[Dshield] File Trail Audits
davehatz at hatzventures.org
Fri May 25 20:59:38 GMT 2007
What is a SAGE Member? Just curious.
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Matthew Baker
Sent: Friday, May 25, 2007 1:04 PM
To: General DShield Discussion List
Subject: Re: [Dshield] File Trail Audits
A bit late on the reply for this, but I think as far as Windows goes the
best tool for this would be WinResMon. This was presented at the LISA
conference last year. It keeps track of all file & registry changes and
software installations, including information on the times of the changes,
the users that executed the commands that led to those changes, and a dependency
tree view of the system calls or application stacks that led to a change.
It's a tool being developed by M$ and unfortunately is not yet available. =[
The only data I can find by a Google search is restricted to SAGE members
only. However, if you do a search, the first result is a PDF of the paper
(hint: click "view as html" ;-).
As for a Windows platform, people may be interested in the reporting features
of the configuration management tool Bcfg2.
HIDS are a must for all systems, but they do not replace user access
auditing. They can tell you when a change occurred but not by whom and why. I
would concur that linking an SCM system into configuration management can be
invaluable and can provide a primitive "rollback".
Brad Morgan wrote:
>> ... and I pointed out the 2nd Daniel, but it's good enough to mention
>> twice. If I understand you correctly, you want some form of file
>> integrity checking. You can accomplish it in two
>> -Using Windows file auditing (information will go to the Windows
>> event log)
>> -Using a file integrity checking tool.
>> Someone already pointed how to do the first, but for
> I deleted the message that described how to do the first. I thought
> I'd just go to the archives and fetch it again, but the archives don't
> seem to be up-to-date. Should they be? I found the archives by going
> to http://www.dshield.org/indexd.html and clicking Contacts. On that
> page I clicked DShield Discussion List which took me to
> http://lists.dshield.org/mailman/listinfo/list. On that page I clicked
> on archive which took me to http://forum.dshield.org/list.php?2.
> I entered the subject of this thread and clicked search. Nothing was
> Brad Morgan
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses taught
> by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
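The thread contrasts file integrity checking (which reports what changed and when) with user access auditing (which records who made the change). The following is an added example, not code from any poster or tool named in the thread, showing the baseline-and-compare core of a minimal file integrity checker. The directory layout, file names and contents in `demo()` are constructed for illustration. Note that the report it produces has no actor field at all: that is exactly the gap the post says only Windows file auditing or an equivalent access audit can fill.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record a content hash plus size/mtime for each regular file.

    Paths are stored relative to `root` in POSIX form so a baseline taken on
    one host can be compared against another with the same layout.
    """
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        stat = path.stat()
        baseline[rel] = {
            "sha256": sha256_file(path),
            "size": stat.st_size,
            "mtime": int(stat.st_mtime),
        }
    return baseline


def save_baseline(baseline: dict, out_path: str) -> None:
    """Persist the baseline; in practice keep this copy off the monitored host."""
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path: str) -> dict:
    return json.loads(Path(in_path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and content-modified files.

    The comparison is on the hash only: mtime and size are recorded for
    triage but a file whose bytes are unchanged is not flagged. The report
    deliberately contains no "who" field, because a hash comparison cannot
    know it; that information has to come from access auditing.
    """
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(
            p for p in before & after
            if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, mutate it, and diff it."""
    with tempfile.TemporaryDirectory() as root:
        tree = Path(root)
        (tree / "etc").mkdir()
        (tree / "etc" / "app.conf").write_text("debug=0\n")
        (tree / "bin.exe").write_bytes(b"MZ\x90\x00")  # constructed stub, not a real PE

        baseline_file = tree / "baseline.json"
        save_baseline(build_baseline(root), str(baseline_file))
        baseline_file.unlink()  # don't count the baseline itself as a tracked file
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Simulated changes: config edited, a new file dropped, a binary removed.
        (tree / "etc" / "app.conf").write_text("debug=1\n")
        (tree / "dropped.dll").write_bytes(b"\x00")
        (tree / "bin.exe").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints a report naming `etc/app.conf` as modified, `dropped.dll` as added and `bin.exe` as removed, with nothing about which account did it; correlating that report with the event log entries from Windows file auditing (or an SCM commit log, as the post suggests) is what supplies the "who" and "why".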