Bug 23415

Summary: /etc/security fails to show all relevant messages.
Product: Base System
Reporter: Poul-Henning Kamp <phk>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 5.0-CURRENT   
Hardware: Any   
OS: Any   

Description Poul-Henning Kamp 2000-12-10 10:50:01 UTC
	/etc/security will examine only the current /var/log/messages
	and /var/log/messages.0 (with and without .gz suffix) for log
	messages relevant for yesterday.

	/etc/newsyslog.conf specifies that the messages file is rotated
	once per day *or* when the size exceeds 100kB.

	If you are under attack, you are quite likely to have your
	messages rotated due to the size criteria and the next run
	of /etc/security will only report on a fraction of the reality.

Fix: 

I think the catmsgs() function:
		catmsgs() {
		  [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
		  [ -f $LOG/messages.0 ] && cat $LOG/messages.0
		  [ -f $LOG/messages ] && cat $LOG/messages
		}
	maybe should do something like:

		catmsgs() {
		 find $LOG/ -name 'messages.*' -mtime -2 -print | 
		    sort -r |
		    xargs zcat -f
		 [ -f $LOG/messages ] && cat $LOG/messages
		}
How-To-Repeat: 
	Piss off a scriptkiddie, notice that /etc/security doesn't show
	the full magnitude of his lameness.
Comment 1 Brian Somers 2000-12-11 01:24:01 UTC
> >Number:         23415
> >Category:       bin
> >Synopsis:       /etc/security fails to show all relevant messages.
[.....]
> 	I think the catmsgs() function:
> 		catmsgs() {
> 		  [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
> 		  [ -f $LOG/messages.0 ] && cat $LOG/messages.0
> 		  [ -f $LOG/messages ] && cat $LOG/messages
> 		}
> 	maybe should do something like:
>
> 		catmsgs() {
> 		 find $LOG/ -name 'messages.*' -mtime -2 -print |
> 		    sort -r |
> 		    xargs zcat -f
> 		 [ -f $LOG/messages ] && cat $LOG/messages
> 		}

This could be sorted better - messages.10* would be out of place :o]

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
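
The ordering problem raised in Comment 1 shows up when the report's proposal is run next to a variant that sorts on the generation number. This is an added example, not part of the bug thread and not the fix that was committed; `catmsgs_lexical`, `demo_order`, the `LC_ALL=C` setting and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; not the fix that was committed to FreeBSD.
LOG=${LOG:-/var/log}

# Proposal from the report: lexical "sort -r" (LC_ALL=C pins the collation).
catmsgs_lexical() {
    find "$LOG"/ -name 'messages.*' -mtime -2 -print |
        LC_ALL=C sort -r |
        xargs zcat -f
    if [ -f "$LOG/messages" ]; then cat "$LOG/messages"; fi
}

# Variant: tag each path with its generation number and sort on that number,
# highest (oldest) first. Only messages.N and messages.N.gz are considered.
catmsgs() {
    find "$LOG" -maxdepth 1 -type f -name 'messages.[0-9]*' -mtime -2 -print |
        sed -n 's|^\(.*/messages\.\([0-9][0-9]*\)\(\.gz\)\{0,1\}\)$|\2 \1|p' |
        sort -k1,1nr |
        while read -r gen path; do
            case $path in
                *.gz) gzip -dc "$path" ;;
                *)    cat "$path" ;;
            esac
        done
    if [ -f "$LOG/messages" ]; then cat "$LOG/messages"; fi
}

# Constructed sample data: each file holds one line naming its generation.
# Usage: demo_order catmsgs   or   demo_order catmsgs_lexical
demo_order() {
    d=$(mktemp -d) || return 1
    for n in 1 2 9 10 11 12; do
        echo "gen$n" | gzip -c > "$d/messages.$n.gz"
    done
    echo gen0 > "$d/messages.0"                  # uncompressed generation
    echo live > "$d/messages"                    # current log
    touch -t 200001010000 "$d/messages.12.gz"    # too old for -mtime -2
    (LOG=$d; "$1") | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$d"
}
```

With more than ten rotations inside the two-day window, the lexical version emits generations 9 and 2 ahead of 11 and 10, so the report reads out of chronological order even though no lines are lost.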
Comment 2 Brian Somers freebsd_committer freebsd_triage 2001-02-03 01:28:57 UTC
State Changed
From-To: open->closed

-current has been fixed.  I'll mfc in 2 weeks if things are ok