Tlog is a terminal I/O recording and playback package for Linux. The session logs retain all the passed data and timing. Sessions are recorded in JSON format as to eventually deliver the data to a storage service (such as Elasticsearch) where it can be searched, queried and be played back.
If you have successfully run the RHEL 8 lab preparation playbook, then node1.example.com has already been properly configured for session logging. What follows are some basic exercises to demonstrate how this facility functions.
For these exercises, you will be using the host node1 as user root.
From host bastion, ssh to node1.
ssh node1Use sudo to elevate your priviledges.
sudo -iVerify that you are on the right host for these exercises.
workshop-tlog-checkhost.shYou are now ready to proceed with these exercises.
The system has been configured with an additional non-priviledged user called other-user. Run the following command to change to the other-user.
|
ℹ️
|
The command is 'su' + 'dash' + 'other-user'. Don’t forget the dash! |
su - other-userATTENTION! Your session is being recorded!
You should have gotten a message when switching to other-user that the session is being recorded.
Now to do a few activities worth logging. You can check out a directory listing, look at the host’s passwd and shadow files.
ls -l /etc-rw-r--r--. 1 root root 68 Apr 17 22:19 shells drwxr-xr-x. 2 root root 4096 Apr 17 21:54 skel -rw-r--r--. 1 root root 138 Sep 12 2019 sos.conf drwxr-xr-x. 3 root root 4096 Apr 17 21:58 ssh drwxr-xr-x. 2 root root 4096 Apr 17 21:55 ssl drwx------. 4 sssd sssd 4096 Apr 17 21:55 sssd -rw-r--r--. 1 root root 48 Apr 17 22:21 subgid -rw-r--r--. 1 root root 24 Apr 17 22:19 subgid- -rw-r--r--. 1 root root 48 Apr 17 22:21 subuid -rw-r--r--. 1 root root 24 Apr 17 22:19 subuid- -rw-r-----. 1 root root 1786 Aug 16 2019 sudo.conf -r--r-----. 1 root root 4328 Aug 16 2019 sudoers ...SNIP...
cat /etc/passwdroot:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin ...SNIP...
cat /etc/shadowcat: /etc/shadow: Permission denied
Oh wait, you need root priviledges to see the contents of /etc/shadow. You can use sudo for that!
sudo cat /etc/shadowroot:$6$9Jk5EGiB2aBl95kj$RIdiSqNdKt95zqddStFUY/zVKIUujWfGWJkLM5KQ.7zY88Kxxa0qm78qLMFRAqDO2qOrp.qZBaQAKcUFm1Is70:18370:0:99999:7::: bin:*:17988:0:99999:7::: daemon:*:17988:0:99999:7::: adm:*:17988:0:99999:7::: lp:*:17988:0:99999:7::: sync:*:17988:0:99999:7::: shutdown:*:17988:0:99999:7::: halt:*:17988:0:99999:7::: mail:*:17988:0:99999:7::: operator:*:17988:0:99999:7::: games:*:17988:0:99999:7::: ftp:*:17988:0:99999:7::: ...SNIP...
We are done with our limited nafarious activities, so proceed to exit
exitSession logs are configured to record in the system journal by default. A distinct advantage to this approach is that session recordings are also augmented with meta data which includes: user, session-id, host-id and a log-message-id. Let’s have a look.
journalctl -o verbose --output-fields=TLOG_USER,TLOG_REC TLOG_USER=other-userSat 2019-04-27 21:21:27.852913 EDT [s=bcde42e4c96048c3908657177414e202;i=700;b=b2333248c22a4c5f912a>
TLOG_USER=other-user
TLOG_REC=b2333248c22a4c5f912a245f6266582e-3cb9-e9bf9
Sat 2019-04-27 21:21:33.354695 EDT [s=bcde42e4c96048c3908657177414e202;i=701;b=b2333248c22a4c5f912a>
TLOG_USER=other-user
TLOG_REC=b2333248c22a4c5f912a245f6266582e-3cb9-e9bf9
Sat 2019-04-27 21:21:43.483301 EDT [s=bcde42e4c96048c3908657177414e202;i=702;b=b2333248c22a4c5f912a>
TLOG_USER=other-user
TLOG_REC=b2333248c22a4c5f912a245f6266582e-3cb9-e9bf9
Sat 2019-04-27 21:21:54.193564 EDT [s=bcde42e4c96048c3908657177414e202;i=707;b=b2333248c22a4c5f912a>
TLOG_USER=other-user
TLOG_REC=b2333248c22a4c5f912a245f6266582e-3cb9-e9bf9
Sat 2019-04-27 21:21:58.770887 EDT [s=bcde42e4c96048c3908657177414e202;i=70c;b=b2333248c22a4c5f912a>
TLOG_USER=other-user
TLOG_REC=b2333248c22a4c5f912a245f6266582e-3cb9-e9bf9
Each one of those entries makes up a chunk of a session recording. It is by way of searching the system journal and identifying the correct TLOG_REC for a specific session, that you can then play back the session using tlog-play.
We have taken the liberty of scripting this "search" to playback the last session log from the user cloud-user.
workshop-tlog-playback.shOnce you hit enter on the above command, you will see a note that "Playback Started…" and again when "Playback Finished…". Be patient until it completes and your root prompt returns.
|
ℹ️
|
Native command(s) to playback last tlog myTLOG=`journalctl -o verbose -n 1 --output-fields=TLOG_USER,TLOG_REC TLOG_USER=other-user | grep TLOG_REC`
tlog-play -r journal -M ${myTLOG}
|
Clearly we have taken the liberty to pre-configure TLOG for this lab. But, it was not very difficult. TLOG requires a couple of packages, a configuration file and simple restart of the sssd service.
yum install tlog cockpit-session-recordingHere is what the config file looks like /etc/sssd/conf.d/sssd-session-recording.conf
cat /etc/sssd/conf.d/sssd-session-recording.conf# This file deployed by Ansible playbook # /etc/sssd/conf.d/sssd-session-recording.conf [session_recording] scope = some users = other-user groups = other-user
And lastly, reload systemd and restart the sssd service.
systemctl daemon-reload
systemctl restart sssd