1656421 – cockpit-session-recording not recording sessions without chsh to tlog-rec-session

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1656421 - cockpit-session-recording not recording sessions without chsh to tlog-rec-session

Summary: cockpit-session-recording not recording sessions without chsh to tlog-rec-ses...

Keywords:
Status:	CLOSED DUPLICATE of bug 1466503
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	cockpit-session-recording
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Kirill Gliebov
QA Contact:	Scott Poore
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-05 13:42 UTC by Magnus Glantz
Modified:	2022-03-13 16:21 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-12-07 09:20:16 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Magnus Glantz 2018-12-05 13:42:35 UTC

Description of problem:
From our documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/deploying-session-recording 

- You are supposed to be able to record sessions without doing a manual chsh <user> to /usr/bin/tlog-rec-session, by clicking on the configuration gear in Cockpit after having installed tlog and cockpit-session-recording.

I have double checked that /etc/sssd/conf.d/sssd-session-recording.conf is in place with correct permissions

 [root@htb ~]# stat /etc/sssd/conf.d/sssd-session-recording.conf 
  File: /etc/sssd/conf.d/sssd-session-recording.conf
  Size: 30        	Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 886803      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:sssd_conf_t:s0
Access: 2018-12-05 14:32:55.707000000 +0100
Modify: 2018-12-05 14:32:55.707000000 +0100
Change: 2018-12-05 14:32:55.710000000 +0100
 Birth: -

[root@htb ~]# cat /etc/sssd/conf.d/sssd-session-recording.conf 
[session_recording]
scope=all

and have also restarted sssd.

/etc/tlog/tlog-rec-session.conf has been created as follows:

[root@htb ~]# cat /etc/tlog/tlog-rec-session.conf
{"shell":"/bin/bash","notice":"\nATTENTION! Your session is being recorded!\n\n","latency":10,"payload":2048,"log":{"input":true,"output":true,"window":true},"limit":{"rate":16384,"burst":32768,"action":"pass"},"file":{"path":""},"syslog":{"facility":"authpriv","priority":"info"},"journal":{"priority":"info","augment":true},"writer":"journal"}
[root@htb ~]# 


system-auth looks like this:

[root@htb ~]# cat /etc/pam.d/system-auth
# Generated by authselect on Thu Nov 29 15:05:46 2018
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8 Beta Snapshot 1 (latest at the time of writing)
cockpit-session-recording-1-23.el8.noarch
tlog-5-1.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install RHEL8 Beta Snapshot1 (latest at the time of writing)
2. Follow RHEL8 Beta documentation on cockpit-session-recording: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/deploying-session-recording
3. Notice that now sessions are recorded in cockpit

Actual results:
No sessions recorded via sssd 

Expected results:
Sessions recorded via sssd

Additional info:
Sessions do get recorded when using chsh <username> and setting users shell to /usr/bin/tlog-rec-session. But in our documentation we state "Be aware that this practice is not recommended to use"

Comment 1 Kirill Gliebov 2018-12-06 12:40:28 UTC

Thanks for the report. I am going to test this extensively. Actually, this was always something expected to work from the SSSD side. Perhaps, it might need some additional configuration of SSSD.

Comment 2 Scott Poore 2018-12-07 01:04:30 UTC

Hi Magnus,

Was sssd enabled with authselect?  Is the sssd config setup to handle local users?

Also, what is in /etc/sssd/sssd.conf?  is it configured to manage local users?  It may not be by default.

If not, can you try with this:

cat > /etc/sssd/sssd.conf <<EOF
[domain/local]
id_provider = files

[sssd]
domains = local
homedir_substring = /home
services = nss, pam, ifp, ssh, sudo

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]

EOF

chmod 0600 /etc/sssd/sssd.conf

systemctl restart sssd


FYI, I was able to reproduce your issue without sssd.conf so I'm hoping that's the issue there.  Maybe we just have a documentation issue?


Thanks,
Scott

Comment 3 Thorsten Scherf 2018-12-07 08:40:19 UTC

(In reply to Scott Poore from comment #2)
> Hi Magnus,
> 
> Was sssd enabled with authselect?  Is the sssd config setup to handle local
> users?
> 
> Also, what is in /etc/sssd/sssd.conf?  is it configured to manage local
> users?  It may not be by default.
> 
> If not, can you try with this:
> 
> cat > /etc/sssd/sssd.conf <<EOF
> [domain/local]
> id_provider = files
> 
> [sssd]
> domains = local
> homedir_substring = /home
> services = nss, pam, ifp, ssh, sudo
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [session_recording]
> 
> EOF
> 
> chmod 0600 /etc/sssd/sssd.conf
> 
> systemctl restart sssd
> 
> 
> FYI, I was able to reproduce your issue without sssd.conf so I'm hoping
> that's the issue there.  Maybe we just have a documentation issue?

I also run into this issue. When there is no /etc/sssd/sssd.conf in place, session recording does not work (for local users). But it should. Since RHEL8, SSSD is also serving local users and groups by default through the implicit FILES provider. There is no need to setup a sssd.conf file for this. Session Recording should be able to record those local user sessions.

Comment 4 Jakub Hrozek 2018-12-07 08:59:03 UTC

Does the session recording work if you create some minimal sssd.conf?

If yes, then this is a SSSD issue where the snippets are only considered if sssd.conf exists. We've known about this for a couple of months, but the proper fix[*] is not straightforward. If this is a high priority issue for RHEL-8 then maybe we could devise some temporary fix until the proper issue is fixed.

[*] the proper fix here would be to have a read-only /usr/lib/sssd/defaults/sssd.conf with all the defaults and treat the /etc/sssd.conf as an override of those read-only system-wide defaults.

Comment 5 Thorsten Scherf 2018-12-07 09:13:01 UTC

(In reply to Jakub Hrozek from comment #4)
> Does the session recording work if you create some minimal sssd.conf?

Yes.

# cat /etc/sssd/sssd.conf
[domain/local]
id_provider = files

[sssd]
domains = local

# systemctl restart sssd
# getent passwd -s sss tuser
tuser:x:1001:1001::/home/tuser:/usr/bin/tlog-rec-session

# rm /etc/sssd/sssd.conf
# systemctl restart sssd
# getent passwd -s sss tuser
tuser:x:1001:1001::/home/tuser:/bin/bash

Comment 6 Jakub Hrozek 2018-12-07 09:20:16 UTC

Thanks, then I'll mark the issue as a duplicate.

As the next step, we need to decide whether this should be fixed "somehow" for 8.1 or if documenting the limitation and having the proper fix in 8.1 is good enough.

*** This bug has been marked as a duplicate of bug 1466503 ***

Note You need to log in before you can comment on or make changes to this bug.