Re: periodic security run output gives false positives after 1 year



Sergey Kandaurov wrote:
In the IETF this RFC is marked obsolete and replaced with RFC 5424, with a
different timestamp format in ISO 8601 form. FreeBSD doesn't implement
5424 yet. An almost complete implementation was done in NetBSD in that
regard in 2008. NetBSD before the RFC 5424 changes had a pretty similar
syslogd source, so if one could analyze and port those changes to FreeBSD,
that would be pretty nice.

Problem with that would be backwards compatibility, and it's not IMO
worth breaking everyone's syslog parsing scripts to fix an issue that
really isn't due to the date format as much as it is to log rotation.

That's not to say that security scripts don't need to parse archived
logs, just that they should perhaps check the date stamp of the archive
files before parsing.

Have to admit we don't use FreeBSD's (or any other OS's) log rotation or
log-related periodic scripts. Would love to submit replacements though.
Our logic is a bit different:

* rotating current log files, to /var/log/$log.$i only when they grow
larger than 100MB,

* checking log file size hourly,

* rotating all logs regardless of size only at the end of the month, to
a compressed file with the date stamp as part of the filename,

* maintaining monthly archived log files in a dedicated subdirectory
(/var/log/logarchive),

* writing each syslog facility to its own file (kern.log, local1.log,
...).

It is unfortunate that syslog is such a neglected and unoptimized aspect
of nearly all Unix and Linux default installs, but SAs don't have to
restrict their systems to those defaults.

Roger Marquis
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
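The rotation policy listed in the post (size-triggered hourly rotation to $log.$i, month-end rotation of everything into a date-stamped compressed archive under /var/log/logarchive, and selecting archives by their file-name stamp rather than by the in-file dates), as an added example that is not the poster's own scripts. The variable names, the 100MB/five-copy defaults and the `<name>.<YYYYMM>.gz` naming are assumptions; it is written to run from cron as root, but every path can be overridden from the environment to try it in a scratch directory.

```shell
# Hypothetical rotation policy (added example); paths and thresholds are assumptions.
# Override them via the environment, e.g. point LOGDIR at a scratch directory.
LOGDIR="${LOGDIR:-/var/log}"
ARCHIVEDIR="${ARCHIVEDIR:-$LOGDIR/logarchive}"
MAXBYTES="${MAXBYTES:-104857600}"   # 100MB threshold for the hourly size check
KEEP="${KEEP:-5}"                   # numbered copies $log.0 .. $log.$((KEEP-1))
# Size in bytes; wc -c is portable where stat's flags differ between BSD and GNU.
file_size() { wc -c < "$1" | tr -d ' '; }

# Shift FILE.$i up one slot, move FILE to FILE.0 and start a fresh FILE. In
# production, SIGHUP syslogd afterwards so it reopens its files (omitted here).
rotate_numbered() {
    f=$1
    i=$((KEEP - 1))
    while [ "$i" -gt 0 ]; do
        [ -f "$f.$((i - 1))" ] && mv "$f.$((i - 1))" "$f.$i"
        i=$((i - 1))
    done
    mv "$f" "$f.0" && : > "$f"
}

# Hourly job: rotate only the per-facility logs that have grown past MAXBYTES.
rotate_if_large() {
    for f in "$LOGDIR"/*.log; do
        [ -f "$f" ] || continue
        if [ "$(file_size "$f")" -gt "$MAXBYTES" ]; then rotate_numbered "$f"; fi
    done
}

# Month-end job: archive every log regardless of size as
# ARCHIVEDIR/<name>.<YYYYMM>.gz, then truncate the live file.
rotate_monthly() {
    mkdir -p "$ARCHIVEDIR"
    for f in "$LOGDIR"/*.log; do
        [ -f "$f" ] || continue
        gzip -c "$f" > "$ARCHIVEDIR/$(basename "$f").$1.gz" && : > "$f"
    done
}

# The date stamp is in the archive name, so a periodic security script can pick
# archives by month instead of trusting the year-less in-file timestamps.
archive_stamp() { basename "$1" | sed -n 's/^.*\.\([0-9]\{6\}\)\.gz$/\1/p'; }

# List archives stamped with the given YYYYMM or later.
archives_since() {
    for a in "$ARCHIVEDIR"/*.gz; do
        [ -f "$a" ] || continue
        s=$(archive_stamp "$a")
        if [ -n "$s" ] && [ "$s" -ge "$1" ]; then echo "$a"; fi
    done
}
```

A periodic script that only wants the current month would then iterate over `archives_since "$(date +%Y%m)"` instead of every file in the archive directory.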