Chapter 1. Getting started with Session Recording on RHEL
1.1. Session Recording in RHEL
This section introduces the Session Recording solution and its purpose.
The Session Recording solution is provided within Red Hat Enterprise Linux 8 and it is based on the tlog package. The tlog package and its associated web console session player provide you with the ability to record and play back user terminal sessions. You can configure the recording to take place per user or user group via the SSSD service. All terminal input and output is captured and stored in a text-based format in the system journal.
Recording of the terminal input is turned off by default to not intercept raw passwords and other sensitive information.
The solution can be used for auditing user sessions on security-sensitive systems or, in the event of a security breach, reviewing recorded sessions as part of forensic analysis. System administrators are able to configure session recording locally on RHEL 8 systems. You can review the recorded sessions from the web console interface or in a terminal using the tlog-play command.
1.2. Components of Session Recording
There are three main components key to the Session Recording solution. The tlog utility, the SSSD service and a web console embedded user interface.
tlog
The tlog utility is a terminal input/output (I/O) recording and playback program. It inserts itself (specifically the tlog-rec-session tool) between the user terminal and the user shell, and logs everything that passes through as JSON messages.
SSSD
The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. When configuring session recording, you can use SSSD to specify, which users or user groups should tlog record. This can be done either from a command-line interface (CLI) or from the RHEL 8 web console interface.
The RHEL 8 web console embedded interface
The Session Recording page is part of the RHEL 8 web console interface. The web console embedded interface for Session Recording enables you to manage recorded sessions.
You have to have administrator privileges to be able to access the recorded sessions.
1.3. Limitations of Session Recording
In this section we list the most notable limitations of the Session Recording solution.
-
Be aware that
tlogdoes not record terminal in theGnome 3graphical session. Recording terminals in graphical sessions is not supported because a graphical session has a single audit session ID for all terminals andtlogdoes not have a way to distinguish between the terminals and prevent repeated recordings. When tlog recording is configured to log to the
journal/syslogdirectory, the recorded user will see the act of recording the results of viewing the system journal or/var/log/messages. Because viewing generates logs, which then print to the screen, this causes Session Recording to record this action, which generates more records, causing a loop of flooded output.You can use a following command to work around this problem:
# journalctl -f | grep -v 'tlog-rec-session'
You can also configure tlog to limit the output. For details, see`tlog-rec` or
tlog-rec-sessionmanual pages.