[sudo-users] sudoreplay with argument command not working?

Todd C. Miller Todd.Miller at sudo.ws
Fri Jul 6 20:07:40 MDT 2018


I spoke too soon; since sudoreplay does a depth-first traversal, it
will find I/O logs in non-default locations as long as they are
somewhere under the default I/O log directory.

However, it will only find the command that was initially run via
sudo.  In other words, if the session was for a shell, sudoreplay
will not find commands run from within that shell.  There is no
full-text search of the I/O logs.

The I/O logs are just gzip'd files so you could use something like
zgrep to search for specific strings within the logs.

 - todd
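
As an added example (not part of the original message and not code from the sudo project): a shell function that performs the string search suggested above across every session under an I/O log directory and reports the command sudo initially ran for each hit. The per-session layout, the three-line plain-text `log` file, and the two sample sessions are assumptions constructed for the illustration; `gzip -dc | grep` stands in for zgrep.

```shell
#!/bin/sh
# Added example: search sudo I/O logs for a literal string and report the
# session it belongs to. Assumes one directory per session holding a
# plain-text "log" file (line 3 = command run via sudo) and gzip'd streams.

# search_iolog DIR STRING
# Prints "<session dir><TAB><stream file><TAB><initial command>" per match.
search_iolog() {
    root=$1 needle=$2
    find "$root" -type f \( -name ttyout -o -name ttyin -o -name stdout \
            -o -name stdin -o -name stderr \) | sort |
    while IFS= read -r f; do
        # -a: terminal data contains escape sequences, treat it as text
        # -F: match the string literally, not as a regular expression
        if gzip -dc "$f" 2>/dev/null | grep -aqF -- "$needle"; then
            session=$(dirname "$f")
            cmd=$(sed -n 3p "$session/log" 2>/dev/null)
            printf '%s\t%s\t%s\n' "$session" "$(basename "$f")" "$cmd"
        fi
    done
}

# make_sample DIR
# Builds two constructed sessions: a root shell in which a file was read,
# and a single non-interactive command.
make_sample() {
    mkdir -p "$1/00/00/01" "$1/00/00/02"
    printf '1530929260:alice:root::/dev/pts/0\n/home/alice\n/bin/bash\n' \
        > "$1/00/00/01/log"
    printf 'root# cat /etc/shadow\r\nroot# exit\r\n' | gzip -c \
        > "$1/00/00/01/ttyout"
    printf '1530929300:bob:root::/dev/pts/1\n/home/bob\n/usr/bin/id\n' \
        > "$1/00/00/02/log"
    printf 'uid=0(root) gid=0(root)\r\n' | gzip -c > "$1/00/00/02/ttyout"
}

# Demo on the constructed data: the hit is inside the /bin/bash session,
# which a search on the initial command alone would not reveal.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
search_iolog "$demo_dir" '/etc/shadow'
rm -rf "$demo_dir"
```

The terminal streams record output and keystrokes as they occurred, escape sequences included, so a command that was edited while being typed may not appear as one contiguous string.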

