How do I identify if any changes were made

Posted on 2009-07-13
Medium Priority
Last Modified: 2012-05-07
Hi All,

According to our change management policy, all changes to production servers should be supported by supporting documents.  I would like to perform a test by looking for files that have been created/changed recently and comparing with supporting documents.  What is the best way of doing this on Windows and Unix servers?  Can I use the create date or modified date?  fyi there is no auditing of changes to files and system objects.

Question by:ISS_Expert
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Accepted Solution

Phateon earned 500 total points
ID: 24869473
For Linux/Unix, there is Tripwire - http://sourceforge.net/projects/tripwire/
AIDE - Advanced Intrusion Detection Environment - http://sourceforge.net/projects/aide/

Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.

Tripwire has two versions - Free & Semi-Free. AIDE is based on Tripwire and is free.

For Windows, many open source options:
DirGuard - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=36266&lngWId=1
Directory Monitor - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=24225&lngWId=1
BlackWire (Incomplete, based on Tripwire) - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=72266&lngWId=1
BcwanBlue (Sends alerts to Bluetooth enabled devices) - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=64615&lngWId=1

Many more. I have used TripWire for Unix & Directory Monitor for Win32.
LVL 64

Assisted Solution

btan earned 500 total points
ID: 24884752
Since you are looking for existence to files existences in compliance to the workflow (and not auditing to file content, etc). Hence, the simple solution is just to set up the baseline and thereafter compare the differences made thereafter. Correlation of workflow and difference automatically is challenging but solution can ease the direct approach - you create your desired profile (identify the storage folders, etc) and the tracking reports are generated on the target with parameters like
- Filename, Date timestamp on creation, User  

You may like to take a look at the below solution:

a) Security Manager Plus 5.3 (Free Edition for windows and Linux, in Security Manager Plus, Change Management of Windows machines is governed by Profiles. Profiles are nothing but custom templates that are defined by users to capture a list of important files, folders and registry entries that need to be periodically tracked for changes during every scan. Change tracking can be done on Assets or Asset Groups. Multiple profiles can be associated to the same asset or asset group.

On the other thoughts, you may also want to monitor folders and sub folders for additional following changes:-
>File/Folder Attributes (read only or write/read - live doc)
>File/Folder Last Write Time (trace back actions)
>File/Folder Security Attributes (encrypt, compressed, specific group can access, etc)

For enterprise level (don't mind $$), check out FileSystemAuditor - http://www.scriptlogic.com/products/Filesystemauditor/

There is a free tool CDirectoryChangeWatcher doing similar - but no scalar
- http://www.codeproject.com/KB/files/directorychangewatcher.aspx

Last words, I see that change management should be automated as much but not forgetting security log collation - various log collation will help (if may server) and looking thru the report to flag any alert. Also having preventing external storage device connecting to server will have better constraint any hiccups to change mgmt....just my two cents.

Hope it helps

Author Comment

ID: 24901463
Thanks guys.  At the moment I am not looking for a solution, but am trying to investigate changes that were made to files on certain servers (IIS web server).  Also, wouldn't enabling the audit object access in windows provide the same result as using a host based IDS?
LVL 64

Expert Comment

ID: 24904077
Check out this this link talking about the possible auditing capability on servers. The key things are that there can be granular tracking for objects, events, access and etc. I will say that the Windows audit serve as baseline as whole platform and the rest of the software will be value add by doing correlation or having more details instead.

For example, in the tools mentioned above it can track specfic target folder/file you want to track but (at least to best knowledge) not for Window Audit whcih tends to be the whole OS. At least searching through will be easier using the 'focused' tools. The Windows will complement to check the other 'non-focused' events for correlation (in investigation like who is the last user that have login and etc).

Overall, they are complementary and good to have both - just like security pitch "defense in depth"

Link: http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

Author Closing Comment

ID: 31602749
Thanks guys.

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses
Course of the Month12 days, 17 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question