From owner-freebsd-security@FreeBSD.ORG Mon Feb 20 15:53:33 2012
Date: Mon, 20 Feb 2012 07:53:32 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Cc: Dag-Erling Smørgrav, Sergey Kandaurov, Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: periodic security run output gives false positives after 1 year
In-Reply-To: <86fwe5blm6.fsf@ds4.des.no>
References: <20120217120034.201EB106574C@hub.freebsd.org> <20120217152400.261AC106564A@hub.freebsd.org> <20120217194851.D76DE1065670@hub.freebsd.org> <4F3EE1C9.4030601@quip.cz> <20120217235620.4BEF4106566B@hub.freebsd.org> <4F3EFA8B.50002@quip.cz> <86fwe5blm6.fsf@ds4.des.no>
Message-Id: <20120220155333.8443D1065676@hub.freebsd.org>

> The correct format is "2012-02-20T01:23:45.6789+01:00"

You guys are aware that RFC 5424 is a proposed standard, I trust? By being "proposed" it is not a standard, at least not yet.
Perhaps the differences in human-readability of the proposed timestamp, or the fact that it has variable field types and lengths, are part of the reason why it has not been ratified.

Other parts of this particular RFC bring its trustworthiness into question. In particular, the quote "Research during creation of this document showed that there is very little in common between different syslog implementations on different platforms." comes with no detail on the so-called "research" methodology. In my own experience syslog timestamps are identical across FreeBSD, CentOS, Debian, Ubuntu and Solaris, which represent well over 99% of the installed base.

Regarding backwards compatibility, I'd be interested in knowing how many systems, how many logs and how many log-parsing applications those proposing the change are responsible for. I would not be surprised if, like others proposing to deprecate long-used Unix standards, those advocating the change are not the ones whose workloads or budgets would be impacted.

Roger
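To make the format comparison in this thread concrete, here is an added example (not code from the mail, its author, or FreeBSD) that parses both the RFC 5424 timestamp quoted above, with its optional fractional seconds and zone offset, and the traditional fixed-width BSD "Mmm dd hh:mm:ss" stamp, which carries neither a year nor a zone. The sample stamps are constructed, and the rule that assigns a year to the BSD stamp is an assumption of the example, not any tool's documented behaviour.

```python
"""Parsing the two syslog timestamp styles discussed in this thread.

Added example, not from the mail or from FreeBSD's syslogd.  The stamps
used below are constructed; the year-inference rule in parse_bsd() is one
reasonable choice, not the documented behaviour of any particular tool.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 TIMESTAMP: YYYY-MM-DDTHH:MM:SS, an optional fraction of 1-6
# digits, then "Z" or a +hh:mm/-hh:mm offset.  Both optional parts change
# the field length, which is the variability the mail objects to.
RFC5424_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,6}))?(?P<tz>Z|[+-]\d{2}:\d{2})$"
)

# Traditional BSD syslog timestamp ("Mmm dd hh:mm:ss"): fixed width, with
# no year and no zone, so the reader has to supply both.
BSD_RE = re.compile(
    r"^(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?P<day>[ 0-3]\d) (?P<time>\d{2}:\d{2}:\d{2})$"
)
MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}


def parse_rfc5424(ts):
    """Return an aware datetime for an RFC 5424 TIMESTAMP string."""
    m = RFC5424_RE.match(ts)
    if m is None:
        raise ValueError("not an RFC 5424 timestamp: %r" % ts)
    base = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    # Right-pad the fraction so "6789" means 678900 microseconds.
    micros = int((m["frac"] or "0").ljust(6, "0"))
    if m["tz"] == "Z":
        tz = timezone.utc
    else:
        sign = 1 if m["tz"][0] == "+" else -1
        hours, minutes = (int(x) for x in m["tz"][1:].split(":"))
        tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    return base.replace(microsecond=micros, tzinfo=tz)


def parse_bsd(ts, now):
    """Return a datetime for a BSD-style stamp, borrowing year and zone from
    `now` (an aware datetime).  A result later than `now` cannot be right,
    so it is pushed back one year (assumed rule; Feb 29 is not special-cased)."""
    m = BSD_RE.match(ts)
    if m is None:
        raise ValueError("not a BSD syslog timestamp: %r" % ts)
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    dt = datetime(now.year, MONTHS[m["mon"]], int(m["day"]),
                  hour, minute, second, tzinfo=now.tzinfo)
    if dt > now:
        dt = dt.replace(year=now.year - 1)
    return dt


def parse_syslog_timestamp(ts, now):
    """Dispatch on the format; return (style, datetime)."""
    if RFC5424_RE.match(ts):
        return "rfc5424", parse_rfc5424(ts)
    return "bsd", parse_bsd(ts, now)


if __name__ == "__main__":
    # Constructed sample stamps; `now` is this mail's Date: header in UTC.
    now = parse_rfc5424("2012-02-20T15:53:32Z")
    for stamp in ("2012-02-20T01:23:45.6789+01:00",   # from the quoted reply
                  "2012-02-20T01:23:45Z",             # same format, shorter
                  "Feb 20 07:53:32",                  # BSD style, same day
                  "Dec 31 23:59:59"):                 # BSD style, previous year
        style, dt = parse_syslog_timestamp(stamp, now)
        print("%-32s %-8s %s" % (stamp, style, dt.isoformat()))
```

The two regexes make the difference visible: the RFC 5424 stamp can be anywhere from 20 to 32 characters and has to be parsed field by field, while the BSD stamp is always 15 characters but cannot be placed in time without a reference date supplied from outside the log line.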