Skip old login failures in daily security run output
Platform: Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
M1015 Flashed to IT mode w/ no BIOS boot option
4x4tb RaidZ2 + 4x4tb RaidZ2
3x4tb are on motherboard SATA ports
5x4tb are on M1015 SAS/SATA ports
I received a daily security run output email last week which reported that I had login failures. Since I hadn't logged in at all that day, I immediately went to check them out thinking a hacker had been targeting my system. It turns out the script which checks for login failures doesn't check the auth.log for a year since the auth.log doesn't log the year, so I was getting reports about errors from 2015 instead of this year (2016).
/var/log/auth.log file doesn't include a year when it reports login failures. It also doesn't seem to automatically rollover each year or something equivalent. The
/etc/periodic/security/800.loginfail script seems to look for all errors from 'yesterday', where 'yesterday' is defined by
date -v-1d "+%b %e "and can't check for a year. Possible solutions:
- Cause auth.log to rollover either each day/week/month/year?
- Only count a report as coming from yesterday if there are no more days following it in the log?
- Start logging the year of the login error as well?
#11 Updated by Daniel Shaffer almost 4 years ago
Sorry, but is this really so unimportant that it won't be fixed until the next version? I realize it may not be a top priority, but I thought it was definitely a bug. If I were to try to look into fixing this myself (it would be my first time in this codebase), would one of those suggestions I made earlier be preferable, or is there something else I should look at?
#18 Updated by Vladimir Vinogradenko over 3 years ago
- Status changed from Screened to Needs Developer Review
- Assignee changed from Vladimir Vinogradenko to William Grzybowski
Cause auth.log to rollover either each day/week/month/year?
It is already being rotated every year as configured in
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num] /var/log/auth.log 600 7 100 @0101T JC
@0101T means «on January 1st». Rotation occurs between 00:00 and 01:00. If device was not powered on in that time interval (which I think is OK for SOHO NAS), next rotation will occur only next year (or when
auth.log reaches size of 100 kilobytes).
Start logging the year of the login error as well?
This may break a lot of other scripts depending on current syslog record format. Definitely not an option.
Only count a report as coming from yesterday if there are no more days following it in the log?
This is much less intrusive approach. As bash performance won't be satisfying for required logic (will spawn a lot of
egrep processes), I've implemented new periodic script with python.