Date: Thu, 19 Jul 2007 13:30:26 GMT From: Gavin Atkinson <gavin@FreeBSD.org> To: freebsd-bugs@FreeBSD.org Subject: Re: conf/70715: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in) Message-ID: <200707191330.l6JDUPbE067865@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR conf/70715; it has been noted by GNATS. From: Gavin Atkinson <gavin@FreeBSD.org> To: bug-followup@FreeBSD.org Cc: Subject: Re: conf/70715: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in) Date: Thu, 19 Jul 2007 14:27:35 +0100 (BST) From PR conf/99844 (which confirms this is still an issue with 6.1): The problem is a combination of two facts: 1) According to default newsyslog.conf settings some log files are rotated only by size, on reaching 100K size limit. 2) syslogd has hard-coded format for writing date into log files. Year is not included and hence can't be written into logs. The problem appears when the log file grows slower then 100K per year. In this case it becomes hard (or even impossible) to distinguish records created on the same day but different years. One visible effect is 'false positives' of /etc/periodic/security/800.loginfail script, which analyses /var/log/auth.log file and may report about events happened one or more years ago while it's expected to report only 'yesterday' login failures as it's result is included in daily security reports. Fix: Variants are: a) to teach syslogd writing date in log files with year value b) rotate log files at least once a year despite of their sizes
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200707191330.l6JDUPbE067865>