1SUDO_LOGSRVD(8)           BSD System Manager's Manual          SUDO_LOGSRVD(8)
2

NAME

4     sudo_logsrvd — sudo event and I/O log server
5

SYNOPSIS

7     sudo_logsrvd [-hnV] [-f file] [-R percentage]
8

DESCRIPTION

10     sudo_logsrvd is a high-performance log server that accepts event and I/O
11     logs from sudo.  It can be used to implement centralized logging of sudo
12     logs.  The server has two modes of operation: local and relay.  By de‐
13     fault, sudo_logsrvd stores the logs locally but it can also be configured
14     to relay them to another server that supports the sudo_logsrv.proto(5)
15     protocol.
16
17     When not relaying, event log entries may be logged either via syslog(3)
18     or to a local file.  I/O Logs stored locally by sudo_logsrvd can be re‐
19     played via the sudoreplay(8) utility in the same way as logs generated
20     directly by the sudoers plugin.
21
22     The server also supports restarting interrupted log transfers.  To dis‐
23     tinguish completed I/O logs from incomplete ones, the I/O log timing file
24     is set to be read-only when the log is complete.
25
26     Configuration parameters for sudo_logsrvd may be specified in the
27     sudo_logsrvd.conf(5) file or the file specified via the -f option.
28
29     sudo_logsrvd rereads its configuration file when it receives SIGHUP and
30     writes server state to the debug file (if one is configured) when it re‐
31     ceives SIGUSR1.
32
33     The options are as follows:
34
35     -f file, --file=file
36                 Read configuration from file instead of the default,
37                 /etc/sudo_logsrvd.conf.
38
39     -h, --help  Display a short help message to the standard output and exit.
40
41     -n, --no-fork
42                 Run sudo_logsrvd in the foreground instead of detaching from
43                 the terminal and becoming a daemon.
44
45     -R percentage, --random-drop=percentage
46                 For each message, there is a percentage chance that the
47                 server will drop the connection.  This is only intended for
48                 debugging the ability of a client to restart a connection.
49
50     -V, --version
51                 Print the sudo_logsrvd version and exit.
52
53   Securing server connections
54     The I/O log data sent to sudo_logsrvd may contain sensitive information
55     such as passwords and should be secured using Transport Layer Security
56     (TLS).  Doing so requires having a signed certificate on the server and,
57     if tls_checkpeer is enabled in sudo_logsrvd.conf(5), a signed certificate
58     on the client as well.
59
60     The certificates can either be signed by a well-known Certificate Author‐
61     ity (CA), or a private CA can be used.  Instructions for creating a pri‐
62     vate CA are included below in the EXAMPLES section.
63
64   Debugging sudo_logsrvd
65     sudo_logsrvd supports a flexible debugging framework that is configured
66     via Debug lines in the sudo.conf(5) file.
67
68     For more information on configuring sudo.conf(5), please refer to its
69     manual.
70

FILES

72     /etc/sudo.conf            Sudo front end configuration
73
74     /etc/sudo_logsrvd.conf    Sudo log server configuration file
75
76     /var/log/sudo_logsrvd/incoming
77                               Directory where new journals are stored when
78                               the store_first relay setting is enabled.
79
80     /var/log/sudo_logsrvd/outgoing
81                               Directory where completed journals are stored
82                               when the store_first relay setting is enabled.
83
84     /var/log/sudo-io          Default I/O log file location
85
86     /run/sudo/sudo_logsrvd.pid
87                               Process ID file for sudo_logsrvd
88

