On 01/10/2014 04:33 AM, Ilya Frolov wrote:
> On Fri, Jan 10, 2014 at 1:16 PM, Bryan Harris <bryanlharris@xxxxxx> wrote:
>
> Hello,
>
> I'm wondering if it is possible to use selinux network & process labeling,
> iptables, and something like /usr/bin/script to create an environment
> where we can enforce session recording for ssh sessions.
>
> We will soon have a requirement to record our actions on customer
> environments, but at the same time we also need to block users who have
> not activated the recording. Is selinux policy an appropriate way to
> accomplish these requirements? I'd like to search for the details and
> learn more, but if I'm taking the wrong approach I'd like to know that
> before starting out.
>
> Any guidance is greatly appreciated. Thanks in advance.
>
> V/r, Bryan
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>
>
> Hello Bryan,
>
> have a look at ttyrec -- you can set it as shell to do ssh session
> recording per-user and without fiddling in kernel space, and you can
> enforce it that way even without selinux for non-root users.
>
> If you are interested in restricting root user and maybe play with the
> live system -- feel free to contact me offlist, I've done similar
> things for my selinux playbox, and (I'll check now) I think it's still
> alive.
>
>
> regards, ilya

You might want to look at pam_tty_audit also.