Subject: syslog && LOG_AUTHPRIV
To: None <firstname.lastname@example.org>
From: Luke Mewburn <email@example.com>
Date: 10/18/1994 15:00:24
The current version of syslogd (from 4.4BSD-lite?) has a facility
level `authpriv' - which is supposed to be like auth.* but only log to
a secure file (i.e., one that has perms of 600).
Unfortunately, the current syslog.conf doesn't support the use of
this, which means you often get messages in /var/log/messages like:
4 login failures from foo.bar.com
4 login failures from foo.bar.com, ner
The latter message shouldn't appear in a world readable file...
The solution is to change syslog.conf so that it looks something like:
(So that *.notice for /var/log/messages explicitly ignores any
authpriv stuff, and authpriv stuff goes to /var/log/secure, which has
permissions like 600...)
If you do this, don't forget to change /etc/newsyslog.conf so that
/var/log/secure gets rotated similarly to /var/log/messages, but of
course, the backup files get perms of 600...
PS: files like wtmp, messages, and maillog should get a default
install permission of 600 not 664... Maybe the mtree stuff in
/usr/src/etc needs hacking for this too...
Luke Mewburn, <firstname.lastname@example.org>
`Think of it as Evolution in Action.' - "Oath of Fealty", Niven & Pournelle
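
The change described in the message above, as an added example that is not part of the original post: a constructed "before" and "after" syslog.conf, plus a check that lists which files still receive authpriv messages and whether each is private. The selector lines, the function names and the mail/kern entries are assumptions made for illustration; only /var/log/messages, /var/log/secure and the 600 mode come from the message.

```shell
#!/bin/sh
# Added example; the configs below are constructed, not the poster's files.
# Traditional syslogd expects tabs between selector and action; spaces are
# used here only for readability.
BEFORE='
*.notice;kern.debug;mail.crit   /var/log/messages
mail.info                       /var/log/maillog
'
AFTER='
*.notice;kern.debug;mail.crit;authpriv.none   /var/log/messages
authpriv.*                                    /var/log/secure
mail.info                                     /var/log/maillog
'

# Print every file action whose selectors still match authpriv.
# Selectors are applied left to right, so a later "authpriv.none"
# cancels an earlier "*.level". Any level other than "none" counts.
authpriv_targets() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      action = $NF; on = 0
      n = split($1, sel, ";")
      for (i = 1; i <= n; i++) {
        dot = match(sel[i], /\.[^.]*$/)      # position of the last "."
        if (!dot) continue
        level = substr(sel[i], dot + 1)
        m = split(substr(sel[i], 1, dot - 1), fac, ",")
        for (j = 1; j <= m; j++)
          if (fac[j] == "*" || fac[j] == "authpriv") on = (level != "none")
      }
      if (on && action ~ /^\//) print action
    }'
}

# Succeed only if the file exists and has no group or other read bit.
is_private() {
  [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# Report each authpriv target of a config (passed as text) with its status.
audit() {
  printf '%s\n' "$1" | authpriv_targets | while read -r f; do
    if is_private "$f"; then echo "ok     $f"; else echo "CHECK  $f"; fi
  done
}
echo "before:"; audit "$BEFORE"
echo "after:";  audit "$AFTER"
```

CHECK means the target is missing or readable by group or others; to audit a live system, pass the contents of /etc/syslog.conf to audit instead of the constructed text.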