forked from HougeLangley/archzfs-iso
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
489 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
| # | ||
| # Default /etc/sudo.conf file | ||
| # | ||
| # Sudo plugins: | ||
| # Plugin plugin_name plugin_path plugin_options ... | ||
| # | ||
| # The plugin_path is relative to /usr/lib/sudo unless | ||
| # fully qualified. | ||
| # The plugin_name corresponds to a global symbol in the plugin | ||
| # that contains the plugin interface structure. | ||
| # The plugin_options are optional. | ||
| # | ||
| # The sudoers plugin is used by default if no Plugin lines are present. | ||
| #Plugin sudoers_policy sudoers.so | ||
| #Plugin sudoers_io sudoers.so | ||
| #Plugin sudoers_audit sudoers.so | ||
|
|
||
| # | ||
| # Sudo askpass: | ||
| # Path askpass /path/to/askpass | ||
| # | ||
| # An askpass helper program may be specified to provide a graphical | ||
| # password prompt for "sudo -A" support. Sudo does not ship with its | ||
| # own askpass program but can use the OpenSSH askpass. | ||
| # | ||
| # Use the OpenSSH askpass | ||
| #Path askpass /usr/X11R6/bin/ssh-askpass | ||
| # | ||
| # Use the Gnome OpenSSH askpass | ||
| #Path askpass /usr/libexec/openssh/gnome-ssh-askpass | ||
|
|
||
| # | ||
| # Sudo device search path: | ||
| # Path devsearch /dev/path1:/dev/path2:/dev | ||
| # | ||
| # A colon-separated list of paths to check when searching for a user's | ||
| # terminal device. | ||
| # | ||
| #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev | ||
|
|
||
| # | ||
| # Sudo command interception: | ||
| # Path intercept /path/to/sudo_intercept.so | ||
| # | ||
| # Path to a shared library containing replacements for the execv(), | ||
| # execve() and fexecve() library functions that perform a policy check | ||
| # to verify the command is allowed and simply return an error if not. | ||
| # This is used to implement the "intercept" functionality on systems that | ||
| # support LD_PRELOAD or its equivalent. | ||
| # | ||
| # The compiled-in value is usually sufficient and should only be changed | ||
| # if you rename or move the sudo_intercept.so file. | ||
| # | ||
| #Path intercept /usr/lib/sudo/sudo_intercept.so | ||
|
|
||
| # | ||
| # Sudo noexec: | ||
| # Path noexec /path/to/sudo_noexec.so | ||
| # | ||
| # Path to a shared library containing replacements for the execv(), | ||
| # execve() and fexecve() library functions that just return an error. | ||
| # This is used to implement the "noexec" functionality on systems that | ||
| # support LD_PRELOAD or its equivalent. | ||
| # | ||
| # The compiled-in value is usually sufficient and should only be changed | ||
| # if you rename or move the sudo_noexec.so file. | ||
| # | ||
| #Path noexec /usr/lib/sudo/sudo_noexec.so | ||
|
|
||
| # | ||
| # Sudo plugin directory: | ||
| # Path plugin_dir /path/to/plugins | ||
| # | ||
| # The default directory to use when searching for plugins that are | ||
| # specified without a fully qualified path name. | ||
| # | ||
| #Path plugin_dir /usr/lib/sudo | ||
|
|
||
| # | ||
| # Sudo developer mode: | ||
| # Set developer_mode true|false | ||
| # | ||
| # Allow loading of plugins that are owned by non-root or are writable | ||
| # by "group" or "other". Should only be used during plugin development. | ||
| #Set developer_mode true | ||
|
|
||
| # | ||
| # Core dumps: | ||
| # Set disable_coredump true|false | ||
| # | ||
| # By default, sudo disables core dumps while it is executing (they | ||
| # are re-enabled for the command that is run). | ||
| # To aid in debugging sudo problems, you may wish to enable core | ||
| # dumps by setting "disable_coredump" to false. | ||
| # | ||
| #Set disable_coredump false | ||
|
|
||
| # | ||
| # User groups: | ||
| # Set group_source static|dynamic|adaptive | ||
| # | ||
| # Sudo passes the user's group list to the policy plugin. | ||
| # If the user is a member of the maximum number of groups (usually 16), | ||
| # sudo will query the group database directly to be sure to include | ||
| # the full list of groups. | ||
| # | ||
| # On some systems, this can be expensive so the behavior is configurable. | ||
| # The "group_source" setting has three possible values: | ||
| # static - use the user's list of groups returned by the kernel. | ||
