Re: periodic security run output gives false positives after 1 year

On Sat, Feb 18, 2012 at 04:35:20PM -0500, Robert Simmons wrote:
On Fri, Feb 17, 2012 at 6:56 PM, Roger Marquis <marquis@xxxxxxxxx> wrote:
I don't personally recall a time when everything else wasn't logging the
year, in one format or another.  That's not to imply that syslogs
shouldn't be distinguishable by year but the question seems to be where
the year should be logged, A) on every line or B) in the archive file

There already is a standard, RFC 5424:

You are asking, should we make our own decision to do this totally
differently than the standard set in that RFC, or should we implement
that RFC?

Another option is to do nothing and stick with the way it is.

I think the way to proceed would be to implement RFC 5424, and have it
as a switch in rc.conf, something like:

where x is the new switch that would enable RFC5424 style logging.

How about an environment variable that login.conf could be adjusted for
so in case something else wants to benefit from similar behavior it can
just look for that too? Similar to how BLOCKSIZE works. After all this
is an environmental change.

This would be optional for now. Then with FreeBSD 10, 5424 would
become the default with the option now being a flag -y to enable old
style logging for backwards compatibility.

I suspect it was not common practice to leave logs on the server for more
than a year when Allman originally wrote syslog, and I have not seen an
environment where logs are left in /var/log for over a year.  Personally,
I would rather see FreeBSD stay backwards compatible and A) leave the
syslog timestamp format alone instead opting for KIS by simply writing
the year in the archive file name rather than wasting 5 bytes on every
line of every syslog log file.  YMMV.

It really shouldn't be a common practice, but we live in a world where
governments are forcing data retention laws. It is an unfortunate
reality that needs to be dealt with.

Also, I'm not sure I follow the logic behind some of the people on
this list saying not to implement this at all. It should be an option
for now, then the default on the other side of a major OS version with
the old way then available as an option. This seems the most rational
path to take.
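
Added example, not part of the original thread: a sketch of why a daily check that selects "yesterday" by the month-and-day prefix reports year-old entries when the log line carries no year, and how an RFC 5424 timestamp removes the ambiguity. The log lines, host names and addresses are constructed, and the prefix-matching check is an assumption about how such a daily report selects lines.

```python
from datetime import date, datetime, timedelta

# Constructed sample lines: failed logins on the same calendar day, one year apart.
BSD_LINES = [
    "Feb 17 03:12:45 host sshd[812]: Failed password for root from 192.0.2.10",   # written in 2011
    "Feb 17 09:30:01 host sshd[955]: Failed password for admin from 192.0.2.77",  # written in 2012
]
RFC5424_LINES = [
    "<38>1 2011-02-17T03:12:45-05:00 host sshd 812 - - Failed password for root from 192.0.2.10",
    "<38>1 2012-02-17T09:30:01-05:00 host sshd 955 - - Failed password for admin from 192.0.2.77",
]

def bsd_matches(lines, today):
    """Select yesterday's lines by 'Mon DD', the only date a traditional line carries."""
    y = today - timedelta(days=1)
    prefix = f"{y:%b} {y.day:2d}"  # day is space-padded, e.g. 'Feb  3'
    return [line for line in lines if line.startswith(prefix)]

def rfc5424_matches(lines, today):
    """Select yesterday's lines using the full-date TIMESTAMP field of RFC 5424."""
    y = today - timedelta(days=1)
    hits = []
    for line in lines:
        ts = line.split(" ", 2)[1]  # second field, after '<PRI>VERSION'
        if ts == "-":               # NILVALUE: sender had no timestamp
            continue
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if stamp.date() == y:
            hits.append(line)
    return hits

if __name__ == "__main__":
    today = date(2012, 2, 18)
    print("no year in line :", len(bsd_matches(BSD_LINES, today)), "hits")
    print("RFC 5424 line   :", len(rfc5424_matches(RFC5424_LINES, today)), "hits")
```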
