Date:      Mon, 27 Feb 2006 13:44:20 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        "Christian S.J. Peron" <csjp@FreeBSD.org>
Cc:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   Re: PERFORCE change 92365 for review
Message-ID:  <20060227133628.W52695@fledge.watson.org>
In-Reply-To: <43FFF528.7070100@FreeBSD.org>
References:  <200602250012.k1P0CgNJ041723@repoman.freebsd.org> <43FFF528.7070100@FreeBSD.org>

On Sat, 25 Feb 2006, Christian S.J. Peron wrote:

>> @@ -795,7 +795,11 @@
>> 		}
>> 	}
>> 
>> +#ifdef LOG_SECURITY
>> 	openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY);
>> +#else
>> +	openlog("auditd", LOG_CONS | LOG_PID, LOG_AUTH);
>> +#endif
>> 	syslog(LOG_INFO, "starting...\n");
>> 
>> 	if (debug == 0 && daemon(0, 0) == -1) {
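Review bot: the `#else` branch of the new `openlog()` guard falls back to `LOG_AUTH`, which on systems that lack `LOG_SECURITY` routes the audit daemon's messages to a facility that is commonly written to a world-readable log file; consider `LOG_AUTHPRIV` as the fallback (behind its own `#ifdef`, with `LOG_AUTH` only as a last resort) so the messages stay in a restricted log on Linux and Darwin. Also visible in the context lines: the `"starting...\n"` string passed to `syslog()` needs no trailing newline.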
>
> In userspace, we are using LOG_AUTH | LOG_ERR to report audit failures, at 
> least for login(1) and su(1). Might be a good idea to be consistent, anyway.

My general feeling has been that audit-related log material shouldn't go into 
publicly readable logs.  LOG_SECURITY works well for this on FreeBSD; 
however, LOG_AUTHPRIV is probably the better place for the log messages to go 
so that they don't enter a world-readable log file on other systems?  This 
looks like it will work on Linux and Darwin.  On Solaris, there's a LOG_AUDIT, 
which has the same underlying numeric value as LOG_SECURITY on FreeBSD.

Robert N M Watson
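A portable form of the facility selection discussed in this thread, added here as an example rather than the auditd code under review: it prefers LOG_SECURITY, then the Solaris LOG_AUDIT mentioned above, then LOG_AUTHPRIV, and only then LOG_AUTH. The AUDIT_LOG_* macros and the audit_log_* helper functions are assumptions, not names from the change.

```c
#include <syslog.h>

/*
 * Added example (not the auditd code from the change under review): choose
 * the syslog facility for audit-daemon messages with a compile-time fallback
 * chain, preferring facilities whose messages do not land in a world-readable
 * log file. LOG_SECURITY exists on FreeBSD, LOG_AUDIT on Solaris, and
 * LOG_AUTHPRIV on Linux, Darwin and the BSDs; LOG_AUTH is the last resort.
 */
#if defined(LOG_SECURITY)
#define AUDIT_LOG_FACILITY      LOG_SECURITY
#define AUDIT_LOG_FACILITY_NAME "LOG_SECURITY"
#elif defined(LOG_AUDIT)
#define AUDIT_LOG_FACILITY      LOG_AUDIT
#define AUDIT_LOG_FACILITY_NAME "LOG_AUDIT"
#elif defined(LOG_AUTHPRIV)
#define AUDIT_LOG_FACILITY      LOG_AUTHPRIV
#define AUDIT_LOG_FACILITY_NAME "LOG_AUTHPRIV"
#else
#define AUDIT_LOG_FACILITY      LOG_AUTH
#define AUDIT_LOG_FACILITY_NAME "LOG_AUTH"
#endif

/* The facility selected at compile time for this platform. */
int audit_log_facility(void)
{
	return AUDIT_LOG_FACILITY;
}

/* Human-readable name of that facility, for the startup message. */
const char *audit_log_facility_name(void)
{
	return AUDIT_LOG_FACILITY_NAME;
}

/*
 * Non-zero when a restricted facility was available, i.e. the build did not
 * have to fall back to LOG_AUTH. A daemon that must keep audit messages out
 * of public logs can warn, or refuse to start, when this returns 0.
 */
int audit_log_facility_is_private(void)
{
	return AUDIT_LOG_FACILITY != LOG_AUTH;
}

/* Open the daemon's log; syslog(3) messages need no trailing newline. */
void audit_log_open(const char *ident)
{
	openlog(ident, LOG_CONS | LOG_PID, AUDIT_LOG_FACILITY);
	syslog(LOG_INFO, "starting, logging to facility %s",
	    AUDIT_LOG_FACILITY_NAME);
}
```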