| Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller@courtesan.com> |
| |
| Permission to use, copy, modify, and distribute this software for any |
| purpose with or without fee is hereby granted, provided that the above |
| copyright notice and this permission notice appear in all copies. |
| |
| THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| |
| =pod |
| |
| =head1 NAME |
| |
| sudoreplay - replay sudo session logs |
| |
| =head1 SYNOPSIS |
| |
| B<sudoreplay> [B<-d> I<directory>] [B<-f> I<filter>] [B<-m> I<max_wait>] [B<-s> I<speed_factor>] ID |
| |
| B<sudoreplay> [B<-d> I<directory>] -l [search expression] |
| |
| =head1 DESCRIPTION |
| |
| B<sudoreplay> plays back or lists the session logs created by |
| B<sudo>. When replaying, B<sudoreplay> can play the session back |
| in real-time, or the playback speed may be adjusted (faster or |
| slower) based on the command line options. The I<ID> should be |
| a six character sequence of digits and upper case letters, e.g. |
| 0100A5, which is logged by B<sudo> when a command is run with |
| session logging enabled. |
| |
| In list mode, B<sudoreplay> can be used to find the ID of a session |
| based on a number of criteria such as the user, tty or command run. |
| |
| In replay mode, if the standard output has not been redirected, |
| B<sudoreplay> will act on the following keys: |
| |
| =over 8 |
| |
| =item ' ' (space) |
| |
| Pause output; press any key to resume. |
| |
| =item '<' |
| |
| Reduce the playback speed by one half. |
| |
| =item '>' |
| |
| Double the playback speed. |
| |
| =back |
| |
| =head1 OPTIONS |
| |
| B<sudoreplay> accepts the following command line options: |
| |
| =over 12 |
| |
| =item -d I<directory> |
| |
| Use I<directory> to for the session logs instead of the default, |
| F</var/log/sudo-io>. |
| |
| =item -f I<filter> |
| |
| By default, B<sudoreplay> will play back the command's standard |
| output, standard error and tty output. The I<-f> option can be |
| used to select which of these to output. The I<filter> argument |
| is a comma-separated list, consisting of one or more of following: |
| I<stdout>, I<stderr>, and I<ttyout>. |
| |
| =item -l |
| |
| Enable "list mode". In this mode, B<sudoreplay> will list available |
| session IDs. If a I<search expression> is specified, it will be |
| used to restrict the IDs that are displayed. An expression is |
| composed of the following predicates: |
| |
| =over 8 |
| |
| =item command I<command pattern> |
| |
| Evaluates to true if the command run matches I<command pattern>. |
| On systems with POSIX regular expression support, the pattern may |
| be an extended regular expression. On systems without POSIX regular |
| expression support, a simple substring match is performed instead. |
| |
| =item cwd I<directory> |
| |
| Evaluates to true if the command was run with the specified current |
| working directory. |
| |
| =item fromdate I<date> |
| |
| Evaluates to true if the command was run on or after I<date>. |
| See L<"Date and time format"> for a description of supported |
| date and time formats. |
| |
| =item group I<runas_group> |
| |
| Evaluates to true if the command was run with the specified |
| I<runas_group>. Note that unless a I<runas_group> was explicitly |
| specified when B<sudo> was run this field will be empty in the log. |
| |
| =item runas I<runas_user> |
| |
| Evaluates to true if the command was run as the specified I<runas_user>. |
| Note that B<sudo> runs commands as user I<root> by default. |
| |
| =item todate I<date> |
| |
| Evaluates to true if the command was run on or prior to I<date>. |
| See L<"Date and time format"> for a description of supported |
| date and time formats. |
| |
| =item tty I<tty> |
| |
| Evaluates to true if the command was run on the specified terminal |
| device. The I<tty> should be specified without the F</dev/> prefix, |
| e.g. F<tty01> instead of F</dev/tty01>. |
| |
| =item user I<user name> |
| |
| Evaluates to true if the ID matches a command run by I<user name>. |
| |
| =back |
| |
| Predicates may be abbreviated to the shortest unique string (currently |
| all predicates may be shortened to a single character). |
| |
| Predicates may be combined using I<and>, I<or> and I<!> operators |
| as well as C<'('> and C<')'> for grouping (note that parentheses |
| must generally be escaped from the shell). The I<and> operator is |
| optional, adjacent predicates have an implied I<and> unless separated |
| by an I<or>. |
| |
| =item -m I<max_wait> |
| |
| Specify an upper bound on how long to wait between key presses or |
| output data. By default, B<sudo_replay> will accurately reproduce |
| the delays between key presses or program output. However, this |