EXAMPLES

90   Creating self-signed certificates
91     Unless you are using certificates signed by a well-known Certificate Au‐
92     thority (or a local enterprise CA), you will need to create your own CA
93     that can sign the certificates used by sudo_logsrvd, sudo_sendlog, and
94     the sudoers plugin.  The following steps use the openssl(1) command to
95     create keys and certificates.
96
97   Initial setup
98     First, we need to create a directory structure to store the files for the
99     CA.  We'll create a new directory hierarchy in /etc/ssl/sudo for this
100     purpose.
101
102           # mkdir /etc/ssl/sudo
103           # cd /etc/ssl/sudo
104           # mkdir certs csr newcerts private
105           # chmod 700 private
106           # touch index.txt
107           # echo 1000 > serial
108
109     The serial and index.txt files are used to keep track of signed certifi‐
110     cates.
111
112     Next, we need to make a copy of the openssl.conf file and customize it
113     for our new CA.  The path to openssl.cnf is system-dependent but
114     /etc/ssl/openssl.cnf is the most common location.  You will need to ad‐
115     just the example below if it has a different location on your system.
116
117           # cp /etc/ssl/openssl.cnf .
118
119     Now edit the openssl.cnf file in the current directory and make sure it
120     contains “ca” and “CA_default” sections.  Those sections should include
121     the following settings:
122
123           [ ca ]
124           default_ca      = CA_default
125
126           [ CA_default ]
127           dir             = /etc/ssl/sudo
128           certs           = $dir/certs
129           database        = $dir/index.txt
130           certificate     = $dir/cacert.pem
131           serial          = $dir/serial
132
133     If your openssl.conf file already has a “CA_default” section, you may
134     only need to modify the “dir” setting.
135
136   Creating the CA key and certificate
137     In order to create and sign our own certificates, we need to create a
138     private key and a certificate for the root of the CA.  First, create the
139     private key and protect it with a pass phrase:
140
141           # openssl genrsa -aes256 -out private/cakey.pem 4096
142           # chmod 400 private/cakey.pem
143
144     Next, generate the root certificate, using appropriate values for the
145     site-specific fields:
146
147           # openssl req -config openssl.cnf -key private/cakey.pem \
148               -new -x509 -days 7300 -sha256 -extensions v3_ca \
149               -out cacert.pem
150
151           Enter pass phrase for private/cakey.pem:
152           You are about to be asked to enter information that will be
153           incorporated into your certificate request.
154           What you are about to enter is what is called a Distinguished Name
155           or a DN.
156           There are quite a few fields but you can leave some blank.
157           For some fields there will be a default value,
158           If you enter '.', the field will be left blank.
159           -----
160           Country Name (2 letter code) [AU]:US
161           State or Province Name (full name) [Some-State]:Colorado
162           Locality Name (eg, city) []:
163           Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
164           Organizational Unit Name (eg, section) []:sudo Certificate Authority
165           Common Name (e.g., server FQDN or YOUR name) []:sudo Root CA
166           Email Address []:
167
168           # chmod 444 cacert.pem
169
170     Finally, verify the root certificate:
171
172           # openssl x509 -noout -text -in cacert.pem
173
174   Creating and signing certificates
175     The server and client certificates will be signed by the previously cre‐
176     ated root CA.  Usually, the root CA is not used to sign server/client
177     certificates directly.  Instead, intermediate certificates are created
178     and signed with the root CA and the intermediate certs are used to sign
179     CSRs (Certificate Signing Request).  In this example we'll skip this part
180     for simplicity's sake and sign the CSRs with the root CA.
181
182     First, generate the private key without a pass phrase.
183
184           # openssl genrsa -out private/logsrvd_key.pem 2048
185           # chmod 400 private/logsrvd_key.pem
186
187     Next, create a certificate signing request (CSR) for the server's cer‐
188     tificate.  The organization name must match the name given in the root
189     certificate.  The common name should be either the server's IP address or
190     a fully qualified domain name.
191
192           # openssl req -config openssl.cnf -key private/logsrvd_key.pem -new \
193               -sha256 -out csr/logsrvd_csr.pem
194
195           Enter pass phrase for private/logsrvd_key.pem:
196           You are about to be asked to enter information that will be
197           incorporated into your certificate request.
198           What you are about to enter is what is called a Distinguished Name
199           or a DN.
200           There are quite a few fields but you can leave some blank.
201           For some fields there will be a default value,
