What is new in BalaBit Shell Control Box 4 LTS
October 09, 2014
Copyright © 1996-2014 BalaBit S.a.r.l.
Table of Contents
1. Preface
1.1. Versions and releases of SCB
2. Changes specific to 4.0.2
3. New Citrix versions and real-time alerting
4. New OCR engine
5. Internal, on-box indexer
6. New web-based search interface
7. Integrating ticketing systems
8. New virtual appliance
9. New hardware appliance
10. New RDP versions
11. Connection database changes
12. Improved integration with Lieberman ERPM
13. General improvements and changes
14. The Audit Player
15. New documentation format
1. Preface
Welcome to BalaBit Shell Control Box (SCB) version 4 LTS and thank you for choosing our product. This
document describes the new features and most important changes since the latest release of SCB. The main
aim of this paper is to aid system administrators in planning the migration to the new version of SCB. The
following sections describe the news and highlights of SCB 4 LTS.
This document covers the BalaBit Shell Control Box 4 LTS and Audit Player 2014.2 products.
1.1. Versions and releases of SCB
As of June 2011, the following release policy applies to BalaBit Shell Control Box:
■ Long Term Supported or LTS releases (for example, SCB 4 LTS) are supported for 3 years after
their original publication date and for 1 year after the next LTS release is published (whichever date
is later). The second digit of the revisions of such releases is 0 (for example, SCB 4.0.1). Maintenance
releases to LTS releases contain only bugfixes and security updates.
■ Feature releases (for example, SCB 4 F1) are supported for 6 months after their original publication
date and for 2 months after the succeeding Feature or LTS Release is published (whichever date is later).
Feature releases contain enhancements and new features, presumably 1-3 new features per release.
Only the last feature release is supported (for example, when a new feature release comes out, the
last one becomes unsupported within two months).
For a full description of stable and feature releases, see Stable and feature releases.
Warning
Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 4.0) to a feature
release (4.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 5.0) is
published.
2. Changes specific to 4.0.2
If indexing is enabled for a connection that existed before upgrading to 4.0.2, and that connection already has
audit trails, those trails will also be indexed. Audit trails recorded after upgrading to 4.0.2 are not affected.
3. New Citrix versions and real-time alerting
SCB 4 LTS adds support for the latest Citrix ICA protocol versions in order to control and audit more remote
access types. With this release, SCB covers mobile technologies like access to Windows applications from
tablets and smartphones.
■ SCB 4 LTS supports the following new Citrix client versions: Online plugin 13 and 14.
■ SCB 4 LTS supports the following new Citrix server versions: XenApp 6.5 on Windows 2008 R2,
XenDesktop 7.0 on Windows 2008 R2, Receiver for Windows 4.1, Receiver for Linux 13.0
In this release, SCB continues to extend its brand-new real-time alerting feature. SCB can monitor the user
activity in Citrix ICA sessions, detecting application start-up or any window appearing on the screen. SCB can
terminate or block connections that violate the user-configured rules, and can also send alerts in such cases.
This functionality can prevent malicious user-activities as they happen, instead of just recording or reporting
them.
4. New OCR engine
SCB can extract the text content from graphical protocols like RDP, Citrix ICA, and VNC, to make searching
the content of these sessions possible via the user interface. Until now, SCB had support only for Latin characters.
To improve the accuracy and the language coverage of character recognition in graphical protocols like RDP,
Citrix ICA, and VNC, SCB 4 LTS uses a new Optical-Character-Recognition (OCR) engine. The new engine
supports languages based on the Latin-, Greek- and Cyrillic alphabets, as well as Chinese, Japanese and Korean
languages. That way, SCB can recognize texts from graphical audit trails in 100+ languages.
Note that real-time alerting and indexing using the Audit Player uses the old OCR engine.
Figure 1. Search results displayed for an RDP connection running a browser
Recognizing and OCR-ing CJK (Chinese, Japanese and Korean) languages must be licensed separately.
5. Internal, on-box indexer
Earlier SCB versions used an indexer based on the Audit Player application that required an external server
running Microsoft Windows. This functionality is now available on the SCB appliance, without requiring
external servers. In addition, the new indexer service provides improved searching and reporting capabilities
over the recorded sessions, with more in-depth intelligence on the user activity.
The improved searching abilities provide easier post-mortem incident analysis, as auditors can access detailed
search results, for example, hits with precise timestamps or screenshots that contain the searched expression.
The new full-text searching capabilities provide search results ranked by relevance, many powerful query types,
and support for non-Latin characters.
Figure 2. Search results ranked by relevance
Note that to create reports from audit trail content using the internal indexer, full-text indexing must be configured.
For details, see Section 15.6, Indexing and reporting on audit-trail content in The BalaBit Shell Control Box 4
LTS Administrator Guide.
6. New web-based search interface
To give you more insight, a quick overview, and the ability to interact with the audit trails, SCB 4 LTS provides
a brand-new audit trail pop-up window. This window displays relevant information about the audit trail, for
example, the username or the IP address of the destination server, the list of real-time alerts triggered by the
session, as well as the extracted window titles (for graphical protocols) and the commands (for terminal
connections).
For indexed trails, you can search the contents of the trails: SCB displays the timestamped list of results and
the respective screenshots for the matching audit trails. Once you find an interesting audit trail, you can easily
refine your search in the specific audit trail.
Figure 3. Search results for terminal sessions
For details, see Section 15.6, Indexing and reporting on audit-trail content in The BalaBit Shell Control Box 4
LTS Administrator Guide.
7. Integrating ticketing systems
SCB 4 LTS provides a plugin framework to integrate SCB to external ticketing (or issue tracking) systems,
allowing you to request a ticket ID from the user before authenticating on the target server. That way, SCB can
verify that the user has a valid reason to access the server — and optionally terminate the connection if he does
not. Requesting a ticket ID currently supports the following protocols:
■ Secure Shell (SSH)
■ TELNET
■ TN3270
■ To request a plugin that interoperates with your ticketing system, contact the BalaBit Support Team.
■ For details on configuring SCB to use a plugin, see Section 17.5, Integrating ticketing systems in
The BalaBit Shell Control Box 4 LTS Administrator Guide.
8. New virtual appliance
The SCB Virtual Appliance is now officially supported on Microsoft Hyper-V. For details, see Appendix G,
BalaBit Shell Control Box Hyper-V Installation Guide in The BalaBit Shell Control Box 4 LTS Administrator
Guide.
9. New hardware appliance
BalaBit Shell Control Box 4 LTS supports new, improved hardware appliances that provide more computing
power and increased I/O speed to meet your increasing auditing and processing needs. Every SCB delivered
after June 30, 2014 will be shipped on the new hardware. If you have bought SCB earlier and would like to
buy a new appliance, contact your local BalaBit distributor, or directly <[email protected]>. The following
table summarizes the specification of the new appliances.
Product | Redundant PSU | Processor | Memory | Capacity | RAID | IPMI
SCB T-1 | No | Intel(R) Xeon(R) X3430 @ 2.40GHz | 2 x 4 GB | 2 x 1 TB | Software RAID | Yes
SCB T-4 | Yes | Intel(R) Xeon(R) E3-1275V2 @ 3.50GHz | 2 x 4 GB | 4 x 2 TB | LSI MegaRAID SAS 9271-4i SGL | Yes
SCB T-10 | Yes | 2 x Intel(R) Xeon(R) E5-2630V2 @ 2.6GHz | 8 x 4 GB | 13 x 1 TB | LSI 2208 (1GB cache) | Yes
Table 1. Hardware specifications
10. New RDP versions
SCB 4 LTS adds support for the RDP client and server applications of the Windows 2012R2 and Windows 8.1
platforms.
11. Connection database changes
As part of introducing the new indexer engine, the connection database that stores metadata and other information
about the recorded sessions has been updated. If you use the SCB RPC API to access such data, or have custom
SQL queries configured for custom reports, review Section 15.5, Database tables available for custom
queries in The BalaBit Shell Control Box 4 LTS Administrator Guide to check if the new database structure
affects your use case.
12. Improved integration with Lieberman ERPM
■ SCB now supports scenarios when your Lieberman Enterprise Random Password Manager (ERPM)
uses an external authentication method. For details, see Procedure 17.4.5, Using Lieberman ERPM
to authenticate on the target hosts in The BalaBit Shell Control Box 4 LTS Administrator Guide.
13. General improvements and changes
■ Bridge mode is deprecated. It is fully supported in SCB 4 LTS, but will be removed from SCB in
an upcoming feature release. Do not use SCB in bridge mode unless you absolutely must.
■ Earlier versions of the SCB RPC API are not supported in this release. To access SCB via the RPC
API, make sure that your application is compatible with the current API version. For details, see the
on-box API documentation at https://<ip-address-of-SCB>/rpc.php/<techversion>?wsdl.
■ It is now possible to encrypt only the upstream direction of the audited connections. That way, the
contents of the connection can be freely accessed and replayed without using a decryption key, but
the sensitive upstream data (most commonly, login passwords) is not displayed.
■ It is not required to manually decompress the license file. Compressed licenses (for example .zip
archives) can also be uploaded.
■ In the SCB connection database, the connection_commands view has been renamed to
connection_events, and the commands table has been renamed to events. For graphical
connections, it contains the window titles detected in the connection.
■ The SCB web interface supports the following browsers: Mozilla Firefox 28.0 or newer and Microsoft
Internet Explorer 9. The browser must support HTTPS connections, JavaScript, and cookies. Make
sure that both JavaScript and cookies are enabled.
■ The Audit trail rate limit option has been removed from the product.
■ For details on the fixed issues see our issue tracking page.
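A review aid for the connection database rename listed above (see also section 11), added here as an example and not BalaBit code: it flags the old names connection_commands and commands in custom report queries while ignoring SQL comments and string literals. The sample queries, including the my_sessions table, are constructed placeholders; a hit only marks a query for review against Section 15.5 of the Administrator Guide.

```python
import re

# Renames stated in the release notes (old name -> new name).
RENAMED = {"connection_commands": "connection_events", "commands": "events"}

# SQL comments and single-quoted string literals; names inside them are ignored.
_NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)
_OLD_NAME = re.compile(r"\b(" + "|".join(RENAMED) + r")\b", re.I)


def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group())


def find_renamed(sql):
    """Return [(line_no, old_name, new_name)] for each old identifier in sql."""
    cleaned = _NOISE.sub(_blank, sql)
    hits = []
    for m in _OLD_NAME.finditer(cleaned):
        line_no = cleaned.count("\n", 0, m.start()) + 1
        old = m.group(1).lower()
        hits.append((line_no, old, RENAMED[old]))
    return hits


def audit_queries(queries):
    """Map query name -> findings, listing only queries that need review."""
    report = {}
    for name, sql in queries.items():
        hits = find_renamed(sql)
        if hits:
            report[name] = hits
    return report


# Constructed sample report queries (placeholders, not the real SCB schema).
SAMPLE_QUERIES = {
    "commands_per_day": "SELECT count(*)\nFROM connection_commands -- old view\n",
    "raw_events": "SELECT count(*) FROM events",
    "label_only": "SELECT 'commands' AS label /* commands */ FROM events",
    "joined": "SELECT count(*)\nFROM my_sessions s\nCROSS JOIN commands c",
}

if __name__ == "__main__":
    for name, hits in audit_queries(SAMPLE_QUERIES).items():
        for line_no, old, new in hits:
            print(f"{name}: line {line_no}: {old} is now {new}")
```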
14. The Audit Player
This section describes the main changes of the Audit Player version 2014.2 application.
■ For details on the fixed issues see our issue tracking page.
15. New documentation format
The multi-page HTML documentation of SCB 4 LTS uses a new format:
■ The Contents is visible on every page, making it easier to navigate the documents.
■ You can search the entire document using the Search tab on the sidepane, making it easier and faster
to find what you are looking for.
■ Code examples are syntax-highlighted.
■ Every page has a download link to the PDF format of the document.
■ You can comment on every page to provide us feedback, ask questions about the documentation, or
get in touch with us with your BalaBit Shell Control Box related questions.
Figure 4. The new documentation format