Solved

How do I identify if any changes were made

Posted on 2009-07-13
5
259 Views
Last Modified: 2012-05-07
Hi All,

According to our change management policy, all changes to production servers should be supported by supporting documents.  I would like to perform a test by looking for files that have been created/changed recently and comparing with supporting documents.  What is the best way of doing this on Windows and Unix servers?  Can I use the create date or modified date?  fyi there is no auditing of changes to files and system objects.

Thanks.
0
Comment
Question by:ISS_Expert
  • 2
  • 2
5 Comments
 
LVL 7

Accepted Solution

by:
Phateon earned 250 total points
ID: 24869473
For Linux/Unix, there is Tripwire - http://sourceforge.net/projects/tripwire/
or
AIDE - Advanced Intrusion Detection Environment - http://sourceforge.net/projects/aide/

Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.

Tripwire has two versions - Free & Semi-Free. AIDE is based on Tripwire and is free.

For Windows, many open source options:
DirGuard - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=36266&lngWId=1
Directory Monitor - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=24225&lngWId=1
BlackWire (Incomplete, based on Tripwire) - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=72266&lngWId=1
BcwanBlue (Sends alerts to Bluetooth enabled devices) - http://www.pscode.com/vb/scripts/ShowCode.asp?txtCodeId=64615&lngWId=1

Many more. I have used TripWire for Unix & Directory Monitor for Win32.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 24884752
Since you are looking for existence to files existences in compliance to the workflow (and not auditing to file content, etc). Hence, the simple solution is just to set up the baseline and thereafter compare the differences made thereafter. Correlation of workflow and difference automatically is challenging but solution can ease the direct approach - you create your desired profile (identify the storage folders, etc) and the tracking reports are generated on the target with parameters like
- Filename, Date timestamp on creation, User  

You may like to take a look at the below solution:

a) Security Manager Plus 5.3 (Free Edition for windows and Linux, in Security Manager Plus, Change Management of Windows machines is governed by Profiles. Profiles are nothing but custom templates that are defined by users to capture a list of important files, folders and registry entries that need to be periodically tracked for changes during every scan. Change tracking can be done on Assets or Asset Groups. Multiple profiles can be associated to the same asset or asset group.

On the other thoughts, you may also want to monitor folders and sub folders for additional following changes:-
>File/Folder Attributes (read only or write/read - live doc)
>File/Folder Last Write Time (trace back actions)
>File/Folder Security Attributes (encrypt, compressed, specific group can access, etc)

For enterprise level (don't mind $$), check out FileSystemAuditor - http://www.scriptlogic.com/products/Filesystemauditor/

There is a free tool CDirectoryChangeWatcher doing similar - but no scalar
- http://www.codeproject.com/KB/files/directorychangewatcher.aspx

Last words, I see that change management should be automated as much but not forgetting security log collation - various log collation will help (if may server) and looking thru the report to flag any alert. Also having preventing external storage device connecting to server will have better constraint any hiccups to change mgmt....just my two cents.

Hope it helps
0
 
LVL 1

Author Comment

by:ISS_Expert
ID: 24901463
Thanks guys.  At the moment I am not looking for a solution, but am trying to investigate changes that were made to files on certain servers (IIS web server).  Also, wouldn't enabling the audit object access in windows provide the same result as using a host based IDS?
0
 
LVL 62

Expert Comment

by:btan
ID: 24904077
Check out this this link talking about the possible auditing capability on servers. The key things are that there can be granular tracking for objects, events, access and etc. I will say that the Windows audit serve as baseline as whole platform and the rest of the software will be value add by doing correlation or having more details instead.

For example, in the tools mentioned above it can track specfic target folder/file you want to track but (at least to best knowledge) not for Window Audit whcih tends to be the whole OS. At least searching through will be easier using the 'focused' tools. The Windows will complement to check the other 'non-focused' events for correlation (in investigation like who is the last user that have login and etc).

Overall, they are complementary and good to have both - just like security pitch "defense in depth"

Link: http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
0
 
LVL 1

Author Closing Comment

by:ISS_Expert
ID: 31602749
Thanks guys.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
thick vs thin client forensics 1 1,117
Mobile Tracking 8 476
It Auditing & Penetration Testing 11 220
forensics diagnostic netcat 10 85
The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file.…
In this era, as you know, cybercrime and other sorts of frauds using the internet has increased day by day. We should protect our information assets and confidential information from getting exploiting by the attacker or intruders. Most of the fraud…
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question