periodic security run output gives false positives after 1 year

Jason Hellenthal jhell at DataIX.net
Sun Feb 19 04:52:10 UTC 2012



On Sat, Feb 18, 2012 at 04:35:20PM -0500, Robert Simmons wrote:
> On Fri, Feb 17, 2012 at 6:56 PM, Roger Marquis <marquis at roble.com> wrote:
> > I don't personally recall a time when everything else wasn't logging the
> > year, in one format or another.  That's not to imply that syslogs
> > shouldn't be distinguishable by year but the question seems to be where
> > the year should be logged, A) on every line or B) in the archive file
> > name.
> 
> There already is a standard, RFC 5424:
> freebsd-security at freebsd.org
> 
> You are asking, should we make our own decision to do this totally
> differently than the standard set in that RFC, or should we implement
> that RFC?
> 
> Another option is to do nothing and stick with the way it is.
> 
> I think the way to proceed would be to implement RFC 5424, and have it
> as a switch in rc.conf, something like:
> 
> syslogd_flags="-x"
> where x is the new switch that would enable RFC5424 style logging.

How about an environment variable that login.conf could be adjusted for
so in case something else wants to benefit from similar behavior it can
just look for that too? Similar to how BLOCKSIZE works. After all this
is an environmental change.

> 
> This would be optional for now.  Then with FreeBSD 10, 5424 would
> become the default with the option now being a flag -y to enable old
> style logging for backwards compatibility.
> 
> > I suspect it was not common practice to leave logs on the server for more
> > than a year when Allman originally wrote syslog, and I have not seen an
> > environment where logs are left in /var/log for over a year.  Personally,
> > I would rather see FreeBSD stay backwards compatible and A) leave the
> > syslog timestamp format alone instead opting for KIS by simply writing
> > the year in the archive file name rather than wasting 5 bytes on every
> > line of every syslog log file.  YMMV.
> 
> It really shouldn't be a common practice, but we live in a world where
> governments are forcing data retention laws.  It is an unfortunate
> reality that needs to be dealt with.
> http://en.wikipedia.org/wiki/Telecommunications_data_retention
> 
> Also, I'm not sure I follow the logic behind some of the people on
> this list saying not to implement this at all.  It should be an option
> for now, then the default on the other side of a major OS version with
> the old way then available as an option.  This seems the most rational
> path to take.
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

-- 
;s =;
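The disagreement above is about where the year lives: on every line (RFC 5424) or only in the archive file name (traditional BSD syslog). The following is an added example, not code from the thread or from FreeBSD's syslogd or periodic(8); it parses both timestamp styles on constructed sample lines and shows why a "what happened in the last 24 hours" check over an archive kept longer than a year re-reports year-old BSD lines while RFC 5424 lines are dated unambiguously. The `recent_lines` function is a stand-in for such a check, and the year-guessing heuristic for BSD lines (assume the current year, roll back one if that lands in the future) is the usual one, not anything the thread specifies.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the original thread). The BSD lines use
# the traditional year-less syslog timestamp; the others carry the RFC 5424
# timestamp (an ISO 8601 date-time) that the thread proposes enabling.
BSD_TODAY = "Feb 19 04:52:10 gw sshd[1234]: Invalid user admin from 192.0.2.10"
BSD_LAST_YEAR = "Feb 19 04:52:10 gw sshd[1234]: Invalid user admin from 192.0.2.10"
RFC5424_TODAY = "<38>1 2012-02-19T04:52:10Z gw sshd 1234 - - Invalid user admin from 192.0.2.10"
RFC5424_LAST_YEAR = "<38>1 2011-02-19T04:52:10Z gw sshd 1234 - - Invalid user admin from 192.0.2.10"

# "Now" for the example: shortly after the lines above were written.
NOW = datetime(2012, 2, 19, 5, 0, 0, tzinfo=timezone.utc)

MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}
BSD_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) ")
RFC5424_TS = re.compile(r"^<\d{1,3}>1 (?P<ts>\d{4}-\d\d-\d\dT[^ ]+) ")


def _with_year(ts, year):
    """Set the year, clamping Feb 29 to Feb 28 when the target year is not leap."""
    try:
        return ts.replace(year=year)
    except ValueError:
        return ts.replace(year=year, day=28)


def parse_timestamp(line, now):
    """Return (timestamp, year_was_guessed) for one syslog line.

    RFC 5424 lines carry the year, so the timestamp is exact. BSD lines do
    not, so the year is guessed: assume the current year and roll back one
    year if that would place the event in the future.
    """
    m = RFC5424_TS.match(line)
    if m:
        return datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")), False
    m = BSD_TS.match(line)
    if m:
        h, mi, s = (int(x) for x in m.group("hms").split(":"))
        # Build on a leap year so "Feb 29" parses, then move to the guessed year.
        base = datetime(2000, MONTHS[m.group("mon")], int(m.group("day")),
                        h, mi, s, tzinfo=now.tzinfo)
        ts = _with_year(base, now.year)
        if ts > now:
            ts = _with_year(base, now.year - 1)
        return ts, True
    raise ValueError("unrecognised syslog timestamp: %r" % line)


def recent_lines(lines, now, hours=24):
    """Return the lines whose timestamp falls within the last `hours` hours.

    Stand-in for a periodic check that reports what happened since the last
    run. Over an archive retained for more than a year, a BSD line from the
    same calendar day a year earlier parses to the same instant as today's
    line and is reported again; an RFC 5424 line from a year ago is not.
    """
    cutoff = now - timedelta(hours=hours)
    return [l for l in lines if cutoff <= parse_timestamp(l, now)[0] <= now]


if __name__ == "__main__":
    print(recent_lines([BSD_LAST_YEAR, BSD_TODAY], NOW))          # both lines
    print(recent_lines([RFC5424_LAST_YEAR, RFC5424_TODAY], NOW))  # today's line only
```

The two BSD sample lines are byte-for-byte identical even though they were written a year apart, which is exactly the property the RFC 5424 timestamp removes; with year-less lines the only remaining disambiguator is the archive file name, as Roger suggests.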