From owner-freebsd-security@FreeBSD.ORG Sun Feb 19 04:52:10 2012
Date: Sat, 18 Feb 2012 23:25:41 -0500
From: Jason Hellenthal
To: Robert Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <20120219042540.GA49972@DataIX.net>

On Sat, Feb 18, 2012 at 04:35:20PM -0500, Robert Simmons wrote:
> On Fri, Feb 17, 2012 at 6:56 PM, Roger Marquis wrote:
> > I don't personally recall a time when everything else wasn't logging the
> > year, in one format or another. That's not to imply that syslogs
> > shouldn't be distinguishable by year but the question seems to be where
> > the year should be logged, A) on every line or B) in the archive file
> > name.
>
> There already is a standard, RFC 5424.
>
> You are asking, should we make our own decision to do this totally
> differently than the standard set in that RFC, or should we implement
> that RFC?
>
> Another option is to do nothing and stick with the way it is.
>
> I think the way to proceed would be to implement RFC 5424, and have it
> as a switch in rc.conf, something like:
>
> syslogd_flags="-x"
> where x is the new switch that would enable RFC5424 style logging.

How about an environment variable that login.conf could be adjusted for, so
in case something else wants to benefit from similar behavior it can just
look for that too? Similar to how BLOCKSIZE works. After all, this is an
environmental change.

>
> This would be optional for now. Then with FreeBSD 10, 5424 would
> become the default with the option now being a flag -y to enable old
> style logging for backwards compatibility.
>
> > I suspect it was not common practice to leave logs on the server for more
> > than a year when Allman originally wrote syslog, and I have not seen an
> > environment where logs are left in /var/log for over a year. Personally,
> > I would rather see FreeBSD stay backwards compatible and A) leave the
> > syslog timestamp format alone instead opting for KIS by simply writing
> > the year in the archive file name rather than wasting 5 bytes on every
> > line of every syslog log file. YMMV.
>
> It really shouldn't be a common practice, but we live in a world where
> governments are forcing data retention laws. It is an unfortunate
> reality that needs to be dealt with.
> http://en.wikipedia.org/wiki/Telecommunications_data_retention
>
> Also, I'm not sure I follow the logic behind some of the people on
> this list saying not to implement this at all. It should be an option
> for now, then the default on the other side of a major OS version with
> the old way then available as an option. This seems the most rational
> path to take.

-- 
;s =;

From owner-freebsd-security@FreeBSD.ORG Sun Feb 19 16:50:28 2012
Date: Sun, 19 Feb 2012 17:50:24 +0100
From: Martin Schütte
To: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <4F412850.3020705@mschuette.name>
In-Reply-To: <20120217194851.D76DE1065670@hub.freebsd.org>

On 17.02.2012 20:48, Roger Marquis wrote:
> and difficult to change without breaking more than it fixes. The current
> syslog syntax timestamp has been reliable now for what, 25+ years? I
> don't personally see any measurable ROI from changing it. YMMV of
> course.

I really understand the concern, but some requirements do change over
time. Staying at the lowest common denominator for 25+ years may
indicate robustness, but it may also indicate obsolescence.

I would like to ask a different question: what is our target? What kind
of logging infrastructure should a current operating system provide? And
how can we move forward toward that?

YMMV, but for me this target includes ISO timestamps, TLS network
transport, UTF-8 support, and more structured messages. The IETF
protocols are part of the solution; traditional BSD Syslog is not enough.

A few more thoughts for the discussion:

- with ISO dates it is easy to pipe logs through a timestamp-rewriting
  perl script for older analysis tools. And some tools already support
  ISO dates (for example the latest version of pflogsumm).
- similar compatibility questions arise with UTF-8 data in logs.
  syslogd(8) writes ASCII-only logs to ensure wide compatibility.
- some admins (including myself) already moved to syslog-ng for these
  two reasons: TLS transport and ISO timestamps.
- regarding timestamps: I guess everyone with a long-term log archive
  already has some year/month scheme, so IMHO the year is only a nice
  bonus rather than a big feature. Bigger benefits are sub-second
  resolution and timezone information (because with daylight saving time
  even a standalone system spans two timezones).
- in principle the NetBSD-current syslogd(8) even supports a per-target
  configuration of old/new log format. But IIRC this is not enabled,
  because such a flag would add more clutter to the syslog.conf(5)
  syntax.

-- 
Martin Schütte

From owner-freebsd-security@FreeBSD.ORG Sun Feb 19 17:43:06 2012
Date: Sun, 19 Feb 2012 09:24:13 -0800
From: freebsd@johnea.net
To: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <4F41303D.8060409@johnea.net>
In-Reply-To: <4F412850.3020705@mschuette.name>

On 2012-02-19 08:50, Martin Schütte wrote:
> On 17.02.2012 20:48, Roger Marquis wrote:
>> and difficult to change without breaking more than it fixes. The current
>> syslog syntax timestamp has been reliable now for what, 25+ years? I
>> don't personally see any measurable ROI from changing it. YMMV of
>> course.
>
> I really understand the concern, but some requirements do change over
> time. Staying at the lowest common denominator for 25+ years may
> indicate robustness, but it may also indicate obsolescence.
>

What seems obsolete is this thread. Can you at least prepend [OT RANT] to
the subject? Some people monitor this list to be informed of possible
FreeBSD security issues, of which this isn't.

Please, get a motel room or something...
johnea

From owner-freebsd-security@FreeBSD.ORG Mon Feb 20 14:54:06 2012
Date: Mon, 20 Feb 2012 09:53:48 -0500
From: Gary Palmer
To: Glen Barber
Cc: freebsd-security@freebsd.org, Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <20120220145348.GD78733@in-addr.com>
In-Reply-To: <20120216190124.GB1989@schism.local>

On Thu, Feb 16, 2012 at 02:01:24PM -0500, Glen Barber wrote:
> On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote:
> > Glen Barber wrote:
> > > On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
> > >> Hi,
> > >>
> > >> I have seen it many times before, but never took the time to post about it.
> > >>
> > >> Scripts in /etc/periodic are grepping logs for yesterday's date, but
> > >> without specifying the year (because some logs do not have the year logged).
> > >>
> > >> This results in false positive alerts in security e-mails from our
> > >> lightly loaded servers, where logs are not rotated often enough.
> > >>
> > >> For example /var/log/auth.log is 62KB (838 lines) and contains entries
> > >> for almost 2 years.
> > >>
> > >> Today I got the following alert:
> > >>
> > >> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
> > >> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
> > >> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
> > >> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
> > >>
> > >> (hostname and IP are replaced by X)
> > >>
> > >> But looking into auth.log I found zero entries from yesterday - the Feb 15
> > >> entries were logged 1 year ago!
> > >>
> > >> So I propose to set all daemons / syslog to log the year too (as %Y) and
> > >> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
> > >> in periodic scripts.
> > >>
> > >> The affected scripts are:
> > >> 460.status-mail-rejects
> > >> 470.status-named
> > >> 800.loginfail
> > >> 900.tcpwrap
> > >>
> > >> Maybe some others; I did just a quick grep -rsn 'date -v-1d'
> > >> /etc/periodic and I don't know the logic used in other scripts to get
> > >> yesterday's messages.
> > >>
> > >> What do you think about it?
> > >>
> > >
> > > Rotating the appropriate logs daily/weekly/monthly/whatever will silence
> > > these false alarms.
> >
> > My post was not about "how can I fix it locally", but what should be done
> > in the FreeBSD distribution, because these false alerts were made by the
> > default FreeBSD configuration (coincidence of newsyslog settings,
> > periodic scripts and log format)
> >
>
> IMHO, this isn't something the FreeBSD installation can "guess" as a
> suitable default, but up to the administrator to define what is
> appropriate for their system.

Whether or not the administrator tunes their setup to meet their
requirements, the default newsyslog.conf should not allow these
alerts to happen by enforcing a minimum of one rollover per year.

Miroslav, please file a bug report requesting newsyslog.conf be updated
to mitigate this problem.

Thanks,

Gary

From owner-freebsd-security@FreeBSD.ORG Mon Feb 20 15:14:48 2012
Date: Mon, 20 Feb 2012 15:55:13 +0100
From: Dag-Erling Smørgrav
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-security@freebsd.org, Roger Marquis, Sergey Kandaurov
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <86fwe5blm6.fsf@ds4.des.no>
In-Reply-To: <4F3EFA8B.50002@quip.cz>

Miroslav Lachman <000.fbsd@quip.cz> writes:
> I did a quick test where I changed "Feb 15 01:52:06" to
> "2012-02-15 01:52:06" format.

The correct format is "2012-02-20T01:23:45.6789+01:00"

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Feb 20 15:53:33 2012
Date: Mon, 20 Feb 2012 07:53:32 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
Cc: Dag-Erling Smørgrav, Sergey Kandaurov, Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: periodic security run output gives false positives after 1 year
Message-Id: <20120220155333.8443D1065676@hub.freebsd.org>
In-Reply-To: <86fwe5blm6.fsf@ds4.des.no>

> The correct format is "2012-02-20T01:23:45.6789+01:00"

You guys are aware that RFC 5424 is a proposed standard, I trust? By being
"proposed" it is not a standard, at least not yet. Perhaps the differences
in human-readability of the proposed timestamp, or the fact that it has
variable field types and lengths, are part of the reason why it has not
been ratified.

Other parts of this particular RFC bring its trustworthiness into
question. In particular the quote "Research during creation of this
document showed that there is very little in common between different
syslog implementations on different platforms." with no detail on the
so-called "research" methodology. In my own experience syslog timestamps
are identical across FreeBSD, CentOS, Debian, Ubuntu and Solaris, which
represent well over 99% of the installed base.

Regarding backwards compatibility, I'd be interested in knowing how many
systems, how many logs and how many log-parsing applications those
proposing change are responsible for? I would not be surprised if, like
others proposing deprecating long-used Unix standards, those advocating
the change are not the ones whose workloads or budgets would be impacted.
Roger

From owner-freebsd-security@FreeBSD.ORG Mon Feb 20 17:57:52 2012
Date: Mon, 20 Feb 2012 18:57:48 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Gary Palmer
Cc: freebsd-security@freebsd.org, Glen Barber
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <4F42899C.1000408@quip.cz>
In-Reply-To: <20120220145348.GD78733@in-addr.com>

Gary Palmer wrote:
> On Thu, Feb 16, 2012 at 02:01:24PM -0500, Glen Barber wrote:
>> On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote:
>>> Glen Barber wrote:
>>>> On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
>>>>> Hi,
>>>>>
>>>>> I have seen it many times before, but never took the time to post about it.
>>>>>
>>>>> Scripts in /etc/periodic are grepping logs for yesterday's date, but
>>>>> without specifying the year (because some logs do not have the year logged).
>>>>>
>>>>> This results in false positive alerts in security e-mails from our
>>>>> lightly loaded servers, where logs are not rotated often enough.
>>>>>
>>>>> For example /var/log/auth.log is 62KB (838 lines) and contains entries
>>>>> for almost 2 years.
>>>>>
>>>>> Today I got the following alert:
>>>>>
>>>>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>>>>
>>>>> (hostname and IP are replaced by X)
>>>>>
>>>>> But looking into auth.log I found zero entries from yesterday - the Feb 15
>>>>> entries were logged 1 year ago!
>>>>>
>>>>> So I propose to set all daemons / syslog to log the year too (as %Y) and
>>>>> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
>>>>> in periodic scripts.
>>>>>
>>>>> The affected scripts are:
>>>>> 460.status-mail-rejects
>>>>> 470.status-named
>>>>> 800.loginfail
>>>>> 900.tcpwrap
>>>>>
>>>>> Maybe some others; I did just a quick grep -rsn 'date -v-1d'
>>>>> /etc/periodic and I don't know the logic used in other scripts to get
>>>>> yesterday's messages.
>>>>>
>>>>> What do you think about it?
>>>>>
>>>>
>>>> Rotating the appropriate logs daily/weekly/monthly/whatever will silence
>>>> these false alarms.
>>>
>>> My post was not about "how can I fix it locally", but what should be done
>>> in the FreeBSD distribution, because these false alerts were made by the
>>> default FreeBSD configuration (coincidence of newsyslog settings,
>>> periodic scripts and log format)
>>>
>>
>> IMHO, this isn't something the FreeBSD installation can "guess" as a
>> suitable default, but up to the administrator to define what is
>> appropriate for their system.
>
> Whether or not the administrator tunes their setup to meet their
> requirements, the default newsyslog.conf should not allow these
> alerts to happen by enforcing a minimum of one rollover per year.
>
> Miroslav, please file a bug report requesting newsyslog.conf be updated
> to mitigate this problem.

PR submitted as conf/165331, but one rollover per year will not fix it.
As I wrote in another message in this thread, the script 800.loginfail
is reading all archived logs on disk:

catmsgs() {
	# rotated copies, newest first, decompressed according to suffix
	find ${LOG} -name 'auth.log.*' -mtime -2 |
	    sort -t. -r -n -k 2,2 |
	    while read f
	    do
		case $f in
		    *.gz) zcat -f $f;;
		    *.bz2) bzcat -f $f;;
		esac
	    done
	# then the live log itself
	[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}

The fix must ensure that there will not be any file (including
compressed) with entries older than 364 days.

Miroslav Lachman
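The false positive Miroslav describes (a year-less "%b %e " prefix matching last year's entries) and the unambiguous RFC 5424 timestamp DES gives, worked through as an added example that is not FreeBSD's periodic(8) code nor anything posted in this thread: it reproduces the periodic-style match on a constructed two-year auth.log, then assigns each line a year from the log's write order anchored to the year the file was last written (its mtime), and parses the RFC 5424 form. The log lines, the host name and the 192.0.2.x addresses are constructed; `anchor_year` and the ISO-date `today` parameters are this example's own conventions.

```python
# Added example, not FreeBSD's periodic(8) code: the year-less BSD syslog
# timestamp behind the thread's false positive, and the RFC 5424 form DES quotes.
import re
from datetime import date, datetime, timedelta, timezone

MONTH_NAMES = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTHS = {name: i for i, name in enumerate(MONTH_NAMES, 1)}
# BSD syslog header "Mmm dd hh:mm:ss": day space-padded, no year, no zone.
BSD_TS = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d{2}):(\d{2}):(\d{2}) ")
# RFC 5424 TIMESTAMP: date "T" time, optional fraction, "Z" or +/-hh:mm.
RFC5424_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
                        r"(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$")

# Constructed auth.log (host and 192.0.2.x addresses are placeholders): the
# first four lines were written in 2011, the last two in 2012; nothing says so.
AUTH_LOG = """\
Feb 15 22:36:03 host1 sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host1 sshd[89850]: Invalid user medina from 192.0.2.11
Jul  4 09:12:44 host1 sshd[90121]: Invalid user admin from 192.0.2.12
Dec 31 23:59:58 host1 sshd[91001]: Invalid user test from 192.0.2.13
Jan  1 00:00:03 host1 sshd[91002]: Invalid user guest from 192.0.2.13
Feb 10 08:00:00 host1 sshd[91500]: Invalid user oracle from 192.0.2.14
""".splitlines()

def bsd_fields(line):
    """(month, day, hour, minute, second) of a BSD-syslog line, or None."""
    m = BSD_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return (MONTHS[mon], int(day), int(hh), int(mm), int(ss))

def periodic_style_matches(lines, today):
    """What the periodic scripts in the thread do: prefix-match on the
    output of `date -v-1d "+%b %e "`, which carries no year."""
    y = date.fromisoformat(today) - timedelta(days=1)
    prefix = "%s %2d " % (MONTH_NAMES[y.month - 1], y.day)
    return [ln for ln in lines if ln.startswith(prefix)]

def date_entries(lines, anchor_year):
    """Year each line: the newest is from anchor_year (the file's mtime year);
    walking backwards, a month/day later than the next line marks a rollover."""
    out, year, newer = [], anchor_year, None
    for line in reversed(lines):
        f = bsd_fields(line)
        if f is None:
            continue
        if newer is not None and f > newer:
            year -= 1
        newer = f
        out.append((datetime(year, *f), line))
    out.reverse()
    return out

def year_aware_matches(lines, today, anchor_year):
    """Only the entries actually written yesterday (today is YYYY-MM-DD)."""
    y = date.fromisoformat(today) - timedelta(days=1)
    return [ln for dt, ln in date_entries(lines, anchor_year) if dt.date() == y]

def oldest_entry_age_days(lines, today, anchor_year):
    """Age of the oldest entry; the fix the thread asks for keeps this <= 364."""
    first = date_entries(lines, anchor_year)[0][0].date()
    return (date.fromisoformat(today) - first).days

def parse_rfc5424_ts(text):
    """RFC 5424 TIMESTAMP -> aware datetime (explicit year and UTC offset)."""
    m = RFC5424_TS.match(text)
    if not m:
        raise ValueError("not an RFC 5424 TIMESTAMP: %r" % text)
    y, mo, d, hh, mm, ss, frac, tz = m.groups()
    micro = int((frac or "0").ljust(6, "0"))
    if tz == "Z":
        off = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        off = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss),
                    micro, tzinfo=off)
```

With `today="2012-02-16"` the periodic-style match returns the two 2011 "Feb 15" lines (the thread's false positive) while the year-aware filter returns nothing, and the oldest entry is 366 days old, over the 364-day bound Miroslav states.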