Merge branch 'next-release'

* next-release:
  (SIMP-5098) Re-introduce tlog docss (#243) (#244) (#245)

CHANGELOG

@@ -1,3 +1,7 @@
+* Wed Oct 03 2018 Trevor Vaughan <tvaughan@onyxpoint.com>
+- Removed 'sudosh' information
+- Added 'tlog' information
+
 * Fri Sep 28 2018 Jeanne Greulich <jeanne.greulich@onyxpoint.com>
 - Remove obsolete 'HOWTO Configure a Puppet Master behind a NAT'
   and 'HOWTO Configure iptables NAT Rules'

docs/contributors_guide/maintenance/iso_release_procedures/Pre_Release_Checklist.rst

@@ -67,7 +67,6 @@ the RPMs for those projects exist by executing the ``pkg:check_published`` Rake
      ...
      Found Existing Remote RPM: pupmod-simp-stunnel-6.1.0-0.noarch.rpm
      Found Existing Remote RPM: pupmod-simp-sudo-5.0.3-0.noarch.rpm
-     Found Existing Remote RPM: pupmod-simp-sudosh-6.0.1-0.noarch.rpm
      ...
 
    .. IMPORTANT::
@@ -422,7 +421,7 @@ tested in acceptance/simp-packer tests) do function as advertised:
 * Local and LDAP users can change their passwords on both the SIMP
   server and client on CentOS 6 and CentOS 7.
 * The Rsyslog rules from ``simp_rsyslog``, ``syslog`` and
-  SIMP application modules (``aide``, ``sudosh``, etc.) result
+  SIMP application modules (``aide``, ``tlog``, etc.) result
   in application log messages being written to the correct local
   and remote log files.
 

docs/glossary.rst

@@ -655,11 +655,22 @@ Glossary of Terms
 
       Source: `Stunnel Home Page <https://www.stunnel.org/>`__
 
+   Sudo
+      ``sudo`` allows a permitted user to execute a command as the superuser or
+      another user, as specified by the security policy.  The invoking user's
+      real (not effective) user ID is used to determine the user name with
+      which to query the security policy.
+
+      Source: The ``SUDO(8)`` man page
+
    Sudosh
       An application that acts as an echo logger to enhance the auditing of
       privileged activities at the command line of the operating system.
       Utilities are available for playing back sudosh sessions in real time.
 
+      Sudosh has been replaced by :term:`Tlog` in the latest SIMP
+      distributions.
+
    SYN cookies
    syncookies
       A technique used to resist SYN flood attacks.
@@ -703,6 +714,15 @@ Glossary of Terms
 
       Source: `Wikipedia: TCP Wrappers <https://en.wikipedia.org/wiki/TCP_Wrappers>`__
 
+   Tlog
+      Tlog is a terminal I/O recording and playback package suitable for
+      implementing centralized user session recording.
+
+      Tlog has replaced :term:`Sudosh` as the preferred terminal logging
+      program in SIMP.
+
+      source: `The Tlog home page <https://github.com/Scribery/tlog/blob/master/README.md>`__
+
    TLS
    Transport Layer Security
       A cryptographic protocol that provides network communications security.

docs/security_conop/Technical_Security.rst

@@ -142,8 +142,9 @@ have several default settings including:
 *  Assignment of users into groups locally or centrally via LDAP. [:ref:`AC-2 (7)`]
 
    * By default, SIMP will have an administrators groups that has the ability
-     to run ``sudosh``. Implementations should further define administrators or
-     user groups and limit them with the Puppet ``sudo`` class.
+     to run ``sudo su - root``. Implementations should further define
+     administrators or user groups and limit them with the Puppet ``sudo``
+     class.
 
 Access Enforcement
 ------------------
@@ -231,7 +232,7 @@ Least Privilege
 SIMP does not allow ``root`` to directly :term:`SSH` into a system. Direct
 access to the ``root`` user must occur via a console (or at a virtual instance
 of the physical console) to log on. Otherwise, users must log on as themselves
-and perform privileged commands using ``sudo`` or ``sudosh``.
+and perform privileged commands using ``sudo``.
 [:ref:`AC-6`]
 
 :term:`NIST 800-53` least privilege security controls give people access to
@@ -305,7 +306,7 @@ OpenSSH software. OpenSSH provides both confidentiality and integrity of remote
 access sessions. The SSH :term:`IPTables` rules allow connections from any
 host. SSH relies on other Linux mechanisms to provide identification and
 authentication of a user.  As discussed in the auditing section, user actions
-are audited with the audit daemon (``auditd``) and :term:`sudosh`.
+are audited with the audit daemon (``auditd``) and :term:`Tlog`.
 [:ref:`AC-17`]
 
 Systems and Communications Protection
@@ -328,7 +329,7 @@ performing non-administrative activities. In both cases, general users with
 accounts on an individual host are allowed access to the host using the
 ``pam::access`` module, so long as they have an account on the target host. No
 user may perform or have access to administrative functions unless given
-``sudo`` or :term:`sudosh` privileges via Puppet.
+``sudo`` privileges via Puppet.
 
