Posted: . At: 3:49 PM. This was 2 years ago. Post ID: 16538

How to set up sudoreplay on Ubuntu and playback a sudo session.

The sudoreplay command can play back sudo session logs. To set this up, first run the sudo visudo command to edit the /etc/sudoers file safely.

Then add these lines to the end of the file.

Defaults log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output

Then save and exit. The first line turns on I/O logging for every sudo command; the two lines that follow exempt sudoreplay itself and reboot from output logging. Now it is all set up. Once this was enabled, I ran the sudo mc command and this was recorded in the new log directory, /var/log/sudo-io.

This is an example of the usage of this new utility.

jason@jason-Lenovo-H50-55:~$ sudo sudoreplay -l
Aug 10 15:28:11 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000001 ; COMMAND=/usr/bin/mc

Another example, looking for a specific command.

jason@jason-Lenovo-H50-55:~$ sudo sudoreplay -l user jason command mc
Aug 10 15:28:11 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000001 ; COMMAND=/usr/bin/mc

How to print all instances of sudo usage from a certain time-frame.

jason@jason-Lenovo-H50-55:~$ sudo sudoreplay -l fromdate "8 minutes ago"
Aug 10 15:37:12 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000002 ; COMMAND=/usr/bin/apt install xephem
Aug 10 15:37:18 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000003 ; COMMAND=/usr/bin/apt install celestia
Aug 10 15:37:54 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000004 ; COMMAND=/usr/bin/apt update

To replay a sudo session, run sudoreplay like this. This replays the session whose TSID equals 000004. Of course you would run the sudoreplay command with -l first to list the sessions and find out what the commands are.

jason@jason-Lenovo-H50-55:~$ sudo sudoreplay  000004
Replaying sudo session: /usr/bin/apt update
Hit:1 http://au.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://au.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://au.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://security.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
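As an added example (not from the original post): a small POSIX shell helper that parses the one-line listing format printed by sudoreplay -l, as shown above, to find which TSID to replay for a given command. The log lines below are constructed in the same format as the post's output, so the script runs without sudo or a real /var/log/sudo-io.

```shell
#!/bin/sh
# Parse `sudoreplay -l` listing lines and pick out sessions by command.
# Constructed sample input in the same format as the post's output.
SAMPLE_LOG='Aug 10 15:28:11 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000001 ; COMMAND=/usr/bin/mc
Aug 10 15:37:12 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000002 ; COMMAND=/usr/bin/apt install xephem
Aug 10 15:37:54 2022 : jason : TTY=/dev/pts/0 ; CWD=/home/jason ; USER=root ; TSID=000004 ; COMMAND=/usr/bin/apt update'

# Read listing lines on stdin; print "TSID COMMAND" for every session whose
# program basename equals $1 (e.g. "apt" matches /usr/bin/apt update).
sessions_running() {
    awk -v want="$1" -F' ; ' '
    {
        tsid = ""; cmd = ""
        # Fields after splitting on " ; " look like KEY=value.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^TSID=/)    tsid = substr($i, 6)   # drop "TSID="
            if ($i ~ /^COMMAND=/) cmd  = substr($i, 9)   # drop "COMMAND="
        }
        split(cmd, argv, " ")            # argv[1] is the full program path
        n = split(argv[1], path, "/")    # path[n] is its basename
        if (n > 0 && path[n] == want) print tsid " " cmd
    }'
}

# TSID of the most recent session running $1 (listing is chronological),
# i.e. the argument you would pass to `sudo sudoreplay <TSID>`.
latest_tsid_for() {
    sessions_running "$1" | tail -n 1 | cut -d' ' -f1
}

# Stand-alone demonstration on the constructed sample.
if [ "${DEMO:-1}" = 1 ]; then
    printf '%s\n' "$SAMPLE_LOG" | sessions_running apt
    printf 'replay: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | latest_tsid_for apt)"
fi
```

On a real host, pipe `sudo sudoreplay -l` into sessions_running instead of the sample text.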
