[Dshield] File Trail Audits

Dave Hatz davehatz at hatzventures.org
Fri May 25 20:59:38 GMT 2007


Matt,
What is a SAGE Member?  Just curious.

Thanks,
Dave  

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Matthew Baker
Sent: Friday, May 25, 2007 1:04 PM
To: General DShield Discussion List
Subject: Re: [Dshield] File Trail Audits

A bit late on the reply for this, but I think as far as Windows goes the
best tool for this would be WinResMon. This was presented at the LISA
conference last year. It keeps track of all file & registry changes and
software installations, including information on the times of the changes,
the users that executed the commands that led to those changes, and a dependency
tree view of the system calls or application stacks that led to a change.

It's a tool being developed by M$ and unfortunately is not yet available. =[

The only data I can find by a google search is restricted to SAGE members
only. However, if you do a search the first result is a PDF for the paper
(hint: click "view as html" ;-).

As for a Windows platform, people may be interested in the reporting features
of the configuration management tool Bcfg2.
http://trac.mcs.anl.gov/projects/bcfg2/wiki/NewDynamicReports

HIDS are a must for all systems, but they do not replace user access
auditing. They can tell you when a change occurred but not by whom and why. I
would concur that linking an SCM system into configuration management can be
invaluable and can provide a primitive "rollback" functionality.

Cheers,

Matt

Brad Morgan wrote:
>> ... and I pointed out the 2nd Daniel, but it's good enough to mention
>> twice. If I understand you correctly you want some form of file
>> integrity checking. You can accomplish it in two
>> ways:
>>
>> -Using Windows file auditing (information will go to the Windows 
>> event log)
>>
>> -Using a file integrity checking tool.
>>
>>
>> Someone already pointed out how to do the first, but for
> 
> I deleted the message that described how to do the first. I thought 
> I'd just go to the archives and fetch it again, but the archives don't 
> seem to be up-to-date. Should they be? I found the archives by going 
> to http://www.dshield.org/indexd.html and clicking Contacts. On that 
> page I clicked DShield Discussion List which took me to 
> http://lists.dshield.org/mailman/listinfo/list. On that page I clicked 
> on archive which took me to http://forum.dshield.org/list.php?2.
> 
> I entered the subject of this thread and clicked search. Nothing was 
> found.
> 
> Help!
> 
> Regards,
> 
> Brad Morgan
> 
> _________________________________________
> 
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses taught 
> by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)

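The second approach Brad's quote lists (a file integrity checking tool), as an added illustration that is not part of this thread and is not WinResMon, Bcfg2 or any other tool named above. It baselines SHA-256 hashes of every regular file under a directory, stores the baseline as JSON, and diffs a later snapshot against it to report added, removed and modified paths. The directory layout, file names and the "hostile" hosts entry are constructed for the demo. It also makes Matt's point concrete: the checker reports what changed and roughly when (from mtime), but nothing in it can say who made the change or why; that information only exists in OS-level access auditing such as the Windows event log.

```python
"""File-integrity baseline checker (added example, not a tool from the thread).

Baselines every regular file under a directory (SHA-256, size, mtime), then
diffs a later snapshot against it and reports added / removed / modified paths.
Like a HIDS file-integrity check it answers *what* changed and roughly *when*
(from mtime), but not *who* made the change or *why*; only OS-level access
auditing (e.g. the Windows event log) records the acting user.
"""
import hashlib
import json
import os
import tempfile


def _sha256(path, chunk=65536):
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_posix_path: {"sha256", "size", "mtime"}} for regular files under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, devices, sockets: hash only real file content
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _sha256(full), "size": st.st_size, "mtime": int(st.st_mtime)}
    return snap


def save_baseline(snap, baseline_path):
    """Persist the snapshot. Keep this somewhere the monitored host cannot quietly rewrite it."""
    with open(baseline_path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots on content hash only; mtime is informational, not evidence."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, run the check."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "tree")
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "old.conf"), "w") as f:
            f.write("keep=1\n")

        baseline_path = os.path.join(work, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Tamper: edit one file, delete one, drop in a new one (all constructed).
        with open(os.path.join(root, "etc", "hosts"), "a") as f:
            f.write("10.0.0.5 update.example.com\n")  # constructed hostile entry
        os.remove(os.path.join(root, "etc", "old.conf"))
        with open(os.path.join(root, "etc", "evil.conf"), "w") as f:
            f.write("persist=1\n")

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script prints the three categories for the constructed tree; the only path in each is the one the demo tampered with. Note that the report carries no user or process information at all, which is exactly the gap that Windows file auditing (event log entries with the acting account) or a tool like WinResMon is meant to fill.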