Date:      Mon, 20 Feb 2012 18:57:48 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Gary Palmer <gpalmer@freebsd.org>
Cc:        freebsd-security@freebsd.org, Glen Barber <glen.j.barber@gmail.com>
Subject:   Re: periodic security run output gives false positives after 1 year
Message-ID:  <4F42899C.1000408@quip.cz>
In-Reply-To: <20120220145348.GD78733@in-addr.com>
References:  <4F3D3722.2000904@quip.cz> <20120216172652.GA1989@schism.local>	<4F3D441A.4040303@quip.cz> <20120216190124.GB1989@schism.local> <20120220145348.GD78733@in-addr.com>

Gary Palmer wrote:
> On Thu, Feb 16, 2012 at 02:01:24PM -0500, Glen Barber wrote:
>> On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote:
>>> Glen Barber wrote:
>>>> On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
>>>>> Hi,
>>>>>
>>>>> I have seen it many times before, but never took the time to post about it.
>>>>>
>>>>> Scripts in /etc/periodic are grepping logs for yesterday's date, but
>>>>> without specifying the year (because some logs do not have the year logged).
>>>>>
>>>>> This results in false positive alerts in security e-mails from our
>>>>> lightly loaded servers, where logs are not rotated often enough.
>>>>>
>>>>> For example /var/log/auth.log is 62KB (838 lines) and contains entries
>>>>> for almost 2 years.
>>>>>
>>>>> Today I got the following alert:
>>>>>
>>>>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>>>>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>>>>
>>>>> (hostname and IP are replaced by X)
>>>>>
>>>>> But looking into auth.log I found zero entries from yesterday - the Feb 15
>>>>> entries were logged 1 year ago!
>>>>>
>>>>> So I propose to set all daemons / syslog to log the year too (as %Y) and
>>>>> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b
>>>>> %e %Y"` in the periodic scripts.
>>>>>
>>>>> The affected scripts are:
>>>>> 460.status-mail-rejects
>>>>> 470.status-named
>>>>> 800.loginfail
>>>>> 900.tcpwrap
>>>>>
>>>>> Maybe some others; I only did a quick grep -rsn 'date -v-1d'
>>>>> /etc/periodic and I don't know the logic used in other scripts to get
>>>>> yesterday's messages.
>>>>>
>>>>> What do you think about it?
>>>>>
>>>>
>>>> Rotating the appropriate logs daily/weekly/monthly/whatever will silence
>>>> these false alarms.
>>>
>>> My post was not about "how can I fix it locally", but what should be done
>>> in the FreeBSD distribution, because these false alerts are produced by the
>>> default FreeBSD configuration (a coincidence of newsyslog settings,
>>> periodic scripts and log format).
>>>
>>
>> IMHO, this isn't something the FreeBSD installation can "guess" as a
>> suitable default, but up to the administrator to define what is
>> appropriate for their system.
>
> Whether or not the administrator tunes their setup to meet their
> requirements, the default newsyslog.conf should not allow these
> alerts to happen by enforcing a minimum of 1 roll over per year.
>
> Miroslav, please file a bug report requesting newsyslog.conf be updated
> to mitigate this problem.

PR submitted as conf/165331, but 1 rollover per year will not fix it.
As I wrote in another message in this thread, the script 800.loginfail
reads all archived logs on disk:

catmsgs() {
         # rotated archives modified within the last two days, highest
         # rotation index first, decompressed according to their suffix
         find ${LOG} -name 'auth.log.*' -mtime -2 |
             sort -t. -r -n -k 2,2 |
             while read f
             do
                 case $f in
                     *.gz)       zcat -f $f;;
                     *.bz2)      bzcat -f $f;;
                 esac
             done
         # followed by the live log itself
         [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}

The fix must ensure that there will not be any file (including 
compressed) with entries older than 364 days.

Miroslav Lachman
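The false positive discussed in this thread, reproduced with constructed log data as an added example (this is not code from FreeBSD's periodic scripts nor from the thread's author). It mimics the catmsgs() concatenation of rotated archives plus the live auth.log, then applies a "^$yesterday" grep with the yearless "%b %e " prefix that periodic(8) uses and, beside it, with a prefix carrying the year. The log lines, host names, addresses, the "Mon DD YYYY HH:MM:SS" timestamp layout used to stand in for a year-logging syslog, and the choice of Feb 15 2012 as "yesterday" are all assumptions of this demo; gzip -dc replaces the script's zcat -f, and the uncompressed fallback branch is this demo's addition.

```shell
#!/bin/sh
# Added example, not FreeBSD code: rebuild the periodic(8) false positive
# with constructed logs. "Yesterday" is taken to be Feb 15 2012; every
# "Feb 15" line written below is from 2011 (assumptions of this demo).
set -eu

# Write a throwaway log directory. $2 selects the timestamp layout:
# "noyear" is the default syslog "Mon DD HH:MM:SS" form, "year" is a
# hypothetical "Mon DD YYYY HH:MM:SS" form carrying the %Y the thread
# proposes. Both directories hold the same constructed events.
build_logdir() {
    dir=$1; layout=$2
    mkdir -p "$dir"
    if [ "$layout" = year ]; then y11=' 2011'; y12=' 2012'; else y11=''; y12=''; fi
    # Live file: one stale Feb 15 line (2011) and one genuine line from today.
    cat > "$dir/auth.log" <<EOF
Feb 15$y11 22:50:56 host sshd[89850]: Invalid user medina from 203.0.113.7
Feb 16$y12 09:12:40 host sshd[1201]: Accepted publickey for alice from 198.51.100.3 port 51022 ssh2
EOF
    # Rotated archive: modified within the last two days, so the
    # "find -mtime -2" in catmsgs() picks it up, yet its content is a year old.
    cat > "$dir/auth.log.0" <<EOF
Feb 15$y11 22:36:03 host sshd[89758]: Invalid user t1na from 203.0.113.5
EOF
    if command -v gzip >/dev/null 2>&1; then gzip -f "$dir/auth.log.0"; fi
}

# Same concatenation order as catmsgs() in 800.loginfail: recent archives
# first (highest rotation index first), then the live file.
catmsgs_like() {
    find "$1" -name 'auth.log.*' -mtime -2 |
        sort -t. -r -n -k 2,2 |
        while read -r f; do
            case $f in
                *.gz)  gzip -dc "$f";;     # the script uses zcat -f
                *.bz2) bzip2 -dc "$f";;    # the script uses bzcat -f
                *)     cat "$f";;          # demo-only fallback, not in the script
            esac
        done
    [ -f "$1/auth.log" ] && cat "$1/auth.log"
}

# Count "Invalid user" lines whose timestamp starts with the given
# "yesterday" prefix, the way the periodic check greps for "^$yesterday".
count_invalid_user() {      # $1 = log dir, $2 = prefix such as "Feb 15 "
    catmsgs_like "$1" | grep -ic "^$2.*invalid user" || true
}

demo() {
    tmp=$(mktemp -d)
    build_logdir "$tmp/noyear" noyear
    build_logdir "$tmp/year" year

    # 1. Default layout, yearless "%b %e " prefix: both 2011 lines match
    #    (one from the archive, one from the live file) and are reported
    #    as yesterday's login failures although nothing happened yesterday.
    stale=$(count_invalid_user "$tmp/noyear" 'Feb 15 ')
    # 2. Year-bearing layout with a "%b %e %Y " prefix: nothing from 2012
    #    matches, and the 2011 lines only match a 2011 prefix.
    real=$(count_invalid_user "$tmp/year" 'Feb 15 2012 ')
    old=$(count_invalid_user "$tmp/year" 'Feb 15 2011 ')

    rm -rf "$tmp"
    echo "yearless prefix: $stale false positives; with year: $real for 2012, $old for 2011"
    # → yearless prefix: 2 false positives; with year: 0 for 2012, 2 for 2011
}
demo
```

The prefix is passed in as a string so the demo runs on any sh; the real script computes it with `date -v-1d "+%b %e "` (BSD date), and note that `%e` space-pads single-digit days ("Feb  5 "), so the prefix must be used exactly as date(1) emits it. The archive contributes a stale hit even though it is "recent" by mtime, which is why a yearly rollover alone does not remove the false positive.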



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F42899C.1000408>