| SUDO_LOGSRVD.CONF(5) | File Formats Manual | SUDO_LOGSRVD.CONF(5) |
sudo_logsrvd.conf —
configuration for sudo_logsrvd
The sudo_logsrvd.conf file is used to
configure the sudo_logsrvd log server. It uses an
INI-style format made up of sections in square brackets and “key =
value” pairs specific to each section below the section name.
Depending on the key, values may be integers, booleans, or strings. Section
and key names are not case sensitive, but values are.
The pound sign (‘#’) is used
to indicate a comment. Both the comment character and any text after it, up
to the end of the line, are ignored. Lines beginning with a semi-colon
(‘;’) are also ignored.
Long lines can be continued with a backslash
(‘\’) as the last character on the
line. Leading white space is removed from the beginning of lines even when
the continuation character is used.
The EXAMPLES section contains a
copy of the default sudo_logsrvd.conf file.
The following configuration sections are recognized:
Each section is described in detail below.
The server section configures the address and port the server will listen on. The following keys are recognized:
The host may be a host name, an IPv4 address, an IPv6 address
in square brackets or the wild card entry
‘*’. A host setting of
‘*’ will cause
sudo_logsrvd to listen on all configured network
interfaces.
If the optional tls flag is present,
sudo_logsrvd will secure the connection with TLS
version 1.2 or 1.3. Versions of TLS prior to 1.2 are not supported. See
sudo_logsrvd(8) for details on generating TLS keys and
certificates.
If a port is specified, it may either be a port number or a known service name as defined by the system service name database. If no port is specified, port 30343 will be used for plaintext connections and port 30344 will be used for TLS connections.
The default value is:
listen_address = *:30343 listen_address = *:30344(tls)
/’ character. A value of
stderr is only effective when used in conjunction with
the -n option. The default value is
syslog.sudo_logsrvd. If set to an empty value, or if
sudo_logsrvd is run with the
-n option, no pid_file will be
created. If pid_file refers to a symbolic link, it will
be ignored. The default value is
/run/sudo/sudo_logsrvd.pid.sudo_logsrvd will enable the TCP
keepalive socket option on the client connection. This enables the
periodic transmission of keepalive messages to the client. If the client
does not respond to a message in time, the connection will be closed.
Defaults to true.sudo_logsrvd will
wait for the client to respond. A value of 0 will disable the timeout. The
default value is 30.sudo_logsrvd; clients without a valid certificate
will be unable to connect. If false, no validation of client certificates
will be performed. It true and client certificates are created using a
private certificate authority, the tls_cacert setting
must be set to a CA bundle that contains the CA certificate used to
generate the client certificate. The default value is
false.:’. See the
CIPHER LIST FORMAT section in
openssl-ciphers(1) for full details. The default value
is “HIGH:!aNULL” which consists of encryption cipher suites
with key lengths larger than 128 bits, and some cipher suites with 128-bit
keys. Cipher suites that offer no authentication are excluded.:’. Supported
cipher suites depend on the version of OpenSSL used, but should include
the following:
The default cipher suite is “TLS_AES_256_GCM_SHA384”.
openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
By default, sudo_logsrvd will use the
OpenSSL defaults for Diffie-Hellman key generation.
sudo_logsrvd will validate its own
certificate at startup time or when the configuration is changed. If
false, no verification is performed of the server certificate. When using
self-signed certificates without a certificate authority, this setting
should be set to false. The default value is true.The relay section configures the optional logsrv relay host and port the server will connect to. The TLS configuration keys are optional, by default the corresponding keys in the server section will be used. They are only present in this section to make it possible for the relay connection to use a different set of TLS parameters from the client-facing server. The following keys are recognized:
sudo_logsrvd will
wait for the connection to a relay_host (see below) to
complete. Once the connection is complete, the
timeout setting
controls the amount of time sudo_logsrvd will wait
for the relay to respond. A value of 0 will disable the timeout. The
default value is 30.*’ syntax is not
supported.
When this setting is enabled, messages from the client will be
forwarded to one of the specified relay hosts instead of being stored
locally. The host could be running an instance of
sudo_logsrvd or another server that supports the
sudo_logsrv.proto(5) protocol.
If multiple relay_host lines are specified, the first available relay host will be used.
sudo_logsrvd will store logs locally
before relaying them. Once the log is complete, a connection to the relay
host is opened and the log is relayed. If the network connection is
interrupted before the log can be fully transferred, it will be
retransmitted later. The default is to relay logs in real-time.sudo_logsrvd will enable the TCP
keepalive socket option on the relay connection. This enables the periodic
transmission of keepalive messages to the relay server. If the relay does
not respond to a message in time, the connection will be closed.sudo_logsrvd will
wait for the relay server to respond after a connection has succeeded. A
value of 0 will disable the timeout. The default value is
30.sudo_logsrvd; connections to a relay without a
valid certificate will fail. If false, no validation of relay certificates
will be performed. It true and relay certificates are created using a
private certificate authority, the tls_cacert setting
must be set to a CA bundle that contains the CA certificate used to
generate the relay certificate. The default is to use the value specified
in the server section.:’. See the
CIPHER LIST FORMAT section in
openssl-ciphers(1) for full details. The default is to
use the value specified in the server
section.:’. Supported
cipher suites depend on the version of OpenSSL used, see the
server section for more information. The
default is to use the value specified in the
server section.The iolog section configures I/O log parameters. These settings are identical to the I/O configuration in sudoers(5). The following keys are recognized:
The following percent
(‘%’) escape sequences are
supported:
In addition, any escape sequences supported by the system's strftime(3) function will be expanded.
