On Tue, Oct 22, 2019 at 12:51:27PM +0000, MAUPERTUIS, PHILIPPE wrote:
> Hi list,
> With Redhat 8 come tlogs for session recording.
> It seems a promising tool to comply with PCI DSS requirement 10.2 which
> requires Monitoring of all actions taken by any individual with root or
> administrative privileges.
> Redhat preferred way to configure tlog-rec-session is through sssd.
> I have doubt about the interaction between the nss and the session-recording
> sections.
> The man states :
>        users (string)
>            A comma-separated list of users which should have session
>            recording enabled.
>            Matches user names as returned by NSS. I.e. after the possible
>            space replacement, case changes, etc.
>
> Am I right to understand that if the nss filters some users (root for
> example) with the filter_users directive, their sessions won't be recorded
> even if defined in the session-recording session ?
Yes, that's my understanding, too.

> If yes is there a way to find the discrepancies between the two sections?

getent passwd -s sss $username, check if their shell is tlog-rec?

btw I guess you could just use chsh to change the user's shell to tlog-rec..
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
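An offline form of the discrepancy check asked about above, as an added example that is not part of the original thread: it reads a configuration file and lists the names that appear both in `users` under `[session_recording]` and in `filter_users` under `[nss]`. The function names and the sample configuration are constructed for illustration; it assumes a single configuration file with plain user names and does not look at the `groups` option.

```shell
#!/bin/sh
# Added example (not from the thread): find users listed for session recording
# that the NSS responder filters out, using only the sssd.conf text.

# ini_list FILE SECTION KEY: print a comma-separated option, one value per line.
ini_list() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                              # comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next } # section header
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            n = split(substr($0, i + 1), v, ",")
            for (j = 1; j <= n; j++) {
                gsub(/^[ \t]+|[ \t]+$/, "", v[j])
                if (v[j] != "") print v[j]
            }
        }' "$1"
}

# nss_filtered FILE: users hidden by [nss] filter_users.
# sssd.conf(5) documents "root" as the default when the option is unset.
nss_filtered() {
    f=$(ini_list "$1" nss filter_users)
    if [ -n "$f" ]; then printf '%s\n' "$f"; else echo root; fi
}

# recording_gaps FILE: names present in both lists, one per line.
recording_gaps() {
    ini_list "$1" session_recording users | while read -r u; do
        if nss_filtered "$1" | grep -qxF -- "$u"; then echo "$u"; fi
    done
}

# sample_conf: constructed configuration used for the offline check.
sample_conf() {
    cat <<'EOF'
[nss]
filter_users = root, svc_backup

[session_recording]
scope = some
users = root, alice, svc_backup
EOF
}

# Usage: sh check.sh /etc/sssd/sssd.conf
if [ "$#" -gt 0 ]; then recording_gaps "$1"; fi
```

Any name it prints can then be confirmed on the live system with the getent lookup suggested in the reply.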