SUDO I/O logs and TSID

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I am new to sudo and trying to understand the details of sudo session logs, specifically about TSID.



I have a few questions:



  1. What does TSID stand for?

  2. It is a 6 character sequence which forms the directory structure - 0001A1: what does each pair of 2 characters signify?

  3. Any other content related to understanding TSID would be helpful.






share|improve this question

























    up vote
    1
    down vote

    favorite












    I am new to sudo and trying to understand the details of sudo session logs, specifically about TSID.



    I have a few questions:



    1. What does TSID stand for?

    2. It is a 6 character sequence which forms the directory structure - 0001A1: what does each pair of 2 characters signify?

    3. Any other content related to understanding TSID would be helpful.






    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I am new to sudo and trying to understand the details of sudo session logs, specifically about TSID.



      I have a few questions:



      1. What does TSID stand for?

      2. It is a 6 character sequence which forms the directory structure - 0001A1: what does each pair of 2 characters signify?

      3. Any other content related to understanding TSID would be helpful.






      share|improve this question













      I am new to sudo and trying to understand the details of sudo session logs, specifically about TSID.



      I have a few questions:



      1. What does TSID stand for?

      2. It is a 6 character sequence which forms the directory structure - 0001A1: what does each pair of 2 characters signify?

      3. Any other content related to understanding TSID would be helpful.








      share|improve this question












      share|improve this question




      share|improve this question








      edited Jul 5 at 6:24









      karel

      706817




      706817









      asked Jul 5 at 2:45









      yellolion

      132




      132




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted










          Background



          TSID is described in the sudoreplay man page as follows:




          The ID should either be a six character sequence of digits and upper case letters, e.g. 0100A5, or a pattern matching the iolog_file option in the sudoers file. When a command is run via sudo with log_output enabled in the sudoers file, a TSID=ID string is logged via syslog or to the sudo log file. The ID may also be determined using sudoreplay's list mode.




          You can use sudoreplay -l to list available sessions, to replay one, you'd run a command like this: sudoreplay <tsid>.



          Sample output



          I found sample output in a AU Q&A titled: How to make sudoreplay work:



          $ sudo sudoreplay -l
          Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -

          $ sudo sudoreplay 000001


          Further research



          If you look through the sudoers man page it explains what the TSID= is:




          Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with “TSID=”. The iolog_file option may be used to control the format of the session ID.




          NOTE: A similar paragraph is mentioned on both the log_input and log_output definitions.



          If you read further through the sudoers man page you'll discover that TSID= is also called logid:



          date hostname progname: username : TTY=ttyname ; PWD=cwd ; 
          USER=runasuser ; GROUP=runasgroup ; TSID=logid ;
          ENV=env_vars COMMAND=command


          Which leads to this:




          logid -
          An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.




          Initial thoughts...



          Most of the examples I've found show TSID= as either a sequence of numbers (000001) or as a sequence of numbers and letters (000AE1). Curiously I've always seen it with specific letters, mainly A-F, which would lead me to believe that it is either just a increasing integer or hex.



          In either case it doesn't appear to be a "smart numbering system" of any consequence.



          Look to the source code



          In grep'ing through the sudo code repo there's a NEWS file that states the following:




          • The sudoers policy now stores the TSID field in the logs
            even when the "iolog_file" sudoers option is defined to a value
            other than %sessid. Previously, the TSID field was only
            included in the log file when the "iolog_file" option was set
            to its default value.



          If you're curious the source to the TSID= is located in the logging.c file.



          References



          • https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

          • https://www.freebsd.org/doc/handbook/security-sudo.html





          share|improve this answer























          • Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
            – slm♦
            Jul 5 at 20:28











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453513%2fsudo-i-o-logs-and-tsid%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote



          accepted










          Background



          TSID is described in the sudoreplay man page as follows:




          The ID should either be a six character sequence of digits and upper case letters, e.g. 0100A5, or a pattern matching the iolog_file option in the sudoers file. When a command is run via sudo with log_output enabled in the sudoers file, a TSID=ID string is logged via syslog or to the sudo log file. The ID may also be determined using sudoreplay's list mode.




          You can use sudoreplay -l to list available sessions, to replay one, you'd run a command like this: sudoreplay <tsid>.



          Sample output



          I found sample output in a AU Q&A titled: How to make sudoreplay work:



          $ sudo sudoreplay -l
          Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -

          $ sudo sudoreplay 000001


          Further research



          If you look through the sudoers man page it explains what the TSID= is:




          Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with “TSID=”. The iolog_file option may be used to control the format of the session ID.




          NOTE: A similar paragraph is mentioned on both the log_input and log_output definitions.



          If you read further through the sudoers man page you'll discover that TSID= is also called logid:



          date hostname progname: username : TTY=ttyname ; PWD=cwd ; 
          USER=runasuser ; GROUP=runasgroup ; TSID=logid ;
          ENV=env_vars COMMAND=command


          Which leads to this:




          logid -
          An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.




          Initial thoughts...



          Most of the examples I've found show TSID= as either a sequence of numbers (000001) or as a sequence of numbers and letters (000AE1). Curiously I've always seen it with specific letters, mainly A-F, which would lead me to believe that it is either just a increasing integer or hex.



          In either case it doesn't appear to be a "smart numbering system" of any consequence.



          Look to the source code



          In grep'ing through the sudo code repo there's a NEWS file that states the following:




          • The sudoers policy now stores the TSID field in the logs
            even when the "iolog_file" sudoers option is defined to a value
            other than %sessid. Previously, the TSID field was only
            included in the log file when the "iolog_file" option was set
            to its default value.



          If you're curious the source to the TSID= is located in the logging.c file.



          References



          • https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

          • https://www.freebsd.org/doc/handbook/security-sudo.html





          share|improve this answer























          • Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
            – slm♦
            Jul 5 at 20:28















          up vote
          1
          down vote



          accepted










          Background



          TSID is described in the sudoreplay man page as follows:




          The ID should either be a six character sequence of digits and upper case letters, e.g. 0100A5, or a pattern matching the iolog_file option in the sudoers file. When a command is run via sudo with log_output enabled in the sudoers file, a TSID=ID string is logged via syslog or to the sudo log file. The ID may also be determined using sudoreplay's list mode.




          You can use sudoreplay -l to list available sessions, to replay one, you'd run a command like this: sudoreplay <tsid>.



          Sample output



          I found sample output in a AU Q&A titled: How to make sudoreplay work:



          $ sudo sudoreplay -l
          Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -

          $ sudo sudoreplay 000001


          Further research



          If you look through the sudoers man page it explains what the TSID= is:




          Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with “TSID=”. The iolog_file option may be used to control the format of the session ID.




          NOTE: A similar paragraph is mentioned on both the log_input and log_output definitions.



          If you read further through the sudoers man page you'll discover that TSID= is also called logid:



          date hostname progname: username : TTY=ttyname ; PWD=cwd ; 
          USER=runasuser ; GROUP=runasgroup ; TSID=logid ;
          ENV=env_vars COMMAND=command


          Which leads to this:




          logid -
          An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.




          Initial thoughts...



          Most of the examples I've found show TSID= as either a sequence of numbers (000001) or as a sequence of numbers and letters (000AE1). Curiously I've always seen it with specific letters, mainly A-F, which would lead me to believe that it is either just a increasing integer or hex.



          In either case it doesn't appear to be a "smart numbering system" of any consequence.



          Look to the source code



          In grep'ing through the sudo code repo there's a NEWS file that states the following:




          • The sudoers policy now stores the TSID field in the logs
            even when the "iolog_file" sudoers option is defined to a value
            other than %sessid. Previously, the TSID field was only
            included in the log file when the "iolog_file" option was set
            to its default value.



          If you're curious the source to the TSID= is located in the logging.c file.



          References



          • https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

          • https://www.freebsd.org/doc/handbook/security-sudo.html





          share|improve this answer























          • Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
            – slm♦
            Jul 5 at 20:28













          up vote
          1
          down vote



          accepted







          up vote
          1
          down vote



          accepted






          Background



          TSID is described in the sudoreplay man page as follows:




          The ID should either be a six character sequence of digits and upper case letters, e.g. 0100A5, or a pattern matching the iolog_file option in the sudoers file. When a command is run via sudo with log_output enabled in the sudoers file, a TSID=ID string is logged via syslog or to the sudo log file. The ID may also be determined using sudoreplay's list mode.




