misc/66726: /etc/periodic/security/ 800.loginfail script reports
failed logins from previous year
Mark Steven Baker
msbaker at cs.uoregon.edu
Sun May 16 23:00:42 PDT 2004
>Number: 66726
>Category: misc
>Synopsis: /etc/periodic/security/ 800.loginfail script reports failed logins from previous year
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 16 23:00:39 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Mark Steven Baker
>Release: 4.8 Release
>Organization:
>Environment:
FreeBSD xxxxx 4.8-RELEASE FreeBSD 4.8-RELEASE
>Description:
The 800.loginfail script in /etc/periodic/security that normally runs
via cron every night is supposed to report login failures from /var/log/auth.log for the previous day and email this to root as part of the daily security report.
If a single auth.log file exists on a system with a year of syslog data, the current script will report failed login errors from the previous date one year earlier as well.
>How-To-Repeat:
Edit the /var/log/auth.log file, creating some bogus login failures for one year earlier than the previous day. Then manually run the
/etc/periodic/security/800.loginfail script and see that these year-old login failures are reported.
>Fix:
I had some trouble understanding the catmsg function in 800.loginfail, so I can't suggest a fix.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list