Hi Marc,

* Marc Haber <mh+debian-packa...@zugschlus.de> [240103 18:00]:

> Would it be very unfriendly to indeed suggest using stunnel instead of
> native SSL?

Not at all, that's why I mentioned it in the first place ;)

>  What is a motivation to use sudo_logsrvd instead of normal
> syslog?

Well... Because sudo_logsrvd can do much more than regular syslog.  With
regular logs you get very basic information:  Which user ran which
command as which other user.  And if your user does stuff like
"sudo /bin/bash" or "sudo su -" or so you will have trouble finding out
what they did. If you are unlucky, you will even find an empty shell
history.

That's when sudo's input output logging comes in handy.  If you set
LOG_INPUT and LOG_OUTPUT, sudo will basically create a screen capture.
You know the tool "script" to log the output of your console?  It is
similar.

And for these io logs, the log_srvd comes in handy.  Because if you want
to store these logs at a central location, regular syslog won't do.
That's why they came up with a dedicated server for sudo logs.  And as
these logs can contain confidential information, you want to transfer
them via tls.

Although that is IMHO a pretty cool feature, I grant you that it is a
limited use case and is not a very common scenario.  So if you don't
want to add openssl to make me happy, I will happily provide
configuration examples on how to achieve the same thing via stunnel.


With that in mind, coming back to:
> I was not aware of sudo_logsrvd at all, since that's a daemon, it should
> probably be in its own package (or disabled).

Yes, it is the daemon responsible for receiving and storing log files from
other hosts running sudo.  As most people will need it, it makes sense
to split it off.  However, if you do so, that package should IMHO use
ssl.  Because I can't think of a scenario where people would like to use
the log daemon without using ssl.  And here I think the simplicity of
direct ssl usage wins over the extra package stunnel.


Best regards,
  Alexander
