#2893 [RFE] Conditionally wrap user terminal with tlog
Closed: Fixed 2 years ago Opened 3 years ago by mkosek.

Some hardened and confined infrastructure environments require not only secure authentication and authorization, but also audit by capturing the activity on the target terminal (input, output, what is on the screen).

There is an open source project, tlog, that can provide this functionality.

There should be a way to configure whether the tlog shell should be started for a user based on a configuration switch. The configuration should be designed carefully because eventually we may want to control session recording policy centrally from FreeIPA based on HBAC-like or HBAC rules, i.e. based on the users/groups and hosts/hostgroups.


Provided that tlog is a shell, can we simply use the overrides/idviews to set the user shell?

Fields changed

cc: => spbnick

Replying to [comment:1 jhrozek]:

Provided that tlog is a shell, can we simply use the overrides/idviews to set the user shell?

I am not sure we can because the shell in idview is the actual shell that the user wants to use when he logs in. Tlog is a wrapper shell that should start the real shell the user actually wants.

So should we introduce a new option, init_shell or wrapper_shell?

Yes, something along those lines.

What is the time this feature should be done? Which upstream milestone?

For the time being moving to 1.14 Alpha and assigning to Nikolai. The feature should be self-contained, so we can move it to another milestone if needed.

cc: spbnick =>
milestone: NEEDS_TRIAGE => SSSD 1.14 alpha
owner: somebody => spbnick

Fields changed

rhbz: => todo

Nick, is there still some sssd work needed?

milestone: SSSD 1.14 alpha => SSSD 1.14.0

We agreed no work on the tlog integration in sssd needs to be done in this version.

milestone: SSSD 1.14.0 => SSSD 1.16 beta

Replying to [comment:11 jhrozek]:

We agreed no work on the tlog integration in sssd needs to be done in this version.

16? Not 15? Is it a placeholder or it is definitively moved a version after next?

Replying to [comment:12 dpal]:

Replying to [comment:11 jhrozek]:

We agreed no work on the tlog integration in sssd needs to be done in this version.

16? Not 15? Is it a placeholder or it is definitively moved a version after next?

We renamed 16 to 15 because we would like to have a very-quick turnaround release (15) to be able to include some features in Fedora-25 which has the 'features testable' deadline quite soon:
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/thread/XU3CSTXXJQNW4LGNOQZKNRBWQBPSXOVZ/

I don't really have an issue with moving the RFE back to 15 if everything is ready in time, but the Fedora deadline is in about a month, so it really depends on how fast the tlog integration progresses.

Metadata Update from @mkosek:
- Issue assigned to spbnick
- Issue set to the milestone: SSSD Future releases (no date set yet)

2 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None
- Issue tagged with: PR

2 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD Future releases (no date set yet))
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)

2 years ago
