sudoreplay
Replay previous sudo command executions
SYNOPSIS
sudoreplay [-d delay] [-e command_number] [-f] [-h] [-i idle_delay] [-l line_length] [-m max_wait] [-n] [-o output_file] [-p percent] [-q] [-r rate] [-s start_time] [-u user] [-V] [session_id | tty]
PARAMETERS
-d delay
Sets the initial replay delay in seconds. Defaults to 3 seconds.
-e command_number
Replays a specific command_number from the session. Can be specified multiple times to replay a set of commands.
-f
Force replay even if the session is incomplete.
-h
Displays the help message and exits.
-i idle_delay
Sets the idle_delay in seconds. Defaults to 0.5 seconds.
-l line_length
Sets the line_length for output. Defaults to 80.
-m max_wait
Sets the maximum wait time in seconds for a command to complete before skipping it. Defaults to 5 seconds.
-n
No replay; only print the session details.
-o output_file
Saves the replay output to output_file instead of displaying on the terminal.
-p percent
Replays only a percentage of the session.
-q
Quiet mode; suppress informational messages.
-r rate
Sets the replay rate as a percentage. Defaults to 100.
-s start_time
Starts the replay from a specific start_time within the session.
-u user
Replays all sessions from a specific user.
-V
Displays version information and exits.
session_id
The session ID to replay. This can be found in the sudo logs.
tty
Replays the last session from the specified tty.
DESCRIPTION
The sudoreplay command allows you to replay sudo sessions. It retrieves session data from the sudo logs, effectively recreating the user's terminal activity. This can be useful for auditing, training, or troubleshooting. You can replay sessions by session ID, user, or tty. sudoreplay supports various options to control the replay speed, output, and filtering of commands. Important: the target computer must have the same users as the computer on which the command was run. Replay is often done in a similar environment for testing and audit purposes. sudoreplay is a powerful tool for analyzing sudo usage and identifying potential security risks.
CAVEATS
The effectiveness of sudoreplay depends on the completeness and availability of the sudo logs. Incomplete or missing logs will result in incomplete or failed replays. The output_file parameter doesn't handle all command outputs very well and requires manual analysis.
The command requires that the target computer has the same users as the original one.
SESSION IDENTIFICATION
The session ID is a unique identifier assigned to each sudo session. It's typically found in the sudo logs, which are often located in /var/log/auth.log or a similar location, depending on the system's configuration. Inspecting these logs is crucial for identifying specific sessions you want to replay.
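As an added example (not part of this manual page or of the sudo project), the following POSIX shell script pulls session IDs out of syslog-style sudo lines so that the right one can be handed to sudoreplay. It assumes the common sudo log format in which the session ID appears as a TSID= field alongside the TTY, USER and COMMAND fields; the log lines in SAMPLE_LOG are constructed for the example and do not come from a real system.

```shell
#!/bin/sh
# List sudo sessions that have a replayable session ID (TSID).
# Lines from other daemons, and sudo lines without a TSID field (for example
# when I/O logging was not enabled for that command), are skipped.

# Constructed sample log lines in the assumed sudo syslog format.
SAMPLE_LOG='Mar  3 10:15:02 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; TSID=000001 ; COMMAND=/bin/ls /etc
Mar  3 10:17:44 host1 sudo:      bob : TTY=pts/2 ; PWD=/tmp ; USER=root ; TSID=00000A ; COMMAND=/usr/bin/apt update
Mar  3 10:18:01 host1 sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  3 10:20:09 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id'

# list_sessions LOGTEXT
# Prints one "user tsid command" line per sudo entry carrying a TSID field.
list_sessions() {
    printf '%s\n' "$1" | awk '
        / sudo: / && / TSID=/ {
            line = $0
            # Drop the syslog prefix: "Mar  3 10:15:02 host1 sudo:    " -> "alice : TTY=..."
            sub(/^.* sudo: +/, "", line)
            # The invoking user is the token before the first " : " separator.
            split(line, parts, " : ")
            user = parts[1]
            # Session ID: text after "TSID=" up to the next " ; " separator.
            tsid = line
            sub(/^.*TSID=/, "", tsid)
            sub(/ ;.*$/, "", tsid)
            # The command is the last field, so everything after "COMMAND=".
            cmd = line
            sub(/^.*COMMAND=/, "", cmd)
            print user, tsid, cmd
        }'
}

# sessions_matching LOGTEXT PATTERN
# Narrows the list to sessions whose user or command matches PATTERN (an
# extended regular expression), which is how a reviewer finds the session
# ID to pass to sudoreplay.
sessions_matching() {
    list_sessions "$1" | grep -E -- "$2" || true
}

# Usage: show every replayable session, then only those involving apt.
list_sessions "$SAMPLE_LOG"
sessions_matching "$SAMPLE_LOG" 'apt'
```

The third column of the output is the session ID in the form sudoreplay expects; the lines without a TSID are the ones that cannot be replayed, which is exactly the gap the CAVEATS section warns about.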
REPLAY SPEED CONTROL
The -r and -i options allow you to control the replay speed. -r adjusts the overall replay rate as a percentage, while -i adjusts the idle time between commands. Experimenting with these options can help you find a replay speed that's suitable for your analysis.
HISTORY
sudoreplay is part of the sudo suite of utilities, developed to enhance security and auditing capabilities for privileged commands. It has evolved alongside sudo to provide a way to reconstruct and analyze user activity within sudo sessions, providing insights into command usage and potential security incidents.