202           If you enter '.', the field will be left blank.
203           -----
204           Country Name (2 letter code) [AU]:US
205           State or Province Name (full name) [Some-State]:Colorado
206           Locality Name (eg, city) []:
207           Organization Name (eg, company) [Internet Widgits Pty Ltd]:sudo
208           Organizational Unit Name (eg, section) []:sudo log server
209           Common Name (e.g., server FQDN or YOUR name) []:logserver.example.com
210           Email Address []:
211
212           Please enter the following 'extra' attributes
213           to be sent with your certificate request
214           A challenge password []:
215           An optional company name []:
216
217     Now sign the CSR that was just created:
218
219           # openssl ca -config openssl.cnf -days 375 -notext -md sha256 \
220               -in csr/logsrvd_csr.pem -out certs/logsrvd_cert.pem
221
222           Using configuration from openssl.cnf
223           Enter pass phrase for ./private/cakey.pem:
224           Check that the request matches the signature
225           Signature ok
226           Certificate Details:
227                   Serial Number: 4096 (0x1000)
228                   Validity
229                       Not Before: Nov 11 14:05:05 2019 GMT
230                       Not After : Nov 20 14:05:05 2020 GMT
231                   Subject:
232                       countryName               = US
233                       stateOrProvinceName       = Colorado
234                       organizationName          = sudo
235                       organizationalUnitName    = sudo log server
236                       commonName                = logserve.example.com
237                   X509v3 extensions:
238                       X509v3 Basic Constraints:
239                           CA:FALSE
240                       Netscape Comment:
241                           OpenSSL Generated Certificate
242                       X509v3 Subject Key Identifier:
243                           4C:50:F9:D0:BE:1A:4C:B2:AC:90:76:56:C7:9E:16:AE:E6:9E:E5:B5
244                       X509v3 Authority Key Identifier:
245                           keyid:D7:91:24:16:B1:03:06:65:1A:7A:6E:CF:51:E9:5C:CB:7A:95:3E:0C
246
247           Certificate is to be certified until Nov 20 14:05:05 2020 GMT (375 days)
248           Sign the certificate? [y/n]:y
249
250           1 out of 1 certificate requests certified, commit? [y/n]y
251           Write out database with 1 new entries
252           Data Base Updated
253
254     Finally, verify the new certificate:
255
256           # openssl verify -CAfile cacert.pem certs/logsrvd_cert.pem
257           certs/logsrvd_cert.pem: OK
258
259     The /etc/ssl/sudo/certs directory now contains a signed and verified cer‐
260     tificate for use with sudo_logsrvd.
261
262     To generate a client certificate, repeat the process above using a dif‐
263     ferent file name.
264
265   Configuring sudo_logsrvd to use TLS
266     To use TLS for client/server communication, both sudo_logsrvd and the
267     sudoers plugin need to be configured to use TLS.  Configuring
268     sudo_logsrvd for TLS requires the following settings, assuming the same
269     path names used earlier:
270
271           # Listen on port 30344 for TLS connections to any address.
272           listen_address = *:30344(tls)
273
274           # Path to the certificate authority bundle file in PEM format.
275           tls_cacert = /etc/ssl/sudo/cacert.pem
276
277           # Path to the server's certificate file in PEM format.
278           tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
279
280           # Path to the server's private key file in PEM format.
281           tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
282
283     The root CA cert (cacert.pem) must be installed on the system running
284     sudo_logsrvd.  If peer authentication is enabled on the client, a copy of
285     cacert.pem must be present on the client system too.
286

SEE ALSO

288     sudo.conf(5), sudo_logsrvd.conf(5), sudoers(5), sudo(8), sudo_sendlog(8),
289     sudoreplay(8)
290

AUTHORS

292     Many people have worked on sudo over the years; this version consists of
293     code written primarily by:
294
295           Todd C. Miller
296
297     See the CONTRIBUTORS file in the sudo distribution
298     (https://www.sudo.ws/contributors.html) for an exhaustive list of people
299     who have contributed to sudo.
300

BUGS

302     If you feel you have found a bug in sudo_logsrvd, please submit a bug re‐
303     port at https://bugzilla.sudo.ws/
304

SUPPORT

306     Limited free support is available via the sudo-users mailing list, see
307     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
308     the archives.
309

DISCLAIMER

311     sudo_logsrvd is provided “AS IS” and any express or implied warranties,
312     including, but not limited to, the implied warranties of merchantability
313     and fitness for a particular purpose are disclaimed.  See the LICENSE
314     file distributed with sudo or https://www.sudo.ws/license.html for com‐
315     plete details.
316
317Sudo 1.9.8p2                    April 29, 2021                    Sudo 1.9.8p2
Impressum