[syslog-ng] Filtering using SO_PEERCRED

Simon Arlott simon at arlott.org
Fri Sep 21 18:55:33 CEST 2007


I've attached a patch that uses SO_PEERCRED to find the PID/UID/GID of the 
application using syslog. I wanted to be able to prevent users faking messages 
but at the same time not lose some of sshd's messages that are sent from a 
non-privileged process. The next step would be to send users' other messages 
to /home/$FROM_USER/syslog which would be owned by them - but owner(....) is 
only evaluated at startup...


Sample config:
	filter f_sshd { uid(0) and program("sshd"); };
	filter f_sshdu { not uid(0) and program("sshd") and pid(); }; #pid() checks PID in message is correct

	destination sshd { file("/var/log/sshd.$YEAR$MONTH"
		template("$DAY $HOUR:$MIN:$SEC $MSG\n") template-escape(no)); };
	log { source(local); filter(f_sshd); destination(sshd); };
	
	destination usshd { file("/var/log/sshd.$YEAR$MONTH"
		template("$DAY $HOUR:$MIN:$SEC $PROGRAM[$PID]: ($FROM_USER) $MSGONLY\n") template-escape(no)); };
	log { source(local); filter(f_sshdu); destination(usshd); };

* Allows log messages from sshd as root and from sshd as a user to be distinguished
* Further processing of the log can be assured of the authenticity of the message
* No need to restrict access to /dev/log and lose otherwise useful logging

Sample log:
	sshd[30955]: Connection from 0.0.0.0 port 0
	sshd[30955]: Failed none for nobody from 0.0.0.0 port 0 ssh2
	sshd[30955]: (nobody) Found matching DSA key: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
	sshd[30955]: (nobody) Found matching DSA key: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
	sshd[30955]: Accepted publickey for nobody from 0.0.0.0 port 0 ssh2
	sshd[30957]: (nobody) Connection closed by 0.0.0.0
	sshd[30957]: (nobody) Closing connection to 0.0.0.0

-- 
Simon Arlott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog-ng-2.0.5_peercred.patch
Type: text/x-patch
Size: 14126 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20070921/fc516c45/attachment.bin 