From 27c30eb5f046d6c43276b139706110906cdacb9b Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov
Date: Thu, 27 Apr 2017 17:53:47 +0300
Subject: [PATCH 18/93] MAN: Describe session recording configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Pavel Březina
---
 contrib/sssd.spec.in | 1 +
 src/man/Makefile.am | 2 +-
 src/man/include/seealso.xml | 4 +
 src/man/po/po4a.cfg | 1 +
 src/man/sssd-session-recording.5.xml | 162 +++++++++++++++++++++++++++++++++++
 src/man/sssd.conf.5.xml | 99 +++++++++++++++++++++
 6 files changed, 268 insertions(+), 1 deletion(-)
 create mode 100644 src/man/sssd-session-recording.5.xml
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index cb1a09c42b9c71f91e7ef318c165953cfbe71525..74affd39f39908510394970ab8dadae87b4a7aaf 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -990,6 +990,7 @@ done
 %{_mandir}/man5/sssd-files.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man5/sssd-sudo.5*
+%{_mandir}/man5/sssd-session-recording.5*
 %if (0%{?with_secrets} == 1)
 %{_mandir}/man5/sssd-secrets.5*
 %endif
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 3a063614f085691652db32d76315375466e0d3de..0e35ac277658e76ca8346a077a6931bc5c95ae23 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -65,7 +65,7 @@ man_MANS = \
 sssd-krb5.5 sssd-simple.5 sss-certmap.5 \
 sssd_krb5_locator_plugin.8 sss_groupshow.8 \
 pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \
- sss_override.8 idmap_sss.8 sssctl.8 \
+ sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \
 $(NULL)
 if BUILD_SAMBA
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
index 2e9c646c475887bce3612472975ade375edbd819..9b9a72ce257a9487f445bd40e7658259f091a01f 100644
--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
@@ -34,6 +34,10 @@ 5 , + + sssd-session-recording + 5 + , sss_cache8 , 
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
index f325b1afaf081aa99f12baee1809d81de390abaa..e9492cfe1525b2f5e1f2a18b7703afd15b5f8fde 100644
--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
@@ -31,6 +31,7 @@
 [type:docbook] sssctl.8.xml $lang:$(builddir)/$lang/sssctl.8.xml
 [type:docbook] sssd-files.5.xml $lang:$(builddir)/$lang/sssd-files.5.xml
 [type:docbook] sssd-secrets.5.xml $lang:$(builddir)/$lang/sssd-secrets.5.xml
+[type:docbook] sssd-session-recording.5.xml $lang:$(builddir)/$lang/sssd-session-recording.5.xml
 [type:docbook] sssd-kcm.8.xml $lang:$(builddir)/$lang/sssd-kcm.8.xml
 [type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
 [type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"
diff --git a/src/man/sssd-session-recording.5.xml b/src/man/sssd-session-recording.5.xml
new file mode 100644
index 0000000000000000000000000000000000000000..b53d4e1439a384132bb5a6d4f559dd7b17711a68
--- /dev/null
+++ b/src/man/sssd-session-recording.5.xml 
@@ -0,0 +1,162 @@ + + + +SSSD Manual pages + + + + + sssd-sudo + 5 + File Formats and Conventions + + + + sssd-session-recording + Configuring session recording with SSSD + + + + DESCRIPTION + + This manual page describes how to configure + + sssd + 8 + to work with + + tlog-rec-session + 8 + , a part of tlog package, to implement user session + recording on text terminals. + For a detailed configuration syntax reference, refer to the + FILE FORMAT section of the + + sssd.conf + 5 + manual page. + + + SSSD can be set up to enable recording of everything specific + users see or type during their sessions on text terminals. E.g. + when users log in on the console, or via SSH. SSSD itself doesn't + record anything, but makes sure tlog-rec-session is started upon + user login, so it can record according to its configuration. + + + For users with session recording enabled, SSSD replaces the user + shell with tlog-rec-session in NSS responses, and adds a variable + specifying the original shell to the user environment, upon PAM + session setup. This way tlog-rec-session can be started in place + of the user shell, and know which actual shell to start, once it + set up the recording. + + + + + CONFIGURATION OPTIONS + + These options can be used to configure the session recording. + + + + scope (string) + + + One of the following strings specifying the scope + of session recording: + + + "none" + + + No users are recorded. + + + + + "some" + + + Users/groups specified by + users + and + groups + options are recorded. + + + + + "all" + + + All users are recorded. + + + + + + + Default: "none" + + + + + users (string) + + + A comma-separated list of users which should have + session recording enabled. Matches user names as + returned by NSS. I.e. after the possible space + replacement, case changes, etc. + + + Default: Empty. Matches no users. + + + + + groups (string) + + + A comma-separated list of groups, members of which + should have session recording enabled. 
Matches + group names as returned by NSS. I.e. after the + possible space replacement, case changes, etc. + + + NOTE: using this option (having it set to + anything) has a considerable performance cost, + because each uncached request for a user requires + retrieving and matching the groups the user is + member of. + + + Default: Empty. Matches no groups. + + + + + + + + EXAMPLE + + The following snippet of sssd.conf enables session recording for + users "contractor1" and "contractor2", and group "students". + + + +[session_recording] +scope = some +users = contractor1, contractor2 +groups = students + + + + + + + + diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 7c4cd1f2e5c453964def9c04967f9adc232bb776..b9eaf5eddb5c39125f7ce1c7a988c374378bbb32 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml 
@@ -1518,6 +1518,105 @@ pam_account_locked_message = Account locked, please contact help desk. + + Session recording configuration options + + Session recording works in conjunction with + + tlog-rec-session + 8 + , a part of tlog package, to log what users see + and type when they log in on a text terminal. + See also + + sssd-session-recording + 5 + . + + + These options can be used to configure session recording. + + + + scope (string) + + + One of the following strings specifying the scope + of session recording: + + + "none" + + + No users are recorded. + + + + + "some" + + + Users/groups specified by + users + and + groups + options are recorded. + + + + + "all" + + + All users are recorded. + + + + + + + Default: "none" + + + + + users (string) + + + A comma-separated list of users which should have + session recording enabled. Matches user names as + returned by NSS. I.e. after the possible space + replacement, case changes, etc. + + + Default: Empty. Matches no users. + + + + + groups (string) + + + A comma-separated list of groups, members of which + should have session recording enabled. Matches + group names as returned by NSS. I.e. after the + possible space replacement, case changes, etc. + + + NOTE: using this option (having it set to + anything) has a considerable performance cost, + because each uncached request for a user requires + retrieving and matching the groups the user is + member of. + + + Default: Empty. Matches no groups. + + + + + + -- 2.14.1