1: .\"
2: .\" Copyright (c) 2009-2014 Todd C. Miller <Todd.Miller@courtesan.com>
3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
17: .Dd February 15, 2014
18: .Dt SUDOREPLAY @mansectsu@
19: .Os Sudo @PACKAGE_VERSION@
20: .Sh NAME
21: .Nm sudoreplay
22: .Nd replay sudo session logs
23: .Sh SYNOPSIS
24: .Nm sudoreplay
25: .Op Fl h
26: .Op Fl d Ar dir
27: .Op Fl f Ar filter
28: .Op Fl m Ar num
29: .Op Fl s Ar num
30: ID
31: .Pp
32: .Nm sudoreplay
33: .Op Fl h
34: .Op Fl d Ar dir
35: .Fl l
36: .Op search expression
37: .Sh DESCRIPTION
38: .Nm sudoreplay
39: plays back or lists the output logs created by
40: .Nm sudo .
41: When replaying,
42: .Nm sudoreplay
43: can play the session back in real-time, or the playback speed may be
44: adjusted (faster or slower) based on the command line options.
45: .Pp
46: The
47: .Em ID
48: should either be a six character sequence of digits and
49: upper case letters, e.g.\&
50: .Li 0100A5 ,
51: or a pattern matching the
52: .Em iolog_file
53: option in the
54: .Em sudoers
55: file.
56: When a command is run via
57: .Nm sudo
58: with
59: .Em log_output
60: enabled in the
61: .Em sudoers
62: file, a
63: .Li TSID=ID
64: string is logged via syslog or to the
65: .Nm sudo
66: log file.
67: The
68: .Em ID
69: may also be determined using
70: .Nm sudoreplay Ns 's
71: list mode.
72: .Pp
73: In list mode,
74: .Nm sudoreplay
75: can be used to find the ID of a session based on a number of criteria
76: such as the user, tty or command run.
77: .Pp
78: In replay mode, if the standard output has not been redirected,
79: .Nm sudoreplay
80: will act on the following keys:
81: .Bl -tag -width 12n
82: .It So Li \en Sc No or So Li \er Sc
83: Skip to the next replay event; useful for long pauses.
84: .It So Li \ Sc Pq space
85: Pause output; press any key to resume.
86: .It Ql <
87: Reduce the playback speed by one half.
88: .It Ql >
89: Double the playback speed.
90: .El
91: .Pp
92: The options are as follows:
93: .Bl -tag -width Fl
94: .It Fl d Ar dir , Fl -directory Ns = Ns Ar dir
95: Store session logs in
96: .Ar dir
97: instead of the default,
98: .Pa @iolog_dir@ .
99: .It Fl f Ar filter , Fl -filter Ns = Ns Ar filter
100: Select which I/O type(s) to display.
101: By default,
102: .Nm sudoreplay
103: will display the command's standard output, standard error and tty output.
104: The
105: .Ar filter
106: argument is a comma-separated list, consisting of one or more of following:
107: .Em stdout ,
108: .Em stderr ,
109: and
110: .Em ttyout .
111: .It Fl h , -help
112: Display a short help message to the standard output and exit.
113: .It Fl l , -list Op Ar search expression
114: Enable
115: .Dq list mode .
116: In this mode,
117: .Nm sudoreplay
118: will list available sessions in a format similar to the
119: .Nm sudo
120: log file format, sorted by file name (or sequence number).
121: If a
122: .Ar search expression
123: is specified, it will be used to restrict the IDs that are displayed.
124: An expression is composed of the following predicates:
125: .Bl -tag -width 6n
126: .It command Ar pattern
127: Evaluates to true if the command run matches
128: .Ar pattern .
129: On systems with POSIX regular expression support, the pattern may
130: be an extended regular expression.
131: On systems without POSIX regular expression support, a simple sub-string
132: match is performed instead.
133: .It cwd Ar directory
134: Evaluates to true if the command was run with the specified current
135: working directory.
