From root@m2.inba.fr Tue Jun 15 17:48:23 1999
Return-Path: <root@m2.inba.fr>
Received: from m2.inba.fr (m2.inba.fr [194.51.120.39])
	by hub.freebsd.org (Postfix) with ESMTP id F3899151EB
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 15 Jun 1999 17:48:10 -0700 (PDT)
	(envelope-from root@m2.inba.fr)
Received: (from root@localhost)
	by m2.inba.fr (8.8.8/8.8.8) id CAA01167;
	Wed, 16 Jun 1999 02:43:56 +0200 (CEST)
	(envelope-from root)
Message-Id: <199906160043.CAA01167@m2.inba.fr>
Date: Wed, 16 Jun 1999 02:43:56 +0200 (CEST)
From: phschack@inba.fr
Sender: root@m2.inba.fr
Reply-To: phschack@inba.fr
To: FreeBSD-gnats-submit@freebsd.org
Subject: /etc/security don't search in all the files
X-Send-Pr-Version: 3.2

>Number:         12228
>Category:       misc
>Synopsis:       /etc/security don't search in all the files
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    phantom
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 15 17:50:01 PDT 1999
>Closed-Date:    Tue Oct 24 08:13:40 PDT 2000
>Last-Modified:  Tue Oct 24 08:14:29 PDT 2000
>Originator:     Philippe SCHACK
>Release:        FreeBSD 3.1-RELEASE i386
>Organization:
>Environment:

Tested in FreeBSD 3.1-RELEASE i386

>Description:

Because of the rotation of the log files (/etc/messages) when /etc/security sear
ch for the 'login failure' and 'refused connect', it can miss some of them in th
e compressed files.

If the rotation is slow because of changes in /etc/newsyslog.conf or small numbe
r of events, it reports the same event each day until the rotation is done.

>How-To-Repeat:

Make some login failures and make the /var/log/message rotate.

or

Make a login failure one day and wait for the security report during few days.

>Fix:
        
Here is a patch I applied to /etc/security :


--- security.orig       Wed Jun 16 02:16:03 1999
+++ security    Wed Jun 16 02:16:14 1999
@@ -11,6 +11,8 @@
        echo ""
 }
 
+yesterday=`date -v-1d "+%b %e "`
+
 host=`hostname`
 echo "Subject: $host security check output"
 
@@ -103,11 +105,11 @@
 # show login failures
 separator
 echo "$host login failures:"
-grep -i "login failure" $LOG/messages
+zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*login failure"
 
 # show tcp_wrapper warning messages
 separator
 echo "$host refused connections:"
-grep -i "refused connect" $LOG/messages
+zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*refused connect"
 
 rm -f $TMP


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->phantom 
Responsible-Changed-By: phantom 
Responsible-Changed-When: Mon Dec 20 09:34:05 PST 1999 
Responsible-Changed-Why:  
Patch commited in -CURRENT. 

I'll merge it to -STABLE soon. 
State-Changed-From-To: open->closed 
State-Changed-By: phantom 
State-Changed-When: Tue Oct 24 08:13:40 PDT 2000 
State-Changed-Why:  
3.x branch not supported anymore 


http://www.freebsd.org/cgi/query-pr.cgi?pr=12228 
>Unformatted:
