Date: Sun, 27 May 2007 18:30:56 +0200
From: Benjamin Lutz <mail@maxlor.com>
To: freebsd-hackers@freebsd.org, karma@freebsd.org
Cc: trustedbsd-discuss@freebsd.org
Subject: Re: SoC: Distributed Audit Daemon project
Message-ID: <200705271830.59646.mail@maxlor.com>
In-Reply-To: <200705261149.18510.karma@FreeBSD.org>
References: <200705250322.22259.karma@FreeBSD.org> <200705252004.38092.mail@maxlor.com> <200705261149.18510.karma@FreeBSD.org>
On Saturday 26 May 2007 09:49, Alexey Mikhailov wrote:
> On Friday 25 May 2007 22:04:34 Benjamin Lutz wrote:
> > On Friday 25 May 2007 01:22:21 Alexey Mikhailov wrote:
> > > [...]
> > > 2. As I said before, the initial subject of this project was
> > > "Distributed audit daemon". But after some discussions we had
> > > decided that this project can be done in a more general manner. We
> > > can perform distributed logging for any user-space app.
> > > [...]
> >
> > This sounds very similar to syslogd. Is it feasible to make dlogd a
> > drop-in replacement for syslogd, at least from a
> > syslog-using-program point of view?
>
> Our project concentrates on log shipping. We're paying most attention
> to secure and reliable log shipping. So our project differs from
> syslogd in a major way.
>
> But actually it could be possible for dlogd to be used by
> syslogd/syslog-ng for log shipping, as I see it.

The thing that bugs me most about syslog is not even the transport to
remote syslogd instances; that's relatively easy to fix (put some SSL
between the daemons, or use encrypted tunnels, etc). It's that when a
process logs a syslog event, it can claim to be anything at all. IIRC,
it can even give a bogus timestamp.

So what I was hoping for here is for auditd to come with a hook that
intercepts syslog(3) calls, adds/validates pid, process name and
timestamp, and then puts that information somewhere (some local log, a
remote log, a lineprinter). It doesn't even have to give the
information back to a syslogd daemon; whatever auditd uses for itself
would be fine too.

What I'm hoping for here is some way to get a guarantee that the
information in a log is actually correct. The way it is at the moment,
syslog messages are way too trivial to spoof.
Anyway, this is just a feature wish :) I'm happy to see you work on
auditd, whether or not it contains these syslog bits.

Cheers
Benjamin
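The check Benjamin describes (don't trust the pid, tag or timestamp written into the syslog line; stamp the record with what the kernel and the receiver's own clock can vouch for) as an added example that is not part of this thread or of the auditd/dlogd code. It assumes a Linux receiver reading from a Unix-domain datagram socket with SO_PASSCRED/SCM_CREDENTIALS (FreeBSD exposes the same idea as LOCAL_CREDS/SCM_CREDS); the sample line, the credential triple and the function names are constructed for illustration.

```python
import re
import socket
import struct
import time

# Constructed sample: the sender is really pid 4242, but the line claims sshd[1].
SAMPLE_LINE = "<38>May 27 18:30:56 gw sshd[1]: session opened for user root"
SAMPLE_KERNEL_CREDS = (4242, 1001, 1001)  # (pid, uid, gid) as the kernel reports them

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_bsd_syslog(line):
    """Split a BSD-style syslog line into its claimed fields; all are untrusted."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    d["pid"] = int(d["pid"]) if d["pid"] else None
    return d

def authenticate(line, kernel_creds, received_at):
    """Record built from kernel-attached (pid, uid, gid) and the receiver's clock."""
    claimed = parse_bsd_syslog(line)
    pid, uid, gid = kernel_creds
    return {
        "facility": claimed["pri"] >> 3, "severity": claimed["pri"] & 7,
        "pid": pid, "uid": uid, "gid": gid, "received_at": received_at,
        "claimed_tag": claimed["tag"], "claimed_pid": claimed["pid"],
        "claimed_ts": claimed["ts"], "msg": claimed["msg"],
        "pid_mismatch": claimed["pid"] is not None and claimed["pid"] != pid,
    }

def recv_with_creds(sock):
    """Linux only: read one datagram plus its SCM_CREDENTIALS (SO_PASSCRED set on sock)."""
    data, ancdata, _, _ = sock.recvmsg(4096, socket.CMSG_SPACE(12))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data.decode(), struct.unpack("3i", cdata[:12])  # struct ucred
    raise RuntimeError("kernel did not attach sender credentials")

if __name__ == "__main__":
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    sender.send(SAMPLE_LINE.encode())
    print(authenticate(*recv_with_creds(receiver), time.time()))
```

The resulting record keeps the claimed tag, pid and timestamp only as `claimed_*` fields next to the kernel-verified pid and the receiver's own timestamp, so a spoofed line is visible as a `pid_mismatch` rather than silently accepted.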