Buscar

Este contenido no está disponible en el idioma seleccionado.

Chapter 30. Configuring a system for session recording by using the RHEL system role

download PDF

Use the tlog RHEL system role to record and monitor terminal session activities on your managed nodes in an automatic fashion. You can configure the recording to take place per user or user group by means of the SSSD service.

The session recording solution in the tlog RHEL system role consists of the following components:

  • The tlog utility
  • System Security Services Daemon (SSSD)
  • Optional: The web console interface

30.1. Configuring session recording for individual users by using the tlog RHEL system role

Prepare and apply an Ansible playbook to configure a RHEL system to log session recording data to the systemd journal.

With that, you can enable recording the terminal output and input of a specific user during their sessions, when the user logs in on the console, or by SSH.

The playbook installs tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. The role creates an SSSD configuration drop file, and this file defines for which users and groups the login shell should be used. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Deploy session recording
      hosts: managed-node-01.example.com
      tasks:
        - name: Enable session recording for specific users
          ansible.builtin.include_role:
            name: rhel-system-roles.tlog
      vars:
        tlog_scope_sssd: some
        tlog_users_sssd:
          - <recorded_user>
    tlog_scope_sssd: <value>
    The some value specifies you want to record only certain users and groups, not all or none.
    tlog_users_sssd:: <list_of_users>
    A YAML list of users you want to record a session from. Note that the role does not add users if they do not exist.
  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Verification

  1. Check the SSSD drop-in file’s content:

    # cat cd /etc/sssd/conf.d/sssd-session-recording.conf

    You can see that the file contains the parameters you set in the playbook.

  2. Log in as a user whose session will be recorded.
  3. Play back a recorded session.

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
  • /usr/share/doc/rhel-system-roles/tlog/ directory

30.2. Excluding certain users and groups from session recording by using the the tlog RHEL system role

You can use the tlog_exclude_users_sssd and tlog_exclude_groups_sssd role variables from the tlog RHEL system role to exclude users or groups from having their sessions recorded and logged in the systemd journal.

The playbook installs tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. The role creates an SSSD configuration drop file, and this file defines for which users and groups the login shell should be used. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Deploy session recording excluding users and groups
      hosts: managed-node-01.example.com
      tasks:
        - name: Exclude users and groups
          ansible.builtin.include_role:
            name: rhel-system-roles.tlog
          vars:
            tlog_scope_sssd: all
            tlog_exclude_users_sssd:
              - jeff
              - james
            tlog_exclude_groups_sssd:
              - admins
    tlog_scope_sssd: <value>
    The value all specifies that you want to record all users and groups.
    tlog_exclude_users_sssd: <user_list>
    A YAML list of users user names you want to exclude from the session recording.
    tlog_exclude_groups_sssd: <group_list>
    A YAML list of groups you want to exclude from the session recording.
  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Verification

  1. Check the SSSD drop-in file’s content:

    # cat cd /etc/sssd/conf.d/sssd-session-recording.conf

    You can see that the file contains the parameters you set in the playbook.

  2. Log in as a user whose session will be recorded.
  3. Play back a recorded session.

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
  • /usr/share/doc/rhel-system-roles/tlog/ directory
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.