From owner-freebsd-security@FreeBSD.ORG Sun Feb 19 16:50:28 2012
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B43B01065674 for ; Sun, 19 Feb 2012 16:50:28 +0000 (UTC) (envelope-from lists@mschuette.name)
Received: from mail.mschuette.name (lisa.mschuette.name [IPv6:2a01:4f8:d13:4d41::3deb:2d1b]) by mx1.freebsd.org (Postfix) with ESMTP id 42BE78FC0C for ; Sun, 19 Feb 2012 16:50:28 +0000 (UTC)
Received: from lisa.mschuette.name (localhost [127.0.0.1]) by mail.mschuette.name (Postfix) with ESMTP id 876AF12542A for ; Sun, 19 Feb 2012 17:50:26 +0100 (CET)
Received: from mail.mschuette.name ([127.0.0.1]) by lisa.mschuette.name (mail.mschuette.name [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3_AiL8-sHKLa for ; Sun, 19 Feb 2012 17:50:25 +0100 (CET)
Received: from [192.168.2.198] (dslb-088-072-223-147.pools.arcor-ip.net [88.72.223.147]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "Martin Schuette", Issuer "AStA-CA" (not verified)) (Authenticated sender: mschuett) by mail.mschuette.name (Postfix) with ESMTPSA for ; Sun, 19 Feb 2012 17:50:25 +0100 (CET)
Message-ID: <4F412850.3020705@mschuette.name>
Date: Sun, 19 Feb 2012 17:50:24 +0100
From: Martin Schütte
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <20120217120034.201EB106574C@hub.freebsd.org> <20120217152400.261AC106564A@hub.freebsd.org> <20120217194851.D76DE1065670@hub.freebsd.org>
In-Reply-To: <20120217194851.D76DE1065670@hub.freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Subject: Re: periodic security run output gives false positives after 1 year
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 19 Feb 2012 16:50:28 -0000

On 17.02.2012 20:48, Roger Marquis wrote:
> and difficult to change without breaking more than it fixes. The current
> syslog syntax timestamp has been reliable now for what, 25+ years? I
> don't personally see any measurable ROI from changing it. YMMV of
> course.

I really understand the concern, but some requirements do change over time. Staying at the lowest common denominator for 25+ years may indicate robustness, but it may also indicate obsolescence.

I would like to ask a different question: what is our target? What kind of logging infrastructure should a current operating system provide? And how can we move forward toward that?

YMMV, but for me this target includes ISO timestamps, TLS network transport, UTF-8 support, and more structured messages. The IETF protocols are part of the solution; traditional BSD syslog is not enough.

A few more thoughts for the discussion:

- With ISO dates it is easy to pipe logs through a timestamp-rewriting Perl script for older analysis tools. And some tools already support ISO dates (for example the latest version of pflogsumm).

- Similar compatibility questions arise with UTF-8 data in logs. syslogd(8) writes ASCII-only logs to ensure wide compatibility.

- Some admins (including myself) have already moved to syslog-ng for these two reasons: TLS transport and ISO timestamps.

- Regarding timestamps: I guess everyone with a long-term log archive already has some year/month scheme, so IMHO the year is only a nice bonus rather than a big feature. -- Bigger benefits are sub-second resolution and timezone information (because with daylight saving time even a standalone system spans two timezones).

- In principle the NetBSD-current syslogd(8) even supports a per-target configuration of old/new log format. But IIRC this is not enabled, because such a flag would add more clutter to the syslog.conf(5) syntax.
-- Martin Schütte
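The timestamp-rewriting filter mentioned in the message above, written out as an added example (Python rather than Perl; this is not the author's script and not part of the original mail). It converts RFC 5424 lines, whose ISO 8601 timestamps carry sub-second precision and a UTC offset, into the traditional "Mmm dd hh:mm:ss" file format that older analysis tools expect, and passes old-style lines through untouched. The sample log lines are constructed for the example; the first two are placed on either side of the 2012 CET-to-CEST switch to show why the offset matters: with the offsets honoured and everything normalised to UTC they are under a second apart, whereas the bare wall-clock values would suggest a one-hour gap.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (not from the original mail). Three RFC 5424
# lines with ISO 8601 timestamps -- the first two straddle the 2012 CET->CEST
# change, so their UTC offsets differ -- and one traditional BSD line.
SAMPLE_LINES = [
    "<34>1 2012-03-25T01:59:59.500+01:00 lisa sshd 1234 - - Accepted publickey for martin",
    "<34>1 2012-03-25T03:00:00.250+02:00 lisa sshd 1234 - - Connection closed",
    "<13>1 2012-02-19T17:50:24Z lisa postfix/smtpd 777 - - connect from localhost[127.0.0.1]",
    "Feb 19 17:50:24 lisa syslogd: restart",
]

# RFC 5424 header: [<PRI>]VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# Structured data is "-" or one or more bracketed elements.
RFC5424_RE = re.compile(
    r"^(?:<\d{1,3}>)?1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

# Fixed English month names, independent of the process locale.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def parse_iso_timestamp(ts: str) -> datetime:
    """Parse an RFC 5424 TIMESTAMP (ISO 8601 with offset or 'Z') into an
    aware datetime. datetime.fromisoformat() only accepts 'Z' from
    Python 3.11 on, so normalise it first."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone offset: {ts}")
    return dt


def bsd_timestamp(dt: datetime) -> str:
    """Format as the traditional 'Mmm dd hh:mm:ss' (day space-padded),
    dropping sub-second precision and zone information."""
    return f"{MONTHS[dt.month - 1]} {dt.day:2d} {dt:%H:%M:%S}"


def rewrite_line(line: str, to_utc: bool = True) -> str:
    """Rewrite one RFC 5424 line into RFC 3164 file format. Lines that do
    not parse as RFC 5424 (e.g. already old-style) pass through unchanged.
    With to_utc=True every timestamp is converted to UTC first, so lines
    written on either side of a DST change keep their true order."""
    m = RFC5424_RE.match(line)
    if not m:
        return line
    dt = parse_iso_timestamp(m["ts"])
    if to_utc:
        dt = dt.astimezone(timezone.utc)
    tag = m["app"] if m["pid"] == "-" else f"{m['app']}[{m['pid']}]"
    msg = m["msg"] or ""
    return f"{bsd_timestamp(dt)} {m['host']} {tag}: {msg}"


def rewrite_stream(lines, to_utc: bool = True):
    """Rewrite an iterable of lines; usable as a pipe filter."""
    return [rewrite_line(line.rstrip("\n"), to_utc) for line in lines]


if __name__ == "__main__":
    import sys
    # Filter stdin when piped (e.g. `cat maillog | python rewrite.py | pflogsumm`),
    # otherwise run on the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for out in rewrite_stream(source):
        print(out)
```

Normalising to UTC is the deliberate choice here: the old format has no room for an offset, so whatever zone you pick must be applied consistently, and UTC is the only one that does not fold the DST hour. Pass `to_utc=False` if the downstream tool is expected to see local wall-clock time, accepting that the hour around the switch becomes ambiguous.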