Re: PERFORCE change 92365 for review

From
Robert Watson <rwatson@FreeBSD.org>
Date
27 Feb 2006 13:40:07
Subject
Re: PERFORCE change 92365 for review
Message-ID
20060227133628.W52695@fledge.watson.org

On Sat, 25 Feb 2006, Christian S.J. Peron wrote:

>> @@ -795,7 +795,11 @@
>> }
>> }
>>
>> +#ifdef LOG_SECURITY
>> openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY);
>> +#else
>> + openlog("auditd", LOG_CONS | LOG_PID, LOG_AUTH);
>> +#endif
>> syslog(LOG_INFO, "starting...\n");
>>
>> if (debug == 0 && daemon(0, 0) == -1) {
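Review bot: the `#else` branch `+ openlog("auditd", LOG_CONS | LOG_PID, LOG_AUTH);` falls back to a facility that, on systems without LOG_SECURITY, typically lands in a world-readable log file, which defeats the reason for preferring LOG_SECURITY in the first place; LOG_AUTHPRIV, which Linux and Darwin provide for private authorization messages, is the better portable fallback, with LOG_AUTH only as a last resort when neither macro exists. The `#ifdef LOG_SECURITY` probe itself is sound because FreeBSD's <syslog.h> defines it as a macro, so the same compile-time test can be chained for LOG_AUTHPRIV before settling on LOG_AUTH.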
>
> In userspace, we are using LOG_AUTH | LOG_ERR to report audit failures, at
> least for login(1) and su(1). Might be a good idea to be consistent, anyway.

My general feeling has been that audit-related log material shouldn't go into
publicly readable logs. LOG_SECURITY works well for this on FreeBSD;
however, LOG_AUTHPRIV is probably the better place for the log messages to go
so that they don't enter a world-readable log file on other systems? This
looks like it will work on Linux and Darwin. On Solaris, there's a LOG_AUDIT,
which has the same underlying numeric value as LOG_SECURITY on FreeBSD.

Robert N M Watson
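The facility choice discussed above, written out as a compile-time fallback chain that prefers LOG_SECURITY, then LOG_AUTHPRIV, and only then LOG_AUTH. This is an added example, not code from the patch under review or from auditd itself; the `audit_*` helper names are assumptions made for the illustration.

```c
/*
 * Added example (not the patch's or auditd's own code): pick the most
 * private syslog facility the build host offers, so audit daemon messages
 * stay out of world-readable log files wherever the platform allows it.
 */
#include <syslog.h>

#if defined(LOG_SECURITY)            /* FreeBSD */
#define AUDIT_LOG_FACILITY      LOG_SECURITY
#define AUDIT_LOG_FACILITY_NAME "LOG_SECURITY"
#elif defined(LOG_AUTHPRIV)          /* Linux, Darwin */
#define AUDIT_LOG_FACILITY      LOG_AUTHPRIV
#define AUDIT_LOG_FACILITY_NAME "LOG_AUTHPRIV"
#else                                /* last resort: usually world-readable */
#define AUDIT_LOG_FACILITY      LOG_AUTH
#define AUDIT_LOG_FACILITY_NAME "LOG_AUTH"
#endif

/* Facility selected at compile time; a bare facility code, no priority bits. */
int
audit_log_facility(void)
{
	return (AUDIT_LOG_FACILITY);
}

/* Symbolic name of the selected facility, useful in a startup diagnostic. */
const char *
audit_log_facility_name(void)
{
	return (AUDIT_LOG_FACILITY_NAME);
}

/* Non-zero when the host offers a facility intended for private messages. */
int
audit_log_facility_is_private(void)
{
	return (AUDIT_LOG_FACILITY != LOG_AUTH);
}

/*
 * Open the log with the options the hunk uses (LOG_CONS | LOG_PID) and, when
 * running in the foreground for debugging, echo messages to stderr as well.
 */
void
audit_openlog(int debug)
{
	int options = LOG_CONS | LOG_PID;

#ifdef LOG_PERROR
	if (debug)
		options |= LOG_PERROR;
#endif
	openlog("auditd", options, AUDIT_LOG_FACILITY);
	syslog(LOG_INFO, "starting, facility %s", AUDIT_LOG_FACILITY_NAME);
}
```

Whichever facility is selected, the corresponding syslog.conf entry still decides the destination file and its permissions, so check that mapping on each target platform.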
