From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 12:24:35 2012
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Fri, 17 Feb 2012 13:24:32 +0100
Message-ID: <4F3E4700.1080206@quip.cz>
To: Gregory Orange
Cc: freebsd security
Subject: Re: periodic security run output gives false positives after 1 year
In-Reply-To: <4F3E0307.3010909@calorieking.com>
References: <4F3D3722.2000904@quip.cz> <4F3E0307.3010909@calorieking.com>

I re-added the list to CC.

Gregory Orange wrote:
> Hi Miroslav,
> I don't know if this message really contributes anything to the list, so
> I'll email you directly.
>
> On 17/02/12 01:04, Miroslav Lachman wrote:
>> I've seen it many times before, but never took the time to post about it.
>
> Well, thank you for posting it. I'm fairly new to BSD admin (GNU/Linux
> for a few years prior), and generally to being the main person
> responsible for security.

I am really glad to see that my post helped somebody.

>> But looking into auth.log I found zero entries from yesterday - Feb 15
>> entries were logged 1 year ago!
>
> We've been concerned by some auth.log entries for a week or two, and
> only after reading your message and taking a closer look at the context
> of the logs did I think of that possibility.

It's exactly my issue! Be aware that setting a shorter time (or a lower file size) for log rotation is not enough. Script 800.loginfail reads all available rotated compressed logs. So even if you rotate more often, you will get false positive alerts if some 1-year-old entries are stored on disk in /var/log/auth.log.X.bz2 files.

The default setting in newsyslog.conf is

/var/log/auth.log 600 7 500 * JC

This means 7 old compressed archives, taken after the original log reaches 500kB in size. So it can contain more than 10 years of history on our mentioned server.

Until FreeBSD logs dates in a format that includes the year, you must do something to be sure that none of the files in /var/log stores entries over 364 days old.

Cheers,
Miroslav Lachman
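The retention check the message asks for, as an added example that is not part of the original thread: a small POSIX sh script that lists rotated archives under a directory whose mtime is older than a cutoff (so 800.loginfail would still read year-old entries from them) and returns non-zero when any exist. The function names `stale_logs`, `check_log_retention` and `make_sample_logdir`, the temporary directory and the 2011 timestamps are assumptions constructed for the example; it assumes find(1) with `-maxdepth` and `-mtime`, which both GNU and BSD find provide.

```shell
#!/bin/sh
# Added example, not from the original thread: report rotated log archives
# old enough that 800.loginfail would still pull year-old entries from them.
# Assumes POSIX sh plus find(1) with -maxdepth/-mtime (GNU and BSD find).

# stale_logs DIR DAYS PATTERN
# Print, sorted, the regular files directly under DIR whose names match
# PATTERN and whose modification time is more than DAYS days in the past.
stale_logs() {
    find "$1" -maxdepth 1 -type f -name "$3" -mtime +"$2" | sort
}

# check_log_retention DIR DAYS PATTERN
# Print the stale archives and return 1 if any exist, 0 otherwise, so the
# function can be dropped into a periodic(8)-style daily check.
check_log_retention() {
    stale=$(stale_logs "$1" "$2" "$3")
    if [ -n "$stale" ]; then
        echo "rotated logs under $1 older than $2 days (800.loginfail still reads these):"
        printf '%s\n' "$stale" | sed 's/^/  /'
        return 1
    fi
    return 0
}

# make_sample_logdir
# Build a constructed /var/log look-alike in a temp directory so the check
# runs offline: a live auth.log, one fresh archive, and two archives whose
# timestamps are set back to early 2011 (constructed values, not real data).
make_sample_logdir() {
    d=$(mktemp -d) || return 1
    : > "$d/auth.log"
    : > "$d/auth.log.0.bz2"
    touch -t 201102150104 "$d/auth.log.1.bz2"
    touch -t 201101020304 "$d/auth.log.2.bz2"
    printf '%s\n' "$d"
}
```

Calling `check_log_retention /var/log 364 'auth.log.*'` from a daily periodic script gives the warning the author wants before the stale archives produce another false positive.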