Date:      Wed, 20 Dec 2006 14:08:35 GMT
From:      Edward Speyer <edward.aepeek@tropic.org.uk>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/106978: "daily run" incorrectly assumes auth.log is rolled more than once a year!
Message-ID:  <200612201408.kBKE8ZxY038794@www.freebsd.org>
Resent-Message-ID: <200612201410.kBKEAJ8k005030@freefall.freebsd.org>


>Number:         106978
>Category:       misc
>Synopsis:       "daily run" incorrectly assumes auth.log is rolled more than once a year!
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 20 14:10:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Edward Speyer
>Release:        5.4-RELEASE
>Organization:
Qube Software Ltd
>Environment:
FreeBSD ** 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May  8 10:21:06 UTC 2005     root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
I got a warning today ("Dec 20", 2006) about someone trying to break into my system on "Dec 19".  I was very confused by this until I realised that the log lines in question were from "Dec 19" 2005, not "Dec 19" 2006.

I'm guessing the problem here is that the log checkers don't account for the fact that logs don't necessarily roll more than once a year.  My auth.log happens to be less than the default rolling size (100k: newsyslog.conf) because this machine is a stable webserver.

I only mention this bug because it's rather bad practice to give admins these false alarms!  Especially with stuff from auth.log!
>How-To-Repeat:

>Fix:
Log checkers need to be cleverer about remembering which log lines they've seen before...

..or syslog should include the year in date stamps!
>Release-Note:
>Audit-Trail:
>Unformatted:
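
Added example, not part of the original report and not FreeBSD's own periodic code: one way a log checker can tell "Dec 19" 2005 from "Dec 19" 2006 when syslog stamps carry no year. It assumes lines are in chronological order and none is newer than a reference time such as the file's mtime; the function names and sample lines are constructed for illustration, and naive_match is an assumed stand-in for a yearless date match.

```python
from datetime import date, datetime

FMT = "%Y %b %d %H:%M:%S"

def _parse(stamp, year):
    """Parse a yearless syslog stamp ("Dec 19 03:12:44") as if in `year`."""
    try:
        return datetime.strptime(f"{year} {stamp}", FMT)
    except ValueError:  # not a timestamp, or Feb 29 in a non-leap year
        return None

def infer_years(lines, reference):
    """Walk the log newest-first and attach a full datetime to each line.

    A stamp that would land after the line following it cannot be from
    the same year, so the year is stepped back until it fits.
    """
    dated, upper = [], reference
    for line in reversed(lines):
        stamp = line[:15]
        if _parse(stamp, 2000) is None:  # 2000 is a leap year: validity check only
            continue
        for year in range(upper.year, upper.year - 9, -1):
            ts = _parse(stamp, year)
            if ts is not None and ts <= upper:
                dated.append((ts, line))
                upper = ts
                break
    dated.reverse()
    return dated

def naive_match(lines, day):
    """Yearless prefix match on month and space-padded day only."""
    prefix = f"{day.strftime('%b')} {day.day:2d} "
    return [l for l in lines if l.startswith(prefix)]

def year_aware_match(lines, day, reference):
    """Return only the lines whose inferred full date equals `day`."""
    return [l for ts, l in infer_years(lines, reference) if ts.date() == day]

# Constructed auth.log: the first two lines were written in December 2005.
SAMPLE = [
    "Dec 19 03:12:44 web sshd[411]: Failed password for root from 192.0.2.10",
    "Dec 19 03:12:49 web sshd[411]: Failed password for root from 192.0.2.10",
    "Mar  3 09:00:01 web su: alice to root on /dev/ttyp0",
    "Dec 18 22:10:00 web sshd[900]: Accepted publickey for alice from 192.0.2.20",
    "Dec 20 01:00:00 web login: ROOT LOGIN (root) ON ttyv0",
]
```

The inference only works when a later line sorts earlier in the calendar than the one before it; a log with no entries at all between "Dec 19" of one year and "Dec 20" of the next stays ambiguous, which is why a year in the timestamp is the more robust fix.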


