Date: Mon, 27 Feb 2006 10:47:21 -0600 From: "Christian S.J. Peron" <csjp@FreeBSD.org> To: Robert Watson <rwatson@FreeBSD.org> Cc: Perforce Change Reviews <perforce@freebsd.org> Subject: Re: PERFORCE change 92365 for review Message-ID: <44032D19.3090201@FreeBSD.org> In-Reply-To: <20060227133628.W52695@fledge.watson.org> References: <200602250012.k1P0CgNJ041723@repoman.freebsd.org> <43FFF528.7070100@FreeBSD.org> <20060227133628.W52695@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Robert Watson wrote:
>
> On Sat, 25 Feb 2006, Christian S.J. Peron wrote:
>
>>> @@ -795,7 +795,11 @@
>>> }
>>> }
>>>
>>> +#ifdef LOG_SECURITY
>>> openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY);
>>> +#else
>>> + openlog("auditd", LOG_CONS | LOG_PID, LOG_AUTH);
>>> +#endif
>>> syslog(LOG_INFO, "starting...\n");
>>>
>>> if (debug == 0 && daemon(0, 0) == -1) {
>>
>>
>> In userspace, we are using LOG_AUTH | LOG_ERR to report audit
>> failures, at least for login(1) and su(1). Might be a good idea to be
>> consistent, anyway.
>
>
> My general feeling has been that audit-related log material shouldn't
> go into publically readable logs. LOG_SECURITY works well for this on
> FreeBSD; however, LOG_AUTHPRIV is probably the better place for the
> log messages to go so that they don't enter a world-readable log file
> on other systems? This looks like it will work on Linux and Darwin.
> On Solaris, there's a LOG_AUDIT, which has the same underlying numeric
> value as LOG_SECURITY on FreeBSD.
>
> Robert N M Watson
>
>
I would agree here. I just consulted RFC 3164 to see if there is
anything that they are designating for security related messages and
here is what I found:
Numerical Facility
Code
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages (note 1)
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon (note 2)
10 security/authorization messages (note 1)
11 FTP daemon
12 NTP subsystem
13 log audit (note 1)
14 log alert (note 1)
15 clock daemon (note 2)
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
Note 1 - Various operating systems have been found to utilize
Facilities 4, 10, 13 and 14 for security/authorization,
audit, and alert messages which seem to be similar.
--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
FreeBSD Security Team
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44032D19.3090201>