Re: periodic security run output gives false positives after 1 year



On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote:
Hi,

I have seen it many times before, but never took the time to post about it.

Scripts in /etc/periodic are grepping logs for yesterday's date, but
without specifying the year (because some logs do not have the year logged).

This results in false positive alerts in security e-mails from our
lightly loaded servers, where logs are not rotated often enough.

For example /var/log/auth.log is 62KB (838 lines) and contains entries
for almost 2 years.

Today I got the following alert:

Feb 15 22:36:03 XXX sshd[89758]: Invalid user t1na from xxx.xxx.xxx.xxx
Feb 15 22:50:56 XXX sshd[89850]: Invalid user medina from xxx.xxx.xxx.xxx
Feb 15 22:50:57 XXX sshd[89852]: Invalid user student from xxx.xxx.xxx.xxx
Feb 15 22:50:58 XXX sshd[89854]: Invalid user student from xxx.xxx.xxx.xxx

(hostname and IP are replaced by X)

But looking into auth.log I found zero entries from yesterday - the Feb 15
entries were logged 1 year ago!

So I propose to set all daemons / syslog to log the year too (as %Y) and
change yesterday=`date -v-1d "+%b %e "` to yesterday=`date -v-1d "+%b %e %Y"`
in the periodic scripts.

The affected scripts are:
460.status-mail-rejects
470.status-named
800.loginfail
900.tcpwrap

Maybe some others; I just did a quick grep -rsn 'date -v-1d'
/etc/periodic and I don't know the logic used in the other scripts to get
yesterday's messages.

What do you think about it?


Rotating the appropriate logs daily/weekly/monthly/whatever will silence
these false alarms.

Glen
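The false positive Miroslav describes, and the two remedies raised in the thread (matching on a logged year, or rotating the log so stale lines leave the live file), reproduced as an added example. This is not code from the thread or from FreeBSD's /etc/periodic scripts. The log lines, host name, addresses and the "%b %e %Y" timestamp layout are constructed assumptions, and the yesterday string the periodic scripts build with date -v-1d is fixed to a constant here so the result is reproducible.

```shell
#!/bin/sh
# Added example, not the thread's or FreeBSD's own code.
# All log lines below are constructed sample data.

# 1. auth.log as syslog writes it: no year in the timestamp. The two
#    "Feb 15" lines are a year old, but once only "month day" is grepped
#    they look exactly like yesterday's entries.
LOG_NO_YEAR='Feb 15 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Feb 16 10:12:44 host sshd[1201]: Accepted publickey for admin from 192.0.2.20'

# 2. The same events if syslog also logged the year. The layout
#    "%b %e %Y %H:%M:%S" is an assumption chosen to line up with the
#    proposed yesterday=`date -v-1d "+%b %e %Y"`.
LOG_WITH_YEAR='Feb 15 2011 22:36:03 host sshd[89758]: Invalid user t1na from 192.0.2.10
Feb 15 2011 22:50:56 host sshd[89850]: Invalid user medina from 192.0.2.10
Feb 16 2012 10:12:44 host sshd[1201]: Accepted publickey for admin from 192.0.2.20'

# 3. The unrotated year-less log after a daily rotation: old lines moved
#    out to auth.log.0, so the live file only holds what came after.
#    (newsyslog writes a "logfile turned over" line when it rotates.)
LOG_ROTATED='Feb 16 00:00:00 host newsyslog[300]: logfile turned over
Feb 16 10:12:44 host sshd[1201]: Accepted publickey for admin from 192.0.2.20'

# What the periodic scripts would compute on Feb 16 2012. Fixed here for
# reproducibility; the scripts derive it from `date -v-1d` at run time.
YESTERDAY_NO_YEAR='Feb 15 '
YESTERDAY_WITH_YEAR='Feb 15 2012 '

# Prefix match in the spirit of the periodic scripts: count lines whose
# timestamp starts with the yesterday string.  "|| true" keeps a zero
# count (grep exit status 1) from aborting a caller running under set -e.
count_yesterday() {
    # $1 = yesterday string, $2 = log text
    printf '%s\n' "$2" | grep -c "^$1" || true
}

# Portable equivalent of the BSD `date -v-1d FORMAT` used by the scripts;
# falls back to GNU date for Linux hosts.  Display only, not asserted on.
yesterday_string() {
    date -v-1d "$1" 2>/dev/null || date -d yesterday "$1" 2>/dev/null
}

printf 'today would grep for: "%s"\n' "$(yesterday_string '+%b %e ')"
printf 'year-less match, unrotated log : %s hit(s)  <- stale lines reported\n' \
    "$(count_yesterday "$YESTERDAY_NO_YEAR" "$LOG_NO_YEAR")"
printf 'year-aware match               : %s hit(s)\n' \
    "$(count_yesterday "$YESTERDAY_WITH_YEAR" "$LOG_WITH_YEAR")"
printf 'year-less match, rotated log   : %s hit(s)\n' \
    "$(count_yesterday "$YESTERDAY_NO_YEAR" "$LOG_ROTATED")"
```

The first count is the false positive from the original report: two year-old "Invalid user" lines are reported as yesterday's activity. Either remedy drives it to zero, and the year-aware match still reports a genuine entry when the year does agree (try 'Feb 16 2012 ' against LOG_WITH_YEAR). Note the trailing space in the yesterday string, which keeps "Feb 1 " from also matching "Feb 10" through "Feb 19".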

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
