
Re: [ISSForum] Monitoring permission changes to directories with server sensor



Chris,
I have configured directory tampering in Server Sensor 6.5 on Windows 2000
and it runs successfully. Here's the configuration:

Type = 8             ;  Type  : Event Outcome 8  : success
Category= 0        ;  0  : match all categories
ID = 560             ; 560 = Object Access
Origin = Security     ; Security (Security Event Viewer Log)

Regular Expression
1537|4417|4418|4420|4424
Where :
 1537 = Delete
 1538 = Read_CONTROL
 1541 = synchronize
 4416 = ReadData(or List Directory)
 4417 = WriteData(or Add File)
 4418 = AppendData (or AddSubdirectory or CreatePipeInstance)
 4419 = ReadEA
 4420 = WriteEA
 4423 = ReadAttributes
 4424 = WriteAttributes

Info
@String0  = Object Server :
@String1  = Object Type :
@String2  = File Name :
@String3  = New Handle ID :
@String4  = Operation ID Start
@String5  = Operation ID End
@String6  = Process ID
@String7  = Primary User Name :
@String8  = Primary Domain :
@String9  = Primary Logon ID :
@String10 = Client User Name :
@String11 = Client Domain :
@String12 = Client Logon ID :
@String13 = Accesses :
@String14 = Privileges :

Audit -> File ->File List :
<drive_name>:\<dir_name>\*
<drive_name>:\<dir_name>\<subdir_name>\*

I used the SecureLogic scripting, as in the help file about file tampering,
to monitor file tampering; maybe it's basically the same with directory
permissions.
And don't forget to enable auditing in the Security properties of the
directory/files.

Unfortunately I had no luck when I tried to use the SecureLogic script I used
on Server Sensor 6.5 as the Fusion script on Server Sensor 7.0. It detected
the events but failed to respond. It said something like unknown command
Fusion script error. Does anybody have experience using Fusion scripting on
Server Sensor 7.0?

----- Original Message -----
From: "Cunningham, Chris, R." <CCunningham@xxxxxxxxxxxxxxxxxxx>
To: <issforum@xxxxxxx>
Sent: Wednesday, January 07, 2004 8:18 PM
Subject: [ISSForum] Monitoring permission changes to directories with server
sensor


> We are attempting to use server sensor to monitor changes to directory
> permissions on our Win2000 servers via the user defined rules.  The event ID
> is 560, but we have not had any luck, even though we are currently
> monitoring several other event IDs.  The events do appear in the event log,
> but never get picked up by the server sensor (ver 6.5). Does anyone know of
> any other way to monitor these events and alert on them?
>
> Thanks,
>
> Chris
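
The rule described in the reply above, as an added Python example that is not part of the original post and is not ISS code: it applies the Type/ID/Origin filter, the file list and the access-code expression to constructed event 560 records. It assumes the raw Accesses string carries the codes as `%%NNNN` tokens and that the file list uses shell-style wildcards; the paths, user name and function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Access codes and names exactly as listed in the post.
ACCESS_NAMES = {
    1537: "Delete", 1538: "Read_CONTROL", 1541: "synchronize",
    4416: "ReadData (or List Directory)", 4417: "WriteData (or Add File)",
    4418: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    4419: "ReadEA", 4420: "WriteEA", 4423: "ReadAttributes",
    4424: "WriteAttributes",
}
RULE = {
    "type": 8, "id": 560, "origin": "Security",
    "regex": re.compile(r"1537|4417|4418|4420|4424"),
    "file_list": [r"D:\data\*", r"D:\data\reports\*"],  # hypothetical paths
}

def make_event(path, accesses, process_id="1200", user="jdoe"):
    """Build a constructed event-560 record with the 15 strings from the post."""
    s = [""] * 15
    s[0], s[1], s[2] = "Security", "File", path
    s[6], s[10], s[13] = process_id, user, accesses
    return {"type": 8, "id": 560, "origin": "Security", "strings": s}

def match_event(event, rule=RULE):
    """Return the decoded accesses that fire the rule, or [] if it does not fire."""
    header = (event["type"], event["id"], event["origin"])
    if header != (rule["type"], rule["id"], rule["origin"]):
        return []
    path = event["strings"][2].lower()  # @String2 = File Name
    # Assumption: shell-style wildcard, compared case-insensitively.
    if not any(fnmatchcase(path, p.lower()) for p in rule["file_list"]):
        return []
    # Test only @String13 (Accesses), one %%code at a time, so a Process ID or
    # Logon ID that happens to contain "4417" cannot fire the rule.
    codes = re.findall(r"%%(\d+)", event["strings"][13])
    return [ACCESS_NAMES[int(c)] for c in codes if rule["regex"].fullmatch(c)]

# Constructed sample events (not taken from a real log).
SAMPLES = [
    make_event(r"D:\data\payroll.xls", "%%1537 %%4417"),              # delete + write
    make_event(r"D:\data\payroll.xls", "%%1538 %%4416", "4417"),      # read only, PID 4417
    make_event(r"C:\temp\x.txt", "%%4417"),                           # outside the file list
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["strings"][2], "->", match_event(ev) or "no alert")
```

The second sample shows why the expression is applied to the Accesses field only: a search over all the event's strings would match the Process ID 4417 even though the access was read-only.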

