Security Basics mailing list archives

Re: tripwire log checking


From: Steve Johnston <sjohnston () tripwire com>
Date: Thu, 29 Jan 2009 09:15:28 -0800

Hey dolf,
What you want to do is use the growing criteria set. This criteria set is used to verify that logs have not been modified.
Another option is to use conditional actions to auto-promote added and removed files but alert on log file changes.

I'm assuming you are using Tripwire Enterprise.

Let me know if I can help

Thank you, 
Steve Johnston



----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Thu Jan 29 02:00:00 2009
Subject: tripwire log checking

Hey all,

From a security point of view it is wise, I think, to know that nobody
has messed with the logs on a Linux machine, because hackers often try
to remove any evidence of their presence. So tripwire, which I use to
keep an eye on file modifications, watches my /var/log folder for
changes (which it does by default on Ubuntu Hardy Heron server edition).
But due to log rotation and additions to my logs, tripwire keeps
complaining that files have been added and modified. Of course tripwire
says that, since after every log rotation files are moved around
(/var/log/syslog -> /var/log/syslog.0, syslog.0 -> syslog.1.gz, etc.).
So, my question is, do other people check their logs for integrity, and
if so, how?
Cheers,

Dolf.
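An added example of the "growing file" idea applied to Dolf's logrotate problem. This is illustration code written for this archive page; it is not Tripwire's implementation and not code from either poster. Instead of hashing the whole file (which changes on every appended line), it records the byte length and the SHA-256 of the content seen so far, and on the next run accepts the file only if it still starts with exactly those bytes. When the prefix is gone, it looks for the old content at the head of a rotated copy (the `.0`, `.1`, `.1.gz` names are an assumption about logrotate's naming) before raising an alert, so a rotation is reported as "rotated" rather than as tampering, while an in-place edit or truncation is still caught. The log lines, host names and the 203.0.113.5 address in `demo()` are constructed for the demonstration.

```python
"""Append-only ("growing file") integrity check for rotated logs.

Example code added to this mailing-list page; not Tripwire's code and
not from either poster. Per log it keeps {size, sha256(first size bytes)}.
A log passes if it still begins with that exact prefix (it may have
grown). If the prefix is gone, the old content is searched for at the
head of a rotated copy; only if it is nowhere is the change an ALERT.
"""
import gzip
import hashlib
import os
import tempfile

# Assumed logrotate naming for the previous generation of a log.
ROTATED_SUFFIXES = (".0", ".1", ".1.gz")


def _prefix_digest(path, length, opener=open):
    """SHA-256 of the first `length` bytes of `path`, or None if shorter."""
    h = hashlib.sha256()
    remaining = length
    with opener(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                return None
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path):
    """Record what has been seen of `path` so far."""
    size = os.path.getsize(path)
    return {"size": size, "digest": _prefix_digest(path, size)}


def check(path, base):
    """Return (status, new_baseline).

    "ok"      : the old prefix is intact; the file only grew (or is unchanged)
    "rotated" : the old content now heads a rotated copy; current file re-baselined
    "ALERT"   : the old content is neither in place nor in any rotated copy
    """
    if os.path.exists(path):
        size = os.path.getsize(path)
        if size >= base["size"] and \
                _prefix_digest(path, base["size"]) == base["digest"]:
            return "ok", baseline(path)
    # Prefix lost in place: was the file rotated rather than edited?
    for suffix in ROTATED_SUFFIXES:
        cand = path + suffix
        if not os.path.exists(cand):
            continue
        opener = gzip.open if cand.endswith(".gz") else open
        if _prefix_digest(cand, base["size"], opener) == base["digest"]:
            new_base = baseline(path) if os.path.exists(path) else base
            return "rotated", new_base
    return "ALERT", base


def demo():
    """Constructed scenario: append, rotate, append, then tamper in place."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "syslog")
        with open(log, "wb") as f:
            f.write(b"Jan 29 02:00:00 host sshd[1]: Accepted publickey for dolf\n")
        base = baseline(log)

        # 1. Normal growth: a line is appended.
        with open(log, "ab") as f:
            f.write(b"Jan 29 02:05:00 host sshd[1]: session opened for dolf\n")
        status, base = check(log, base)
        results.append(status)

        # 2. logrotate: syslog -> syslog.0, fresh syslog started.
        os.rename(log, log + ".0")
        with open(log, "wb") as f:
            f.write(b"Jan 29 03:00:00 host CRON[2]: (root) CMD (logrotate)\n")
        status, base = check(log, base)
        results.append(status)

        # 3. More growth on the new file (constructed failed-login line).
        with open(log, "ab") as f:
            f.write(b"Jan 29 03:10:00 host sshd[1]: Failed password for root "
                    b"from 203.0.113.5\n")
        status, base = check(log, base)
        results.append(status)

        # 4. Tampering: the file is rewritten with the failed-login line removed.
        with open(log, "wb") as f:
            f.write(b"Jan 29 03:00:00 host CRON[2]: (root) CMD (logrotate)\n")
        status, base = check(log, base)
        results.append(status)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it after each logrotate cycle (or from the same cron slot, a minute later) and persist the baseline dict somewhere the log writer cannot reach; the check only proves the content seen at the last run is still there, so the interval between runs is the window an attacker has to trim a line before it is baselined.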

