Pedestal Software, LLC
Intact™
Change Detection and Integrity Checking for Windows NT®
VERSION 2.0
· Figure 7: Comparing a database with a system ........ 18
· Figure 18: NTUSER and NTGROUP changes detected ........ 35
Chapter 1
Change detection and integrity checking
Intact is Pedestal Software’s Change Detection System for Windows NT. Chapter 1 is a general discussion of uses for change detection, including basic concepts in computer security and a typical use for change detection. You may want to skip it if you are already familiar with the concepts of change detection, integrity checking and intrusion detection.
This manual assumes that the reader is familiar with the configuration and maintenance of a Windows NT system. It will not delve into the system layout, directory structure, or registry structure of the Windows NT operating system; there are many books available which discuss this at length. Chapter 3 outlines some considerations that are important when integrating Intact into your security processes.
Intact reports on changes made to computer systems. The most common use for change detection today is for recognizing host intrusion. Intrusion Detection Systems (IDS) assist administrators in locating compromises and attempts to gain access to a computer system without proper authorization. Intact helps security administrators monitor systems for security breaches by detecting changes to a computer system and reporting on them.
Intrusion detection has three aspects:
1) Detecting a break-in
2) Assessing damage
3) Repairing the damage and closing security holes
Intact helps you manage this by providing administrators with details on when, how, and what changes were made.
By considering a system as a whole unit, independent of its external interfaces, Intact tracks any additions, deletions and changes to data which may be evidence of unauthorized access. This information can help you assess and repair security holes in your system. For instance, it can detect if an insider changes any security parameters in a way that would allow intruders (or other insiders) to gain access to important and sensitive information. It can help to locate Trojan horse programs which may have been surreptitiously copied onto your computer (for example, Back Orifice or NetBus).
Intact does not secure your computer systems or network but does report on changes to the existing security configuration. Properly locking down your network and computer systems requires planning and policy design.
If implemented correctly, an integrity checker will detect any change to the objects it monitors, even if the attacker is sophisticated enough to cover his tracks in the log files: it compares the live system against a stored baseline rather than trusting the logs. This only holds if the baseline database and the configuration file are themselves kept out of the attacker’s reach.
Intact can verify the integrity of data. It answers the question: has my data been altered?
Intact verifies data integrity by keeping a copy of all relevant information about the system, its hardware, software, operating system and files in a database. This database can be systematically compared with the active system to detect any changes to that data and the system. The database may contain all the actual data stored in the system. More commonly, only the configuration files, significant parameters and file signatures[1] are stored.
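As an added worked example (not Pedestal’s code), the build/check cycle described above in its simplest form: a baseline of file signatures is built from a clean system and later compared against the live system, reporting additions, deletions and changes without consulting any audit log. The signature algorithm (SHA-256), the (size, digest) record layout and the sample file contents are my assumptions; the manual does not document Intact’s own database format.

```python
# Added example, not Pedestal's code. Assumptions: SHA-256 as the file
# signature and a (size, hex digest) record; Intact's real format is not
# described in the manual.
import hashlib
import os
from typing import Dict, List, Tuple

Record = Tuple[int, str]        # (size in bytes, hex digest)
Database = Dict[str, Record]    # object name -> record


def signature(data: bytes) -> Record:
    return (len(data), hashlib.sha256(data).hexdigest())


def build_from_bytes(files: Dict[str, bytes]) -> Database:
    """Build mode over in-memory objects (used for the constructed sample)."""
    return {name: signature(data) for name, data in files.items()}


def build_from_dir(root: str) -> Database:
    """Build mode over a real directory tree: hash every regular file in
    chunks, keyed by its path relative to root."""
    db: Database = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            size = 0
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
                    size += len(chunk)
            key = os.path.relpath(path, root).replace(os.sep, "/")
            db[key] = (size, h.hexdigest())
    return db


def check(baseline: Database, live: Database) -> Dict[str, List[str]]:
    """Check mode: compare the stored baseline against the live system.
    Nothing here reads an audit log, so an intruder who scrubs the logs
    still shows up as a changed, added or deleted object."""
    return {
        "added": sorted(set(live) - set(baseline)),
        "deleted": sorted(set(baseline) - set(live)),
        "changed": sorted(n for n in baseline.keys() & live.keys()
                          if baseline[n] != live[n]),
    }


# Constructed sample: a clean system at build time ...
CLEAN = {
    "winnt/system32/notepad.exe": b"MZ original notepad image",
    "winnt/system32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "winnt/repair/sam._": b"compressed SAM backup",
}
# ... and the same system after a break-in: notepad.exe replaced by a
# same-length trojan (a size-only check would miss it), a new binary
# dropped, and the repair copy of the SAM removed.
COMPROMISED = {
    "winnt/system32/notepad.exe": b"MZ trojaned notepad image",
    "winnt/system32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "winnt/system32/patch.exe": b"MZ backdoor",
}


def demo() -> Dict[str, List[str]]:
    return check(build_from_bytes(CLEAN), build_from_bytes(COMPROMISED))


if __name__ == "__main__":
    for kind, names in demo().items():
        for name in names:
            print(f"{kind:8s} {name}")
```

The trojaned notepad.exe has exactly the same size as the original, so only the digest exposes it; the baseline produced by build_from_dir is the "database" the manual tells you to keep on protected media, because whoever can rewrite it can hide any change.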
One example is tracking the activities of software. Installation programs, for example, must be run as “Administrator”, which allows them to easily undo your carefully implemented security setup, either maliciously or through careless programming by the program’s designer.
Another example is verifying that core operating files and settings have not been altered on laptops borrowed by staff at your organization.
There are several file integrity checkers for Unix and NT. No other integrity checker, however, is as integrated with NT: Intact verifies information about NT users and groups and the sophisticated levels of security which NT provides. Intact uses the security engine found at the core of our NTSEC suite of tools, which extracts and synthesizes every aspect of a file’s or registry key’s content, security and auditing. Intact provides an easy-to-use graphical user interface. Intact Intelligence and Intact Enterprise can watch the change behavior of a computer system for several days and automatically create a comprehensive list of non-changing data and characteristics whose integrity should be verified, without reporting on expected changes. This greatly enhances the ease of configuration.
· Comprehensive system auditing
· Intrusion and change detection
· Data integrity and data corruption detection
· Track changes made by installation programs or other applications
· Monitor daily system activity
· Hardware change detection
· Year 2000 compliance
Network Intrusion Detection Systems actively scan the network. Other host Intrusion Detection Systems simply scan system logs and report unusual activity. This approach, often called scanning, is proactive and may catch an intruder before he causes damage or steals sensitive information. However, these tools only look for approaches which are already well known. A hacker who discovers a new strategy may slip through the limited set of tests which scanning software performs, and by the time the alarm is sounded the intruder may already have gained access to the system. Furthermore, scanning software normally does not report what, if anything, an intruder has changed.
Scanning software also tends to give many false positives and warnings. Many scanners closely examine system and file audit logs. However, if the system has been compromised, then the system and its logs may also have been changed. Furthermore, the hacker may only be interested in weakening the security of your system in order to extract sensitive information in the future. Lastly, the culprit may not be an intruder at all, but a malicious insider.
Although scanning is a valuable resource for preventing and detecting unauthorized access to your system, it is often of little value when managing a break-in’s impact or for gathering evidence after a break-in has occurred.
Intact is distributed on write-protected diskettes or a CD. It includes a “SETUP.EXE” application that will install all necessary files and create a simple configuration for you and optionally schedule execution. When installing Intact, make sure you start with a completely secure, clean and virus-free system.
The default installation will copy over all the files, create a configuration that uses self-ident mode to try to identify the important components of your system for 6 days before it begins detecting changes. By selecting different options, you will be able to modify this default behavior.
1) Execute “SETUP.EXE”.
2) Click “NEXT” to continue with the installation. If at any time, you wish to stop the installation, click “CANCEL”. If you make a mistake and want to return to an earlier box, press “BACK”.
3) Enter the information required keeping in mind the following points (some of the following points may not apply if you did not select to create a configuration file).
· The installation directory is where all the files are stored by default.
· When Intact asks you whether you want to create a log file locally or email it, you can choose either one or both. If you decide to mail the log output, you will need to know the email address you wish to send to, as well as the name of the computer which can accept and forward email for your network (the SMTP server). Intact uses its own email delivery system rather than the Windows NT messaging system because of security considerations.
· If you choose syslog or eventlog notifications, you can optionally select a server to receive them. If you want the notifications sent to the local machine, leave the Server field blank. If you do select a remote server, make sure you change the permissions on the remote system so that it accepts remote notifications.
· Intact will make a best attempt at determining which drives are local to your system (that is, physically connected). For security reasons and for network efficiency, a computer should check only its local drives.
Installing Enterprise requires consideration of how much control you wish to give the remote machine. Enterprise works on a client/server model. There are three distinct components which comprise Intact Enterprise.
1) SQL database which will store all the tables necessary for the operation of Intact across your network.
2) Administrator: this program will connect to the SQL database and view events, change configurations, add hosts, and other administrative tasks. Furthermore, it will connect remotely to client machines to browse drives, registry hives and send commands directly to clients.
3) Client: this program will reside on client machines and connect to the SQL database periodically to receive commands and send events.
A typical setup has one SQL database, one Administrator and many Clients.
To prepare a SQL database, you must set up a new database or namespace for Intact, create user accounts which the clients will use to connect to the database and initialize the database with the Administrator.
1) Create a database. Each database vendor works differently in terms of creating databases or namespaces, so this document assumes you know how to do that. The Administrator will connect to this database using an SA or DBA account so that it may create tables and assign permissions. Clients will connect using special user accounts which will be used exclusively to connect to the database. Each client machine should have its own account, so that when the Administrator grants and revokes permissions depending on the working stage of the client (build vs. check) such changes will not affect other machines. Furthermore, if the client machine is compromised, the only tables exposed will be those belonging to that client machine.
2) Initialize. The Intact Administrator will initialize a database when it first connects to it. It will detect that certain tables are not present, prompt you for the database vendor and create tables as it needs to.
3) Connect clients. After the Administrator initializes the database, you should create accounts for each client that will connect. Use the Host/New menu. When prompted fill in the form with the required information. The defaults are recommended, except for the user account where you will have to enter the user account name that you created for each client.
The administrator can be set up on the same machine as the database or on a separate machine. It does not require the Intact executable or the Intact service to run. However, you must set up an ODBC connection to the SQL database which you have created. This must be done on all machines which will connect to the database. To do this, bring up the Settings from the Start menu and choose “ODBC data sources”. If you are installing the Client and the Administrator, make sure you set up a “System DSN” and not a “User DSN” so that the DSN will be available to the services which may run on that machine. Your database manual should cover the details of creating a new DSN.
The “Typical” installation will install both the Administrator and the Client software. If you just want the Administrator, choose “Custom”.
Additionally, the Administrator requires the Microsoft ActiveX Data Objects to connect to the SQL database. If you received a CD, you may install ADO by executing “mdac_typ.exe” located on your CD. This file may also be obtained from Pedestal by request, or on the web from Microsoft by visiting “http://www.microsoft.com/Data/mdac2.htm” and downloading “MDAC 2.1 typical install”.
The client only needs the Intact program, the Intact service and the Intact Control Panel. The “Compact” installation option is suitable for a client machine which will do no administration. The Intact Control Panel is needed in order to configure the connection to the database. It may be removed after the configuration is complete, or its installation may be skipped if you alter the registry directly. These topics are covered in “Control Panel Registry Keys” on page 8.
Before a client can connect to the SQL database, you must set up an ODBC connection. To do this, bring up the Settings from the Start menu and choose “ODBC data sources”. Make sure you set up a “System DSN” and not a “User DSN” so that the DSN will be available to the service which will run on that machine. Your database manual should cover the details of creating a new DSN.
Intact creates a Control Panel which will handle most of the functionality of the Intact programs. When you start up the control panel, you should get the command screen. The numbers below indicate regions which will be explained in detail.
· Figure 1: Control panel
Region 1 contains a button which starts or stops the Intact service. Intact runs as a service in order to schedule itself and have access to all system objects. The current status of the service is displayed on the left. Press the button to start Intact if it is not running, or to stop it if it is running.
To enable or disable the Intact service, you can also use the “Services” control panel.
The Enterprise version of the software contains parameters for connecting to a centralized secure repository of configuration information. This feature is disabled in the Open Use version and the Intelligence version of the software.
For the Open Use and Intelligence versions, you must use a configuration file. For the Enterprise version, you may use a configuration file or an ODBC database, but not both. Choose one or the other by selecting the appropriate radio button.
The configuration file can be located anywhere in the file system, including remote read-only directories or diskettes. It is highly recommended that the configuration file be secured against unauthorized tampering and review. The best way to do this is to place it on read-only media, or on a share whose permissions grant read/write access only to Administrators and no rights to everyone else. Regular users should not be able to read this file, since it tells an attacker exactly which objects are and are not being watched.
The contents of this file will be described below in the “Configuration file” section on page 20.
Intact can be activated in one of three ways:
1) From the Control Panel.
2) Execution: By executing the intact.exe executable you can perform all functions.
3) Polling: The creation of a file, or a table entry in ODBC “wakes up” intact so that it can execute any pending commands.
Polling is the process of looking to see if a file exists or a table in ODBC has pending commands. Intact will continuously look for the existence of the file indicated in the “Forcepoll file” entry box. The polling interval is the number of minutes between checks for the ODBC table. Polling is only available in the Enterprise version.
Intact can be scheduled to run unattended at various times[2]. You schedule Intact by selecting the minutes, hours, etc. for which you want to execute. When you select multiple items in one list, Intact will run at each one. For example, if you select “Any” for hour and “00” and “30” for minutes, Intact will run twice every hour, once on the hour and once on the half hour.
The buttons along the bottom of the Control Panel allow you to immediately begin a check, build, or other function. Pressing these buttons to “Build” or “Check” will bring up a window which will display the output and messages from Intact. Pressing the “Edit Config” button will bring up a configuration browser which will be described in the section “Configuration Browser”.
Button    Action
Help      Bring up the HTML help file
Apply     Make changes permanent but do not close the window
OK        Apply changes and close the window
Cancel    Do not make any changes and close the window
· Table 1: Control panel buttons
This option allows you to add additional variables which you want to define in the configuration file. This is a comma-separated list of “variable=value” pairs. This feature will become clearer in the context of the configuration file description later in this manual.
Intact and the Intact Control Panel applet use the following registry key values under HKEY_LOCAL_MACHINE\Software\Pedestal Software\Intact. For the Enterprise version, most of this information is stored in the SQL database, and not in the registry.
Key                        Description
ServiceConfigFile          Location of the Intact configuration file, e.g. “c:\applications\intact\intact.icf”.
ServiceConfigType          Boolean: 0=Enterprise, 1=Intelligence/Open Use.
ServiceExecutionSchedule   Cron-formatted execution schedule, e.g. “0 1 * * *”.
ServiceExtraDefines        Comma-separated list of NAME=VALUE pairs.
ServiceForcepollFile       File location of the Enterprise version polling file.
ServiceNonStop             Boolean: 0=run as scheduled; 1=run continuously.
ServiceODBCDatasource      Enterprise version datasource name.
ServiceODBCLogin           Enterprise version login name.
ServiceODBCPassword        Enterprise version database password, stored in a reversible obfuscated format. Anyone who can read this value can recover the password, so restrict the permissions on the Intact registry key to administrators.
ServiceODBCTable           Enterprise version database configuration name. Normally the COMPUTERNAME of the workstation or server.
ServicePollingInterval     Enterprise version polling interval, in minutes.
ServiceScheduleActivate    Boolean: 0=disable execution schedule; 1=enable execution schedule.
<behavior db path>         In Intelligence and Enterprise, a full path to a behavior database. This value is used to count down self-identification runs in auto mode.
· Table 2: Registry keys for Control Panel
This functionality is not supported in the Open Use or Intelligence versions.
The Intact Enterprise Administrator is a GUI tool for administering the central repository of Intact databases, configurations and output logs. It will also allow you to modify the settings on client machines, schedule builds, checks and issue other commands to the clients.
· Figure 2: Intact Enterprise Administrator
When first run, the administrator will prompt you to log into an ODBC data source which connects to the Intact database. You must first set this up on your system using the ODBC control panel which NT provides. Please make sure to read “ODBC Setup” on page 14 later in this chapter for important information about getting Intact to work with your particular database vendor.
If you plan on making changes to the database, the login you use must have select, update, insert, delete access to all tables in the database as well as create, grant, revoke access on the database. The best type of account to use is an SA or DBA account.
Also, some databases create user spaces for tables created by specific users. For example, if you log in as “db2admin”, all your tables will be prefixed with “db2admin”. This is important because the Administrator expects certain tables to be in the default namespace, so if a different user logs in, he or she may be unable to see any configurations. This can be used to manage permissions and to create sandbox environments where administrators are only allowed to manage a subset of systems. More information is in the section “SQL Table Structures” on page 14.
The first thing which the Enterprise Administrator does when connecting to a new database is ask whether you want to prepare the database for Intact use. If you select “No”, nothing will happen.
If you choose “Yes”. The Enterprise Administrator will first ask you about what type of database server you are using. Intact will use this information to determine how to access your database and create tables. If you need more information see “SQL Table Structures” on page 14. After selecting the best choice, the Enterprise Administrator will attempt to create all the necessary tables and open up a blank Hosts List.
The first window to come up is the hosts list, which lists all the hosts managed by this user on this server. This list contains four columns.
· Figure 3: Hosts list
These columns are:
1) Computer name: the host name known to the database. This may or may not correspond to the actual hostname used by TCP/IP networks or NetBIOS.
2) Status: indicates whether there are any pending commands or actions.
3) Mode: a guess of the current mode of operation. This field is determined by looking at the detection database.
4) Items Flagged: number of records flagged in the output table.
Right-click on a single host to get the menu shown in the previous figure. This menu allows you to operate on the host entries. The options are:
1) Properties: Display information about the host, its settings, how to establish connections, database properties, permissions, etc.
2) Configure: Bring up the configuration browser for this host. The configuration browser is described in its own section.
3) View Output: Bring up the output viewer and display all output in the database. The output viewer is described in its own section.
4) Commands: Display the client commands issued, pending and executed.
5) Delete: Delete the entry from your host list and remove all its associated tables. This command will permanently remove the detection database, configuration, and output for this host.
6) New: Create a new entry for a new or existing host.
Selecting the properties menu option brings up the properties dialog box.
· Figure 4: Properties dialog box
This dialog box allows you to change all sorts of parameters about the host and connectivity.
This section includes information about connecting to the database server.
1) Client user name: This is the name which the client will use to connect to the server. The password is stored on the client only and must be changed from there.
2) Table name prefix: Intact creates all sorts of tables for this host. They all begin with this prefix (such as “www_det”, “www_output”).
3) Change Permissions: This will issue grant and revoke commands to the database so that the user in “Client user name” will have limited permissions to perform only the roles you select.
4) SQL Settings: Allows you to modify the type of database and database defaults which the Enterprise Administrator will use. This rarely needs to be changed.
This is the schedule which the client will keep for running “Auto mode” of intact. The schedule is in the cron[3] format.
To edit using an easy-to-use graphical form, press the “?” button. This button will bring up a window with five listboxes which allow you to select the times and days to execute.
An example may serve to illustrate the cron format. If you select “0” and “30” for minutes, the scheduler will execute every time the system clock shows minutes of 0 or 30 such as 1:00, 1:30, 2:00, 2:30, etc. If, in addition, you select only hours of “5”, it will execute only at 5:00 and 5:30. It will execute every time the system clock matches all of the parameters you select.
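The following is an added worked example (not Pedestal’s code) of the schedule matching described in this section and used for the Control Panel schedule and the ServiceExecutionSchedule registry value: a matcher for the five-field cron expression with the “all fields must match” rule the text gives. It supports “*”, single values, comma lists and ranges; step syntax and Vixie cron’s day-of-month/day-of-week OR rule are deliberately left out because the manual does not describe them. The ISO 8601 string input and the next_runs helper are my additions.

```python
# Added example, not Pedestal's code: five-field cron matcher with the
# AND semantics described in the manual (every field must match).
from datetime import datetime, timedelta
from typing import List, Set, Union

# Inclusive bounds per field: minute, hour, day of month, month, day of week
BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(field: str, low: int, high: int) -> Set[int]:
    """Expand one field ("*", "5", "0,30", "9-17", "1-5,7") into a set."""
    if field == "*":
        return set(range(low, high + 1))
    values: Set[int] = set()
    for part in field.split(","):
        if "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
        else:
            a = b = int(part)
        if not (low <= a <= b <= high):
            raise ValueError(f"{field!r}: value outside {low}-{high}")
        values.update(range(a, b + 1))
    return values


def parse_cron(expr: str) -> List[Set[int]]:
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, BOUNDS)]
    if 7 in sets[4]:            # both 0 and 7 conventionally denote Sunday
        sets[4].discard(7)
        sets[4].add(0)
    return sets


def _as_datetime(when: Union[datetime, str]) -> datetime:
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def _matches(sets: List[Set[int]], when: datetime) -> bool:
    minute, hour, dom, month, dow = sets
    weekday = (when.weekday() + 1) % 7       # Python Monday=0 -> cron Sunday=0
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and weekday in dow)


def cron_matches(expr: str, when: Union[datetime, str]) -> bool:
    """True if the schedule fires at `when` (datetime or ISO 8601 string)."""
    return _matches(parse_cron(expr), _as_datetime(when))


def next_runs(expr: str, start: Union[datetime, str], count: int,
              horizon_days: int = 366) -> List[datetime]:
    """The next `count` firing times at or after `start`, scanning minute by
    minute; a schedule that never fires within the horizon returns fewer."""
    sets = parse_cron(expr)
    t = _as_datetime(start).replace(second=0, microsecond=0)
    end = t + timedelta(days=horizon_days)
    runs: List[datetime] = []
    while t < end and len(runs) < count:
        if _matches(sets, t):
            runs.append(t)
        t += timedelta(minutes=1)
    return runs


if __name__ == "__main__":
    # The worked example from the text: minutes 0 and 30, hour 5 only.
    for r in next_runs("0,30 5 * * *", "2000-01-01T00:00", 3):
        print(r.strftime("%Y-%m-%d %H:%M (%a)"))
```

Running next_runs against a proposed schedule before entering it in the Properties dialog is a quick way to confirm that a check really fires when you expect, for instance that “0 1 * * *” runs exactly once a day and not once a minute during the 1 o’clock hour.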
Polling is when the client looks to see if there are any pending commands to execute. Commands are covered later in this section.
The client will look for commands at an interval which is specified by the “minutes” field at the bottom of the dialog box. If this item is set to 0, the client will not check at all. Keep in mind that if the client is not checking, the only way to issue commands is by using a force poll method described below or by logging on directly to the client.
Additionally, you can select a force poll method. This method will create a file on the remote system. The client is configured to look for this file at all times. When it sees the file, it will look for pending commands and execute them. The client will look for the file specified in the box “Forcepoll path”.
These are the supported methods:
1) None: Don’t create a file.
2) FTP: Use FTP to create the file.
3) Windows Net: Use Windows Networking to create the file.
4) Command: Execute an external command which will create the file.
If you select FTP or Windows Net, another dialog box will come up asking for information about how to establish the connection, such as the remote host, user, password, path, etc. You can select the checkbutton at the bottom of the dialog to have the Administrator prompt you for this information every time before creating the file. Keep in mind that anything you enter in this dialog box will be stored in the database in a scrambled but crackable form, so you may not want to enter the password.
The action tab covers a variety of operations you may want to perform for the host.
1) Send Command: Bring up the commands dialog described below.
2) Show Output: Bring up the Output Viewer.
3) Edit Configuration: Bring up the Configuration Browser.
4) Poll Now: Create a forcepoll file.
5) Duplicate Host: Create a new entry in the host list based on this host.
Additionally, a checkbox allows you to select whether a forcepoll file should be created every time you issue a new command to the remote host. This simplifies remote administration and ensures that commands will be executed promptly.
A text area is provided for entering any notes you wish.
Commands are issued by the Enterprise Administrator to the clients. Typical commands are “Build”, “Check”, etc. When a command is issued, it is placed in a table on the database. The client periodically looks at the table for new commands and when it finds them, it executes them. The interval for checks is set at the client or in the Properties dialog box. After choosing “Commands” from the pop-up menu or the pull-down menu, a dialog box comes up listing all the commands on the table.
· Figure 5: Host commands dialog box
Commands which are no longer needed are removed with the “Delete” button. This button will remove all entries with the same “Order” column value as the currently selected item. Thus, with this button, you can easily remove all completed items.
New commands are issued by choosing an item from the “New client command” pull-down listbox. The commands provided are:
1) Build: build a new database based on the current configuration.
2) Check: check an existing database against the current state of the system.
3) Make configuration: during self-identification mode, you can cause intact to create a new configuration file even if self-identification mode has not finished.
4) Auto configure: run Intact automatically. This is the mode which is typically used for self-identification mode. Intact will determine whether it should be checking the behavior of the system, creating a new configuration, building a new database or checking the system.
5) Reload settings: when you change settings (schedule, ODBC, etc.), use this command to make sure the client software will use the new settings.
6) Ping: checks to make sure the client is responding. The client marks these commands as successful without doing anything.
Both the Administrator and the Intact client use ODBC to communicate with your central database. Therefore, you must set up a valid ODBC DSN to connect to the same database. Instructions for setting up the DSN vary depending on the database vendor. However, some considerations are important.
1) Not all ODBC drivers support all features necessary to run Intact properly. Ensure that you are using the latest ODBC drivers. Use of old or incorrect drivers may crash Intact. Your driver must be ODBC 3.0 Level 2 compliant. We recommend installing MDAC 2.1, which is downloadable from Microsoft.
2) The Administrator uses ADO 2.0 to access data through ODBC. Both ADO and ODBC must be installed on the computers which will run the Administrator. Most installations of NT have the proper library support.
The Enterprise Administrator creates two tables to keep track of hosts and database settings.
Table       Purpose
host_list   List of hosts. Columns: Host (name of host displayed in the host list), Stable (SQL table prefix for host-specific tables), Notes (any notes displayed in the Properties dialog box).
host_info   Key/value pairs of configuration information related to the database.
· Table 3: SQL configuration tables
Additionally, for each host, four tables are created. Each table name is the “stable” table prefix followed by the extension given in the table below.
Extension   Purpose
_det        The detection database. Columns: k, i, s, v. These columns are used internally for various purposes.
_conf       The configuration and command table. Columns: Name (setting), Statusid (status of command, if this is a command setting), Status (text representation of statusid with explanation), S (size of config column), Config (value of setting).
_output     The output log. Columns: Id (a line number), Itemtype (type of record), Item (name of item being flagged), Rtype (type of flag), Msg (text message).
_cinfo      Information about the computer, stored as key/value pairs. The client does not have access to this table; it is used by the Administrator.
· Table 4: SQL client tables
The user name used to log in with the Administrator must have the following access to the database used.
1) CREATE TABLE
2) DROP TABLE
The user which logs into the client should have no access to the tables when they are created. The Administrator will grant and revoke access as needed when the host changes roles. There are two roles:
1) Check: This role grants only select access to the _det and _conf tables. It grants update access to _conf columns status and statusid. It also grants only insert access to _output (and select to _output column id so it can keep writing sequentially)
2) Build: In addition to the check permissions, this mode grants insert, update and delete access to the _det table.
The same user name can be used by more than one client to access the database; however, because of the sensitive nature of the Intact database, this is not recommended. Each client machine should use its own user name, so that if a client is compromised, the attacker can only cause damage for that one machine by altering the status of commands or entering rows into its _output table.
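As an added example (not Pedestal’s code), the permission matrix of the two roles above written out as the GRANT/REVOKE script a DBA would review, with a small audit helper to confirm what a script actually confers. The SQL syntax assumed is the MS SQL Server/Sybase style with column lists in parentheses; the table names follow the “<prefix>_det” pattern from Table 4, and the prefix “www” and user “www_client” are made up for illustration. The column_select switch models the Oracle caveat discussed below, where per-column SELECT cannot be granted and the client ends up able to read the whole _output table.

```python
# Added example, not Pedestal's code. Assumed SQL syntax: MS SQL Server /
# Sybase style GRANT ... (columns) ON table TO user. Prefix and user names
# are illustrative.
from typing import List

CLIENT_TABLES = ("_det", "_conf", "_output")   # _cinfo is never exposed to clients


def revoke_all(prefix: str, user: str) -> List[str]:
    """Every role change starts from a clean slate."""
    return [f"REVOKE ALL ON {prefix}{ext} FROM {user};" for ext in CLIENT_TABLES]


def check_role(prefix: str, user: str, column_select: bool = True) -> List[str]:
    """Check role: read the baseline and settings, report command status,
    append output. With column_select=False (databases that cannot grant
    SELECT on one column) the client can read the whole _output table."""
    stmts = [
        f"GRANT SELECT ON {prefix}_det TO {user};",
        f"GRANT SELECT ON {prefix}_conf TO {user};",
        f"GRANT UPDATE (status, statusid) ON {prefix}_conf TO {user};",
        f"GRANT INSERT ON {prefix}_output TO {user};",
    ]
    if column_select:
        stmts.append(f"GRANT SELECT (id) ON {prefix}_output TO {user};")
    else:
        stmts.append(f"GRANT SELECT ON {prefix}_output TO {user};")
    return stmts


def build_role(prefix: str, user: str, column_select: bool = True) -> List[str]:
    """Build role: everything in check, plus the right to rewrite the baseline."""
    return check_role(prefix, user, column_select) + [
        f"GRANT INSERT, UPDATE, DELETE ON {prefix}_det TO {user};",
    ]


def switch_role(prefix: str, user: str, role: str,
                column_select: bool = True) -> List[str]:
    """Script for moving one host between the check and build stages."""
    if role == "check":
        grants = check_role(prefix, user, column_select)
    elif role == "build":
        grants = build_role(prefix, user, column_select)
    else:
        raise ValueError(f"unknown role {role!r}")
    return revoke_all(prefix, user) + grants


def grants_privilege(stmts: List[str], privilege: str, table: str) -> bool:
    """Audit helper: does any GRANT in the script confer `privilege` on `table`?"""
    for s in stmts:
        if s.startswith("GRANT") and f" ON {table} " in s:
            privs = s[len("GRANT "):s.index(" ON ")]
            privs = privs.split(" (")[0]            # drop a column list
            if privilege in [p.strip() for p in privs.split(",")]:
                return True
    return False


if __name__ == "__main__":
    print("\n".join(switch_role("www", "www_client", "check")))
```

Because each host has its own prefix and its own login, a compromised client that replays this script’s rights can only touch its own _det, _conf and _output tables; the _cinfo table and every other host’s tables never appear in a client grant.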
It is typical for many database servers to assign created tables to the creating user’s space. A database which does this will require tables to be accessed as username.table instead of simply table. If this is the case for you, you will have to take extra precautions that on each client machine the “Intact Config Name” entry in the Control Panel is preceded by the appropriate username.
Furthermore, since the Administrator creates the global tables “host_list” and “host_info” in its own space, only the user used to log into the Administrator when these tables are created will be able to see them. You can use this to your advantage by creating different “views” of the Intact database for different users.
This database is the preferred database for using Intact. It is the only fully-supported database because it handles Unicode characters properly. There are no special considerations for using SQL Server. One thing to keep in mind is to set the “Clear log on checkpoint” option when installing SQL Server.
In addition, MS SQL Server and Sybase both require the periodic running of an “update statistics” command on all the tables which contain indexes in order to achieve optimal performance. If SQL accesses seem slow, it is advisable to have your DBA issue this command. Since performance degrades over time, it is even better if the execution of this command is scheduled periodically.
Oracle will work well with Intact. However, because the current version does not handle Unicode completely, some features may look strange. For example, file names with Unicode characters will show up with a “?” in the non-ASCII characters. Intact will function properly, but the reporting will not be as clear.
Also, some versions of Oracle may not support SELECT permissions on specific columns, so this feature is turned off. This means that anyone who gets the client-side username and password will be able to read the output table (but not update it).
IBM’s DB2 also works well with Intact. Like Oracle, it cannot handle Unicode properly. Additionally, if you are using an older version of DB2, you must change your db2cli.ini file in your “SQLLIB” (or wherever you installed the DB2 client software) directory. Add “LONGDATACOMPAT=1” to the section where your Intact database is defined.
Other databases may or may not work depending on the syntax they use to define binary objects and large text object and their support of GRANT/REVOKE. You may want to try different settings and checking to see if tables were created, errors generated and permission set properly. Your best bet is to try “Oracle” first.
intact.exe is the command which builds and checks the database. It performs all the critical functions of Intact. It is typically executed by the Control Panel, but may also be executed independently; this section describes how. Not all functions described here are available in the Open Use version: self-identification, make-conf and auto mode are only available in the Intelligence and Enterprise versions.
intact.exe has several command-line options which affect reporting and performance. Each time intact is executed, it will read the configuration file you specify. That configuration file contains rules for processing the file system and the registry. The format of this file is outlined in the next section.
Intact works in five operating modes: build, check, self-identification, make-conf and auto.
Mode | Description
build | Build mode builds a new detection database for use in subsequent check mode or self-identification mode executions.
check | Check mode reports on changes to the system since its state was last recorded in an Intact detection database.
self-identification | Self-identification mode is a unique feature of Pedestal Software's integrity checking system. The idea behind self-identification is to observe the system and record the changes occurring to files, directories and registry keys, so that Intact can build a configuration file automatically, pruning the objects, or the aspects of objects, which are likely to change on a system. The scope and duration of the observation period are user-defined.
make-conf | After a sufficient observation period you may instruct Intact to use the self-identification information to build a new configuration file. This is accomplished by running Intact in make-conf mode. Make-conf mode takes a configuration file and a behavior database as inputs and produces a new configuration file as output. The new configuration file will have a scope within that of the supplied configuration file, even if the behavior database contains information about objects outside that scope.
auto | Auto mode is intended for completely automated installation and configuration. It is the default mode when Intact is installed. In auto mode, Intact observes the system for some period of time, automatically produces a configuration file, and from then on automatically reports changes to a centralized management station.
· Table 5: Intact execution modes
· Figure 6: Creating a new database
When creating a database, you execute intact.exe specifying a configuration file and database file name such as
intact -build web1.icf a:\web1.idb
intact will then read the configuration file which specifies which directories, files and registries to read (or not read) and begin storing all relevant information about these objects into the detection database. If you are running in self-identification mode, Intact will also create the initial behavior database. Typically, the database is stored on a removable media, such as.
When you have created the database, remove the disk and store it in a secure location. The database records where and when it was created and with what configuration file, but it is not itself guarded against alteration. Any person with physical access to the disk could alter the database to match malicious changes made to the system. Write-protecting the disk will at least prevent programs from changing the data without physical interaction. A further check that costs little: the "-digest" option described under Command line interface computes the MD5 and SHA1 digests of a file; record the digests of the freshly built database off-line and compare them before each check, so that a substituted or edited database is noticed before it is trusted.
· Figure 7: Comparing a database with a system
When you wish to check the system against the database, first reinsert the disk or removable media with the database, or connect to the network drive which contains the database. Then execute the check command. Make sure you use the same configuration file.
intact -check web1.icf a:\web1.idb
The configuration file contains information about notification of errors. They may be reported on the screen or sent via e-mail to a particular user. Additionally, if running in self-identification mode, the behavior database will be updated to reflect detected changes. You may also specify more parameters on the command line to control various aspects of verification, creation and reporting. See the section Command line interface below on page 27.
Self-identification mode is a unique feature to Pedestal Software’s integrity checking system. The idea behind self-identification is to observe the system and record changes occurring to files, directories and registry keys to allow Intact to build a configuration file automatically pruning the objects or aspects of objects which are likely to change on a system. Auto mode described in the next section makes this process easy to use and administer.
The scope and duration of the observation period are user-defined. Self-identification mode requires a configuration file, a detection database and a behavior database. The behavior database is supplied in the configuration file by #define'ing BEHAVIORDB; the command line is the same as for check mode:
intact -check myconfig.icf moving-baseline.idb
When preparing for self-identification mode, the general idea is to keep the configuration file broad and simple, including even those files which you know change frequently or are even inaccessible (for example “c:\pagefile.sys”). Intact will observe which aspects of all objects[4] within this scope do not change and all aspects of objects within the scope that do change. For example, the file “c:\winnt\system32\config\system” may not be accessible for recording the SHA hash, but is accessible for recording the ACL and last modified time. Intact will observe this behavior and build a configuration file (in make-conf mode) instructing Intact to report on the aspects of objects not likely to change. It is acceptable to ignore the errors and other output during this phase.
Self-identification mode creates a new detection database each time it is run, which permits Intact to observe changes in the system between runs. The old detection database is discarded each time, as it is no longer needed. More specifically, during a self-identification run the system is compared to the current detection database and at the same time a new database is built under the old name plus a ".inuse" extension. When the self-identification run has completed, the old detection database is removed and the new one is renamed to the original name. At the same time, the behavior database is updated to reflect the observed changes and object properties. If no behavior database exists yet, a new one is created.
After an observation period you may instruct Intact to use the self-identification information to build a new configuration file. This is accomplished by running Intact in make-conf mode. Make-conf mode takes a configuration file and a behavior database as inputs and produces a new configuration file as output. The new configuration file will have a scope within that of the supplied configuration file, even if the behavior database contains information about objects outside that scope. The behavior database parameter must be supplied in the configuration file by #define'ing BEHAVIORDB (or on the command line with -DBEHAVIORDB=myconfig.bhv). For example:
intact -makeconf myconfig.icf output-config.icf
Auto mode helps you automate the installation and configuration of self-identification. It is the default mode when installing Intact. In auto mode, Intact observes the system for some period of time, then produces a configuration file, and after that reports changes to a centralized management station. See the section on event notification for the options and configuration details. In this mode Intact uses the "hklm\software\pedestal software\intact" registry key to keep a countdown timer for self-identification mode. When this timer has expired, a new configuration file is automatically generated; the existing one is renamed with a ".orig" extension, and subsequent runs are in check mode. You can revert to self-identification mode simply by copying the original configuration file over the current one.
You generally want to retain the behavior database even when the self-identification mode observation period has completed. When new software is added to the system and as changes are made, Intact can reuse the behavior database to continually learn more about the system’s behavior and subsequently produce more accurate configuration files. It’s also advisable to save the detection database used for self-identification and not to overwrite it with a new baseline. When you reset Intact into self-identification mode because of system changes, Intact will be able to observe changes since the last self-identification run.
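To make the observe-then-prune cycle concrete, here is a small simulation added for this manual; it is not part of Intact. It keeps a behavior database as an in-memory dictionary, feeds it three constructed snapshots of a handful of files, then produces object lines restricted to the configured scope, using the Table 14 flag letters and the "!" prefix of Table 10 for an object with nothing stable left. The property names, the None marker for a property Intact could not read, and the pruning thresholds attached to MAKECONF_SENSITIVITY are assumptions of the example; Intact's real .bhv format and thresholds are not documented here.

```python
# File properties used in this simulation and their Table 14 flag letters.
FLAG_OF = {"attributes": "t", "created": "c", "accessed": "a",
           "modified": "m", "size": "s", "sha": "2"}

def new_behavior_db():
    """behavior[object][property] -> counters (an in-memory stand-in for the .bhv file)."""
    return {}

def record(behavior, obj, prop):
    return behavior.setdefault(obj, {}).setdefault(
        prop, {"compared": 0, "changed": 0, "unreadable": 0})

def observe(behavior, previous, current):
    """One self-identification run: compare the fresh snapshot with the previous detection
    database and note, per property, whether it changed or could not be read (None).
    Returns the snapshot that becomes the next run's baseline."""
    for obj, props in current.items():
        for prop, value in props.items():
            rec = record(behavior, obj, prop)
            if value is None:
                rec["unreadable"] += 1
            if previous is not None and obj in previous:
                rec["compared"] += 1
                if previous[obj].get(prop) != value:
                    rec["changed"] += 1
    return current

def unstable(rec, sensitivity):
    """Assumed meaning of MAKECONF_SENSITIVITY: how often a property may change before
    make-conf drops it. high: any change; normal: more than half the runs; low: every run."""
    ratio = rec["changed"] / rec["compared"] if rec["compared"] else 0.0
    return {"high": ratio > 0, "normal": ratio > 0.5, "low": ratio >= 1.0}[sensitivity]

def make_conf(scope, behavior, sensitivity="normal"):
    """Emit object lines for objects under one of the `scope` paths, keeping only the
    readable, stable properties; an object with nothing stable left is excluded with '!'."""
    lines = []
    for obj in sorted(behavior):
        if not any(obj.lower().startswith(s.lower()) for s in scope):
            continue        # the behavior db may describe objects outside the config's scope
        keep = "".join(flag for prop, flag in FLAG_OF.items()
                       if not record(behavior, obj, prop)["unreadable"]
                       and not unstable(behavior[obj][prop], sensitivity))
        lines.append(f"{obj} {keep}" if keep else f"!{obj}")
    return lines

# Constructed snapshots for three consecutive runs (not real data).
K32, SYS = r"C:\WINNT\system32\kernel32.dll", r"C:\WINNT\system32\config\system"
TMP, PF, WEB = r"C:\WINNT\Temp\~df1234.tmp", r"C:\pagefile.sys", r"D:\WWWROOT\default.htm"

def snapshot(run):
    return {
        K32: dict(attributes="A", created=1, accessed=100 + run, modified=50, size=700000, sha="k32"),
        # hive file: hash unreadable while in use; written on every run; grows once
        SYS: dict(attributes="AS", created=1, accessed=100 + run, modified=50 + run,
                  size=2000000 + (4096 if run == 2 else 0), sha=None),
        # scratch file recreated on every run: nothing about it is stable
        TMP: dict(attributes="AH" if run % 2 else "A", created=run, accessed=run,
                  modified=run, size=10 * run, sha=f"t{run}"),
        PF: dict(attributes="HS", created=1, accessed=None, modified=None, size=None, sha=None),
        WEB: dict(attributes="A", created=1, accessed=100, modified=50, size=1234, sha="web"),
    }

def simulate(sensitivity="normal", runs=3):
    """Run the observation period, then make-conf over the C:\\WINNT and pagefile scope."""
    behavior, baseline = new_behavior_db(), None
    for run in range(runs):
        baseline = observe(behavior, baseline, snapshot(run))
    return make_conf([r"C:\WINNT", r"C:\pagefile.sys"], behavior, sensitivity)

if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The web root is observed but never emitted because it lies outside the supplied scope, the hive's hash is dropped because it was never readable, and only the "high" setting drops the hive's size, which changed in one run of two.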
Intact utilizes your operating system and standard protocols to report system changes to a centralized console. Intact supports syslog, the NT event log, files (including file systems accessible via NT networking), and SMTP e-mail. If you are using the Enterprise version, your output will also be sent to a central repository.
You may want to deploy more than one of these protocols in your environment. One typical combination is both e-mail and NT Event Log notification. If you are not using the Enterprise version, another possibility is saving all output to a “write-only” centralized share. You could also save the output file locally within a protected area of a running web server and retrieve the output via HTTP or HTTPS and receive notifications via syslog and/or NT Event Log.
Using standard file extensions will also help to manage your system. The table below outlines the recommended file extensions for each type of file.
File | Extension
Detection database | .idb
Behavior database | .bhv
Configuration file | .icf
Output file | .iof
· Table 6: Recommended file extensions
The configuration file describes which objects and properties Intact should monitor. An easy-to-use GUI is provided with the software; information about it can be found in the section below titled "Configuration Browser". The configuration file, however, is a language, and not all of the language's functionality is covered by the GUI. Understanding the language will also help you use the GUI.
Comments in the configuration file begin with the semi-colon character (“;”) and can occur anywhere in the line; all characters after the “;” character are ignored by Intact.
Commands begin with a "#" character. Readers familiar with C and C++ will recognize many of the commands as standard pre-processor commands. Note, however, that there are some differences in syntax when using variables. As in C, a command is followed by its parameters, separated by spaces, if any are required. The commands are shown in the table below; the column labeled Parameters gives the name of each parameter.
Command | Parameters | Meaning
#define | VAR TEXT | Define VAR so that wherever $(VAR) is found, TEXT is substituted in the file. VAR and TEXT should be replaced with a specific variable name and the text to define.
#undef | VAR | Removes VAR from the list of defined variables. You must issue this command before redefining a variable.
#ifdef | VAR | Process the following lines (until the matching "#else" or "#endif") if variable VAR is defined.
#ifndef | VAR | Process the following lines if VAR is not defined.
#if | EXPR | Evaluate the expression EXPR and process the following lines if it is true. Expressions are algebraic; the operators are described below.
#else | | Follows an "#if", "#ifdef" or "#ifndef"; the commands after the "#else" are executed if the commands above were not.
#endif | | Terminates an "#if", "#ifdef" or "#ifndef" command.
· Table 7: Configuration file commands
In expressions, several operators can be used. They are explained in the table below. The Syntax column uses upper case letters to represent variables or values.
Operator | Syntax | Meaning
== | A==B | True if A and B are equal
!= | A!=B | True if A and B are not equal
> | A>B | True if A is greater than B
>= | A>=B | True if A is greater than or equal to B
< | A<B | True if A is less than B
<= | A<=B | True if A is less than or equal to B
&& | A&&B | Logical and
|| | A||B | Logical or
+ | A+B | Add two integers
- | A-B | Subtract two integers
* | A*B | Multiply two integers
/ | A/B | Divide two integers
% | A%B | Modulus
int() | int(expr) | Force interpretation of expr as an integer
· Table 8: Configuration file expression operators
Associativity is left to right with standard precedences.
There are several predefined variables which can be used throughout the configuration file. In addition, all environment variables are available. The internal values are shown in the table below. Variable names are not case sensitive.
Variable | Meaning | Default value
SystemRoot | Root of the Windows system directory | C:\WINNT
TEMP | Windows temporary directory |
FULLNAME | Domain-qualified name of the current user (for example "NT AUTHORITY\SYSTEM") |
COMPUTERNAME | The NetBIOS name of the computer |
MONTH | Current month number (1-12) |
DAY | Current day of the month (1-31) |
YEAR | Current year (including century) |
HOUR | Current hour (00-23) |
MINUTE | Current minute (00-59) |
SECOND | Current second (00-59) |
PRIORITY | Execution priority of the process (see below) | normal
CHECK | Set if Intact is running in check mode |
BUILD | Set if Intact is running in build mode |
AUTO | Set if Intact is running in auto mode |
MAKECONF | Set if Intact is running in makeconf mode |
CONFIG_FROM | Set to either 'FILE' or 'ODBC' depending on where the config file came from |
DETECTIONDB | Path of the detection database file |
BEHAVIORDB | Path of the behavior database |
BEHDBTYPE | Optimization of the behavior database: "mem" or "disk" | mem
OUTPUTFILE | Name of the file to receive messages |
EVENTLOG | Notify the Event Log (value is the server; blank is local) |
SYSLOG | Notify syslog (value is the server; blank is local) |
SYSLOGFACILITY | Facility for syslog messages | user
SYSLOGSEVERITY | Severity for syslog messages | info
AUTO_COUNTDOWN_TIMER | Number of times to execute in self-identification mode before auto mode generates the configuration file | 6
MAKECONF_SENSITIVITY | Sensitivity to changes during self-identification mode (high, normal, low) | normal
MAILSERVER | SMTP mail server to use |
MAILTO | Address to send mail to |
MAILFROM | Return address | Intact@[host]
MAILSUBJECT | Subject of the mail message | date and time
MAILTEMPFILE | Temporary file for mail | $(TEMP)\intact_tmp.txt
RA | Registry: all parameters | ckmogpz2
A | File: all parameters | tcmvsniogpz2
LOG | Log file changes (attributes, creation time, links, owner and ACLs, but not size, modification time or content) | tcnogpz
UA | Ntuser: all parameters | ncCdjhspwlSoebxmuMgRrfLO
GA | Ntgroup: all parameters | ncgm
· Table 9: Configuration file variables
When accessing these values, the variable name should be preceded by “$(” and terminated by “)”. For example, “$(FULLNAME)” would be substituted by the domain name of the current user. More examples will be given farther along in this section.
Several variables require special explanation. PRIORITY sets the execution priority of the process. It can be one of the following, in order of slowest to fastest:
- idle
- lowest
- low
- normal
- high
- highest
- critical
Keep in mind that other programs may be executing at the same time. If you set your configuration to run at idle, the program may never receive any execution time: screen savers, for example, often run at a priority of normal or above, and a program set to a lesser priority than the screen saver may be starved of CPU.
DETECTIONDB specifies the path of the database file. You must specify a database file either on the command line or by using this variable. OUTPUTFILE specifies the path of the text log file for errors, flags and warnings.
In addition to these commands, a line can also contain an object description. This description tells the processor to store the information of an object, sub-objects, permissions, time-stamps, etc. It consists of three parts:
1) Prefix
2) Object: a file, directory, user, group or registry to check
3) Flags
Each prefix is only one or two characters. It precedes the object name and is not separated from it by spaces. There are four prefixes; not all prefixes apply to all types of objects.
Prefix | Meaning
= | Directory: do not store the files within the given directory, but do store the directories within it; files in subdirectories are stored. Registry: store the given key only.
== | Directory: do not store the files within the given directory, nor any files within subdirectories at any level below it. Registry: store the given key but not its subkeys.
! | All objects: do not store the item.
!! | Directory and Registry: do not store the item or its children.
· Table 10: Object prefixes
Objects specified can be a file, directory, registry key, or user or group name.
Files and directories are entered as a complete path, such as "C:\WEB\DATA". Wild cards may be used to match specific file and directory names. Wild cards may only be used within the file portion of a path, such as c:\winnt\system32\*.dll; placing a wildcard within the directory portion, for example c:\winnt\*\data, reports an error. Both the "*" and "?" shell expression characters may be used.
Registry keys begin with a hive identifier. The valid identifiers are in the table below. For example, “hklm\Software.”
ID | Registry Hive
hkcu | HKEY_CURRENT_USER
hkcr | HKEY_CLASSES_ROOT
hku | HKEY_USERS
hklm | HKEY_LOCAL_MACHINE
hkcc | HKEY_CURRENT_CONFIG
· Table 11: Registry prefixes
Users and groups begin with an identifier of “ntuser:” or “ntgroup:” followed by a name which may contain wildcards. For example, “ntuser:s*” will check all users whose user id begins with “s”. The wildcard “?” is also supported. If a user or group matches a wildcarded entry and you also specify that user or group without wildcards, the non-wildcarded entry will take precedence. For example:
NTUSER:*admin* amrf
NTUSER:administrators $(UA)
Even though “administrators” matches both lines, the flags $(UA) will be used.
ID | Meaning
ntuser | Local or global user
ntgroup | Local or global domain group
· Figure 8: Users and groups
The object “client:” has special meaning. Currently there is only one client type supported, “drives”:
ID | Meaning
client:drives | Intact will add the root directory of all fixed-type drives to the configuration file with the $(A) flags.
· Figure 9: Special Client object
For example, specifying “client:drives” in the configuration file will be expanded to the root directory of all fixed drives on the system and have flags equivalent to $(A).
Each flag is a single character with special meaning. Flags determine what information to store about each object and sub-object in the line in which they are specified. Flags are listed in sequence without any spaces between flag characters. Valid flags for each object type are given in the tables below.
Flags are case sensitive, for example, the NTUSER flag “r” is not the same as “R”.
Applies to FILES, REGISTRY
Flag | Meaning
1 | Store MD5[5] signature of file or value
2 | Store SHA signature of file or value
· Table 12: Generic configuration file flags
Applies to REGISTRY
Flag | Meaning
c | Classname
k | Key info (number of subkeys, values, lengths, etc.)
m | Last write time
o | Owner SID
g | Group SID
p | Standard ACL (DACL)
z | Auditing ACL (SACL)
G[n] | Number of values to group together when computing the hash (see below)
· Table 13: Registry flags
Applies to FILES
Flag | Meaning
t | Attributes (read-only, system, hidden, etc.)
c | Creation time
a | Access time
A | Always reset the last-access time on files (useful when also using flags 1 and 2, since reading a file to hash it would otherwise update its access time)
m | Modification timestamp
v | Volume serial number
s | Size of file
n | Number of links
i | File index number
o | Owner SID
g | Group SID
p | Standard ACL (DACL)
z | Auditing ACL (SACL)
· Table 14: File and directory flags
Applies to NTUSERS
Flag | Meaning
n | Name
c | Comment (description)
C | User comment
d | Country code/code page
j | Logon hours
h | Home directory
s | Script path
p | Profile
w | Workstations the user may log on to
l | Number of logons
S | Server
o | Password
a | Password age
e | Password expired
b | Bad password count
x | Account expires
m | Max storage
u | Uid
g | Primary gid
M | Group membership
r | RAS flags
R | RAS callback phone number
f | User flags
L | Last logon
O | Last logoff
· Table 15: NTUSER flags
Applies to NTGROUPS
Flag | Meaning
n | Name
c | Comment
g | Group id
m | Group membership
· Table 16: NTGROUP flags
Two special flags “+” (plus) and “-“ (minus) allow you to add and subtract flags from existing groups of flags. For example, file flags “tcmpgz-zg” is equivalent to “tcmp”, likewise, ntuser flags “Mfa+r-a” would be equivalent to “Mfr”. To switch from the default SHA1 digest algorithm to MD5 in the set of flags defined in $(RA), specify “$(RA)-2+1” in the flags argument.
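As an added illustration (example code written for this edit, not Intact's own parser), the following Python resolves an object line the way the preceding sections describe: the Table 10 prefix, the quoted or bare object name, the object kind, the check that wildcards stay within the file portion of a path, the $(VAR)-expanded flag string with the "+"/"-" arithmetic and the G[n] group size, and the rule that an exact ntuser/ntgroup entry takes precedence over a wildcard match. Only the flag-set variables of Table 9 are expanded here; other $(VAR) references in object names are left as written for the configuration preprocessor.

```python
import re
from fnmatch import fnmatchcase

# Flag-set variables from Table 9 of the manual.
FLAG_VARS = {"RA": "ckmogpz2", "A": "tcmvsniogpz2", "LOG": "tcnogpz",
             "UA": "ncCdjhspwlSoebxmuMgRrfLO", "GA": "ncgm"}
PREFIXES = ("==", "!!", "=", "!")          # two-character prefixes must be tried first
HIVES = {"hkcu", "hkcr", "hku", "hklm", "hkcc"}

def resolve_flags(spec, variables=FLAG_VARS):
    """Apply the '+'/'-' flag arithmetic after expanding $(VAR) references.
    Returns (flags, group): group is the G[n] value for registry keys, None if absent."""
    spec = re.sub(r"\$\(([^)]+)\)", lambda m: variables.get(m.group(1).upper(), ""), spec)
    flags, group, adding, i = [], None, True, 0
    while i < len(spec):
        ch = spec[i]
        if ch in "+-":
            adding = ch == "+"
        elif ch == "G":                                   # G[n]: values per hash group
            digits = re.match(r"\d*", spec[i + 1:]).group()
            group = int(digits or 5) if adding else None  # 5 is the manual's default
            i += len(digits)
        elif adding:
            if ch not in flags:
                flags.append(ch)
        else:
            flags = [f for f in flags if f != ch]
        i += 1
    return "".join(flags), group

def classify(obj):
    """Object kind per the manual: ntuser:, ntgroup:, client:, a registry hive, or a path."""
    low = obj.lower()
    for kind in ("ntuser", "ntgroup", "client"):
        if low.startswith(kind + ":"):
            return kind, obj[len(kind) + 1:].strip('"')
    return ("registry" if low.split("\\", 1)[0] in HIVES else "file"), obj.strip('"')

def parse_object_line(line):
    """Split an object line into prefix, kind, name and resolved flags (None for a blank line)."""
    line = line.split(";", 1)[0].strip()                  # drop the trailing comment
    if not line:
        return None
    prefix = next((p for p in PREFIXES if line.startswith(p)), "")
    # the name is either quoted (possibly after ntuser:/ntgroup:) or a run of non-blanks
    m = re.match(r'((?:\w+:)?"[^"]*"|\S+)\s*(.*)', line[len(prefix):])
    kind, name = classify(m.group(1))
    if kind == "file":
        head = name.rpartition("\\")[0]
        if "*" in head or "?" in head:                    # wildcards only in the file portion
            raise ValueError(f"wildcard not allowed in the directory part: {name}")
    flags, group = resolve_flags(m.group(2).strip())
    return {"prefix": prefix, "kind": kind, "name": name, "flags": flags, "group": group}

def effective_flags(entries, kind, name):
    """Flags that govern `name`: an entry without wildcards beats a wildcard match."""
    matches = [e for e in entries if e["kind"] == kind
               and fnmatchcase(name.lower(), e["name"].lower())]
    exact = [e for e in matches if e["name"].lower() == name.lower()]
    chosen = (exact or matches or [None])[0]
    return chosen["flags"] if chosen else None

if __name__ == "__main__":
    for text in ('"C:\\Program Files" $(A)', "hklm\\Software $(RA)-2+1G1",
                 'NTGROUP:"domain guests" $(GA)', "!!$(SystemRoot)\\system32\\os2 ; skip it"):
        print(parse_object_line(text))
```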
The G[n] flag for registry keys specifies how many registry key values to group together when computing hashes for a registry key. The default is 5 values per group. Set n to 0 to group all values under one hash computation; this gives the least change detection granularity, since any one changed value alters the single hash and the report cannot say which value changed. The finest granularity is "G1", which produces a separate hash for every value, at the cost of one stored hash per value.
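The granularity trade-off of G[n] can be seen by hashing a constructed set of registry values at the three settings discussed above. This is an added example, not Intact code: the byte layout fed to SHA-1 is an assumption (Intact's actual value encoding is not documented), but the effect of the group size on what a report can pinpoint does not depend on it.

```python
import hashlib

def group_hashes(values, n):
    """Hash the values of one registry key in groups of n, as the G[n] flag directs.
    n == 0 puts every value under one hash; n == 1 hashes each value on its own.
    `values` is the ordered list of (name, data) pairs as enumerated from the key.
    The byte layout fed to SHA-1 is an assumption of this example."""
    if n == 0:
        n = max(len(values), 1)
    hashes = []
    for start in range(0, len(values), n):
        h = hashlib.sha1()
        for name, data in values[start:start + n]:
            h.update(name.encode("utf-16-le") + b"\0\0" + data + b"\0")
        hashes.append(h.hexdigest())
    return hashes

def changed_groups(before, after, n):
    """Indices of the hash groups that differ between two snapshots of the same key."""
    old, new = group_hashes(before, n), group_hashes(after, n)
    return [i for i in range(max(len(old), len(new)))
            if i >= len(old) or i >= len(new) or old[i] != new[i]]

# Constructed snapshot of a Run key with twelve values; the second snapshot alters value 7.
BEFORE = [(f"Entry{i}", f"C:\\Program Files\\App{i}\\app{i}.exe".encode("utf-16-le"))
          for i in range(12)]
AFTER = [(name, "C:\\Temp\\unexpected.exe".encode("utf-16-le") if name == "Entry7" else data)
         for name, data in BEFORE]

if __name__ == "__main__":
    for n in (0, 5, 1):
        print(f"G{n}: {len(group_hashes(BEFORE, n))} hashes stored, "
              f"changed groups {changed_groups(BEFORE, AFTER, n)}")
```

With G0 the report can only say that the key changed; with the default G5 it narrows the change to the second group of five values; with G1 it names value 7 directly, at the price of twelve stored hashes instead of one.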
Below is a sample configuration file. It will store information about the system directories, the application directory and selected registry keys depending on who executes the program. It is not intended as a production sample. The distribution contains several sample files which are very useful.
"C:\Program Files" $(A)
$(SystemRoot)\system32 $(A)
#if $(FULLNAME) == "NT AUTHORITY\SYSTEM"
hklm\sam $(RA)
#else
hklm\hardware $(RA)-m12
#endif
· Figure 10: Sample configuration file
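The preprocessor half of the configuration language (";" comments, #define/#undef, #ifdef/#ifndef/#if/#else/#endif, $(VAR) substitution and the Table 8 expression operators) is small enough to implement directly. The Python below is an added example written for this manual, not Intact's own implementation, and it uses the Figure 10 sample as its input. Two behaviours are assumptions where the text is silent: an undefined variable expands to the empty string, and a substituted $(VAR) outside quotes is treated as a single string or integer token in a #if expression, which is what makes the unquoted $(FULLNAME) comparison in the sample work. The "+"/"-" flag arithmetic is left to a later step; the output keeps "ckmogpz2-m12" as written.

```python
import ast
import os
import re

# Built-in variables from Table 9 with their documented defaults; FULLNAME,
# COMPUTERNAME and the mode flag are per-run values constructed for this example.
def builtin_variables(fullname, mode="check", systemroot="C:\\WINNT"):
    v = {"SYSTEMROOT": systemroot, "TEMP": systemroot + "\\Temp", "FULLNAME": fullname,
         "COMPUTERNAME": "WEB1", "PRIORITY": "normal", "BEHDBTYPE": "mem",
         "RA": "ckmogpz2", "A": "tcmvsniogpz2", "LOG": "tcnogpz",
         "UA": "ncCdjhspwlSoebxmuMgRrfLO", "GA": "ncgm"}
    v[mode.upper()] = "1"   # assumption: CHECK/BUILD/AUTO/MAKECONF is "set" by being defined
    return v

VAR_REF = re.compile(r"\$\(([^)]+)\)")

def lookup(name, variables):
    """Names are case-insensitive; environment variables are the fallback.
    Assumption: a variable that is defined nowhere expands to the empty string."""
    table = {k.upper(): v for k, v in os.environ.items()}
    table.update({k.upper(): v for k, v in variables.items()})
    return table.get(name.upper(), "")

def substitute(text, variables, depth=10):
    """Expand $(VAR) references; re-scan so that a #define may itself use $(VAR)."""
    while depth and VAR_REF.search(text):
        text, depth = VAR_REF.sub(lambda m: lookup(m.group(1), variables), text), depth - 1
    return text

ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.BinOp, ast.Add, ast.Sub, ast.Mult,
           ast.FloorDiv, ast.Mod, ast.UnaryOp, ast.USub, ast.Compare, ast.Eq, ast.NotEq,
           ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Constant, ast.Call, ast.Name, ast.Load)

def evaluate(expr, variables):
    """Evaluate a #if expression with the Table 8 operators (&&, ||, comparisons,
    integer arithmetic, int()). A $(VAR) outside quotes becomes one string/integer token."""
    as_token = lambda s: s if re.fullmatch(r"-?\d+", s) else repr(s)
    pieces = []
    for m in re.finditer(r'"([^"]*)"|[^"]+', expr):
        if m.group(1) is not None:                          # quoted string literal
            pieces.append(repr(substitute(m.group(1), variables)))
        else:                                               # operators, numbers, $(VAR)
            text = m.group(0).replace("&&", " and ").replace("||", " or ").replace("/", "//")
            pieces.append(VAR_REF.sub(lambda v: as_token(lookup(v.group(1), variables)), text))
    py = "".join(pieces).strip()
    if not py:
        return False
    tree = ast.parse(py, mode="eval")
    for node in ast.walk(tree):                             # whitelist before eval()
        if not isinstance(node, ALLOWED) or (isinstance(node, ast.Name) and node.id != "int"):
            raise ValueError(f"unsupported construct in #if expression: {expr}")
    return bool(eval(compile(tree, "<icf>", "eval"), {"__builtins__": {}, "int": int}))

def preprocess(lines, variables):
    """Return the active object lines of a configuration file with $(VAR) expanded,
    honouring ';' comments and #define/#undef/#ifdef/#ifndef/#if/#else/#endif."""
    variables = {k.upper(): v for k, v in variables.items()}
    stack, out = [], []        # stack: (enclosing_active, branch_active) per open #if
    for raw in lines:
        line = raw.split(";", 1)[0].strip()                 # text after ';' is a comment
        if not line:
            continue
        active = all(branch for _, branch in stack)
        if not line.startswith("#"):
            if active:
                out.append(substitute(line, variables))
            continue
        cmd, _, arg = line[1:].partition(" ")
        cmd, arg = cmd.lower(), arg.strip()
        if cmd == "define":
            if active:
                name, _, text = arg.partition(" ")
                variables[name.upper()] = text.strip()
        elif cmd == "undef":
            if active:
                variables.pop(arg.upper(), None)
        elif cmd == "ifdef":
            stack.append((active, active and arg.upper() in variables))
        elif cmd == "ifndef":
            stack.append((active, active and arg.upper() not in variables))
        elif cmd == "if":
            stack.append((active, active and evaluate(arg, variables)))
        elif cmd == "else":
            enclosing, branch = stack.pop()
            stack.append((enclosing, enclosing and not branch))
        elif cmd == "endif":
            stack.pop()
        else:
            raise ValueError(f"unknown command: {line}")
    if stack:
        raise ValueError("missing #endif")
    return out

# The Figure 10 sample configuration, transcribed from the manual, as input.
SAMPLE = ['"C:\\Program Files" $(A)',
          '$(SystemRoot)\\system32 $(A)',
          '#if $(FULLNAME) == "NT AUTHORITY\\SYSTEM"',
          'hklm\\sam $(RA)',
          '#else',
          'hklm\\hardware $(RA)-m12   ; no last-write time, no hashes',
          '#endif']

def expand_sample(fullname):
    return preprocess(SAMPLE, builtin_variables(fullname))

if __name__ == "__main__":
    for who in ("NT AUTHORITY\\SYSTEM", "WEB1\\Administrator"):
        print(who, expand_sample(who))
```

Running the sample as SYSTEM selects the hklm\sam line; running it as any other account selects the hklm\hardware line instead, exactly as the #if/#else in Figure 10 intends.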
Below is another, more comprehensive and fully commented sample configuration file.
NTUSER:*admin* $(UA)
NTUSER:guest $(UA)
NTGROUP:*admin* $(GA)
NTGROUP:"domain guests" $(GA)
==$(TEMP) $(LOG) ; just temp alone
$(SystemRoot)\system32 $(A)
==$(SystemRoot)\system32\spool $(LOG) ; just directory
$(SystemRoot)\system32\config\AppEvent.Evt $(LOG)
$(SystemRoot)\system32\config\default $(LOG)
$(SystemRoot)\system32\config\default.LOG $(LOG)
$(SystemRoot)\system32\config\SAM $(LOG)
$(SystemRoot)\system32\config\SAM.LOG $(LOG)
$(SystemRoot)\system32\config\SecEvent.Evt $(LOG)
$(SystemRoot)\system32\config\SECURITY $(LOG)
$(SystemRoot)\system32\config\SECURITY.LOG $(LOG)
$(SystemRoot)\system32\config\software $(LOG)
$(SystemRoot)\system32\config\software.LOG $(LOG)
$(SystemRoot)\system32\config\SysEvent.Evt $(LOG)
$(SystemRoot)\system32\config\system $(LOG)
$(SystemRoot)\system32\config\SYSTEM.ALT $(LOG)
=$(SystemRoot)\system32\ras $(A) ; skip files in ras, not subdirs
!!$(SystemRoot)\system32\os2 ; skip os2 and everything under it
C:\DOCS $(A)
D:\WWWROOT $(A)
hklm\Software $(RA)
#if $(FULLNAME) == "NT AUTHORITY\SYSTEM"
hklm\sam $(RA)
hklm\security $(RA)
hklm\hardware $(RA)-m
#else
hklm\hardware $(RA)-m
#endif
· Figure 11: Sample configuration file
Intact installs a configuration browser which facilitates some of the tedious functions of creating and maintaining a configuration file. The editor can be invoked from the command line or through the Control Panel when pressing the “Edit Config” button. The Configuration Browser is only available in the Intelligence or Enterprise versions of Intact.
· Figure 12: Intact configuration browser
You may open files, save and drag configuration files into this window as you would any other standard Windows application.
The configuration file is explained in the section “Configuration File”. You may want to read that section to understand all the details.
To add a new item select an option from the “Add new object” box as shown in the following figure.
· Figure 13: Create new item
A dialog will come up which contains information relevant for the type of object you have selected. In this example, a registry dialog will come up.
· Figure 14: Registry edit dialog box
You may check off the attributes you want to monitor, or press the shortcut buttons “All” and “Log”. Click on browse to receive a tree of the registry keys so that you can choose the one which is of interest.
To edit an existing line, double-click on it. This will bring up either the specialized dialog box or a generic dialog box, depending on your Options settings (menu View/Options).
This feature is available in the Intelligence and Enterprise versions only. The Output Browser can be run as either a standalone program to view output files or integrated into the Enterprise Administrator if you have the Enterprise version.
· Table 17: Output browser
During installation, the extension ".iof" is registered with the Output Viewer. When Intact mails out an output log, it can send it as an attachment with the extension ".iof" so that your e-mail program will automatically launch the Output Viewer.
The entire file is displayed in a listbox with five columns:
1. Object: name of the object (file, directory, registry key, etc.) to which the row pertains. If this is a general message it may say “CONFIG”.
2. Type: type of object or message.
3. Event: event which triggered the message, such as “CHANGE”, “DELETE”, etc.
4. Message(s): any text explanation of the message.
5. Line: the sequential line number showing the order in which records were entered
The lower section of the window displays additional information about the selected item.
Clicking on the column headers will sort the output by the column.
Clicking on the object name displays the message in the lower portion of the window, or in the right-hand pane if the view is split vertically. The split is toggled from the menu View/Split.
If you right-click on an object, a menu pops up with these items:
1. Find: Locate entries based on a text search.
2. Set to update: mark (or unmark) record for updating the database to reflect the new record. Updating is covered in the next section.
3. Begin update: start the update process on marked records.
4. Go to: view the first record of a particular intact run.
5. Truncate: remove old records. This option will allow you to remove all records, records below the selection, above the selection or the selected records. This option is only available on the Enterprise Administrator.
Updating changes the detection database record to reflect the current state of the object. It does not change which properties are checked. If an object (such as a configuration file) is legitimately changed on your system after you build a database, you can use this feature to change the database so that the change is not flagged every time Intact runs.
Select the items you want to update by right-clicking on the object name and using the “Set to update”. After you have selected all items, Right-click on any object and click “Begin update”.
If you are using the stand-alone Output Viewer and reading from a file, you will be asked to enter the location of the configuration file. Intact will use this configuration file to determine where all the relevant files are located.
If you are running the Enterprise Administrator, the information will be sent to the database, and an “update” command will be sent to the client and will be executed at the next poll (see Polling, page 12).
When you update a file that has been deleted, it will be removed from the detection database. When you update a file which has been added, it will be added to the detection database.
If you want to stop checking for a particular item’s properties (such as access time on a file), you must change the configuration file. Update mode will not do this.
Furthermore, if you want to add whole new objects or containers (directories, hives, etc.) which were previously not being watched, you should add them to the configuration file, run a check and then update the items you wish to add.
The intact core has a command line user interface. Several interfaces such as the Control Panel or Configuration Builder help you work with Intact without understanding the command line usage which may appear cumbersome at first. However, there are several reasons why direct use of the command line executable may sometimes be useful.
- The smaller executable allows you to fit the entire integrity checker and database for small systems on one or two 3½-inch floppy disks.
- Fewer libraries to load means there is less chance that altered system library files will affect Intact. This is a very important consideration, because there is a very real threat that surreptitiously modified library files may be used to defeat an integrity checker.
- Command line interfaces are easier to script, schedule, and run remotely.
The intact.exe command has several options. Each option begins with a dash, “-”, not a slash, “/” as is sometimes used in MS-DOS. Some options are followed by one or more parameters. If the parameters contain spaces, they should be enclosed in quotes (“).
Option | Meaning
-S | Run as SYSTEM in a new window[6]
Odbc:[info] | Set ODBC connection parameters[7]
-build | Build a new database
-check | Compare the system against a database
-makeconf | Create a new configuration file from a behavior database
-auto | Run in autoconfigure mode
-digest | Calculate the MD5 and SHA1 digests of a given file
-Dname=val | Set variables (see Configuration File)
-std | Direct stderr to stdout
-verbose | Display many messages
-dN | Debug (N is from 1 to 3, where 1 is least verbose)
· Table 18: intact.exe command line options
Because the SYSTEM account has permissions to every aspect of the computer, it is often desirable to execute Intact as SYSTEM. SYSTEM is able to see things which not even administrator can. If you specify the “-S” option, Intact will execute in a separate window using the SYSTEM account.
The “-build” option is used to create a new database. The option is followed by the file name of the configuration file and the database file name you want to create or overwrite.
intact -build intact.icf intact.idb
The “-check” option compares an existing database against the files which it represents. You must follow it with the configuration file used to create the database and the database name.
intact -check intact.icf intact.idb
If BEHAVIORDB is defined in the configuration file, the check will run in self-identification mode. In this mode, any changes which are detected are stored in a behavior database. You may want to run in this mode during the normal operation of your system when Intact is initially installed. The database will keep track of all changes so that you can later create a configuration file which more accurately reflects the normal behavior of your system.
The option “-std” makes sure that errors and output are both sent to the standard output of the program so that you can redirect it easily. Normally, errors are send to standard error.
If you specify “-verbose” more messages will be generated during the build and check phases. These messages indicate all the files which are being added or checked. They are interspersed between the error and warning messages which may be generated.
intact -verbose -check intact.icf intact.idb
By using “-dN” options, where N is a number between 1 and 3, you will get even more information about the processing of intact.exe. These options are often used to isolate particular anomalies in your file system or registry which may be causing you problems. Technical support personnel may ask you to provide the output if you are having difficulties.
intact -d1 -verbose -check intact.icf intact.idb
If you just enter the command “intact” without any options or parameters, the program will display a summary of its usage.
Typically, the output is sent to a file, a mail recipient, or a central repository.
The variables listed in Table 9 on page 20 which begin with “MAIL” allow you to specify an email recipient which will receive the complete output of the run. You should specify at least “MAILSERVER” and “MAILTO” using the standard internet email format, such as “pedestal@pedestalsoftware.com”. You may send to multiple recipients by supplying a comma separated list as the argument.
The OUTPUTFILE variable will specify the filename to receive the output.
If you are using the Enterprise version, the output is automatically sent to your central repository.
The section “Using the ‘at’ command” on page 35 explains how to schedule the execution of Intact without using the Intact Service Scheduler available in the Intact Control Panel.
The first error of concern occurs when you execute the program without Administrator privileges. The program will be unable to detect auditing changes and display:
WARNING: could not assert SECURITY privilege. Access to auditing information will not be permitted.
Occasionally, different system errors will be displayed prefixed by “ERROR”. These errors are the standard Windows errors which should be familiar to trained systems administrators. Because there are so many, they will not be listed here. However, please keep in mind that all errors should be carefully reviewed because they could indicate a misconfiguration or an attempted hack on the system.
Other errors indicate changes in the object parameters and are clearly labeled. Below is a list of sample reports which should cover most situations.
Report output displays an explanation of what changed. Below is a directory which was modified:
CHANGED: FILE: d:\Apps:
Last write time changed
was: May 06, 1998 10:03:16
is: May 18, 1998 21:00:19
· Figure 15: File last-modified time changed
The format of the output might differ slightly if viewed via the Output Viewer, which allows you to search and sort the output.
Below is a file which has been modified. Note that the index is different, so the file has probably been deleted and rewritten, which is common practice with many applications when saving files. The signature is different because the contents of the file have changed.
CHANGED: FILE: c:\data files\letter.doc:
Last write time changed
was: January 26, 1998 14:17:56
is: May 12, 1998 01:22:21
File index different
was: 3490289711212146792
is: 2792794718923138748
DIGEST is different
was: (MD5: 9A 02 17 1E AF 61 52 94 36 66 C6 E5 E1 CD 97 3C)
is: (MD5: 07 B6 B1 44 FA D4 53 2C 8A 64 D7 76 81 C4 71 CD)
· Figure 16: File changes detected
The file below was radically altered. Its contents were changed. It was rewritten to disk rather than being modified in place. Furthermore, user joe took ownership of the file from Administrators.
CHANGED: FILE: c:\data files\info:
Creation time changed
was: September 16, 1997 08:40:13
is: May 12, 1998 01:11:31
Last write time changed
was: April 25, 1998 19:21:32
is: May 12, 1998 01:11:31
Size has changed
was: 631344
is: 624514
File index different
was: 2779565395017737866
is: 2824601391291442990
DIGEST is different
was: (MD5: E2 08 B0 DB 05 18 8A C4 D6 7E 89 1D DB 09 63 51)
is: (MD5: 3C F5 29 04 C4 9A 56 D1 61 43 27 F9 FD D3 E0 7E)
OWNER is different
was: BUILTIN\Administrators
is: USERPC\joe
· Figure 17: Many file changes detected
Here Intact detected changes to the Guest account and to the Administrators group: the Guest account was added to the Administrators group. Additionally, the “Account disabled” checkbox of the Guest account was unchecked:
CHANGED: NTUSER: Guest:
Flags changed:
Flag removed: UF_ACCOUNTDISABLE
Local Group membership changed:
Added: 'Administrators'
was: Guests
is: Administrators,Guests
CHANGED: NTGROUP: Administrators:
Group membership changed:
Added: 'PEDESTAL\Guest'
was: PEDESTAL\Administrator,PEDESTAL\Domain Admins
is: PEDESTAL\Administrator,PEDESTAL\Domain Admins,PEDESTAL\Guest
· Figure 18: NTUSER and NTGROUP changes detected
Chapter 3
Very often, Intact will be executed regularly as part of an ongoing backup, recovery and security monitoring system. This section will focus on the command line interface since the GUI interface use has already been covered.
The Control Panel and the Intact Service have their own scheduling mechanism. See the section “Control Panel” for information about scheduling. Using this interface is the preferred method for scheduling execution. However, because the core executable, intact.exe, has a command-line interface, you can schedule it using any of the OS or third-party schedulers.
The Windows NT “at” command can be used to schedule the execution of programs without user interaction. You may use this option if you have special requirements not covered by the Control Panel.
Programs scheduled with the “at” command will execute with SYSTEM privileges permitting Intact to have full system access.
To start up a command window as “SYSTEM,” specify the following command, substituting for 15:30 some time in the future when you want the window to come up:
at 15:30 /interactive cmd.exe /k
You may run intact.exe with any arguments instead of cmd.exe. To schedule the program to run every day at 4:30 a.m. you may use:
at 4:30 /every:m,t,w,th,f,s,su intact.exe -check intact.icf intact.idb
If a sophisticated hacker can change your system, then he can alter the database to match his changes. It is therefore important to secure the database. The first thing to consider is that the database should also include the configuration file (as an object) so that it can verify itself for possible misconfigurations.
If you are using the Enterprise version, the database and the configuration are stored securely on a remote database and some of this information may not apply. The remote database controls access.
Storing the Intact detection database on hardware devices having physical write-protection can always prevent a remote attacker from altering a database. For instance, most floppy disks have a tab which can be switched to prevent the hardware from writing to the media. Removable hard disks also have this feature.
If your disk does not have this feature, you may wish to remove the disk from the computer. Another alternative is to store the database on tape and copy it over to the hard drive every time you wish to check. If the hacker has hacked the intact.exe executable or the restore/backup program, then these options may not help you. Write-protected media is the only way to be sure that your database is clean.
Intact Enterprise utilizes the security features of its back-end RDBMS to keep the detection database and client configurations secure. Access control within the RDBMS will prevent an attacker from removing or tampering with detection database records and configuration parameters, and is maintained by the central management console. The exact permissions are handled automatically by the Enterprise Administrator and are dependent on your database vendor and on the execution mode scheduled to run.
Access rights enforced by the Enterprise Administrator for each of the Intact operating modes are listed below:
Mode | Access rights
Check-mode | Select access to the detection table; update on the statusid and status columns of the configuration table; select access to the configuration table; insert on the output/log table.
Build-mode | Select, insert, update and delete access to the detection table; update on the statusid and status columns of the configuration table; select access to the configuration table; insert on the output/log table.
Self-identification | Select, insert, update and delete access to the detection table; update on the statusid and status columns of the configuration table; select access to the configuration table; insert on the output/log table.
· Table 19: Database access rights.
Some of the operations an Intact Enterprise client will perform against the relational database:
· Reading detection database records.
· Inserting log entries in the output/log table.
· Inserting status id’s and messages for interaction with the central management console.
By using the “#if” command and built-in variables, you can maintain multiple configurations in a single configuration file. This vastly simplifies the distribution and maintenance of integrity checking on several computers. The system is flexible enough to allow for fine tuning of differences among systems. For example, your configuration file could contain lines for all standard directories and then some specifics for servers or other specialized machines.
c:\winnt $(A)
"c:\program files" $(A)
#if $(COMPUTERNAME)=="WWWSR1"
"c:\web data" $(A)
#endif
· Figure 19: Multiple configurations sample
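An added example (not Intact's own parser) of how the selection in Figure 19 can be evaluated: a small Python preprocessor that takes the built-in COMPUTERNAME and “-Dname=val” overrides and keeps only the object lines whose enclosing #if conditions hold. Only the == and != comparison forms, $(NAME) substitution and nested #if/#endif are assumed; the flag macro $(A) is left unexpanded.

```python
import os
import re

VAR = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")

# Figure 19 as constructed input (raw string: the backslashes are literal)
SAMPLE = r'''c:\winnt $(A)
"c:\program files" $(A)
#if $(COMPUTERNAME)=="WWWSR1"
"c:\web data" $(A)
#endif
'''

def parse_defines(args):
    """Turn intact-style -Dname=val arguments into a variable mapping."""
    variables = {}
    for arg in args:
        if arg.startswith("-D") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            variables[name] = value
    return variables

def variables_for_host(defines=()):
    """Built-in COMPUTERNAME from the environment, overridden by -D (precedence assumed)."""
    variables = {"COMPUTERNAME": os.environ.get("COMPUTERNAME", "")}
    variables.update(parse_defines(defines))
    return variables

def _expand(text, variables):
    """Replace $(NAME) with its value; an unknown name becomes empty (assumed)."""
    return VAR.sub(lambda m: variables.get(m.group(1), ""), text)

def _condition(expr, variables):
    """Evaluate the text after #if; only == and != on strings are assumed."""
    for op in ("==", "!="):
        if op in expr:
            left, right = (_expand(s, variables).strip().strip('"') for s in expr.split(op, 1))
            return left == right if op == "==" else left != right
    raise ValueError("unsupported #if condition: %s" % expr.strip())

def select_lines(config_text, variables):
    """Return the object lines active on this machine, honouring nested #if/#endif."""
    open_ifs = []   # one boolean per enclosing #if: True when that block is active
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#if"):
            open_ifs.append(all(open_ifs) and _condition(line[3:], variables))
        elif line.startswith("#endif"):
            if not open_ifs:
                raise ValueError("#endif without #if")
            open_ifs.pop()
        elif line and all(open_ifs):
            out.append(line)
    if open_ifs:
        raise ValueError("unterminated #if")
    return out
```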
The root directory of any drive such as “C:\” does not contain as much detectable information as other directories. For example, the last modified time is not accessible. Therefore, some checks will not be performed on root directories.
If a file is opened by an application while Intact is executing, it may be locked and Intact will not be able to retrieve the information for flags “1”, “2”, “i”, and “v”, which represent the signatures, the file index and the volume serial number.
There is no way around this except to manually terminate all running programs. By permanently locking a file, a hacker could prevent Intact from acknowledging that a file has been modified. However, Intact will notify whenever it encounters a locking or sharing violation. These warnings should be examined carefully.
It is important to run Intact often in order to quickly detect clandestine changes. However, running the program too often can hog precious resources. A good strategy would be to run the check program once a day during a quiet period. This will also help to avoid file locks.
You will have to balance the performance impact and risks according to your needs to keep your information secure. There is a linear relationship between performance and the number of objects you are checking or storing. More files and registries means longer running times and a larger database. On the other hand, the less frequently you run Intact the greater the time window will be for changes to go undetected.
The database should be rebuilt or updated whenever changes are performed on the system. It is also important to keep your list of directories to check up to date. Systems may add and remove directories which may not be checked by Intact because they are not included in your configuration file. Often, it is undesirable to check all of your system when the security requirements are limited. Therefore, the administrator should periodically verify that the list of objects included in the configuration file is comprehensive enough to meet the security requirements. This task may be simplified by periodically running Intact in self-identification mode.
The database can be rebuilt in the same way it was built. You may not want to overwrite your original file until you have verified the new database, for example by running a check against the system to see whether any changes are reported.
ren a:\web1.idb a:\web1.old.idb
intact -build web1.icf a:\web1.idb
intact -check web1.icf a:\web1.idb
The database may be updated with the “-update” command or through the GUI.
Chapter 4
The database is a sequence of items representing individual system objects. The contents of the database are compressed, but not encrypted. You may choose to encrypt the database using your own encryption application, but it is not clear that such encryption makes the database or system any more secure.
The contents of files are not stored in the database. A file signature is stored (See Data signatures below). This means that you cannot directly know what part of a file may have changed by examining the database. It is therefore very important to create regular backups of the data in all files.
· Creation date and time
· Last modification date and time
· List of users and groups in ACL (Access Control List)
· Each user’s or group’s permissions
· Each user’s or group’s auditing parameters
The values of keys are not stored. One data signature is stored for every 5 registry values. This greatly reduces disk space requirements and run-time. However, because of this, the administrator can only know that one of a number of values may have changed. It is therefore important to create regular backups of the registry, either utilizing the standard backup procedure which backs up your files, or any third-party registry dumping utility, so that a careful comparison can be made.
· Creation date and time
· Last modification date and time
· List of users and groups in ACL (Access Control List)
· Each user’s or group’s permissions
· Each user’s or group’s auditing parameters
All user settings will be stored with the exception of the password which is not available. Intact cannot detect changes in the password.
Group memberships can be detected at the group level by detecting changes in the membership list or at the user level by detecting changes in group memberships.
All device information is stored in the registry, including hardware addresses, port numbers, interrupt information, etc. NT automatically generates the hardware configuration profile upon startup as it detects installed hardware, so Intact should be able to detect any changes, even the move of a board from one slot to another on some motherboards.
Intact does not store the contents of files and registry values in the database. Instead, it stores a set of data signatures. These signatures are a very good representation of the data being considered. Intact supports two algorithms to generate a unique signature for each file or set of registry values: SHA1[8] and MD5[9]. Any change in the data would result in a change in either signature.
SHA is the Secure Hash Algorithm published by the US Government’s National Institute of Standards and Technology (NIST) as Federal Information Processing Standards Publications (FIPS PUBS) 180 Secure Hash Standard (SHS). This is the preferred hashing algorithm. Intact will use this algorithm when specifying the $(A) or $(RA) flags (to switch to a different algorithm such as MD5, specify “$(A)-2+1”).
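As an added example (not Pedestal Software's code), the “-build” and “-check” commands described earlier and the signature scheme described here, reduced to their essence in Python: a baseline that stores size, write time, file index and MD5/SHA1 digests but never contents, with the configuration file itself recorded as an object so that a check verifies it too. It assumes a one-directory-per-line configuration format, a JSON database file and a constructed temporary directory standing in for the system; the “DELETED” wording is also an assumption.

```python
import hashlib
import json
import os
import tempfile

def file_record(path):
    """What the database keeps per file: metadata and signatures, never the contents."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "index": st.st_ino,
            "md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def build(conf_path, db_path):
    """Like 'intact -build'. Assumed config format: one directory per line.
    The config file is itself recorded as an object so that a check verifies it."""
    with open(conf_path) as fh:
        roots = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    db = {os.path.abspath(conf_path): file_record(conf_path)}
    for root in roots:
        for d, _, files in os.walk(root):
            for name in files:
                p = os.path.join(d, name)
                db[os.path.abspath(p)] = file_record(p)
    with open(db_path, "w") as fh:
        json.dump(db, fh)

def check(db_path):
    """Like 'intact -check': compare the system against the baseline."""
    with open(db_path) as fh:
        db = json.load(fh)
    tests = (("mtime", "Last write time changed"), ("size", "Size has changed"),
             ("index", "File index different"), ("sha1", "DIGEST is different"))
    report = []
    for path, was in db.items():
        if not os.path.exists(path):
            report.append("DELETED: FILE: %s" % path)   # wording assumed
            continue
        now = file_record(path)
        diffs = [label for key, label in tests if now[key] != was[key]]
        if diffs:   # report lines worded as in Figures 15-17
            report.append("CHANGED: FILE: %s:" % path)
            report.extend("    " + d for d in diffs)
    return report

def demo():
    """Constructed scenario: baseline two files, rewrite one, check again."""
    data = os.path.join(tempfile.mkdtemp(), "data files")
    os.makedirs(data)
    for name, text in (("letter.doc", "draft one"), ("info", "unchanged")):
        with open(os.path.join(data, name), "w") as fh:
            fh.write(text)
    conf, db = (os.path.join(os.path.dirname(data), n) for n in ("intact.icf", "intact.idb"))
    with open(conf, "w") as fh:
        fh.write(data + "\n")
    build(conf, db)
    clean = check(db)                      # nothing changed yet -> []
    with open(os.path.join(data, "letter.doc"), "w") as fh:
        fh.write("draft two, which is longer")
    return clean, check(db)
```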
“at” command, 35
access control list, 39
Auto mode, 19
centralized management, 19
command line, 30
Commands, 7, 13
Configuration
  File and directory flags, 25
  general flags, 25
  group flags, 26
  registry flags, 25
  user flags, 26
Configuration Browser, 27
configuration file, 20
Configuration File, 7
configuration file,
  commands, 20
  comments, 20
  environment variables, 21
  flags, 24
  object description, 23
  operators, 20
  prefix, 23
  sample configuration, 26
  specifying registries, 23
  variables, 21, 22
Control Panel, 6
data signatures, 40
Execution mode, 17
file extensions, 20
file information, 39
file locks, 38
file permissions and auditing, 39
hardware configuration, 40
Hosts List, 9
Installation, 4
  Enterprise, 4
  Intelligence, 4
integrity checking, 1
MD5, 40
new database, 17
Notes, 13
Notification, 19
ODBC
  Availability, 6
  Logging in, 9
  Setup, 14
operating modes, 16
Output Viewer, 28
Polling, 7, 12
Properties, 10
registry information, 39
Registry Keys
  Control Panel, 8
registry permissions and auditing, 40
removable media, 17
root drives, 37
scanning, 2
Schedule, 11
Scheduling, 7
security privilege, 33
security tasks, 35
Self-identification, 18
Service, 6
SHA1, 40
SQL, 5
  IBM DB2, 16
  Microsoft SQL Server, 16
  Oracle, 16
  Other database vendors, 16
  User space, 15
SQL Permissions, 15
SQL Table Structures, 14
SQL Tables
  _cinfo, 15
  _conf, 15
  _det, 15
  _output, 15
system errors, 33
system privileges, 36
Update mode, 30
verify a database, 18
write-protected media, 36
year 2000, 2
Copyright © 1998, 1999 by Pedestal Software. Windows NT is a registered trademark of Microsoft Corp. Intact is a trademark of Pedestal Software. All other trademarks are trademarks of their respective companies.
[1] By file signatures we mean only a unique large number which represents the contents of the file.
[2] The scheduling mechanism is similar to “cron” which is widely used in Unix systems.
[3] This format is used on all Unix computers as well as many other systems.
[4] The word “objects” from this point forward will refer to files, directories and registry keys.
[5] MD5 is the RSA Data Security Inc. MD5 Message Digest Algorithm.
[6] Must be the first parameter if specified.
[7] Option available only in Enterprise version.
[8] Intact uses SHI’s implementation of SHA1 which is available for public use.
[9] MD5 is the RSA Data Security Inc. MD5 Message Digest Algorithm. The code is available for public use.