
easd-2.0.00-6mdv2011.0.x86_64.rpm

#############################################################################
# This is the easd server configuration file.
#
# Usage: key value
#  [ value ]		= optional value
#  { value }		= required value
#  [ value1 | value2 ]	= value1 OR value2 is optional
#  { value1 | value2 }	= value1 OR value2 is required
#
# Value: integer|string
#  integer	= 0 - 65536
#  string	= alpha-numeric string
#############################################################################

#############################################################################
# Section: TCP/IP
#############################################################################
# Usage: Port { value }
# Value: integer
# Default: 5554
# Description:	Which port to listen for new requests. 1 - 65536.
#############################################################################
# NOTE(review): the header above gives the range as 1 - 65536, but the highest
# valid TCP port is 65535 -- confirm how easd treats 65536.
# NOTE(review): 5554 is the documented default; limit access to this port
# (firewall / network ACL) to the hosts that are expected to connect.
Port 5554

#############################################################################
# Syntax: KeepAlive { value }
# Value: yes | no
# Default: yes
# Description:	Specifies whether the daemon should send TCP keepalive
#		packets to the client.
#############################################################################
# Set explicitly to the documented default.
# NOTE(review): keepalive probes are TCP-level and are not client input or
# output, so presumably they do not reset IdleTimeout -- confirm.
KeepAlive yes

#############################################################################
# Section: Event Notification
#############################################################################
# Usage: NotificationHook { value }
# Value: string
# Default: disabled
# Description:	Specify an executable to be called when a user has connected
#		and authenticated to the server.  This executable will be
#		forked into the background and a clean environment will be
#		set with the following environment variables set:
#
#		EASH_EFFECTIVE_GID	- effective gid
#		EASH_EFFECTIVE_GR_NAME	- effective group name
#		EASH_EFFECTIVE_PW_NAME	- effective username
#		EASH_EFFECTIVE_UID	- effective uid
#		EASH_ID			- EAS Audit ID (eas_replay)
#		EASH_IP			- remote IP address
#		EASH_ORIGINAL_GID	- original gid
#		EASH_ORIGINAL_GR_NAME	- original group name
#		EASH_ORIGINAL_PW_NAME	- original username
#		EASH_ORIGINAL_UID	- original uid
#		EASH_REAL_GID		- real gid
#		EASH_REAL_GR_NAME	- real group name
#		EASH_REAL_PW_NAME	- real username
#		EASH_REAL_UID		- real uid
#		EASH_TERMINAL		- original terminal
#
# Note:		This is generally used to send email upon a connection.
#
# Example	#!/bin/sh
# script:	cat <<EOF | mailx -s "$EASH_ORIGINAL_PW_NAME opened a session"
#		$EASH_ORIGINAL_PW_NAME opened a session as
#		$EASH_EFFECTIVE_PW_NAME from $EASH_IP
#
#		To review this session type `eas_replay $EASH_ID'
#		EOF
#		exit 0
#		
#############################################################################
#NotificationHook /usr/libexec/custom_notification_script

#############################################################################
# Usage: HookFailureCritical { value }
# Value: yes | no
# Default: yes
# Description:	If the executable specified by NotificationHook returns a
#		non-zero exit code, or if it fails, EAS will terminate the
#		session.
#############################################################################
#HookFailureCritical yes

#############################################################################
# Usage: HookTimeout { value }
# Value: integer
# Default: 5
# Description:	Use this option to set a timeout on the NotificationHook.
#		Value is in seconds.  Legal values are 1 - 65536.
#############################################################################
#HookTimeout 5

#############################################################################
# Section: Digital Signatures
#############################################################################
# Usage: SignMode { value }
# Usage: SignOwner { value }
# Usage: SignInode { value }
# Usage: SignCtime { value }
# Usage: SignMtime { value }
#############################################################################
# Value: yes | no
#############################################################################
# Default: SignMode yes
# Default: SignOwner yes
# Default: SignInode no
# Default: SignCtime no
# Default: SignMtime no
#############################################################################
# Description:	This option will add the file's inode to the SHA1 signature.
#
# Special:	Once these options are set, previous audit logs are subject
#		to the terms of the strictness.  For example if you disable
#		this option all previous audit logs using this option will
#		not be verifiable through EAS Replay.
#
#		You must have a standard with these options and not change it
#		mid-stream.
#
# Note:		It's highly recommended that the default values not be
#		changed.  The default values represent high security and
#		integrity with the trade-off of being able to copy the audit
#		logs to a different log server.
#
# Option	SignMode	adds the file's permissions to the signature
# details:	SignOwner	adds the file's uid and gid to the signature
#		SignInode	adds the file's inode to the signature
#		SignCtime	adds the file's ctime to the signature
#				(the file's ctime is changed by writing or by
#				 setting inode information)
#					* owner
#					* group
#					* link count
#					* mode
#					* etc
#		SignMtime	adds the file's mtime to the signature
#				(the file's mtime is changed by file
#				 modifications)
#					* mknod(2)
#					* truncate(2)
#					* pipe(2)
#					* utime(2)
#					* write(2) (of more than zero bytes)
#				The mtime is not changed for changes in
#				owner, group, link count or mode.
#############################################################################
#SignMode yes
#SignOwner yes
#SignInode no
#SignCtime no
#SignMtime no

