[systemd-devel] trust of kernel messages re-routed via journald

Rainer Gerhards rgerhards at gmail.com
Thu Feb 23 08:54:03 PST 2012


Hi,

I am thinking on how to detect potential fake messages, claiming to be
e.g. from the audit subsystem. Let's assume
- auditd is stopped --> audit messages are put into the kernel log
- journald controls /dev/kmsg and provides these via the journal
log socket to syslogd
- syslogd uses SCM_CREDENTIALS on the journald provided socket

Question now: what pid will I see inside SCM_CREDENTIALS (0, 1, s/t
else)? I assume I can use the pid to tell the difference between a
real message and a faked one from some user process. Is that a correct
assumption?

Thanks,
Rainer


More information about the systemd-devel mailing list