periodic security run output gives false positives after 1 year

Miroslav Lachman 000.fbsd at quip.cz
Thu Feb 16 17:59:57 UTC 2012


Glen Barber wrote:
> On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
>> Hi,
>>
>> I see it many times before, but never take a time to post about it.
>>
>> Scrips in /etc/periodic are grepping logs for yesterday date, but
>> without specifying year (because some logs do not have year logged).
>>
>> This results in false positive alerts in security e-mails from our
>> lightly loaded servers, where logs are not enough rotated.
>>
>> For example /var/log/auth.log is 62KB (838 lines) and contains entries
>> for almost 2 years.
>>
>> Today I get following alert:
>>
>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>
>> (hostname and IP are replaced by X)
>>
>> But looking in to auth.log I found zero entries from yesterday - Feb 15
>> entries were logged 1 year ago!
>>
>> So I propose to set all daemons / syslog to log year too (as %Y) and
>> change  yesterday=`date -v-1d "+%b %e "`  to yesterday=`date -v-1d "+%b
>> %e %Y"` in periodic scripts.
>>
>> The affected scripts are:
>> 460.status-mail-rejects
>> 470.status-named
>> 800.loginfail
>> 900.tcpwrap
>>
>> Maybe some others, I did just a quick grep -rsn 'date -v-1d'
>> /etc/periodic and I don't know the logic used in other script to get
>> yesterday messages.
>>
>> What do you think about it?
>>
>
> Rotating the appropriate logs daily/weekly/monthly/whatever will silence
> these false alarms.

My post was not about "how can I fix it localy", but what sould be done 
in FreeBSD distribuition, because these false alerts were made by 
default FreeBSD configuration (coincidence of newsyslog settings, 
periodic scripts and log format)

Miroslav Lachman


More information about the freebsd-security mailing list