SUDO I/O logs and TSID
I am new to sudo and trying to understand the details of sudo session logs, specifically about TSID.
I have a few questions:
- What does TSID stand for?
- It is a 6-character sequence which forms the directory structure - 0001A1: what does each pair of 2 characters signify?
- Any other content related to understanding TSID would be helpful.
Tags: sudo, logs
edited Jul 5 at 6:24 by karel
asked Jul 5 at 2:45 by yellolion
1 Answer (accepted)
Background
TSID is described in the sudoreplay man page as follows:
The ID should either be a six character sequence of digits and upper case letters, e.g. 0100A5, or a pattern matching the iolog_file option in the sudoers file. When a command is run via sudo with log_output enabled in the sudoers file, a TSID=ID string is logged via syslog or to the sudo log file. The ID may also be determined using sudoreplay's list mode.
You can use sudoreplay -l to list available sessions; to replay one, you'd run a command like this: sudoreplay <tsid>.
Sample output
I found sample output in an AU Q&A titled: How to make sudoreplay work:
$ sudo sudoreplay -l
Nov 28 11:48:35 2014 : chrthomp : TTY=/dev/pts/1 ; CWD=/home/chrthomp/DJS/2014/Nov ; USER=root ; TSID=000001 ; COMMAND=/bin/su -
$ sudo sudoreplay 000001
Further research
If you look through the sudoers man page it explains what the TSID= is:
Input is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with "TSID=". The iolog_file option may be used to control the format of the session ID.
NOTE: A similar paragraph is mentioned on both the log_input and log_output definitions.
If you read further through the sudoers man page you'll discover that TSID= is also called logid:
date hostname progname: username : TTY=ttyname ; PWD=cwd ;
USER=runasuser ; GROUP=runasgroup ; TSID=logid ;
ENV=env_vars COMMAND=command
Which leads to this:
logid - An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.
Initial thoughts...
Most of the examples I've found show TSID= as either a sequence of numbers (000001) or as a sequence of numbers and letters (000AE1). Curiously I've always seen it with specific letters, mainly A-F, which would lead me to believe that it is either just an increasing integer or hex.
In either case it doesn't appear to be a "smart numbering system" of any consequence.
Look to the source code
In grep'ing through the sudo code repo there's a NEWS file that states the following:
- The sudoers policy now stores the TSID field in the logs
even when the "iolog_file" sudoers option is defined to a value
other than %sessid. Previously, the TSID field was only
included in the log file when the "iolog_file" option was set
to its default value.
If you're curious, the source to the TSID= is located in the logging.c file.
References
- https://www.sudo.ws/man/1.8.13/sudoreplay.man.html
- https://www.freebsd.org/doc/handbook/security-sudo.html
edited Jul 5 at 7:10
answered Jul 5 at 6:42 by slm♦ (233k)
Sure thing, hopefully it helps out. Please mark as accepted if you're all set.
– slm♦ Jul 5 at 20:28
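To make the answer concrete from a defender's side, here is an added example (not code from the question, the answer, or the sudo project) that indexes sudo log lines by TSID and maps each ID to the on-disk I/O log directory that sudoreplay reads. The log lines are constructed for this example, following the sudoers(5) line format quoted above. The two assumptions beyond what this page quotes are taken from the sudoers(5) description of the default %{seq} session ID, which the page does not reproduce: the ID is a base-36 counter, and every two characters form one directory level under iolog_dir (so 0001A1 lives at /var/log/sudo-io/00/01/A1). If a site sets iolog_file to a custom pattern, the mapping below does not apply to its IDs.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed sample lines in the sudoers(5) syslog format shown in the answer
# (date hostname progname: username : TTY=... ; PWD=... ; USER=... ; TSID=... ; COMMAND=...).
# The second line has no TSID, i.e. it was run without log_input/log_output.
SAMPLE_LOG_LINES: List[str] = [
    "Jul  5 02:45:10 host1 sudo: yellolion : TTY=pts/1 ; PWD=/home/yellolion ; USER=root ; TSID=0001A1 ; COMMAND=/bin/su -",
    "Jul  5 02:46:02 host1 sudo: yellolion : TTY=pts/1 ; PWD=/home/yellolion ; USER=root ; COMMAND=/bin/ls",
    "Jul  5 02:47:30 host1 sudo: chrthomp : TTY=pts/2 ; PWD=/tmp ; USER=root ; TSID=000001 ; COMMAND=/usr/bin/vi /etc/hosts",
]

DEFAULT_IOLOG_DIR = "/var/log/sudo-io"          # sudoers(5) default for iolog_dir
SEQ_ID_RE = re.compile(r"^[0-9A-Z]{6}$")        # six digits / upper-case letters, as sudoreplay(8) says
TSID_RE = re.compile(r"\bTSID=([0-9A-Z]{6})\b")
USER_RE = re.compile(r"sudo(?:\[\d+\])?: +(\S+) :")
COMMAND_RE = re.compile(r"COMMAND=(.*)$")


def extract_tsid(line: str) -> Optional[str]:
    """Return the TSID from a sudo log line, or None when the command was not I/O logged."""
    m = TSID_RE.search(line)
    return m.group(1) if m else None


def tsid_to_iolog_path(tsid: str, iolog_dir: str = DEFAULT_IOLOG_DIR) -> str:
    """Map a %{seq}-style session ID to its I/O log directory: 0001A1 -> <iolog_dir>/00/01/A1.

    Assumption (sudoers(5) %{seq} description): each pair of characters is one directory level.
    """
    if not SEQ_ID_RE.match(tsid):
        raise ValueError(f"not a %{{seq}}-style session ID: {tsid!r}")
    levels = [tsid[i:i + 2] for i in range(0, 6, 2)]
    return str(PurePosixPath(iolog_dir, *levels))


def tsid_to_sequence_number(tsid: str) -> int:
    """Decode the ID as the base-36 counter sudo increments per logged session (assumption, see lead-in)."""
    if not SEQ_ID_RE.match(tsid):
        raise ValueError(f"not a %{{seq}}-style session ID: {tsid!r}")
    return int(tsid, 36)


def index_sessions(lines: List[str], iolog_dir: str = DEFAULT_IOLOG_DIR) -> List[Dict[str, Optional[str]]]:
    """Build an index of sudo log lines: who ran what, and where (if anywhere) the replayable session lives.

    Entries with tsid None are commands that produced no I/O log; for a defender that is the
    coverage gap to look for when log_output is expected to be on for everyone.
    """
    index: List[Dict[str, Optional[str]]] = []
    for line in lines:
        user_m = USER_RE.search(line)
        cmd_m = COMMAND_RE.search(line)
        if not (user_m and cmd_m):
            continue  # not a sudo command line; skip it
        tsid = extract_tsid(line)
        index.append({
            "user": user_m.group(1),
            "command": cmd_m.group(1).strip(),
            "tsid": tsid,
            "iolog_path": tsid_to_iolog_path(tsid, iolog_dir) if tsid else None,
            "replay_cmd": f"sudoreplay {tsid}" if tsid else None,
        })
    return index


def unlogged_commands(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return only the index entries that have no TSID, i.e. sudo runs that cannot be replayed."""
    return [entry for entry in index_sessions(lines) if entry["tsid"] is None]


if __name__ == "__main__":
    for entry in index_sessions(SAMPLE_LOG_LINES):
        print(entry)
    print("sessions without an I/O log:", len(unlogged_commands(SAMPLE_LOG_LINES)))
```

Point the index at a real /var/log/auth.log (or wherever sudo's syslog facility lands) and at the site's iolog_dir; the iolog_path tells you which directory sudoreplay will open, and the unlogged_commands list is the quick check that log_output is actually in force for the accounts you care about.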