Date: Sat, 18 Feb 2012 23:25:41 -0500
From: Jason Hellenthal
To: Robert Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year

On Sat, Feb 18, 2012 at 04:35:20PM -0500, Robert Simmons wrote:
> On Fri, Feb 17, 2012 at 6:56 PM, Roger Marquis wrote:
> > I don't personally recall a time when everything else wasn't logging the
> > year, in one format or another. That's not to imply that syslogs
> > shouldn't be distinguishable by year but the question seems to be where
> > the year should be logged, A) on every line or B) in the archive file
> > name.
>
> There already is a standard, RFC 5424:
> freebsd-security@freebsd.org
>
> You are asking, should we make our own decision to do this totally
> differently than the standard set in that RFC, or should we implement
> that RFC?
>
> Another option is to do nothing and stick with the way it is.
>
> I think the way to proceed would be to implement RFC 5424, and have it
> as a switch in rc.conf, something like:
>
> syslogd_flags="-x"
> where x is the new switch that would enable RFC5424 style logging.

How about an environment variable that login.conf could be adjusted for, so
in case something else wants to benefit from similar behavior it can just
look for that too? Similar to how BLOCKSIZE works. After all, this is an
environmental change.

>
> This would be optional for now. Then with FreeBSD 10, 5424 would
> become the default with the option now being a flag -y to enable old
> style logging for backwards compatibility.
>
> > I suspect it was not common practice to leave logs on the server for more
> > than a year when Allman originally wrote syslog, and I have not seen an
> > environment where logs are left in /var/log for over a year. Personally,
> > I would rather see FreeBSD stay backwards compatible and A) leave the
> > syslog timestamp format alone instead opting for KIS by simply writing
> > the year in the archive file name rather than wasting 5 bytes on every
> > line of every syslog log file. YMMV.
>
> It really shouldn't be a common practice, but we live in a world where
> governments are forcing data retention laws. It is an unfortunate
> reality that needs to be dealt with.
> http://en.wikipedia.org/wiki/Telecommunications_data_retention
>
> Also, I'm not sure I follow the logic behind some of the people on
> this list saying not to implement this at all. It should be an option
> for now, then the default on the other side of a major OS version with
> the old way then available as an option. This seems the most rational
> path to take.
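The ambiguity this thread is arguing about, as an added example that is not part of the original message or of FreeBSD's own scripts: traditional syslog lines carry no year, so selecting one day's entries from a log kept longer than twelve months also returns the same day of the previous year, while an RFC 5424 timestamp can be matched on the full date. The sample log lines, host name and function names are constructed for illustration.

```python
import re
from datetime import date, datetime

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Constructed sample data: two failed logins on the same calendar day, one
# year apart, as they would sit in a log kept for more than twelve months.
BSD_LINES = [
    "Feb 17 03:01:12 host sshd[811]: Failed password for root from 192.0.2.10",  # written in 2011
    "Feb 17 03:04:40 host sshd[902]: Failed password for root from 192.0.2.77",  # written in 2012
]
RFC5424_LINES = [
    "<38>1 2011-02-17T03:01:12Z host sshd 811 - - Failed password for root from 192.0.2.10",
    "<38>1 2012-02-17T03:04:40Z host sshd 902 - - Failed password for root from 192.0.2.77",
]

# An RFC 5424 header starts: <PRI>VERSION SP TIMESTAMP SP HOSTNAME ...
RFC5424_HEAD = re.compile(r"^<\d{1,3}>1 (\S+) ")


def bsd_entries_for(lines, day):
    """Traditional format: the only key available is the 'Mon DD ' prefix."""
    prefix = f"{MONTHS[day.month - 1]} {day.day:2d} "
    return [line for line in lines if line.startswith(prefix)]


def rfc5424_entries_for(lines, day):
    """RFC 5424 format: the timestamp carries the year, so match the full date."""
    hits = []
    for line in lines:
        m = RFC5424_HEAD.match(line)
        if not m or m.group(1) == "-":      # "-" is the NILVALUE timestamp
            continue
        stamp = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        if stamp.date() == day:             # compared in the stamp's own offset
            hits.append(line)
    return hits


if __name__ == "__main__":
    day = date(2012, 2, 17)
    print("traditional:", len(bsd_entries_for(BSD_LINES, day)), "lines")
    print("RFC 5424:   ", len(rfc5424_entries_for(RFC5424_LINES, day)), "lines")
```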