Date:      Fri, 17 Feb 2012 13:24:32 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Gregory Orange <gregory.orange@calorieking.com>
Cc:        freebsd security <freebsd-security@freebsd.org>
Subject:   Re: periodic security run output gives false positives after 1 year
Message-ID:  <4F3E4700.1080206@quip.cz>
In-Reply-To: <4F3E0307.3010909@calorieking.com>
References:  <4F3D3722.2000904@quip.cz> <4F3E0307.3010909@calorieking.com>

I re-added the list to CC.

Gregory Orange wrote:
> Hi Miroslav,
> I don't know if this message really contributes anything to the list, so
> I'll email you directly.
>
> On 17/02/12 01:04, Miroslav Lachman wrote:
>> I have seen it many times before, but never took the time to post about it.
>
> Well, thank you for posting it. I'm fairly new to BSD admin (GNU/Linux
> for a few years prior), and generally to being the main person
> responsible for security.

I am really glad to see that my post helped somebody.

>> But looking into auth.log I found zero entries from yesterday - the Feb 15
>> entries were logged 1 year ago!
>
> We've been concerned by some auth.log entries for a week or two, and
> only after reading your message and taking a closer look at the context
> of the logs did I think of that possibility. It's exactly my issue!

Be aware that setting a shorter time (or a lower file size) for log rotation 
is not enough. The script 800.loginfail reads all available rotated 
compressed logs. So even if you rotate more often, you will still get 
false positive alerts if some 1 year old entries are stored on disk in 
/var/log/auth.log.X.bz2 files.

The default setting in newsyslog.conf is

/var/log/auth.log         600  7     500  *     JC

This means 7 old compressed archives, each taken after the original log 
reaches 500kB in size. So it can contain more than 10 years of history on 
the server I mentioned.

Until FreeBSD logs dates in a format that includes the year, you must do 
something to be sure that none of the files in /var/log hold entries older 
than 364 days.

Cheers,
Miroslav Lachman
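A check for the condition described above, added here as an example and not part of the original mail or of FreeBSD's periodic scripts: it lists rotated, compressed auth.log archives whose modification time (roughly the time of their last entry) is older than the given number of days, i.e. the files that 800.loginfail would still read and misdate. The directory and threshold arguments, and the function names, are assumptions for this example.

```sh
#!/bin/sh
# Added example, not from the original mail. FreeBSD syslog lines carry no
# year, so 800.loginfail cannot tell last year's "Feb 15" from this year's.
# This lists auth.log archives whose mtime is more than $days days old;
# everything in such a file predates the window the periodic script assumes.
stale_auth_archives() {
    dir="${1:-/var/log}"   # assumption: default to the system log directory
    days="${2:-364}"       # assumption: the 364-day limit named in the mail
    # -mtime +N matches files modified more than N whole days ago.
    find "$dir" -maxdepth 1 -name 'auth.log.*.bz2' -mtime "+$days" 2>/dev/null | sort
}

# Number of stale archives, convenient for a monitoring check or cron mail.
stale_auth_archive_count() {
    stale_auth_archives "$@" | wc -l | tr -d ' '
}

# Example run (uncomment on a live system):
# stale_auth_archives /var/log 364
```

The archive's mtime marks its newest entry, so the youngest file this reports is not the last one to worry about: the next newer archive begins where this one was rotated and can still hold lines older than the threshold.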
