Chapter 30. Configuring a system for session recording by using the RHEL system role
Use the tlog RHEL system role to record and monitor terminal session activities on your managed nodes automatically. You can configure the recording to take place per user or user group by means of the SSSD service.
The session recording solution in the tlog RHEL system role consists of the following components:
- The tlog utility
- System Security Services Daemon (SSSD)
- Optional: The web console interface
30.1. Configuring session recording for individual users by using the tlog RHEL system role
Prepare and apply an Ansible playbook to configure a RHEL system to log session recording data to the systemd journal. With that, you can enable recording the terminal output and input of a specific user during their sessions, whether the user logs in on the console or by SSH.
The playbook installs tlog-rec-session, a terminal session I/O logging program that acts as the login shell for a user. The role creates an SSSD configuration drop-in file, and this file defines for which users and groups the login shell should be used. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
Procedure
Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Deploy session recording
      hosts: managed-node-01.example.com
      tasks:
        - name: Enable session recording for specific users
          ansible.builtin.include_role:
            name: rhel-system-roles.tlog
          vars:
            tlog_scope_sssd: some
            tlog_users_sssd:
              - <recorded_user>

tlog_scope_sssd: <value>
- The some value specifies that you want to record only certain users and groups, not all or none.
tlog_users_sssd: <list_of_users>
- A YAML list of users you want to record a session from. Note that the role does not add users if they do not exist.
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
Check the SSSD drop-in file’s content:
# cat /etc/sssd/conf.d/sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
- Log in as a user whose session will be recorded.
- Play back a recorded session.
Additional resources
- The /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
- The /usr/share/doc/rhel-system-roles/tlog/ directory
30.2. Excluding certain users and groups from session recording by using the tlog RHEL system role
You can use the tlog_exclude_users_sssd and tlog_exclude_groups_sssd role variables from the tlog RHEL system role to exclude users or groups from having their sessions recorded and logged in the systemd journal.
The playbook installs tlog-rec-session, a terminal session I/O logging program that acts as the login shell for a user. The role creates an SSSD configuration drop-in file, and this file defines for which users and groups the login shell should be used. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
Procedure
Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Deploy session recording excluding users and groups
      hosts: managed-node-01.example.com
      tasks:
        - name: Exclude users and groups
          ansible.builtin.include_role:
            name: rhel-system-roles.tlog
          vars:
            tlog_scope_sssd: all
            tlog_exclude_users_sssd:
              - jeff
              - james
            tlog_exclude_groups_sssd:
              - admins

tlog_scope_sssd: <value>
- The all value specifies that you want to record all users and groups.
tlog_exclude_users_sssd: <user_list>
- A YAML list of user names you want to exclude from the session recording.
tlog_exclude_groups_sssd: <group_list>
- A YAML list of groups you want to exclude from the session recording.
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
Check the SSSD drop-in file’s content:
# cat /etc/sssd/conf.d/sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
- Log in as a user whose session will be recorded.
- Play back a recorded session.
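Sections 30.1 and 30.2 configure the same SSSD decision from two directions: with scope some, only the listed users and groups get tlog-rec-session as their login shell; with scope all, everyone gets it except the excluded users and groups. The following Python script is an added example, not part of the Red Hat documentation or of the tlog role. It assumes that the drop-in the role writes to /etc/sssd/conf.d/sssd-session-recording.conf uses the [session_recording] stanza documented in sssd.conf(5) (keys scope, users, groups, exclude_users, exclude_groups); the two sample stanzas, the function names and the account list are constructed for illustration. Run it against the real drop-in path after the playbook completes to confirm that the accounts you intended to record, and only those, would be handed to tlog.

```python
"""Check which accounts an SSSD session-recording drop-in will hand to tlog.

Added example, not part of the tlog role. It assumes the drop-in written to
/etc/sssd/conf.d/sssd-session-recording.conf is the [session_recording]
stanza documented in sssd.conf(5): scope (none|some|all), users, groups,
exclude_users and exclude_groups (comma-separated lists).
"""
import configparser
import sys

# Constructed sample stanzas, one per section of this chapter.
SAMPLE_SOME = """\
[session_recording]
scope = some
users = alice, bob
groups = auditors
"""

SAMPLE_ALL_WITH_EXCLUDES = """\
[session_recording]
scope = all
exclude_users = jeff, james
exclude_groups = admins
"""

VALID_SCOPES = ("none", "some", "all")


def _as_set(raw):
    """Split an SSSD comma-separated list into a set of stripped names."""
    return {item.strip() for item in raw.split(",") if item.strip()}


def parse_session_recording(text):
    """Return the recording policy found in an SSSD config fragment.

    Missing keys fall back to SSSD's defaults (scope none, empty lists).
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("session_recording"):
        return {"scope": "none", "users": set(), "groups": set(),
                "exclude_users": set(), "exclude_groups": set()}
    sec = cp["session_recording"]
    scope = sec.get("scope", "none").strip()
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown session_recording scope: {scope!r}")
    return {
        "scope": scope,
        "users": _as_set(sec.get("users", "")),
        "groups": _as_set(sec.get("groups", "")),
        "exclude_users": _as_set(sec.get("exclude_users", "")),
        "exclude_groups": _as_set(sec.get("exclude_groups", "")),
    }


def is_recorded(policy, user, user_groups):
    """True if SSSD would set tlog-rec-session as this account's login shell.

    scope none: nobody is recorded.
    scope some: only accounts named in users or belonging to a group in groups.
    scope all:  everyone except accounts in exclude_users or in exclude_groups
                (the exclude_* keys have no effect for scope some).
    """
    groups = set(user_groups)
    scope = policy["scope"]
    if scope == "none":
        return False
    if scope == "some":
        return user in policy["users"] or bool(groups & policy["groups"])
    # scope == "all"
    if user in policy["exclude_users"]:
        return False
    return not (groups & policy["exclude_groups"])


def report(text, accounts):
    """Map each (user, groups) pair to its recording decision."""
    policy = parse_session_recording(text)
    return {user: is_recorded(policy, user, groups) for user, groups in accounts}


if __name__ == "__main__":
    # Read a real drop-in if a path is given, otherwise use a constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALL_WITH_EXCLUDES
    # Constructed account list; on a real host, take user and group names from getent.
    accounts = [("alice", ["users"]), ("jeff", ["users"]), ("root", ["admins"])]
    for user, recorded in report(source, accounts).items():
        print(f"{user}: {'recorded' if recorded else 'not recorded'}")
```

A policy with scope all and no exclusions records every login, including administrative ones, which is what the second playbook produces before you add the exclusions; a policy with scope some and an empty users list records nobody, which is the outcome if the playbook's tlog_users_sssd list is left empty, so the script is most useful for catching those two edge cases.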
Additional resources
- The /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
- The /usr/share/doc/rhel-system-roles/tlog/ directory