1SUDOREPLAY(8) BSD System Manager's Manual SUDOREPLAY(8)
2
4 sudoreplay — replay sudo session logs
5
7 sudoreplay [-FhnRS] [-d dir] [-f filter] [-m num] [-s num] ID[@offset]
8 sudoreplay [-h] [-d dir] -l [search expression]
10
12 sudoreplay plays back or lists the output logs created by sudo. When re‐
13 playing, sudoreplay can play the session back in real-time, or the play‐
14 back speed may be adjusted (faster or slower) based on the command line
15 options.
16 The ID should either be a six character sequence of digits and upper case
18 letters, e.g., “0100A5” or a path name. The ID may include an optional
19 @offset suffix which may be used to start replaying at a specific time
20 offset. The @offset is specified as a number in seconds since the start
21 of the session with an optional decimal fraction.
22 Path names may be relative to the I/O log directory /var/log/sudo-io (un‐
24 less overridden by the -d option) or fully qualified, beginning with a
25 ‘/’ character. When a command is run via sudo with log_output enabled in
26 the sudoers file, a “TSID=ID” string is logged via syslog(3) or to the
27 sudo log file. The ID may also be determined using sudoreplay's list
28 mode.
29 In list mode, sudoreplay can be used to find the ID of a session based on
31 a number of criteria such as the user, tty, or command run.
32 In replay mode, if the standard input and output are connected to a ter‐
34 minal and the -n option is not specified, sudoreplay will operate inter‐
35 actively. In interactive mode, sudoreplay will attempt to adjust the
36 terminal size to match that of the session and write directly to the ter‐
37 minal (not all terminals support this). Additionally, it will poll the
38 keyboard and act on the following keys:
39 ‘\n’ or ‘\r’ Skip to the next replay event; useful for long pauses.
41 ‘ ’ (space) Pause output; press any key to resume.
43 ‘<’ Reduce the playback speed by one half.
45 ‘>’ Double the playback speed.
47 The session can be interrupted via control-C. When the session has fin‐
49 ished, the terminal is restored to its original size if it was changed
50 during playback.
51 The options are as follows:
53 -d dir, --directory=dir
55 Store session logs in dir instead of the default,
56 /var/log/sudo-io.
57 -f filter, --filter=filter
59 Select which I/O type(s) to display. By default, sudoreplay will
60 display the command's standard output, standard error, and tty
61 output. The filter argument is a comma-separated list, consist‐
62 ing of one or more of following: stdin, stdout, stderr, ttyin,
63 and ttyout.
64 -F, --follow
66 Enable “follow mode”. When replaying a session, sudoreplay will
67 ignore end-of-file and keep replaying until the log is complete.
68 This can be used to replay a session that is still in progress,
69 similar to “tail -f”. An I/O log file is considered to be com‐
70 plete when the write bits have been cleared on the session's tim‐
71 ing file. Versions of sudo prior to 1.9.1 do not clear the write
72 bits upon completion.
73 -h, --help
75 Display a short help message to the standard output and exit.
76 -l, --list [search expression]
78 Enable “list mode”. In this mode, sudoreplay will list available
79 sessions in a format similar to the sudo log file format, sorted
80 by file name (or sequence number). Any control characters
81 present in the log data are formatted in octal with a leading ‘#’
82 character. For example, a horizontal tab is displayed as ‘#011’
83 and an embedded carriage return is displayed as ‘#015’. Space
84 characters in the command name and arguments are also formatted
85 in octal.
86 If a search expression is specified, it will be used to restrict
88 the IDs that are displayed. An expression is composed of the
89 following predicates:
90 command pattern
92 Evaluates to true if the command run matches the POSIX
93 extended regular expression pattern.
94 cwd directory
96 Evaluates to true if the command was run with the speci‐
97 fied current working directory.
98 fromdate date
100 Evaluates to true if the command was run on or after
101 date. See Date and time format for a description of sup‐
102 ported date and time formats.
103 group runas_group
105 Evaluates to true if the command was run with the speci‐
106 fied runas_group. Unless a runas_group was explicitly
107 specified when sudo was run this field will be empty in
108 the log.
109 host hostname
111 Evaluates to true if the command was run on the specified
112 hostname.
113 runas runas_user
115 Evaluates to true if the command was run as the specified
116 runas_user. By default, sudo runs commands as the root
117 user.
118 todate date
120 Evaluates to true if the command was run on or prior to
121 date. See Date and time format for a description of sup‐
122 ported date and time formats.
123 tty tty name
125 Evaluates to true if the command was run on the specified
126 terminal device. The tty name should be specified with‐
127 out the /dev/ prefix, e.g., tty01 instead of /dev/tty01.
128 user user name
130 Evaluates to true if the ID matches a command run by user
131 name.
132 Predicates may be abbreviated to the shortest unique string.
134 Predicates may be combined using and, or, and ! operators as well
136 as ‘(’ and ‘)’ grouping (parentheses must generally be escaped
137 from the shell). The and operator is optional, adjacent predi‐
138 cates have an implied and unless separated by an or.
139 -m, --max-wait max_wait
141 Specify an upper bound on how long to wait between key presses or
142 output data. By default, sudoreplay will accurately reproduce
143 the delays between key presses or program output. However, this
144 can be tedious when the session includes long pauses. When the
145 -m option is specified, sudoreplay will limit these pauses to at
146 most max_wait seconds. The value may be specified as a floating
147 point number, e.g., 2.5. A max_wait of zero or less will elimi‐
148 nate the pauses entirely.
