1SUDO_LOGSRVD.CONF(5)        BSD File Formats Manual       SUDO_LOGSRVD.CONF(5)
2

NAME

4     sudo_logsrvd.conf — configuration for sudo_logsrvd
5

DESCRIPTION

7     The sudo_logsrvd.conf file is used to configure the sudo_logsrvd log
8     server.  It uses an INI-style format made up of sections in square brack‐
9     ets and “key = value” pairs specific to each section below the section
10     name.  Depending on the key, values may be integers, booleans or strings.
11     Section and key names are not case sensitive, but values are.
12
13     The pound sign (‘#’) is used to indicate a comment.  Both the comment
14     character and any text after it, up to the end of the line, are ignored.
15     Lines beginning with a semi-colon (‘;’) are also ignored.
16
17     Long lines can be continued with a backslash (‘\’) as the last character
18     on the line.  Note that leading white space is removed from the beginning
19     of lines even when the continuation character is used.
20
21     The EXAMPLES section contains a copy of the default sudo_logsrvd.conf
22     file.
23
24     The following configuration sections are recognized:
25
26           ·   server
27           ·   iolog
28           ·   eventlog
29           ·   syslog
30           ·   logfile
31
32     Each section is described in detail below.
33
34   server
35     The server section configures the address and port the server will listen
36     on.  The following keys are recognized:
37
38     listen_address = host[:port][(tls)]
39               The host name or IP address, optional port to listen on and an
40               optional Transport Layer Security (TLS) flag in parentheses.
41
42               The host may be a host name, an IPv4 address, an IPv6 address
43               in square brackets or the wild card entry ‘*’.  A host setting
44               of ‘*’ will cause sudo_logsrvd to listen on all configured net‐
45               work interfaces.
46
47               If the optional tls flag is present, sudo_logsrvd will secure
48               the connection with TLS version 1.2 or 1.3.  Versions of TLS
49               prior to 1.2 are not supported.  See sudo_logsrvd(8) for
50               details on generating TLS keys and certificates.
51
52               If a port is specified, it may either be a port number or a
53               known service name as defined by the system service name data‐
54               base.  If no port is specified, port 30343 will be used for
55               plaintext connections and port 30344 will be used for TLS con‐
56               nections.
57
58               The default value is:
59                     listen_address = *:30343
60                     listen_address = *:30344(tls)
61               which will listen on all configured network interfaces for both
62               plaintext and TLS connections.  Multiple listen_address lines
63               may be specified to listen on more than one port or interface.
64
65     pid_file = path
66               The path to the file containing the process ID of the running
67               sudo_logsrvd.  If set to an empty value, or if sudo_logsrvd is
68               run with the -n option, no pid_file will be created.  If
69               pid_file refers to a symbolic link, it will be ignored.  The
70               default value is /run/sudo/sudo_logsrvd.pid.
71
72     tcp_keepalive = boolean
73               If true, sudo_logsrvd will enable the TCP keepalive socket
74               option on the client connection.  This enables the periodic
75               transmission of keepalive messages to the client.  If the
76               client does not respond to a message, the connection will be
77               closed.
78
79     timeout = number
80               The amount of time, in seconds, sudo_logsrvd will wait for the
81               client to respond.  A value of 0 will disable the timeout.  The
82               default value is 30.
83
84     tls_cacert = path
85               The path to a certificate authority bundle file, in PEM format,
86               to use instead of the system's default certificate authority
87               database when authenticating clients.  The default is to use
88               /etc/ssl/sudo/cacert.pem if it exists, otherwise the system's
89               default certificate authority database is used.
90
91     tls_cert = path
92               The path to the server's certificate file, in PEM format.  The
93               default value is /etc/ssl/sudo/certs/logsrvd_cert.pem.
94
95     tls_checkpeer = bool
96               If true, client certificates will be validated by the server;
97               clients without a valid certificate will be unable to connect.
98               If false, no validation of client certificates will be per‐
99               formed.  It true and client certificates are created using a
100               private certificate authority, the tls_cacert setting must be
101               set to a CA bundle that contains the CA certificate used to
102               generate the client certificate.  The default value is false.
103
104     tls_ciphers_v12 = string
105               A list of ciphers to use for connections secured by TLS version
106               1.2 only, separated by a colon ‘:’.  See the CIPHER LIST FORMAT
107               section in openssl-ciphers(1) for full details.  The default
108               value is HIGH:!aNULL which consists of encryption cipher suites
