From owner-freebsd-security@FreeBSD.ORG Thu Feb 16 17:49:44 2012
Date: Thu, 16 Feb 2012 12:26:52 -0500
From: Glen Barber <glen.j.barber@gmail.com>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year
Message-ID: <20120216172652.GA1989@schism.local>
In-Reply-To: <4F3D3722.2000904@quip.cz>
X-Operating-System: FreeBSD 10.0-CURRENT amd64
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: "Security issues [members-only posting]"

On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
> Hi,
>
> I have seen it many times before, but never took the time to post about it.
>
> Scripts in /etc/periodic are grepping logs for yesterday's date, but
> without specifying the year (because some logs do not have the year logged).
>
> This results in false positive alerts in security e-mails from our
> lightly loaded servers, where logs are not rotated often enough.
>
> For example /var/log/auth.log is 62KB (838 lines) and contains entries
> for almost 2 years.
>
> Today I got the following alert:
>
> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>
> (hostname and IP are replaced by X)
>
> But looking into auth.log I found zero entries from yesterday - the Feb 15
> entries were logged 1 year ago!
>
> So I propose to set all daemons / syslog to log the year too (as %Y) and
> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
> in the periodic scripts.
>
> The affected scripts are:
> 460.status-mail-rejects
> 470.status-named
> 800.loginfail
> 900.tcpwrap
>
> Maybe some others; I did just a quick grep -rsn 'date -v-1d' /etc/periodic
> and I don't know the logic used in other scripts to get yesterday's messages.
>
> What do you think about it?
>

Rotating the appropriate logs daily/weekly/monthly/whatever will silence these false alarms.

Glen
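The false positive Miroslav describes, reproduced as an added example that is not from the thread or from FreeBSD's periodic scripts. It models the grep that 800.loginfail performs on a constructed, unrotated auth.log (the exact grep in the real script is an assumption), then shows what the proposed year-qualified pattern does, including the case where only the pattern, and not the log, carries the year.

```sh
#!/bin/sh
# Added example: not from the thread or from FreeBSD's periodic scripts.
# Models the grep in 800.loginfail against a constructed, unrotated auth.log.

# Write two constructed sample logs: $1 in traditional syslog format (no
# year), $2 with the year added as the thread proposes (%b %e %Y).
# Hostname and addresses are placeholders.
write_sample_logs() {
    printf '%s\n' \
        'Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10' \
        'Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10' \
        'Feb 16 08:01:12 host sshd[1234]: Accepted publickey for ops from 192.0.2.20' \
        > "$1"
    printf '%s\n' \
        'Feb 15 2011 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10' \
        'Feb 15 2011 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10' \
        'Feb 16 2012 08:01:12 host sshd[1234]: Accepted publickey for ops from 192.0.2.20' \
        > "$2"
}

# What the periodic script effectively does: count lines whose timestamp
# starts with the "yesterday" prefix and that report an invalid user.
# $1 = log file, $2 = prefix string (the script's $yesterday).
count_invalid_users() {
    grep -c "^$2.*Invalid user" "$1" || true   # grep -c exits 1 on zero matches
}

LOG_NOYEAR=$(mktemp); LOG_YEAR=$(mktemp)
trap 'rm -f "$LOG_NOYEAR" "$LOG_YEAR"' EXIT
write_sample_logs "$LOG_NOYEAR" "$LOG_YEAR"

# Values `date -v-1d "+%b %e "` and `date -v-1d "+%b %e %Y"` produce when the
# script runs on 16 Feb 2012 (hardcoded here: -v is BSD date syntax).
YESTERDAY_NOYEAR='Feb 15 '
YESTERDAY_YEAR='Feb 15 2012'

# 1) Current pattern on an unrotated log: the year-old entries match -> 2 false positives.
echo "no year, unrotated log:  $(count_invalid_users "$LOG_NOYEAR" "$YESTERDAY_NOYEAR")"
# 2) Year in both log and pattern: the 2011 entries no longer match -> 0.
echo "year in log and pattern: $(count_invalid_users "$LOG_YEAR" "$YESTERDAY_YEAR")"
# 3) Year in the pattern but not in the log: also 0, but only because nothing
#    can match any more; real failures would silently vanish from the report.
echo "year in pattern only:    $(count_invalid_users "$LOG_NOYEAR" "$YESTERDAY_YEAR")"
```

Case 3 is why the two halves of the proposal (year in the log format and year in the pattern) have to be deployed together; rotating the log often enough, as Glen suggests, avoids the problem without touching either.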