Bug 1311081 - [RFE] Conditionally wrap user terminal with tlog
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
7.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: SSSD Maintainers
Steeve Goveas
Aneta Šteflová Petrová
: FutureFeature, TechPreview
Depends On: 1308887
Blocks:
Reported: 2016-02-23 05:58 EST by Jakub Hrozek
Modified: 2017-11-18 20:47 EST

See Also:
Fixed In Version:
Doc Type: Technology Preview
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Jakub Hrozek 2016-02-23 05:58:00 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2893

Some hardened and confined infrastructure environments require not only secure authentication and authorization, but also audit by capturing the activity on the target terminal (input, output, what is on the screen).

There is an open source project, tlog (https://github.com/spbnick/tlog), that can provide this functionality.

There should be a way to configure whether the tlog shell should be started for a user based on a configuration switch. The configuration should be designed carefully because eventually we may want to control session recording policy centrally from FreeIPA based on HBAC-like or HBAC rules, i.e. based on the users/groups and hosts/hostgroups.
Comment 2 Jakub Hrozek 2016-06-27 04:50:06 EDT
We agreed that no sssd changes will be needed in 7.3.
Comment 7 Jakub Hrozek 2017-07-27 08:07:56 EDT
Pushed upstream:
Comment 8 Jakub Hrozek 2017-08-08 15:36:42 EDT
The SSSD part is ready, but until tlog itself is present in RHEL, we can't market this RFE as a part of RHEL.

Adding nack/capacity (is there a better condnack? I wish there was nack/dependency)
