Re: tripwire log checking
- From: Gustavo Castro <gcastrop@xxxxxxxxx>
- Date: Fri, 30 Jan 2009 13:40:55 -0200
Dolf,
It is almost impossible to assure the integrity of a log file. Any good
cracker can easily play with any log file unnoticeably. The best way
to avoid tampering is to use a secure remote syslog or remote storage
system to send the logs to. Any local security measure (even tripwire)
will not be reliable in all conditions.
2009/1/29 Dolf Andringa <dolf.andringa@xxxxxxxxx>:
> Hey all,
> From a security point of view it is wise I think to know that nobody has
> messed with the logs on a linux machine, because hackers often try to remove
> any evidence of their presence. So tripwire, which I use to keep an eye on
> file modifications, watches my /var/log folder for changes (which it does by
> default on Ubuntu Hardy Heron server edition). But due to logrotation and
> additions to my logs, tripwire keeps complaining that files have been added
> and modified. Of course tripwire says that since after every logrotation,
> files are moved around (/var/log/syslog->/var/log/syslog.0,
> syslog.0->syslog.1.gz, etc).
> So, my question is, do other people check their logs for integrity, and if
> so, how?
> Cheers,
> Dolf.
--
Saludos,
Gustavo Castro Puig.
E-Mail: gcastrop@xxxxxxxxx
LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342
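The remote syslog setup Gustavo recommends, written out as an added example that is not part of the thread: a sender forwards every message to a log host over TCP with TLS and a disk-backed queue, so an intruder who later gains root on the sender can stop future forwarding but cannot quietly rewrite what already left the box. It assumes rsyslog (not the sysklogd that Hardy shipped with), a host called loghost.example.internal, the certificate paths shown, and the hypothetical file names in the comments; all of these are placeholders for your own environment.

```conf
# --- Sender: /etc/rsyslog.d/50-forward.conf (hypothetical path) ---
# Certificates and a CA you control; the peer name must match the loghost cert.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/sender-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/sender-key.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer loghost.example.internal

# Buffer to disk while the loghost is unreachable instead of dropping messages;
# retry forever and flush the queue on shutdown so nothing is silently lost.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Forward everything; @@ means TCP (a single @ would be unreliable UDP).
*.* @@loghost.example.internal:514

# --- Receiver: /etc/rsyslog.d/10-receive.conf on loghost (hypothetical path) ---
# Only senders presenting a certificate from our CA are accepted.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/loghost-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/loghost-key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.internal
$InputTCPServerRun 514

# Keep each sender's copy separate so a local edit on the sender can be
# spotted by comparing against what the loghost recorded.
$template PerHost,"/var/log/remote/%HOSTNAME%/syslog"
*.* ?PerHost
```

The loghost should accept only the syslog port and admin access from a separate account, since it is now the copy you trust. On the sender, the local /var/log still triggers tripwire after every rotation; the sample twpol.txt shipped with tripwire defines a SEC_LOG rule built from the $(Growing) property mask for exactly this kind of append-only file, but renamed and gzipped rotations will still show up as added files, which is why the comparison against the remote copy is the check that actually matters.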