| |
| |
| |
| SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) |
| |
| |
| NAME |
| sudoreplay - replay sudo session logs |
| |
| SYNOPSIS |
| sudoreplay [-d directory] [-f filter] [-m max_wait] [-s speed_factor] ID |
| |
| sudoreplay [-d directory] -l [search expression] |
| |
| DESCRIPTION |
| sudoreplay plays back or lists the session logs created by sudo. When |
| replaying, sudoreplay can play the session back in real-time, or the |
| playback speed may be adjusted (faster or slower) based on the command |
| line options. The ID should be a six character sequence of digits and |
| upper case letters, e.g. 0100A5, which is logged by sudo when a |
| command is run with session logging enabled. |
| |
| In list mode, sudoreplay can be used to find the ID of a session based |
| on a number of criteria such as the user, tty or command run. |
| |
| In replay mode, if the standard output has not been redirected, |
| sudoreplay will act on the following keys: |
| |
| ' ' (space) |
| Pause output; press any key to resume. |
| |
| '<' Reduce the playback speed by one half. |
| |
| '>' Double the playback speed. |
| |
| OPTIONS |
| sudoreplay accepts the following command line options: |
| |
| -d directory |
| Use directory for the session logs instead of the |
| default, /var/log/sudo-io. |
| |
| -f filter By default, sudoreplay will play back the command's |
| standard output, standard error and tty output. The -f |
| option can be used to select which of these to output. The |
| filter argument is a comma-separated list, consisting of |
| one or more of the following: stdout, stderr, and ttyout. |
| |
| -l Enable "list mode". In this mode, sudoreplay will list |
| available session IDs. If a search expression is |
| specified, it will be used to restrict the IDs that are |
| displayed. An expression is composed of the following |
| predicates: |
| |
| command command pattern |
| Evaluates to true if the command run matches |
| command pattern. On systems with POSIX regular |
| expression support, the pattern may be an extended |
| regular expression. On systems without POSIX |
| regular expression support, a simple substring |
| match is performed instead. |
| |
| cwd directory |
| Evaluates to true if the command was run with the |
| specified current working directory. |
| |
| fromdate date |
| Evaluates to true if the command was run on or |
| after date. See "Date and time format" for a |
| description of supported date and time formats. |
| |
| group runas_group |
| Evaluates to true if the command was run with the |
| specified runas_group. Note that unless a |
| runas_group was explicitly specified when sudo was |
| run this field will be empty in the log. |
| |
| runas runas_user |
| Evaluates to true if the command was run as the |
| specified runas_user. Note that sudo runs commands |
| as user root by default. |
| |
| todate date |
| Evaluates to true if the command was run on or |
| prior to date. See "Date and time format" for a |
| description of supported date and time formats. |
| |
| tty tty Evaluates to true if the command was run on the |
| specified terminal device. The tty should be |
| specified without the /dev/ prefix, e.g. tty01 |
| instead of /dev/tty01. |
| |
| user user name |
| Evaluates to true if the ID matches a command run |
| by user name. |
| |
| Predicates may be abbreviated to the shortest unique string |
| (currently all predicates may be shortened to a single |
| character). |
| |
| Predicates may be combined using the 'and', 'or' and '!' operators as |
| well as '(' and ')' for grouping (note that parentheses |
| must generally be escaped from the shell). The 'and' |
| operator is optional, adjacent predicates have an implied |
| 'and' unless separated by an 'or'. |
| |
| -m max_wait Specify an upper bound on how long to wait between key |
| presses or output data. By default, sudoreplay will |
| accurately reproduce the delays between key presses or |
| program output. However, this can be tedious when the |
| session includes long pauses. When the -m option is |
| specified, sudoreplay will limit these pauses to at most |
| max_wait seconds. The value may be specified as a floating |
| point number, e.g. 2.5. |
| |
| -s speed_factor |
| This option causes sudoreplay to adjust the number of |
| seconds it will wait between key presses or program output. |
| This can be used to slow down or speed up the display. For |
| example, a speed_factor of 2 would make the output twice as |
| fast whereas a speed_factor of .5 would make the output |
| twice as slow. |
| |
| -V The -V (version) option causes sudoreplay to print its |
| version number and exit. |
| |
| Date and time format |
| The time and date may be specified multiple ways, common formats |
| include: |
| |
| HH:MM:SS am MM/DD/CCYY timezone |
| 24 hour time may be used in place of am/pm. |
| |
| HH:MM:SS am Month, Day Year timezone |
| 24 hour time may be used in place of am/pm, and month and day |
| names may be abbreviated. Note that month and day of the week |
| names must be specified in English. |
| |
| CCYY-MM-DD HH:MM:SS |
| ISO time format |
| |
| DD Month CCYY HH:MM:SS |
| The month name may be abbreviated. |
| |
| Either time or date may be omitted, the am/pm and timezone are |
| optional. If no date is specified, the current day is assumed; if no |
| time is specified, the first second of the specified date is used. The |
| less significant parts of both time and date may also be omitted, in |
| which case zero is assumed. |
| |
| The following are all valid time and date specifications: |
| |
| now The current time and date. |
| |
| tomorrow |
| Exactly one day from now. |
| |
| yesterday |
| 24 hours ago. |
| |
| 2 hours ago |
| 2 hours ago. |
| |
| next Friday |
| The first second of the next Friday. |
| |
| this week |
| The current time but the first day of the coming week. |
| |
| a fortnight ago |
| The current time but 14 days ago. |
| |
| 10:01 am 9/17/2009 |
| 10:01 am, September 17, 2009. |
| |
| 10:01 am |
| 10:01 am on the current day. |
| |
| 10 |
| 10:00 am on the current day. |
| |
| 9/17/2009 |
| 00:00 am, September 17, 2009. |
| |
| 10:01 am Sep 17, 2009 |
| 10:01 am, September 17, 2009. |
| |
| FILES |
| /var/log/sudo-io The default I/O log directory. |
| |
| /var/log/sudo-io/00/00/01/log |
| Example session log info. |
| |
| /var/log/sudo-io/00/00/01/stdin |
| Example session standard input log. |
| |
| /var/log/sudo-io/00/00/01/stdout |
| Example session standard output log. |
| |
| /var/log/sudo-io/00/00/01/stderr |
| Example session standard error log. |
| |
| /var/log/sudo-io/00/00/01/ttyin |
| Example session tty input file. |
| |
| /var/log/sudo-io/00/00/01/ttyout |
| Example session tty output file. |
| |
| /var/log/sudo-io/00/00/01/timing |
| Example session timing file. |
| |
| Note that the stdin, stdout and stderr files will be empty unless sudo |
| was used as part of a pipeline for a particular command. |
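
One way to go from a session ID to its files on disk and to pick a value for -f, as an added example that is not part of the sudo distribution (the function names sudoio_path and sudoio_filter are hypothetical). It assumes the six-character ID is split pairwise into the directory path, as the 00/00/01 paths above suggest, and that the logs are stored uncompressed.

```shell
#!/bin/sh
# Added example: locate a sudo I/O log session on disk and work out which
# output streams hold data. Function names are hypothetical.

# Map a session ID (six digits/upper-case letters, e.g. 0100A5) to its
# directory. The ID -> aa/bb/cc split is inferred from the FILES paths.
sudoio_path() {
    id=$1
    base=${2:-/var/log/sudo-io}
    # Reject anything outside the documented alphabet, so an ID pasted from a
    # ticket or alert can never carry "/" or ".." into the path. The letters
    # are spelled out because A-Z ranges are locale-dependent in some shells.
    case $id in
        *[!0-9ABCDEFGHIJKLMNOPQRSTUVWXYZ]*|'') return 1 ;;
    esac
    [ "${#id}" -eq 6 ] || return 1
    rest=${id#??}
    printf '%s/%s/%s/%s\n' "$base" "${id%????}" "${rest%??}" "${id#????}"
}

# Print a comma-separated list usable as the argument to "sudoreplay -f":
# the output streams (stdout, stderr, ttyout) whose files are non-empty.
# Assumption: logs are stored uncompressed, so size > 0 means captured data.
sudoio_filter() {
    dir=$(sudoio_path "$1" "$2") || return 1
    [ -f "$dir/log" ] || return 2      # no such session under this base
    list=
    for s in stdout stderr ttyout; do
        if [ -s "$dir/$s" ]; then
            list=${list:+$list,}$s
        fi
    done
    printf '%s\n' "$list"
}
```

An empty result from sudoio_filter means the session directory exists but no output stream holds data.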
| |
| EXAMPLES |
| List sessions run by user millert: |
| |
| sudoreplay -l user millert |
| |
| List sessions run by user bob with a command containing the string vi: |
| |
| sudoreplay -l user bob command vi |
| |
| List sessions run by user jeff that match a regular expression: |
| |
| sudoreplay -l user jeff command '/bin/[a-z]*sh' |
| |
| List sessions run by jeff or bob on the console: |
| |
| sudoreplay -l \( user jeff or user bob \) tty console |
| |
| SEE ALSO |
| sudo(1m), script(1) |
| |
| AUTHOR |
| Todd C. Miller |
| |
| BUGS |
| If you feel you have found a bug in sudoreplay, please submit a bug |
| report at http://www.sudo.ws/sudo/bugs/ |
| |
| SUPPORT |
| Limited free support is available via the sudo-users mailing list, see |
| http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search |
| the archives. |
| |
| DISCLAIMER |
| sudoreplay is provided ``AS IS'' and any express or implied warranties, |
| including, but not limited to, the implied warranties of |
| merchantability and fitness for a particular purpose are disclaimed. |
| See the LICENSE file distributed with sudo or |
| http://www.sudo.ws/sudo/license.html for complete details. |
| |
| 1.7.4 July 12, 2010 |