From: Garance A Drosihn <drosih@rpi.edu>
To: Brett Glass, security@freebsd.org
Date: Thu, 23 Oct 2003 20:01:07 -0400
In-Reply-To: <6.0.0.22.2.20031023162326.04c1e008@localhost>
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

At 4:41 PM -0600 10/23/03, Brett Glass wrote:
>
> FreeBSD currently comes configured, in the default install,
> to check /var/messages only once a day, and to rotate the
> log file if it's above a certain size.

My /etc/newsyslog.conf indicates that /var/log/messages should be
rotated whenever it gets over 100K.

> I've temporarily changed /etc/crontab so that newsyslog is
> run every 5 minutes instead of once a day (which may be a
> good idea to prevent other denials of service via this sort
> of overflow as well).

On both my 4.x and 5.x systems, /etc/crontab will run newsyslog
once per hour.
I'm pretty sure that at least some of the code in newsyslog assumes
that the program is run only once per hour. Running it more
frequently than that may cause some problems.

I'm sure that /var can fill up even if /var/log/messages is rotated
every hour, if the error messages are coming in fast enough. But the
file should be getting rotated once per hour in the default install,
not once per day. I do not think that the correct solution is to
rotate the files at an even faster rate.

Just how large is /var on the machine where you're seeing this
problem?

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
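The two settings the reply compares (the size column for /var/log/messages in newsyslog.conf and how often /etc/crontab runs newsyslog) can be audited with a small POSIX sh script. This is an added example, not code from the thread or from FreeBSD; the file contents below are constructed samples and the function names are assumed.

```shell
#!/bin/sh
# Constructed sample of /etc/newsyslog.conf (not copied from a real host).
# Columns: logfilename [owner:group] mode count size when flags
NEWSYSLOG_CONF='# logfilename      [owner:group]  mode count size when  flags
/var/log/all.log                   600  7     *    @T00  J
/var/log/messages  root:wheel      644  5     100  *     J
/var/log/security                  600  10    100  *     JC'

# Constructed sample of /etc/crontab showing the hourly newsyslog run.
CRONTAB='#minute hour  mday  month  wday  who   command
0       *     *     *      *     root  newsyslog
1       3     *     *      *     root  periodic daily'

# Print the size column (KB, or "*" for no size limit) for one log file.
# The owner:group column is optional, so detect it before counting fields.
rotate_size_kb() {
    printf '%s\n' "$NEWSYSLOG_CONF" | awk -v target="$1" '
        $1 == target {
            i = 2
            if ($i ~ /:/) i++        # skip optional owner:group
            # $i = mode, $(i+1) = count, $(i+2) = size
            print $(i+2); exit
        }'
}

# Print how many minutes apart cron runs newsyslog, for common patterns:
# "*/N" in the minute field -> N; fixed minute with hour "*" -> 60;
# fixed minute and hour -> 1440 (once a day).
newsyslog_interval_min() {
    printf '%s\n' "$CRONTAB" | awk '
        /^#/ || NF < 7 { next }
        $7 == "newsyslog" {
            if ($1 ~ /^\*\/[0-9]+$/) { sub(/^\*\//, "", $1); print $1 }
            else if ($2 == "*")      { print 60 }
            else                     { print 1440 }
            exit
        }'
}

printf '/var/log/messages rotates above %s KB; newsyslog runs every %s min\n' \
    "$(rotate_size_kb /var/log/messages)" "$(newsyslog_interval_min)"
```

Point the two variables at the real files (e.g. `NEWSYSLOG_CONF=$(cat /etc/newsyslog.conf)`) to check a live system; a log that grows faster than its size threshold per interval will still fill /var, which is the point the reply makes.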