SoC: Distributed Audit Daemon project

Benjamin Lutz mail at maxlor.com
Sun May 27 16:31:08 UTC 2007


On Saturday 26 May 2007 09:49, Alexey Mikhailov wrote:
> On Friday 25 May 2007 22:04:34 Benjamin Lutz wrote:
> > On Friday 25 May 2007 01:22:21 Alexey Mikhailov wrote:
> > > [...]
> > > 2. As I said before, the initial subject of this project was
> > > "Distributed audit daemon". But after some discussions we had
> > > decided that this project can be done in a more general manner. We
> > > can perform distributed logging for any user-space app.
> > > [...]
> >
> > This sounds very similar to syslogd. Is it feasible to make dlogd a
> > drop-in replacement for syslogd, at least from a
> > syslog-using-program point of view?
>
> Our project concentrates on log shipping. We're paying most attention
> to secure and reliable log shipping. So our project differs from
> syslogd in a major way.
>
> But actually it could be possible for dlogd to be used by
> syslogd/syslog-ng for log shipping, as I see it.

The thing that bugs me most about syslog is not even the transport to 
remote syslogd instances; that's relatively easy to fix (put some SSL 
between the daemons, or use encrypted tunnels, etc). It's that when a 
process logs a syslog event, it can claim to be anything at all. Iirc, 
it can even give a bogus timestamp.

So what I was hoping for here is for auditd to come with a hook that 
intercepts syslog(3) calls, adds/validates pid, process name and 
timestamp, and then puts that information somewhere (some local log, a 
remote log, a lineprinter). It doesn't even have to give the 
information back to a syslogd daemon; whatever auditd uses for itself 
would be fine too.

What I'm hoping for here is some way to get a guarantee that the 
information in a log is actually correct. The way it is at the moment, 
syslog messages are way too trivial to spoof. Anyway, this is just a 
feature wish :) I'm happy to see you work on auditd, whether or not it 
contains these syslog bits.

Cheers
Benjamin
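An added illustration of the spoofing point in the message above (example code written for this page, not code from the thread, from syslogd, or from the dlogd/auditd project): the sender assembles an RFC 3164 line claiming to be sshd[1] at a fabricated time, which is exactly what libc's syslog(3) would build from the caller's own openlog() ident and clock, and the receiver then asks the kernel who really sent the datagram. The check sits on the receiving end of the local log socket rather than in a syslog(3) hook as proposed above, because that is the one place where a claimed pid can be compared with something the kernel vouches for: SO_PASSCRED/SCM_CREDENTIALS on Linux, LOCAL_CREDS/SCM_CREDS on FreeBSD. The function names, the CRED_* macros and the sample message are my own; the log line is constructed, not taken from a real system.

```c
/* Added example, not code from the thread or the dlogd/auditd project: what a
 * process controls in a local syslog datagram versus the one claim a receiver
 * can check against kernel data, the sender's pid. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <syslog.h>
#ifdef __FreeBSD__
#include <sys/ucred.h>
#define CRED_LEVEL   0                  /* SOL_LOCAL */
#define CRED_OPT     LOCAL_CREDS
#define CRED_CMSG    SCM_CREDS
typedef struct cmsgcred peer_cred;
#define CRED_PID(c)  ((c).cmcred_pid)
#else
#ifndef SO_PASSCRED                     /* Linux ABI values, in case the headers */
#define SO_PASSCRED 16                  /* were pulled in without _GNU_SOURCE    */
#endif
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif
#define CRED_LEVEL   SOL_SOCKET
#define CRED_OPT     SO_PASSCRED
#define CRED_CMSG    SCM_CREDENTIALS
typedef struct { pid_t pid; uid_t uid; gid_t gid; } peer_cred; /* = struct ucred */
#define CRED_PID(c)  ((c).pid)
#endif

/* An RFC 3164-style line as it crosses the log socket. libc's syslog(3) fills
 * priority, timestamp, tag (the openlog ident) and pid in from the caller's own
 * data, and a process can write the socket directly anyway, so each of these
 * fields is whatever the sender chooses. Returns -1 if buf is too small. */
static int spoofed_syslog_msg(char *buf, size_t n, int facility, int level,
                              const char *timestamp, const char *tag,
                              int pid_claimed, const char *text)
{
    int len = snprintf(buf, n, "<%d>%s %s[%d]: %s",
                       facility | level, timestamp, tag, pid_claimed, text);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* The pid the message claims in "tag[pid]:", or -1 if it claims none. */
static int claimed_pid(const char *msg)
{
    const char *lb = strchr(msg, '[');
    char *end = NULL;
    long pid = lb ? strtol(lb + 1, &end, 10) : -1;
    return (!lb || end == lb + 1 || end[0] != ']' || end[1] != ':') ? -1 : (int)pid;
}

/* One datagram plus the kernel's record of who sent it (*real_pid stays -1 when
 * no credentials were attached). Returns the byte count or -1. */
static ssize_t recv_with_creds(int fd, char *buf, size_t n, pid_t *real_pid)
{
    struct iovec iov = { .iov_base = buf, .iov_len = n - 1 };
    union { struct cmsghdr hdr; char bytes[256]; } ctl;
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = &ctl, .msg_controllen = sizeof ctl };
    ssize_t got = recvmsg(fd, &mh, 0);

    *real_pid = -1;
    if (got < 0) return -1;
    buf[got] = '\0';
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c != NULL; c = CMSG_NXTHDR(&mh, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == CRED_CMSG) {
            peer_cred cr;
            memcpy(&cr, CMSG_DATA(c), sizeof cr);
            *real_pid = CRED_PID(cr);
        }
    return got;
}

/* Worked run over a socketpair: this process claims to be sshd[1] at a made-up
 * time (constructed sample, not a real log line). Returns 1 when the receiver
 * can show the claimed pid is false, 0 if it cannot tell, -1 on error. */
static int demo_spoof_detected(pid_t *real_out, int *claimed_out)
{
    int sv[2], on = 1, len, claimed;
    char msg[512], in[512];
    pid_t real = -1;
    ssize_t got = -1;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    len = spoofed_syslog_msg(msg, sizeof msg, LOG_AUTH, LOG_INFO,
                             "Jan  1 00:00:00", "sshd", 1,
                             "Accepted publickey for root from 10.0.0.1");
    /* credentials are requested on the *receiving* end of the pair */
    if (len > 0 && setsockopt(sv[1], CRED_LEVEL, CRED_OPT, &on, sizeof on) == 0
        && send(sv[0], msg, (size_t)len, 0) == len)
        got = recv_with_creds(sv[1], in, sizeof in, &real);
    close(sv[0]);
    close(sv[1]);
    if (got < 0) return -1;
    claimed = claimed_pid(in);
    if (real_out) *real_out = real;
    if (claimed_out) *claimed_out = claimed;
    return (real != -1 && claimed != real) ? 1 : 0;
}
```

Calling demo_spoof_detected(&real, &claimed) from a main returns 1 with claimed == 1 and real == getpid(): the message says sshd[1], the kernel says otherwise. Two caveats a practitioner would add: the kernel only vouches for pid, uid and gid, so the process name still has to be looked up from that pid by the receiver (immediately, since pids are reused once the sender exits), and the timestamp should be the receiver's own clock at delivery, never anything carried in the message. None of this helps for lines that arrive over the network; there, the transport protection mentioned above is all you get.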
