# Start syslogd in foreground mode. # The client writes a message to Sys::Syslog native method. # The syslogd writes it into a file and through a pipe. # The syslogd passes it via UDP to the loghost. # The server receives the message on its UDP socket. # Find the message in client, file, syslogd, server log. # Check fstat for the parent and child process. # Check ktrace for setting the correct uid and gid. # Check that stdio is dupped to /dev/null. use strict; use warnings; our %args = ( syslogd => { foreground => 1, loggrep => { qr/ -F / => 1, qr/ -d / => 0, }, fstat => { qr/^root .* wd / => 1, qr/^root .* root / => 0, qr/^root .* [012] .* null$/ => 3, qr/^root .* kqueue / => 0, qr/^root .* internet/ => 0, qr/^_syslogd .* wd / => 1, qr/^_syslogd .* root / => 1, qr/^_syslogd .* [012] .* null$/ => 3, qr/^_syslogd .* kqueue / => 1, qr/^_syslogd .* internet/ => 2, }, ktrace => { qr/CALL setresuid(.*"_syslogd".*){3}/ => 2, qr/CALL setresgid(.*"_syslogd".*){3}/ => 2, qr/CALL setsid/ => 0, }, }, pipe => { nocheck => 1, }, ); 1;