The sudo command is one of the most powerful and commonly used tools
on Unix-like systems. It allows a permitted user to execute commands as
another user---typically the root user. But not all sudo usage is
equal: flags change its behavior, and logs record what users do for
auditing and security purposes.

This post explains:

  • Common and important sudo flags
  • How standard sudo logs work
  • What sudo I/O logs (iologs) are and what they capture
  • Practical considerations for automation and security

1. Key sudo Flags Explained

Here are the most useful and commonly seen sudo flags, especially in
automation and security-sensitive environments.

-H --- Set HOME for the target user

This flag resets the HOME environment variable to the target user's
home directory (usually /root).
Useful when running scripts that read/write files in $HOME.

-S --- Read the password from stdin

This instructs sudo to read the password from standard input instead
of a terminal prompt.

Example:

echo "mypassword" | sudo -S systemctl restart nginx

Not commonly used in automation unless necessary, because it mixes
secrets into process pipelines.

-n --- Non-interactive (fail instead of prompting)

Prevents sudo from asking for a password.
If authentication is required and no cached credential exists, sudo
fails immediately.

Great for automation systems like Ansible, CI/CD, cron jobs, and remote
orchestration.

-u <user> --- Run as a specific user

Run a command as a different user:

sudo -u postgres psql

-s --- Run a shell as the target user

Starts a login shell without clearing environment variables.

-i --- Run a login shell as the target user

Simulates a full login (environment, PATH, HOME).


2. Standard sudo Logging

By default, sudo logs activity to syslog (or /var/log/auth.log
depending on the system).

Example log entry:

Jan 30 12:34:12 server sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx

This captures:

  • Username
  • TTY
  • Working directory
  • Target user
  • Command executed

But it does not record:

  • Keystrokes
  • Command output
  • What happened inside interactive programs

For many organizations, this is not enough for compliance or thorough
auditing.
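The entry format above is regular enough to parse, and the blind spot it leaves is easy to surface: when the logged COMMAND is itself a shell (sudo -s, sudo -i, sudo su -), the standard log stops there and only an iolog can show what was typed next. The following is an added example, not code from the original post; it parses constructed syslog lines in that format, separates denied attempts from executed commands, and flags the shell escapes a reviewer should follow up in the iolog.

```python
import os
import re

# One syslog entry written by sudo, in the shape of the example entry above:
#   "<ts> <host> sudo[pid]: <user> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_LINE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ sudo(?:\[\d+\])?: +"
                       r"(?P<user>\S+) : (?P<fields>.*?) ; COMMAND=(?P<cmd>.*)$")
# Commands that open an interactive shell (sudo -s, sudo -i, sudo su -): after
# this line the standard log is blind, only the iolog holds what was typed.
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh"}

def parse_sudo_line(line):
    """Return the entry's fields as a dict, or None for lines sudo did not write."""
    m = SUDO_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = {"user": m["user"], "COMMAND": m["cmd"], "denied": None}
    for part in m["fields"].split(" ; "):
        key, eq, value = part.partition("=")
        if eq:
            ev[key] = value          # TTY, PWD, USER, possibly ENV
        else:
            ev["denied"] = part      # e.g. "command not allowed": the command never ran
    return ev

def spawns_shell(ev):
    """True when the logged command is itself a shell (first word is the program path)."""
    return os.path.basename(ev["COMMAND"].split()[0]) in SHELLS

def triage(log_text):
    """Classify each sudo entry as 'ok', 'shell (check iolog)' or 'denied: <reason>'."""
    results = []
    for ev in filter(None, map(parse_sudo_line, log_text.splitlines())):
        if ev["denied"]:
            verdict = "denied: " + ev["denied"]
        elif spawns_shell(ev):
            verdict = "shell (check iolog)"
        else:
            verdict = "ok"
        results.append((ev["user"], ev.get("USER", "?"), ev["COMMAND"], verdict))
    return results

# Constructed sample: the entry from the post, a shell escape, a denied attempt, an unrelated line.
SAMPLE_LOG = """\
Jan 30 12:34:12 server sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 30 12:35:01 server sudo[2231]: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Jan 30 12:36:40 server sudo[2250]: carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/bash
Jan 30 12:37:00 server sshd[2260]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""
```

Running triage(SAMPLE_LOG) yields one row per sudo entry; the sshd line is skipped because sudo did not write it.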


3. Sudo I/O Logging (iolog)

To capture everything that happens inside a sudo session, sudo
offers an I/O logging feature ("iolog").

This includes:

What _is captured_:

  • Keystrokes
  • Backspaces and corrections
  • Commands typed inside sudo su - shells
  • Output printed to the terminal
  • Screen updates (vim, top, htop, less, etc.)
  • Timestamps and delays between keystrokes
  • Raw terminal interactions

What is _not captured_:

  • The sudo password (authentication happens before logging)

Iolog Directory

By default:

/var/log/sudo-io/

Each sudo session gets its own subdirectory containing:

  • log --- metadata
  • ttyin --- user input (keystrokes)
  • ttyout --- screen output
  • stdout/stderr --- raw output streams
  • timing --- exact timing info for replay
  • command --- the target command

4. Replaying sudo Sessions with sudoreplay

Use sudoreplay to recreate the terminal session:

sudo sudoreplay <session-id>

It uses the timing file to:

  • Reproduce exact pauses
  • Imitate real typing speed
  • Replay visual terminal updates

This makes it a forensic-grade tool---like having a video recording
of the terminal.


5. Disk Usage Considerations

Sudo iologs can consume significant disk space depending on workload:

  • Light commands: KB--MB
  • Log-heavy tools: tens to hundreds of MB
  • Full-screen TUIs (htop, vim, less): hundreds of MB to multiple GB
  • Long-running interactive sessions: GBs

To prevent disk exhaustion:

  • Use iolog_dir on a large partition
  • Set up log rotation or retention policies
  • Compress old logs

Example cleanup with tmpfiles.d:

X /var/log/sudo-io - - - 30d

6. Final Thoughts

sudo is more than a privilege escalation tool---it is also the front
line of security auditing. Flags like -H, -n, and -u help automate
privileged actions safely. Meanwhile, iologs offer deep forensic insight
into interactive sessions, which is essential in environments where
accountability, compliance, and traceability are required.

Understanding these features helps you build secure, maintainable, and
transparent systems.
