From des@niobe.ewox.org Sun Mar 14 12:16:57 1999
Return-Path: <des@niobe.ewox.org>
Received: from niobe.ewox.org (ppp044.uio.no [129.240.240.45])
	by hub.freebsd.org (Postfix) with ESMTP id 3EDFE14EF6
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 14 Mar 1999 12:16:45 -0800 (PST)
	(envelope-from des@niobe.ewox.org)
Received: (from des@localhost)
	by niobe.ewox.org (8.9.3/8.9.1) id UAA91122;
	Sun, 14 Mar 1999 20:38:24 +0100 (CET)
	(envelope-from des)
Message-Id: <199903141938.UAA91122@niobe.ewox.org>
Date: Sun, 14 Mar 1999 20:38:24 +0100 (CET)
From: des@flood.ping.uio.no
Sender: des@niobe.ewox.org
Reply-To: des@flood.ping.uio.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: Incorrect assumptions in /etc/security
X-Send-Pr-Version: 3.2

>Number:         10589
>Category:       misc
>Synopsis:       Incorrect assumptions in /etc/security
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 14 12:20:00 PST 1999
>Closed-Date:    Mon Jun 18 03:40:09 PDT 2001
>Last-Modified:  Mon Jun 18 03:43:27 PDT 2001
>Originator:     Dag-Erling Smørgrav
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
>Environment:

All FreeBSD releases since 2.2.7

>Description:

/etc/security makes at least two assumptions about /var/log/messages:

 - that it is rotated daily; since it is normally only rotated when it
   reaches 100 kB, /etc/security will report certain items (login
   failures, refused connections) repeatedly until the log is rotated.
   I have a box which has been screaming about the same old login
   failures for more than two weeks.

 - that it contains all log messages from the preceding 24 hours. Since
   the log file can be rotated at any time, perhaps only seconds before
   /etc/security is run, it is entirely possible for /etc/security to
   never report anything at all. For instance, if newsyslog.conf is
   modified so that /var/log/messages is rotated daily (perhaps in an
   attempt to fix the problem described above), and a default
   /etc/crontab is used (which runs the daily maintenance scripts at
   2 am every morning), the security check will only report login
   failures and refused connections which occur between 12 am and 2 am
   every morning.

>How-To-Repeat:

Leave your computer on for a few days. Read root mail.

>Fix:
	
The solution is left as an exercise to the reader.


>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: des@flood.ping.uio.no
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: misc/10589: Incorrect assumptions in /etc/security
Date: Sun, 14 Mar 1999 18:10:55 -0500 (EST)

 <<On Sun, 14 Mar 1999 20:38:24 +0100 (CET), des@flood.ping.uio.no said:
 
 >> Fix:
 	
 > The solution is left as an exercise to the reader.
 
 Replace the `100 *' in /etc/newsyslog.conf with `* @T04'.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
 

From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: misc/10589: Incorrect assumptions in /etc/security
Date: 15 Mar 1999 12:02:00 +0100

 Garrett Wollman <wollman@khavrinen.lcs.mit.edu> writes:
 > <<On Sun, 14 Mar 1999 20:38:24 +0100 (CET), des@flood.ping.uio.no said:
 > > The solution is left as an exercise to the reader.
 > Replace the `100 *' in /etc/newsyslog.conf with `* @T04'.
 
 You'll still lose a couple of hours of logs (one at best, three at
 worst). A better solution would be to rotate /var/log/messages when
 (and only when) /etc/security is run.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@flood.ping.uio.no
 

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>,
	FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: misc/10589: Incorrect assumptions in /etc/security
Date: Mon, 15 Mar 1999 10:31:21 -0500 (EST)

 <<On 15 Mar 1999 12:02:00 +0100, Dag-Erling Smorgrav <des@flood.ping.uio.no> said:
 
 > You'll still lose a couple of hours of logs (one at best, three at
 > worst).
 
 No, you won't.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
 
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sat Jun 16 16:26:29 PDT 2001 
Responsible-Changed-Why:  
Over to originator, who can decide whether this is still a problem, and 
whether Garrett's solution is good enough. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=10589 

From: Dag-Erling Smorgrav <des@ofug.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: misc/10589: Incorrect assumptions in /etc/security
Date: 17 Jun 2001 02:33:16 +0200

 dd@FreeBSD.org writes:
 > Over to originator, who can decide whether this is still a problem, and
 > whether Garrett's solution is good enough.
 
 As far as I know, it's still a problem, and Garrett's solution won't
 work.  What will work is to have /etc/security rotate the log itself,
 either by just calling 'newsyslog -F /var/log/messages', or, to be
 completely safe, by doing the following:
 
 echo '/var/log/messages 644 10 * * BZ' |
     /usr/sbin/newsyslog -F -f /dev/stdin /var/log/messages
 
 Then just 'zgrep whatever /var/log/messages.0.gz'.
 
 Of course, we'd also have to replace the /var/log/messages line in
 /etc/newsyslog.conf with a comment mentioning that it's rotated
 manually by /etc/security.
 
 Another possibility is to extend the newsyslog.conf syntax to allow
 specifying a program to run on the old log file right after it's been
 rotated, and use that to run a script that mails relevant excerpts to
 root.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
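
 The following is an added example, not code from this PR, from FreeBSD's
 /etc/security or from newsyslog(8). It illustrates both the failure modes
 in the description (events reported repeatedly, or never, when the report
 window and the rotation boundary do not coincide) and DES's proposal to
 have the security check rotate the log itself. Instead of the
 'newsyslog -F -f /dev/stdin' one-liner above it renames the file by hand,
 so it runs on any POSIX system; assumptions are marked in the comments:
 the grep patterns for login failures and refused connections, mode 644
 (taken from DES's newsyslog line), the syslogd pid file path, and the
 sample log lines, which are constructed for the demo and are not real
 syslog output.

```sh
#!/bin/sh
# Added example, not FreeBSD's /etc/security or newsyslog(8): a minimal
# "rotate, then scan the rotated copy" check in the spirit of DES's
# proposal in misc/10589.  Assumed: the log is a plain file given as $1,
# syslogd's pid file is $SYSLOG_PIDFILE, and the two grep patterns below
# are the ones the daily check used for login failures and refused
# connections.

SYSLOG_PIDFILE=${SYSLOG_PIDFILE:-/var/run/syslog.pid}

# rotate_and_scan LOGFILE
# Renames LOGFILE to LOGFILE.0 (rename keeps the inode, so anything syslogd
# writes before it is told to reopen still lands in the .0 copy), creates a
# fresh empty LOGFILE, asks syslogd to reopen, then prints the lines of
# interest from LOGFILE.0.  Every line ends up in exactly one rotated copy,
# so each event is reported exactly once, whatever newsyslog's schedule.
rotate_and_scan() {
    log=$1
    [ -f "$log" ] || return 1
    if [ -f "$log.0" ]; then
        mv -f "$log.0" "$log.1"      # keep one older generation
    fi
    mv -f "$log" "$log.0"
    : > "$log"
    chmod 644 "$log"                 # mode from DES's newsyslog line (assumed)
    # syslogd reopens its log files on SIGHUP; skipped when there is no
    # readable pid file (e.g. when run against a scratch directory).
    if [ -r "$SYSLOG_PIDFILE" ]; then
        kill -HUP "$(cat "$SYSLOG_PIDFILE")" 2>/dev/null || :
    fi
    # Patterns assumed to match what /etc/security looked for; '|| :' keeps
    # the exit status 0 when there is nothing to report.
    grep -i -e 'login failure' -e 'refused connect' "$log.0" || :
}

# Demonstration on a constructed scratch log.  The sample lines are made up
# for this example and are not real syslog output from any host.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/messages" <<'EOF'
Mar 14 01:59:58 niobe login: 2 LOGIN FAILURES ON ttyv0, root
Mar 14 02:00:01 niobe sendmail[991]: UAA00991: from=<des>, size=100
Mar 14 02:00:03 niobe inetd[99]: refused connection from 10.0.0.1, service telnet
EOF
    echo "first run (reports the two events, once each):"
    rotate_and_scan "$dir/messages"
    echo 'Mar 15 03:00:00 niobe login: 1 LOGIN FAILURE ON ttyv1, des' >> "$dir/messages"
    echo "second run (only the new event; the old ones are not repeated):"
    rotate_and_scan "$dir/messages"
    rm -rf "$dir"
}

demo
```

 The property that matters is that the rename and the scan happen in the
 same run: lines syslogd writes between the mv and the SIGHUP still go to
 the .0 file through its open descriptor, and lines written after the HUP
 go to the new file and are picked up next time, so nothing falls between
 two reports and nothing is reported twice. A size-triggered or
 clock-triggered rotation that runs independently of the check cannot give
 that guarantee. If you adopt this, also drop /var/log/messages from
 /etc/newsyslog.conf as DES notes above, or the two rotators will fight
 over the same file.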
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Mon Jun 18 03:40:09 PDT 2001 
State-Changed-Why:  
I can't see what's wrong with the solution that was committed in February. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=10589 
>Unformatted:
