From: Robert Watson
To: "Christian S.J. Peron"
Cc: Perforce Change Reviews
Date: Mon, 27 Feb 2006 13:44:20 +0000 (GMT)
Subject: Re: PERFORCE change 92365 for review

On Sat, 25 Feb 2006, Christian S.J. Peron wrote:

>> @@ -795,7 +795,11 @@ >> } >> } >> >> +#ifdef LOG_SECURITY >> openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY); >> +#else >> + openlog("auditd", LOG_CONS | LOG_PID, LOG_AUTH); >> +#endif >> syslog(LOG_INFO, "starting...\n"); >> >> if (debug == 0 && daemon(0, 0) == -1) {
>
> In userspace, we are using LOG_AUTH | LOG_ERR to report audit failures, at
> least for login(1) and su(1). Might be a good idea to be consistent, anyway.

My general feeling has been that audit-related log material shouldn't go into publicly readable logs. LOG_SECURITY works well for this on FreeBSD; however, LOG_AUTHPRIV is probably the better place for the log messages to go so that they don't enter a world-readable log file on other systems? This looks like it will work on Linux and Darwin. On Solaris, there's a LOG_AUDIT, which has the same underlying numeric value as LOG_SECURITY on FreeBSD.

Robert N M Watson
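
Review bot: The `#else` branch falls back straight to LOG_AUTH, so on a platform without LOG_SECURITY the daemon's messages go to whatever file the local syslog configuration uses for the general auth facility, which may be readable by unprivileged users. Consider testing for a restricted facility first, for example `#elif defined(LOG_AUTHPRIV)` with an openlog() call using LOG_AUTHPRIV, and keeping LOG_AUTH only as the last resort. A short comment above the conditional saying why the facility differs per platform would also help, since the three openlog() calls will otherwise look like accidental duplication.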