File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc / sudoreplay.mdoc.in
Revision 1.1.1.3 (vendor branch)
Mon Oct 14 07:56:34 2013 UTC (10 years, 8 months ago) by misho
Branches: sudo, MAIN
CVS tags: v1_8_8p0, v1_8_8, HEAD
v 1.8.8

.\"
.\" Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 11, 2013
.Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoreplay
.Nd replay sudo session logs
.Sh SYNOPSIS
.Nm sudoreplay
.Op Fl h
.Bk -words
.Op Fl d Ar dir
.Ek
.Bk -words
.Op Fl f Ar filter
.Ek
.Bk -words
.Op Fl m Ar num
.Ek
.Bk -words
.Op Fl s Ar num
.Ek
ID
.Pp
.Nm sudoreplay
.Op Fl h
.Bk -words
.Op Fl d Ar dir
.Ek
.Fl l
.Op search expression
.Sh DESCRIPTION
.Nm sudoreplay
plays back or lists the output logs created by
.Nm sudo .
When replaying,
.Nm sudoreplay
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.Pp
The
.Em ID
should either be a six character sequence of digits and
upper case letters, e.g.\&
.Li 0100A5 ,
or a pattern matching the
.Em iolog_file
option in the
.Em sudoers
file.
When a command is run via
.Nm sudo
with
.Em log_output
enabled in the
.Em sudoers
file, a
.Li TSID=ID
string is logged via syslog or to the
.Nm sudo
log file.
The
.Em ID
may also be determined using
.Nm sudoreplay Ns No 's
list mode.
.Pp
In list mode,
.Nm sudoreplay
can be used to find the ID of a session based on a number of criteria
such as the user, tty or command run.
.Pp
In replay mode, if the standard output has not been redirected,
.Nm sudoreplay
will act on the following keys:
.Bl -tag -width 12n
.It So Li \  Sc No (space)
Pause output; press any key to resume.
.It Ql <
Reduce the playback speed by one half.
.It Ql >
Double the playback speed.
.El
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl d Ar dir , Fl -directory Ns No = Ns Ar dir
Store session logs in
.Ar dir
instead of the default,
.Pa @iolog_dir@ .
.It Fl f Ar filter , Fl -filter Ns No = Ns Ar filter
Select which I/O type(s) to display.
By default,
.Nm sudoreplay
will display the command's standard output, standard error and tty output.
The
.Ar filter
argument is a comma-separated list, consisting of one or more of the following:
.Em stdout ,
.Em stderr ,
and
.Em ttyout .
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl l , -list Op Ar search expression
Enable
.Dq list mode .
In this mode,
.Nm sudoreplay
will list available sessions in a format similar to the
.Nm sudo
log file format, sorted by file name (or sequence number).
If a
.Ar search expression
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.Bl -tag -width 6n
.It command Ar pattern
Evaluates to true if the command run matches
.Ar pattern .
On systems with POSIX regular expression support, the pattern may
be an extended regular expression.
On systems without POSIX regular expression support, a simple sub-string
match is performed instead.
.It cwd Ar directory
Evaluates to true if the command was run with the specified current
working directory.
.It fromdate Ar date
Evaluates to true if the command was run on or after
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It group Ar runas_group
Evaluates to true if the command was run with the specified
.Ar runas_group .
Note that unless a
.Ar runas_group
was explicitly specified when
.Nm sudo
was run this field will be empty in the log.
.It runas Ar runas_user
Evaluates to true if the command was run as the specified
.Ar runas_user .
Note that
.Nm sudo
runs commands as user
.Em root
by default.
.It todate Ar date
Evaluates to true if the command was run on or prior to
.Ar date .
See
.Sx Date and time format
for a description of supported date and time formats.
.It tty Ar tty name
Evaluates to true if the command was run on the specified terminal device.
The
.Ar tty name
should be specified without the
.Pa /dev/
prefix, e.g.\&
.Pa tty01
instead of
.Pa /dev/tty01 .
.It user Ar user name
Evaluates to true if the ID matches a command run by
.Ar user name .
.El
.Pp
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
.Pp
Predicates may be combined using
.Em and ,
.Em or
and
.Em \&!
operators as well as
.Ql \&(
and
.Ql \&)
grouping (note that parentheses must generally be escaped from the shell).
The
.Em and
operator is optional; adjacent predicates have an implied
.Em and
unless separated by an
.Em or .
.It Fl m , -max-wait Ar max_wait
Specify an upper bound on how long to wait between key presses or output data.
By default,
.Nm sudoreplay
will accurately reproduce the delays between key presses or program output.
However, this can be tedious when the session includes long pauses.
When the
.Fl m
option is specified,
.Nm sudoreplay
will limit these pauses to at most
.Em max_wait
seconds.
The value may be specified as a floating point number, e.g.\&
.Em 2.5 .
.It Fl s , -speed Ar speed_factor
This option causes
.Nm sudoreplay
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
.Ar speed_factor
of
.Em 2
would make the output twice as fast whereas a
.Ar speed_factor
of
.Em .5
would make the output twice as slow.
.It Fl V , -version
Print the
.Nm sudoreplay
version number and exit.
.El
.Ss Date and time format
The time and date may be specified in multiple ways; common formats include:
.Bl -tag -width 6n
.It HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
.It HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated.
Note that month and day of the week names must be specified in English.
.It CCYY-MM-DD HH:MM:SS
ISO time format
.It DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.El
.Pp
Either time or date may be omitted; the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used.
The less significant parts of both time and date may also be omitted,
in which case zero is assumed.
.Pp
The following are all valid time and date specifications:
.Bl -tag -width 6n
.It now
The current time and date.
.It tomorrow
Exactly one day from now.
.It yesterday
24 hours ago.
.It 2 hours ago
2 hours ago.
.It next Friday
The first second of the Friday in the next (upcoming) week.
Not to be confused with
.Dq this friday
which would match the Friday of the current week.
.It last week
The current time but 7 days ago.
This is equivalent to
.Dq a week ago .
.It a fortnight ago
The current time but 14 days ago.
.It 10:01 am 9/17/2009
10:01 am, September 17, 2009.
.It 10:01 am
10:01 am on the current day.
.It 10
10:00 am on the current day.
.It 9/17/2009
00:00 am, September 17, 2009.
.It 10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.El
.Pp
Note that relative time specifications do not always work as expected.
For example, the
.Dq next
qualifier is intended to be used in conjunction with a day such as
.Dq next Monday .
When used with units of weeks, months, years, etc.,
the result will be one more than expected.
For example,
.Dq next week
will result in a time exactly two weeks from now, which is probably
not what was intended.
This will be addressed in a future version of
.Nm sudoreplay .
.Sh FILES
.Bl -tag -width 24n
.It Pa @iolog_dir@
The default I/O log directory.
.It Pa @iolog_dir@/00/00/01/log
Example session log info.
.It Pa @iolog_dir@/00/00/01/stdin
Example session standard input log.
.It Pa @iolog_dir@/00/00/01/stdout
Example session standard output log.
.It Pa @iolog_dir@/00/00/01/stderr
Example session standard error log.
.It Pa @iolog_dir@/00/00/01/ttyin
Example session tty input file.
.It Pa @iolog_dir@/00/00/01/ttyout
Example session tty output file.
.It Pa @iolog_dir@/00/00/01/timing
Example session timing file.
.El
.Pp
Note that the
.Em stdin ,
.Em stdout
and
.Em stderr
files will be empty unless
.Nm sudo
was used as part of a pipeline for a particular command.
.Sh EXAMPLES
List sessions run by user
.Em millert :
.Bd -literal -offset indent
# sudoreplay -l user millert
.Ed
.Pp
List sessions run by user
.Em bob
with a command containing the string vi:
.Bd -literal -offset indent
# sudoreplay -l user bob command vi
.Ed
.Pp
List sessions run by user
.Em jeff
that match a regular expression:
.Bd -literal -offset indent
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.Ed
.Pp
List sessions run by jeff or bob on the console:
.Bd -literal -offset indent
# sudoreplay -l \e( user jeff or user bob \e) tty console
.Ed
.Sh SEE ALSO
.Xr sudo @mansectsu@ ,
.Xr script 1
.Sh AUTHORS
Todd C. Miller
.Sh BUGS
If you feel you have found a bug in
.Nm sudoreplay ,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudoreplay
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or http://www.sudo.ws/sudo/license.html for complete details.
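
Added example, not part of the sudo distribution or of this repository: a Python sketch for log triage that pulls the TSID=ID value from sudo log lines, maps each six-character ID to its session directory using the layout shown under FILES, and reports sessions whose files are missing. The sample log lines, the REQUIRED file set and all function names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Default-style ID: six characters of digits and upper-case letters (e.g. 0100A5).
# IDs produced by a custom iolog_file pattern are deliberately not matched here.
TSID_RE = re.compile(r"\bTSID=([0-9A-Z]{6})(?![0-9A-Za-z])")
# Assumption: every recorded session has at least these two files from FILES.
REQUIRED = ("log", "timing")

def extract_tsids(lines):
    """Return the first well-formed session ID of each sudo log line, in order."""
    found = (TSID_RE.search(line) for line in lines)
    return [m.group(1) for m in found if m]

def session_dir(iolog_dir, tsid):
    """Map an ID such as 0100A5 to <iolog_dir>/01/00/A5 (layout shown in FILES)."""
    # Strict validation keeps log-supplied text such as "../" out of the path.
    if not re.fullmatch(r"[0-9A-Z]{6}", tsid):
        raise ValueError("not a six-character session ID: %r" % tsid)
    return os.path.join(iolog_dir, tsid[0:2], tsid[2:4], tsid[4:6])

def audit(iolog_dir, lines):
    """Map each logged ID to the REQUIRED files missing from its directory."""
    report = {}
    for tsid in extract_tsids(lines):
        d = session_dir(iolog_dir, tsid)
        report[tsid] = [f for f in REQUIRED
                        if not os.path.isfile(os.path.join(d, f))]
    return report

# Constructed sample lines in the sudo log style; not taken from a real system.
SAMPLE = [
    "Oct 14 07:56:34 host sudo: millert : TTY=pts/1 ; PWD=/home/millert ; "
    "USER=root ; TSID=000001 ; COMMAND=/usr/bin/vi /etc/hosts",
    "Oct 14 08:02:10 host sudo: bob : TTY=console ; PWD=/ ; "
    "USER=root ; TSID=0100A5 ; COMMAND=/bin/sh",
    "Oct 14 08:03:00 host sudo: jeff : TTY=pts/2 ; PWD=/tmp ; "
    "USER=root ; TSID=../../x ; COMMAND=/bin/ls",  # malformed ID: ignored
]

def demo():
    """Build a throwaway log tree: 000001 complete, 0100A5 lacking its timing file."""
    with tempfile.TemporaryDirectory() as root:
        for tsid, files in (("000001", REQUIRED), ("0100A5", ("log",))):
            d = session_dir(root, tsid)
            os.makedirs(d)
            for f in files:
                open(os.path.join(d, f), "w").close()
        return audit(root, SAMPLE)
```

An ID that appears in the sudo log but whose session directory is incomplete is worth investigating before relying on sudoreplay output for that session.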
