From phk@critter.freebsd.dk  Sun Dec 10 02:48:32 2000
Return-Path: <phk@critter.freebsd.dk>
Received: from critter.freebsd.dk (flutter.freebsd.dk [212.242.40.147])
	by hub.freebsd.org (Postfix) with ESMTP id 7DAAD37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 10 Dec 2000 02:48:31 -0800 (PST)
Received: (from phk@localhost)
	by critter.freebsd.dk (8.11.1/8.11.1) id eBAAmUP97063;
	Sun, 10 Dec 2000 11:48:30 +0100 (CET)
	(envelope-from phk)
Message-Id: <200012101048.eBAAmUP97063@critter.freebsd.dk>
Date: Sun, 10 Dec 2000 11:48:30 +0100 (CET)
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Reply-To: phk@critter.freebsd.dk
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: /etc/security fails to show all relevant messages.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         23415
>Category:       bin
>Synopsis:       /etc/security fails to show all relevant messages.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 10 02:50:01 PST 2000
>Closed-Date:    Fri Feb 2 17:28:57 PST 2001
>Last-Modified:  Fri Feb 02 17:29:29 PST 2001
>Originator:     Poul-Henning Kamp
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
P. E. Mnsted, the frigate Jylland as a child.
>Environment:
System: FreeBSD critter.freebsd.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Fri Dec 1 17:26:14 CET 2000 root@critter.freebsd.dk:/freebsd/src/sys/compile/FLUTTER i386


>Description:

	/etc/security will examine only the current /var/log/messages
	and /var/log/messages.0 (with and without .gz suffix) for log
	messages relevant for yesterday.

	/etc/newsyslog.conf specifies that the messages file is rotated
	once per day *or* when the size exceeds 100kB.

	If you are under attack, you are quite likely to have your
	messages rotated due to the size criteria and the next run
	of /etc/security will only report on a fraction of the reality.

>How-To-Repeat:

	Piss off a script kiddie, notice that /etc/security doesn't show
	the full magnitude of his lameness.

>Fix:

	I think the catmsgs() function:
		catmsgs() {
		  [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
		  [ -f $LOG/messages.0 ] && cat $LOG/messages.0
		  [ -f $LOG/messages ] && cat $LOG/messages
		}
	maybe should do something like:

		catmsgs() {
		 find $LOG/ -name 'messages.*' -mtime -2 -print | 
		    sort -r |
		    xargs zcat -f
		 [ -f $LOG/messages ] && cat $LOG/messages
		}


>Release-Note:
>Audit-Trail:

From: Brian Somers <brian@Awfulhak.org>
To: phk@critter.freebsd.dk
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: bin/23415: /etc/security fails to show all relevant messages. 
Date: Mon, 11 Dec 2000 01:24:01 +0000

 > >Number:         23415
 > >Category:       bin
 > >Synopsis:       /etc/security fails to show all relevant messages.
 [.....]
 > 	I think the catmsgs() function:
 > 		catmsgs() {
 > 		  [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
 > 		  [ -f $LOG/messages.0 ] && cat $LOG/messages.0
 > 		  [ -f $LOG/messages ] && cat $LOG/messages
 > 		}
 > 	maybe should do something like:
 > 
 > 		catmsgs() {
 > 		 find $LOG/ -name 'messages.*' -mtime -2 -print | 
 > 		    sort -r |
 > 		    xargs zcat -f
 > 		 [ -f $LOG/messages ] && cat $LOG/messages
 > 		}
 
 This could be sorted better - messages.10* would be out of place :o]
 
 -- 
 Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
       <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
 Don't _EVER_ lose your sense of humour !
 
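 The script below is an added example written for this page; it is not code from the PR, from FreeBSD's /etc/security or from newsyslog. It places a catmsgs_old() equivalent to the PR's original catmsgs() beside a catmsgs_new() that collects every rotated messages.N file (plain or .gz) modified within the last $DAYS days and emits them oldest first, ordering by the numeric rotation suffix rather than lexically, which is the "messages.10 out of place" problem noted in the reply above. The make_demo_logs() helper, the temporary directory it builds, the sshd log lines in it and the 192.0.2.10 address are constructed for the demonstration; DAYS and the -maxdepth restriction are this example's own assumptions, not options of the original script.

```shell
#!/bin/sh
# Added example (not FreeBSD's /etc/security): gather rotated syslog
# files for the daily security report without missing size-triggered
# rotations.  Assumptions: GNU or BSD find/sort/sed, gzip installed.

LOG=${LOG:-/var/log}   # directory holding messages, messages.0, messages.1.gz, ...
DAYS=${DAYS:-2}        # look back this many days of file mtime (PR used -mtime -2)

# Behaviour of the catmsgs() quoted in the PR: only messages.0(.gz) and
# messages are read, so messages.1.gz .. messages.N.gz are silently skipped.
catmsgs_old() {
  if [ -f "$LOG/messages.0.gz" ]; then zcat "$LOG/messages.0.gz"; fi
  if [ -f "$LOG/messages.0" ]; then cat "$LOG/messages.0"; fi
  if [ -f "$LOG/messages" ]; then cat "$LOG/messages"; fi
}

# Every messages.<number>[.gz] touched in the last $DAYS days, oldest first.
# The sed step prefixes each path with its numeric rotation suffix so that
# sort can order 10 after 9 (a plain lexical sort puts messages.10 between
# messages.2 and messages.1).  zcat -f passes uncompressed files through.
catmsgs_new() {
  find "$LOG" -maxdepth 1 -name 'messages.[0-9]*' -mtime "-$DAYS" -print |
    sed 's|.*/messages\.\([0-9]*\).*|\1 &|' |
    sort -k1,1nr |
    while read -r _suffix path; do
      zcat -f "$path"
    done
  if [ -f "$LOG/messages" ]; then cat "$LOG/messages"; fi
}

# Constructed test data: a day that rotated eleven times under a password
# spray.  messages.10.gz .. messages.1.gz are compressed, messages.0 is
# not yet, and messages holds today's two lines.  Prints the directory.
make_demo_logs() {
  demo_dir=$(mktemp -d) || return 1
  n=10
  while [ "$n" -ge 1 ]; do
    printf 'Dec  9 03:%02d:00 critter sshd[4711]: Failed password for root from 192.0.2.10 (from messages.%d)\n' \
      "$n" "$n" > "$demo_dir/messages.$n"
    gzip "$demo_dir/messages.$n"
    n=$((n - 1))
  done
  printf 'Dec  9 23:59:00 critter sshd[4711]: Failed password for root from 192.0.2.10 (from messages.0)\n' \
    > "$demo_dir/messages.0"
  printf 'Dec 10 00:01:00 critter sshd[4711]: Failed password for root from 192.0.2.10 (from messages)\n' \
    > "$demo_dir/messages"
  printf 'Dec 10 00:02:00 critter sshd[4711]: Connection closed by 192.0.2.10 (from messages)\n' \
    >> "$demo_dir/messages"
  echo "$demo_dir"
}

# Stand-alone demonstration on the constructed data: run with "demo".
if [ "${1:-}" = demo ]; then
  LOG=$(make_demo_logs)
  echo "old catmsgs: $(catmsgs_old | wc -l) lines; new catmsgs: $(catmsgs_new | wc -l) lines"
  [ -n "$LOG" ] && rm -rf "$LOG"
fi
```

 Run as `sh catmsgs.sh demo` to see the old function report 3 of the 13 constructed lines. The mtime window is the same heuristic the PR proposes; a stricter version would select files by the date stamps inside them, since a quiet host may keep a week-old messages.0 that -mtime excludes.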
 
 
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Fri Feb 2 17:28:57 PST 2001 
State-Changed-Why:  
-current has been fixed.  I'll mfc in 2 weeks if things are ok 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23415 
>Unformatted:
