1SUDOREPLAY(8) BSD System Manager's Manual SUDOREPLAY(8)
2
4 sudoreplay — replay sudo session logs
5
7 sudoreplay [-hnRS] [-d dir] [-f filter] [-m num] [-s num] ID
8
9 sudoreplay [-h] [-d dir] -l [search expression]
10
12 sudoreplay plays back or lists the output logs created by sudo. When
13 replaying, sudoreplay can play the session back in real-time, or the
14 playback speed may be adjusted (faster or slower) based on the command
15 line options.
16
17 The ID should either be a six character sequence of digits and upper case
18 letters, e.g., 0100A5, a pattern matching the iolog_file option in the
19 sudoers file, or a path name. Path names may be relative to the
20 iolog_dir option in the sudoers file (unless overridden by the -d option)
21 or fully qualified, beginning with a ‘/’ character. When a command is
22 run via sudo with log_output enabled in the sudoers file, a TSID=ID
23 string is logged via syslog or to the sudo log file. The ID may also be
24 determined using sudoreplay's list mode.
25
26 In list mode, sudoreplay can be used to find the ID of a session based on
27 a number of criteria such as the user, tty or command run.
28
29 In replay mode, if the standard input and output are connected to a ter‐
30 minal and the -n option is not specified, sudoreplay will operate inter‐
31 actively. In interactive mode, sudoreplay will attempt to adjust the
32 terminal size to match that of the session and write directly to the ter‐
33 minal (not all terminals support this). Additionally, it will poll the
34 keyboard and act on the following keys:
35
36 ‘\n’ or ‘\r’ Skip to the next replay event; useful for long pauses.
37
38 ‘ ’ (space) Pause output; press any key to resume.
39
40 ‘<’ Reduce the playback speed by one half.
41
42 ‘>’ Double the playback speed.
43
44 The session can be interrupted via control-C. When the session has fin‐
45 ished, the terminal is restored to its original size if it was changed
46 during playback.
47
48 The options are as follows:
49
50 -d dir, --directory=dir
51 Store session logs in dir instead of the default,
52 /var/log/sudo-io.
53
54 -f filter, --filter=filter
55 Select which I/O type(s) to display. By default, sudoreplay
56 will display the command's standard output, standard error
57 and tty output. The filter argument is a comma-separated
58 list, consisting of one or more of following: stdin, stdout,
59 stderr, ttyin, and ttyout.
60
61 -h, --help Display a short help message to the standard output and exit.
62
63 -l, --list [search expression]
64 Enable “list mode”. In this mode, sudoreplay will list
65 available sessions in a format similar to the sudo log file
66 format, sorted by file name (or sequence number). If a
67 search expression is specified, it will be used to restrict
68 the IDs that are displayed. An expression is composed of the
69 following predicates:
70
71 command pattern
72 Evaluates to true if the command run matches the
73 POSIX extended regular expression pattern.
74
75 cwd directory
76 Evaluates to true if the command was run with the
77 specified current working directory.
78
79 fromdate date
80 Evaluates to true if the command was run on or after
81 date. See Date and time format for a description of
82 supported date and time formats.
83
84 group runas_group
85 Evaluates to true if the command was run with the
86 specified runas_group. Note that unless a
87 runas_group was explicitly specified when sudo was
88 run this field will be empty in the log.
89
90 runas runas_user
91 Evaluates to true if the command was run as the spec‐
92 ified runas_user. Note that sudo runs commands as
93 user root by default.
94
95 todate date
96 Evaluates to true if the command was run on or prior
97 to date. See Date and time format for a description
98 of supported date and time formats.
99
100 tty tty name
101 Evaluates to true if the command was run on the spec‐
102 ified terminal device. The tty name should be speci‐
103 fied without the /dev/ prefix, e.g., tty01 instead of
104 /dev/tty01.
105
106 user user name
107 Evaluates to true if the ID matches a command run by
108 user name.
109
110 Predicates may be abbreviated to the shortest unique string.
111
112 Predicates may be combined using and, or and ! operators as
113 well as ‘(’ and ‘)’ grouping (note that parentheses must gen‐
114 erally be escaped from the shell). The and operator is
115 optional, adjacent predicates have an implied and unless sep‐
116 arated by an or.
117
118 -m, --max-wait max_wait
119 Specify an upper bound on how long to wait between key
120 presses or output data. By default, sudoreplay will accu‐
121 rately reproduce the delays between key presses or program
122 output. However, this can be tedious when the session
123 includes long pauses. When the -m option is specified,
124 sudoreplay will limit these pauses to at most max_wait sec‐
125 onds. The value may be specified as a floating point number,
126 e.g., 2.5. A max_wait of zero or less will eliminate the
127 pauses entirely.
128
129 -n, --non-interactive
130 Do not prompt for user input or attempt to re-size the termi‐
131 nal. The session is written to the standard output, not
132 directly to the user's terminal.
133
134 -R, --no-resize
135 Do not attempt to re-size the terminal to match the terminal
136 size of the session.
