Date:      Thu, 16 Feb 2012 14:01:24 -0500
From:      Glen Barber <glen.j.barber@gmail.com>
To:        Miroslav Lachman <000.fbsd@quip.cz>
Cc:        freebsd-security@freebsd.org
Subject:   Re: periodic security run output gives false positives after 1 year
Message-ID:  <20120216190124.GB1989@schism.local>
In-Reply-To: <4F3D441A.4040303@quip.cz>
References:  <4F3D3722.2000904@quip.cz> <20120216172652.GA1989@schism.local> <4F3D441A.4040303@quip.cz>

On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote:
> Glen Barber wrote:
> > On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
> >> Hi,
> >>
> >> I have seen it many times before, but never took the time to post about it.
> >>
> >> Scripts in /etc/periodic are grepping logs for yesterday's date, but
> >> without specifying the year (because some logs do not have the year logged).
> >>
> >> This results in false positive alerts in security e-mails from our
> >> lightly loaded servers, where logs are not rotated often enough.
> >>
> >> For example /var/log/auth.log is 62KB (838 lines) and contains entries
> >> for almost 2 years.
> >>
> >> Today I got the following alert:
> >>
> >> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
> >> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
> >> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
> >> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
> >>
> >> (hostname and IP are replaced by X)
> >>
> >> But looking into auth.log I found zero entries from yesterday - the Feb 15
> >> entries were logged 1 year ago!
> >>
> >> So I propose to set all daemons / syslog to log the year too (as %Y) and
> >> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b
> >> %e %Y"` in the periodic scripts.
> >>
> >> The affected scripts are:
> >> 460.status-mail-rejects
> >> 470.status-named
> >> 800.loginfail
> >> 900.tcpwrap
> >>
> >> Maybe some others; I did just a quick grep -rsn 'date -v-1d'
> >> /etc/periodic and I don't know the logic used in the other scripts to get
> >> yesterday's messages.
> >>
> >> What do you think about it?
> >>
> >
> > Rotating the appropriate logs daily/weekly/monthly/whatever will silence
> > these false alarms.
> 
> My post was not about "how can I fix it locally", but what should be done 
> in the FreeBSD distribution, because these false alerts were made by the 
> default FreeBSD configuration (a coincidence of newsyslog settings, 
> periodic scripts and log format)
> 

IMHO, this isn't something the FreeBSD installation can "guess" as a
suitable default, but up to the administrator to define what is
appropriate for their system.

Glen
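The false positive described in the thread, as an added example that is not part of the original messages nor of FreeBSD's /etc/periodic scripts. The log lines are constructed (192.0.2.x is the documentation address range); the grep is modelled on the day-prefix matching the thread describes, not copied from 800.loginfail. The year-bearing log layout ("Feb 15 2011 22:36:03 ...") is an assumption chosen to line up with the proposed `date -v-1d "+%b %e %Y"` prefix, since the thread does not settle on one, and the GNU `date -d yesterday` fallback is added only so the script also runs on Linux.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeBSD's /etc/periodic.
# Reproduces the false positive: a day-only "yesterday" prefix matches
# year-old lines in an unrotated auth.log, a day+year prefix does not.

# "Yesterday" as the periodic scripts compute it (BSD date -v-1d), with a
# GNU date fallback so the example runs on Linux too.  $1 is the format.
yesterday() {
    date -v-1d "+$1" 2>/dev/null || date -d yesterday "+$1"
}

# Constructed log in the default syslog layout: month, day, time, no year.
# The "Invalid user" lines are meant to be a year older than the rest,
# which nothing in the line itself can tell you.
write_yearless_log() {
    cat > "$1" <<'EOF'
Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Feb 15 22:50:57 host sshd[89852]: Invalid user student from 192.0.2.10
Feb 14 09:12:00 host sshd[12345]: Accepted publickey for ops from 192.0.2.20 port 50122 ssh2
Feb 15 08:01:10 host sshd[20101]: Accepted publickey for ops from 192.0.2.20 port 50455 ssh2
EOF
}

# The same constructed events with the year logged.  The layout
# "%b %e %Y %T" is an assumption for this example, picked to match the
# proposed date -v-1d "+%b %e %Y" prefix; the thread does not fix one.
write_yearful_log() {
    cat > "$1" <<'EOF'
Feb 15 2011 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 2011 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Feb 15 2011 22:50:57 host sshd[89852]: Invalid user student from 192.0.2.10
Feb 14 2012 09:12:00 host sshd[12345]: Accepted publickey for ops from 192.0.2.20 port 50122 ssh2
Feb 15 2012 08:01:10 host sshd[20101]: Accepted publickey for ops from 192.0.2.20 port 50455 ssh2
EOF
}

# Number of "Invalid user" lines in log $1 whose timestamp starts with the
# "yesterday" prefix $2.  grep -c prints 0 and exits 1 on no match, so the
# exit status is neutralised to keep the function usable under set -e.
count_login_failures() {
    grep -c "^$2.*Invalid user" "$1" || true
}

# Walk through both logs with both kinds of prefix.
demo() {
    tmp=$(mktemp) || exit 1
    write_yearless_log "$tmp"
    echo "day-only 'Feb 15 ' on year-less log:      $(count_login_failures "$tmp" 'Feb 15 ') failures (all a year old)"
    write_yearful_log "$tmp"
    echo "day+year 'Feb 15 2012' on year-bearing log: $(count_login_failures "$tmp" 'Feb 15 2012') failures"
    echo "day+year 'Feb 15 2011' on year-bearing log: $(count_login_failures "$tmp" 'Feb 15 2011') failures"
    rm -f "$tmp"
}

# On a real system the prefix would come from yesterday(), e.g.
#   count_login_failures /var/log/auth.log "$(yesterday '%b %e ')"
demo
```

The first call reports three failures for "Feb 15 " even though, as in the original report, none of them happened yesterday; the day+year prefix reports zero for 2012 and three for 2011, which is the distinction the proposal is after. It only works because the second log carries a year; against the default year-less layout a year-aware prefix would match nothing at all, so the format change and the prefix change have to go together.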




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120216190124.GB1989>