From owner-freebsd-hackers@FreeBSD.ORG Sun May 27 16:31:08 2007
From: Benjamin Lutz
To: freebsd-hackers@freebsd.org, karma@freebsd.org
Date: Sun, 27 May 2007 18:30:56 +0200
References: <200705250322.22259.karma@FreeBSD.org> <200705252004.38092.mail@maxlor.com> <200705261149.18510.karma@FreeBSD.org>
In-Reply-To: <200705261149.18510.karma@FreeBSD.org>
Message-Id: <200705271830.59646.mail@maxlor.com>
Cc: trustedbsd-discuss@freebsd.org
Subject: Re: SoC: Distributed Audit Daemon project

On Saturday 26 May 2007 09:49, Alexey Mikhailov wrote:
> On Friday 25 May 2007 22:04:34 Benjamin Lutz wrote:
> > On Friday 25 May 2007 01:22:21 Alexey Mikhailov wrote:
> > > [...]
> > > 2. As I said before, the initial subject of this project was
> > > "Distributed audit daemon". But after some discussions we had
> > > decided that this project can be done in a more general manner. We
> > > can perform distributed logging for any user-space app.
> > > [...]
> >
> > This sounds very similar to syslogd. Is it feasible to make dlogd a
> > drop-in replacement for syslogd, at least from a
> > syslog-using-program point of view?
>
> Our project concentrates on log shipping. We're paying most attention
> to secure and reliable log shipping. So our project differs from
> syslogd in a major way.
>
> But actually it could be possible for dlogd to be used by
> syslogd/syslog-ng for log shipping, as I see it.

The thing that bugs me most about syslog is not even the transport to
remote syslogd instances; that's relatively easy to fix (put some SSL
between the daemons, or use encrypted tunnels, etc). It's that when a
process logs a syslog event, it can claim to be anything at all. Iirc,
it can even give a bogus timestamp.
So what I was hoping for here is for auditd to come with a hook that
intercepts syslog(3) calls, adds/validates pid, process name and
timestamp, and then puts that information somewhere (some local log, a
remote log, a lineprinter). It doesn't even have to give the
information back to a syslogd daemon; whatever auditd uses for itself
would be fine too.

What I'm hoping for here is some way to get a guarantee that the
information in a log is actually correct. The way it is at the moment,
syslog messages are way too trivial to spoof. Anyway, this is just a
feature wish :) I'm happy to see you work on auditd, whether or not it
contains these syslog bits.

Cheers
Benjamin
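The pid validation Benjamin asks for can be had from the kernel rather than from a syslog(3) hook when the log socket is a Unix-domain socket: the receiver asks for the sender's credentials and gets a pid the sender cannot forge. The following is an added example, not code from this thread, from auditd or from any syslogd; it uses Linux's SO_PASSCRED/SCM_CREDENTIALS (FreeBSD's counterpart is LOCAL_CREDS with SCM_CREDS), and the syslog line it checks is constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Receive one datagram on fd, copy its text into buf and return the pid the
 * kernel attached as SCM_CREDENTIALS (-1 if none). With SO_PASSCRED set on the
 * receiving socket the kernel fills this in for every message; the sender cannot forge it. */
static pid_t recv_attested_pid(int fd, char *buf, size_t buflen)
{
    struct iovec iov = { .iov_base = buf, .iov_len = buflen - 1 };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(struct ucred))]; } ctl;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &ctl, .msg_controllen = sizeof ctl };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct ucred cr;
            memcpy(&cr, CMSG_DATA(c), sizeof cr);
            return cr.pid;
        }
    }
    return -1;
}

/* The pid a classic "tag[pid]:" syslog line claims for itself, or -1. */
static int claimed_pid(const char *line)
{
    const char *lb = strchr(line, '[');
    return lb ? atoi(lb + 1) : -1;
}

/* Self-contained check: this process sends a constructed line whose tag claims a pid
 * that is not its own; the receiving end compares the claim with the kernel-attested pid. */
int spoofed_pid_detected(void)   /* 1 if the spoof is caught, 0 if not, -1 on error */
{
    int sv[2], on = 1; char line[128], buf[256];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0) return -1;
    snprintf(line, sizeof line, "<38>May 27 18:30:56 sshd[%d]: Accepted publickey",
             (int)getpid() + 1);          /* constructed sample: claims someone else's pid */
    if (send(sv[0], line, strlen(line), 0) < 0) return -1;
    pid_t real = recv_attested_pid(sv[1], buf, sizeof buf);
    close(sv[0]); close(sv[1]);
    return real < 0 ? -1 : (real == getpid() && claimed_pid(buf) != real);
}
```

A receiver built this way should likewise record its own arrival time for each line instead of trusting the timestamp in the message.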