Date: Wed, 20 Dec 2006 14:08:35 GMT
From: Edward Speyer
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/106978: "daily run" incorrectly assumes auth.log is rolled more than once a year!

>Number:         106978
>Category:       misc
>Synopsis:       "daily run" incorrectly assumes auth.log is rolled more than once a year!
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 20 14:10:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Edward Speyer
>Release:        5.4-RELEASE
>Organization:
Qube Software Ltd
>Environment:
FreeBSD ** 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
I got a warning today ("Dec 20", 2006) about someone trying to break into my system on "Dec 19". I was very confused by this until I realised that the log lines in question were from "Dec 19" 2005, not "Dec 19" 2006.

I'm guessing the problem here is that the log checkers don't account for the fact that logs don't necessarily roll more than once a year. My auth.log happens to be less than the default rolling size (100k: newsyslog.conf) because this machine is a stable webserver.

I only mention this bug because it's rather bad practice to give admins these false alarms! Especially with stuff from auth.log!
>How-To-Repeat:
>Fix:
Log checkers need to be cleverer about remembering which log lines they've seen before...

..or syslog should include the year in date stamps!
>Release-Note:
>Audit-Trail:
>Unformatted:
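
One way a log checker could avoid the false alarm described in this report, as an added example that is not part of the original report and not FreeBSD's own periodic code: it infers the missing year by walking the file backwards from its last write time, then matches on the full date instead of the "Mon DD" prefix. The log lines, host name, addresses and function names are constructed for illustration, and using the file's mtime as the reference point is an assumption.

```python
from datetime import datetime, date

# Constructed auth.log excerpt: the first line is a year older than the rest.
SAMPLE = [
    "Dec 19 03:12:44 web sshd[411]: Failed password for root from 192.0.2.7 port 4022 ssh2",
    "Mar  2 11:05:10 web sshd[9120]: Accepted publickey for admin from 198.51.100.4 port 50112 ssh2",
    "Dec 18 22:40:01 web su: admin to root on /dev/ttyp0",
    "Dec 20 09:00:00 web sshd[733]: Accepted publickey for admin from 198.51.100.4 port 50200 ssh2",
]
LAST_WRITE = datetime(2006, 12, 20, 14, 0, 0)  # assumed mtime of the log file
YESTERDAY = date(2006, 12, 19)                 # the day the daily run reports on

def assign_years(lines, last_write):
    """Return [(datetime, line)], oldest first, with the year inferred.

    Assumes lines are in chronological order, the newest is no later than
    last_write, and no two consecutive lines are more than a year apart.
    """
    out, year = [], last_write.year
    newer = (last_write.month, last_write.day, last_write.time())
    for line in reversed(lines):
        # Parse against a leap year so that "Feb 29" is accepted.
        ts = datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")
        key = (ts.month, ts.day, ts.time())
        if key > newer:      # calendar position jumps forward going back in
            year -= 1        # the file: a New Year lies between the two lines
        while True:
            try:
                out.append((ts.replace(year=year), line))
                break
            except ValueError:  # Feb 29 only exists in leap years
                year -= 1
        newer = key
    return out[::-1]

def naive_match(lines, day):
    # Year-blind check: match on the "Mon DD" prefix only.
    return [l for l in lines if l.startswith(f"{day:%b} {day.day:2d} ")]

def dated_match(lines, day, last_write):
    # Year-aware check: compare the full inferred date.
    return [l for ts, l in assign_years(lines, last_write) if ts.date() == day]

if __name__ == "__main__":
    print("naive:", naive_match(SAMPLE, YESTERDAY))
    print("dated:", dated_match(SAMPLE, YESTERDAY, LAST_WRITE))
```

The inference cannot detect a quiet period longer than a year between two consecutive lines; only a year in the timestamp itself removes that ambiguity.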