Respond to PR feedback

Restore the introductory section with minor copy-edits.
gravitational · Apr 15, 2022 · cd3562d · cd3562d
1 parent 14b646c
commit cd3562d
Showing 1 changed file with 21 additions and 30 deletions.
diff --git a/docs/pages/server-access/guides/bpf-session-recording.mdx b/docs/pages/server-access/guides/bpf-session-recording.mdx
@@ -8,6 +8,26 @@ videoBanner: 8uO5H-iYw5A
 This guide explains Enhanced Session Recording for SSH with BPF and how to set
 it up in your Teleport cluster.
 
+Teleport's default [SSH and Kubernetes session recording](../../architecture/nodes.mdx#session-recording)
+feature captures what is echoed to a terminal.
+
+This has inherent advantages. For example, because no input is captured, Teleport
+session recordings typically do not contain passwords that were entered into a terminal.
+
+The disadvantage is that there are several techniques for rendering session
+recordings less useful:
+
+- **Obfuscation**. For example, even though the command
+  `echo Y3VybCBodHRwOi8vd3d3LmV4YW1wbGUuY29tCg== | base64 --decode | sh` does not contain
+  `curl http://www.example.com`, when decoded, that is what is run.
+- **Shell scripts**. For example, if a user uploads and executes a script, the commands run within the script are not captured, only the output.
+- **Terminal controls**. Terminals support a wide variety of controls including the ability for users to disable terminal echo. This is frequently used when requesting credentials. Disabling terminal echo allows commands to be run without being captured.
+
+Furthermore, due to their unstructured nature, session recordings are difficult to
+ingest and perform monitoring and alerting on.
+
+Teleport Enhanced Session Recording mitigates all three concerns by providing advanced security and greater logging capabilities, and better correlates a user with their activities.
+
 ## Prerequisites
 
 (!docs/pages/includes/edition-prereqs-tabs.mdx!)
@@ -50,35 +70,6 @@ it up in your Teleport cluster.
 
 (!docs/pages/includes/tctl.mdx!)
 
-## Background
-
-Teleport Nodes submit SSH session traffic to the Auth Service for
-storage, copying what is echoed in a terminal. These recorded sessions can be
-replayed later via the `tsh play` command or in the Teleport Web UI.
-
-The advantage of this approach is that, since no input is captured, these
-session recordings do not contain passwords that were entered into a terminal.
-
-The disadvantage is that session recordings can be bypassed using several
-techniques:
-
-- **Obfuscation**. For example, even though the command
-  `echo Y3VybCBodHRwOi8vd3d3LmV4YW1wbGUuY29tCg== | base64 --decode | sh` does not contain
-  `curl http://www.example.com`, when decoded, that is what is run.
-- **Shell scripts**. For example, if a user uploads and executes a script, the
-  commands run within the script are not captured, simply the output.
-- **Terminal controls**. Terminals support a wide variety of controls including
-  the ability for users to disable terminal echo. This is frequently used when
-  requesting credentials. Disabling terminal echo allows commands to be run
-  without being captured.
-
-Furthermore, due to their unstructured nature, session recordings are difficult to
-ingest and perform monitoring and alerting on.
-
-Teleport Enhanced Session Recording mitigates all three concerns by providing
-advanced security, greater logging capabilities, and better correlates a user
-with their activities.
-
 ## Step 1/2. Configure a Teleport Node
 
 ### Install Teleport on your Node
@@ -161,7 +152,7 @@ $ teleport start
 Enhanced session recording events will be shown in Teleport's audit log, which
 you can inspect by visiting Teleport's Web UI.
 
-Sessions with Enhanced Session Recording will include the
+Events emitted via Enhanced Session Recording will include the
 `"enhanced_recording": true` field in events similar to the following:
 
 ```json