Symantec Privileged Access Management


Monitor changes on System folder

  • 1.  Monitor changes on System folder

    Posted 12-22-2015 09:09 AM


    Hi everyone

    A customer requires monitoring of changes to system files (in the c:\windows folder and the c:\program files folder) using the installed CA ControlMinder endpoint, version 12.8.

    Is it suitable to use the Monitored Files SECFILE class?

    Would the following selang commands reflect a good monitoring example:

    NEWRES SECFILE ('C:\Windows')

    CHRES SECFILE ('C:\Windows') trust

    CHRES SECFILE ('C:\Windows') flags('Mtime','Size','Crc','Sha1','Inode','Device','Mode','Owner','Group')

    CHRES SECFILE ('C:\Windows') owner('nobody')

     

    or should I put wildcard characters, for example ('c:\windows\*')?

    If you know a better way, I hope you can tell me your opinion.

     

    thanks



  • 2.  Re: Monitor changes on System folder

    Posted 12-23-2015 08:49 AM

    Hi Abdel,

     

    Directories cannot be defined in the SECFILE class.

    The key of the SECFILE class record is the name of the file that the SECFILE record protects. Specify the full path.

     

    This means that specifying * in the resource would give an error, as it tries to search for a file named *; it translates * as the file name and not as a wildcard character.

     

    I did the following in my Linux host:

     

    AC> nr secfile ("/home/reatesh/*") owner(nobody)

    (localhost)

    ERROR: /home/reatesh/* not found in file system

    AC>

    =====================

    Below is the output from my Windows host:

     

    C:\Users\Administrator>selang

    Target host: localhost

    CA ControlMinder selang v12.80.1432 - CA ControlMinder command line interpreter

    Copyright (c) 2013 CA. All rights reserved.

     

    AC> nr secfile ("C:\Windows\*") owner(nobody)

    (localhost)

    ERROR: C:\Windows\* not found in file system

    AC>

    ========================

     

    After a resource is protected / set for monitoring using the SECFILE class, you would need to run "seretrust" in frequent intervals to know the cause ...

     

    Example: I have defined a simple text file in the SECFILE class and modified the file; then seretrust would give the following:

     

    nr secfile ("/tmp/hello.txt") owner(nobody)

     

    AC> sr secfile *

    (localhost)

    Data for SECFILE '/tmp/hello.txt'

    -----------------------------------------------------------

    Owner             : nobody        (USER   )

    Create time       : 23-Dec-2015 19:00

    Update time       : 23-Dec-2015 19:00

    Updated by        : root          (USER   )

    Trusted Pgm Info  : Mtime, Ctime, Mode, Size, Device, Inode, Crc, Sha1, Owner, Group

    -------------------------------------------------------------

     

    echo "Adding data to the file" >> /tmp/hello.txt

     

    #seretrust

    Retrusting PROGRAMs & SECFILEs, Base path = /

     

     

    # SECFILE /tmp/hello.txt content or timestamp has been changed.

    chres SECFILE ("/tmp/hello.txt") trust

     

     

    Total of 1 entries found in class SECFILE

     

    Total of 0 entries found in class PROGRAM

    ---------------------------------------------------------------

     

    Hope this helps.

     

    Thanks and Regards,

    Reatesh.
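The seretrust run above reports each changed SECFILE record as a comment line and then prints a ready-made chres ... trust command for it. Running those commands as-is would re-baseline the file and discard the very signal you wanted, so a practical workflow is to parse the report, raise an alert for anything not expected, and only re-trust paths a person has approved. The Python script below is an added example, not part of Reatesh's reply and not a CA utility: its sample output is constructed to match the format shown above, and the wording of the PROGRAM-class message is assumed to mirror the SECFILE one.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the seretrust output shown in the reply above.
SAMPLE_OUTPUT = """Retrusting PROGRAMs & SECFILEs, Base path = /


# SECFILE /tmp/hello.txt content or timestamp has been changed.
chres SECFILE ("/tmp/hello.txt") trust

# SECFILE /etc/passwd content or timestamp has been changed.
chres SECFILE ("/etc/passwd") trust


Total of 2 entries found in class SECFILE

Total of 0 entries found in class PROGRAM
"""

# "# SECFILE /path content or timestamp has been changed." (PROGRAM wording assumed identical)
CHANGED_RE = re.compile(
    r"^#\s+(SECFILE|PROGRAM)\s+(.+?)\s+content or timestamp has been changed\.$"
)
# "Total of N entries found in class SECFILE"
TOTAL_RE = re.compile(r"^Total of (\d+) entries found in class (SECFILE|PROGRAM)$")


def parse_seretrust(text):
    """Return ({class: [changed paths]}, {class: entries in class}) from seretrust output."""
    changed = defaultdict(list)
    totals = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CHANGED_RE.match(line)
        if m:
            changed[m.group(1)].append(m.group(2))
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[m.group(2)] = int(m.group(1))
    return dict(changed), totals


def triage(changed, approved_paths):
    """Split changed records into chres commands for approved paths and alerts for the rest.

    approved_paths is the set of files a human confirmed were changed legitimately
    (e.g. after a patch window); everything else stays untrusted and is reported.
    """
    retrust, alerts = [], []
    for cls, paths in changed.items():
        for path in paths:
            if path in approved_paths:
                retrust.append(f'chres {cls} ("{path}") trust')
            else:
                alerts.append(f"ALERT: unexpected change to {cls} {path}")
    return retrust, alerts


if __name__ == "__main__":
    changed, totals = parse_seretrust(SAMPLE_OUTPUT)
    # Constructed approval: only the test file was an expected change.
    retrust, alerts = triage(changed, approved_paths={"/tmp/hello.txt"})
    for a in alerts:
        print(a)
    print("--- commands safe to feed back to selang ---")
    for cmd in retrust:
        print(cmd)
    print("entries per class:", totals)
```

Scheduled from cron or Task Scheduler, the alerts list is what goes to the SIEM; the retrust list is what gets fed to selang after review.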



  • 3.  Re: Monitor changes on System folder

    Posted 12-23-2015 08:00 PM

    Thanks for your full description,

    but how am I to monitor that large amount of files for changes (or, to be more specific, audit and record that a change has occurred)

    on MS Windows endpoints (the c:\windows folder and registry) and on Unix platforms (/etc/), with of course all the files under those?

     

    The request is not to monitor access to the folders but to monitor whether a change happened to them via any malicious programs.

     

    Best regards



  • 4.  Re: Monitor changes on System folder

    Posted 12-28-2015 05:02 AM

    Hi Abdel,

     

    You can make use of the PROGRAM Class as well as the SECFILE class.

     

    You can define sensitive files in the PROGRAM class and less sensitive files using the SECFILE class.

     

    For Windows, specific Registry keys can be protected using the REGISTRY class available on Windows OS.

     

    The "seretrust" utility would give you a result of any resource that is modified in both the PROGRAM as well as the SECFILE class. The result would be based on what parameters you would like to monitor.

     

    Thanks and Regards,

    Reatesh.



  • 5.  Re: Monitor changes on System folder

    Posted 12-28-2015 06:19 AM

    Thanks for reply Reatesh

    but the PROGRAM class, as I know, selects per command (I cannot point it to one directory and all within it); it will also be hard to implement on a large number of servers (the scope is about 90 Windows servers and about 50 Unix platform servers) for a folder and its files and subfolders (like the c:\windows folder and what is under it).

     

    Thanks



  • 6.  Re: Monitor changes on System folder
    Best Answer

    Posted 12-28-2015 09:30 AM

    Hi Abdel,

     

    I understand this better now.

     

    My recommendation below would work only if all your Windows hosts' filesystems are identical. The same assumption applies to UNIX hosts: the file system configuration is similar.

     

    We can address this in two ways:

    - Using PMDB (the traditional way)

    -- Define the policies and push to each endpoint. (this would include more manual effort)

    In the PMDB architecture, you would have to remember what the previous policies were that were deployed and to which hosts.

     

    - Using ENTM (Central management) to push the policies to the endpoints.

    -- Define all your endpoints in ENTM (during the installation of your endpoints itself, you can define your DMS details)

    -- Create the SECFILE and PROGRAM class rules and deploy these to the selected endpoints

    Here, in ENTM, you would be able to see which policies are pushed and the status of the policies; modifying the policies and pushing them again would also be easier.

     

    But, as you were expecting, we do not have a one-step option to monitor using a wildcard.

     

    Thanks and Regards,

    Reatesh Sanghi.
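Since a SECFILE record takes one full path and, as the answer says, there is no wildcard option, the practical route is to generate the per-file rules on a reference host and then push the resulting rule set through ENTM as described above. The Python script below is an added example, not CA tooling and not code from this thread: it walks a directory tree, prunes directories that change legitimately (temp and log trees would otherwise make every seretrust run noisy), and emits one rule set per file in the selang syntax used in this thread. The nr secfile ("path") owner(nobody) and chres ... trust lines follow Reatesh's examples; the flags('Mtime',...) form follows Abdel's original question and is assumed here to be accepted as written. The script builds a small constructed tree so it runs offline; feeding the output file to selang (for instance with selang -f, assumed here) is the deployment step.

```python
import os
import tempfile

# Attributes to monitor, taken from the flags listed in the original question.
DEFAULT_FLAGS = ("Mtime", "Size", "Crc", "Sha1", "Inode", "Device", "Mode", "Owner", "Group")


def list_files(root, exclude_dirs=()):
    """Recursively list regular files under root.

    Directory names in exclude_dirs are pruned so os.walk never descends into them;
    symlinks are skipped so the record points at the real file. Output is sorted
    so the generated rule file is stable between runs and easy to diff.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                found.append(path)
    return sorted(found)


def secfile_rules(paths, owner="nobody", flags=DEFAULT_FLAGS):
    """Emit selang lines for each path: create the record, set the monitored
    attributes (flags syntax assumed from the original question), then record
    the current state as the trusted baseline."""
    flag_list = ",".join(f"'{f}'" for f in flags)
    lines = []
    for path in paths:
        lines.append(f'nr secfile ("{path}") owner({owner})')
        lines.append(f'chres secfile ("{path}") flags({flag_list})')
        lines.append(f'chres secfile ("{path}") trust')
    return lines


def make_sample_tree():
    """Build a small constructed directory tree (Windows-like layout) in a temp dir."""
    root = tempfile.mkdtemp(prefix="secfile_demo_")
    for rel in ("System32/drivers/etc/hosts", "System32/ntoskrnl.exe", "Temp/scratch.tmp"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
    return root


def write_rule_file(root, out_path, exclude_dirs=("Temp",), owner="nobody"):
    """Generate the rule file for root and return the number of files covered."""
    files = list_files(root, exclude_dirs=exclude_dirs)
    with open(out_path, "w") as fh:
        fh.write("\n".join(secfile_rules(files, owner=owner)) + "\n")
    return len(files)


if __name__ == "__main__":
    root = make_sample_tree()
    out = os.path.join(root, "secfile_rules.selang")
    count = write_rule_file(root, out)
    print(f"{count} files covered; rules written to {out}")
    with open(out) as fh:
        print(fh.read())
```

Generate the file once per platform on a host whose layout matches the others (the answer's precondition), review the file count against what you expect, then deploy the same rule file to the group through ENTM. Regenerate and re-push after patching, since new or removed files are not picked up automatically.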



  • 7.  Re: Monitor changes on System folder

    Posted 12-28-2015 09:40 AM

    Thanks Reatesh

    I am already working with each platform separately, each type having its own policy.

    Of course I use ENTM to be more central, but the issue for me is how to enter that large amount of files (instead of addressing the folder with the files under it).

    Thanks again for your clarification.

     

    Best regards

    Wael abdel-wahab