Bugtraq mailing list archives

Re: syslog idea


From: bampton () cs utk edu (Howard the Energizer)
Date: Mon, 10 Oct 1994 13:25:01 -0400


In a message posted Monday, October 10 Paul Howell writes:


Fred Blonder writes:
 > The limitation of Tripwire in this application is that log files are
 > ALWAYS (well, almost) changing, so if Tripwire raised the alarm on a
 > logfile, your reaction should be: "So what?".  ;-)

I thought that tripwire would report if the log file got smaller, 
an indication that someone is removing records, yes?

At least that seems like a reasonable thing to me.

I think the point was that a hacker could replace your 200KB log file
that shows his activities with a 201KB (or whatever) one that is
garbage (or been edited a bit). Tripwire will miss this.

If you have a program that checksums the file up to byte XXXX,
compares that to what it was, then checksums it up to its current size
(YYYY) which saves that value/size for the next run, you make it
harder for the hacker to replace your logs. [I think this has been
mentioned in this thread, however]


Howard Bampton                      "The man without love gives no hostages 
Internet: bampton () cs utk edu        to fortune." -- Black Omne
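The prefix-checksum scheme Howard sketches, as an added example that is not part of the original post: the checker records a log file's size and the hash of everything up to that size, and on the next run re-hashes only that old prefix. An honest append leaves the prefix intact, while a shrunken file or a same-or-larger replacement whose early bytes differ is flagged. The function names, the in-memory state dictionary and the sample log lines are all constructed for this demonstration; a real deployment would keep the saved (size, digest) pairs somewhere the host being monitored cannot overwrite, and would re-baseline at log rotation.

```python
import hashlib
import os
import tempfile

# Hypothetical helper names: hash_prefix, check_log and demo are not from the post.


def hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of the file at `path`."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def check_log(path, state):
    """Compare the file against the saved (size, digest) for it.

    state maps path -> {"size": int, "digest": str}.
    Returns (verdict, new_state). The saved baseline is only advanced when the
    file passed, so evidence of the last good state survives a tampering alarm.
    """
    size = os.path.getsize(path)
    prev = state.get(path)
    if prev is None:
        verdict = "baseline"             # first sighting: nothing to compare yet
    elif size < prev["size"]:
        verdict = "TRUNCATED"            # records were removed from the end
    elif hash_prefix(path, prev["size"]) != prev["digest"]:
        verdict = "PREFIX_MODIFIED"      # old bytes changed (edit or wholesale swap)
    else:
        verdict = "ok"                   # old prefix intact; only appended data is new
    new_state = dict(state)
    if verdict in ("ok", "baseline"):
        new_state[path] = {"size": size, "digest": hash_prefix(path, size)}
    return verdict, new_state


def demo():
    """Run the checker over a constructed log through append, swap and truncate."""
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages")
        state = {}
        # constructed sample log line
        with open(path, "wb") as f:
            f.write(b"Oct 10 13:25:01 host login: ROOT LOGIN ON tty1\n")
        v, state = check_log(path, state)
        verdicts.append(v)                           # baseline
        # honest append: prefix unchanged, size grows
        with open(path, "ab") as f:
            f.write(b"Oct 10 13:26:10 host sshd: session opened\n")
        v, state = check_log(path, state)
        verdicts.append(v)                           # ok
        # replacement that is one byte larger: a size-only check would pass it
        n = os.path.getsize(path)
        with open(path, "wb") as f:
            f.write(b"x" * (n + 1))
        v, state = check_log(path, state)
        verdicts.append(v)                           # PREFIX_MODIFIED
        # file shrinks below the last good size
        with open(path, "wb") as f:
            f.write(b"x" * 10)
        v, state = check_log(path, state)
        verdicts.append(v)                           # TRUNCATED
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The prefix digest must be recomputed with the saved size, not the current one, which is why the state stores both values. Because the check only protects bytes that existed at the previous run, the interval between runs bounds how much an attacker could rewrite unnoticed; shorter intervals and off-host storage of the state narrow that window.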


