Questo contenuto non è disponibile nella lingua selezionata.

Chapter 4. Configuring a system for session recording by using RHEL system roles


Use the tlog RHEL system role to record and monitor terminal session activities on your managed nodes in an automatic fashion. You can configure the recording to take place per user or user group by means of the SSSD service.

The session recording solution in the tlog RHEL system role consists of the following components:

  • The tlog utility
  • System Security Services Daemon (SSSD)
  • Optional: The web console interface

4.1. Configuring session recording for individual users by using the tlog RHEL system role

Prepare and apply an Ansible playbook to configure a RHEL system to log session recording data to the systemd journal.

With that, you can enable recording the terminal output and input of a specific user during their sessions, when the user logs in on the console, or by SSH.

The playbook installs tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. The role creates an SSSD configuration drop file, and this file defines for which users and groups the login shell should be used. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Deploy session recording
      hosts: managed-node-01.example.com
      tasks:
        - name: Enable session recording for specific users
          ansible.builtin.include_role:
            name: rhel-system-roles.tlog
      vars:
        tlog_scope_sssd: some
        tlog_users_sssd:
          - <recorded_user>
    tlog_scope_sssd: <value>
    The some value specifies you want to record only certain users and groups, not all or none.
    tlog_users_sssd:: <list_of_users>
    A YAML list of users you want to record a session from. Note that the role does not add users if they do not exist.
  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Verification

  1. Check the SSSD drop-in file’s content:

    # cd /etc/sssd/conf.d/sssd-session-recording.conf

    You can see that the file contains the parameters you set in the playbook.

  2. Log in as a user whose session will be recorded, perform some actions, and log out.
  3. As the root user:

    1. Display the list of recorded sessions:

      # journalctl _COMM=tlog-rec-sessio
      Nov 12 09:17:30 managed-node-01.example.com -tlog-rec-session[1546]: {"ver":"2.3","host":"managed-node-01.example.com","rec":"07418f2b0f334c1696c10cbe6f6f31a6-60a-e4a2","user":"demo-user",...
      ...

      You require the value of the rec (recording ID) field in the next step.

      Note that the value of the _COMM field is shortened due to a 15 character limit.

    2. Play back a session:

      # tlog-play -r journal -M TLOG_REC=<recording_id>

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
  • /usr/share/doc/rhel-system-roles/tlog/ directory

4.2. Excluding certain users and groups from session recording by using the the tlog RHEL system role

You can use the tlog_exclude_users_sssd and tlog_exclude_groups_sssd role variables from the tlog RHEL system role to exclude users or groups from having their sessions recorded and logged in the systemd journal.

The playbook installs tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. The role creates an SSSD configuration drop file, and this file defines for which users and groups the login shell should be used. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Deploy session recording excluding users and groups
      hosts: managed-node-01.example.com
      tasks:
        - name: Exclude users and groups
          ansible.builtin.include_role:
            name: rhel-system-roles.tlog
          vars:
            tlog_scope_sssd: all
            tlog_exclude_users_sssd:
              - jeff
              - james
            tlog_exclude_groups_sssd:
              - admins
    tlog_scope_sssd: <value>
    The value all specifies that you want to record all users and groups.
    tlog_exclude_users_sssd: <user_list>
    A YAML list of users user names you want to exclude from the session recording.
    tlog_exclude_groups_sssd: <group_list>
    A YAML list of groups you want to exclude from the session recording.
  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Verification

  1. Check the SSSD drop-in file’s content:

    # cat /etc/sssd/conf.d/sssd-session-recording.conf

    You can see that the file contains the parameters you set in the playbook.

  2. Log in as a user whose session will be recorded, perform some actions, and log out.
  3. As the root user:

    1. Display the list of recorded sessions:

      # journalctl _COMM=tlog-rec-sessio
      Nov 12 09:17:30 managed-node-01.example.com -tlog-rec-session[1546]: {"ver":"2.3","host":"managed-node-01.example.com","rec":"07418f2b0f334c1696c10cbe6f6f31a6-60a-e4a2","user":"demo-user",...
      ...

      You require the value of the rec (recording ID) field in the next step.

      Note that the value of the _COMM field is shortened due to a 15 character limit.

    2. Play back a session:

      # tlog-play -r journal -M TLOG_REC=<recording_id>

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
  • /usr/share/doc/rhel-system-roles/tlog/ directory
Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.