137
138 -S, --suspend-wait
139 Wait while the command was suspended. By default, sudoreplay
140 will ignore the time interval between when the command was
141 suspended and when it was resumed. If the -S option is spec‐
142 ified, sudoreplay will wait instead.
143
144 -s, --speed speed_factor
145 This option causes sudoreplay to adjust the number of seconds
146 it will wait between key presses or program output. This can
147 be used to slow down or speed up the display. For example, a
148 speed_factor of 2 would make the output twice as fast whereas
149 a speed_factor of .5 would make the output twice as slow.
150
151 -V, --version
152 Print the sudoreplay versions version number and exit.
153
154 Date and time format
155 The time and date may be specified multiple ways, common formats include:
156
157 HH:MM:SS am MM/DD/CCYY timezone
158 24 hour time may be used in place of am/pm.
159
160 HH:MM:SS am Month, Day Year timezone
161 24 hour time may be used in place of am/pm, and month and day
162 names may be abbreviated. Note that month and day of the week
163 names must be specified in English.
164
165 CCYY-MM-DD HH:MM:SS
166 ISO time format
167
168 DD Month CCYY HH:MM:SS
169 The month name may be abbreviated.
170
171 Either time or date may be omitted, the am/pm and timezone are optional.
172 If no date is specified, the current day is assumed; if no time is speci‐
173 fied, the first second of the specified date is used. The less signifi‐
174 cant parts of both time and date may also be omitted, in which case zero
175 is assumed.
176
177 The following are all valid time and date specifications:
178
179 now The current time and date.
180
181 tomorrow
182 Exactly one day from now.
183
184 yesterday
185 24 hours ago.
186
187 2 hours ago
188 2 hours ago.
189
190 next Friday
191 The first second of the Friday in the next (upcoming) week. Not
192 to be confused with “this Friday” which would match the Friday of
193 the current week.
194
195 last week
196 The current time but 7 days ago. This is equivalent to “a week
197 ago”.
198
199 a fortnight ago
200 The current time but 14 days ago.
201
202 10:01 am 9/17/2009
203 10:01 am, September 17, 2009.
204
205 10:01 am
206 10:01 am on the current day.
207
208 10 10:00 am on the current day.
209
210 9/17/2009
211 00:00 am, September 17, 2009.
212
213 10:01 am Sep 17, 2009
214 10:01 am, September 17, 2009.
215
216 Note that relative time specifications do not always work as expected.
217 For example, the “next” qualifier is intended to be used in conjunction
218 with a day such as “next Monday”. When used with units of weeks, months,
219 years, etc the result will be one more than expected. For example, “next
220 week” will result in a time exactly two weeks from now, which is probably
221 not what was intended. This will be addressed in a future version of
222 sudoreplay.
223
224 Debugging sudoreplay
225 sudoreplay versions 1.8.4 and higher support a flexible debugging frame‐
226 work that is configured via Debug lines in the sudo.conf(5) file.
227
228 For more information on configuring sudo.conf(5), please refer to its
229 manual.
230
232 /etc/sudo.conf Debugging framework configuration
233
234 /var/log/sudo-io The default I/O log directory.
235
236 /var/log/sudo-io/00/00/01/log
237 Example session log info.
238
239 /var/log/sudo-io/00/00/01/stdin
240 Example session standard input log.
241
242 /var/log/sudo-io/00/00/01/stdout
243 Example session standard output log.
244
245 /var/log/sudo-io/00/00/01/stderr
246 Example session standard error log.
247
248 /var/log/sudo-io/00/00/01/ttyin
249 Example session tty input file.
250
251 /var/log/sudo-io/00/00/01/ttyout
252 Example session tty output file.
253
254 /var/log/sudo-io/00/00/01/timing
255 Example session timing file.
256
257 Note that the stdin, stdout and stderr files will be empty unless sudo
258 was used as part of a pipeline for a particular command.
259
261 List sessions run by user millert:
262
263 # sudoreplay -l user millert
264
265 List sessions run by user bob with a command containing the string vi:
266
267 # sudoreplay -l user bob command vi
268
269 List sessions run by user jeff that match a regular expression:
270
271 # sudoreplay -l user jeff command '/bin/[a-z]*sh'
272
273 List sessions run by jeff or bob on the console:
274
275 # sudoreplay -l ( user jeff or user bob ) tty console
276
278 script(1), sudo.conf(5), sudo(8)
279
281 Many people have worked on sudo over the years; this version consists of
282 code written primarily by:
283
284 Todd C. Miller
285
286 See the CONTRIBUTORS file in the sudo distribution
287 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
288 who have contributed to sudo.
289
291 If you feel you have found a bug in sudoreplay, please submit a bug
292 report at https://bugzilla.sudo.ws/
293
295 Limited free support is available via the sudo-users mailing list, see
296 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
297 the archives.
298
300 sudoreplay is provided “AS IS” and any express or implied warranties,
301 including, but not limited to, the implied warranties of merchantability
302 and fitness for a particular purpose are disclaimed. See the LICENSE
303 file distributed with sudo or https://www.sudo.ws/license.html for com‐
304 plete details.
305
306Sudo 1.9.0b4 August 27, 2019 Sudo 1.9.0b4