Security Basics mailing list archives
Re: tripwire log checking
From: Vitaly Nikolaev <vnikolaev () unison com>
Date: Thu, 29 Jan 2009 21:47:37 -0500
The best thing would be logging to a remote "secure" server. A hacker, once logged in to the server, will most likely modify the current syslog file (not a rotated one), which is constantly growing. I am not sure tripwire can detect changes in this case. (Not sure about the enterprise version, but it sounds complicated; does it do frequent checksums for portions of the file?)
On Jan 29, 2009, at 12:15 PM, Steve Johnston wrote:
Hey dolf,

What you want to do is use the growing criteria set. This criteria set is used to verify that logs have not been modified. Another option is to use conditional actions to auto promote added and removed files but alert on log file changes. I'm assuming you are using tripwire enterprise. Let me know if I can help.

Thank you,
Steve Johnston

----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Thu Jan 29 02:00:00 2009
Subject: tripwire log checking

Hey all,

From a security point of view it is wise I think to know that nobody has messed with the logs on a linux machine, because hackers often try to remove any evidence of their presence. So tripwire, which I use to keep an eye on file modifications, watches my /var/log folder for changes (which it does by default on Ubuntu Hardy Heron server edition). But due to logrotation and additions to my logs, tripwire keeps complaining that files have been added and modified. Of course tripwire says that since after every logrotation, files are moved around (/var/log/syslog->/var/log/syslog.0, syslog.0->syslog.1.gz, etc). So, my question is, do other people check their logs for integrity, and if so, how?

Cheers,
Dolf.
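The "growing log" check that the thread circles around (Steve's growing criteria set, and Vitaly's question of whether portions of the file get checksummed) can be illustrated with a small append-only checker. This is an added example written for this archive page, not code from the thread or from Tripwire: it assumes a baseline stores the size and a hash of the log as first seen, and that logrotate's rename leaves the old content in a file such as syslog.1; the file names and log lines are constructed.

```python
import hashlib
import os
import tempfile

def hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of `path`; also returns how many bytes were read."""
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest(), length - remaining

def baseline(path):
    """Record the size and hash of the log as it is now (what a tripwire database entry holds)."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)[0]}

def check_growing(path, base, rotated=None):
    """Classify the log against its baseline: 'ok', 'modified', 'rotated' or 'truncated'.
    A growing log may only gain bytes; the prefix the baseline covered must hash the same."""
    if os.path.getsize(path) < base["size"]:
        # Shrank: either logrotate moved the old content to `rotated`, or it was truncated.
        if rotated and os.path.exists(rotated):
            digest, got = hash_prefix(rotated, base["size"])
            if got == base["size"] and digest == base["sha256"]:
                return "rotated"
        return "truncated"
    return "ok" if hash_prefix(path, base["size"])[0] == base["sha256"] else "modified"

def demo():
    """Constructed scenario: a fake syslog is appended to, edited in place, then rotated."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log, rotated = os.path.join(d, "syslog"), os.path.join(d, "syslog.1")
        first = b"Jan 29 02:00:00 host sshd[1]: Accepted publickey for dolf\n"
        with open(log, "wb") as f:
            f.write(first)
        base = baseline(log)
        with open(log, "ab") as f:  # normal growth: new line appended
            f.write(b"Jan 29 02:05:00 host sudo: dolf : TTY=pts/0\n")
        results["append"] = check_growing(log, base)
        with open(log, "r+b") as f:  # same size, but an earlier line altered
            f.write(first.replace(b"dolf", b"root"))
        results["edit"] = check_growing(log, base)
        with open(log, "r+b") as f:  # undo the edit before rotating
            f.write(first)
        os.rename(log, rotated)  # what logrotate does, then a fresh file starts
        with open(log, "wb") as f:
            f.write(b"Jan 30 00:00:00 host rsyslogd: log rotated\n")
        results["rotate"] = check_growing(log, base, rotated)
        results["shrink_unexplained"] = check_growing(log, base)
    return results
```

Only the bytes the baseline already covered are re-hashed, so appended lines never trigger an alert, while an in-place edit or an unexplained shrink does; after a rotation the baseline must be re-taken against the new file.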