#############################################################################
# Section: EAS Server Configuration
#############################################################################
# Usage: PidFile { value }
# Value: string
# Default: /var/run/easd.pid
# Description:	This file will contain the process ID of the easd daemon.
#############################################################################
# NOTE(review): easd is configured to run as a named account rather than the
# default UID 0 (see User below); confirm the pid file is written before
# privileges are dropped, or that this path is writable by that account.
PidFile /var/run/easd.pid

#############################################################################
# Usage: SessionDirectory { value }
# Value: string
# Default: /var/log/easd
# Description:	This directory will store session output and timing
#		information.
#############################################################################
# NOTE(review): session output can contain anything displayed in an audited
# session, which may include secrets.  Keep this directory owned by the
# account named in User and not readable or writable by other local users.
# Presumably the Sign* options only make tampering detectable at replay time;
# they do not restrict who can read the logs -- confirm.
SessionDirectory /var/log/easd

#############################################################################
# Usage: User { value }
# Value: string | integer
# Default: 0
# Description:	Specify the name or UID of the user easd should run as.
#		Please note that the GID will be the default GID of the UID
#		provided.
#
# Special:	This value needs to be set before EAS Daemon is started for
#		the first time.  It can be changed at a later date under the
#		following conditions:
#
#			1) StrictSignatures is off
#			2) You recursively change the owner of the
#			   SessionDirectory and all its files.
#
# Note:		It's recommended you never change this value once EAS has
#		been started for the first time due to the StrictSignatures.
#		Disabling StrictSignatures increases the risk for
#		manipulating audit logs.
#############################################################################
# Runs the daemon as the "easd" account instead of the documented default
# of 0.
# NOTE(review): "StrictSignatures" is not described in the part of this file
# visible here; presumably it refers to the Sign* options in the Digital
# Signatures section (SignOwner adds the file's uid and gid to the
# signature) -- confirm.
User easd

#############################################################################
# Syntax: IdleTimeout { value }
# Value: integer
# Default: 7200
# Description:	Specify idle timeout in seconds.  If the client does not
#		send output or input within the given timeout the server will
#		terminate the connection.  A value of -1 will disable the
#		idle timeout.  Default value of 7200 seconds (2 hours)
#############################################################################
# Explicit setting equal to the documented default (2 hours).
# NOTE(review): -1 disables the timeout, which leaves unattended sessions
# open indefinitely; prefer keeping a finite value.
IdleTimeout 7200

#############################################################################
# Usage: Sync { value }
# Value:  _IONBF | _IOLBF | _IOFBF
# Default: _IONBF
# Description:	_IONBF unbuffered
#		_IOLBF line buffered
#		_IOFBF fully buffered
#
#
# Special:	If you want to snoop on active sessions, you need to specify
#		_IOFBF to fully buffer the audit logs.  Using _IONBF or
#		_IOLBF will lead to unexpected results.
#
# Note:		It's recommended that you leave buffering turned off for
#		performance reasons.  _IONBF is the default setting.
#############################################################################
#Sync _IONBF

#############################################################################
# Section: Syslog Configuration
#############################################################################
# Syntax: SyslogFacility { value }
# Value: string
# Default: LOG_AUTH
# Description:	Specify the syslog facility that easd should log to.
# LOG_AUTH	security/authorization messages (DEFAULT)
# LOG_CRON	cron and at
# LOG_DAEMON	system daemons without separate facility value
# LOG_FTP	ftp daemon
# LOG_KERN	kernel messages
# LOG_LOCAL0 through LOG_LOCAL7
#		reserved for local use.
# LOG_LPR	line printer
# LOG_MAIL	mail
# LOG_NEWS	USENET
# LOG_SYSLOG	generally reserved for syslogd
# LOG_USER	default generic user-level messages
# LOG_UUCP	UUCP
#############################################################################
# NOTE(review): make sure the local syslog configuration keeps (and, where
# available, forwards off-host) the auth facility, so that easd messages
# survive tampering on this machine.
SyslogFacility LOG_AUTH

