation is simple, and can be a one-step or a two-step process.
• Installation + Agent registration in one step:
./observeit-agent-solaris10-i386-release-5.5.xx.run -- -I -s <ServerIP>:<Port>
• No reboot is required!
• Agent health check: /usr/lib/obit/oitcheck
OBSERVEIT UNIX/LINUX AGENT
The ObserveIT Agent – Linux:
• Here too, Agent installation can be a one-step or a two-step process.
• Installation + Agent registration in one step:
./observeit-agent-linux-5.5.xx.run -- -I -s <ServerIP>:<Port>
• No reboot is required!
• Agent health check: /usr/sbin/oitcheck
OBSERVEIT APPLICATION SERVER
OBSERVEIT APPLICATION SERVER
The Application Server is the central aggregation point for all user activity data collected by Agents, and is also responsible for getting all collected user activity data from the Agents into the Database. Each ObserveIT Application Server can handle up to 250 CCUs. It is important to note that the number of Agents is not a critical aspect of sizing the Application Server; it is the number of CCUs those Agents are monitoring that matters:
• After being captured by the Agent, both the textual metadata and the graphic image are bundled into a packet and sent to the ObserveIT Application Server.
• The ObserveIT Application Server is a stateless ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS).
• The ObserveIT Application Server receives the data from the Agent, validates it, and then stores it in the ObserveIT Database.
• In addition, the Application Server periodically provides configuration information to the Agents.
OBSERVEIT APPLICATION SERVER
The Application Server minimum system requirements:
Hardware requirements
• Operating system: Windows Server 2008 and higher
• CPU: 4-8 cores
• RAM: 8-16 GB
• Hard disk: 80 GB
• The machine can be virtual if all performance considerations are taken into account.
Software requirements
• Microsoft Windows Server 2008/2008 R2/2012/2012 R2 (it is recommended that you always use the latest Service Pack for your operating system). Both 32-bit and 64-bit versions are supported.
• Microsoft Internet Information Server (IIS) 6.0 or higher with ASP.NET (version depends on the version of Windows Server that you're using)
• .NET Framework (version 4.0 must always be installed).
OBSERVEIT DATABASE SERVER
OBSERVEIT DATABASE SERVER
The Database Server stores all ObserveIT user activity logs, reports and configuration settings. Graphical images can be stored either inside the SQL database or on a file system.
Average disk space for an eight-hour desktop working session is 0.2 GB per user. This number is composed of two parts: user activity logs (30% of the total storage) and screen images (70% of the total storage). It will be drastically reduced if a custom recording policy is enabled that excludes applications and/or users from the recording:
• All the data captured by ObserveIT is stored in a Microsoft SQL Server database on the Database Server.
• This information is stored along with the User Activity Logs describing what is seen on the screen.
• This provides the ability for very powerful searches across the entire enterprise.
OBSERVEIT DATABASE SERVER
The Database Server – minimum system requirements:
Hardware Requirements
• Operating system: Windows Server 2008 and higher
• CPU: 4-8 cores
• RAM: 8-16 GB
• Hard disk: 80 GB
• SQL Logs Hard Disk: 500 GB (1 TB)
• Recommendation that the machine be physical for large deployments
Software Requirements
• Microsoft Windows Server 2008/2008 R2/2012/2012 R2 (it is recommended that you always use the latest Service Pack for your operating system).
• SQL Server 2008/2008 R2/2012 with the latest Service Pack
• SQL Server 2008 R2 Express Edition
• Note: It is recommended that you use a regular full-featured version of SQL Server, as the Express Edition has database size limitations (for example, 10 GB in SQL Server 2008 R2 Express).
OBSERVEIT DATABASE SERVER
The ObserveIT Database – Using a Local File System Store:
• Screenshots can be stored in a centralized file-system location (NAS/SAN).
• ObserveIT still requires SQL Server: all recorded metadata, image pointers and configuration settings are stored in Microsoft SQL Server.
• The amount of data recorded by the ObserveIT Agents is not a constant number; it depends on the profile of a typical recorded user session.
• You need to determine the number of user actions per typical session, and the number of such sessions per day/week/month.
• The overall size of the database can be predicted from the typical session sizes captured during the POC phase.
OBSERVEIT DATABASE SERVER
The ObserveIT Database – Database Sizing:
• Typical average user action screenshot: ~5–15 KB in size.
• Each screenshot's size is affected by a number of parameters (client screen resolution, multiple monitors, application filtering):
  • Gray scale or color recording – the default is gray scale.
  • Client screen resolution – the higher the screen resolution, the more data is captured.
  • Client using multiple monitors – clients using 2 monitors will generally generate almost twice the amount of captured data as a client working with just one monitor.
  • Filtering applications – by default, all applications are recorded in normal sessions. You can filter them and record only specified applications.
• File location: C:\Program Files\ObserveIT\ObserveITAgent\bin\rcdcl.exe.config
OBSERVEIT DATABASE SERVER
The ObserveIT Database – Database Sizing:
• An existing ObserveIT client with around 1000 servers averages 500 GB per year with a moderate level of activity.
• Servers with multiple concurrent user sessions, such as Terminal or Citrix servers, require more space, depending on the amount of user activity.
• This modest requirement is because:
  • No idle time is recorded
  • Gray scale is used
  • Data compression
  • The recorded applications are filtered (i.e. only record management tools, LOB applications, or all except specific applications).
OBSERVEIT DATABASE SERVER
The ObserveIT Database – Database Sizing:
Data is, by default, never deleted from the ObserveIT database.
To help reduce database sizes:
• Archive old data that may be needed in the future and store it in an offline database.
• Filter the applications that are recorded (i.e. only record management tools, LOB applications, or all except specific applications).
• A feature to purge data can be enabled to remove all data collected for a server from a Database.
• Individual sessions can be removed via a query run directly against the database.
• For security protection, ObserveIT does not allow data to be deleted until 72 hours after its creation.
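A storage estimator built from the figures on the Database Server and Database Sizing slides above (0.2 GB per eight-hour session, the 30%/70% logs-to-images split, roughly 2x image data for dual-monitor clients, the 10 GB SQL Server 2008 R2 Express ceiling, and the 72-hour deletion guard). This is an added example, not an ObserveIT tool; the parameter names, the linear-scaling assumption and the scenario numbers are mine.

```python
from dataclasses import dataclass

# Figures quoted on the sizing slides
GB_PER_8H_SESSION = 0.2              # average eight-hour desktop session, per user
LOG_SHARE, IMAGE_SHARE = 0.30, 0.70  # user activity logs vs screen images
SQL_EXPRESS_LIMIT_GB = 10.0          # SQL Server 2008 R2 Express database ceiling
DELETE_GUARD_HOURS = 72              # no deletion within 72 hours of creation


@dataclass
class SizingInput:
    users: int                          # recorded users (or concurrent sessions)
    session_hours: float = 8.0          # recorded activity per user per day
    days: int = 365                     # retention; the default policy never deletes
    dual_monitor_fraction: float = 0.0  # share of users on two monitors (~2x images)
    recorded_fraction: float = 1.0      # share of activity left after app filtering
    images_in_sql: bool = True          # screenshots inside SQL vs file-system store


def estimate_storage_gb(inp: SizingInput) -> dict:
    """Split projected storage between SQL Server and the file-system store.
    Assumption (mine): size scales linearly with hours, users, days and the
    recorded fraction; only the image share doubles for a second monitor."""
    per_day = GB_PER_8H_SESSION * inp.session_hours / 8.0 * inp.recorded_fraction
    user_days = inp.users * inp.days
    logs_gb = per_day * LOG_SHARE * user_days
    images_gb = per_day * IMAGE_SHARE * (1.0 + inp.dual_monitor_fraction) * user_days
    sql_gb = logs_gb + (images_gb if inp.images_in_sql else 0.0)
    return {
        "logs_gb": logs_gb,
        "images_gb": images_gb,
        "sql_gb": sql_gb,
        "filesystem_gb": 0.0 if inp.images_in_sql else images_gb,
        "total_gb": logs_gb + images_gb,
        "fits_sql_express": sql_gb <= SQL_EXPRESS_LIMIT_GB,
    }


def deletable(age_hours: float) -> bool:
    """Whether a recording is old enough to be purged or removed by query."""
    return age_hours >= DELETE_GUARD_HOURS


if __name__ == "__main__":
    # Constructed scenario: 200 desktop users, 250 working days, a third on
    # dual monitors, screenshots kept on a NAS so SQL holds only metadata.
    plan = SizingInput(users=200, days=250, dual_monitor_fraction=1 / 3, images_in_sql=False)
    for key, value in estimate_storage_gb(plan).items():
        print(f"{key:>17}: {value:.1f}" if isinstance(value, float) else f"{key:>17}: {value}")
```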
OBSERVEIT DATABASE SERVER
The ObserveIT Database – Database Security:
• When enabling DB Security, the data is digitally signed and encrypted when it is stored in the database.
• A watermark is displayed on each slide.
• Access to the data is limited by permissions defined within the Web Management Console.
• Encryption via certificate can be enabled to secure data both at rest and in transit.
• Screen captures are stored in a SQL database or on a file system.
  • They are encrypted with a Rijndael 256-bit key (AES encryption).
  • To protect this key, it is encrypted with a 2048-bit X.509 certificate (with an RSA encryption key).
• Tip: ObserveIT stores all data inside SQL databases. By utilizing your existing backup solution you can easily back up your SQL Server, and thus protect your ObserveIT data and configuration.
OBSERVEIT WEB CONSOLE SERVER
OBSERVEIT WEB CONSOLE
The ObserveIT Web Console – Main tasks:
The Web Console provides ObserveIT's web-based user interface. Reporting, analytics, alerting, user session playback and configuration management are all performed via the Web Console. A single Web Console is deployed per ObserveIT deployment.
• Web Console main tasks:
  • Replay sessions
  • Search, report, and alert
  • Configuration
• ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS).
• Granular permissions can be granted so that specific ObserveIT Administrators (called Console Users) can only view data recorded on specific servers or for specific users.
• Access to the Web Management Console is audited.
• It is the only way to access the information stored in the ObserveIT Database.
OBSERVEIT WEB CONSOLE
The Web Console Server – minimum system requirements:
Hardware Requirements
• Operating system: Windows Server 2008 and higher
• CPU: 4-8 cores
• RAM: 8-16 GB
• Hard disk: 80 GB
• Machine can be virtual if all performance issues are taken into consideration.
Supported Browsers
• Internet Explorer (IE) – 9, 10, and 11
• Mozilla Firefox – 31 and higher
• Google Chrome – 36 and higher
Software Requirements
• Microsoft Windows Server 2008/2008 R2/2012/2012 R2 (it is recommended that you always use the latest Service Pack for your operating system). Both 32-bit and 64-bit versions are supported.
• Microsoft Internet Information Server (IIS) 6.0 or higher with ASP.NET (version depends on the version of Windows Server that you're using)
• .NET Framework (version 3.5 must always be installed).
OBSERVEIT CUSTOM INSTALLATION