Date:      Wed, 2 Sep 2009 12:03:01 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Kurt Buff <kurt.buff@gmail.com>
Cc:        Mark Stapper <stark@mapper.nl>, freebsd-questions@freebsd.org
Subject:   Re: Daily security report oddity...
Message-ID:  <20090902170301.GE2855@dan.emsphone.com>
In-Reply-To: <a9f4a3860909020954w710734a0id653adee080bc9d0@mail.gmail.com>
References:  <a9f4a3860909011556m4ceafe2drf93460842a64e99a@mail.gmail.com> <4A9E1D63.8030101@mapper.nl> <a9f4a3860909020954w710734a0id653adee080bc9d0@mail.gmail.com>

In the last episode (Sep 02), Kurt Buff said:
> On Wed, Sep 2, 2009 at 00:23, Mark Stapper <stark@mapper.nl> wrote:
> > Kurt Buff wrote:
> >> I traced it down, and found out that he had not logged in on Sunday.
> >> The auth.log is, as you can see from the listing below, quite old. The
> >> entries referenced above are from two years ago.
> >>
> >>       zmx1# ll /var/log/a*
> >>       -rw-------  1 root  wheel  71845 Sep  1 15:42 /var/log/auth.log
> >>       -rw-------  1 root  wheel   6087 Aug 29  2007 /var/log/auth.log.0.bz2
> >>       -rw-------  1 root  wheel   5774 Aug 12  2007 /var/log/auth.log.1.bz2
> >>       -rw-------  1 root  wheel   5795 Jul 24  2007 /var/log/auth.log.2.bz2
> >>       -rw-------  1 root  wheel   6813 Jul  6  2007 /var/log/auth.log.3.bz2
> >>
> >> So, a couple of questions:
> >>
> >> Why would the daily security run pick up something from *two years ago*
> >> and only report it again today?  The machine hasn't been rebooted in a
> >> very long time, if that makes a difference.
> >>
> >> Is there any way to prevent something like this happening again - or
> >> perhaps can I force the entry of the year into the date field for the
> >> auth.log entries?
> >
> > If you look at the syntax of the logfile, you will see no year is
> > listed.  Most likely the whole file is parsed on security run.  Since
> > the logfile has been rotated the 30th of august 2007, it's very much
> > possible you'll get all your messages all over again.  Perhaps it's wise
> > to rotate your logfiles once a year just in case...  And it makes no
> > difference that the machine hasn't been rebooted in a very long time...
> > (define "very long time" ;-) http://uptimes-project.org/hosts/view/150 )
> 
> Heh. Well, for me a very long time is more than a year, because
> security patches for the OS will at some point mandate a reboot - and
> usually in less than a year.
> 
> I suppose there's a way to do auth log rotation automagically - would
> that be sysutils/logrotate?

The system already rotates auth.log.  Just edit /etc/newsyslog.conf and add
a date check to the line for auth.log.  The default is to roll it when it
hits 100KB, but if you add something like $M1D0 to the "when" column it'll
rotate it monthly as well.

-- 
	Dan Nelson
	dnelson@allantgroup.com