'\" t
.\"     Title: sssd-session-recording
.\"    Author: The SSSD upstream - https://github.com/SSSD/sssd/
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 01/16/2025
.\"    Manual: File Formats and Conventions
.\"    Source: SSSD
.\"  Language: English
.\"
.TH "SSSD\-SESSION\-RECOR" "5" "01/16/2025" "SSSD" "File Formats and Conventions"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sssd-session-recording \- Configuring session recording with SSSD
.SH "DESCRIPTION"
.PP
This manual page describes how to configure
\fBsssd\fR(8)
to work with
\fBtlog-rec-session\fR(8), a part of tlog package, to implement user session recording on text terminals\&. For a detailed configuration syntax reference, refer to the
\(lqFILE FORMAT\(rq
section of the
\fBsssd.conf\fR(5)
manual page\&.
.PP
SSSD can be set up to enable recording of everything specific users see or type during their sessions on text terminals\&. E\&.g\&. when users log in on the console, or via SSH\&. SSSD itself doesn\*(Aqt record anything, but makes sure tlog\-rec\-session is started upon user login, so it can record according to its configuration\&.
.PP
For users with session recording enabled, SSSD replaces the user shell with tlog\-rec\-session in NSS responses, and adds a variable specifying the original shell to the user environment, upon PAM session setup\&. This way tlog\-rec\-session can be started in place of the user shell, and know which actual shell to start, once it set up the recording\&.
.SH "CONFIGURATION OPTIONS"
.PP
These options can be used to configure the session recording\&.
.PP
scope (string)
.RS 4
One of the following strings specifying the scope of session recording:
.PP
"none"
.RS 4
No users are recorded\&.
.RE
.PP
"some"
.RS 4
Users/groups specified by
\fIusers\fR
and
\fIgroups\fR
options are recorded\&.
.RE
.PP
"all"
.RS 4
All users are recorded\&.
.RE
.sp
Default: "none"
.RE
.PP
users (string)
.RS 4
A comma\-separated list of users which should have session recording enabled\&. Matches user names as returned by NSS\&. I\&.e\&. after the possible space replacement, case changes, etc\&.
.sp
Default: Empty\&. Matches no users\&.
.RE
.PP
groups (string)
.RS 4
A comma\-separated list of groups, members of which should have session recording enabled\&. Matches group names as returned by NSS\&. I\&.e\&. after the possible space replacement, case changes, etc\&.
.sp
NOTE: using this option (having it set to anything) has a considerable performance cost, because each uncached request for a user requires retrieving and matching the groups the user is member of\&.
.sp
Default: Empty\&. Matches no groups\&.
.RE
.PP
exclude_users (string)
.RS 4
A comma\-separated list of users to be excluded from recording, only applicable with \*(Aqscope=all\*(Aq\&.
.sp
Default: Empty\&. No users excluded\&.
.RE
.PP
exclude_groups (string)
.RS 4
A comma\-separated list of groups, members of which should be excluded from recording\&. Only applicable with \*(Aqscope=all\*(Aq\&.
.sp
NOTE: using this option (having it set to anything) has a considerable performance cost, because each uncached request for a user requires retrieving and matching the groups the user is member of\&.
.sp
Default: Empty\&. No groups excluded\&.
.RE
.SH "EXAMPLE"
.PP
The following snippet of sssd\&.conf enables session recording for users "contractor1" and "contractor2", and group "students"\&.
.PP
.if n \{\
.RS 4
.\}
.nf
[session_recording]
scope = some
users = contractor1, contractor2
groups = students
.fi
.if n \{\
.RE
.\}
.sp
.SH "SEE ALSO"
.PP
\fBsssd\fR(8),
\fBsssd.conf\fR(5),
\fBsssd-ldap\fR(5),
\fBsssd-ldap-attributes\fR(5),
\fBsssd-krb5\fR(5),
\fBsssd-simple\fR(5),
\fBsssd-ipa\fR(5),
\fBsssd-ad\fR(5),
\fBsssd-files\fR(5),
\fBsssd-sudo\fR(5),
\fBsssd-session-recording\fR(5),
\fBsss_cache\fR(8),
\fBsss_debuglevel\fR(8),
\fBsss_obfuscate\fR(8),
\fBsss_seed\fR(8),
\fBsssd_krb5_locator_plugin\fR(8),
\fBsss_ssh_authorizedkeys\fR(1), \fBsss_ssh_knownhosts\fR(1),
\fBsssd-ifp\fR(5),
\fBpam_sss\fR(8)\&.
\fBsss_rpcidmapd\fR(5)
\fBsssd-systemtap\fR(5)
.SH "AUTHORS"
.PP
\fBThe SSSD upstream \- https://github\&.com/SSSD/sssd/\fR