tlog
Enable exclusions in the sssd-session-recording configuration
When configuring the scope of whom to log, the sssd-session-recording configuration file only allows none/all/some, and there is no way to configure "all, but".
In my case I would like to have the scope "all" but exclude the user running ansible, puppet and other such recurring jobs, as what I want to log is deviations, not my usual controlled management access.
Something like:

    [session_recording]
    scope = all,!ansible

Could this be an option, please?
@mzidek-rh @pbrezina Could you help me understand if the SSSD configuration interface would allow this type of exclusion or not?
Sure, we could allow something like that in the configuration file. Is this something that tlog already supports and SSSD just does not allow it to be configured?
@pbrezina Nothing is needed to enable this functionality on the tlog side AFAIK, only SSSD.
SSSD [session_recording] configuration section is used to override the shell as SESSION_RECORDING_SHELL used by NSS. See https://github.com/SSSD/sssd/pull/136/commits/b0cea9b316c9c6bc17b080be3d544fc07a2355f4 and https://github.com/SSSD/sssd/pull/136
So should this be an issue for https://github.com/SSSD/sssd instead?
@AndreasDavour yes, please file an issue there - most likely I will be the one implementing it still.
Thanks Justin. I will.
@justin-stephenson I created https://pagure.io/SSSD/sssd/issue/4128
Thanks.
Doesn't look like much is happening with the issue over there, right now. @justin-stephenson do you want to keep this issue open for reference, or should I close it?
@AndreasDavour it is up to you, but I am fine to keep this open until the fix is done in SSSD.
Let's keep this open for visibility then.