Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 1. Getting started with Session Recording on RHEL

1.1. Session Recording in RHEL

The Session Recording solution in Red Hat Enterprise Linux 8 is based on the tlog package. You can use the tlog package and its associated web console session player to record and play back user terminal sessions. You can configure the recording to take place per user or user group via the SSSD service. All terminal input and output is captured and stored in a text-based format in the system journal.

Important

To not intercept raw passwords and other sensitive information, recording of the terminal input is disabled by default. Be aware that if you turn on recording of the terminal input, all entered passwords are captured in plaintext.

You can use this solution for auditing user sessions on security-sensitive systems or, in the event of a security breach, reviewing recorded sessions as part of forensic analysis. As an administrator, you can configure session recording locally on RHEL 8 systems. You can review the recorded sessions from the web console interface or in a terminal using the tlog-play command.

1.2. Components of Session Recording

There are three main components to the Session Recording solution: the tlog utility, the SSSD service and a web console embedded user interface.

tlog
The tlog utility is a terminal input/output (I/O) recording and playback program. It inserts the tlog-rec-session tool between the user terminal and the user shell, and logs everything that passes through as JSON messages.
SSSD
The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. When configuring session recording, you can use SSSD to specify which users or user groups to record. You can configure these settings from a command-line interface (CLI) or from the RHEL 8 web console interface.
The RHEL 8 web console embedded interface
The Session Recording page is part of the RHEL 8 web console interface and you can use it to manage recorded sessions.
Important

You need administrator privileges to access the recorded sessions.

1.3. Limitations of Session Recording

These are the most notable limitations of the Session Recording solution.

  • Recordings of root user are not reliable, because the root user can circumvent the recording process.
  • Session recording does not record the terminal in a GNOME 3 graphical session. Recording terminals in graphical sessions is not supported because a graphical session has a single audit session ID for all terminals and tlog is unable to distinguish between the terminals and prevent repeated recordings.

  • If session recording is configured to log to the journal, the recorded user will see the act of recording the results of viewing the system journal or /var/log/messages. Because viewing generates logs, which then print to the screen, this causes Session Recording to record this action, which generates more records, causing a loop of flooded output.

    You can use the following command to work around this problem: 

    # journalctl -f | grep -v 'tlog-rec-session'

    You can also configure tlog to limit the output. For details, see tlog-rec or tlog-rec-session manual pages.

  • To record users executing remote access commands, you must configure session recording for that user on the target host. For example, to record the following remote access command, you need to configure session recording for the admin user on the client host: 

    ssh admin@client rm -f /some/file
  • All recordings are lost on reboot because the journal is stored in-memory by default on RHEL 8. To export recordings see Exporting recorded sessions to a file.