syslog¶
Intro¶
syslog - writes to system log.
Description¶
The syslog() function allows the calling process to make a system logging request. It passes the message pointed to by bufp, of length len, to the appropriate logging utility. type is a priority value as described in syslog(3).
Syslog is a convenient API to report system events. It is used in kernel and user space. However, no authentication or encryption is used and any user can access syslog, so it is insecure for sensitive and critical information.
Arguments¶
type
:int
- Type of message to log.bufp
:char*
[U] - Pointer to the message to be written to syslog.len
:int
- Length of message.
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
do_syslog¶
Type¶
Kprobe.
Purpose¶
Monitors syscall execution and collects arguments given by the user.
Example Use Case¶
Syslog can be used to log errors and warnings in applications. For example, if an application experiences an error, it may log this error to syslog so that it can be monitored and tracked.
Issues¶
User data can be easily accessed by any user since there is no authentication or encryption used, making it vulnerable to malicious users.
Related Events¶
- syslog_imageinit - Linking an image in the kernel for log reporting.
- syslog_device - Linking a syslog device for log reporting.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.