
Sudo 1.9.10: hiding passwords in session recordings

Session recording has been available in sudo for many years, however not many people are aware of it. Even less well-known is that you can save not just the terminal output, but also what the user types. That way you can analyze what the user is doing within a shell session. Recordings may also include user passwords, which is not always desirable. Version 1.9.10 of sudo can hide passwords in session recordings when it recognizes a password prompt in the terminal output.

From this blog you will learn how to turn on session recording in sudo, how to enable or disable hiding passwords in session recordings, and how to view the results.

Before you begin

To hide passwords in session recordings you will need at least sudo version 1.9.10 on your system. Most operating systems still use an earlier version. Compiling sudo is easy, but it is even easier to use a ready-to-use binary. Packages for many operating systems are available on the sudo website at https://www.sudo.ws/getting/packages/.

Enabling session recording

You can enable session recording in the sudoers file. Just open it using visudo, and append the following line:

Defaults log_input, log_output

This way, both input and output are recorded. You should now start a shell and change a user’s password.

czanik@czplaptop:~> sudo -s
czplaptop:/home/czanik # passwd bla
New password: 
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password: 
passwd: password updated successfully
czplaptop:/home/czanik # exit
czanik@czplaptop:~> 

You can use the sudoreplay command to list and play back recordings:

czanik@czplaptop:~> sudo sudoreplay -l
Mar  9 11:01:37 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/01 ; COMMAND=/bin/bash
Mar  9 11:03:13 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/02 ; COMMAND=/usr/bin/sudoreplay -l
czanik@czplaptop:~> sudo sudoreplay 00/00/01
Replaying sudo session: /bin/bash
czplaptop:/home/czanik # passwd bla
New password: 
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password: 
passwd: password updated successfully
czplaptop:/home/czanik # exit
czanik@czplaptop:~> 

When you play back the session, you see the exact same output as before. The input is not displayed by sudoreplay. You can check it by viewing the file contents, which are compressed. Session recordings are stored in the /var/log/sudo-io/ directory, with one sub-directory per session, named after the session identifier (the TSID shown by sudoreplay -l). In this example, the full path is /var/log/sudo-io/00/00/01, where you will find a number of files. Use the zless command to view the one named ttyin. The contents should look something like:

passwd bla^Mblabla^Mblabla^M^D

This is not easy to read and it is full of control characters (^M is the Enter key, ^D is the Ctrl-D that ended the shell), but you can still understand what is happening: the password for user bla is changed and the new password is present in the log.

Hiding passwords

You can hide passwords in input recordings by adding the following line to your sudoers file:

Defaults !log_passwords

When you disable the logging of passwords, sudo matches the terminal output against a regular expression to detect password prompts. Once a prompt is recognized, it writes a star instead of each typed character until either a character appears on screen or the user hits Enter. This also means that hiding passwords does not work for programs that echo stars or anything else to the screen while the user is typing the password: the echo ends the masking, and the rest of the password is recorded in clear.

Let’s see this in practice:

czanik@czplaptop:~> sudo -s
czplaptop:/home/czanik # passwd bla
New password: 
BAD PASSWORD: it is based on a dictionary word
Retype new password: 
passwd: password updated successfully
czplaptop:/home/czanik # exit
czanik@czplaptop:~> sudo sudoreplay -l
Mar  9 11:01:37 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/01 ; COMMAND=/bin/bash
Mar  9 11:03:13 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/02 ; COMMAND=/usr/bin/sudoreplay -l
Mar  9 11:03:36 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/03 ; COMMAND=/usr/bin/sudoreplay 00/00/01
Mar  9 11:09:15 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/04 ; COMMAND=/bin/bash
Mar  9 11:40:40 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/05 ; COMMAND=/bin/bash
Mar  9 11:41:12 2022 : czanik : HOST=czplaptop ; TTY=/dev/pts/1 ; CWD=/home/czanik ; USER=root ; TSID=00/00/06 ; COMMAND=/usr/bin/sudoreplay -l
czanik@czplaptop:~> sudo -s
czplaptop:/home/czanik # cd /var/log/sudo-io/00/00/05/
czplaptop:/var/log/sudo-io/00/00/05 # zless ttyin 

When you look at the terminal input log, you will see stars instead of the actual password:

passwd bla^M********^M********^M^D
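The masking rule described above, re-implemented as an added example in Python (this is not sudo's own code, and sudo's exact prompt-matching logic is not reproduced; the model here is "current terminal line ends with a prompt match, then mask until Enter or any further output"). It shows what lands in ttyin for a session modelled on the passwd run in this post, and why a program that echoes stars defeats the masking. The event lists are constructed; the prompt pattern is the default passprompt_regex from sudoers(5); read_ttyin assumes the default compress_io setting (gzip-compressed I/O log files).

```python
import gzip
import re

# Default prompt pattern for passprompt_regex as documented in sudoers(5).
PASSPROMPT_REGEX = r"[Pp]assword[: ]*"


def mask_ttyin(events, prompt_regex=PASSPROMPT_REGEX):
    """Return the text that would be recorded in ttyin for an interleaved
    stream of ("out", text) / ("in", text) terminal events.

    Simplified model of log_passwords=off (not sudo's code): the current
    terminal line is matched against prompt_regex anchored at its end; once
    it matches, each typed character is recorded as '*' until the user
    presses Enter or the program writes anything else to the screen.
    """
    prompt = re.compile(f"(?:{prompt_regex})$")
    current_line = ""   # terminal text since the last CR or LF
    hiding = False
    recorded = []
    for kind, text in events:
        if kind == "out":
            # Any output ends the masking; a freshly written prompt restarts it.
            current_line = re.split(r"[\r\n]", current_line + text)[-1]
            hiding = prompt.search(current_line) is not None
        elif kind == "in":
            for ch in text:
                if hiding and ch not in "\r\n":
                    recorded.append("*")
                    continue
                recorded.append(ch)
                if ch in "\r\n":
                    hiding = False   # Enter ends the masked run
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return "".join(recorded)


def to_caret(text):
    """Render control characters the way zless shows them (^M, ^D, ...)."""
    return "".join("^" + chr(ord(c) + 64) if ord(c) < 32 else c for c in text)


def read_ttyin(path):
    """Read a ttyin file from an I/O log directory.

    Assumes sudo's default compress_io setting (gzip); falls back to a plain
    read for uncompressed logs.
    """
    try:
        with gzip.open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")


# Constructed events modelled on the passwd session shown in this post.
PASSWD_SESSION = [
    ("out", "czplaptop:/home/czanik # "),
    ("in", "passwd bla\r"),
    ("out", "passwd bla\r\nNew password: "),
    ("in", "blabla\r"),
    ("out", "\r\nBAD PASSWORD: it is based on a dictionary word\r\nRetype new password: "),
    ("in", "blabla\r"),
    ("out", "\r\npasswd: password updated successfully\r\nczplaptop:/home/czanik # "),
    ("in", "\x04"),
]

# Constructed events for a hypothetical program that echoes a '*' per
# typed character: the first echo ends the masking and the rest leaks.
ECHOING_PROMPT = [
    ("out", "Password: "),
    ("in", "h"), ("out", "*"),
    ("in", "u"), ("out", "*"),
    ("in", "n"), ("out", "*"),
    ("in", "t"), ("out", "*"),
    ("in", "\r"),
]

if __name__ == "__main__":
    print("passwd session :", to_caret(mask_ttyin(PASSWD_SESSION)))
    print("echoing prompt :", to_caret(mask_ttyin(ECHOING_PROMPT)))
    print("masking off    :", to_caret(mask_ttyin(PASSWD_SESSION, r"(?!x)x")))
```

For the passwd session the result is the same shape as the ttyin shown above, one star per typed character. For the echoing prompt only the first character is masked, which is the failure mode the post warns about: if your environment has prompts like that, a custom passprompt_regex will not help, because the echo itself ends the masked run.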

What is next?

Once you disable password logging, sudo recognizes most password prompts on the terminal. You can change what sudo looks for with the passprompt_regex setting in the sudoers file. The configurations in this blog show how to record sessions locally. If you have more than one host, it is better to collect session recordings centrally: https://www.sudo.ws/posts/2021/06/new-in-1.9.7-using-sudo_logsrvd-in-relay-mode/. Password hiding is performed where the logs are stored, so when using sudo_logsrvd you need to set log_passwords and passprompt_regex in sudo_logsrvd.conf instead.

If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.