mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00
Code Issues Releases Wiki Activity

Add manual pages for logsrvd and sendlog.

Browse Source
This commit is contained in:
Todd C. Miller 2019-10-24 20:04:32 -06:00
parent 66fc926959
commit b57054785f
12 changed files with 1760 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
MANIFEST
View File

@ -34,8 +34,14 @@ doc/sudo.conf.mdoc.in
doc/sudo.man.in doc/sudo.man.in
doc/sudo.man.in.sed doc/sudo.man.in.sed
doc/sudo.mdoc.in doc/sudo.mdoc.in
doc/sudo_logsrvd.man.in
doc/sudo_logsrvd.mdoc.in
doc/sudo_logsrvd.conf.man.in
doc/sudo_logsrvd.conf.mdoc.in
doc/sudo_plugin.man.in doc/sudo_plugin.man.in
doc/sudo_plugin.mdoc.in doc/sudo_plugin.mdoc.in
doc/sudo_sendlog.man.in
doc/sudo_sendlog.mdoc.in
doc/sudoers.ldap.man.in doc/sudoers.ldap.man.in
doc/sudoers.ldap.mdoc.in doc/sudoers.ldap.mdoc.in
doc/sudoers.man.in doc/sudoers.man.in

40
configure vendored
View File

@ -766,6 +766,7 @@ NOEXECFILE
mansrcdir mansrcdir
mansectform mansectform
mansectsu mansectsu
logpath
devdir devdir
SEMAN SEMAN
PSMAN PSMAN
@ -3079,6 +3080,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
# #
@ -25794,37 +25796,23 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for log file location" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for log file location" >&5
$as_echo_n "checking for log file location... " >&6; } $as_echo_n "checking for log file location... " >&6; }
if test -n "$with_logpath"; then if test -n "$with_logpath"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_logpath" >&5 logpath="$with_logpath"
$as_echo "$with_logpath" >&6; }
cat >>confdefs.h <<EOF
#define _PATH_SUDO_LOGFILE "$with_logpath"
EOF
elif test -d "/var/log"; then elif test -d "/var/log"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: /var/log/sudo.log" >&5 logpath="/var/log/sudo.log"
$as_echo "/var/log/sudo.log" >&6; }
cat >>confdefs.h <<\EOF
#define _PATH_SUDO_LOGFILE "/var/log/sudo.log"
EOF
elif test -d "/var/adm"; then elif test -d "/var/adm"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: /var/adm/sudo.log" >&5 logpath="/var/adm/sudo.log"
$as_echo "/var/adm/sudo.log" >&6; }
cat >>confdefs.h <<\EOF
#define _PATH_SUDO_LOGFILE "/var/adm/sudo.log"
EOF
elif test -d "/usr/adm"; then elif test -d "/usr/adm"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/adm/sudo.log" >&5 logpath="/usr/adm/sudo.log"
$as_echo "/usr/adm/sudo.log" >&6; } else
cat >>confdefs.h <<\EOF # Assume a modern system
#define _PATH_SUDO_LOGFILE "/usr/adm/sudo.log" logpath="/var/log/sudo.log"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $logpath" >&5
$as_echo "$logpath" >&6; }
cat >>confdefs.h <<EOF
#define _PATH_SUDO_LOGFILE "$logpath"
EOF EOF
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
$as_echo "unknown" >&6; }
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sudo run dir location" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sudo run dir location" >&5
$as_echo_n "checking for sudo run dir location... " >&6; } $as_echo_n "checking for sudo run dir location... " >&6; }

1
configure.ac
View File

@ -70,6 +70,7 @@ AC_SUBST([LCMAN])
AC_SUBST([PSMAN]) AC_SUBST([PSMAN])
AC_SUBST([SEMAN]) AC_SUBST([SEMAN])
AC_SUBST([devdir]) AC_SUBST([devdir])
AC_SUBST([logpath])
AC_SUBST([mansectsu]) AC_SUBST([mansectsu])
AC_SUBST([mansectform]) AC_SUBST([mansectform])
AC_SUBST([mansrcdir]) AC_SUBST([mansrcdir])

