Hi,

On Tue, Feb 28, 2023 at 07:13:04PM +0100, Marc Haber wrote:
> Here is my suggestion to handle this kind of log rotation:
>
> Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H
> /var/log/apache$ d p+u+g+ftype+n+i+X
> /var/log/apache/access\.log$ f Full+growing+ANF+I
> /var/log/apache/access\.log\.1$ f Full+ARF
> /var/log/apache/access\.log\.2\.gz$ f Full+I+ANF
> /var/log/apache/access\.log\.([3-9]|1[0-3])\.gz$ f Full+I
> /var/log/apache/access\.log\.14\.gz$ f Full+ARF
>
> This seems to work reasonably well for a few days, but I am not fully
> sure whether those rules can be improved. May I ask for your comments?
The rules look good for this use case.

To mitigate the attack window for access.log.2.gz you could run AIDE
limited to /var/log/apache/access.log.2.gz right after rotation:

    aide --config /etc/aide/aide.conf --update --limit '/var/log/apache/access\.log\.2\.gz'

The ANF attribute for /var/log/apache/access.log.2.gz should no longer be
necessary then. The disadvantage of this approach is that the checksums of
the aide database are changed.

Best regards
Hannes

_______________________________________________
Aide mailing list
Aide@ipi.fi
https://www.ipi.fi/mailman/listinfo/aide
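As an added example (not from either mail in this thread, and not AIDE or logrotate project code), the shell script below turns the "run AIDE limited to the freshly rotated file right after rotation" suggestion into a logrotate stanza. It assumes a logrotate scheme that yields the same file set the quoted rules describe (access.log.1 kept uncompressed via delaycompress, access.log.2.gz through access.log.14.gz compressed, 14 generations in total), and the default Debian config path /etc/aide/aide.conf from the reply. The helper aide_limit_regex() escapes regex metacharacters so the path handed to --limit matches literally, which is the only part of the path the reply had to escape by hand. The log directory, the output path of the stanza and the "|| true" on the aide call are assumptions for this example.

```shell
#!/bin/sh
# Added example: wire "aide --update --limit <rotated file>" into logrotate.
# Nothing here is from the mailing-list thread; paths are illustrative.
set -eu

# Escape regex metacharacters so the literal path given to --limit matches
# exactly (the reply writes access\.log\.2\.gz for the same reason).
aide_limit_regex() {
    printf '%s' "$1" | sed 's/[][\.^$*+?(){}|]/\\&/g'
}

# Emit a logrotate stanza for $1/access.log into file $2 (assumed paths).
# rotate 14 + compress + delaycompress produces exactly the generations the
# quoted AIDE rules cover: .1 uncompressed, .2.gz ... .14.gz compressed.
write_logrotate_conf() {
    logdir=$1
    out=$2
    aide_conf=${3:-/etc/aide/aide.conf}
    limit=$(aide_limit_regex "$logdir/access.log.2.gz")
    cat > "$out" <<EOF
$logdir/access.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    postrotate
        # Re-baseline only the file that just became access.log.2.gz, so the
        # ANF attribute on it is no longer needed. aide --update exits
        # non-zero when it records changes, so do not let that abort
        # logrotate (assumption: you review AIDE's own report instead).
        # The updated database lands in database_out and still has to be
        # installed according to local policy; its checksum will change.
        aide --config $aide_conf --update --limit '$limit' || true
    endscript
}
EOF
}

# Stand-alone demo: write the stanza to a temp file when DEMO is set, e.g.
#   DEMO=1 sh this_script.sh
if [ -n "${DEMO:-}" ]; then
    tmp=$(mktemp)
    write_logrotate_conf /var/log/apache "$tmp"
    cat "$tmp"
    rm -f "$tmp"
fi
```

Running it with DEMO=1 prints the generated stanza; in production you would write it to /etc/logrotate.d/ (an assumption about the local layout) and keep the --limit regex in sync with whatever generation is compressed first by your delaycompress setting.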