 Shared Resources
 ----------------
@@ -445,9 +446,9 @@ and applied if deemed applicable.
 
 Privileged commands are audited as part of the SIMP auditing configuration.
 This is accomplished by monitoring ``sudo`` commands with ``auditd``.
-The output of session interaction for administrators that use :term:`sudosh`
-are also logged. Each ``sudosh`` session can be reviewed using
-``sudosh-replay`` and are also sent to ``rsyslog``.
+The output of session interaction for administrative login shells is also
+collected using :term:`Tlog`. :term:`Tlog` session recordings are sent to
+:term:`Syslog` for further processing.
 [:ref:`AU-2 (4)`]
 
 Content of Audit Records

docs/security_mapping/Components.rst

@@ -22,5 +22,5 @@ as components).
   components/ssh/ssh.rst
   components/stunnel/stunnel.rst
   components/sudo/sudo.rst
-  components/sudosh/sudosh.rst
+  components/tlog/tlog.rst
   components/tcpwrappers/tcpwrappers.rst

docs/security_mapping/components/simp/authorize_access_to_security_functions/control.rst

@@ -2,7 +2,11 @@ Authorize Access to Security Functions
 --------------------------------------
 
 One of the main mechanisms to control access to security functions is the use of
-sudo.  SIMP installs the following sudo rules
+sudo.  SIMP installs the following :term:`sudo` rules:
+
+.. NOTE:
+   The lack of a required password is due to the presumption that users will be
+   using SSH keys, and not passwords, to access their systems.
 
 .. list-table::
   :header-rows: 1
@@ -12,7 +16,7 @@ sudo.  SIMP installs the following sudo rules
     - Run As Account
     - Password Required
   * - administrators
-    - /usr/bin/sudosh
+    - /bin/su - root -l
     - root
     - no
   * - administrators

docs/security_mapping/components/simp/centralized_management_of_planned_audit_record_content/control.rst

@@ -3,10 +3,12 @@ Centralized Management of Planned Audit Record Content
 
 SIMP centrally controls what audit events are recorded on the clients.  The
 SIMP module controls which of the those events are sent to local :term:`syslog`
-daemon so that they may be forwarded to a central syslog server. The following
-list contains the conditions to be met for the SIMP logs to be sent to syslog.
+daemon so that they may be optionally forwarded to a central syslog server. The
+following orthogonal list contains the conditions to be met for the SIMP logs
+to be sent to syslog.
 
-- $programname == 'sudosh'
+- $programname == 'tlog-rec-session'
+- $programname == 'tlog'
 - $programname =='yum'
 - $syslogfacility-text == 'cron'
 - $syslogfacility-text == 'authpriv'
@@ -22,7 +24,7 @@ configures the ``rsyslog`` daemon to accept logs from SIMP clients and places
 them in ``/var/log/hosts/``. The following files are created for each host in
 that directory:
 
-- sudosh.log
+- tlog.log
 - httpd.log
 - dhcpd.log
 - puppet-agent-err.log

docs/security_mapping/components/tlog/session_audit/control.rst

@@ -0,0 +1,31 @@
+Session Audit
+-------------
+
+The :term:`Tlog` application is installed on each SIMP node. It is set, by
+default, to log interactive shell sessions to privileged user accounts via a
+login shell hook.
+
+The ``tlog-rec-session`` application may optionally be set as the user's
+default shell to log all sessions without the optional hook.
+
+A ``tlog-play`` application is also provided to replay captured sessions.
+
+In addition to :term:`Tlog`, the :term:`PAM` module ``pam_tty_audit`` is used
+to record keystrokes during a ``root`` user's session.  Additional accounts can
+be audited by adding them to the parameter ``pam::tty_audit_users``.
+
+.. NOTE::
+   As a safeguard against recording sensitive credentials (such as passwords),
+   both ``tlog`` and ``pam_tty_audit`` do NOT record when ``echo`` is turned off.
+
+.. WARNING::
+   The audit logs **WILL RECORD SENSITIVE DETAILS** (such as passwords) for any
+   scripts or applications that:
+
+     * Do _not_ protect terminal output while entering or echoing sensitive data
+     * AND are run by an audited user (e.g., ``root``)
+
+   It is therefore HIGHLY RECOMMENDED to update any such scripts or
+   applications to turn of echo during these sensitive operations.
+
+References: :ref:`AU-14`

docs/security_mapping/components/tlog/tlog.rst

@@ -0,0 +1,13 @@
+Tlog
+====
+
+**Module Name**: ``pupmod-simp-tlog``
+
+This Puppet module provides the capability to use :term:`Tlog` to log
+designated login sessions to a :term:`syslog` server.
+
+.. toctree::
+  :maxdepth: 2
+  :glob:
+
+  */*

docs/user_guide/HOWTO/Central_Log_Collection/Rsyslog.rst

@@ -85,7 +85,7 @@ Using the following example ``Hash``:
 
