Audit Reporting in Shell Control Box

Published on 20 November 2015

Shell Control Box (SCB), Balabit’s privileged user monitoring appliance, features a comprehensive reporting system, which receives unfairly little attention. SCB users can generate varied reports which support compliance needs, security operations and decision making processes. In this post, I summarize SCB’s reporting capabilities and their benefits for users.

SCB periodically creates reports on the activity of the privileged users, its system information, as well as the processed traffic. In addition, you can use the connection database for creating custom reports from connection statistics. These reports are available in PDF format. The reports can be sent to predefined e-mail addresses. Important to note that SCB is a host-independent security appliance and the access to the reports can be granularly controlled. To prevent manipulation and provide reliable information for the audit reporting, SCB timestamps, encrypts and signs all audit trails. This prevents anyone from modifying the audited information – not even the administrator of SCB can tamper the encrypted data (and reports).

1. Content Reports

SCB can execute searches and generate reports automatically for every new audit trail contents. These content reports provide detailed documentation about privileged users activity on remote IT systems. Reports include, but not limited to:

  • Usernames,
  • Address of the source & destination hosts,
  • TOP10 most used commands,
  • TOP10 least used commands,
  • Privilege escalations,
  • Password changes, etc.

Reports can be generated for fixed periods:

  • Daily reports,
  • Weekly reports,
  • Monthly reports,

The content reports provide valuable information in case of post-mortem incident investigation or regular security checks.

2. Operational Reports

The operational reports of SCB contain the following information:

  • Configuration changes: SCB creates reports from the configuration changes. The details and descriptions of the modifications are searchable and can be browsed from the web interface, simplifying the auditing of SCB. The report lists the number of SCB configuration changes per page and per user. The frequency of the configuration changes is also displayed on a chart.
  • Main reports: Contains statistics about the total traffic that passed SCB, including the number of sessions that passed for every connection policy, the used usernames, clients, and servers, and so on.
  • Reports by connection: Contains separate statistics about every connection policy configured on SCB.
  • System health information: Displays information about the file-system and network use of SCB, as well as the average load.

Operational reports can be useful in supporting internal/external audits or supporting daily IT operations.

SCB Operational Report Sample 1.

SCB Operational Report Sample 1.


SCB Operational Report Sample 2.

SCB Operational Report Sample 2.

3. PCI DSS Reports

To help you comply with the regulations of the PCI DSS, SCB can generate reports on the compliance status of SCB. It is a tool to enhance and complement your compliance report by providing information available in SCB. The report corresponds with the document “Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.0”. Presenting an independent, tamper-proof compliance report for a PCI DSS audit can impress the auditors and increase your chance of passing the audit. (ISO 27001 reports are also arriving soon…)

Sample of SCB PCI DSS report

Sample of SCB PCI DSS report

4. Custom reports

There can be cases where pre-defined reports can’t fulfill the user needs. That’s why SCB supports the creation of custom reports and statistics, including user-created statistics and charts based on search results, the contents of audit trails, and other customizable content. The following sources (statistics or other queries) are available as reporting sub-chapters:

  • The indexed contents of audit trails,
  • The statistics of an audit trail search,
  • Statistics of the occurrences of the search keywords, as well as screenshots from the audit trail.
  • Custom queries of the connection database – you can create statistics from any custom SQL-queries from the SCB connection database:


The following query generates a list of audit trail downloads within the reported interval, excluding administrator downloads:

from audit_trail_downloads,
where channels._connection_channel_id =
and audit_trail_downloads.download_time <= :range_start
and audit_trail_downloads.download_time > :range_end
and audit_trail_downloads.username != 'admin'
order by audit_trail_downloads.download_time;

Learn more on configuring SCB reports here.

by Gabor Marosvar

share this article
Mitigate against privileged account risks
Get in touch

Recent Resources

Audit Reporting in Shell Control Box

Shell Control Box (SCB), Balabit' privileged u er monitoring appliance, feature  a comprehen ive reporting y tem, which...

Best Practice for Incident Forensics

Today ecurity incident are a que tion of when, not if: every company, mall and large, face the threat of being a...

Calibrating anomaly scores

In thi blog po t, we are going to di cu how to calibrate anomaly core to make ure that the core are tru ted...

“Lorem ipsum dolor sit amet, consectetur adipisicing elit. Sint minima earum velit, dolorem fuga impedit onsectetur adipisicing dolorem.”

– Lorem ipsum, Lorem ipsum