Sudo Replay Notes.md

sudoreplay replays the I/O logs that sudo records for a session (for us, the SSH sessions that go through sudo).

https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

Viewing replays

02/01/2020

I/O logs live under /var/log/sudo-io


man sudoreplay
sudoreplay -l user brad_poulton      # list sessions for one user
sudoreplay -l                        # list all sessions
sudoreplay <TSID>                    # replay one session by its TSID
sudoreplay 000154

# speed things up: 2x speed (-s) and at most .5 seconds of idle time between key presses (-m).
# Options go before the TSID.
sudoreplay -m .5 -s 2 000154

Cleaning up unwanted replays

Replays are stored in /var/log/sudo-io, with one directory per replay. A given replay has a TSID like TSID=BEEF01; this maps to the directory /var/log/sudo-io/BE/EF/01. If you want to get rid of that replay you can just remove that directory. If you're looking for replays by some (greppable) criteria, this pipeline takes the 4th ;-separated field (TSID=xxxxxx) of each matching listing line and turns it into the directory path:


sudoreplay -l \
| egrep rsync \
| awk -F\; '{ print $4 }' \
| awk -F= '{ print $2 }' \
| sed -e "s#\(\S\S\)\(\S\S\)\(\S\S\)#/var/log/sudo-io/\1/\2/\3#" \
| xargs du -hsxc

du -hsxc only reports the size of each replay directory; replace it with rm -r (or whatever) to actually delete them.
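The same TSID-to-directory mapping as a small POSIX sh script, added here as an example (not part of the original notes) so it can be tested against a constructed `sudoreplay -l` listing without a sudo install. It assumes the default iolog directory /var/log/sudo-io (overridable via IOLOG_DIR) and the 6-character TSID layout described above; the two listing lines are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: map sudoreplay -l output lines
# to their I/O log directories, so they can be sized or removed.

# Assumption: default sudo iolog_dir; override with IOLOG_DIR=... if different.
IOLOG_DIR="${IOLOG_DIR:-/var/log/sudo-io}"

# Constructed sample of `sudoreplay -l` output (sudo 1.8 line format).
SAMPLE_LISTING=$(cat <<'EOF'
Feb  1 10:15:22 2020 : brad_poulton : TTY=/dev/pts/0 ; CWD=/home/brad_poulton ; USER=root ; TSID=000154 ; COMMAND=/bin/rsync --server -logDtpre.iLsfxC . /srv/backup
Feb  1 10:20:05 2020 : brad_poulton : TTY=/dev/pts/1 ; CWD=/home/brad_poulton ; USER=root ; TSID=BEEF01 ; COMMAND=/bin/bash
EOF
)

# Print the TSID of one listing line (empty output if the line has none).
tsid_of_line() {
    printf '%s\n' "$1" | sed -n 's/.*TSID=\([A-Za-z0-9]\{6\}\).*/\1/p'
}

# Turn a 6-character TSID such as BEEF01 into $IOLOG_DIR/BE/EF/01.
tsid_to_dir() {
    _t="$1"
    case "$_t" in
        ??????) ;;
        *) echo "tsid_to_dir: expected a 6-character TSID, got '$_t'" >&2; return 1 ;;
    esac
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" \
        "$(printf '%s' "$_t" | cut -c1-2)" \
        "$(printf '%s' "$_t" | cut -c3-4)" \
        "$(printf '%s' "$_t" | cut -c5-6)"
}

# Read a listing on stdin, keep lines matching the egrep pattern in $1,
# and print one I/O log directory per matching session.
dirs_matching() {
    grep -E -- "$1" | while IFS= read -r _line; do
        _tsid=$(tsid_of_line "$_line")
        [ -n "$_tsid" ] && tsid_to_dir "$_tsid"
    done
}

# Usage on a real host:  sudoreplay -l | dirs_matching rsync | xargs du -hsxc
# Demo against the constructed listing:
printf '%s\n' "$SAMPLE_LISTING" | dirs_matching rsync
```

Unlike the awk-based one-liner, tsid_of_line keys on the TSID= label rather than on field position, so it still works if a sudo version inserts an extra field (such as GROUP=) before TSID.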

Preventing future replay logging for certain commands

The current logging setup is in msoc-infrastructure/salt/fileroots/os_modifications/files/sudo/redhat/sudoers.d/95-scaleft. The Defaults log_output line means everything is logged by default, but individual commands can be excluded from logging like so:

Cmnd_Alias SFTP_AS = /bin/bash -c /usr/libexec/openssh/sftp-server
Cmnd_Alias NO_LOG = /bin/sudoreplay
Cmnd_Alias RSYNC = /bin/rsync --server
Defaults! SFTP_AS !log_output
Defaults! NO_LOG !log_output
Defaults! RSYNC !log_output
Defaults log_output

Individual commands that should be excluded regardless of their arguments can be added to the NO_LOG alias; for example we never need the output of sudoreplay logged, whatever its arguments are. But when you want "don't log this command only when it is run with particular arguments", you need a separate Cmnd_Alias whose entry spells out those arguments (as RSYNC and SFTP_AS do above) and a Defaults! line for it. The `!` after Defaults is what scopes those defaults to the named command alias, and the `!` in front of log_output is what turns logging off for it.