Imported Upstream version 1.8.7

[debian/sudo] / doc / sudoreplay.mdoc.in

.\"
.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd February 5, 2013
.Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoreplay
.Nd replay sudo session logs
.Sh SYNOPSIS
.Nm sudoreplay
.Op Fl h
.Bk -words
.Op Fl d Ar directory
.Ek
.Bk -words
.Op Fl f Ar filter
.Ek
.Bk -words
.Op Fl m Ar max_wait
.Ek
.Bk -words
.Op Fl s Ar speed_factor
.Ek
ID
.Pp
.Nm sudoreplay
.Op Fl h
.Bk -words
.Op Fl d Ar directory
.Ek
.Fl l
.Op search expression
.Sh DESCRIPTION
.Nm sudoreplay
plays back or lists the output logs created by
.Nm sudo .
When replaying,
.Nm sudoreplay
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.Pp
The
.Em ID
should either be a six character sequence of digits and
upper case letters, e.g.\&
.Li 0100A5 ,
or a pattern matching the
.Em iolog_file
option in the
.Em sudoers
file.
When a command is run via
.Nm sudo
with
.Em log_output
enabled in the
.Em sudoers
file, a
.Li TSID=ID
string is logged via syslog or to the
.Nm sudo
log file.
The
.Em ID
may also be determined using
.Nm sudoreplay Ns No 's
list mode.
.Pp
In list mode,
.Nm sudoreplay
can be used to find the ID of a session based on a number of criteria
such as the user, tty or command run.
.Pp
In replay mode, if the standard output has not been redirected,
.Nm sudoreplay
will act on the following keys:
.Bl -tag -width 12n
.It So Li \  Sc No (space)
Pause output; press any key to resume.
.It Ql <
Reduce the playback speed by one half.
.It Ql >
Double the playback speed.
.El
.Pp
The options are as follows:
.Bl -tag -width 12n
.It Fl d Ar directory
Use
.Ar directory
to for the session logs instead of the default,
.Pa @iolog_dir@ .
.It Fl f Ar filter
By default,
.Nm sudoreplay
will play back the command's standard output, standard error and tty output.
The
.Fl f
option can be used to select which of these to output.
The
.Ar filter
argument is a comma-separated list, consisting of one or more of following:
.Em stdout ,
.Em stderr ,
and
.Em ttyout .
.It Fl h
The
.Fl h No ( Em help Ns No )
option causes
.Nm sudoreplay
to print a short help message to the standard output and exit.
.It Fl l Op Ar search expression
Enable
.Dq list mode .
In this mode,
.Nm sudoreplay
will list available sessions in a format similar to the
.Nm sudo
log file format, sorted by file name (or sequence number).
If a
.Ar search expression
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.Bl -tag -width 6n
.It command Ar pattern
Evaluates to true if the command run matches
.Ar pattern .
On systems with POSIX regular expression support, the pattern may
be an extended regular expression.
On systems without POSIX regular expression support, a simple sub-string
match is performed instead.
.It cwd Ar directory
Evaluates to true if the command was run with the specified current
working directory.
.It fromdate Ar date
Evaluates to true if the command was run on or after
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It group Ar runas_group
Evaluates to true if the command was run with the specified
.Ar runas_group .
Note that unless a
.Ar runas_group
was explicitly specified when
.Nm sudo
was run this field will be empty in the log.
.It runas Ar runas_user
Evaluates to true if the command was run as the specified
.Ar runas_user .
Note that
.Nm sudo
runs commands as user
.Em root
by default.
.It todate Ar date
Evaluates to true if the command was run on or prior to
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It tty Ar tty name
Evaluates to true if the command was run on the specified terminal device.
The
.Ar tty name
should be specified without the
.Pa /dev/
prefix, e.g.\&
.Pa tty01
instead of
.Pa /dev/tty01 .
.It user Ar user name
Evaluates to true if the ID matches a command run by
.Ar user name .
