On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: > Hi, > > I see it many times before, but never take a time to post about it. > > Scrips in /etc/periodic are grepping logs for yesterday date, but > without specifying year (because some logs do not have year logged). > > This results in false positive alerts in security e-mails from our > lightly loaded servers, where logs are not enough rotated. > > For example /var/log/auth.log is 62KB (838 lines) and contains entries > for almost 2 years. > > Today I get following alert: > > Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx > Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx > Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx > Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx > > (hostname and IP are replaced by X) > > But looking in to auth.log I found zero entries from yesterday - Feb 15 > entries were logged 1 year ago! > > So I propose to set all daemons / syslog to log year too (as %Y) and > change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b > %e %Y"` in periodic scripts. > > The affected scripts are: > 460.status-mail-rejects > 470.status-named > 800.loginfail > 900.tcpwrap > > Maybe some others, I did just a quick grep -rsn 'date -v-1d' > /etc/periodic and I don't know the logic used in other script to get > yesterday messages. > > What do you think about it? >
Rotating the appropriate logs daily/weekly/monthly/whatever will silence these false alarms. Glen _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