109               with key lengths larger than 128 bits, and some cipher suites
110               with 128-bit keys.  Cipher suites that offer no authentication
111               are excluded.
112
113     tls_ciphers_v13 = string
114               A list of ciphers to use for connections secured by TLS version
115               1.3 only, separated by a colon ‘:’.  Supported cipher suites
116               depend on the version of OpenSSL used, but should include the
117               following:
118
119                     TLS_AES_128_GCM_SHA256
120                     TLS_AES_256_GCM_SHA384
121                     TLS_CHACHA20_POLY1305_SHA256
122                     TLS_AES_128_CCM_SHA256
123                     TLS_AES_128_CCM_8_SHA256
124
125               The default cipher suite is TLS_AES_256_GCM_SHA384.
126
127     tls_dhparams = path
128               The path to a file containing custom Diffie-Hellman parameters
129               in PEM format.  This file can be created with the following
130               command:
131
132               openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
133
134               By default, sudo_logsrvd will use the OpenSSL defaults for
135               Diffie-Hellman key generation.
136
137     tls_key = path
138               The path to the server's private key file, in PEM format.  The
139               default value is /etc/ssl/sudo/private/logsrvd_key.pem.
140
141     tls_verify = bool
142               If true, the server certificate will be verified at startup and
143               clients will authenticate the server by verifying its certifi‐
144               cate and identity.  If false, no verification is performed of
145               the server certificate by the server or the client.  When using
146               self-signed certificates without a certificate authority, this
147               setting should be set to false.  The default value is true.
148
149   iolog
150     The iolog section configures I/O log parameters.  These settings are
151     identical to the I/O configuration in sudoers(5).  The following keys are
152     recognized:
153
154     iolog_compress = boolean
155               If set, I/O logs will be compressed using zlib.  Enabling com‐
156               pression can make it harder to view the logs in real-time as
157               the program is executing due to buffering.  The default value
158               is false.
159
160     iolog_dir = path
161               The top-level directory to use when constructing the path name
162               for the I/O log directory.  The session sequence number, if
163               any, is stored in the directory.  The default value is
164               /var/log/sudo-io.
165
166               The following percent (‘%’) escape sequences are supported:
167
168               %{seq}
169                     expanded to a monotonically increasing base-36 sequence
170                     number, such as 0100A5, where every two digits are used
171                     to form a new directory, e.g., 01/00/A5
172
173               %{user}
174                     expanded to the invoking user's login name
175
176               %{group}
177                     expanded to the name of the invoking user's real group-ID
178
179               %{runas_user}
180                     expanded to the login name of the user the command will
181                     be run as (e.g., root)
182
183               %{runas_group}
184                     expanded to the group name of the user the command will
185                     be run as (e.g., wheel)
186
187               %{hostname}
188                     expanded to the local host name without the domain name
189
190               %{command}
191                     expanded to the base name of the command being run
192
193               In addition, any escape sequences supported by the system's
194               strftime(3) function will be expanded.
195
196               To include a literal ‘%’ character, the string ‘%%’ should be
197               used.
198
199     iolog_file = path
200               The path name, relative to iolog_dir, in which to store I/O
201               logs.  Note that iolog_file may contain directory components.
202               The default value is %{seq}.
203
204               See the iolog_dir setting above for a list of supported percent
205               (‘%’) escape sequences.
206
207               In addition to the escape sequences, path names that end in six
208               or more Xs will have the Xs replaced with a unique combination
209               of digits and letters, similar to the mktemp(3) function.
210
211               If the path created by concatenating iolog_dir and iolog_file
212               already exists, the existing I/O log file will be truncated and
213               overwritten unless iolog_file ends in six or more Xs.
214
215     iolog_flush = boolean
216               If set, I/O log data is flushed to disk after each write
217               instead of buffering it.  This makes it possible to view the
218               logs in real-time as the program is executing but may signifi‐
219               cantly reduce the effectiveness of I/O log compression.  The
220               default value is true.
221
222     iolog_group = name
223               The group name to look up when setting the group-ID on new I/O
224               log files and directories.  If iolog_group is not set, the pri‐
