1SUDO_LOGSRVD.CONF(5) BSD File Formats Manual SUDO_LOGSRVD.CONF(5)
2
4 sudo_logsrvd.conf — configuration for sudo_logsrvd
5
7 The sudo_logsrvd.conf file is used to configure the sudo_logsrvd log
8 server. It uses an INI-style format made up of sections in square brack‐
9 ets and “key = value” pairs specific to each section below the section
10 name. Depending on the key, values may be integers, booleans or strings.
11 Section and key names are not case sensitive, but values are.
12 The pound sign (‘#’) is used to indicate a comment. Both the comment
14 character and any text after it, up to the end of the line, are ignored.
15 Lines beginning with a semi-colon (‘;’) are also ignored.
16 Long lines can be continued with a backslash (‘\’) as the last character
18 on the line. Note that leading white space is removed from the beginning
19 of lines even when the continuation character is used.
20 The EXAMPLES section contains a copy of the default sudo_logsrvd.conf
22 file.
23 The following configuration sections are recognized:
25 · server
27 · iolog
28 · eventlog
29 · syslog
30 · logfile
31 Each section is described in detail below.
33 server
35 The server section configures the address and port the server will listen
36 on. The following keys are recognized:
37 listen_address = host[:port]
39 The host name or IP address and optional port to listen on. If
40 no port is specified, port 30344 will be used. The host may be
41 a host name, an IPv4 address, an IPv6 address in square brack‐
42 ets or the wild card entry ‘*’. A host setting of ‘*’ will
43 cause sudo_logsrvd to listen on all configured network inter‐
44 faces.
45 If a port is specified, it may either be a port number or a
47 known service name as defined by the system service name data‐
48 base. The default value is listen_address = *:30344 which will
49 listen on all configured network interfaces. Multiple
50 listen_address lines may be specified to listen on more than
51 one interface.
52 tcp_keepalive = boolean
54 If true, sudo_logsrvd will enable the TCP keepalive socket
55 option on the client connection. This enables the periodic
56 transmission of keepalive messages to the client. If the
57 client does not respond to a message, the connection will be
58 closed.
59 timeout = number
61 The amount of time, in seconds, sudo_logsrvd will wait for the
62 client to respond. A value of 0 will disable the timeout. The
63 default value is 30.
64 tls = boolean
66 If true, sudo_logsrvd will secure network connections with
67 Transport Layer Security (TLS) version 1.2 or 1.3. Versions of
68 TLS prior to 1.2 are not supported. The tls_cert and tls_key
69 settings are also required when TLS is enabled. The default
70 value is false.
71 tls_cacert = path
73 The path to a certificate authority bundle file, in PEM format,
74 to use instead of the system's default certificate authority
75 database when authenticating clients. The default is to use
76 the system's default certificate authority database.
77 tls_cert = path
79 The path to the server's certificate file, in PEM format. This
80 setting is required when TLS is enabled.
81 tls_checkpeer = bool
83 If true, client certificates will be validated by the server;
84 clients without a valid certificate will be unable to connect.
85 If false, no validation of client certificates will be per‐
86 formed. It true and client certificates are created using a
87 private certificate authority, the tls_cacert setting must be
88 set to a CA bundle that contains the CA certificate used to
89 generate the client certificate. The default value is false.
90 tls_ciphers_v12 = string
92 A list of ciphers to use for connections secured by TLS version
93 1.2 only, separated by a colon ‘:’. See the CIPHER LIST FORMAT
94 section in openssl-ciphers(1) for full details. The default
95 value is HIGH:!aNULL which consists of encryption cipher suites
96 with key lengths larger than 128 bits, and some cipher suites
97 with 128-bit keys. Cipher suites that offer no authentication
98 are excluded.
99 tls_ciphers_v13 = string
101 A list of ciphers to use for connections secured by TLS version
102 1.3 only, separated by a colon ‘:’. Supported cipher suites
103 depend on the version of OpenSSL used, but should include the
104 following:
105 TLS_AES_128_GCM_SHA256
107 TLS_AES_256_GCM_SHA384
108 TLS_CHACHA20_POLY1305_SHA256
109 TLS_AES_128_CCM_SHA256
110 TLS_AES_128_CCM_8_SHA256
111 The default cipher suite is TLS_AES_256_GCM_SHA384.
113 tls_dhparams = path
115 The path to a file containing custom Diffie-Hellman parameters
116 in PEM format. This file can be created with the following
117 command:
118 openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
120 By default, sudo_logsrvd will use the OpenSSL defaults for
122 Diffie-Hellman key generation.
123 tls_key = path
125 The path to the server's private key file, in PEM format. This
126 setting is required when TLS is enabled.
