Daily security report oddity...

Kurt Buff kurt.buff at gmail.com
Wed Sep 2 16:54:43 UTC 2009 

On Wed, Sep 2, 2009 at 00:23, Mark Stapper<stark at mapper.nl> wrote:
> Kurt Buff wrote:
>> I got a daily security run email from one of my machines on Monday
>> morning, with the following entry:
>>
>>      zmx1.zetron.com login failures:
>>      Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
>>      Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
>>
>> What's puzzling is that this account has been completely inactive for
>> well over a year - this fellow is long gone, and I simply didn't clean
>> it up - that's my bad, but that's not the puzzling part.
>>
>> I traced it down, and found out that he had not logged in on Sunday.
>> The auth.log is, as you can see from the listing below, quite old. The
>> entries referenced above are from two years ago.
>>
>>       zmx1# ll /var/log/a*
>>       -rw-------  1 root  wheel  71845 Sep  1 15:42 /var/log/auth.log
>>       -rw-------  1 root  wheel   6087 Aug 29  2007 /var/log/auth.log.0.bz2
>>       -rw-------  1 root  wheel   5774 Aug 12  2007 /var/log/auth.log.1.bz2
>>       -rw-------  1 root  wheel   5795 Jul 24  2007 /var/log/auth.log.2.bz2
>>       -rw-------  1 root  wheel   6813 Jul  6  2007 /var/log/auth.log.3.bz2
>>
>>
>> So, a couple of questions:
>>
>> Why would the daily security run pick up something from *two years
>> ago* and only report it again today? The machine hasn't been rebooted
>> in a very long time, if that makes a difference.
>>
>> Is there any way to prevent something like this happening again - or
>> perhaps can I force the entry of the year into the date field for the
>> auth.log entries?
>>
>> Kurt
>
> Hello,
>
> If you look at the syntax of the logfile, you will see no year is listed.
> Most likely the whole file is parsed on security run. Since the logfile
> has been rotated the 30th of august 2007, it's very much possible you'll
> get all your messages all over again.
> Perhaps it's wise to rotate you logfiles once a year just in case...
> And it make no difference the machine hasn't been rebooted in a very
> long time... (define "very long time" ;-)
> http://uptimes-project.org/hosts/view/150 )

Heh. Well, for me a very long time is more than a year, because
security patches for the OS will at some point mandate a reboot - and
usually in less than a year.

I suppose there's a way to do auth log rotation automagically - would
that be sysutils/logrotate?

Kurt

More information about the freebsd-questions mailing list