From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 16 Feb 2012 18:59:54 +0100
To: Glen Barber
Cc: freebsd-security@freebsd.org
Subject: Re: periodic security run output gives false positives after 1 year

Glen Barber wrote:
> On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
>> Hi,
>>
>> I have seen it many times before, but never took the time to post about it.
>>
>> Scripts in /etc/periodic are grepping logs for yesterday's date, but
>> without specifying the year (because some logs do not have the year logged).
>>
>> This results in false positive alerts in security e-mails from our
>> lightly loaded servers, where logs are not rotated often enough.
>>
>> For example, /var/log/auth.log is 62KB (838 lines) and contains entries
>> for almost 2 years.
>>
>> Today I got the following alert:
>>
>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>
>> (hostname and IP are replaced by X)
>>
>> But looking into auth.log I found zero entries from yesterday - the Feb 15
>> entries were logged 1 year ago!
>>
>> So I propose to set all daemons / syslog to log the year too (as %Y) and
>> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
>> in the periodic scripts.
>>
>> The affected scripts are:
>> 460.status-mail-rejects
>> 470.status-named
>> 800.loginfail
>> 900.tcpwrap
>>
>> Maybe some others; I just did a quick grep -rsn 'date -v-1d' /etc/periodic
>> and I don't know the logic used in the other scripts to get yesterday's
>> messages.
>>
>> What do you think about it?
>>
>
> Rotating the appropriate logs daily/weekly/monthly/whatever will silence
> these false alarms.

My post was not about "how can I fix it locally", but about what should be done
in the FreeBSD distribution, because these false alerts were produced by the
default FreeBSD configuration (a coincidence of newsyslog settings, periodic
scripts and log format).

Miroslav Lachman
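The mismatch discussed in this thread, as an added shell example that is not part of the original mail or of FreeBSD's periodic scripts: a constructed auth.log in an assumed year-bearing timestamp format ("%b %e %Y %H:%M:%S host ..."), where the month-and-day pattern the periodic scripts use also matches last year's lines, while a pattern that includes the year (as the proposal suggests) does not. The fixed "yesterday" value of 2012-02-15 and the 192.0.2.x addresses are assumptions so the example does not depend on the current date or on BSD date(1).

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log (not real data). The two "Feb 15 2011"
# lines are stale; only the "Feb 15 2012" line is from "yesterday".
# Assumed format: "%b %e %Y %H:%M:%S host ..." (FreeBSD's default has no year).
AUTHLOG=$(mktemp)
trap 'rm -f "$AUTHLOG"' EXIT
cat > "$AUTHLOG" <<'EOF'
Feb 15 2011 22:36:03 XXX sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 2011 22:50:56 XXX sshd[89850]: Invalid user medina from 192.0.2.10
Jan 10 2012 03:12:44 XXX sshd[1200]: Invalid user admin from 192.0.2.11
Feb 15 2012 09:01:17 XXX sshd[1311]: Invalid user backup from 192.0.2.12
Feb 16 2012 01:45:00 XXX sshd[1402]: Accepted publickey for ops from 192.0.2.13
EOF

# The periodic scripts build this with `date -v-1d "+%b %e "` (no year) and
# the proposal with `date -v-1d "+%b %e %Y"`; both are hard-coded here.
yesterday_noyear="Feb 15 "
yesterday_year="Feb 15 2012"

count_naive() {
    # Month-and-day match only: every "Feb 15" of every year is reported,
    # which is exactly how last year's login failures end up in today's mail.
    grep -c "^${yesterday_noyear}.*Invalid user" "$AUTHLOG"
}

count_year_aware() {
    # Year included in both the log line and the pattern: only yesterday's
    # failures are reported, no matter how long the log has gone unrotated.
    grep -c "^${yesterday_year} .*Invalid user" "$AUTHLOG"
}

count_stale_matches() {
    # Lines the naive pattern would report that are not from yesterday:
    # the false positives the thread describes.
    grep "^${yesterday_noyear}.*Invalid user" "$AUTHLOG" | grep -vc "^${yesterday_year} "
}

echo "naive matches:       $(count_naive)"        # 3
echo "year-aware matches:  $(count_year_aware)"   # 1
echo "stale (false) hits:  $(count_stale_matches)" # 2
```

Rotating the log (Glen's suggestion) removes the stale lines themselves; including the year (Miroslav's proposal) makes the match correct even when rotation lags.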