Date:      Thu, 23 Oct 2003 20:01:07 -0400
From:      Garance A Drosihn <drosih@rpi.edu>
To:        Brett Glass <brett@lariat.org>, security@freebsd.org
Subject:    Re: /var partition overflow (due to spyware?) in FreeBSD default  install
Message-ID:  <p0600201bbbbe19a62f97@[128.113.24.47]>
In-Reply-To: <6.0.0.22.2.20031023162326.04c1e008@localhost>
References:  <6.0.0.22.2.20031023162326.04c1e008@localhost>

At 4:41 PM -0600 10/23/03, Brett Glass wrote:
>
>FreeBSD currently comes configured, in the default install,
>to check /var/messages only once a day, and to rotate the
>log file if it's above a certain size.

My /etc/newsyslog.conf indicates that /var/log/messages
should be rotated whenever it gets over 100K.

>I've temporarily changed /etc/crontab so that newsyslog is
>run every 5 minutes instead of once a day (which may be a
>good idea to prevent other denials of service via this sort
>of overflow as well).

On both my 4.x and 5.x systems, /etc/crontab will run
newsyslog once per hour.  I'm pretty sure that at least some
of the code in newsyslog assumes that the program is run only
once per hour.  Running it more frequently than that may
cause some problems.

I'm sure that /var can fill up even if /var/log/messages is
rotated every hour, if the error messages are coming in fast
enough.  But the file should be getting rotated once per hour
in the default install, not once per day.

I do not think that the correct solution is to rotate the
files at an even faster rate.  Just how large is /var on the
machine where you're seeing this problem?

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
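
The point above, that /var can still fill between hourly newsyslog runs if messages arrive fast enough, worked through as an added example (not part of the original message or of FreeBSD). The sample newsyslog.conf lines, the 2000 bytes/s message rate and the function names are constructed assumptions. The bound ignores compression of archived logs and assumes a constant write rate.

```python
# Added example: upper bound on disk used by one log under newsyslog rotation.
# SAMPLE_CONF is constructed for illustration, not copied from a real system.
SAMPLE_CONF = """\
# logfilename        [owner:group]  mode count size when flags
/var/log/messages                   644  5     100  *    Z
/var/log/maillog     root:wheel     640  7     *    @T00 Z
"""


def parse_newsyslog(text):
    """Return {logfile: (count, size_limit_bytes or None)}."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # owner:group is optional; the mode field is always octal digits.
        if len(fields) > 1 and not fields[1].isdigit():
            fields.pop(1)
        if len(fields) < 5:
            continue  # malformed entry, skip it
        count, size = int(fields[2]), fields[3]
        # The size field is in kilobytes; "*" means no size trigger.
        limit = None if size == "*" else int(size) * 1024
        entries[fields[0]] = (count, limit)
    return entries


def worst_case_bytes(entry, rate_bps, interval_s):
    """Upper bound on bytes held by the live log plus its archives.

    newsyslog only checks the size when cron runs it, so a file just
    under the limit at one run keeps growing for a full interval.
    """
    count, limit = entry
    if limit is None:
        return None  # rotation is not size-driven for this entry
    per_file = limit + rate_bps * interval_s
    return (count + 1) * per_file


if __name__ == "__main__":
    conf = parse_newsyslog(SAMPLE_CONF)
    # Hourly cron run (3600 s), assumed flood of 2000 bytes/s.
    bound = worst_case_bytes(conf["/var/log/messages"], 2000, 3600)
    print("worst case for /var/log/messages: %d bytes" % bound)
```

Compare the result with the free space on /var to see whether the configured size limit and run interval leave enough headroom for a given message rate.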


