Scribery

Open-Source User Session Recording

View on GitHub

The Scribery project is an effort to design and implement an Open-Source solution for recording user sessions on Linux systems.

Many companies need to have their systems used, or even managed by people they don’t entirely trust: contractors, outsourced support, peripheral IT staff, etc. It helps to know what these users or operators were doing on your systems, or even what they’re doing right now, so you can not only prevent repeated issues, but also stop an incident about to happen.

Government, medical and certain other organizations can be required by law to collect recordings of user sessions. Financial organizations require tight tracking of what's happening on their systems. Support desks also appreciate a way to look back at what exactly led to an issue, so they don’t need to talk through a user’s recollection of events.

We're working on supporting recording of text terminal sessions (e.g. login at the console, via SSH, or telnet). The recorded data includes what user enters into the terminal and sees on the screen, what commands the user executes, what files he/she accesses and how, and other data relevant to the session.

To support centralized architecture and to take the recording away from the user system where it cannot be kept safely, we stream it via the conventional logging system to a central storage. Then, the auditors, or support, can search, correlate, and playback the recordings from that central location.

The solution is being integrated with a central identity and policy management system, so that administrators could specify which users to record where centrally.

Components

Client side

Tlog-rec

A terminal I/O recording shim, which is put between the terminal and the user shell. Sends the recording to the logging server as JSON. A part of tlog.

SSSD

A system daemon responsible for telling the system when and how to start session recording, possibly on behalf of a central identity and policy management system. Optional.

Auditd

A general auditing system, which records additional session activity such as commands executed and files accessed. Optional.

Aushape

An audit log converter running under Auditd to convert audit events to JSON on the fly, to be passed to the logging server. Optional.

Logging server

Rsyslog, Fluentd, or Logstash - a logging server, which collects both the recorded terminal I/O, and audit messages, then massages and sends them to the central storage.

Server side

FreeIPA

A central identity and policy management solution responsible for controlling what is going to be recorded, for which users/groups, and on which hosts. Optional.

Elasticsearch

The central storage for the recordings. Can also serve as the storage of logs in general. Can be used for searching and correlation with the help of visualization solutions such as Kibana.

Tlog-play

A basic command-line session playback tool. Can be used to test the setup and quickly playback sessions from the command line. A part of tlog. Optional.

Web UI

A session playback web UI component, which can join the terminal I/O and audit data for searching and correlation within specific sessions. To be implemented.

Control and data flow

       Servers            Network               Clients
 _____________________               _______________________________
|  _________________  |             |  ___________________          |
| |                 | |             | |                   |         |
| |     FreeIPA     |====(control)===>|       SSSD        |         |
| |_________________| |             | |___________________|         |
|         /\          |             |     ||          /\            |
|         ||          |             |     ||          ||            |
|      (control)      |             |  (control)   (control)        |
|   ......||.......   |             |     ||  ........||.........   |
|  : Administrator :  |             |     || :   Administrator   :  |
|   '''''''''''''''   |             |     ||  '''||'''''''''||'''   |
|                     |             |     ||  (control)  (control)  |
|   ...............   |             |     ||     ||         ||      |
|  :    Auditor    :  |             |  ___\/_____\/__   ____\/____  |
|   ''/\'''''''/\''   |             | |              | |          | |
|     ||       ||     |             | |   Tlog-rec   | |  Auditd  | |
|   (data)   (data)   |             | |______________| |__________| |
|  ___||__   __||___  |             |        ||             ||      |
| |       | |       | |             |        ||          ___\/____  |
| | Tlog- | | WebUI | |             |        ||         |         | |
| | play  | | (TBD) | |             |        ||         | Aushape | |
| |_______| |_______| |             |        ||         |_________| |
|     /\       /\     |             |        ||             ||      |
|     ||       ||     |             |      (data)         (data)    |
|   (data)   (data)   |             |        ||             ||      |
|  ___||_______||___  |             |     ___\/_____________\/___   |
| |                 | |             |    |                       |  |
| |                 | |             |    |        Rsyslog        |  |
| |                 | |             |    | - - - - - - - - - - - |  |
| |  Elasticsearch  |<====(data)=========|        Fluentd        |  |
| |                 | |             |    | - - - - - - - - - - - |  |
| |                 | |             |    |        Logstash       |  |
| |_________________| |             |    |_______________________|  |
|_____________________|             |_______________________________|

See also the project's WIP design page at FreeIPA website.

Status and plans

At the moment the base terminal I/O recording and playback is implemented in tlog, its packages are available on GitHub and in the upcoming Fedora 24.

Right now we're working on integrating tlog with SSSD and FreeIPA, making Auditd stream messages to Elasticsearch and are starting implementing the web UI playback component.

Contacts

Please contact Nikolai Kondrashov if you have any questions or suggestions.