conf/165331: periodic security run output gives false positives after 1 year
000.fbsd at quip.cz
Mon Feb 20 17:40:07 UTC 2012
>Synopsis: periodic security run output gives false positives after 1 year
>Arrival-Date: Mon Feb 20 17:40:07 UTC 2012
>Originator: Miroslav Lachman
>Release: 7.4-RELEASE, 8.2-RELEASE
7.4-RELEASE FreeBSD 7.4-RELEASE #0: Thu Feb 17 03:51:56 UTC 2011 root at walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
As discussed in the links at the bottom, there is a problem with parsing log files for security issues.
Log files do not have a year in the timestamp, and if there is little activity, the log files are not rotated often enough. This can cause false positive alerts in periodic e-mails with entries exactly 1 year old (or 2, or 3, or N... years old).
For example, in my case /var/log/auth.log is 62KB (838 lines) and contains entries for almost 2 years.
I get the following alert in the security run:
Feb 15 22:36:03 XXX sshd: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd: Invalid user student from xxx.xxx.xxx.xxx
But looking into auth.log I found zero entries from yesterday; the Feb 15 entries were logged 1 year ago.
Install any currently available FreeBSD RELEASE on some test machine with low user activity (logins / logouts; only a few entries in auth.log per year). Make some bogus login attempts with nonexistent user names.
They will appear in the periodic security output the next day, and then *wait 1 year*: they will appear in the periodic security output again.
It is a false positive.
1) add support for a year field in syslog dates (RFC 5424 / timestamps in ISO 8601 form)
Changes made to NetBSD syslog are available for porting to FreeBSD.
2) change the default newsyslog.conf settings to make sure there is no entry older than 364 days (including compressed archives, because the periodic scripts read them all)
For example, the current default newsyslog.conf entry for auth.log
/var/log/auth.log 600 7 500 * JC
must be changed to roll over more than 7 times per year (ignoring size).
Maybe change it to "rotate if size is greater than 500 or once per month".
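The following script is an added example written for this page; it is not code from the PR, from the reporter, or from FreeBSD's periodic(8) scripts. It reproduces the false positive with constructed auth.log lines (hostname XXX, documentation-range addresses) and contrasts a month/day-only match, the only kind possible when the timestamp carries no year, with a match against RFC 5424 / ISO 8601 timestamps as proposed in fix 1. The function names naive_scan and year_aware_scan are this example's own.

```sh
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's periodic(8) scripts.
# It reproduces the false positive described above with constructed log
# lines and contrasts a month/day-only match with a year-aware one.

# Constructed auth.log in the traditional BSD syslog format (no year).
# The "Feb 15" lines are the year-old break-in attempts; the later lines
# are the only activity since. Addresses are from the 192.0.2.0/24 doc range.
AUTH_LOG_NOYEAR='Feb 15 22:36:03 XXX sshd: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 XXX sshd: Invalid user medina from 192.0.2.10
Feb 15 22:50:57 XXX sshd: Invalid user student from 192.0.2.10
Feb 15 22:50:58 XXX sshd: Invalid user student from 192.0.2.10
Nov  3 09:12:44 XXX sshd: Accepted publickey for admin from 192.0.2.20
Feb 14 08:01:02 XXX sshd: Accepted publickey for admin from 192.0.2.20'

# The same constructed events with RFC 5424 / ISO 8601 timestamps, i.e.
# the format fix 1 proposes: the year is part of every line.
AUTH_LOG_ISO='2011-02-15T22:36:03+00:00 XXX sshd: Invalid user t1na from 192.0.2.10
2011-02-15T22:50:56+00:00 XXX sshd: Invalid user medina from 192.0.2.10
2011-02-15T22:50:57+00:00 XXX sshd: Invalid user student from 192.0.2.10
2011-02-15T22:50:58+00:00 XXX sshd: Invalid user student from 192.0.2.10
2011-11-03T09:12:44+00:00 XXX sshd: Accepted publickey for admin from 192.0.2.20
2012-02-14T08:01:02+00:00 XXX sshd: Accepted publickey for admin from 192.0.2.20'

# naive_scan LOG "Mon DD": the kind of check a periodic script can make
# when the log has no year. It anchors on the month/day prefix only, so
# any year's entries for that calendar day match. Prints the match count.
naive_scan() {
    printf '%s\n' "$1" | grep -ic "^$2 .*invalid user" || true
}

# year_aware_scan LOG YYYY-MM-DD: the same check against ISO 8601
# timestamps. Anchoring on the full date cannot match a previous year.
year_aware_scan() {
    printf '%s\n' "$1" | grep -ic "^$2T.*invalid user" || true
}

# Running the report on 2012-02-16, "yesterday" is Feb 15 / 2012-02-15.
# Without a year the stale 2011 lines are reported; with one they are not.
echo "month/day match for 'Feb 15':    $(naive_scan "$AUTH_LOG_NOYEAR" 'Feb 15') hits (stale, 1 year old)"
echo "full-date match for 2012-02-15:  $(year_aware_scan "$AUTH_LOG_ISO" 2012-02-15) hits"
echo "full-date match for 2011-02-15:  $(year_aware_scan "$AUTH_LOG_ISO" 2011-02-15) hits (the real date)"
```

Fix 2 attacks the same problem from the rotation side: as long as the timestamp has no year, the only defence is to guarantee that no line older than a year survives in the log or its archives, which means replacing the `*` in the "when" field of the auth.log entry with a time specification (newsyslog.conf(5) documents `$M1D0` for the first day of each month at midnight) so rotation is no longer driven by size alone.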