Re: /var partition overflow (due to spyware?) in FreeBSD default install

From: Garance A Drosihn (drosih_at_rpi.edu)
Date: 10/24/03

  • Next message: Brett Glass: "Re: /var partition overflow (due to spyware?) in FreeBSD default install"
    Date: Thu, 23 Oct 2003 20:01:07 -0400
    To: Brett Glass <brett@lariat.org>, security@freebsd.org
    
    

    At 4:41 PM -0600 10/23/03, Brett Glass wrote:
    >
    >FreeBSD currently comes configured, in the default install,
    >to check /var/messages only once a day, and to rotate the
    >log file if it's above a certain size.

    My /etc/newsyslog.conf indicates that /var/log/messages
    should be rotated whenever it gets over 100K.

    >I've temporarily changed /etc/crontab so that newsyslog is
    >run every 5 minutes instead of once a day (which may be a
    >good idea to prevent other denials of service via this sort
    >of overflow as well).

    On both my 4.x and 5.x systems, /etc/crontab will run
    newsyslog once per hour. I'm pretty sure that at least some
    of the code in newsyslog assumes that the program is run only
    once per hour. Running it more frequently than that may
    cause some problems.

    I'm sure that /var can fill up even if /var/log/messages is
    rotated every hour, if the error messages are coming in fast
    enough. But the file should be getting rotated once per hour
    in the default install, not once per day.

    I do not think that the correct solution is to rotate the
    files at an even faster rate. Just how large is /var on the
    machine where you're seeing this problem?

    -- 
    Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
    Senior Systems Programmer           or  gad@freebsd.org
    Rensselaer Polytechnic Institute    or  drosih@rpi.edu
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
