The Scribery project is an effort to design and implement an Open-Source solution for recording user sessions on Linux systems.
Many companies need to have their systems used, or even managed by people they don’t entirely trust: contractors, outsourced support, peripheral IT staff, etc. It helps to know what these users or operators were doing on your systems, or even what they’re doing right now, so you can not only prevent repeated issues, but also stop an incident about to happen.
Government, medical and certain other organizations can be required by law to collect recordings of user sessions. Financial organizations require tight tracking of what's happening on their systems. Support desks also appreciate a way to look back at what exactly led to an issue, so they don’t need to talk through a user’s recollection of events.
We're working on supporting recording of text terminal sessions (e.g. login at the console, via SSH, or telnet). The recorded data includes what user enters into the terminal and sees on the screen, what commands the user executes, what files he/she accesses and how, and other data relevant to the session.
To support centralized architecture and to take the recording away from the user system where it cannot be kept safely, we stream it via the conventional logging system to a central storage. Then, the auditors, or support, can search, correlate, and playback the recordings from that central location.
The solution is being integrated with a central identity and policy management system, so that administrators could specify which users to record where centrally.
A terminal I/O recording shim, which is put between the terminal and the user shell. Sends the recording to the logging server as JSON. A part of tlog.
A system daemon responsible for telling the system when and how to start session recording, possibly on behalf of a central identity and policy management system. Optional.
A general auditing system, which records additional session activity such as commands executed and files accessed. Optional.
An audit log converter running under Auditd to convert audit events to JSON on the fly, to be passed to the logging server. Optional.
A central identity and policy management solution responsible for controlling what is going to be recorded, for which users/groups, and on which hosts. Optional.
The central storage for the recordings. Can also serve as the storage of logs in general. Can be used for searching and correlation with the help of visualization solutions such as Kibana.
A basic command-line session playback tool. Can be used to test the setup and quickly playback sessions from the command line. A part of tlog. Optional.
A session playback web UI component, which can join the terminal I/O and audit data for searching and correlation within specific sessions. To be implemented.
Control and data flow
Servers Network Clients _____________________ _______________________________ | _________________ | | ___________________ | | | | | | | | | | | FreeIPA |====(control)===>| SSSD | | | |_________________| | | |___________________| | | /\ | | || /\ | | || | | || || | | (control) | | (control) (control) | | ......||....... | | || ........||......... | | : Administrator : | | || : Administrator : | | ''''''''''''''' | | || '''||'''''''''||''' | | | | || (control) (control) | | ............... | | || || || | | : Auditor : | | ___\/_____\/__ ____\/____ | | ''/\'''''''/\'' | | | | | | | | || || | | | Tlog-rec | | Auditd | | | (data) (data) | | |______________| |__________| | | ___||__ __||___ | | || || | | | | | | | | || ___\/____ | | | Tlog- | | WebUI | | | || | | | | | play | | (TBD) | | | || | Aushape | | | |_______| |_______| | | || |_________| | | /\ /\ | | || || | | || || | | (data) (data) | | (data) (data) | | || || | | ___||_______||___ | | ___\/_____________\/___ | | | | | | | | | | | | | | | Rsyslog | | | | | | | | - - - - - - - - - - - | | | | Elasticsearch |<====(data)=========| Fluentd | | | | | | | | - - - - - - - - - - - | | | | | | | | Logstash | | | |_________________| | | |_______________________| | |_____________________| |_______________________________|
Status and plans
At the moment the base terminal I/O recording and playback is implemented in tlog, its packages are available on GitHub and in Fedora. We have basic functionality of converting audit logs to JSON implemented in Aushape, which is available on GitHub.
Right now we're working on integrating tlog with SSSD and FreeIPA, and are starting implementing the web UI playback component.
Please contact Nikolai Kondrashov if you have any questions or suggestions.