Erlend Leganger wrote:
> Just FYI, I know that within NATO, you can get C2 certification by using an
> evaluated version of Solaris (the latest is Solaris 8 02/02) and then set it
> up according to the Security Release Notes:
> This includes a lot of settings (and also BSM), but is pretty
> straightforward. You are stuck with Solaris 8 though.
> See for more details.
> - Erlend Leganger

syslogd is just a messaging system; it does not log any detail at all.
Applications and programs send messages to syslogd using either the
logger application or the syslog API.
syslog.conf specifies where each class of log is sent to by syslogd.
You need to configure applications using syslogd to make use of their
syslog API functions.
For example, inetd can have connection tracking reported to syslog with
the necessary switch, ftpd can log more detail with the necessary
switch, and ssh has some config options to vary the detail reported via
the syslog API.
syslog is not C2; it is basic security logging.

Don't even consider process accounting for security logging!

C2 security logging, i.e. BSM in Solaris, assigns a tracking number to a
user when they log in. Every event they carry out, even when they switch
user, is logged against that tracking number. Creation and deletion of
files, updates, anything that requires a kernel system call is recorded
through BSM against that tracking ID.
Yes, it consumes lots of resources, up to 10% of CPU based on a box being
properly utilised, and potentially many gigabytes of data a day of
logging information.
BSM is no good on its own, as no human could possibly review this vast
amount of data, and should be used in conjunction with a product such as
ISS RealSecure to pull the data off and analyse it in real time.

Regards, Peter
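The routing rule Peter describes, "syslog.conf specifies where each class of log is sent to by syslogd", as an added example that is not part of either post: a small Python model of classic BSD/Solaris selector semantics (a level matches itself and everything more severe, `none` excludes a facility, later selectors on a line override earlier ones). The syslog.conf fragment, its file names and the `loghost` name are constructed for this example; a facility/level pair that no selector covers is simply dropped, which is the gap between "basic security logging" and an audit trail.

```python
# Severity levels in <syslog.h> order: index 0 is most severe. A selector such
# as "auth.notice" accepts that level and everything more severe than it.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron"] + [f"local{i}" for i in range(8)]

# Constructed syslog.conf fragment in the Solaris default layout; the
# actions (files, users, "@loghost") are made up for this example.
SAMPLE_CONF = """\
*.err;kern.notice;auth.notice\t/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
*.alert;kern.err;daemon.err\toperator
*.alert\troot
*.emerg\t*
auth.info\t/var/log/authlog
mail.debug\t/var/log/syslog
*.info;auth.none\t@loghost
"""

def parse_selectors(selectors):
    """Map each facility named in 'fac1,fac2.level;...' to the least severe
    level index it accepts, or None when 'none' excludes the facility.
    Later selectors on the same line override earlier ones, as in syslogd."""
    table = {}
    for part in selectors.split(";"):
        facs, dot, level = part.rpartition(".")
        if not dot or not facs:
            raise ValueError(f"bad selector: {part!r}")
        level = level.lower()
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            table[fac] = None if level == "none" else LEVELS.index(level)
    return table

def parse_conf(text):
    """Return a list of (facility table, action) pairs, one per config line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        selectors, action = line.split(None, 1)  # selector list, then action
        rules.append((parse_selectors(selectors), action))
    return rules

def route(rules, facility, level):
    """Actions that receive a message of the given facility and level. An
    empty list means syslogd discards the message: no detail is kept at all."""
    sev = LEVELS.index(level)
    return [action for table, action in rules
            if table.get(facility) is not None and sev <= table[facility]]

RULES = parse_conf(SAMPLE_CONF)
```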