mirror of https://github.com/sudo-project/sudo.git
253 lines
9.6 KiB
Groff
253 lines
9.6 KiB
Groff
#
|
|
# sudo logsrv daemon configuration
|
|
#
|
|
|
|
[server]
|
|
# The host name or IP address and port to listen on with an optional TLS
|
|
# flag. If no port is specified, port 30343 will be used for plaintext
|
|
# connections and port 30344 will be used to TLS connections.
|
|
# The following forms are accepted:
|
|
# listen_address = hostname(tls)
|
|
# listen_address = hostname:port(tls)
|
|
# listen_address = IPv4_address(tls)
|
|
# listen_address = IPv4_address:port(tls)
|
|
# listen_address = [IPv6_address](tls)
|
|
# listen_address = [IPv6_address]:port(tls)
|
|
#
|
|
# The (tls) suffix should be omitted for plaintext connections.
|
|
#
|
|
# Multiple listen_address settings may be specified.
|
|
# The default is to listen on all addresses.
|
|
listen_address = 172.0.0.1:30343
|
|
listen_address = 172.0.0.1:30344(tls)
|
|
|
|
# The file containing the ID of the running sudo_logsrvd process.
|
|
pid_file = /var/run/sudo/sudo_logsrvd.pid
|
|
|
|
# Where to log server warnings: none, stderr, syslog, or a path name.
|
|
server_log = stderr
|
|
|
|
# If true, enable the SO_KEEPALIVE socket option on client connections.
|
|
# Defaults to true.
|
|
tcp_keepalive = true
|
|
|
|
# The amount of time, in seconds, the server will wait for the client to
|
|
# respond. A value of 0 will disable the timeout. The default value is 30.
|
|
timeout = 30
|
|
|
|
# If true, the server will validate its own certificate at startup.
|
|
# Defaults to true.
|
|
tls_verify = false
|
|
|
|
# If true, client certificates will be validated by the server;
|
|
# clients without a valid certificate will be unable to connect.
|
|
# By default, client certs are not checked.
|
|
tls_checkpeer = true
|
|
|
|
# Path to a certificate authority bundle file in PEM format to use
|
|
# instead of the system's default certificate authority database.
|
|
tls_cacert = regress/logsrvd_conf/cacert.pem
|
|
|
|
# Path to the server's certificate file in PEM format.
|
|
# Required for TLS connections.
|
|
tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
|
|
|
|
# Path to the server's private key file in PEM format.
|
|
# Required for TLS connections.
|
|
tls_key = regress/logsrvd_conf/logsrvd_key.pem
|
|
|
|
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
|
|
# This setting is only effective if the negotiated protocol is TLS version
|
|
# 1.2. The default cipher list is HIGH:!aNULL.
|
|
tls_ciphers_v12 = HIGH:!aNULL
|
|
|
|
# TLS cipher list if the negotiated protocol is TLS version 1.3.
|
|
# The default cipher list is TLS_AES_256_GCM_SHA384.
|
|
tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
|
|
|
|
# Path to the Diffie-Hellman parameter file in PEM format.
|
|
# If not set, the server will use the OpenSSL defaults.
|
|
tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
|
|
|
|
[relay]
|
|
# The host name or IP address and port to send logs to in relay mode.
|
|
# The syntax is identical to listen_address with the exception of
|
|
# the wild card ('*') syntax. When this setting is enabled, logs will
|
|
# be relayed to the specified host instead of being stored locally.
|
|
# This setting is not enabled by default.
|
|
#relay_host = relayhost.dom.ain
|
|
relay_host = 127.0.0.1(tls)
