Date: Thu, 16 Feb 2012 18:04:34 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> To: freebsd-security@freebsd.org Subject: periodic security run output gives false positives after 1 year Message-ID: <4F3D3722.2000904@quip.cz>
next in thread | raw e-mail | index | archive | help
Hi, I see it many times before, but never take a time to post about it. Scrips in /etc/periodic are grepping logs for yesterday date, but without specifying year (because some logs do not have year logged). This results in false positive alerts in security e-mails from our lightly loaded servers, where logs are not enough rotated. For example /var/log/auth.log is 62KB (838 lines) and contains entries for almost 2 years. Today I get following alert: Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx (hostname and IP are replaced by X) But looking in to auth.log I found zero entries from yesterday - Feb 15 entries were logged 1 year ago! So I propose to set all daemons / syslog to log year too (as %Y) and change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in periodic scripts. The affected scripts are: 460.status-mail-rejects 470.status-named 800.loginfail 900.tcpwrap Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodic and I don't know the logic used in other script to get yesterday messages. What do you think about it? Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F3D3722.2000904>