Recording sessions
Using the Session Recording solution in Red Hat Enterprise Linux 8
Chapter 1. Getting started with Session Recording on RHEL
1.1. Session Recording in RHEL
The Session Recording solution in Red Hat Enterprise Linux 8 is based on the tlog package. You can use the tlog package and its associated web console session player to record and play back user terminal sessions. You can configure the recording to take place per user or user group via the SSSD service. All terminal input and output is captured and stored in a text-based format in the system journal.
To avoid intercepting raw passwords and other sensitive information, recording of the terminal input is disabled by default. Be aware that if you turn on recording of the terminal input, all entered passwords are captured in plaintext.
You can use this solution for auditing user sessions on security-sensitive systems or, in the event of a security breach, for reviewing recorded sessions as part of forensic analysis. As an administrator, you can configure session recording locally on RHEL 8 systems. You can review the recorded sessions from the web console interface or in a terminal using the tlog-play command.
1.2. Components of Session Recording
There are three main components to the Session Recording solution: the tlog utility, the SSSD service, and a web console embedded user interface.
- tlog: The tlog utility is a terminal input/output (I/O) recording and playback program. It inserts the tlog-rec-session tool between the user terminal and the user shell, and logs everything that passes through as JSON messages.
- SSSD: The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. When configuring session recording, you can use SSSD to specify which users or user groups to record. You can configure these settings from a command-line interface (CLI) or from the RHEL 8 web console interface.
- The RHEL 8 web console embedded interface: The Session Recording page is part of the RHEL 8 web console interface and you can use it to manage recorded sessions. You need administrator privileges to access the recorded sessions.
1.3. Limitations of Session Recording
These are the most notable limitations of the Session Recording solution.
- Recordings of the root user are not reliable, because the root user can circumvent the recording process.
- Session recording does not record the terminal in a GNOME 3 graphical session. Recording terminals in graphical sessions is not supported because a graphical session has a single audit session ID for all terminals, and tlog is unable to distinguish between the terminals and prevent repeated recordings.
- If session recording is configured to log to the journal, the recorded user will see the act of recording the results of viewing the system journal or /var/log/messages. Because viewing generates logs, which then print to the screen, Session Recording records this action, which generates more records, causing a loop of flooded output. You can use the following command to work around this problem:
  # journalctl -f | grep -v 'tlog-rec-session'
  You can also configure tlog to limit the output. For details, see the tlog-rec or tlog-rec-session manual pages.
- To record users executing remote access commands, you must configure session recording for that user on the target host. For example, to record the following remote access command, you need to configure session recording for the admin user on the client host:
  ssh admin@client rm -f /some/file
- All recordings are lost on reboot because the journal is stored in memory by default on RHEL 8. To export recordings, see Exporting recorded sessions to a file.
Chapter 2. Deploying Session Recording on RHEL web console
This section describes how to deploy the Session Recording solution on the Red Hat Enterprise Linux web console.
To be able to deploy the Session Recording solution, you need to have the following packages installed:
- tlog
- SSSD
- cockpit-session-recording
2.1. Installing tlog
Install the tlog packages.
Procedure
Use the following command:
# yum install tlog
2.2. Installing cockpit-session-recording
The basic web console packages are a part of Red Hat Enterprise Linux 8 by default. To be able to use the Session Recording solution, you have to install the cockpit-session-recording package and start or enable the web console on your system:
Procedure
- Install cockpit-session-recording:
# yum install cockpit-session-recording
- Start or enable the web console on your system:
# systemctl start cockpit.socket
# systemctl enable cockpit.socket
or
# systemctl enable cockpit.socket --now
2.3. Enabling session recording for users and groups with SSSD from the CLI
If you use SSSD for authentication, you can configure session recording for users and groups from the command line.
Procedure
- Open the sssd-session-recording.conf configuration file:
# vi /etc/sssd/conf.d/sssd-session-recording.conf
Note: The sssd-session-recording.conf file is created automatically once you have opened the configuration page in the web console interface.
- To specify the scope of session recording, enter one of the following values for the scope option:
  - none to record no sessions.
  - some to record only specified sessions.
  - all to record all sessions.
- (Optional) If you set the scope as some, add the names of users and groups in comma-separated lists.
Example 2.1. SSSD configuration
In the following example, users example1 and example2, and group examples, have session recording enabled.
[session_recording]
scope = some
users = example1, example2
groups = examples
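As an added check that is not part of the Red Hat documentation, the following POSIX shell script validates the scope, users and groups keys of such a drop-in before SSSD reads it: it rejects an unknown scope, catches a scope = some that lists nobody (so nothing would be recorded), and warns when root is listed, since recordings of root are not reliable. The functions take the file contents as text and the configuration sample is constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): sanity-check an SSSD
# [session_recording] drop-in. Pass the file contents as text, for example
# "$(cat /etc/sssd/conf.d/sssd-session-recording.conf)". Samples are constructed.

# Print the value of "key = value" inside the [session_recording] section, or nothing.
sr_value() {  # $1: key, $2: configuration text
  printf '%s\n' "$2" | sed -n '/^\[session_recording\]/,/^\[/s/^[[:space:]]*'"$1"'[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Report problems with scope/users/groups. Returns 0 only when the configuration
# is usable; warnings are printed but do not fail the check.
check_scope_config() {  # $1: configuration text
  rc=0
  scope=$(sr_value scope "$1")
  rec_users=$(sr_value users "$1")
  rec_groups=$(sr_value groups "$1")
  case "$scope" in
    none|some|all) ;;
    "") echo "error: scope is not set (expected none, some or all)"; rc=1 ;;
    *)  echo "error: invalid scope '$scope' (expected none, some or all)"; rc=1 ;;
  esac
  if [ "$scope" = some ] && [ -z "$rec_users$rec_groups" ]; then
    echo "error: scope = some but no users or groups are listed, so nobody is recorded"
    rc=1
  fi
  # Recording root is not reliable (root can circumvent the recording), so flag it.
  case ",$(printf '%s' "$rec_users" | tr -d ' ')," in
    *,root,*) echo "warning: root is listed in users; recordings of root are not reliable" ;;
  esac
  return "$rc"
}

# Constructed sample matching Example 2.1 above.
EXAMPLE_CONF='[session_recording]
scope = some
users = example1, example2
groups = examples'

check_scope_config "$EXAMPLE_CONF" && echo "ok: scope=$(sr_value scope "$EXAMPLE_CONF") users=$(sr_value users "$EXAMPLE_CONF")"
```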
2.4. Enabling session recording for users and groups with SSSD from the web UI
If you use SSSD for authentication, you can configure session recording for users and groups in the RHEL 8 web console.
Procedure
- Connect to the RHEL 8 web console locally by entering localhost:9090, or by entering your IP address as <IP_ADDRESS>:9090, into your browser. Log in to the RHEL 8 web console.
Important: Your user has to have administrator privileges to be able to view recorded sessions.
- Go to the Session Recording page in the menu on the left.
- Click on the gear button in the top right corner.
- Set your parameters in the SSSD Configuration table. Separate the lists of users and groups with commas.
Example 2.2. Configuration of recorded users with SSSD
2.5. Enabling session recording for users without SSSD
Red Hat does not recommend this option. The preferred option is to configure your recorded users via SSSD, either from the command-line interface or directly from the RHEL 8 web console.
If you choose to manually change the user’s shell, their working shell will be the one that is listed in the tlog-rec-session.conf configuration file.
If you do not want to use SSSD for specifying recorded users or user groups, it is possible to directly change the shell of the user you want to record to /usr/bin/tlog-rec-session:
- Change the shell:
# sudo usermod -s /usr/bin/tlog-rec-session <user_name>
2.6. Exporting recorded sessions to a file
You can export your recorded sessions and their logs and copy them.
The following procedure shows how to export recorded sessions on a local system.
Prerequisites
- Install the systemd-journal-remote package:
# yum install systemd-journal-remote
Procedure
- Create a directory to store exported recording sessions, such as /tmp/dir:
# mkdir /tmp/dir
- Run the journalctl -o export command to export system journal entries related to tlog recordings:
# journalctl _COMM=tlog-rec _COMM=tlog-rec-sessio -o export | /usr/lib/systemd/systemd-journal-remote -o /tmp/dir/example.journal -
Note: The _COMM=tlog-rec-sessio match uses a shortened name because the COMM (process name) field is limited to 15 characters, so tlog-rec-session appears in the journal as tlog-rec-sessio.
Chapter 3. Playing back recorded sessions
There are two methods for replaying recorded sessions:
- the tlog-play tool
- the RHEL 8 web console, also referred to as Cockpit.
3.1. Playback with tlog-play
You can use the tlog-play tool to play back session recordings in a terminal. The tlog-play tool is a playback program for terminal input and output recorded with the tlog-rec tool. It reproduces the recording in the terminal it runs under, but cannot change that terminal's size. For this reason the playback terminal needs to match the recorded terminal size for proper playback. The tlog-play tool loads its parameters from the /etc/tlog/tlog-play.conf configuration file. You can override those parameters with command line options described in the tlog-play manual pages.
3.2. Playback with the web console
The RHEL 8 web console has a complete interface for managing recorded sessions. You can choose the session you want to review directly from the Session Recording page, which lists your recorded sessions.
Example 3.1. Example list of recorded sessions
The web console player supports window resizing.
3.3. Playing back recorded sessions with tlog-play
You can play back session recordings from exported log files or from the systemd journal.
Playing back from a file
You can play a session back from a file both during and after recording:
# tlog-play --reader=file --file-path=tlog.log
Playing back from the journal
Generally, you can select journal log entries for playback using journal matches and timestamp limits, with the -M or --journal-match, -S or --journal-since, and -U or --journal-until options.
In practice, however, playback from the journal is usually done with a single match against the TLOG_REC journal field. The TLOG_REC field contains a copy of the rec field from the logged JSON data, which is a host-unique ID of the recording.
You can take the ID either from the TLOG_REC field value directly, or from the rec field of the JSON carried in the MESSAGE field. Both fields are part of log messages coming from the tlog-rec-session tool.
Procedure
- You can play back the whole recording as follows:
# tlog-play -r journal -M TLOG_REC=<your-unique-host-id>
You can find further instructions and documentation in the tlog-play manual pages.
Chapter 4. Configuring a system for session recording using the tlog RHEL System Role
With the tlog RHEL System Role, you can configure a system for terminal session recording on RHEL using Red Hat Ansible Automation Platform.
4.1. The tlog System Role
You can configure a RHEL system for terminal session recording on RHEL using the tlog RHEL System Role.
You can configure the recording to take place per user or user group by means of the SSSD service.
Additional resources
- For more details on session recording in RHEL, see Recording Sessions.
4.2. Components and parameters of the tlog System Role
The Session Recording solution has the following components:
- The tlog utility
- System Security Services Daemon (SSSD)
- Optional: The web console interface
The parameters used for the tlog RHEL System Role are:
Role Variable | Description |
---|---|
tlog_use_sssd (default: yes) | Configure session recording with SSSD, the preferred way of managing recorded users or groups |
tlog_scope_sssd (default: none) | Configure SSSD recording scope - all / some / none |
tlog_users_sssd (default: []) | YAML list of users to be recorded |
tlog_groups_sssd (default: []) | YAML list of groups to be recorded |
- For details about the parameters used in tlog and additional information about the tlog System Role, see the /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file.
4.3. Deploying the tlog RHEL System Role
Follow these steps to prepare and apply an Ansible playbook to configure a RHEL system to log session recording data to the systemd journal.
Prerequisites
- You have set SSH keys for access from the control node to the target system where the tlog System Role will be configured.
- You have at least one system on which you want to configure the tlog System Role.
- The Ansible Core package is installed on the control machine.
- The rhel-system-roles package is installed on the control machine.
Procedure
- Create a new playbook.yml file with the following content:
---
- name: Deploy session recording
  hosts: all
  vars:
    tlog_scope_sssd: some
    tlog_users_sssd:
      - recorded-user
  roles:
    - rhel-system-roles.tlog
Where:
  - tlog_scope_sssd: some specifies that you want to record only certain users and groups, not all or none.
  - tlog_users_sssd: recorded-user specifies the user you want to record a session from. Note that this does not add the user for you. You must create the user yourself.
- Optionally, verify the playbook syntax:
# ansible-playbook --syntax-check playbook.yml
- Run the playbook on your inventory file:
# ansible-playbook -i IP_Address /path/to/file/playbook.yml -v
As a result, the playbook installs the tlog RHEL System Role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program that acts as the login shell for a user. It also creates an SSSD configuration drop-in file that applies to the users and groups that you define. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Verification steps
To verify that the SSSD configuration drop-in file is created on the system, perform the following steps:
- Navigate to the folder where the SSSD configuration drop-in file is created:
# cd /etc/sssd/conf.d
- Check the file content:
# cat /etc/sssd/conf.d/sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
4.4. Deploying the tlog RHEL System Role for excluding lists of groups or users
You can use the tlog System Role to support the SSSD session recording configuration options exclude_users and exclude_groups. Follow these steps to prepare and apply an Ansible playbook to configure a RHEL system to exclude users or groups from having their sessions recorded and logged in the systemd journal.
Prerequisites
- You have set SSH keys for access from the control node to the target system on which you want to configure the tlog System Role.
- You have at least one system on which you want to configure the tlog System Role.
- The Ansible Core package is installed on the control machine.
- The rhel-system-roles package is installed on the control machine.
Procedure
- Create a new playbook.yml file with the following content:
---
- name: Deploy session recording excluding users and groups
  hosts: all
  vars:
    tlog_scope_sssd: all
    tlog_exclude_users_sssd:
      - jeff
      - james
    tlog_exclude_groups_sssd:
      - admins
  roles:
    - rhel-system-roles.tlog
Where:
  - tlog_scope_sssd: all specifies that you want to record all users and groups.
  - tlog_exclude_users_sssd: user names specifies the user names of the users you want to exclude from the session recording.
  - tlog_exclude_groups_sssd: admins specifies the group you want to exclude from the session recording.
- Optionally, verify the playbook syntax:
# ansible-playbook --syntax-check playbook.yml
- Run the playbook on your inventory file:
# ansible-playbook -i IP_Address /path/to/file/playbook.yml -v
As a result, the playbook installs the tlog RHEL System Role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program that acts as the login shell for a user. It also creates an /etc/sssd/conf.d/sssd-session-recording.conf SSSD configuration drop-in file that applies to all users and groups except those that you defined as excluded. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Verification steps
To verify that the SSSD configuration drop-in file is created on the system, perform the following steps:
- Navigate to the folder where the SSSD configuration drop-in file is created:
# cd /etc/sssd/conf.d
- Check the file content:
# cat sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
Additional resources
- See the /usr/share/doc/rhel-system-roles/tlog/ and /usr/share/ansible/roles/rhel-system-roles.tlog/ directories.
- Recording a session using the deployed Terminal Session Recording System Role in the CLI.
4.5. Recording a session using the deployed tlog System Role in the CLI
After you have deployed the tlog System Role on the system you have specified, you are able to record a user terminal session using the command-line interface (CLI).
Prerequisites
- You have deployed the tlog System Role on the target system.
- The SSSD configuration drop-in file was created in the /etc/sssd/conf.d directory. See Deploying the Terminal Session Recording RHEL System Role.
Procedure
- Create a user and assign a password for this user:
# useradd recorded-user
# passwd recorded-user
- Log in to the system as the user you just created:
# ssh recorded-user@localhost
- Type "yes" when the system prompts you to type yes or no to authenticate.
- Insert the recorded-user’s password.
The system displays a message about your session being recorded:
ATTENTION! Your session is being recorded!
- After you have finished recording the session, type:
# exit
The system logs out the user and closes the connection with the localhost.
As a result, the user session is recorded and stored, and you can play it back from the journal.
Verification steps
To view your recorded session in the journal, do the following steps:
- Run the command below:
# journalctl -o verbose -r
- Search for the MESSAGE field of the tlog-rec recorded journal entry:
# journalctl -xel _EXE=/usr/bin/tlog-rec-session
4.6. Watching a recorded session using the CLI
You can play a user session recording from a journal using the command-line interface (CLI).
Prerequisites
- You have recorded a user session. See Recording a session using the deployed tlog System Role in the CLI.
Procedure
- On the CLI terminal, open the journal, newest entries first, to find the user session recording:
# journalctl -o verbose -r
- Search for the tlog recording by typing the following search command in the pager:
/tlog-rec
You can see details such as:
  - The username for the user session recording
  - The out_txt field, the raw encoded output of the recorded session
  - The identifier number TLOG_REC=ID_number
- Copy the identifier number TLOG_REC=ID_number.
- Play back the recording using the identifier number TLOG_REC=ID_number:
# tlog-play -r journal -M TLOG_REC=ID_number
As a result, you can see the user session recording terminal output being played back.
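As an added example that is not part of the Red Hat documentation, the following POSIX shell script shows how the TLOG_REC and rec identifiers described in sections 3.3 and 4.6 can be pulled out of journalctl -o json output to list recordings per user, check whether terminal input (in_txt) is present in the journal, and build the tlog-play command. The journal lines are constructed samples (the recording IDs, host and user names are invented); the field names TLOG_REC, MESSAGE, rec, user, in_txt and out_txt are the ones the text above refers to.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): list tlog recordings from
# `journalctl -o json _COMM=tlog-rec-sessio` output, flag whether terminal input was
# captured, and build the tlog-play command. The journal lines below are constructed
# samples; recording IDs, host and user names are illustrative only.

SAMPLE_JOURNAL='{"_COMM":"tlog-rec-sessio","TLOG_REC":"8f0c-2-1","MESSAGE":"{\"host\":\"host1\",\"rec\":\"8f0c-2-1\",\"user\":\"example1\",\"in_txt\":\"\",\"out_txt\":\"$ \"}"}
{"_COMM":"tlog-rec-sessio","TLOG_REC":"8f0c-2-1","MESSAGE":"{\"host\":\"host1\",\"rec\":\"8f0c-2-1\",\"user\":\"example1\",\"in_txt\":\"\",\"out_txt\":\"ls -l\"}"}
{"_COMM":"tlog-rec-sessio","TLOG_REC":"a31e-3-1","MESSAGE":"{\"host\":\"host1\",\"rec\":\"a31e-3-1\",\"user\":\"example2\",\"in_txt\":\"id\",\"out_txt\":\"$ \"}"}'

# Value of a top-level journal field (such as TLOG_REC) in one JSON line, or nothing.
journal_field() {  # $1: field name, $2: one journalctl JSON line
  printf '%s\n' "$2" | sed -n 's/.*"'"$1"'":"\([^"]*\)".*/\1/p'
}

# Value of a field inside the tlog JSON carried in MESSAGE. Quotes are
# backslash-escaped there, so the pattern looks for \"name\":\"value\".
message_field() {  # $1: field name, $2: one journalctl JSON line
  printf '%s\n' "$2" | sed -n 's/.*\\"'"$1"'\\":\\"\([^\\]*\)\\".*/\1/p'
}

# One "<TLOG_REC> <user>" line per distinct recording; TLOG_REC is the ID that
# "tlog-play -r journal -M TLOG_REC=<id>" expects.
list_recordings() {  # $1: journalctl -o json output, one entry per line
  printf '%s\n' "$1" | while IFS= read -r line; do
    rec=$(journal_field TLOG_REC "$line")
    [ -n "$rec" ] || continue
    printf '%s %s\n' "$rec" "$(message_field user "$line")"
  done | LC_ALL=C sort -u
}

# Succeeds if any entry carries a non-empty in_txt, meaning terminal input is being
# recorded: with input recording on, everything typed, passwords included, is stored.
input_recorded() {  # $1: journalctl -o json output
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$(message_field in_txt "$line")" ] && echo yes
  done | grep -q yes
}

# Playback command for one recording ID, as used in the documentation.
playback_cmd() {  # $1: TLOG_REC value
  printf 'tlog-play -r journal -M TLOG_REC=%s\n' "$1"
}

list_recordings "$SAMPLE_JOURNAL"
if input_recorded "$SAMPLE_JOURNAL"; then
  echo "warning: terminal input (in_txt) is present in the journal; check that input recording is intended"
fi
```

On a real system, replace SAMPLE_JOURNAL with "$(journalctl -o json _COMM=tlog-rec-sessio)" and feed the chosen ID to playback_cmd.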