Security Basics mailing list archives
tripwire log checking
From: Dolf Andringa <dolf.andringa () elcyon nl>
Date: Thu, 29 Jan 2009 11:00:00 +0100
Hey all,

From a security point of view it is wise I think to know that nobody has messed with the logs on a linux machine, because hackers often try to remove any evidence of their presence. So tripwire, which I use to keep an eye on file modifications, watches my /var/log folder for changes (which it does by default on Ubuntu Hardy Heron server edition). But due to log rotation and additions to my logs, tripwire keeps complaining that files have been added and modified. Of course tripwire says that, since after every log rotation files are moved around (/var/log/syslog -> /var/log/syslog.0, syslog.0 -> syslog.1.gz, etc.). So, my question is, do other people check their logs for integrity, and if so, how?
Cheers, Dolf.
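One way to get the check the question asks for without the rotation noise, as an added example that is not part of the original post or of tripwire: treat rotated files as immutable and the active log as append-only, baseline each file as its size plus the hash of that many leading bytes, and only flag a file when it shrinks or its recorded prefix changes. It assumes GNU coreutils (sha256sum, head -c), syslog-style file names, and that the baseline is rebuilt right after each rotation (all assumptions).

```shell
#!/bin/sh
# Added example, not from the original post or from tripwire. Rotated files
# (syslog.0, syslog.1.gz, ...) never change once rotated and the active file
# should only grow, so each file is baselined as "<path> <size> <sha256 of its
# first <size> bytes>": appends keep that hash stable, edits/truncation do not.
# Assumes GNU coreutils (sha256sum, head -c) and syslog-style names.

LOGDIR="${LOGDIR:-/var/log}"                      # directory holding the logs
BASELINE="${BASELINE:-/var/lib/logbaseline.txt}"  # keep this file under tripwire's watch

# sha256 of the first $2 bytes of file $1
prefix_hash() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Rebuild the baseline. Run right after each rotation (e.g. from a logrotate
# postrotate script); rotation renames files and would otherwise look like truncation.
record_baseline() {
    : > "$BASELINE"
    for f in "$LOGDIR"/syslog "$LOGDIR"/syslog.*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$f" "$size" "$(prefix_hash "$f" "$size")" >> "$BASELINE"
    done
}

# Check every baselined file: it must exist, must not have shrunk, and its first
# <size> bytes must still hash the same. Returns 0 only when nothing was touched.
verify_baseline() {
    rc=0
    while read -r path size hash; do
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"; rc=1; continue
        fi
        now=$(wc -c < "$path" | tr -d ' ')
        if [ "$now" -lt "$size" ]; then
            echo "TRUNCATED $path ($size -> $now bytes)"; rc=1; continue
        fi
        if [ "$(prefix_hash "$path" "$size")" != "$hash" ]; then
            echo "MODIFIED  $path (content within the first $size bytes changed)"; rc=1
        fi
    done < "$BASELINE"
    return "$rc"
}

case "${1:-}" in
    record) record_baseline ;;
    verify) verify_baseline ;;
esac
```

The baseline file is only as trustworthy as its storage, so point tripwire at it (or copy it off the host) rather than leaving it next to the logs it protects.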