# The client writes a message to Sys::Syslog native method.
# The syslogd writes it into a file and through a pipe.
# The syslogd passes it via UDP to the loghost.
# The server receives the message on its UDP socket.
# Find the message in client, file, syslogd, server log.
# Check fstat for the parent and child process.
# Check ktrace for setting the correct uid and gid and exec priv.

use strict;
use warnings;

# Expected syslogd log lines: no " -F " at all, " -d " at least once and
# the privileged parent reporting "fork+exec done" exactly once.
my %loggrep_of = (
    qr/ -F /                        => 0,
    qr/ -d /                        => '>=1',
    qr/\[priv\]: fork\+exec done/   => 1,
);

# Open-file expectations taken from fstat(1) output.  The root parent is
# expected to hold its working directory and one unix stream socket on
# fd 3 only - no "root /" entry, no kqueue, no internet socket and no
# descriptor numbered 4 or higher - while the _syslogd child is expected
# to show the "root /" entry, a kqueue and two internet sockets.
my %fstat_of = (
    qr/^root .* wd /                                => 1,
    qr/^root .* root /                              => 0,
    qr/^root .* kqueue /                            => 0,
    qr/^root .* internet/                           => 0,
    qr/^root .* 3\* unix stream/                    => 1,
    qr/^root +syslogd +\d+ +([4-9]|\d\d)/           => 0,
    qr/^_syslogd .* wd /                            => 1,
    qr/^_syslogd .* root /                          => 1,
    qr/^_syslogd .* kqueue /                        => 1,
    qr/^_syslogd .* internet/                       => 2,
);

# System-call expectations taken from ktrace: one setresuid and one
# setresgid call each showing "_syslogd" three times, no setsid call,
# two execve returns (the fork+exec of the unprivileged child) and one
# argv element equal to "-P".
my %ktrace_of = (
    qr/syslogd CALL setresuid(.*"_syslogd".*){3}/   => 1,
    qr/syslogd CALL setresgid(.*"_syslogd".*){3}/   => 1,
    qr/syslogd CALL setsid/                         => 0,
    qr/syslogd RET execve JUSTRETURN/               => 2,
    qr/\[\d\] = "-P"/                               => 1,
);

# Test description consumed by the harness; the pipe and tty checks are
# switched off for this scenario.
our %args = (
    syslogd => {
        options   => ["-u"],
        up        => qr/fork\+exec done/,
        nopipe    => 1,
        noconsole => 1,
        nouser    => 1,
        loggrep   => \%loggrep_of,
        fstat     => \%fstat_of,
        ktrace    => \%ktrace_of,
    },
    pipe => { nocheck => 1 },
    tty  => { nocheck => 1 },
);

1;