To include a literal ‘%’
character, the string ‘%%’ should
be used.
See the iolog_dir setting above for a list
of supported percent (‘%’) escape
sequences.
In addition to the escape sequences, path names that end in six or more Xs will have the Xs replaced with a unique combination of digits and letters, similar to the mktemp(3) function.
If the path created by concatenating iolog_dir and iolog_file already exists, the existing I/O log file will be truncated and overwritten unless iolog_file ends in six or more Xs.
sudo_logsrvd will
attempt to prevent passwords from being logged. It does this by using the
regular expressions in passprompt_regex to match a
password prompt in the terminal output buffer. When a match is found,
input characters in the I/O log will be replaced with
‘*’ until either a line feed or
carriage return is found in the terminal input or a new terminal output
buffer is received. If, however, a program displays characters as the user
types them (such as sudo when the
pwfeedback
option is set), only the first character of the password will be replaced
in the I/O log. The default value is true.The eventlog section configures how (and if) security policy events are logged.
sudo_logsrvd will log an event when a
command exits or is terminated by a signal. Defaults to
false.The syslog section configures how events are logged via syslog(3).
The following syslog facilities are supported: authpriv (if your OS supports it), auth, daemon, user, local0, local1, local2, local3, local4, local5, local6, and local7.
The following syslog priorities are supported: alert, crit, debug, emerg, err, info, notice, warning, and none. Setting it to a value of none will disable logging of successful commands.
See accept_priority for the list of supported syslog priorities.
See accept_priority for the list of supported syslog priorities.
sudo_logsrvd creates log messages up to
960 bytes which corresponds to the historic BSD
syslog implementation which used a 1024 byte buffer to store the message,
date, hostname, and program name.
To prevent syslog messages from being truncated,
sudo_logsrvd will split up sudo-style log
messages that are larger than maxlen bytes. When a
message is split, additional parts will include the string
“(command continued)” after the user name and before the
continued command line arguments. JSON-format log entries are never
split and are not affected by maxlen.
The logfile section consists of settings related to logging to a plain file (not syslog).
C’ locale.#
# sudo logsrv daemon configuration
#
[server]
# The host name or IP address and port to listen on with an optional TLS
# flag. If no port is specified, port 30343 will be used for plaintext
# connections and port 30344 will be used to TLS connections.
# The following forms are accepted:
# listen_address = hostname(tls)
# listen_address = hostname:port(tls)
# listen_address = IPv4_address(tls)
# listen_address = IPv4_address:port(tls)
# listen_address = [IPv6_address](tls)
# listen_address = [IPv6_address]:port(tls)
#
# The (tls) suffix should be omitted for plaintext connections.
#
# Multiple listen_address settings may be specified.
# The default is to listen on all addresses.
#listen_address = *:30343
#listen_address = *:30344(tls)
# The file containing the ID of the running sudo_logsrvd process.
#pid_file = /run/sudo/sudo_logsrvd.pid
# Where to log server warnings: none, stderr, syslog, or a path name.
#server_log = syslog
# If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
#tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the client to
# respond. A value of 0 will disable the timeout. The default value is 30.
#timeout = 30
# If true, the server will validate its own certificate at startup.
# Defaults to true.
#tls_verify = true
# If true, client certificates will be validated by the server;
# clients without a valid certificate will be unable to connect.
# By default, client certs are not checked.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
#tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
# Required for TLS connections.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# Required for TLS connections.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# This setting is only effective if the negotiated protocol is TLS version
# 1.2. The default cipher list is HIGH:!aNULL.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default cipher list is TLS_AES_256_GCM_SHA384.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# If not set, the server will use the OpenSSL defaults.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
[relay]
# The host name or IP address and port to send logs to in relay mode.
# The syntax is identical to listen_address with the exception of
# the wild card ('*') syntax. When this setting is enabled, logs will
# be relayed to the specified host instead of being stored locally.
# This setting is not enabled by default.
#relay_host = relayhost.dom.ain
#relay_host = relayhost.dom.ain(tls)
