periodic security run output gives false positives after 1 year
Glen Barber
glen.j.barber at gmail.com
Thu Feb 16 17:49:44 UTC 2012
On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
> Hi,
>
> I have seen it many times before, but never took the time to post about it.
>
> Scripts in /etc/periodic are grepping logs for yesterday's date, but
> without specifying the year (because some logs do not have the year logged).
>
> This results in false positive alerts in security e-mails from our
> lightly loaded servers, where logs are not rotated often enough.
>
> For example /var/log/auth.log is 62KB (838 lines) and contains entries
> for almost 2 years.
>
> Today I got the following alert:
>
> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>
> (hostname and IP are replaced by X)
>
> But looking into auth.log, I found zero entries from yesterday - the Feb 15
> entries were logged 1 year ago!
>
> So I propose to set all daemons / syslog to log the year too (as %Y) and
> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
> in the periodic scripts.
>
> The affected scripts are:
> 460.status-mail-rejects
> 470.status-named
> 800.loginfail
> 900.tcpwrap
>
> Maybe some others; I just did a quick grep -rsn 'date -v-1d'
> /etc/periodic and I don't know the logic used in the other scripts to get
> yesterday's messages.
>
> What do you think about it?
>
Rotating the appropriate logs daily/weekly/monthly/whatever will silence
these false alarms.
Glen
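The false positive described in the thread, reproduced as an added example (not code from either poster or from the FreeBSD periodic scripts): a constructed auth.log excerpt without a year field, spanning two years, is filtered the way the periodic scripts do (`grep "^$yesterday"`), which counts last year's "Feb 15" lines as yesterday's. The second function goes beyond the thread's two fixes (log the year, or rotate the logs) with a heuristic for logs that are already on disk: because syslog appends chronologically, a month number that goes backwards between consecutive lines marks a year rollover, so each line's year can be inferred relative to the year of the last line. That inference is my assumption, not something the thread proposes, and it misses a rollover if a single gap between two consecutive lines exceeds eleven months. The "yesterday" pattern is passed in explicitly so the functions run under either BSD `date -v-1d` or GNU `date -d yesterday`; the sample file, hostnames and addresses are constructed and differ from the poster's log, which had no genuine Feb 15 entry.

```shell
#!/bin/sh
# Constructed auth.log excerpt (not the poster's real log): no year field,
# written in chronological order, first four lines from 2011, rest from 2012.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Jul  4 10:02:11 host sshd[90112]: Accepted publickey for ops from 192.0.2.30 port 51022 ssh2
Dec 31 23:59:58 host sshd[91003]: Invalid user backup from 192.0.2.20
Jan  1 00:00:04 host sshd[91005]: Invalid user backup from 192.0.2.20
Feb 15 07:41:19 host sshd[92210]: Invalid user test from 192.0.2.40
Feb 16 08:00:02 host sshd[92340]: Accepted publickey for ops from 192.0.2.30 port 51030 ssh2
EOF

# Yesterday's "Mon dd " prefix in the format the periodic scripts use (%e pads
# single-digit days with a space). Tries BSD date first, then GNU date.
yesterday_pattern() {
    date -v-1d "+%b %e " 2>/dev/null || date -d yesterday "+%b %e "
}

# What the periodic scripts effectively do: match on month and day only.
# $1 = log file, $2 = "Mon dd " prefix. Counts every matching line, whatever year.
count_yesterday_naive() {
    grep -c "^$2" "$1" || true
}

# Year-aware count for logs that lack a year field (heuristic, my assumption).
# $1 = log file, $2 = "Mon dd " prefix, $3 = year wanted, $4 = year of the
# file's last line (normally the current year). A decreasing month number
# between consecutive lines is treated as a year rollover.
count_yesterday_year_aware() {
    awk -v want_md="$2" -v want_year="$3" -v year_of_last="$4" '
    {
        # Month name -> 1..12 via its offset in the concatenated name table.
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        if (NR > 1 && m < prev_m) rollovers++
        prev_m = m
        rel[NR] = rollovers          # rollovers seen before/at this line
        line[NR] = $0
    }
    END {
        for (i = 1; i <= NR; i++) {
            y = year_of_last - (rollovers - rel[i])
            if (y == want_year && index(line[i], want_md) == 1) n++
        }
        print n + 0
    }' "$1"
}

# Usage: the naive filter reports 3 "Feb 15" lines (two of them from 2011),
# the year-aware filter reports only the one from 2012.
echo "naive:      $(count_yesterday_naive "$SAMPLE_LOG" "Feb 15 ")"
echo "year-aware: $(count_yesterday_year_aware "$SAMPLE_LOG" "Feb 15 " 2012 2012)"
```

Either of the thread's fixes removes the need for the heuristic: with `%Y` in both the log format and the `date` pattern the prefix match becomes unambiguous, and with daily rotation the file simply never contains last year's lines.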