Skip to content

Latest commit

 

History

History
240 lines (178 loc) · 7.44 KB

lab12_SessionRecording.adoc

File metadata and controls

240 lines (178 loc) · 7.44 KB
Raw

Lab 12: Session Recording

Table of Contents
Lab Length

  • Medium/Average (~15 mins)

Goal

  • Use Session Recording to help log and audit users' terminal sessions and correlate them with system logs

12.1: Introduction

The Terminal Session Recording project aims to log users' terminal sessions for the purposes of audit, security, and monitoring. It provides an interface in Cockpit to analyze these recordings and correlate them with system logs. This provides a comprehensive picture of the activity that took place.

In this lab, you first assume the role of a third-party contractor who breaks something on your system and then the role of a system administrator who needs to find out what has happened on that system.

12.1.1: Prerequisites

  • Install the required tlog and cockpit-session-recording packages

  • Configure them to record terminal activity for specific users

The tlog package allows you to records terminal activity by putting itself between the user and the terminal. Systemd Journal is used as a storage for recorded sessions.

The cockpit-session-recording package for Cockpit uses provided APIs to access the Systemd Journal and obtain sessions from it. It provides a JavaScript-based player, which produces text output, but with video player-style controls.

A few packages are already installed for you:

  • tlog

  • Cockpit

  • cockpit-session-recording

  • mc

  • nginx

  • vim

12.1.2: Accessing the Session Recording Lab System

All of the exercises in this lab are run on the sessionrecording.example.com host. You set up for user q to have its terminal session recorded.

12.2: Setting Up Recording

  1. Return to your Lab Information web page from the Lab 0: Setup Steps and click CONSOLE for your workstation bastion host:

    300

  2. Log in as lab-user with r3dh4t1! as the password:

    300

  3. Open a Firefox web browser:

    session recording firefox

  4. Go to https://sessionrecording.example.com:9090/:

    session recording firefox 1

  5. Log in as the root user with r3dh4t1! as the password:

    session recording cockpit login

  6. Click the Session Recording menu item:

    session recording menu

  7. In the upper right corner, click the cog button to access the configuration:

    session recording config

  8. Examine the configuration of tlog-rec-session.conf, shown in Cockpit in the General Configuration dialog:

    session recording tlog conf

  9. Click Log User’s Input to enable logging of the user’s input, then click Save:

    session recording tlog conf 1

  10. In the SSD Configuration dialog, entering Some for Scope and q for Users to set up the q user to be recorded using cockpit-session-recording, and then click Save:

    session recording sssd

    The q user is set up to be recorded.

12.3: Creating Sessions Recorded by tlog

In this section, you create some activity by one of the recorded users to be able to play it back in Cockpit.

  1. Open Terminal:

    session recording terminal

  2. Use SSH to log in to the same machine, using session1 as the password:

    [lab-user@sessionrecording]# ssh [email protected]

    session recording terminal1

  3. Upon login, expect to see a terminal message informing the user that the session is being recorded:

    session recording notice

    Remember that this session is being recorded. Later, you can try to resize the session window to see if that is supported.

  4. Launch GNU Midnight Commander (mc):

    [q@sessionrecording]$ mc

    Expect mc to launch:

    session recording mc

  5. Navigate to various directories to explore them, then press F10 or click Quit in the right corner.

12.4: Investigating Problems Using Session Recording

In this section, you imitate a real-world scenario by breaking the nginx web server configuration file and then address the problem using session recording in Cockpit.

  1. Edit the nginx configuration file:

    [q@sessionrecording]$ sudo vi /etc/nginx/nginx.conf

    session recording vi nginx

    session recording nginx

  2. In the line worker_connections 1024;, remove the ; to introduce an error:

    session recording nginx broken

  3. Restart the nginx server:

    [q@sessionrecording]$ sudo systemctl restart nginx

    The restart fails due to the error you created in the nginx.conf file.

    Expect to see an error message similar to this:

    session recording nginx error

12.5: Using Session Player from Cockpit UI

12.5.1: Exploring Session Recording

In this section, you log in to Cockpit and use cockpit-session-recording to investigate why the web server does not work.

  1. Go to your Lab Information webpage from Lab 0: Setup Steps and click CONSOLE for your workstation’s bastion host:

    300

  2. Log in as lab-user with r3dh4t1! as the password:

    300

  3. Open a Firefox web browser:

    session recording firefox

  4. Go to https://sessionrecording.example.com:9090/:

    session recording firefox 1

  5. Log in as root with r3dh4t1! as the password:

    session recording cockpit login

  6. Click the Session Recording menu item:

    session recording menu

  7. When your session appears in the list of sessions, click it to open it:

    session recording session list

    Expect your data to be different.

  8. Click Play to start the playback of the session (you can also press the hotkey p to achieve the same results):

    session recording play

    Tip

    You can also navigate the session frame by frame by clicking the "Skip Frame" button or the hotkey . (period):

    session recording skipframe

12.5.2: Using Other Session Recording Controls

  1. Try the speed controls:

    session recording speed control

  2. Restart the playback and fast-forward to the end:

    session recording fastforward

  3. Use the zoom controls:

    session recording zoom controls

  4. Switch between a selection of text and the drag-n-pan of zoomed content:

    session recording dragnpan

12.5.3: Locating the nginx Failure Cause

  1. Enter nginx in the search bar to search for the first instance of the nginx keyword in the session:

    session recording search button

    This shows the closest beginning of "frame" that matches the keyword entered.

    In Session Player, the action of restarting nginx looks similar to this:

    session recording cockpit nginx restart

    Expect to find the corresponding messages at the bottom of the page:

    session recording cockpit nginx error

  2. Click the timestamp event in the logs panel to jump to the same time in the session.

  3. Search for nginx.conf to find the time when the configuration file was edited, showing the nearest time:

    session recording search

  4. Rewind the player position to that time.