sudoreplay - replay sudo session logs
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt] [-\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt] [-\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br]
+ ID
s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -l [search expression]
Use _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by to for the session logs instead of the
default, _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
+ -f _\bf_\bi_\bl_\bt_\be_\br By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will play back the command's
+ standard output, standard error and tty output. The _\b-_\bf
+ option can be used to select which of these to output. The
+ _\bf_\bi_\bl_\bt_\be_\br argument is a comma-separated list, consisting of
+ one or more of following: _\bs_\bt_\bd_\bo_\bu_\bt, _\bs_\bt_\bd_\be_\br_\br, and _\bt_\bt_\by_\bo_\bu_\bt.
+
-l Enable "list mode". In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
available session IDs. If a _\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is
specified, it will be used to restrict the IDs that are
_\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular
expression support, the pattern may be an extended
regular expression. On systems without POSIX
- regular expression support, a simple substring
- match is performed instead.
- cwd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
- Evaluates to true if the command was run with the
- specified current working directory.
+1.8.0b1 June 15, 2010 1
-1.8.0b1 June 11, 2010 1
+SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
+ regular expression support, a simple substring
+ match is performed instead.
+ cwd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
+ Evaluates to true if the command was run with the
+ specified current working directory.
fromdate _\bd_\ba_\bt_\be
Evaluates to true if the command was run on or
session includes long pauses. When the _\b-_\bm option is
specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will limit these pauses to at most
_\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt seconds. The value may be specified as a floating
- point number, .e.g. _\b2_\b._\b5.
- -s _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
- This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of
- seconds it will wait between key presses or program output.
- This can be used to slow down or speed up the display. For
- example, a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b2 would make the output twice as
-
-1.8.0b1 June 11, 2010 2
+1.8.0b1 June 15, 2010 2
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
+ point number, .e.g. _\b2_\b._\b5.
+
+ -s _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
+ This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of
+ seconds it will wait between key presses or program output.
+ This can be used to slow down or speed up the display. For
+ example, a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b2 would make the output twice as
fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of <.5> would make the output
twice as slow.
next Friday
The first second of the next Friday.
- this week
- The current time but the first day of the coming week.
-
- a fortnight ago
- The current time but 14 days ago.
- 10:01 am 9/17/2009
- 10:01 am, September 17, 2009.
-1.8.0b1 June 11, 2010 3
+1.8.0b1 June 15, 2010 3
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
+ this week
+ The current time but the first day of the coming week.
+
+ a fortnight ago
+ The current time but 14 days ago.
+
+ 10:01 am 9/17/2009
+ 10:01 am, September 17, 2009.
+
10:01 am
10:01 am on the current day.
List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
- sudoreplay -l user bob command vi
- List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
- sudoreplay -l user jeff command '/bin/[a-z]*sh'
- List sessions run by jeff or bob on the console:
+1.8.0b1 June 15, 2010 4
- sudoreplay -l ( user jeff or user bob ) tty console
-1.8.0b1 June 11, 2010 4
+SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
+ sudoreplay -l user bob command vi
+ List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
+ sudoreplay -l user jeff command '/bin/[a-z]*sh'
+
+ List sessions run by jeff or bob on the console:
+ sudoreplay -l ( user jeff or user bob ) tty console
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bs_\bu_\bd_\bo(1m), _\bs_\bc_\br_\bi_\bp_\bt(1)
-
-
-
-
-
-
-
-
-
-
-1.8.0b1 June 11, 2010 5
+1.8.0b1 June 15, 2010 5
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "June 15, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
sudoreplay \- replay sudo session logs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBsudoreplay\fR [\fB\-d\fR \fIdirectory\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0
+\&\fBsudoreplay\fR [\fB\-d\fR \fIdirectory\fR] [\fB\-f\fR \fIfilter\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0
.PP
\&\fBsudoreplay\fR [\fB\-d\fR \fIdirectory\fR] \-l [search expression]
.SH "DESCRIPTION"
.IX Item "-d directory"
Use \fIdirectory\fR to for the session logs instead of the default,
\&\fI/var/log/sudo\-io\fR.
+.IP "\-f \fIfilter\fR" 12
+.IX Item "-f filter"
+By default, \fBsudoreplay\fR will play back the command's standard
+output, standard error and tty output. The \fI\-f\fR option can be
+used to select which of these to output. The \fIfilter\fR argument
+is a comma-separated list, consisting of one or more of following:
+\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR.
.IP "\-l" 12
.IX Item "-l"
Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available
#define IOFD_TIMING 5
#define IOFD_MAX 6
+/* Bitmap of iofds to be replayed */
+unsigned int replay_filter = (1 << IOFD_STDOUT) | (1 << IOFD_STDERR) |
+ (1 << IOFD_TTYOUT);
+
/* For getopt(3) */
extern char *optarg;
extern int optind;
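Review bot: The new `replay_filter` bitmap is defined with external linkage although its only visible users are the option parser and the open/replay loops in this same file, so it leaks a generic name into the global namespace and can collide with any other object named `replay_filter` at link time. Unless another translation unit is meant to read it (nothing in the visible hunks suggests so), declare it `static unsigned int replay_filter = (1 << IOFD_STDOUT) | (1 << IOFD_STDERR) | (1 << IOFD_TTYOUT);`. A one-line comment noting that bits follow the IOFD_* numbering and that the timing stream is always opened regardless of this mask would also help the next reader of the open loop.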
setprogname(argc > 0 ? argv[0] : "sudoreplay");
#endif
- while ((ch = getopt(argc, argv, "d:lm:s:V")) != -1) {
+ while ((ch = getopt(argc, argv, "d:f:lm:s:V")) != -1) {
switch(ch) {
case 'd':
session_dir = optarg;
break;
+ case 'f':
+ /* Set the replay filter. */
+ replay_filter = 0;
+ for (cp = strtok(optarg, ","); cp; cp = strtok(NULL, ",")) {
+ if (strcmp(cp, "stdout") == 0)
+ SET(replay_filter, 1 << IOFD_STDOUT);
+ else if (strcmp(cp, "stderr") == 0)
+ SET(replay_filter, 1 << IOFD_STDERR);
+ else if (strcmp(cp, "ttyout") == 0)
+ SET(replay_filter, 1 << IOFD_TTYOUT);
+ else
+ errorx(1, "invalid filter option: %s", optarg);
+ }
+ break;
case 'l':
listonly = 1;
break;
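Review bot: The `errorx(1, "invalid filter option: %s", optarg)` in the new `case 'f'` reports the wrong text, because `strtok` has already replaced the first comma in `optarg` with a NUL, so `-f stdout,bogus` is rejected with "invalid filter option: stdout" rather than naming `bogus`; the offending token is `cp`, so use `errorx(1, "invalid filter option: %s", cp);`. Separately, an empty or comma-only argument (`-f ""`, `-f ,`) makes `strtok` return NULL immediately and leaves `replay_filter` at 0, so sudoreplay silently replays nothing; a guard after the loop such as `if (replay_filter == 0) errorx(1, "no valid filter specified");` turns that into a clear error. Note that `strtok` also rewrites the argv string in place, which is harmless here only because `optarg` is not used again after the loop.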
id, &id[2], &id[4], strerror(ENAMETOOLONG));
plen -= 7;
- /* Open files for replay */
+ /* Open files for replay, applying replay filter for the -f flag. */
for (idx = 0; idx < IOFD_MAX; idx++) {
- /* Don't support replaying input. */
- if (idx == IOFD_STDIN || idx == IOFD_TTYIN)
- continue;
- io_fds[idx].v = open_io_fd(path, plen, io_fnames[idx]);
- if (io_fds[idx].v == NULL)
- error(1, "unable to open %s", path);
+ if (ISSET(replay_filter, 1 << idx) || idx == IOFD_TIMING) {
+ io_fds[idx].v = open_io_fd(path, plen, io_fnames[idx]);
+ if (io_fds[idx].v == NULL)
+ error(1, "unable to open %s", path);
+ }
}
/* Read log file. */
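Review bot: Streams not selected by the filter are simply skipped in the new loop, so `io_fds[idx].v` for those indices is whatever it held before; the later "not replaying" test (outside this hunk) relies on it being NULL, which only holds if `io_fds` is zero-initialized static storage and this function runs once. Making the intent explicit removes that dependency and documents it: add `else io_fds[idx].v = NULL; /* skipped by -f filter */` as the else branch of the `ISSET(...) || idx == IOFD_TIMING` check. The enclosing function starts before this hunk, so I cannot confirm from here how `io_fds` is declared.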
to_wait = max_wait;
delay(to_wait);
- /* We don't replay input (but we still have to delay). */
- if (idx == IOFD_STDIN || idx == IOFD_TTYIN)
+ /* Even if we are not relaying, we still have to delay. */
+ if (io_fds[idx].v == NULL)
continue;
/* All output is sent to stdout. */
- /* XXX - add flags to allow use to select which ones */
while (nbytes != 0) {
if (nbytes > sizeof(buf))
len = sizeof(buf);
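Review bot: The replacement comment `/* Even if we are not relaying, we still have to delay. */` has a typo and no longer says why the stream would be unopened; since the condition now keys off the file handle rather than the fd index, the reader needs the link to `-f`. Suggest `/* Streams excluded by the -f filter were never opened; still honour the delay. */`. Note this `io_fds[idx].v == NULL` test silently covers both filtered-out streams and stdin/ttyin, which the old explicit index check made visible, so the comment should mention input is never replayed either.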