Chapter 1. Getting started with Session Recording on RHEL

1.1. Session Recording in RHEL

This section introduces the Session Recording solution and its purpose.

The Session Recording solution is provided within Red Hat Enterprise Linux 8 and it is based on the tlog package. The tlog package and its associated web console session player provide you with the ability to record and play back user terminal sessions. You can configure the recording to take place per user or user group via the SSSD service. All terminal input and output is captured and stored in a text-based format in the system journal.

Important

Recording of the terminal input is turned off by default to not intercept raw passwords and other sensitive information. Be aware that if you turn on recording of the terminal input, all entered paswords will be captured in plaintext.

The solution can be used for auditing user sessions on security-sensitive systems or, in the event of a security breach, reviewing recorded sessions as part of forensic analysis. System administrators are able to configure session recording locally on RHEL 8 systems. You can review the recorded sessions from the web console interface or in a terminal using the tlog-play command.

1.2. Components of Session Recording

There are three main components key to the Session Recording solution. The tlog utility, the SSSD service and a web console embedded user interface.

tlog

The tlog utility is a terminal input/output (I/O) recording and playback program. It inserts itself (specifically the tlog-rec-session tool) between the user terminal and the user shell, and logs everything that passes through as JSON messages.

SSSD

The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. When configuring session recording, you can use SSSD to specify, which users or user groups should tlog record. This can be done either from a command-line interface (CLI) or from the RHEL 8 web console interface.

The RHEL 8 web console embedded interface

The Session Recording page is part of the RHEL 8 web console interface. The web console embedded interface for Session Recording enables you to manage recorded sessions.

Important

You have to have administrator privileges to be able to access the recorded sessions.

1.3. Limitations of Session Recording

In this section we list the most notable limitations of the Session Recording solution.

  • Be aware that tlog does not record terminal in the Gnome 3 graphical session. Recording terminals in graphical sessions is not supported because a graphical session has a single audit session ID for all terminals and tlog does not have a way to distinguish between the terminals and prevent repeated recordings.

  • When tlog recording is configured to log to the journal/syslog directory, the recorded user will see the act of recording the results of viewing the system journal or /var/log/messages. Because viewing generates logs, which then print to the screen, this causes Session Recording to record this action, which generates more records, causing a loop of flooded output.

    You can use a following command to work around this problem: 

    # journalctl -f | grep -v 'tlog-rec-session'

    You can also configure tlog to limit the output. For details, see`tlog-rec` or tlog-rec-session manual pages.