Subject: syslog && LOG_AUTHPRIV
To: None <current-users@netbsd.org>
From: Luke Mewburn <lm@melb.cpr.itg.telecom.com.au>
List: current-users
Date: 10/18/1994 15:00:24
The current version of syslogd (from 4.4BSD-lite?) has a facility
level `authpriv' - which is supposed to be like auth.* but only log to
a secure file (i.e., one that has perms of 600).

Unfortunately, the current syslog.conf doesn't support the use of
this, which means you often get messages in /var/log/messages like:
	4 login failures from foo.bar.com
	4 login failures from foo.bar.com, ner

The latter message shouldn't appear in a world readable file...


The solution is to change syslog.conf so that it looks something like:

*.err;kern.debug;auth.notice;authpriv.none	/dev/console
*.notice;kern.debug;lpr,auth.info;authpriv.none	/var/log/messages
authpriv.info					/var/log/secure
mail.info					/var/log/maillog
lpr.info					/var/log/lpd-errs
cron.info					/var/cron/log
*.notice;auth.debug				root
*.emerg						*

(So that *.notice for /var/log/messages explicitly ignores any
authpriv stuff, and authpriv stuff goes to /var/log/secure, which has
permissions like 600...)
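Added here as an example, not code from the post or from NetBSD: a small model of the syslog.conf selector rules the configuration above relies on. It takes the fixed config and a constructed pre-fix variant (the same lines without the authpriv entries) and shows which actions an authpriv message reaches, assuming login records its failure message at notice priority.

```python
"""Which syslog.conf actions receive a given facility.priority message?
Added example, not NetBSD syslogd code; it models the selector rules the post
relies on: `;`-joined facility.level selectors, comma-joined facilities, `*`,
`.none`, later selectors on a line overriding earlier ones, and a message
matching when its priority is the named level or more severe."""

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed: the post's fixed syslog.conf (real files use tabs; any whitespace
# is accepted here) and a pre-fix variant with the authpriv entries removed.
NEW_CONF = """
*.err;kern.debug;auth.notice;authpriv.none      /dev/console
*.notice;kern.debug;lpr,auth.info;authpriv.none /var/log/messages
authpriv.info                                   /var/log/secure
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.info                                       /var/cron/log
*.notice;auth.debug                             root
*.emerg                                         *
"""
OLD_CONF = "\n".join(l for l in NEW_CONF.replace(";authpriv.none", "").splitlines()
                     if not l.startswith("authpriv"))

def parse_line(line):
    """Return ([(facilities, level), ...], action), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selector_field, action = line.split(None, 1)
    selectors = []
    for sel in selector_field.split(";"):
        facilities, level = sel.rsplit(".", 1)
        selectors.append((facilities.split(","), level))
    return selectors, action

def selector_accepts(selectors, facility, priority):
    """Left to right, the last selector naming the facility sets its threshold."""
    threshold = None  # None: this line does not log the facility at all
    for facilities, level in selectors:
        if facility in facilities or "*" in facilities:
            threshold = None if level == "none" else PRIORITIES.index("debug" if level == "*" else level)
    return threshold is not None and PRIORITIES.index(priority) <= threshold

def actions_receiving(config, facility, priority):
    """Every action (file, device, user, `*`) the message would be written to."""
    parsed = filter(None, (parse_line(raw) for raw in config.splitlines()))
    return [action for sels, action in parsed if selector_accepts(sels, facility, priority)]

def file_leaks(config, secure_file, facility="authpriv", priority="notice"):
    """Regular log files other than secure_file that still receive authpriv messages."""
    return [a for a in actions_receiving(config, facility, priority)
            if a.startswith("/") and not a.startswith("/dev/") and a != secure_file]
```

Running `file_leaks` against a live syslog.conf, and then checking the mode of each file it returns, is the check worth adding to a host audit after this change.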

If you do this, don't forget to change /etc/newsyslog.conf so that
/var/log/secure gets rotated similar to /var/log/messages, but of
course, the backup files get perms of 600...

PS: files like wtmp, messages, and maillog should get a default
install permission of 600 not 664... Maybe the mtree stuff in
/usr/src/etc needs hacking for this too...

-- 
Luke Mewburn, <lm@cpr.itg.telecom.com.au>
`Think of it as Evolution in Action.' - "Oath of Fealty", Niven & Pournelle