From: "Christian S.J. Peron"
Date: Mon, 27 Feb 2006 10:47:21 -0600
To: Robert Watson
Cc: Perforce Change Reviews
Subject: Re: PERFORCE change 92365 for review
Message-ID: <44032D19.3090201@FreeBSD.org>
In-Reply-To: <20060227133628.W52695@fledge.watson.org>

Robert Watson wrote:

>
> On Sat, 25 Feb 2006, Christian S.J. Peron wrote:
> >>> @@ -795,7 +795,11 @@ >>> } >>> } >>> >>> +#ifdef LOG_SECURITY >>> openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY); >>> +#else >>> + openlog("auditd", LOG_CONS | LOG_PID, LOG_AUTH); >>> +#endif >>> syslog(LOG_INFO, "starting...\n"); >>> >>> if (debug == 0 && daemon(0, 0) == -1) {
>>
>>
>> In userspace, we are using LOG_AUTH | LOG_ERR to report audit
>> failures, at least for login(1) and su(1). Might be a good idea to be
>> consistent, anyway.
>
>
> My general feeling has been that audit-related log material shouldn't
> go into publicly readable logs. LOG_SECURITY works well for this on
> FreeBSD; however, LOG_AUTHPRIV is probably the better place for the
> log messages to go so that they don't enter a world-readable log file
> on other systems? This looks like it will work on Linux and Darwin.
> On Solaris, there's a LOG_AUDIT, which has the same underlying numeric
> value as LOG_SECURITY on FreeBSD.
>
> Robert N M Watson
>

I would agree here. I just consulted RFC 3164 to see if there is
anything that they are designating for security related messages and
here is what I found:

    Numerical         Facility
       Code

        0             kernel messages
        1             user-level messages
        2             mail system
        3             system daemons
        4             security/authorization messages (note 1)
        5             messages generated internally by syslogd
        6             line printer subsystem
        7             network news subsystem
        8             UUCP subsystem
        9             clock daemon (note 2)
       10             security/authorization messages (note 1)
       11             FTP daemon
       12             NTP subsystem
       13             log audit (note 1)
       14             log alert (note 1)
       15             clock daemon (note 2)
       16             local use 0  (local0)
       17             local use 1  (local1)
       18             local use 2  (local2)
       19             local use 3  (local3)
       20             local use 4  (local4)
       21             local use 5  (local5)
       22             local use 6  (local6)
       23             local use 7  (local7)

    Note 1 - Various operating systems have been found to utilize
       Facilities 4, 10, 13 and 14 for security/authorization,
       audit, and alert messages which seem to be similar.

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
FreeBSD Security Team
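
Review bot: The #else branch of the new #ifdef LOG_SECURITY block falls back to LOG_AUTH, which on some systems is written to a world-readable log file, so auditd's messages would leave the restricted log on exactly the platforms where the fallback applies. Consider preferring LOG_AUTHPRIV where it is defined, for example an `#elif defined(LOG_AUTHPRIV)` branch ahead of the plain `#else`, keeping LOG_AUTH only as the last resort, and add a short comment above the block stating the order of preference and why.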
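
The facility codes in the RFC 3164 table quoted above travel in each message's leading `<PRI>` field as facility * 8 + severity. The following C code is an added example, not part of the original thread or of auditd; it decodes that field and flags the four facilities named in note 1. The function names `parse_pri` and `is_security_facility` and the sample messages are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Decoded <PRI> field: PRI = facility * 8 + severity (RFC 3164). */
struct pri { int facility; int severity; };

/* Parse the leading "<PRI>" (1-3 digits); 0 on success, -1 if malformed. */
int
parse_pri(const char *msg, struct pri *out)
{
    int value = 0;
    size_t i = 1;

    if (msg == NULL || out == NULL || msg[0] != '<')
        return (-1);
    while (i <= 3 && isdigit((unsigned char)msg[i]))
        value = value * 10 + (msg[i++] - '0');
    if (i == 1 || msg[i] != '>' || value > 23 * 8 + 7)
        return (-1);
    out->facility = value / 8;
    out->severity = value % 8;
    return (0);
}

/* Facilities that note 1 lists as used for security, audit and alert. */
int
is_security_facility(int facility)
{
    return (facility == 4 || facility == 10 || facility == 13 || facility == 14);
}

int
main(void)
{
    /* Constructed sample messages, not taken from a real log. */
    const char *samples[] = {
        "<110>Feb 27 10:47:21 host auditd[123]: starting...",
        "<30>Feb 27 10:47:23 host cron[789]: constructed example",
        "<999>constructed message with an out-of-range PRI",
    };
    struct pri p;

    for (size_t i = 0; i < 3; i++)
        if (parse_pri(samples[i], &p) != 0)
            printf("malformed PRI: %s\n", samples[i]);
        else
            printf("facility=%d severity=%d security=%d\n", p.facility,
                p.severity, is_security_facility(p.facility));
    return (0);
}
```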