136: .It fromdate Ar date
137: Evaluates to true if the command was run on or after
138: .Ar date .
139: See
140: .Sx Date and time format
141: for a description of supported date and time formats.
142: .It group Ar runas_group
143: Evaluates to true if the command was run with the specified
144: .Ar runas_group .
145: Note that unless a
146: .Ar runas_group
147: was explicitly specified when
148: .Nm sudo
149: was run this field will be empty in the log.
150: .It runas Ar runas_user
151: Evaluates to true if the command was run as the specified
152: .Ar runas_user .
153: Note that
154: .Nm sudo
155: runs commands as user
156: .Em root
157: by default.
158: .It todate Ar date
159: Evaluates to true if the command was run on or prior to
160: .Ar date .
161: See
162: .Sx Date and time format
163: for a description of supported date and time formats.
164: .It tty Ar tty name
165: Evaluates to true if the command was run on the specified terminal device.
166: The
167: .Ar tty name
168: should be specified without the
169: .Pa /dev/
170: prefix, e.g.\&
171: .Pa tty01
172: instead of
173: .Pa /dev/tty01 .
174: .It user Ar user name
175: Evaluates to true if the ID matches a command run by
176: .Ar user name .
177: .El
178: .Pp
179: Predicates may be abbreviated to the shortest unique string (currently
180: all predicates may be shortened to a single character).
181: .Pp
182: Predicates may be combined using
183: .Em and ,
184: .Em or
185: and
186: .Em \&!
187: operators as well as
188: .Ql \&(
189: and
190: .Ql \&)
191: grouping (note that parentheses must generally be escaped from the shell).
192: The
193: .Em and
194: operator is optional, adjacent predicates have an implied
195: .Em and
196: unless separated by an
197: .Em or .
198: .It Fl m , -max-wait Ar max_wait
199: Specify an upper bound on how long to wait between key presses or output data.
200: By default,
201: .Nm sudoreplay
202: will accurately reproduce the delays between key presses or program output.
203: However, this can be tedious when the session includes long pauses.
204: When the
205: .Fl m
206: option is specified,
207: .Nm sudoreplay
208: will limit these pauses to at most
209: .Em max_wait
210: seconds.
211: The value may be specified as a floating point number, e.g.\&
212: .Em 2.5 .
213: .It Fl s , -speed Ar speed_factor
214: This option causes
215: .Nm sudoreplay
216: to adjust the number of seconds it will wait between key presses or
217: program output.
218: This can be used to slow down or speed up the display.
219: For example, a
220: .Ar speed_factor
221: of
222: .Em 2
223: would make the output twice as fast whereas a
224: .Ar speed_factor
225: of
226: .Em .5
227: would make the output twice as slow.
228: .It Fl V , -version
229: Print the
230: .Nm sudoreplay
231: versions version number and exit.
232: .El
233: .Ss Date and time format
234: The time and date may be specified multiple ways, common formats include:
235: .Bl -tag -width 6n
236: .It HH:MM:SS am MM/DD/CCYY timezone
237: 24 hour time may be used in place of am/pm.
238: .It HH:MM:SS am Month, Day Year timezone
239: 24 hour time may be used in place of am/pm, and month and day names
240: may be abbreviated.
241: Note that month and day of the week names must be specified in English.
242: .It CCYY-MM-DD HH:MM:SS
243: ISO time format
244: .It DD Month CCYY HH:MM:SS
245: The month name may be abbreviated.
246: .El
247: .Pp
248: Either time or date may be omitted, the am/pm and timezone are optional.
249: If no date is specified, the current day is assumed; if no time is
250: specified, the first second of the specified date is used.
251: The less significant parts of both time and date may also be omitted,
252: in which case zero is assumed.
253: .Pp
254: The following are all valid time and date specifications:
255: .Bl -tag -width 6n
256: .It now
257: The current time and date.
258: .It tomorrow
259: Exactly one day from now.
