periodic security run output gives false positives after 1 year

Miroslav Lachman 000.fbsd at quip.cz
Fri Feb 17 12:24:35 UTC 2012


I re-added the list to CC.

Gregory Orange wrote:
> Hi Miroslav,
> I don't know if this message really contributes anything to the list, so
> I'll email you directly.
>
> On 17/02/12 01:04, Miroslav Lachman wrote:
>> I have seen it many times before, but never took the time to post about it.
>
> Well, thank you for posting it. I'm fairly new to BSD admin (GNU/Linux
> for a few years prior), and generally to being the main person
> responsible for security.

I am really glad to see that my post helped somebody.

>> But looking into auth.log I found zero entries from yesterday - Feb 15
>> entries were logged 1 year ago!
>
> We've been concerned by some auth.log entries for a week or two, and
> only after reading your message and taking a closer look at the context
> of the logs did I think of that possibility. It's exactly my issue!

Be aware that setting a shorter time (or a lower file size) for log rotation 
is not enough. The script 800.loginfail reads all available rotated 
compressed logs. So even if you rotate more often, you will get 
false positive alerts if some 1-year-old entries are stored on disk in 
/var/log/auth.log.X.bz2 files.

The default setting in newsyslog.conf is

/var/log/auth.log         600  7     500  *     JC

This means 7 old compressed archives, each taken after the original log 
reaches 500kB in size. So it can contain more than 10 years of history on 
the server I mentioned.

Until FreeBSD logs dates in a format with the year, you must do something 
to be sure that none of the files in /var/log store entries older than 364 days.

Cheers,
Miroslav Lachman
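As an added example (not part of the original mail or of the FreeBSD periodic scripts), a small sh check that lists rotated auth.log archives whose modification time is older than a threshold, so they can be dealt with before 800.loginfail greps them again. It assumes newsyslog's default auth.log.N.bz2 naming; the 300-day default threshold is a constructed value for illustration, not anything the mail states.

```sh
#!/bin/sh
# Added example, not from the original mail: find rotated auth.log archives
# old enough that their year-less syslog timestamps can collide with
# "yesterday" when periodic's 800.loginfail greps every compressed archive.
# Assumes newsyslog's default naming, /var/log/auth.log.N.bz2.

# Print archives directly under DIR whose mtime is older than DAYS days.
stale_auth_logs() {
    dir=$1
    days=$2
    find "$dir" -maxdepth 1 -type f -name 'auth.log.*' -mtime +"$days" | sort
}

# Return 0 when no stale archive exists, 1 otherwise (usable from cron or
# as a pre-check before the daily periodic run). Defaults: /var/log and a
# constructed 300-day threshold.
check_auth_archives() {
    dir=${1:-/var/log}
    days=${2:-300}
    stale=$(stale_auth_logs "$dir" "$days")
    if [ -n "$stale" ]; then
        printf 'stale auth.log archives (older than %s days) in %s:\n%s\n' \
            "$days" "$dir" "$stale" >&2
        return 1
    fi
    return 0
}

# Usage: run against a directory given on the command line, e.g.
#   sh check_auth_archives.sh /var/log 300
if [ -n "$1" ]; then
    check_auth_archives "$1" "${2:-300}"
fi
```

A non-zero exit from check_auth_archives tells you an archive old enough to produce these false positives is still on disk; what to do with it (move it off /var/log, or shorten the archive count in newsyslog.conf) is a local decision, and the script itself only reports.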

