How do I identify if any changes were made

Hi All,

According to our change management policy, all changes to production servers should be supported by supporting documents.  I would like to perform a test by looking for files that have been created/changed recently and comparing with supporting documents.  What is the best way of doing this on Windows and Unix servers?  Can I use the create date or modified date?  fyi there is no auditing of changes to files and system objects.

Thanks.
LVL 1
ISS_ExpertAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PhateonCommented:
For Linux/Unix, there is Tripwire - http://sourceforge.net/projects/tripwire/
or
AIDE - Advanced Intrusion Detection Environment - http://sourceforge.net/projects/aide/

Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.

Tripwire has two versions - Free & Semi-Free. AIDE is based on Tripwire and is free.

For Windows, many open source options:
DirGuard - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=36266&lngWId=1
Directory Monitor - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=24225&lngWId=1
BlackWire (Incomplete, based on Tripwire) - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=72266&lngWId=1
BcwanBlue (Sends alerts to Bluetooth enabled devices) - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=64615&lngWId=1

Many more. I have used TripWire for Unix & Directory Monitor for Win32.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
Since you are looking for existence to files existences in compliance to the workflow (and not auditing to file content, etc). Hence, the simple solution is just to set up the baseline and thereafter compare the differences made thereafter. Correlation of workflow and difference automatically is challenging but solution can ease the direct approach - you create your desired profile (identify the storage folders, etc) and the tracking reports are generated on the target with parameters like
- Filename, Date timestamp on creation, User  

You may like to take a look at the below solution:

a) Security Manager Plus 5.3 (Free Edition for windows and Linux, in Security Manager Plus, Change Management of Windows machines is governed by Profiles. Profiles are nothing but custom templates that are defined by users to capture a list of important files, folders and registry entries that need to be periodically tracked for changes during every scan. Change tracking can be done on Assets or Asset Groups. Multiple profiles can be associated to the same asset or asset group.

On the other thoughts, you may also want to monitor folders and sub folders for additional following changes:-
>File/Folder Attributes (read only or write/read - live doc)
>File/Folder Last Write Time (trace back actions)
>File/Folder Security Attributes (encrypt, compressed, specific group can access, etc)

For enterprise level (don't mind $$), check out FileSystemAuditor - http://www.scriptlogic.com/products/Filesystemauditor/

There is a free tool CDirectoryChangeWatcher doing similar - but no scalar
- http://www.codeproject.com/KB/files/directorychangewatcher.aspx

Last words, I see that change management should be automated as much but not forgetting security log collation - various log collation will help (if may server) and looking thru the report to flag any alert. Also having preventing external storage device connecting to server will have better constraint any hiccups to change mgmt....just my two cents.

Hope it helps
ISS_ExpertAuthor Commented:
Thanks guys.  At the moment I am not looking for a solution, but am trying to investigate changes that were made to files on certain servers (IIS web server).  Also, wouldn't enabling the audit object access in windows provide the same result as using a host based IDS?
btanExec ConsultantCommented:
Check out this this link talking about the possible auditing capability on servers. The key things are that there can be granular tracking for objects, events, access and etc. I will say that the Windows audit serve as baseline as whole platform and the rest of the software will be value add by doing correlation or having more details instead.

For example, in the tools mentioned above it can track specfic target folder/file you want to track but (at least to best knowledge) not for Window Audit whcih tends to be the whole OS. At least searching through will be easier using the 'focused' tools. The Windows will complement to check the other 'non-focused' events for correlation (in investigation like who is the last user that have login and etc).

Overall, they are complementary and good to have both - just like security pitch "defense in depth"

Link: http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
ISS_ExpertAuthor Commented:
Thanks guys.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.