1
Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
3
Permission to use, copy, modify, and distribute this software for any
4
purpose with or without fee is hereby granted, provided that the above
5
copyright notice and this permission notice appear in all copies.
7
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20
sudoreplay - replay sudo session logs
24
B<sudoreplay> [B<-h>] [B<-d> I<directory>] [B<-f> I<filter>] [B<-m> I<max_wait>] [B<-s> I<speed_factor>] ID
26
B<sudoreplay> [B<-h>] [B<-d> I<directory>] -l [search expression]
30
B<sudoreplay> plays back or lists the output logs created by B<sudo>.
31
When replaying, B<sudoreplay> can play the session back in real-time,
32
or the playback speed may be adjusted (faster or slower) based on
33
the command line options.
35
The I<ID> should either be a six character sequence of digits and
36
upper case letters, e.g. C<0100A5>, or a pattern matching the
37
I<iolog_file> option in the I<sudoers> file. When a command is run
38
via B<sudo> with I<log_output> enabled in the I<sudoers> file, a
39
C<TSID=ID> string is logged via syslog or to the B<sudo> log file.
40
The I<ID> may also be determined using B<sudoreplay>'s list mode.
42
In list mode, B<sudoreplay> can be used to find the ID of a session
43
based on a number of criteria such as the user, tty or command run.
45
In replay mode, if the standard output has not been redirected,
46
B<sudoreplay> will act on the following keys:
52
Pause output; press any key to resume.
56
Reduce the playback speed by one half.
60
Double the playback speed.
66
B<sudoreplay> accepts the following command line options:
72
Use I<directory> to for the session logs instead of the default,
77
By default, B<sudoreplay> will play back the command's standard
78
output, standard error and tty output. The I<-f> option can be
79
used to select which of these to output. The I<filter> argument
80
is a comma-separated list, consisting of one or more of following:
81
I<stdout>, I<stderr>, and I<ttyout>.
85
The B<-h> (I<help>) option causes B<sudoreplay> to print a short
86
help message to the standard output and exit.
88
=item -l [I<search expression>]
90
Enable "list mode". In this mode, B<sudoreplay> will list available
91
sessions in a format similar to the B<sudo> log file format, sorted
92
by file name (or sequence number). If a I<search expression> is
93
specified, it will be used to restrict the IDs that are displayed.
94
An expression is composed of the following predicates:
98
=item command I<command pattern>
100
Evaluates to true if the command run matches I<command pattern>.
101
On systems with POSIX regular expression support, the pattern may
102
be an extended regular expression. On systems without POSIX regular
103
expression support, a simple substring match is performed instead.
105
=item cwd I<directory>
107
Evaluates to true if the command was run with the specified current
110
=item fromdate I<date>
112
Evaluates to true if the command was run on or after I<date>.
113
See L<"Date and time format"> for a description of supported
114
date and time formats.
116
=item group I<runas_group>
118
Evaluates to true if the command was run with the specified
119
I<runas_group>. Note that unless a I<runas_group> was explicitly
120
specified when B<sudo> was run this field will be empty in the log.
122
=item runas I<runas_user>
124
Evaluates to true if the command was run as the specified I<runas_user>.
125
Note that B<sudo> runs commands as user I<root> by default.
129
Evaluates to true if the command was run on or prior to I<date>.
130
See L<"Date and time format"> for a description of supported
131
date and time formats.
135
Evaluates to true if the command was run on the specified terminal
136
device. The I<tty> should be specified without the F</dev/> prefix,
137
e.g. F<tty01> instead of F</dev/tty01>.
139
=item user I<user name>
141
Evaluates to true if the ID matches a command run by I<user name>.
145
Predicates may be abbreviated to the shortest unique string (currently
146
all predicates may be shortened to a single character).
