Hi,

I am thinking about how to detect potential fake messages, claiming to be e.g. from the audit subsystem. Let's assume:

- auditd is stopped --> audit messages are put into the kernel log
- journald controls /dev/kmsg and provides these via the journal log socket to syslogd
- syslogd uses SCM_CREDENTIALS on the journald-provided socket

Question now: what pid will I see inside SCM_CREDENTIALS (0, 1, s/t else)? I assume I can use the pid to tell the difference between a real message and a faked one from some user process. Is that a correct assumption?

Thanks,
Rainer

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
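Added example, not part of the original post and not systemd or syslogd code: how a receiver on an AF_UNIX datagram socket enables SO_PASSCRED and reads the kernel-attached pid/uid/gid from the SCM_CREDENTIALS control message, independent of what the payload claims. The socketpair, the forked sender and the audit-looking payload are constructed for illustration (Linux only); the pid that journald's own socket would report is not covered here.

```python
import os
import socket
import struct

UCRED = struct.Struct("3i")  # Linux struct ucred: pid, uid, gid


def recv_with_creds(sock, bufsize=8192):
    """Receive one datagram plus the sender credentials attached by the kernel."""
    data, ancdata, flags, _ = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    if flags & socket.MSG_CTRUNC:
        raise OSError("control data truncated, credentials unusable")
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return (data,) + UCRED.unpack(cdata[:UCRED.size])
    # No credentials arrived (SO_PASSCRED not enabled on this socket).
    return data, None, None, None


def demo():
    """A child process sends a constructed audit-looking line; the parent
    reads which pid/uid actually sent it."""
    rx, tx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    # Enable on the receiving socket before any message is sent.
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    child = os.fork()
    if child == 0:
        rx.close()
        # Constructed payload: the text imitates an audit record.
        tx.send(b"<5>type=USER_LOGIN msg=audit(0.000:1): constructed sample")
        os._exit(0)
    tx.close()
    data, pid, uid, gid = recv_with_creds(rx)
    os.waitpid(child, 0)
    rx.close()
    return data, pid, uid, child


if __name__ == "__main__":
    data, pid, uid, child = demo()
    print("payload:", data.decode())
    print("sender pid=%d uid=%d (child was %d)" % (pid, uid, child))
```

The credentials come from the kernel's view of the sending process, so they identify the process that wrote to the socket rather than whatever origin the message text asserts.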
