What is new in BalaBit Shell Control Box 4 LTS




October 12, 2015
Copyright 1996-2015 BalaBit SA

Table of Contents

1. Preface
   1.1. Versions and releases of SCB
2. Changes specific to 4.0.6
3. Changes specific to 4.0.4
4. Changes specific to 4.0.2
5. New Citrix versions and real-time alerting
6. New OCR engine
7. Internal, on-box indexer
8. New web-based search interface
9. Integrating ticketing systems
10. New virtual appliance
11. New hardware appliance
12. New RDP versions
13. Connection database changes
14. Improved integration with Lieberman ERPM
15. General improvements and changes
16. The Audit Player
17. New documentation format

1. Preface

Welcome to BalaBit Shell Control Box (SCB) version 4 LTS and thank you for choosing our product. This document describes the new features and most important changes since the latest release of SCB. The main aim of this paper is to aid system administrators in planning the migration to the new version of SCB.

The following sections describe the news and highlights of SCB 4 LTS.

This document covers the BalaBit Shell Control Box 4 LTS and Audit Player 2014.2 products.

1.1. Versions and releases of SCB

As of June 2011, the following release policy applies to BalaBit Shell Control Box:

- Long Term Supported or LTS releases (for example, SCB 4 LTS) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, SCB 4.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.
- Feature releases (for example, SCB 4 F1) are supported for 6 months after their original publication date and for 2 months after the succeeding Feature or LTS release is published (whichever date is later). Feature releases contain enhancements and new features, presumably 1-3 new features per release. Only the last feature release is supported (for example, when a new feature release comes out, the last one becomes unsupported within two months).

For a full description of stable and feature releases, see Stable and feature releases.

Warning: Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 4.0) to a feature release (4.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 5.0) is published.

2. Changes specific to 4.0.6

- SCB now integrates with BalaBit Blindspotter.
- This release adds ticketing support for the Remote Desktop (RDP) protocol.

3. Changes specific to 4.0.4

- You can configure a message for users accessing SCB for inband authentication. The message is displayed when they log in to SCB.
- You can configure the signing interval for audit trail signing and timestamping.

4. Changes specific to 4.0.2

If indexing is enabled for a connection that existed before upgrading to 4.0.2, and that connection already has audit trails, those trails will also be indexed. Audit trails recorded after upgrading to 4.0.2 are not affected.

5. New Citrix versions and real-time alerting

SCB 4 LTS adds support for the latest Citrix ICA protocol versions in order to control and audit more remote access types. With this release, SCB covers mobile technologies like access to Windows applications from tablets and smartphones.

SCB 4 LTS supports the following new Citrix client versions: Online plugin 13 and 14.

SCB 4 LTS supports the following new Citrix server versions: XenApp 6.5 on Windows 2008 R2, XenDesktop 7.0 on Windows 2008 R2, Receiver for Windows 4.1, Receiver for Linux 13.0.

In this release, SCB continues to extend its brand-new real-time alerting feature. SCB can monitor the user activity in Citrix ICA sessions, detecting application start-up or any window appearing on the screen. SCB can terminate or block connections that violate the user-configured rules, and can also send alerts in such cases. This functionality can prevent malicious user activities as they happen, instead of just recording or reporting them.

6. New OCR engine

SCB can extract the text content from graphical protocols like RDP, Citrix ICA, and VNC, to make searching the content of these sessions possible via the user interface. Until now, SCB had support only for Latin characters. To improve the accuracy and the language coverage of character recognition in graphical protocols like RDP, Citrix ICA, and VNC, SCB 4 LTS uses a new Optical Character Recognition (OCR) engine. The new engine supports languages based on the Latin, Greek, and Cyrillic alphabets, as well as Chinese, Japanese, and Korean languages. That way, SCB can recognize texts from graphical audit trails in 100+ languages.

Note that real-time alerting and indexing using the Audit Player use the old OCR engine.

Figure 1. Search results displayed for an RDP connection running a browser

Recognizing and OCR-ing CJK (Chinese, Japanese, and Korean) languages must be licensed separately.

7. Internal, on-box indexer

Earlier SCB versions used an indexer based on the Audit Player application that required an external server running Microsoft Windows. This functionality is now available on the SCB appliance, without requiring external servers. In addition, the new indexer service provides improved searching and reporting capabilities over the recorded sessions, with more in-depth intelligence on the user activity.

The improved searching abilities provide easier post-mortem incident analysis, as auditors can access detailed search results, for example, hits with precise timestamps or screenshots that contain the searched expression. The new full-text searching capabilities provide search results ranked by relevance, many powerful query types, and support for non-Latin characters.

Figure 2. Search results ranked by relevance

Note that to create reports from audit trail content using the internal indexer, full-text indexing must be configured. For details, see Section 15.3, Indexing and reporting on audit-trail content in The BalaBit Shell Control Box 4 LTS Administrator Guide.

8. New web-based search interface

To give you more insight, a quick overview, and the ability to interact with the audit trails, SCB 4 LTS provides a brand-new audit trail pop-up window. This window displays relevant information about the audit trail, for example, the username or the IP address of the destination server, the list of real-time alerts triggered by the session, as well as the extracted window titles (for graphical protocols) and the commands (for terminal connections).

