Red Hat Training
A Red Hat training course is available for RHEL 8
Chapter 4. Configuring a system for session recording using the tlog RHEL System Role
With the tlog RHEL System Role, you can configure a system for terminal session recording on RHEL using Red Hat Ansible Automation Platform.
4.1. The tlog System Role
You can configure a RHEL system for terminal session recording on RHEL using the tlog RHEL System Role.
You can configure the recording to take place per user or user group by means of the SSSD service.
Additional resources
- For more details on session recording in RHEL, see Recording Sessions.
4.2. Components and parameters of the tlog System Role
The Session Recording solution has the following components:
-
The
tlogutility - System Security Services Daemon (SSSD)
- Optional: The web console interface
The parameters used for the tlog RHEL System Role are:
| Role Variable | Description |
|---|---|
| tlog_use_sssd (default: yes) | Configure session recording with SSSD, the preferred way of managing recorded users or groups |
| tlog_scope_sssd (default: none) | Configure SSSD recording scope - all / some / none |
| tlog_users_sssd (default: []) | YAML list of users to be recorded |
| tlog_groups_sssd (default: []) | YAML list of groups to be recorded |
-
For details about the parameters used in
tlogand additional information about thetlogSystem Role, see the/usr/share/ansible/roles/rhel-system-roles.tlog/README.mdfile.
4.3. Deploying the tlog RHEL System Role
Follow these steps to prepare and apply an Ansible playbook to configure a RHEL system to log session recording data to the systemd journal.
Prerequisites
-
You have set SSH keys for access from the control node to the target system where the
tlogSystem Role will be configured. -
You have at least one system that you want to configure the
tlogSystem Role. - The Ansible Core package is installed on the control machine.
-
The
rhel-system-rolespackage is installed on the control machine.
Procedure
Create a new
playbook.ymlfile with the following content:--- - name: Deploy session recording hosts: all vars: tlog_scope_sssd: some tlog_users_sssd: - recorded-user roles: - rhel-system-roles.tlogWhere,
tlog_scope_sssd:-
somespecifies you want to record only certain users and groups, notallornone.
-
tlog_users_sssd:-
recorded-userspecifies the user you want to record a session from. Note that this does not add the user for you. You must set the user by yourself.
-
Optionally, verify the playbook syntax.
# ansible-playbook --syntax-check playbook.ymlRun the playbook on your inventory file:
# ansible-playbook -i IP_Address /path/to/file/playbook.yml -v
As a result, the playbook installs the tlog RHEL System Role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. It also creates an SSSD configuration drop file that can be used by the users and groups that you define. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Verification steps
To verify that the SSSD configuration drop file is created in the system, perform the following steps:
Navigate to the folder where the SSSD configuration drop file is created:
# cd /etc/sssd/conf.dCheck the file content:
# cat /etc/sssd/conf.d/sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
4.4. Deploying the tlog RHEL System Role for excluding lists of groups or users
You can use the tlog System Role to support the SSSD session recording configuration options exclude_users and exclude_groups. Follow these steps to prepare and apply an Ansible playbook to configure a RHEL system to exclude users or groups from having their sessions recorded and logged in the systemd journal.
Prerequisites
-
You have set SSH keys for access from the control node to the target system on which you want to configure the
tlogSystem Role. -
You have at least one system on which you want to configure the
tlogSystem Role. - The Ansible Core package is installed on the control machine.
-
The
rhel-system-rolespackage is installed on the control machine.
Procedure
Create a new
playbook.ymlfile with the following content:--- - name: Deploy session recording excluding users and groups hosts: all vars: tlog_scope_sssd: all tlog_exclude_users_sssd: - jeff - james tlog_exclude_groups_sssd: - admins roles: - rhel-system-roles.tlogWhere,
tlog_scope_sssd:-
all: specifies that you want to record all users and groups.
-
tlog_exclude_users_sssd:- user names: specifies the user names of the users you want to exclude from the session recording.
tlog_exclude_groups_sssd:-
adminsspecifies the group you want to exclude from the session recording.
-
Optionally, verify the playbook syntax;
# ansible-playbook --syntax-check playbook.ymlRun the playbook on your inventory file:
# ansible-playbook -i IP_Address /path/to/file/playbook.yml -v
As a result, the playbook installs the tlog RHEL System Role on the system you specified. The role includes tlog-rec-session, a terminal session I/O logging program, that acts as the login shell for a user. It also creates an /etc/sssd/conf.d/sssd-session-recording.conf SSSD configuration drop file that can be used by users and groups except those that you defined as excluded. SSSD parses and reads these users and groups, and replaces their user shell with tlog-rec-session. Additionally, if the cockpit package is installed on the system, the playbook also installs the cockpit-session-recording package, which is a Cockpit module that allows you to view and play recordings in the web console interface.
Verification steps
To verify that the SSSD configuration drop file is created in the system, perform the following steps:
Navigate to the folder where the SSSD configuration drop file is created:
# cd /etc/sssd/conf.dCheck the file content:
# cat sssd-session-recording.conf
You can see that the file contains the parameters you set in the playbook.
Additional resources
-
See the
/usr/share/doc/rhel-system-roles/tlog/and/usr/share/ansible/roles/rhel-system-roles.tlog/directories. - The Recording a session using the deployed Terminal Session Recording System Role in the CLI.
4.5. Recording a session using the deployed tlog System Role in the CLI
After you have deployed the tlog System Role in the system you have specified, you are able to record a user terminal session using the command-line interface (CLI).
Prerequisites
-
You have deployed the
tlogSystem Role in the target system. -
The SSSD configuration drop file was created in the
/etc/sssd/conf.ddirectory. See Deploying the Terminal Session Recording RHEL System Role.
Procedure
Create a user and assign a password for this user:
# useradd recorded-user # passwd recorded-user
Log in to the system as the user you just created:
# ssh recorded-user@localhost- Type "yes" when the system prompts you to type yes or no to authenticate.
Insert the recorded-user’s password.
The system displays a message about your session being recorded.
ATTENTION! Your session is being recorded!
After you have finished recording the session, type:
# exitThe system logs out from the user and closes the connection with the localhost.
As a result, the user session is recorded, stored and you can play it using a journal.
Verification steps
To view your recorded session in the journal, do the following steps:
Run the command below:
# journalctl -o verbose -rSearch for the
MESSAGEfield of thetlog-recrecorded journal entry.# journalctl -xel _EXE=/usr/bin/tlog-rec-session
4.6. Watching a recorded session using the CLI
You can play a user session recording from a journal using the command-line interface (CLI).
Prerequisites
- You have recorded a user session. See Recording a session using the deployed tlog System Role in the CLI .
Procedure
On the CLI terminal, play the user session recording:
# journalctl -o verbose -rSearch for the
tlogrecording:$ /tlog-recYou can see details such as:
- The username for the user session recording
-
The
out_txtfield, a raw output encode of the recorded session - The identifier number TLOG_REC=ID_number
- Copy the identifier number TLOG_REC=ID_number.
Playback the recording using the identifier number TLOG_REC=ID_number.
# tlog-play -r journal -M TLOG_REC=ID_number
As a result, you can see the user session recording terminal output being played back.
