On Thu, Feb 25, 2016 at 03:09:25PM +0200, Nikolai Kondrashov wrote:
> Hi everyone,
>
> I'd like to continue the discussion of tlog integration, and also present you
> the first release of tlog - a development preview, which has the configuration
> interface necessary to implement the integration:
>
> https://github.com/spbnick/tlog/releases/tag/v1
>
> You're more than welcome to download RPMs, install, read tlog-rec(8) and
> tlog-rec.conf(5), and experiment! Building from the Git tree and the tarball
> works as well, if you're so inclined. I'm also attaching those manpages for
> convenience.
OK, I will try to find some time to experiment with tlog, but that probably
won't happen until next week.
> Here are the integration plans so far, as discussed with Jakub on our
> devconf.cz trip meetings and before on the list. Jakub, please correct me or
> add details.
>
> * We follow the route similar to that taken by SELinux rule control
>   implementation [1][2]. I.e. store the configuration in LDAP HBAC rules,
>   write to files on the client side and then specify them to tlog upon user
>   login.
This was an idea we had during a conversation on devconf. I think it
would be nice to also bring this idea up with the IPA developers on the
freeipa-devel list to get more feedback.
> However, I'm also rather fond of the idea of specifying the whole
> configuration through an environment variable instead of through a file
> referenced by an environment variable - it's not big at all, and we'll avoid
> the hassle of managing the files.
>
> I implemented support for both in tlog (was easy).
>
> * We'll have to make nss_sss report user's shell as tlog-rec (how?) and
>   specify the actual shell to tlog-rec via an environment variable, through
>   pam_sss (with SSS_PAM_ENV_ITEM messages). I.e.:
We already can override the user's shell on a global basis from the
config file and on a per-user basis with local overrides (or even IPA
overrides on an IPA client).
> * Nss_sss would always report tlog-rec as the user's shell.
That would work with the user overrides. pam_sss would also have to pass
on the actual user's shell if the original shell was tlog, right?
> * During login (e.g. through "login" or "sshd") pam_sss would add a variable
>   to the user environment, containing, or pointing at, a tlog-rec
>   configuration (TLOG_REC_CONF_TEXT or TLOG_REC_CONF_FILE). That
>   configuration would contain the user's actual shell.
Just to be clear, the user's actual shell wouldn't be part of the tlog
configuration, just passed on from sssd to tlog, right?

About the config file, should we add an sssd option to specify a tlog
config? Also, can tlog fall back to some compiled-in global config file in case
no particular config file is needed? (Can tlog work with just the global
config file and the user's original shell?)
> I can also implement support for a separate variable just for the shell
> (TLOG_REC_SHELL?) to simplify the implementation for the start.
>
> * Tlog-rec would read the system-wide configuration and overlay it with the
>   one specified in the environment, adding the specific user shell, and then
>   would spawn it.
> Please also see the draft integration design page [3] for reference.
> I hope to refine and extend it in the coming weeks to match FreeIPA standards.
>
> Please chime in and suggest, object, discuss!
>
> Also, please report tlog bugs at
> https://github.com/spbnick/tlog/issues
>
> Thank you!
> Nick
>
> [1]: http://www.freeipa.org/page/SELinux_user_mapping
> [2]: http://www.freeipa.org/images/b/b9/Freeipa30_SELinuxUserMap.pdf
> [3]: http://www.freeipa.org/page/Session_Recording
tlog-rec(8) System Manager's Manual tlog-rec(8)
NAME
tlog-rec - start a shell and log terminal I/O
SYNOPSIS
tlog-rec [OPTION...] [CMD_FILE [CMD_ARG...]]
tlog-rec -c [OPTION...] CMD_STRING [CMD_NAME [CMD_ARG...]]
DESCRIPTION
Tlog-rec is a terminal I/O logging program. It starts a shell under a
pseudo-TTY, connects it to the actual terminal and logs whatever passes
between them including user input, program output, and terminal window
size changes.
If no "-c" option is specified, then the first non-option argument
CMD_FILE specifies the location of a shell script the shell should read
and the following arguments (CMD_ARG) specify its arguments.
If the "-c" option is specified, then a non-option argument CMD_STRING
is required and should contain shell commands to execute, the following
arguments can specify first the script name (CMD_NAME, i.e. argv[0])
and then its arguments (CMD_ARG).
If no non-option arguments are encountered, then the shell is started
interactively.
Tlog-rec loads its parameters first from the systemwide configuration
file /usr/local/etc/tlog/tlog-rec.conf, then from the file pointed at
by the TLOG_REC_CONF_FILE environment variable (if set), then from the
contents of the TLOG_REC_CONF_TEXT environment variable (if set), and
then from command-line options. Parameters from each of these sources
override the previous one in turn.
OPTIONS
General options
-h, --help
Output a command-line usage message and exit
-s, --shell=SHELL
Spawn the specified SHELL
-l, --login
Make the shell a login shell
-c, --command
Execute shell commands
--notice=TEXT
Print TEXT message before starting recording
--latency=SECONDS
Cache captured data SECONDS seconds before logging
Value minimum: 1
--payload=BYTES
Limit encoded data to BYTES bytes
Value minimum: 32
--writer=STRING
Use STRING log writer (syslog/file, default syslog)
Value should be one of: "syslog", "file"
Logged data set options
--log-input[=BOOL]
Enable/disable logging user input
--log-output[=BOOL]
Enable/disable logging program output
--log-window[=BOOL]
Enable/disable logging terminal window size changes
File writer options
--file-path=FILE
Log to FILE file
Syslog writer options
--syslog-facility=STRING
Log with STRING syslog facility
Value should be one of: "auth", "authpriv", "cron", "daemon", "ftp",
"kern", "local0", "local1", "local2", "local3", "local4", "local5",
"local6", "local7", "lpr", "mail", "news", "syslog", "user", "uucp"
--syslog-priority=STRING
Log with STRING syslog priority
Value should be one of: "emerg", "alert", "crit", "err", "warning",
"notice", "info", "debug"
ENVIRONMENT
TLOG_REC_CONF_FILE
Specifies the location of a configuration file to be read. The
configuration parameters in this file override the ones in the
systemwide configuration file /usr/local/etc/tlog/tlog-rec.conf.
TLOG_REC_CONF_TEXT
Specifies the configuration text to be read. The configuration
parameters in this variable override the ones in the file
specified with TLOG_REC_CONF_FILE.
FILES
/usr/local/etc/tlog/tlog-rec.conf
The systemwide configuration file
EXAMPLES
Start recording a login shell:
tlog-rec -l
Start recording a zsh session:
tlog-rec -s /usr/bin/zsh
Record everything but user input:
tlog-rec --log-input=off --log-output=on --log-window=on
Ask the recorded shell to execute a command:
tlog-rec -c whoami
SEE ALSO
tlog-rec.conf(5)
AUTHOR
Nikolai Kondrashov <spbnick(a)gmail.com>
Tlog February 2016 tlog-rec(8)
tlog-rec(5) File Formats Manual tlog-rec(5)
NAME
tlog-rec.conf - tlog-rec configuration file
DESCRIPTION
tlog-rec.conf is a JSON-format configuration file for the tlog-rec program.
Contrary to the strict JSON specification, both C and C++ style
comments are allowed in the file.
The file must contain a single JSON object with the objects and fields
described below. Almost all of them are optional and assume a default
value. However, those that do require a value can still be omitted and
specified to tlog-rec in other ways: through environment variables or
command line.
OBJECTS AND FIELDS
Root object
shell (string)
The path to the shell executable that should be spawned.
Default: "/bin/bash"
notice (string)
A message which will be printed before starting recording and
the user shell. Can be used to warn the user that the session is
recorded.
Default: "\nATTENTION! Your session is being recorded!\n\n"
latency (integer)
The data which does not exceed maximum payload stays in memory
and is not logged until this number of seconds elapses.
Minimum: 1
Default: 10
payload (integer)
Maximum encoded data (payload) size per message, bytes. As soon
as payload exceeds this number of bytes, it is formatted into a
message and logged.
Minimum: 32
Default: 2048
log (object)
Logged data set object, see below.
writer (string)
The type of "log writer" to use for logging. The writer needs to
be configured using its dedicated parameters.
One of: "syslog", "file"
Default: "syslog"
file (object)
File writer object, see below.
syslog (object)
Syslog writer object, see below.
log - Logged data set object
input (boolean)
If specified as true, user input is logged.
Default: true
output (boolean)
If specified as true, terminal output is logged.
Default: true
window (boolean)
If specified as true, terminal window size changes are logged.
Default: true
file - File writer object
path (string)
The "file" writer log file path.
No default.
syslog - Syslog writer object
facility (string)
Syslog facility the "syslog" writer should use for the messages.
One of: "auth", "authpriv", "cron", "daemon", "ftp", "kern", "local0",
"local1", "local2", "local3", "local4", "local5", "local6", "local7",
"lpr", "mail", "news", "syslog", "user", "uucp"
Default: "authpriv"
priority (string)
Syslog priority the "syslog" writer should use for the messages.
One of: "emerg", "alert", "crit", "err", "warning", "notice", "info",
"debug"
Default: "info"
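A validator for an already parsed tlog-rec.conf root object against the constraints listed above (integer minimums, the allowed writers, facilities and priorities, the file writer's mandatory path, and the case where all three log flags are off so that nothing would be recorded), added here as an example; it is not part of tlog, and the problem strings are my own wording.

```python
FACILITIES = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "local0",
              "local1", "local2", "local3", "local4", "local5", "local6",
              "local7", "lpr", "mail", "news", "syslog", "user", "uucp"}
PRIORITIES = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}
MINIMUMS = {"latency": 1, "payload": 32}   # documented minimum values

def validate_tlog_rec_conf(conf) -> list:
    """Check a parsed tlog-rec.conf root object; returns a list of problems."""
    if not isinstance(conf, dict):
        return ["root: must be a JSON object"]
    problems = []

    def sub(key):  # nested object, or {} when absent (type errors reported below)
        return conf[key] if isinstance(conf.get(key), dict) else {}

    for key, typ in (("shell", str), ("notice", str), ("writer", str),
                     ("log", dict), ("file", dict), ("syslog", dict)):
        if key in conf and not isinstance(conf[key], typ):
            problems.append(f"{key}: expected {typ.__name__}")
    for key, minimum in MINIMUMS.items():
        val = conf.get(key)
        if val is not None and (isinstance(val, bool) or not isinstance(val, int)):
            problems.append(f"{key}: expected integer")  # bool is an int subclass
        elif val is not None and val < minimum:
            problems.append(f"{key}: minimum is {minimum}")
    writer = conf.get("writer", "syslog")
    if writer not in ("syslog", "file"):
        problems.append(f"writer: unknown writer {writer!r}")
    elif writer == "file" and not isinstance(sub("file").get("path"), str):
        problems.append('file.path: required when writer is "file" (no default)')
    if sub("syslog").get("facility", "authpriv") not in FACILITIES:
        problems.append("syslog.facility: not a known facility")
    if sub("syslog").get("priority", "info") not in PRIORITIES:
        problems.append("syslog.priority: not a known priority")
    log = sub("log")
    for key in ("input", "output", "window"):
        if key in log and not isinstance(log[key], bool):
            problems.append(f"log.{key}: expected boolean")
    if all(log.get(key, True) is False for key in ("input", "output", "window")):
        problems.append("log: input, output and window all disabled, nothing recorded")
    return problems
```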
EXAMPLES
A config specifying only a shell:
{
  "shell": "/usr/bin/zsh"
}
A config disabling logging user input:
{
  "log": {
    "input": false
  }
}
A config specifying logging to a file:
{
  "writer": "file",
  "file": {
    "path": "/var/log/tlog-rec.log"
  }
}
SEE ALSO
tlog-rec(8),
http://json.org/
AUTHOR
Nikolai Kondrashov <spbnick(a)gmail.com>
Tlog February 2016 tlog-rec(5)
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org