From nobody@FreeBSD.org  Mon Feb 20 17:33:10 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C18BB1065678
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 20 Feb 2012 17:33:10 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 971D98FC1B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 20 Feb 2012 17:33:10 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q1KHXAUV041803
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 20 Feb 2012 17:33:10 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q1KHX9t1041794;
	Mon, 20 Feb 2012 17:33:09 GMT
	(envelope-from nobody)
Message-Id: <201202201733.q1KHX9t1041794@red.freebsd.org>
Date: Mon, 20 Feb 2012 17:33:09 GMT
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: periodic security run output gives false positives after 1 year
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         165331
>Category:       conf
>Synopsis:       periodic security run output gives false positives after 1 year
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 20 17:40:07 UTC 2012
>Closed-Date:    Wed Apr 25 07:10:02 UTC 2012
>Last-Modified:  Wed Apr 25 07:10:15 UTC 2012
>Originator:     Miroslav Lachman
>Release:        7.4-RELEASE, 8.2-RELEASE
>Organization:
codeLab.cz
>Environment:
7.4-RELEASE FreeBSD 7.4-RELEASE #0: Thu Feb 17 03:51:56 UTC 2011     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
As discussed on the links at the bottom, there is a problem with parsing log files for security issues.
Log files do not have the year in the timestamp, and if there is little activity, the log files are not rotated often enough. This can cause false positive alerts in periodic e-mails with entries exactly 1 year old (or 2, or 3, or N... years old).

For example in my case /var/log/auth.log is 62KB (838 lines) and contains entries for almost 2 years.

I get the following alert in the security run:

Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx

But looking into auth.log I found zero entries from yesterday; the Feb 15 entries were logged 1 year ago.

http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006175.html
http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006198.html
>How-To-Repeat:
Install any currently available FreeBSD RELEASE on some test machine with low user activity - logins / logouts - (only a few entries in auth.log per year). Make some bogus login attempts with nonexistent user names.
They will appear in the periodic security output the next day; then *wait 1 year* and they will appear in the periodic security output again.
It is a false positive.
>Fix:
1) add support for a year field in syslog dates (RFC 5424 / timestamp format in ISO 8601 form)
Changes made to NetBSD syslog are available for porting to FreeBSD
http://lists.freebsd.org/pipermail/freebsd-security/2012-February/006182.html
https://github.com/mschuett/nbsd-syslog

2) change the default newsyslog.conf settings to make sure no entry is kept for more than 364 days (including compressed archives, because periodic scripts read them all)

For example, the current default newsyslog.conf entry for auth.log
/var/log/auth.log     600  7     500  *     JC

must be changed to make more than 7 rollovers per year (ignoring size)

Maybe change it to "rotate if size is greater than 500 or once per month"

>Release-Note:
>Audit-Trail:

From: Garance A Drosehn <gad@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/165331: periodic security run output gives false positives
 after 1 year
Date: Tue, 21 Feb 2012 12:32:40 -0500

 Note that catmsgs() function in periodic/security/800.loginfail
 starts off with:
 
     find ${LOG} -name 'auth.log.*' -mtime -2   | [...etc...]
 
 Note the '-mtime -2' on that 'find' command.  It is *not* reading
 all archived logs on the disk.  It is reading all files which have
 a last-modified time within 2 days of the time the command is
 executed.
 
 It would still be a good idea to do something to fix the problem
 as described, but that problem would be fixed by having the log
 files rotated just once-per-year.  (Or it could be fixed by
 including the year in timestamps written to the log files).
 
 -- 
 Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
 Senior Systems Programmer           or  gad@freebsd.org
 Rensselaer Polytechnic Institute    or  drosih@rpi.edu
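The false positive described in the report, together with the mechanism Garance explains above (the daily check selects a recently modified log with `find -mtime -2` and then matches entries by a year-less "Mon DD" prefix), reproduced as an added example. This is not code from this PR, from FreeBSD's periodic scripts, or from either correspondent: the log lines, the host name `XXX`, the addresses and the dates are constructed, and the year-inference routine (`assign_years`) is a suggested approach that anchors each line's year to the file's mtime, the one year-bearing datum a year-less log still provides.

```python
"""Added example for PR conf/165331 (not FreeBSD code): why a year-less
syslog timestamp matched by its 'Mon DD' prefix produces stale hits, and
a year-aware filter.  Sample lines, host 'XXX', addresses and dates are
constructed."""
from datetime import datetime, timedelta

# Constructed /var/log/auth.log of a quiet host.  The last line was written
# today, so 'find -mtime -2' would select the file, but the two "Invalid
# user" lines date from the previous year.
SAMPLE_AUTH_LOG = """\
Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from 192.0.2.10
Jun  3 09:12:44 XXX sshd[1201]: Accepted publickey for admin from 192.0.2.20
Feb 16 08:00:01 XXX sshd[2302]: Accepted publickey for admin from 192.0.2.20
"""
TODAY = datetime(2012, 2, 16)            # constructed date of the daily run
MTIME = datetime(2012, 2, 16, 8, 0, 1)   # constructed mtime of the log file

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def grep_yesterday_naive(log_text, today):
    """A 'Mon DD' prefix match, which is all a year-less check can do: every
    line carrying yesterday's month and day matches, whatever year it is from."""
    y = today - timedelta(days=1)
    prefix = f"{y:%b} {y.day:2d}"        # syslog pads the day to two columns
    return [line for line in log_text.splitlines() if line.startswith(prefix)]


def stamp_in_year(line, year):
    """Parse the 15-character syslog prefix, placing it in `year`.  Returns
    None when that date does not exist in that year (Feb 29 off a leap year)."""
    mon, day, clock = line[:3], int(line[4:6]), line[7:15]
    hh, mm, ss = (int(x) for x in clock.split(":"))
    try:
        return datetime(year, MONTHS[mon], day, hh, mm, ss)
    except ValueError:
        return None


def assign_years(log_text, mtime):
    """Walk the file from its end.  The last line is no newer than the file's
    mtime, and every line is no newer than the one after it, so whenever a
    month/day would jump forward in time a year boundary was crossed and the
    year is decremented.  Returns [(datetime, line), ...] in file order."""
    dated = []
    upper = mtime
    for line in reversed(log_text.splitlines()):
        for year in range(upper.year, upper.year - 8, -1):
            ts = stamp_in_year(line, year)
            if ts is not None and ts <= upper:
                break
        else:
            raise ValueError(f"cannot place line in time: {line!r}")
        dated.append((ts, line))
        upper = ts
    dated.reverse()
    return dated


def yesterdays_entries(log_text, mtime, today):
    """Lines whose inferred timestamp falls on the calendar day before `today`."""
    start = (today - timedelta(days=1)).replace(hour=0, minute=0, second=0)
    end = today.replace(hour=0, minute=0, second=0)
    return [line for ts, line in assign_years(log_text, mtime) if start <= ts < end]


if __name__ == "__main__":
    print("prefix match (stale):", len(grep_yesterday_naive(SAMPLE_AUTH_LOG, TODAY)))
    print("year-aware match:", len(yesterdays_entries(SAMPLE_AUTH_LOG, MTIME, TODAY)))
    for ts, line in assign_years(SAMPLE_AUTH_LOG, MTIME):
        print(ts.isoformat(), line[16:])
```

On the constructed file the prefix match reports the two "Invalid user" lines of the year before, while the year-aware filter reports nothing for yesterday, which is the discrepancy the report describes. The inference only holds while the file is written in order and its mtime is trusted, which is why a year in the timestamp itself (option 1 of the proposed fix) or a rotation that never lets a file span a year boundary (option 2) is the real remedy.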
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Mon Mar 19 10:30:53 UTC 2012 
State-Changed-Why:  
Fixed in http://svnweb.freebsd.org/base?view=revision&revision=233167 


Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Mon Mar 19 10:30:53 UTC 2012 
Responsible-Changed-Why:  
Fixed in http://svnweb.freebsd.org/base?view=revision&revision=233167 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165331 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Wed Apr 25 07:09:48 UTC 2012 
State-Changed-Why:  
Fixed in stable/9, would be available in 9.1-RELEASE. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165331 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/165331: commit references a PR
Date: Wed, 25 Apr 2012 07:09:13 +0000 (UTC)

 Author: glebius
 Date: Wed Apr 25 07:09:02 2012
 New Revision: 234675
 URL: http://svn.freebsd.org/changeset/base/234675
 
 Log:
   Merge r233167 from head:
     Rotate auth.log and messages at the beginning of a year. Otherwise,
     daily security checks 800.loginfail and 900.tcpwrap may produce
     false positive alerts.
   
   PR:		142467, 165331
 
 Modified:
   stable/9/etc/newsyslog.conf
 Directory Properties:
   stable/9/etc/   (props changed)
 
 Modified: stable/9/etc/newsyslog.conf
 ==============================================================================
 --- stable/9/etc/newsyslog.conf	Wed Apr 25 07:04:48 2012	(r234674)
 +++ stable/9/etc/newsyslog.conf	Wed Apr 25 07:09:02 2012	(r234675)
 @@ -19,7 +19,7 @@
  # logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
  /var/log/all.log			600  7	   *	@T00  J
  /var/log/amd.log			644  7	   100	*     J
 -/var/log/auth.log			600  7     100  *     JC
 +/var/log/auth.log			600  7     100  @0101T JC
  /var/log/console.log			600  5	   100	*     J
  /var/log/cron				600  3	   100	*     JC
  /var/log/daily.log			640  7	   *	@T00  JN
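Review bot: `@0101T` is read by the ISO 8601 `when` syntax of newsyslog.conf(5) as 1 January with the omitted time fields defaulting to midnight, and the `100` size trigger on the same line stays in force, so a busy host keeps its size-based rotation while an idle host now gets at least one rotation a year; the log message says only "rotate at the beginning of a year", and stating that both triggers remain active would stop readers taking this as a switch to yearly-only rotation. Minor: `@0101T` is wider than the `*` it replaces, so the `JC` flags of the new line no longer line up with `/var/log/amd.log` above and `/var/log/console.log` below; a tab after the field, as the neighbouring lines use, keeps the table readable.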
 @@ -27,7 +27,7 @@
  /var/log/kerberos.log			600  7	   100	*     J
  /var/log/lpd-errs			644  7	   100	*     JC
  /var/log/maillog			640  7	   *	@T00  JC
 -/var/log/messages			644  5	   100	*     JC
 +/var/log/messages			644  5	   100	@0101T JC
  /var/log/monthly.log			640  12	   *	$M1D0 JN
  /var/log/pflog				600  3	   100	*     JB    /var/run/pflogd.pid
  /var/log/ppp.log	root:network	640  3	   100	*     JC
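Review bot: the same `*` to `@0101T` change is made for `/var/log/messages`, which the log message ties to 900.tcpwrap, but the file itself gives no hint why these two entries differ from every neighbour that keeps `*`, and the next tidy-up of this table can easily reset them. A one-line comment above the entry naming the daily security checks (the file already carries comments, see the column header at the top of the first hunk) would keep the rationale with the configuration rather than only in the commit log. As with auth.log, the `100` size trigger and `count 5` are unchanged, so this adds a yearly trigger rather than replacing the size-based one.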
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
