
Interactive Remote Control — ATO Compliance Reference

NIST 800-53 control mapping, configuration model, and audit-trail reference for TATER's interactive remote control feature. Designed for inclusion in FedRAMP Moderate / DoD IL4 authorization packages and SOC 2 / ISO 27001 audit evidence.

Overview

TATER's interactive remote control feature lets a SuperAdmin or Admin user start a real-time WebRTC session to a managed endpoint. Phase 2 (shipped 2026-05-07) adds end-user consent prompts (PE-3), mouse/keyboard input injection, bidirectional clipboard sharing, multi-monitor selection, and session recording (AU-14) on top of the original view-only baseline. Capabilities are individually toggleable per session and gated on a 30-second fail-closed end-user consent dialog. Phase 2.1 will add file transfer, H.264/VP8 video encoding, private TURN relay support, and Wayland (Linux) input injection.

NIST 800-53 Control Mapping

The feature implements the following controls. Cite this section in the System Security Plan (SSP) and continuous monitoring artifacts.

Each control lists its implementation and the location of the audit evidence.

AC-17 Remote Access
  Implementation: Three-layer gating: (1) org master switch in TATER Manage → Endpoint Fleet → Remote Control Org Policy card; (2) per-device opt-in via remoteControlEnabled: true in agent config.json; (3) role gate — SuperAdmin or Admin only. All three must be true.
  Evidence location: Org switch: Settings.remoteControlEnabled. Per-device: agent config. Role: JWT validated by auth.ts.

AC-17(2) Cryptographic Protection
  Implementation: Mandatory DTLS encryption via WebRTC. The signaling layer (offer/answer/ICE) routes through the TATER API over HTTPS; the media plane is direct peer-to-peer with DTLS keying. Plaintext frames never traverse the wire.
  Evidence location: Pion/webrtc v4 enforces DTLS by protocol. SDP records key fingerprint in audit log.

AC-17(3) Managed Access Control Points
  Implementation: Signaling traffic is relayed only through TATER's API endpoints (POST /api/agents/{id}/rtc/sessions for create; POST /signal for offer/answer/ICE). Sessions are addressable only by signed sessionId; the agent rejects unsolicited peer attempts.
  Evidence location: API request logs. Cosmos AgentRtcSessions container.

AC-17(9) Disconnect / Disable Access
  Implementation: Hard caps enforced server-side and agent-side. Default maxSessionMinutes: 30 (configurable up to 240); idleTimeoutMinutes: 10 (configurable up to 60). Admin can manually end any session. Agent can refuse or terminate. Server timer also enforces the hard cap.
  Evidence location: Session record's maxSessionMinutes, idleTimeoutMinutes, endedAt, endReason.

AC-2 / AC-3 / AC-6 Authorization
  Implementation: Role check via authorize(user, ['Admin']) on every session-management endpoint. Both SuperAdmin (cross-org) and Admin (org-scoped) have access; Auditor / Viewer / ServiceProvider do not.
  Evidence location: Auth middleware in auth.ts; HTTP 403 on insufficient role.

AU-2 / AU-12 Audit Events
  Implementation: Every session lifecycle transition is audit-logged: create, state change (Pending → Negotiating → Connected → Ended/TimedOut/Failed), and delete. Each entry captures admin oid, deviceId, hostname, transition, duration, end reason, and ATO flag set.
  Evidence location: TATER Activity Log filtered by entityType=AgentRtcSession.

AU-14 Session Audit
  Implementation: Optional session recording at ~0.5 fps (every 10th frame). JPEG frames stored encrypted at rest in Cosmos AgentRtcRecordingFrames, partitioned by tenant, with 30-day TTL. Playback timeline available in the Manage UI → Devices → Recording. Recording start fires a dedicated recording-started audit log entry. Off by default; toggleable per session.
  Evidence location: Phase 2 (shipped). Schema: recordingEnabled, recordingFrameCount.

CM-7 Least Functionality
  Implementation: Off by default at every level. Org master switch defaults to false. Per-device flag defaults to false. Input injection, clipboard, and recording are individually toggleable per session and each require explicit consent. Phase 2 capabilities (input/clipboard/recording) all default to false unless the admin explicitly enables them at session start.
  Evidence location: Defaults documented in config.go and agentRtcSessions.ts.

PE-3 Physical Access (User Consent)
  Implementation: The agent displays a native consent dialog on the endpoint listing every capability the admin requested (view, input, clipboard, recording) and the admin's identity. The user must Allow within 30 seconds — no response or Deny is treated as fail-closed (denied). Implementations: PowerShell System.Windows.Forms.MessageBox on Windows, osascript display dialog on macOS, zenity / kdialog / xmessage on Linux. Both grant and timeout-deny outcomes fire dedicated audit log entries.
  Evidence location: Phase 2 (shipped). Schema fields: consentObtainedAt, consentMethod (in-session-prompt / timeout-denied).

IA-2 / IA-2(1) Identification & Authentication, MFA
  Implementation: MFA is enforced at the TATER application layer via Microsoft Entra ID Conditional Access. Admin role assignment + MFA-protected sign-in are prerequisites for any session creation.
  Evidence location: Entra ID CA policies (customer-controlled). Audit log entries include the admin's authenticated oid.

AT-3 Role-Based Training
  Implementation: This documentation page surfaces the audit trail format and operational behavior for privileged users. Customers should reference it in their internal training program.
  Evidence location: This page + Activity Log filter walkthrough.
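The PE-3 row describes a fail-closed consent gate: only an explicit Allow within 30 seconds grants the session, and both the grant and the timeout-deny fire their own audit entries. The Go program below is an added illustration of that logic, not TATER's agent code: the platform dialog (MessageBox, osascript, zenity) is replaced by a channel that such a dialog would feed, the audit event names are assumed, and the consentMethod values are the two the page lists.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ConsentResponse is what the native dialog reports back. The zero value also
// covers a closed channel, so anything except an explicit Allow fails closed.
type ConsentResponse int

const (
	ConsentNone  ConsentResponse = iota // no answer yet
	ConsentAllow                        // user clicked Allow
	ConsentDeny                         // user clicked Deny
)

// Timeout from the PE-3 row; tests pass a shorter value.
const defaultConsentTimeout = 30 * time.Second

// ConsentResult carries the session-record fields the page names
// (consentObtainedAt, consentMethod) plus the audit event the outcome fires.
type ConsentResult struct {
	Granted    bool
	Method     string    // "in-session-prompt" or "timeout-denied"
	ObtainedAt time.Time // consentObtainedAt; zero unless Granted
	AuditEvent string    // assumed event name for this example
}

// promptText lists every requested capability and the admin's identity,
// which is what the page says the dialog must show.
func promptText(admin string, capabilities []string) string {
	return fmt.Sprintf("%s requests remote control of this device with: %s. Allow within 30 seconds?",
		admin, strings.Join(capabilities, ", "))
}

// awaitConsent returns as soon as the user answers or the timeout elapses.
// Deny, a closed channel, or silence all produce a denied result.
func awaitConsent(answer <-chan ConsentResponse, timeout time.Duration, now func() time.Time) ConsentResult {
	select {
	case r := <-answer:
		if r == ConsentAllow {
			return ConsentResult{Granted: true, Method: "in-session-prompt", ObtainedAt: now(), AuditEvent: "remote-control-consent-granted"}
		}
		return ConsentResult{Method: "in-session-prompt", AuditEvent: "remote-control-consent-denied"}
	case <-time.After(timeout):
		return ConsentResult{Method: "timeout-denied", AuditEvent: "remote-control-consent-timeout-denied"}
	}
}

func main() {
	fmt.Println(promptText("admin@example.com", []string{"view", "input", "clipboard", "recording"}))

	// A user who clicks Allow after 100 ms.
	answer := make(chan ConsentResponse, 1)
	go func() { time.Sleep(100 * time.Millisecond); answer <- ConsentAllow }()
	fmt.Printf("%+v\n", awaitConsent(answer, defaultConsentTimeout, time.Now))

	// A dialog nobody answers; the timeout is shortened so the demo does not wait 30 s.
	fmt.Printf("%+v\n", awaitConsent(make(chan ConsentResponse), 200*time.Millisecond, time.Now))
}
```

The `now` parameter exists so a caller can record a deterministic consentObtainedAt in tests; in the agent it would be `time.Now`.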

Enabling Remote Control for Your Organization

Step 1 — Org Master Switch

SuperAdmin or Admin opens TATER Manage → Endpoint Fleet. The "Remote Control Org Policy" card at the top shows the current state. Click Enable and confirm the dialog. The toggle persists in the Settings Cosmos document as remoteControlEnabled: true. This is your AC-17 / CM-7 master switch.

Step 2 — Per-Device Opt-In

For each endpoint that should accept remote-control sessions, edit the agent's config.json:

{
  "apiBase": "https://api.tatersecurity.com/api",
  "apiKey": "...",
  "tenantId": "...",
  "organizationId": "...",
  "remoteControlEnabled": true,
  "remoteControlMaxSessionMinutes": 30,
  "remoteControlIdleTimeoutMinutes": 10,
  "remoteControlFrameRate": 5
}

Restart the agent (or wait for the next config reload). The agent will then start polling the API for sessions.

Step 3 — Starting a Session

In TATER Manage → Endpoint Fleet, click the 🖥 Remote button on any device row. Configure session limits in the modal (max minutes, idle timeout). Click Start Session. The agent will receive the request, open a Pion/webrtc peer connection, and start streaming JPEG frames at 5 fps over the data channel. The admin browser displays them on a canvas element.
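The three steps above correspond to the three gating layers in the AC-17 row (org switch, device opt-in, role), and the config.json keys in Step 2 carry the AC-17(9) caps. The Go program below is an added example of how an agent can load that file so that a missing key leaves remote control off (CM-7) and configured limits never exceed the documented ceilings (240 and 60 minutes), followed by the gate that ANDs all three layers. It is not TATER's config.go or auth.ts; the struct, the clamping rules and the constructed sample config are this example's, and the sample deliberately sets an out-of-range max session value to show the clamp.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// agentConfig holds the remote-control keys of config.json as documented above.
// Key names are the page's; the struct itself is an added illustration.
type agentConfig struct {
	RemoteControlEnabled            bool `json:"remoteControlEnabled"`
	RemoteControlMaxSessionMinutes  int  `json:"remoteControlMaxSessionMinutes"`
	RemoteControlIdleTimeoutMinutes int  `json:"remoteControlIdleTimeoutMinutes"`
	RemoteControlFrameRate          int  `json:"remoteControlFrameRate"`
}

// Defaults and ceilings from the AC-17(9) row and Step 3.
const (
	defaultMaxSessionMinutes  = 30
	ceilingMaxSessionMinutes  = 240
	defaultIdleTimeoutMinutes = 10
	ceilingIdleTimeoutMinutes = 60
	defaultFrameRate          = 5
)

// clampOrDefault substitutes the default for unset or invalid values and
// never lets a configured value exceed the documented ceiling.
func clampOrDefault(v, def, ceiling int) int {
	if v <= 0 {
		return def
	}
	if v > ceiling {
		return ceiling
	}
	return v
}

// loadAgentConfig parses config.json. A missing remoteControlEnabled key
// decodes to false, so a device that never opted in stays opted out.
func loadAgentConfig(raw []byte) (agentConfig, error) {
	var c agentConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return agentConfig{}, fmt.Errorf("config.json: %w", err)
	}
	c.RemoteControlMaxSessionMinutes = clampOrDefault(c.RemoteControlMaxSessionMinutes, defaultMaxSessionMinutes, ceilingMaxSessionMinutes)
	c.RemoteControlIdleTimeoutMinutes = clampOrDefault(c.RemoteControlIdleTimeoutMinutes, defaultIdleTimeoutMinutes, ceilingIdleTimeoutMinutes)
	if c.RemoteControlFrameRate <= 0 {
		c.RemoteControlFrameRate = defaultFrameRate
	}
	return c, nil
}

// Roles the AC-2 / AC-3 / AC-6 row permits to manage sessions.
var sessionRoles = map[string]bool{"SuperAdmin": true, "Admin": true}

// sessionAllowed is the three-layer AC-17 gate: org switch, device opt-in and
// role must all be true; the first failing layer names the reason.
func sessionAllowed(orgEnabled bool, cfg agentConfig, role string) (bool, string) {
	switch {
	case !orgEnabled:
		return false, "org master switch is off"
	case !cfg.RemoteControlEnabled:
		return false, "device has not opted in"
	case !sessionRoles[role]:
		return false, "role " + role + " may not start sessions"
	}
	return true, "allowed"
}

// sampleConfig is constructed for this example; credentials are placeholders
// and the max-session value is above the 240-minute ceiling on purpose.
const sampleConfig = `{
  "apiBase": "https://api.tatersecurity.com/api",
  "apiKey": "API-KEY-PLACEHOLDER",
  "tenantId": "TENANT-PLACEHOLDER",
  "organizationId": "ORG-PLACEHOLDER",
  "remoteControlEnabled": true,
  "remoteControlMaxSessionMinutes": 300,
  "remoteControlIdleTimeoutMinutes": 10,
  "remoteControlFrameRate": 5
}`

func main() {
	cfg, err := loadAgentConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Printf("effective config: %+v\n", cfg)
	for _, role := range []string{"Admin", "Viewer"} {
		ok, why := sessionAllowed(true, cfg, role)
		fmt.Printf("role=%s allowed=%t (%s)\n", role, ok, why)
	}
}
```

Clamping rather than rejecting an over-limit value is a design choice: the device still comes up, but never with a longer session than the policy allows. An agent that preferred to refuse the whole file would return an error from loadAgentConfig instead.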

Auditing Sessions

Every session lifecycle event is logged. To audit:

  1. Open TATER → Activity Log
  2. Filter by entityType=AgentRtcSession
  3. Each entry shows: who created, which device, state transitions, total duration, end reason
  4. For SIEM forwarding, ensure your TATER SIEM integration is configured (Settings → SIEM); session events propagate via the standard CEF/webhook channel
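Once the session events reach a SIEM, the useful review is not reading each entry but correlating them per session: a session that reached Connected must have a preceding consent-granted entry (PE-3), and one that ended must have stayed within its own maxSessionMinutes (AC-17(9)). The Go program below is an added example of that correlation over a constructed newline-delimited JSON export; the key names and event names are this example's assumptions (the page specifies the fields captured, not the export format), and the entries, oids, device ids and end reasons are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// auditEntry is an assumed JSON shape for an Activity Log export. The field
// set follows the page (admin oid, deviceId, hostname, transition, duration,
// end reason, maxSessionMinutes); the key names are this example's.
type auditEntry struct {
	EntityType        string  `json:"entityType"`
	EntityID          string  `json:"entityId"`
	Event             string  `json:"event"`
	From              string  `json:"from"`
	To                string  `json:"to"`
	AdminOid          string  `json:"adminOid"`
	DeviceID          string  `json:"deviceId"`
	Hostname          string  `json:"hostname"`
	DurationMinutes   float64 `json:"durationMinutes"`
	EndReason         string  `json:"endReason"`
	MaxSessionMinutes int     `json:"maxSessionMinutes"`
}

// Finding is one review result for one session.
type Finding struct {
	SessionID string
	Reason    string
}

// reviewSessions reads entries in chronological order, keeps only
// entityType=AgentRtcSession (the same filter as the Activity Log UI), and
// reports sessions that reached Connected without a consent-granted entry or
// ended with a duration above the maxSessionMinutes recorded at creation.
func reviewSessions(export string) ([]Finding, error) {
	consented := map[string]bool{}
	limit := map[string]int{}
	var findings []Finding
	for n, line := range strings.Split(strings.TrimSpace(export), "\n") {
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if e.EntityType != "AgentRtcSession" {
			continue
		}
		switch e.Event {
		case "created":
			limit[e.EntityID] = e.MaxSessionMinutes
		case "consent-granted":
			consented[e.EntityID] = true
		case "state-changed":
			if e.To == "Connected" && !consented[e.EntityID] {
				findings = append(findings, Finding{e.EntityID, "reached Connected without a consent-granted entry"})
			}
			if (e.To == "Ended" || e.To == "TimedOut") && limit[e.EntityID] > 0 && e.DurationMinutes > float64(limit[e.EntityID]) {
				findings = append(findings, Finding{e.EntityID, fmt.Sprintf("duration %.0f min exceeds maxSessionMinutes %d (endReason=%s)",
					e.DurationMinutes, limit[e.EntityID], e.EndReason)})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].SessionID != findings[j].SessionID {
			return findings[i].SessionID < findings[j].SessionID
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings, nil
}

// sampleExport is constructed: one clean session, one that connected with no
// consent entry, one that outran its 30-minute cap, and an unrelated Device
// entry the filter must skip. Session ids follow the rtc-{32 hex} format.
const sampleExport = `
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd01","event":"created","adminOid":"oid-a","deviceId":"dev-1","hostname":"ws-01","maxSessionMinutes":30}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd01","event":"consent-granted","adminOid":"oid-a","deviceId":"dev-1","hostname":"ws-01"}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd01","event":"state-changed","from":"Negotiating","to":"Connected","adminOid":"oid-a","deviceId":"dev-1","hostname":"ws-01"}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd01","event":"state-changed","from":"Connected","to":"Ended","durationMinutes":12,"endReason":"admin-ended","adminOid":"oid-a","deviceId":"dev-1","hostname":"ws-01"}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd02","event":"created","adminOid":"oid-b","deviceId":"dev-2","hostname":"ws-02","maxSessionMinutes":30}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd02","event":"state-changed","from":"Negotiating","to":"Connected","adminOid":"oid-b","deviceId":"dev-2","hostname":"ws-02"}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd03","event":"created","adminOid":"oid-a","deviceId":"dev-3","hostname":"ws-03","maxSessionMinutes":30}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd03","event":"consent-granted","adminOid":"oid-a","deviceId":"dev-3","hostname":"ws-03"}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd03","event":"state-changed","from":"Negotiating","to":"Connected","adminOid":"oid-a","deviceId":"dev-3","hostname":"ws-03"}
{"entityType":"AgentRtcSession","entityId":"rtc-0123456789abcdef0123456789abcd03","event":"state-changed","from":"Connected","to":"TimedOut","durationMinutes":45,"endReason":"max-session","adminOid":"oid-a","deviceId":"dev-3","hostname":"ws-03"}
{"entityType":"Device","entityId":"dev-9","event":"updated","adminOid":"oid-a"}
`

func main() {
	findings, err := reviewSessions(sampleExport)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.SessionID, f.Reason)
	}
}
```

Either finding points at a control that did not behave as documented (a consent prompt that was bypassed or never logged, or a hard cap the server timer did not enforce in time), which is exactly the kind of evidence a continuous-monitoring review wants surfaced rather than buried in the raw log.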

Phase 2 (Shipped 2026-05-07)

  • End-user consent prompt — PE-3 / HIPAA / CMMC Level 3. Native dialog on the endpoint with 30-second fail-closed timeout. Capability list and admin identity displayed.
  • Mouse/keyboard input injection — Native Win32 SendInput on Windows (no CGO), xdotool shell-out on Linux X11, cliclick / osascript on macOS. Coordinates normalized 0–1 over the wire and denormalized at the agent against the selected monitor's bounds.
  • Clipboard sharing — Bidirectional via dedicated clipboard data channel. PowerShell Get-Clipboard/Set-Clipboard on Windows, pbcopy/pbpaste on macOS, xclip/xsel on Linux. Gated on a separate consent prompt and toggleable per session.
  • Session recording (AU-14) — ~0.5 fps sampled JPEG frames, encrypted at rest, 30-day TTL, in-app playback timeline with frame scrubber.
  • Multi-monitor selection — Display picker in the admin modal. Capture by index using kbinani/screenshot's GetDisplayBounds; supports any number of attached displays.

Phase 2.1 Deferred

  • File transfer — bounded by max-size and per-direction consent.
  • H.264/VP8 video encoding — replaces the JPEG-over-data-channel placeholder for higher quality at lower bandwidth (target: 30 fps at 2–4 Mbps).
  • Wayland input injection (Linux) — ydotool integration with build-time selector; current Phase 2 only supports X11.
  • macOS scroll & alpha-key codes — cliclick doesn't emit scroll events natively; AppleScript keystroke covers letters/digits but the key-code map is small.
  • Private TURN relay — for federal customers requiring all media to traverse a sanctioned VPN.

See INTERACTIVE-REMOTE-CONTROL-PLAN.md for the full multi-week scoping document.

Security Considerations

  • STUN servers — Phase 1 uses Google's public STUN servers for NAT discovery. STUN does not carry media; only NAT-traversal candidates. For federal customers wanting all traffic on private networks, configure a private TURN relay (Phase 2).
  • SDP fingerprint validation — DTLS keying material is exchanged via signaling. The TATER API relays signaling messages but does not interpret them; man-in-the-middle attacks are mitigated by the API's TLS layer. Because the relay does not inspect the SDP, the DTLS fingerprint is only as trustworthy as the TLS path to the API and the API itself; the fingerprint recorded in the audit log (see AC-17(2)) lets a reviewer confirm after the fact which key material a session used.
  • Service-mode capture on Windows — the agent skips remote control when running as a Windows service (LOCAL SYSTEM context can't see the user's interactive desktop). Tray-mode binary in the user session is required.
  • Session ID guessing — sessionIds are 16-byte random hex (rtc-{32 hex chars}). The agent only attaches to sessions returned by its authenticated API call, not arbitrary IDs.

See also: Settings Reference, Agent Deployment, GRC Modules Guide.