From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 17:20:13 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ECA271065672 for ; Thu, 16 Feb 2012 17:20:13 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) by mx1.freebsd.org (Postfix) with ESMTP id A5F408FC0A for ; Thu, 16 Feb 2012 17:20:11 +0000 (UTC) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id A46892842D for ; Thu, 16 Feb 2012 18:04:35 +0100 (CET) Received: from [192.168.1.2] (ip-86-49-61-235.net.upcbroadband.cz [86.49.61.235]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id D92F928426 for ; Thu, 16 Feb 2012 18:04:34 +0100 (CET) Message-ID: <4F3D3722.2000904@quip.cz> Date: Thu, 16 Feb 2012 18:04:34 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.19) Gecko/20110420 Lightning/1.0b1 SeaMonkey/2.0.14 MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit Subject: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Feb 2012 17:20:14 -0000 Hi, I see it many times before, but never take a time to post about it. Scrips in /etc/periodic are grepping logs for yesterday date, but without specifying year (because some logs do not have year logged). This results in false positive alerts in security e-mails from our lightly loaded servers, where logs are not enough rotated. 
For example /var/log/auth.log is 62KB (838 lines) and contains entries for almost 2 years. Today I get following alert: Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx (hostname and IP are replaced by X) But looking in to auth.log I found zero entries from yesterday - Feb 15 entries were logged 1 year ago! So I propose to set all daemons / syslog to log year too (as %Y) and change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in periodic scripts. The affected scripts are: 460.status-mail-rejects 470.status-named 800.loginfail 900.tcpwrap Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodic and I don't know the logic used in other script to get yesterday messages. What do you think about it? Miroslav Lachman From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 17:49:44 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B95171065670 for ; Thu, 16 Feb 2012 17:49:44 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: from mail-qw0-f47.google.com (mail-qw0-f47.google.com [209.85.216.47]) by mx1.freebsd.org (Postfix) with ESMTP id 55E248FC23 for ; Thu, 16 Feb 2012 17:49:44 +0000 (UTC) Received: by qadz30 with SMTP id z30so5207910qad.13 for ; Thu, 16 Feb 2012 09:49:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:x-operating-system :user-agent; bh=/yM0iL53/ejjIy2t/Su5Gs2sgUvHyPgjiLPexXA4Kn0=; b=QoH5ErmUGHs7sAmptiQ5f7dEfzX+LjOWa3u+v05AyTJrKom5ePLrtccJzr2OcIGTN1 
ODzhrPBQ0d/XaGZJmGjY863bajCDsuJKmX+pIDk2HluuDghnkE2etNMXjd8XPU8UUHkL SDy4w2i+KjHiGvXw0NotfOeTDh4o1Z9rZf5cI= Received: by 10.229.76.69 with SMTP id b5mr2415440qck.22.1329413217044; Thu, 16 Feb 2012 09:26:57 -0800 (PST) Received: from schism.local (75-146-225-65-Philadelphia.hfc.comcastbusiness.net. [75.146.225.65]) by mx.google.com with ESMTPS id gw4sm19059941qab.13.2012.02.16.09.26.54 (version=SSLv3 cipher=OTHER); Thu, 16 Feb 2012 09:26:55 -0800 (PST) Date: Thu, 16 Feb 2012 12:26:52 -0500 From: Glen Barber To: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <20120216172652.GA1989@schism.local> References: <4F3D3722.2000904@quip.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4F3D3722.2000904@quip.cz> X-Operating-System: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@freebsd.org Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Feb 2012 17:49:44 -0000 On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: > Hi, > > I see it many times before, but never take a time to post about it. > > Scrips in /etc/periodic are grepping logs for yesterday date, but > without specifying year (because some logs do not have year logged). > > This results in false positive alerts in security e-mails from our > lightly loaded servers, where logs are not enough rotated. > > For example /var/log/auth.log is 62KB (838 lines) and contains entries > for almost 2 years. 
> > Today I get following alert: > > Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx > Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx > Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx > Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx > > (hostname and IP are replaced by X) > > But looking in to auth.log I found zero entries from yesterday - Feb 15 > entries were logged 1 year ago! > > So I propose to set all daemons / syslog to log year too (as %Y) and > change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b > %e %Y"` in periodic scripts. > > The affected scripts are: > 460.status-mail-rejects > 470.status-named > 800.loginfail > 900.tcpwrap > > Maybe some others, I did just a quick grep -rsn 'date -v-1d' > /etc/periodic and I don't know the logic used in other script to get > yesterday messages. > > What do you think about it? > Rotating the appropriate logs daily/weekly/monthly/whatever will silence these false alarms. 
Glen From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 17:59:57 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C6A5D106564A for ; Thu, 16 Feb 2012 17:59:57 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) by mx1.freebsd.org (Postfix) with ESMTP id 7E40E8FC16 for ; Thu, 16 Feb 2012 17:59:57 +0000 (UTC) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 8FD5828431; Thu, 16 Feb 2012 18:59:56 +0100 (CET) Received: from [192.168.1.2] (ip-86-49-61-235.net.upcbroadband.cz [86.49.61.235]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id A965528426; Thu, 16 Feb 2012 18:59:55 +0100 (CET) Message-ID: <4F3D441A.4040303@quip.cz> Date: Thu, 16 Feb 2012 18:59:54 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.19) Gecko/20110420 Lightning/1.0b1 SeaMonkey/2.0.14 MIME-Version: 1.0 To: Glen Barber References: <4F3D3722.2000904@quip.cz> <20120216172652.GA1989@schism.local> In-Reply-To: <20120216172652.GA1989@schism.local> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Feb 2012 17:59:57 -0000 Glen Barber wrote: > On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: >> Hi, >> >> I see it many times before, but never take a time to post about it. 
>> >> Scrips in /etc/periodic are grepping logs for yesterday date, but >> without specifying year (because some logs do not have year logged). >> >> This results in false positive alerts in security e-mails from our >> lightly loaded servers, where logs are not enough rotated. >> >> For example /var/log/auth.log is 62KB (838 lines) and contains entries >> for almost 2 years. >> >> Today I get following alert: >> >> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx >> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx >> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx >> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx >> >> (hostname and IP are replaced by X) >> >> But looking in to auth.log I found zero entries from yesterday - Feb 15 >> entries were logged 1 year ago! >> >> So I propose to set all daemons / syslog to log year too (as %Y) and >> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b >> %e %Y"` in periodic scripts. >> >> The affected scripts are: >> 460.status-mail-rejects >> 470.status-named >> 800.loginfail >> 900.tcpwrap >> >> Maybe some others, I did just a quick grep -rsn 'date -v-1d' >> /etc/periodic and I don't know the logic used in other script to get >> yesterday messages. >> >> What do you think about it? >> > > Rotating the appropriate logs daily/weekly/monthly/whatever will silence > these false alarms. 
My post was not about "how can I fix it localy", but what sould be done in FreeBSD distribuition, because these false alerts were made by default FreeBSD configuration (coincidence of newsyslog settings, periodic scripts and log format) Miroslav Lachman From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 19:01:29 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3227E1065673 for ; Thu, 16 Feb 2012 19:01:29 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: from mail-vx0-f182.google.com (mail-vx0-f182.google.com [209.85.220.182]) by mx1.freebsd.org (Postfix) with ESMTP id DACAC8FC0A for ; Thu, 16 Feb 2012 19:01:28 +0000 (UTC) Received: by vcmm1 with SMTP id m1so2522860vcm.13 for ; Thu, 16 Feb 2012 11:01:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:x-operating-system :user-agent; bh=Tt6zLjHJISHETwGhy70EWNyxF7aJOpjhElA9JnejNSk=; b=Mkti2NXCqQRYq/DadXdkZ3/ZNjlwxm+AMP7ZoBFiUuc/dAC2ceVSXtEJHcZmF76gHc Ns0jMyOaFTxantCGkJ7wCBuKsfPkwWYgWgJooejUPkYaKE+65d0z+Ir017YTPulp3G2A 6AynVKrw6kIqNugwNEtCDm3bejxQ6A4c75iPc= Received: by 10.52.27.1 with SMTP id p1mr1802315vdg.17.1329418887417; Thu, 16 Feb 2012 11:01:27 -0800 (PST) Received: from schism.local (75-146-225-65-Philadelphia.hfc.comcastbusiness.net. 
[75.146.225.65]) by mx.google.com with ESMTPS id eg10sm4662331vdc.7.2012.02.16.11.01.26 (version=SSLv3 cipher=OTHER); Thu, 16 Feb 2012 11:01:26 -0800 (PST) Date: Thu, 16 Feb 2012 14:01:24 -0500 From: Glen Barber To: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <20120216190124.GB1989@schism.local> References: <4F3D3722.2000904@quip.cz> <20120216172652.GA1989@schism.local> <4F3D441A.4040303@quip.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4F3D441A.4040303@quip.cz> X-Operating-System: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@freebsd.org Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Feb 2012 19:01:29 -0000 On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote: > Glen Barber wrote: > > On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: > >> Hi, > >> > >> I see it many times before, but never take a time to post about it. > >> > >> Scrips in /etc/periodic are grepping logs for yesterday date, but > >> without specifying year (because some logs do not have year logged). > >> > >> This results in false positive alerts in security e-mails from our > >> lightly loaded servers, where logs are not enough rotated. > >> > >> For example /var/log/auth.log is 62KB (838 lines) and contains entries > >> for almost 2 years. 
> >> > >> Today I get following alert: > >> > >> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx > >> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx > >> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx > >> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx > >> > >> (hostname and IP are replaced by X) > >> > >> But looking in to auth.log I found zero entries from yesterday - Feb 15 > >> entries were logged 1 year ago! > >> > >> So I propose to set all daemons / syslog to log year too (as %Y) and > >> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b > >> %e %Y"` in periodic scripts. > >> > >> The affected scripts are: > >> 460.status-mail-rejects > >> 470.status-named > >> 800.loginfail > >> 900.tcpwrap > >> > >> Maybe some others, I did just a quick grep -rsn 'date -v-1d' > >> /etc/periodic and I don't know the logic used in other script to get > >> yesterday messages. > >> > >> What do you think about it? > >> > > > > Rotating the appropriate logs daily/weekly/monthly/whatever will silence > > these false alarms. > > My post was not about "how can I fix it localy", but what sould be done > in FreeBSD distribuition, because these false alerts were made by > default FreeBSD configuration (coincidence of newsyslog settings, > periodic scripts and log format) > IMHO, this isn't something the FreeBSD installation can "guess" as a suitable default, but up to the administrator to define what is appropriate for their system. 
Glen From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 19:30:30 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F13B106566C for ; Thu, 16 Feb 2012 19:30:30 +0000 (UTC) (envelope-from pluknet@gmail.com) Received: from mail-lpp01m010-f54.google.com (mail-lpp01m010-f54.google.com [209.85.215.54]) by mx1.freebsd.org (Postfix) with ESMTP id C5E608FC0C for ; Thu, 16 Feb 2012 19:30:29 +0000 (UTC) Received: by lagz14 with SMTP id z14so4134671lag.13 for ; Thu, 16 Feb 2012 11:30:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=TFTgyFQOsIIb9njTGO9eWPu8+lVAi8mwptAOMmaY1BI=; b=wU/GRRYY9kx4Fqe5OvkBwVE/fIdhZS6aEUMVy2bQ3oF4xN+8YZA1OVXtVu4nqfVR4u 7rJwzp9aQcZBNuf1x1Ds5sWXKZ9RnfavSDO5d7orQquvN/KX9y+6ehy1iy01hyi0nTT8 GYmyH2RcH/0Xd+Mw6+DoTfmTsrogOXTZF69gU= MIME-Version: 1.0 Received: by 10.152.145.137 with SMTP id su9mr3049048lab.23.1329419311564; Thu, 16 Feb 2012 11:08:31 -0800 (PST) Received: by 10.152.18.4 with HTTP; Thu, 16 Feb 2012 11:08:31 -0800 (PST) In-Reply-To: <4F3D3722.2000904@quip.cz> References: <4F3D3722.2000904@quip.cz> Date: Thu, 16 Feb 2012 22:08:31 +0300 Message-ID: From: Sergey Kandaurov To: Miroslav Lachman <000.fbsd@quip.cz> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Feb 2012 19:30:30 -0000 2012/2/16 Miroslav Lachman <000.fbsd@quip.cz>: > Hi, > > I see it many times before, but never take a 
time to post about it. > > Scrips in /etc/periodic are grepping logs for yesterday date, but without > specifying year (because some logs do not have year logged). > > This results in false positive alerts in security e-mails from our lightl= y > loaded servers, where logs are not enough rotated. > > For example /var/log/auth.log is 62KB (838 lines) and contains entries fo= r > almost 2 years. > > Today I get following alert: > > Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx > Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx > Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xx= x > Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xx= x > > (hostname and IP are replaced by X) > > But looking in to auth.log I found zero entries from yesterday - Feb 15 > entries were logged 1 year ago! > > So I propose to set all daemons / syslog to log year too (as %Y) and chan= ge > =A0yesterday=3D`date -v-1d "+%b %e "` =A0to yesterday=3D`date -v-1d "+%b = %e %Y"` in > periodic scripts. > > The affected scripts are: > 460.status-mail-rejects > 470.status-named > 800.loginfail > 900.tcpwrap > > Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodi= c > and I don't know the logic used in other script to get yesterday messages= . > > What do you think about it? > This is how the traditional BSD syslog was designed (and standardized by RFC 3164). It has timestamp of fixed format: "Mmm dd hh:mm:ss". In IETF this RFC is marked obsolete and replaced with RFC 5424 with different timestamp format in ISO 8601 form. FreeBSD doesn't implement 5424 yet. Almost complete implementation was done in NetBSD in that regard in 2008. NetBSD before RFC 5424 changes has had pretty similar syslogd source, so if one could analyze and port that changes to FreeBSD, that would be pretty nice. 
--=20 wbr, pluknet From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 12:24:35 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B98621065680 for ; Fri, 17 Feb 2012 12:24:35 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) by mx1.freebsd.org (Postfix) with ESMTP id 6D9808FC0A for ; Fri, 17 Feb 2012 12:24:35 +0000 (UTC) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id C918C28431; Fri, 17 Feb 2012 13:24:33 +0100 (CET) Received: from [192.168.1.2] (ip-86-49-61-235.net.upcbroadband.cz [86.49.61.235]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 0325728424; Fri, 17 Feb 2012 13:24:32 +0100 (CET) Message-ID: <4F3E4700.1080206@quip.cz> Date: Fri, 17 Feb 2012 13:24:32 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.19) Gecko/20110420 Lightning/1.0b1 SeaMonkey/2.0.14 MIME-Version: 1.0 To: Gregory Orange References: <4F3D3722.2000904@quip.cz> <4F3E0307.3010909@calorieking.com> In-Reply-To: <4F3E0307.3010909@calorieking.com> Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd security Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Feb 2012 12:24:35 -0000 I re-add list to CC. Gregory Orange wrote: > Hi Miroslav, > I don't know if this message really contributes anything to the list, so > I'll email you directly. 
> > On 17/02/12 01:04, Miroslav Lachman wrote: >> I see it many times before, but never take a time to post about it. > > Well, thank you for posting it. I'm fairly new to BSD admin (GNU/Linux > for a few years prior), and generally to being the main person > responsible for security. I am really glad to see that my post helped to somebody. >> But looking in to auth.log I found zero entries from yesterday - Feb 15 >> entries were logged 1 year ago! > > We've been concerned by some auth.log entries for a week or two, and > only after reading your message and taking a closer look at the context > of the logs did I think of that possibility. It's exactly my issue! Be aware that adding shorter time (or lower file size) for log rotation is not enough. Script 800.loginfail is reading all available rotated compressed logs. So even if you will rotate more often, you will get false positive alerts if some 1 year old entries are stored on disk in /var/log/auth.log.X.bz2 files. Default settings in newsyslog.conf is /var/log/auth.log 600 7 500 * JC This means 7 old compressed archives taken after reaching 500kB in size of the original log. So it can contains more than 10 years of history on our mentioned server. Until FreeBSD will log dates in format with year, you must do something to be sure that none of the files in /var/log stored entries over 364 days. 
Cheers, Miroslav Lachman From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 12:40:11 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 799AF1065673 for ; Fri, 17 Feb 2012 12:40:11 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) by mx1.freebsd.org (Postfix) with ESMTP id 2DD658FC1D for ; Fri, 17 Feb 2012 12:40:10 +0000 (UTC) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 90E0128426; Fri, 17 Feb 2012 13:40:09 +0100 (CET) Received: from [192.168.1.2] (ip-86-49-61-235.net.upcbroadband.cz [86.49.61.235]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 6A1F128423; Fri, 17 Feb 2012 13:40:04 +0100 (CET) Message-ID: <4F3E4AA3.8000004@quip.cz> Date: Fri, 17 Feb 2012 13:40:03 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.19) Gecko/20110420 Lightning/1.0b1 SeaMonkey/2.0.14 MIME-Version: 1.0 To: Sergey Kandaurov References: <4F3D3722.2000904@quip.cz> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Feb 2012 12:40:11 -0000 Sergey Kandaurov wrote: > 2012/2/16 Miroslav Lachman<000.fbsd@quip.cz>: >> Hi, >> >> I see it many times before, but never take a time to post about it. 
>> >> Scrips in /etc/periodic are grepping logs for yesterday date, but without >> specifying year (because some logs do not have year logged). >> >> This results in false positive alerts in security e-mails from our lightly >> loaded servers, where logs are not enough rotated. >> >> For example /var/log/auth.log is 62KB (838 lines) and contains entries for >> almost 2 years. >> >> Today I get following alert: >> >> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx >> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx >> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx >> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx >> >> (hostname and IP are replaced by X) >> >> But looking in to auth.log I found zero entries from yesterday - Feb 15 >> entries were logged 1 year ago! >> >> So I propose to set all daemons / syslog to log year too (as %Y) and change >> yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in >> periodic scripts. >> >> The affected scripts are: >> 460.status-mail-rejects >> 470.status-named >> 800.loginfail >> 900.tcpwrap >> >> Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodic >> and I don't know the logic used in other script to get yesterday messages. >> >> What do you think about it? >> > > This is how the traditional BSD syslog was designed (and standardized > by RFC 3164). It has timestamp of fixed format: "Mmm dd hh:mm:ss". > > In IETF this RFC is marked obsolete and replaced with RFC 5424 with > different timestamp format in ISO 8601 form. FreeBSD doesn't implement > 5424 yet. Almost complete implementation was done in NetBSD in that > regard in 2008. NetBSD before RFC 5424 changes has had pretty similar > syslogd source, so if one could analyze and port that changes to FreeBSD, > that would be pretty nice. Thank you for pointing this out. It would be the right step forward. 
Unfortunately I am not a C developer, so I cannot port it my self. Miroslav Lachman From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 12:40:12 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D1E7A106564A for ; Fri, 17 Feb 2012 12:40:12 +0000 (UTC) (envelope-from lists@mschuette.name) Received: from mail.mschuette.name (lisa.mschuette.name [IPv6:2a01:4f8:d13:4d41::3deb:2d1b]) by mx1.freebsd.org (Postfix) with ESMTP id 6170B8FC20 for ; Fri, 17 Feb 2012 12:40:12 +0000 (UTC) Received: from lisa.mschuette.name (localhost [127.0.0.1]) by mail.mschuette.name (Postfix) with ESMTP id 2C53F12542A for ; Fri, 17 Feb 2012 13:40:11 +0100 (CET) Received: from mail.mschuette.name ([127.0.0.1]) by lisa.mschuette.name (mail.mschuette.name [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMaZfCgc1i15 for ; Fri, 17 Feb 2012 13:40:09 +0100 (CET) Received: from hanna.mschuette.name (unknown [IPv6:2001:638:812:b881:62eb:69ff:fe7e:bf5b]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "Martin Schuette", Issuer "AStA-CA" (not verified)) (Authenticated sender: mschuett) by mail.mschuette.name (Postfix) with ESMTPSA for ; Fri, 17 Feb 2012 13:40:09 +0100 (CET) Message-ID: <4F3E4AA9.9000308@mschuette.name> Date: Fri, 17 Feb 2012 13:40:09 +0100 From: =?ISO-8859-1?Q?Martin_Sch=FCtte?= User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <4F3D3722.2000904@quip.cz> In-Reply-To: X-Enigmail-Version: 1.3.4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Fri, 17 Feb 2012 12:40:12 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/16/2012 08:08 PM, Sergey Kandaurov wrote: > 5424 yet. Almost complete implementation was done in NetBSD in > that regard in 2008. NetBSD before RFC 5424 changes has had pretty > similar syslogd source, so if one could analyze and port that > changes to FreeBSD, that would be pretty nice. I implemented this and if anyone is interested I would be glad to help with it. So far I just did not find the time to continue development or even a FreeBSD port on my own (finishing university, looking for a job, etc). -- The code is in NetBSD-Current and my own development repository is now online at https://github.com/mschuett/nbsd-syslog With regard to porting the biggest difference between systems is the libevent library, which is included in NetBSD and used in the syslogd(8). The main "problem" with the IETF/NetBSD syslogd(8) is that it does not only change the message/protocol format, but at the same time implements TLS communication and digital signatures. -- In combination these functions really add size and complexity to the code. To improve things I wonder if syslogd(8) could be restructured into a plugin-based architecture. That might keep the different logging targets (files, console, UDP, TLS) and optional features (new/old format, signatures) separate and simpler. Of course only if it is simple enough not to add yet another layer of overhead and complexity. 
- -- Martin Schütte -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8+Sp0ACgkQrb26LrIR2NllIACg7BieDyiVUabLww4n06vehhPe JjoAoJAq9zAejj0BynH6mP+RBlearIdL =xV69 -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 15:24:00 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 261AC106564A for ; Fri, 17 Feb 2012 15:24:00 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) by mx1.freebsd.org (Postfix) with ESMTP id ED0588FC0A for ; Fri, 17 Feb 2012 15:23:59 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) by mx5.roble.com (Postfix) with ESMTP id 313E368061 for ; Fri, 17 Feb 2012 07:04:50 -0800 (PST) Date: Fri, 17 Feb 2012 07:04:50 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org In-Reply-To: <20120217120034.201EB106574C@hub.freebsd.org> References: <20120217120034.201EB106574C@hub.freebsd.org> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Message-Id: <20120217152400.261AC106564A@hub.freebsd.org> Subject: Re: periodic security run output gives false positives after 1 year X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Feb 2012 15:24:00 -0000 Sergey Kandaurov wrote: > In IETF this RFC is marked obsolete and replaced with RFC 5424 with > different timestamp format in ISO 8601 form. FreeBSD doesn't implement > 5424 yet. Almost complete implementation was done in NetBSD in that > regard in 2008. 
NetBSD before RFC 5424 changes has had pretty similar > syslogd source, so if one could analyze and port that changes to FreeBSD, > that would be pretty nice. Problem with that would be backwards compatibility, and it's not IMO worth breaking everyone's syslog parsing scripts to fix an issue that really isn't due to the date format as much as it is to log rotation. That's not to say that security scripts don't need to parse archived logs, just that they should perhaps check the date stamp of the archive files before parsing. Have to admit we don't use FreeBSD (or any other OS's) log rotation or log-related periodic scripts. Would love to submit replacements though. Our logic is a bit different: * rotating current log files, to /var/log/$log.$i only when they grow larger than 100MB, * checking log file size hourly, * rotating all logs regardless of size only at the end of the month, to a compressed file with the date stamp as part of the filename, * maintaining monthly archived log files in a dedicated subdirectory (/var/log/logarchive), * writing each syslog facility to its own file (kern.log, local1.log, ...). It is unfortunate that syslog is such a neglected and unoptimized aspect of nearly all Unix and Linux default installs but SA's don't have to restrict their systems to those defaults. 
Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 17:03:56 2012
From: Chuck Swiger
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Date: Fri, 17 Feb 2012 08:03:26 -0800
Subject: Re: periodic security run output gives false positives after 1 year

On Feb 17, 2012, at 7:04 AM, Roger Marquis wrote:
> Have to admit we don't use FreeBSD (or any other OS's) log rotation or
> log-related periodic scripts. Would love to submit replacements though.
> Our logic is a bit different:

Doesn't newsyslog handle most of these already?

http://www.freebsd.org/cgi/man.cgi?query=newsyslog.conf&sektion=5

Regards,
-- 
-Chuck

From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 18:02:43 2012
From: Sergey Kandaurov
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Date: Fri, 17 Feb 2012 21:02:41 +0300
Subject: Re: periodic security run output gives false positives after 1 year

On 17 February 2012 19:04, Roger Marquis wrote:
> Sergey Kandaurov wrote:
>>
>> In IETF this RFC is marked obsolete and replaced with RFC 5424 with
>> different timestamp format in ISO 8601 form. FreeBSD doesn't implement
>> 5424 yet. Almost complete implementation was done in NetBSD in that
>> regard in 2008. NetBSD before RFC 5424 changes has had a pretty similar
>> syslogd source, so if one could analyze and port those changes to FreeBSD,
>> that would be pretty nice.
>
> Problem with that would be backwards compatibility, and it's not IMO
> worth breaking everyone's syslog parsing scripts to fix an issue that
> really isn't due to the date format as much as it is to log rotation.

That is not a showstopper. Nothing prevents merging both formats in one
daemon and introducing a new syslogd option to choose the desired format.
-- 
wbr,
pluknet

From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 19:48:51 2012
From: Roger Marquis
To: Sergey Kandaurov
Cc: freebsd-security@freebsd.org
Date: Fri, 17 Feb 2012 11:48:51 -0800 (PST)
Subject: Re: periodic security run output gives false positives after 1 year

On Fri, 17 Feb 2012, Sergey Kandaurov wrote:
>> Problem with that would be backwards compatibility, and it's not IMO
>> worth breaking everyone's syslog parsing scripts to fix an issue that
>> really isn't due to the date format as much as it is to log rotation.
>
> That is not a showstopper. Nothing prevents merging both formats in one
> daemon and introducing a new syslogd option to choose the desired format.

That would be more of a Linux than BSD way of doing things, i.e.,
deprecating the existing format without giving full consideration to the
effects on SA scripts and monitoring software, some of which is hardcoded
and difficult to change without breaking more than it fixes. The current
syslog syntax timestamp has been reliable now for what, 25+ years? I
don't personally see any measurable ROI from changing it. YMMV of course.

Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 20:22:30 2012
From: Mike Kelly
To: Roger Marquis
Cc: freebsd-security@freebsd.org, Sergey Kandaurov
Date: Fri, 17 Feb 2012 14:53:04 -0500
Subject: Re: periodic security run output gives false positives after 1 year
So, can't you just do this?

1) Make it an option.
2) If it isn't set, keep the output like it is now.
3) Set it by default in new installs, with a comment above it that it
   might break things. That way people upgrading get a warning, too, and
   can keep it the way it has been if they'd like.

On Fri, Feb 17, 2012 at 14:48, Roger Marquis wrote:
> On Fri, 17 Feb 2012, Sergey Kandaurov wrote:
>>> Problem with that would be backwards compatibility, and it's not IMO
>>> worth breaking everyone's syslog parsing scripts to fix an issue that
>>> really isn't due to the date format as much as it is to log rotation.
>>
>> That is not a showstopper. Nothing prevents merging both formats in one
>> daemon and introducing a new syslogd option to choose the desired format.
>
> That would be more of a Linux than BSD way of doing things, i.e.,
> deprecating the existing format without giving full consideration to the
> effects on SA scripts and monitoring software, some of which is hardcoded
> and difficult to change without breaking more than it fixes. The current
> syslog syntax timestamp has been reliable now for what, 25+ years? I
> don't personally see any measurable ROI from changing it. YMMV of
> course.
>
> Roger Marquis

-- 
Mike Kelly

From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 23:25:00 2012
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Roger Marquis
Cc: freebsd-security@freebsd.org, Sergey Kandaurov
Date: Sat, 18 Feb 2012 00:24:57 +0100
Subject: Re: periodic security run output gives false positives after 1 year
Roger Marquis wrote:
> On Fri, 17 Feb 2012, Sergey Kandaurov wrote:
>>> Problem with that would be backwards compatibility, and it's not IMO
>>> worth breaking everyone's syslog parsing scripts to fix an issue that
>>> really isn't due to the date format as much as it is to log rotation.
>>
>> That is not a showstopper. Nothing prevents merging both formats in one
>> daemon and introducing a new syslogd option to choose the desired format.
>
> That would be more of a Linux than BSD way of doing things, i.e.,
> deprecating the existing format without giving full consideration to the
> effects on SA scripts and monitoring software, some of which is hardcoded
> and difficult to change without breaking more than it fixes. The current
> syslog syntax timestamp has been reliable now for what, 25+ years? I
> don't personally see any measurable ROI from changing it. YMMV of
> course.

It is similar to the y2k problem and dates in YY format instead of YYYY -
it was fine for many years...

But did you notice that almost everything else is already logging with
the year in the date?

Miroslav Lachman

From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 23:56:20 2012
From: Roger Marquis
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-security@freebsd.org, Sergey Kandaurov
Date: Fri, 17 Feb 2012 15:56:19 -0800 (PST)
Subject: Re: periodic security run output gives false positives after 1 year

>> The current syslog syntax timestamp has been reliable now for what, 25+
>> years? I don't personally see any measurable ROI from changing it. YMMV of
>> course.
>
> It is similar to the y2k problem and dates in YY format instead of YYYY -
> it was fine for many years...

Is it? If I recall, Y2K had more to do with 2 digit year fields that
should have been 4 digit.
> But did you notice that almost everything else is already logging with
> the year in the date?

I don't personally recall a time when everything else wasn't logging the
year, in one format or another. That's not to imply that syslogs
shouldn't be distinguishable by year, but the question seems to be where
the year should be logged, A) on every line or B) in the archive file
name.

I suspect it was not common practice to leave logs on the server for more
than a year when Allman originally wrote syslog, and I have not seen an
environment where logs are left in /var/log for over a year. Personally,
I would rather see FreeBSD stay backwards compatible and A) leave the
syslog timestamp format alone, instead opting for KIS by simply writing
the year in the archive file name rather than wasting 5 bytes on every
line of every syslog log file. YMMV.

Roger

From owner-freebsd-security@FreeBSD.ORG Sat Feb 18 00:51:43 2012
From: Roger Marquis
To: Mike Kelly
Cc: freebsd-security@freebsd.org, Sergey Kandaurov
Date: Fri, 17 Feb 2012 16:51:42 -0800 (PST)
Subject: Re: periodic security run output gives false positives after 1 year

> 1) Make it an option.
> 2) If it isn't set, keep the output like it is now.
> 3) Set it by default in new installs, with a comment above it that it
>    might break things. That way people upgrading get a warning, too, and
>    can keep it the way it has been if they'd like.

You can, but it'd be like sendmail logging, which has no fixed format and
correspondingly few log report programs. OTOH Postfix learned from that
and made its log format immutable. As a result there are some nice
syslog-reading report utilities for postfix.

POSIX' Austin group tried to do something similar by proposing a
LOCALE-dependent month field of variable length instead of 3 char English
month names. Not aware of anyone who used that. It was never a good idea,
but the Austin group is small, has alarmingly little concern for
backwards compatibility, and does not solicit end-user input. FreeBSD is
still my favorite OS in large part because it is not like POSIX' Austin
group in those respects.
Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Sat Feb 18 00:53:56 2012
From: Émilien Tlapale
To: freebsd-security@freebsd.org
Date: Fri, 17 Feb 2012 16:37:16 -0800
Subject: Re: periodic security run output gives false positives after 1 year

On 17/02/2012 15:56, Roger Marquis wrote:
>> It is similar to the y2k problem and dates in YY format instead of YYYY -
>> it was fine for many years...
>
> Is it? If I recall, Y2K had more to do with 2 digit year fields that
> should have been 4 digit.

Whereas we have a 0 digit year field.

> I suspect it was not common practice to leave logs on the server for more
> than a year when Allman originally wrote syslog, and I have not seen an
> environment where logs are left in /var/log for over a year.

But now, fascist-like laws in a lot of countries require us to store log
files for a *long* time, for everything.

From owner-freebsd-security@FreeBSD.ORG Sat Feb 18 01:10:40 2012
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Roger Marquis
Cc: freebsd-security@freebsd.org, Sergey Kandaurov
Date: Sat, 18 Feb 2012 02:10:35 +0100
Subject: Re: periodic security run output gives false positives after 1 year
Roger Marquis wrote:
>>> The current syslog syntax timestamp has been reliable now for what, 25+
>>> years? I don't personally see any measurable ROI from changing it.
>>> YMMV of course.
>>
>> It is similar to the y2k problem and dates in YY format instead of YYYY -
>> it was fine for many years...
>
> Is it? If I recall, Y2K had more to do with 2 digit year fields that
> should have been 4 digit.
>
>> But did you notice that almost everything else is already logging
>> with the year in the date?
>
> I don't personally recall a time when everything else wasn't logging the
> year, in one format or another. That's not to imply that syslogs
> shouldn't be distinguishable by year, but the question seems to be where
> the year should be logged, A) on every line or B) in the archive file
> name.

The problem is that the filename can easily be changed by mistake, and
then you can't tell what date you have stored in the file.

> I suspect it was not common practice to leave logs on the server for more
> than a year when Allman originally wrote syslog, and I have not seen an
> environment where logs are left in /var/log for over a year. Personally,
> I would rather see FreeBSD stay backwards compatible and A) leave the
> syslog timestamp format alone, instead opting for KIS by simply writing
> the year in the archive file name rather than wasting 5 bytes on every
> line of every syslog log file. YMMV.

I understand your point of view, but very little in FreeBSD is (and will
be forever) backward compatible. It is an evolution.

And if we are talking about space - a FreeBSD installation hasn't fit on
a floppy disk for a long time :)

Just out of curiosity - logs are mostly stored in compressed state, and
there is almost no difference in the size of the compressed file whether
there is a four digit year or not. I did a quick test where I changed the
"Feb 15 01:52:06" format to "2012-02-15 01:52:06":

  2.8M  auth.log.orig
  3.0M  auth.log.newdate
  284K  auth.log.orig.gz
  284K  auth.log.newdate.gz
   76K  auth.log.orig.bz2
   78K  auth.log.newdate.bz2

As you can see, there is a 0.2M difference in plain text, but with gzip
there is no difference, and with bzip2 there is only 2KB more.

Again - I understand your view, but I still think that using the new ISO
date format is an improvement.

Cheers,
Miroslav Lachman

From owner-freebsd-security@FreeBSD.ORG Sat Feb 18 21:58:08 2012
From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Sat, 18 Feb 2012 16:36:25 -0500
Subject: Re: periodic security run output gives false positives after 1 year

Oops, mouse-o.
Here is the actual link to the RFC:
http://tools.ietf.org/html/rfc5424

From owner-freebsd-security@FreeBSD.ORG Sat Feb 18 21:59:03 2012
From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Sat, 18 Feb 2012 16:35:20 -0500
Subject: Re: periodic security run output gives false positives after 1 year

On Fri, Feb 17, 2012 at 6:56 PM, Roger Marquis wrote:
> I don't personally recall a time when everything else wasn't logging the
> year, in one format or another. That's not to imply that syslogs
> shouldn't be distinguishable by year, but the question seems to be where
> the year should be logged, A) on every line or B) in the archive file
> name.

There already is a standard, RFC 5424: freebsd-security@freebsd.org

You are asking, should we make our own decision to do this totally
differently than the standard set in that RFC, or should we implement
that RFC? Another option is to do nothing and stick with the way it is.

I think the way to proceed would be to implement RFC 5424, and have it
as a switch in rc.conf, something like:

syslogd_flags="-x"

where x is the new switch that would enable RFC5424 style logging. This
would be optional for now. Then with FreeBSD 10, 5424 would become the
default, with the option now being a flag -y to enable old style logging
for backwards compatibility.

> I suspect it was not common practice to leave logs on the server for more
> than a year when Allman originally wrote syslog, and I have not seen an
> environment where logs are left in /var/log for over a year. Personally,
> I would rather see FreeBSD stay backwards compatible and A) leave the
> syslog timestamp format alone, instead opting for KIS by simply writing
> the year in the archive file name rather than wasting 5 bytes on every
> line of every syslog log file. YMMV.

It really shouldn't be a common practice, but we live in a world where
governments are forcing data retention laws. It is an unfortunate reality
that needs to be dealt with.
http://en.wikipedia.org/wiki/Telecommunications_data_retention

Also, I'm not sure I follow the logic behind some of the people on this
list saying not to implement this at all. It should be an option for now,
then the default on the other side of a major OS version, with the old way
then available as an option. This seems the most rational path to take.
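The false positive this thread is about, reproduced and then avoided without touching the log format: an added example, not code from FreeBSD's /etc/periodic scripts or from anyone in the thread. It assumes the report date of 16 Feb 2012 from the original post; the log lines are constructed, except the four "Invalid user" lines quoted there, and the year-inference pass (walk the append-only file backwards, step the year down whenever the timestamp jumps forward) is one alternative to Roger's suggestion of checking the archive files' date stamps.

```python
"""Year-aware filtering of year-less syslog timestamps.

Added example, not code from FreeBSD's /etc/periodic scripts: it first
reproduces the false positive discussed in this thread (a bare "Mon dd "
prefix match picks up last year's lines from a never-rotated auth.log),
then shows a year-inference pass that walks the file backwards and steps
the year down whenever the timestamp jumps forward in time.
"""
from datetime import date, datetime, timedelta

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed two-year auth.log of a lightly loaded server. The four
# "Invalid user" lines are the ones quoted in the original post (hostname
# and IP masked as there); the rest are made up for this example.
SAMPLE_AUTH_LOG = """\
Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
Jun  3 08:12:44 XXX sshd[1201]: Accepted publickey for admin from xxx.xxx.xxx.xxx port 51022 ssh2
Dec 30 23:59:01 XXX sshd[4410]: Invalid user oracle from xxx.xxx.xxx.xxx
Jan  2 07:30:10 XXX sshd[5102]: Accepted publickey for admin from xxx.xxx.xxx.xxx port 50110 ssh2
Feb 14 19:05:33 XXX sshd[7788]: Invalid user guest from xxx.xxx.xxx.xxx
Feb 15 03:41:09 XXX sshd[7900]: Failed password for root from xxx.xxx.xxx.xxx port 40022 ssh2
Feb 16 06:25:00 XXX sshd[8001]: Accepted publickey for admin from xxx.xxx.xxx.xxx port 50331 ssh2
"""

# The thread's date: the report was sent on 16 Feb 2012 about "yesterday".
REPORT_DAY = date(2012, 2, 16)


def parse_stamp(line):
    """Return (month, day, time) from a 'Mon dd HH:MM:SS' prefix, or None."""
    try:
        mon = MONTHS.index(line[0:3]) + 1
        day = int(line[4:6])
        tm = datetime.strptime(line[7:15], "%H:%M:%S").time()
    except (ValueError, IndexError):
        return None
    return (mon, day, tm)


def naive_yesterday(lines, today):
    """What the periodic scripts do: match yesterday's year-less prefix."""
    y = today - timedelta(days=1)
    prefix = f"{MONTHS[y.month - 1]} {y.day:2d} "      # like date "+%b %e "
    return [ln for ln in lines if ln.startswith(prefix)]


def assign_years(lines, today):
    """Attach a year to each line of a chronological, year-less log.

    Walk backwards: the newest entry is assumed to belong to today's year
    (or last year if its month/day is still ahead of today). Whenever an
    earlier line carries a later month/day/time than the line after it,
    the log crossed a year boundary, so the year steps down by one.
    Returns [(date or None, line), ...] in file order.
    """
    stamps = [parse_stamp(ln) for ln in lines]
    dated = [None] * len(lines)
    year = None
    newer = None
    for i in range(len(lines) - 1, -1, -1):
        s = stamps[i]
        if s is None:               # unparsable line, leave it undated
            continue
        if year is None:
            ahead = (s[0], s[1]) > (today.month, today.day)
            year = today.year - 1 if ahead else today.year
        elif s > newer:
            year -= 1
        try:
            dated[i] = date(year, s[0], s[1])
        except ValueError:          # e.g. Feb 29 landing in a non-leap year
            dated[i] = None
        newer = s
    return list(zip(dated, lines))


def yesterday_entries(lines, today):
    """Only lines whose inferred full date is yesterday."""
    y = today - timedelta(days=1)
    return [ln for d, ln in assign_years(lines, today) if d == y]


def demo(today=REPORT_DAY):
    """Run both filters over the sample; returns (naive, year-aware, years)."""
    lines = SAMPLE_AUTH_LOG.splitlines()
    years = [d.year if d else None for d, _ in assign_years(lines, today)]
    return naive_yesterday(lines, today), yesterday_entries(lines, today), years


if __name__ == "__main__":
    naive, real, years = demo()
    print(f"naive prefix match: {len(naive)} lines (4 are from last year)")
    print(f"year-aware match:   {len(real)} line(s)")
    for ln in real:
        print("  ", ln)
```

The naive filter returns the four stale lines plus the one genuine entry from the day before; the year-aware filter returns only the genuine one.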