You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
160 lines
6.0 KiB
Plaintext
160 lines
6.0 KiB
Plaintext
2 years ago
|
#
|
||
|
# sudo logsrv configuration
|
||
|
#
|
||
|
|
||
|
[server]
|
||
|
# The host name or IP address and port to listen on with an optional TLS
|
||
|
# flag. If no port is specified, port 30343 will be used for plaintext
|
||
|
# connections and port 30344 will be used to TLS connections.
|
||
|
# The following forms are accepted:
|
||
|
# listen_address = hostname(tls)
|
||
|
# listen_address = hostname:port(tls)
|
||
|
# listen_address = IPv4_address(tls)
|
||
|
# listen_address = IPv4_address:port(tls)
|
||
|
# listen_address = [IPv6_address](tls)
|
||
|
# listen_address = [IPv6_address]:port(tls)
|
||
|
#
|
||
|
# The (tls) suffix should be omitted for plaintext connections.
|
||
|
#
|
||
|
# Multiple listen_address settings may be specified.
|
||
|
# The default is to listen on all addresses.
|
||
|
#listen_address = *:30343
|
||
|
#listen_address = *:30344(tls)
|
||
|
|
||
|
# The file containing the ID of the running sudo_logsrvd process.
|
||
|
#pid_file = /var/run/sudo/sudo_logsrvd.pid
|
||
|
|
||
|
# If set, enable the SO_KEEPALIVE socket option on the connected socket.
|
||
|
#tcp_keepalive = true
|
||
|
|
||
|
# The amount of time, in seconds, the server will wait for the client to
|
||
|
# respond. A value of 0 will disable the timeout. The default value is 30.
|
||
|
#timeout = 30
|
||
|
|
||
|
# If set, server certificate will be verified at server startup and
|
||
|
# also connecting clients will perform server authentication by
|
||
|
# verifying the server's certificate and identity.
|
||
|
#tls_verify = true
|
||
|
|
||
|
# Whether to verify client certificates for TLS connections.
|
||
|
# By default client certs are not checked.
|
||
|
#tls_checkpeer = false
|
||
|
|
||
|
# Path to the certificate authority bundle file in PEM format.
|
||
|
# Required if 'tls_verify' or 'tls_checkpeer' is set.
|
||
|
#tls_cacert = /etc/ssl/sudo/cacert.pem
|
||
|
|
||
|
# Path to the server's certificate file in PEM format.
|
||
|
# Required for TLS connections.
|
||
|
#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
|
||
|
|
||
|
# Path to the server's private key file in PEM format.
|
||
|
# Required for TLS connections.
|
||
|
#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
|
||
|
|
||
|
# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
|
||
|
# NOTE that this setting is only effective if the negotiated protocol
|
||
|
# is TLS version 1.2.
|
||
|
# The default cipher list is HIGH:!aNULL.
|
||
|
#tls_ciphers_v12 = HIGH:!aNULL
|
||
|
|
||
|
# TLS cipher list if the negotiated protocol is TLS version 1.3.
|
||
|
# The default cipher list is TLS_AES_256_GCM_SHA384.
|
||
|
#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
|
||
|
|
||
|
# Path to the Diffie-Hellman parameter file in PEM format.
|
||
|
# If not set, the server will use the OpenSSL defaults.
|
||
|
#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
|
||
|
|
||
|
[iolog]
