Date: Sun, 16 May 2004 22:53:46 -0700 (PDT) From: Mark Steven Baker <msbaker@cs.uoregon.edu> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/66726: /etc/periodic/security/ 800.loginfail script reports failed logins from previous year Message-ID: <200405170553.i4H5rkCV066522@www.freebsd.org> Resent-Message-ID: <200405170600.i4H60eCm015182@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 66726 >Category: misc >Synopsis: /etc/periodic/security/ 800.loginfail script reports failed logins from previous year >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun May 16 23:00:39 PDT 2004 >Closed-Date: >Last-Modified: >Originator: Mark Steven Baker >Release: 4.8 Release >Organization: >Environment: FreeBSD xxxxx 4.8-RELEASE FreeBSD 4.8-RELEASE >Description: The 800.loginfail script in /etc/periodic/security that normally runs via cron every night is supposed to report login failures from /var/log/auth.log for the previous day and email this to root as part of the daily security report. If a single auth.log file exists on a system with a year of syslog data, the current script will report failed login errors from the previous date one year earlier as well. >How-To-Repeat: Edit the /var/log/auth.log file, creating some bogus login failures for one year earlier than the previous day. Then manually run the /etc/periodic/security/800.loginfail script and see that these year-old login failures are reported. >Fix: I had some trouble understanding the catmsg function in 800.loginfail, so I can't suggest a fix. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200405170553.i4H5rkCV066522>