From owner-freebsd-bugs Sun Dec 10 2:50: 5 2000
From owner-freebsd-bugs@FreeBSD.ORG Sun Dec 10 02:50:02 2000
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 09ACF37B401 for ; Sun, 10 Dec 2000 02:50:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id eBAAo2g84530; Sun, 10 Dec 2000 02:50:02 -0800 (PST) (envelope-from gnats)
Resent-Date: Sun, 10 Dec 2000 02:50:02 -0800 (PST)
Resent-Message-Id: <200012101050.eBAAo2g84530@freefall.freebsd.org>
Resent-From: gnats-admin@FreeBSD.org (GNATS Management)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: gnats-admin@FreeBSD.org, phk@critter.freebsd.dk
Received: from critter.freebsd.dk (flutter.freebsd.dk [212.242.40.147]) by hub.freebsd.org (Postfix) with ESMTP id 7DAAD37B400 for ; Sun, 10 Dec 2000 02:48:31 -0800 (PST)
Received: (from phk@localhost) by critter.freebsd.dk (8.11.1/8.11.1) id eBAAmUP97063; Sun, 10 Dec 2000 11:48:30 +0100 (CET) (envelope-from phk)
Message-Id: <200012101048.eBAAmUP97063@critter.freebsd.dk>
Date: Sun, 10 Dec 2000 11:48:30 +0100 (CET)
From: Poul-Henning Kamp
Reply-To: phk@critter.freebsd.dk
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/23415: /etc/security fails to show all relevant messages.
Resent-Sender: gnats@FreeBSD.org
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         23415
>Category:       bin
>Synopsis:       /etc/security fails to show all relevant messages.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 10 02:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Poul-Henning Kamp
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
P. E. Mønsted, the frigate Jylland as a child.
>Environment:
System: FreeBSD critter.freebsd.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Fri Dec 1 17:26:14 CET 2000 root@critter.freebsd.dk:/freebsd/src/sys/compile/FLUTTER i386
>Description:
/etc/security will examine only the current /var/log/messages and /var/log/messages.0 (with and without .gz suffix) for log messages relevant for yesterday.

/etc/newsyslog.conf specifies that the messages file is rotated once per day *or* when the size exceeds 100kB.

If you are under attack, you are quite likely to have your messages rotated due to the size criteria and the next run of /etc/security will only report on a fraction of the reality.
>How-To-Repeat:
Piss off a script kiddie, notice that /etc/security doesn't show the full magnitude of his lameness.
>Fix:
I think the catmsgs() function:

	catmsgs() {
		[ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
		[ -f $LOG/messages.0 ] && cat $LOG/messages.0
		[ -f $LOG/messages ] && cat $LOG/messages
	}

maybe should do something like:

	catmsgs() {
		find $LOG/ -name 'messages.*' -mtime -2 -print | sort -r | xargs zcat -f
		[ -f $LOG/messages ] && cat $LOG/messages
	}

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
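The gap the PR describes, reproduced against a constructed log directory and compared with a rotation-aware catmsgs(). This is an added example, not code from the PR or from FreeBSD's /etc/security. Everything about the data is assumed for the demo: a temporary directory standing in for /var/log, eleven size-triggered rotations in one day, one constructed syslog-style line per file with host name "host" and made-up PIDs. The two-day window follows the PR's -mtime -2 suggestion; the one thing the example adds beyond the PR's sketch is that the rotation index is sorted numerically, which matters once more than ten rotations have happened in the window.

```shell
#!/bin/sh
# Added example: not code from the PR or from FreeBSD's /etc/security.
# Reproduces the reported gap with a constructed log directory: newsyslog
# rotated messages eleven times yesterday on the 100kB size criterion, so
# yesterday's records sit in messages.11 .. messages.0, while the original
# catmsgs() reads only messages.0 and the live file.

LOG=$(mktemp -d)                 # stands in for /var/log (demo assumption)
trap 'rm -rf "$LOG"' EXIT

# Same logic as the catmsgs() quoted from /etc/security in the PR, written
# with if/fi so a missing file never yields a non-zero status.
catmsgs_old() {
	if [ -f "$LOG/messages.0.gz" ]; then zcat "$LOG/messages.0.gz"; fi
	if [ -f "$LOG/messages.0" ]; then cat "$LOG/messages.0"; fi
	if [ -f "$LOG/messages" ]; then cat "$LOG/messages"; fi
	return 0
}

# Rotation-aware version along the lines the PR suggests: every
# messages.N[.gz] modified within the last two days, oldest rotation first,
# then the live file.  The rotation index is sorted numerically, so
# messages.10 is emitted before messages.9; a plain 'sort -r' on the file
# names would place it between messages.2 and messages.1.
catmsgs_new() {
	find "$LOG" -maxdepth 1 -type f -name 'messages.[0-9]*' -mtime -2 \
	| sed 's/.*messages\.\([0-9][0-9]*\).*/\1/' \
	| sort -nru \
	| while read -r n; do
		if [ -f "$LOG/messages.$n.gz" ]; then zcat "$LOG/messages.$n.gz"; fi
		if [ -f "$LOG/messages.$n" ]; then cat "$LOG/messages.$n"; fi
	done
	if [ -f "$LOG/messages" ]; then cat "$LOG/messages"; fi
	return 0
}

# Constructed sample data: one syslog-style line per rotation, stamped so
# that lower indexes are later in the day, as newsyslog numbers them.
# Rotated files are gzip'ed when gzip is available, as newsyslog would;
# otherwise they stay uncompressed, which both functions also handle.
n=11
while [ "$n" -ge 0 ]; do
	hh=$(printf '%02d' $((22 - n)))
	printf 'Dec  9 %s:00:01 host sshd[100]: constructed entry, rotation %s\n' \
		"$hh" "$n" > "$LOG/messages.$n"
	if command -v gzip >/dev/null 2>&1; then gzip "$LOG/messages.$n"; fi
	n=$((n - 1))
done
printf 'Dec 10 00:30:12 host sshd[101]: constructed entry, live file\n' \
	> "$LOG/messages"

# How many of yesterday's records each version hands to /etc/security.
lines_old() { catmsgs_old | wc -l | tr -d ' '; }
lines_new() { catmsgs_new | wc -l | tr -d ' '; }

# Rotation index named on line k of the rotation-aware output (to check the
# chronological order); the live line carries no index and comes back as-is.
nth_rotation() { catmsgs_new | sed -n "${1}p" | sed 's/.*rotation //'; }

echo "original catmsgs():   $(lines_old) line(s)"   # 2
echo "rotation-aware:       $(lines_new) line(s)"   # 13
```

Run it with sh. The original function reports two lines (messages.0 plus the live file) where thirteen exist for the period, which is the "fraction of the reality" the PR complains about. The -mtime window is the PR's heuristic, not a date check: it keeps whatever was rotated in the last two days rather than parsing the timestamps, so on a quiet machine it may also pull in the day before yesterday.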