
[ossec-list] Re: strftime() on Solaris 8



Hi Leslie,

I was talking to Ahmet about this problem and I think we know what
is going on. Ossec runs in a chroot jail, so it does not have access
to /etc/timezone, /etc/localtime or any other time-related file. During
install, the script copies /etc/localtime to /var/ossec/etc/localtime
(which works for Linux and *BSD). However, on Solaris we also need
to copy the following:

cp -pr /etc/timezone /var/ossec/etc/timezone   # if you have it
cp -pr /etc/TIMEZONE /var/ossec/etc/TIMEZONE
mkdir -p /var/ossec/usr/share/lib/zoneinfo/
# -r: zones such as US/East-Indiana live in subdirectories of zoneinfo
cp -pr /usr/share/lib/zoneinfo/* /var/ossec/usr/share/lib/zoneinfo/

And restart ossec? It should fix this issue. For the next release, we
are going to do that automatically during install. Let us know
if it works or not.

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

On 6/7/06, Leslie S Arvin <arvin@xxxxxxxxxx> wrote:
>
> Thanks all for replying.  Changing the source to use %Z in maild.c:strftime()
> is quieting SpamAssassin.
>
> I am also seeing strangeness with the dates in the alert logs
> and in the Date: line of emails.  The time value returned is not
> adjusting for timezone/daylight savings time -- it is printing GMT.
>
> Specifically, an alert at 15:11:35 US/East-Indiana -0400 creates
> this in its entry in the alert logs:
>
> ** Alert 1149707495.15121: mail
> 2006 Jun 07 19:11:35 /var/adm/messages
>
> and creates this email header excerpt in its notification:
>
> From: OSSEC HIDS <ossecm@xxxxxxxxxxxxxxxxxxxxxxx>
> Date: Wed, 07 Jun 2006 19:11:45 US/East
>
> Separate tests with localtime() confirm that it returns the correct
> timezone-adjusted time; however, my test C program prints "EDT" for
> the %Z value to strftime(), not "US/East" as in the email headers,
> so I'm wondering if I'm testing the right version of localtime().
>
> This is ossec-hids 0.8 on Solaris 8 sparc.
>
> -- Leslie Arvin
>     arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
>     Network Systems Administrator, ITI-Unix Platforms
>     Purdue University, Information Technology at Purdue
>
>
> Daniel Cid wrote:
> > From what I'm seeing (after checking some standards) we should
> > have used the uppercase Z instead of the lowercase one. It will
> > fail on most non-linux and non-bsd systems...
> >
> > Thanks for reporting it!
> >
> > --
> > Daniel B. Cid
> > dcid @ ( at ) ossec.net
> >
> >
> > On 6/7/06, oahmet <oahmet@xxxxxxxxxxx> wrote:
> >> Hi Leslie,
> >>
> >> Thanks for reporting this issue. I'll work on it.
> >> However in order to make ossec-hids work on your environment, you may
> >> want to edit "src/os_maild/sendmail.c" file and change line 212:
> >>
> >> strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %z\r\n",p);
> >> to
> >> strftime(snd_msg, 127, "Date: %a, %d %b %Y %T %Z\r\n",p);
> >> (I mean change %z -> %Z). and install ossec-hids.
> >>
> >> Then it will print "timezone name" instead of  "hour offset from GMT".
> >>
> >> Best Regards,
> >>
> >> Ahmet Ozturk.
> >>
> >> Leslie S Arvin wrote:
> >>> I'm getting sendmail errors because the default strftime() on Solaris 8
> >>> does not support %z.  The Date: in the formatted email is displaying as:
> >>>
> >>> Date: Wed, 07 Jun 2006 15:14:31 %z
> >>>
> >>> and getting flagged by SpamAssassin.
> >>>
> >>> Since ossec has been tested on Solaris 2.8 (Sparc) systems, how does one
> >>> get around this?
> >>>
> >>> -- Leslie Arvin
> >>>     arvin@xxxxxxxxxx, Office: FREH G409, Phone: 765-496-3971
> >>>     Network Systems Administrator, ITI-Unix Platforms
> >>>     Purdue University, Information Technology at Purdue
> >>>
> >>>
> >
> >
>
> >
>
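
Added example, not part of the original thread and not OSSEC's code: one way to build the Date: header without strftime()'s %z, which the thread reports as unsupported on Solaris 8, by deriving the numeric offset from localtime() and gmtime(). The function names are hypothetical, and the TZ rule string in main() is a constructed stand-in for the poster's zone.

```c
#define _POSIX_C_SOURCE 200112L   /* setenv(), tzset(), snprintf() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Seconds local time is ahead of UTC at t, from localtime()/gmtime() only,
 * so neither strftime("%z") nor tm_gmtoff is required. */
static int utc_offset_seconds(time_t t, struct tm *lt, long *off)
{
    struct tm *p, gt;
    long days;
    if ((p = localtime(&t)) == NULL) return -1;
    *lt = *p;                     /* copy: gmtime() may reuse the buffer */
    if ((p = gmtime(&t)) == NULL) return -1;
    gt = *p;
    /* Local and UTC calendar dates differ by at most one day. */
    if (lt->tm_year != gt.tm_year) days = (lt->tm_year > gt.tm_year) ? 1 : -1;
    else days = lt->tm_yday - gt.tm_yday;
    *off = days * 86400L + (lt->tm_hour - gt.tm_hour) * 3600L
         + (lt->tm_min - gt.tm_min) * 60L + (lt->tm_sec - gt.tm_sec);
    return 0;
}

/* Writes e.g. "Date: Wed, 07 Jun 2006 15:11:35 -0400\r\n" into buf.
 * Returns 0 on success, -1 on conversion failure or a too-small buffer. */
int format_date_header(time_t t, char *buf, size_t len)
{
    struct tm lt;
    char stamp[64];
    long off, a;
    int n;
    if (utc_offset_seconds(t, &lt, &off) != 0) return -1;
    if (strftime(stamp, sizeof stamp, "%a, %d %b %Y %H:%M:%S", &lt) == 0) return -1;
    a = labs(off);
    n = snprintf(buf, len, "Date: %s %c%02ld%02ld\r\n", stamp,
                 off < 0 ? '-' : '+', a / 3600, (a % 3600) / 60);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char hdr[128];
    /* Alert timestamp from the thread; constructed TZ rule for US Eastern, 2006. */
    setenv("TZ", "EST5EDT,M4.1.0,M10.5.0", 1);
    tzset();
    if (format_date_header((time_t)1149707495, hdr, sizeof hdr) == 0) fputs(hdr, stdout);
    return 0;
}
```

Inside the chroot the output is only as correct as localtime() itself, so the timezone files discussed above still have to be present under /var/ossec.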