59
doc/Makefile.in
View File

@ -71,13 +71,18 @@ DEVEL = @DEVEL@
SHELL = @SHELL@ SHELL = @SHELL@
DOCS = $(mansrcdir)/cvtsudoers.$(mantype) $(mansrcdir)/sudo.$(mantype) \ DOCS = $(mansrcdir)/cvtsudoers.$(mantype) $(mansrcdir)/sudo.$(mantype) \
$(mansrcdir)/sudo.conf.$(mantype) $(mansrcdir)/sudo_plugin.$(mantype) \ $(mansrcdir)/sudo.conf.$(mantype) $(mansrcdir)/sudo_logsrvd.$(mantype) \
$(mansrcdir)/sudo_logsrvd.conf.$(mantype) \
$(mansrcdir)/sudo_plugin.$(mantype) \
$(mansrcdir)/sudo_sendlog.$(mantype) \
$(mansrcdir)/sudoers.$(mantype) $(mansrcdir)/sudoers.ldap.$(mantype) \ $(mansrcdir)/sudoers.$(mantype) $(mansrcdir)/sudoers.ldap.$(mantype) \
$(mansrcdir)/sudoers_timestamp.$(mantype) \ $(mansrcdir)/sudoers_timestamp.$(mantype) \
$(mansrcdir)/sudoreplay.$(mantype) $(mansrcdir)/visudo.$(mantype) $(mansrcdir)/sudoreplay.$(mantype) $(mansrcdir)/visudo.$(mantype)
DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \ DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \
$(srcdir)/sudo.man.in $(srcdir)/sudo_plugin.man.in \ $(srcdir)/sudo.man.in $(srcdir)/sudo_logsrvd.man.in \
$(srcdir)/sudo_logsrvd.conf.man.in \
$(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_sendlog.man.in \
$(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.man.in \ $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.man.in \
$(srcdir)/sudoers_timestamp.man.in $(srcdir)/sudoreplay.man.in \ $(srcdir)/sudoers_timestamp.man.in $(srcdir)/sudoreplay.man.in \
$(srcdir)/visudo.man.in $(srcdir)/visudo.man.in
@ -241,6 +246,34 @@ $(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.
$(mansrcdir)/sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in $(mansrcdir)/sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
$(srcdir)/sudo_logsrvd.man.in: $(srcdir)/sudo_logsrvd.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
$(mansrcdir)/sudo_logsrvd.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.man.in | $(SED) -f fixman.sed > $@
$(mansrcdir)/sudo_logsrvd.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
$(srcdir)/sudo_logsrvd.conf.man.in: $(srcdir)/sudo_logsrvd.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_logsrvd.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_LOGSRVD.CONF" \)"5"\(.*\)/\1"'$$mansectform'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(5)/($$mansectform)/g" > $@; \
fi
$(mansrcdir)/sudo_logsrvd.conf.man: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_logsrvd.conf.man.in | $(SED) -f fixman.sed > $@
$(mansrcdir)/sudo_logsrvd.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_logsrvd.conf.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in $(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
@ -255,6 +288,20 @@ $(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugi
$(mansrcdir)/sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in $(mansrcdir)/sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
$(srcdir)/sudo_sendlog.man.in: $(srcdir)/sudo_sendlog.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
$(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_sendlog.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_SENDLOG" \)"8"\(.*\)/\1"'$$mansectsu'"\2/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \
fi
$(mansrcdir)/sudo_sendlog.man: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.man.in fixman.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_sendlog.man.in | $(SED) -f fixman.sed > $@
$(mansrcdir)/sudo_sendlog.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_sendlog.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
pre-install: pre-install:
install: install-doc install: install-doc
@ -272,15 +319,18 @@ install-doc: install-dirs
@LDAP@for f in $(OTHER_DOCS_LDAP); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(docdir); done @LDAP@for f in $(OTHER_DOCS_LDAP); do $(INSTALL) $(INSTALL_OWNER) -m 0644 $$f $(DESTDIR)$(docdir); done
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/cvtsudoers.$(mantype) $(DESTDIR)$(mandirexe)/cvtsudoers.1 $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/cvtsudoers.$(mantype) $(DESTDIR)$(mandirexe)/cvtsudoers.1
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_logsrvd.$(mantype) $(DESTDIR)$(mandirsu)/sudo_logsrvd.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_sendlog.$(mantype) $(DESTDIR)$(mandirsu)/sudo_sendlog.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudo_logsrvd.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers_timestamp.$(mantype) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) $(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers_timestamp.$(mantype) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
@LDAP@$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) @LDAP@$(INSTALL) $(INSTALL_OWNER) -m 0644 $(mansrcdir)/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@if test -n "$(MANCOMPRESS)"; then \ @if test -n "$(MANCOMPRESS)"; then \
for f in $(mandirexe)/cvtsudoers.1 $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers_timestamp.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \ for f in $(mandirexe)/cvtsudoers.1 $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_logsrvd.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudo_sendlog.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudo_logsrvd.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers_timestamp.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
if test -f $(DESTDIR)$$f; then \ if test -f $(DESTDIR)$$f; then \
echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \ echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \
$(MANCOMPRESS) -f $(DESTDIR)$$f; \ $(MANCOMPRESS) -f $(DESTDIR)$$f; \
@ -302,10 +352,13 @@ uninstall:
-rm -f $(DESTDIR)$(mandirexe)/cvtsudoers.1 \ -rm -f $(DESTDIR)$(mandirexe)/cvtsudoers.1 \
$(DESTDIR)$(mandirsu)/sudo.$(mansectsu) \ $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) \ $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_logsrvd.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu) \ $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudo_sendlog.$(mansectsu) \
$(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \ $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudo_logsrvd.conf.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)

