Re: tripwire log checking

[Vitaly Nikolaev <vnikolaev () unison com>]

The best thing would be logging to remote "secure" server. Hacker,  
when login to the server, will most likely modify current file syslog  
file (not rotated one), which is constantly growing. I am not sure  
tripwire can detect changes in this case. (not sure about enterprise  
version, but it sounds complicated, does it do frequent checksums for  
portions of the file?)








On Jan 29, 2009, at 12:15 PM, Steve Johnston wrote:

> Hey dolf,
> What you want to do is use the growing criteria set. This criteria  
> is used to verify that logs have not been modified. Another option  
> is to use conditional actions to auto promote added and removed  
> files but alert on log file changes.
>
> I'm assuming you are using tripwire enterprise.
>
> Let me know if I can help
>
> Thank you,
> Steve Johnston
>
>
>
> ----- Original Message -----
> From: listbounce () securityfocus com <listbounce () securityfocus com>
> To: security-basics () securityfocus com <security-basics () securityfocus com 
> >
> Sent: Thu Jan 29 02:00:00 2009
> Subject: tripwire log checking
>
> Hey all,
>
> From a security point of view it is wise I think to know that nobody
> has messed with the logs on a linux machine, because hackers often try
> to remove any evidence of their presence. So tripwire, which I use to
> keep an eye on file modifications, watches my /var/log folder for
> changes (which it does by default on Ubuntu Hardy Heron server  
> edition).
> But due to logrotation and additions to my logs, tripwire keeps
> complaining that files have been added and modified. Of course  
> tripwire
> says that since after every logrotation, files are moved around
> (/var/log/syslog->/var/log/syslog.0, syslog.0->syslog.1.gz, etc).
> So, my question is, do other people check their logs for integrity,  
> and
> if so, how?
> Cheers,
>
> Dolf.