From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 20 17:40:07 2012
Message-Id: <201202201733.q1KHX9t1041794@red.freebsd.org>
Date: Mon, 20 Feb 2012 17:33:09 GMT
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/165331: periodic security run output gives false positives after 1 year

>Number:         165331
>Category:       conf
>Synopsis:       periodic security run output gives false positives after 1 year
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 20 17:40:07 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Miroslav Lachman
>Release:        7.4-RELEASE, 8.2-RELEASE
>Organization:
codeLab.cz
>Environment:
7.4-RELEASE FreeBSD 7.4-RELEASE #0: Thu Feb 17 03:51:56 UTC 2011 root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
As discussed in the links at the bottom, there is a problem with parsing log files for security issues. Log files do not have a year in the timestamp, and if there is little activity, the log files are not rotated often enough. This can cause false positive alerts in periodic e-mails with entries exactly 1 year old (or 2, or 3, or N... years old).

For example, in my case /var/log/auth.log is 62KB (838 lines) and contains entries for almost 2 years. I get the following alert in the security run:

Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx

But looking into auth.log I found zero entries from yesterday - the Feb 15 entries were logged 1 year ago.

http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006175.html
http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006198.html
>How-To-Repeat:
Install any currently available FreeBSD RELEASE on some test machine with low user activity - logins / logouts - (only a few entries in auth.log per year). Make some bogus login attempts with nonexistent user names. They will appear in the periodic security output the next day; then *wait 1 year* - they will appear in the periodic security output again. It is a false positive.
>Fix:
1) Add support for a year field in syslog dates (RFC 5424 / timestamp format in ISO 8601 form). Changes made to NetBSD syslog are available for porting to FreeBSD:
http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006182.html
https://github.com/mschuett/nbsd-syslog

2) Change the default newsyslog.conf settings to make sure there is not any entry older than 364 days (including compressed archives, because periodic scripts read them all). For example, the current default newsyslog.conf entry for auth.log

/var/log/auth.log  600  7  500  *  JC

must be changed to make more than 7 rollovers per year (ignoring size). Maybe change it to "rotate if size is greater than 500 or once per month".
>Release-Note:
>Audit-Trail:
>Unformatted:
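The false positive described in this PR comes from matching only the month and day of a year-less BSD syslog timestamp. The following is an added example, not code from the PR or from FreeBSD's periodic scripts: it infers the year of every line in an append-only log by walking backwards from the newest entry and decrementing the year whenever the timestamp moves forward, then restricts the "Invalid user" check to lines that really were logged yesterday. It goes slightly beyond the report by also accepting RFC 5424 / ISO 8601 timestamps (the format fix 1 proposes), for which the year is read directly. The function names, the `newest_year` parameter (the year of the file's last entry, in practice the file's mtime year), and the sample log lines with `host` and 192.0.2.x addresses are all constructed for this example.

```python
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple, Union

MONTH_NAMES = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
               "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
MONTHS = {name: i for i, name in enumerate(MONTH_NAMES, start=1)}

# Classic BSD syslog stamp without a year: "Feb 15 22:36:03" / "Jun  3 10:00:00".
BSD_RE = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
# RFC 5424 / ISO 8601 stamp with a year: "2012-02-15T22:36:03+00:00".
ISO_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})")

# (year or None, month, day, hour, minute, second)
Stamp = Tuple[Optional[int], int, int, int, int, int]
DateLike = Union[date, str]


def parse_stamp(line: str) -> Optional[Stamp]:
    """Parse the leading timestamp of a syslog line; None if there is none."""
    m = ISO_RE.match(line)
    if m:
        y, mo, d, h, mi, s = (int(g) for g in m.groups())
        return (y, mo, d, h, mi, s)
    m = BSD_RE.match(line)
    if m and m.group(1) in MONTHS:
        return (None, MONTHS[m.group(1)], int(m.group(2)),
                int(m.group(3)), int(m.group(4)), int(m.group(5)))
    return None


def assign_dates(lines: List[str], newest_year: int) -> List[Optional[date]]:
    """Infer a full date for every line of an append-only, time-ordered log.

    Walking backwards from the end, each time the month/day/time moves
    *forward* we have crossed a year boundary, so the year is decremented.
    Limitation of the format itself: a gap of twelve months or more between
    two consecutive entries cannot be detected.
    """
    dates: List[Optional[date]] = [None] * len(lines)
    year = newest_year
    prev: Optional[Tuple[int, ...]] = None  # (mon, day, h, m, s) of the line after
    for i in range(len(lines) - 1, -1, -1):
        st = parse_stamp(lines[i])
        if st is None:
            continue                          # continuation or garbage line
        key = st[1:]
        if st[0] is not None:
            year = st[0]                      # explicit year: trust it and resync
        elif prev is not None and key > prev:
            year -= 1                         # year wrap while walking backwards
        try:
            dates[i] = date(year, st[1], st[2])
        except ValueError:                    # e.g. Feb 29 under a wrong year guess
            dates[i] = None
        prev = key
    return dates


def _as_date(d: DateLike) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def naive_lines_for_day(lines: List[str], day: DateLike) -> List[str]:
    """Year-blind selection: what a grep on "Mmm dd" alone does."""
    d = _as_date(day)
    prefix = f"{MONTH_NAMES[d.month - 1]} {d.day:2d} "  # syslog space-pads the day
    return [ln for ln in lines if ln.startswith(prefix)]


def lines_for_day(lines: List[str], day: DateLike, newest_year: int) -> List[str]:
    """Year-aware selection of the lines logged on exactly that calendar day."""
    d = _as_date(day)
    return [ln for ln, when in zip(lines, assign_dates(lines, newest_year)) if when == d]


INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user ")


def failed_logins_yesterday(lines: List[str], today: DateLike, newest_year: int) -> List[str]:
    """The 'Invalid user' report restricted to entries actually logged yesterday."""
    yesterday = _as_date(today) - timedelta(days=1)
    return [ln for ln in lines_for_day(lines, yesterday, newest_year)
            if INVALID_USER_RE.search(ln)]


# Constructed sample: a quiet auth.log spanning two years, newest entry in 2012.
SAMPLE_AUTH_LOG = """\
Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Jun  3 10:00:00 host sshd[1001]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2
Dec 24 08:15:00 host sshd[1002]: Accepted publickey for admin from 192.0.2.20 port 50001 ssh2
Feb 10 09:00:00 host sshd[1003]: Accepted publickey for admin from 192.0.2.20 port 50002 ssh2
Feb 16 07:00:00 host sshd[1004]: Accepted publickey for admin from 192.0.2.20 port 50003 ssh2
""".splitlines()

# Constructed sample in the RFC 5424 form, where the year is explicit.
ISO_AUTH_LOG = [
    "2012-02-15T22:36:03+00:00 host sshd[2001]: Invalid user guest from 192.0.2.10",
    "2012-02-16T07:00:00+00:00 host sshd[2002]: Accepted publickey for admin from 192.0.2.20 port 50004 ssh2",
]

if __name__ == "__main__":
    print("year-blind:", naive_lines_for_day(SAMPLE_AUTH_LOG, "2012-02-15"))
    print("year-aware:", failed_logins_yesterday(SAMPLE_AUTH_LOG, "2012-02-16", 2012))
```

Run on the sample with today = 2012-02-16, the year-blind match returns the two "Feb 15" lines from 2011 (the PR's false positive), while the year-aware check returns nothing; the same check on the ISO sample correctly reports the one 2012-02-15 entry. The backward walk relies on the log being in time order and on no two consecutive entries being a full year or more apart, which is exactly the gap a year-less format cannot express; fix 2 in the PR (rotating often enough that no archive is older than a year) removes that residual blind spot.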