SUDOREPLAY(1m)            System Manager's Manual            SUDOREPLAY(1m)

NAME
     sudoreplay - replay sudo session logs

SYNOPSIS
     sudoreplay [-h] [-d directory] [-f filter] [-m max_wait]
                [-s speed_factor] ID

     sudoreplay [-h] [-d directory] -l [search expression]

DESCRIPTION
     sudoreplay plays back or lists the output logs created by sudo.  When
     replaying, sudoreplay can play the session back in real-time, or the
     playback speed may be adjusted (faster or slower) based on the command

     The ID should either be a six character sequence of digits and upper case
     letters, e.g. 0100A5, or a pattern matching the iolog_file option in the
     sudoers file.  When a command is run via sudo with log_output enabled in
     the sudoers file, a TSID=ID string is logged via syslog or to the sudo
     log file.  The ID may also be determined using sudoreplay's list mode.

     In list mode, sudoreplay can be used to find the ID of a session based on
     a number of criteria such as the user, tty or command run.

     In replay mode, if the standard output has not been redirected,
     sudoreplay will act on the following keys:

     ` ' (space)  Pause output; press any key to resume.

     `<'          Reduce the playback speed by one half.

     `>'          Double the playback speed.

     The options are as follows:

     -d directory
             Use directory for the session logs instead of the default,
             /var/log/sudo-io.

     -f filter
             By default, sudoreplay will play back the command's standard
             output, standard error and tty output.  The -f option can be
             used to select which of these to output.  The filter argument
             is a comma-separated list, consisting of one or more of the
             following: stdout, stderr, and ttyout.

     -h      The -h (help) option causes sudoreplay to print a short help
             message to the standard output and exit.

     -l [search expression]
             Enable ``list mode''.  In this mode, sudoreplay will list
             available sessions in a format similar to the sudo log file
             format, sorted by file name (or sequence number).  If a
             search expression is specified, it will be used to restrict
             the IDs that are displayed.  An expression is composed of
             the following predicates:

             command pattern
                     Evaluates to true if the command run matches
                     pattern.  On systems with POSIX regular expression
                     support, the pattern may be an extended regular
                     expression.  On systems without POSIX regular
                     expression support, a simple sub-string match is

             cwd directory
                     Evaluates to true if the command was run with the
                     specified current working directory.

             fromdate date
                     Evaluates to true if the command was run on or
                     after date.  See Date and time format for a
                     description of supported date and time formats.

             group runas_group
                     Evaluates to true if the command was run with the
                     specified runas_group.  Note that unless a
                     runas_group was explicitly specified when sudo was
                     run this field will be empty in the log.

             runas runas_user
                     Evaluates to true if the command was run as the
                     specified runas_user.  Note that sudo runs commands
                     as user root by default.

             todate date
                     Evaluates to true if the command was run on or
                     prior to date.  See Date and time format for a
                     description of supported date and time formats.

             tty tty name
                     Evaluates to true if the command was run on the
                     specified terminal device.  The tty name should be
                     specified without the /dev/ prefix, e.g. tty01
                     instead of /dev/tty01.

             user user name
                     Evaluates to true if the ID matches a command run
                     by user name.

             Predicates may be abbreviated to the shortest unique string
             (currently all predicates may be shortened to a single

             Predicates may be combined using and, or and ! operators as
             well as `(' and `)' grouping (note that parentheses must
             generally be escaped from the shell).  The and operator is
             optional, adjacent predicates have an implied and unless
             separated by an or.

     -m max_wait
             Specify an upper bound on how long to wait between key
             presses or output data.  By default, sudoreplay will
             accurately reproduce the delays between key presses or
             program output.  However, this can be tedious when the
             session includes long pauses.  When the -m option is
             specified, sudoreplay will limit these pauses to at most
             max_wait seconds.  The value may be specified as a floating
             point number, e.g. 2.5.

     -s speed_factor
             This option causes sudoreplay to adjust the number of
             seconds it will wait between key presses or program output.
             This can be used to slow down or speed up the display.  For
             example, a speed_factor of 2 would make the output twice as
             fast whereas a speed_factor of .5 would make the output

     -V      The -V (version) option causes sudoreplay to print its
             version number and exit.

   Date and time format
     The time and date may be specified multiple ways, common formats include:

     HH:MM:SS am MM/DD/CCYY timezone
             24 hour time may be used in place of am/pm.

     HH:MM:SS am Month, Day Year timezone
             24 hour time may be used in place of am/pm, and month and day
             names may be abbreviated.  Note that month and day of the week
             names must be specified in English.

     DD Month CCYY HH:MM:SS
             The month name may be abbreviated.

     Either time or date may be omitted, the am/pm and timezone are optional.
     If no date is specified, the current day is assumed; if no time is
     specified, the first second of the specified date is used.  The less
     significant parts of both time and date may also be omitted, in which
     case zero is assumed.

     The following are all valid time and date specifications:

     now     The current time and date.

             Exactly one day from now.

             The first second of the next Friday.

             The current time but the first day of the coming week.

             The current time but 14 days ago.

             10:01 am, September 17, 2009.

             10:01 am on the current day.

     10      10:00 am on the current day.

             00:00 am, September 17, 2009.

     10:01 am Sep 17, 2009
             10:01 am, September 17, 2009.

FILES
     /var/log/sudo-io          The default I/O log directory.

     /var/log/sudo-io/00/00/01/log
                               Example session log info.

     /var/log/sudo-io/00/00/01/stdin
                               Example session standard input log.

     /var/log/sudo-io/00/00/01/stdout
                               Example session standard output log.

     /var/log/sudo-io/00/00/01/stderr
                               Example session standard error log.

     /var/log/sudo-io/00/00/01/ttyin
                               Example session tty input file.

     /var/log/sudo-io/00/00/01/ttyout
                               Example session tty output file.

     /var/log/sudo-io/00/00/01/timing
                               Example session timing file.

     Note that the stdin, stdout and stderr files will be empty unless sudo
     was used as part of a pipeline for a particular command.

EXAMPLES
     List sessions run by user millert:

           # sudoreplay -l user millert

     List sessions run by user bob with a command containing the string vi:

           # sudoreplay -l user bob command vi

     List sessions run by user jeff that match a regular expression:

           # sudoreplay -l user jeff command '/bin/[a-z]*sh'

     List sessions run by jeff or bob on the console:

           # sudoreplay -l \( user jeff or user bob \) tty console

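Added example (not part of the sudoreplay manual or the sudo distribution): extracting the TSID=ID strings that sudo logs when log_output is enabled and turning each one into a sudoreplay command for review. The sample log lines are constructed, their field layout is an assumption, and the ID-to-directory mapping is inferred from the /var/log/sudo-io/00/00/01 example paths on this page.

```shell
#!/bin/sh
# Added example; not code from the sudo distribution.
LC_ALL=C; export LC_ALL                    # keep [A-Z] ranges ASCII-only
IOLOG_DIR=${IOLOG_DIR:-/var/log/sudo-io}   # default I/O log directory

# Constructed sample lines; the field layout is an assumption.
SAMPLE_LOG='Feb  5 10:01:12 : millert : TTY=ttyp1 ; PWD=/home/millert ; USER=root ; TSID=000001 ; COMMAND=/bin/sh
Feb  5 10:07:40 : bob : TTY=console ; PWD=/tmp ; USER=root ; TSID=0100A5 ; COMMAND=/usr/bin/vi /etc/hosts
Feb  5 10:09:03 : jeff : TTY=ttyp2 ; PWD=/tmp ; USER=root ; TSID=0100A6 ; COMMAND=/bin/echo TSID=ZZZZZZ ; x
Feb  5 10:11:55 : jeff : TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls'

# Print the TSID of each logged session, one per line. Only the text before
# the first " ; COMMAND=" is searched, because everything after it is the
# command line typed by the user and may itself contain "TSID=".
extract_tsids() {
    awk '{
        c = index($0, " ; COMMAND=")
        head = (c ? substr($0, 1, c - 1) : $0)
        if (match(head, /TSID=[0-9A-Z]+/)) {
            id = substr(head, RSTART + 5, RLENGTH - 5)
            if (length(id) == 6) print id
        }
    }'
}

# Map a six-character ID to its session directory (000001 -> 00/00/01).
# Anything that is not six digits/upper-case letters is rejected, so text
# taken from a log can never end up as an arbitrary path component.
tsid_to_dir() {
    case $1 in
        [0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z]) ;;
        *) return 1 ;;
    esac
    rest=${1#??}
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" "${1%????}" "${rest%??}" "${1#????}"
}

# Emit one replay command per session found on stdin; -m 2.5 caps long pauses.
replay_commands() {
    extract_tsids | while read -r id; do
        dir=$(tsid_to_dir "$id") || continue
        printf 'sudoreplay -d %s -m 2.5 %s    # logs in %s\n' "$IOLOG_DIR" "$id" "$dir"
    done
}

printf '%s\n' "$SAMPLE_LOG" | replay_commands
```

An ID recovered this way can be cross-checked against list mode, e.g. `sudoreplay -l user jeff`, before the session is replayed.
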
SEE ALSO

AUTHORS

BUGS
     If you feel you have found a bug in sudoreplay, please submit a bug
     report at http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the

DISCLAIMER
     sudoreplay is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for

Sudo 1.8.7                     February 5, 2013                     Sudo 1.8.7