add session recording mechanism
parent
5572a94e77
commit
a669e4cbeb
@ -5,6 +5,11 @@
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
- name: restart_sssd
|
||||
ansible.builtin.service:
|
||||
name: sssd
|
||||
state: restarted
|
||||
|
||||
- name: restart_httpd
|
||||
ansible.builtin.service:
|
||||
name: httpd
|
||||
|
38
init-rocky-session-recording.yml
Normal file
38
init-rocky-session-recording.yml
Normal file
@ -0,0 +1,38 @@
|
||||
---
|
||||
# Sets up session recording via tlog. This does similar work to the
|
||||
# linux-system-roles.tlog role, but with modifications. The expectation
|
||||
# is that the system is enrolled to FreeIPA.
|
||||
- name: Configure session recording
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
# This is to try to avoid the handler issue in pre/post tasks
|
||||
handlers:
|
||||
- import_tasks: handlers/main.yml
|
||||
|
||||
pre_tasks:
|
||||
- name: Check if ansible cannot be run here
|
||||
stat:
|
||||
path: /etc/no-ansible
|
||||
register: no_ansible
|
||||
|
||||
- name: Verify if we can run ansible
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "not no_ansible.stat.exists"
|
||||
success_msg: "We are able to run on this node"
|
||||
fail_msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Loading Variables from OS Common
|
||||
import_tasks: tasks/tlog.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
ansible.builtin.file:
|
||||
path: /var/log/ansible.run
|
||||
state: touch
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
...
|
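Review bot: The task name at `- name: Loading Variables from OS Common` does not describe what the task does, which is `import_tasks: tasks/tlog.yml`; a reader scanning the play output would look for a variable load that never happens, so rename it, e.g. `- name: Configure tlog session recording`. In the same play, `stat:` in pre_tasks and `import_tasks:` in tasks and handlers are the only modules not written with the `ansible.builtin.` prefix that the rest of the play uses, `ansible.builtin.stat` and `ansible.builtin.import_tasks` keep the file consistent with itself. The header comment about the "handler issue in pre/post tasks" would help more if it said what goes wrong, since the handlers block looks like ordinary role wiring otherwise.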
44
tasks/tlog.yml
Normal file
44
tasks/tlog.yml
Normal file
@ -0,0 +1,44 @@
|
||||
---
|
||||
- name: Install necessary packages
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- tlog
|
||||
- sssd
|
||||
|
||||
- name: Configure SSSD on the system for files domain
|
||||
community.general.ini_file:
|
||||
path: "/etc/sssd/sssd.conf"
|
||||
section: sssd
|
||||
option: enable_files_domain
|
||||
value: "true"
|
||||
notify: restart_sssd
|
||||
|
||||
- name: Add session recording configuration
|
||||
ansible.builtin.template:
|
||||
src: "etc/sssd/conf.d/session-recording.conf"
|
||||
dest: "/etc/sssd/conf.d/session-recording.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
notify: restart_sssd
|
||||
|
||||
- name: Enable the files domain through authselect
|
||||
command: >
|
||||
/usr/bin/authselect select custom/sssd-rocky
|
||||
without-nullok
|
||||
with-faillock
|
||||
with-mkhomedir
|
||||
with-sudo
|
||||
with-files-domain
|
||||
--force
|
||||
notify: restart_sssd
|
||||
changed_when: true
|
||||
|
||||
- name: Configure tlog itself
|
||||
ansible.builtin.template:
|
||||
src: "etc/tlog/tlog-rec-session.conf"
|
||||
dest: "/etc/tlog/tlog-rec-session.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
...
|
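Review bot: The authselect task at `- name: Enable the files domain through authselect` has `changed_when: true` together with `notify: restart_sssd`, so every run of this task list reports a change and restarts sssd, even when `custom/sssd-rocky` with these features is already selected; on a fleet this turns a routine playbook run into a periodic authentication-service restart. Reading the active profile first and gating the select on it keeps the run idempotent, assuming `authselect current --raw` prints the profile and its features on one line (worth confirming on the target release). While touching it, `command:` is the one module in this file without the `ansible.builtin.` prefix. The `--force` flag overwrites any existing nsswitch/PAM state without a backup, which is presumably intended for managed hosts; a comment saying so would save the next reader a question.

```yaml
- name: Read the currently selected authselect profile
  ansible.builtin.command: /usr/bin/authselect current --raw
  register: authselect_current
  changed_when: false
  failed_when: false  # exits non-zero when no profile is selected yet

- name: Enable the files domain through authselect
  # … unchanged: ansible.builtin.command / notify / changed_when …
  when: >-
    'custom/sssd-rocky' not in authselect_current.stdout
    or 'with-files-domain' not in authselect_current.stdout
```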
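--- a/templates/etc/sssd/conf.d/session-recording.conf
+++ b/templates/etc/sssd/conf.d/session-recording.conf
@@ -0,0 +1,3 @@
+# RESF Managed
+[session_recording]
+scope = all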
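Review bot: `scope = all` is the broadest recording policy sssd offers and the file gives no hint whether that is deliberate, so a one-line comment would help, e.g. `# scope=all: every sssd-served login gets tlog-rec-session as its shell; narrow with exclude_users/exclude_groups if break-glass or service accounts must not be recorded`. Since this is deployed through the template module, it would also be worth stating in the comment that the file is intentionally static (no Jinja), so nobody later wonders why it lives under templates/. sssd only honours conf.d drop-ins with restrictive permissions, which the deploying task's `mode: '0600'` appears to satisfy; that dependency between the two files deserves a mention in one of them.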
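--- a/templates/etc/tlog/tlog-rec-session.conf
+++ b/templates/etc/tlog/tlog-rec-session.conf
@@ -0,0 +1,83 @@
+// Managed by the RESF
+//
+// Tlog-rec-session system-wide configuration. See tlog-rec-session.conf(5) for details.
+// This file uses JSON format with both C and C++ comments allowed.
+//
+{
+// The path to the shell executable which should be spawned.
+// "shell" : "/bin/bash",
+
+// A message which will be printed before starting
+// recording and the user shell. Can be used to warn
+// the user that the session is recorded.
+"notice" : "\n** Session recording now in progress\n\n",
+
+// The number of seconds to cache captured data for before logging.
+// The encoded data which does not reach payload size
+// stays in memory and is not logged until this number of
+// seconds elapses.
+// "latency" : 10,
+
+// The maximum encoded data (payload) size per message, bytes.
+// As soon as payload exceeds this number of bytes,
+// it is formatted into a message and logged.
+// "payload" : 2048,
+
+// Logged data set parameters
+"log": {
+// If true, user input is logged.
+// "input" : false,
+
+// If true, terminal output is logged.
+// "output" : true,
+
+// If true, terminal window size changes are logged.
+// "window" : true
+},
+
+// Logging limit parameters
+"limit": {
+// The maximum rate messages could be logged at, bytes/sec.
+// "rate" : 16384,
+
+// The number of bytes by which logged messages are allowed to exceed
+// the rate limit momentarily, i.e. "burstiness".
+// "burst" : 32768,
+
+// The logging limit action.
+// If set to "pass" no logging limits will be applied.
+// If set to "delay", logging will be throttled.
+// If set to "drop", messages exceeding limits will be dropped.
+// "action" : "pass"
+},
+
+// File writer parameters
+"file": {
+// The "file" writer log file path.
+// "path" : ""
+},
+
+// Syslog writer parameters
+"syslog": {
+// The syslog facility "syslog" writer should use for messages.
+// "facility" : "authpriv",
+
+// The syslog priority "syslog" writer should use for messages.
+// "priority" : "info"
+},
+
+// Journal writer parameters
+"journal": {
+// The syslog-style priority "journal" writer should use for messages.
+// "priority" : "info",
+
+// If true, the "journal" writer copies the following JSON fields
+// to Journal fields: user -> TLOG_USER, session -> TLOG_SESSION,
+// rec -> TLOG_REC, and id -> TLOG_ID.
+// "augment" : true
+},
+
+// The type of "log writer" to use for logging. The writer needs
+// to be configured using its dedicated parameters.
+// "writer" : "journal"
+}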
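Review bot: The only setting this file actually pins is `"notice"`; every other key, including `"writer"`, `"limit"."action"` and `"log"."input"`, is commented out, so the effective recording policy is whatever the installed tlog build defaults to rather than anything the template expresses, which sits oddly under a `// Managed by the RESF` header. If the intent is to rely on upstream defaults, a comment saying so at the top would make that explicit; if the intent is a managed policy, the audit-relevant choices (`"writer"`, `"limit"` action, and that `"input"` stays off so typed secrets are not captured) should be uncommented so they survive a package-default change. Separately, the closing of the `"journal"` object is followed by a comma with no further active key before the final `}`, which is not strict JSON; tlog's parser has historically tolerated this, but it is worth checking once on the target release with a test login rather than assuming. Because the file ships with `mode: '0644'` and contains no secrets, the readable mode looks appropriate.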