225               mary group-ID of the user specified by iolog_user is used. If
226               neither iolog_group nor iolog_user are set, I/O log files and
227               directories are created with group-ID 0.
228
229     iolog_mode = mode
230               The file mode to use when creating I/O log files.  Mode bits
231               for read and write permissions for owner, group or other are
232               honored, everything else is ignored.  The file permissions will
233               always include the owner read and write bits, even if they are
234               not present in the specified mode.  When creating I/O log
235               directories, search (execute) bits are added to match the read
236               and write bits specified by iolog_mode.  The default value is
237               0600.
238
239     iolog_user = name
240               The user name to look up when setting the owner of new I/O log
241               files and directories.  If iolog_group is set, it will be used
242               instead of the user's primary group-ID.  By default, I/O log
243               files and directories are created with user and group-ID 0.
244
245     maxseq = number
246               The maximum sequence number that will be substituted for the
247               “%{seq}” escape in the I/O log file (see the iolog_dir descrip‐
248               tion above for more information).  While the value substituted
249               for “%{seq}” is in base 36, maxseq itself should be expressed
250               in decimal.  Values larger than 2176782336 (which corresponds
251               to the base 36 sequence number “ZZZZZZ”) will be silently trun‐
252               cated to 2176782336.  The default value is 2176782336.
253
254   eventlog
255     The eventlog section configures how (and if) security policy events are
256     logged.
257
258     log_type = string
259           Where to log accept, reject and alert events reported by the pol‐
260           icy.  Supported values are syslog, logfile, and none.  The default
261           value is syslog.
262
263     log_format = string
264           The event log format.  Supported log formats are “sudo” for tradi‐
265           tional sudo-style logs and “json” for JSON-format logs.  The JSON
266           log entries contain the full contents of the accept, reject and
267           alert messages.  The default value is sudo.
268
269   syslog
270     The syslog section configures how events are logged via syslog(3).
271
272     facility = string
273           Syslog facility if syslog is being used for logging.  Defaults to
274           authpriv.
275
276           The following syslog facilities are supported: authpriv (if your OS
277           supports it), auth, daemon, user, local0, local1, local2, local3,
278           local4, local5, local6, and local7.
279
280     accept_priority = string
281           Syslog priority to use when the user is allowed to run a command
282           and authentication is successful.  Defaults to notice.
283
284           The following syslog priorities are supported: alert, crit, debug,
285           emerg, err, info, notice, warning, and none.  Setting it to a value
286           of none will disable logging of successful commands.
287
288     reject_priority = string
289           Syslog priority to use when the user is not allowed to run a com‐
290           mand or when authentication is unsuccessful.  Defaults to alert.
291
292           See accept_priority for the list of supported syslog priorities.
293
294     alert_priority = string
295           Syslog priority to use for event log alert messages received from
296           the client.  Defaults to alert.
297
298           See accept_priority for the list of supported syslog priorities.
299
300     maxlen = number
301           On many systems, syslog(3) has a relatively small log buffer.  IETF
302           RFC 5424 states that syslog servers must support messages of at
303           least 480 bytes and should support messages up to 2048 bytes.  By
304           default, sudo_logsrvd creates log messages up to 960 bytes which
305           corresponds to the historic BSD syslog implementation which used a
306           1024 byte buffer to store the message, date, hostname and program
307           name.
308
309           To prevent syslog messages from being truncated, sudo_logsrvd will
310           split up sudo-style log messages that are larger than maxlen bytes.
311           When a message is split, additional parts will include the string
312           “(command continued)” after the user name and before the continued
313           command line arguments.  JSON-format log entries are never split
314           and are not affected by maxlen.
315
316   logfile
317     The logfile section consists of settings related to logging to a plain
318     file (not syslog).
319
320     path = string
321           The path to the file-based event log.  This path must be fully-
322           qualified and start with a ‘/’ character.  The default value is
323           /var/log/sudo.log.
324
325     time_format = string
326           The string used when formatting the date and time for file-based
327           event logs.  Formatting is performed via the system's strftime(3)
328           function so any escape sequences supported by that function will be
329           expanded.  The default value is “%h %e %T” which produces dates
330           like “Oct 3 07:15:24” in the C locale.
331