564
doc/sudo_logsrvd.conf.man.in Normal file
View File

@ -0,0 +1,564 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "October 3, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_logsrvd.conf\fR
\- configuration for sudo_logsrvd
.SH "DESCRIPTION"
The
\fBsudo_logsrvd.conf\fR
file is used to configure the
\fBsudo_logsrvd\fR
log server.
It uses an INI-style format made up of sections in square brackets and
\(lqkey = value\(rq
pairs specific to each section below the section name.
Depending on the key, values may be integers, booleans or strings.
Section and key names are not case sensitive, but values are.
.PP
The pound sign
(\(oq#\(cq)
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
Lines beginning with a semi-colon
(\(oq\&;\(cq)
are also ignored.
.PP
Long lines can be continued with a backslash
(\(oq\e\(cq)
as the last character on the line.
Note that leading white space is removed from the beginning of lines
even when the continuation character is used.
.PP
The
\fIEXAMPLES\fR
section contains a copy of the default
\fBsudo_logsrvd.conf\fR
file.
.PP
The following configuration sections are recognized:
.PP
.RS 6n
.PD 0
.TP 4n
\fB\(bu\fR
server
.TP 4n
\fB\(bu\fR
iolog
.TP 4n
\fB\(bu\fR
eventlog
.TP 4n
\fB\(bu\fR
syslog
.TP 4n
\fB\(bu\fR
logfile
.RE
.PD
.PP
Each section is described in detail below.
.SS "server"
The
\fIserver\fR
section configures the address and port the server will listen on.
The following keys are recognized:
.TP 10n
listen_address = host[:port]
The host name or IP address and optional port to listen on.
If no port is specified, port 30344 will be used.
The host may be a host name, an IPv4 address, an IPv6 address
in square brackets or the wild card entry
\(oq*\(cq.
A host setting of
\(oq*\(cq
will cause
\fBsudo_logsrvd\fR
to listen on all configured network interfaces.
.sp
If a port is specified, it may either be a port number or a known
service name as defined by the system service name database.
The default value is
\fRlisten_address = *:30344\fR
which will listen on all configured network interfaces.
Multiple
\fIlisten_address\fR
lines may be specified to listen on more than one interface.
.SS "iolog"
The
\fIiolog\fR
section configures I/O log parameters.
These settings are identical to the I/O configuration in
sudoers(@mansectform@).
The following keys are recognized:
.TP 10n
iolog_compress = boolean
If set, I/O logs will be compressed using
\fBzlib\fR.
Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering.
The default value is
\fRfalse\fR.
.TP 10n
iolog_dir = path
The top-level directory to use when constructing the path
name for the I/O log directory.
The session sequence number, if any, is stored in the directory.
The default value is
\fI@iolog_dir@\fR.
.sp
The following percent
(\(oq%\(cq)
escape sequences are supported:
.PP
.RS 10n
.PD 0
.TP 6n
\fR%{seq}\fR
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.,
\fI01/00/A5\fR
.PD
.TP 6n
\fR%{user}\fR
expanded to the invoking user's login name
.TP 6n
\fR%{group}\fR
expanded to the name of the invoking user's real group-ID
.TP 6n
\fR%{runas_user}\fR
expanded to the login name of the user the command will
be run as (e.g., root)
.TP 6n
\fR%{runas_group}\fR
expanded to the group name of the user the command will
be run as (e.g., wheel)
.TP 6n
\fR%{hostname}\fR
expanded to the local host name without the domain name
.TP 6n
\fR%{command}\fR
expanded to the base name of the command being run
.PP
In addition, any escape sequences supported by the system's
strftime(3)
function will be expanded.
.sp
To include a literal
\(oq%\(cq
character, the string
\(oq%%\(cq
should be used.
.RE
.TP 10n
iolog_file = path
The path name, relative to
\fIiolog_dir\fR,
in which to store I/O logs.
Note that
\fIiolog_file\fR
may contain directory components.
The default value is
\fR%{seq}\fR.
.sp
See the
\fIiolog_dir\fR
setting above for a list of supported percent
(\(oq%\(cq)
escape sequences.
.sp
In addition to the escape sequences, path names that end in six or
more
\fRX\fRs
will have the
\fRX\fRs
replaced with a unique combination of digits and letters, similar to the
mktemp(3)
function.
.sp
If the path created by concatenating
\fIiolog_dir\fR
and
\fIiolog_file\fR
already exists, the existing I/O log file will be truncated and
overwritten unless
\fIiolog_file\fR
ends in six or
more
\fRX\fRs.
.TP 10n
iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of
buffering it.
This makes it possible to view the logs in real-time as the program is
executing but may significantly reduce the effectiveness
of I/O log compression.
The default value is
\fRtrue\fR.
.TP 10n
iolog_group = name
The group name to look up when setting the group-ID on new I/O log
files and directories.
If
\fIiolog_group\fR
is not set,
the primary group-ID of the user specified by
\fIiolog_user is used.\fR
If neither
\fIiolog_group\fR
nor
\fIiolog_user\fR
are set, I/O log files and directories are created with group-ID 0.
.TP 10n
iolog_mode = mode
The file mode to use when creating I/O log files.
Mode bits for read and write permissions for owner, group or other
are honored, everything else is ignored.
The file permissions will always include the owner read and
write bits, even if they are not present in the specified mode.
When creating I/O log directories, search (execute) bits are added
to match the read and write bits specified by
\fIiolog_mode\fR.
The default value is
\fR0600\fR.
.TP 10n
iolog_user = name
The user name to look up when setting the owner of new
I/O log files and directories.
If
\fIiolog_group\fR
is set, it will be used instead of the user's primary group-ID.
By default, I/O log files and directories are created with user and
group-ID 0.
.TP 10n
maxseq = number
The maximum sequence number that will be substituted for the
\(lq\fR%{seq}\fR\(rq
escape in the I/O log file (see the
\fIiolog_dir\fR
description above for more information).
While the value substituted for
\(lq\fR%{seq}\fR\(rq
is in base 36,
\fImaxseq\fR
itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the
base 36 sequence number
\(lqZZZZZZ\(rq)
will be silently truncated to 2176782336.
The default value is 2176782336.
.SS "eventlog"
The
\fIeventlog\fR
section configures how (and if) security policy events are logged.
.TP 6n
log_type = string
Where to log accept, reject and alert events reported by the policy.
Supported values are
\fIsyslog\fR,
\fIlogfile\fR,
and
\fInone\fR.
The default value is
\fIsyslog\fR.
.TP 6n
log_format = string
The event log format.