For indexed trails, you can search the contents of the trails: SCB displays the timestamped list of results and the respective screenshots for the matching audit trails. Once you find an interesting audit trail, you can easily refine your search in the specific audit trail.

Figure 3. Search results for terminal sessions

For details, see Section 15.3, Indexing and reporting on audit-trail content in The BalaBit Shell Control Box 4 LTS Administrator Guide.

9. Integrating ticketing systems

SCB 4 LTS provides a plugin framework to integrate SCB to external ticketing (or issue tracking) systems, allowing you to request a ticket ID from the user before authenticating on the target server. That way, SCB can verify that the user has a valid reason to access the server and optionally terminate the connection if he does not. Requesting a ticket ID currently supports the following protocols:

- Secure Shell (SSH)
- Remote Desktop Protocol (RDP)
- TELNET
- TN3270

To request a plugin that interoperates with your ticketing system, contact the BalaBit Support Team.

For details on configuring SCB to use a plugin, see Section 17.5, Integrating ticketing systems in The BalaBit Shell Control Box 4 LTS Administrator Guide.

10. New virtual appliance

The SCB Virtual Appliance is now officially supported on Microsoft Hyper-V. For details, see Appendix G, BalaBit Shell Control Box Hyper-V Installation Guide in The BalaBit Shell Control Box 4 LTS Administrator Guide.

11. New hardware appliance

BalaBit Shell Control Box 4 LTS supports new, improved hardware appliances that provide more computing power and increased I/O speed to meet your increasing auditing and processing needs. Every SCB delivered after June 30, 2014 will be shipped on the new hardware. If you have bought SCB earlier and would like to buy a new appliance, contact your local BalaBit distributor, or directly <sales@balabit.com>.

The following table summarizes the specification of the new appliances.

| Product  | Redundant PSU | Processor                                | Memory   | Capacity  | RAID                          | IPMI |
|----------|---------------|------------------------------------------|----------|-----------|-------------------------------|------|
| SCB T-1  | No            | Intel(R) Xeon(R) X3430 @ 2.40GHz         | 2 x 4 GB | 2 x 1 TB  | Software RAID                 | Yes  |
| SCB T-4  | Yes           | Intel(R) Xeon(R) E3-1275V2 @ 3.50GHz     | 2 x 4 GB | 4 x 2 TB  | LSI MegaRAID SAS 9271-4i SGL  | Yes  |
| SCB T-10 | Yes           | 2 x Intel(R) Xeon(R) E5-2630V2 @ 2.6GHz  | 8 x 4 GB | 13 x 1 TB | LSI 2208 (1GB cache)          | Yes  |

Table 1. Hardware specifications

12. New RDP versions

SCB 4 LTS adds support for the RDP client and server applications of the Windows 2012R2 and Windows 8.1 platforms.

13. Connection database changes

As part of introducing the new indexer engine, the connection database that stores metadata and other information about the recorded sessions has been updated. If you use the SCB RPC API to access such data, or have custom SQL queries configured for custom reports, review Section 18.4, Database tables available for custom queries in The BalaBit Shell Control Box 4 LTS Administrator Guide to check if the new database structure affects your use case.

14. Improved integration with Lieberman ERPM

SCB now supports scenarios when your Lieberman Enterprise Random Password Manager (ERPM) uses an external authentication method. For details, see Procedure 17.4.5, Using Lieberman ERPM to authenticate on the target hosts in The BalaBit Shell Control Box 4 LTS Administrator Guide.

15. General improvements and changes

- Bridge mode is deprecated. It is fully supported in SCB 4 LTS, but will be removed from SCB in an upcoming feature release. Do not use SCB in bridge mode unless you absolutely must.
- Earlier versions of the SCB RPC API are not supported in this release. To access SCB via the RPC API, make sure that your application is compatible with the current API version. For details, see the on-box API documentation at https://<ip-address-of-scb>/rpc.php/<techversion>?wsdl.
- It is now possible to encrypt only the upstream direction of the audited connections. That way, the contents of the connection can be freely accessed and replayed without using a decryption key, but the sensitive upstream data (most commonly, login passwords) is not displayed.
- It is not required to manually decompress the license file. Compressed licenses (for example, .zip archives) can also be uploaded.
- In the SCB connection database, the connection_commands view has been renamed to connection_events, and the commands table has been renamed to events. For graphical connections, it contains the window titles detected in the connection.
- The SCB web interface supports the following browsers: Mozilla Firefox 28.0 or newer and Microsoft Internet Explorer 9. The browser must support HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.
- The Audit trail rate limit option has been removed from the product.

For details on the fixed issues, see our issue tracking page.

16. The Audit Player

This section describes the main changes of the Audit Player version 2014.2 application.

For details on the fixed issues, see our issue tracking page.

17. New documentation format

The multi-page HTML documentation of SCB 4 LTS uses a new format:

- The Contents is visible on every page, making it easier to navigate the documents.
- You can search the entire document using the Search tab on the sidepane, making it easier and faster to find what you are looking for.
- Code examples are syntax-highlighted.
- Every page has a download link to the PDF format of the document.
- You can comment on every page to provide us feedback, ask questions about the documentation, or get in touch with us with your BalaBit Shell Control Box related questions.

Figure 4. The new documentation format