When processing periodic daily security scripts and 800.loginfail is enabled, the script fails to report any login failures when:

1. It is the first day of a new logfile (so the previous day is turned over by newsyslog).
2. The turned over logfile does NOT end in .gz or .bz2

This occurs within the catmsgs() function in 800.loginfail, specifically:

---
case $f in
    *.gz) zcat -f $f;;
    *.bz2) bzcat -f $f;;
esac
---

I understand that the default newsyslog.conf turns over auth.log with bzip2 (flag J), however I do not compress turned over text logfiles (am running root on ZFS and taking advantage of dataset-level compression at /var/log), and as such they get renamed auth.log.X instead of auth.log.X.bz2.

While this is probably an overly simplistic solution, the following modification allows 800.loginfail to function properly on {gz,bz2}-lacking files if they are not compressed:

---
case $f in
    *.gz) zcat -f $f;;
    *.bz2) bzcat -f $f;;
    *) cat $f;;
esac
---

I understand I may be an edge case here, but thought I would bring it to the attention of the developers. I presume it also extends to weekly or monthly scheduling of 800.loginfail for any turned over logfiles that fail to have {gz,bz2} appended to the filenames. Similarly, I also expect that it also extends across most recent versions of FreeBSD (at least 8 through CURRENT) as it appears 800.loginfail has not been updated in almost 7 years.
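The reporting gap described above, reproduced as an added example that is not part of the original report or the FreeBSD source. Only the two case statements come from the report; the surrounding loop, the constructed log lines (documentation-range addresses) and the 'Failed password' filter are assumptions made for illustration.

```shell
#!/bin/sh
# Simplified stand-ins for catmsgs(); the loop is hypothetical, not the script's own.

# Original dispatch from the report: a name without .gz/.bz2 matches no
# branch, so the file is skipped without any error or warning.
catmsgs_orig() {
    for f in "$1"/auth.log.*; do
        case $f in
            *.gz)  zcat -f "$f";;
            *.bz2) bzcat -f "$f";;
        esac
    done
}

# Reporter's modification: anything else is read as plain text.
catmsgs_fixed() {
    for f in "$1"/auth.log.*; do
        case $f in
            *.gz)  zcat -f "$f";;
            *.bz2) bzcat -f "$f";;
            *)     cat "$f";;
        esac
    done
}

# Constructed rotated logs: one uncompressed (as with ZFS-level
# compression and no J/Z flag in newsyslog.conf), one gzip-compressed.
make_sample_logs() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'Jan  9 03:12:44 host sshd[811]: Failed password for invalid user test from 192.0.2.10 port 50122 ssh2' \
        'Jan  9 03:12:51 host sshd[811]: Failed password for root from 192.0.2.10 port 50130 ssh2' \
        > "$d/auth.log.0"
    printf '%s\n' \
        'Jan  8 22:40:02 host sshd[640]: Failed password for admin from 198.51.100.7 port 41000 ssh2' \
        | gzip -c > "$d/auth.log.1.gz"
    echo "$d"
}

# Count failure lines emitted by a catmsgs variant: $1 = function, $2 = log dir.
count_failures() {
    "$1" "$2" | grep -c 'Failed password'
}

dir=$(make_sample_logs)
echo "original: $(count_failures catmsgs_orig "$dir") failure line(s) reported"
echo "modified: $(count_failures catmsgs_fixed "$dir") failure line(s) reported"
rm -rf "$dir"
```

The original variant exits successfully while dropping the two entries in the uncompressed file, which is why the gap shows up only as an unexpectedly quiet security report.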
Created attachment 238766
fix
Hi, this is still a problem, both in 800.loginfail and 900.tcpwrap. Adding a possible patch. Regards.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1fa4ddcc6de6a0c46416f719a5b7efa1169f51ce

commit 1fa4ddcc6de6a0c46416f719a5b7efa1169f51ce
Author:     Yoshihiro Takahashi <nyan@FreeBSD.org>
AuthorDate: 2024-01-10 11:48:56 +0000
Commit:     Yoshihiro Takahashi <nyan@FreeBSD.org>
CommitDate: 2024-01-10 11:48:56 +0000

    periodic: Fix periodic reports when log files are not compressed.

    The modern zcat(1) is capable of handling compressed and uncompressed
    text files, so we can simply use zcat command.

    PR: 253168
    Reviewed by: delphij
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D43357

 usr.sbin/periodic/etc/security/800.loginfail | 7 +------
 usr.sbin/periodic/etc/security/900.tcpwrap   | 7 +------
 2 files changed, 2 insertions(+), 12 deletions(-)
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=dd5dabe284831a40bb8ef4749b352c03bf9f4a44

commit dd5dabe284831a40bb8ef4749b352c03bf9f4a44
Author:     Yoshihiro Takahashi <nyan@FreeBSD.org>
AuthorDate: 2024-01-10 11:48:56 +0000
Commit:     Yoshihiro Takahashi <nyan@FreeBSD.org>
CommitDate: 2024-01-24 12:04:50 +0000

    periodic: Fix periodic reports when log files are not compressed.

    The modern zcat(1) is capable of handling compressed and uncompressed
    text files, so we can simply use zcat command.

    PR: 253168
    Reviewed by: delphij
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D43357

    (cherry picked from commit 1fa4ddcc6de6a0c46416f719a5b7efa1169f51ce)

 usr.sbin/periodic/etc/security/800.loginfail | 7 +------
 usr.sbin/periodic/etc/security/900.tcpwrap   | 7 +------
 2 files changed, 2 insertions(+), 12 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f148fbe153738776c0e2263754e38cf7e0beb63e

commit f148fbe153738776c0e2263754e38cf7e0beb63e
Author:     Yoshihiro Takahashi <nyan@FreeBSD.org>
AuthorDate: 2024-01-10 11:48:56 +0000
Commit:     Yoshihiro Takahashi <nyan@FreeBSD.org>
CommitDate: 2024-01-24 12:08:58 +0000

    periodic: Fix periodic reports when log files are not compressed.

    The modern zcat(1) is capable of handling compressed and uncompressed
    text files, so we can simply use zcat command.

    PR: 253168
    Reviewed by: delphij
    MFC after: 2 weeks
    Differential Revision: https://reviews.freebsd.org/D43357

    (cherry picked from commit 1fa4ddcc6de6a0c46416f719a5b7efa1169f51ce)

 usr.sbin/periodic/etc/security/800.loginfail | 5 +----
 usr.sbin/periodic/etc/security/900.tcpwrap   | 5 +----
 2 files changed, 2 insertions(+), 8 deletions(-)