Chapter 47. Configuring session recording by using the CLI


Learn how to configure user terminal session recordings using the System Security Services Daemon (SSSD), and how to manage and play back these recordings using the tlog command-line utility.

47.1. Session recording overview and components

Session recording captures and saves a user’s terminal activity. This provides a detailed, unchangeable record of all commands, output, and error messages, which you can use for auditing, troubleshooting, and investigating a security incident.

SSSD enforces the recording policies you define, and the tlog utility handles the actual recording and playback.

Components of the session recording
  • tlog utility

    The tlog utility provides tools for recording and playing back terminal I/O. tlog-rec-session functions as an intermediary login shell and captures all data between the user’s terminal and shell. All tlog recordings are in JSON format. You can play back recorded sessions using tlog-play. Note that by default, terminal input recording is disabled for security reasons. For detailed configuration options, see the /etc/tlog/tlog-rec-session.conf file and the tlog-rec-session.conf(5) man page on your system.

  • SSSD

    SSSD provides a set of daemons that manage access to remote directories and authentication mechanisms. When you configure session recording, SSSD overlays the user’s default shell with the tlog-rec-session program.

Limitations of session recording
  • You can configure session recording for the root user, but the root user has the privileges to disable or bypass the recording process, which makes the session recording unreliable for auditing purposes.
  • Terminal sessions in a GNOME graphical session are not recorded. This is because all terminals within a graphical session share a single audit session ID, which prevents tlog from distinguishing between them and capturing recordings correctly.
  • A logging loop can occur when viewing the journal. When a recorded user views the system journal or /var/log/messages, it generates new logs, which are then recorded and displayed, causing a loop of flooded output.

    To prevent the logging loop, view the journal in real time and filter out the log entries which create the loop:

    journalctl -f | grep -v 'tlog-rec-session'

    You can also configure tlog to limit the output. For details, see the tlog-rec-session.conf(5) man page on your system.

  • You must configure session recording on the target host for remote execution. For example, if you want to record a user’s session when they use ssh to connect to a remote system, configure the recording on the remote system they connect to.
  • All recordings are lost on reboot if the systemd-journald service uses its default configuration to store the journal in-memory.
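
The following check for the last limitation is an added example, not part of the original documentation. It reports whether journald would keep recordings across a reboot, based on the Storage= setting and on whether the persistent journal directory exists. The function names are hypothetical, and it assumes a single configuration file (drop-in directories are not read) and systemd's built-in default of Storage=auto.

```shell
#!/bin/sh
# Added example: will journald keep tlog recordings across a reboot?
# Assumptions: only the one file passed in is read (no journald.conf.d
# drop-ins), and an unset Storage= means systemd's default, "auto".

# Print the effective Storage= mode from the given journald.conf.
journal_storage_mode() {
    conf=${1:-/etc/systemd/journald.conf}
    mode=auto
    if [ -r "$conf" ]; then
        # The last uncommented Storage= line wins; spaces around "=" are allowed.
        val=$(sed -n \
            's/^[[:space:]]*Storage[[:space:]]*=[[:space:]]*\([a-z]*\).*$/\1/p' \
            "$conf" | tail -n 1)
        if [ -n "$val" ]; then
            mode=$val
        fi
    fi
    printf '%s\n' "$mode"
}

# Return 0 if the journal is written to disk, 1 if it is memory-only.
#   $1  journald.conf path           (default /etc/systemd/journald.conf)
#   $2  persistent journal directory (default /var/log/journal)
recordings_survive_reboot() {
    conf=${1:-/etc/systemd/journald.conf}
    dir=${2:-/var/log/journal}
    case $(journal_storage_mode "$conf") in
        persistent) return 0 ;;      # journald creates the directory itself
        auto)       [ -d "$dir" ] ;; # on disk only if the directory exists
        *)          return 1 ;;      # volatile or none
    esac
}

# Report for the local host when the script is run directly.
if recordings_survive_reboot; then
    echo "journal is persistent: recordings survive a reboot"
else
    echo "journal is volatile: recordings are lost on reboot"
fi
```
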