Privileged Users are users whose identities or credentials allow them to perform administrative functions on an IT asset.
Administrative functions performed by Privileged Users may include software or hardware installations, configuration changes, program execution, sensitive data exfiltration and much more.
Organizations choose to track Privileged User sessions primarily for forensic purposes, to satisfy regulatory requirements, and for training and research.
Whatever option or tool you choose, effective tracking of user activities requires a dedicated component such as a jump-box, with all Privileged sessions forced to pass through it. Several PAM (Privileged Account Management) systems have Privileged User session monitoring and recording built in.
For example, PSM (Privileged Session Manager) from CyberArk can record user sessions and feed the data to a threat analytics and analysis system for near real-time monitoring and alerting. User sessions that pass through PSM can be configured to be recorded in keystroke and/or video format.
If your organization uses a shared Privileged Account model, it is vital to monitor privileged user sessions for accountability and risk reduction. Also consider integrating critical systems with an enterprise SIEM (Security Information & Event Management) solution.
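
Session recording on the jump-box only covers sessions that actually pass through it, so it helps to check target-system logs for privileged logins that came from anywhere else. The following is an added example, not part of the original article or of any PAM product: it scans OpenSSH `sshd` log lines for successful privileged logins whose source is not the jump-box. The jump-box address, the account names and the log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed values for illustration: use your own jump-box addresses
# and privileged (including shared) account names.
JUMP_BOXES = [ipaddress.ip_network("10.0.5.10/32")]
PRIVILEGED_ACCOUNTS = {"root", "oracle", "svc_admin"}

# Successful OpenSSH login line: "Accepted <method> for <user> from <ip> port <n> ssh2"
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
Mar  3 09:14:02 db01 sshd[2211]: Accepted publickey for root from 10.0.5.10 port 51234 ssh2
Mar  3 09:20:45 db01 sshd[2290]: Accepted password for oracle from 10.0.8.77 port 40022 ssh2
Mar  3 09:31:10 web02 sshd[1187]: Accepted publickey for alice from 10.0.8.77 port 40110 ssh2
Mar  3 09:42:58 web02 sshd[1203]: Failed password for root from 10.0.9.3 port 55001 ssh2
Mar  3 10:05:31 app03 sshd[3120]: Accepted password for svc_admin from 192.168.40.12 port 60300 ssh2
"""


def from_jump_box(src):
    """Return True if src is a valid IP inside one of the jump-box networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as not the jump-box
    return any(addr in net for net in JUMP_BOXES)


def find_bypasses(log_text):
    """Return successful privileged logins that did not originate from a jump-box."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m or m["user"] not in PRIVILEGED_ACCOUNTS:
            continue  # failed logins and non-privileged users are out of scope here
        if not from_jump_box(m["src"]):
            findings.append({k: m[k] for k in ("ts", "host", "user", "src", "method")})
    return findings


if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print("ALERT privileged login bypassed jump-box: "
              "{ts} {host} {user} from {src} ({method})".format(**f))
```

The same rule can be expressed as a correlation rule in the SIEM once the target systems forward their authentication logs to it.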