USER SESSION RECORDING An Open Source solution Fraser Tweedale - PowerPoint PPT Presentation



  1. USER SESSION RECORDING: An Open Source solution. Fraser Tweedale, @hackuador, 2017-10-22

  2. ABOUT ME
     ● Working at Red Hat Platform Engineering (Security)
     ● FreeIPA and Dogtag Certificate System
     2 User Session Recording: An Open Source solution - Fraser Tweedale

  3. WHY?

  4. THERE IS A DEMAND. Customers need to...
     ● comply with government regulations
     ● track what contractors do on our systems
     ● know who broke our server, and how

  5. AND A DREAM. What companies and governments want:
     ● Record everything users do
     ● Store that somewhere safe
     ● Let us find who did that thing
     ● Show us how they did it

  6. THERE IS A SUPPLY. A number of commercial offerings:
     ● From application-level proxies on dedicated hardware
     ● To user-space processes on the target system
     ● Recording keystrokes, display, commands, apps, URLs, etc.
     ● Integrated with identity management and access control
     ● With central storage, searching, and playback

  7. BUT NOT GOOD ENOUGH. Customers are not satisfied:
     ● Expensive
     ● Can’t fix it yourself
     ● Can’t improve it yourself

  8. WHAT CAN BE BETTER? The customers want:
     ● Lower costs
     ● Open Source, so they can fix, or at least understand it better
     ● Commercial support

  9. WAIT, WE HAVE IT ALREADY! Nope, not really:
     ● script(1) plus duct tape
       ○ popular, but not security-oriented; lots of DIY
     ● sudo(8) I/O logging
       ○ security-oriented, has searching, but not centralized
     ● TTY audit with auditd(8)
       ○ security-oriented, can be centralized, only records input

  10. COMMON LOGGING. Red Hat Common Logging:
     ● Centralised aggregation, correlation and visualisation of logs from Red Hat products
     ● Session recording solution

  11. WHAT?

  12. SO, WHAT DO WE NEED? Most-requested features:
     ● Record what the user types, sees, executes, accesses
     ● Get logs off the machine ASAP
     ● Search, analyze, and correlate with other events
     ● Playback
     ● Centralised control

  13. SOUNDS FAMILIAR! Let’s do it with logs!
     ● Audit system records processes executed, files accessed
     ● Logging servers know how to deliver
     ● Myriad storing/searching/analysis solutions

  14. LEAN AND MEAN. Why it’s better:
     ● Reuse log plumbing
     ● Allows easy correlation with all the other logs
       ○ Not just an isolated “video of the terminal”

  15. FIRST... What to take out of the store/search/analyze zoo?
     ● Open Source
     ● Scalable
     ● Active community

  16. YES, ELASTICSEARCH AND KIBANA! Our ViaQ project is bringing them to the Red Hat product portfolio: https://github.com/ViaQ
     ● Normalize logs
     ● Put them into Elasticsearch
     ● Dashboards and analytics
     ● Part of OpenShift, coming to OpenStack and other Red Hat products!

  17. THEN... How can we:
     ● Control centrally what, where and whom to record?
     ● Log what the user types and sees?
     ● Make sense of audit logs?
     ● Deliver to Elasticsearch?
     ● Play everything back?

  18. CENTRALISED CONTROL. Naturally, FreeIPA and SSSD!
     ● Manage domains, hosts, groups, users, and more
     ● Cache credentials and authenticate offline
     ● Session Recording control being designed

  19. RECORD INPUT AND OUTPUT. We made a tool for that - tlog: http://scribery.github.io/tlog
     ● A shim between the terminal and the shell, started at login
     ● Converts terminal activity to JSON
     ● Logs to syslog or journal
     ● Playback to terminal

  20. MAKE SENSE OF AUDIT LOGS? We made a tool for that too - aushape: http://scribery.github.io/aushape/
     ● Listens for audit events
     ● Converts them to JSON or XML
     ● Both have official schemas
     ● Logs to syslog
     ● Developed with help from auditd

  21. DELIVER TO ELASTICSEARCH. Any popular logging service: RSYSLOG*. Or our coming solution: ViaQ*. (* Distributed by Red Hat now)

  22. PLAY EVERYTHING BACK? We’re building a Web UI
     ● Playback data from Elasticsearch
     ● See input, output, commands executed and files accessed
     ● Search for input, output, commands and files
     ● Reuse and integrate
     ● PoC: Cockpit plugin, journal storage

  23. ALL TOGETHER NOW (diagram: Auditd → Aushape, and Tlog, feed Fluentd / Rsyslog / Logstash → Elasticsearch → Kibana and WebUI)

  24. DEMO!

  25. IN THIS DEMO...
     ● A recorded user logs in
     ● Playback of the session is started at the same time
     ● Some work is done on the terminal
     ● Terminal I/O and converted audit logs are seen in journal
     ● Logs in Elasticsearch are displayed by Kibana
     ● Guest appearance: recordings in Cockpit

  26. HOW?

  27. HOW TLOG WORKS? Console login example (diagram: login, PAM, NSS, tlog, PTY, shell, syslog, journal). Starting a console session:
     1. User authenticates to login via PAM
     2. NSS tells login: tlog is the shell
     3. login starts tlog
     4. Env/config tell tlog the actual shell
     5. tlog starts the actual shell in a PTY
     6. tlog logs everything passing between its terminal and the PTY, via syslog(3) or sd-journal(3)

  28. CONTROL TLOG WITH SSSD. Console login example (diagram: login, PAM, pam_sss, NSS, nss_sss, SSSD, tlog conf, shell). When a recorded user logs in:
     1. SSSD finds a match for the user in its configuration
     2. pam_sss stores the actual user shell in the PAM environment
     3. nss_sss tells login: tlog is the shell
     4. login starts tlog with the PAM env
     5. tlog starts the actual user shell retrieved from the environment

  29. CONTROL TLOG WITH FREEIPA. Plan so far (diagram: FreeIPA HBAC rules and recording confs, SSSD, PAM, NSS). Which users to record on which hosts:
     ● Recording configurations are linked to HBAC rules, like SELinux maps
     When users log in:
     ● SSSD fetches applicable rules
     ● SSSD decides if recording is enabled
     ● Proceed as on the previous slide

  30. EXTRA TLOG FEATURES. Also control:
     ● What to record: input/output/window resizes
     ● “You are being recorded” notice
     ● Where to write: sd-journal(3), syslog(3), or file
     ● Low latency vs. low overhead
     Basic playback on the terminal:
     ● From Elasticsearch, journal or file

  31. TLOG SCHEMA. Optimized for streaming and searching:
     ● Chopped into messages for streaming, which can be merged
     ● Input and output stored separately
     ● All I/O preserved
     ● Invalid UTF-8 stored separately
     ● Timing separate, ms precision
     ● Window resizes preserved

     {
       "ver": "2.2",
       "host": "tlog-client.example.com",
       "rec": "c8aa248c81264f5d98d1...",
       "user": "user1",
       "term": "xterm",
       "session": 23,
       "id": 1,
       "pos": 0,
       "timing": "=56x22+98>23",
       "in_txt": "",
       "in_bin": [],
       "out_txt": "[user1@tlog-client ~]$ ",
       "out_bin": []
     }
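The slide shows one tlog message and says the stream is chopped into messages that can be merged, with timing kept separate from the text. The following is an added example, not code from the talk or from the tlog project, that decodes messages in that shape: it parses the `timing` string, re-attaches the text chunks to the input/output events, merges the messages of one recording by `id`, and reports missing ids so a dropped or tampered-with message does not go unnoticed. The sample messages are constructed here (the first is the slide's own example, the others are made up, and id 3 is intentionally missing); the token meanings assumed for `timing` are `=WxH` window size, `+N` delay in ms, `<N` next N chars of `in_txt` and `>N` next N chars of `out_txt`, which matches the slide's `=56x22+98>23`. Binary-chunk tokens are not handled.

```python
import json
import re

# Constructed sample: three JSON-lines messages in the tlog schema shown on the slide.
# Message id 3 is deliberately absent to demonstrate gap detection.
SAMPLE_LINES = r'''
{"ver": "2.2", "host": "tlog-client.example.com", "rec": "c8aa248c81264f5d98d1...", "user": "user1", "term": "xterm", "session": 23, "id": 1, "pos": 0, "timing": "=56x22+98>23", "in_txt": "", "in_bin": [], "out_txt": "[user1@tlog-client ~]$ ", "out_bin": []}
{"ver": "2.2", "host": "tlog-client.example.com", "rec": "c8aa248c81264f5d98d1...", "user": "user1", "term": "xterm", "session": 23, "id": 2, "pos": 98, "timing": "+1500<3>4", "in_txt": "ls\r", "in_bin": [], "out_txt": "ls\r\n", "out_bin": []}
{"ver": "2.2", "host": "tlog-client.example.com", "rec": "c8aa248c81264f5d98d1...", "user": "user1", "term": "xterm", "session": 23, "id": 4, "pos": 1700, "timing": "+40>23", "in_txt": "", "in_bin": [], "out_txt": "[user1@tlog-client ~]$ ", "out_bin": []}
'''

# Assumed timing tokens: "=WxH" resize, "+N" delay (ms), "<N" input chars, ">N" output chars.
_TOKEN = re.compile(r"([=+<>])(\d+)(?:x(\d+))?")


def load_messages(lines):
    """Parse JSON-lines input (e.g. pulled from the journal or syslog) into dicts."""
    return [json.loads(line) for line in lines if line.strip()]


def parse_timing(timing):
    """Split a timing string into ('resize', w, h), ('delay_ms', n), ('in', n), ('out', n)."""
    events, scanned = [], 0
    for m in _TOKEN.finditer(timing):
        if m.start() != scanned:  # reject anything that is not a known token
            raise ValueError("unexpected text in timing at %d: %r" % (scanned, timing))
        scanned = m.end()
        op, a, b = m.group(1), int(m.group(2)), m.group(3)
        if op == "=":
            if b is None:
                raise ValueError("window size needs WxH: %r" % timing)
            events.append(("resize", a, int(b)))
        elif op == "+":
            events.append(("delay_ms", a))
        elif op == "<":
            events.append(("in", a))
        else:
            events.append(("out", a))
    if scanned != len(timing):
        raise ValueError("trailing junk in timing: %r" % timing)
    return events


def expand_message(msg):
    """Attach the actual in_txt/out_txt chunks to the timing events of one message."""
    events, in_pos, out_pos = [], 0, 0
    for ev in parse_timing(msg["timing"]):
        if ev[0] == "in":
            events.append(("in", msg["in_txt"][in_pos:in_pos + ev[1]]))
            in_pos += ev[1]
        elif ev[0] == "out":
            events.append(("out", msg["out_txt"][out_pos:out_pos + ev[1]]))
            out_pos += ev[1]
        else:
            events.append(ev)
    # Counts that do not cover the stored text exactly mean a truncated or corrupt message.
    if in_pos != len(msg["in_txt"]) or out_pos != len(msg["out_txt"]):
        raise ValueError("timing counts do not match text lengths in message %s" % msg["id"])
    return events


def merge_recording(messages, rec):
    """Merge all messages of one recording in id order; return (events, missing_ids)."""
    mine = sorted((m for m in messages if m["rec"] == rec), key=lambda m: m["id"])
    events, missing, expected = [], [], 1
    for m in mine:
        while expected < m["id"]:  # ids are assumed to be consecutive from 1
            missing.append(expected)
            expected += 1
        expected = m["id"] + 1
        events.extend(expand_message(m))
    return events, missing


def render_output(events):
    """Reconstruct what the user saw on the terminal (output only)."""
    return "".join(e[1] for e in events if e[0] == "out")


SAMPLE_MESSAGES = load_messages(SAMPLE_LINES.splitlines())

if __name__ == "__main__":
    evs, gaps = merge_recording(SAMPLE_MESSAGES, "c8aa248c81264f5d98d1...")
    print(render_output(evs))
    print("missing message ids:", gaps)
```

Running it prints the two prompts and the `ls` echo, then `missing message ids: [3]`. Treating a gap in the id sequence as an incident-worthy event, rather than silently playing back what arrived, is the check a reviewer of session recordings wants, since a missing chunk is exactly where an unlogged command could sit.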

  32. HOW AUSHAPE WORKS (diagram: Kernel → netlink → Auditd → Audispd → Aushape → JSON log → Fluentd / Rsyslog / Logstash → JSON → Elasticsearch). From the kernel to Elasticsearch:
     ● Kernel sends messages to auditd
     ● auditd passes messages to audispd
     ● audispd distributes them to plugins, including aushape
     ● aushape formats the JSON audit log
     ● aushape logs it through syslog(3)
     ● Fluentd/rsyslog/Logstash deliver it to Elasticsearch