 The ``programs`` line would match the following due to the highlighted section:
 
-* 2017-03-14T15:26:53.589793+00:00 sample.host.name **sudo**: test_user : TTY=pts/0 ; PWD=/home/test_user ; USER=root ; COMMAND=/bin/sudosh
+* 2017-03-14T15:26:53.589793+00:00 sample.host.name **sudo**: test_user : TTY=pts/0 ; PWD=/home/test_user ; USER=root ; COMMAND=/usr/sbin/visudo
 
 The ``facilities`` line would match the following because the listed facility is ``cron``:
 

docs/user_guide/SIMP_Administration/General_Administration/Session_Auditing.inc

@@ -1,14 +1,16 @@
 Session Auditing
 ----------------
 
-By default, a SIMP system uses :term:`Sudosh` to enable logging the output of
-sudo sessions to ``Rsyslog``.
+Older versions of SIMP used :term:`Sudosh` to enable logging of privileged user
+activities.
 
-To open a ``sudo`` session from a regular user to ``root``, you should type
-``sudo sudosh``.
+This has been replaced by :term:`Tlog` for a more seamless user experience and
+all activities should be able to be done without the need for additional
+explicit ``sudo`` commands from this point on.
 
-``sudosh`` logs are stored in ``/var/log/sudosh.log``. Sessions can be replayed
-by typing ``sudosh-syslog-replay``.
+By default, the actions of the ``root`` user at a login shell are audited.
+Please see the :term:`Tlog` documentation and the `SIMP Tlog Puppet Module`_
+for additional details.
 
 .. NOTE::
 
@@ -18,8 +20,10 @@ by typing ``sudosh-syslog-replay``.
 .. NOTE::
 
    If you built your system from an ISO, you will probably have a local
-   ``simp`` user that has the ability to run ``sudo su - root`` directly and
-   bypass ``sudosh``.
+   ``simp`` user that has the ability to run ``sudo su - root`` directly.
 
-   This is meant as an emergency 'break glass' user and should be removed or
-   disabled once your environment is configured to your satisfaction.
+   The ``simp`` user is meant as an emergency 'break glass' user and should be
+   removed or disabled once your environment is configured to your
+   satisfaction.
+
+.. _SIMP Tlog Puppet Module: https://github.com/simp/pupmod-simp-tlog

docs/user_guide/User_Management/LDAP.rst

@@ -103,8 +103,8 @@ that user:
 
 Ensure that an administrative account is created as soon as the SIMP system has
 been properly configured. Administrative accounts should belong to the
-``administrators`` LDAP group (gidNumber 700). Members of this LDAP group can
-utilize sudo sudosh for privilege escalation.
+``administrators`` LDAP group (gidNumber 700). By default, Members of this
+group can directly access a privileged shell via ``sudo su -``.
 
 .. NOTE::
    The ``pwdReset: TRUE`` command causes the user to change the
@@ -199,8 +199,8 @@ Add a Group
 
 SIMP systems are preconfigured with two groups:
 
-- ``administrators`` (700):  Group that has both sudosh and ssh privileges
-- ``users`` (100): Group that does not have sudosh or ssh privileges
+- ``administrators`` (700):  Group that has ssh and privilege escalation privileges
+- ``users`` (100): Group that does not have ssh or privilege escalation privileges
 
 To add another group:
 
@@ -380,8 +380,8 @@ To lock an LDAP account:
         -f /root/ldifs/lock_user.ldif
 
 .. NOTE::
-   The ``ldapmodify`` command is only effective when using the
-   *ppolicy* overlay.
+   The ``ldapmodify`` command is only effective when using the *ppolicy*
+   overlay.
 
 .. _unlock-ldap-label:
 
@@ -408,8 +408,8 @@ To unlock an LDAP account:
         -f /root/ldifs/unlock_account.ldif
 
 .. NOTE::
-   The ``ldapmodify`` command is only effective when using the
-   *ppolicy* overlay.
+   The ``ldapmodify`` command is only effective when using the *ppolicy*
+   overlay.
 
 Troubleshooting Issues
 ----------------------