          You can use sudoreplay -l to list available sessions, to replay one, you'd run a command like this: sudoreplay <tsid>.



          Sample output



          I found sample output in a AU Q&A titled: How to make sudoreplay work:



          $ sudo sudoreplay -l
          Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -

          $ sudo sudoreplay 000001


          Further research



          If you look through the sudoers man page it explains what the TSID= is:




          Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with “TSID=”. The iolog_file option may be used to control the format of the session ID.




          NOTE: A similar paragraph is mentioned on both the log_input and log_output definitions.



          If you read further through the sudoers man page you'll discover that TSID= is also called logid:



          date hostname progname: username : TTY=ttyname ; PWD=cwd ; 
          USER=runasuser ; GROUP=runasgroup ; TSID=logid ;
          ENV=env_vars COMMAND=command


          Which leads to this:




          logid -
          An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.




          Initial thoughts...



          Most of the examples I've found show TSID= as either a sequence of numbers (000001) or as a sequence of numbers and letters (000AE1). Curiously I've always seen it with specific letters, mainly A-F, which would lead me to believe that it is either just a increasing integer or hex.



          In either case it doesn't appear to be a "smart numbering system" of any consequence.



          Look to the source code



          In grep'ing through the sudo code repo there's a NEWS file that states the following:




          • The sudoers policy now stores the TSID field in the logs
            even when the "iolog_file" sudoers option is defined to a value
            other than %sessid. Previously, the TSID field was only
            included in the log file when the "iolog_file" option was set
            to its default value.



          If you're curious the source to the TSID= is located in the logging.c file.



          References



          • https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

          • https://www.freebsd.org/doc/handbook/security-sudo.html





          share|improve this answer















          Background



          TSID is described in the sudoreplay man page as follows:




          The ID should either be a six character sequence of digits and upper case letters, e.g. 0100A5, or a pattern matching the iolog_file option in the sudoers file. When a command is run via sudo with log_output enabled in the sudoers file, a TSID=ID string is logged via syslog or to the sudo log file. The ID may also be determined using sudoreplay's list mode.




          You can use sudoreplay -l to list available sessions, to replay one, you'd run a command like this: sudoreplay <tsid>.



          Sample output



          I found sample output in a AU Q&A titled: How to make sudoreplay work:



          $ sudo sudoreplay -l
          Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -

          $ sudo sudoreplay 000001


          Further research



          If you look through the sudoers man page it explains what the TSID= is:




          Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with “TSID=”. The iolog_file option may be used to control the format of the session ID.




          NOTE: A similar paragraph is mentioned on both the log_input and log_output definitions.



          If you read further through the sudoers man page you'll discover that TSID= is also called logid:



          date hostname progname: username : TTY=ttyname ; PWD=cwd ; 
          USER=runasuser ; GROUP=runasgroup ; TSID=logid ;
          ENV=env_vars COMMAND=command


          Which leads to this:




          logid -
          An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.




          Initial thoughts...



          Most of the examples I've found show TSID= as either a sequence of numbers (000001) or as a sequence of numbers and letters (000AE1). Curiously I've always seen it with specific letters, mainly A-F, which would lead me to believe that it is either just a increasing integer or hex.



          In either case it doesn't appear to be a "smart numbering system" of any consequence.



          Look to the source code



          In grep'ing through the sudo code repo there's a NEWS file that states the following:




          • The sudoers policy now stores the TSID field in the logs
            even when the "iolog_file" sudoers option is defined to a value
            other than %sessid. Previously, the TSID field was only
            included in the log file when the "iolog_file" option was set
            to its default value.



          If you're curious the source to the TSID= is located in the logging.c file.



          References



          • https://www.sudo.ws/man/1.8.13/sudoreplay.man.html

          • https://www.freebsd.org/doc/handbook/security-sudo.html






          share|improve this answer















          share|improve this answer



          share|improve this answer








          edited Jul 5 at 7:10


























          answered Jul 5 at 6:42









          slm♦

          233k65479651




          233k65479651











          • Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
            – slm♦
            Jul 5 at 20:28

















          • Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
            – slm♦
            Jul 5 at 20:28
















          Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
          – slm♦
          Jul 5 at 20:28





          Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
          – slm♦
          Jul 5 at 20:28













           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f453513%2fsudo-i-o-logs-and-tsid%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?