Bug 1656421 - cockpit-session-recording not recording sessions without chsh to tlog-rec-session
Summary: cockpit-session-recording not recording sessions without chsh to tlog-rec-session
Keywords:
Status: CLOSED DUPLICATE of bug 1466503
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: cockpit-session-recording
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Kirill Gliebov
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-05 13:42 UTC by Magnus Glantz
Modified: 2019-04-03 07:59 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-07 09:20:16 UTC
Type: Bug
Target Upstream Version:



Description Magnus Glantz 2018-12-05 13:42:35 UTC
Description of problem:
From our documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/deploying-session-recording 

- You are supposed to be able to record sessions without doing a manual chsh <user> to /usr/bin/tlog-rec-session, by clicking on the configuration gear in Cockpit after having installed tlog and cockpit-session-recording.

I have double-checked that /etc/sssd/conf.d/sssd-session-recording.conf is in place with the correct permissions:

[root@htb ~]# stat /etc/sssd/conf.d/sssd-session-recording.conf
  File: /etc/sssd/conf.d/sssd-session-recording.conf
  Size: 30        	Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 886803      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:sssd_conf_t:s0
Access: 2018-12-05 14:32:55.707000000 +0100
Modify: 2018-12-05 14:32:55.707000000 +0100
Change: 2018-12-05 14:32:55.710000000 +0100
 Birth: -

[root@htb ~]# cat /etc/sssd/conf.d/sssd-session-recording.conf 
[session_recording]
scope=all

and have also restarted sssd.

/etc/tlog/tlog-rec-session.conf has been created as follows:

[root@htb ~]# cat /etc/tlog/tlog-rec-session.conf
{"shell":"/bin/bash","notice":"\nATTENTION! Your session is being recorded!\n\n","latency":10,"payload":2048,"log":{"input":true,"output":true,"window":true},"limit":{"rate":16384,"burst":32768,"action":"pass"},"file":{"path":""},"syslog":{"facility":"authpriv","priority":"info"},"journal":{"priority":"info","augment":true},"writer":"journal"}
[root@htb ~]# 


system-auth looks like this:

[root@htb ~]# cat /etc/pam.d/system-auth
# Generated by authselect on Thu Nov 29 15:05:46 2018
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8 Beta Snapshot 1 (latest at the time of writing)
cockpit-session-recording-1-23.el8.noarch
tlog-5-1.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install RHEL8 Beta Snapshot1 (latest at the time of writing)
2. Follow RHEL8 Beta documentation on cockpit-session-recording: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/deploying-session-recording
3. Notice that now sessions are recorded in cockpit

Actual results:
No sessions recorded via sssd 

Expected results:
Sessions recorded via sssd

Additional info:
Sessions do get recorded when using chsh <username> and setting the user's shell to /usr/bin/tlog-rec-session. But in our documentation we state "Be aware that this practice is not recommended to use".

Comment 1 Kirill Gliebov 2018-12-06 12:40:28 UTC
Thanks for the report. I am going to test this extensively. Actually, this was always something expected to work from the SSSD side. Perhaps, it might need some additional configuration of SSSD.

Comment 2 Scott Poore 2018-12-07 01:04:30 UTC
Hi Magnus,

Was sssd enabled with authselect?  Is the sssd config set up to handle local users?

Also, what is in /etc/sssd/sssd.conf?  Is it configured to manage local users?  It may not be by default.

If not, can you try with this:

cat > /etc/sssd/sssd.conf <<EOF
[domain/local]
id_provider = files

[sssd]
domains = local
homedir_substring = /home
services = nss, pam, ifp, ssh, sudo

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]

EOF

chmod 0600 /etc/sssd/sssd.conf

systemctl restart sssd


FYI, I was able to reproduce your issue without sssd.conf so I'm hoping that's the issue there.  Maybe we just have a documentation issue?


Thanks,
Scott

Comment 3 Thorsten Scherf 2018-12-07 08:40:19 UTC
(In reply to Scott Poore from comment #2)
> Hi Magnus,
> 
> Was sssd enabled with authselect?  Is the sssd config setup to handle local
> users?
> 
> Also, what is in /etc/sssd/sssd.conf?  is it configured to manage local
> users?  It may not be by default.
> 
> If not, can you try with this:
> 
> cat > /etc/sssd/sssd.conf <<EOF
> [domain/local]
> id_provider = files
> 
> [sssd]
> domains = local
> homedir_substring = /home
> services = nss, pam, ifp, ssh, sudo
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [session_recording]
> 
> EOF
> 
> chmod 0600 /etc/sssd/sssd.conf
> 
> systemctl restart sssd
> 
> 
> FYI, I was able to reproduce your issue without sssd.conf so I'm hoping
> that's the issue there.  Maybe we just have a documentation issue?

I also ran into this issue. When there is no /etc/sssd/sssd.conf in place, session recording does not work (for local users). But it should. Since RHEL8, SSSD is also serving local users and groups by default through the implicit FILES provider. There is no need to set up an sssd.conf file for this. Session Recording should be able to record those local user sessions.

Comment 4 Jakub Hrozek 2018-12-07 08:59:03 UTC
Does the session recording work if you create some minimal sssd.conf?

If yes, then this is a SSSD issue where the snippets are only considered if sssd.conf exists. We've known about this for a couple of months, but the proper fix[*] is not straightforward. If this is a high priority issue for RHEL-8 then maybe we could devise some temporary fix until the proper issue is fixed.

[*] the proper fix here would be to have a read-only /usr/lib/sssd/defaults/sssd.conf with all the defaults and treat the /etc/sssd.conf as an override of those read-only system-wide defaults.

Comment 5 Thorsten Scherf 2018-12-07 09:13:01 UTC
(In reply to Jakub Hrozek from comment #4)
> Does the session recording work if you create some minimal sssd.conf?

Yes.

# cat /etc/sssd/sssd.conf
[domain/local]
id_provider = files

[sssd]
domains = local

# systemctl restart sssd
# getent passwd -s sss tuser
tuser:x:1001:1001::/home/tuser:/usr/bin/tlog-rec-session

# rm /etc/sssd/sssd.conf
# systemctl restart sssd
# getent passwd -s sss tuser
tuser:x:1001:1001::/home/tuser:/bin/bash
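The two checks in comments 4 and 5 (does /etc/sssd/sssd.conf exist so that the conf.d snippet is read at all, and does SSSD actually serve /usr/bin/tlog-rec-session as the user's shell) can be turned into a small health check an administrator runs after enabling recording through Cockpit. The script below is an added example written for this page, not code from the bug report, tlog or SSSD. It assumes the file layout shown in the thread (sssd.conf next to a conf.d/sssd-session-recording.conf snippet with a `scope=` key, files owned by root with mode 0600), takes the configuration directory as a parameter so it can be exercised against a constructed temporary directory, and uses GNU `stat -c %a`, so it is Linux-specific as written.

```shell
#!/bin/sh
# Added example: health check for SSSD-driven session recording.
# Not part of the bug report. Assumes:
#   <confdir>/sssd.conf                            must exist, or conf.d snippets are ignored (comment 4/5)
#   <confdir>/conf.d/sssd-session-recording.conf   contains [session_recording] with scope=none|some|all
# and that a recorded user's login shell, as served by SSSD, is /usr/bin/tlog-rec-session (comment 5).

TLOG_SHELL=/usr/bin/tlog-rec-session

# Print the login shell (field 7) of a passwd(5) line.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Return 0 if the shell in a passwd line is the tlog recording shell.
# $1: a passwd line, e.g. the output of `getent passwd -s sss <user>`
is_recorded() {
    [ "$(passwd_shell "$1")" = "$TLOG_SHELL" ]
}

# Inspect an SSSD configuration directory and print one status word:
#   ok | no-sssd-conf | no-snippet | bad-mode | scope-none
# Returns 0 only for "ok".
session_recording_status() {
    confdir=$1
    snippet="$confdir/conf.d/sssd-session-recording.conf"
    # Comment 4: snippets in conf.d are only considered when sssd.conf itself exists.
    [ -f "$confdir/sssd.conf" ] || { echo no-sssd-conf; return 1; }
    [ -f "$snippet" ] || { echo no-snippet; return 1; }
    # The snippet in the report is 0600; SSSD expects its config files to be root-only.
    mode=$(stat -c %a "$snippet")
    [ "$mode" = "600" ] || { echo bad-mode; return 1; }
    scope=$(sed -n 's/^scope[[:space:]]*=[[:space:]]*//p' "$snippet")
    case "$scope" in
        all|some) echo ok; return 0 ;;
        *)        echo scope-none; return 1 ;;
    esac
}

# Build a constructed SSSD config directory for testing (not a real system path).
# $1: directory, $2: scope value, $3: snippet mode, $4: "yes" to create sssd.conf
make_fixture() {
    mkdir -p "$1/conf.d"
    [ "$4" = yes ] && : > "$1/sssd.conf"
    printf '[session_recording]\nscope=%s\n' "$2" > "$1/conf.d/sssd-session-recording.conf"
    chmod "$3" "$1/conf.d/sssd-session-recording.conf"
}

# Demonstration on constructed data; on a real host you would instead run
#   session_recording_status /etc/sssd
#   is_recorded "$(getent passwd -s sss "$user")"
demo() {
    d=$(mktemp -d)
    make_fixture "$d" all 600 no
    printf 'without sssd.conf:     %s\n' "$(session_recording_status "$d")"
    make_fixture "$d" all 600 yes
    printf 'with sssd.conf:        %s\n' "$(session_recording_status "$d")"
    # Constructed passwd lines mirroring the two getent results from comment 5.
    for line in 'tuser:x:1001:1001::/home/tuser:/usr/bin/tlog-rec-session' \
                'tuser:x:1001:1001::/home/tuser:/bin/bash'; do
        if is_recorded "$line"; then
            printf 'recorded:   %s\n' "$line"
        else
            printf 'UNRECORDED: %s\n' "$line"
        fi
    done
    rm -rf "$d"
}

demo
```

The status words map directly onto the failure modes discussed in the thread: `no-sssd-conf` is the case Thorsten reproduced in comment 5, and the `getent passwd -s sss` check is the same one he used to confirm whether SSSD is overriding the shell. Querying the `sss` source explicitly matters, because `getent passwd` without `-s` may return the `/etc/passwd` entry via the `files` module and hide the override.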

Comment 6 Jakub Hrozek 2018-12-07 09:20:16 UTC
Thanks, then I'll mark the issue as a duplicate.

As the next step, we need to decide whether this should be fixed "somehow" for 8.1 or if documenting the limitation and having the proper fix in 8.1 is good enough.

*** This bug has been marked as a duplicate of bug 1466503 ***

