Re: Daily security report oddity...



On Wed, Sep 2, 2009 at 00:23, Mark Stapper <stark@xxxxxxxxx> wrote:
Kurt Buff wrote:
I got a daily security run email from one of my machines on Monday
morning, with the following entry:

     zmx1.zetron.com login failures:
     Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
     Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0

What's puzzling is that this account has been completely inactive for
well over a year - this fellow is long gone, and I simply didn't clean
it up - that's my bad, but that's not the puzzling part.

I traced it down, and found out that he had not logged in on Sunday.
The auth.log is, as you can see from the listing below, quite old. The
entries referenced above are from two years ago.

      zmx1# ll /var/log/a*
      -rw-------  1 root  wheel  71845 Sep  1 15:42 /var/log/auth.log
      -rw-------  1 root  wheel   6087 Aug 29  2007 /var/log/auth.log.0.bz2
      -rw-------  1 root  wheel   5774 Aug 12  2007 /var/log/auth.log.1.bz2
      -rw-------  1 root  wheel   5795 Jul 24  2007 /var/log/auth.log.2.bz2
      -rw-------  1 root  wheel   6813 Jul  6  2007 /var/log/auth.log.3.bz2


So, a couple of questions:

Why would the daily security run pick up something from *two years
ago* and only report it again today? The machine hasn't been rebooted
in a very long time, if that makes a difference.

Is there any way to prevent something like this happening again - or
perhaps can I force the entry of the year into the date field for the
auth.log entries?

Kurt

Hello,

If you look at the syntax of the logfile, you will see no year is listed.
Most likely the whole file is parsed on security run. Since the logfile
has been rotated the 30th of August 2007, it's very much possible you'll
get all your messages all over again.
Perhaps it's wise to rotate your logfiles once a year just in case...
And it makes no difference that the machine hasn't been rebooted in a very
long time... (define "very long time" ;-)
http://uptimes-project.org/hosts/view/150 )

Heh. Well, for me a very long time is more than a year, because
security patches for the OS will at some point mandate a reboot - and
usually in less than a year.

I suppose there's a way to do auth log rotation automagically - would
that be sysutils/logrotate?

Kurt
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
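An added example for this thread, not code from the list, from the poster, or from FreeBSD's periodic(8) scripts. It reproduces the failure mode Mark describes (a month/day-only prefix match over a year-less syslog file picks up lines from any year) and shows one mitigation: remembering the byte offset reached on the previous run and only reading what was appended since, the approach logtail-style tools use. The hostname, file paths, state file and log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from FreeBSD's
# periodic scripts). It shows why a month/day-only filter over auth.log
# re-reports lines from earlier years, and an offset-based reader that only
# looks at bytes appended since the previous run, so old lines are never
# seen twice. Hostname, paths and log lines are constructed for the demo.

WORK=${TMPDIR:-/tmp}/authlog-demo.$$
mkdir -p "$WORK"
LOG="$WORK/auth.log"            # constructed stand-in for /var/log/auth.log
STATE="$WORK/auth.log.offset"   # where the reader remembers how far it got

# Constructed auth.log: two failures that in the thread's case were written
# in 2007, plus one fresh line. Note that the timestamps carry no year.
cat > "$LOG" <<'EOF'
Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
Sep  1 15:42:01 zmx1 sshd[1234]: Accepted publickey for kurt from 10.0.0.5 port 51234 ssh2
EOF

# 1. The failure mode: select "yesterday's" su failures by matching the
#    "Mon dd" prefix. A line from any year with that month/day matches.
count_failures_by_date() {
    # $1 = "Mon dd" prefix as syslog writes it (e.g. "Aug 30" or "Sep  1")
    # $2 = log file; prints the number of matching "BAD SU" lines
    grep -c "^$1 .*BAD SU" "$2" || true    # grep -c prints 0 on no match
}

# 2. The mitigation: remember the byte offset reached on the last run and
#    emit only what was appended since. If the file is now smaller than
#    the saved offset it was rotated or truncated, so reading restarts at 0.
new_lines_since_last_run() {
    # $1 = log file; $2 = state file holding the last byte offset
    log=$1; state=$2; last=0
    if [ -f "$state" ]; then
        last=$(cat "$state")
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -lt "$last" ]; then
        last=0                  # rotated/truncated: do not skip new content
    fi
    tail -c +$((last + 1)) "$log"   # bytes after the saved offset
    echo "$size" > "$state"
}

echo "su failures on 'Aug 30' by prefix match: $(count_failures_by_date "Aug 30" "$LOG")"
echo "--- first offset-based run (whole file is new):"
new_lines_since_last_run "$LOG" "$STATE"
echo "--- second run, nothing appended (prints nothing):"
new_lines_since_last_run "$LOG" "$STATE"
```

The prefix match reports both 2007 failures as if they were yesterday's, because nothing in the line says otherwise; the offset reader reports each line once, whatever its date, and starts over when the file shrinks after rotation. Keeping the file short is the other half of the fix: on FreeBSD the base system rotates logs with newsyslog(8) according to /etc/newsyslog.conf, whose "when" field accepts time-based schedules (for example `@T00` for daily or `$M1D0` for monthly) in addition to the size trigger, so a log that stays under the size limit for two years can still be rotated on a calendar basis.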