Misleading security message output
andrew-freebsd at areilly.bpc-users.org
Sat Apr 16 23:06:51 PDT 2005
I had an interesting experience, this morning. The nightly
security message from a CVS server machine that runs a version
of FreeBSD-4 had arrived, and it claimed that someone who hadn't
done any work for us for some considerable time had had three
failed login attempts, late that night. Curious.
After much hunting around, and checking perimeter logs, it
turned out that nothing of the sort had happened. The security
log script had been fooled by the age of the messages.0.gz file,
which contained messages from more than a year ago. The search
pattern "$yesterday" doesn't contain a year, because log file
timestamps don't contain years. The log file was so old because
rotation is determined by size, and this machine simply doesn't
have much to log, despite being used daily. It never goes down,
and is basically completely stable.
This could be avoided, perhaps, with a NetBSD-style backup/diff
mechanism, or (incompatibly) with daemontools/multilog-style
64-bit time stamps in the log files. It can be worked-around
by forcing faster log-file rotations, now that I know about
the problem. I can't think of a really good widely-applicable
solution, using the existing framework, though.
More information about the freebsd-stable