> > The first question that comes to mind: do you really need logs from a
> > year back?
>
> Nope. Should I need to tweak the default config files to ensure
> that I don't get them?

Since that's the element that brings three possible mis-features
together in the unfortunate interaction, and is also the element that
you have the most direct and immediate control over, and also should not
be a difficult fix, I would sure see it as the tempting fix.

I think I'd also want to submit a feature request to whoever is
currently claiming the program that generates the logs.

> > Maybe it's because I'm such a newb, but I'm wondering which program has
> > what bug? Is it that the default configuration files for the login logs
> > don't put an age limit on the rotation? Is it that the log lines don't
> > contain a full 4-digit year in the timestamp? Or is it that the
> > logscraper doesn't know to check the age of a log file, or doesn't know
> > to work on the tail of the log?
>
> The bug is in the security logscraper script, because it
> presented a log entry from a year ago as something that happened
> yesterday.

The way I see it, that's less where the bug is and more where the bugs
show up.

> The proximate cause of the bug is that the log
> files don't contain a year as part of the date format. The
> easy work-around is to include timed rotation as part of the
> standard configuration so that the lack of a year in the logfile
> date format does not expose the bug in the script. There are
> two plausible "real fixes" for the bug: 1) use a backup+diff
> scheme to find "yesterday's log messages" -- this is what NetBSD
> does, or 2) change the syslog daemon to include the year in the
> logfile date stamp -- this is what daemontools' multilog does.
> Option 2 is likely to be difficult to roll into the standard
> because it would almost certainly break third-party logfile
> scrapers.

I'm thinking that the logscrapers are likely not to be going to the
trouble of grabbing only two digits out of the year field, but I
probably don't see as much code as you do.

I see I'm preaching to the choir, and that we just have different points
of view about how deep you want to reach into FreeBSD to fix your bug.

:)

--
Joel Rees <[EMAIL PROTECTED]>
digitcom, inc. http://www.ddcom.co.jp
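
The failure and the backup+diff fix discussed in this thread, as an added example that is not part of the original message or of any FreeBSD or NetBSD script; the function names and log lines are constructed for illustration:

```python
# Added illustration: names and log lines are constructed, not from a real script.
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Constructed sample: the log as it was saved at the previous scraper run ...
LOG_AT_LAST_RUN = [
    "Mar  3 02:11:09 host sshd[411]: Failed password for root from 192.0.2.7",
    "Nov 20 14:02:51 host sshd[902]: Accepted publickey for alice from 198.51.100.4",
]
# ... and the same never-rotated file one run later, with one new line appended.
LOG_NOW = LOG_AT_LAST_RUN + [
    "Mar  3 09:45:30 host sshd[1187]: Failed password for admin from 203.0.113.9",
]


def syslog_prefix(month, day):
    """Traditional syslog stamp prefix: 'Mar  3' (no year, day padded to width 2)."""
    return f"{MONTHS[month - 1]} {day:>2}"


def scrape_by_date_prefix(lines, month, day):
    """Naive scraper: select lines by the year-less date stamp alone."""
    prefix = syslog_prefix(month, day)
    return [line for line in lines if line.startswith(prefix)]


def scrape_by_backup_diff(previous, current):
    """Backup+diff scraper: report only what was appended since the saved copy."""
    if current[:len(previous)] == previous:
        return current[len(previous):]
    # The file no longer starts with the saved copy (rotated or rewritten),
    # so nothing in it has been reported yet.
    return list(current)


if __name__ == "__main__":
    print("date-prefix match for Mar 3:")
    for line in scrape_by_date_prefix(LOG_NOW, 3, 3):
        print("  ", line)   # includes the entry from the previous year
    print("backup+diff:")
    for line in scrape_by_backup_diff(LOG_AT_LAST_RUN, LOG_NOW):
        print("  ", line)   # only the entry added since the last run
```

The date-prefix scraper cannot tell the two "Mar  3" lines apart without a year, while the diff against the saved copy never consults the timestamp at all.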