On Saturday 26 May 2007 09:49, Alexey Mikhailov wrote:
> On Friday 25 May 2007 22:04:34 Benjamin Lutz wrote:
> > On Friday 25 May 2007 01:22:21 Alexey Mikhailov wrote:
> > > [...]
> > > 2. As I said before, the initial subject of this project was
> > > "Distributed audit daemon". But after some discussions we had
> > > decided that this project can be done in a more general manner. We
> > > can perform distributed logging for any user-space app.
> > > [...]
> >
> > This sounds very similar to syslogd. Is it feasible to make dlogd a
> > drop-in replacement for syslogd, at least from a
> > syslog-using-program point of view?
>
> Our project concentrates on log shipping. We're paying most attention
> to secure and reliable log shipping. So our project differs from
> syslogd in a major way.
>
> But actually it could be possible for dlogd to be used by
> syslogd/syslog-ng for log shipping, as I see it.
The thing that bugs me most about syslog is not even the transport to remote syslogd instances; that's relatively easy to fix (put some SSL between the daemons, or use encrypted tunnels, etc). It's that when a process logs a syslog event, it can claim to be anything at all. Iirc, it can even give a bogus timestamp.

So what I was hoping for here is for auditd to come with a hook that intercepts syslog(3) calls, adds/validates pid, process name and timestamp, and then puts that information somewhere (some local log, a remote log, a line printer). It doesn't even have to give the information back to a syslogd daemon; whatever auditd uses for itself would be fine too.

What I'm hoping for here is some way to get a guarantee that the information in a log is actually correct. The way it is at the moment, syslog messages are way too trivial to spoof.

Anyway, this is just a feature wish :) I'm happy to see you work on auditd, whether or not it contains these syslog bits.

Cheers
Benjamin
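The receiving side of the hook Benjamin asks for can get the sender's pid and uid from the kernel rather than from the message text: on Linux, a Unix-domain socket with SO_PASSCRED set receives an SCM_CREDENTIALS record filled in by the kernel, which an unprivileged sender cannot forge. The example below is an added illustration, not code from this thread, from dlogd or from auditd; it assumes Linux (struct ucred, /proc/<pid>/comm), and the log line, the function names and the socketpair set-up are constructed for the demonstration. It parses the BSD syslog line for the claimed tag and pid, compares the claimed pid with the kernel-supplied one, records the receiver's own clock instead of the sender's timestamp, and looks up the real sender's process name.

```c
#define _GNU_SOURCE            /* struct ucred and SCM_CREDENTIALS are Linux-specific */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* One received log record together with the sender identity the kernel attached. */
struct verified_record {
    pid_t  claimed_pid;        /* pid the message text claims, -1 if none */
    pid_t  actual_pid;         /* from SCM_CREDENTIALS: set by the kernel, not by the sender */
    uid_t  actual_uid;
    int    pid_mismatch;       /* 1 when the text claims a pid the kernel does not confirm */
    time_t received_at;        /* receiver's own clock, used instead of the sender's timestamp */
    char   tag[64];            /* program name claimed in the text */
    char   actual_comm[64];    /* /proc/<pid>/comm of the real sender, "" if unreadable */
    char   text[512];          /* raw message as received */
};

/* The receiver must opt in before the kernel attaches credentials to datagrams. */
int enable_cred_passing(int fd)
{
    int one = 1;
    return setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof one);
}

/* Parse the BSD syslog line "<PRI>Mmm dd hh:mm:ss tag[pid]: msg"; fill tag, return claimed pid. */
static pid_t parse_claimed(const char *line, char *tag, size_t taglen)
{
    const char *p = strchr(line, '>');
    p = p ? p + 1 : line;
    if (strlen(p) > 16 && p[15] == ' ') p += 16;       /* skip "Mmm dd hh:mm:ss " */
    size_t n = strcspn(p, "[: ");
    if (n >= taglen) n = taglen - 1;
    memcpy(tag, p, n);
    tag[n] = '\0';
    return p[n] == '[' ? (pid_t)strtol(p + n + 1, NULL, 10) : -1;
}

/* Best-effort lookup of the real sender's process name (hypothetical helper, Linux /proc). */
static void read_comm(pid_t pid, char *out, size_t len)
{
    char path[64];
    out[0] = '\0';
    snprintf(path, sizeof path, "/proc/%ld/comm", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return;
    if (fgets(out, (int)len, f)) out[strcspn(out, "\n")] = '\0';
    fclose(f);
}

/* Receive one datagram and fill a record; returns 0 on success, -1 on error or if the
 * kernel attached no credentials (such a record is not trusted at all). */
int recv_verified(int fd, struct verified_record *r)
{
    union { char buf[CMSG_SPACE(sizeof(struct ucred))]; struct cmsghdr align; } ctl;
    struct msghdr mh;
    memset(r, 0, sizeof *r);
    struct iovec iov = { r->text, sizeof r->text - 1 };
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov; mh.msg_iovlen = 1;
    mh.msg_control = ctl.buf; mh.msg_controllen = sizeof ctl.buf;

    ssize_t n = recvmsg(fd, &mh, 0);
    if (n < 0) return -1;
    r->text[n] = '\0';
    r->received_at = time(NULL);
    r->actual_pid = -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct ucred uc;
            memcpy(&uc, CMSG_DATA(c), sizeof uc);
            r->actual_pid = uc.pid;
            r->actual_uid = uc.uid;
        }
    }
    if (r->actual_pid < 0) return -1;
    r->claimed_pid = parse_claimed(r->text, r->tag, sizeof r->tag);
    r->pid_mismatch = (r->claimed_pid != -1 && r->claimed_pid != r->actual_pid);
    read_comm(r->actual_pid, r->actual_comm, sizeof r->actual_comm);
    return 0;
}

/* Send one constructed line over a socketpair and receive it with verification. */
int roundtrip(const char *line, struct verified_record *r)
{
    int sv[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (enable_cred_passing(sv[0]) == 0 &&
        send(sv[1], line, strlen(line), 0) == (ssize_t)strlen(line))
        rc = recv_verified(sv[0], r);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    /* Constructed sample: the text claims to be sshd with pid 1, which this process is not. */
    const char *line = "<38>May 26 09:49:00 sshd[1]: session opened for user alice";
    struct verified_record r;
    char ts[32];
    if (roundtrip(line, &r) != 0) { perror("roundtrip"); return 1; }
    strftime(ts, sizeof ts, "%Y-%m-%dT%H:%M:%SZ", gmtime(&r.received_at));
    printf("%s claimed=%s[%ld] actual=%s[%ld] uid=%ld %s: %s\n", ts, r.tag, (long)r.claimed_pid,
           r.actual_comm, (long)r.actual_pid, (long)r.actual_uid,
           r.pid_mismatch ? "PID-MISMATCH" : "ok", r.text);
    return 0;
}
```

The design point is that nothing in the message body is trusted for identity or time: the tag and pid from the text are kept only as the sender's claim, and the record is refused outright when no kernel credentials arrive. A real /dev/log replacement would bind a datagram socket at that path instead of using a socketpair, but the receive path is the same.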