Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
SSSD-SESSION-RECOR(5)	 File Formats and Conventions	 SSSD-SESSION-RECOR(5)

       sssd-session-recording -	Configuring session recording with SSSD

       This manual page	describes how to configure sssd(8) to work with	tlog-
       rec-session(8), a part of tlog package, to implement user session
       recording on text terminals. For	a detailed configuration syntax
       reference, refer	to the "FILE FORMAT" section of	the sssd.conf(5)
       manual page.

       SSSD can	be set up to enable recording of everything specific users see
       or type during their sessions on	text terminals.	E.g. when users	log in
       on the console, or via SSH. SSSD	itself doesn't record anything,	but
       makes sure tlog-rec-session is started upon user	login, so it can
       record according	to its configuration.

       For users with session recording	enabled, SSSD replaces the user	shell
       with tlog-rec-session in	NSS responses, and adds	a variable specifying
       the original shell to the user environment, upon	PAM session setup.
       This way	tlog-rec-session can be	started	in place of the	user shell,
       and know	which actual shell to start, once it set up the	recording.

       These options can be used to configure the session recording.

       scope (string)
	   One of the following	strings	specifying the scope of	session

	       No users	are recorded.

	       Users/groups specified by users and groups options are

	       All users are recorded.

	   Default: "none"

       users (string)
	   A comma-separated list of users which should	have session recording
	   enabled. Matches user names as returned by NSS. I.e.	after the
	   possible space replacement, case changes, etc.

	   Default: Empty. Matches no users.

       groups (string)
	   A comma-separated list of groups, members of	which should have
	   session recording enabled. Matches group names as returned by NSS.
	   I.e.	after the possible space replacement, case changes, etc.

	   NOTE: using this option (having it set to anything) has a
	   considerable	performance cost, because each uncached	request	for a
	   user	requires retrieving and	matching the groups the	user is	member

	   Default: Empty. Matches no groups.

       The following snippet of	sssd.conf enables session recording for	users
       "contractor1" and "contractor2",	and group "students".

	   scope = some
	   users = contractor1,	contractor2
	   groups = students

       sssd(8),	sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5),	sssd-sudo(5), sssd-session-recording(5),
       sss_cache(8), sss_debuglevel(8),	sss_groupadd(8), sss_groupdel(8),
       sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8),
       sss_usermod(8), sss_obfuscate(8), sss_seed(8),
       sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
       sss_ssh_knownhostsproxy(8), sssd-ifp(5),	pam_sss(8).  sss_rpcidmapd(5)

       The SSSD	upstream -

SSSD				  09/21/2021		 SSSD-SESSION-RECOR(5)


Want to link to this manual page? Use this URL:

home | help