periodic security run output gives false positives after 1 year
Miroslav Lachman
000.fbsd at quip.cz
Thu Feb 16 17:59:57 UTC 2012
Glen Barber wrote:
> On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
>> Hi,
>>
>> I see it many times before, but never take a time to post about it.
>>
>> Scrips in /etc/periodic are grepping logs for yesterday date, but
>> without specifying year (because some logs do not have year logged).
>>
>> This results in false positive alerts in security e-mails from our
>> lightly loaded servers, where logs are not enough rotated.
>>
>> For example /var/log/auth.log is 62KB (838 lines) and contains entries
>> for almost 2 years.
>>
>> Today I get following alert:
>>
>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>
>> (hostname and IP are replaced by X)
>>
>> But looking in to auth.log I found zero entries from yesterday - Feb 15
>> entries were logged 1 year ago!
>>
>> So I propose to set all daemons / syslog to log year too (as %Y) and
>> change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b
>> %e %Y"` in periodic scripts.
>>
>> The affected scripts are:
>> 460.status-mail-rejects
>> 470.status-named
>> 800.loginfail
>> 900.tcpwrap
>>
>> Maybe some others, I did just a quick grep -rsn 'date -v-1d'
>> /etc/periodic and I don't know the logic used in other script to get
>> yesterday messages.
>>
>> What do you think about it?
>>
>
> Rotating the appropriate logs daily/weekly/monthly/whatever will silence
> these false alarms.
My post was not about "how can I fix it localy", but what sould be done
in FreeBSD distribuition, because these false alerts were made by
default FreeBSD configuration (coincidence of newsyslog settings,
periodic scripts and log format)
Miroslav Lachman
More information about the freebsd-security
mailing list