| # dynamic - query the group database to find the list of groups. | ||
| # adaptive - if user is in less than the maximum number of groups. | ||
| # use the kernel list, else query the group database. | ||
| # | ||
| #Set group_source static | ||
|
|
||
| # | ||
| # Sudo interface probing: | ||
| # Set probe_interfaces true|false | ||
| # | ||
| # By default, sudo will probe the system's network interfaces and | ||
| # pass the IP address of each enabled interface to the policy plugin. | ||
| # On systems with a large number of virtual interfaces this may take | ||
| # a noticeable amount of time. | ||
| # | ||
| #Set probe_interfaces false | ||
|
|
||
| # | ||
| # Sudo debug files: | ||
| # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] | ||
| # | ||
| # Sudo and related programs support logging debug information to a file. | ||
| # The program is typically sudo, sudoers.so, sudoreplay, or visudo. | ||
| # | ||
| # Subsystems vary based on the program; "all" matches all subsystems. | ||
| # Priority may be crit, err, warn, notice, diag, info, trace, or debug. | ||
| # Multiple subsystem@priority may be specified, separated by a comma. | ||
| # | ||
| #Debug sudo /var/log/sudo_debug all@debug | ||
| #Debug sudoers.so /var/log/sudoers_debug all@debug |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,251 @@ | ||
| # | ||
| # sudo logsrv daemon configuration | ||
| # | ||
|
|
||
| [server] | ||
| # The host name or IP address and port to listen on with an optional TLS | ||
| # flag. If no port is specified, port 30343 will be used for plaintext | ||
| # connections and port 30344 will be used to TLS connections. | ||
| # The following forms are accepted: | ||
| # listen_address = hostname(tls) | ||
| # listen_address = hostname:port(tls) | ||
| # listen_address = IPv4_address(tls) | ||
| # listen_address = IPv4_address:port(tls) | ||
| # listen_address = [IPv6_address](tls) | ||
| # listen_address = [IPv6_address]:port(tls) | ||
| # | ||
| # The (tls) suffix should be omitted for plaintext connections. | ||
| # | ||
| # Multiple listen_address settings may be specified. | ||
| # The default is to listen on all addresses. | ||
| #listen_address = *:30343 | ||
| #listen_address = *:30344(tls) | ||
|
|
||
| # The file containing the ID of the running sudo_logsrvd process. | ||
| #pid_file = /run/sudo/sudo_logsrvd.pid | ||
|
|
||
| # Where to log server warnings: none, stderr, syslog, or a path name. | ||
| #server_log = syslog | ||
|
|
||
| # If true, enable the SO_KEEPALIVE socket option on client connections. | ||
| # Defaults to true. | ||
| #tcp_keepalive = true | ||
|
|
||
| # The amount of time, in seconds, the server will wait for the client to | ||
| # respond. A value of 0 will disable the timeout. The default value is 30. | ||
| #timeout = 30 | ||
|
|
||
| # If true, the server will validate its own certificate at startup. | ||
| # Defaults to true. | ||
| #tls_verify = true | ||
|
|
||
| # If true, client certificates will be validated by the server; | ||
| # clients without a valid certificate will be unable to connect. | ||
| # By default, client certs are not checked. | ||
| #tls_checkpeer = false | ||
|
|
||
| # Path to a certificate authority bundle file in PEM format to use | ||
| # instead of the system's default certificate authority database. | ||
| #tls_cacert = /etc/ssl/sudo/cacert.pem | ||
|
|
||
| # Path to the server's certificate file in PEM format. | ||
| # Required for TLS connections. | ||
| #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem | ||
|
|
||
| # Path to the server's private key file in PEM format. | ||
| # Required for TLS connections. | ||
| #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem | ||
|
|
||
| # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual). | ||
| # This setting is only effective if the negotiated protocol is TLS version | ||
| # 1.2. The default cipher list is HIGH:!aNULL. | ||
| #tls_ciphers_v12 = HIGH:!aNULL | ||
|
|
||
| # TLS cipher list if the negotiated protocol is TLS version 1.3. | ||
| # The default cipher list is TLS_AES_256_GCM_SHA384. | ||
| #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384 | ||
|
|
||
| # Path to the Diffie-Hellman parameter file in PEM format. | ||
