sudoreplay

sudoreplay [-d delay] [-e command_number] [-f] [-h] [-i idle_delay] [-l line_length] [-m max_wait] [-n] [-o output_file] [-p percent] [-q] [-r rate] [-s start_time] [-u user] [-V] [session_id | tty]

-d delay
    Sets the initial replay delay in seconds. Defaults to 3 seconds.

-e command_number
    Replays a specific command_number from the session. Can be specified multiple times to replay a set of commands.

-f
    Force replay even if the session is incomplete.

-h
    Displays help message and exit.

-i idle_delay
    Sets the idle_delay in seconds. Defaults to 0.5 seconds.

-l line_length
    Sets the line_length for output. Defaults to 80.

-m max_wait
    Sets the maximum wait time in seconds for a command to complete before skipping it. Defaults to 5 seconds.

-n
    No replay; only print the session details.

-o output_file
    Saves the replay output to output_file instead of displaying on the terminal.

-p percent
    Replays only a percentage of the session.

-q
    Quiet mode; suppress informational messages.

-r rate
    Sets the replay rate as a percentage. Defaults to 100.

-s start_time
    Starts the replay from a specific start_time within the session.

-u user
    Replays all sessions from a specific user.

-V
    Displays version information and exit.

session_id
    The session ID to replay. This can be found in the sudo logs.

tty
    Replays the last session from the specified tty.

The sudoreplay command allows you to replay sudo sessions. It retrieves session data from the sudo logs, effectively recreating the user's terminal activity. This can be useful for auditing, training, or troubleshooting. You can replay sessions by session ID, user, or tty. sudoreplay supports various options to control the replay speed, output, and filtering of commands. Important: The target computer must have the same users as the computer the command was run on. Replay is often done on a similar environment for testing and audit purposes. sudoreplay is a powerful tool for analyzing sudo usage and identifying potential security risks.

The effectiveness of sudoreplay depends on the completeness and availability of the sudo logs. Incomplete or missing logs will result in incomplete or failed replays. The output_file parameter doesn't handle all command outputs very well and requires manual analysis.
The command requires that the target computer has the same users than the original one.

The session ID is a unique identifier assigned to each sudo session. It's typically found in the sudo logs, which are often located in /var/log/auth.log or a similar location, depending on the system's configuration. Inspecting these logs is crucial for identifying specific sessions you want to replay.

The -r and -i options allow you to control the replay speed. -r adjusts the overall replay rate as a percentage, while -i adjusts the idle time between commands. Experimenting with these options can help you find a replay speed that's suitable for your analysis.

sudoreplay is part of the sudo suite of utilities, developed to enhance security and auditing capabilities for privileged commands. It has evolved alongside sudo to provide a way to reconstruct and analyze user activity within sudo sessions, providing insights into command usage and potential security incidents.

sudo(8), visudo(8)