Forge Home

tlog

A module for managing Tlog

7,829 downloads

722 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.3.2 (latest)
  • 0.3.1
  • 0.3.0
  • 0.2.2
  • 0.2.1
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Oct 5th 2021
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.22.1 < 8.0.0
  • , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'simp-tlog', '0.3.2'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-tlog
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-tlog --version 0.3.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

simp/tlog — version 0.3.2 Oct 5th 2021

License CII Best Practices Puppet Forge Puppet Forge Downloads Build Status

Table of Contents

Description

This module manages the installation and configuration of tlog for active terminal session recording.

By default, the logs will be recorded to journald with systems running systemd and syslog otherwise.

See REFERENCE.md for full API details.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.

Usage

You can simply include the tlog class to have the software installed.

To enable automatic session recording, include the tlog::rec_session class. You MUST then add all users and/or groups that you want to monitor to the tlog::rec_session::shell_hook_users Array.

Note: Groups should be prefixed with a percent sign (%).

When this is enabled, it will automatically hook into login and interactive shells based on scripts placed into /etc/profile.d.

Example: Auditing the 'root' user and 'administrators' group

---
tlog::rec_session::shell_hook_users:
  - 'root'
  - '%administrators'

NOTE: If you want to be 100% certain that all sessions are logged, you should not rely on this hook but should, instead, set /usr/bin/tlog-rec-session as the user's primary shell. This is not feasible in many situations so these hooks have been provided for the 90% case.

Limitations

The tlog project is still evolving so there may be breaking changes that occur in the future. We highly encourage all users to file feature requests and bug reports with the upstream project.

TLOG does not record all sessions

iWhen root is set to use the tlog hook, if a user is logged into a system using a graphical display such as gnome and attempts to su to root from more than one terminal window in the same session, the second su will not be recorded.

This occurs because, in order to prevent looping, if the session id is the same for both shells, tlog does not start a second recording session. A ticket has been entered for this issue.

The above error does not affect ssh logins.

tlog-play from file

To playback tlog from a file, the file must only contain json entries from a single session. The default SIMP implementation of tlog records all sessions with some additional non-json formatted information in a file, causing playback of the raw log file to fail. To generate a usable tlog file for playback, grep and awk can be utilized to filter and format entries for a tlog session. Identify the file containing the raw tlog data. Performing a grep for tlog-rec-session in the logs directory can help locate log files. After identifying the raw log file, examine the contents of the file to identify the rec, a host-unique recording id, for the session to be replayed. The rec can then be used with grep to generate a new file containing only logs from that session in json format:

grep <rec> <raw log file> | awk -F"tlog-rec-session: " '{print $2}' > /tmp/tlog_for_playback

Development

Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

NOTE: You will need to make sure that the nodesets can install the tlog packages from a repository (or install them via beaker) for the tests to run successfully.

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.