148
Predicates may be combined using I<and>, I<or> and I<!> operators
149
as well as C<'('> and C<')'> for grouping (note that parentheses
150
must generally be escaped from the shell). The I<and> operator is
151
optional, adjacent predicates have an implied I<and> unless separated
156
Specify an upper bound on how long to wait between key presses or
157
output data. By default, B<sudo_replay> will accurately reproduce
158
the delays between key presses or program output. However, this
159
can be tedious when the session includes long pauses. When the
160
I<-m> option is specified, B<sudoreplay> will limit these pauses
161
to at most I<max_wait> seconds. The value may be specified as a
162
floating point number, .e.g. I<2.5>.
164
=item -s I<speed_factor>
166
This option causes B<sudoreplay> to adjust the number of seconds
167
it will wait between key presses or program output. This can be
168
used to slow down or speed up the display. For example, a
169
I<speed_factor> of I<2> would make the output twice as fast whereas
170
a I<speed_factor> of <.5> would make the output twice as slow.
174
The B<-V> (version) option causes B<sudoreplay> to print its version number
179
=head2 Date and time format
181
The time and date may be specified multiple ways, common formats include:
185
=item HH:MM:SS am MM/DD/CCYY timezone
187
24 hour time may be used in place of am/pm.
189
=item HH:MM:SS am Month, Day Year timezone
191
24 hour time may be used in place of am/pm, and month and day names
192
may be abbreviated. Note that month and day of the week names must
193
be specified in English.
195
=item CCYY-MM-DD HH:MM:SS
199
=item DD Month CCYY HH:MM:SS
201
The month name may be abbreviated.
205
Either time or date may be omitted, the am/pm and timezone are
206
optional. If no date is specified, the current day is assumed; if
207
no time is specified, the first second of the specified date is
208
used. The less significant parts of both time and date may also
209
be omitted, in which case zero is assumed. For example, the following
212
The following are all valid time and date specifications:
218
The current time and date.
222
Exactly one day from now.
234
The first second of the next Friday.
238
The current time but the first day of the coming week.
240
=item a fortnight ago
242
The current time but 14 days ago.
244
=item 10:01 am 9/17/2009
246
10:01 am, September 17, 2009.
250
10:01 am on the current day.
254
10:00 am on the current day.
258
00:00 am, September 17, 2009.
260
=item 10:01 am Sep 17, 2009
262
10:01 am, September 17, 2009.
270
=item F</var/log/sudo-io>
272
The default I/O log directory.
274
=item F</var/log/sudo-io/00/00/01/log>
276
Example session log info.
278
=item F</var/log/sudo-io/00/00/01/stdin>
280
Example session standard input log.
282
=item F</var/log/sudo-io/00/00/01/stdout>
284
Example session standard output log.
286
=item F</var/log/sudo-io/00/00/01/stderr>
288
Example session standard error log.
290
=item F</var/log/sudo-io/00/00/01/ttyin>
292
Example session tty input file.
294
=item F</var/log/sudo-io/00/00/01/ttyout>
296
Example session tty output file.
298
=item F</var/log/sudo-io/00/00/01/timing>
300
Example session timing file.
304
Note that the I<stdin>, I<stdout> and I<stderr> files will be empty
305
unless B<sudo> was used as part of a pipeline for a particular
310
List sessions run by user I<millert>:
312
sudoreplay -l user millert
314
List sessions run by user I<bob> with a command containing the string vi:
316
sudoreplay -l user bob command vi
318
List sessions run by user I<jeff> that match a regular expression:
320
sudoreplay -l user jeff command '/bin/[a-z]*sh'
322
List sessions run by jeff or bob on the console:
324
sudoreplay -l ( user jeff or user bob ) tty console
328
L<sudo(8)>, L<script(1)>
336
If you feel you have found a bug in B<sudoreplay>, please submit a bug report
337
at http://www.sudo.ws/sudo/bugs/
341
Limited free support is available via the sudo-users mailing list,
342
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
347
B<sudoreplay> is provided ``AS IS'' and any express or implied warranties,
348
including, but not limited to, the implied warranties of merchantability
349
and fitness for a particular purpose are disclaimed. See the LICENSE
350
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
351
for complete details.
added
removed
doc/sudoreplay.pod
