Re: /var partition overflow (due to spyware?) in FreeBSD default install

• Previous message: Brett Glass: "/var partition overflow (due to spyware?) in FreeBSD default install"
• In reply to: Brett Glass: "/var partition overflow (due to spyware?) in FreeBSD default install"
• Next in thread: Brett Glass: "Re: /var partition overflow (due to spyware?) in FreeBSD default install"
• Reply: Brett Glass: "Re: /var partition overflow (due to spyware?) in FreeBSD default install"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 23 Oct 2003 20:01:07 -0400
To: Brett Glass <brett@lariat.org>, security@freebsd.org

At 4:41 PM -0600 10/23/03, Brett Glass wrote:
>
>FreeBSD currently comes configured, in the default install,
>to check /var/messages only once a day, and to rotate the
>log file if it's above a certain size.

My /etc/newsyslog.conf indicates that /var/log/messages
should be rotated whenever it gets over 100K.

>I've temporarily changed /etc/crontab so that newsyslog is
>run every 5 minutes instead of once a day (which may be a
>good idea to prevent other denials of service via this sort
>of overflow as well).

On both my 4.x and 5.x systems, /etc/crontab will run
newsyslog once per hour. I'm pretty sure that at least some
of the code in newsyslog assumes that the program is run only
once per hour. Running it more frequently than that may
cause some problems.

I'm sure that /var can fill up even if /var/log/messages is
rotated every hour, if the error messages are coming in fast
enough. But the file should be getting rotated once per hour
in the default install, not once per day.

I do not think that the correct solution is to rotate the
files at an even faster rate. Just how large is /var on the
machine where you're seeing this problem?

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: Brett Glass: "/var partition overflow (due to spyware?) in FreeBSD default install"
• In reply to: Brett Glass: "/var partition overflow (due to spyware?) in FreeBSD default install"
• Next in thread: Brett Glass: "Re: /var partition overflow (due to spyware?) in FreeBSD default install"
• Reply: Brett Glass: "Re: /var partition overflow (due to spyware?) in FreeBSD default install"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]