periodic security run output gives false positives after 1 year
Roger Marquis
marquis at roble.com
Fri Feb 17 15:24:00 UTC 2012
Sergey Kandaurov wrote:
> In IETF this RFC is marked obsolete and replaced with RFC 5424 with
> different timestamp format in ISO 8601 form. FreeBSD doesn't implement
> 5424 yet. Almost complete implementation was done in NetBSD in that
> regard in 2008. NetBSD before RFC 5424 changes has had pretty similar
> syslogd source, so if one could analyze and port that changes to FreeBSD,
> that would be pretty nice.
Problem with that would be backwards compatibility, and it's not IMO
worth breaking everyone's syslog parsing scripts to fix an issue that
really isn't due to the date format as much as it is to log rotation.
That's not to say that security scripts don't need to parse archived
logs, just that they should perhaps check the date stamp of the archive
files before parsing.
Have to admit we don't use FreeBSD (or any other OS's) log rotation or
log-related periodic scripts. Would love to submit replacements though.
Our logic is a bit different:
* rotating current log files, to /var/log/$log.$i only when they grow
larger than 100MB,
* checking log file size hourly,
* rotating all logs regardless of size only at the end of the month, to
a compressed file with the date stamp as part of the filename,
* maintaining monthly archived log files in a dedicated subdirectory
(/var/log/logarchive),
* writing each syslog facility to its own file (kern.log, local1.log,
...).
It is unfortunate that syslog is such a neglected and unoptimized aspect
of nearly all Unix and Linux default installs but SA's don't have to
restrict their systems to those defaults.
Roger Marquis
More information about the freebsd-security
mailing list