[systemd-devel] trust of kernel messages re-routed via journald

Rainer Gerhards rgerhards at gmail.com
Thu Feb 23 08:54:03 PST 2012


I am thinking on how to detect potential fake messages, claiming to be
e.g. from the audit subsystem. Let's assume
- auditd is stopped --> audit messages are put into the kernel log
- journald controls /dev/kmsg and provides these via the the journal
log socket to syslogd
- syslogd uses SCM_CREDENTIALS on the journald provided socket

Question now: what pid will I see inside SCM_CREDENTIALS (0, 1, s/t
else)? I assume I can use the pid to tell the difference between a
real message and a faked one from some user process. Is that a correct


More information about the systemd-devel mailing list