SUDO I/O logs and TSID

I am new to sudo and trying to understand the details of sudo session logs, specifically about TSID.

I have a few questions:

  1. What does TSID stand for?
  2. It is a 6-character sequence which forms the directory structure - 0001A1: what does each pair of 2 characters signify?
  3. Any other content related to understanding TSID would be helpful.

edited Jul 5 at 6:24 by karel

asked Jul 5 at 2:45 by yellolion

1 Answer

accepted answer

          Background



          TSID is described in the sudoreplay man page as follows:




          The ID should either be a six character sequence of digits and upper case letters, e.g. 0100A5, or a pattern matching the iolog_file option in the sudoers file. When a command is run via sudo with log_output enabled in the sudoers file, a TSID=ID string is logged via syslog or to the sudo log file. The ID may also be determined using sudoreplay's list mode.




          You can use sudoreplay -l to list available sessions; to replay one, you'd run a command like this: sudoreplay <tsid>.



          Sample output



          I found sample output in an AU Q&A titled: How to make sudoreplay work:



          $ sudo sudoreplay -l
          Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -

          $ sudo sudoreplay 000001


          Further research



          If you look through the sudoers man page it explains what the TSID= is:




          Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with “TSID=”. The iolog_file option may be used to control the format of the session ID.




          NOTE: A similar paragraph is mentioned on both the log_input and log_output definitions.



          If you read further through the sudoers man page you'll discover that TSID= is also called logid:



          date hostname progname: username : TTY=ttyname ; PWD=cwd ; 
          USER=runasuser ; GROUP=runasgroup ; TSID=logid ;
          ENV=env_vars COMMAND=command


          Which leads to this:




          logid -
          An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.




          Initial thoughts...



          Most of the examples I've found show TSID= as either a sequence of numbers (000001) or as a sequence of numbers and letters (000AE1). Curiously I've always seen it with specific letters, mainly A-F, which would lead me to believe that it is either just an increasing integer or hex.



          In either case it doesn't appear to be a "smart numbering system" of any consequence.



          Look to the source code



          In grep'ing through the sudo code repo there's a NEWS file that states the following:




          • The sudoers policy now stores the TSID field in the logs
            even when the "iolog_file" sudoers option is defined to a value
            other than %sessid. Previously, the TSID field was only
            included in the log file when the "iolog_file" option was set
            to its default value.



          If you're curious, the source to the TSID= is located in the logging.c file.



          References



          • https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

          • https://www.freebsd.org/doc/handbook/security-sudo.html
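As an added example (not part of the question or the answer above), here is a parser for the log-line format quoted from sudoers(5) that pulls out the TSID= field and resolves each session's I/O log directory. With the default iolog_file of %{seq}, sudoers(5) describes the ID as a monotonically increasing base-36 number (digits and upper-case letters) whose two-character pairs become nested directories, e.g. 0100A5 lives under 01/00/A5, which is what the question's second point is asking about; the mapping does not apply when iolog_file is set to a custom pattern. The first sample line is the listing quoted in the answer; the host names, users and the other two lines are constructed.

```python
import posixpath
import re

# Constructed sample: line 1 is the sudoreplay -l listing quoted in the answer;
# lines 2 and 3 imitate the syslog format documented in sudoers(5). The third
# command was logged without a TSID (no log_input/log_output for that rule).
SAMPLE_LOG = """\
Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -
Jul  5 02:45:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; GROUP=wheel ; TSID=000AE1 ; ENV=FOO=bar COMMAND=/bin/ls -l /root
Jul  5 02:46:02 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
"""

# "username : TTY=..." is the stable part of both the syslog line and the
# sudoreplay listing, so anchor on it rather than on the date/host prefix.
LINE_RE = re.compile(r"(?P<user>[^\s:]+) : (?P<fields>TTY=.*)$")
# The default iolog_file is %{seq}: six base-36 digits (0-9, A-Z).
TSID_RE = re.compile(r"^[0-9A-Z]{6}$")
BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def parse_sudo_log_line(line):
    """Split one sudo log line into a dict of its KEY=value fields, or None."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    rec = {"user": m.group("user")}
    tokens = m.group("fields").split(" ; ")
    for i, token in enumerate(tokens):
        # ENV and COMMAND are separated by a plain space, not by " ; ".
        if token.startswith("ENV=") and " COMMAND=" in token:
            env, cmd = token.split(" COMMAND=", 1)
            rec["ENV"] = env[len("ENV="):]
            token = "COMMAND=" + cmd
        key, _, value = token.partition("=")
        if key == "COMMAND":
            # COMMAND is last; re-join in case the command itself contained " ; ".
            rec["COMMAND"] = " ; ".join([value] + tokens[i + 1:])
            break
        rec[key] = value
    return rec


def tsid_to_seq(tsid):
    """Decode a %{seq} session ID as the base-36 counter it encodes."""
    if not TSID_RE.match(tsid):
        raise ValueError(f"not a six-character %{{seq}} session ID: {tsid!r}")
    n = 0
    for ch in tsid:
        n = n * 36 + BASE36.index(ch)
    return n


def tsid_to_iolog_dir(tsid, iolog_dir="/var/log/sudo-io"):
    """Map a %{seq} session ID to its I/O log directory: two characters per level."""
    tsid_to_seq(tsid)  # validates the format before building a path from it
    return posixpath.join(iolog_dir, tsid[0:2], tsid[2:4], tsid[4:6])


def iolog_sessions(log_text, iolog_dir="/var/log/sudo-io"):
    """List (tsid, invoking user, run-as user, command, iolog dir) for replayable sessions."""
    sessions = []
    for line in log_text.splitlines():
        rec = parse_sudo_log_line(line)
        if rec is None or "TSID" not in rec:
            continue  # not a command line, or nothing was captured for replay
        sessions.append((rec["TSID"], rec["user"], rec.get("USER", ""),
                         rec["COMMAND"], tsid_to_iolog_dir(rec["TSID"], iolog_dir)))
    return sessions


if __name__ == "__main__":
    for tsid, user, runas, cmd, path in iolog_sessions(SAMPLE_LOG):
        print(f"TSID={tsid} seq={tsid_to_seq(tsid)} {user}->{runas} {cmd!r} -> {path}")
```

The path returned for each TSID is the directory sudoreplay reads for that session, so the same function can be used to check that every TSID in the sudo log still has its I/O log on disk.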





          • Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
            – slm♦
            Jul 5 at 20:28











edited Jul 5 at 7:10

answered Jul 5 at 6:42 by slm♦