|
||
|
# The top-level directory to use when constructing the path name for the
|
||
|
# I/O log directory. The session sequence number, if any, is stored here.
|
||
|
#iolog_dir = /var/log/sudo-io
|
||
|
|
||
|
# The path name, relative to iolog_dir, in which to store I/O logs.
|
||
|
# Note that iolog_file may contain directory components.
|
||
|
#iolog_file = %{seq}
|
||
|
|
||
|
# If set, I/O logs will be compressed using zlib. Enabling compression can
|
||
|
# make it harder to view the logs in real-time as the program is executing.
|
||
|
#iolog_compress = false
|
||
|
|
||
|
# If set, I/O log data is flushed to disk after each write instead of
|
||
|
# buffering it. This makes it possible to view the logs in real-time
|
||
|
# as the program is executing but reduces the effectiveness of compression.
|
||
|
#iolog_flush = true
|
||
|
|
||
|
# The group to use when creating new I/O log files and directories.
|
||
|
# If iolog_group is not set, the primary group-ID of the user specified
|
||
|
# by iolog_user is used. If neither iolog_group nor iolog_user
|
||
|
# are set, I/O log files and directories are created with group-ID 0.
|
||
|
#iolog_group = wheel
|
||
|
|
||
|
# The user to use when setting the user-ID and group-ID of new I/O
|
||
|
# log files and directories. If iolog_group is set, it will be used
|
||
|
# instead of the user's primary group-ID. By default, I/O log files
|
||
|
# and directories are created with user and group-ID 0.
|
||
|
#iolog_user = root
|
||
|
|
||
|
# The file mode to use when creating I/O log files. The file permissions
|
||
|
# will always include the owner read and write bits, even if they are
|
||
|
# not present in the specified mode. When creating I/O log directories,
|
||
|
# search (execute) bits are added to match the read and write bits
|
||
|
# specified by iolog_mode.
|
||
|
#iolog_mode = 0600
|
||
|
|
||
|
# The maximum sequence number that will be substituted for the "%{seq}"
|
||
|
# escape in the I/O log file. While the value substituted for "%{seq}"
|
||
|
# is in base 36, maxseq itself should be expressed in decimal. Values
|
||
|
# larger than 2176782336 (which corresponds to the base 36 sequence
|
||
|
# number "ZZZZZZ") will be silently truncated to 2176782336.
|
||
|
#maxseq = 2176782336
|
||
|
|
||
|
[eventlog]
|
||
|
# Where to log accept, reject and alert events.
|
||
|
# Accepted values are syslog, logfile, or none.
|
||
|
# Defaults to syslog
|
||
|
#log_type = syslog
|
||
|
|
||
|
# Event log format.
|
||
|
# Supported log formats are "sudo" and "json"
|
||
|
# Defaults to sudo
|
||
|
#log_format = sudo
|
||
|
|
||
|
[syslog]
|
||
|
# The maximum length of a syslog payload.
|
||
|
# On many systems, syslog(3) has a relatively small log buffer.
|
||
|
# IETF RFC 5424 states that syslog servers must support messages
|
||
|
# of at least 480 bytes and should support messages up to 2048 bytes.
|
||
|
# Messages larger than this value will be split into multiple messages.
|
||
|
#maxlen = 960
|
||
|
|
||
|
# The syslog facility to use for event log messages.
|
||
|
# The following syslog facilities are supported: authpriv (if your OS
|
||
|
# supports it), auth, daemon, user, local0, local1, local2, local3,
|
||
|
# local4, local5, local6, and local7.
|
||
|
#facility = authpriv
|
||
|
|
||
|
# Syslog priority to use for event log accept messages, when the command
|
||
|
# is allowed by the security policy. The following syslog priorities are
|
||
|
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
|
||
|
#accept_priority = notice
|
||
|
|
||
|
# Syslog priority to use for event log reject messages, when the command
|
||
|
# is not allowed by the security policy.
|
||
|
#reject_priority = alert
|
||
|
|
||
|
# Syslog priority to use for event log alert messages reported by the
|
||
|
# client.
|
||
|
#alert_priority = alert
|
||
|
|
||
|
[logfile]
|
||
|
# The path to the file-based event log.
|
||
|
# This path must be fully-qualified and start with a '/' character.
|
||
|
#path = /var/log/sudo
|
||
|
|
||
|
# The format string used when formatting the date and time for
|
||
|
# file-based event logs. Formatting is performed via strftime(3) so
|
||
|
# any format string supported by that function is allowed.
|
||
|
#time_format = %h %e %T
|