From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 19:30:30 2012
From: Sergey Kandaurov
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-security@freebsd.org
Date: Thu, 16 Feb 2012 22:08:31 +0300
In-Reply-To: <4F3D3722.2000904@quip.cz>
Subject: Re: periodic security run output gives false positives after 1 year

2012/2/16 Miroslav Lachman <000.fbsd@quip.cz>:
> Hi,
>
> I have seen it many times before, but never took the time to post about it.
>
> Scripts in /etc/periodic are grepping logs for yesterday's date, but without
> specifying the year (because some logs do not have the year logged).
>
> This results in false positive alerts in security e-mails from our lightly
> loaded servers, where logs are not rotated often enough.
>
> For example /var/log/auth.log is 62KB (838 lines) and contains entries for
> almost 2 years.
>
> Today I got the following alert:
>
> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>
> (hostname and IP are replaced by X)
>
> But looking into auth.log I found zero entries from yesterday; the Feb 15
> entries were logged 1 year ago!
>
> So I propose to set all daemons / syslog to log the year too (as %Y) and change
> yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in
> the periodic scripts.
>
> The affected scripts are:
> 460.status-mail-rejects
> 470.status-named
> 800.loginfail
> 900.tcpwrap
>
> Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodic
> and I don't know the logic used in the other scripts to get yesterday's
> messages.
>
> What do you think about it?
>

This is how the traditional BSD syslog was designed (and standardized by
RFC 3164). It has a timestamp of fixed format: "Mmm dd hh:mm:ss".
In the IETF this RFC is marked obsolete and replaced with RFC 5424, which
uses a different timestamp format in ISO 8601 form.
FreeBSD doesn't implement 5424 yet. An almost complete implementation was
done in NetBSD in that regard in 2008. Before the RFC 5424 changes, NetBSD
had pretty similar syslogd source, so if one could analyze and port those
changes to FreeBSD, that would be pretty nice.

-- 
wbr,
pluknet