| # If not set, the server will use the OpenSSL defaults. | ||
| #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem | ||
|
|
||
| [relay] | ||
| # The host name or IP address and port to send logs to in relay mode. | ||
| # The syntax is identical to listen_address with the exception of | ||
| # the wild card ('*') syntax. When this setting is enabled, logs will | ||
| # be relayed to the specified host instead of being stored locally. | ||
| # This setting is not enabled by default. | ||
| #relay_host = relayhost.dom.ain | ||
| #relay_host = relayhost.dom.ain(tls) | ||
|
|
||
| # The amount of time, in seconds, the server will wait for a connection | ||
| # to the relay server to complete. A value of 0 will disable the timeout. | ||
| # The default value is 30. | ||
| #connect_timeout = 30 | ||
|
|
||
| # The directory to store messages in before they are sent to the relay. | ||
| # Messages are stored in wire format. | ||
| # The default value is /var/log/sudo_logsrvd. | ||
| #relay_dir = /var/log/sudo_logsrvd | ||
|
|
||
| # The number of seconds to wait after a connection error before | ||
| # making a new attempt to forward a message to a relay host. | ||
| # The default value is 30. | ||
| #retry_interval = 30 | ||
|
|
||
| # Whether to store the log before relaying it. If true, enable store | ||
| # and forward mode. If false, the client connection is immediately | ||
| # relayed. Defaults to false. | ||
| #store_first = true | ||
|
|
||
| # If true, enable the SO_KEEPALIVE socket option on relay connections. | ||
| # Defaults to true. | ||
| #tcp_keepalive = true | ||
|
|
||
| # The amount of time, in seconds, the server will wait for the relay to | ||
| # respond. A value of 0 will disable the timeout. The default value is 30. | ||
| #timeout = 30 | ||
|
|
||
| # If true, the server's relay certificate will be verified at startup. | ||
| # The default is to use the value in the [server] section. | ||
| #tls_verify = true | ||
|
|
||
| # Whether to verify the relay's certificate for TLS connections. | ||
| # The default is to use the value in the [server] section. | ||
| #tls_checkpeer = false | ||
|
|
||
| # Path to a certificate authority bundle file in PEM format to use | ||
| # instead of the system's default certificate authority database. | ||
| # The default is to use the value in the [server] section. | ||
| #tls_cacert = /etc/ssl/sudo/cacert.pem | ||
|
|
||
| # Path to the server's certificate file in PEM format. | ||
| # The default is to use the certificate in the [server] section. | ||
| #tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem | ||
|
|
||
| # Path to the server's private key file in PEM format. | ||
| # The default is to use the key in the [server] section. | ||
| #tls_key = /etc/ssl/sudo/private/logsrvd_key.pem | ||
|
|
||
| # TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual). | ||
| # this setting is only effective if the negotiated protocol is TLS version | ||
| # 1.2. The default is to use the value in the [server] section. | ||
| #tls_ciphers_v12 = HIGH:!aNULL | ||
|
|
||
| # TLS cipher list if the negotiated protocol is TLS version 1.3. | ||
| # The default is to use the value in the [server] section. | ||
| #tls_ciphers_v13 = TLS_AES_256_GCM_SHA384 | ||
|
|
||
| # Path to the Diffie-Hellman parameter file in PEM format. | ||
| # The default is to use the value in the [server] section. | ||
| #tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem | ||
|
|
||
| [iolog] | ||
| # The top-level directory to use when constructing the path name for the | ||
| # I/O log directory. The session sequence number, if any, is stored here. | ||
| #iolog_dir = /var/log/sudo-io | ||
|
|
||
| # The path name, relative to iolog_dir, in which to store I/O logs. | ||
| # It is possible for iolog_file to contain directory components. | ||
| #iolog_file = %{seq} | ||
|
|
||
| # If set, I/O logs will be compressed using zlib. Enabling compression can | ||
| # make it harder to view the logs in real-time as the program is executing. | ||
| #iolog_compress = false | ||
|
|
||
| # If set, I/O log data is flushed to disk after each write instead of | ||
| # buffering it. This makes it possible to view the logs in real-time | ||
| # as the program is executing but reduces the effectiveness of compression. | ||
