Re: periodic security run output gives false positives after 1 y
Sergey Kandaurov wrote:
> 2012/2/16 Miroslav Lachman<000.fbsd@quip.cz>:
>> Hi,
>>
>> I see it many times before, but never take a time to post about it.
>>
>> Scrips in /etc/periodic are grepping logs for yesterday date, but without
>> specifying year (because some logs do not have year logged).
>>
>> This results in false positive alerts in security e-mails from our lightly
>> loaded servers, where logs are not enough rotated.
>>
>> For example /var/log/auth.log is 62KB (838 lines) and contains entries for
>> almost 2 years.
>>
>> Today I get following alert:
>>
>> Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
>> Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
>> Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
>> Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx
>>
>> (hostname and IP are replaced by X)
>>
>> But looking in to auth.log I found zero entries from yesterday - Feb 15
>> entries were logged 1 year ago!
>>
>> So I propose to set all daemons / syslog to log year too (as %Y) and change
>> yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"` in
>> periodic scripts.
>>
>> The affected scripts are:
>> 460.status-mail-rejects
>> 470.status-named
>> 800.loginfail
>> 900.tcpwrap
>>
>> Maybe some others, I did just a quick grep -rsn 'date -v-1d' /etc/periodic
>> and I don't know the logic used in other script to get yesterday messages.
>>
>> What do you think about it?
>>
>
> This is how the traditional BSD syslog was designed (and standardized
> by RFC 3164). It has timestamp of fixed format: "Mmm dd hh:mm:ss".
>
> In IETF this RFC is marked obsolete and replaced with RFC 5424 with
> different timestamp format in ISO 8601 form. FreeBSD doesn't implement
> 5424 yet. Almost complete implementation was done in NetBSD in that
> regard in 2008. NetBSD before RFC 5424 changes has had pretty similar
> syslogd source, so if one could analyze and port that changes to FreeBSD,
> that would be pretty nice.
Thank you for pointing this out. It would be the right step forward.
Unfortunately I am not a C developer, so I cannot port it my self.
Miroslav Lachman
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 7 之 26 篇):