periodic security run output gives false positives after 1 year

Gary Palmer gpalmer at freebsd.org
Mon Feb 20 14:54:07 UTC 2012


On Thu, Feb 16, 2012 at 02:01:24PM -0500, Glen Barber wrote:
> On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote:
> > Glen Barber wrote:
> > > On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
> > >> Hi,
> > >>
> > >> I have seen it many times before, but never took the time to post about it.
> > >>
> > >> Scripts in /etc/periodic are grepping logs for yesterday's date, but
> > >> without specifying the year (because some logs do not have the year logged).
> > >>
> > >> This results in false positive alerts in security e-mails from our
> > >> lightly loaded servers, where logs are not rotated often enough.
> > >>
> > >> For example /var/log/auth.log is 62KB (838 lines) and contains entries
> > >> for almost 2 years.
> > >>
> > >> Today I got the following alert:
> > >>
> > >> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
> > >> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
> > >> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
> > >> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
> > >>
> > >> (hostname and IP are replaced by X)
> > >>
> > >> But looking into auth.log I found zero entries from yesterday - the Feb 15
> > >> entries were logged 1 year ago!
> > >>
> > >> So I propose to set all daemons / syslog to log the year too (as %Y) and
> > >> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b
> > >> %e %Y"` in the periodic scripts.
> > >>
> > >> The affected scripts are:
> > >> 460.status-mail-rejects
> > >> 470.status-named
> > >> 800.loginfail
> > >> 900.tcpwrap
> > >>
> > >> Maybe some others, I did just a quick grep -rsn 'date -v-1d'
> > >> /etc/periodic and I don't know the logic used in the other scripts to get
> > >> yesterday's messages.
> > >>
> > >> What do you think about it?
> > >>
> > >
> > > Rotating the appropriate logs daily/weekly/monthly/whatever will silence
> > > these false alarms.
> > 
> > My post was not about "how can I fix it locally", but what should be done
> > in the FreeBSD distribution, because these false alerts were made by the
> > default FreeBSD configuration (coincidence of newsyslog settings,
> > periodic scripts and log format)
> > 
> 
> IMHO, this isn't something the FreeBSD installation can "guess" as a
> suitable default, but up to the administrator to define what is
> appropriate for their system.

Whether or not the administrator tunes their setup to meet their
requirements, the default newsyslog.conf should not allow these
alerts to happen by enforcing a minimum of 1 roll over per year.

Miroslav, please file a bug report requesting newsyslog.conf be updated
to mitigate this problem.

Thanks,

Gary
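The false positive described in this thread, reproduced on constructed data as an added example (this is not code from the thread, from the FreeBSD periodic scripts, or from newsyslog). It assumes a hypothetical "today" of Feb 16 2012, constructed hostnames and documentation IP addresses, and, for the year-aware variant, that syslog has been configured to write the year in a "%b %e %Y" layout matching the pattern Miroslav proposed. The month/day-only prefix that the stock scripts build matches every Feb 15 in an unrotated log, stale years included; the prefix with the year matches only yesterday's entries.

```sh
#!/bin/sh
# Added example: why a month/day-only "yesterday" prefix matches stale
# entries in an unrotated auth.log, and how a year-aware prefix avoids it.

# Constructed sample in the stock syslog layout (no year). Hypothetical
# "today" is Feb 16 2012: the first three lines are from Feb 2011 and
# only the last line is genuinely from yesterday.
LOG_NOYEAR='Feb 15 22:36:03 host1 sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host1 sshd[89850]: Invalid user medina from 192.0.2.10
Feb 15 22:50:57 host1 sshd[89852]: Invalid user student from 192.0.2.10
Mar  1 10:00:00 host1 sshd[90001]: Accepted publickey for alice from 192.0.2.20
Feb 15 08:12:44 host1 sshd[2345]: Invalid user backup from 198.51.100.7'

# The same events with the year logged (assumed "%b %e %Y" layout, which is
# what the proposed date -v-1d "+%b %e %Y" prefix would match).
LOG_YEAR='Feb 15 2011 22:36:03 host1 sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 2011 22:50:56 host1 sshd[89850]: Invalid user medina from 192.0.2.10
Feb 15 2011 22:50:57 host1 sshd[89852]: Invalid user student from 192.0.2.10
Mar  1 2011 10:00:00 host1 sshd[90001]: Accepted publickey for alice from 192.0.2.20
Feb 15 2012 08:12:44 host1 sshd[2345]: Invalid user backup from 198.51.100.7'

# Build the "yesterday" prefix the way the periodic scripts do, portably:
# BSD date understands -v-1d, GNU date needs -d yesterday.
# $1 = strftime format, e.g. '%b %e ' or '%b %e %Y '.
yesterday_prefix() {
    date -v-1d "+$1" 2>/dev/null || date -d yesterday "+$1"
}

# Count log lines whose timestamp starts with the given prefix.
# $1 = prefix such as 'Feb 15 ' or 'Feb 15 2012 ', $2 = log text.
# grep -c prints 0 and exits 1 on no match; "|| true" keeps set -e quiet.
count_matches() {
    printf '%s\n' "$2" | grep -c "^$1" || true
}

# Select yesterday's "Invalid user" lines, mirroring what a loginfail-style
# report would mail out for the given prefix. $1 = prefix, $2 = log text.
login_failures() {
    printf '%s\n' "$2" | grep "^$1" | grep -i 'invalid user' || true
}

# Demonstration when run directly.
echo "month/day prefix, unrotated log: $(count_matches 'Feb 15 ' "$LOG_NOYEAR") hits (3 are a year old)"
echo "year-aware prefix, same events:  $(count_matches 'Feb 15 2012 ' "$LOG_YEAR") hit"
echo "stale matches a rotation would have removed: $(count_matches 'Feb 15 2011 ' "$LOG_YEAR")"
echo "report for yesterday with the year logged:"
login_failures 'Feb 15 2012 ' "$LOG_YEAR"
```

Without a year in the timestamps there is nothing the grep can do to tell 2011 from 2012, which is why the two remedies in the thread are the only ones available: either put the year into the log line and the prefix, or make newsyslog roll the file over at least once a year so that stale lines are no longer in the file being searched.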