misc/70715: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)

Chris Johnson chris at claimlynx.com
Fri Aug 20 08:00:39 PDT 2004 

>Number:         70715
>Category:       misc
>Synopsis:       Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 20 15:00:38 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Chris Johnson
>Release:        5.2.1, 4.10, 4.9
>Organization:
ClaimLynx, Inc.
>Environment:
N/A
>Description:
      Entries logged to /var/log/auth.log, in particular sshd entries, contain only the month, day and time without the year, e.g. "Aug 19 09:17:09 hostname sshd[342]: ..."

The daily security report includes all failure messages from yesterday, or at least that's the intention.  I believe /etc/periodic/800.loginfail is one such script.

Due to the lack of year in the dates, the security report will group messages from a year ago (or two years ago, etc.) from the same month and day into the report.  This can cause heart palpitations in some system administrators when they see a report showing multiple failed attempts to access a system in a manner which they know (this year, anyway) should be impossible.

On a well-controlled system behind a firewall, it's not at all unlikely that the volume of messages in auth.log would be so small so as to prevent it from hitting the 100K size needed to cause newsyslog to create a new log.  Moreover, it appears the code in 800.loginfail looks at old, compressed logs anyway, so even rolling over the auth.log file once a year, my initial thought for a work-around, won't solve the problem.
>How-To-Repeat:
      Mistype your password and fail to login on same date.  Do the same a year later.  Receive the daily security report on the following day.
>Fix:
      Add the year to the auth.log date/time stamp.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list