sssd-session-recording - Configuring session recording with SSSD
This manual page describes how to configure sssd(8) to work with
tlog-rec-session(8), a part of tlog package, to implement user session
recording on text terminals. For a detailed configuration syntax reference,
refer to the “FILE FORMAT” section of the sssd.conf(5)
SSSD can be set up to enable recording of everything specific
users see or type during their sessions on text terminals. E.g. when users
log in on the console, or via SSH. SSSD itself doesn't record anything, but
makes sure tlog-rec-session is started upon user login, so it can record
according to its configuration.
For users with session recording enabled, SSSD replaces the user
shell with tlog-rec-session in NSS responses, and adds a variable specifying
the original shell to the user environment, upon PAM session setup. This way
tlog-rec-session can be started in place of the user shell, and know which
actual shell to start, once it set up the recording.
These options can be used to configure the session recording.
One of the following strings specifying the scope of
No users are recorded.
Users/groups specified by users and groups
options are recorded.
All users are recorded.
A comma-separated list of users which should have session
recording enabled. Matches user names as returned by NSS. I.e. after the
possible space replacement, case changes, etc.
Default: Empty. Matches no users.
The following snippet of sssd.conf enables session recording for users
"contractor1" and "contractor2", and group
A comma-separated list of groups, members of which should
have session recording enabled. Matches group names as returned by NSS. I.e.
after the possible space replacement, case changes, etc.
NOTE: using this option (having it set to anything) has a
considerable performance cost, because each uncached request for a user
requires retrieving and matching the groups the user is member of.
Default: Empty. Matches no groups.
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5),
sssd-simple(5), sssd-ipa(5), sssd-ad(5),
sssd-files(5), sssd-sudo(5), sssd-session-recording(5),
sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
The SSSD upstream - https://pagure.io/SSSD/sssd/
scope = some
users = contractor1, contractor2
groups = students