Currently, only sudo-style event logs are supported.
Other log formats may be added in the future.
The default value is
\fIsudo\fR.
.SS "syslog"
The
\fIsyslog\fR
section configures how events are logged via
syslog(3).
.TP 6n
facility = string
Syslog facility if syslog is being used for logging.
Defaults to
\fR@logfac@\fR.
.sp
The following syslog facilities are supported:
\fBauthpriv\fR
(if your
OS supports it),
\fBauth\fR,
\fBdaemon\fR,
\fBuser\fR,
\fBlocal0\fR,
\fBlocal1\fR,
\fBlocal2\fR,
\fBlocal3\fR,
\fBlocal4\fR,
\fBlocal5\fR,
\fBlocal6\fR,
and
\fBlocal7\fR.
.TP 6n
accept_priority = string
Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to
\fR@goodpri@\fR.
.sp
The following syslog priorities are supported:
\fBalert\fR,
\fBcrit\fR,
\fBdebug\fR,
\fBemerg\fR,
\fBerr\fR,
\fBinfo\fR,
\fBnotice\fR,
\fBwarning\fR,
and
\fBnone\fR.
Setting it to a value of
\fBnone\fR
will disable logging of successful commands.
.TP 6n
reject_priority = string
Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to
\fR@badpri@\fR.
.sp
See
\fIaccept_priority\fR
for the list of supported syslog priorities.
.TP 6n
alert_priority = string
Syslog priority to use for event log alert messages received from the client.
Defaults to
\fR@badpri@\fR.
.sp
See
\fIaccept_priority\fR
for the list of supported syslog priorities.
.TP 6n
maxlen = number
On many systems,
syslog(3)
has a relatively small log buffer.
IETF RFC 5424 states that syslog servers must support messages of
at least 480 bytes and should support messages up to 2048 bytes.
By default,
\fBsudo_logsrvd\fR
creates log messages up to 980 bytes which corresponds to the
historic
BSD
syslog implementation which used a 1024 byte buffer
to store the message, date, hostname and program name.
.sp
To prevent syslog messages from being truncated,
\fBsudo_logsrvd\fR
will split up log messages that are larger than
\fImaxlen\fR
bytes.
When a message is split, additional parts will include the string
\(lq(command continued)\(rq
after the user name and before the continued command line arguments.
.SS "logfile"
The
\fIlogfile\fR
section consists of settings related to logging to a plain file
(not syslog).
.TP 6n
path = string
The path to the file-based event log.
This path must be fully-qualified and start with a
\(oq/\(cq
character.
The default value is
\fI@logpath@\fR.
.TP 6n
time_format = string
The string used when formatting the date and time for file-based event logs.
Formatting is performed via the system's
strftime(3)
function so any escape sequences supported by that function will be expanded.
The default value is
\(lq\fR%h %e %T\fR\(rq
which produces dates like
\(lqOct 3 07:15:24\(rq
in the C locale.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo_logsrvd.conf\fR
Sudo log server configuration file
.SH "EXAMPLES"
.nf
.RS 0n
#
# sudo logsrv configuration
#
[server]
# The host name or IP address and port to listen on. If no port is
# specified, port 30344 will be used.
# The following forms are accepted:
# listen_address = hostname
# listen_address = hostname:port
# listen_address = IPv4_address
# listen_address = IPv4_address:port
# listen_address = [IPv6_address]
# listen_address = [IPv6_address]:port
#
# Multiple listen_address settings may be specified.
# The default is to listen on all addresses.
#listen_address = *:30344
[iolog]
# The top-level directory to use when constructing the path name for the
# I/O log directory. The session sequence number, if any, is stored here.
#iolog_dir = /var/log/sudo-io
# The path name, relative to iolog_dir, in which to store I/O logs.
# Note that iolog_file may contain directory components.
#iolog_file = %{seq}
# If set, I/O logs will be compressed using zlib. Enabling compression can
# make it harder to view the logs in real-time as the program is executing.
#iolog_compress = false
# If set, I/O log data is flushed to disk after each write instead of
# buffering it. This makes it possible to view the logs in real-time
# as the program is executing but reduces the effectiveness of compression.
#iolog_flush = true
# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used. If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel
# The user to use when setting the user and group-IDs on new I/O log files
# and directories. If iolog_group is set, it will be used instead of the
# user's primary group-ID. By default, I/O log files and directories are
# created with user and group-ID 0.
#iolog_user = root
# The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are not
# present in the specified mode. When creating I/O log directories, search
# (execute) bits are added to match the read and write bits specified by
# iolog_mode.
#iolog_mode = 0600
# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence number
# "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336
[eventlog]
# Where to log accept, reject and alert events.
# Accepted values are syslog, logfile, or none.
# Defaults to syslog
#log_type = syslog
# Event log format.
# Currently only sudo-style event logs are supported.
#log_format = sudo
[syslog]
# The maximum length of a syslog payload.
# On many systems, syslog(3) has a relatively small log buffer.
# IETF RFC 5424 states that syslog servers must support messages
# of at least 480 bytes and should support messages up to 2048 bytes.
# Messages larger than this value will be split into multiple messages.
#maxlen = 960
# The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3, local4,
# local5, local6, and local7.
#facility = authpriv
# Syslog priority to use for event log accept messages, when the command
# is allowed by the security policy. The following syslog priorities are
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
#accept_priority = notice
# Syslog priority to use for event log reject messages, when the command
# is not allowed by the security policy.
#reject_priority = alert
# Syslog priority to use for event log alert messages reported by the client.
#alert_priority = alert
[logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = /var/log/sudo
# The format string used when formatting the date and time for
# file-based event logs. Formatting is performed via strftime(3) so
# any format string supported by that function is allowed.
#time_format = %h %e %T
.RE
.fi
.SH "SEE ALSO"
strftime(3),
sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo(8),
sudo_logsrvd(8)
.SH "HISTORY"
See the HISTORY file in the
\fBsudo\fR
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

536
doc/sudo_logsrvd.conf.mdoc.in Normal file
View File

@ -0,0 +1,536 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 3, 2019
.Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrvd.conf
.Nd configuration for sudo_logsrvd
.Sh DESCRIPTION
The
.Nm sudo_logsrvd.conf
file is used to configure the
.Nm sudo_logsrvd
log server.
It uses an INI-style format made up of sections in square brackets and
.Dq key = value
pairs specific to each section below the section name.
Depending on the key, values may be integers, booleans or strings.
Section and key names are not case sensitive, but values are.
.Pp
The pound sign
.Pq Ql #
is used to indicate a comment.
Both the comment character and any text after it, up to the end of
the line, are ignored.
Lines beginning with a semi-colon
.Pq Ql \&;
are also ignored.
.Pp
Long lines can be continued with a backslash
.Pq Ql \e
as the last character on the line.
Note that leading white space is removed from the beginning of lines
even when the continuation character is used.
.Pp
The
.Sx EXAMPLES
section contains a copy of the default
.Nm
file.
.Pp
The following configuration sections are recognized:
.Pp
.Bl -bullet -compact -offset indent
.It
server
.It
iolog
.It
eventlog
.It
syslog
.It
logfile
.El
.Pp
Each section is described in detail below.
.Ss server
The
.Em server
section configures the address and port the server will listen on.
The following keys are recognized:
.Bl -tag -width 8n
.It listen_address = host Ns Op : Ns port
The host name or IP address and optional port to listen on.
If no port is specified, port 30344 will be used.
The host may be a host name, an IPv4 address, an IPv6 address
in square brackets or the wild card entry
.Ql * .
A host setting of
.Ql *
will cause
.Nm sudo_logsrvd
to listen on all configured network interfaces.
.Pp
If a port is specified, it may either be a port number or a known
service name as defined by the system service name database.
The default value is
.Li listen_address = *:30344
which will listen on all configured network interfaces.
Multiple
.Em listen_address
lines may be specified to listen on more than one interface.
.El
.Ss iolog
The
.Em iolog
section configures I/O log parameters.
These settings are identical to the I/O configuration in
.Xr sudoers @mansectform@ .
The following keys are recognized:
.Bl -tag -width 8n
.It iolog_compress = boolean
If set, I/O logs will be compressed using
.Sy zlib .
Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering.
The default value is
.Li false .
.It iolog_dir = path
The top-level directory to use when constructing the path
name for the I/O log directory.
The session sequence number, if any, is stored in the directory.
The default value is
.Pa @iolog_dir@ .
.Pp
The following percent
.Pq Ql %
escape sequences are supported:
.Bl -tag -width 4n
.It Li %{seq}
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.,
.Pa 01/00/A5
.It Li %{user}
expanded to the invoking user's login name
.It Li %{group}
expanded to the name of the invoking user's real group-ID
.It Li %{runas_user}
expanded to the login name of the user the command will
be run as (e.g., root)
.It Li %{runas_group}
expanded to the group name of the user the command will
be run as (e.g., wheel)
.It Li %{hostname}
expanded to the local host name without the domain name
.It Li %{command}
expanded to the base name of the command being run
.El
.Pp
In addition, any escape sequences supported by the system's
.Xr strftime 3
function will be expanded.
.Pp
To include a literal
.Ql %
character, the string
.Ql %%
should be used.
.It iolog_file = path
The path name, relative to
.Em iolog_dir ,
in which to store I/O logs.
Note that
.Em iolog_file
may contain directory components.
The default value is
.Li %{seq} .
.Pp
See the
.Em iolog_dir
setting above for a list of supported percent
.Pq Ql %
escape sequences.
.Pp
In addition to the escape sequences, path names that end in six or
more
.Li X Ns s
will have the
.Li X Ns s
replaced with a unique combination of digits and letters, similar to the
.Xr mktemp 3
function.
.Pp
If the path created by concatenating
.Em iolog_dir
and
.Em iolog_file
already exists, the existing I/O log file will be truncated and
overwritten unless
.Em iolog_file
ends in six or
more
.Li X Ns s .
.It iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of
buffering it.
This makes it possible to view the logs in real-time as the program is
executing but may significantly reduce the effectiveness
of I/O log compression.
The default value is
.Li true .
.It iolog_group = name
The group name to look up when setting the group-ID on new I/O log
files and directories.
If
.Em iolog_group
is not set,
the primary group-ID of the user specified by
.Em iolog_user is used.
If neither
.Em iolog_group
nor
.Em iolog_user
are set, I/O log files and directories are created with group-ID 0.
.It iolog_mode = mode
The file mode to use when creating I/O log files.
Mode bits for read and write permissions for owner, group or other
are honored, everything else is ignored.
The file permissions will always include the owner read and
write bits, even if they are not present in the specified mode.
When creating I/O log directories, search (execute) bits are added
to match the read and write bits specified by
.Em iolog_mode .
The default value is
.Li 0600 .
.It iolog_user = name
The user name to look up when setting the owner of new
I/O log files and directories.
If
.Em iolog_group
is set, it will be used instead of the user's primary group-ID.
By default, I/O log files and directories are created with user and
group-ID 0.
.It maxseq = number
The maximum sequence number that will be substituted for the
.Dq Li %{seq}
escape in the I/O log file (see the
.Em iolog_dir
description above for more information).
While the value substituted for
.Dq Li %{seq}
is in base 36,
.Em maxseq
itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the
base 36 sequence number
.Dq ZZZZZZ )
will be silently truncated to 2176782336.
The default value is 2176782336.
.El
.Ss eventlog
The
.Em eventlog
section configures how (and if) security policy events are logged.
.Bl -tag -width 4n
.It log_type = string
Where to log accept, reject and alert events reported by the policy.
Supported values are
.Em syslog ,
.Em logfile ,
and
.Em none .
The default value is
.Em syslog .
.It log_format = string
The event log format.
Currently, only sudo-style event logs are supported.
Other log formats may be added in the future.
The default value is
.Em sudo .
.El
.Ss syslog
The
.Em syslog
section configures how events are logged via
.Xr syslog 3 .
.Bl -tag -width 4n
.It facility = string
Syslog facility if syslog is being used for logging.
Defaults to
.Li @logfac@ .
.Pp
The following syslog facilities are supported:
.Sy authpriv
(if your
OS supports it),
.Sy auth ,
.Sy daemon ,
.Sy user ,
.Sy local0 ,
.Sy local1 ,
.Sy local2 ,
.Sy local3 ,
.Sy local4 ,
.Sy local5 ,
.Sy local6 ,
and
.Sy local7 .
.It accept_priority = string
Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to
.Li @goodpri@ .
.Pp
The following syslog priorities are supported:
.Sy alert ,
.Sy crit ,
.Sy debug ,
.Sy emerg ,
.Sy err ,
.Sy info ,
.Sy notice ,
.Sy warning ,
and
.Sy none .
Setting it to a value of
.Sy none
will disable logging of successful commands.
.It reject_priority = string
Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to
.Li @badpri@ .
.Pp
See
.Em accept_priority
for the list of supported syslog priorities.
.It alert_priority = string
Syslog priority to use for event log alert messages received from the client.
Defaults to
.Li @badpri@ .
.Pp
See
.Em accept_priority
for the list of supported syslog priorities.
.It maxlen = number
On many systems,
.Xr syslog 3
has a relatively small log buffer.
IETF RFC 5424 states that syslog servers must support messages of
at least 480 bytes and should support messages up to 2048 bytes.
By default,
.Nm sudo_logsrvd
creates log messages up to 980 bytes which corresponds to the
historic
.Bx
syslog implementation which used a 1024 byte buffer
to store the message, date, hostname and program name.
.Pp
To prevent syslog messages from being truncated,
.Nm sudo_logsrvd
will split up log messages that are larger than
.Em maxlen
bytes.
When a message is split, additional parts will include the string
.Dq Pq command continued
after the user name and before the continued command line arguments.
.El
.Ss logfile
The
.Em logfile
section consists of settings related to logging to a plain file
(not syslog).
.Bl -tag -width 4n
.It path = string
The path to the file-based event log.
This path must be fully-qualified and start with a
.Sq /
character.
The default value is
.Pa @logpath@ .
.It time_format = string
The string used when formatting the date and time for file-based event logs.
Formatting is performed via the system's
.Xr strftime 3
function so any escape sequences supported by that function will be expanded.
The default value is
.Dq Li "%h %e %T"
which produces dates like
.Dq Oct 3 07:15:24
in the C locale.
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo_logsrvd.conf
Sudo log server configuration file
.El
.Sh EXAMPLES
.Bd -literal
#
# sudo logsrv configuration
#
[server]
# The host name or IP address and port to listen on. If no port is
# specified, port 30344 will be used.
# The following forms are accepted:
# listen_address = hostname
# listen_address = hostname:port
# listen_address = IPv4_address
# listen_address = IPv4_address:port
# listen_address = [IPv6_address]
# listen_address = [IPv6_address]:port
#
# Multiple listen_address settings may be specified.
# The default is to listen on all addresses.
#listen_address = *:30344
[iolog]
# The top-level directory to use when constructing the path name for the
# I/O log directory. The session sequence number, if any, is stored here.
#iolog_dir = /var/log/sudo-io
# The path name, relative to iolog_dir, in which to store I/O logs.
# Note that iolog_file may contain directory components.
#iolog_file = %{seq}
# If set, I/O logs will be compressed using zlib. Enabling compression can
# make it harder to view the logs in real-time as the program is executing.
#iolog_compress = false
# If set, I/O log data is flushed to disk after each write instead of
# buffering it. This makes it possible to view the logs in real-time
# as the program is executing but reduces the effectiveness of compression.
#iolog_flush = true
# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used. If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel
# The user to use when setting the user-ID and group-ID of new I/O log files
# and directories. If iolog_group is set, it will be used instead of the
# user's primary group-ID. By default, I/O log files and directories are
# created with user and group-ID 0.
#iolog_user = root
# The file mode to use when creating I/O log files. The file permissions
# will always include the owner read and write bits, even if they are not
# present in the specified mode. When creating I/O log directories, search
# (execute) bits are added to match the read and write bits specified by
# iolog_mode.
#iolog_mode = 0600
# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values
# larger than 2176782336 (which corresponds to the base 36 sequence number
# "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336
[eventlog]
# Where to log accept, reject and alert events.
# Accepted values are syslog, logfile, or none.
# Defaults to syslog
#log_type = syslog
# Event log format.
# Currently only sudo-style event logs are supported.
#log_format = sudo
[syslog]
# The maximum length of a syslog payload.
# On many systems, syslog(3) has a relatively small log buffer.
# IETF RFC 5424 states that syslog servers must support messages
# of at least 480 bytes and should support messages up to 2048 bytes.
# Messages larger than this value will be split into multiple messages.
#maxlen = 960
# The syslog facility to use for event log messages.
# The following syslog facilities are supported: authpriv (if your OS
# supports it), auth, daemon, user, local0, local1, local2, local3, local4,
# local5, local6, and local7.
#facility = authpriv
# Syslog priority to use for event log accept messages, when the command
# is allowed by the security policy. The following syslog priorities are
# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
#accept_priority = notice
# Syslog priority to use for event log reject messages, when the command
# is not allowed by the security policy.
#reject_priority = alert
# Syslog priority to use for event log alert messages reported by the client.
#alert_priority = alert
[logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = /var/log/sudo
# The format string used when formatting the date and time for
# file-based event logs. Formatting is performed via strftime(3) so
# any format string supported by that function is allowed.
#time_format = %h %e %T
.Ed
.Sh SEE ALSO
.Xr strftime 3 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Sh HISTORY
See the HISTORY file in the
.Nm sudo
distribution (https://www.sudo.ws/history.html) for a brief
history of sudo.
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm sudo
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

138
doc/sudo_logsrvd.man.in Normal file
View File

@ -0,0 +1,138 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD" "@mansectsu@" "October 3, 2019" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_logsrvd\fR
\- sudo event and I/O log server
.SH "SYNOPSIS"
.HP 13n
\fBsudo_logsrvd\fR
[\fB\-hnV\fR]
[\fB\-f\fR\ \fIfile\fR]
[\fB\-R\fR\ \fIpercentage\fR]
.SH "DESCRIPTION"
\fBsudo_logsrvd\fR
is a high-performance log server that accepts event and I/O logs from
\fBsudo\fR.
It can be used to implement centralized logging of
\fBsudo\fR
logs.
Event log entries may be logged either via
syslog(3)
or to a file.
I/O Logs created by
\fBsudo_logsrvd\fR
can be replayed via the
sudoreplay(@mansectsu@)
utility in the same way as logs generated directly by the
\fBsudoers\fR
plugin.
.PP
The options are as follows:
.TP 12n
\fB\-f\fR, \fB\--file\fR
Read configuration from
\fIfile\fR
instead of the default,
\fI@sysconfdir@/sudo_logsrvd.conf\fR.
.TP 12n
\fB\-h\fR, \fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-n\fR, \fB\--no-fork\fR
Run
\fBsudo_logsrvd\fR
in the the foreground instead of detaching from the terminal and becoming
a daemon.
.TP 12n
\fB\-R\fR, \fB\--random-drop\fR
For each message, there is a
\fIpercentage\fR
chance that the server will drop the connection.
This is only intended for debugging the ability of a
client to restart a connection.
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudo_logsrvd\fR
version and exit.
.PP
Configuration parameters for
\fBsudo_logsrvd\fR
may be set in the
sudo_logsrvd.conf(@mansectform@)
file.
.SS "Debugging sudo_logsrvd"
\fBsudo_logsrvd\fR
supports a flexible debugging framework that is configured via
\fRDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front end configuration
.TP 26n
\fI@sysconfdir@/sudo_logsrvd.conf\fR
Sudo log server configuration file
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@),
sudo_sendlog(@mansectsu@),
sudoreplay(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo_logsrvd\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo_logsrvd\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

132
doc/sudo_logsrvd.mdoc.in Normal file
View File

@ -0,0 +1,132 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 3, 2019
.Dt SUDO_LOGSRVD @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_logsrvd
.Nd sudo event and I/O log server
.Sh SYNOPSIS
.Nm sudo_logsrvd
.Op Fl hnV
.Op Fl f Ar file
.Op Fl R Ar percentage
.Sh DESCRIPTION
.Nm
is a high-performance log server that accepts event and I/O logs from
.Nm sudo .
It can be used to implement centralized logging of
.Nm sudo
logs.
Event log entries may be logged either via
.Xr syslog 3
or to a file.
I/O Logs created by
.Nm
can be replayed via the
.Xr sudoreplay @mansectsu@
utility in the same way as logs generated directly by the
.Nm sudoers
plugin.
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl f , -file
Read configuration from
.Ar file
instead of the default,
.Pa @sysconfdir@/sudo_logsrvd.conf .
.It Fl h , -help
Display a short help message to the standard output and exit.
.It Fl n , -no-fork
Run
.Nm
in the foreground instead of detaching from the terminal and becoming
a daemon.
.It Fl R , -random-drop
For each message, there is a
.Ar percentage
chance that the server will drop the connection.
This is only intended for debugging the ability of a
client to restart a connection.
.It Fl V , -version
Print the
.Nm
version and exit.
.El
.Pp
Configuration parameters for
.Nm
may be set in the
.Xr sudo_logsrvd.conf @mansectform@
file.
.Ss Debugging sudo_logsrvd
.Nm
supports a flexible debugging framework that is configured via
.Li Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front end configuration
.It Pa @sysconfdir@/sudo_logsrvd.conf
Sudo log server configuration file
.El
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_sendlog @mansectsu@ ,
.Xr sudoreplay @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

139
doc/sudo_sendlog.man.in Normal file
View File

@ -0,0 +1,139 @@
.\" Automatically generated from an mdoc input file. Do not edit.
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_SENDLOG" "@mansectsu@" "October 3, 2019" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudo_sendlog\fR
\- send sudo I/O log to log server
.SH "SYNOPSIS"
.HP 13n
\fBsudo_sendlog\fR
[\fB\-V\fR]
[\fB\-h\fR\ \fIhost\fR]
[\fB\-i\fR\ \fIiolog-id\fR]
[\fB\-p\fR\ \fIport\fR]
[\fB\-r\fR\ \fIrestart-point\fR]
\fIpath\fR
.SH "DESCRIPTION"
\fBsudo_sendlog\fR
can be used to send the existing
\fBsudoers\fR
I/O log
\fIpath\fR
to a remote log server such as
sudo_logsrvd(@mansectsu@)
for central storage.
.PP
The options are as follows:
.TP 12n
\fB\--help\fR
Display a short help message to the standard output and exit.
.TP 12n
\fB\-h\fR, \fB\--host\fR
Connect to the specified
\fIhost\fR
instead of localhost.
.TP 12n
\fB\-i\fR, \fB\--iolog-id\fR
Use the specified
\fIiolog-id\fR
when restarting a log transfer.
The
\fIiolog-id\fR
is reported by the server when it creates the remote I/O log.
This option may only be used in conjunction with the
\fB\-r\fR
option.
.TP 12n
\fB\-p\fR, \fB\--port\fR
Use the specified network
\fIport\fR
when connecting to the log server instead of the
default, port 30344.
.TP 12n
\fB\-r\fR, \fB\--restart\fR
Restart an interrupted connection to the log server.
The specified
\fIrestart-point\fR
is used to tell the server the point in time at which to continue the log.
The
\fIrestart-point\fR
is specified in the form
\(lqseconds,nanoseconds\(rq
and is usually the last commit point received from the server.
The
\fB\-i\fR
option must also be specified when restarting a transfer.
.TP 12n
\fB\-V\fR, \fB\--version\fR
Print the
\fBsudo_sendlog\fR
version and exit.
.SS "Debugging sendlog"
\fBsudo_sendlog\fR
supports a flexible debugging framework that is configured via
\fRDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
Sudo front end configuration
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudo(@mansectsu@),
sudo_logsrvd(@mansectsu@)
.SH "AUTHORS"
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "BUGS"
If you feel you have found a bug in
\fBsudo_sendlog\fR,
please submit a bug report at https://bugzilla.sudo.ws/
.SH "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
\fBsudo_sendlog\fR
is provided
\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or https://www.sudo.ws/license.html for complete details.

133
doc/sudo_sendlog.mdoc.in Normal file
View File

@ -0,0 +1,133 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 3, 2019
.Dt SUDO_SENDLOG @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_sendlog
.Nd send sudo I/O log to log server
.Sh SYNOPSIS
.Nm sudo_sendlog
.Op Fl V
.Op Fl h Ar host
.Op Fl i Ar iolog-id
.Op Fl p Ar port
.Op Fl r Ar restart-point
.Ar path
.Sh DESCRIPTION
.Nm
can be used to send the existing
.Nm sudoers
I/O log
.Ar path
to a remote log server such as
.Xr sudo_logsrvd @mansectsu@
for central storage.
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl -help
Display a short help message to the standard output and exit.
.It Fl h , -host
Connect to the specified
.Ar host
instead of localhost.
.It Fl i , -iolog-id
Use the specified
.Ar iolog-id
when restarting a log transfer.
The
.Ar iolog-id
is reported by the server when it creates the remote I/O log.
This option may only be used in conjunction with the
.Fl r
option.
.It Fl p , -port
Use the specified network
.Ar port
when connecting to the log server instead of the
default, port 30344.
.It Fl r , -restart
Restart an interrupted connection to the log server.
The specified
.Ar restart-point
is used to tell the server the point in time at which to continue the log.
The
.Ar restart-point
is specified in the form
.Dq seconds,nanoseconds
and is usually the last commit point received from the server.
The
.Fl i
option must also be specified when restarting a transfer.
.It Fl V , -version
Print the
.Nm
version and exit.
.El
.Ss Debugging sendlog
.Nm
supports a flexible debugging framework that is configured via
.Li Debug
lines in the
.Xr sudo.conf @mansectform@
file.
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front end configuration
.El
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr sudo_logsrvd @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.An Todd C. Miller
.Ed
.Pp
See the CONTRIBUTORS file in the
.Nm sudo
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
.Nm sudo .
.Sh BUGS
If you feel you have found a bug in
.Nm ,
please submit a bug report at https://bugzilla.sudo.ws/
.Sh SUPPORT
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.Sh DISCLAIMER
.Nm
is provided
.Dq AS IS
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
.Nm sudo
or https://www.sudo.ws/license.html for complete details.

