From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 19:41:19 2003
Date: Thu, 23 Oct 2003 21:38:11 -0400
From: Garance A Drosihn
To: Brett Glass, security@freebsd.org
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install
In-Reply-To: <6.0.0.22.2.20031023183427.04e18d10@localhost>
References: <6.0.0.22.2.20031023162326.04c1e008@localhost> <6.0.0.22.2.20031023183427.04e18d10@localhost>
List-Id: Security issues [members-only posting]

At 6:41 PM -0600 10/23/03, Brett Glass wrote:
>At 06:01 PM 10/23/2003, Garance A Drosihn wrote:
>
>> I do not think that the correct solution is to rotate
>> the files at an even faster rate.
>
>Running newsyslog doesn't ALWAYS rotate the log

Uh, yeah, I know.  I'm the one who has been writing updates to
newsyslog for the past year.  I am pretty familiar with it.  What
I meant was that in circumstances where "once per hour" is not
fast enough, then I do not believe the right solution is to rotate
files every five minutes.  Just MO.
The main point of my message was just to say that you're going to
cause other problems by running newsyslog so often, so you need to
come up with some better solution.

>> Just how large is /var on the machine where you're
>> seeing this problem?
>
>On the machine from which I took those messages, it's 256M.

Well, it is certainly a problem if you're getting enough messages
to fill that up that quickly.  From the details you gave in your
original message, it *may* be that the thing to do is to change
bind so:

    sysquery: no addrs found for root NS (ns0.opennic.glue)
    sysquery: no addrs found for root NS (ns1.opennic.glue)
    sysquery: no addrs found for root NS (ns2.opennic.glue)

is collapsed into:

    sysquery: no addrs found for root NS (ns*.opennic.glue)

and then syslogd's standard handling of "multiple lines" would
come into play.  Of course, that isn't really a great solution
either.

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
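The collapsing idea in the message above, illustrated as an added example that is not part of the original thread or of bind/syslogd: the sample log lines are constructed, `collapse_ns` is a hypothetical stand-in for the suggested change to bind, and `squash_repeats` is a simplified model of syslogd's consecutive-duplicate suppression (no flush timer), used here only to show why the varying hostnames defeat it and the collapsed form does not.

```python
import re

# Constructed sample of the bind messages quoted in the thread, cycling through
# three hostnames so that no two consecutive lines are identical.
SAMPLE_LOG = [
    "sysquery: no addrs found for root NS (ns0.opennic.glue)",
    "sysquery: no addrs found for root NS (ns1.opennic.glue)",
    "sysquery: no addrs found for root NS (ns2.opennic.glue)",
] * 3

# Hypothetical normaliser standing in for the proposed change to bind:
# fold nsN.opennic.glue into ns*.opennic.glue so the lines become identical.
NS_RE = re.compile(r"\(ns\d+\.opennic\.glue\)")


def collapse_ns(line):
    """Return the line with the numbered root-NS hostname wildcarded."""
    return NS_RE.sub("(ns*.opennic.glue)", line)


def squash_repeats(lines):
    """Simplified model of syslogd duplicate suppression: emit a message once,
    then one 'last message repeated N times' marker for identical lines that
    follow it consecutively.  Non-consecutive duplicates are not suppressed."""
    out = []
    last = None
    count = 0
    for line in lines:
        if line == last:
            count += 1
            continue
        if count:
            out.append("last message repeated %d times" % count)
        out.append(line)
        last = line
        count = 0
    if count:
        out.append("last message repeated %d times" % count)
    return out


if __name__ == "__main__":
    # Varying hostnames: nothing is suppressed, every line hits /var/log.
    print(len(squash_repeats(SAMPLE_LOG)), "lines written unchanged")
    # Collapsed hostnames: one line plus one repeat marker.
    for line in squash_repeats([collapse_ns(l) for l in SAMPLE_LOG]):
        print(line)
```

Against the 9 constructed lines the unchanged log is written in full, while the collapsed form reduces to the message and a single "last message repeated 8 times" marker.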