| can be tedious when the session includes long pauses. When the |
| I<-m> option is specified, B<sudoreplay> will limit these pauses |
| to at most I<max_wait> seconds. The value may be specified as a |
| floating point number, .e.g. I<2.5>. |
| |
| =item -s I<speed_factor> |
| |
| This option causes B<sudoreplay> to adjust the number of seconds |
| it will wait between key presses or program output. This can be |
| used to slow down or speed up the display. For example, a |
| I<speed_factor> of I<2> would make the output twice as fast whereas |
| a I<speed_factor> of <.5> would make the output twice as slow. |
| |
| =item -V |
| |
| The B<-V> (version) option causes B<sudoreplay> to print its version number |
| and exit. |
| |
| =back |
| |
| =head2 Date and time format |
| |
| The time and date may be specified multiple ways, common formats include: |
| |
| =over 8 |
| |
| =item HH:MM:SS am MM/DD/CCYY timezone |
| |
| 24 hour time may be used in place of am/pm. |
| |
| =item HH:MM:SS am Month, Day Year timezone |
| |
| 24 hour time may be used in place of am/pm, and month and day names |
| may be abbreviated. Note that month and day of the week names must |
| be specified in English. |
| |
| =item CCYY-MM-DD HH:MM:SS |
| |
| ISO time format |
| |
| =item DD Month CCYY HH:MM:SS |
| |
| The month name may be abbreviated. |
| |
| =back |
| |
| Either time or date may be omitted, the am/pm and timezone are |
| optional. If no date is specified, the current day is assumed; if |
| no time is specified, the first second of the specified date is |
| used. The less significant parts of both time and date may also |
| be omitted, in which case zero is assumed. For example, the following |
| are all valid: |
| |
| The following are all valid time and date specifications: |
| |
| =over 8 |
| |
| =item now |
| |
| The current time and date. |
| |
| =item tomorrow |
| |
| Exactly one day from now. |
| |
| =item yesterday |
| |
| 24 hours ago. |
| |
| =item 2 hours ago |
| |
| 2 hours ago. |
| |
| =item next Friday |
| |
| The first second of the next Friday. |
| |
| =item this week |
| |
| The current time but the first day of the coming week. |
| |
| =item a fortnight ago |
| |
| The current time but 14 days ago. |
| |
| =item 10:01 am 9/17/2009 |
| |
| 10:01 am, September 17, 2009. |
| |
| =item 10:01 am |
| |
| 10:01 am on the current day. |
| |
| =item 10 |
| |
| 10:00 am on the current day. |
| |
| =item 9/17/2009 |
| |
| 00:00 am, September 17, 2009. |
| |
| =item 10:01 am Sep 17, 2009 |
| |
| 10:01 am, September 17, 2009. |
| |
| =back |
| |
| =head1 FILES |
| |
| =over 24 |
| |
| =item F</var/log/sudo-io> |
| |
| The default I/O log directory. |
| |
| =item F</var/log/sudo-io/00/00/01/log> |
| |
| Example session log info. |
| |
| =item F</var/log/sudo-io/00/00/01/stdin> |
| |
| Example session standard input log. |
| |
| =item F</var/log/sudo-io/00/00/01/stdout> |
| |
| Example session standard output log. |
| |
| =item F</var/log/sudo-io/00/00/01/stderr> |
| |
| Example session standard error log. |
| |
| =item F</var/log/sudo-io/00/00/01/ttyin> |
| |
| Example session tty input file. |
| |
| =item F</var/log/sudo-io/00/00/01/ttyout> |
| |
| Example session tty output file. |
| |
| =item F</var/log/sudo-io/00/00/01/timing> |
| |
| Example session timing file. |
| |
| =back |
| |
| Note that the I<stdin>, I<stdout> and I<stderr> files will be empty |
| unless B<sudo> was used as part of a pipeline for a particular |
| command. |
| |
| =head1 EXAMPLES |
| |
| List sessions run by user I<millert>: |
| |
| sudoreplay -l user millert |
| |
| List sessions run by user I<bob> with a command containing the string vi: |
| |
| sudoreplay -l user bob command vi |
| |
| List sessions run by user I<jeff> that match a regular expression: |
| |
| sudoreplay -l user jeff command '/bin/[a-z]*sh' |
| |
| List sessions run by jeff or bob on the console: |
| |
| sudoreplay -l ( user jeff or user bob ) tty console |
| |
| =head1 SEE ALSO |
| |
| L<sudo(8)>, L<script(1)> |
| |
| =head1 AUTHOR |
| |
| Todd C. Miller |
| |
| =head1 BUGS |
| |
| If you feel you have found a bug in B<sudoreplay>, please submit a bug report |
| at http://www.sudo.ws/sudo/bugs/ |
| |
| =head1 SUPPORT |
| |
| Limited free support is available via the sudo-users mailing list, |
| see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or |
| search the archives. |
| |
| =head1 DISCLAIMER |
| |
| B<sudoreplay> is provided ``AS IS'' and any express or implied warranties, |
| including, but not limited to, the implied warranties of merchantability |
| and fitness for a particular purpose are disclaimed. See the LICENSE |
| file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html |
| for complete details. |