Documentation
Solutions Guide

Session Recording

Record and replay every SSH, RDP, and database session. Complete visibility for compliance, forensics, and training.

Estimated time: 20 minutes

Supported Protocols

SSH Sessions

Full terminal recording with command logging

RDP Sessions

Video recording of Windows desktop sessions

Database Queries

SQL queries and results with execution time

Kubernetes

kubectl commands and pod exec sessions

Configuration Steps

1

Enable Session Recording

Configure the proxy service to record sessions.

# /etc/tigeraccess/config.yaml
proxy_service:
  enabled: true

  # Enable recording for all protocols
  ssh_service:
    enabled: true
    recording: true

  kubernetes_service:
    enabled: true
    recording: true

  db_service:
    enabled: true
    recording: true
2

Configure Storage Backend

Set up where recordings are stored (S3, GCS, MinIO).

tacctl create -f - <<EOF
kind: session_recording_config
metadata:
  name: default
spec:
  mode: proxy  # or 'node' for agent-side recording
  storage:
    type: s3
    bucket: tigeraccess-recordings
    region: us-east-1
    prefix: sessions/
  retention:
    max_age: 365d
EOF
3

Define Recording Policies

Control which sessions are recorded based on resources and roles.

tacctl create -f - <<EOF
kind: role
metadata:
  name: production-access
spec:
  options:
    # Always record production sessions
    record_session:
      default: best_effort
      ssh: strict  # Fail if recording fails

    # Enhanced recording for sensitive resources
    enhanced_recording:
      enabled: true
      command: true
      network: true
      disk: true
EOF
4

Set Up Search Index

Enable full-text search across all recordings.

tacctl create -f - <<EOF
kind: session_recording_config
metadata:
  name: search
spec:
  search:
    enabled: true
    backend: opensearch
    endpoint: https://search.company.com:9200
    index_prefix: tigeraccess-sessions
EOF
5

Access Recordings

View and search recordings via CLI or web UI.

# List recent sessions
tac recordings ls --from=24h

# Search for specific commands
tac recordings search "DROP TABLE"

# Play back a session
tac recordings play session-id-12345

# Export for compliance
tac recordings export session-id-12345 --format=mp4

Enterprise Configuration

Complete Recording Setup

# Complete session recording configuration
kind: session_recording_config
metadata:
  name: enterprise
spec:
  # Recording mode
  mode: proxy-sync  # Ensures recording before access

  # Storage configuration
  storage:
    type: s3
    bucket: company-tigeraccess-recordings
    region: us-east-1
    server_side_encryption: aws:kms
    kms_key_id: arn:aws:kms:us-east-1:123456789:key/abc123

  # Retention policies
  retention:
    default: 90d
    production: 365d
    pci_scope: 7y  # 7 years for PCI compliance

  # Search and indexing
  search:
    enabled: true
    backend: opensearch
    real_time: true

  # Compliance settings
  compliance:
    tamper_proof: true
    hash_algorithm: sha256
    signature_required: true

Session Recording Enabled

With session recording configured, you gain:

  • 100% visibility into all privileged sessions
  • Full-text search across all recordings
  • Cryptographically signed, tamper-proof evidence
  • Automated compliance report generation

Related Guides

Zero Trust Security

Implement zero trust architecture

Just-in-Time Access

Time-bound access with approvals

Multi-Factor Authentication

Strong authentication methods