/etc/security/audit_warn -- where to log to by default?

Robert Watson rwatson at FreeBSD.org
Tue Jan 25 01:34:04 GMT 2005


Right now we're using the audit_warn script as shipped in the Darwin bsm
source drop, which consists of: 

  #!/bin/sh
  TIME=$(date "+%h %d %H:%M:%S")
  echo "$TIME audit warning: $@" >> /etc/security/audit_messages

My leaning is that this is undesirable on a couple of counts:

(1) It would be nice to store the audit-related log messages in /var/log
    with the rest of the log files.

(2) It would be nice to use syslog(3) to log the messages, as well as
    newsyslog(8) to rotate the log.

This suggests replacing it with something like the following:

  #!/bin/sh
  logger -p security.warning "audit warning: $@"

We'd then either leave that pointed at /var/log/security, or add a
/var/log/audit.log to capture audit data from the audit_warn command using
a name-based classification.

The primary interesting downside would be on a system running MAC, where
perhaps the integrity grade, confidentiality level, or domain/type of the
audit data is different from that of the other log data, and would benefit
from being stored in another directory to facilitate that, not to mention
keeping the syslog daemon out of the loop (as syslogd talks to a lot of
other processes directly, including many untrusted ones).

Any thoughts on this one?

Robert N M Watson
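An added example, not code from the post, from the Darwin bsm drop, or from FreeBSD: an audit_warn that routes warnings through logger(1) with a program tag so syslogd can classify them by name, and that falls back to a local file when logger cannot deliver, so that the warning auditd raised (disk space, hard limit, rotation) is not lost when syslogd is down or deliberately kept out of the loop. The syslog.conf and newsyslog.conf fragments in the comments, the tag name, the fallback path and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: syslog-based audit_warn with a file fallback.
#
# Assumed syslog.conf fragment (name-based classification on the logger tag):
#   !audit_warn
#   *.*                                     /var/log/audit.log
#   !*
# Assumed newsyslog.conf entry so the file is rotated like the other logs:
#   /var/log/audit.log   600  7  100  *  JC

# Overridable so the behaviour can be exercised without a running syslogd.
: "${AUDIT_WARN_LOGGER:=logger}"
: "${AUDIT_WARN_TAG:=audit_warn}"
: "${AUDIT_WARN_FALLBACK:=/var/log/audit_warn.fallback}"   # assumed path

# Join all arguments into one message. auditd passes a keyword first
# (e.g. soft, hard, allsoft, rotate) followed by details such as a path.
# "$*" (not "$@") keeps the text a single argument to logger.
audit_warn_format() {
    printf '%s' "$*"
}

# Emit a warning. Returns 0 when logger accepted it and 1 when the
# fallback file had to be used instead.
audit_warn_log() {
    msg=$(audit_warn_format "$@")
    if "$AUDIT_WARN_LOGGER" -t "$AUDIT_WARN_TAG" -p security.warning \
        "audit warning: $msg" 2>/dev/null; then
        return 0
    fi
    # logger missing or syslogd unreachable: keep a timestamped local record
    # in the same shape as the original flat-file script wrote.
    stamp=$(date "+%h %d %H:%M:%S")
    printf '%s audit warning: %s\n' "$stamp" "$msg" >> "$AUDIT_WARN_FALLBACK"
    return 1
}

# Count fallback records for a given auditd keyword. A non-zero count is the
# operator's signal that syslog delivery has been failing.
audit_warn_fallback_count() {
    keyword=$1
    if [ ! -f "$AUDIT_WARN_FALLBACK" ]; then
        echo 0
        return 0
    fi
    grep -c "audit warning: $keyword" "$AUDIT_WARN_FALLBACK" || true
}

# Installed as auditd's audit_warn, the script just forwards what auditd gave
# it; the guard keeps this from firing when the file is sourced for testing.
if [ "${AUDIT_WARN_AS_SCRIPT:-0}" = 1 ]; then
    audit_warn_log "$@"
fi
```

Install it as /etc/security/audit_warn with AUDIT_WARN_AS_SCRIPT=1 set in the environment auditd provides, or drop the guard and the trailing `if` for a plain script. The fallback file is appended directly by the script, which is the property the MAC concern argues for: when syslogd is not trusted with the audit domain, the direct-write path can be kept and the logger path removed.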
