On Thu, 23.02.12 17:54, Rainer Gerhards ([email protected]) wrote:

> Hi,
>
> I am thinking on how to detect potential fake messages, claiming to be
> e.g. from the audit subsystem. Let's assume
> - auditd is stopped --> audit messages are put into the kernel log
> - journald controls /dev/kmsg and provides these via the journal
>   log socket to syslogd
I presume you mean /proc/kmsg here, not /dev/kmsg? Note that on F17 (and
most likely for much longer) systemd does not take control of /proc/kmsg
and leaves that to syslog-ng/rsyslog.

> - syslogd uses SCM_CREDENTIALS on the journald provided socket
>
> Question now: what pid will I see inside SCM_CREDENTIALS (0, 1, s/t
> else)? I assume I can use the pid to tell the difference between a
> real message and a faked one from some user process. Is that a correct
> assumption?

You will see systemd's own PID if we have no other sensible PID to fill
in. And if a message originates from the kernel we have no PID.

Lennart

--
Lennart Poettering - Red Hat, Inc.
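The receiver-side check Rainer is asking about, as an added example (not code from systemd, rsyslog or either poster): enable SO_PASSCRED on the receiving end of an AF_UNIX datagram socket and read the kernel-filled pid/uid/gid out of the SCM_CREDENTIALS control message. The socketpair and the sample log line are constructed for the demo; on a real journald-forwarded socket the pid would be journald's, per Lennart's reply, not the original sender's.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Sender credentials recovered from a SCM_CREDENTIALS control message. */
struct sender_creds {
    int found;   /* 1 if the kernel attached credentials to the datagram */
    pid_t pid;
    uid_t uid;
    gid_t gid;
};
/* Receive one datagram and pull the kernel-filled sender credentials out of
   the ancillary data. Returns bytes received, or -1 on error. */
int recv_with_creds(int fd, char *buf, size_t buflen, struct sender_creds *out)
{
    union { struct cmsghdr align; char data[CMSG_SPACE(sizeof(struct ucred))]; } ctrl;
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl.data, .msg_controllen = sizeof ctrl.data };
    memset(out, 0, sizeof *out);
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct ucred uc;
            memcpy(&uc, CMSG_DATA(c), sizeof uc);   /* pid/uid/gid set by the kernel */
            out->found = 1; out->pid = uc.pid; out->uid = uc.uid; out->gid = uc.gid;
        }
    }
    return (int)n;
}

/* Constructed demo: a local AF_UNIX datagram socketpair with SO_PASSCRED on the
   receiving end, so the kernel stamps each datagram with the sender's pid.
   Returns that pid (here our own), or -1 on error / no credentials. */
pid_t demo_local_sender_pid(void)
{
    int sv[2], one = 1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one);
    const char *line = "type=AVC audit(0.0:0): constructed sample line"; /* constructed */
    send(sv[0], line, strlen(line), 0);
    char buf[256]; struct sender_creds sc;
    pid_t result = (recv_with_creds(sv[1], buf, sizeof buf, &sc) > 0 && sc.found) ? sc.pid : -1;
    close(sv[0]); close(sv[1]);
    return result;
}
```

Because the kernel fills in these fields, an unprivileged sender cannot claim a pid other than its own (passing a foreign pid needs CAP_SYS_ADMIN), which is what makes the pid usable as evidence of where a message really came from.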
