Enhanced command search availability options in the WebUI within session recordings. #52721

Open
pnrao1983 opened this issue Mar 3, 2025 · 1 comment
Labels
c-extn Internal Customer Reference feature-request Used for new features in Teleport, improvements to current should be #enhancements

Comments

@pnrao1983
Contributor

What would you like Teleport to do?
Allow users to search session recordings based on specific commands or operations executed during the session in the Web UI.

What problem does this solve?
Currently, session recordings cannot be located based on the commands executed (for example, if I want to check who executed kubectl delete pod or anything like this). This makes it difficult to audit user actions, investigate security incidents, or track specific operational tasks. Implementing this feature would improve searchability, compliance, and incident response.

If a workaround exists, please include it.
At present, session recordings can only be reviewed manually or by correlating them with logs. While audit logs contain command executions, they do not link directly to the session recordings, making the process time-consuming and inefficient. We have the below feature request pending implementation for kube exec session audit events. Still, the customers want to have the command search option in the WebUI within the session recordings.
The other option to view offline below can be leveraged to search and view the commands executed in the terminal:

tsh recordings ls
ID                                   Type Participants Target                                  Timestamp
------------------------------------ ---- ------------ --------------------------------------- -----------------------
b2ed54eb-12a2-4c6e-96e8-d36004f2fd55 ssh  admin        ip-10-0-9-35.us-west-1.compute.internal Mar 3 2025 19:47:17 UTC
pnrao@pnrao ~ % tsh play b2ed54eb-12a2-4c6e-96e8-d36004f2fd55 --format json

#3530

@zmb3
Collaborator

zmb3 commented Mar 3, 2025

A bit of context:

> Currently, session recordings cannot be located based on the commands executed

The reason you don't see this is because session recordings capture the output that was observed on the PTY, not the commands that were executed.

It's true that for simple use cases involving a well-behaved user you can attempt to determine what commands were executed based on the contents of the PTY output, but this does not hold up against a user looking to hide their tracks and can't be counted on as a security feature.

We will likely look into some form of recording summarization (see #47083), which is adjacent but not identical to this request.

Another option is tsh play --format=text piped to grep.

Lastly, the session recording viewer in the web UI is searchable via cmd+f.
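
As an added illustration of the point above that recordings hold PTY output rather than commands (this is not Teleport code and not part of the original thread): a search over captured terminal bytes has to render colour codes and line editing before a pattern such as `kubectl delete pod` will match, and even then it only reports what was displayed. The function names and the sample byte stream are constructed for this example and do not reflect the actual `tsh play` output format.

```python
import re

# One token per match: a CSI sequence, an OSC sequence (e.g. window title), or one char.
TOKEN_RE = re.compile(
    r"\x1b\[(?P<params>[0-?]*)[ -/]*(?P<final>[@-~])"
    r"|(?P<osc>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\))"
    r"|(?P<ch>.)",
    re.S,
)

def render_line(raw):
    """Render one line of PTY output: apply backspace, carriage return and
    erase-to-end-of-line (CSI K); drop colours and other escape sequences.
    Cursor-movement sequences and full-screen programs are not modelled."""
    cells, col = [], 0
    for m in TOKEN_RE.finditer(raw):
        ch = m.group("ch")
        if ch is None:
            if m.group("final") == "K" and m.group("params") in ("", "0"):
                del cells[col:]          # erase from cursor to end of line
        elif ch == "\b":
            col = max(col - 1, 0)
        elif ch == "\r":
            col = 0
        elif ch >= " ":                  # printable: overwrite or append at cursor
            cells[col:col + 1] = [ch]
            col += 1
    return "".join(cells).rstrip()

def find_command(pty_output, pattern):
    """Return (line_number, rendered_line) for every rendered line matching pattern."""
    rx = re.compile(pattern)
    rendered = ((n, render_line(raw)) for n, raw in enumerate(pty_output.split("\n"), 1))
    return [(n, line) for n, line in rendered if rx.search(line)]

# Constructed sample (not real tsh output): coloured prompt, a typo fixed with backspace.
SAMPLE = (
    "\x1b]0;admin@node\x07\x1b[01;32madmin@node\x1b[0m:~$ kubectl get pods\r\n"
    "NAME    READY   STATUS\r\n"
    "web-0   1/1     Running\r\n"
    "\x1b[01;32madmin@node\x1b[0m:~$ kubectl dek\b\x1b[Klete pod web-0\r\n"
    'pod "web-0" deleted\r\n'
)

if __name__ == "__main__":
    print("raw substring match:", "kubectl delete pod" in SAMPLE)
    for n, line in find_command(SAMPLE, r"kubectl\s+delete\s+pod"):
        print(n, line)
```

A hit here is a lead for reviewing the recording, not proof that the command ran; audit events remain the record of what was executed.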
