From nobody@FreeBSD.org  Wed Dec 20 14:08:36 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 8F07B16A5D6
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 20 Dec 2006 14:08:36 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5987243CA0
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 20 Dec 2006 14:08:36 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id kBKE8Zor038796
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 20 Dec 2006 14:08:35 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id kBKE8ZxY038794;
	Wed, 20 Dec 2006 14:08:35 GMT
	(envelope-from nobody)
Message-Id: <200612201408.kBKE8ZxY038794@www.freebsd.org>
Date: Wed, 20 Dec 2006 14:08:35 GMT
From: Edward Speyer <edward.aepeek@tropic.org.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: "daily run" incorrectly assumes auth.log is rolled more than once a year!
X-Send-Pr-Version: www-3.0

>Number:         106978
>Category:       conf
>Synopsis:       "daily run" incorrectly assumes auth.log is rolled more than once a year
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 20 14:10:18 GMT 2006
>Closed-Date:    Thu Jul 19 13:00:13 GMT 2007
>Last-Modified:  Thu Jul 19 13:00:13 GMT 2007
>Originator:     Edward Speyer
>Release:        5.4-RELEASE
>Organization:
Qube Software Ltd
>Environment:
FreeBSD ** 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May  8 10:21:06 UTC 2005     root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
I got a warning today ("Dec 20", 2006) about someone trying to break into
my system on "Dec 19".  I was very confused by this until I realised that
the log lines in question were from "Dec 19" 2005, not "Dec 19" 2006.

I'm guessing the problem here is that the log checkers don't account for
the fact that logs don't necessarily roll more than once a year.  My
auth.log happens to be less than the default rolling size (100k:
newsyslog.conf) because this machine is a stable webserver.

I only mention this bug because it's rather bad practice to give admins
these false alarms!  Especially with stuff from auth.log!
>How-To-Repeat:

>Fix:
Log checkers need to be cleverer about remembering which log lines they've
seen before...

..or syslog should include the year in date stamps!
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Dec 20 14:54:28 UTC 2006 
Responsible-Changed-Why:  
reassign to rc team 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106978 
Responsible-Changed-From-To: freebsd-rc->freebsd-bugs 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Tue Feb 20 18:52:49 UTC 2007 
Responsible-Changed-Why:  

periodic != rc.d 
State-Changed-From-To: open->closed 
State-Changed-By: gavin 
State-Changed-When: Thu Jul 19 12:59:27 UTC 2007 
State-Changed-Why:  
Duplicate of conf/70715 
>Unformatted:
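The false alarm described in this report, and the first suggested fix (remembering which log lines have already been seen), as an added example that is not part of the original report or of FreeBSD's periodic scripts. `FAIL_RE`, `naive_failures`, `new_failures` and `demo` are hypothetical names, and the log lines are constructed samples.

```sh
#!/bin/sh
# Added example, not FreeBSD's periodic code. FAIL_RE and the function
# names are hypothetical; the log lines in demo() are constructed.
FAIL_RE='Failed password|Invalid user'

# Year-blind check: select lines by their "Mon DD" prefix only.
naive_failures() {   # usage: naive_failures LOG "Dec 19"
    grep "^$2 " "$1" | grep -E "$FAIL_RE" || true
}

# Offset-based check: scan only the bytes appended since the previous run.
new_failures() {     # usage: new_failures LOG STATEFILE
    log=$1 state=$2
    offset=$(cat "$state" 2>/dev/null || true)
    offset=${offset:-0}
    size=$(( $(wc -c < "$log") ))
    # A file smaller than last time was rotated or truncated: start over.
    [ "$size" -lt "$offset" ] && offset=0
    tail -c "+$((offset + 1))" "$log" | grep -E "$FAIL_RE" || true
    echo "$size" > "$state"
}

demo() {
    d=$(mktemp -d)
    log=$d/auth.log
    st=$d/offset
    # First run: the log holds one failure, stamped "Dec 19" with no year.
    echo 'Dec 19 03:12:44 web sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2' > "$log"
    echo "first run, offset check: $(new_failures "$log" "$st" | wc -l) new"
    # A year later the same unrotated file gains a harmless "Dec 19" line.
    echo 'Dec 19 09:30:15 web sshd[1502]: Accepted publickey for admin from 192.0.2.20 port 5230 ssh2' >> "$log"
    echo "next year, date match:   $(naive_failures "$log" 'Dec 19' | wc -l) stale"
    echo "next year, offset check: $(new_failures "$log" "$st" | wc -l) new"
    rm -rf "$d"
}
demo
```

The date match re-reports the year-old failure because nothing in the line distinguishes the two years, while the offset check reports each line once regardless of how long the file goes unrotated.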