| #iolog_flush = true | ||
|
|
||
| # The group to use when creating new I/O log files and directories. | ||
| # If iolog_group is not set, the primary group-ID of the user specified | ||
| # by iolog_user is used. If neither iolog_group nor iolog_user | ||
| # are set, I/O log files and directories are created with group-ID 0. | ||
| #iolog_group = wheel | ||
|
|
||
| # The user to use when setting the user-ID and group-ID of new I/O | ||
| # log files and directories. If iolog_group is set, it will be used | ||
| # instead of the user's primary group-ID. By default, I/O log files | ||
| # and directories are created with user and group-ID 0. | ||
| #iolog_user = root | ||
|
|
||
| # The file mode to use when creating I/O log files. The file permissions | ||
| # will always include the owner read and write bits, even if they are | ||
| # not present in the specified mode. When creating I/O log directories, | ||
| # search (execute) bits are added to match the read and write bits | ||
| # specified by iolog_mode. | ||
| #iolog_mode = 0600 | ||
|
|
||
| # If disabled, sudo_logsrvd will attempt to avoid logging plaintext | ||
| # password in the terminal input using passprompt_regex. | ||
| #log_passwords = true | ||
|
|
||
| # The maximum sequence number that will be substituted for the "%{seq}" | ||
| # escape in the I/O log file. While the value substituted for "%{seq}" | ||
| # is in base 36, maxseq itself should be expressed in decimal. Values | ||
| # larger than 2176782336 (which corresponds to the base 36 sequence | ||
| # number "ZZZZZZ") will be silently truncated to 2176782336. | ||
| #maxseq = 2176782336 | ||
|
|
||
| # One or more POSIX extended regular expressions used to match | ||
| # password prompts in the terminal output when log_passwords is | ||
| # disabled. Multiple passprompt_regex settings may be specified. | ||
| #passprompt_regex = [Pp]assword[: ]* | ||
| #passprompt_regex = [Pp]assword for [a-z0-9]+: * | ||
|
|
||
| [eventlog] | ||
| # Where to log accept, reject, exit, and alert events. | ||
| # Accepted values are syslog, logfile, or none. | ||
| # Defaults to syslog | ||
| #log_type = syslog | ||
|
|
||
| # Whether to log an event when a command exits or is terminated by a signal. | ||
| # Defaults to false | ||
| #log_exit = true | ||
|
|
||
| # Event log format. | ||
| # Supported log formats are "sudo" and "json" | ||
| # Defaults to sudo | ||
| #log_format = sudo | ||
|
|
||
| [syslog] | ||
| # The maximum length of a syslog payload. | ||
| # On many systems, syslog(3) has a relatively small log buffer. | ||
| # IETF RFC 5424 states that syslog servers must support messages | ||
| # of at least 480 bytes and should support messages up to 2048 bytes. | ||
| # Messages larger than this value will be split into multiple messages. | ||
| #maxlen = 960 | ||
|
|
||
| # The syslog facility to use for event log messages. | ||
| # The following syslog facilities are supported: authpriv (if your OS | ||
| # supports it), auth, daemon, user, local0, local1, local2, local3, | ||
| # local4, local5, local6, and local7. | ||
| #facility = auth | ||
|
|
||
| # Syslog priority to use for event log accept messages, when the command | ||
| # is allowed by the security policy. The following syslog priorities are | ||
| # supported: alert, crit, debug, emerg, err, info, notice, warning, none. | ||
| #accept_priority = notice | ||
|
|
||
| # Syslog priority to use for event log reject messages, when the command | ||
| # is not allowed by the security policy. | ||
| #reject_priority = alert | ||
|
|
||
| # Syslog priority to use for event log alert messages reported by the | ||
| # client. | ||
| #alert_priority = alert | ||
|
|
||
| # The syslog facility to use for server warning messages. | ||
| # Defaults to daemon. | ||
| #server_facility = daemon | ||
|
|
||
| [logfile] | ||
| # The path to the file-based event log. | ||
| # This path must be fully-qualified and start with a '/' character. | ||
| #path = /var/log/sudo.log | ||
|
|
||
| # The format string used when formatting the date and time for | ||
| # file-based event logs. Formatting is performed via strftime(3) so | ||
| # any format string supported by that function is allowed. | ||
| #time_format = %h %e %T |
Oops, something went wrong.