Date:      Sat, 18 Feb 2012 23:25:41 -0500
From:      Jason Hellenthal <jhell@DataIX.net>
To:        Robert Simmons <rsimmons0@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: periodic security run output gives false positives after 1 year
Message-ID:  <20120219042540.GA49972@DataIX.net>
In-Reply-To: <CA%2BQLa9BWtSND-VOTxXxOJOzy=SsJuJcsDs-9ndpoPnGyKe3THg@mail.gmail.com>
References:  <20120217120034.201EB106574C@hub.freebsd.org> <20120217152400.261AC106564A@hub.freebsd.org> <CAE-mSO%2Bsa2Cu0aQksEXGyMnyns3=aAL8odmzQNMEJ77dpUAgmw@mail.gmail.com> <20120217194851.D76DE1065670@hub.freebsd.org> <4F3EE1C9.4030601@quip.cz> <20120217235620.4BEF4106566B@hub.freebsd.org> <CA%2BQLa9BWtSND-VOTxXxOJOzy=SsJuJcsDs-9ndpoPnGyKe3THg@mail.gmail.com>


On Sat, Feb 18, 2012 at 04:35:20PM -0500, Robert Simmons wrote:
> On Fri, Feb 17, 2012 at 6:56 PM, Roger Marquis <marquis@roble.com> wrote:
> > I don't personally recall a time when everything else wasn't logging the
> > year, in one format or another.  That's not to imply that syslogs
> > shouldn't be distinguishable by year but the question seems to be where
> > the year should be logged, A) on every line or B) in the archive file
> > name.
>
> There already is a standard, RFC 5424:
> freebsd-security@freebsd.org
>
> You are asking, should we make our own decision to do this totally
> differently than the standard set in that RFC, or should we implement
> that RFC?
>
> Another option is to do nothing and stick with the way it is.
>
> I think the way to proceed would be to implement RFC 5424, and have it
> as a switch in rc.conf, something like:
>
> syslogd_flags="-x"
> where x is the new switch that would enable RFC5424 style logging.

How about an environment variable that login.conf could be adjusted for
so in case something else wants to benefit from similar behavior it can
just look for that too? Similar to how BLOCKSIZE works. After all this
is an environmental change.

>
> This would be optional for now.  Then with FreeBSD 10, 5424 would
> become the default with the option now being a flag -y to enable old
> style logging for backwards compatibility.
>
> > I suspect it was not common practice to leave logs on the server for more
> > than a year when Allman originally wrote syslog, and I have not seen an
> > environment where logs are left in /var/log for over a year.  Personally,
> > I would rather see FreeBSD stay backwards compatible and A) leave the
> > syslog timestamp format alone instead opting for KIS by simply writing
> > the year in the archive file name rather than wasting 5 bytes on every
> > line of every syslog log file.  YMMV.
>
> It really shouldn't be a common practice, but we live in a world where
> governments are forcing data retention laws.  It is an unfortunate
> reality that needs to be dealt with.
> http://en.wikipedia.org/wiki/Telecommunications_data_retention
>
> Also, I'm not sure I follow the logic behind some of the people on
> this list saying not to implement this at all.  It should be an option
> for now, then the default on the other side of a major OS version with
> the old way then available as an option.  This seems the most rational
> path to take.

-- 
;s =;

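Added example, not part of the original message and not code from FreeBSD's periodic scripts: a sketch of why a year-less syslog timestamp produces the false positive named in the subject line, next to the two remedies discussed in the thread (year on every line via RFC 5424, or year in the archive file name). The log lines are constructed, and the `auth.log.YYYY` archive naming and all function names are assumptions.

```python
import re
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample data. Traditional BSD syslog lines carry no year, so an
# entry written on 17 Feb 2011 and one written on 17 Feb 2012 look alike.
BSD_LOG = [
    "Feb 17 03:12:44 host sshd[811]: Failed password for root from 192.0.2.7",
    "Feb 17 09:30:01 host sshd[4420]: Failed password for admin from 192.0.2.9",
]
# The same two events with RFC 5424 timestamps (year and UTC offset included).
RFC5424_LOG = [
    "<38>1 2011-02-17T03:12:44-05:00 host sshd 811 - - Failed password for root from 192.0.2.7",
    "<38>1 2012-02-17T09:30:01-05:00 host sshd 4420 - - Failed password for admin from 192.0.2.9",
]
# Option B from the thread: year kept in the archive file name (naming assumed).
ARCHIVES = {"auth.log.2011": BSD_LOG[:1], "auth.log.2012": BSD_LOG[1:]}

RFC5424_HEAD = re.compile(r"^<\d{1,3}>\d{1,2} (\d{4}-\d{2}-\d{2})T")
ARCHIVE_YEAR = re.compile(r"\.(\d{4})$")


def bsd_prefix(day):
    """Month and space-padded day as written by traditional syslogd."""
    return f"{MONTHS[day.month - 1]} {day.day:2d} "


def match_bsd(lines, day):
    """Year-blind match: all a scanner can do with the traditional format."""
    return [l for l in lines if l.startswith(bsd_prefix(day))]


def match_rfc5424(lines, day):
    """Compare the full date (year included) from the RFC 5424 header."""
    out = []
    for l in lines:
        m = RFC5424_HEAD.match(l)
        if m and m.group(1) == day.isoformat():
            out.append(l)
    return out


def match_archives(archives, day):
    """Take the year from the archive name, then match month and day."""
    out = []
    for name, lines in archives.items():
        m = ARCHIVE_YEAR.search(name)
        if m and int(m.group(1)) == day.year:
            out.extend(match_bsd(lines, day))
    return out
```

For 17 Feb 2012, `match_bsd` returns both constructed entries (the year-old one is the false positive), while `match_rfc5424` and `match_archives` return only the 2012 entry.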


