From owner-freebsd-questions@FreeBSD.ORG Wed Sep 2 16:54:43 2009
From: Kurt Buff
To: Mark Stapper
Cc: freebsd-questions@freebsd.org
Date: Wed, 2 Sep 2009 09:54:41 -0700
In-Reply-To: <4A9E1D63.8030101@mapper.nl>
Subject: Re: Daily security report oddity...
On Wed, Sep 2, 2009 at 00:23, Mark Stapper wrote:
> Kurt Buff wrote:
>> I got a daily security run email from one of my machines on Monday
>> morning, with the following entry:
>>
>>      zmx1.zetron.com login failures:
>>      Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
>>      Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
>>
>> What's puzzling is that this account has been completely inactive for
>> well over a year - this fellow is long gone, and I simply didn't clean
>> it up - that's my bad, but that's not the puzzling part.
>>
>> I traced it down, and found out that he had not logged in on Sunday.
>> The auth.log is, as you can see from the listing below, quite old. The
>> entries referenced above are from two years ago.
>>
>>       zmx1# ll /var/log/a*
>>       -rw-------  1 root  wheel  71845 Sep  1 15:42 /var/log/auth.log
>>       -rw-------  1 root  wheel   6087 Aug 29  2007 /var/log/auth.log.0.bz2
>>       -rw-------  1 root  wheel   5774 Aug 12  2007 /var/log/auth.log.1.bz2
>>       -rw-------  1 root  wheel   5795 Jul 24  2007 /var/log/auth.log.2.bz2
>>       -rw-------  1 root  wheel   6813 Jul  6  2007 /var/log/auth.log.3.bz2
>>
>>
>> So, a couple of questions:
>>
>> Why would the daily security run pick up something from *two years
>> ago* and only report it again today? The machine hasn't been rebooted
>> in a very long time, if that makes a difference.
>>
>> Is there any way to prevent something like this happening again - or
>> perhaps can I force the entry of the year into the date field for the
>> auth.log entries?
>>
>> Kurt
>
> Hello,
>
> If you look at the syntax of the logfile, you will see no year is listed.
> Most likely the whole file is parsed on security run. Since the logfile
> was rotated on the 30th of August 2007, it's very much possible you'll
> get all your messages all over again.
> Perhaps it's wise to rotate your logfiles once a year just in case...
> And it makes no difference that the machine hasn't been rebooted in a very
> long time... (define "very long time" ;-)
> http://uptimes-project.org/hosts/view/150 )

Heh. Well, for me a very long time is more than a year, because security
patches for the OS will at some point mandate a reboot - and usually in
less than a year.

I suppose there's a way to do auth log rotation automagically - would
that be sysutils/logrotate?

Kurt
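Mark's explanation above is the whole mechanism: FreeBSD syslog lines carry only a month and day, and the periodic security check prefix-matches yesterday's `%b %e` string (what BSD `date -v-1d "+%b %e"` prints) against every line of the file, so a log that has gone more than a year without rotation re-matches lines from the same calendar day of an earlier year. The Python script below is an added example, not code from the thread and not FreeBSD's own periodic(8) scripts: it runs that year-blind match over a constructed sample log (invented lines, not the poster's real auth.log), then shows a year-assignment pass that walks the file backwards from its last-known write date and rolls the year back at each month/day boundary, after which the 2007 entries no longer match. The names `naive_report`, `assign_years`, `dated_report` and `demo`, and the run date 2009-08-31 (the Monday after the reported Sunday), are assumptions of the example. The inference has a limit worth knowing: a gap of silence spanning a full year leaves no boundary to detect, so the dependable fix is still to rotate at least yearly, which FreeBSD's own rotator newsyslog(8) can do from /etc/newsyslog.conf with a calendar trigger in the "when" field (for example `@0101T`, every 1 January) rather than only on size.

```python
import re
from datetime import date, timedelta

# Constructed sample log (not the poster's real auth.log): written in order
# between Aug 2007 and Aug 2009, with no year in the timestamps, exactly as
# FreeBSD syslogd writes them.  Only the first two lines are BAD SU events,
# and both are from 2007.
SAMPLE_LOG = """\
Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
Dec 12 01:00:00 zmx1 sshd[1001]: Accepted publickey for kurt from 10.0.0.5 port 50001 ssh2
Mar  3 14:10:00 zmx1 su: kurt to root on /dev/ttyp1
Jul  4 09:00:00 zmx1 sshd[1002]: Accepted publickey for kurt from 10.0.0.5 port 50002 ssh2
Nov 20 18:30:00 zmx1 sshd[1003]: Accepted publickey for kurt from 10.0.0.5 port 50003 ssh2
Jan 15 08:00:00 zmx1 sshd[1004]: Accepted publickey for kurt from 10.0.0.5 port 50004 ssh2
Aug 30 11:11:11 zmx1 sshd[1005]: Accepted publickey for kurt from 10.0.0.5 port 50005 ssh2
"""

MONTH_ABBR = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTH_NUM = {m: i + 1 for i, m in enumerate(MONTH_ABBR)}
# syslog prefix "Mmm dd HH:MM:SS host ...": the day is space-padded (%e).
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) ")


def yesterday_stamp(today):
    """'%b %e' for the day before `today`, the same string BSD
    `date -v-1d "+%b %e"` yields, e.g. 'Aug 30' or 'Mar  3'."""
    y = today - timedelta(days=1)
    return "%s %2d" % (MONTH_ABBR[y.month - 1], y.day)


def naive_report(log, today, pattern="BAD SU"):
    """The year-blind check: prefix-match yesterday's '%b %e' against every
    line in the file.  Any same-calendar-day line from an earlier year
    matches too, which is the oddity reported in the thread."""
    stamp = yesterday_stamp(today)
    return [l for l in log.splitlines() if l.startswith(stamp) and pattern in l]


def assign_years(log, last_written):
    """Give each year-less syslog line a full date.

    Assumptions (the example's, not the thread's): lines are in write
    order, and the final line was written on or before `last_written`
    (the file's mtime, or the run date for the live file).  Walking
    backwards, a line whose month/day is later than the line after it
    must belong to the previous year, so the year is decremented there.
    Limit: a silent stretch spanning a whole year leaves no boundary and
    cannot be detected, which is why yearly rotation is still the fix."""
    year = last_written.year
    prev = (last_written.month, last_written.day)
    dated = []
    for line in reversed(log.splitlines()):
        m = STAMP.match(line)
        if not m:
            continue  # continuation or non-syslog line: no timestamp
        mon, day = MONTH_NUM[m.group(1)], int(m.group(2))
        if (mon, day) > prev:
            year -= 1
        prev = (mon, day)
        try:
            when = date(year, mon, day)
        except ValueError:
            continue  # e.g. Feb 29 landed in a non-leap year by a bad guess
        dated.append((when, line))
    dated.reverse()
    return dated


def dated_report(log, today, pattern="BAD SU"):
    """The same check on lines carrying inferred full dates."""
    target = today - timedelta(days=1)
    return [l for when, l in assign_years(log, today)
            if when == target and pattern in l]


def demo(today_iso="2009-08-31"):
    """Run both checks for one run date; returns plain values."""
    today = date.fromisoformat(today_iso)
    return {
        "stamp": yesterday_stamp(today),
        "naive": naive_report(SAMPLE_LOG, today),
        "dated": dated_report(SAMPLE_LOG, today),
        "years": [w.year for w, _ in assign_years(SAMPLE_LOG, today)],
    }


if __name__ == "__main__":
    r = demo()
    print("yesterday =", repr(r["stamp"]))
    print("year-blind matches:", *r["naive"], sep="\n  ")
    print("year-aware matches:", r["dated"] or "none")
    print("inferred years:", r["years"])
```

Run as-is it reports the two 2007 "BAD SU" lines under the year-blind check and none under the year-aware one. Point `assign_years` at a real file by passing its text and `date.fromtimestamp(os.stat(path).st_mtime).date()` as `last_written`; rotated `.bz2` archives need the same treatment with their own mtimes, since each starts a fresh, year-less sequence.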