From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Mon, 20 Feb 2012 18:57:48 +0100
To: Gary Palmer
Cc: freebsd-security@freebsd.org, Glen Barber
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <4F42899C.1000408@quip.cz>
In-Reply-To: <20120220145348.GD78733@in-addr.com>
References: <4F3D3722.2000904@quip.cz> <20120216172652.GA1989@schism.local> <4F3D441A.4040303@quip.cz> <20120216190124.GB1989@schism.local> <20120220145348.GD78733@in-addr.com>

Gary Palmer wrote:
> On Thu, Feb 16, 2012 at 02:01:24PM -0500, Glen Barber wrote:
>> On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote:
>>> Glen Barber wrote:
>>>> On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
>>>>> Hi,
>>>>>
>>>>> I have seen it many times before, but never took the time to post about it.
>>>>>
>>>>> Scripts in /etc/periodic are grepping logs for yesterday's date, but
>>>>> without specifying the year (because some logs do not have the year logged).
>>>>>
>>>>> This results in false positive alerts in security e-mails from our
>>>>> lightly loaded servers, where logs are not rotated often enough.
>>>>>
>>>>> For example /var/log/auth.log is 62KB (838 lines) and contains entries
>>>>> for almost 2 years.
>>>>>
>>>>> Today I got the following alert:
>>>>>
>>>>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>>>>
>>>>> (hostname and IP are replaced by X)
>>>>>
>>>>> But looking into auth.log I found zero entries from yesterday - the Feb 15
>>>>> entries were logged 1 year ago!
>>>>>
>>>>> So I propose to set all daemons / syslog to log the year too (as %Y) and
>>>>> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
>>>>> in the periodic scripts.
>>>>>
>>>>> The affected scripts are:
>>>>> 460.status-mail-rejects
>>>>> 470.status-named
>>>>> 800.loginfail
>>>>> 900.tcpwrap
>>>>>
>>>>> Maybe some others; I did just a quick grep -rsn 'date -v-1d' /etc/periodic
>>>>> and I don't know the logic used in other scripts to get yesterday's messages.
>>>>>
>>>>> What do you think about it?
>>>>>
>>>>
>>>> Rotating the appropriate logs daily/weekly/monthly/whatever will silence
>>>> these false alarms.
>>>
>>> My post was not about "how can I fix it locally", but what should be done
>>> in the FreeBSD distribution, because these false alerts were made by the
>>> default FreeBSD configuration (a coincidence of newsyslog settings,
>>> periodic scripts and log format).
>>>
>> IMHO, this isn't something the FreeBSD installation can "guess" as a
>> suitable default, but up to the administrator to define what is
>> appropriate for their system.
>
> Whether or not the administrator tunes their setup to meet their
> requirements, the default newsyslog.conf should not allow these
> alerts to happen by enforcing a minimum of 1 roll over per year.
>
> Miroslav, please file a bug report requesting newsyslog.conf be updated
> to mitigate this problem.

PR submitted as conf/165331, but 1 roll over per year will not fix it.

As I wrote in another message in this thread, the script 800.loginfail is
reading all archived logs on disk:

catmsgs() {
    # rotated auth.log files modified within the last two days,
    # oldest rotation number first, so output stays in chronological order
    find ${LOG} -name 'auth.log.*' -mtime -2 |
        sort -t. -r -n -k 2,2 |
        while read f
        do
            case $f in
                *.gz) zcat -f $f;;
                *.bz2) bzcat -f $f;;
            esac
        done
    # the current (unrotated) log is always read in full
    [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}

The fix must ensure that there will not be any file (including compressed)
with entries older than 364 days.

Miroslav Lachman
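The false positive discussed in this thread, reproduced on a constructed auth.log as an added example (this is not code from FreeBSD's periodic scripts or from anyone in the thread): the year-less prefix match, the year-qualified match Miroslav proposes, and an awk filter that keeps only entries after the last month wrap-around for logs that still carry no year. The sample log lines, the year-stamped log layout and the fixed "yesterday" string are assumptions.

```shell
#!/bin/sh
# Added example, not code from FreeBSD's /etc/periodic scripts. The logs below
# are constructed; the year-stamped layout is an assumption; "yesterday" is a
# fixed string instead of `date -v-1d` so this runs on any POSIX sh.

# Year-less auth.log (default syslog format). The two "Invalid user" lines are
# from Feb 15 of the previous year; Dec -> Jan marks the year boundary.
YEARLESS='Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Dec 31 23:59:00 host sshd[90000]: Accepted publickey for admin from 192.0.2.20
Jan  3 09:12:00 host sshd[91000]: Accepted publickey for admin from 192.0.2.20
Feb 16 08:00:00 host sshd[92000]: Accepted publickey for admin from 192.0.2.20'

# The same log with the year logged, as proposed in the thread (%Y).
WITHYEAR='Feb 15 2011 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 2011 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Dec 31 2011 23:59:00 host sshd[90000]: Accepted publickey for admin from 192.0.2.20
Jan  3 2012 09:12:00 host sshd[91000]: Accepted publickey for admin from 192.0.2.20
Feb 16 2012 08:00:00 host sshd[92000]: Accepted publickey for admin from 192.0.2.20'

# Mimic the periodic script: count "Invalid user" lines whose timestamp starts
# with the prefix $2. grep -c prints 0 but exits 1 on no match, hence || true.
count_invalid() {
    printf '%s\n' "$1" | grep -c "^$2.*Invalid user" || true
}

# Mitigation for logs that still lack a year: keep only the lines after the
# last point where the month number went backwards (the newest year segment).
last_year_segment() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= n; i++) idx[m[i]] = i; prev = 0 }
        ($1 in idx) { if (idx[$1] < prev) buf = ""; prev = idx[$1] }
        { buf = buf $0 "\n" }
        END { printf "%s", buf }'
}

stale_hits()  { count_invalid "$YEARLESS" "Feb 15 "; }    # unmodified pattern: 2 false positives
year_hits()   { count_invalid "$WITHYEAR" "Feb 15 2012"; } # year-qualified pattern: 0
recent_hits() { count_invalid "$(last_year_segment "$YEARLESS")" "Feb 15 "; } # wrap filter: 0

printf 'unmodified: %s  year-qualified: %s  wrap-filtered: %s\n' \
    "$(stale_hits)" "$(year_hits)" "$(recent_hits)"
```

The wrap filter only helps when the log actually crosses a month boundary between the stale and the current entries; entries exactly one year apart with nothing logged in between remain indistinguishable without a year in the timestamp.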