Recording Sessions with Sudoreplay

While looking into a way to record a terminal session I came across sudoreplay. Sudoreplay is something some of you may already know, some may have known but forgotten, and for some it might be brand new. I was part of the last group.

Here is the man page if you want to read up on it quickly.

http://bit.ly/man-sudoreplay

For Linux system administration there are a couple of ways to grant a regular user the ability to elevate their privileges to the super user, a.k.a. root. If you are unfamiliar with this concept I suggest the following reading from Red Hat's Systems Administrator Guide.

http://bit.ly/gaining-privileges

Each environment is different and has its own set of requirements. Sometimes an administrator will grant sudo access but prevent the user from executing the su command, as in the example below.

# sudo su -

If the user is allowed to execute sudo su - then none of the subsequent commands will be logged to the security log, because they are executed from the resulting root login shell rather than through sudo.

This is where sudoreplay comes into the picture. By adding the following lines to the /etc/sudoers configuration, the terminal output of each sudo session will be logged to /var/log/sudo-io.

Defaults log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output

In our configuration we place these lines in /etc/sudoers.d/logging, because that is easier to manage and keeps us from having to edit the stock configuration file (a good practice in and of itself).

There is plenty to explore here, but for the sake of brevity I’ll just scratch the surface of listing and replaying the sessions.

Listing Available Sessions

The sudoreplay logs are stored under /var/log/sudo-io, and the individual sessions are stored in numbered directories within it.

# sudoreplay -l
Jan  9 17:44:19 2018 : vagrant : TTY=/dev/pts/0 ; CWD=/home/vagrant ; USER=root ; TSID=000001 ; COMMAND=/bin/su -
Jan  9 18:12:15 2018 : vagrant : TTY=/dev/pts/0 ; CWD=/home/vagrant ; USER=root ; TSID=000002 ; COMMAND=/bin/su -
Jan  9 18:12:22 2018 : root : TTY=/dev/pts/1 ; CWD=/root ; USER=root ; TSID=000003 ; COMMAND=/bin/cat /etc/passwd
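As an added example (not from the post or from the sudo project), here is a small Python parser for the sudoreplay -l listing format shown above. It flags sessions whose COMMAND is a shell such as /bin/su -, because those are exactly the sessions whose later commands never reach the security log and can only be reviewed by replaying the TSID. The sample listing is constructed from the lines above, and the set of shell commands is an assumption you would tune to your own hosts.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines in the shape `sudoreplay -l` prints
# (copied from the listing in the post, trailing whitespace removed).
SAMPLE_LISTING = """\
Jan  9 17:44:19 2018 : vagrant : TTY=/dev/pts/0 ; CWD=/home/vagrant ; USER=root ; TSID=000001 ; COMMAND=/bin/su -
Jan  9 18:12:15 2018 : vagrant : TTY=/dev/pts/0 ; CWD=/home/vagrant ; USER=root ; TSID=000002 ; COMMAND=/bin/su -
Jan  9 18:12:22 2018 : root : TTY=/dev/pts/1 ; CWD=/root ; USER=root ; TSID=000003 ; COMMAND=/bin/cat /etc/passwd
"""

# Assumed list of programs that hand the caller an interactive shell; everything
# typed inside that shell exists only in the I/O log, not in the per-command audit trail.
SHELL_COMMANDS = {"/bin/su", "/usr/bin/su", "/bin/bash", "/bin/sh"}

LINE_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<caller>\S+) : "
    r"TTY=(?P<tty>\S+) ; CWD=(?P<cwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"TSID=(?P<tsid>\S+) ; COMMAND=(?P<command>.*)$"
)

@dataclass
class Session:
    when: str
    caller: str
    tty: str
    cwd: str
    runas: str
    tsid: str
    command: str

    @property
    def spawns_shell(self) -> bool:
        # The first word of COMMAND is the program path; `su -` and friends qualify.
        parts = self.command.split()
        return bool(parts) and parts[0] in SHELL_COMMANDS

def parse_listing(text: str) -> list[Session]:
    """Parse `sudoreplay -l` output; lines that do not match the format are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            sessions.append(Session(**m.groupdict()))
    return sessions

def shell_session_tsids(text: str) -> list[str]:
    """TSIDs worth replaying in full because the recorded command was an interactive shell."""
    return [s.tsid for s in parse_listing(text) if s.spawns_shell]
```

To use it on a real host, save the output of sudoreplay -l to a file and pass its contents to shell_session_tsids(); each returned TSID can then be handed to sudoreplay for review.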

Replaying the Sessions

Sessions can be replayed with sudoreplay by passing the TSID value from the listing above. Keep in mind that viewing a session does not execute the commands again; it only replays the recorded session.

# sudoreplay 000003

We can take a bit more control over the playback with the -m (max_wait) and -s (speed_factor) flags. For example, to run at 2x speed and trim any pause longer than 2 seconds we could do the following.

# sudoreplay -m 2 -s 2 000003

While replaying we can control the speed of the replay as follows.

' ' - (space) - Pause the replay
'<' - Reduce the playback speed by half
'>' - Double the playback speed

At this point you may be asking, 'why or where would you use this?' Like most technologies, your usage will vary depending on your use case.

For me, I am using sudoreplay to record sessions for training purposes. This gives me a chance to review how someone solved a problem, or at least what their approach was.

Let me know how you are using it or how you would consider using it.

Go be bad at something.
-Alex