Bug 253168 - 800.loginfail fails to process at end/start of logfile turnover period if old logfiles not appended with .gz or .bz2
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 12.2-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Keywords: easy
Reported: 2021-02-01 17:27 UTC by Jamie Baxter
Modified: 2021-02-01 19:03 UTC
Description Jamie Baxter 2021-02-01 17:27:12 UTC
When processing periodic daily security scripts and 800.loginfail is enabled, the script fails to report any login failures when:
1. It is the first day of a new logfile (so the previous day is turned over by newsyslog).
2. The turned over logfile does NOT end in .gz or .bz2.

This occurs within the catmsgs() function in 800.loginfail, specifically:
case $f in
  *.gz)       zcat -f $f;;
  *.bz2)      bzcat -f $f;;

I understand that the default newsyslog.conf turns over auth.log with bzip2 (flag J), however I do not compress turned over text logfiles (am running root on ZFS and taking advantage of dataset-level compression at /var/log), and as such they get renamed auth.log.X instead of auth.log.X.bz2. While this is probably an overly simplistic solution, the following modification allows 800.loginfail to function properly on {gz,bz2}-lacking files if they are not compressed:
case $f in
  *.gz)       zcat -f $f;;
  *.bz2)      bzcat -f $f;;
  *)          cat $f;;
I understand I may be an edge case here, but thought I would bring it to the attention of the developers. I presume it also extends to weekly or monthly scheduling of 800.loginfail for any turned over logfiles that fail to have {gz,bz2} appended to the filenames. Similarly, I expect that it also extends across most recent versions of FreeBSD (at least 8 through CURRENT), as it appears 800.loginfail has not been updated in almost 7 years.
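
The behaviour described in this report can be reproduced with the sketch below. It is an added example, not code from the report or from the FreeBSD 800.loginfail script. The function names, the sample log lines and the `Failed password` match are constructed for illustration, and `gzip -dcf` stands in for `zcat -f`.

```shell
#!/bin/sh
# Added demonstration; all function names here are hypothetical.

# Dispatch as quoted in the report: a rotated file that ends in neither
# .gz nor .bz2 matches no branch and is skipped without any error.
catmsgs_orig() {
    for f in "$1"/auth.log.*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz)   gzip -dcf "$f";;   # stand-in for: zcat -f $f
            *.bz2)  bzcat -f "$f";;
        esac
    done
}

# Same dispatch with the fallback branch proposed in the report.
catmsgs_fixed() {
    for f in "$1"/auth.log.*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz)   gzip -dcf "$f";;
            *.bz2)  bzcat -f "$f";;
            *)      cat "$f";;         # uncompressed rotation, e.g. auth.log.0
        esac
    done
}

# Constructed sample data: one uncompressed and one gzip-compressed rotation.
make_sample_logs() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'Feb  1 03:01:10 host sshd[811]: Failed password for root from 192.0.2.10 port 50122 ssh2' \
        > "$dir/auth.log.0"
    printf '%s\n' 'Jan 31 22:14:05 host sshd[790]: Failed password for admin from 192.0.2.11 port 40110 ssh2' \
        | gzip -c > "$dir/auth.log.1.gz"
    echo "$dir"
}

# $1 = reader function, $2 = log directory. Prints the number of matching lines.
# "|| true" keeps a zero-match grep from aborting callers that use set -e.
count_failures() {
    "$1" "$2" | grep -c 'Failed password' || true
}

d=$(make_sample_logs)
echo "original: $(count_failures catmsgs_orig "$d")  patched: $(count_failures catmsgs_fixed "$d")"
rm -rf "$d"
```

The original dispatch exits cleanly while dropping the newest rotated file, so the daily security mail gives no sign that the failed logins in it went unreported.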