How to enable SSH session recording in CentOS 8

Learn how to enable SSH session recording in CentOS 8.

How to enable SSH session recording in CentOS 8

CentOS 8 has been released and it includes some really amazing features. One feature that many security admins will greatly appreciate is session recording. With this feature, CentOS will record any/all SSH sessions, which includes all of the user activity that occurs during the session. Once recorded, videos of these sessions can be played back by any admin with a Cockpit login.

What you'll need

To make this work, you'll need the following:

How to install necessary packages

Before that first session can be recorded, there are a few packages that must be installed. Open a terminal window and issue the following commands:

sudo dnf install tlog
sudo dnf install sssd
sudo dnf install cockpit-session-recording
sudo dnf install systemd-journal-remote

And that's all there is to the installation. At this point, whenever someone logs into the CentOS 8 server, they will be warned that the session is being recorded (Figure A).

Figure A


Your session is being recorded.

How to view sessions from Cockpit

Fire up a web browser and point it to https://SERVER_IP:9090 (where SERVER_IP is the IP address of your CentOS 8 server). Log in as an admin user and then click on Session Recording in the left navigation. 

In the resulting window (Figure B), you'll see all SSH logins since recording was enabled.

Figure B


Sessions have been recorded.

If you click on any one of those sessions, you can then click the associated play button to play back their sessions (Figure C).

Figure C


Playing back an SSH session.

And that's all there is to it. You can now view recordings of everything SSH users have done once they've logged onto your CentOS 8 server. But don't worry if the video is hard to follow. Below the player the entire log of the session will print out as the video plays. You can even search the log for specific entries and the results will appear in the log window as well as timestamps for the video.

Without a doubt, this is a feature every security admin will want to have on their servers.

Also see


Image: CentOS