From owner-freebsd-bugs@FreeBSD.ORG Thu Jul 19 13:30:26 2007
Date: Thu, 19 Jul 2007 13:30:26 GMT
Message-Id: <200707191330.l6JDUPbE067865@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Gavin Atkinson
Subject: Re: conf/70715: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)

The following reply was made to PR conf/70715; it has been noted by GNATS.

From: Gavin Atkinson
To: bug-followup@FreeBSD.org
Subject: Re: conf/70715: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)
Date: Thu, 19 Jul 2007 14:27:35 +0100 (BST)

From PR conf/99844 (which confirms this is still an issue with 6.1):

The problem is a combination of two facts:

1) According to the default newsyslog.conf settings, some log files are rotated only by size, on reaching the 100K size limit.

2) syslogd has a hard-coded format for writing the date into log files. The year is not included and hence can't be written into the logs.

The problem appears when the log file grows slower than 100K per year. In this case it becomes hard (or even impossible) to distinguish records created on the same day but in different years. One visible effect is 'false positives' from the /etc/periodic/security/800.loginfail script, which analyses the /var/log/auth.log file and may report events that happened one or more years ago, while it is expected to report only 'yesterday's' login failures, as its result is included in the daily security reports.

Fix: Variants are:

a) to teach syslogd to write the date in log files with the year value
b) rotate log files at least once a year regardless of their sizes
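An added illustration of the ambiguity described in the PR (not code from the PR, from syslogd or from FreeBSD's periodic scripts): a constructed, year-less auth.log that spans a year boundary without rotation, a 'yesterday' prefix match modelled on the 800.loginfail behaviour the PR describes (an assumption about that script, not its actual code), and one way a defender can recover years when reviewing such a file, by walking it backwards from the last entry and decrementing the year whenever the timestamp rolls back. The run date and the sample lines are constructed.

```python
import datetime as dt
import re

# Constructed sample of a year-less auth.log in file order; the first two
# entries are a year older than the rest, but the file was never rotated.
AUTH_LOG = """\
Jul 18 02:11:43 host sshd[1021]: Failed password for root from 10.0.0.5 port 4001 ssh2
Dec 30 23:59:01 host sshd[1102]: Failed password for admin from 10.0.0.9 port 4321 ssh2
Jan  3 08:15:22 host sshd[2210]: Accepted publickey for ops from 10.0.0.2 port 50022 ssh2
Jul 18 09:30:10 host sshd[3301]: Failed password for guest from 10.0.0.7 port 4100 ssh2
""".splitlines()
TODAY = dt.datetime(2007, 7, 19)  # assumed run date; also the year of the last entry

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) ")

def parse_stamp(line, year):
    """Parse the syslog 'Mon DD HH:MM:SS' prefix, attaching a caller-supplied year."""
    mon, day, hh, mm, ss = STAMP.match(line).groups()
    return dt.datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))

def assign_years(lines, last_year):
    """Walk the file backwards from its last entry (assumed in last_year);
    an earlier line stamped later than its successor means a year boundary
    was crossed. A gap of a full year without entries stays undetectable,
    and a Feb 29 entry would need the candidate year to be a leap year."""
    year, later, out = last_year, None, []
    for line in reversed(lines):
        stamp = parse_stamp(line, year)
        if later is not None and stamp > later:
            year -= 1
            stamp = stamp.replace(year=year)
        out.append((stamp, line))
        later = stamp
    return out[::-1]

def yesterday_failures_naive(lines, today=TODAY):
    """Year-less 'Mon DD' prefix match, as the PR describes 800.loginfail doing."""
    yday = today - dt.timedelta(days=1)
    prefix = f"{yday:%b} {yday.day:2d} "        # syslog pads the day with a space
    return [l for l in lines if l.startswith(prefix) and "Failed password" in l]

def yesterday_failures_dated(lines, today=TODAY):
    """Same report over entries with inferred years: only the real yesterday remains."""
    yday = (today - dt.timedelta(days=1)).date()
    return [l for stamp, l in assign_years(lines, today.year)
            if stamp.date() == yday and "Failed password" in l]

if __name__ == "__main__":
    print(len(yesterday_failures_naive(AUTH_LOG)), "naive hit(s), including last year's")
    print(len(yesterday_failures_dated(AUTH_LOG)), "hit(s) after year inference")
```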