# Sudo Replay Notes.md

`sudoreplay` replays the I/O logs that sudo records for commands run through it (in this setup that is how the SSH sessions get captured, since they run under sudo). https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

## Viewing replays

02/01/2020

Replays live under /var/log/sudo-io.

```
man sudoreplay

# list replays for one user
sudoreplay -l user brad_poulton

# list everything
sudoreplay -l

# replay a session by its TSID
sudoreplay 000154

# speed things up: -m .5 caps the pause between key presses at 0.5 s, -s 2 plays at 2x speed
# (options go before the ID)
sudoreplay -m .5 -s 2 000154
```

## Cleaning up unwanted replays

Replays are stored in /var/log/sudo-io, with one directory per replay. A given replay has a `TSID` like `TSID=BEEF01`; sudo splits the six characters into three path components, so the log lives in `/var/log/sudo-io/BE/EF/01`. To get rid of that replay, remove that directory.

If you're looking for replays by some (greppable) criteria, this pulls the `TSID=` field out of `sudoreplay -l`, turns it into the directory path and sizes each one:

```
sudoreplay -l | grep -E rsync | awk -F\; '{ print $4 }' | awk -F= '{ print $2 }' | sed -e "s#\(\S\S\)\(\S\S\)\(\S\S\)#/var/log/sudo-io/\1/\2/\3#" | xargs du -hsxc
```

Replace `du -hsxc` with `rm -rf` (or whatever) once the list looks right. The `$4` depends on `TSID=` being the fourth `;`-separated field of the listing, so check the `sudoreplay -l` output on the box first.

## Preventing future replay logging for certain commands

The current logging setup is in `msoc-infrastructure/salt/fileroots/os_modifications/files/sudo/redhat/sudoers.d/95-scaleft`. The `Defaults log_output` line means everything is logged by default, but individual commands can be excluded from logging like so:

```
Cmnd_Alias SFTP_AS = /bin/bash -c /usr/libexec/openssh/sftp-server
Cmnd_Alias NO_LOG = /bin/sudoreplay
Cmnd_Alias RSYNC = /bin/rsync --server

Defaults! SFTP_AS !log_output
Defaults! NO_LOG !log_output
Defaults! RSYNC !log_output
Defaults log_output
```

Individual commands that should be excluded regardless of their arguments can be added to the `NO_LOG` alias. For example, we don't need to log the output of `sudoreplay` no matter what its arguments are.

When you want "don't log this command only with certain arguments", you need a separate `Cmnd_Alias` for that command-plus-arguments and its own `Defaults!` line. The two exclamation marks do different jobs: `Defaults!` followed by a command list (here a `Cmnd_Alias`) scopes the defaults that follow to just those commands, and the `!` in front of `log_output` negates the boolean flag, so `Defaults! RSYNC !log_output` reads "for commands matching RSYNC, turn log_output off". Command-specific Defaults are applied after the generic ones, so they win over the plain `Defaults log_output` regardless of line order.

Two caveats. First, when a `Cmnd_Alias` entry includes arguments, sudo matches them exactly: `/bin/rsync --server` only matches an invocation whose arguments are exactly `--server`; to cover extra trailing arguments, add a wildcard (`/bin/rsync --server *`). Second, syntax-check the file with `visudo -cf <file>` before rolling it out, since a broken sudoers.d file breaks sudo for everyone.
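The following is an added example for the "Cleaning up unwanted replays" section above; it is not part of the original notes. It does the same job as the `grep`/`awk`/`sed`/`xargs` pipeline but pulls the `TSID=` and `COMMAND=` fields out by name (so a shifted column count doesn't silently select the wrong field), maps each TSID to its directory, and keeps the destructive step behind an explicit `ACTION=rm`. It assumes sudo's default `iolog_dir` of /var/log/sudo-io (override with `IOLOG_DIR`) and the `sudoreplay -l` line format shown in `SAMPLE_LISTING`, which is constructed sample data, not real output from the hosts.

```sh
#!/bin/sh
# Added example (not from the original notes): map `sudoreplay -l` output to the
# on-disk I/O log directories so they can be sized or removed.
# Assumption: iolog_dir is /var/log/sudo-io unless IOLOG_DIR says otherwise.

IOLOG_DIR="${IOLOG_DIR:-/var/log/sudo-io}"

# Constructed sample of `sudoreplay -l` output, used only for the offline demo below.
SAMPLE_LISTING='Feb  1 10:12:03 2020 : brad_poulton : TTY=/dev/pts/0 ; CWD=/home/brad_poulton ; USER=root ; TSID=BEEF01 ; COMMAND=/bin/rsync --server -logDtpre.iLsfxC . /srv/backup
Feb  1 10:15:44 2020 : brad_poulton : TTY=/dev/pts/1 ; CWD=/home/brad_poulton ; USER=root ; TSID=BEEF02 ; COMMAND=/bin/bash -c /usr/libexec/openssh/sftp-server
Feb  1 10:20:09 2020 : brad_poulton : TTY=/dev/pts/0 ; CWD=/home/brad_poulton ; USER=root ; TSID=000154 ; COMMAND=/bin/vim /etc/hosts'

# tsid_to_dir BEEF01 -> /var/log/sudo-io/BE/EF/01
# (sudo splits the 6-character TSID into three 2-character path levels)
tsid_to_dir() {
    tsid=$1
    [ "${#tsid}" -eq 6 ] || { echo "bad TSID: $tsid" >&2; return 1; }
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" \
        "$(printf '%s' "$tsid" | cut -c1-2)" \
        "$(printf '%s' "$tsid" | cut -c3-4)" \
        "$(printf '%s' "$tsid" | cut -c5-6)"
}

# Read `sudoreplay -l` lines on stdin and print the replay directory of every
# entry whose COMMAND= field matches the extended regex in $1.
replay_dirs_matching() {
    pattern=$1
    while IFS= read -r line; do
        tsid=$(printf '%s\n' "$line" | sed -n 's/.*TSID=\([0-9A-Z]\{6\}\).*/\1/p')
        cmd=$(printf '%s\n' "$line" | sed -n 's/.*COMMAND=//p')
        [ -n "$tsid" ] || continue   # skip anything that isn't a log entry
        if printf '%s\n' "$cmd" | grep -Eq -- "$pattern"; then
            tsid_to_dir "$tsid"
        fi
    done
}

# Size (default) or delete (ACTION=rm) every replay whose command matches $1.
# This is the only function that touches the real log directory.
prune_replays() {
    pattern=$1
    sudoreplay -l | replay_dirs_matching "$pattern" | while IFS= read -r dir; do
        case "${ACTION:-du}" in
            du) du -hsx -- "$dir" ;;
            rm) rm -rf -- "$dir" ;;
            *)  echo "ACTION must be du or rm" >&2; return 1 ;;
        esac
    done
}

# Offline demo on the constructed sample: which directories would an
# rsync/sftp cleanup touch? (prints BE/EF/01 and BE/EF/02, not 00/01/54)
printf '%s\n' "$SAMPLE_LISTING" | replay_dirs_matching 'rsync|sftp-server'
```

Usage on a real host is `prune_replays rsync` to see sizes, then `ACTION=rm prune_replays rsync` once the list looks right; the dry-run default is deliberate, because a typo in the pattern against `rm -rf` would wipe audit evidence you can't get back.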