Chapter 27. Configuring a system for session recording by using the tlog RHEL system role
With the tlog RHEL system role, you can configure a system for terminal session recording on RHEL by using Red Hat Ansible Automation Platform.
27.1. The tlog system role
You can configure a RHEL system for terminal session recording by using the tlog RHEL system role. You can configure the recording to take place per user or per user group by means of the SSSD service.
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.ha_cluster/README.md file
- /usr/share/doc/rhel-system-roles/ha_cluster/ directory
27.2. Components and parameters of the tlog system role
The Session Recording solution has the following components:
- The tlog utility
- System Security Services Daemon (SSSD)
- Optional: The web console interface
The parameters used for the tlog RHEL system role are:
Role Variable | Description
---|---
tlog_use_sssd (default: yes) | Configure session recording with SSSD, the preferred way of managing recorded users or groups
tlog_scope_sssd (default: none) | Configure the SSSD recording scope: all, some, or none
tlog_users_sssd (default: []) | YAML list of users to be recorded
tlog_groups_sssd (default: []) | YAML list of groups to be recorded
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.ha_cluster/README.md file
- /usr/share/doc/rhel-system-roles/ha_cluster/ directory
27.3. Deploying the tlog RHEL system role
Follow these steps to prepare and apply an Ansible playbook that configures a RHEL system to log session recording data to the systemd journal.
The playbook installs the tlog RHEL system role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program, which acts as the login shell for a user. It also creates an SSSD configuration drop-in file that applies to the users and groups that you define. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
Procedure
Create a playbook file, for example ~/playbook.yml, with the following content:
---
- name: Deploy session recording
  hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.tlog
  vars:
    tlog_scope_sssd: some
    tlog_users_sssd:
      - recorded-user
tlog_scope_sssd
- The some value specifies that you want to record only certain users and groups, not all or none.
tlog_users_sssd
- Specifies the user whose sessions you want to record. Note that the role does not create this user account for you; you must create the user yourself.
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
Navigate to the folder where the SSSD configuration drop file is created:
# cd /etc/sssd/conf.d/
Check the file content:
# cat /etc/sssd/conf.d/sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
- Log in as a user whose session will be recorded.
- Play back a recorded session.
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
- /usr/share/doc/rhel-system-roles/tlog/ directory
27.4. Deploying the tlog RHEL system role for excluding lists of groups or users
You can use the tlog system role to support the SSSD session recording configuration options exclude_users and exclude_groups. Follow these steps to prepare and apply an Ansible playbook that configures a RHEL system to exclude users or groups from having their sessions recorded and logged in the systemd journal.
The playbook installs the tlog RHEL system role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program, which acts as the login shell for a user. It also creates an /etc/sssd/conf.d/sssd-session-recording.conf SSSD configuration drop-in file that applies to all users and groups except those that you defined as excluded. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
Procedure
Create a playbook file, for example ~/playbook.yml, with the following content:
---
- name: Deploy session recording excluding users and groups
  hosts: managed-node-01.example.com
  roles:
    - rhel-system-roles.tlog
  vars:
    tlog_scope_sssd: all
    tlog_exclude_users_sssd:
      - jeff
      - james
    tlog_exclude_groups_sssd:
      - admins
tlog_scope_sssd
- The all value specifies that you want to record all users and groups.
tlog_exclude_users_sssd
- Specifies the user names of the users you want to exclude from the session recording.
tlog_exclude_groups_sssd
- Specifies the groups you want to exclude from the session recording.
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
Navigate to the folder where the SSSD configuration drop file is created:
# cd /etc/sssd/conf.d/
Check the file content:
# cat sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
- Log in as a user whose session will be recorded.
- Play back a recorded session.
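The verification step in sections 27.3 and 27.4 only tells you to look at the drop-in file. The following added example (not code from the RHEL system roles documentation or from the tlog role itself) renders the [session_recording] section from the role variables used in the two playbooks above, parses it back the way a checker would read /etc/sssd/conf.d/sssd-session-recording.conf, and decides per user whether SSSD would swap the login shell for tlog-rec-session under the scope rules from sssd-session-recording(5): with scope some only the listed users and groups are recorded, with scope all everyone except the excluded users and groups is recorded. The option names scope, users, groups, exclude_users and exclude_groups are SSSD's; the exact text the role writes is an assumption, and the sample role variables are copied from this chapter's playbooks.

```python
import configparser

# Constructed role variables, taken from the two playbooks in this chapter.
SOME_USERS_VARS = {"tlog_scope_sssd": "some", "tlog_users_sssd": ["recorded-user"]}
ALL_BUT_EXCLUDED_VARS = {
    "tlog_scope_sssd": "all",
    "tlog_exclude_users_sssd": ["jeff", "james"],
    "tlog_exclude_groups_sssd": ["admins"],
}

# Role variable -> option in the SSSD [session_recording] section
# (option names from sssd-session-recording(5); the mapping is an assumption).
VAR_TO_OPTION = {
    "tlog_users_sssd": "users",
    "tlog_groups_sssd": "groups",
    "tlog_exclude_users_sssd": "exclude_users",
    "tlog_exclude_groups_sssd": "exclude_groups",
}


def render_drop_in(tlog_vars):
    """Render drop-in text from tlog_* variables (file layout is assumed)."""
    scope = tlog_vars.get("tlog_scope_sssd", "none")
    lines = ["[session_recording]", f"scope = {scope}"]
    for var, option in VAR_TO_OPTION.items():
        values = tlog_vars.get(var) or []
        if values:
            lines.append(f"{option} = {', '.join(values)}")
    return "\n".join(lines) + "\n"


def parse_drop_in(text):
    """Parse the drop-in into a dict of scope plus comma-separated name sets."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["session_recording"]

    def csv_set(option):
        raw = section.get(option, "")
        return {item.strip() for item in raw.split(",") if item.strip()}

    return {
        "scope": section.get("scope", "none").strip(),
        "users": csv_set("users"),
        "groups": csv_set("groups"),
        "exclude_users": csv_set("exclude_users"),
        "exclude_groups": csv_set("exclude_groups"),
    }


def is_recorded(conf, user, groups=()):
    """Would SSSD replace this user's shell with tlog-rec-session?"""
    scope = conf["scope"]
    member_of = set(groups)
    if scope == "none":
        return False
    if scope == "some":
        # Only explicitly listed users, or members of listed groups.
        return user in conf["users"] or bool(member_of & conf["groups"])
    if scope == "all":
        # Everyone, minus the exclude lists; exclusions only apply here.
        return user not in conf["exclude_users"] and not (member_of & conf["exclude_groups"])
    # A syntactically valid playbook can still carry a scope SSSD does not know.
    raise ValueError(f"invalid session_recording scope: {scope!r}")


if __name__ == "__main__":
    for label, tlog_vars in (("some", SOME_USERS_VARS), ("all", ALL_BUT_EXCLUDED_VARS)):
        conf = parse_drop_in(render_drop_in(tlog_vars))
        print(f"scope={label}: recorded-user -> {is_recorded(conf, 'recorded-user')}, "
              f"jeff -> {is_recorded(conf, 'jeff')}, "
              f"alice in admins -> {is_recorded(conf, 'alice', ['admins'])}")
```

On a managed node you can feed the real file to parse_drop_in instead of the rendered text; the ValueError branch is the kind of wrong-but-valid configuration that ansible-playbook --syntax-check does not catch.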
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.tlog/README.md file
- /usr/share/doc/rhel-system-roles/tlog/ directory