From nobody@FreeBSD.org  Fri Aug 20 14:55:31 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 32C7916A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 20 Aug 2004 14:55:31 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1B2B843D3F
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 20 Aug 2004 14:55:31 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i7KEtU2k097305
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 20 Aug 2004 14:55:30 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i7KEtUPc097304;
	Fri, 20 Aug 2004 14:55:30 GMT
	(envelope-from nobody)
Message-Id: <200408201455.i7KEtUPc097304@www.freebsd.org>
Date: Fri, 20 Aug 2004 14:55:30 GMT
From: Chris Johnson <chris@claimlynx.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)
X-Send-Pr-Version: www-2.3

>Number:         70715
>Category:       conf
>Synopsis:       [periodic] Lack of year in dates in auth.log can cause confusing security reports (and resulting fear of break-in)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 20 15:00:38 GMT 2004
>Closed-Date:    Mon Mar 19 10:35:19 UTC 2012
>Last-Modified:  Mon Mar 19 10:35:19 UTC 2012
>Originator:     Chris Johnson
>Release:        5.2.1, 4.10, 4.9
>Organization:
ClaimLynx, Inc.
>Environment:
N/A
>Description:
      Entries logged to /var/log/auth.log, in particular sshd entries, contain only the month, day and time without the year, e.g. "Aug 19 09:17:09 hostname sshd[342]: ..."

The daily security report includes all failure messages from yesterday, or at least that's the intention.  I believe /etc/periodic/800.loginfail is one such script.

Due to the lack of year in the dates, the security report will group messages from a year ago (or two years ago, etc.) from the same month and day into the report.  This can cause heart palpitations in some system administrators when they see a report showing multiple failed attempts to access a system in a manner which they know (this year, anyway) should be impossible.

On a well-controlled system behind a firewall, it's not at all unlikely that the volume of messages in auth.log would be so small as to prevent it from hitting the 100K size needed to cause newsyslog to create a new log.  Moreover, it appears the code in 800.loginfail looks at old, compressed logs anyway, so even rolling over the auth.log file once a year, my initial thought for a work-around, won't solve the problem.
>How-To-Repeat:
      Mistype your password and fail to login on same date.  Do the same a year later.  Receive the daily security report on the following day.
>Fix:
      Add the year to the auth.log date/time stamp.
>Release-Note:
>Audit-Trail:

From: Gavin Atkinson <gavin@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/70715: Lack of year in dates in auth.log can cause confusing
 security reports (and resulting fear of break-in)
Date: Thu, 19 Jul 2007 14:27:35 +0100 (BST)

 From PR conf/99844 (which confirms this is still an issue with 6.1):
 
 
 The problem is a combination of two facts:
 
 1) According to default newsyslog.conf settings some log files
 are rotated only by size, on reaching 100K size limit.
 
 2) syslogd has hard-coded format for writing date into log files.
 Year is not included and hence can't be written into logs.
 
 The problem appears when the log file grows slower than 100K per year.
 In this case it becomes hard (or even impossible) to distinguish
 records created on the same day but different years.
 
 One visible effect is 'false positives' of the
 /etc/periodic/security/800.loginfail script, which analyses the
 /var/log/auth.log file and may report events that happened one or more
 years ago, while it's expected to report only 'yesterday' login failures, as
 its result is included in daily security reports.
 
 
 Fix:
 Variants are:
 a) teach syslogd to write the date in log files with the year value
 b) rotate log files at least once a year regardless of their size
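
An added illustration of the collision that the Description and the follow-up above describe. This is example shell, not code from the PR or from FreeBSD's 800.loginfail; the auth.log lines are constructed, and the year-bearing timestamp format in the second log is an assumption for illustration, not the format adopted by any FreeBSD change:

```sh
#!/bin/sh
# Added example, not FreeBSD code. Shows why a year-less syslog timestamp
# makes a "yesterday's failures" filter match entries from earlier years
# once /var/log/auth.log grows slower than newsyslog's 100K rotation size.

# Constructed sample of /var/log/auth.log in syslogd's default "Mon dd hh:mm:ss"
# format. The three "Aug 19" failures were written in three different years,
# but nothing on the line records which year.
YEARLESS_LOG='Aug 19 09:17:09 host sshd[342]: Failed password for root from 10.0.0.5 port 4022 ssh2
Nov  3 22:01:44 host sshd[911]: Accepted publickey for alice from 10.0.0.7 port 50122 ssh2
Aug 19 10:02:31 host sshd[1201]: Failed password for root from 10.0.0.9 port 4031 ssh2
Aug 19 08:45:12 host sshd[4410]: Failed password for invalid user test from 192.0.2.10 port 51100 ssh2'

# The same constructed events with an assumed year-bearing timestamp (ISO 8601
# style). This is an illustration of variant (a), not the format of any
# particular syslogd option.
DATED_LOG='2002-08-19T09:17:09 host sshd[342]: Failed password for root from 10.0.0.5 port 4022 ssh2
2003-11-03T22:01:44 host sshd[911]: Accepted publickey for alice from 10.0.0.7 port 50122 ssh2
2003-08-19T10:02:31 host sshd[1201]: Failed password for root from 10.0.0.9 port 4031 ssh2
2004-08-19T08:45:12 host sshd[4410]: Failed password for invalid user test from 192.0.2.10 port 51100 ssh2'

# Count "Failed password" lines whose timestamp starts with the given
# "Mon dd" prefix, which is all a periodic script can key on when the year
# is absent. Single-digit days are padded with two spaces, as syslogd writes
# them ("Nov  3"), so callers pass the prefix in that form.
count_failures_for_day() {
    day="$1"
    printf '%s\n' "$YEARLESS_LOG" | grep -c "^$day .*Failed password" || true
}

# Same count over the dated log, keyed on a full YYYY-MM-DD, so entries from
# other years can no longer collide with yesterday's.
count_failures_for_date() {
    ymd="$1"
    printf '%s\n' "$DATED_LOG" | grep -c "^${ymd}T.*Failed password" || true
}

# Stand-alone demonstration: suppose the daily report runs on Aug 20 2004, so
# "yesterday" is Aug 19. The year-less filter reports three failures, two of
# them years old; the dated filter reports only the one from 2004.
echo "year-less filter, 'Aug 19': $(count_failures_for_day 'Aug 19') failure(s)"
echo "dated filter, '2004-08-19': $(count_failures_for_date '2004-08-19') failure(s)"
```

The year-less count is exactly the false positive the submitter saw: the grep has no way to tell a 2002 entry from a 2004 one. Variant (b), forcing newsyslog to rotate at least once a year, only narrows the window, and as the Description notes the script also reads the rotated, compressed logs, so adding the year to the timestamp is what actually removes the ambiguity.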
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Mon Mar 19 10:33:45 UTC 2012 
State-Changed-Why:  
Fixed in http://svnweb.freebsd.org/base?view=revision&revision=233167 


Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Mon Mar 19 10:33:45 UTC 2012 
Responsible-Changed-Why:  
Fixed in http://svnweb.freebsd.org/base?view=revision&revision=233167 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70715 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Mon Mar 19 10:34:22 UTC 2012 
State-Changed-Why:  
- Submitters email bounces. 
- PR is a duplicate of 142467 and 165331. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=70715 
>Unformatted:
