Language:
Format:

Language:
Format:

Chapter 27. Configuring a system for session recording by using the tlog RHEL system role

With the tlog RHEL system role, you can configure a system for terminal session recording on RHEL by using Red Hat Ansible Automation Platform.

27.1. The `tlog` system role

You can configure a RHEL system for terminal session recording on RHEL using the tlog RHEL system role.

You can configure the recording to take place per user or user group by means of the SSSD service.

Additional resources

/usr/share/ansible/roles/rhel-system-roles.ha_cluster/README.md file
/usr/share/doc/rhel-system-roles/ha_cluster/ directory

27.2. Components and parameters of the `tlog` system role

The Session Recording solution has the following components:

The tlog utility
System Security Services Daemon (SSSD)
Optional: The web console interface

The parameters used for the tlog RHEL system role are:

Role Variable	Description
tlog_use_sssd (default: yes)	Configure session recording with SSSD, the preferred way of managing recorded users or groups
tlog_scope_sssd (default: none)	Configure SSSD recording scope - all / some / none
tlog_users_sssd (default: [])	YAML list of users to be recorded
tlog_groups_sssd (default: [])	YAML list of groups to be recorded

Additional resources

/usr/share/ansible/roles/rhel-system-roles.ha_cluster/README.md file
/usr/share/doc/rhel-system-roles/ha_cluster/ directory

27.3. Deploying the `tlog` RHEL system role

Follow these steps to prepare and apply an Ansible playbook to configure a RHEL system to log session recording data to the systemd journal.

The playbook installs the tlog RHEL system role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. It also creates an SSSD configuration drop file that can be used by the users and groups that you define. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.

Prerequisites

You have prepared the control node and the managed nodes.
You are logged in to the control node as a user who can run playbooks on the managed nodes.
The account you use to connect to the managed nodes has sudo permissions on them.

Procedure

Create a playbook file, for example ~/playbook.yml, with the following content:
```
---
- name: Deploy session recording
  hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.tlog
  vars:
    tlog_scope_sssd: some
    tlog_users_sssd:
      - recorded-user
```
tlog_scope_sssd
The some value specifies you want to record only certain users and groups, not all or none.
tlog_users_sssd
Specifies the user you want to record a session from. Note that this does not add the user for you. You must set the user by yourself.
Validate the playbook syntax:
```
$ ansible-playbook --syntax-check ~/playbook.yml
```
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
```
$ ansible-playbook ~/playbook.yml
```

Verification

Navigate to the folder where the SSSD configuration drop file is created:
```
# cd /etc/sssd/conf.d/
```
Check the file content:
```
# cat /etc/sssd/conf.d/sssd-session-recording.conf
```
You can see that the file contains the parameters you set in the playbook.
Log in as a user whose session will be recorded.
Play back a recorded session.

Additional resources

/usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
/usr/share/doc/rhel-system-roles/tlog/ directory

27.4. Deploying the `tlog` RHEL system role for excluding lists of groups or users

You can use the tlog system role to support the SSSD session recording configuration options exclude_users and exclude_groups. Follow these steps to prepare and apply an Ansible playbook to configure a RHEL system to exclude users or groups from having their sessions recorded and logged in the systemd journal.

The playbook installs the tlog RHEL system role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. It also creates an /etc/sssd/conf.d/sssd-session-recording.conf SSSD configuration drop file that can be used by users and groups except those that you defined as excluded. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.

Prerequisites

You have prepared the control node and the managed nodes.
You are logged in to the control node as a user who can run playbooks on the managed nodes.
The account you use to connect to the managed nodes has sudo permissions on them.

Procedure

Create a playbook file, for example ~/playbook.yml, with the following content:
```
---
- name: Deploy session recording excluding users and groups
  hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.tlog
  vars:
    tlog_scope_sssd: all
    tlog_exclude_users_sssd:
      - jeff
      - james
    tlog_exclude_groups_sssd:
      - admins
```
tlog_scope_sssd
The value all specifies that you want to record all users and groups.
tlog_exclude_users_sssd
Specifies the user names of the users you want to exclude from the session recording.
tlog_exclude_groups_sssd
Specifies the group you want to exclude from the session recording.
Validate the playbook syntax:
```
$ ansible-playbook --syntax-check ~/playbook.yml
```
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
```
$ ansible-playbook ~/playbook.yml
```

Verification

Navigate to the folder where the SSSD configuration drop file is created:
```
# cd /etc/sssd/conf.d/
```
Check the file content:
```
# cat sssd-session-recording.conf
```
You can see that the file contains the parameters you set in the playbook.
Log in as a user whose session will be recorded.
Play back a recorded session.

Additional resources

/usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
/usr/share/doc/rhel-system-roles/tlog/ directory

Select Your Language

Chapter 27. Configuring a system for session recording by using the tlog RHEL system role

27.1. The `tlog` system role

27.2. Components and parameters of the `tlog` system role

27.3. Deploying the `tlog` RHEL system role

27.4. Deploying the `tlog` RHEL system role for excluding lists of groups or users

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Language and Page Formatting Options

Chapter 27. Configuring a system for session recording by using the tlog RHEL system role

27.1. The tlog system role

27.2. Components and parameters of the tlog system role

27.3. Deploying the tlog RHEL system role

27.4. Deploying the tlog RHEL system role for excluding lists of groups or users

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links

27.1. The `tlog` system role

27.2. Components and parameters of the `tlog` system role

27.3. Deploying the `tlog` RHEL system role

27.4. Deploying the `tlog` RHEL system role for excluding lists of groups or users