From: Robert Watson
Date: Sun, 10 Mar 2002 16:15:43 -0500 (EST)
To: Dag-Erling Smorgrav
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc syslog.conf

On 10 Mar 2002, Dag-Erling Smorgrav wrote:

> Robert Watson writes:
> > Log:
> > /var/log/security gets almost no (if not no) activity on many FreeBSD
> > systems due to sshd not using the security log class.
>
> This can be arranged...

And probably should be. I don't have time to sit down and check to make sure the right facility is used all over the place, but it might be a good idea for someone to do so. There seem to be at least three relevant facilities for this kind of thing (from syslog manpage):

     LOG_AUTH      The authorization system: login(1), su(1), getty(8), etc.

     LOG_AUTHPRIV  The same as LOG_AUTH, but logged to a file readable only by selected individuals.

     LOG_SECURITY  Security subsystems, such as ipfw(4).

The current use of AUTH or AUTHPRIV is probably correct for authentication messages coming from sshd, login, su, etc. Which to select is an interesting question: in general, we haven't been using authpriv, I think. SECURITY probably isn't generally appropriate for these mechanisms unless a problem occurs.
However, /var/log/security probably has a different mandate than the facility of the same name, and potentially could contain security-relevant messages, which might include authentication messages. This suggests to me that we continue to use AUTH all over the place, and redefine /var/log/security to have a broader mandate, and possibly trim delivery of AUTH/SECURITY/AUTHPRIV from the other logs. I.e., move to:

security.*;auth.*;authpriv.*                    /var/log/security

Maybe .info instead of .*.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
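
Added example, not part of the message above and not FreeBSD code: a small Python model of syslog.conf selector matching that shows where a message of a given facility and level lands under the proposed line, with `.*` and with `.info`. The `/var/log/messages` line, the facility subset and all function names are constructed for the illustration; only `facility.level` selectors, `*` and `none` are modelled.

```python
# Illustrative model of a subset of syslog.conf(5) selector semantics.
# Not handled: comparison flags (=, !, <, >), program/host blocks, non-file actions.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Subset of facilities, enough for the example (assumption, not the full list).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "cron", "authpriv", "security"]

def parse_selectors(field):
    """Map facility -> index of the least severe level logged; later selectors win."""
    table = {}
    for selector in field.split(";"):
        facs, _, level = selector.strip().rpartition(".")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in FACILITIES:
                raise ValueError("unknown facility in %r" % selector)
            if level == "none":
                table.pop(fac, None)              # e.g. auth.none after *.notice
            elif level == "*":
                table[fac] = len(LEVELS) - 1      # every level, debug included
            else:
                table[fac] = LEVELS.index(level)  # this level and more severe
    return table

def load(text):
    """Parse config text into a list of (selector table, action) rules."""
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            selectors, action = line.split(None, 1)
            rules.append((parse_selectors(selectors), action.strip()))
    return rules

def destinations(rules, facility, level):
    """Return the actions that would receive a message of facility.level."""
    sev = LEVELS.index(level)
    return [act for table, act in rules if facility in table and sev <= table[facility]]

# Constructed configs: the proposed line, plus a hypothetical messages line that
# trims auth/authpriv/security from the general log as the message suggests.
PROPOSED = load("""
*.notice;auth.none;authpriv.none;security.none  /var/log/messages
security.*;auth.*;authpriv.*                    /var/log/security
""")
INFO_VARIANT = load("""
*.notice;auth.none;authpriv.none;security.none  /var/log/messages
security.info;auth.info;authpriv.info           /var/log/security
""")

if __name__ == "__main__":
    for fac, lvl in [("auth", "debug"), ("auth", "info"), ("daemon", "err")]:
        print(fac, lvl, destinations(PROPOSED, fac, lvl), destinations(INFO_VARIANT, fac, lvl))
```

With `.info`, debug-level messages from auth, authpriv and security go to neither file in this model, which is the trade-off behind choosing between `.*` and `.info`.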