Bug #18615

Skip old login failures in daily security run output

Added by Daniel Shaffer almost 2 years ago. Updated 11 months ago.

Status:
Resolved
Priority:
Nice to have
Assignee:
Vladimir Vinogradenko
Category:
Middleware
Target version:
Seen in:
Sprint:
Severity:
New
Backlog Priority:
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Platform: Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
Memory: 130964MB
M1015 Flashed to IT mode w/ no BIOS boot option
4x4tb RaidZ2 + 4x4tb RaidZ2
3x4tb are on motherboard SATA ports
5x4tb are on M1015 SAS/SATA ports

ChangeLog Required:
No

Description

I received a daily security run output email last week which reported that I had login failures. Since I hadn't logged in at all that day, I immediately went to check them out thinking a hacker had been targeting my system. It turns out the script which checks for login failures doesn't check the auth.log for a year since the auth.log doesn't log the year, so I was getting reports about errors from 2015 instead of this year (2016).

Summary: The /var/log/auth.log file doesn't include a year when it reports login failures. It also doesn't seem to automatically rollover each year or something equivalent. The /etc/periodic/security/800.loginfail script seems to look for all errors from 'yesterday', where 'yesterday' is defined by

date -v-1d "+%b %e "
and can't check for a year.

Possible solutions:
  • Cause auth.log to rollover either each day/week/month/year?
  • Only count a report as coming from yesterday if there are no more days following it in the log?
  • Start logging the year of the login error as well?
  • etc.

Attachment: authlogin1.png (13.8 KB), Rishabh Chauhan, 11/07/2017 11:17 AM

Related issues

Related to FreeNAS - Bug #18319: [Regression] Outdated Security Run Outputs (Closed: Duplicate, 2016-10-18)
Has duplicate FreeNAS - Bug #24090: Log from last year sent again in the same day current year (Closed: Duplicate, 2017-05-22)

Associated revisions

Revision 15b43bc2 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(etc): /etc/periodic/security/800.loginfail-freenas that skips messages from previous years

Ticket: #18615

Revision 7f201c55 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(etc): /etc/periodic/security/800.loginfail-freenas that skips messages from previous years

Ticket: #18615

Revision 701af451 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(etc): /etc/periodic/security/800.loginfail-freenas that skips messages from previous years

Ticket: #18615

Revision 5f12b64b (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(etc): /etc/periodic/security/800.loginfail-freenas that skips messages from previous years

Ticket: #18615

Revision 2f393449 (diff)
Added by Vladimir Vinogradenko about 1 year ago

fix(etc): /etc/periodic/security/800.loginfail-freenas that skips messages from previous years

Ticket: #18615

History

#1 Updated by Daniel Shaffer almost 2 years ago

The following link helped me in my debugging in case it helps anyone else.

https://forums.freebsd.org/threads/32926/

#2 Updated by Bonnie Follweiler almost 2 years ago

  • Assignee set to Alexander Motin

#3 Updated by Kris Moore almost 2 years ago

  • Assignee changed from Alexander Motin to Suraj Ravichandran

I dunno about changing the log format, but perhaps we could do better rotation?

#4 Updated by Alexander Motin almost 2 years ago

I had no time to look at how it works on FreeBSD, but I would guess it should be handled there somehow. I would start the investigation from what FreeNAS could break.

#5 Updated by Suraj Ravichandran almost 2 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Nice to have
  • Target version set to 9.10.2

#6 Updated by Kris Moore almost 2 years ago

  • Target version changed from 9.10.2 to 9.10.2-U1

#7 Updated by Suraj Ravichandran almost 2 years ago

  • Related to Bug #18319: [Regression] Outdated Security Run Outputs added

#8 Updated by Kris Moore almost 2 years ago

  • Target version changed from 9.10.2-U1 to 9.10.2-U2

#9 Updated by Kris Moore over 1 year ago

  • Target version changed from 9.10.2-U2 to 9.10.4

#10 Updated by Kris Moore over 1 year ago

  • Target version changed from 9.10.4 to 11.1

#11 Updated by Daniel Shaffer over 1 year ago

Sorry, but is this really so unimportant that it won't be fixed until the next version? I realize it may not be a top priority, but I thought it was definitely a bug. If I were to try to look into fixing this myself (it would be my first time in this codebase), would one of those suggestions I made earlier be preferable, or is there something else I should look at?

#12 Updated by Suraj Ravichandran over 1 year ago

@Daniel 9.10.3 got renamed to being called 11.0 and 9.10.4 went to 11.1 (so not so much a postponing issue as much as a versioning change).

Any changes you make and submit will be gladly looked at and reviewed.

#13 Updated by Daniel Shaffer over 1 year ago

Oh okay, thanks for the information.

#14 Updated by Dru Lavigne about 1 year ago

  • Status changed from Screened to 46
  • Assignee changed from Suraj Ravichandran to Kris Moore

Kris: is this still an issue given the related bug?

#15 Updated by Kris Moore about 1 year ago

  • Status changed from 46 to Unscreened
  • Assignee changed from Kris Moore to William Grzybowski

Over to William, who can Load Balance it now.

#16 Updated by William Grzybowski about 1 year ago

  • Assignee changed from William Grzybowski to Vladimir Vinogradenko

Vladimir, can you please take a look at this? Thanks!

#17 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from Unscreened to Screened

#18 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from Screened to Needs Developer Review
  • Assignee changed from Vladimir Vinogradenko to William Grzybowski

> Cause auth.log to rollover either each day/week/month/year?

It is already being rotated every year as configured in /etc/newsyslog.conf

# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/auth.log            600  7     100  @0101T JC

@0101T means «on January 1st». Rotation occurs between 00:00 and 01:00. If the device was not powered on in that time interval (which I think is OK for a SOHO NAS), the next rotation will occur only next year (or when auth.log reaches a size of 100 kilobytes).

> Start logging the year of the login error as well?

This may break a lot of other scripts depending on current syslog record format. Definitely not an option.

> Only count a report as coming from yesterday if there are no more days following it in the log?

This is a much less intrusive approach. As bash performance won't be satisfactory for the required logic (it will spawn a lot of egrep processes), I've implemented a new periodic script in Python.
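
The "no more days following it in the log" rule discussed in comment #18, sketched next to the year-blind match the ticket describes. This is an added example, not the FreeNAS script from the revisions above (its source is not shown on this page); the failure regex, the function names and the sample log lines are constructed assumptions.

```python
import re
from datetime import date, timedelta

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
STAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d ")  # "Oct 18 " / "Jan  5 "
# Assumed failure pattern for illustration; the real script's regex may differ.
FAILURE = re.compile(r": .*\b(fail(ures?|ed)?|invalid|bad|illegal)\b", re.I)

# Constructed sample: a log that was not rotated and spans 2015 into 2016.
SAMPLE = """\
Oct 18 03:12:44 nas sshd[811]: Failed password for root from 192.0.2.10 port 4022 ssh2
Oct 19 09:00:01 nas sshd[901]: Accepted publickey for admin from 192.0.2.20 port 5100 ssh2
Dec 31 23:10:00 nas sshd[990]: Failed password for invalid user test from 192.0.2.10 port 4100 ssh2
Oct 17 08:30:00 nas sshd[120]: Accepted publickey for admin from 192.0.2.20 port 5200 ssh2
Oct 19 07:45:10 nas sshd[233]: Accepted publickey for admin from 192.0.2.20 port 5300 ssh2
""".splitlines()

def stamp(d):
    """Year-less syslog date prefix, same shape as: date "+%b %e "."""
    return f"{MONTHS[d.month - 1]} {d.day:2d} "

def naive_failures(lines, today):
    """Year-blind match: every 'yesterday' found anywhere in the file counts."""
    y = stamp(today - timedelta(days=1))
    return [l for l in lines if l.startswith(y) and FAILURE.search(l)]

def yesterdays_failures(lines, today):
    """Keep 'yesterday' hits only if no other day follows them in the log."""
    yesterday, now = stamp(today - timedelta(days=1)), stamp(today)
    hits, seen_today = [], False
    for line in lines:
        if not STAMP.match(line):
            continue                      # not a timestamped record
        prefix = line[:7]
        if prefix == yesterday:
            if seen_today:                # time went backwards: earlier hits are stale
                hits, seen_today = [], False
            if FAILURE.search(line):
                hits.append(line)
        elif prefix == now:
            seen_today = True
        else:                             # another day follows: earlier hits are stale
            hits, seen_today = [], False
    return hits

if __name__ == "__main__":
    today = date(2016, 10, 19)
    print(naive_failures(SAMPLE, today), yesterdays_failures(SAMPLE, today))
```

A log that holds only the same two calendar days from a previous year and nothing since remains ambiguous without a year field; timely rotation is what covers that case.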

#19 Updated by William Grzybowski about 1 year ago

  • Status changed from Needs Developer Review to Reviewed by Developer
  • Assignee changed from William Grzybowski to Vladimir Vinogradenko

#20 Updated by Vladimir Vinogradenko about 1 year ago

  • Status changed from Reviewed by Developer to Ready For Release

#21 Updated by Dru Lavigne about 1 year ago

  • Subject changed from Daily Security Run Output includes old login failures to Skip old login failures in daily security run output

#22 Updated by Dru Lavigne about 1 year ago

  • Target version changed from 11.1 to 11.1-BETA1

#23 Updated by Dru Lavigne 12 months ago

  • Status changed from Ready For Release to Resolved

#24 Updated by Rishabh Chauhan 11 months ago

I accessed the auth.log file and there were no entries prior to today. It seems it refreshes every day. Refer to the screenshot.

#25 Updated by Bonnie Follweiler 11 months ago

  • Needs QA changed from Yes to No
  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)

#26 Updated by Dru Lavigne 11 months ago

  • Has duplicate Bug #24090: Log from last year sent again in the same day current year added
