NetBSD-Bugs archive


bin/49031: /etc/security tries to track /var/log/authlog



>Number:         49031
>Category:       bin
>Synopsis:       /etc/security tries to track /var/log/authlog
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 25 00:55:00 +0000 2014
>Originator:     David A. Holland
>Release:        NetBSD 6.99.47 (20140723)
>Organization:
>Environment:
System: NetBSD amberdon 6.99.47 NetBSD 6.99.47 (AMBERDON) #14: Wed Jul 23 02:12:28 EDT 2014  root@amberdon:/usr/src/sys/arch/amd64/compile/AMBERDON amd64
Architecture: x86_64
Machine: amd64
>Description:

After updating a couple days ago, /etc/security decided it needed to
start tracking /var/log/authlog, and now every night (well, one so far
but it will continue until stopped) I get this spam in the daily
insecurity output:

   ======
   /var/log/authlog diffs (OLD < > NEW)
   ======
   [changes omitted]

Routine chatter that needs to be ignored is bad for security
monitoring; also, as this will frequently be the difference between
getting output from /etc/security and not getting any, it's
particularly irritating.

This needs to be fixed before -7 goes out.

Also, while accumulating copies of authlog in /var/backups might have
some merit, it shouldn't be done by default and has the potential to
consume a lot of disk space over time.

>How-To-Repeat:

Nothing special.

>Fix:

I dunno. I'm not sure what happened; it appears that the file got
added to the list of things tracked because it's in etc/mtree/special;
but it's been there for a long time. The trigger for the behavior
appears to have been adding "nodiff" to the mtree entry, in -r1.147,
but on the face of it, it seems like there must be a bug in
/etc/security for this to prompt tracking the file.

There's also a question of whether and how to clean up the leftover
/var/backups/log/authlog.current{,\,v} arising from this bug.