FILES

333     /etc/sudo_logsrvd.conf    Sudo log server configuration file
334

EXAMPLES

336     #
337     # sudo logsrv configuration
338     #
339
340     [server]
341     # The host name or IP address and port to listen on with an optional TLS
342     # flag.  If no port is specified, port 30343 will be used for plaintext
343     # connections and port 30344 will be used to TLS connections.
344     # The following forms are accepted:
345     #   listen_address = hostname(tls)
346     #   listen_address = hostname:port(tls)
347     #   listen_address = IPv4_address(tls)
348     #   listen_address = IPv4_address:port(tls)
349     #   listen_address = [IPv6_address](tls)
350     #   listen_address = [IPv6_address]:port(tls)
351     #
352     # The (tls) suffix should be omitted for plaintext connections.
353     #
354     # Multiple listen_address settings may be specified.
355     # The default is to listen on all addresses.
356     #listen_address = *:30343
357     #listen_address = *:30344(tls)
358
359     # The file containing the ID of the running sudo_logsrvd process.
360     #pid_file = /run/sudo/sudo_logsrvd.pid
361
362     # If set, enable the SO_KEEPALIVE socket option on the connected socket.
363     #tcp_keepalive = true
364
365     # The amount of time, in seconds, the server will wait for the client to
366     # respond.  A value of 0 will disable the timeout.  The default value is 30.
367     #timeout = 30
368
369     # If set, server certificate will be verified at server startup and
370     # also connecting clients will perform server authentication by
371     # verifying the server's certificate and identity.
372     #tls_verify = true
373
374     # Whether to verify client certificates for TLS connections.
375     # By default client certs are not checked.
376     #tls_checkpeer = false
377
378     # Path to the certificate authority bundle file in PEM format.
379     # Required if 'tls_verify' or 'tls_checkpeer' is set.
380     #tls_cacert = /etc/ssl/sudo/cacert.pem
381
382     # Path to the server's certificate file in PEM format.
383     # Required for TLS connections.
384     #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
385
386     # Path to the server's private key file in PEM format.
387     # Required for TLS connections.
388     #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
389
390     # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
391     # NOTE that this setting is only effective if the negotiated protocol
392     # is TLS version 1.2.
393     # The default cipher list is HIGH:!aNULL.
394     #tls_ciphers_v12 = HIGH:!aNULL
395
396     # TLS cipher list if the negotiated protocol is TLS version 1.3.
397     # The default cipher list is TLS_AES_256_GCM_SHA384.
398     #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
399
400     # Path to the Diffie-Hellman parameter file in PEM format.
401     # If not set, the server will use the OpenSSL defaults.
402     #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
403
404     [iolog]
405     # The top-level directory to use when constructing the path name for the
406     # I/O log directory.  The session sequence number, if any, is stored here.
407     #iolog_dir = /var/log/sudo-io
408
409     # The path name, relative to iolog_dir, in which to store I/O logs.
410     # Note that iolog_file may contain directory components.
411     #iolog_file = %{seq}
412
413     # If set, I/O logs will be compressed using zlib.  Enabling compression can
414     # make it harder to view the logs in real-time as the program is executing.
415     #iolog_compress = false
416
417     # If set, I/O log data is flushed to disk after each write instead of
418     # buffering it.  This makes it possible to view the logs in real-time
419     # as the program is executing but reduces the effectiveness of compression.
420     #iolog_flush = true
421
422     # The group to use when creating new I/O log files and directories.
423     # If iolog_group is not set, the primary group-ID of the user specified
424     # by iolog_user is used.  If neither iolog_group nor iolog_user
425     # are set, I/O log files and directories are created with group-ID 0.
426     #iolog_group = wheel
427
428     # The user to use when setting the user-ID and group-ID of new I/O