127 tls_verify = bool
129 If true, the server certificate will be verified at startup and
130 clients will authenticate the server by verifying its certifi‐
131 cate and identity. If false, no verification is performed of
132 the server certificate by the server or the client. When using
133 self-signed certificates without a certificate authority, this
134 setting should be set to false. The default value is true.
135 iolog
137 The iolog section configures I/O log parameters. These settings are
138 identical to the I/O configuration in sudoers(5). The following keys are
139 recognized:
140 iolog_compress = boolean
142 If set, I/O logs will be compressed using zlib. Enabling com‐
143 pression can make it harder to view the logs in real-time as
144 the program is executing due to buffering. The default value
145 is false.
146 iolog_dir = path
148 The top-level directory to use when constructing the path name
149 for the I/O log directory. The session sequence number, if
150 any, is stored in the directory. The default value is
151 /var/log/sudo-io.
152 The following percent (‘%’) escape sequences are supported:
154 %{seq}
156 expanded to a monotonically increasing base-36 sequence
157 number, such as 0100A5, where every two digits are used
158 to form a new directory, e.g., 01/00/A5
159 %{user}
161 expanded to the invoking user's login name
162 %{group}
164 expanded to the name of the invoking user's real group-ID
165 %{runas_user}
167 expanded to the login name of the user the command will
168 be run as (e.g., root)
169 %{runas_group}
171 expanded to the group name of the user the command will
172 be run as (e.g., wheel)
173 %{hostname}
175 expanded to the local host name without the domain name
176 %{command}
178 expanded to the base name of the command being run
179 In addition, any escape sequences supported by the system's
181 strftime(3) function will be expanded.
182 To include a literal ‘%’ character, the string ‘%%’ should be
184 used.
185 iolog_file = path
187 The path name, relative to iolog_dir, in which to store I/O
188 logs. Note that iolog_file may contain directory components.
189 The default value is %{seq}.
190 See the iolog_dir setting above for a list of supported percent
192 (‘%’) escape sequences.
193 In addition to the escape sequences, path names that end in six
195 or more Xs will have the Xs replaced with a unique combination
196 of digits and letters, similar to the mktemp(3) function.
197 If the path created by concatenating iolog_dir and iolog_file
199 already exists, the existing I/O log file will be truncated and
200 overwritten unless iolog_file ends in six or more Xs.
201 iolog_flush = boolean
203 If set, I/O log data is flushed to disk after each write
204 instead of buffering it. This makes it possible to view the
205 logs in real-time as the program is executing but may signifi‐
206 cantly reduce the effectiveness of I/O log compression. The
207 default value is true.
208 iolog_group = name
210 The group name to look up when setting the group-ID on new I/O
211 log files and directories. If iolog_group is not set, the pri‐
212 mary group-ID of the user specified by iolog_user is used. If
213 neither iolog_group nor iolog_user are set, I/O log files and
214 directories are created with group-ID 0.
215 iolog_mode = mode
217 The file mode to use when creating I/O log files. Mode bits
218 for read and write permissions for owner, group or other are
219 honored, everything else is ignored. The file permissions will
220 always include the owner read and write bits, even if they are
221 not present in the specified mode. When creating I/O log
222 directories, search (execute) bits are added to match the read
223 and write bits specified by iolog_mode. The default value is
224 0600.
225 iolog_user = name
227 The user name to look up when setting the owner of new I/O log
228 files and directories. If iolog_group is set, it will be used
229 instead of the user's primary group-ID. By default, I/O log
230 files and directories are created with user and group-ID 0.
231 maxseq = number
233 The maximum sequence number that will be substituted for the
234 “%{seq}” escape in the I/O log file (see the iolog_dir descrip‐
235 tion above for more information). While the value substituted
236 for “%{seq}” is in base 36, maxseq itself should be expressed
237 in decimal. Values larger than 2176782336 (which corresponds
238 to the base 36 sequence number “ZZZZZZ”) will be silently trun‐
239 cated to 2176782336. The default value is 2176782336.
240 eventlog
242 The eventlog section configures how (and if) security policy events are
243 logged.
244 log_type = string
246 Where to log accept, reject and alert events reported by the pol‐
247 icy. Supported values are syslog, logfile, and none. The default
248 value is syslog.
249 log_format = string
251 The event log format. Supported log formats are “sudo” for tradi‐
252 tional sudo-style logs and “json” for JSON-format logs. The JSON
253 log entries contain the full contents of the accept, reject and
254 alert messages. The default value is sudo.
