diff --git a/handlers/main.yml b/handlers/main.yml
index 5e42247..40c45df 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -5,6 +5,11 @@
 name: sshd
 state: restarted
+- name: restart_sssd
+ ansible.builtin.service:
+ name: sssd
+ state: restarted
+
 - name: restart_httpd
 ansible.builtin.service:
 name: httpd
diff --git a/init-rocky-session-recording.yml b/init-rocky-session-recording.yml
new file mode 100644
index 0000000..027ecf4
--- /dev/null
+++ b/init-rocky-session-recording.yml
@@ -0,0 +1,38 @@
+---
+# Sets up session recording via tlog. This does similar work to the
+# linux-system-roles.tlog role, but with modifications. The expectation
+# is that the system is enrolled to FreeIPA.
+- name: Configure session recording
+ hosts: all
+ become: true
+
+ # This is to try to avoid the handler issue in pre/post tasks
+ handlers:
+ - import_tasks: handlers/main.yml
+
+ pre_tasks:
+ - name: Check if ansible cannot be run here
+ stat:
+ path: /etc/no-ansible
+ register: no_ansible
+
+ - name: Verify if we can run ansible
+ ansible.builtin.assert:
+ that:
+ - "not no_ansible.stat.exists"
+ success_msg: "We are able to run on this node"
+ fail_msg: "/etc/no-ansible exists - skipping run on this node"
+
+ tasks:
+ - name: Loading Variables from OS Common
+ import_tasks: tasks/tlog.yml
+
+ post_tasks:
+ - name: Touching run file that ansible has ran here
+ ansible.builtin.file:
+ path: /var/log/ansible.run
+ state: touch
+ mode: '0644'
+ owner: root
+ group: root
+...
diff --git a/tasks/tlog.yml b/tasks/tlog.yml
new file mode 100644
index 0000000..8740549
--- /dev/null
+++ b/tasks/tlog.yml
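Review bot: The task named `Loading Variables from OS Common` under `tasks:` imports `tasks/tlog.yml`, which installs packages and rewrites SSSD and authselect configuration, so the name misdescribes the step; rename it, e.g. `- name: Configure tlog session recording`. The pre_task also uses the short `stat:` and `import_tasks:` names while the rest of the play uses FQCNs (`ansible.builtin.assert`, `ansible.builtin.file`); `ansible.builtin.stat:` and `ansible.builtin.import_tasks:` keep the play consistent. The first hunk (handlers/main.yml) needs nothing beyond the handler it adds.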
@@ -0,0 +1,44 @@
+---
+- name: Install necessary packages
+ ansible.builtin.dnf:
+ name:
+ - tlog
+ - sssd
+
+- name: Configure SSSD on the system for files domain
+ community.general.ini_file:
+ path: "/etc/sssd/sssd.conf"
+ section: sssd
+ option: enable_files_domain
+ value: "true"
+ notify: restart_sssd
+
+- name: Add session recording configuration
+ ansible.builtin.template:
+ src: "etc/sssd/conf.d/session-recording.conf"
+ dest: "/etc/sssd/conf.d/session-recording.conf"
+ owner: root
+ group: root
+ mode: '0600'
+ notify: restart_sssd
+
+- name: Enable the files domain through authselect
+ command: >
+ /usr/bin/authselect select custom/sssd-rocky
+ without-nullok
+ with-faillock
+ with-mkhomedir
+ with-sudo
+ with-files-domain
+ --force
+ notify: restart_sssd
+ changed_when: true
+
+- name: Configure tlog itself
+ ansible.builtin.template:
+ src: "etc/tlog/tlog-rec-session.conf"
+ dest: "/etc/tlog/tlog-rec-session.conf"
+ owner: root
+ group: root
+ mode: '0644'
+...
diff --git a/templates/etc/sssd/conf.d/session-recording.conf b/templates/etc/sssd/conf.d/session-recording.conf
new file mode 100644
index 0000000..9043f8f
--- /dev/null
+++ b/templates/etc/sssd/conf.d/session-recording.conf
@@ -0,0 +1,3 @@
+# RESF Managed
+[session_recording]
+scope = all
diff --git a/templates/etc/tlog/tlog-rec-session.conf b/templates/etc/tlog/tlog-rec-session.conf
new file mode 100644
index 0000000..a39d235
--- /dev/null
+++ b/templates/etc/tlog/tlog-rec-session.conf
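Review bot: The `community.general.ini_file` task edits `/etc/sssd/sssd.conf` without `owner`/`group`/`mode`, so on a host where the file does not yet exist it is created with default permissions (the module creates the file unless told otherwise), and SSSD checks that file's ownership and mode at startup and will not start on a world-readable config; add `owner: root`, `group: root`, `mode: '0600'` to that task, matching the `session-recording.conf` template task below it. The authselect task combines `--force` with `changed_when: true`, so it reports a change and notifies `restart_sssd` on every run, restarting SSSD each time the play executes; a preceding `authselect current` check registered into a variable, or a `changed_when` derived from the command output, would keep it idempotent. The `custom/sssd-rocky` profile is not created anywhere in this diff, so the command presumably relies on an earlier play having provisioned it — worth stating in a comment on that task, as a missing profile makes the play fail on a fresh host.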
@@ -0,0 +1,83 @@
+// Managed by the RESF
+//
+// Tlog-rec-session system-wide configuration. See tlog-rec-session.conf(5) for details.
+// This file uses JSON format with both C and C++ comments allowed.
+//
+{
+ // The path to the shell executable which should be spawned.
+ // "shell" : "/bin/bash",
+
+ // A message which will be printed before starting
+ // recording and the user shell. Can be used to warn
+ // the user that the session is recorded.
+ "notice" : "\n** Session recording now in progress\n\n",
+
+ // The number of seconds to cache captured data for before logging.
+ // The encoded data which does not reach payload size
+ // stays in memory and is not logged until this number of
+ // seconds elapses.
+ // "latency" : 10,
+
+ // The maximum encoded data (payload) size per message, bytes.
+ // As soon as payload exceeds this number of bytes,
+ // it is formatted into a message and logged.
+ // "payload" : 2048,
+
+ // Logged data set parameters
+ "log": {
+ // If true, user input is logged.
+ // "input" : false,
+
+ // If true, terminal output is logged.
+ // "output" : true,
+
+ // If true, terminal window size changes are logged.
+ // "window" : true
+ },
+
+ // Logging limit parameters
+ "limit": {
+ // The maximum rate messages could be logged at, bytes/sec.
+ // "rate" : 16384,
+
+ // The number of bytes by which logged messages are allowed to exceed
+ // the rate limit momentarily, i.e. "burstiness".
+ // "burst" : 32768,
+
+ // The logging limit action.
+ // If set to "pass" no logging limits will be applied.
+ // If set to "delay", logging will be throttled.
+ // If set to "drop", messages exceeding limits will be dropped.
+ // "action" : "pass"
+ },
+
+ // File writer parameters
+ "file": {
+ // The "file" writer log file path.
+ // "path" : ""
+ },
+
+ // Syslog writer parameters
+ "syslog": {
+ // The syslog facility "syslog" writer should use for messages.
+ // "facility" : "authpriv", + + // The syslog priority "syslog" writer should use for messages. + // "priority" : "info" + }, + + // Journal writer parameters + "journal": { + // The syslog-style priority "journal" writer should use for messages. + // "priority" : "info", + + // If true, the "journal" writer copies the following JSON fields + // to Journal fields: user -> TLOG_USER, session -> TLOG_SESSION, + // rec -> TLOG_REC, and id -> TLOG_ID. + // "augment" : true + }, + + // The type of "log writer" to use for logging. The writer needs + // to be configured using its dedicated parameters. + // "writer" : "journal" +}