Re: syslog idea
Howard the Energizer (bampton@cs.utk.edu)
Mon, 10 Oct 1994 13:25:01 -0400
In a message posted Monday, October 10 Paul Howell writes:
>
> Fred Blonder writes:
> > The limitation of Tripwire in this application is that log files are
> > ALWAYS (well, almost) changing, so if Tripwire raised the alarm on a
> > logfile, your reaction should be: "So what?". ;-)
>
> I thought that tripwire would report if the log file got smaller,
> an indication that someone is removing records, yes?
>
> At least that seems like a reasonable thing to me.

I think the point was that a hacker could replace your 200KB log file
that shows his activities with a 201KB (or whatever) one that is
garbage (or has been edited a bit). Tripwire will miss this.

If you have a program that checksums the file up to byte XXXX,
compares that to what it was, then checksums it up to its current size
(YYYY) which saves that value/size for the next run, you make it
harder for the hacker to replace your logs. [I think this has been
mentioned in this thread, however]

Howard Bampton
Internet: bampton@cs.utk.edu
"The man without love gives no hostages to fortune." -- Black Omne
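
Added example, not part of the original message: a Python sketch of the prefix-checksum check described above, run over a constructed log. SHA-256, the JSON state file and the function names are assumptions of this example.

```python
import hashlib
import json
import os
import tempfile


def prefix_digest(path, length):
    """SHA-256 over the first `length` bytes (read into memory in one go)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()


def check_log(path, state_path):
    """Return 'baseline', 'ok', 'truncated' or 'modified' for this run."""
    size = os.path.getsize(path)
    if os.path.exists(state_path):
        with open(state_path) as f:
            prev = json.load(f)  # size XXXX and checksum saved by the last run
        if size < prev["size"]:
            return "truncated"  # records removed; old state kept as evidence
        if prefix_digest(path, prev["size"]) != prev["digest"]:
            return "modified"  # old bytes changed, even though the file grew
        verdict = "ok"
    else:
        verdict = "baseline"
    # Checksum up to the current size (YYYY) and save it for the next run.
    with open(state_path, "w") as f:
        json.dump({"size": size, "digest": prefix_digest(path, size)}, f)
    return verdict


def demo():
    """Constructed log: first run, normal append, then a larger edited copy."""
    with tempfile.TemporaryDirectory() as d:
        log, state = os.path.join(d, "messages"), os.path.join(d, "state.json")
        line1 = b"Oct 10 13:01:02 host login: ROOT LOGIN ttyp3\n"
        line2 = b"Oct 10 13:05:10 host su: bob to root\n"
        edited = line1.replace(b"ROOT LOGIN", b"login bob ") + line2 + b"padding\n"
        results = []
        for content in (line1, line1 + line2, edited):
            with open(log, "wb") as f:
                f.write(content)
            results.append(check_log(log, state))
        return results
```

The saved state has to live where an intruder cannot rewrite it (another host or read-only media), or it can be replaced along with the log. Legitimate log rotation shows up as 'truncated' and needs the baseline reset by hand.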