Symantec Privileged Access Management

  • 1.  Monitor changes on System folder

    Posted Dec 22, 2015 09:09 AM

    Hi everyone

    A customer requires us to monitor changes to system files (the c:\windows folder and the c:\program files folder) using the installed CA ControlMinder endpoint, version 12.8.

    Is it suitable to use the Monitored Files (SECFILE) class?

    Would the following selang commands be a good monitoring example?

    NEWRES SECFILE ('C:\Windows')

    CHRES SECFILE ('C:\Windows') trust

    CHRES SECFILE ('C:\Windows') flags('Mtime','Size','Crc','Sha1','Inode','Device','Mode','Owner','Group')

    CHRES SECFILE ('C:\Windows') owner('nobody')


    Or should I use wildcard characters, for example ('c:\windows\*')?

    If you know a better way, I hope you will tell me your opinion.



  • 2.  Re: Monitor changes on System folder

    Broadcom Employee
    Posted Dec 23, 2015 08:49 AM

    Hi Abdel,


    Directories cannot be defined in the SECFILE class.

    The key of the SECFILE class record is the name of the file that the SECFILE record protects. Specify the full path.


    This means that specifying * in the resource gives an error, because it searches for a file named *: it treats * as the file name and not as a wildcard character.


    I did the following on my Linux host:


    AC> nr secfile ("/home/reatesh/*") owner(nobody)


    ERROR: /home/reatesh/* not found in file system



    Below is the output from my Windows host:



    Target host: localhost

    CA ControlMinder selang v12.80.1432 - CA ControlMinder command line interpreter

    Copyright (c) 2013 CA. All rights reserved.


    AC> nr secfile ("C:\Windows\*") owner(nobody)


    ERROR: C:\Windows\* not found in file system




    After a resource is protected / set for monitoring using the SECFILE class, you would need to run "seretrust" at frequent intervals to know the cause ...


    Example: I defined a simple text file in the SECFILE class and modified the file; seretrust then gives the following:


    nr secfile ("/tmp/hello.txt") owner(nobody)


    AC> sr secfile *


    Data for SECFILE '/tmp/hello.txt'


    Owner             : nobody        (USER   )

    Create time       : 23-Dec-2015 19:00

    Update time       : 23-Dec-2015 19:00

    Updated by        : root          (USER   )

    Trusted Pgm Info  : Mtime, Ctime, Mode, Size, Device, Inode, Crc, Sha1, Owner, Group



    echo "Adding data to the file" >> /tmp/hello.txt



    Retrusting PROGRAMs & SECFILEs, Base path = /



    # SECFILE /tmp/hello.txt content or timestamp has been changed.

    chres SECFILE ("/tmp/hello.txt") trust



    Total of 1 entries found in class SECFILE


    Total of 0 entries found in class PROGRAM



    Hope this helps.


    Thanks and Regards,
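As an added example (not from this thread and not CA ControlMinder code), the shell script below records and later re-checks the same file attributes that the seretrust output above lists for a SECFILE (Mtime, Size, Crc, Sha1), so the reader can see which flag catches which kind of change. The function names `file_mtime`, `secfile_snapshot` and `secfile_changed` are chosen here; it assumes POSIX `cksum`, GNU `sha1sum`, and a GNU or BSD `stat`.

```shell
#!/bin/sh
# Constructed illustration of the attribute checks seretrust performs on a
# SECFILE; it is not seretrust and does not talk to the ControlMinder database.

# file_mtime FILE: last-modification time in epoch seconds (GNU stat, then BSD stat)
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# secfile_snapshot FILE: print one baseline line "Mtime=.. Size=.. Crc=.. Sha1=.."
secfile_snapshot() {
    f=$1
    # POSIX cksum prints "<crc> <size> <name>"; positional parameters are
    # local to the function, so reusing them here is safe.
    set -- $(cksum "$f")
    crc=$1
    size=$2
    sha1=$(sha1sum "$f" | cut -d' ' -f1)
    printf 'Mtime=%s Size=%s Crc=%s Sha1=%s\n' \
        "$(file_mtime "$f")" "$size" "$crc" "$sha1"
}

# secfile_changed FILE BASELINE: print the names of the attributes whose
# current value differs from BASELINE (a line produced by secfile_snapshot),
# separated by spaces; prints an empty line when nothing changed.
secfile_changed() {
    f=$1
    base=$2
    now=$(secfile_snapshot "$f")
    changed=""
    for attr in Mtime Size Crc Sha1; do
        old=$(printf '%s\n' "$base" | sed -n "s/.*$attr=\([^ ]*\).*/\1/p")
        new=$(printf '%s\n' "$now"  | sed -n "s/.*$attr=\([^ ]*\).*/\1/p")
        [ "$old" = "$new" ] || changed="$changed $attr"
    done
    printf '%s\n' "${changed# }"
}

# Usage (mirrors the thread's example, with a constructed file):
#   baseline=$(secfile_snapshot /tmp/hello.txt)
#   echo "Adding data to the file" >> /tmp/hello.txt
#   secfile_changed /tmp/hello.txt "$baseline"    # prints the changed attributes
```

The point of carrying Crc and Sha1 alongside Mtime is that a content change whose timestamp has been restored still shows up in the checksum columns, which is why the seretrust record above trusts all of those attributes rather than the timestamp alone.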


  • 3.  Re: Monitor changes on System folder

    Posted Dec 23, 2015 08:00 PM

    Thanks for your full description

    But how can I monitor that large number of files for changes (or, to be more specific, audit and record that a change has occurred)

    on MS Windows endpoints (the c:\windows folder and the registry) and on the Unix platform (/etc/), with of course all the files under those.


    The request is not to monitor access to the folders but to monitor whether changes to them have been made by any malicious programs.


    Best regards

  • 4.  Re: Monitor changes on System folder

    Broadcom Employee
    Posted Dec 28, 2015 05:02 AM

    Hi Abdel,


    You can make use of the PROGRAM Class as well as the SECFILE class.


    You can define sensitive files in the PROGRAM class and less sensitive files using the SECFILE class.


    For Windows, specific Registry keys can be protected using the REGISTRY class available on Windows OS.


    The "seretrust" utility would give you a result of any resource that is modified in both the PROGRAM as well as the SECFILE class. The result would be based on what parameters you would like to monitor.


    Thanks and Regards,


  • 5.  Re: Monitor changes on System folder

    Posted Dec 28, 2015 06:19 AM

    Thanks for reply Reatesh

    But the PROGRAM class, as far as I know, selects per command (I cannot point it to one directory and everything within it); it will also be hard to implement on a large number of servers (the scope is about 90 Windows servers and about 50 Unix servers) for a folder and its files and subfolders (like the c:\windows folder and what is under it).



  • 6.  Re: Monitor changes on System folder
    Best Answer

    Broadcom Employee
    Posted Dec 28, 2015 09:30 AM

    Hi Abdel,


    I understand this better now.


    My recommendation below would work only if all your Windows hosts' filesystems are identical. The same assumption applies to the UNIX hosts: their file system configuration must be similar.


    We can address this in two ways:

    - Using PMDB (the traditional way)

    -- Define the policies and push to each endpoint. (this would include more manual effort)

    In the PMDB architecture, you would have to remember which policies were previously deployed and to which hosts.


    - Using ENTM (Central management) to push the policies to the endpoints.

    -- Define all your endpoints in ENTM (during the installation of your endpoints itself, you can define your DMS details)

    -- Create the SECFILE and PROGRAM class rules and deploy these to the selected endpoints

    Here, in the ENTM, you can see which policies are pushed and the status of the policies; modifying the policies and pushing them again is also easier.


    But, as you were expecting, we do not have a one-step option to monitor using a wildcard.


    Thanks and Regards,

    Reatesh Sanghi.

  • 7.  Re: Monitor changes on System folder

    Posted Dec 28, 2015 09:40 AM

    Thanks Reatesh

    I am already working with each platform separately, each type having its own policy.

    Of course I use the ENTM to be more central, but the issue for me is how to enter that large number of files (instead of addressing the folder with the files under it).

    thanks again for your clarification


    Best regards

    Wael abdel-wahab
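Since the thread establishes that SECFILE takes one full file path per record and no wildcard, the remaining practical problem is producing those records for a whole tree. The shell script below is an added example, not from this thread and not part of CA ControlMinder: it walks a directory and emits one `nr secfile (...)` plus one `chres secfile (...) flags(...)` line per regular file, in the syntax the thread itself shows, so the output can be fed to selang as a batch on each Unix endpoint (how you feed a command file to your selang version is not covered here). The function names `gen_secfile_rules` and `count_secfile_rules` are chosen for this example; it assumes a POSIX `find` and file names without embedded newlines.

```shell
#!/bin/sh
# Constructed rule generator; it only prints selang commands and changes nothing.

# gen_secfile_rules DIR [FLAGS]
#   Print selang commands defining every regular file under DIR as a SECFILE,
#   with the monitored attributes from FLAGS (default: the set used in the
#   first post of the thread). Output is sorted so repeated runs diff cleanly.
gen_secfile_rules() {
    dir=$1
    flags=${2:-"'Mtime','Size','Crc','Sha1','Inode','Device','Mode','Owner','Group'"}
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        # A quote inside the path would break the quoted selang argument;
        # report it on stderr instead of emitting a malformed command.
        case $f in
            *\"*|*\'*)
                printf '# skipped (quote in name): %s\n' "$f" >&2
                continue
                ;;
        esac
        printf 'nr secfile ("%s") owner(nobody)\n' "$f"
        printf 'chres secfile ("%s") flags(%s)\n' "$f" "$flags"
    done
}

# count_secfile_rules DIR: how many files under DIR would receive a rule
count_secfile_rules() {
    gen_secfile_rules "$1" 2>/dev/null | grep -c '^nr secfile'
}

# Usage:
#   gen_secfile_rules /etc > etc_secfile.selang
#   count_secfile_rules /etc
```

Because the generated file is plain text, it can be kept under version control per platform type, which is a cheap way to answer the "which policies were deployed where" question raised for the PMDB approach above; on ENTM you would attach the same generated rule set to the policy that is pushed to the matching group of endpoints.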