Date: Mon, 18 Aug 2003 13:24:21 +0200
From: Roman Neuhauser <dev-null@bellavista.cz>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Ralph Dratman <ralph@maxsoft.com>
Subject: Re: Fragments of kernel log text in "security run" message
Message-ID: <20030818112421.GE94462@freepuppy.bellavista.cz>
In-Reply-To: <20030818060154.GA70687@rot13.obsecurity.org>
References: <v04210101bb65e6df4e60@[192.168.1.27]> <20030818052132.GA70374@rot13.obsecurity.org> <20030818055019.GF2653@dan.emsphone.com> <20030818060154.GA70687@rot13.obsecurity.org>

# kris@obsecurity.org / 2003-08-17 23:01:54 -0700:
> On Mon, Aug 18, 2003 at 12:50:19AM -0500, Dan Nelson wrote:
>
> > > I get this as well on RELENG_4...I wish I knew why. Often it causes
> > > syslogd to log it at LOG_EMERG priority (=spams every logged in user
> > > with the truncated message).
> >
> > I think this happens after the kernel's message buffer starts rolling
> > over. The very first line in the dmesg output sometimes gets cut in
> > half, so diff prints it as a change block, and the security script
> > prints the "add" portion. Maybe the check_diff function should remove
> > the first line of the dmesg output before doing the diff?
>
> I guess I'm talking about a different problem, actually (syslogd),
> although I see the truncated security script mail as well.

The oldest security run mail I found this artifact in is dated
Fri, 6 Sep 2002 03:01:14 +0000 (GMT):

ishtar.bellavista.cz kernel log messages:
> tfix/local[3952]: fatal: open database /etc/aliases.db: No such file or directory

Next day's security run shows I updated the box to 4.7-PRERELEASE
on Sep 7, but I don't know what version it was running till then.

Hope this is of *some* help.

--
If you cc me or remove the list(s) completely I'll most likely ignore
your message. see http://www.eyrie.org./~eagle/faqs/questions.html
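
The behaviour Dan Nelson describes in the quoted text, and his suggestion to drop the first line of the dmesg output before diffing, can be reproduced on constructed data. This is an added example, not part of the original message and not FreeBSD's check_diff; the function names and the sample log lines are made up for illustration.

```sh
#!/bin/sh
# Added illustration: function names and sample lines are constructed,
# not taken from FreeBSD's periodic security scripts.

# Print only the lines diff marks as added ("> ") between two snapshots.
added_lines() {
    # diff exits 1 when the files differ; only exit 2 is a real error.
    { diff "$1" "$2" || [ $? -eq 1 ]; } | sed -n 's/^> //p'
}

# Same comparison, but with the first line of each snapshot dropped:
# after the message buffer wraps, that line may start mid-message.
added_lines_skip_first() {
    old=$(mktemp "${TMPDIR:-/tmp}/old.XXXXXX") || return 1
    new=$(mktemp "${TMPDIR:-/tmp}/new.XXXXXX") || { rm -f "$old"; return 1; }
    sed 1d "$1" > "$old"
    sed 1d "$2" > "$new"
    added_lines "$old" "$new"
    rm -f "$old" "$new"
}

# Write two constructed snapshots into directory $1. In the second one
# the buffer has wrapped: message one is gone, message two is cut short,
# and message four is the only genuinely new entry.
make_samples() {
    cat > "$1/dmesg.yesterday" <<'EOF'
sampled[101]: constructed message one
sampled[102]: constructed message two
sampled[103]: constructed message three
EOF
    cat > "$1/dmesg.today" <<'EOF'
pled[102]: constructed message two
sampled[103]: constructed message three
sampled[104]: constructed message four
EOF
}

demo=$(mktemp -d "${TMPDIR:-/tmp}/dmesgdemo.XXXXXX") || exit 1
make_samples "$demo"
echo "plain diff reports:"
added_lines "$demo/dmesg.yesterday" "$demo/dmesg.today"
echo "with first line dropped:"
added_lines_skip_first "$demo/dmesg.yesterday" "$demo/dmesg.today"
rm -rf "$demo"
```

Dropping the first line means a new message is missed only when it happens to be the very first line of the buffer.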