periodic security run output gives false positives after 1 year
Sergey Kandaurov
pluknet at gmail.com
Thu Feb 16 19:30:30 UTC 2012
2012/2/16 Miroslav Lachman <000.fbsd at quip.cz>:
> Hi,
>
> I see it many times before, but never take a time to post about it.
>
> Scrips in /etc/periodic are grepping logs for yesterday date, but without
> specifying year (because some logs do not have year logged).
>
> This results in false positive alerts in security e-mails from our lightly
> loaded servers, where logs are not enough rotated.
>
> For example /var/log/auth.log is 62KB (838 lines) and contains entries for
> almost 2 years.
>
> Today I get following alert:
>
> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>
> (hostname and IP are replaced by X)
>
> But looking in to auth.log I found zero entries from yesterday - Feb 15
> entries were logged 1 year ago!
>
> So I propose to set all daemons / syslog to log year too (as %Y) and change
> yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in
> periodic scripts.
>
> The affected scripts are:
> 460.status-mail-rejects
> 470.status-named
> 800.loginfail
> 900.tcpwrap
>
> Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodic
> and I don't know the logic used in other script to get yesterday messages.
>
> What do you think about it?
>
This is how the traditional BSD syslog was designed (and standardized
by RFC 3164). It has timestamp of fixed format: "Mmm dd hh:mm:ss".
In IETF this RFC is marked obsolete and replaced with RFC 5424 with
different timestamp format in ISO 8601 form. FreeBSD doesn't implement
5424 yet. Almost complete implementation was done in NetBSD in that
regard in 2008. NetBSD before RFC 5424 changes has had pretty similar
syslogd source, so if one could analyze and port that changes to FreeBSD,
that would be pretty nice.
--
wbr,
pluknet
More information about the freebsd-security
mailing list