|
|
|
|
# The amount of time, in seconds, the server will wait for a connection
|
|
# to the relay server to complete. A value of 0 will disable the timeout.
|
|
# The default value is 30.
|
|
connect_timeout = 30
|
|
|
|
# The directory to store messages in before they are sent to the relay.
|
|
# Messages are stored in wire format.
|
|
# The default value is /var/log/sudo_logsrvd.
|
|
relay_dir = /var/log/sudo_logsrvd
|
|
|
|
# The number of seconds to wait after a connection error before
|
|
# making a new attempt to forward a message to a relay host.
|
|
# The default value is 30.
|
|
retry_interval = 30
|
|
|
|
# Whether to store the log before relaying it. If true, enable store
|
|
# and forward mode. If false, the client connection is immediately
|
|
# relayed. Defaults to false.
|
|
store_first = true
|
|
|
|
# If true, enable the SO_KEEPALIVE socket option on relay connections.
|
|
# Defaults to true.
|
|
tcp_keepalive = true
|
|
|
|
# The amount of time, in seconds, the server will wait for the relay to
|
|
# respond. A value of 0 will disable the timeout. The default value is 30.
|
|
timeout = 30
|
|
|
|
# If true, the server's relay certificate will be verified at startup.
|
|
# The default is to use the value in the [server] section.
|
|
tls_verify = true
|
|
|
|
# Whether to verify the relay's certificate for TLS connections.
|
|
# The default is to use the value in the [server] section.
|
|
tls_checkpeer = false
|
|
|
|
# Path to a certificate authority bundle file in PEM format to use
|
|
# instead of the system's default certificate authority database.
|
|
# The default is to use the value in the [server] section.
|
|
tls_cacert = regress/logsrvd_conf/cacert.pem
|
|
|
|
# Path to the server's certificate file in PEM format.
|
|
# The default is to use the certificate in the [server] section.
|
|
tls_cert = regress/logsrvd_conf/logsrvd_cert.pem
|
|
|
|
# Path to the server's private key file in PEM format.
|
|
# The default is to use the key in the [server] section.
|
|
tls_key = regress/logsrvd_conf/logsrvd_key.pem
|
|
|
|
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
|
|
# this setting is only effective if the negotiated protocol is TLS version
|
|
# 1.2. The default is to use the value in the [server] section.
|
|
tls_ciphers_v12 = HIGH:!aNULL
|
|
|
|
# TLS cipher list if the negotiated protocol is TLS version 1.3.
|
|
# The default is to use the value in the [server] section.
|
|
tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
|
|
|
|
# Path to the Diffie-Hellman parameter file in PEM format.
|
|
# The default is to use the value in the [server] section.
|
|
tls_dhparams = regress/logsrvd_conf/logsrvd_dhparams.pem
|
|
|
|
[iolog]
|
|
# The top-level directory to use when constructing the path name for the
|
|
# I/O log directory. The session sequence number, if any, is stored here.
|
|
iolog_dir = /var/log/sudo-io
|
|
|
|
# The path name, relative to iolog_dir, in which to store I/O logs.
|
|
# It is possible for iolog_file to contain directory components.
|
|
iolog_file = %{seq}
|
|
|
|
# If set, I/O logs will be compressed using zlib. Enabling compression can
|
|
# make it harder to view the logs in real-time as the program is executing.
|
|
iolog_compress = false
|
|
|
|
# If set, I/O log data is flushed to disk after each write instead of
|
|
# buffering it. This makes it possible to view the logs in real-time
|
|
# as the program is executing but reduces the effectiveness of compression.
|
|
iolog_flush = true
|
|
|
|
# The group to use when creating new I/O log files and directories.
|
|
# If iolog_group is not set, the primary group-ID of the user specified
|
|
# by iolog_user is used. If neither iolog_group nor iolog_user
|
|
# are set, I/O log files and directories are created with group-ID 0.
|
|
#iolog_group = wheel
|
|
|
|
# The user to use when setting the user-ID and group-ID of new I/O
|
|
# log files and directories. If iolog_group is set, it will be used
|
|
# instead of the user's primary group-ID. By default, I/O log files
|
|
# and directories are created with user and group-ID 0.
|
|
#iolog_user = root
|
|
|
|
# The file mode to use when creating I/O log files. The file permissions
|
|
# will always include the owner read and write bits, even if they are
|
|
# not present in the specified mode. When creating I/O log directories,
|
|
# search (execute) bits are added to match the read and write bits
|
|
# specified by iolog_mode.
|
|
iolog_mode = 0600
|
|
|
|
# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
|
|
# password in the terminal input using passprompt_regex.
|
|
log_passwords = true
|
|
|
|
# The maximum sequence number that will be substituted for the "%{seq}"
|
|
# escape in the I/O log file. While the value substituted for "%{seq}"
|
|
# is in base 36, maxseq itself should be expressed in decimal. Values
|
|
# larger than 2176782336 (which corresponds to the base 36 sequence
|
|
# number "ZZZZZZ") will be silently truncated to 2176782336.
|
|
maxseq = 2176782336
|
|
|
|
# One or more POSIX extended regular expressions used to match
|
|
# password prompts in the terminal output when log_passwords is
|
|
# disabled. Multiple passprompt_regex settings may be specified.
|
|
#passprompt_regex = [Pp]assword[: ]*
|
|
passprompt_regex = [Pp]assword for [a-z0-9]+: *
|
|
|
|
[eventlog]
|
|
# Where to log accept, reject, exit, and alert events.
|
|
# Accepted values are syslog, logfile, or none.
|
|
# Defaults to syslog
|
|
log_type = none
|
|
|
|
# Whether to log an event when a command exits or is terminated by a signal.
|
|
# Defaults to false
|
|
log_exit = true
|
|
|
|
# Event log format.
|
|
# Supported log formats are "sudo" and "json"
|
|
# Defaults to sudo
|
|
log_format = json
|
|
|
|
[syslog]
|
|
# The maximum length of a syslog payload.
|
|
# On many systems, syslog(3) has a relatively small log buffer.
|
|
# IETF RFC 5424 states that syslog servers must support messages
|
|
# of at least 480 bytes and should support messages up to 2048 bytes.
|
|
# Messages larger than this value will be split into multiple messages.
|
|
maxlen = 960
|
|
|
|
# The syslog facility to use for event log messages.
|
|
# The following syslog facilities are supported: authpriv (if your OS
|
|
# supports it), auth, daemon, user, local0, local1, local2, local3,
|
|
# local4, local5, local6, and local7.
|
|
#facility = authpriv
|
|
facility = daemon
|
|
|
|
# Syslog priority to use for event log accept messages, when the command
|
|
# is allowed by the security policy. The following syslog priorities are
|
|
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
|
|
accept_priority = notice
|
|
|
|
# Syslog priority to use for event log reject messages, when the command
|
|
# is not allowed by the security policy.
|
|
reject_priority = alert
|
|
|
|
# Syslog priority to use for event log alert messages reported by the
|
|
# client.
|
|
alert_priority = alert
|
|
|
|
# The syslog facility to use for server warning messages.
|
|
# Defaults to daemon.
|
|
server_facility = daemon
|
|
|
|
[logfile]
|
|
# The path to the file-based event log.
|
|
# This path must be fully-qualified and start with a '/' character.
|
|
path = /var/log/sudo.log
|
|
|
|
# The format string used when formatting the date and time for
|
|
# file-based event logs. Formatting is performed via strftime(3) so
|
|
# any format string supported by that function is allowed.
|
|
time_format = %h %e %T
|