sudoreplay
Replay previous sudo command executions
SYNOPSIS
sudoreplay [-d directory] [-f format] [-i ID] [-F] [-l] [-L] [-P] [-s seconds] [-T seconds] [-z] [ID]
PARAMETERS
-d directory
Specify an alternate base directory for session recordings. Defaults to /var/log/sudo-io.
-f format
Specify the output format for listings. Typically 'log' for traditional format or 'json' for JSON output.
-i ID
Replay the session specified by its unique ID. The ID is a hexadecimal string (e.g., '012345ABCD').
-F
Fast-forward mode. Skip delays between commands and output, playing the session as quickly as possible.
-l
List all available session IDs recorded in the specified directory. This is useful for identifying sessions to replay.
-L
List available sessions with more verbose details, including user, host, command, and start time.
-P
Display a progress indicator while playing back a session, showing the current time offset.
-s seconds
Start playing the session at the specified time offset in seconds from the beginning.
-T seconds
Stop playing the session at the specified time offset in seconds from the beginning.
-z
Decompress recording files if they are stored in a compressed format (e.g., gzip).
ID
The unique session ID to replay. This can be provided as a positional argument if -i is not used.
DESCRIPTION
sudoreplay is a command-line utility used to replay command sessions recorded by sudo. When sudo is configured to log all user input and output, sudoreplay can be used to reconstruct the exact terminal session, including keystrokes, screen output, and timings. This feature is invaluable for security auditing, incident response, training, and troubleshooting. It helps administrators understand what commands were executed, the context in which they were run, and the precise sequence of events during a privileged session. sudoreplay can play back sessions at normal speed, fast-forward, or even start/stop at specific time offsets within the recording.
CAVEATS
For sudoreplay to function, sudo must be configured to log session I/O in the /etc/sudoers file (e.g., using the log_output and log_input options).
The user running sudoreplay must have appropriate read permissions to the session recording files and directories, which are typically restricted for security reasons.
Replaying very large or long sessions can consume significant system resources and time.
SESSION IDS
Each recorded session is assigned a unique, timestamp-based hexadecimal ID (e.g., '20231027153012ABCD'). These IDs are crucial for specifying which session to replay.
RECORDING FORMAT
Session recordings are stored as a series of files (e.g., log, stdin, stdout, stderr, ttyin, timing) within a directory structure, organized by the session ID. The timing file is especially important as it contains the precise delays between events, allowing for accurate replay.
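To make the role of the timing file concrete, the following Python script is an added example (not part of sudo or sudoreplay) that walks a timing file, slices each payload out of its stream file, and keeps only the events inside a start/stop window, mirroring the -s and -T offsets above. The record layout assumed here ("<stream> <delay since previous event> <nbytes>", streams numbered 0=stdin, 1=stdout, 2=stderr, 3=ttyin, 4=ttyout, with 6 and 7 as payload-free control records), the stream-file names and the sample session are all assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed stream numbering; 6 (window size) and 7 (suspend) carry no payload.
STREAM_NAMES = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout"}


@dataclass
class Event:
    offset: float   # seconds since the session started
    stream: str
    data: bytes


def parse_timing(timing_text: str) -> List[Tuple[int, float, int]]:
    """Each record is '<stream> <delay-since-previous-event> <nbytes>'."""
    records = []
    for lineno, line in enumerate(timing_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"timing line {lineno}: malformed record {line!r}")
        records.append((int(fields[0]), float(fields[1]), int(fields[2])))
    return records


def reconstruct(timing_text: str, streams: Dict[str, bytes],
                start: float = 0.0, stop: Optional[float] = None) -> List[Event]:
    """Slice each payload out of its stream file in timing order and keep the
    events whose offset lies in [start, stop], like the -s / -T offsets."""
    cursors = {name: 0 for name in STREAM_NAMES.values()}
    clock, events = 0.0, []
    for stream_id, delay, nbytes in parse_timing(timing_text):
        clock += delay
        name = STREAM_NAMES.get(stream_id)
        if name is None:
            continue  # control record: advances the clock, nothing to show
        pos = cursors[name]
        chunk = streams.get(name, b"")[pos:pos + nbytes]
        if len(chunk) != nbytes:
            raise ValueError(f"{name} file truncated at byte {pos}")
        cursors[name] = pos + nbytes
        if clock >= start and (stop is None or clock <= stop):
            events.append(Event(round(clock, 3), name, chunk))
    return events


def duration(timing_text: str) -> float:
    return round(sum(delay for _, delay, _ in parse_timing(timing_text)), 3)


# Constructed sample session: prompt, user types "ls", output, window resize.
TIMING = "1 0.000 2\n3 1.250 3\n1 0.050 4\n1 0.400 12\n6 0.100 24 80\n1 0.010 2\n"
STREAMS = {"stdout": b"# ls\r\nsecret.txt\r\n# ", "ttyin": b"ls\r"}
```

A truncated stream file is reported rather than silently replayed short, which is the check worth having when a recording is being used as evidence.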
HISTORY
sudoreplay is an integral part of the sudo project, developed to enhance the auditing capabilities of privileged command execution. Its introduction provided a powerful mechanism for accountability and forensic analysis, moving beyond simple command logging to full session reconstruction. This feature became increasingly important for compliance with security standards and for detailed incident investigations, making its debut with sudo versions that supported I/O logging.
SEE ALSO
sudo(8), sudoers(5)