/etc/security/audit_warn -- where to log to by default?

Adam C. Migus adam at migus.org
Thu Jan 27 00:26:59 GMT 2005


fergus wrote:

>On 26.01-13:07, Adam C. Migus wrote:
>[ ... ]
>
>>How about 1 syslogd process reading from multiple devices each with the 
>>appropriate label implemented as a common label-aware syslogd process 
>>that demonstrates the ability to read from multiple devices, each with 
>>its own label but on the premise that before it reads the message from 
>>device with label X it creates a child with label X which is capable of 
>>processing the message(s) in question.
>
>this would have to be done in the userland process as it would
>be difficult to have the kernel monitor and manually switch
>the label based on message being accessed.  and, if that were
>possible i don't see that we'd need multiple devices.  if it
>is a userland function then it would be no different than
>giving the process the privilege to switch labels.
>
>perhaps i'm misunderstanding the suggestion.
>
Perhaps.

I'm thinking of a parent syslogd which indeed does have the ability to 
switch labels and listens for log messages from a number of different 
source devices (sockets, whatever) each with an appropriate label to 
receive messages from a certain subset of processes (depending on label) 
then upon getting a message it spawns a child with the label of the 
device/message, to handle the read/write.  That way the process with the 
extra privilege doesn't actually see anything other than the fact that a 
message is pending for a given label and roughly speaking you're 
preserving the confidentiality/integrity of the data.

Does that make more (or any) sense?  :-)
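
The design described in this message, modelled in Python as an added example that is not part of the original post or of any TrustedBSD code: a parent that only learns which labelled source has data pending, and a per-message child that takes on the label and does the read/write. `assume_label`, the label names and the pipe-backed log sinks are assumptions; a real implementation would change the child's MAC label at that point.

```python
import os
import select
import socket

def assume_label(label):
    """Hypothetical stand-in: a real child would change its MAC label
    here, before touching any message data."""
    return label

def handle_in_child(label, sock, sink_fd):
    """Fork a child that takes on `label`, reads one message, logs it."""
    pid = os.fork()
    if pid == 0:  # child: the only process that ever calls recv()
        status = 1
        try:
            assume_label(label)
            msg = sock.recv(4096)
            os.write(sink_fd, b"[" + label.encode() + b"] " + msg + b"\n")
            status = 0
        finally:
            os._exit(status)
    _, st = os.waitpid(pid, 0)
    return os.WIFEXITED(st) and os.WEXITSTATUS(st) == 0

def dispatch_pending(sources, sinks):
    """Parent side: select() reveals only which labels have data pending.
    sources maps label -> socket, sinks maps label -> log fd."""
    by_sock = {s: label for label, s in sources.items()}
    ready, _, _ = select.select(list(by_sock), [], [], 0)
    handled = []
    for s in ready:
        label = by_sock[s]
        if handle_in_child(label, s, sinks[label]):
            handled.append(label)
    return sorted(handled)

def demo():
    """Constructed input: two labelled sources, one pending message."""
    sources, writers, sinks, readers = {}, {}, {}, {}
    for label in ("low", "high"):  # made-up label names
        writers[label], sources[label] = socket.socketpair(
            socket.AF_UNIX, socket.SOCK_DGRAM)
        readers[label], sinks[label] = os.pipe()
    writers["high"].send(b"constructed audit message")
    handled = dispatch_pending(sources, sinks)
    # Reading the sink here only checks the demo; it plays the log file.
    return handled, os.read(readers["high"], 4096)

if __name__ == "__main__":
    print(demo())
```
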
