Sergey Kandaurov wrote:
2012/2/16 Miroslav Lachman<000.f...@quip.cz>:
Hi,
I have seen it many times before, but never took the time to post about it.
Scripts in /etc/periodic are grepping logs for yesterday's date, but without
specifying the year (because some logs do not have the year logged).
This results in false positive alerts in the security e-mails from our lightly
loaded servers, where logs are not rotated often enough.
For example /var/log/auth.log is 62KB (838 lines) and contains entries for
almost 2 years.
Today I got the following alert:
Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
(hostname and IP are replaced by X)
But looking into auth.log I found zero entries from yesterday - the Feb 15
entries were logged 1 year ago!
So I propose to set all daemons / syslog to log the year too (as %Y) and to change
yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in the
periodic scripts.
The affected scripts are:
460.status-mail-rejects
470.status-named
800.loginfail
900.tcpwrap
Maybe some others; I only did a quick grep -rsn 'date -v-1d' /etc/periodic
and I don't know the logic used in the other scripts to get yesterday's messages.
What do you think about it?

This is how the traditional BSD syslog was designed (and standardized
by RFC 3164). It has a timestamp of fixed format: "Mmm dd hh:mm:ss".
In the IETF this RFC is marked obsolete and replaced with RFC 5424, with a
different timestamp format in ISO 8601 form. FreeBSD doesn't implement
5424 yet. An almost complete implementation was done in NetBSD in that
regard in 2008. Before the RFC 5424 changes, NetBSD had a pretty similar
syslogd source, so if one could analyze and port those changes to FreeBSD,
that would be pretty nice.

Thank you for pointing this out. It would be the right step forward.
Unfortunately I am not a C developer, so I cannot port it myself.
Miroslav Lachman
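The false positive described in the quoted report, reproduced on a constructed auth.log as an added example (not part of this thread, nor code from FreeBSD's periodic scripts): the month-day-only grep the scripts use today, next to a year-aware match that infers each line's year from the append order of the log. The sample lines, hostnames and addresses are constructed, and the year inference assumes the newest line is from the current year.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log. BSD syslog (RFC 3164) timestamps carry
# no year, and this lightly rotated file spans Feb 2011 to Feb 2012, newest last.
SAMPLE_LOG='Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Jun  3 01:12:44 host sshd[12345]: Accepted publickey for admin from 192.0.2.20
Nov 30 08:00:01 host sshd[22222]: Invalid user oracle from 198.51.100.7
Jan  9 12:00:00 host sshd[33333]: Accepted publickey for admin from 192.0.2.20
Feb 14 23:59:59 host sshd[44444]: Invalid user test from 198.51.100.9
Feb 16 07:30:00 host sshd[55555]: Accepted publickey for admin from 192.0.2.20'

# What the periodic scripts do today: anchor on "Mmm dd " only, so a line from
# any year with that month and day counts as "yesterday".
# $1 = yesterday as "Mmm dd" (the scripts get it from: date -v-1d "+%b %e")
naive_yesterday_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "^$1 "
}

# Year-aware alternative that needs no syslogd change: lines are appended in
# time order, so the month number going backwards between two consecutive
# lines marks a year rollover. Assume the newest line belongs to the current
# year, derive each line's year from that, and match the full date.
# Caveat: a silent gap of twelve months or more hides a rollover.
# $1 = yesterday as "Mmm dd YYYY", $2 = current year (year of the newest line)
yearaware_yesterday_hits() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v want="$1" -v now="$2" '
        { name[NR] = $1; day[NR] = $2
          mo[NR] = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3 }
        END {
            year = now
            # count rollovers from the newest line back to line 1
            for (i = 2; i <= NR; i++) { if (mo[i] < mo[i-1]) year-- }
            # walk forward again, assigning a year to each line
            for (i = 1; i <= NR; i++) {
                if (i > 1 && mo[i] < mo[i-1]) year++
                if (sprintf("%s %2d %d", name[i], day[i], year) == want) n++
            }
            print n + 0
        }'
}

printf 'naive grep for "Feb 15":            %s\n' "$(naive_yesterday_hits "Feb 15")"
printf 'year-aware match for "Feb 15 2012": %s\n' "$(yearaware_yesterday_hits "Feb 15 2012" 2012)"
```

On this sample the naive grep reports two "yesterday" failures that are really a year old, while the year-aware match reports none, which is exactly the discrepancy in the quoted report.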
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security