Date:      Wed, 2 Sep 2009 09:54:41 -0700
From:      Kurt Buff <kurt.buff@gmail.com>
To:        Mark Stapper <stark@mapper.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Daily security report oddity...
Message-ID:  <a9f4a3860909020954w710734a0id653adee080bc9d0@mail.gmail.com>
In-Reply-To: <4A9E1D63.8030101@mapper.nl>
References:  <a9f4a3860909011556m4ceafe2drf93460842a64e99a@mail.gmail.com> <4A9E1D63.8030101@mapper.nl>

On Wed, Sep 2, 2009 at 00:23, Mark Stapper <stark@mapper.nl> wrote:
> Kurt Buff wrote:
>> I got a daily security run email from one of my machines on Monday
>> morning, with the following entry:
>>
>>      zmx1.zetron.com login failures:
>>      Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
>>      Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
>>
>> What's puzzling is that this account has been completely inactive for
>> well over a year - this fellow is long gone, and I simply didn't clean
>> it up - that's my bad, but that's not the puzzling part.
>>
>> I traced it down, and found out that he had not logged in on Sunday.
>> The auth.log is, as you can see from the listing below, quite old. The
>> entries referenced above are from two years ago.
>>
>>       zmx1# ll /var/log/a*
>>       -rw-------  1 root  wheel  71845 Sep  1 15:42 /var/log/auth.log
>>       -rw-------  1 root  wheel   6087 Aug 29  2007 /var/log/auth.log.0.bz2
>>       -rw-------  1 root  wheel   5774 Aug 12  2007 /var/log/auth.log.1.bz2
>>       -rw-------  1 root  wheel   5795 Jul 24  2007 /var/log/auth.log.2.bz2
>>       -rw-------  1 root  wheel   6813 Jul  6  2007 /var/log/auth.log.3.bz2
>>
>>
>> So, a couple of questions:
>>
>> Why would the daily security run pick up something from *two years
>> ago* and only report it again today? The machine hasn't been rebooted
>> in a very long time, if that makes a difference.
>>
>> Is there any way to prevent something like this happening again - or
>> perhaps can I force the entry of the year into the date field for the
>> auth.log entries?
>>
>> Kurt
>
> Hello,
>
> If you look at the syntax of the logfile, you will see no year is listed.
> Most likely the whole file is parsed on security run. Since the logfile
> has been rotated the 30th of august 2007, it's very much possible you'll
> get all your messages all over again.
> Perhaps it's wise to rotate your logfiles once a year just in case...
> And it makes no difference that the machine hasn't been rebooted in a very
> long time... (define "very long time" ;-)
> http://uptimes-project.org/hosts/view/150 )

Heh. Well, for me a very long time is more than a year, because
security patches for the OS will at some point mandate a reboot - and
usually in less than a year.

I suppose there's a way to do auth log rotation automagically - would
that be sysutils/logrotate?

Kurt
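The point of the thread is that BSD-style syslog timestamps carry no year, so any report that selects auth.log lines by month and day will happily re-match entries from an earlier year that happen to share the date. The following Python filter is an added example, not code from the thread or from FreeBSD's periodic scripts: it assigns a year to each yearless timestamp relative to a reference clock (the most recent year in which the stamp is not in the future, which also handles the December/January rollover) and keeps only lines inside a one-day window. The sample log lines and the reference time are constructed to mirror the format and dates quoted above. It also shows the limit of this approach: a genuinely two-year-old "Aug 30" entry sitting in an unrotated file can only ever be assigned the most recent Aug 30, so rotating the log is what actually prevents the confusion.

```python
#!/usr/bin/env python3
"""Filter yearless BSD-syslog auth.log lines down to a recent window.

Added example for illustration; not part of FreeBSD's periodic(8) checks.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the same shape as the lines quoted in the thread.
SAMPLE_AUTH_LOG = """\
Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
Sep  1 15:40:02 zmx1 su: BAD SU jdoe to root on /dev/ttyp1
Sep  1 15:42:11 zmx1 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
"""

# "Mon dd HH:MM:SS" with a space-padded day, followed by the rest of the line.
LINE_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")


def parse_stamp(stamp, now):
    """Give a yearless syslog timestamp a year.

    Picks the most recent year (this year, else last year) in which the stamp
    is not in the future relative to `now`, allowing an hour of clock skew.
    Returns None if neither candidate is a valid date (e.g. Feb 29).
    """
    # Parse against a leap year first so that "Feb 29" is accepted.
    base = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
    for year in (now.year, now.year - 1):
        try:
            candidate = base.replace(year=year)
        except ValueError:  # Feb 29 in a non-leap year
            continue
        if candidate <= now + timedelta(hours=1):
            return candidate
    return None


def recent_failures(log_text, now, window=timedelta(days=1)):
    """Split log lines into (kept, stale).

    `kept` holds lines whose inferred timestamp falls within `window` of `now`;
    everything else, including lines that do not parse, goes to `stale`.
    """
    kept, stale = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            stale.append(line)
            continue
        when = parse_stamp(m.group("stamp"), now)
        if when is not None and timedelta(0) <= now - when <= window:
            kept.append(line)
        else:
            stale.append(line)
    return kept, stale


if __name__ == "__main__":
    # Constructed reference clock: just after the auth.log mtime in the listing.
    reference = datetime(2009, 9, 1, 16, 0, 0)
    kept, stale = recent_failures(SAMPLE_AUTH_LOG, reference)
    print("Would report:")
    for line in kept:
        print("  " + line)
    print("Outside the window (possibly from an earlier year):")
    for line in stale:
        print("  " + line)
```

Run against the sample with the constructed reference time, the two "Sep  1" lines are reported and the two "Aug 30" lines are set aside as older than a day. Note that the Aug 30 lines are assigned 2009, not their true 2007: with no year in the record the filter cannot tell them apart from last week's failures, which is why a date-only window is a mitigation and rotation (for example with newsyslog on FreeBSD, or the sysutils/logrotate port mentioned above) is the real fix.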