Security Basics mailing list archives

Re: tripwire log checking


From: support () la-samhna de
Date: 30 Jan 2009 16:02:37 -0000

> So, my question is, do other people check their
> logs for integrity, and if so, how?

Checking log files is a difficult task. Ideally, what you want to verify for a growing (append-only) logfile is:

(1) that the part of the logfile that was there at the last check has not changed, i.e. that only appends did happen, and

(2) that a rotated logfile has the same - maybe gzipped - content as the one just prior to rotation (e.g. 'syslog.0' after rotation equals 'syslog' before rotation).

Handling (2) is probably only possible if log rotation were done by the file integrity checker itself (don't know any 
that does). Otherwise you have to either configure the file checker to ignore rotated logs, or live with the reports.

I've no idea whether tripwire enterprise can do (1), but I'm pretty sure the free version can't. But (as pointed out by 
Steve Johnston) there's a template for growing logfiles that ignores checksums and all else that may change for an 
append-only file. However, that implies that no alert will be raised if e.g. an intruder deletes 100 bytes and syslog 
then adds at least 100 more, making the total size equal to or larger than before the deletion.

Of course, you could also just chattr +a the logfiles, drop CAP_LINUX_IMMUTABLE at boot, and forgo log rotation.

Competing interests statement: I'm the author of samhain.
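One way to implement check (1) from the post, as an added example that is not part of the original message or of samhain: record the size and a digest of the file at each run, and on the next run re-hash only the bytes that existed before, so a delete-then-append that leaves the file as large as before is still caught. File names, log lines and the state dict are constructed for the demonstration.

```python
# Added example: prefix-digest check for an append-only logfile (not samhain code).
import hashlib
import os
import pathlib
import tempfile

def hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of the file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while length > 0:
            chunk = f.read(min(65536, length))
            if not chunk:  # file shorter than recorded: raced with a truncation
                break
            h.update(chunk)
            length -= len(chunk)
    return h.hexdigest()

def check_append_only(path, state):
    """Compare against the state {'size', 'sha256'} recorded at the last run.
    Returns (verdict, new_state); verdict is 'baseline', 'ok', 'truncated' or 'prefix modified'."""
    size = os.path.getsize(path)
    new_state = {"size": size, "sha256": hash_prefix(path, size)}
    if state is None:
        return "baseline", new_state
    if size < state["size"]:
        return "truncated", new_state
    # Re-hash only the bytes that existed last time: a size-preserving delete-then-append still changes this.
    if hash_prefix(path, state["size"]) != state["sha256"]:
        return "prefix modified", new_state
    return "ok", new_state

def demo():
    """Constructed scenario: baseline, a legitimate append, then the post's
    delete-then-append case (file ends up larger, yet the old prefix changed)."""
    line1 = b"Jan 30 16:02:37 host sshd[100]: session opened for alice\n"
    line2 = b"Jan 30 16:03:01 host sshd[101]: session opened for bob\n"
    filler = b"Jan 30 16:05:00 host cron[102]: job finished\n" * 3
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        log = pathlib.Path(d, "syslog")
        log.write_bytes(line1)
        verdict, state = check_append_only(log, None)
        verdicts.append(verdict)
        log.write_bytes(line1 + line2)   # syslog appends a line: prefix intact
        verdict, state = check_append_only(log, state)
        verdicts.append(verdict)
        log.write_bytes(line2 + filler)  # first line removed, more appended; file is now larger
        verdicts.append(check_append_only(log, state)[0])
    return verdicts
```

A size-and-mtime-only rule (the growing-logfile template mentioned above) would report the third step as a normal append; the prefix digest reports it as a modification.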

