[Aide] Advanced Log Handling with aide 0.18

[Marc Haber]

On Thu, Mar 02, 2023 at 08:55:57PM +0100, Hannes von Haugwitz wrote:
> On Tue, Feb 28, 2023 at 07:13:04PM +0100, Marc Haber wrote:
> > Here is my suggestion to handle this kind of log rotation:
> >
> > Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H
> > /var/log/apache$ d p+u+g+ftype+n+i+X
> > /var/log/apache/access\\.log$ f Full+growing+ANF+I
> > /var/log/apache/access\\.log\\.1$ f Full+ARF
> > /var/log/apache/access\\.log\\.2\\.gz$ f Full+I+ANF
> > /var/log/apache/access\\.log\\.([3-9]|1[0-3])\\.gz$ f Full+I
> > /var/log/apache/access\\.log\\.14\\.gz$ f Full+ARF
> >
> > This seems to work reasonably well for a few days, but I am not fully
> > sure whether those rules can be improved. May I ask for your comments?
> 
> The rules look good for this use case.

Very well, thank you!

> To mitigate the attack window for access.log.2.gz you could run AIDE
> limited to /var/log/apache/access.log.2.gz right after rotation:
> 
> aide --config /etc/aide/aide.conf --update --limit '/var/log/apache/access\.log\.2\.gz'

I have postponed this until after the bookworm release, but noted.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421