From owner-freebsd-bugs@FreeBSD.ORG Fri Aug 20 15:00:39 2004
Message-Id: <200408201455.i7KEtUPc097304@www.freebsd.org>
Date: Fri, 20 Aug 2004 14:55:30 GMT
From: Chris Johnson
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/70715: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)

>Number: 70715
>Category: misc
>Synopsis: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 20 15:00:38 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Chris Johnson
>Release: 5.2.1, 4.10, 4.9
>Organization: ClaimLynx, Inc.
>Environment: N/A
>Description:
Entries logged to /var/log/auth.log, in particular sshd entries, contain only the month, day and time without the year, e.g. "Aug 19 09:17:09 hostname sshd[342]: ..."

The daily security report includes all failure messages from yesterday, or at least that's the intention. I believe /etc/periodic/800.loginfail is one such script. Due to the lack of year in the dates, the security report will group messages from a year ago (or two years ago, etc.) from the same month and day into the report. This can cause heart palpitations in some system administrators when they see a report showing multiple failed attempts to access a system in a manner which they know (this year, anyway) should be impossible.

On a well-controlled system behind a firewall, it's not at all unlikely that the volume of messages in auth.log would be so small as to prevent it from hitting the 100K size needed to cause newsyslog to create a new log. Moreover, it appears the code in 800.loginfail looks at old, compressed logs anyway, so even rolling over the auth.log file once a year, my initial thought for a work-around, won't solve the problem.
>How-To-Repeat:
Mistype your password and fail to log in on the same date. Do the same a year later. Receive the daily security report on the following day.
>Fix:
Add the year to the auth.log date/time stamp.
>Release-Note:
>Audit-Trail:
>Unformatted:
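The mismatch the report describes, shown on a constructed auth.log excerpt as an added example (this is not the report's code nor FreeBSD's 800.loginfail): a "Mon DD" match pulls in last year's failure, while inferring the year from the file's ordering (assuming the last line's year is known, e.g. from the file's mtime) keeps only yesterday's entry. `SAMPLE_LOG`, the IPs and the user names are all constructed.

```python
import re

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) \d{2}:\d{2}:\d{2} ")

# Constructed auth.log excerpt (not from the report).  The first and third
# lines are a year apart, but the syslog stamp has no year, so they look alike.
SAMPLE_LOG = [
    "Aug 19 09:17:09 hostname sshd[342]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Mar  3 11:02:44 hostname sshd[991]: Accepted publickey for alice from 192.0.2.20 port 5100 ssh2",
    "Aug 19 21:40:01 hostname sshd[1288]: Failed password for bob from 192.0.2.30 port 6011 ssh2",
    "Aug 20 06:00:00 hostname sshd[1301]: Accepted publickey for alice from 192.0.2.20 port 5108 ssh2",
]

def parse_stamp(line):
    """Return (month, day) from a syslog line, or None if it has no timestamp."""
    m = _STAMP.match(line)
    return (MONTHS.index(m.group(1)) + 1, int(m.group(2))) if m else None

def naive_yesterday(lines, yesterday):
    """What the daily report effectively does: match on 'Mon DD' only, so
    entries from any year with that month and day are included."""
    _, month, day = yesterday
    stamp = f"{MONTHS[month - 1]} {day:2d} "      # syslog pads the day to width 2
    return [line for line in lines if line.startswith(stamp)]

def with_years(lines, last_line_year):
    """Assign (year, month, day) to each line.  Assume the last line was written
    in last_line_year and walk backwards; a line whose month/day is later than
    the line after it must come from the previous year.  Plain tuples are used
    so a Feb 29 line never needs a leap-year check."""
    dated, year, prev = [], last_line_year, None
    for line in reversed(lines):
        md = parse_stamp(line)
        if md is None:
            continue                     # continuation or malformed line
        if prev is not None and md > prev:
            year -= 1                    # crossed a year boundary going back
        prev = md
        dated.append(((year,) + md, line))
    dated.reverse()
    return dated

def year_aware_yesterday(lines, yesterday, last_line_year):
    """Only lines whose inferred full date equals yesterday (a (y, m, d) tuple)."""
    return [line for d, line in with_years(lines, last_line_year) if d == yesterday]

if __name__ == "__main__":
    yday = (2004, 8, 19)
    print(len(naive_yesterday(SAMPLE_LOG, yday)), "naive matches")           # 2
    print(len(year_aware_yesterday(SAMPLE_LOG, yday, 2004)), "year-aware")   # 1
```

The inference only works when some line with an earlier month/day sits between the two years; two "Aug 19" failures written back to back a year apart are indistinguishable, which is why the report's proposed fix of logging the year is the real remedy.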