Configuring Terminal Session Recording In Redhat Linux 8 Using Cockpit

In this tutorial we will see how to configure a Red Hat Linux system to record terminal sessions. Once recording is configured, you can play back the recordings to see which commands and actions were performed on the system. This is useful for capturing troubleshooting steps performed by a senior admin so that a junior admin can follow them later, or for reviewing what happened if something nasty was done to the system.

Pre-requisite

Your system should be up to date and connected to the internet (if required), and the cockpit package should be installed and configured.

Follow the steps below to configure your Red Hat system to record terminal sessions.

Step 1:

Install the two packages (i) cockpit-session-recording and (ii) tlog by running the command below from your terminal:

yum -y install cockpit-session-recording tlog

Output: (screenshot omitted)

The first package, cockpit-session-recording, adds a feature to the Web Console that you will use to enable and configure session recording. The tlog package provides the tools used to record and play back terminal sessions.

Step 2:

Now open the Web Console by entering the machine's IP address or hostname in a browser.

Output: (screenshot omitted)

Step 3:

- Because you have installed cockpit-session-recording, you will find the Session Recording option in the Web Console. Click on it.

- Because the application has only just been installed, it reports No Session Record.

- Click the ⚙ icon shown in the upper right-hand corner.

- You will be taken to the configuration settings for session recording.

- In General settings, leave everything at its default and scroll to the bottom, to SSSD Configuration.

- In the "Scope" option select All, which enables session recording for all users.

Output: (screenshot omitted)

Step 4:

- Now go back to the terminal and verify the configuration.

- Read the /etc/sssd/conf.d/sssd-session-recording.conf configuration file.

- Verify that the scope has been set to all, so that all sessions of all users and groups will be recorded.

Output: (screenshot omitted)

- Changes to the other configuration options displayed by the Web Console are stored in the /etc/tlog/tlog-rec-session.conf file, for example the shell executable that will be used for recorded sessions.
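The verification in this step is a manual read of the SSSD fragment. The script below is an added example, not code from the original post or from Cockpit or SSSD: it reads the [session_recording] section of any SSSD config file and reports whether a given user would be recorded, following the sssd.conf(5) semantics of the scope, users and groups options (scope=all records everyone, scope=none or a missing option records nobody, scope=some records only the listed users and groups). The three config files it checks are constructed inside the script; group membership is not looked up, so a user not named in "users" is reported as "depends on groups" when a groups list is present.

```sh
#!/bin/sh
# Added example, not code from the original post or from Cockpit/SSSD.
# Reads the [session_recording] section of an SSSD config fragment such as
# /etc/sssd/conf.d/sssd-session-recording.conf and reports whether a given
# user will have their sessions recorded.
# sssd.conf(5) semantics: scope=all records everyone, scope=none (the default
# when the option is missing) records nobody, scope=some records only the
# users and groups listed in "users" and "groups" (comma-separated lists).
# Group membership is not looked up here: a user absent from "users" is
# reported as "depends on groups" whenever a groups list is present.

# Print the value of key $2 from the [session_recording] section of file $1.
sssd_rec_option() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[session_recording]"); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[^=]*=[ \t]*", ""); sub("[ \t]+$", ""); print; exit
        }' "$1"
}

# Print "recorded", "not recorded" or "depends on groups" for user $2 under config $1.
will_record_user() {
    scope=$(sssd_rec_option "$1" scope)
    users=$(sssd_rec_option "$1" users)
    groups=$(sssd_rec_option "$1" groups)
    case "$scope" in
        all) echo "recorded" ;;
        some)
            # Wrap the list in commas so that ",name," matches whole names only.
            if printf '%s' ",$users," | tr -d ' ' | grep -qF ",$2,"; then
                echo "recorded"
            elif [ -n "$groups" ]; then
                echo "depends on groups"
            else
                echo "not recorded"
            fi ;;
        none|"") echo "not recorded" ;;
        *) echo "unknown scope: $scope" ;;
    esac
}

# Constructed sample configs (not files taken from a real system).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/all.conf" <<'EOF'
# what the Cockpit page writes when Scope is set to All
[session_recording]
scope = all
EOF
cat > "$TMP/some.conf" <<'EOF'
[session_recording]
scope = some
users = user1, contractor
groups = wheel
EOF
cat > "$TMP/none.conf" <<'EOF'
[sssd]
services = nss, pam
EOF

for u in user1 contractor user9; do
    printf '%-10s %-10s %s\n' all.conf "$u" "$(will_record_user "$TMP/all.conf" "$u")"
    printf '%-10s %-10s %s\n' some.conf "$u" "$(will_record_user "$TMP/some.conf" "$u")"
done
printf '%-10s %-10s %s\n' none.conf user1 "$(will_record_user "$TMP/none.conf" user1)"
```

Point will_record_user at the real fragment path from this step to check a production host; a result of "not recorded" for an account you expected to be covered means the Web Console change did not land, or a later fragment in /etc/sssd/conf.d overrides it.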

Step 5:

- To record a session, log in to a shell from your terminal as any user. Use a user account other than root to record a session.

ssh user1@localhost

- As soon as you enter the password, a notice about the session being recorded appears on the terminal.

- Run some commands so that the session captures and records them, then exit.

Step 6:

- Now go back to the Web Console for your system.

- Navigate to the Session Recording option.

- You will find a new recorded session listed there.

- You can play the recorded session directly from the Web Console by clicking on it and then on the play button.

Step 7:

- If you want to play back a recorded session from the terminal, you can do that too; run the commands below from the terminal.

- In the default configuration, recorded session data is sent to the journald-managed log. As a result, you use journalctl to find the available session data.

- The following command searches the journal and prints the lines that contain the string "rec" together with the recording identifier included in that message.

journalctl -o verbose | grep -P "\"rec\".*?\,"

Output: (screenshot omitted)

- To replay a session, run the tlog-play command with the session identifier, as shown below:

tlog-play -r journal -M TLOG_REC=b9dd6a8391714e42be4f6f885875d48f-22ea-c2f05

- Replace the recording session ID with your own.

- To play the very first recorded session, run the command below:

tlog-play -r journal -M TLOG_REC=$(journalctl -o verbose | grep -P "\"rec\".*?\." | cut -d, -f3 | cut -d: -f2 | head -n 1 | sed -e s/\"//g)

- To interrupt replay of a recorded session, press Ctrl+C.
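The grep and cut pipeline above finds the first recording identifier by chopping a journal line on commas. The script below is an added example, not code from the original post or from the tlog project: it lists every distinct recording in journalctl -o verbose output, one line per recording with its user and host, and prints the oldest identifier in the form tlog-play expects. It relies on the tlog JSON message carrying the "host", "rec" and "user" keys in that order and an "id" counter that starts at 1 for the first chunk of each recording; the journal text it parses is constructed inside the script, with made-up identifiers.

```sh
#!/bin/sh
# Added example, not code from the original post or from the tlog project.
# Lists the distinct recordings found in `journalctl -o verbose` output.
# Every entry tlog-rec-session writes to the journal carries a JSON MESSAGE
# with "host", "rec" and "user" keys (in that order) and an "id" counter that
# starts at 1 for the first chunk of each recording, so keeping only "id":1
# yields exactly one line per recording, oldest first.

# Input: journalctl -o verbose text on stdin.
# Output: one line per recording, "<rec id> <user> <host>".
list_recordings() {
    grep -E 'MESSAGE=\{.*"rec":' |
    grep -E '"id":1,' |
    sed -E 's/.*"host":"([^"]*)".*"rec":"([^"]*)".*"user":"([^"]*)".*/\2 \3 \1/'
}

# Print the identifier of the oldest recording, ready for
#   tlog-play -r journal -M TLOG_REC=<id>
first_recording_id() {
    list_recordings | head -n 1 | cut -d' ' -f1
}

# Constructed sample of journalctl -o verbose output: two recordings, the
# first one spanning two journal entries. Identifiers and hostnames are made up.
SAMPLE_JOURNAL='Mon 2024-01-01 10:00:00.000000 UTC [s=0;i=1;b=0;m=0;t=0;x=0]
    _HOSTNAME=rhel8
    SYSLOG_IDENTIFIER=tlog-rec-session
    TLOG_REC=1111aaaa-1-1
    TLOG_USER=user1
    MESSAGE={"ver":"2.3","host":"rhel8","rec":"1111aaaa-1-1","user":"user1","term":"xterm","session":5,"id":1,"pos":0,"timing":"=80x24","in_txt":"","in_bin":[],"out_txt":"$ ls\r\n","out_bin":[]}
Mon 2024-01-01 10:00:05.000000 UTC [s=0;i=2;b=0;m=0;t=0;x=0]
    _HOSTNAME=rhel8
    SYSLOG_IDENTIFIER=tlog-rec-session
    TLOG_REC=1111aaaa-1-1
    TLOG_USER=user1
    MESSAGE={"ver":"2.3","host":"rhel8","rec":"1111aaaa-1-1","user":"user1","term":"xterm","session":5,"id":2,"pos":5000,"timing":"","in_txt":"","in_bin":[],"out_txt":"logout\r\n","out_bin":[]}
Mon 2024-01-01 11:00:00.000000 UTC [s=0;i=3;b=0;m=0;t=0;x=0]
    _HOSTNAME=rhel8
    SYSLOG_IDENTIFIER=tlog-rec-session
    TLOG_REC=2222bbbb-2-2
    TLOG_USER=user2
    MESSAGE={"ver":"2.3","host":"rhel8","rec":"2222bbbb-2-2","user":"user2","term":"xterm","session":7,"id":1,"pos":0,"timing":"=80x24","in_txt":"","in_bin":[],"out_txt":"","out_bin":[]}'

# Run against the constructed sample; on a real host pipe journalctl -o verbose
# into list_recordings instead.
printf '%s\n' "$SAMPLE_JOURNAL" | list_recordings
echo "oldest: $(printf '%s\n' "$SAMPLE_JOURNAL" | first_recording_id)"
```

Filtering on "id":1 is what makes the listing reliable: a long session is split across many journal entries that all carry the same "rec" value, so grepping for "rec" alone, as in the one-liner above, repeats each recording once per chunk.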