.El
.Pp
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
.Pp
Predicates may be combined using
.Em and ,
.Em or
and
.Em \&!
operators as well as
.Ql \&(
and
.Ql \&)
grouping (note that parentheses must generally be escaped from the shell).
The
.Em and
operator is optional, adjacent predicates have an implied
.Em and
unless separated by an
.Em or .
.It Fl m Ar max_wait
Specify an upper bound on how long to wait between key presses or output data.
By default,
.Nm sudoreplay
will accurately reproduce the delays between key presses or program output.
However, this can be tedious when the session includes long pauses.
When the
.Fl m
option is specified,
.Nm sudoreplay
will limit these pauses to at most
.Em max_wait
seconds.
The value may be specified as a floating point number, e.g.\&
.Em 2.5 .
.It Fl s Ar speed_factor
This option causes
.Nm sudoreplay
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
.Ar speed_factor
of
.Em 2
would make the output twice as fast whereas a
.Ar speed_factor
of
.Em .5
would make the output twice as slow.
.It Fl V
The
.Fl V No ( Em version Ns No )
option causes
.Nm sudoreplay
to print its version number
and exit.
.El
.Ss Date and time format
The time and date may be specified multiple ways, common formats include:
.Bl -tag -width 6n
.It HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
.It HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated.
Note that month and day of the week names must be specified in English.
.It CCYY-MM-DD HH:MM:SS
ISO time format
.It DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.El
.Pp
Either time or date may be omitted, the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used.
The less significant parts of both time and date may also be omitted,
in which case zero is assumed.
.Pp
The following are all valid time and date specifications:
.Bl -tag -width 6n
.It now
The current time and date.
.It tomorrow
Exactly one day from now.
.It yesterday
24 hours ago.
.It 2 hours ago
2 hours ago.
.It next Friday
The first second of the next Friday.
.It this week
The current time but the first day of the coming week.
.It a fortnight ago
The current time but 14 days ago.
.It 10:01 am 9/17/2009
10:01 am, September 17, 2009.
.It 10:01 am
10:01 am on the current day.
.It 10
10:00 am on the current day.
.It 9/17/2009
00:00 am, September 17, 2009.
.It 10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @iolog_dir@
The default I/O log directory.
.It Pa @iolog_dir@/00/00/01/log
Example session log info.
.It Pa @iolog_dir@/00/00/01/stdin
Example session standard input log.
.It Pa @iolog_dir@/00/00/01/stdout
Example session standard output log.
.It Pa @iolog_dir@/00/00/01/stderr
Example session standard error log.
.It Pa @iolog_dir@/00/00/01/ttyin
Example session tty input file.
.It Pa @iolog_dir@/00/00/01/ttyout
Example session tty output file.
.It Pa @iolog_dir@/00/00/01/timing
Example session timing file.
.El
.Pp
Note that the
.Em stdin ,
.Em stdout
and
.Em stderr
files will be empty unless
.Nm sudo
was used as part of a pipeline for a particular command.
.Sh EXAMPLES
List sessions run by user
.Em millert :
.Bd -literal -offset indent
# sudoreplay -l user millert
.Ed
.Pp
List sessions run by user
.Em bob
with a command containing the string vi:
.Bd -literal -offset indent
# sudoreplay -l user bob command vi
.Ed
.Pp
List sessions run by user
.Em jeff
that match a regular expression:
.Bd -literal -offset indent
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.Ed
.Pp
List sessions run by jeff or bob on the console:
.Bd -literal -offset indent
# sudoreplay -l ( user jeff or user bob ) tty console
.Ed
.Sh SEE ALSO
.Xr sudo @mansectsu@ ,
.Xr script 1
.Sh AUTHORS
Todd C. Miller
.Sh BUGS
If you feel you have found a bug in
.Nm sudoreplay ,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudoreplay
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or http://www.sudo.ws/sudo/license.html for complete details.