conf/70715: Lack of year in dates in auth.log can cause
confusing security reports (and resulting fear of break-in)
Gavin Atkinson
gavin at FreeBSD.org
Thu Jul 19 13:30:26 UTC 2007
The following reply was made to PR conf/70715; it has been noted by GNATS.
From: Gavin Atkinson <gavin at FreeBSD.org>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: conf/70715: Lack of year in dates in auth.log can cause confusing
security reports (and resulting fear of break-in)
Date: Thu, 19 Jul 2007 14:27:35 +0100 (BST)
From PR conf/99844 (which confirms this is still an issue with 6.1):
The problem is a combination of two facts:
1) According to default newsyslog.conf settings some log files
are rotated only by size, on reaching 100K size limit.
2) syslogd has hard-coded format for writing date into log files.
Year is not included and hence can't be written into logs.
The problem appears when the log file grows slower then 100K per year.
In this case it becomes hard (or even impossible) to distinguish
records created on the same day but different years.
One visible effect is 'false positives' of
/etc/periodic/security/800.loginfail script, which analyses
/var/log/auth.log file and may report about events happened one or more
years ago while it's expected to report only 'yesterday' login failures as
it's result is included in daily security reports.
Fix:
Variants are:
a) to teach syslogd writing date in log files with year value
b) rotate log files at least once a year despite of their sizes
More information about the freebsd-bugs
mailing list