1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
<refmeta>
<refentrytitle>sssd-sudo</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>sssd-session-recording</refname>
<refpurpose>Configuring session recording with SSSD</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
This manual page describes how to configure
<citerefentry>
<refentrytitle>sssd</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry> to work with
<citerefentry>
<refentrytitle>tlog-rec-session</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>, a part of tlog package, to implement user session
recording on text terminals.
For a detailed configuration syntax reference, refer to the
<quote>FILE FORMAT</quote> section of the
<citerefentry>
<refentrytitle>sssd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> manual page.
</para>
<para>
SSSD can be set up to enable recording of everything specific
users see or type during their sessions on text terminals. E.g.
when users log in on the console, or via SSH. SSSD itself doesn't
record anything, but makes sure tlog-rec-session is started upon
user login, so it can record according to its configuration.
</para>
<para>
For users with session recording enabled, SSSD replaces the user
shell with tlog-rec-session in NSS responses, and adds a variable
specifying the original shell to the user environment, upon PAM
session setup. This way tlog-rec-session can be started in place
of the user shell, and know which actual shell to start, once it
set up the recording.
</para>
</refsect1>
<refsect1 id='configuration-options'>
<title>CONFIGURATION OPTIONS</title>
<para>
These options can be used to configure the session recording.
</para>
<variablelist>
<varlistentry>
<term>scope (string)</term>
<listitem>
<para>
One of the following strings specifying the scope
of session recording:
<variablelist>
<varlistentry>
<term>"none"</term>
<listitem>
<para>
No users are recorded.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>"some"</term>
<listitem>
<para>
Users/groups specified by
<replaceable>users</replaceable>
and
<replaceable>groups</replaceable>
options are recorded.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>"all"</term>
<listitem>
<para>
All users are recorded.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
Default: "none"
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>users (string)</term>
<listitem>
<para>
A comma-separated list of users which should have
session recording enabled. Matches user names as
returned by NSS. I.e. after the possible space
replacement, case changes, etc.
</para>
<para>
Default: Empty. Matches no users.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>groups (string)</term>
<listitem>
<para>
A comma-separated list of groups, members of which
should have session recording enabled. Matches
group names as returned by NSS. I.e. after the
possible space replacement, case changes, etc.
</para>
<para>
NOTE: using this option (having it set to
anything) has a considerable performance cost,
because each uncached request for a user requires
retrieving and matching the groups the user is
member of.
</para>
<para>
Default: Empty. Matches no groups.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='example'>
<title>EXAMPLE</title>
<para>
The following snippet of sssd.conf enables session recording for
users "contractor1" and "contractor2", and group "students".
</para>
<para>
<programlisting>
[session_recording]
scope = some
users = contractor1, contractor2
groups = students
</programlisting>
</para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>
</reference>
|
