Message-Id: <201306140353.r5E3ru1Z084254@zim.MIT.EDU>
Date: Thu, 13 Jun 2013 20:53:56 -0700 (PDT)
From: David Schultz <das@freebsd.org>
Reply-To: David Schultz <das@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: syslog/newsyslog don't handle years sanely
X-Send-Pr-Version: 3.114
X-GNATS-Notify:

>Number:         179546
>Category:       bin
>Synopsis:       syslog(8)/newsyslog(8) don't handle years sanely
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 14 04:00:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Wed Jul 03 03:09:07 UTC 2013
>Originator:     David Schultz
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:
System: 10.0-CURRENT r250991M: Sun May 26 23:15:39 PDT 2013
>Description:
The daily security run 800.loginfail reported the following login failures:
  Jun 12 23:30:52 zim sshd[79867]: Invalid user xxx from yyy
  Jun 12 23:30:52 zim sshd[79867]: input_userauth_request: invalid user xxx [preauth]
  Jun 12 23:30:52 zim sshd[79867]: Postponed keyboard-interactive for invalid user xxx from yyy port 34743 ssh2 [preauth]
This came as a big surprise, because I haven't used machine yyy in
about 6 months. But in fact, the warnings are from 2012; the script
doesn't handle the situation where auth.log is rotated less often
than once a year:
-rw-------  1 root  0    87k Jun 13 20:26 /var/log/auth.log
-rw-------  1 root  0    34k Mar  3  2012 /var/log/auth.log.0.bz2
-rw-------  1 root  0   8.7k Dec 21  2011 /var/log/auth.log.1.bz2
-rw-------  1 root  0    10k May 23  2011 /var/log/auth.log.2.bz2
-rw-------  1 root  0   9.8k Nov  1  2010 /var/log/auth.log.3.bz2
-rw-------  1 root  0    11k Sep 28  2009 /var/log/auth.log.4.bz2
-rw-------  1 root  0    19k Sep 28  2009 /var/log/auth.log.5.bz2
-rw-------  1 root  0    10k Mar 23  2009 /var/log/auth.log.6.bz2

The out-of-the-box configuration shouldn't have surprises like this. 
It looks like there was an attempt to fix the problem by configuring
newsyslog to rotate the file every year:

> grep auth /usr/src/head/etc/newsyslog.conf
/var/log/auth.log                       600  7     100  @0101T JC

This fix is insufficient, though.  newsyslog won't obey if the
machine is not running between Dec 31 23:00 and Jan 1 01:00.

>How-To-Repeat:
>Fix:
The cleanest fix is probably on the syslog side: either include the year
in log messages, or find a way to make newsyslog rotate logs reliably at
least once a year.
>Release-Note:
>Audit-Trail:
>Unformatted:
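
The failure described in this report, shown as an added example (not code from the report or from FreeBSD's periodic scripts): matching on month and day alone picks up last year's entries, while walking the file backwards from the newest line and stepping the year down at each New Year rollover does not. The function names and the sample log lines are constructed for illustration, and the year of the newest entry is assumed to be known (for instance from the file's modification time).

```python
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample: one auth.log that was not rotated at New Year.
SAMPLE = [
    "Jun 12 23:30:52 zim sshd[79867]: Invalid user xxx from yyy",    # 2012
    "Dec 30 10:00:00 zim sshd[100]: Accepted publickey for das",     # 2012
    "Jan  2 09:00:00 zim sshd[200]: Accepted publickey for das",     # 2013
    "Jun 12 08:15:00 zim sshd[300]: Invalid user test from www",     # 2013
    "Jun 13 20:26:00 zim sshd[400]: Accepted publickey for das",     # 2013
]


def stamp(line):
    """Return (month, day, 'HH:MM:SS') from a year-less syslog line."""
    mon, day, clock = line.split()[:3]
    return MONTHS[mon], int(day), clock


def naive_day_match(lines, prefix):
    """Month/day prefix match with no notion of year."""
    return [l for l in lines if " ".join(l.split()[:2]) == prefix]


def assign_years(lines, newest_year):
    """Pair each line with an inferred (year, month, day).

    Lines are assumed to be in chronological order. Walking from newest
    to oldest, a timestamp that is later in the calendar than the line
    after it means a New Year boundary was crossed. This is a heuristic:
    a silent gap of more than twelve months cannot be detected.
    """
    year, later, dated = newest_year, None, []
    for line in reversed(lines):
        cur = stamp(line)
        if later is not None and cur > later:
            year -= 1
        later = cur
        dated.append(((year, cur[0], cur[1]), line))
    dated.reverse()
    return dated


def year_aware_match(lines, newest_year, target):
    """Lines whose inferred (year, month, day) equals target."""
    return [l for d, l in assign_years(lines, newest_year) if d == target]


if __name__ == "__main__":
    print(len(naive_day_match(SAMPLE, "Jun 12")), "naive matches")
    print(year_aware_match(SAMPLE, 2013, (2013, 6, 12)))
```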