255 syslog
257 The syslog section configures how events are logged via syslog(3).
258 facility = string
260 Syslog facility if syslog is being used for logging. Defaults to
261 authpriv.
262 The following syslog facilities are supported: authpriv (if your OS
264 supports it), auth, daemon, user, local0, local1, local2, local3,
265 local4, local5, local6, and local7.
266 accept_priority = string
268 Syslog priority to use when the user is allowed to run a command
269 and authentication is successful. Defaults to notice.
270 The following syslog priorities are supported: alert, crit, debug,
272 emerg, err, info, notice, warning, and none. Setting it to a value
273 of none will disable logging of successful commands.
274 reject_priority = string
276 Syslog priority to use when the user is not allowed to run a com‐
277 mand or when authentication is unsuccessful. Defaults to alert.
278 See accept_priority for the list of supported syslog priorities.
280 alert_priority = string
282 Syslog priority to use for event log alert messages received from
283 the client. Defaults to alert.
284 See accept_priority for the list of supported syslog priorities.
286 maxlen = number
288 On many systems, syslog(3) has a relatively small log buffer. IETF
289 RFC 5424 states that syslog servers must support messages of at
290 least 480 bytes and should support messages up to 2048 bytes. By
291 default, sudo_logsrvd creates log messages up to 960 bytes which
292 corresponds to the historic BSD syslog implementation which used a
293 1024 byte buffer to store the message, date, hostname and program
294 name.
295 To prevent syslog messages from being truncated, sudo_logsrvd will
297 split up sudo-style log messages that are larger than maxlen bytes.
298 When a message is split, additional parts will include the string
299 “(command continued)” after the user name and before the continued
300 command line arguments. JSON-format log entries are never split
301 and are not affected by maxlen.
302 logfile
304 The logfile section consists of settings related to logging to a plain
305 file (not syslog).
306 path = string
308 The path to the file-based event log. This path must be fully-
309 qualified and start with a ‘/’ character. The default value is
310 /var/log/sudo.log.
311 time_format = string
313 The string used when formatting the date and time for file-based
314 event logs. Formatting is performed via the system's strftime(3)
315 function so any escape sequences supported by that function will be
316 expanded. The default value is “%h %e %T” which produces dates
317 like “Oct 3 07:15:24” in the C locale.
318
320 /etc/sudo_logsrvd.conf Sudo log server configuration file
321
323 #
324 # sudo logsrv configuration
325 #
326 [server]
328 # The host name or IP address and port to listen on. If no port is
329 # specified, port 30344 will be used.
330 # The following forms are accepted:
331 # listen_address = hostname
332 # listen_address = hostname:port
333 # listen_address = IPv4_address
334 # listen_address = IPv4_address:port
335 # listen_address = [IPv6_address]
336 # listen_address = [IPv6_address]:port
337 #
338 # Multiple listen_address settings may be specified.
339 # The default is to listen on all addresses.
340 #listen_address = *:30344
341 # If set, enable the SO_KEEPALIVE socket option on the connected socket.
343 #tcp_keepalive = true
344 # The amount of time, in seconds, the server will wait for the client to
346 # respond. A value of 0 will disable the timeout. The default value is 30.
347 #timeout = 30
348 # If set, secure connections with TLS 1.2 or 1.3.
350 # By default, server connections are not encrypted.
351 #tls = true
352 # If set, server certificate will be verified at server startup and
354 # also connecting clients will perform server authentication by
355 # verifying the server's certificate and identity.
356 #tls_verify = true
357 # Whether to verify client certificates for TLS connections.
359 # By default client certs are not checked.
360 #tls_checkpeer = false
361 # Path to the certificate authority bundle file in PEM format.
363 # Required if 'tls_verify' or 'tls_checkpeer' is set.
364 #tls_cacert = /etc/ssl/sudo/cacert.pem
365 # Path to the server's certificate file in PEM format.
367 # Required for TLS connections.
368 #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
369 # Path to the server's private key file in PEM format.
371 # Required for TLS connections.
372 #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
373 # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
375 # NOTE that this setting is only effective if the negotiated protocol
376 # is TLS version 1.2.
377 # The default cipher list is HIGH:!aNULL.
378 #tls_ciphers_v12 = HIGH:!aNULL
379 # TLS cipher list if the negotiated protocol is TLS version 1.3.
381 # The default cipher list is TLS_AES_256_GCM_SHA384.
382 #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
383 # Path to the Diffie-Hellman parameter file in PEM format.
385 # If not set, the server will use the OpenSSL defaults.
