[Aide] Advanced Log Handling with aide 0.18

Hannes von Haugwitz hannes at vonhaugwitz.com
Thu Mar 2 21:55:57 EET 2023


Hi,

On Tue, Feb 28, 2023 at 07:13:04PM +0100, Marc Haber wrote:
> Here is my suggestion to handle this kind of log rotation:
>
> Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H
> /var/log/apache$ d p+u+g+ftype+n+i+X
> /var/log/apache/access\\.log$ f Full+growing+ANF+I
> /var/log/apache/access\\.log\\.1$ f Full+ARF
> /var/log/apache/access\\.log\\.2\\.gz$ f Full+I+ANF
> /var/log/apache/access\\.log\\.([3-9]|1[0-3])\\.gz$ f Full+I
> /var/log/apache/access\\.log\\.14\\.gz$ f Full+ARF
>
> This seems to work reasonably well for a few days, but I am not fully
> sure whether those rules can be improved. May I ask for your comments?

The rules look good for this use case.

To mitigate the attack window for access.log.2.gz you could run AIDE
limited to /var/log/apache/access.log.2.gz right after rotation:

aide --config /etc/aide/aide.conf --update --limit '/var/log/apache/access\.log\.2\.gz'

The ANF attribute for /var/log/apache/access.log.2.gz should no longer
be necessary then. The disadvantage of this approach is that the
checksums of the aide database are changed.

Best regards

Hannes
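To make the quoted rule set easier to reason about, here is an added example (not code from the thread or from the AIDE project) that restates the rules in aide.conf syntax, expands the Full group, and reports which rule each path of one "rotate 14" cycle lands on. It only reproduces the regex matching (AIDE matches regexes from the start of the path, which re.match mirrors, and every rule here ends in $); it does not model AIDE's precedence for overlapping rules, which cannot occur with this fully anchored set. The sample paths, including access.log.15.gz and error.log, are constructed for the demonstration.

```python
import re

# Constructed restatement of the rule set quoted in the thread (added example,
# not the thread's own config). Backslashes are written as aide.conf expects.
AIDE_RULES = r"""
Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H
/var/log/apache$ d p+u+g+ftype+n+i+X
/var/log/apache/access\.log$ f Full+growing+ANF+I
/var/log/apache/access\.log\.1$ f Full+ARF
/var/log/apache/access\.log\.2\.gz$ f Full+I+ANF
/var/log/apache/access\.log\.([3-9]|1[0-3])\.gz$ f Full+I
/var/log/apache/access\.log\.14\.gz$ f Full+ARF
"""

# Constructed sample paths: one rotation cycle of "rotate 14", the file that
# falls off the end (15), and a sibling log the rules never mention.
SAMPLE_PATHS = (
    ["/var/log/apache", "/var/log/apache/access.log", "/var/log/apache/access.log.1"]
    + ["/var/log/apache/access.log.%d.gz" % n for n in range(2, 16)]
    + ["/var/log/apache/error.log"]
)


def expand(expr, groups):
    """Expand an attribute expression such as Full+ARF into a set of attributes."""
    attrs = set()
    for tok in expr.split("+"):
        attrs |= groups.get(tok, {tok})
    return attrs


def parse_rules(text):
    """Parse group definitions and restricted rules into (regex, ftype, attrs)."""
    groups = {}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("/"):
            # Group definition: NAME = attr+attr+...
            name, expr = (part.strip() for part in line.split("=", 1))
            groups[name] = expand(expr, groups)
            continue
        regex, ftype, expr = line.split()
        rules.append((regex, ftype, expand(expr, groups)))
    return rules


def match_rule(path, rules):
    """Return (ftype, attrs) of the rule matching path, or None.

    re.match anchors at the start of the path, as AIDE does; the trailing '$'
    on every rule anchors the end, so at most one rule can match each path.
    AIDE's precedence for overlapping rules is deliberately not modelled.
    """
    hits = [(ftype, attrs) for regex, ftype, attrs in rules if re.match(regex, path)]
    if len(hits) > 1:
        raise ValueError("rule set is ambiguous for %s" % path)
    return hits[0] if hits else None


def coverage(paths, rules):
    """Map each path to its matched rule (None when no rule covers it)."""
    return {path: match_rule(path, rules) for path in paths}


if __name__ == "__main__":
    rules = parse_rules(AIDE_RULES)
    for path, hit in coverage(SAMPLE_PATHS, rules).items():
        if hit is None:
            print("%-40s  no rule matches" % path)
        else:
            ftype, attrs = hit
            print("%-40s  %s %s" % (path, ftype, "+".join(sorted(attrs))))
```

Running it shows access.log.2.gz is the only compressed file carrying ANF, access.log.1 and access.log.14.gz carry ARF, and access.log.3.gz through access.log.13.gz share Full+I. It also shows that access.log.15.gz and error.log match none of the listed rules; whether that is intended (logrotate removes the former once it exceeds the rotate count) is for the administrator to confirm.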

