1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
#
# sudo logsrv daemon configuration
#
[server]
# The host name or IP address and port to listen on with an optional TLS
# flag. If no port is specified, port 30343 will be used for plaintext
# connections and port 30344 will be used to TLS connections.
# The following forms are accepted:
# listen_address = hostname(tls)
# listen_address = hostname:port(tls)
# listen_address = IPv4_address(tls)
# listen_address = IPv4_address:port(tls)
# listen_address = [IPv6_address](tls)
# listen_address = [IPv6_address]:port(tls)
#
# The (tls) suffix should be omitted for plaintext connections.
#
# Multiple listen_address settings may be specified.
# The default is to listen on all addresses.
listen_address = *:30343
#listen_address = *:30344(tls)
# The file containing the ID of the running sudo_logsrvd process.
pid_file = /var/run/sudo/sudo_logsrvd.pid
# Where to log server warnings: none, stderr, syslog, or a path name.
server_log = syslog
# If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the client to
# respond. A value of 0 will disable the timeout. The default value is 30.
timeout = 30
# If true, the server will validate its own certificate at startup.
# Defaults to true.
#tls_verify = true
# If true, client certificates will be validated by the server;
# clients without a valid certificate will be unable to connect.
# By default, client certs are not checked.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
#tls_cacert = regress/logsrvd_conf/cacert.pem
# Path to the server's certificate file in PEM format.
# Required for TLS connections.
#tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# Required for TLS connections.
#tls_key = regress/logsrvd_conf/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# This setting is only effective if the negotiated protocol is TLS version
# 1.2. The default cipher list is HIGH:!aNULL.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default cipher list is TLS_AES_256_GCM_SHA384.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# If not set, the server will use the OpenSSL defaults.
#tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
[relay]
# The host name or IP address and port to send logs to in relay mode.
# The syntax is identical to listen_address with the exception of
# the wild card ('*') syntax. When this setting is enabled, logs will
# be relayed to the specified host instead of being stored locally.
# This setting is not enabled by default.
#relay_host = relayhost.dom.ain
relay_host = 127.0.0.1
# The amount of time, in seconds, the server will wait for a connection
# to the relay server to complete. A value of 0 will disable the timeout.
# The default value is 30.
connect_timeout = 30
# The directory to store messages in before they are sent to the relay.
# Messages are stored in wire format.
# The default value is /var/log/sudo_logsrvd.
relay_dir = /var/log/sudo_logsrvd
# The number of seconds to wait after a connection error before
# making a new attempt to forward a message to a relay host.
# The default value is 30.
retry_interval = 30
# Whether to store the log before relaying it. If true, enable store
# and forward mode. If false, the client connection is immediately
# relayed. Defaults to false.
store_first = true
# If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the relay to
# respond. A value of 0 will disable the timeout. The default value is 30.
timeout = 30
# If true, the server's relay certificate will be verified at startup.
# The default is to use the value in the [server] section.
#tls_verify = true
# Whether to verify the relay's certificate for TLS connections.
# The default is to use the value in the [server] section.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
# The default is to use the value in the [server] section.
#tls_cacert = regress/logsrvd_conf/cacert.pem
# Path to the server's certificate file in PEM format.
# The default is to use the certificate in the [server] section.
#tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# The default is to use the key in the [server] section.
#tls_key = regress/logsrvd_conf/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# this setting is only effective if the negotiated protocol is TLS version
# 1.2. The default is to use the value in the [server] section.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default is to use the value in the [server] section.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# The default is to use the value in the [server] section.
#tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
[iolog]
# The top-level directory to use when constructing the path name for the
# I/O log directory. The session sequence number, if any, is stored here.
iolog_dir = /var/log/sudo-io
# The path name, relative to iolog_dir, in which to store I/O logs.
# It is possible for iolog_file to contain directory components.
iolog_file = %{seq}
# If set, I/O logs will be compressed using zlib. Enabling compression can
# make it harder to view the logs in real-time as the program is executing.
iolog_compress = false
# If set, I/O log data is flushed to disk after each write instead of
# buffering it. This makes it possible to view the logs in real-time
# as the program is executing but reduces the effectiveness of compression.
iolog_flush = true
# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used. If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel
# The user to use when setting the user-ID and group-ID of new I/O
# log files and directories. If iolog_group is set, it will be used
# instead of the user's primary group-ID. By default, I/O log files
# and directories are created with user and group-ID 0.
#iolog_user = root
# The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are
# not present in the specified mode. When creating I/O log directories,
# search (execute) bits are added to match the read and write bits
# specified by iolog_mode.
iolog_mode = 0600
# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
# password in the terminal input using passprompt_regex.
log_passwords = true
# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence
# number "ZZZZZZ") will be silently truncated to 2176782336.
maxseq = 2176782336
# One or more POSIX extended regular expressions used to match
# password prompts in the terminal output when log_passwords is
# disabled. Multiple passprompt_regex settings may be specified.
#passprompt_regex = [Pp]assword[: ]*
passprompt_regex = [Pp]assword for [a-z0-9]+: *
[eventlog]
# Where to log accept, reject, exit, and alert events.
# Accepted values are syslog, logfile, or none.
# Defaults to syslog
log_type = syslog
# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
log_exit = true
# Event log format.
# Supported log formats are "sudo" and "json"
# Defaults to sudo
log_format = sudo
[syslog]
# The maximum length of a syslog payload.
# On many systems, syslog(3) has a relatively small log buffer.
# IETF RFC 5424 states that syslog servers must support messages
# of at least 480 bytes and should support messages up to 2048 bytes.
# Messages larger than this value will be split into multiple messages.
maxlen = 960
# The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3,
# local4, local5, local6, and local7.
#facility = authpriv
facility = auth
# Syslog priority to use for event log accept messages, when the command
# is allowed by the security policy. The following syslog priorities are
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
accept_priority = notice
# Syslog priority to use for event log reject messages, when the command
# is not allowed by the security policy.
reject_priority = alert
# Syslog priority to use for event log alert messages reported by the
# client.
alert_priority = alert
# The syslog facility to use for server warning messages.
# Defaults to daemon.
server_facility = daemon
[logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
path = /var/log/sudo.log
# The format string used when formatting the date and time for
# file-based event logs. Formatting is performed via strftime(3) so
# any format string supported by that function is allowed.
time_format = %h %e %T
|