# The amount of time, in seconds, the server will wait for a connection
# to the relay server to complete. A value of 0 will disable the timeout.
# The default value is 30.
#connect_timeout = 30
# The directory to store messages in before they are sent to the relay.
# Messages are stored in wire format.
# The default value is /var/log/sudo_logsrvd.
#relay_dir = /var/log/sudo_logsrvd
# The number of seconds to wait after a connection error before
# making a new attempt to forward a message to a relay host.
# The default value is 30.
#retry_interval = 30
# Whether to store the log before relaying it. If true, enable store
# and forward mode. If false, the client connection is immediately
# relayed. Defaults to false.
#store_first = true
# If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
#tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the relay to
# respond. A value of 0 will disable the timeout. The default value is 30.
#timeout = 30
# If true, the server's relay certificate will be verified at startup.
# The default is to use the value in the [server] section.
#tls_verify = true
# Whether to verify the relay's certificate for TLS connections.
# The default is to use the value in the [server] section.
#tls_checkpeer = false
# Path to a certificate authority bundle file in PEM format to use
# instead of the system's default certificate authority database.
# The default is to use the value in the [server] section.
#tls_cacert = /etc/ssl/sudo/cacert.pem
# Path to the server's certificate file in PEM format.
# The default is to use the certificate in the [server] section.
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
# Path to the server's private key file in PEM format.
# The default is to use the key in the [server] section.
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
# this setting is only effective if the negotiated protocol is TLS version
# 1.2. The default is to use the value in the [server] section.
#tls_ciphers_v12 = HIGH:!aNULL
# TLS cipher list if the negotiated protocol is TLS version 1.3.
# The default is to use the value in the [server] section.
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
# Path to the Diffie-Hellman parameter file in PEM format.
# The default is to use the value in the [server] section.
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
[iolog]
# The top-level directory to use when constructing the path name for the
# I/O log directory. The session sequence number, if any, is stored here.
#iolog_dir = /var/log/sudo-io
# The path name, relative to iolog_dir, in which to store I/O logs.
# It is possible for iolog_file to contain directory components.
#iolog_file = %{seq}
# If set, I/O logs will be compressed using zlib. Enabling compression can
# make it harder to view the logs in real-time as the program is executing.
#iolog_compress = false
# If set, I/O log data is flushed to disk after each write instead of
# buffering it. This makes it possible to view the logs in real-time
# as the program is executing but reduces the effectiveness of compression.
#iolog_flush = true
# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used. If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel
# The user to use when setting the user-ID and group-ID of new I/O
# log files and directories. If iolog_group is set, it will be used
# instead of the user's primary group-ID. By default, I/O log files
# and directories are created with user and group-ID 0.
#iolog_user = root
# The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are
# not present in the specified mode. When creating I/O log directories,
# search (execute) bits are added to match the read and write bits
# specified by iolog_mode.
#iolog_mode = 0600
# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
# password in the terminal input using passprompt_regex.
#log_passwords = true
# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence
# number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336
# One or more POSIX extended regular expressions used to match
# password prompts in the terminal output when log_passwords is
# disabled. Multiple passprompt_regex settings may be specified.
#passprompt_regex = [Pp]assword[: ]*
#passprompt_regex = [Pp]assword for [a-z0-9]+: *
[eventlog]
# Where to log accept, reject, exit, and alert events.
# Accepted values are syslog, logfile, or none.
# Defaults to syslog
#log_type = syslog
# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
#log_exit = true
# Event log format.
# Currently only sudo-style event logs are supported.
#log_format = sudo
[syslog]
# The maximum length of a syslog payload.
# On many systems, syslog(3) has a relatively small log buffer.
# IETF RFC 5424 states that syslog servers must support messages
# of at least 480 bytes and should support messages up to 2048 bytes.
# Messages larger than this value will be split into multiple messages.
#maxlen = 960
# The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3,
# local4, local5, local6, and local7.
#facility = authpriv
# Syslog priority to use for event log accept messages, when the command
# is allowed by the security policy. The following syslog priorities are
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
#accept_priority = notice
# Syslog priority to use for event log reject messages, when the command
# is not allowed by the security policy.
#reject_priority = alert
# Syslog priority to use for event log alert messages reported by the
# client.
#alert_priority = alert
# The syslog facility to use for server warning messages.
# Defaults to daemon.
#server_facility = daemon
[logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = /var/log/sudo.log
# The format string used when formatting the date and time for
# file-based event logs. Formatting is performed via strftime(3) so
# any format string supported by that function is allowed.
#time_format = %h %e %T
strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudo_logsrvd(8)
Many people have worked on sudo over the
years; this version consists of code written primarily by:
See the CONTRIBUTORS.md file in the sudo
distribution (https://www.sudo.ws/about/contributors/) for an exhaustive
list of people who have contributed to sudo.
If you believe you have found a bug in
sudo, you can submit a bug report at
https://bugzilla.sudo.ws/
Limited free support is available via the sudo-users mailing list, see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives.
sudo is provided “AS IS” and
any express or implied warranties, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose
are disclaimed. See the LICENSE.md file distributed with
sudo or https://www.sudo.ws/about/license/ for
complete details.
| January 16, 2023 | Sudo 1.9.13p3 |