Re: Audit Tools

From: H C (keydet89@yahoo.com)
Date: 08/29/01


Message-ID: <20010829185828.33627.qmail@web14604.mail.yahoo.com>
Date: Wed, 29 Aug 2001 11:58:28 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: Re: Audit Tools
To: Serge Wroclawski <serge@tux.org>, milt@necam.com

I agree 100% with the idea of a conceptual framework
for auditing systems. Since I have some experience
with this on Windows systems, I thought I'd respond...

The first step is to understand what it is you're
looking for. Auditing systems for installed software
is different from auditing for security. On NT/2K
systems, 'security' is made up of several components:

1. Permissions/ACLs
2. Audit settings
3. User info, group membership, and privileges
4. Registry settings (keys, values)
5. Services (running, stopped, current status)
6. Etc...

A variety of freeware tools exist to retrieve all of
this information, and more. However, they all provide
different output, so the information must still be
filtered.

Further, the sysadmin must interpret the data.
Commercial tools assume an arbitrary definition of
'security', and generally do not consider issues such
as firewall rulesets, NAT'ing, domain structures,
VLANS, etc. Also, security policies must be
considered.

At Usenix's LISA-NT '00, I presented a framework for
situations just like these...and a very similar
framework is also applicable to incident response. The
solution basically amounts to using either a series of
Perl scripts, or one big one, to retrieve the data of
interest from remote systems. This information may
then be filtered by additional scripts, and analyzed
by the sysadmin.

I'd be happy to discuss this further either here in
the forum, or via email.

Carv

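The filtering step the post describes, as an added example that is not the author's Perl code: collected `sc query` text from an NT/2K host is normalised to one record per service and compared against a site policy the sysadmin supplies. The sample output and the POLICY table are constructed for the example.

```python
import re

# Constructed sample of `sc query` output (not a real capture); one block per service.
SAMPLE_SC_QUERY = """
SERVICE_NAME: EventLog
DISPLAY_NAME: Event Log
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
"""

# Hypothetical site policy (the 'security policy' the post says must be considered):
# service name -> state it is required to be in on audited hosts.
POLICY = {"EventLog": "RUNNING", "Messenger": "STOPPED", "TlntSvr": "STOPPED"}

_NAME = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.M)
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.M)


def parse_sc_query(text):
    """Normalise `sc query` text into {service_name: state_word}."""
    services = {}
    # Records are separated by blank lines; each holds one SERVICE_NAME and STATE line.
    for block in re.split(r"\n\s*\n", text.strip()):
        name = _NAME.search(block)
        state = _STATE.search(block)
        if name and state:
            services[name.group(1)] = state.group(1)
    return services


def check_policy(services, policy):
    """Return (service, expected, actual) for each deviation; 'MISSING' if not installed."""
    findings = []
    for svc, expected in sorted(policy.items()):
        actual = services.get(svc, "MISSING")
        if actual != expected:
            findings.append((svc, expected, actual))
    return findings


if __name__ == "__main__":
    for svc, want, got in check_policy(parse_sc_query(SAMPLE_SC_QUERY), POLICY):
        print(f"{svc}: expected {want}, found {got}")
```

Output from other retrieval tools can be fed through the same check once its own parser produces the name-to-state dictionary.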