Security Basics mailing list archives
Re: tripwire log checking
From: Gustavo Castro <gcastrop () gmail com>
Date: Fri, 30 Jan 2009 13:40:55 -0200
Dolf,

It is almost impossible to assure the integrity of a log file. Any good cracker can easily play with any log file unnoticeably. The best way to avoid tampering is to use a secure remote syslog or remote storage system to send the logs to. Any local security measure (even tripwire) will not be reliable in all conditions.

2009/1/29 Dolf Andringa <dolf.andringa () elcyon nl>:
> Hey all,
>
> From a security point of view it is wise, I think, to know that nobody has messed with the logs on a Linux machine, because hackers often try to remove any evidence of their presence. So tripwire, which I use to keep an eye on file modifications, watches my /var/log folder for changes (which it does by default on Ubuntu Hardy Heron server edition). But due to log rotation and additions to my logs, tripwire keeps complaining that files have been added and modified. Of course tripwire says that, since after every log rotation files are moved around (/var/log/syslog -> /var/log/syslog.0, syslog.0 -> syslog.1.gz, etc.).
>
> So, my question is, do other people check their logs for integrity, and if so, how?
>
> Cheers,
> Dolf.
--
Saludos,
Gustavo Castro Puig.
E-Mail: gcastrop () gmail com
LPI Level-1 Certified (https://www.lpi.org/es/verify.html LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o? K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++ D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342
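The thread leaves Dolf's practical question open: how to tell a legitimately growing or rotated log from a tampered one, which is exactly what a file-hash tool like tripwire cannot do on /var/log. The script below is an added example written for this archive page, not code from either poster; the log lines it checks are constructed sample data. It treats a log as append-only: the baseline records the trusted length and SHA-256, a later copy passes only if its old prefix still hashes to the same value, and after logrotate the rotated file (plain or gzip-compressed) must hash to exactly the last trusted state. Gustavo's caveat still applies: an attacker with root can also rewrite the baseline, so the baseline file must live off-host (remote syslog, or a collector that pulls both the log and these digests).

```python
"""Append-only integrity check for logs that grow and get rotated.

Illustrative example, not taken from the mailing-list thread.
Baselines are plain dicts here; in practice store them off-host.
"""
import gzip
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def baseline(data: bytes) -> dict:
    """Record the trusted state of a log: its length and the hash of that length."""
    return {"size": len(data), "sha256": digest(data)}


def verify_growth(data: bytes, base: dict) -> str:
    """Classify the live log file against its baseline.

    'unchanged' - byte-for-byte identical to the baseline
    'appended'  - trusted prefix intact, new bytes added at the end (normal)
    'truncated' - shorter than the baseline (lines were removed)
    'modified'  - same length or longer, but the trusted prefix no longer matches
    """
    if len(data) < base["size"]:
        return "truncated"
    # Only the first base["size"] bytes are covered by the trusted hash.
    if digest(data[: base["size"]]) != base["sha256"]:
        return "modified"
    return "unchanged" if len(data) == base["size"] else "appended"


def verify_rotation(rotated: bytes, base: dict, compressed: bool = False) -> bool:
    """After logrotate, the rotated copy must equal the last trusted state exactly.

    logrotate may gzip older generations (syslog.1.gz), so decompress first
    and compare the original bytes, not the archive.
    """
    if compressed:
        rotated = gzip.decompress(rotated)
    return len(rotated) == base["size"] and digest(rotated) == base["sha256"]


# Constructed sample log content (not real system output).
LOG_V1 = b"Jan 29 10:00:01 host sshd[123]: Accepted publickey for dolf from 10.0.0.5\n"
LOG_V2 = LOG_V1 + b"Jan 29 10:05:22 host sudo: dolf : TTY=pts/0 ; COMMAND=/bin/ls\n"
# Same length as LOG_V2, but the first (already trusted) line was edited in place.
TAMPERED = LOG_V2.replace(b"for dolf", b"for root")

BASE_V1 = baseline(LOG_V1)
BASE_V2 = baseline(LOG_V2)


def demo() -> dict:
    """Run every case once; returns the verdicts so they can be inspected or tested."""
    return {
        "unchanged": verify_growth(LOG_V1, BASE_V1),
        "appended": verify_growth(LOG_V2, BASE_V1),
        "truncated": verify_growth(LOG_V1[:20], BASE_V1),
        "modified": verify_growth(TAMPERED, BASE_V1),
        # logrotate moved syslog -> syslog.0 and gzipped it: still the trusted bytes.
        "rotation_ok": verify_rotation(gzip.compress(LOG_V2), BASE_V2, compressed=True),
        # A rotated file that does not match what we last trusted.
        "rotation_bad": verify_rotation(gzip.compress(LOG_V1), BASE_V2, compressed=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

Run it after each logrotate cycle: take a fresh baseline of the new, empty /var/log/syslog, and verify the just-rotated syslog.0 against the previous baseline. The prefix-hash check is what tripwire's whole-file hash lacks, and it is why a normal append never raises an alarm while an in-place edit of old lines always does.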