User Session Recording for the Enterprise

Video in TIB AV-Portal: User Session Recording for the Enterprise

Formal Metadata

User Session Recording for the Enterprise
An Open-Source Effort by Red Hat
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Subject Area
A presentation on an effort to implement Linux User Session Recording for the Enterprise using new and existing open-source software.
Keywords Security

My name is Nikolai Kondrashov, I'm a software engineer at Red Hat. I'm going to be talking about this project we have of implementing user session recording in a way that is suitable for use in the enterprise, which is banks or hospitals or just commercial organizations. I work in the common logging team, which started not so long ago; they're focusing on getting logs together from across all of Red Hat's products and putting them in one place. Within it I work on this User Session Recording project, and I maintain three Fedora packages as well. In my free time I maintain the DIGImend project, which is about support for graphics tablets on Linux, and I also play with embedded with what's left of my time.

So, has anybody ever used user session recording before? Has anybody set it up? Has anybody been recorded? OK. Has anybody here ever reviewed recorded user sessions? Great, let's see.
So the premise is basic: some companies need to comply with government regulations, some need to just track contractors or other visitors on their systems, and they need to know what happened to their servers if something goes wrong, and who did it. So in the ideal world people want to record everything that users do. Sometimes companies even put cameras behind people to see what they do. They want to store that somewhere else, somewhere safe, they want to search it, analyze it and correlate it, and they want to play it back exactly like it happened when they are trying to figure out what happened.

There's plenty of commercial products, and there are pretty good ones too. They go from dedicated hardware appliances which you could put on your network, plug one cable in and another cable out, and it will intercept everything, provided it has the keys; then there is software that you can install on your own hardware; there are things which are simpler, like jump hosts, where you log in to an intermediate system and then get to the target system, and it records everything; and there are just programs which are running on the target host which is being recorded. Many of them are integrated with identity management and access control, where you can for example watch the session and disconnect it if you see that something is going wrong. Most of them have some sort of central storage, searching and playback, of course.

But those are all commercial products, so they're expensive, sometimes very expensive, with some really difficult licenses, like per server or per host, and then it's commercial software, usually closed source, and you can't fix it, you can't see how it works and you can't improve it. So our customers were asking us for a solution that would come from Red Hat, from open source, just something that they could get for free, that they could take a look inside and figure out how it works and fix it or maybe improve, and they also want support, especially the bigger organizations.

So what we have so far in open source: not that much. It's just script, which is the classic, but you have to work a lot if you want to have something central or secure with it. Then there is sudo I/O logging, which is security-oriented; it has search and has playback, but it's not centralized and you can't stream it, it's just recorded on the local host. And the closest thing there is is the TTY audit in the kernel audit subsystem, which is also supported by auditd, but it's security-oriented and can be centralized as audit logs could be; it's only for input, it doesn't record output, and from what I heard from the developers the current architecture won't perform very well if you try to use it for output.
So what we're going to do. The basic requirements: record what's happening, what you can see, what the user enters, what the user executes, what the user accesses on the machine; get it off the machine as soon as possible, and store it centrally and securely. Then you need to correlate this with other events in the system, because that's the only way to really figure out what's happening; just a recording of the screen is not enough. And you need of course to play it back to see what the user saw, and you need to control that centrally.

So we had an idea to just ship it with the logs, because they already have audit events in the logs, we have log servers which know how to deliver them, they have this whole infrastructure already, and there is a whole bunch of systems which allow you to correlate those logs, search, analyze, graph and everything. That allows us to really save on the maintenance and setup costs, because we just set up logging and we have the whole delivery infrastructure, storage and analytics there. At the same time the recording is closely related to those logs and you can correlate them easily.

We wanted to decide on something to use for that central storage and search solution, and so far it seems it's going to be Elasticsearch. It's pretty popular, and our common logging team was working on putting it into Red Hat products. It's already in OpenShift and it's going to go into OpenStack, and they build basically our packaged log-forwarding solution: you basically install it and it all goes to one place, it is all parsed into structured JSON in Elasticsearch, and you can search it in a more or less structured way, as far as the logs can go. So it's a sort of turnkey solution which is being worked on by the other part of our team.
So we have the central storage; now we need to figure out how to control the rest, how to log everything, and how to make sense of, especially, the audit logs, because they're not very well structured and they need to be structured to be ingested by Elasticsearch. We need to deliver that, so we need to choose something for delivery, and we need to play it back, and so on.

We also have a big team working on FreeIPA and SSSD, which is basically an analog of Active Directory, an open-source project; they work on it a lot. Among other things it allows you to join machines to those domains, to control the machines, to make your own domains, to have trust relations between the domains, and to cache credentials, on laptops for example, which you can log in to and then disconnect from the network and still be able to log in. They have agreed to help us put the session recording control in there, though it's not yet fully designed. Right now we have some solutions to these parts already.
For actually logging the user terminal input and output we made a tool called tlog. We considered doing it in the kernel, but again that would have been a pretty long process, and the audit subsystem wasn't ready for that anyway. So we made a user space program that is started in place of the user's login shell, sits between the user's shell and the terminal, records what passes between them, converts it to JSON and logs it to syslog or the journal. It also has a tool that allows you to play it back on the terminal, pretty basic.

So, to deal with the audit logs, to get them into Elasticsearch, we made a tool called aushape, and we worked together with the audit team and they're still working on it now. It converts the audit logs to JSON, which would be suitable for Elasticsearch, or to XML for other tools, because we have customers who prefer XML. We built the schemas which you can use to validate the output; it's strictly defined, as far as we have gone so far at least. It just logs to syslog and that's it.

So for delivery to Elasticsearch we already have rsyslog which supports that, and you can of course use fluentd as well. If you're going with OpenShift or OpenStack you can use our logging solution.
So for the actual playback for auditors and administrators we will build another UI, which will connect to Elasticsearch, and from there you should be able to see input, output, commands, file accesses and so on. We're planning to build it as a reusable component which you can perhaps build into your own UI. And on the other hand we started making a proof of concept in Cockpit. Cockpit is the UI for managing your servers, like a particular server, not only just the specific server which it is running on but also others, but mostly just this server. That's because it is simpler and easier, as you will see.
So this is the basic shape of things: we get the terminal I/O through tlog and the audit events through aushape, push them through any combination of log servers into Elasticsearch, and then you can use the GUI, or Kibana, or something else which can be used to view a session. OK, so I'm going to show you a little demo: I log into our system, which records a particular user, and we will start the playback at the same time and see how it goes, then we'll take a quick look at the logs in the journal and in Elasticsearch, and I'm also going to show you how the proof of concept works in Cockpit.
OK, it worked. There is a delay between the playback and the recording because I started it much later, so it's going to take a while to catch up. We're working on that right now. The most difficult part is jumping to an arbitrary time, because there you have to basically build keyframes, like in video, because the state of the terminal depends on what has happened before. That's going to be one of the first controls that I'm going to write code for right now. So it's quite easy to speed it up and to pause it, but not random seeking, not yet. We have several ideas about that, and we can talk about them if anybody is interested.
Just a moment. These are the logs that came from this recording. These are the aushape logs, which are converted to JSON already, and you can see the raw audit records here which probably resulted in the following aushape line. And here is the stuff from the recording, the terminal input and output; you can see some control characters. And this is how it looks in Kibana. So here for example I look up the events for the session which we just executed, and the audit events for it. So this is from tlog: you can see the command line here, this is me trying to type that command, and then the audit event from the same command. So for example we search for a command and we can see all the commands that were executed. This is mixed up with some other sessions, but anyway, you can see the commands executed in a session, combined search and correlation with Elasticsearch. OK. So we can already see our session here in Cockpit because it was also logged to the journal. I can come in here and see it; it's going to take a while because I took long pauses, but I'm going to make another one.
So as soon as I start and get some output going, the session should appear on the right. There it is. Yeah, tlog also logs the window sizes, and you can resize the player here, but at the moment we don't match the player to the recorded window sizes; we're working on that along with the playback controls. You can make it bigger, but we just need to pass that information from the playback tool to the UI.
So if you would set up just tlog on a typical Linux system without any control from anything else, it would work, but this is obviously basic. So for example take a login session on the console: the user authenticates through login, PAM is used, and login has to know that tlog is the shell. You do that by basically putting tlog as the user's shell in /etc/passwd. Then tlog starts as the shell, reads the actual shell to start from its configuration or the environment, starts it under a PTY, passes everything between the PTY and the actual terminal, and logs it to syslog or the journal.

But if you want to control it with SSSD, which is something that was done not long ago, it hasn't made it into a release yet but it's in master and it works: you can configure SSSD with the configuration that session recording is enabled and these users and these groups should be recorded. Then when a user logs in, login requests the user's information from SSSD; SSSD substitutes tlog for the user's shell, and when the session is set up using PAM, it sets the actual shell as an environment variable which tlog should start. So when tlog starts, it reads that environment variable and starts the shell. That way you can have shells which the user specifies, either locally or in a directory, and they don't care whether the session is recorded on a particular host; the user will still get the right shell.

With FreeIPA we have a plan to use a system similar to the SELinux user mappings: you assign configuration to HBAC rules, and in this case it's going to be configuration for tlog. This is on the client machine: SSSD fetches both the configuration and the HBAC rules, matches them to the user and the host and the service the user is accessing, then basically composes the configuration and passes it to tlog via the environment again.
tlog records input, output and window sizes; you can configure any of those if you like, and you can write to the journal or to syslog or to a file, for tests for example. You can also configure things like whether you want low latency for real-time recording, or whether you want to save on the extra overhead of delivering that information. And tlog has a tool that can play back from Elasticsearch, as we just saw, from the journal, as we just saw in Cockpit, or from a file if you want to test.

So how are the log messages structured? They basically chop the stream into messages, because it's logging. We have input and output separately, in separate fields, because we want them to remain searchable; they are combined in time. If you store them in the same field they will be interspersed and you won't be able to search them. We preserve everything, including binary: if there is invalid UTF-8 which cannot be encoded in JSON, then we just put it in as the raw bytes, so we can extract the whole thing if somebody just dumped an archive on their screen. We also store the timing, in millisecond precision, in a separate field.
aushape functions quite simply: the kernel supplies the audit messages, auditd stores them and forwards them to a special daemon for plugins, the dispatcher daemon (audispd). You can have multiple plugins; one of them could be aushape, which will then encode them in JSON and just log them to syslog, and then you can use rsyslog or something else to push it to Elasticsearch. We are trying to keep the whole event structure, meaning all the same names, the same hierarchy, but we have to encode it into something more strictly defined than just plain text. We have both the XML and the JSON schema; they are similar, just different encodings, basically having the same structure. Here for example is a user executing the ps command; this is a bit ahead of the changes, but basically that's how it could look. In the audit log an event can be represented by a series of log messages, they can span several lines, each with a piece of detail about the event, but we record everything in a single object so that you don't have to assemble them when searching for them.
So at the moment the Cockpit UI is very basic, and we used sort of a trick to get it off the ground quickly: tlog-rec creates a special synthetic recording ID, which is unique on the host, and records it as a journal field, so that Cockpit can request all the tlog messages from the journal and then just aggregate them by recording ID, providing this list here. And then, to play a recording, it basically runs tlog-play on the host, the playback tool, under a PTY and forwards everything to the JavaScript terminal that you see on the screen here. That's going to be probably the first release, and then we will have to do the most difficult part: playback in a JavaScript terminal in the browser. So it'll probably be some terminal emulator like term.js; we're going to modify that to provide timing and playback controls and so on.
So, there is a feature request that we often get where people ask: can we please avoid recording passwords? Right now I'm not aware of a way to do that purely from user space, which is what we're doing. The audit subsystem has the TTY audit in the kernel, which detects that the terminal is in password mode and then doesn't log anything, but we can't do that from user space as far as I know. So the plan is either just not record the input, because we also record the output, and it doesn't matter that much that we don't record the input, since we get all the underlying audit events anyway; or there is an option which we'll maybe implement: we just turn off input recording in tlog, enable the TTY audit in auditd, and then we can play back the input from there. We're also thinking about recording graphical sessions, because there multiple terminals can be started and we can't separate them well, we don't know how to detect that, and in general I think the best idea is to record the whole graphical session screen if you need to record a graphical session. Then there's the terminal charset conversion, because some people still don't use UTF-8, and there is a need for the ability to convert that somehow, but of course there's going to be a mismatch between encodings that might produce garbage, so we would need to keep the original anyway in binary form and provide the converted text just for searching purposes: you could search for something, and if you find something you can then compare with the binary data to recover what it was, if necessary. And of course the playback controls, which we've talked about already.
So, aushape. The main challenge with aushape is that the audit log format is basically built into the kernel: the kernel basically formats strings and puts them together, like printf, which is not supposed to be parsed. There you get the kind of issues between user space and the kernel where user space suddenly finds out that the kernel has changed some format and it can no longer parse it, and the kernel doesn't consider that a binary ABI, it's just text data, so whatever. The audit developers do a good job of dealing with it, but still probably nobody knows all the possible logs the kernel can produce. There is a plan to eventually switch to some new binary protocol for audit logging, but even from what the people working on it say, it's just not going to happen very soon. So we're going to work with what we have. The audit user space developers keep a dictionary of the record and field types that can happen, but we need more information than that; we need to know the types of the values, so we're going to work with them to improve that catalog so we can make a more strict schema, making it more useful, because you know exactly what can happen. And again there needs to be character encoding conversion, because some file names can be in different encodings, and we'll have to see how to deal with the mistranslations and garbage and encode that in JSON.

And for the Cockpit UI: it uses the journal as storage right now, basically the recordings are stored as just a series of journal messages, and we need to search that, we need to correlate, and we need to list the sessions. So far with just a few sessions, even though they could be long ones, it is working, but it might become very, very slow. So what the Cockpit guys and our team are going to do is a Cockpit hackfest, which is going to happen in October in Berlin in the Red Hat offices; if you'd like to come, if somebody wants to come there, you can write to me and ask. Also in Berlin there's going to be the All Systems Go conference, and I'm going to go there and maybe talk about this journal thing, if it makes sense. Then again the playback controls: having the playback done on the host and forwarded to the terminal is easier to start with, but it's harder to continue with implementing the playback controls, like random positioning for example, because we don't have access to the state of the terminal in there. And to correlate the audit logs, so that you could see what was happening behind the scenes, like you would see the screen and the audit events happening as the session goes, we need to somehow communicate the current playback position, and that might be interesting. OK.
So if you would like to try it, an older version of tlog is in the Fedora repos, and you can always of course build it from source. The journal support in particular wasn't released yet, it's just in master; I'm going to release it soon, I expect. The basic thing to try is just to tell tlog to write to a file, maybe a log file, and see how that looks, and try to play it back. There are also instructions in the README for setting up Elasticsearch so that everything from the user's session is forwarded there, and I will be glad to hear any issue reports and of course pull requests. There are actually people asking for rate control, where you would limit the logs when the user just dumps a few random or huge files on the screen; there was a pull request from somebody at some government organization trying to implement that, but then they said they're going to do it another way. aushape is even easier to try, all you have to do is build it; there hasn't actually been a release yet, it's still fresh, so you can just get it and feed it your own audit log. It won't upload it anywhere but it will convert it to JSON or XML, as you want, and you can see what the structure is and how it looks. And again there are instructions for forwarding into Elasticsearch. Then the most difficult part: if somebody is determined, they can get our proof-of-concept branch, and there are instructions on building and running Cockpit from source; then they install tlog, configure it to write to the journal, create a user to be recorded, log in as that user, and stuff should magically appear in the Cockpit UI. But that magic might require some work. Thank you.
Any questions?

Question: Are there any plans to implement Elasticsearch support in the viewer, at least a backing JavaScript library, so you don't have to read from the journal in Cockpit? Or is there something about releasing a separate JavaScript library for the web interface?

Answer: Maybe. Yeah, there's going to be a terminal component which you can use. The playback from the journal is just for local recording, just to get started, and eventually we'll perhaps even have Cockpit support for Elasticsearch, if that makes sense, because Cockpit is mostly for managing this one server; you would log in to some other server, and then to play back a session recorded from that server you have to log in to that server to get the session from there. But we're going to do that anyway; we'll need to play back from Elasticsearch.

Question: Right now there is no overview UI. I'm talking about more like a central solution for reading or displaying the recorded sessions from multiple sources, maybe not integrated into Cockpit, building your own stuff. What are the plans for that?

Answer: At the moment we haven't selected one place where we're going to put this, so it might be Cockpit, or the FreeIPA web UI or something like that; it's still to be decided. We just want to make it embeddable, so that is easier. Absolutely, that's our primary target; we're trying to work hard on it, we just hired a person to work on the UI, so it's going to get better.

Question: I have a couple of questions. First, do I understand correctly that the same messages are sent twice, one from auditd and one from your daemon?

Answer: You don't have to send them anywhere. What you saw is the journal picking up all the audit messages from the kernel. I think the journal can be configured, and you just set up auditd, which can then be set up to receive the messages and pass them to the plugins; you have to do that manually. That's what we are going to implement, maybe like an Ansible playbook or something for such a setup.

Question: And with Elasticsearch, as always, whenever you have access to Elasticsearch you can search for everything, so you see everything. Is there any possibility to say that not everybody is allowed to see everybody else's recordings?

Answer: That's what the ViaQ project is working on in our other part; they're doing access control for various tenants on OpenShift clusters, so they have separate access and you can control that.

Question: The other question is: it is very easy to bypass, simply by using chsh and giving me bash again. When you use chsh on the command line and specify that you want to use bash, then you disable the logging, isn't that easy?

Answer: Well, if you allow that, everything is easy, but no, not everybody can do that.

Question: And the last question: has any regulatory body accepted this, or have you talked with any regulatory body about whether this is something that can, for example for a government or banking application, be considered acceptable?

Answer: We have several banks that we are talking with, asking for this and making requests, and the Australian security services are interested in the audit part, so there is some interest. And to the question about the shell: you can't always do that, change the shell; you can have policies on that. OK, thanks.

Question: My question is: is there any way to make it visible for the user? I mean, you want him to be aware of it, because if I'm not aware that I am being recorded I behave as if I'm not being recorded, so I do whatever I want, while if I am aware, I behave; that's already good.

Answer: If the user is clueless you can just disable the notice, and they might not know, but if they look at the process table they will see it. Another thing which you can do is set up a transparent jump host: the user logs in to one system, like a public system, which magically logs in to another system, and the recording is happening on the jump host transparently, and they can't see that. OK, thank you. All right, thank you very much, thank you for coming and for the questions.
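The message layout the talk describes (input and output kept in separate searchable fields, anything that is not valid UTF-8 preserved as raw bytes, timing stored separately in milliseconds, the window size, and a recording ID that a UI can aggregate on) is illustrated by the following Python example. It is an added example, not tlog's code or its real schema: the field names, the timing encoding, the `Recorder`/`replay` helpers and the sample session are all constructed for this illustration.

```python
import json
from collections import defaultdict

# Stream codes used in the 'timing' list of this assumed format:
#   "<" input text, ">" output text, "[" input raw bytes, "]" output raw bytes
TXT = {"in": "<", "out": ">"}
BIN = {"in": "[", "out": "]"}


def split_utf8(data: bytes):
    """Split bytes into ('txt', str) and ('bin', bytes) runs.

    Valid UTF-8 becomes text; any invalid byte sequence (e.g. a binary
    archive dumped to the screen) is kept verbatim as a 'bin' run so the
    original stream can be recovered exactly.
    """
    pos = 0
    while pos < len(data):
        try:
            yield ("txt", data[pos:].decode("utf-8"))
            return
        except UnicodeDecodeError as err:   # err.start/err.end are relative to data[pos:]
            if err.start:
                yield ("txt", data[pos:pos + err.start].decode("utf-8"))
            yield ("bin", data[pos + err.start:pos + err.end])
            pos += err.end


class Recorder:
    """Chops a terminal I/O stream into JSON log messages (constructed format)."""

    def __init__(self, rec_id, user, host, width, height, max_events=64):
        self.base = {"ver": "1", "rec": rec_id, "user": user, "host": host,
                     "width": width, "height": height}
        self.max_events = max_events
        self.last_ms = 0          # absolute time of the previous event
        self.messages = []        # finished JSON lines
        self._reset()

    def _reset(self):
        self.in_txt, self.out_txt = [], []
        self.in_bin, self.out_bin = [], []
        self.timing = []          # [delay_ms, stream_code, length] per event

    def record(self, stream, data: bytes, at_ms: int):
        """stream is 'in' or 'out'; at_ms is the absolute session time."""
        delay = at_ms - self.last_ms
        self.last_ms = at_ms
        for kind, run in split_utf8(data):
            if kind == "txt":
                (self.in_txt if stream == "in" else self.out_txt).append(run)
                self.timing.append([delay, TXT[stream], len(run)])
            else:
                (self.in_bin if stream == "in" else self.out_bin).extend(run)
                self.timing.append([delay, BIN[stream], len(run)])
            delay = 0             # further runs of the same chunk are simultaneous
        if len(self.timing) >= self.max_events:
            self.flush()

    def flush(self):
        """Emit the buffered events as one JSON message."""
        if not self.timing:
            return
        msg = dict(self.base, in_txt="".join(self.in_txt), out_txt="".join(self.out_txt),
                   in_bin=self.in_bin, out_bin=self.out_bin, timing=self.timing)
        self.messages.append(json.dumps(msg))
        self._reset()


def replay(json_lines):
    """Rebuild the time-ordered event list from messages.

    Returns [(abs_ms, 'in'|'out', bytes), ...]; text and raw-byte runs are
    consumed from their fields in the order recorded in 'timing'.
    """
    events, clock = [], 0
    for line in json_lines:
        msg = json.loads(line)
        cursors = {"<": 0, ">": 0, "[": 0, "]": 0}
        fields = {"<": msg["in_txt"], ">": msg["out_txt"],
                  "[": bytes(msg["in_bin"]), "]": bytes(msg["out_bin"])}
        for delay, code, length in msg["timing"]:
            clock += delay
            start = cursors[code]
            chunk = fields[code][start:start + length]
            cursors[code] = start + length
            data = chunk.encode("utf-8") if isinstance(chunk, str) else chunk
            events.append((clock, "in" if code in "<[" else "out", data))
    return events


def stream_bytes(json_lines, stream):
    """Exact original bytes of one stream ('in' or 'out'), e.g. for playback."""
    return b"".join(data for _, s, data in replay(json_lines) if s == stream)


def group_by_recording(json_lines):
    """Aggregate messages by recording ID, as the Cockpit UI does with journal fields."""
    groups = defaultdict(list)
    for line in json_lines:
        groups[json.loads(line)["rec"]].append(line)
    return dict(groups)


def demo_messages():
    """Constructed sample session: a command, its output, then a file containing
    bytes that are not valid UTF-8 dumped to the terminal."""
    rec = Recorder("rec-0001", "alice", "host1", 80, 24, max_events=4)
    rec.record("out", b"$ ", 0)
    rec.record("in", b"cat blob\r", 1200)
    rec.record("out", b"cat blob\r\n", 1210)
    rec.record("out", b"hello \xff\xfe world \xe2\x9c\x93\n", 1300)
    rec.record("out", b"$ ", 1350)
    rec.flush()
    return rec.messages


if __name__ == "__main__":
    for line in demo_messages():
        print(line)
    print(stream_bytes(demo_messages(), "out"))
```

Because `in_txt` and `out_txt` only ever contain valid text, a log search over those fields works as the talk describes, while the `timing` list is what lets a player interleave them again and reproduce the original byte streams, including the two invalid bytes that were moved to `out_bin`.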