Gary Palmer wrote:
On Thu, Feb 16, 2012 at 02:01:24PM -0500, Glen Barber wrote:
On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote:
Glen Barber wrote:
On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
Hi,

I have seen it many times before, but never took the time to post about it.

Scripts in /etc/periodic are grepping logs for yesterday's date, but
without specifying the year (because some logs do not have the year logged).

This results in false positive alerts in security e-mails from our
lightly loaded servers, where logs are not rotated often enough.

For example, /var/log/auth.log is 62KB (838 lines) and contains entries
for almost 2 years.

Today I got the following alert:

Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx

(hostname and IP are replaced by X)

But looking into auth.log, I found zero entries from yesterday - the Feb 15
entries were logged 1 year ago!

So I propose to set all daemons / syslog to log the year too (as %Y) and
change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
in the periodic scripts.

The affected scripts are:
460.status-mail-rejects
470.status-named
800.loginfail
900.tcpwrap

Maybe some others; I did just a quick grep -rsn 'date -v-1d'
/etc/periodic and I don't know the logic used in other scripts to get
yesterday's messages.

What do you think about it?


Rotating the appropriate logs daily/weekly/monthly/whatever will silence
these false alarms.

My post was not about "how can I fix it locally", but what should be done
in the FreeBSD distribution, because these false alerts were made by the
default FreeBSD configuration (a coincidence of newsyslog settings,
periodic scripts and log format).


IMHO, this isn't something the FreeBSD installation can "guess" as a
suitable default, but up to the administrator to define what is
appropriate for their system.

Whether or not the administrator tunes their setup to meet their
requirements, the default newsyslog.conf should not allow these
alerts to happen by enforcing a minimum of 1 roll over per year.

Miroslav, please file a bug report requesting newsyslog.conf be updated
to mitigate this problem.

PR submitted as conf/165331, but 1 roll over per year will not fix it. As I wrote in another message in this thread, the script 800.loginfail is reading all archived logs on disk:

catmsgs() {
        find ${LOG} -name 'auth.log.*' -mtime -2 |
            sort -t. -r -n -k 2,2 |
            while read f
            do
                case $f in
                    *.gz)       zcat -f $f;;
                    *.bz2)      bzcat -f $f;;
                esac
            done
        [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}

The fix must ensure that there will not be any file (including compressed) with entries older than 364 days.

Miroslav Lachman
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
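The false positive discussed in this thread, reproduced as an added example (not code from the thread or from FreeBSD's periodic scripts): a simplified stand-in for the 800.loginfail check is run over constructed auth.log lines, first with the year-less "%b %e " prefix and then with a year-bearing prefix. "Yesterday" is fixed to Feb 15 2012 rather than computed with the BSD-only `date -v-1d`, and the position of %Y in the year-bearing format is an assumption.

```sh
#!/bin/sh
# Constructed sample log lines; host, PIDs and addresses are made up.
LOG_NO_YEAR=$(mktemp)     # default syslog format: no year in the timestamp
LOG_WITH_YEAR=$(mktemp)   # assumed format with %Y inserted after %e
trap 'rm -f "$LOG_NO_YEAR" "$LOG_WITH_YEAR"' EXIT

cat >"$LOG_NO_YEAR" <<'EOF'
Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Feb 16 01:12:00 host sshd[90001]: Accepted publickey for admin from 192.0.2.20
EOF

cat >"$LOG_WITH_YEAR" <<'EOF'
Feb 15 2011 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 2011 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Feb 16 2012 01:12:00 host sshd[90001]: Accepted publickey for admin from 192.0.2.20
EOF

# Simplified stand-in for the 800.loginfail check: count "Invalid user"
# lines whose timestamp begins with the given "yesterday" prefix.
#   $1 = log file, $2 = prefix as produced by `date -v-1d "+<format>"`
# `grep -c` exits 1 when it prints 0, so `|| true` keeps the pipeline green.
loginfail_count() {
    grep -- "^$2" "$1" | grep -c 'Invalid user' || true
}

# Current scripts: prefix "%b %e " carries no year, so the two lines
# that were logged a year earlier are reported as yesterday's failures.
no_year_hits=$(loginfail_count "$LOG_NO_YEAR" 'Feb 15 ')

# Proposed fix: prefix "%b %e %Y" only matches entries from the right year.
with_year_hits=$(loginfail_count "$LOG_WITH_YEAR" 'Feb 15 2012')

echo "without year: $no_year_hits failed logins reported (all from 2011)"
echo "with year:    $with_year_hits failed logins reported"
```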
