[Aide] Non-hash and "growing log" Integrity Checking

Richard van den Berg richard at vdberg.org
Sat Sep 2 23:28:27 EEST 2006


gentuxx wrote:
> I tried subscribing to this (dev) list, but didn't realize it was
> moderated for non-members. 

Yeah, that's a result of the list being flooded with spam otherwise. You
could simply subscribe, ask your question, and unsubscribe.. it's a
simple process.

> Naturally, as events are added to the Windows Event log, the MD5 hash
> will change (so would SHA1 or any other one-way hash AFAIK).  Aside from
> the obvious, I have reasons for wanting to verify the integrity of these
> files.
> 
> I know that AIDE handles these sorts of things, and I was wondering if
> any of the development team might be willing/able to talk (from a
> logical perspective) about how AIDE is able to verify the integrity of a
> file in these types of situations.

AIDE doesn't really have anything special built in for this. All that
AIDE does is check that various attributes of a file did not change. For
a growing (non-rotating) log file, you could check for:

permissions
inode
number of links
user
group
growing size

The latest versions of AIDE have a special check that ignores the
renaming of a file (it will check a file by inode number instead) so
that rotating log files can be tracked. However, I'm not convinced this
can be used in a practical way.

If you are coding your own app, and find this important enough, you
could calculate MD5 and SHA1 for the file and record the size of the
file (n), and next time around recalculate those hashes for only the
first n bytes of that file. Then store the MD5 and SHA1 for the whole
file again, and so on. Of course this only makes sense for ever growing
files. I am not sure if the event log is limited in size (if so, the
first n bytes will change over time).

Sincerely,

Richard van den Berg
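
The prefix-hash scheme described in the message above, sketched as an added example (not part of the original post and not AIDE code). The function names, status strings and sample log lines are constructed for illustration.

```python
import hashlib, os, tempfile

def prefix_digests(path, length):
    """MD5 and SHA1 over the first `length` bytes of `path`."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        while length > 0 and (chunk := fh.read(min(65536, length))):
            md5.update(chunk)
            sha1.update(chunk)
            length -= len(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def snapshot(path):
    """Record size n and both hashes of the whole file as it is now."""
    size = os.path.getsize(path)
    md5, sha1 = prefix_digests(path, size)
    return {"size": size, "md5": md5, "sha1": sha1}

def verify_and_update(path, base):
    """Re-hash only the first n recorded bytes; re-baseline if they match."""
    if os.path.getsize(path) < base["size"]:
        return "shrunk", base            # truncated, rotated or size-limited
    if prefix_digests(path, base["size"]) != (base["md5"], base["sha1"]):
        return "prefix-modified", base   # previously recorded bytes changed
    return "ok", snapshot(path)          # only appended: store new n and hashes

def demo():
    """Constructed sample log: append, then edit old bytes, then truncate."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "app.log")
        with open(log, "wb") as fh:
            fh.write(b"01 service start\n02 login alice\n")
        base = snapshot(log)
        with open(log, "ab") as fh:
            fh.write(b"03 login bob\n")              # normal growth
        status, base = verify_and_update(log, base)
        results.append(status)
        with open(log, "r+b") as fh:
            fh.seek(26)
            fh.write(b"carol")                       # same size, old bytes differ
        results.append(verify_and_update(log, base)[0])
        os.truncate(log, 10)                         # file got shorter
        results.append(verify_and_update(log, base)[0])
    return results

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the stored baseline, so keep it somewhere the monitored host cannot rewrite.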

