From owner-freebsd-bugs Sun Mar 14 12:20:15 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
    by hub.freebsd.org (Postfix) with ESMTP id 084F614F34
    for ; Sun, 14 Mar 1999 12:20:13 -0800 (PST)
    (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.9.2/8.9.2) id MAA16045;
    Sun, 14 Mar 1999 12:20:01 -0800 (PST)
    (envelope-from gnats@FreeBSD.org)
Received: from niobe.ewox.org (ppp044.uio.no [129.240.240.45])
    by hub.freebsd.org (Postfix) with ESMTP id 3EDFE14EF6
    for ; Sun, 14 Mar 1999 12:16:45 -0800 (PST)
    (envelope-from des@niobe.ewox.org)
Received: (from des@localhost)
    by niobe.ewox.org (8.9.3/8.9.1) id UAA91122;
    Sun, 14 Mar 1999 20:38:24 +0100 (CET)
    (envelope-from des)
Message-Id: <199903141938.UAA91122@niobe.ewox.org>
Date: Sun, 14 Mar 1999 20:38:24 +0100 (CET)
From: des@flood.ping.uio.no
Reply-To: des@flood.ping.uio.no
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: misc/10589: Incorrect assumptions in /etc/security
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 10589
>Category: misc
>Synopsis: Incorrect assumptions in /etc/security
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 14 12:20:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Dag-Erling Smørgrav
>Release: FreeBSD 4.0-CURRENT i386
>Organization:
>Environment:

All FreeBSD releases since 2.2.7

>Description:

/etc/security makes at least two assumptions about /var/log/messages:

- that it is rotated daily; since it is normally only rotated when it
  reaches 100 kB, /etc/security will report certain items (login
  failures, refused connections) repeatedly until the log is rotated.
  I have a box which has been screaming about the same old login
  failures for more than two weeks.
- that it contains all log messages from the preceding 24 hours. Since
  the log file can be rotated at any time, perhaps only seconds before
  /etc/security is run, it is entirely possible for /etc/security to
  never report anything at all. For instance, if newsyslog.conf is
  modified so that /var/log/messages is rotated daily (perhaps in an
  attempt to fix the problem described above), and a default
  /etc/crontab is used (which runs the daily maintenance scripts at
  2 am every morning), the security check will only report login
  failures and refused connections which occur between 12 am and 2 am
  every morning.

>How-To-Repeat:

Leave your computer on for a few days. Read root mail.

>Fix:

The solution is left as an exercise to the reader.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
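Added example, not part of the original problem report and not FreeBSD's /etc/security: one way to avoid both assumptions is to select entries by the date stamped on each line and to read the rotated log together with the current one. The function names, the messages.0 file name and the log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the FreeBSD /etc/security script.
# Assumptions: rotated log is named messages.0 (optionally .gz); function names are hypothetical.

# cat_logs FILE...: print logs oldest first, decompressing *.gz, skipping missing files.
cat_logs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# failures_for_day PREFIX FILE...: login failures and refused connections whose
# syslog timestamp starts with PREFIX (e.g. "Mar 13", or "Mar  1" with a padded day).
# On FreeBSD, yesterday's prefix can be produced with: date -v-1d '+%b %e'
failures_for_day() {
    prefix=$1; shift
    cat_logs "$@" | awk -v p="$prefix" \
        'substr($0, 1, length(p)) == p && tolower($0) ~ /login failure|refused connect/'
}

# make_sample DIR: constructed log lines; rotation happened at midnight on Mar 14.
make_sample() {
    cat > "$1/messages.0" <<'EOF'
Mar  1 09:15:44 host login: 3 LOGIN FAILURES ON ttyv0
Mar 13 08:02:11 host login: 1 LOGIN FAILURE ON ttyv1
Mar 13 23:58:40 host ftpd[411]: refused connect from 192.0.2.7
EOF
    cat > "$1/messages" <<'EOF'
Mar 14 00:30:05 host login: 2 LOGIN FAILURES ON ttyv0
Mar 14 01:10:00 host syslogd: restart
EOF
}

# Demo: the 2 am run on Mar 14 reports Mar 13 only, once, from both files.
d=$(mktemp -d)
make_sample "$d"
failures_for_day "Mar 13" "$d/messages.0" "$d/messages"
rm -rf "$d"
```

Syslog timestamps of this form carry no year, so the prefix also matches the same date in an earlier year if logs that old are still among the files passed in.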