#############################################################################
# Syntax: SyslogPriority { value }
# Value: string
# Default: LOG_INFO
# Description:	Specify the default syslog priority that easd should log
#		with.
# LOG_EMERG	system is unstable
# LOG_ALERT	action must be taken immediately
# LOG_CRIT	critical conditions
# LOG_ERR	error conditions
# LOG_WARNING	warning conditions
# LOG_NOTICE	normal, but significant conditions
# LOG_INFO	information messages (DEFAULT)
# LOG_DEBUG	debug-level messages
#
# Special:      Please note that EAS will always use
#		LOG_CRIT on critical error conditions.
#		LOG_ERR on error conditions.
#		LOG_DEBUG when the LogLevel is set to DEBUG[123]
#		Otherwise the default SyslogPriority will be used.
#############################################################################
# NOTE(review): a syslog rule that discards info-level messages will drop
# routine easd events; per the note above, only critical/error conditions
# and DEBUG output are logged at a different priority.
SyslogPriority LOG_INFO

#############################################################################
# Syntax: LogLevel { value }
# Value: string
# Default: INFO
# Description:	Specify the log level for easd.
# INFO		this is the default (SyslogPriority) - logs informational messages to syslog
# DEBUG1	debug level 1 (LOG_DEBUG) - logs system calls
# DEBUG2	debug level 2 (LOG_DEBUG) - logs function calls
# DEBUG3	debug level 3 (LOG_DEBUG) - (warning) logs all function calls and data
#############################################################################
# NOTE(review): DEBUG3 is documented above as logging "all function calls and
# data"; presumably that can place session content in syslog -- avoid it
# outside short troubleshooting windows and confirm what is written.
LogLevel INFO

#############################################################################
# Syntax: Cipher { value1:value2:... }
# Value: string
# Default: HIGH:MEDIUM
# Description:	Define permitted SSL ciphers in a colon delimited list.
#		For a complete list see "openssl ciphers"
#############################################################################
# NOTE(review): this directive is an SSL setting although it sits before the
# "Section: SSL Configuration" banner.
# NOTE(review): MEDIUM admits weaker suites than HIGH, and the string has no
# explicit exclusions; on some OpenSSL builds HIGH also matches anonymous
# (unauthenticated) suites.  Check the expansion with
# `openssl ciphers -v 'HIGH:MEDIUM'` and consider a stricter list such as
# HIGH:!aNULL:!eNULL if all clients support it.
Cipher HIGH:MEDIUM

#############################################################################
# Section: SSL Configuration
#############################################################################
# Syntax: Method { value1 | value2 | value3 | value4 }
# Value: string
# Default: SSLv3
# Description:	OpenSSL method.
# TLSv1		TLS version 1
# SSLv2		SSL version 2
# SSLv3		SSL version 3
# SSLv23	SSL version 2 and 3 compatibility mode
#############################################################################
# NOTE(review): SSLv3 is obsolete (RFC 7568 deprecates it) and SSLv2 is
# prohibited by RFC 6176.  Of the values listed above, TLSv1 is the only one
# documented as TLS; it is itself a legacy version, but it is the strongest
# choice this file documents.  Presumably clients must use a matching
# method -- confirm before changing, and check whether a newer easd build
# offers later TLS versions.
Method SSLv3

#############################################################################
# Syntax: PrivateKey { value }
# Value: string
# Default: /etc/eas/certs/server.pem
# Description:	Specify private key and certificate file.  The file should
#		begin with a PEM encoded private key followed by a PEM
#		encoded certificate.  The PEM file can contain several
#		certificates that you trust.
#############################################################################
# NOTE(review): the path contains a doubled slash (/etc/eas//certs); POSIX
# path resolution treats it as a single slash, so it names the documented
# default.
# NOTE(review): this file holds the server's private key -- keep it readable
# only by root and/or the account easd runs as, never group- or
# world-readable.
PrivateKey /etc/eas//certs/server.pem

#############################################################################
# Syntax: CertificateAuthority { value }
# Value: string
# Default: /etc/eas/certs/root.pem
# Description:	Specify certificate authority file.  If you want to trust
#		additional certificates, append them to the file.  By
#		default the certificates in the PrivateKey are trusted.
#############################################################################
# NOTE(review): per the description above, certificates appended to this file
# become trusted, so write access should be limited to administrators.  The
# doubled slash in the path is harmless on POSIX systems.
CertificateAuthority /etc/eas//certs/root.pem

#############################################################################
# Syntax: RandomFile { value }
# Value: string
# Default: disabled
# Description:	Specify the default file to read(2) random data so that
#		OpenSSL can be correctly seeded.  Default is /dev/urandom
#############################################################################
#RandomFile /dev/urandom

#############################################################################
# Syntax: EGDFile { value }
# Value: string
# Default: disabled
# Description:	Specify path to Entropy Gathering Daemon socket.  Use this
#		option if you don't have /dev/urandom or /dev/random
#############################################################################
#EGDFile /var/run/egd-pool