--- /dev/null
+Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+=pod
+
+=head1 NAME
+
+sudoreplay - replay sudo session logs
+
+=head1 SYNOPSIS
+
+B<sudoreplay> [B<-h>] [B<-d> I<directory>] [B<-f> I<filter>] [B<-m> I<max_wait>] [B<-s> I<speed_factor>] ID
+
+B<sudoreplay> [B<-h>] [B<-d> I<directory>] -l [search expression]
+
+=head1 DESCRIPTION
+
+B<sudoreplay> plays back or lists the output logs created by B<sudo>.
+When replaying, B<sudoreplay> can play the session back in real-time,
+or the playback speed may be adjusted (faster or slower) based on
+the command line options.
+
+The I<ID> should either be a six character sequence of digits and
+upper case letters, e.g. C<0100A5>, or a pattern matching the
+I<iolog_file> option in the I<sudoers> file. When a command is run
+via B<sudo> with I<log_output> enabled in the I<sudoers> file, a
+C<TSID=ID> string is logged via syslog or to the B<sudo> log file.
+The I<ID> may also be determined using B<sudoreplay>'s list mode.
+
+In list mode, B<sudoreplay> can be used to find the ID of a session
+based on a number of criteria such as the user, tty or command run.
+
+In replay mode, if the standard output has not been redirected,
+B<sudoreplay> will act on the following keys:
+
+=over 8
+
+=item ' ' (space)
+
+Pause output; press any key to resume.
+
+=item '<'
+
+Reduce the playback speed by one half.
+
+=item '>'
+
+Double the playback speed.
+
+=back
+
+=head1 OPTIONS
+
+B<sudoreplay> accepts the following command line options:
+
+=over 12
+
+=item -d I<directory>
+
+Use I<directory> to for the session logs instead of the default,
+F</var/log/sudo-io>.
+
+=item -f I<filter>
+
+By default, B<sudoreplay> will play back the command's standard
+output, standard error and tty output. The I<-f> option can be
+used to select which of these to output. The I<filter> argument
+is a comma-separated list, consisting of one or more of following:
+I<stdout>, I<stderr>, and I<ttyout>.
+
+=item -h
+
+The B<-h> (I<help>) option causes B<sudoreplay> to print a short
+help message to the standard output and exit.
+
+=item -l [I<search expression>]
+
+Enable "list mode". In this mode, B<sudoreplay> will list available
+sessions in a format similar to the B<sudo> log file format, sorted
+by file name (or sequence number). If a I<search expression> is
+specified, it will be used to restrict the IDs that are displayed.
+An expression is composed of the following predicates:
+
+=over 8
+
+=item command I<command pattern>
+
+Evaluates to true if the command run matches I<command pattern>.
+On systems with POSIX regular expression support, the pattern may
+be an extended regular expression. On systems without POSIX regular
+expression support, a simple substring match is performed instead.
+
+=item cwd I<directory>
+
+Evaluates to true if the command was run with the specified current
+working directory.
+
+=item fromdate I<date>
+
+Evaluates to true if the command was run on or after I<date>.
+See L<"Date and time format"> for a description of supported
+date and time formats.
+
+=item group I<runas_group>
+
+Evaluates to true if the command was run with the specified
+I<runas_group>. Note that unless a I<runas_group> was explicitly
+specified when B<sudo> was run this field will be empty in the log.
+
+=item runas I<runas_user>
+
+Evaluates to true if the command was run as the specified I<runas_user>.
+Note that B<sudo> runs commands as user I<root> by default.
+
+=item todate I<date>
+
+Evaluates to true if the command was run on or prior to I<date>.
+See L<"Date and time format"> for a description of supported
+date and time formats.
+
+=item tty I<tty>
+
+Evaluates to true if the command was run on the specified terminal
+device. The I<tty> should be specified without the F</dev/> prefix,
+e.g. F<tty01> instead of F</dev/tty01>.
+
+=item user I<user name>
+
+Evaluates to true if the ID matches a command run by I<user name>.
+
+=back
+
+Predicates may be abbreviated to the shortest unique string (currently
+all predicates may be shortened to a single character).
+
+Predicates may be combined using I<and>, I<or> and I<!> operators
+as well as C<'('> and C<')'> for grouping (note that parentheses
+must generally be escaped from the shell). The I<and> operator is
+optional, adjacent predicates have an implied I<and> unless separated
+by an I<or>.