386 #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
387 [iolog]
389 # The top-level directory to use when constructing the path name for the
390 # I/O log directory. The session sequence number, if any, is stored here.
391 #iolog_dir = /var/log/sudo-io
392 # The path name, relative to iolog_dir, in which to store I/O logs.
394 # Note that iolog_file may contain directory components.
395 #iolog_file = %{seq}
396 # If set, I/O logs will be compressed using zlib. Enabling compression can
398 # make it harder to view the logs in real-time as the program is executing.
399 #iolog_compress = false
400 # If set, I/O log data is flushed to disk after each write instead of
402 # buffering it. This makes it possible to view the logs in real-time
403 # as the program is executing but reduces the effectiveness of compression.
404 #iolog_flush = true
405 # The group to use when creating new I/O log files and directories.
407 # If iolog_group is not set, the primary group-ID of the user specified
408 # by iolog_user is used. If neither iolog_group nor iolog_user
409 # are set, I/O log files and directories are created with group-ID 0.
410 #iolog_group = wheel
411 # The user to use when setting the user-ID and group-ID of new I/O
413 # log files and directories. If iolog_group is set, it will be used
414 # instead of the user's primary group-ID. By default, I/O log files
415 # and directories are created with user and group-ID 0.
416 #iolog_user = root
417 # The file mode to use when creating I/O log files. The file permissions
419 # will always include the owner read and write bits, even if they are
420 # not present in the specified mode. When creating I/O log directories,
421 # search (execute) bits are added to match the read and write bits
422 # specified by iolog_mode.
423 #iolog_mode = 0600
424 # The maximum sequence number that will be substituted for the "%{seq}"
426 # escape in the I/O log file. While the value substituted for "%{seq}"
427 # is in base 36, maxseq itself should be expressed in decimal. Values
428 # larger than 2176782336 (which corresponds to the base 36 sequence
429 # number "ZZZZZZ") will be silently truncated to 2176782336.
430 #maxseq = 2176782336
431 [eventlog]
433 # Where to log accept, reject and alert events.
434 # Accepted values are syslog, logfile, or none.
435 # Defaults to syslog
436 #log_type = syslog
437 # Event log format.
439 # Currently only sudo-style event logs are supported.
440 #log_format = sudo
441 [syslog]
443 # The maximum length of a syslog payload.
444 # On many systems, syslog(3) has a relatively small log buffer.
445 # IETF RFC 5424 states that syslog servers must support messages
446 # of at least 480 bytes and should support messages up to 2048 bytes.
447 # Messages larger than this value will be split into multiple messages.
448 #maxlen = 960
449 # The syslog facility to use for event log messages.
451 # The following syslog facilities are supported: authpriv (if your OS
452 # supports it), auth, daemon, user, local0, local1, local2, local3,
453 # local4, local5, local6, and local7.
454 #facility = authpriv
455 # Syslog priority to use for event log accept messages, when the command
457 # is allowed by the security policy. The following syslog priorities are
458 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
459 #accept_priority = notice
460 # Syslog priority to use for event log reject messages, when the command
462 # is not allowed by the security policy.
463 #reject_priority = alert
464 # Syslog priority to use for event log alert messages reported by the
466 # client.
467 #alert_priority = alert
468 [logfile]
470 # The path to the file-based event log.
471 # This path must be fully-qualified and start with a '/' character.
472 #path = /var/log/sudo
473 # The format string used when formatting the date and time for
475 # file-based event logs. Formatting is performed via strftime(3) so
476 # any format string supported by that function is allowed.
477 #time_format = %h %e %T
478
480 strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudo_logsrvd(8)
481
483 See the HISTORY file in the sudo distribution (https://www.sudo.ws/his‐
484 tory.html) for a brief history of sudo.
485
487 Many people have worked on sudo over the years; this version consists of
488 code written primarily by:
489 Todd C. Miller
491 See the CONTRIBUTORS file in the sudo distribution
493 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
494 who have contributed to sudo.
495
497 If you feel you have found a bug in sudo, please submit a bug report at
498 https://bugzilla.sudo.ws/
499
501 Limited free support is available via the sudo-users mailing list, see
502 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
503 the archives.
504
506 sudo is provided “AS IS” and any express or implied warranties, includ‐
507 ing, but not limited to, the implied warranties of merchantability and
508 fitness for a particular purpose are disclaimed. See the LICENSE file
509 distributed with sudo or https://www.sudo.ws/license.html for complete
510 details.
511Sudo 1.9.0b4 February 15, 2020 Sudo 1.9.0b4