429     # log files and directories.  If iolog_group is set, it will be used
430     # instead of the user's primary group-ID.  By default, I/O log files
431     # and directories are created with user and group-ID 0.
432     #iolog_user = root
433
434     # The file mode to use when creating I/O log files.  The file permissions
435     # will always include the owner read and write bits, even if they are
436     # not present in the specified mode.  When creating I/O log directories,
437     # search (execute) bits are added to match the read and write bits
438     # specified by iolog_mode.
439     #iolog_mode = 0600
440
441     # The maximum sequence number that will be substituted for the "%{seq}"
442     # escape in the I/O log file.  While the value substituted for "%{seq}"
443     # is in base 36, maxseq itself should be expressed in decimal.  Values
444     # larger than 2176782336 (which corresponds to the base 36 sequence
445     # number "ZZZZZZ") will be silently truncated to 2176782336.
446     #maxseq = 2176782336
447
448     [eventlog]
449     # Where to log accept, reject and alert events.
450     # Accepted values are syslog, logfile, or none.
451     # Defaults to syslog
452     #log_type = syslog
453
454     # Event log format.
455     # Currently only sudo-style event logs are supported.
456     #log_format = sudo
457
458     [syslog]
459     # The maximum length of a syslog payload.
460     # On many systems, syslog(3) has a relatively small log buffer.
461     # IETF RFC 5424 states that syslog servers must support messages
462     # of at least 480 bytes and should support messages up to 2048 bytes.
463     # Messages larger than this value will be split into multiple messages.
464     #maxlen = 960
465
466     # The syslog facility to use for event log messages.
467     # The following syslog facilities are supported: authpriv (if your OS
468     # supports it), auth, daemon, user, local0, local1, local2, local3,
469     # local4, local5, local6, and local7.
470     #facility = authpriv
471
472     # Syslog priority to use for event log accept messages, when the command
473     # is allowed by the security policy.  The following syslog priorities are
474     # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
475     #accept_priority = notice
476
477     # Syslog priority to use for event log reject messages, when the command
478     # is not allowed by the security policy.
479     #reject_priority = alert
480
481     # Syslog priority to use for event log alert messages reported by the
482     # client.
483     #alert_priority = alert
484
485     [logfile]
486     # The path to the file-based event log.
487     # This path must be fully-qualified and start with a '/' character.
488     #path = /var/log/sudo
489
490     # The format string used when formatting the date and time for
491     # file-based event logs.  Formatting is performed via strftime(3) so
492     # any format string supported by that function is allowed.
493     #time_format = %h %e %T
494

SEE ALSO

496     strftime(3), sudo.conf(5), sudoers(5), sudo(8), sudo_logsrvd(8)
497

HISTORY

499     See the HISTORY file in the sudo distribution (https://www.sudo.ws/his
500     tory.html) for a brief history of sudo.
501

AUTHORS

503     Many people have worked on sudo over the years; this version consists of
504     code written primarily by:
505
506           Todd C. Miller
507
508     See the CONTRIBUTORS file in the sudo distribution
509     (https://www.sudo.ws/contributors.html) for an exhaustive list of people
510     who have contributed to sudo.
511

BUGS

513     If you feel you have found a bug in sudo, please submit a bug report at
514     https://bugzilla.sudo.ws/
515

SUPPORT

517     Limited free support is available via the sudo-users mailing list, see
518     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
519     the archives.
520

DISCLAIMER

522     sudo is provided “AS IS” and any express or implied warranties, includ‐
523     ing, but not limited to, the implied warranties of merchantability and
524     fitness for a particular purpose are disclaimed.  See the LICENSE file
525     distributed with sudo or https://www.sudo.ws/license.html for complete
526     details.
527
528Sudo 1.9.5p2                   November 24, 2020                  Sudo 1.9.5p2
Impressum