Using Snare Agents for File Integrity Monitoring (FIM)




Using Snare Agents for File Integrity Monitoring (FIM)

Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice. Page 1 of 10

Table of Contents

1. About this paper ... 3
2. General Overview ... 4
3. FIM Settings for Snare Enterprise Agent for Windows ... 5
4. FIM Settings for Snare Enterprise Agent for Linux ... 7
5. FIM Settings for Snare Enterprise Agent for Solaris and OS X ... 8
6. About ... 10

1. About this paper

This document is designed to assist a systems/security administrator with managing File Integrity Monitoring (FIM) with Snare Enterprise Agents.

2. General Overview

For many years systems have used third-party software features to perform checksums on a selected group of files and directories as a method to track file changes. This has been known as File Integrity Monitoring, or FIM. This software would keep a master database repository of the checksums of the selected files and directories. It would then run periodic checks of all the files again to compare the current state to the master copy. These checks would typically be performed weekly or daily, depending on the business needs.

The principle behind the checksum approach was to detect a change to a file or directory; this would then trigger an alert report to highlight that the file or the contents of a directory had changed from the master copy. The report would show the details of the file, including the change time, file size or owner information, along with the before and after details. The administrator would then have to determine who had made the change, how it was made and what data had actually changed, whether it was of concern and whether any action was required.

While the traditional FIM solutions are very good for detecting that a change has occurred, they are limited: they do not allow the administrator to know who made the change, how many times they changed files and what they used to make the change.

The Snare Enterprise agents for Windows and Unix have the ability to monitor all file-based activity and provide a much greater depth of information than traditional FIM solutions. The reporting ability of the Enterprise agents includes all read, write, change and delete activity on a file or directory. The Snare Enterprise agents can track and report on these changes in near real time, so if unauthorised activity is occurring the events are captured and sent to the SIEM system as they occur, with minimal delay. These events can then be processed and real-time alerts initiated to warn security staff that changes are occurring.

If the SIEM system is the Snare Server, it can generate these alerts as the events are received, or base them on specific threshold levels before reporting. The events provide much greater detail than traditional FIM solutions in that they show the specific user ID and the commands used to change or view the file (i.e. the text editor, script or program that was run). If a user makes multiple changes to the file, each instance of the change is recorded, compared to only a single summary that a change occurred with traditional FIM solutions. Additionally, the Snare Enterprise agent will report any attempted access to files or directories that was not successful as a failure event. This can also capture potential malicious activity on systems and may give early warning of a potential data breach.

There are several Snare Enterprise agents available that can support FIM needs:

- Snare Enterprise Agent for Windows
- Snare Enterprise Agent for Linux
- Snare Enterprise Agent for Solaris
- Snare Enterprise Agent for OS X

To see the feature set of the Enterprise Agents, go to the InterSect Alliance website at https://www.intersectalliance.com/our-product/snare-agent/.

This document instructs users of the Snare Enterprise Agent on how to use it for File Integrity Monitoring based on your operating system platform.
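The checksum-based approach described above, as an added example written for this page (not Snare code): a master snapshot of hash, size, mtime and owner per file, a periodic compare that reports added, removed and modified files with before/after values, and a demo() on a constructed temporary tree. Everything it returns is "what changed"; the report has no field for who or with which program, which is the gap the overview describes.

```python
import hashlib
import os
import tempfile

def _digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def baseline(root):
    """Snapshot the attributes a classic FIM tool keeps in its master copy."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue  # classic tools hash regular files only
            st = os.stat(p)
            snapshot[os.path.relpath(p, root).replace(os.sep, "/")] = {
                "sha256": _digest(p), "size": st.st_size,
                "mtime": int(st.st_mtime), "uid": st.st_uid,
            }
    return snapshot

def compare(master, current):
    """Periodic check: diff the master copy against a fresh snapshot. It can
    say what changed and how, but never who changed it or with what tool."""
    report = {"added": [], "removed": [], "modified": {}}
    for path in sorted(set(master) | set(current)):
        if path not in master:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif master[path] != current[path]:
            report["modified"][path] = {  # attribute -> (before, after)
                k: (master[path][k], current[path][k])
                for k in master[path] if master[path][k] != current[path][k]
            }
    return report

def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, rel), mode) as f:
        f.write(text)

def demo():
    """Constructed sample tree: baseline it, change it (edit, delete, create)
    as an administrator might, then run the check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "payroll"))
    _write(root, "payroll/salaries.csv", "alice,1000\n")
    _write(root, "old.txt", "retire me\n")
    master = baseline(root)
    _write(root, "payroll/salaries.csv", "bob,9999\n", mode="a")  # edit
    os.remove(os.path.join(root, "old.txt"))                       # delete
    _write(root, "new.txt", "dropped in\n")                        # create
    return compare(master, baseline(root))
```

Calling demo() prints a report with one added, one removed and one modified path; in practice the master snapshot would be stored off-host, since an attacker who can edit the watched files can usually edit a local baseline too.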

3. FIM Settings for Snare Enterprise Agent for Windows

To configure the Snare Enterprise Windows agent to perform File Integrity Monitoring, perform the following basic steps:

1. Review the critical parts of the operating system and applications that need to be monitored. In general there will be many files, directories and registry keys that need to be monitored.
2. Document these parts of the system that need to be audited and monitored.
3. Create Snare objectives to match the configuration that you documented.

The basic process to configure a file monitoring objective is as follows:

1. Allow SNARE to automatically set file audit configuration on the network configuration screen. If this is not set in the agent then all of the objective settings will need to be set manually or via group policy. Using this setting enables the file system auditing to be controlled by the Snare objective settings. In order for Windows to collect file and registry access records, not only must the correct audit category be selected, but the correct object auditing parameters must also be set. Setting this field will automatically set these parameters, based on the objectives which have been set. It is highly recommended that this checkbox be selected.
2. Open the objective screen and select the Access to a file or directory radio button.
3. For file auditing, enter the target file or directory into the General Search Term of the objective, e.g. c:\payroll\. For registry auditing (HKEY_LOCAL_MACHINE only), enter MACHINE\keyname into the General Search Term of the objective, e.g. MACHINE\SOFTWARE\InterSectAlliance\AuditService.
4. Select the event types to be collected, i.e. Success, Failure, Informational, Warning. The source of these logs will generally be Security.
5. If applicable, set the criticality of the event so it can be tracked in Snare Server if events are being tracked in this way. Some events may be more critical than others, so this feature allows events to be grouped in ways that make them more applicable for reporting.

Once all the settings are set as desired, press the Change Configuration button to save the objective. Repeat this approach for all desired files or folders that require auditing enabled. Once all the objectives have been made, select the Apply the latest audit configuration button and restart the agent.

4. FIM Settings for Snare Enterprise Agent for Linux

The approach for enabling File Integrity Monitoring for Linux is similar to Windows; however, the directory structure and options available are slightly different due to the operating system. The Unix / Linux agents have a separate file watch section in the objective screen that allows objectives to be created on files or directories.

To configure the Snare Enterprise Linux agent to perform File Integrity Monitoring, perform the following basic steps:

1. Review the critical parts of the operating system and applications that need to be monitored. In general there will be many files and directories that need to be monitored.
2. Document these parts of the system that need to be audited and monitored.
3. Create Snare objectives to match the configuration that you documented.

To configure a file watch objective in Linux:

1. Allow SNARE to automatically set audit configuration on the network configuration screen. If this is not set in the agent then all of the objective settings will need to be set manually or via manual updates to the audit.rules configuration file. Using this setting enables the file system auditing to be controlled by the Snare objective settings. In order for Linux to collect file and directory access logs, not only must the correct audit category be selected, but the correct audit rules must also be applied to the auditing system. Setting this field will automatically set these parameters, based on the objectives which have been set. It is highly recommended that this checkbox be selected.
2. Open the objective screen and select the Add for a new file watch radio button.
3. For file auditing, enter the target file or directory into the File watch path of the objective, e.g. c:\payroll\.
4. Select the event permissions to watch, i.e. wa for all writes and accesses to files.
5. Enter a regex to match events of a specific type or user.
6. If applicable, set the alert level of the event so it can be tracked in Snare Server if events are being tracked in this way. Some events may be more critical than others, so this feature allows events to be grouped in ways that make them more applicable for reporting.
7. Once complete, press the Change Configuration button and apply the latest audit configuration to restart the agent.

The figure below displays a file watch objective for the Snare Enterprise Linux agent:
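The agent turns file watch objectives like the ones above into rules in the kernel audit subsystem's audit.rules. As an added example (not Snare code), the block below renders the equivalent auditd watch rules for a set of constructed objectives (auditd's -p flags are r, w, x and a, where a means attribute change) and then parses constructed audit records of the kind those rules produce, picking out the who, what, how and success/failure detail that section 2 contrasts with checksum-only FIM. The paths, keys and sample records are all constructed for this example.

```python
import re

# Constructed objectives for this example: path -> auditd permission flags
# (r read, w write, x execute, a attribute change); "wa" is the page's example.
OBJECTIVES = {"/etc/passwd": "wa", "/etc/shadow": "wa", "/var/www/payroll": "rwa"}

def render_audit_rules(objectives, key_prefix="fim"):
    """Render the auditd watch rules a file-watch objective stands for; the
    key on each rule tags its records so they can be routed and alerted on."""
    rules = []
    for path, perms in sorted(objectives.items()):
        if not perms or not set(perms) <= set("rwxa"):
            raise ValueError(f"bad permissions {perms!r} for {path}")
        key = key_prefix + "_" + re.sub(r"[^A-Za-z0-9]+", "_", path).strip("_")
        rules.append(f"-w {path} -p {perms} -k {key}")
    return "\n".join(rules)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def summarise_events(lines):
    """Group raw audit records by event serial and join each SYSCALL record
    with its PATH records to answer who, what, how and whether it succeeded."""
    by_serial = {}
    for line in lines:
        m = _SERIAL.search(line)
        if m:
            rec = {k: v.strip('"') for k, v in _KV.findall(line)}
            by_serial.setdefault(int(m.group(1)), []).append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue  # PATH/CWD records without their SYSCALL record: incomplete
        events.append({
            "serial": serial,
            "who": {"auid": sc.get("auid"), "uid": sc.get("uid")},  # login vs effective
            "how": sc.get("exe") or sc.get("comm"),
            "what": [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r],
            "success": sc.get("success") == "yes",
            "key": sc.get("key"),
        })
    return events

# Constructed sample records in auditd's format (not captured from a real host):
# a root edit of /etc/passwd by a user who logged in as uid 1000, then a denied
# read of /etc/shadow by uid 1001, which checksum FIM would never see.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:42): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1901 pid=2044 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="fim_etc_passwd"
type=PATH msg=audit(1700000000.101:42): item=0 name="/etc/passwd" inode=131210 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:43): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2200 pid=2211 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="fim_etc_shadow"
type=PATH msg=audit(1700000000.205:43): item=0 name="/etc/shadow" inode=131211 dev=fd:00 mode=0100000 ouid=0 ogid=42 nametype=NORMAL
"""

if __name__ == "__main__":
    print(render_audit_rules(OBJECTIVES))
    for ev in summarise_events(SAMPLE_LOG.splitlines()):
        print(ev)
```

Note that auid (the login uid) survives su and sudo while uid does not, so alerting on auid is what answers "who" when the edit was made as root.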

5. FIM Settings for Snare Enterprise Agent for Solaris and OS X

The approach for enabling File Integrity Monitoring for Solaris and Mac OS X is similar to Linux; however, the objective settings are slightly different due to the operating system audit differences. The Solaris and OS X agents need to use filtering options on the objectives to select the files or directories. For Sun Solaris and Mac OS X agents the operating system does not have the same facility as Linux, so the events have to be selected based on the search term parameters.

To configure the Snare Enterprise Solaris and OS X agent to perform File Integrity Monitoring, perform the following basic steps:

1. Review the critical parts of the operating system and applications that need to be monitored. In general there will be many files and directories that need to be monitored.
2. Document these parts of the system that need to be audited and monitored.
3. Create Snare objectives to match the configuration that you documented.

The basic process to configure an objective to capture file auditing events is as follows:

1. Allow SNARE to automatically set audit configuration on the network configuration screen. If this is not set in the agent then all of the objective settings will need to be set manually or via manual updates to the audit.rules configuration file. Using this setting enables the file system auditing to be controlled by the Snare objective settings. In order for Solaris or OS X to collect file and directory access logs, not only must the correct audit category be selected, but the correct audit rules and auditing parameters must also be set. Setting this field will automatically set these parameters, based on the objectives which have been set. It is highly recommended that this checkbox be selected.
2. Open the objective screen and select the Add for a new objective button.
3. Select the any event radio button.
4. Enter the event IDs to be monitored; for example, the following list will monitor all file opens, changes and writes to the file: open_rc,open_rt,open_rtc,open_rw,open_rwc,open_rwt,open_rwtc,creat,mkdir,mknod,link,symli
5. In the Search Term field enter the file(s) to be monitored, e.g. ^/etc/(passwd|shadow)$
6. Adjust the user Search Term to match or exclude users as desired.
7. Select the type of event to be collected: success, failure or both.
8. If applicable, set the alert level of the event so it can be tracked in Snare Server if events are being tracked in this way. Some events may be more critical than others, so this feature allows events to be grouped in ways that make them more applicable for reporting.
9. Once complete, press the Change Configuration button and apply the latest audit configuration to restart the agent.

In the Snare Enterprise Solaris agent the screen is as follows:


6. About

Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have been, and continue to be, used in the most sensitive areas of Government and business sectors. Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems. Intersect Alliance welcomes and values your support, comments, and contributions.

For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:

The Americas: +1 (800) 834 1060 Toll Free; +1 (303) 771 2666 Denver
Asia Pacific: +61 8 8213 1200 Adelaide, Australia
Europe and the UK: +44 (797) 090 5011
Email: intersect@intersectalliance.com
Visit: www.intersectalliance.com