Re: [ISSForum] Monitoring permission changes to directories with server sensor
From: Adjie Pamungkas (adjie ipnsecurity.com)
Date: Thu Jan 08 2004 - 21:18:02 CST
Chris,
I have configured directory tampering in Server Sensor 6.5 on Windows 2000
and it runs successfully. Here's the configuration:
Type = 8 ; Type : Event Outcome 8 : success
Category= 0 ; 0 : match all categories
ID = 560 ; 560 = Object Access
Origin = Security ; Security (Security Event Viewer Log)
Regular Expression
1537|4417|4418|4420|4424
Where :
1537 = Delete
1538 = Read_CONTROL
1541 = synchronize
4416 = ReadData(or List Directory)
4417 = WriteData(or Add File)
4418 = AppendData (or AddSubdirectory or CreatePipeInstance)
4419 = ReadEA
4420 = WriteEA
4423 = ReadAttributes
4424 = WriteAttributes
Info
String0 = Object Server :
String1 = Object Type :
String2 = File Name :
String3 = New Handle ID :
String4 = Operation ID Start
String5 = Operation ID End
String6 = Process ID
String7 = Primary User Name :
String8 = Primary Domain :
String9 = Primary Logon ID :
String10 = Client User Name :
String11 = Client Domain :
String12 = Client Logon ID :
String13 = Accesses :
String14 = Privileges :
Audit -> File ->File List :
<drive_name>:\<dir_name>\*
<drive_name>:\<dir_name>\<subdir_name>\*
I used the SecureLogic scripting like in the help file about file tampering
to monitor file tampering; maybe it's basically the same with directory
permissions.
And don't forget to enable auditing on Security properties of the
directory/files.
Unfortunately I had no luck when I tried to use the SecureLogic script I used
on Server Sensor 6.5 as the Fusion script on Server Sensor 7.0. It detected
the events but failed to respond. It said something like unknown command
Fusion script error. Does anybody have experience using Fusion scripting on
Server Sensor 7.0?
----- Original Message -----
From: "Cunningham, Chris, R." <CCunningham wilmingtontrust.com>
To: <issforum iss.net>
Sent: Wednesday, January 07, 2004 8:18 PM
Subject: [ISSForum] Monitoring permission changes to directories with server sensor
> We are attempting to use server sensor to monitor changes to directory
> permissions on our Win2000 servers via the user defined rules. The event ID
> is 560, but we have not had any luck, even though we are currently
> monitoring several other event IDs. The events do appear in the event log,
> but never get picked up by the server sensor (ver 6.5). Does anyone know of
> any other way to monitor these events and alert on them?
>
> Thanks,
>
> Chris
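
The rule posted in this thread, as an added example that is not part of the original messages or of the Server Sensor product: Python applies the same Type/ID/Origin filter and access codes to constructed event 560 records, and compares searching the whole record with checking only the Accesses string (String13). The record layout, the `%%code` form of the Accesses string, the sample values and all function names are assumptions made for illustration.

```python
import re

# Modification access codes used in the regular expression in the message above.
WATCHED = {"1537": "Delete", "4417": "WriteData", "4418": "AppendData",
           "4420": "WriteEA", "4424": "WriteAttributes"}
POSTED_RE = re.compile(r"1537|4417|4418|4420|4424")  # expression as posted
# Whole 4-digit tokens only, so values such as 14417 or 0x1537 do not match.
CODE_RE = re.compile(r"(?<![0-9A-Za-z])(\d{4})(?![0-9A-Za-z])")
ACCESSES = 13  # String13 = Accesses in the field list above


def make_event(ev_type, process_id, accesses):
    """Constructed sample record with String0..String14 in the listed order."""
    strings = ["Security", "File", r"D:\data\reports\q4.xls", "1204", "0",
               "5001", process_id, "SYSTEM", "NT AUTHORITY", "(0x0,0x3E7)",
               "jdoe", "CORP", "(0x0,0x2A5F1)", accesses, "-"]
    return {"origin": "Security", "id": 560, "type": ev_type, "strings": strings}


def passes_rule_header(ev):
    """Type = 8 (success), ID = 560, Origin = Security, as in the posted rule."""
    return ev["origin"] == "Security" and ev["id"] == 560 and ev["type"] == 8


def naive_match(ev):
    """Posted expression searched in every insertion string of the record."""
    return passes_rule_header(ev) and any(POSTED_RE.search(s) for s in ev["strings"])


def tamper_accesses(ev):
    """Watched codes present in the Accesses string only, as a sorted list."""
    if not passes_rule_header(ev):
        return []
    found = set(CODE_RE.findall(ev["strings"][ACCESSES]))
    return sorted(found & set(WATCHED))


# Constructed records: a write, a read by process 4417, a failed write (type 16).
WRITE = make_event(8, "884", "%%4417\r\n\t\t\t%%4424\r\n\t\t\t")
READ = make_event(8, "4417", "%%1538\r\n\t\t\t%%4416\r\n\t\t\t%%4423\r\n\t\t\t")
FAILED = make_event(16, "884", "%%4417\r\n\t\t\t")

if __name__ == "__main__":
    for name, ev in (("WRITE", WRITE), ("READ", READ), ("FAILED", FAILED)):
        hits = [f"{c}={WATCHED[c]}" for c in tamper_accesses(ev)]
        print(name, "naive:", naive_match(ev), "accesses-only:", hits)
```

The READ record shows the difference: a read-only open still matches the whole-record search because its Process ID happens to be 4417, while the Accesses-only check reports nothing.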