Security Basics mailing list archives
Re: tripwire log checking
From: support () la-samhna de
Date: 30 Jan 2009 16:02:37 -0000
> So, my question is, do other people check their logs for integrity, and if so, how?
Checking log files is a difficult task. Ideally, what you want to verify for a growing (append-only) logfile is: (1) that the part of the logfile that was there at the last check has not changed, i.e. that only appends happened, and (2) that a rotated logfile has the same - maybe gzipped - content as the one just prior to rotation (e.g. 'syslog.0' after rotation equals 'syslog' before rotation).

Handling (2) is probably only possible if log rotation were done by the file integrity checker itself (I don't know of any that does). Otherwise you have to either configure the file checker to ignore rotated logs, or live with the reports.

I've no idea whether tripwire enterprise can do (1), but I'm pretty sure the free version can't. But (as pointed out by Steve Johnston) there's a template for growing logfiles that ignores checksums and all else that may change for an append-only file. However, that implies that no alert will be raised if e.g. an intruder deletes 100 bytes and syslog then adds at least 100 more, making the total size equal to or larger than before the deletion.

Of course, you could also just chattr +a the logfiles, drop CAP_LINUX_IMMUTABLE at boot, and forgo log rotation.

Competing interests statement: I'm the author of samhain.
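The two checks described in the post, (1) "only appends happened" and (2) "rotated file equals the pre-rotation content", as an added Python example that is not code from the post, from tripwire or from samhain. It keeps a {size, sha256} snapshot from the previous run (the caller is assumed to persist it somewhere the log writer cannot reach), hashes only the previously seen prefix to catch the delete-then-append case the size-only template misses, and compares a gzipped rotated file against the last snapshot; the log lines and file names in demo() are constructed.

```python
import gzip
import hashlib
import os
import tempfile

def digest_bytes(path, limit=None, opener=open):
    """SHA-256 of the first `limit` bytes (all if None); returns (hex, bytes_read)."""
    h, read = hashlib.sha256(), 0
    with opener(path, "rb") as f:  # opener=gzip.open for rotated .gz files
        while limit is None or read < limit:
            chunk = f.read(65536 if limit is None else min(65536, limit - read))
            if not chunk:
                break
            h.update(chunk)
            read += len(chunk)
    return h.hexdigest(), read

def check_append_only(path, prev):
    """Check (1). prev = {'size','sha256'} from the last run (None first time)."""
    size = os.path.getsize(path)
    if prev is None:
        return "baseline", {"size": size, "sha256": digest_bytes(path)[0]}
    if size < prev["size"]:
        return "TRUNCATED", prev  # file shrank: deletion or a rotation happened
    if digest_bytes(path, prev["size"])[0] != prev["sha256"]:
        # Old bytes removed/altered, later appends pushed the size back up:
        # exactly what a size-only 'growing file' rule cannot see.
        return "PREFIX_MODIFIED", prev
    return "ok", {"size": size, "sha256": digest_bytes(path)[0]}

def check_rotated(rotated_path, prev):
    """Check (2): rotated file (gunzipped if .gz) == last pre-rotation snapshot."""
    opener = gzip.open if rotated_path.endswith(".gz") else open
    digest, size = digest_bytes(rotated_path, opener=opener)
    return size == prev["size"] and digest == prev["sha256"]

def demo():
    # Constructed scenario: honest append, honest rotation, then a splice.
    d = tempfile.mkdtemp()
    log, rotated = os.path.join(d, "syslog"), os.path.join(d, "syslog.1.gz")
    rec1 = b"Jan 30 16:02:37 host sshd[1]: Accepted publickey for alice\n"
    rec2 = b"Jan 30 16:03:01 host sshd[2]: Accepted publickey for bob\n"
    with open(log, "wb") as f: f.write(rec1)
    _, snap = check_append_only(log, None)
    with open(log, "ab") as f: f.write(rec2)
    appended, snap = check_append_only(log, snap)
    with gzip.open(rotated, "wb") as g:  # logrotate-style: gzip the live log
        g.write(rec1 + rec2)
    rotated_ok = check_rotated(rotated, snap)
    with open(log, "wb") as f: f.write(rec2 + b"x" * 100 + b"\n")  # drop rec1, pad
    spliced, _ = check_append_only(log, snap)
    return appended, rotated_ok, spliced
```

A "TRUNCATED" verdict on the live log is the moment to run check_rotated() against the new syslog.0 or .gz, so an honest rotation and a deletion are told apart rather than both being reported.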