Chapter 1. Getting started with Session Recording on RHEL
1.1. Session Recording in RHEL
The Session Recording solution in Red Hat Enterprise Linux 8 is based on the tlog package. You can use the tlog package and its associated web console session player to record and play back user terminal sessions. You can configure the recording to take place per user or user group via the SSSD service. All terminal input and output is captured and stored in a text-based format in the system journal.
To avoid intercepting raw passwords and other sensitive information, recording of the terminal input is disabled by default. Be aware that if you turn on recording of the terminal input, all entered passwords are captured in plaintext.
You can use this solution for auditing user sessions on security-sensitive systems or, in the event of a security breach, reviewing recorded sessions as part of forensic analysis. As an administrator, you can configure session recording locally on RHEL 8 systems. You can review the recorded sessions from the web console interface or in a terminal using the tlog-play command.
1.2. Components of Session Recording
There are three main components to the Session Recording solution: the tlog utility, the SSSD service and a web console embedded user interface.
- tlog
- The tlog utility is a terminal input/output (I/O) recording and playback program. It inserts the tlog-rec-session tool between the user terminal and the user shell, and logs everything that passes through as JSON messages.
- SSSD
- The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. When configuring session recording, you can use SSSD to specify which users or user groups to record. You can configure these settings from a command-line interface (CLI) or from the RHEL 8 web console interface.
- The RHEL 8 web console embedded interface
- The Session Recording page is part of the RHEL 8 web console interface and you can use it to manage recorded sessions.
You need administrator privileges to access the recorded sessions.
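The following check is an added example, not part of the Red Hat documentation: it scans journal entries for tlog recordings that captured terminal input, which is where plaintext passwords would end up if input recording were turned on. The field names (`rec`, `user`, `in_txt`, `in_bin`, `out_txt`) are assumed from tlog's JSON message format, and the sample entries are constructed and trimmed to the fields the check reads.

```python
import json
import sys

def tlog_messages(journal_text):
    """Yield tlog messages found in `journalctl -o json` output (one entry per line)."""
    for line in journal_text.splitlines():
        try:
            msg = json.loads(json.loads(line)["MESSAGE"])
        except (ValueError, KeyError, TypeError):
            continue  # not a journal entry, or MESSAGE is not a JSON document
        # Assumed tlog schema: every message has "rec" plus in_txt/out_txt fields.
        if isinstance(msg, dict) and "rec" in msg and "out_txt" in msg:
            yield msg

def recordings_with_input(journal_text):
    """Map recording ID -> summary for recordings that captured terminal input.

    Only counts are reported; the keystrokes themselves are never echoed,
    because they may contain passwords.
    """
    flagged = {}
    for msg in tlog_messages(journal_text):
        captured = len(msg.get("in_txt", "")) + len(msg.get("in_bin", []))
        if captured == 0:
            continue  # output-only message: the default, input recording off
        summary = flagged.setdefault(
            msg["rec"], {"user": msg.get("user"), "input_chars": 0, "messages": 0})
        summary["input_chars"] += captured
        summary["messages"] += 1
    return flagged

def _entry(**fields):
    """Build one constructed journal line wrapping a tlog-style message."""
    base = {"in_txt": "", "in_bin": [], "out_txt": "", "out_bin": []}
    return json.dumps({"MESSAGE": json.dumps({**base, **fields})})

# Constructed sample: alice is recorded output-only, bob with input enabled.
SAMPLE = "\n".join([
    _entry(rec="rec-0001", user="alice", session=7, id=1, out_txt="$ "),
    json.dumps({"MESSAGE": "Accepted publickey for alice"}),  # unrelated entry
    _entry(rec="rec-0002", user="bob", session=9, id=1, out_txt="Password: "),
    _entry(rec="rec-0002", user="bob", session=9, id=2, in_txt="s3cret\r"),
    _entry(rec="rec-0002", user="bob", session=9, id=3, in_txt="ls\r", out_txt="ls\n"),
])

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for rec, info in recordings_with_input(text).items():
        print(f"{rec}: user={info['user']} captured {info['input_chars']} input chars")
```

To run it against real data, pipe `journalctl -o json` into the script as an administrator; any recording it lists should be treated as containing credentials.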
1.3. Limitations of Session Recording
These are the most notable limitations of the Session Recording solution.
- Recordings of the root user are not reliable, because the root user can circumvent the recording process.
- Session recording does not record the terminal in a GNOME 3 graphical session. Recording terminals in graphical sessions is not supported because a graphical session has a single audit session ID for all terminals and tlog is unable to distinguish between the terminals and prevent repeated recordings.
- If session recording is configured to log to the journal, the recorded user will see the act of recording in the results of viewing the system journal or /var/log/messages. Because viewing generates logs, which then print to the screen, this causes Session Recording to record this action, which generates more records, causing a loop of flooded output.
  You can use the following command to work around this problem:
  # journalctl -f | grep -v 'tlog-rec-session'
  You can also configure tlog to limit the output. For details, see the tlog-rec or tlog-rec-session manual pages.
- To record users executing remote access commands, you must configure session recording for that user on the target host. For example, to record the following remote access command, you need to configure session recording for the admin user on the client host:
  ssh admin@client rm -f /some/file
- All recordings are lost on reboot because the journal is stored in-memory by default on RHEL 8. To export recordings, see Exporting recorded sessions to a file.