/etc/security/audit_warn -- where to log to by default?
Adam C. Migus
adam at migus.org
Thu Jan 27 00:26:59 GMT 2005
fergus wrote:
>On 26.01-13:07, Adam C. Migus wrote:
>[ ... ]
>
>
>>How about 1 syslogd process reading from multiple devices each with the
>>appropriate label implemented as a common label-aware syslogd process
>>that demonstrates the ability to read from multiple devices, each with
>>its own label but on the premise that before it reads the message from
>>device with label X it creates a child with label X which is capable of
>>processing the message(s) in question.
>>
>>
>
>this would have to be done in the userland process as it would
>be difficult to have the kernel monitor and manually switch
>the label based on message being accessed. and, if that were
>possible i don't see that we'd need multiple devices. if it
>is a userland function then it would be no different than
>giving the process the privilege to switch labels.
>
>perhaps i'm misunderstanding the suggestion.
>
>
>
Perhaps.
I'm thinking of a parent syslogd which indeed does have the ability to
switch labels and listens for log messages from a number of different
source devices (sockets, whatever) each with an appropriate label to
receive messages from a certain subset of processes (depending on label)
then upon getting a message it spawns a child with the label of the
device/message, to handle the read/write. That way the process with the
extra privilege doesn't actually see anything other than the fact that a
message is pending for a given label and roughly speaking you're
preserving the confidentiality/integrity of the data.
Does that make more (or any) sense? :-)
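
A sketch of the parent/child split described in the message above, added here as an example and not code from the thread or from TrustedBSD: the parent only polls labelled sources for readiness and forks one child per pending message, and only the child reads the data. The names `adopt_label`, `dispatch_once` and `demo`, the pipes standing in for labelled devices, and the "low"/"high" labels are all assumptions; the label switch itself is a stub.

```c
#include <poll.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct source { int fd; const char *label; };   /* one labelled log device */
/* Hypothetical hook: a MAC-aware build would switch the process label here
 * (the thread does not name an API). Stubbed so the sketch runs anywhere. */
static int adopt_label(const char *label) { (void)label; return 0; }

/* Child: drop the other sources, take the label, then do the read/write. */
static void child_handle(struct source *src, int nsrc, int i, int out) {
    char buf[256];
    for (int j = 0; j < nsrc; j++) if (j != i) close(src[j].fd);
    if (adopt_label(src[i].label) != 0) _exit(2);
    ssize_t n = read(src[i].fd, buf, sizeof buf);
    _exit(n > 0 && write(out, buf, (size_t)n) == n ? 0 : 1);
}

/* Parent: learns only that a message is pending (poll), never read()s it.
 * Returns how many messages children handled, or -1 on error. */
int dispatch_once(struct source *src, int nsrc, int out) {
    struct pollfd pfd[8];
    int handled = 0, status;
    if (nsrc < 1 || nsrc > 8) return -1;
    for (int i = 0; i < nsrc; i++)
        pfd[i] = (struct pollfd){ .fd = src[i].fd, .events = POLLIN };
    if (poll(pfd, (nfds_t)nsrc, 0) < 0) return -1;
    for (int i = 0; i < nsrc; i++) {
        if (!(pfd[i].revents & POLLIN)) continue;
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) child_handle(src, nsrc, i, out);   /* does not return */
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) handled++;
    }
    return handled;
}

/* Constructed demo: two labelled pipes, a message pending on "high" only.
 * Returns 1 when exactly that message came back through a child. */
int demo(void) {
    int low[2], high[2], out[2];
    char got[32] = {0};
    if (pipe(low) || pipe(high) || pipe(out)) return -1;
    struct source src[] = { { low[0], "low" }, { high[0], "high" } };
    if (write(high[1], "secret", 6) != 6) return -1;
    if (dispatch_once(src, 2, out[1]) != 1) return 0;
    return read(out[0], got, sizeof got - 1) == 6 && strcmp(got, "secret") == 0;
}
```

In this sketch the privileged parent touches only `poll()` results and exit statuses; the message bytes pass through the child alone.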