149 -n, --non-interactive
151 Do not prompt for user input or attempt to re-size the terminal.
152 The session is written to the standard output, not directly to
153 the user's terminal.
154 -R, --no-resize
156 Do not attempt to re-size the terminal to match the terminal size
157 of the session.
158 -S, --suspend-wait
160 Wait while the command was suspended. By default, sudoreplay
161 will ignore the time interval between when the command was sus‐
162 pended and when it was resumed. If the -S option is specified,
163 sudoreplay will wait instead.
164 -s, --speed speed_factor
166 This option causes sudoreplay to adjust the number of seconds it
167 will wait between key presses or program output. This can be
168 used to slow down or speed up the display. For example, a
169 speed_factor of 2 would make the output twice as fast whereas a
170 speed_factor of .5 would make the output twice as slow.
171 -V, --version
173 Print the sudoreplay versions version number and exit.
174 Date and time format
176 The time and date may be specified multiple ways, common formats include:
177 HH:MM:SS am MM/DD/CCYY timezone
179 24 hour time may be used in place of am/pm.
180 HH:MM:SS am Month, Day Year timezone
182 24 hour time may be used in place of am/pm, and month and day
183 names may be abbreviated. Month and day of the week names must
184 be specified in English.
185 CCYY-MM-DD HH:MM:SS
187 ISO time format
188 DD Month CCYY HH:MM:SS
190 The month name may be abbreviated.
191 Either time or date may be omitted, the am/pm and timezone are optional.
193 If no date is specified, the current day is assumed; if no time is speci‐
194 fied, the first second of the specified date is used. The less signifi‐
195 cant parts of both time and date may also be omitted, in which case zero
196 is assumed.
197 The following are all valid time and date specifications:
199 now The current time and date.
201 tomorrow
203 Exactly one day from now.
204 yesterday
206 24 hours ago.
207 2 hours ago
209 2 hours ago.
210 next Friday
212 The first second of the Friday in the next (upcoming) week. Not
213 to be confused with “this Friday” which would match the Friday of
214 the current week.
215 last week
217 The current time but 7 days ago. This is equivalent to “a week
218 ago”.
219 a fortnight ago
221 The current time but 14 days ago.
222 10:01 am 9/17/2009
224 10:01 am, September 17, 2009.
225 10:01 am
227 10:01 am on the current day.
228 10 10:00 am on the current day.
230 9/17/2009
232 00:00 am, September 17, 2009.
233 10:01 am Sep 17, 2009
235 10:01 am, September 17, 2009.
236 Relative time specifications do not always work as expected. For exam‐
238 ple, the “next” qualifier is intended to be used in conjunction with a
239 day such as “next Monday”. When used with units of weeks, months, years,
240 etc the result will be one more than expected. For example, “next week”
241 will result in a time exactly two weeks from now, which is probably not
242 what was intended. This will be addressed in a future version of
243 sudoreplay.
244 Debugging sudoreplay
246 sudoreplay versions 1.8.4 and higher support a flexible debugging frame‐
247 work that is configured via Debug lines in the sudo.conf(5) file.
248 For more information on configuring sudo.conf(5), refer to its manual.
250
252 /etc/sudo.conf Debugging framework configuration
253 /var/log/sudo-io The default I/O log directory.
255 /var/log/sudo-io/00/00/01/log
257 Example session log info.
258 /var/log/sudo-io/00/00/01/log.json
260 Example session log info (JSON format).
261 /var/log/sudo-io/00/00/01/stdin
263 Example session standard input log.
264 /var/log/sudo-io/00/00/01/stdout
266 Example session standard output log.
267 /var/log/sudo-io/00/00/01/stderr
269 Example session standard error log.
270 /var/log/sudo-io/00/00/01/ttyin
272 Example session tty input file.
273 /var/log/sudo-io/00/00/01/ttyout
275 Example session tty output file.
276 /var/log/sudo-io/00/00/01/timing
278 Example session timing file.
279 The stdin, stdout and stderr files will be empty unless sudo was used as
281 part of a pipeline for a particular command.
282
284 List sessions run by user millert:
285 # sudoreplay -l user millert
287 List sessions run by user bob with a command containing the string vi:
289 # sudoreplay -l user bob command vi
291 List sessions run by user jeff that match a regular expression:
293 # sudoreplay -l user jeff command '/bin/[a-z]*sh'
295 List sessions run by jeff or bob on the console:
297 # sudoreplay -l ( user jeff or user bob ) tty console
299
301 script(1), sudo.conf(5), sudo(8)
302
304 Many people have worked on sudo over the years; this version consists of
305 code written primarily by:
306 Todd C. Miller
308 See the CONTRIBUTORS.md file in the sudo distribution
310 (https://www.sudo.ws/about/contributors/) for an exhaustive list of peo‐
311 ple who have contributed to sudo.
312
314 If you believe you have found a bug in sudoreplay, you can submit a bug
315 report at https://bugzilla.sudo.ws/
316
318 Limited free support is available via the sudo-users mailing list, see
319 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
320 the archives.
321
323 sudoreplay is provided “AS IS” and any express or implied warranties, in‐
324 cluding, but not limited to, the implied warranties of merchantability
325 and fitness for a particular purpose are disclaimed. See the LICENSE.md
326 file distributed with sudo or https://www.sudo.ws/about/license/ for com‐
327 plete details.
328Sudo 1.9.14p3 January 16, 2023 Sudo 1.9.14p3