From owner-freebsd-security@FreeBSD.ORG Fri Feb 17 12:40:11 2012
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Sergey Kandaurov
Cc: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year
Date: Fri, 17 Feb 2012 13:40:03 +0100
Message-ID: <4F3E4AA3.8000004@quip.cz>
References: <4F3D3722.2000904@quip.cz>
List-Id: "Security issues [members-only posting]"

Sergey Kandaurov wrote:
> 2012/2/16 Miroslav Lachman <000.fbsd@quip.cz>:
>> Hi,
>>
>> I have seen this many times before, but never took the time to post about it.
>>
>> Scripts in /etc/periodic are grepping logs for yesterday's date, but without
>> specifying the year (because some logs do not have the year logged).
>>
>> This results in false positive alerts in security e-mails from our lightly
>> loaded servers, where logs are not rotated often enough.
>>
>> For example /var/log/auth.log is 62KB (838 lines) and contains entries for
>> almost 2 years.
>>
>> Today I got the following alert:
>>
>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>
>> (hostname and IP are replaced by X)
>>
>> But looking into auth.log I found zero entries from yesterday - the Feb 15
>> entries were logged 1 year ago!
>>
>> So I propose to set all daemons / syslog to log the year too (as %Y) and change
>> yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in
>> the periodic scripts.
>>
>> The affected scripts are:
>> 460.status-mail-rejects
>> 470.status-named
>> 800.loginfail
>> 900.tcpwrap
>>
>> Maybe some others; I did just a quick grep -rsn 'date -v-1d' /etc/periodic
>> and I don't know the logic used in the other scripts to get yesterday's messages.
>>
>> What do you think about it?
>>
>
> This is how the traditional BSD syslog was designed (and standardized
> by RFC 3164). It has a timestamp of fixed format: "Mmm dd hh:mm:ss".
>
> In the IETF this RFC is marked obsolete and replaced with RFC 5424 with a
> different timestamp format in ISO 8601 form. FreeBSD doesn't implement
> 5424 yet. An almost complete implementation was done in NetBSD in that
> regard in 2008. NetBSD before the RFC 5424 changes had a pretty similar
> syslogd source, so if one could analyze and port those changes to FreeBSD,
> that would be pretty nice.

Thank you for pointing this out. It would be the right step forward.
Unfortunately I am not a C developer, so I cannot port it myself.

Miroslav Lachman
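The ambiguity discussed above (an RFC 3164 timestamp carries no year, so a prefix match on the output of date -v-1d "+%b %e " cannot tell Feb 15 of last year from Feb 15 of this year) can also be resolved on the reading side, without waiting for an RFC 5424 syslogd. Because syslogd appends in time order, a reader that walks a log file from its newest line backwards, starting from a known year for that newest line (the file's mtime is a reasonable source), can decrement the year every time the calendar month/day moves forward, which can only happen across a year boundary. The following Python is an added example written for this thread; it is not code from FreeBSD's /etc/periodic scripts, the failure pattern it greps for is an assumption (the real scripts' expressions are not shown here), and the auth.log lines are constructed, modelled on the ones in the post with a year boundary added:

```python
# Added example (not FreeBSD's periodic scripts): infer the missing year in
# RFC 3164 syslog lines so that "yesterday" means yesterday, not the same
# month/day in any earlier year.  The sample log lines below are constructed.
import re
from datetime import date, timedelta

# RFC 3164 fixed timestamp "Mmm dd hh:mm:ss"; the day is space-padded (%e), hence "Mar  3".
RFC3164 = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) \d\d:\d\d:\d\d ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# What a login-failure report might look for (assumption; the real script's
# expression is not shown on this page).
FAILURE = re.compile(r"Invalid user|Failed password|login failure", re.IGNORECASE)

# Constructed /var/log/auth.log spanning a year boundary: the two Feb 15 lines
# are from 2011 and the last line from 2012, but nothing in the text says so.
SAMPLE_AUTH_LOG = """\
Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Mar  3 10:01:11 host sshd[1201]: Accepted publickey for alice from 192.0.2.20 port 51000 ssh2
Dec 31 23:59:58 host sshd[3000]: Failed password for root from 192.0.2.30 port 4022 ssh2
Jan  1 00:00:04 host sshd[3002]: Invalid user guest from 192.0.2.30
Feb 16 08:12:45 host sshd[2201]: Invalid user admin from 198.51.100.7
""".splitlines()


def naive_yesterday_hits(lines, today_iso):
    """The periodic-script approach: prefix-match the output of date -v-1d "+%b %e "."""
    yesterday = date.fromisoformat(today_iso) - timedelta(days=1)
    prefix = f"{yesterday:%b} {yesterday.day:>2} "       # e.g. "Feb 15 " or "Mar  3 "
    return [l for l in lines if l.startswith(prefix) and FAILURE.search(l)]


def assign_years(lines, end_year):
    """Return [(date, line)] with a year attached to every RFC 3164 line.

    syslogd appends in time order, so walking the file from newest to oldest the
    (month, day) can only move forward when a year boundary is crossed.  The
    newest line's year is supplied by the caller (file mtime is a good source).
    Assumes no silent gap of a year or more between consecutive lines, and will
    raise ValueError on "Feb 29" if the inferred year is not a leap year.
    """
    dated, year, newer = [], end_year, None
    for line in reversed(lines):
        m = RFC3164.match(line)
        if not m:
            continue  # continuation line or another format; skip it
        md = (MONTHS[m.group("mon")], int(m.group("day")))
        if newer is not None and md > newer:
            year -= 1
        newer = md
        dated.append((date(year, *md), line))
    dated.reverse()
    return dated


def yesterday_hits(lines, today_iso, end_year=None):
    """Year-aware version of the report: only lines dated exactly yesterday."""
    today = date.fromisoformat(today_iso)
    yesterday = today - timedelta(days=1)
    end_year = today.year if end_year is None else end_year
    return [l for d, l in assign_years(lines, end_year)
            if d == yesterday and FAILURE.search(l)]


if __name__ == "__main__":
    # Run on 2012-02-16: the naive match reports last year's Feb 15 lines,
    # the year-aware one reports nothing for 2012-02-15.
    print("naive:", naive_yesterday_hits(SAMPLE_AUTH_LOG, "2012-02-16"))
    print("year-aware:", yesterday_hits(SAMPLE_AUTH_LOG, "2012-02-16"))
```

Run on 2012-02-16 the naive prefix match returns both Feb 15 lines even though the walk-back assigns them to 2011, which is exactly the false positive reported in the thread; run on 2012-02-17 both approaches agree on the single Feb 16 line. The inference breaks if a file is quiet for more than a year between two consecutive entries (the walk-back then under-counts year boundaries), so rotating logs on a sensible schedule remains the simpler fix, and logging the year in the first place (RFC 5424 timestamps) removes the guesswork entirely.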