Tlog Session Recording
Tlog session recording.
Tlog is a package available in RHEL and CentOS 8 used to monitor terminal sessions. Once installed, sessions can be played back using the tlog-play command from the command line or via a cockpit dashboard. As a standard security measure it is important to be able to understand and log what users are doing especially as a requirement within PCI environments. Tlog installed on a bastion host is a great option to help achieve this.
Firstly, install tlog.
dnf install tlog
Configure sssd to record all user sessions.
vi /etc/sssd/sssd.conf
[domain/local]
id_provider = files
[sssd]
domains = local
services = nss, pam, ssh, sudo
[session_recording]
scope = all
Ensure the appropriate permissions are applied on sssd.conf and restart the service.
chmod 600 /etc/sssd/sssd.conf
systemctl restart sssd
By default, session recordings are logged to journald. To play back user sessions, execute the following command replacing the TLOG_REC ID as required.
tlog-play -r journal -M TLOG_REC=813301a8a07c4e43a9e490c820064ed0-1e8d-70563
Rsyslog is more familiar to many people and therefore would rather tlog entries be configured to use rsyslog rather than journald. Also rsyslog in many environments is configured to ship logs to remote rsyslog servers so this works well with existing log management. To change the writer facility, simply edit the tlog-rec-session.conf.
vi /etc/tlog/tlog-rec-session.conf
...
"writer" : "syslog"
Now the session recording will be located in the /var/log/secure log. A downside to this is that there is no easy way to play the session using tlog-play, unlike in the previous command using journald. However, one elegant way is to pull out all entries for the TLOG_REC ID and play the session from a separate file.
grep -i 813301a8a07c4e43a9e490c820064ed0-5d30-c7c59 /var/log/secure | sed 's/^.*({)/\1/' > /tmp/session.log
The session can now be played from the created file.
tlog-play -r file --file-path /tmp/session.log
And that is it - this is just a simple introduction to tlog but hopefully it shows the possibilities this new tool brings.