SUDOREPLAY(1m)             System Manager's Manual             SUDOREPLAY(1m)

NAME
     sudoreplay - replay sudo session logs

SYNOPSIS
     sudoreplay [-h] [-d directory] [-f filter] [-m max_wait]
                [-s speed_factor] ID

     sudoreplay [-h] [-d directory] -l [search expression]

DESCRIPTION
     sudoreplay plays back or lists the output logs created by sudo.  When
     replaying, sudoreplay can play the session back in real-time, or the
     playback speed may be adjusted (faster or slower) based on the command
     line options.

     The ID should be a six character sequence of digits and upper case
     letters, e.g. 0100A5.  When a command is run via sudo with log_output
     enabled in the sudoers file, a TSID=ID string is logged via syslog or to
     the sudo log file.  The ID may also be determined using sudoreplay's list
     mode.

     In list mode, sudoreplay can be used to find the ID of a session based on
     a number of criteria such as the user, tty or command run.

     In replay mode, if the standard output has not been redirected,
     sudoreplay will act on the following keys:

     ` ' (space)  Pause output; press any key to resume.

     `<'          Reduce the playback speed by one half.

     `>'          Double the playback speed.

     The options are as follows:

     -d directory  Use directory for the session logs instead of the
                   default, /var/log/sudo-io.

     -f filter     By default, sudoreplay will play back the command's
                   standard output, standard error and tty output.  The -f
                   option can be used to select which of these to output.
                   The filter argument is a comma-separated list, consisting
                   of one or more of the following: stdout, stderr, and
                   ttyout.

     -h            The -h (help) option causes sudoreplay to print a short
                   help message to the standard output and exit.

     -l [search expression]
                   Enable ``list mode''.  In this mode, sudoreplay will list
                   available sessions in a format similar to the sudo log
                   file format, sorted by file name (or sequence number).  If
                   a search expression is specified, it will be used to
                   restrict the IDs that are displayed.  An expression is
                   composed of the following predicates:

                   command pattern
                           Evaluates to true if the command run matches
                           pattern.  On systems with POSIX regular expression
                           support, the pattern may be an extended regular
                           expression.  On systems without POSIX regular
                           expression support, a simple substring match is
                           performed instead.

                   cwd directory
                           Evaluates to true if the command was run with the
                           specified current working directory.

                   fromdate date
                           Evaluates to true if the command was run on or
                           after date.  See Date and time format for a
                           description of supported date and time formats.

                   group runas_group
                           Evaluates to true if the command was run with the
                           specified runas_group.  Note that unless a
                           runas_group was explicitly specified when sudo was
                           run this field will be empty in the log.

                   runas runas_user
                           Evaluates to true if the command was run as the
                           specified runas_user.  Note that sudo runs
                           commands as user root by default.

                   todate date
                           Evaluates to true if the command was run on or
                           prior to date.  See Date and time format for a
                           description of supported date and time formats.

                   tty tty name
                           Evaluates to true if the command was run on the
                           specified terminal device.  The tty name should be
                           specified without the /dev/ prefix, e.g. tty01
                           instead of /dev/tty01.

                   user user name
                           Evaluates to true if the ID matches a command run
                           by user name.

                   Predicates may be abbreviated to the shortest unique
                   string (currently all predicates may be shortened to a
                   single character).

                   Predicates may be combined using and, or and ! operators
                   as well as `(' and `)' grouping (note that parentheses
                   must generally be escaped from the shell).  The and
                   operator is optional; adjacent predicates have an implied
                   and unless separated by an or.

     -m max_wait   Specify an upper bound on how long to wait between key
                   presses or output data.  By default, sudoreplay will
                   accurately reproduce the delays between key presses or
                   program output.  However, this can be tedious when the
                   session includes long pauses.  When the -m option is
                   specified, sudoreplay will limit these pauses to at most
                   max_wait seconds.  The value may be specified as a
                   floating point number, e.g. 2.5.

     -s speed_factor
                   This option causes sudoreplay to adjust the number of
                   seconds it will wait between key presses or program
                   output.  This can be used to slow down or speed up the
                   display.  For example, a speed_factor of 2 would make the
                   output twice as fast whereas a speed_factor of .5 would
                   make the output twice as slow.

     -V            The -V (version) option causes sudoreplay to print its
                   version number and exit.

   Date and time format
     The time and date may be specified in multiple ways; common formats
     include:

     HH:MM:SS am MM/DD/CCYY timezone
             24 hour time may be used in place of am/pm.

     HH:MM:SS am Month, Day Year timezone
             24 hour time may be used in place of am/pm, and month and day
             names may be abbreviated.  Note that month and day of the week
             names must be specified in English.

     CCYY-MM-DD HH:MM:SS
             ISO time format

     DD Month CCYY HH:MM:SS
             The month name may be abbreviated.

     Either time or date may be omitted; the am/pm and timezone are optional.
     If no date is specified, the current day is assumed; if no time is
     specified, the first second of the specified date is used.  The less
     significant parts of both time and date may also be omitted, in which
     case zero is assumed.

     The following are all valid time and date specifications:

     now     The current time and date.

     tomorrow
             Exactly one day from now.

     yesterday
             24 hours ago.

     2 hours ago
             2 hours ago.

     next Friday
             The first second of the next Friday.

     this week
             The current time but the first day of the coming week.

     a fortnight ago
             The current time but 14 days ago.

     10:01 am 9/17/2009
             10:01 am, September 17, 2009.

     10:01 am
             10:01 am on the current day.

     10      10:00 am on the current day.

     9/17/2009
             00:00 am, September 17, 2009.

     10:01 am Sep 17, 2009
             10:01 am, September 17, 2009.

FILES
     /var/log/sudo-io          The default I/O log directory.

     /var/log/sudo-io/00/00/01/log
                               Example session log info.

     /var/log/sudo-io/00/00/01/stdin
                               Example session standard input log.

     /var/log/sudo-io/00/00/01/stdout
                               Example session standard output log.

     /var/log/sudo-io/00/00/01/stderr
                               Example session standard error log.

     /var/log/sudo-io/00/00/01/ttyin
                               Example session tty input file.

     /var/log/sudo-io/00/00/01/ttyout
                               Example session tty output file.

     /var/log/sudo-io/00/00/01/timing
                               Example session timing file.

     Note that the stdin, stdout and stderr files will be empty unless sudo
     was used as part of a pipeline for a particular command.

EXAMPLES
     List sessions run by user millert:

           # sudoreplay -l user millert

     List sessions run by user bob with a command containing the string vi:

           # sudoreplay -l user bob command vi

     List sessions run by user jeff that match a regular expression:

           # sudoreplay -l user jeff command '/bin/[a-z]*sh'

     List sessions run by jeff or bob on the console:

           # sudoreplay -l \( user jeff or user bob \) tty console

SEE ALSO
     sudo(1m), script(1)

AUTHORS
     Todd C. Miller

BUGS
     If you feel you have found a bug in sudoreplay, please submit a bug
     report at http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     sudoreplay is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.7.10                      July 12, 2012                     Sudo 1.7.10
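Added example (not part of the original manual or of the sudo distribution): DESCRIPTION says a TSID=ID string is logged for each session, so this script pulls those IDs out of sudo log lines, checks them against the six-character format before they are used in a path or command, and prints the session directory with a replay command. The log lines are constructed, and the `` ; ''-separated field layout and the two-characters-per-directory mapping (as in the FILES paths) are assumptions.

```shell
#!/bin/sh
# Added example: map TSID=ID strings in sudo log lines to I/O log directories
# and sudoreplay commands. Log lines and field layout are constructed.
LC_ALL=C; export LC_ALL              # make [A-Z] mean ASCII upper case only
IOLOG_DIR=/var/log/sudo-io           # default directory named under -d

# valid_tsid ID: succeed only for six digits/upper-case letters (e.g. 0100A5).
valid_tsid() {
    case "$1" in *[!0-9A-Z]*) return 1 ;; esac
    [ "${#1}" -eq 6 ]
}

# tsid_to_dir ID: print the session directory; assumes two characters per level.
tsid_to_dir() {
    valid_tsid "$1" || { echo "invalid session ID: $1" >&2; return 1; }
    rest=${1#??}
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" "${1%????}" "${rest%??}" "${1#????}"
}

# extract_tsids: read log lines on stdin, print each well-formed ID once.
# Everything from COMMAND= on is dropped first, so a "TSID=" typed as a
# command argument is never mistaken for the logged session ID.
extract_tsids() {
    sed -n 's/ ; COMMAND=.*//; s/.* ; TSID=\([^ ;]*\).*/\1/p' | sort -u |
    while read -r id; do
        if valid_tsid "$id"; then echo "$id"; fi
    done
}

# replay_plan: for each ID on stdin print its directory and a replay command
# that caps pauses at 2 seconds (-m) and shows tty output only (-f).
replay_plan() {
    while read -r id; do
        dir=$(tsid_to_dir "$id") || continue
        printf '%s\tsudoreplay -m 2 -f ttyout %s\n' "$dir" "$id"
    done
}

# Constructed sample; the second line carries a spoofed TSID in its command.
sample_log() {
    cat <<'EOF'
Jul 12 10:01:00 host1 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; TSID=0100A5 ; COMMAND=/bin/vi /etc/hosts
Jul 12 10:05:12 host1 sudo:  jeff : TTY=console ; PWD=/ ; USER=root ; TSID=00001B ; COMMAND=/bin/echo ; TSID=ZZZZZZ
Jul 12 10:06:40 host1 sudo:  jeff : TTY=console ; PWD=/ ; USER=root ; COMMAND=/bin/ls
EOF
}

sample_log | extract_tsids | replay_plan
```

Feed extract_tsids the real sudo log or syslog file in place of sample_log; IDs that fail validation are dropped rather than turned into a path or passed to sudoreplay.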