On Thu, Mar 02, 2023 at 08:55:57PM +0100, Hannes von Haugwitz wrote:
> On Tue, Feb 28, 2023 at 07:13:04PM +0100, Marc Haber wrote:
> > Here is my suggestion to handle this kind of log rotation:
> >
> > Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H
> > /var/log/apache$ d p+u+g+ftype+n+i+X
> > /var/log/apache/access\\.log$ f Full+growing+ANF+I
> > /var/log/apache/access\\.log\\.1$ f Full+ARF
> > /var/log/apache/access\\.log\\.2\\.gz$ f Full+I+ANF
> > /var/log/apache/access\\.log\\.([3-9]|1[0-3])\\.gz$ f Full+I
> > /var/log/apache/access\\.log\\.14\\.gz$ f Full+ARF
> >
> > This seems to work reasonably well for a few days, but I am not fully
> > sure whether those rules can be improved. May I ask for your comments?
>
> The rules look good for this use case.

Very well, thank you!

> To mitigate the attack window for access.log.2.gz you could run AIDE
> limited to /var/log/apache/access.log.2.gz right after rotation:
>
> aide --config /etc/aide/aide.conf --update --limit '/var/log/apache/access\.log\.2\.gz'

I have postponed this until after the bookworm release, but noted.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421

_______________________________________________
Aide mailing list
[email protected]
https://www.ipi.fi/mailman/listinfo/aide
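The selection lines above only work as a rotation scheme if every rotated name lands on exactly one rule, so the rule order never matters, and if nothing an admin cares about falls through the gaps. The following Python script is an added example, not code from the thread or from the AIDE project: it parses the quoted selection lines (written with `\.` for a literal dot, as in the `--limit` command in the reply), expands the `Full` group, and reports which rule, if any, covers a set of constructed file names. It assumes, mirroring aide.conf, that a selection regex is matched from the start of the path and that the trailing `$` anchors the end; the `parse_rules`, `expand`, `match_path` and `coverage_report` names are this example's own.

```python
import re

# Selection lines as posted in the thread (aide.conf syntax: regex, file type, attributes).
AIDE_RULES_TEXT = r"""
Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H
/var/log/apache$ d p+u+g+ftype+n+i+X
/var/log/apache/access\.log$ f Full+growing+ANF+I
/var/log/apache/access\.log\.1$ f Full+ARF
/var/log/apache/access\.log\.2\.gz$ f Full+I+ANF
/var/log/apache/access\.log\.([3-9]|1[0-3])\.gz$ f Full+I
/var/log/apache/access\.log\.14\.gz$ f Full+ARF
"""

# Constructed sample paths (path, aide file type): the full rotation ladder plus two
# names that the posted rules do not mention.
SAMPLE_PATHS = [
    ("/var/log/apache", "d"),
    ("/var/log/apache/access.log", "f"),
    ("/var/log/apache/access.log.1", "f"),
    ("/var/log/apache/access.log.2.gz", "f"),
    ("/var/log/apache/access.log.3.gz", "f"),
    ("/var/log/apache/access.log.13.gz", "f"),
    ("/var/log/apache/access.log.14.gz", "f"),
    ("/var/log/apache/access.log.15.gz", "f"),   # one past the ladder
    ("/var/log/apache/error.log", "f"),          # not covered by any rule
]


def parse_rules(text):
    """Split the config into group definitions and selection lines.

    Returns (groups, rules): groups maps a group name to its attribute tokens,
    rules is a list of (compiled regex, file type, attribute tokens) in file order.
    """
    groups, rules = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("/") and "=" in line:
            name, _, attrs = line.partition("=")
            groups[name.strip()] = attrs.strip().split("+")
            continue
        regex, ftype, attrs = line.split()
        rules.append((re.compile(regex), ftype, attrs.split("+")))
    return groups, rules


def expand(tokens, groups):
    """Recursively replace group names (e.g. Full) by their attribute tokens."""
    out = []
    for tok in tokens:
        out.extend(expand(groups[tok], groups) if tok in groups else [tok])
    return out


def match_path(path, ftype, rules):
    """Indices of all rules whose type matches and whose regex matches from the
    start of the path (assumption: the same anchoring aide applies to selection lines)."""
    return [i for i, (rx, t, _) in enumerate(rules) if t == ftype and rx.match(path)]


def coverage_report(paths, rules, groups):
    """Map each sample path to the expanded attribute list of the single rule that
    covers it, or None when no selection line matches (aide then simply does not
    put the file in its database). Raises if a path hits more than one rule."""
    report = {}
    for path, ftype in paths:
        hits = match_path(path, ftype, rules)
        if len(hits) > 1:
            raise ValueError(f"{path} matches more than one rule: {hits}")
        report[path] = expand(rules[hits[0]][2], groups) if hits else None
    return report


if __name__ == "__main__":
    groups, rules = parse_rules(AIDE_RULES_TEXT)
    for path, attrs in coverage_report(SAMPLE_PATHS, rules, groups).items():
        print(f"{path:40s} {'+'.join(attrs) if attrs else '<no rule: not monitored>'}")
```

Running it shows the ladder is disjoint (each rotated name hits one rule), that `access.log.15.gz` and `error.log` match nothing and would therefore be invisible to AIDE, and that the `Full+I` rule for `.3.gz` to `.13.gz` is the only one without ANF or ARF, which is what makes an unexpected appearance or disappearance in the middle of the ladder reportable.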
