Security Basics mailing list archives

Re: tripwire log checking


From: Gustavo Castro <gcastrop () gmail com>
Date: Fri, 30 Jan 2009 13:40:55 -0200

Dolf,

  It is almost impossible to assure the integrity of a log file. Any good
cracker can easily play with any log file unnoticeably. The best way
to avoid tampering is using a secure remote syslog or remote storage
system to send the logs to. Any local security measure (even tripwire)
will not be reliable in all conditions.

2009/1/29 Dolf Andringa <dolf.andringa () elcyon nl>:
> Hey all,
>
> From a security point of view it is wise, I think, to know that nobody has
> messed with the logs on a Linux machine, because hackers often try to remove
> any evidence of their presence. So tripwire, which I use to keep an eye on
> file modifications, watches my /var/log folder for changes (which it does by
> default on Ubuntu Hardy Heron server edition). But due to log rotation and
> additions to my logs, tripwire keeps complaining that files have been added
> and modified. Of course tripwire says that, since after every log rotation
> files are moved around (/var/log/syslog->/var/log/syslog.0,
> syslog.0->syslog.1.gz, etc).
> So, my question is, do other people check their logs for integrity, and if
> so, how?
> Cheers,
>
> Dolf.
-- 
Saludos,
     Gustavo Castro Puig.
     E-Mail: gcastrop () gmail com

LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342
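The reply above argues that only an off-box anchor makes a log trustworthy. The following added example (written for this archive page; it is not code from either poster and not part of tripwire, rsyslog or any other tool) shows why in working code: every log line carries an HMAC over the previous line's tag, so a verifier holding the key can detect edits, deletions and reordering anywhere in the file. The names, the tab-separated line layout, the sample syslog lines and the key are all constructed for the demonstration. It also shows the two points the thread raises: truncating a file from the end is only caught when the verifier knows the last tag the collector received (so the anchor must live on the remote side), and a rotated file (syslog -> syslog.0) does not register as tampering if the new file simply continues the chain from the old file's last tag.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment this key is held only by the
# remote collector, so an intruder on the logging host cannot recompute tags
# after editing a file. (Assumption for this example, not a claim about any tool.)
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # "previous tag" used for the first entry of the very first file


def _tag(prev_tag, message, key):
    """HMAC-SHA256 over the previous tag and this message: one chain link."""
    return hmac.new(key, f"{prev_tag}\n{message}".encode(), hashlib.sha256).hexdigest()


def append_entry(lines, message, key=COLLECTOR_KEY, prev_tag=None):
    """Append one 'message<TAB>tag' line to the list and return the list.

    prev_tag is normally taken from the last line; pass it explicitly when a
    freshly rotated file must continue the chain of the file it replaced."""
    if prev_tag is None:
        prev_tag = lines[-1].rsplit("\t", 1)[1] if lines else GENESIS
    lines.append(f"{message}\t{_tag(prev_tag, message, key)}")
    return lines


def verify_file(lines, key=COLLECTOR_KEY, prev_tag=GENESIS, checkpoint=None):
    """Walk the chain and return (ok, detail).

    ok is False if any line was modified, reordered, inserted or deleted.
    Truncation at the end is only detected when checkpoint (the last tag the
    collector received) is supplied: that is why the anchor must live off-box."""
    for i, line in enumerate(lines):
        try:
            message, tag = line.rsplit("\t", 1)
        except ValueError:
            return False, f"line {i}: malformed"
        if not hmac.compare_digest(_tag(prev_tag, message, key), tag):
            return False, f"line {i}: chain broken"
        prev_tag = tag
    if checkpoint is not None and not hmac.compare_digest(prev_tag, checkpoint):
        return False, "file ends before the collector's checkpoint (truncated?)"
    return True, prev_tag


def demo():
    """Build a small chained log from constructed syslog lines and tamper with it."""
    messages = [  # constructed sample lines, not from a real host
        "Jan 29 10:00:01 host sshd[123]: Accepted publickey for dolf from 10.0.0.5",
        "Jan 29 10:00:07 host sudo: dolf : TTY=pts/0 ; COMMAND=/bin/bash",
        "Jan 29 10:05:42 host sshd[987]: Accepted password for root from 10.0.0.9",
    ]
    syslog = []
    for m in messages:
        append_entry(syslog, m)
    checkpoint = syslog[-1].rsplit("\t", 1)[1]  # what the collector would have stored

    results = {"intact": verify_file(syslog, checkpoint=checkpoint)[0]}

    edited = list(syslog)  # a line is rewritten in place
    edited[2] = edited[2].replace("for root", "for dolf")
    results["edited"] = verify_file(edited)[0]

    deleted = syslog[:1] + syslog[2:]  # a middle line is removed
    results["deleted"] = verify_file(deleted)[0]

    truncated = syslog[:2]  # the last line is chopped off
    results["truncated_no_checkpoint"] = verify_file(truncated)[0]
    results["truncated_with_checkpoint"] = verify_file(truncated, checkpoint=checkpoint)[0]

    # Rotation: syslog -> syslog.0; the new file's first entry links to the old
    # file's last tag, so the rotation itself is not reported as tampering.
    syslog_new = append_entry([], "Jan 30 06:25:01 host CRON[55]: rotated", prev_tag=checkpoint)
    results["rotated"] = verify_file(syslog_new, prev_tag=checkpoint)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} {'passes' if ok else 'tampering detected'}")
```

Running it shows every in-file change caught, the truncated file passing when checked without the collector's checkpoint and failing with it, and the rotated file verifying cleanly. The design choice that matters is where the key and the checkpoint live: with both on the logging host, the scheme degrades to exactly the local-only checking the reply warns against.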