Date:      Mon, 20 Feb 2012 17:33:09 GMT
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   conf/165331: periodic security run output gives false positives after 1 year
Message-ID:  <201202201733.q1KHX9t1041794@red.freebsd.org>
Resent-Message-ID: <201202201740.q1KHe7oZ064731@freefall.freebsd.org>


>Number:         165331
>Category:       conf
>Synopsis:       periodic security run output gives false positives after 1 year
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 20 17:40:07 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Miroslav Lachman
>Release:        7.4-RELEASE, 8.2-RELEASE
>Organization:
codeLab.cz
>Environment:
7.4-RELEASE FreeBSD 7.4-RELEASE #0: Thu Feb 17 03:51:56 UTC 2011     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
As discussed in the links at the bottom, there is a problem with parsing log files for security issues.
Log files do not have a year in the timestamp and if there is little activity, the log files are not rotated enough. This can cause false positive alerts in periodic e-mails with entries exactly 1 year old (or 2, or 3, or N... years old).

For example in my case /var/log/auth.log is 62KB (838 lines) and contains entries for almost 2 years.

I get the following alert in the security run:

Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx

But looking into auth.log I found zero entries from yesterday - the Feb 15 entries were logged 1 year ago.

http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006175.html
http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006198.html
>How-To-Repeat:
Install any currently available FreeBSD RELEASE on some test machine with low user activity - logins / logouts - (only a few entries in auth.log per year). Make some bogus login attempts with nonexistent user names.
They will appear in the periodic security output the next day and then *wait 1 year* - they will appear in the periodic security output again.
It is a false positive.
>Fix:
1) add support for year field in syslog dates (RFC 5424 / timestamp format in ISO 8601 form)
Changes made to NetBSD syslog are available for porting to FreeBSD
http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006182.html
https://github.com/mschuett/nbsd-syslog

2) change the default newsyslog.conf settings to make sure there are not any entries for more than 364 days (including compressed archives, because periodic scripts read them all)

For example, the current default newsyslog.conf entry for auth.log
/var/log/auth.log     600  7     500  *     JC

must be changed to make more than 7 rollovers per year (ignoring size)

Maybe change it to "rotate if size is greater than 500 or once per month"

>Release-Note:
>Audit-Trail:
>Unformatted:
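The false positive described in this PR, reproduced on a constructed two-year auth.log. This is an added example, not code from the PR or from FreeBSD's periodic scripts: `naive_matches` mimics the periodic script's year-less "%b %e" prefix match (an assumption about how that script works), and `assign_years` shows one way to recover the year from a year-less file by walking it backwards from the file's modification date and decrementing the year every time the month/day jumps forward. The log lines, host name, addresses and mtime are all constructed.

```python
import re
from datetime import date

# RFC 3164 style syslog stamp: "Mon dd hh:mm:ss", no year anywhere.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) \d\d:\d\d:\d\d ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed auth.log, oldest line first, spanning Feb 2011 .. Feb 2012.
SAMPLE_LOG = """\
Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Aug  3 09:12:41 host sshd[1201]: Accepted publickey for admin from 192.0.2.20 port 50112 ssh2
Jan 30 08:00:12 host sshd[2210]: Accepted publickey for admin from 192.0.2.20 port 50290 ssh2
Feb 15 23:59:01 host sshd[2299]: Invalid user oracle from 198.51.100.7
Feb 16 07:30:00 host sshd[2301]: Accepted publickey for admin from 192.0.2.20 port 50301 ssh2
""".splitlines()
FILE_MTIME = date(2012, 2, 16)   # constructed: when the file was last written
YESTERDAY = date(2012, 2, 15)    # the day the periodic run reports on


def naive_matches(lines, yesterday, needle="Invalid user"):
    """Year-less prefix match, as the periodic script is assumed to do it.
    Every line from any earlier year with the same month/day also matches."""
    prefix = yesterday.strftime("%b ") + f"{yesterday.day:2d} "
    return [l for l in lines if l.startswith(prefix) and needle in l]


def assign_years(lines, file_mtime):
    """Attach a year to each line. Walking backwards from the newest line,
    a month/day that is later than the line after it means the file crossed
    a year boundary, so the year is decremented there. Lines without a
    syslog stamp are skipped. Caveat: a gap of more than one whole year
    between two consecutive lines cannot be detected this way."""
    year, later, dated = file_mtime.year, (file_mtime.month, file_mtime.day), []
    for line in reversed(lines):
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        md = (MONTHS[m.group("mon")], int(m.group("day")))
        if md > later:
            year -= 1
        later = md
        dated.append((date(year, md[0], md[1]), line))
    dated.reverse()
    return dated


def dated_matches(lines, file_mtime, yesterday, needle="Invalid user"):
    """Same search, but only lines whose recovered full date is yesterday."""
    return [l for d, l in assign_years(lines, file_mtime) if d == yesterday and needle in l]
```

Only the year-bearing timestamp of fix 1 removes the ambiguity outright; the backward walk above is a mitigation for existing year-less files and still fails on a silent gap longer than a year.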