In a message posted Monday, October 10 Paul Howell writes:
>
> Fred Blonder writes:
> > The limitation of Tripwire in this application is that log files are
> > ALWAYS (well, almost) changing, so if Tripwire raised the alarm on a
> > logfile, your reaction should be: "So what?". ;-)
>
> I thought that tripwire would report if the log file got smaller,
> an indication that someone is removing records, yes?
>
> At least that seems like a reasonable thing to me.

I think the point was that a hacker could replace your 200KB log file
that shows his activities with a 201KB (or whatever) one that is garbage
(or been edited a bit). Tripwire will miss this. If you have a program
that checksums the file up to byte XXXX, compares that to what it was,
then checksums it up to its current size (YYYY) which saves that
value/size for the next run, you make it harder for the hacker to
replace your logs.

[I think this has been mentioned in this thread, however]

Howard Bampton                  "The man without love gives no hostages
Internet: bampton@cs.utk.edu     to fortune." -- Black Omne
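
The incremental check described in the message above, as an added example that is not part of the original post or of Tripwire. The function names, the JSON state file and the choice of SHA-256 as the checksum are assumptions made for this sketch.

```python
import hashlib
import json
import os
import tempfile


def prefix_digest(path, length):
    """SHA-256 over the first `length` bytes of the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while length > 0:
            chunk = f.read(min(65536, length))
            if not chunk:
                break
            h.update(chunk)
            length -= len(chunk)
    return h.hexdigest()


def check_log(path, state_path):
    """Return 'baseline', 'ok', 'truncated' or 'modified'.

    Assumption: state_path lives where an intruder on this host cannot
    rewrite it (read-only media or another machine).
    """
    size = os.path.getsize(path)
    verdict = "baseline"
    if os.path.exists(state_path):
        with open(state_path) as f:
            old = json.load(f)
        if size < old["size"]:
            verdict = "truncated"   # file got smaller than at the last run
        elif prefix_digest(path, old["size"]) != old["sha256"]:
            verdict = "modified"    # bytes 0..XXXX differ from the last run
        else:
            verdict = "ok"          # old prefix intact, file only appended to
    if verdict in ("baseline", "ok"):
        # Save size YYYY and its checksum for the next run; on an alarm the
        # old state is kept so the finding repeats until someone re-baselines.
        with open(state_path, "w") as f:
            json.dump({"size": size, "sha256": prefix_digest(path, size)}, f)
    return verdict


if __name__ == "__main__":
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "messages"), os.path.join(d, "messages.state")
    with open(log, "w") as f:
        f.write("Oct 10 09:00 login: ROOT LOGIN ttyp1\n")  # constructed sample
    print(check_log(log, state), check_log(log, state))
```

Routine log rotation also shrinks the file, so a "truncated" verdict has to be matched against the rotation schedule before it is treated as tampering.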