260: .It yesterday
261: 24 hours ago.
262: .It 2 hours ago
263: 2 hours ago.
264: .It next Friday
265: The first second of the Friday in the next (upcoming) week.
266: Not to be confused with
267: .Dq this friday
268: which would match the friday of the current week.
269: .It last week
270: The current time but 7 days ago.
271: This is equivalent to
272: .Dq a week ago .
273: .It a fortnight ago
274: The current time but 14 days ago.
275: .It 10:01 am 9/17/2009
276: 10:01 am, September 17, 2009.
277: .It 10:01 am
278: 10:01 am on the current day.
279: .It 10
280: 10:00 am on the current day.
281: .It 9/17/2009
282: 00:00 am, September 17, 2009.
283: .It 10:01 am Sep 17, 2009
284: 10:01 am, September 17, 2009.
285: .El
286: .Pp
287: Note that relative time specifications do not always work as expected.
288: For example, the
289: .Dq next
290: qualifier is intended to be used in conjunction with a day such as
291: .Dq next Monday .
292: When used with units of weeks, months, years, etc
293: the result will be one more than expected.
294: For example,
295: .Dq next week
296: will result in a time exactly two weeks from now, which is probably
297: not what was intended.
298: This will be addressed in a future version of
299: .Nm sudoreplay .
300: .Sh FILES
301: .Bl -tag -width 24n
302: .It Pa @iolog_dir@
303: The default I/O log directory.
304: .It Pa @iolog_dir@/00/00/01/log
305: Example session log info.
306: .It Pa @iolog_dir@/00/00/01/stdin
307: Example session standard input log.
308: .It Pa @iolog_dir@/00/00/01/stdout
309: Example session standard output log.
310: .It Pa @iolog_dir@/00/00/01/stderr
311: Example session standard error log.
312: .It Pa @iolog_dir@/00/00/01/ttyin
313: Example session tty input file.
314: .It Pa @iolog_dir@/00/00/01/ttyout
315: Example session tty output file.
316: .It Pa @iolog_dir@/00/00/01/timing
317: Example session timing file.
318: .El
319: .Pp
320: Note that the
321: .Em stdin ,
322: .Em stdout
323: and
324: .Em stderr
325: files will be empty unless
326: .Nm sudo
327: was used as part of a pipeline for a particular command.
328: .Sh EXAMPLES
329: List sessions run by user
330: .Em millert :
331: .Bd -literal -offset indent
332: # sudoreplay -l user millert
333: .Ed
334: .Pp
335: List sessions run by user
336: .Em bob
337: with a command containing the string vi:
338: .Bd -literal -offset indent
339: # sudoreplay -l user bob command vi
340: .Ed
341: .Pp
342: List sessions run by user
343: .Em jeff
344: that match a regular expression:
345: .Bd -literal -offset indent
346: # sudoreplay -l user jeff command '/bin/[a-z]*sh'
347: .Ed
348: .Pp
349: List sessions run by jeff or bob on the console:
350: .Bd -literal -offset indent
351: # sudoreplay -l ( user jeff or user bob ) tty console
352: .Ed
353: .Sh SEE ALSO
354: .Xr sudo @mansectsu@ ,
355: .Xr script 1
356: .Sh AUTHORS
357: Todd C. Miller
358: .Sh BUGS
359: If you feel you have found a bug in
360: .Nm sudoreplay ,
361: please submit a bug report at http://www.sudo.ws/sudo/bugs/
362: .Sh SUPPORT
363: Limited free support is available via the sudo-users mailing list,
364: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
365: search the archives.
366: .Sh DISCLAIMER
367: .Nm sudoreplay
368: is provided
369: .Dq AS IS
370: and any express or implied warranties, including, but not limited
371: to, the implied warranties of merchantability and fitness for a
372: particular purpose are disclaimed.
373: See the LICENSE file distributed with
374: .Nm sudo
375: or http://www.sudo.ws/sudo/license.html for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>