====== To record all session using tlog ======

To set up a comprehensive session recording and shipping of logs using PAM and rsyslog on a Linux system, you will need to follow several steps. Below is a general guideline for achieving this:

==== tlog ====

To record and store session logs using tlog, you can follow these steps:

Install Tlog:

Make sure tlog is installed on your system. You can typically install it using your system's package manager. For example, on Debian-based systems:
<code bash>
sudo apt-get install tlog
</code>
Create a Directory for Tlog Logs:

Create a directory to store the Tlog session logs. This should be a secure location with appropriate permissions.
<code bash>
sudo mkdir /var/log/tlog
sudo chown root:adm /var/log/tlog
sudo chmod 750 /var/log/tlog
</code>

Create or edit the Tlog configuration file. The configuration file for tlog is often located at /etc/tlog/tlog-rec-session.conf. Customize it to meet your requirements. Below is a simple example:

<code ini /etc/tlog/tlog-rec-session.conf>
# /etc/tlog/tlog-rec-session.conf
tty_path = /var/log/tlog/%{user}/%Y-%m-%d/%{session}.%{tty}.log
</code>

This configuration will store session logs in /var/log/tlog directory in separate folders for each user.

Restart Services:

Restart the sshd service to apply the PAM changes:
<code bash>
sudo systemctl restart sshd
</code>
Test the Configuration:

Log in to the system via SSH or locally and execute some commands. The session logs should now be recorded in the /var/log/tlog directory.

=== Set Up Log Rotation ===


To prevent log files from growing indefinitely, set up log rotation for the Tlog logs in /etc/logrotate.d/tlog:
<code bash /etc/logrotate.d/tlog>
/var/log/tlog/*/*.log {
    weekly
    rotate 4
    compress
    missingok
    notifempty
}
</code>
Monitor and Secure the Logs:

Regularly monitor and secure the log files and directories to ensure they cannot be tampered with by unauthorized users.

Please note that the exact file paths and configuration options may vary depending on your Linux distribution and Tlog version. Always consult the documentation and configuration files specific to your system for the most accurate instructions.


==== Install and Configure Auditd ====

Install the auditd package on your Linux system if it's not already installed.
Configure Auditd to record login sessions. Create or edit file and add rules similar to the following:

<code bash /etc/audit/rules.d/audit.rules>
-a always,exit -F arch=b64 -S execve -C uid!=euid -k session
-a always,exit -F arch=b32 -S execve -C uid!=euid -k session
</code>
These rules ensure that all executed commands are logged.

Install and Configure auditd logging to rsyslog:

Edit and set the following parameter to forward logs to rsyslog:
<code bash /etc/audit/auditd.conf>
write_logs = yes
</code>
Install and Configure rsyslog:

configure it to receive logs from auditd. Add or modify lines like this:

<code bash /etc/rsyslog.d/audit.conf>
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
$ModLoad imfile
$InputFilePollInterval 10
$WorkDirectory /var/lib/rsyslog

# Send audit logs to a secure location
:programname, startswith, "auditd" -/var/log/audit/audit.log

# You can also forward logs to a remote syslog server if needed
*.* @remote-syslog-server:514
</code>

This configuration sends audit logs to /var/log/audit/audit.log. Adjust the path to your desired secure location.
==== PAM Configuration ====

Edit PAM configuration files such as /etc/pam.d/sshd for SSH or /etc/pam.d/login for local logins.
Add or modify PAM rules to include session recording. You can use the pam_tlog.so module if available on your system or another suitable module depending on your requirements.
Here's an example of a PAM configuration for SSH sessions:

<code bash /etc/pam.d/sshd>
# /etc/pam.d/sshd
session required pam_tlog.so
</code>

Ensure that session recording is placed in a directory like /var/log/tlog and configure it to use a secure location.

Restart Services:

Restart the auditd and rsyslog services to apply the changes:
<code bash>
sudo systemctl restart auditd
sudo systemctl restart rsyslog
</code>

Test the Configuration:

Log in to the system via SSH or locally and execute some commands.
Check the /var/log/audit/audit.log file and the /var/log/tlog directory for recorded sessions.
Please note that this is a basic setup, and the actual configuration may vary based on your specific requirements and the Linux distribution you are using. Additionally, ensure that your system's security policies and compliance requirements are met with this configuration.