Strange OS Account Changes log records
-
@stephenw10 It is Linode (now Akamai who bought them)
It is not logical to me - before NTP, I expect an install and OS to take the date and time from the "local" computer clock, and only later, when there is working networking and NTP, to adjust the time, and even then, it should not be by a gap of several months...
Isn't it possible that these logs remained in the install ISO and were copied to the new install as part of the install process?
-
Yes, it would only do that on systems where it cannot read the system clock or the system clock is not battery backed like the 1100.
Yes, it's possible something remained logged from the build process.
-
@stephenw10 to open a bug for this?
I guess it needs to be checked - either the release process or the install process
-
I see exactly the same thing on an instance I installed two days ago:
2023-06-28 04:45:51 [root:groupadd] cyrus(60)
2023-06-28 04:45:51 [root:useradd] cyrus(60):cyrus(60):the cyrus mail server:/nonexistent:/usr/sbin/nologin
2023-06-28 04:45:52 [root:groupadd] messagebus(556)
2023-06-28 04:45:52 [root:useradd] messagebus(556):messagebus(556):D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
2023-06-28 04:45:54 [root:groupadd] openvpn(301)
2023-06-28 04:45:54 [root:useradd] openvpn(301):openvpn(301):OpenVPN pseudo-user:/nonexistent:/usr/sbin/nologin
2023-06-28 04:45:54 [root:groupadd] dhcpd(136)
2023-06-28 04:45:54 [root:useradd] dhcpd(136):dhcpd(136):ISC DHCP daemon:/nonexistent:/usr/sbin/nologin
2023-10-20 22:07:43 [unknown:groupadd] all(1998)
2023-10-20 22:07:43 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2023-10-20 22:07:43 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2023-10-20 22:07:43 [unknown:useradd] admin(0) home /root made
2023-10-20 22:07:43 [unknown:groupmod] all(1998)
2023-10-20 22:07:43 [unknown:groupadd] admins(1999)
2023-10-20 22:23:41 [root:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
2023-10-20 22:23:41 [root:usermod] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
So I don't think this is a bug.
-
@stephenw10 The other way round... ;) it is a consistent bug...
In my view, newly installed software, assuming the local "pc" has a correct date and time, should not have any log record that is prior to the date-time the installation started. Looks logical and basic to me.
-
I guess you can view it like that.
Open a bug report for discussion.
-
@stephenw10 Of course... https://redmine.pfsense.org/issues/14909
-
I mentioned it on the Redmine issue but I'll add it here as well: Those entries are from when the installation image itself was built for that version.
It's normal/expected for them to have that date/time because that's when those users were added to the system as it was being built.
-
@jimp But why do you think it is OK to ship a product to customers with existing logs from before the installation time?
-
Because it accurately reflects when those changes were made to the system accounts.
We could wipe that log during the installation but then the data about when those accounts were added would be lost/hidden which is worse, IMO.
At least until the system is updated, the log entries line up with the system and kernel build times which are easy to verify.
-
@jimp Thanks for your reply.
My view is that customers need to get a clean system, without any historical logs, which I don't see as helpful in any way, to get a clean system, but of course it is your call.
-
@Wolfgangthegreat you can just clean the log when you install.. It's a simple click of a button ;)
-
It's more "clean" (as in unaltered) to leave the records as they are from the builder than to delete data for the sake of hiding it. I'd rather a system have an audit trail from the time it was built, not just when it was installed/instantiated.
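
An added example, not part of the thread or of pfSense itself: one way to check that the entries predating an install line up with the image build time, as discussed above. The sample reuses four lines from the log quoted in the thread plus one constructed entry; `build_time`, `installed_at` and the one-day tolerance are assumed values you would replace with your own.

```python
import re
from datetime import datetime, timedelta

# Sample input: four entries copied from the log quoted in this thread, plus
# one constructed entry (2023-08-14) that matches neither build nor install.
SAMPLE = """\
2023-06-28 04:45:51 [root:groupadd] cyrus(60)
2023-06-28 04:45:54 [root:useradd] openvpn(301):openvpn(301):OpenVPN pseudo-user:/nonexistent:/usr/sbin/nologin
2023-08-14 11:02:37 [root:useradd] example(1001):example(1001):constructed entry:/nonexistent:/usr/sbin/nologin
2023-10-20 22:07:43 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
2023-10-20 22:23:41 [root:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
"""

# timestamp, [actor:action], then the account detail
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[([^:\]]+):([^\]]+)\] (.+)$")

def parse(text):
    """Return (timestamp, actor, action, detail) tuples; skip malformed lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return entries

def triage(text, build_time, installed_at, tolerance=timedelta(days=1)):
    """Bucket entries as image-build, post-install, or unexplained."""
    buckets = {"build": [], "post_install": [], "unexplained": []}
    for entry in parse(text):
        ts = entry[0]
        if ts >= installed_at:
            buckets["post_install"].append(entry)
        elif abs(ts - build_time) <= tolerance:
            buckets["build"].append(entry)
        else:
            # Predates the install but does not match the image build time.
            buckets["unexplained"].append(entry)
    return buckets

if __name__ == "__main__":
    # Assumed values: build date of the image, and install time from your own records.
    result = triage(SAMPLE, datetime(2023, 6, 28, 4, 0), datetime(2023, 10, 20, 22, 0))
    for name, entries in result.items():
        print(f"{name}: {len(entries)}")
        for ts, actor, action, detail in entries:
            print(f"  {ts} {actor} {action} {detail.split(':')[0]}")
```

Entries in the `unexplained` bucket are the ones worth a closer look: they predate the install yet do not match the build time of the image.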