71
examples/sudo_logsrvd.conf
View File

@ -26,42 +26,39 @@
# Note that iolog_file may contain directory components. # Note that iolog_file may contain directory components.
#iolog_file = %{seq} #iolog_file = %{seq}
# If set, I/O log data is flushed to disk after each write instead of
# buffering it. This makes it possible to view the logs in real-time
# as the program is executing but may significantly reduce the effectiveness
# of I/O log compression.
#iolog_flush = true
# If set, I/O logs will be compressed using zlib. Enabling compression can # If set, I/O logs will be compressed using zlib. Enabling compression can
# make it harder to view the logs in real-time as the program is executing. # make it harder to view the logs in real-time as the program is executing.
#iolog_compress = false #iolog_compress = false
# The group name to look up when setting the group-ID on new I/O log files # If set, I/O log data is flushed to disk after each write instead of
# and directories. If iolog_group is not set, the primary group-ID of the # buffering it. This makes it possible to view the logs in real-time
# user specified by iolog_user is used. If neither iolog_group nor iolog_user # as the program is executing but reduces the effectiveness of compression.
#iolog_flush = true
# The group to use when creating new I/O log files and directories.
# If iolog_group is not set, the primary group-ID of the user specified
# by iolog_user is used. If neither iolog_group nor iolog_user
# are set, I/O log files and directories are created with group-ID 0. # are set, I/O log files and directories are created with group-ID 0.
#iolog_group = wheel #iolog_group = wheel
# The user name to look up when setting the user and group-IDs on new I/O # The user to use when setting the user-ID and group-ID of new I/O log files
# log files and directories. If iolog_group is set, it will be used instead # and directories. If iolog_group is set, it will be used instead of the
# of the user's primary group-ID. By default, I/O log files and directories # user's primary group-ID. By default, I/O log files and directories are
# are created with user and group-ID 0. # created with user and group-ID 0.
#iolog_user = root #iolog_user = root
# The file mode to use when creating I/O log files. Mode bits for read and # The file mode to use when creating I/O log files. The file permissions
# write permissions for owner, group or other are honored, everything else # will always include the owner read and write bits, even if they are not
# is ignored. The file permissions will always include the owner read and # present in the specified mode. When creating I/O log directories, search
# write bits, even if they are not present in the specified mode. When # (execute) bits are added to match the read and write bits specified by
# creating I/O log directories, search (execute) bits are added to match # iolog_mode.
# the read and write bits specified by iolog_mode.
#iolog_mode = 0600 #iolog_mode = 0600
# The maximum sequence number that will be substituted for the %{seq} # The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file (see the iolog_dir description below for # escape in the I/O log file. While the value substituted for "%{seq}"
# more information). While the value substituted for %{seq} is in # is in base 36, maxseq itself should be expressed in decimal. Values
# base 36, maxseq itself should be expressed in decimal. Values larger # larger than 2176782336 (which corresponds to the base 36 sequence number
# than 2176782336 (which corresponds to the base 36 sequence number # "ZZZZZZ") will be silently truncated to 2176782336.
# ZZZZZZ) will be silently truncated to 2176782336.
#maxseq = 2176782336 #maxseq = 2176782336
[eventlog] [eventlog]
@ -71,7 +68,7 @@
#log_type = syslog #log_type = syslog
# Event log format. # Event log format.
# Currently only supports sudo-style event logs. # Currently only sudo-style event logs are supported.
#log_format = sudo #log_format = sudo
[syslog] [syslog]
@ -88,26 +85,24 @@
# local5, local6, and local7. # local5, local6, and local7.
#facility = authpriv #facility = authpriv
# The syslog priority to use for event log accept messages, when # Syslog priority to use for event log accept messages, when the command
# the command is allowed by the security policy. The following syslog # is allowed by the security policy. The following syslog priorities are
# priorities are supported: alert, crit, debug, emerg, err, info, # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
# notice, warning, and none.
#accept_priority = notice #accept_priority = notice
# The syslog priority to use for event log reject messages, when the # Syslog priority to use for event log reject messages, when the command
# command is not allowed by the security policy. # is not allowed by the security policy.
#reject_priority = alert #reject_priority = alert
# The syslog priority to use for event log alert messages reported # Syslog priority to use for event log alert messages reported by the client.
# by the security policy.
#alert_priority = alert #alert_priority = alert
[logfile] [logfile]
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = /var/log/sudo
# The format string used when formatting the date and time for # The format string used when formatting the date and time for
# file-based event logs. Formatting is performed via strftime(3) so # file-based event logs. Formatting is performed via strftime(3) so
# any format string supported by that function is allowed. # any format string supported by that function is allowed.
#time_format = %h %e %T #time_format = %h %e %T
# The path to the file-based event log.
# This path must be fully-qualified and start with a '/' character.
#path = /var/log/sudo

17
m4/sudo.m4
View File

@ -80,20 +80,19 @@ dnl Where the log file goes, use /var/log if it exists, else /{var,usr}/adm
dnl dnl
AC_DEFUN([SUDO_LOGFILE], [AC_MSG_CHECKING(for log file location) AC_DEFUN([SUDO_LOGFILE], [AC_MSG_CHECKING(for log file location)
if test -n "$with_logpath"; then if test -n "$with_logpath"; then
AC_MSG_RESULT($with_logpath) logpath="$with_logpath"
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LOGFILE, "$with_logpath")
elif test -d "/var/log"; then elif test -d "/var/log"; then
AC_MSG_RESULT(/var/log/sudo.log) logpath="/var/log/sudo.log"
SUDO_DEFINE(_PATH_SUDO_LOGFILE, "/var/log/sudo.log")
elif test -d "/var/adm"; then elif test -d "/var/adm"; then
AC_MSG_RESULT(/var/adm/sudo.log) logpath="/var/adm/sudo.log"
SUDO_DEFINE(_PATH_SUDO_LOGFILE, "/var/adm/sudo.log")
elif test -d "/usr/adm"; then elif test -d "/usr/adm"; then
AC_MSG_RESULT(/usr/adm/sudo.log) logpath="/usr/adm/sudo.log"
SUDO_DEFINE(_PATH_SUDO_LOGFILE, "/usr/adm/sudo.log")
else else
AC_MSG_RESULT(unknown, you will have to set _PATH_SUDO_LOGFILE by hand) # Assume a modern system
logpath="/var/log/sudo.log"
fi fi
AC_MSG_RESULT($logpath)
SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LOGFILE, "$logpath")
])dnl ])dnl
dnl dnl