1SUDOREPLAY(8) MAINTENANCE COMMANDS SUDOREPLAY(8)
2
6 sudoreplay - replay sudo session logs
7
9 sudoreplay [-d directory] [-f filter] [-m max_wait] [-s speed_factor]
10 ID
11 sudoreplay [-d directory] -l [search expression]
13
15 sudoreplay plays back or lists the session logs created by sudo. When
16 replaying, sudoreplay can play the session back in real-time, or the
17 playback speed may be adjusted (faster or slower) based on the command
18 line options. The ID should be a six character sequence of digits and
19 upper case letters, e.g. 0100A5, which is logged by sudo when a
20 command is run with session logging enabled.
21 In list mode, sudoreplay can be used to find the ID of a session based
23 on a number of criteria such as the user, tty or command run.
24 In replay mode, if the standard output has not been redirected,
26 sudoreplay will act on the following keys:
27 ' ' (space)
29 Pause output; press any key to resume.
30 '<' Reduce the playback speed by one half.
32 '>' Double the playback speed.
34
36 sudoreplay accepts the following command line options:
37 -d directory
39 Use directory to for the session logs instead of the
40 default, /var/log/sudo-io.
41 -f filter By default, sudoreplay will play back the command's
43 standard output, standard error and tty output. The -f
44 option can be used to select which of these to output. The
45 filter argument is a comma-separated list, consisting of
46 one or more of following: stdout, stderr, and ttyout.
47 -l Enable "list mode". In this mode, sudoreplay will list
49 available session IDs. If a search expression is
50 specified, it will be used to restrict the IDs that are
51 displayed. An expression is composed of the following
52 predicates:
53 command command pattern
55 Evaluates to true if the command run matches
56 command pattern. On systems with POSIX regular
57 expression support, the pattern may be an extended
58 regular expression. On systems without POSIX
59 regular expression support, a simple substring
60 match is performed instead.
61 cwd directory
63 Evaluates to true if the command was run with the
64 specified current working directory.
65 fromdate date
67 Evaluates to true if the command was run on or
68 after date. See "Date and time format" for a
69 description of supported date and time formats.
70 group runas_group
72 Evaluates to true if the command was run with the
73 specified runas_group. Note that unless a
74 runas_group was explicitly specified when sudo was
75 run this field will be empty in the log.
76 runas runas_user
78 Evaluates to true if the command was run as the
79 specified runas_user. Note that sudo runs commands
80 as user root by default.
81 todate date
83 Evaluates to true if the command was run on or
84 prior to date. See "Date and time format" for a
85 description of supported date and time formats.
86 tty tty Evaluates to true if the command was run on the
88 specified terminal device. The tty should be
89 specified without the /dev/ prefix, e.g. tty01
90 instead of /dev/tty01.
91 user user name
93 Evaluates to true if the ID matches a command run
94 by user name.
95 Predicates may be abbreviated to the shortest unique string
97 (currently all predicates may be shortened to a single
98 character).
99 Predicates may be combined using and, or and ! operators as
101 well as '(' and ')' for grouping (note that parentheses
102 must generally be escaped from the shell). The and
103 operator is optional, adjacent predicates have an implied
104 and unless separated by an or.
105 -m max_wait Specify an upper bound on how long to wait between key
107 presses or output data. By default, sudo_replay will
108 accurately reproduce the delays between key presses or
109 program output. However, this can be tedious when the
110 session includes long pauses. When the -m option is
111 specified, sudoreplay will limit these pauses to at most
112 max_wait seconds. The value may be specified as a floating
113 point number, .e.g. 2.5.
114 -s speed_factor
116 This option causes sudoreplay to adjust the number of
117 seconds it will wait between key presses or program output.
118 This can be used to slow down or speed up the display. For
119 example, a speed_factor of 2 would make the output twice as
120 fast whereas a speed_factor of <.5> would make the output
121 twice as slow.
122 -V The -V (version) option causes sudoreplay to print its
124 version number and exit.
125 Date and time format
127 The time and date may be specified multiple ways, common formats
128 include:
129 HH:MM:SS am MM/DD/CCYY timezone
131 24 hour time may be used in place of am/pm.
132 HH:MM:SS am Month, Day Year timezone
134 24 hour time may be used in place of am/pm, and month and day
135 names may be abbreviated. Note that month and day of the week
136 names must be specified in English.
137 CCYY-MM-DD HH:MM:SS
139 ISO time format
140 DD Month CCYY HH:MM:SS
142 The month name may be abbreviated.
143 Either time or date may be omitted, the am/pm and timezone are
145 optional. If no date is specified, the current day is assumed; if no
146 time is specified, the first second of the specified date is used. The
147 less significant parts of both time and date may also be omitted, in
148 which case zero is assumed. For example, the following are all valid:
149 The following are all valid time and date specifications:
151 now The current time and date.
153 tomorrow
155 Exactly one day from now.
156 yesterday
158 24 hours ago.
159 2 hours ago
161 2 hours ago.
162 next Friday
164 The first second of the next Friday.
165 this week
167 The current time but the first day of the coming week.
168 a fortnight ago
170 The current time but 14 days ago.
171 10:01 am 9/17/2009
173 10:01 am, September 17, 2009.
174 10:01 am
176 10:01 am on the current day.
177 10 10:00 am on the current day.
179 9/17/2009
181 00:00 am, September 17, 2009.
182 10:01 am Sep 17, 2009
184 10:01 am, September 17, 2009.
185
187 /var/log/sudo-io The default I/O log directory.
188 /var/log/sudo-io/00/00/01/log
190 Example session log info.
191 /var/log/sudo-io/00/00/01/stdin
193 Example session standard input log.
194 /var/log/sudo-io/00/00/01/stdout
196 Example session standard output log.
197 /var/log/sudo-io/00/00/01/stderr
199 Example session standard error log.
200 /var/log/sudo-io/00/00/01/ttyin
202 Example session tty input file.
203 /var/log/sudo-io/00/00/01/ttyout
205 Example session tty output file.
206 /var/log/sudo-io/00/00/01/timing
208 Example session timing file.
209 Note that the stdin, stdout and stderr files will be empty unless sudo
211 was used as part of a pipeline for a particular command.
212
214 List sessions run by user millert:
215 sudoreplay -l user millert
217 List sessions run by user bob with a command containing the string vi:
219 sudoreplay -l user bob command vi
221 List sessions run by user jeff that match a regular expression:
223 sudoreplay -l user jeff command '/bin/[a-z]*sh'
225 List sessions run by jeff or bob on the console:
227 sudoreplay -l ( user jeff or user bob ) tty console
229
231 sudo(8), script(1)
232
234 Todd C. Miller
235
237 If you feel you have found a bug in sudoreplay, please submit a bug
238 report at http://www.sudo.ws/sudo/bugs/
239
241 Limited free support is available via the sudo-users mailing list, see
242 http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
243 the archives.
244
246 sudoreplay is provided ``AS IS'' and any express or implied warranties,
247 including, but not limited to, the implied warranties of
248 merchantability and fitness for a particular purpose are disclaimed.
249 See the LICENSE file distributed with sudo or
250 http://www.sudo.ws/sudo/license.html for complete details.
2511.7.4 July 12, 2010 SUDOREPLAY(8)