+
+=item -m I<max_wait>
+
+Specify an upper bound on how long to wait between key presses or
+output data. By default, B<sudo_replay> will accurately reproduce
+the delays between key presses or program output. However, this
+can be tedious when the session includes long pauses. When the
+I<-m> option is specified, B<sudoreplay> will limit these pauses
+to at most I<max_wait> seconds. The value may be specified as a
+floating point number, .e.g. I<2.5>.
+
+=item -s I<speed_factor>
+
+This option causes B<sudoreplay> to adjust the number of seconds
+it will wait between key presses or program output. This can be
+used to slow down or speed up the display. For example, a
+I<speed_factor> of I<2> would make the output twice as fast whereas
+a I<speed_factor> of <.5> would make the output twice as slow.
+
+=item -V
+
+The B<-V> (version) option causes B<sudoreplay> to print its version number
+and exit.
+
+=back
+
+=head2 Date and time format
+
+The time and date may be specified multiple ways, common formats include:
+
+=over 8
+
+=item HH:MM:SS am MM/DD/CCYY timezone
+
+24 hour time may be used in place of am/pm.
+
+=item HH:MM:SS am Month, Day Year timezone
+
+24 hour time may be used in place of am/pm, and month and day names
+may be abbreviated. Note that month and day of the week names must
+be specified in English.
+
+=item CCYY-MM-DD HH:MM:SS
+
+ISO time format
+
+=item DD Month CCYY HH:MM:SS
+
+The month name may be abbreviated.
+
+=back
+
+Either time or date may be omitted, the am/pm and timezone are
+optional. If no date is specified, the current day is assumed; if
+no time is specified, the first second of the specified date is
+used. The less significant parts of both time and date may also
+be omitted, in which case zero is assumed. For example, the following
+are all valid:
+
+The following are all valid time and date specifications:
+
+=over 8
+
+=item now
+
+The current time and date.
+
+=item tomorrow
+
+Exactly one day from now.
+
+=item yesterday
+
+24 hours ago.
+
+=item 2 hours ago
+
+2 hours ago.
+
+=item next Friday
+
+The first second of the next Friday.
+
+=item this week
+
+The current time but the first day of the coming week.
+
+=item a fortnight ago
+
+The current time but 14 days ago.
+
+=item 10:01 am 9/17/2009
+
+10:01 am, September 17, 2009.
+
+=item 10:01 am
+
+10:01 am on the current day.
+
+=item 10
+
+10:00 am on the current day.
+
+=item 9/17/2009
+
+00:00 am, September 17, 2009.
+
+=item 10:01 am Sep 17, 2009
+
+10:01 am, September 17, 2009.
+
+=back
+
+=head1 FILES
+
+=over 24
+
+=item F</var/log/sudo-io>
+
+The default I/O log directory.
+
+=item F</var/log/sudo-io/00/00/01/log>
+
+Example session log info.
+
+=item F</var/log/sudo-io/00/00/01/stdin>
+
+Example session standard input log.
+
+=item F</var/log/sudo-io/00/00/01/stdout>
+
+Example session standard output log.
+
+=item F</var/log/sudo-io/00/00/01/stderr>
+
+Example session standard error log.
+
+=item F</var/log/sudo-io/00/00/01/ttyin>
+
+Example session tty input file.
+
+=item F</var/log/sudo-io/00/00/01/ttyout>
+
+Example session tty output file.
+
+=item F</var/log/sudo-io/00/00/01/timing>
+
+Example session timing file.
+
+=back
+
+Note that the I<stdin>, I<stdout> and I<stderr> files will be empty
+unless B<sudo> was used as part of a pipeline for a particular
+command.
+
+=head1 EXAMPLES
+
+List sessions run by user I<millert>:
+
+ sudoreplay -l user millert
+
+List sessions run by user I<bob> with a command containing the string vi:
+
+ sudoreplay -l user bob command vi
+
+List sessions run by user I<jeff> that match a regular expression:
+
+ sudoreplay -l user jeff command '/bin/[a-z]*sh'
+
+List sessions run by jeff or bob on the console:
+
+ sudoreplay -l ( user jeff or user bob ) tty console
+
+=head1 SEE ALSO
+
+L<sudo(8)>, L<script(1)>
+
+=head1 AUTHOR
+
+Todd C. Miller
+
+=head1 BUGS
+
+If you feel you have found a bug in B<sudoreplay>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<sudoreplay> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.
projects / debian / sudo / blobdiff