From owner-freebsd-questions@FreeBSD.ORG Wed Sep 2 17:03:04 2009
Date: Wed, 2 Sep 2009 12:03:01 -0500
From: Dan Nelson
To: Kurt Buff
Cc: Mark Stapper, freebsd-questions@freebsd.org
Subject: Re: Daily security report oddity...
Message-ID: <20090902170301.GE2855@dan.emsphone.com>
References: <4A9E1D63.8030101@mapper.nl>
X-OS: FreeBSD 7.2-STABLE
User-Agent: Mutt/1.5.19 (2009-01-05)
In the last episode (Sep 02), Kurt Buff said:
> On Wed, Sep 2, 2009 at 00:23, Mark Stapper wrote:
> > Kurt Buff wrote:
> >> I traced it down, and found out that he had not logged in on Sunday.
> >> The auth.log is, as you can see from the listing below, quite old. The
> >> entries referenced above are from two years ago.
> >>
> >>       zmx1# ll /var/log/a*
> >>       -rw-------  1 root  wheel  71845 Sep  1 15:42 /var/log/auth.log
> >>       -rw-------  1 root  wheel   6087 Aug 29  2007 /var/log/auth.log.0.bz2
> >>       -rw-------  1 root  wheel   5774 Aug 12  2007 /var/log/auth.log.1.bz2
> >>       -rw-------  1 root  wheel   5795 Jul 24  2007 /var/log/auth.log.2.bz2
> >>       -rw-------  1 root  wheel   6813 Jul  6  2007 /var/log/auth.log.3.bz2
> >>
> >> So, a couple of questions:
> >>
> >> Why would the daily security run pick up something from *two years ago*
> >> and only report it again today? The machine hasn't been rebooted in a
> >> very long time, if that makes a difference.
> >>
> >> Is there any way to prevent something like this happening again - or
> >> perhaps can I force the entry of the year into the date field for the
> >> auth.log entries?
> >
> > If you look at the syntax of the logfile, you will see no year is
> > listed. Most likely the whole file is parsed on security run. Since
> > the logfile has been rotated the 30th of August 2007, it's very much
> > possible you'll get all your messages all over again. Perhaps it's wise
> > to rotate your logfiles once a year just in case... And it makes no
> > difference that the machine hasn't been rebooted in a very long time...
> > (define "very long time" ;-) http://uptimes-project.org/hosts/view/150 )
>
> Heh. Well, for me a very long time is more than a year, because
> security patches for the OS will at some point mandate a reboot - and
> usually in less than a year.
>
> I suppose there's a way to do auth log rotation automagically - would
> that be sysutils/logrotate?

The system already rotates auth.log. Just edit /etc/newsyslog.conf and add
a date check to the line for auth.log. The default is to roll it when it
hits 100KB, but if you add something like $M1D0 to the "when" column it'll
rotate it monthly as well.

-- 
	Dan Nelson
	dnelson@allantgroup.com
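The two points made in the thread, as an added example that is not part of the original messages or of FreeBSD's own periodic scripts: first, that syslog timestamps carry no year, so a "Mon dd" prefix match over an auth.log that has not been rotated for two years also picks up the old entries; second, that adding `$M1D0` to the "when" column of the auth.log line in /etc/newsyslog.conf gives it a monthly rotation alongside the 100KB size trigger. The auth.log lines, the hostnames and IPs, and the newsyslog.conf text are all constructed here; the awk-based parsing of the "when" column is this example's own and only follows the column layout documented in newsyslog.conf(5), not anything newsyslog itself exposes.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. It shows why a year-blind
# date match over an unrotated auth.log reports stale entries, and how a
# newsyslog.conf "when" column such as $M1D0 adds a time-based rotation next to
# the size-based one. All log and config lines below are constructed; the
# config layout follows newsyslog.conf(5):
#   logfilename [owner:group] mode count size when flags

# Constructed auth.log excerpt. The two "Sep  1" lines could have been written
# two years apart; nothing in the timestamp tells them apart.
SAMPLE_AUTH_LOG='Sep  1 08:12:01 zmx1 sshd[1001]: error: PAM: authentication error for illegal user test from 192.0.2.10
Sep  1 15:42:11 zmx1 sshd[2002]: error: PAM: authentication error for bob from 198.51.100.7
Aug 30 01:00:00 zmx1 sshd[1500]: Accepted publickey for bob from 198.51.100.7 port 4433 ssh2'

# Count the lines whose timestamp starts with a "Mon dd" prefix, the way a
# year-blind grep over the whole file would. Usage: count_for_day 'Sep  1' "$log"
count_for_day() {
    printf '%s\n' "$2" | grep -c "^$1"
}

# Constructed newsyslog.conf text. The auth.log entry is modelled on a
# size-only default (roll at 100 KB, keep 7 archives, bzip2, create if missing).
DEFAULT_CONF='# logfilename          [owner:group]    mode count size when  flags
/var/log/messages                       644  5     100  *     JC
/var/log/auth.log                       600  7     100  *     JC'

# Print the "when" column of the entry for one log file (stdin = config text).
# The owner:group column is optional, so the field position can shift by one.
when_field() {
    awk -v target="$1" '
        $1 == target {
            if ($2 ~ /:/) print $6; else print $5
            exit
        }'
}

# Succeed if the entry rotates on a schedule ($... or @... in the when column),
# fail if it only rotates on size ("*") or has no entry at all.
has_time_rotation() {
    when=$(printf '%s\n' "$2" | when_field "$1")
    case "$when" in
        \$*|@*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Replace a size-only "*" when column for one log file with $M1D0 (monthly,
# day 1, hour 0), leaving every other line as it is. awk re-joins the edited
# line with single spaces, so the column alignment of that line is lost.
add_monthly_rotation() {
    printf '%s\n' "$2" | awk -v target="$1" '
        $1 == target {
            w = ($2 ~ /:/) ? 6 : 5
            if ($w == "*") $w = "$M1D0"
        }
        { print }'
}

# Demonstration when run directly.
echo "lines matching 'Sep  1': $(count_for_day 'Sep  1' "$SAMPLE_AUTH_LOG")"
if has_time_rotation /var/log/auth.log "$DEFAULT_CONF"; then
    echo "auth.log: already rotates on a schedule"
else
    echo "auth.log: size-only rotation, adding \$M1D0:"
    add_monthly_rotation /var/log/auth.log "$DEFAULT_CONF"
fi
```

Run it with `sh` on any POSIX system; it touches no real files. The `$M1D0` rewrite is the interesting part for a defender: once auth.log rolls on a schedule as well as on size, a quiet host no longer accumulates years of entries under the same year-less timestamps, so a daily report that matches on yesterday's date cannot resurface two-year-old logins.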