Re: Audit Tools

From: H C (keydet89@yahoo.com)
Date: 08/29/01


Message-ID: <20010829185828.33627.qmail@web14604.mail.yahoo.com>
Date: Wed, 29 Aug 2001 11:58:28 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: Re: Audit Tools
To: Serge Wroclawski <serge@tux.org>, milt@necam.com

I agree 100% with the idea of a conceptual framework
for auditing systems. Since I have some experience
with this on Windows systems, I thought I'd respond...

The first step is to understand what it is you're
looking for. Auditing systems for installed software
is different from auditing for security. On NT/2K
systems, 'security' is made up of several components:

1. Permissions/ACLs
2. Audit settings
3. User info, group membership, and privileges
4. Registry settings (keys, values)
5. Services (running, stopped, current status)
6. Etc...

A variety of freeware tools exist to retrieve all of
this information, and more. However, they all provide
different output, so the information must still be
filtered.

Further, the sysadmin must interpret the data.
Commercial tools assume an arbitrary definition of
'security', and generally do not consider issues such
as firewall rulesets, NAT'ing, domain structures,
VLANs, etc. Also, security policies must be
considered.

At Usenix's LISA-NT '00, I presented a framework for
situations just like these...and a very similar
framework is also applicable to incident response. The
solution basically amounts to using either a series of
Perl scripts, or one big one, to retrieve the data of
interest from remote systems. This information may
then be filtered by additional scripts, and analyzed
by the sysadmin.

I'd be happy to discuss this further either here in
the forum, or via email.

Carv

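An added example, not Carv's own scripts, of the retrieve-and-filter stage described in the post: a Perl script that pulls service state and local Administrators membership from remote NT/2K hosts into one uniform record format and flags deviations from a small policy. It assumes the Win32::Service and Win32::NetAdmin modules are installed; the host names and policy values are constructed placeholders.

```perl
#!/usr/bin/perl
# Pull service state and local Administrators membership from remote NT/2K
# hosts, print one uniform record per line for later filtering, and flag
# deviations from a small policy. Hypothetical example; host names and
# policy values are constructed placeholders.
use strict;
use warnings;
use Win32;
use Win32::Service;
use Win32::NetAdmin;

# Constructed policy: services that must not be running, and the only
# accounts (DOMAIN\name) allowed in the local Administrators group.
my %must_be_stopped = map { $_ => 1 } qw(TlntSvr Messenger);
my %allowed_admins  = ('EXAMPLEDOM\\Domain Admins' => 1);
my @hosts = @ARGV or die "usage: $0 host [host ...]\n";
my @findings;
for my $host (@hosts) {
    # Services: GetServices fills display name => service name; the state
    # comes from GetStatus per service (CurrentState 4 = SERVICE_RUNNING).
    my %services;
    unless (Win32::Service::GetServices($host, \%services)) {
        print "$host|error|services|", Win32::FormatMessage(Win32::GetLastError()), "\n";
        next;
    }
    for my $name (sort values %services) {
        my %status;
        Win32::Service::GetStatus($host, $name, \%status) or next;
        my $state = $status{CurrentState} == 4 ? 'running' : 'stopped';
        print "$host|service|$name|$state\n";
        push @findings, "$host: $name is running but policy says stopped"
            if $state eq 'running' && $must_be_stopped{$name};
    }

    # Local Administrators, returned as DOMAIN\name; the host's own built-in
    # Administrator account is always allowed.
    my %allowed = (%allowed_admins, "$host\\Administrator" => 1);
    my @admins;
    if (Win32::NetAdmin::LocalGroupGetMembersWithDomain($host, 'Administrators', \@admins)) {
        for my $member (@admins) {
            print "$host|group|Administrators|$member\n";
            push @findings, "$host: unexpected Administrators member $member"
                unless grep { lc($_) eq lc($member) } keys %allowed;
        }
    }
}
print "\n", scalar(@findings), " policy deviation(s)\n";
print "  $_\n" for @findings;
```

The pipe-delimited records are the "uniform output" stage: a second script can filter them with a plain regex or sort/diff them against a known-good baseline taken from the same host earlier.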


