This section introduces the session recording solution and its purpose. The session recording solution is provided within Red Hat Enterprise Linux 8 and it is based on the tlog package. The tlog package and its associated web console session player provide you with the ability to record and playback user terminal sessions. You can configure the recording to take place per user or user group via the SSSD service. All terminal input and output is captured and stored in a text-based format in the system journal.

Note: Recording of the terminal input is turned off by default to not intercept raw passwords and other sensitive information.

The solution can be used for auditing user sessions on security-sensitive systems or, in the event of a security breach, reviewing recorded sessions as part of forensic analysis. System administrators are able to configure session recording locally on RHEL 8.0 systems. You can review the recorded sessions from the web console interface or in a terminal using the tlog-play command.

COMPONENTS OF SESSION RECORDING

There are three main components key to the session recording solution. The tlog utility, the SSSD service and a web console embedded user interface.

  • Tlog: The tlog utility is a terminal input/output (I/O) recording and playback program. It inserts itself(specifically the tlog-rec-session tool) between the user terminal and the user shell, and logs everything that passes through as JSON messages.
  • SSSD: The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. When configuring session recording, you can useSSSD to specify, which users or user groups should tlog record. This can be done either from a command-line interface (CLI) or from the RHEL 8 web console interface. The RHEL 8 web console embedded interface
  • The Session Recording page is part of the RHEL 8 web console interface. The web console embedded interface for session recording enables you to manage recorded sessions. You have to have administrator privileges to be able to access the recorded sessions.

LIMITATIONS OF SESSION RECORDING

Be aware that tlog does not record terminal in the Gnome 3 graphical session. Recording sessions graphical sessions is not supported because a graphical session has a single audit session ID for all terminals and tlog does not have a way to distinguish between the terminals and prevent repeated recordings.

DEPLOYING SESSION RECORDING ON RHEL

In this section we cover how to deploy the session recording solution on a Red Hat Enterprise Linux system.

Install the tlog packages
# yum install tlog

To be able to use the session recording solution, you have to install the cockpit-session-recording packages and start or enable the web console on your system:

Install cockpit-session-recording
# yum install cockpit-session-recording

Start or enable the web console on your system:
# systemctl start cockpit.socket

CONFIGURING THE RECORDED USERS

Option 1: Configuring the Recorded Users with SSSD from the Web UI

For specifying recorded users or user groups using SSSD, list them directly in the RHEL 8 web console.

  1. Connect to the RHEL 8 web console locally by entering by entering your IP Address <IP_ADDRESS>:9090 to your browser
  2. Log in to the RHEL 8 web console.
  3. Go to the Session Recording page in the menu on the left of the interface
  4. Click on the gear button in the right top corner.
  5. Set your parameters in the SSSD Configuration table. Names in the Users and Groups lists should be divided by commas

Option 2: Configuring the Recorded Users with SSSD from the CLI

To specify which users or user groups you want to record from the command-line interface(CLI), modify open the sssd-session-recording.conf configuration file:
# vi /etc/sssd/conf.d/sssd-session-recording.conf

NOTE: The sssd-session-recording.conf file is created automatically once you have opened the configuration page in the web console interface.

Specify the scope of recorded users or user groups, either enter:

none: to record no sessions.
some: to record only specified sessions.
all: to record all sessions.

In case you choose some as a scope of recorded users or groups, add their names divided by commas to the file.

[session_recording]
scope = some
users = example1, example2
groups = examples

PLAYING BACK RECORDED SESSIONS

There are two possibilities for replaying already recorded sessions. The first one is to use the tlog-playtool. The second option is to manage your recorded sessions from the RHEL 8 web console, also referred to as Cockpit.

Option 1: Replaying with the Console

The RHEL 8 web console has a whole interface for managing recorded sessions. You can choose the session you want to review directly from the Session recording page, where the list of your recorded session is.

Option 2: Replaying in Command Line

Other option for playback of recorded sessions is using the tlog-play tool. The tlog-play tool is a playback program for terminal input and output recorded with the tlog-rec tool. It reproduces the recording of the terminal it is under, but cannot change its size. For this reason the playback terminal needs to match the recorded terminal size for proper playback. The tlog-play tool loads its parameters from the /etc/tlog/tlog-play.conf configuration file. The parameters can be overriden with command line options described in the tlog-play manual pages.

Recorded sessions can be played back either from a simple file or from Systemd Journal.

Playing back from Journal

Generally, you can select Journal log entries for playback using Journal matches and timestamp limits, with the -M or –journal-match, -S or –journal-since, and -U or –journal-until options. In practice however, playback from Journal is usually done with a single match against the TLOG_REC Journal field. The TLOG_REC field contains a copy of the rec field from the logged JSON data, which isa host-unique ID of the recording:

You can play back the whole recording as follows:
# journalctl | grep –i tlog-rec

And get the ID of the record, then
# tlog-play -r journal -M TLOG-REC=<session ID>

Recording and playing from a file

To record a session into a file, execute tlog-rec on the command line as such:
# tlog-rec –writer=file –file-path=tlog.log

This command will record our terminal session to a file named tlog.log and save it in the path specified in the command.

You can playback the recorded session during or after recording using tlog-play command.
# tlog-play –reader=file –file-path=tlog.log

Leave a Reply

Your email address will not be published. Required fields are marked *