Hi everyone,

I'd like to continue the discussion of tlog integration, and also present you the first release of tlog - a development preview, which has the configuration interface necessary to implement the integration:

    https://github.com/spbnick/tlog/releases/tag/v1

You're more than welcome to download RPMs, install, read tlog-rec(8) and tlog-rec.conf(5), and experiment! Building from the Git tree and the tarball works as well, if you're so inclined. I'm also attaching those manpages for convenience.

Here are the integration plans so far, as discussed with Jakub on our devconf.cz trip meetings and before on the list. Jakub, please correct me or add details.

* We follow a route similar to that taken by the SELinux rule control implementation [1][2], i.e. store the configuration in LDAP HBAC rules, write it to files on the client side and then specify them to tlog upon user login. However, I'm also rather fond of the idea of specifying the whole configuration through an environment variable instead of through a file referenced by an environment variable - it's not big at all, and we'll avoid the hassle of managing the files. I implemented support for both in tlog (it was easy).

* We'll have to make nss_sss report the user's shell as tlog-rec (how?) and specify the actual shell to tlog-rec via an environment variable, through pam_sss (with SSS_PAM_ENV_ITEM messages). I.e.:

  * nss_sss would always report tlog-rec as the user's shell.

  * During login (e.g. through "login" or "sshd") pam_sss would add a variable to the user environment, containing, or pointing at, a tlog-rec configuration (TLOG_REC_CONF_TEXT or TLOG_REC_CONF_FILE). That configuration would contain the user's actual shell. I can also implement support for a separate variable just for the shell (TLOG_REC_SHELL?) to simplify the implementation for the start.

  * tlog-rec would read the system-wide configuration and overlay it with the one specified in the environment, adding the specific user shell, and then would spawn it.

Please also see the draft integration design page [3] for reference. I hope to refine and extend it in the coming weeks to match FreeIPA standards.

Please chime in and suggest, object, discuss!

Also, please report tlog bugs at https://github.com/spbnick/tlog/issues

Thank you!
Nick

[1]: http://www.freeipa.org/page/SELinux_user_mapping
[2]: http://www.freeipa.org/images/b/b9/Freeipa30_SELinuxUserMap.pdf
[3]: http://www.freeipa.org/page/Session_Recording
tlog-rec(8)                    System Manager's Manual                    tlog-rec(8)

NAME
       tlog-rec - start a shell and log terminal I/O

SYNOPSIS
       tlog-rec [OPTION...] [CMD_FILE [CMD_ARG...]]
       tlog-rec -c [OPTION...] CMD_STRING [CMD_NAME [CMD_ARG...]]

DESCRIPTION
       Tlog-rec is a terminal I/O logging program. It starts a shell under a
       pseudo-TTY, connects it to the actual terminal and logs whatever passes
       between them, including user input, program output, and terminal window
       size changes.

       If no "-c" option is specified, then the first non-option argument
       CMD_FILE specifies the location of a shell script the shell should read
       and the following arguments (CMD_ARG) specify its arguments. If the "-c"
       option is specified, then a non-option argument CMD_STRING is required
       and should contain shell commands to execute; the following arguments
       can specify first the script name (CMD_NAME, i.e. argv[0]) and then its
       arguments (CMD_ARG). If no non-option arguments are encountered, then
       the shell is started interactively.

       Tlog-rec loads its parameters first from the systemwide configuration
       file /usr/local/etc/tlog/tlog-rec.conf, then from the file pointed at by
       the TLOG_REC_CONF_FILE environment variable (if set), then from the
       contents of the TLOG_REC_CONF_TEXT environment variable (if set), and
       then from command-line options. Parameters from each of these sources
       override the previous one in turn.

OPTIONS
   General options
       -h, --help
              Output a command-line usage message and exit

       -s, --shell=SHELL
              Spawn the specified SHELL

       -l, --login
              Make the shell a login shell

       -c, --command
              Execute shell commands

       --notice=TEXT
              Print TEXT message before starting recording

       --latency=SECONDS
              Cache captured data SECONDS seconds before logging
              Value minimum: 1

       --payload=BYTES
              Limit encoded data to BYTES bytes
              Value minimum: 32

       --writer=STRING
              Use STRING log writer (syslog/file, default syslog)
              Value should be one of: "syslog", "file"

   Logged data set options
       --log-input[=BOOL]
              Enable/disable logging user input

       --log-output[=BOOL]
              Enable/disable logging program output

       --log-window[=BOOL]
              Enable/disable logging terminal window size changes

   File writer options
       --file-path=FILE
              Log to FILE file

   Syslog writer options
       --syslog-facility=STRING
              Log with STRING syslog facility
              Value should be one of: "auth", "authpriv", "cron", "daemon",
              "ftp", "kern", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7", "lpr", "mail", "news", "syslog",
              "user", "uucp"

       --syslog-priority=STRING
              Log with STRING syslog priority
              Value should be one of: "emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"

ENVIRONMENT
       TLOG_REC_CONF_FILE
              Specifies the location of a configuration file to be read. The
              configuration parameters in this file override the ones in the
              systemwide configuration file /usr/local/etc/tlog/tlog-rec.conf.

       TLOG_REC_CONF_TEXT
              Specifies the configuration text to be read. The configuration
              parameters in this variable override the ones in the file
              specified with TLOG_REC_CONF_FILE.

FILES
       /usr/local/etc/tlog/tlog-rec.conf
              The systemwide configuration file

EXAMPLES
       Start recording a login shell:

              tlog-rec -l

       Start recording a zsh session:

              tlog-rec -s /usr/bin/zsh

       Record everything but user input:

              tlog-rec --log-input=off --log-output=on --log-window=on

       Ask the recorded shell to execute a command:

              tlog-rec -c whoami

SEE ALSO
       tlog-rec.conf(5)

AUTHOR
       Nikolai Kondrashov <spbn...@gmail.com>

Tlog                              February 2016                           tlog-rec(8)
tlog-rec.conf(5)                  File Formats Manual                  tlog-rec.conf(5)

NAME
       tlog-rec.conf - tlog-rec configuration file

DESCRIPTION
       tlog-rec.conf is a JSON-format configuration file for the tlog-rec
       program. Contrary to the strict JSON specification, both C and C++
       style comments are allowed in the file. The file must contain a single
       JSON object with the objects and fields described below. Almost all of
       them are optional and assume a default value. However, those that do
       require a value can still be omitted and specified to tlog-rec in other
       ways: through environment variables or the command line.

OBJECTS AND FIELDS
   Root object
       shell (string)
              The path to the shell executable that should be spawned.
              Default: "/bin/bash"

       notice (string)
              A message which will be printed before starting recording and
              the user shell. Can be used to warn the user that the session is
              recorded.
              Default: "\nATTENTION! Your session is being recorded!\n\n"

       latency (integer)
              The data which does not exceed maximum payload stays in memory
              and is not logged until this number of seconds elapses.
              Minimum: 1
              Default: 10

       payload (integer)
              Maximum encoded data (payload) size per message, bytes. As soon
              as payload exceeds this number of bytes, it is formatted into a
              message and logged.
              Minimum: 32
              Default: 2048

       log (object)
              Logged data set object, see below.

       writer (string)
              The type of "log writer" to use for logging. The writer needs to
              be configured using its dedicated parameters.
              One of: "syslog", "file"
              Default: "syslog"

       file (object)
              File writer object, see below.

       syslog (object)
              Syslog writer object, see below.

   log - Logged data set object
       input (boolean)
              If specified as true, user input is logged.
              Default: true

       output (boolean)
              If specified as true, terminal output is logged.
              Default: true

       window (boolean)
              If specified as true, terminal window size changes are logged.
              Default: true

   file - File writer object
       path (string)
              The "file" writer log file path.
              No default.

   syslog - Syslog writer object
       facility (string)
              Syslog facility the "syslog" writer should use for the messages.
              One of: "auth", "authpriv", "cron", "daemon", "ftp", "kern",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7", "lpr", "mail", "news", "syslog", "user",
              "uucp"
              Default: "authpriv"

       priority (string)
              Syslog priority the "syslog" writer should use for the messages.
              One of: "emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"
              Default: "info"

EXAMPLES
       A config specifying only a shell:

              {
                  "shell": "/usr/bin/zsh"
              }

       A config disabling logging user input:

              {
                  "log": {
                      "input": false
                  }
              }

       A config specifying logging to a file (note the comma between the
       "writer" and "file" members; the file writer requires "file.path"):

              {
                  "writer": "file",
                  "file": {
                      "path": "/var/log/tlog-rec.log"
                  }
              }

SEE ALSO
       tlog-rec(8), http://json.org/

AUTHOR
       Nikolai Kondrashov <spbn...@gmail.com>

Tlog                              February 2016                      tlog-rec.conf(5)
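The loading order that tlog-rec(8) documents (systemwide file, then TLOG_REC_CONF_FILE, then TLOG_REC_CONF_TEXT, then command-line options) is also what the integration plan in the message relies on, since pam_sss would hand the per-user configuration to tlog-rec through exactly those variables. The Python below is an added example, not tlog's own code: it reimplements that precedence, the comment-tolerant JSON parsing and the minimums from tlog-rec.conf(5), so that a reader can see which source ends up winning for each field. The function names, the constructed systemwide file, the environment overlay and the already-parsed command-line dictionary are this example's own assumptions; the path, defaults and limits are the ones the manpages state. One consequence worth seeing concretely: because each later source overrides the earlier one, whatever sets the login environment (here pam_sss) has the last word over the systemwide policy, including fields such as log.input.

```python
import copy
import json
import os

# Path and defaults are those documented in tlog-rec(8) / tlog-rec.conf(5).
SYSTEM_CONF_PATH = "/usr/local/etc/tlog/tlog-rec.conf"
DEFAULTS = {
    "shell": "/bin/bash",
    "notice": "\nATTENTION! Your session is being recorded!\n\n",
    "latency": 10,
    "payload": 2048,
    "log": {"input": True, "output": True, "window": True},
    "writer": "syslog",
    "file": {},  # "path" has no default
    "syslog": {"facility": "authpriv", "priority": "info"},
}

def strip_comments(text):
    """Drop C (/* */) and C++ (//) comments; markers inside JSON strings stay."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str or c == '"':
            out.append(c)
            if in_str and c == "\\" and i + 1 < n:  # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = not in_str
        elif text.startswith("//", i):  # line comment: skip up to the newline
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):  # block comment: skip past "*/"
            j = text.find("*/", i + 2)
            if j < 0:
                raise ValueError("unterminated /* comment")
            i = j + 1
        else:
            out.append(c)
        i += 1
    return "".join(out)

def parse_conf(text):
    """Parse one configuration source, which must be a single JSON object."""
    obj = json.loads(strip_comments(text))
    if not isinstance(obj, dict):
        raise ValueError("tlog-rec configuration must be a single JSON object")
    return obj

def overlay(base, over):
    """Apply over's fields on top of base: nested objects merge, scalars replace."""
    merged = dict(base)
    for key, value in over.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = overlay(merged[key], value)
        else:
            merged[key] = value
    return merged

def validate(conf):
    """Enforce the minimums and the file-writer requirement from tlog-rec.conf(5)."""
    if type(conf["latency"]) is not int or conf["latency"] < 1:
        raise ValueError("latency must be an integer >= 1")
    if type(conf["payload"]) is not int or conf["payload"] < 32:
        raise ValueError("payload must be an integer >= 32")
    if conf["writer"] not in ("syslog", "file"):
        raise ValueError('writer must be "syslog" or "file"')
    if conf["writer"] == "file" and not conf["file"].get("path"):
        raise ValueError("file writer selected but file.path is not set")

def load_conf(system_text=None, env=None, cli=None):
    """Apply the tlog-rec(8) precedence: text of SYSTEM_CONF_PATH, then
    TLOG_REC_CONF_FILE, then TLOG_REC_CONF_TEXT, then parsed options (cli)."""
    env = os.environ if env is None else env
    sources = [system_text]
    if env.get("TLOG_REC_CONF_FILE"):
        with open(env["TLOG_REC_CONF_FILE"]) as fh:
            sources.append(fh.read())
    sources.append(env.get("TLOG_REC_CONF_TEXT"))
    conf = copy.deepcopy(DEFAULTS)
    for text in sources:  # later sources override earlier ones
        if text:
            conf = overlay(conf, parse_conf(text))
    if cli:
        conf = overlay(conf, cli)
    validate(conf)
    return conf

# Constructed sample inputs (not from the page): a commented systemwide file,
# an overlay as pam_sss might pass it via TLOG_REC_CONF_TEXT, parsed options.
SAMPLE_SYSTEM_CONF = """{
    // site policy: shorter latency, dedicated facility
    "latency": 5,
    "notice": "Session recorded per policy // not a comment",
    "syslog": {"facility": "local3"} /* priority stays at its default */
}"""
SAMPLE_ENV = {"TLOG_REC_CONF_TEXT": '{"shell": "/usr/bin/zsh", "log": {"input": false}}'}
SAMPLE_CLI = {"writer": "file", "file": {"path": "/var/log/tlog-rec.log"}}

if __name__ == "__main__":
    print(json.dumps(load_conf(SAMPLE_SYSTEM_CONF, SAMPLE_ENV, SAMPLE_CLI), indent=2))
```

Running the sample yields a merged configuration in which the shell and log.input come from the environment text, latency and the syslog facility from the systemwide file, the writer and its path from the command line, and everything else from the defaults. The same overlay applied to a real deployment means the per-user setting delivered by pam_sss is authoritative over the systemwide file, which is the intended behaviour of the plan but also the reason the environment variables must only be settable by the login stack.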
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org