Red Hat Bugzilla – Bug 1311081
[RFE] Conditionally wrap user terminal with tlog
Last modified: 2017-11-18 20:47:35 EST
This bug is created as a clone of upstream ticket:
Some hardened and confined infrastructure environments require not only secure authentication and authorization, but also audit by capturing the activity on the target terminal (input, output, what is on the screen).
There is an open source project, tlog (https://github.com/spbnick/tlog), that can provide this functionality.
There should be a way to configure whether the tlog shell should be started for a user based on a configuration switch. The configuration should be designed carefully because eventually we may want to control session recording policy centrally from FreeIPA based on HBAC-like or HBAC rules, i.e. based on the users/groups and hosts/hostgroups.
We agreed that no sssd changes will be needed in 7.3.
The SSSD part is ready, but until tlog itself is present in RHEL, we can't market this RFE as a part of RHEL.
Adding nack/capacity (is there a better condnack? I wish there was nack/dependency)