Pedestal Software, LLC
Intact™
System Integrity Checker and Intrusion Detector for Windows NT®
VERSION 2.0
Chapter 1
Intrusion detection and integrity checking
Welcome to Pedestal Software’s Intact intrusion detection system for Windows NT. We start this guide with a chapter outlining some basic concepts in computer security which you may want to skip if you’re already an experienced professional and are familiar with the concepts of Integrity Checking, Intrusion Detection and Corruption Detection.
Intrusion Detection Systems (IDS) help administrators locate compromises or attempts to gain access to a system without proper authorization. Intact helps security administrators monitor systems for security breaches by detecting changes to a computer system and reporting on them.
Intrusion detection has three aspects:
1) Detecting a break-in
2) Assessing damage
3) Repairing the damage and closing security holes
Intact helps you manage this by providing administrators with a comprehensive integrity check of the system.
Integrity checking considers a system as a whole unit independent of its external interfaces and tracks any changes to the system. An integrity checker will store all relevant information about a system, its hardware, software, operating system and files in a database. This database can be systematically compared with the active system to detect any changes. This database may contain all the data stored in the system. More commonly, only the configuration files, significant parameters and file signatures[1] are stored.
This approach has the advantage of detecting changes to the system. It does not detect unauthorized access, per se. It does, however, detect if an insider changes any security parameters which allow intruders (or other insiders) to gain access to important and sensitive information. Intact will also help to locate Trojan horse programs which may have surreptitiously been copied onto your computer (for example, Back Orifice or Netbus).
Proper planning and policy design is crucial. Nothing can take the place of professional systems design which very carefully considers security issues.
If implemented correctly, an integrity checker will detect any change to your system even if the attacker is sophisticated enough to cover his tracks in the log files.
Integrity checking is also important in tracking the activities of software. As software becomes more sophisticated it is important to keep track of changes they perform to the system. Many installation programs require to be run as “Administrator” which allows them to easily undo your carefully implemented security setup, either maliciously, or through the careless programming of the program designer.
There are several file integrity checkers for Unix and a few for NT. No other integrity checker, however, verifies information about the sophisticated levels of security which NT provides. Intact uses a sophisticated security engine which extracts and synthesizes every aspect of a file’s or registry key’s content, security and auditing.
• Comprehensive system auditing
• Intrusion detection
• Data integrity and data corruption detection
• Track changes made by installation programs or other applications
• Monitor daily system activity
• Hardware change detection
• Year 2000 compliance
Network intrusion detection systems actively scan the network and some intrusion detection systems simply scan system logs and report unusual activity. This approach, often called scanning, is pro-active and may potentially catch an intruder before he causes damage or steals sensitive information. However, the tools only look for approaches which are well known. A hacker who discovers a new strategy may be able to slip through the limited set of tests which scanning software performs. By the time the alarm is sounded the intruder may already have gained access to the system. Furthermore, scanning software normally does not report what, if anything, an intruder has changed.
Scanning software also tends to give many false positives and warnings. Many scanners closely examine system and file audit logs. However, if the system has been compromised, then system and file logs can also be changed. Furthermore, the hacker may only be interested in weakening the security of your system in order to be able to extract sensitive information in the future. Lastly, the culprit may not be an intruder at all, but a malicious insider.
Although scanning is a valuable resource for preventing and detecting unauthorized access to your system, it is often of little value when managing a break-in’s impact or for gathering evidence after a break-in has occurred.
This manual will assume that the reader is familiar with the configuration and maintenance of a Windows NT system. It will not delve into the system layout, directory structure, or registry structure of the Windows NT operating system. There are many books available which discuss this at length. Chapter 3 will outline some considerations which are important when integrating Intact into your security processes.
Chapter 2
Intact is distributed on write-protected diskettes or a CD. It includes a “SETUP.EXE” application which will create a simple configuration for you and optionally schedule execution. Make sure you start with a completely secure, clean and virus-free system.
The default installation will copy over all the files and create a configuration set which uses auto mode; auto mode observes your system for 6 days to identify its important components and then begins checking. By selecting different options, you will be able to modify this default behavior.
1) Execute “SETUP.EXE” in the installation directory.
2) Click “NEXT” to continue with the installation. If at any time, you wish to stop the installation, click “CANCEL”. If you make a mistake and want to return to an earlier box, press “BACK”.
3) Enter the information required keeping in mind the following points.
4) The installation directory is where all the files are stored by default.
5) Some of the following points may not apply if you did not select to create a configuration file.
6) When Intact asks you whether you want to create a log file locally or email it, you can choose one or the other. If you decide to mail the log output, you will need to know the email address you wish to send to as well as the name of the computer which can accept and forward email for your network. Intact uses its own email delivery system rather than the Windows NT messaging system because of security considerations.
7) If you choose syslog or Event Log notifications, you can optionally select a server to receive them. If you want the notifications sent to the local machine, leave the Server field blank. If you do select a remote server, make sure you change the permissions on the remote system so that it accepts remote notifications.
8) Intact will make a best attempt at determining which drives are local to your system (that is, physically connected). For security reasons and for network efficiency, a computer should check only its local drives. If you want to check additional drives or remove some from consideration, change the items listed in the box, but make sure you put a “\” after the “:” of the drive designation and separate entries with spaces.
9) At the end of the installation, you will be given the opportunity to create an initial database. Otherwise, this initial database will be created when Intact is first executed.
Intact creates a Control Panel which will handle most of the functionality of the Intact programs. When you start up the control panel, you should get the command screen. The numbers below indicate regions which will be explained in detail.
· Figure 1: Control panel
Region 1 contains a button which starts or stops the Intact service. Intact runs as a service in order to schedule itself and have access to all system objects. The current status of the service is displayed on the left. Press the button to start if Intact is not running, or to stop if Intact is running.
To enable or disable the Intact service, you can also use the “Services” control panel.
The Enterprise version of the software contains parameters for connecting to a centralized secure repository of configuration information. This feature is disabled in the Open Use version and the Intelligence version of the software.
For the Open Use and Intelligence versions, you must use a configuration file. For the Enterprise version, you may use a configuration file or an ODBC database, but not both. Choose one or the other by selecting the appropriate radio button.
The configuration file can be located anywhere in the file system, including on remote read-only directories or diskettes. It is highly recommended that the configuration file be secured against unauthorized tampering and review. The best way to do this is to place it on read-only media or on a share where only Administrator has read/write access and everyone else has no rights. Regular users should not be able to look at this file.
The contents of this file will be described below in the “Configuration file” section.
The Intact service can be activated in one of three ways:
1) Control panel
2) Execution: By executing the Intact executable you can perform all functions
3) Polling: The creation of a file, or a table in ODBC, “wakes up” Intact so that it can execute any pending commands.
Polling is the process of looking to see if a file exists or a table in ODBC has pending commands. Intact will look for the existence of the file indicated in the “Forcepoll file” entry box. Polling is only available in the Enterprise version. The polling interval is the number of minutes between checks for the file or ODBC table.
Intact can be scheduled to run unattended at various times[2]. You schedule Intact by selecting the minutes, hours, etc. for which you want to execute. When you select multiple items in one list, Intact will run at each one. For example, if you select “Any” for hour and “00” and “30” for minutes, Intact will run twice every hour, once on the hour and once on the half hour.
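The schedule described above is stored by the Control Panel as a cron-formatted string (the ServiceExecutionSchedule registry value documented later in this chapter). The following Python is an added example, not part of the manual or of Pedestal Software’s code; it builds such a string from list selections and evaluates when it fires, so an administrator can confirm that a stored schedule means what was intended. The names panel_to_cron, fires_at and next_runs are this example’s own, and the mapping from list selections to cron fields is an assumption; the manual shows only the stored form, e.g. “0 1 * * *”.

```python
from datetime import datetime, timedelta

def panel_to_cron(minutes, hours, days=("Any",), months=("Any",), weekdays=("Any",)):
    """Turn Control Panel selections (lists of strings such as "00", "30" or "Any")
    into the cron string the ServiceExecutionSchedule key stores.  The manual shows
    only the stored form, e.g. "0 1 * * *"; the list-to-field mapping is assumed."""
    def field(selection):
        if "Any" in selection:
            return "*"
        return ",".join(str(int(v)) for v in selection)     # "00" -> "0"
    return " ".join(field(s) for s in (minutes, hours, days, months, weekdays))

def parse_field(field, lo, hi):
    """Expand one cron field ('*', '5', '0,30', '1-5', '*/15') into the set of
    values it matches, rejecting anything outside lo..hi."""
    values = set()
    for part in field.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not lo <= start <= end <= hi:
            raise ValueError(f"cron field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def fires_at(schedule, when):
    """True when the five-field schedule 'minute hour day month weekday' starts
    Intact at `when` (a datetime or ISO 8601 string; weekday 0 = Sunday)."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    fields = schedule.split()
    if len(fields) != 5:
        raise ValueError("expected five cron fields")
    minute, hour, day, month, weekday = fields
    return (when.minute in parse_field(minute, 0, 59)
            and when.hour in parse_field(hour, 0, 23)
            and when.day in parse_field(day, 1, 31)
            and when.month in parse_field(month, 1, 12)
            and when.isoweekday() % 7 in parse_field(weekday, 0, 6))

def next_runs(schedule, start, count=3):
    """The first `count` minutes at or after `start` on which the schedule fires."""
    when = datetime.fromisoformat(start) if isinstance(start, str) else start
    when, hits = when.replace(second=0, microsecond=0), []
    while len(hits) < count:
        if fires_at(schedule, when):
            hits.append(when.isoformat(timespec="minutes"))
        when += timedelta(minutes=1)
    return hits

if __name__ == "__main__":
    sched = panel_to_cron(["00", "30"], ["Any"])          # the manual's example
    print(sched, "->", next_runs(sched, "2000-01-03T14:10"))
```

Running the block with the manual’s “Any”/“00”/“30” selection prints the string “0,30 * * * *” and the next three firing times, one on the hour and one on the half hour.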
The buttons along the bottom of the Control Panel allow you to immediately begin a check, build, or other function. Pressing these buttons to “Build” or “Check” will bring up a window which will display the output and messages from Intact. Pressing the “Edit Config” button will bring up a configuration browser which will be described in the section “Configuration Browser”.
Button   Action
Help     Bring up the HTML help file
Apply    Make changes permanent but do not close the window
OK       Apply changes and close the window
Cancel   Do not make any changes and close the window
This option allows you to add additional variables which you want to define in the configuration file. This is a comma-separated list of “var=val” pairs. This feature will become clearer in the context of the configuration file description later in this manual.
The Intact Control Panel applet uses the following registry key values under HKEY_LOCAL_MACHINE\Software\Pedestal Software\Intact:
Key                        Description
ServiceConfigFile          Location of the Intact configuration file, e.g. “c:\applications\intact\intact.icf”.
ServiceConfigType          Boolean: 0 = Enterprise, 1 = Intelligence/Open Use.
ServiceExecutionSchedule   Cron-formatted execution schedule, e.g. “0 1 * * *”.
ServiceExtraDefines        Comma-separated list of NAME=VALUE pairs.
ServiceForcepollFile       File location of the Enterprise version polling file.
ServiceODBCDatasource      Enterprise version data source name.
ServiceODBCLogin           Enterprise version login name.
ServiceODBCPassword        Enterprise version database password, stored in a reversible obfuscated format.
ServiceODBCTable           Enterprise version database configuration name. Normally the COMPUTERNAME of the workstation or server.
ServicePollingInterval     Enterprise version polling interval, in minutes.
<behavior db path>         In Intelligence and Enterprise, the full path to a behavior database. This value is used to count down self-identification runs in auto mode.
This functionality is not supported in the Open Use or Intelligence versions.
intact.exe is the command which builds and checks the database. This command performs all the critical functions of Intact. It is typically executed by the Control Panel, but may also be executed independently. This section describes how to execute intact.exe independently. Not all functions described here are available in the Open Use version. Self-ident, make-conf and auto mode are only available in the Intelligence and Enterprise versions.
intact.exe has several command-line options which affect reporting and performance. Each time intact is executed, it will read the configuration file you specify. That configuration file contains rules for processing the file system and the registry. The format of this file is outlined in the next section.
Intact works in five operating modes: build, check, self-identification, make-conf and auto.
Mode                  Description
build                 Build mode builds a new detection database for use in subsequent check mode or self-identification mode executions.
check                 Check mode reports on changes to the system as last recorded in an Intact detection database.
self-identification   Self-identification mode is a unique feature of Pedestal Software’s integrity checking system. The idea behind self-identification is to observe the system and record changes occurring to files, directories and registry keys, allowing Intact to build a configuration file automatically, pruning the objects or aspects of objects which are likely to change on a system. The scope and duration of the observation period is user-defined.
make-conf             After a sufficient observation period you may instruct Intact to utilize the self-identification information to build a new configuration file. This is accomplished by running Intact in make-conf mode. Make-conf mode takes a configuration file and a behavior database as inputs and produces a new configuration file as output. The new configuration file will have a scope within that of the supplied configuration file even if the behavior database contains information about objects out of the scope of the supplied configuration file.
auto                  Auto mode is intended for completely automated installation and configuration. This is the default mode when Intact is installed. In auto mode, Intact will observe the system for some period of time, automatically produce a configuration file, and automatically report on changes forthwith to a centralized management station.
· Figure 2: Creating a new database
When creating a database, you execute intact.exe specifying a configuration file and database file name such as
intact -build web1.icf a:\web1.idb
Intact will then read the configuration file, which specifies which directories, files and registry keys to read (or not read), and begin storing all relevant information about these objects into the detection database. If you are running in self-identification mode, Intact will also create the initial behavior database. Typically, the database is stored on removable media, such as.
When you have created the database, remove the disk and store it in a secure location. The database contains information about where and when it was created and with what configuration file, but is not itself guarded against alteration. Any person with physical access to the disk could alter the database in conjunction with malicious changes to the system. Write-protecting the disk will at least prevent programs from changing the data without physical interaction.
· Figure 3: Comparing a database with a system
When you wish to check the system against the database, first reinsert the disk or removable media with the database, or connect to the network drive which contains the database. Then execute the check command. Make sure you use the same configuration file.
intact -check web1.icf a:\web1.idb
The configuration file contains information about notification of errors. They may be reported on the screen or sent via e-mail to a particular user. Additionally, if running in self-identification mode, the behavior database will be updated to reflect detected changes. You may also specify more parameters on the command line to control various aspects of verification, creation and reporting. See the section Command line interface below.
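The build/check cycle just described (and the integrity-checking principle outlined in Chapter 1: record file signatures and properties in a database, then compare the live system against it) is illustrated by the following Python, an added example that is not part of the manual or of Pedestal Software’s code. It models a subset of the manual’s file flags (s, m, t, 1 and 2) over a constructed directory tree, saves the baseline as JSON in place of an .idb file, then alters the tree so that a file is replaced by same-length content with its timestamp put back; only the digests expose that change, which is why the manual recommends storing signatures rather than relying on timestamps. The function names build, check, fingerprint and demo are this example’s own.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Property letters follow the manual's file-flag table: s = size, m = modification
# time, t = attributes, 1 = MD5, 2 = SHA-1.  Only that subset is modelled here.
def fingerprint(path, flags="smt12"):
    """Record the requested properties of one file."""
    st = path.lstat()
    rec = {}
    if "s" in flags:
        rec["s"] = st.st_size
    if "m" in flags:
        rec["m"] = int(st.st_mtime)
    if "t" in flags:
        rec["t"] = stat.filemode(st.st_mode)
    if ("1" in flags or "2" in flags) and stat.S_ISREG(st.st_mode):
        md5, sha = hashlib.md5(), hashlib.sha1()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                md5.update(chunk)
                sha.update(chunk)
        if "1" in flags:
            rec["1"] = md5.hexdigest()
        if "2" in flags:
            rec["2"] = sha.hexdigest()
    return rec

def build(root, flags="smt12"):
    """Build mode: walk root and store one record per file (the detection database)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            db[p.relative_to(root).as_posix()] = fingerprint(p, flags)
    return db

def check(root, db, flags="smt12"):
    """Check mode: compare the live tree against the stored database and report
    added, removed and changed objects together with the properties that differ."""
    current = build(root, flags)
    report = {"added": sorted(set(current) - set(db)),
              "removed": sorted(set(db) - set(current)),
              "changed": {}}
    for rel in sorted(set(current) & set(db)):
        old, new = db[rel], current[rel]
        diffs = {k: (old.get(k), new.get(k)) for k in set(old) | set(new)
                 if old.get(k) != new.get(k)}
        if diffs:
            report["changed"][rel] = diffs
    return report

def demo():
    """Build a baseline over a constructed tree, alter the tree, then check it.
    The binary is overwritten with same-length content and its timestamp put
    back, so size and mtime agree with the baseline and only the digests differ."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        exe = root / "bin" / "server.exe"
        exe.write_bytes(b"original binary")
        (root / "readme.txt").write_bytes(b"hello")
        saved = json.dumps(build(root))            # what would go onto the a:\ diskette
        before = exe.stat()
        exe.write_bytes(b"tampered binary")        # same length as the original
        os.utime(exe, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / "readme.txt").unlink()
        (root / "bin" / "extra.dll").write_bytes(b"new")
        return check(root, json.loads(saved))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists extra.dll as added, readme.txt as removed, and server.exe as changed in properties 1 and 2 only; a checker configured without the digest flags would have reported nothing for that file.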
Self-identification mode is a unique feature to Pedestal Software’s integrity checking system. The idea behind self-identification is to observe the system and record changes occurring to files, directories and registry keys to allow Intact to build a configuration file automatically pruning the objects or aspects of objects which are likely to change on a system. Auto mode described in the next section makes this process easy to use and administer.
The scope and duration of the observation period is user-defined. Self identification mode requires a configuration file, a detection database, and a behavior database as arguments. The behavior database argument must be supplied in the configuration file by #define’ing BEHAVIORDB, and the syntax to Intact is the same as for check mode:
intact -check myconfig.icf moving-baseline.idb
When preparing for self-identification mode, the general idea is to keep the configuration file broad and simple, including even those files which you know change frequently or are even inaccessible (for example “c:\pagefile.sys”). Intact will observe which aspects of all objects[3] within this scope do not change and all aspects of objects within the scope that do change. For example, the file “c:\winnt\system32\config\system” may not be accessible for recording the SHA hash, but is accessible for recording the ACL and last modified time. Intact will observe this behavior and build a configuration file (in make-conf mode) instructing Intact to report on the aspects of objects not likely to change. It is acceptable to ignore the errors and other output during this phase.
Self-identification mode creates a new detection database each time it is run which permits Intact to observe changes in the system between runs. The old detection database is discarded each time as it is no longer needed. More specifically, during a self-identification run the system is compared to the current detection database and at the same time a new database is built with the old name plus a “.inuse” extension. When the self-identification process has completed the old detection database is removed and the new one renamed to the original name. At the same time, the behavior database is updated to reflect the observed changes and object properties. If an existing behavior database does not exist, a new one is created.
After an observation period you may instruct Intact to utilize the self-identification information to build a new configuration file. This is accomplished by running Intact in make-conf mode. Make-conf mode takes a configuration file and a behavior database as inputs and produces a new configuration file as output. The new configuration file will have a scope within that of the supplied configuration file even if the behavior database contains information about objects out of the scope of the supplied configuration file. The behavior database parameter must be supplied in the configuration file by #define’ing BEHAVIORDB (or by running Intact with -D BEHAVIORDB=myconfig.icf). For example:
intact -makeconf myconfig.icf output-config.icf
Auto mode helps you automate installation and configuration of self-identification. This is the default mode when installing Intact. In auto mode, Intact will observe the system for some period of time. Then, it will produce a configuration file. After that, it will report on changes to a centralized management station. See the section on event notification for information on the options and configuration details. In this mode, the system uses the “hklm\software\pedestal software\intact” registry key to keep a countdown timer for self-identification mode. When this timer has expired a new configuration file is automatically generated, replacing the existing one (which is renamed with a “.orig” extension), and subsequent runs are in check mode. You can revert back to self-identification mode simply by copying the original configuration file over the current configuration file.
You generally want to retain the behavior database even when the self-identification mode observation period has completed. When new software is added to the system and as changes are made, Intact can reuse the behavior database to continually learn more about the system’s behavior and subsequently produce more accurate configuration files. It’s also advisable to save the detection database used for self-identification and not to overwrite it with a new baseline. When you reset Intact into self-identification mode because of system changes, Intact will be able to observe changes since the last self-identification run.
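The self-identification and make-conf process described in this section, as an added example in Python that is not part of the manual or of Pedestal Software’s code: three constructed observation runs stand in for successive detection databases, a behavior table records per object which properties changed or could not be read, and make_conf emits configuration lines that subtract those properties from the manual’s $(A) flag set (or exclude an object with the “!” prefix when it came and went). The run data, the property letters modelled (t, m, s, 1) and the function names update_behavior, observe and make_conf are this example’s own; the manual’s MAKECONF_SENSITIVITY setting is not modelled.

```python
# Constructed observation runs.  Each run holds what a detection database would
# record for a few objects, using property letters from the manual's file-flag
# table (t = attributes, m = modification time, s = size, 1 = MD5).  None marks a
# property Intact could not read, e.g. a file locked by the operating system.
RUNS = [
    {r"C:\WINNT\system32\ntoskrnl.exe":  {"t": "a", "m": 100, "s": 900, "1": "h1"},
     r"C:\pagefile.sys":                 {"t": "sh", "m": 100, "s": 1000, "1": None},
     r"C:\WINNT\system32\config\system": {"t": "a", "m": 100, "s": 500, "1": None},
     r"C:\TEMP\~x.tmp":                  {"t": "a", "m": 100, "s": 10, "1": "hx"}},
    {r"C:\WINNT\system32\ntoskrnl.exe":  {"t": "a", "m": 100, "s": 900, "1": "h1"},
     r"C:\pagefile.sys":                 {"t": "sh", "m": 200, "s": 1100, "1": None},
     r"C:\WINNT\system32\config\system": {"t": "a", "m": 150, "s": 500, "1": None}},
    {r"C:\WINNT\system32\ntoskrnl.exe":  {"t": "a", "m": 100, "s": 900, "1": "h1"},
     r"C:\pagefile.sys":                 {"t": "sh", "m": 300, "s": 1100, "1": None},
     r"C:\WINNT\system32\config\system": {"t": "a", "m": 250, "s": 500, "1": None},
     r"C:\TEMP\~x.tmp":                  {"t": "a", "m": 300, "s": 12, "1": "hy"}},
]
FILE_FLAGS = "tcmvsniogpz1"   # the manual's default $(A) for files

def update_behavior(behavior, previous, current):
    """One self-identification run: compare the previous detection database with
    the freshly built one and note, per object, which properties changed or could
    not be read.  Objects that appear or vanish between runs are marked with '*'."""
    for obj in set(previous) | set(current):
        entry = behavior.setdefault(obj, {"volatile": set(), "unreadable": set(), "runs": 0})
        entry["runs"] += 1
        old, new = previous.get(obj), current.get(obj)
        if old is None or new is None:
            entry["volatile"].add("*")
            continue
        for prop in set(old) | set(new):
            if old.get(prop) is None or new.get(prop) is None:
                entry["unreadable"].add(prop)
            elif old[prop] != new[prop]:
                entry["volatile"].add(prop)
    return behavior

def observe(runs, behavior=None):
    """The observation period: run 0 is the initial build; every later run is
    compared with its predecessor, which is then discarded (the '.inuse' rename)."""
    behavior, detection_db = behavior or {}, runs[0]
    for current in runs[1:]:
        update_behavior(behavior, detection_db, current)
        detection_db = current
    return behavior

def make_conf(scope, behavior):
    """make-conf: one configuration line per in-scope object, subtracting the
    properties the behavior database says are unstable or unreadable."""
    lines = []
    for obj in scope:
        entry = behavior.get(obj, {"volatile": set(), "unreadable": set()})
        drop = entry["volatile"] | entry["unreadable"]
        keep = [f for f in FILE_FLAGS if f not in drop]
        if "*" in drop or not keep:
            reason = "appeared or vanished" if "*" in drop else "no stable property"
            lines.append(f"!{obj}   ; {reason} during observation")
        elif len(keep) == len(FILE_FLAGS):
            lines.append(f"{obj} $(A)")
        else:
            lines.append(f"{obj} $(A)-" + "".join(f for f in FILE_FLAGS if f in drop))
    return lines

if __name__ == "__main__":
    print("\n".join(make_conf(sorted(RUNS[0]), observe(RUNS))))
```

For the constructed runs the output keeps the kernel image fully monitored, drops the modification time, size and digest from the page file, drops only the modification time and digest from the locked SYSTEM hive, and excludes the temporary file; the behavior table can be handed to observe() again after a software installation, as the manual recommends keeping it.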
Intact relies on your operating system and standard protocols to report on system changes to a centralized console. Intact supports syslog, NT Event Log, files (including file systems accessible via NT networking), and SMTP e-mail.
You may want to deploy more than one of these protocols in your environment. One typical combination is both e-mail and NT Event Log notification. Another possibility is saving all output to a “write-only” centralized share. You could also save the output file locally within a protected area of a running web server and retrieve the output via HTTP or HTTPS and receive notifications via syslog and/or NT Event Log.
Using standard file extensions will also help to manage your system. The table below outlines the recommended file extensions for each type of file.
File                 Extension
Detection database   .idb
Behavior database    .bhv
Configuration file   .icf
Output file          .iof
· Recommended file extensions
The configuration file describes which objects and properties Intact should monitor. An easy-to-use GUI is provided with the software. Information about the GUI can be found in the section below titled “Configuration Browser”. The configuration file, however, is a language, and not all of the language’s functionality is covered by the GUI. Understanding the language will also help in understanding the use of the GUI.
Comments in the configuration file begin with the semi-colon character (“;”) and can occur anywhere in the line; all characters after the “;” character are ignored by intact.exe.
Commands begin with a “#” character. Readers familiar with C and C++ will recognize many of the commands as standard pre-processor commands. Note, however, that there are some differences in syntax when using variables. As in C, commands are followed by a list of parameters separated by spaces if any parameters are required. The commands are shown in the table below. The column labeled Parameters indicates the name of each parameter.
Command   Parameters   Meaning
#define   VAR TEXT     Define VAR so that wherever $(VAR) is found, TEXT is substituted in the file. VAR and TEXT should be replaced with a specific variable name and the text to define.
#ifdef    VAR          Process until “#endif” if variable VAR is defined.
#ifndef   VAR          Process if VAR is not defined.
#if       EXPR         Evaluate an expression EXPR and process if true. Expressions are algebraic. The operators are described below.
#else                  Follows an “#if”, “#ifdef” or “#ifndef” to indicate that the commands after the “#else” should be executed if the commands above were not.
#endif                 Terminates an “#if”, “#ifdef” or “#ifndef” command.
· Table 1: Configuration file commands
In expressions, several operators can be used. They are explained in the table below. The Syntax column uses upper case letters which represent variables or values.
Operator   Syntax      Meaning
==         A==B        True if A and B are the same
>          A>B         True if A is greater than B
>=         A>=B        True if A is greater than or equal to B
<          A<B         True if A is less than B
<=         A<=B        True if A is less than or equal to B
&&         A&&B        Logical and
||         A||B        Logical or
+          A+B         Add two integers
-          A-B         Subtract two integers
*          A*B         Multiply two integers
/          A/B         Divide two integers
int()      int(expr)   Force interpretation of expr as an integer
· Table 2: Configuration file expression operators
Associativity is left to right with standard precedences.
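The operator table above, as an added example in Python that is not part of the manual or of Pedestal Software’s code: a small recursive-descent evaluator for #if expressions implementing exactly Table 2’s operators with left-to-right associativity and the usual precedence (logical or lowest, then logical and, comparisons, additive, multiplicative, then int() and parentheses). Beyond what the page states, it assumes that text compares case-insensitively, that an unquoted operand may contain spaces (an expanded $(FULLNAME) such as NT AUTHORITY\SYSTEM does), and that / is integer division. The names tokenize, compare, Parser and evaluate are this example’s own.

```python
import re

OPS = {"==", ">=", "<=", "&&", "||", ">", "<", "+", "-", "*", "/", "(", ")"}
TOKEN = re.compile(r'==|>=|<=|&&|\|\||[><+\-*/()]|"[^"]*"|[^\s=><&|+\-*/()"]+')

def tokenize(expr):
    """Split an expression into operators, quoted text, numbers and bare words."""
    tokens = TOKEN.findall(expr)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", expr):
        raise ValueError(f"cannot tokenize {expr!r}")
    return tokens

def compare(op, a, b):
    """The comparison operators of Table 2.  Text compares case-insensitively
    (an assumption); text against an integer is unequal, or an error for < >."""
    if type(a) is not type(b):
        if op == "==":
            return False
        raise ValueError("mixed text/integer comparison; wrap the text in int()")
    if isinstance(a, str):
        a, b = a.lower(), b.lower()
    return {"==": a == b, ">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]

class Parser:
    """Recursive-descent evaluator.  Precedence from lowest: ||, &&, comparisons,
    + -, * /, then int() and parentheses; every level associates left to right."""
    def __init__(self, expr):
        self.t, self.i = tokenize(expr), 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None
    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want and tok != want):
            raise ValueError(f"expected {want or 'a value'}, got {tok!r}")
        self.i += 1
        return tok
    def level(self, ops, below, fn):
        """One precedence level: parse `below`, then fold any run of `ops` leftwards."""
        v = below()
        while self.peek() in ops:
            op = self.take()
            v = fn(op, v, below())
        return v
    def or_(self):  return self.level(("||",), self.and_, lambda o, a, b: bool(a) | bool(b))
    def and_(self): return self.level(("&&",), self.cmp, lambda o, a, b: bool(a) & bool(b))
    def cmp(self):  return self.level(("==", ">", ">=", "<", "<="), self.add, compare)
    def add(self):  return self.level(("+", "-"), self.mul, lambda o, a, b: a + b if o == "+" else a - b)
    def mul(self):  return self.level(("*", "/"), self.primary, lambda o, a, b: a * b if o == "*" else a // b)
    def primary(self):
        tok = self.take()
        if tok == "(" or (tok.lower() == "int" and self.peek() == "("):
            if tok != "(":
                self.take("(")
            v = self.or_()
            self.take(")")
            return v if tok == "(" else int(v)
        if tok in OPS:
            raise ValueError(f"value expected before {tok!r}")
        if tok.startswith('"'):
            return tok[1:-1]
        if tok.isdigit():
            return int(tok)
        # An unquoted expansion such as NT AUTHORITY\SYSTEM contains a space, so
        # adjacent bare words are joined into one text value (assumption).
        words = [tok]
        while self.peek() is not None and self.peek() not in OPS and not self.peek().startswith('"'):
            words.append(self.take())
        return " ".join(words)

def evaluate(expr):
    """Evaluate one #if expression (after $(VAR) substitution) to a value."""
    p = Parser(expr)
    v = p.or_()
    if p.peek() is not None:
        raise ValueError(f"unexpected {p.peek()!r} in {expr!r}")
    return v

if __name__ == "__main__":
    for e in ('NT AUTHORITY\\SYSTEM == "SYSTEM"', "int(03) >= 1 && int(03) < 5", "(2 + 3) * 4 == 20"):
        print(f"{e!r:45} -> {evaluate(e)}")
```

The evaluator is fed the text of an #if line after variable substitution, which is why a value such as $(HOUR) arrives as the digits 03 and still needs int() only when it is compared with something that is not already a number.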
There are several pre-existing variables which can be used throughout the configuration file. In addition, all environment variables are also available. The internal values are shown in the table below. Variables are not case sensitive.
Variable               Meaning                                                                      Default value
SystemRoot             Root of the system directory                                                 C:\WINNT
TEMP                   Windows temporary directory
FULLNAME               Domain name of current user
COMPUTERNAME           The NetBIOS name of the computer
MONTH                  Current month number (1-12)
DAY                    Current day of the month (1-31)
YEAR                   Current year (including century)
HOUR                   Current hour (00-23)
MINUTE                 Current minute (00-59)
SECOND                 Current second (00-59)
PRIORITY               Set execution priority                                                       normal
CHECK                  Set if Intact is running in check mode
BUILD                  Set if Intact is running in build mode
AUTO                   Set if Intact is running in auto mode
MAKECONF               Set if Intact is running in makeconf mode
CONFIG_FROM            Set to either ‘FILE’ or ‘ODBC’ depending on where the config file came from
DETECTIONDB            Path of database file
BEHAVIORDB             Path of the behavior database
BEHDBTYPE              Optimization of behavior db: “mem” or “disk”                                  mem
OUTPUTFILE             Name of file to receive messages
EVENTLOG               Notify Event Log (value is server; blank is local)
SYSLOG                 Notify syslog (value is server; blank is local)
SYSLOGFACILITY         Facility for syslog messages                                                 user
SYSLOGSEVERITY         Severity for syslog messages                                                 info
AUTO_COUNTDOWN_TIMER   Number of times to execute in self-identification mode                       6
MAKECONF_SENSITIVITY   Sensitivity to changes during self-identification mode (high, normal, low)   normal
INTACTPRIORITY         System priority for process
MAILSERVER             SMTP mail server to use
MAILTO                 Address to send mail to
MAILFROM               Return address                                                               Intact@[host]
MAILSUBJECT            Subject of mail message                                                      date and time
MAILTEMPFILE           Temporary file for mail                                                      $(TEMP)\intact_tmp.txt
RA                     Registry: all parameters                                                     ckmogpz1
A                      File: all parameters                                                         tcmvsniogpz1
LOG                    Log file changes                                                             tcnogpz
UA                     Ntuser: all parameters                                                       NcCdjhspwlSoaebxmuMgRrfLO
GA                     Ntgroup: all parameters                                                      ncgm
· Table 3: Configuration file variables
When accessing these values, the variable name should be preceded by “$(” and terminated by “)”. For example, “$(FULLNAME)” would be substituted by the domain name of the current user. More examples will be given farther along in this section.
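The variable substitution and the #-commands of Table 1, as an added example in Python that is not part of the manual or of Pedestal Software’s code: a pre-processor that strips “;” comments, expands $(NAME) from #define’d values with a fallback to environment variables, and handles nested #ifdef/#ifndef/#if/#else/#endif blocks, returning the surviving object lines and the final variable table. So that the block stays self-contained, its #if support is limited to a text equality test (equals_only); the full operator set of Table 2 is a separate concern, and preprocess() accepts any evaluator callable in its place. The sample configuration, the eager expansion of TEXT at #define time and the names expand, equals_only, preprocess and demo are this example’s own.

```python
import os
import re

VAR = re.compile(r"\$\(([A-Za-z0-9_]+)\)")

def expand(text, vars_):
    """Replace each $(NAME) by its #define'd value, falling back to the environment
    variable of that name (the manual says all environment variables are available)."""
    return VAR.sub(lambda m: vars_.get(m.group(1).upper(), os.environ.get(m.group(1), "")), text)

def equals_only(expr):
    """Deliberately minimal #if evaluator for this example: only 'A == B' on text,
    case-insensitive (assumption).  Table 2's full operator set is a separate
    concern; preprocess() accepts any evaluator callable in its place."""
    left, sep, right = expr.partition("==")
    if not sep:
        raise ValueError(f"unsupported #if expression {expr!r}")
    return left.strip().strip('"').lower() == right.strip().strip('"').lower()

def preprocess(source, predefined=None, evaluate=equals_only):
    """Apply the '#' commands of Table 1 and return (surviving object lines with
    $(VAR)s expanded, final variable table).  ';' starts a comment; variable
    names are case-insensitive; conditionals nest and inactive blocks are skipped."""
    vars_ = {k.upper(): str(v) for k, v in (predefined or {}).items()}
    out, stack = [], []                  # one bool per open conditional: branch active?
    for raw in source.splitlines():
        line = raw.split(";", 1)[0].strip()
        cmd, _, arg = line.partition(" ")
        cmd, arg, active = cmd.lower(), arg.strip(), all(stack)
        if not line:
            continue
        elif not cmd.startswith("#"):
            if active:
                out.append(expand(line, vars_))
        elif cmd == "#define":
            if active:
                name, _, text = arg.partition(" ")
                vars_[name.upper()] = expand(text.strip(), vars_)
        elif cmd == "#ifdef":
            stack.append(active and arg.upper() in vars_)
        elif cmd == "#ifndef":
            stack.append(active and arg.upper() not in vars_)
        elif cmd == "#if":
            stack.append(active and bool(evaluate(expand(arg, vars_))))
        elif cmd == "#else":
            if not stack:
                raise ValueError("#else without #if")
            taken = stack.pop()
            stack.append(all(stack) and not taken)
        elif cmd == "#endif":
            if not stack:
                raise ValueError("#endif without #if")
            stack.pop()
        else:
            raise ValueError(f"unknown command {cmd!r}")
    if stack:
        raise ValueError("unterminated #if, #ifdef or #ifndef")
    return out, vars_

# Constructed sample in the style of the manual's Figure 7.
SAMPLE = r"""; constructed sample configuration
#define RA ckmogpz1
#define A tcmvsniogpz1
#ifndef DETECTIONDB
#define DETECTIONDB a:\web1.idb
#endif
$(SystemRoot)\system32 $(A)   ; the comment is stripped
#if $(FULLNAME) == "NT AUTHORITY\SYSTEM"
hklm\sam $(RA)
#else
hklm\hardware $(RA)-m
#endif"""

def demo(fullname):
    """Run SAMPLE as the given account would see it."""
    return preprocess(SAMPLE, {"SystemRoot": r"C:\WINNT", "FULLNAME": fullname})

if __name__ == "__main__":
    for who in ("NT AUTHORITY\\SYSTEM", "jdoe"):
        print(who, "->", demo(who)[0])
```

Run as the SYSTEM account the sample yields the system32 line and hklm\sam; run as an ordinary user it yields system32 and the hklm\hardware line instead, which mirrors how the manual’s sample files select registry keys by who executes the program.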
Several variables require special explanation. PRIORITY sets the execution priority of the process. It can be one of the following:
• lowest
• idle
• low
• normal
• high
• highest
• critical
Keep in mind that screen savers may often have a priority of normal or above. If you set your program to run at a lesser priority than your screen saver, the program may never receive any execution time.
DETECTIONDB specifies the path of the database file. You must specify a database file either on the command line or by using this variable. OUTPUTFILE specifies the path of the text log file for errors, flags and warnings.
In addition to these commands, a line can also contain an object description. This description tells the processor to store the information of an object, sub-objects, permissions, time-stamps, etc. It consists of three parts:
1) Prefix
2) Object: a file, directory, user, group or registry to check
3) Flags
Each prefix is only one or two characters. It precedes the object name and is not separated from it by spaces. There are four prefixes. Not all prefixes apply to all types of objects.
Prefix   Meaning
=        Do not store the files within the given directory, but do store the directories within it. Files in subdirectories are stored.
==       Do not store the files within the given directory nor any files within subdirectories at any level below it.
!        Do not store the item.
!!       Do not store the item or its children.
· Table 4: Object prefixes
The object specified can be either a file, directory, or registry. Files and directories are specified by giving the complete file path, such as “C:\WEB\DATA.” Registries begin with a hive identifier. The valid identifiers are in the table below. For example, “hklm\Software.”
ID     Registry Hive
hkcu   HKEY_CURRENT_USER
hkcr   HKEY_CLASSES_ROOT
hku    HKEY_USERS
hklm   HKEY_LOCAL_MACHINE
hkcc   HKEY_CURRENT_CONFIG
· Table 5: Registry prefixes
Users and groups begin with an identifier of “ntuser:” or “ntgroup:” followed by a name which may contain wildcards. For example, “ntuser:s*” will check all users whose user id begins with “s”. The wildcard “?” is also supported. If a user or group matches a wildcarded entry and you also specify that user or group without wildcards, the non-wildcarded entry will take precedence. For example:
NTUSER:*admin* amrf
NTUSER:administrators $(UA)
Even though “administrators” matches both lines, the flags $(UA) will be used.
ID        Meaning
Ntuser    Local or global user
Ntgroup   Local or global domain groups
· Figure 4: Users and groups
The object “client:” has special meaning. Currently there is only one client type supported, “drives”:
ID              Meaning
Client:drives   Intact will add the root directory of all fixed-type drives to the configuration file with the specified flags.
· Figure 5: Special Client object
For example, specifying “client:drives $(A)” in the configuration file will be expanded to the root directory of all fixed drives on the system.
Each flag is a single character with special meaning. Flags determine what information to store about each object and sub-object in the line which they are specified. Flags are specified by entering them in sequence without any spaces between flag characters. Valid flags for each object type are given in the tables below.
Flags are case sensitive, for example, the NTUSER flag “r” is not the same as “R”.
Applies to FILES, REGISTRY
Flag   Meaning
1      Store MD5[4] signature of file or value
2      Store SHA signature of file or value
· Table 6: Generic configuration file flags
Applies to REGISTRY
Flag   Meaning
C      Classname
K      Key info (number of subkeys, values, lengths, etc.)
m      Last write time
o      Owner SID
g      Group ACL
p      Standard ACL
z      Auditing ACL
· Table 7: Registry flags
Applies to FILES
Flag   Meaning
t      Attributes (read-only, system, hidden, etc.)
c      Creation time
a      Access time
m      Modification timestamp
v      Volume serial number
s      Size of file
n      Number of links
i      File index number
o      Owner SID
g      Group ACL
p      Standard ACL
z      Auditing ACL
· Table 8: File and directory flags
Applies to NTUSERS
Flag   Meaning
n      Name
c      Comment (description)
C      User comment
d      Country code/code page
j      Parms (MS-specific parameters)
h      Home directory
s      Script path
p      Profile
w      Workstations user may log on to
l      Number of logons
S      Server
o      Password
a      Password age
e      Password expired
b      Bad password count
x      Account expires
m      Max storage
u      Uid
g      Primary gid
M      Group membership
r      RAS flags
R      RAS callback phone number
f      User flags
L      Last logon
O      Last logoff
· Table 9: NTUSER flags
Applies to NTGROUPS
Flag   Meaning
n      Name
c      Comment
g      Group id
m      Group membership
· Table 10: NTGROUP flags
Two special flags “+” (plus) and “-” (minus) allow you to add and subtract flags from existing groups of flags. For example, file flags “tcmpgz-zg” is equivalent to “tcmp”; likewise, ntuser flags “Mfa+r-a” would be equivalent to “Mfr”. To switch from the default SHA1 digest algorithm to MD5 in the set of flags defined in $(RA), specify “$(RA)-2+1” in the flags argument.
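The object description syntax of this section (prefix, object and flags; hive identifiers; ntuser:/ntgroup:/client: objects; the wildcard precedence rule for accounts; and the “+”/“-” flag arithmetic just described), as an added example in Python that is not part of the manual or of Pedestal Software’s code. It parses one line at a time using the default flag sets of Table 3, splits on whitespace outside double quotes so that quoted paths and group names survive, applies + and - left to right, classifies the object, and checks file flags against Table 8 plus the digest flags of Table 6 (other object kinds are accepted as written). The sample lines and the names split_fields, resolve_flags, parse_object_line and flags_for_account are this example’s own.

```python
import fnmatch
import re

# Default flag sets from Table 3 of the manual, quoted as given there.
DEFAULTS = {"RA": "ckmogpz1", "A": "tcmvsniogpz1", "LOG": "tcnogpz",
            "UA": "NcCdjhspwlSoaebxmuMgRrfLO", "GA": "ncgm"}
FILE_FLAGS = set("tcamvsniogpz12")     # Table 8 plus the generic digest flags of Table 6
HIVES = {"hkcu", "hkcr", "hku", "hklm", "hkcc"}
VAR = re.compile(r"\$\(([A-Za-z0-9_]+)\)")

def split_fields(line):
    """Split on whitespace outside double quotes and drop the quotes, so that
    "C:\Program Files" and NTGROUP:"domain guests" each stay one field."""
    fields, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
    if quoted:
        raise ValueError(f"unbalanced quotes in {line!r}")
    return fields + [cur] if cur else fields

def resolve_flags(spec, vars_):
    """Expand $(VAR)s, then apply the + and - operators left to right:
    'tcmpgz-zg' -> 'tcmp', 'Mfa+r-a' -> 'Mfr'.  Flags are case-sensitive."""
    spec = VAR.sub(lambda m: vars_[m.group(1).upper()], spec)
    result, adding = [], True
    for ch in spec:
        if ch in "+-":
            adding = ch == "+"
        elif adding and ch not in result:
            result.append(ch)
        elif not adding and ch in result:
            result.remove(ch)
    return "".join(result)

def parse_object_line(line, vars_=None):
    """Parse one 'prefix object flags' line into its parts and classify the object."""
    vars_ = {**DEFAULTS, **{k.upper(): v for k, v in (vars_ or {}).items()}}
    fields = split_fields(line.split(";", 1)[0])        # ';' starts a comment
    if not fields:
        return None
    obj, flags = fields[0], fields[1] if len(fields) > 1 else ""
    prefix = next((p for p in ("==", "!!", "=", "!") if obj.startswith(p)), "")
    obj = VAR.sub(lambda m: vars_[m.group(1).upper()], obj[len(prefix):])
    low = obj.lower()
    kind, name = "file", obj
    for tag in ("ntuser:", "ntgroup:", "client:"):
        if low.startswith(tag):
            kind, name = tag[:-1], obj[len(tag):]
    if kind == "file" and low.split("\\", 1)[0] in HIVES:
        kind = "registry"
    flags = resolve_flags(flags, vars_)
    unknown = sorted(set(flags) - FILE_FLAGS) if kind == "file" else []
    return {"prefix": prefix, "kind": kind, "name": name, "flags": flags, "unknown_flags": unknown}

def flags_for_account(kind, account, entries):
    """Pick the flags that apply to one user or group: an entry naming the account
    exactly beats any wildcard entry that also matches, as the manual specifies."""
    exact = [e for e in entries if e["kind"] == kind and e["name"].lower() == account.lower()]
    if exact:
        return exact[0]["flags"]
    for e in entries:
        if e["kind"] == kind and fnmatch.fnmatchcase(account.lower(), e["name"].lower()):
            return e["flags"]
    return None

# Constructed lines modelled on the manual's examples.
SAMPLE = [
    "NTUSER:*admin* amrf",
    "NTUSER:administrator $(UA)",
    'NTGROUP:"domain guests" $(GA)',
    r'"C:\Program Files" $(A)',
    r"==$(SystemRoot)\system32\spool $(LOG)   ; just the directory",
    r"!!$(SystemRoot)\system32\os2",
    r"hklm\hardware $(RA)-m12",
    "client:drives $(A)",
    r"C:\DOCS $(A)+q",                         # typo: q is not a file flag
]

def parse_sample():
    return [parse_object_line(l, {"SystemRoot": r"C:\WINNT"}) for l in SAMPLE]

if __name__ == "__main__":
    for entry in parse_sample():
        print(entry)
```

Parsing the sample shows the exact NTUSER:administrator entry winning over NTUSER:*admin* while a user named sqladmin still receives the wildcard’s flags, the “!!” line carrying no flags at all, the registry line reduced to “ckogpz” after subtracting m, 1 and 2, and the mistyped “q” reported as an unknown file flag before it silently ends up in a production configuration.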
Below is a sample configuration file. It will store information about the system directories, the application directory and selected registry keys depending on who executes the program. It is not intended as a production sample. The distribution contains several sample files which are very useful.
"C:\Program Files" $(A)
$(SystemRoot)\system32 $(A)
#if $(FULLNAME) == "SYSTEM"
hkcu\sam $(RA)
#else
hklm\hardware $(RA)-m12
#endif
Figure 6: Sample configuration file
Below is another, more comprehensive and fully commented sample configuration file.
NTUSER:*admin* $(UA)
NTUSER:guest $(UA)
NTGROUP:*admin* $(GA)
NTGROUP:"domain guests" $(GA)
==$(TEMP) $(LOG) ; just temp alone
$(SystemRoot)\system32 $(A)
==$(SystemRoot)\system32\spool $(LOG) ; just directory
$(SystemRoot)\system32\config\AppEvent.Evt $(LOG)
$(SystemRoot)\system32\config\default $(LOG)
$(SystemRoot)\system32\config\default.LOG $(LOG)
$(SystemRoot)\system32\config\SAM $(LOG)
$(SystemRoot)\system32\config\SAM.LOG $(LOG)
$(SystemRoot)\system32\config\SecEvent.Evt $(LOG)
$(SystemRoot)\system32\config\SECURITY $(LOG)
$(SystemRoot)\system32\config\SECURITY.LOG $(LOG)
$(SystemRoot)\system32\config\software $(LOG)
$(SystemRoot)\system32\config\software.LOG $(LOG)
$(SystemRoot)\system32\config\SysEvent.Evt $(LOG)
$(SystemRoot)\system32\config\system $(LOG)
$(SystemRoot)\system32\config\SYSTEM.ALT $(LOG)
=$(SystemRoot)\system32\ras $(A) ; skip files in ras, not subdirs
!!$(SystemRoot)\system32\os2 ; skip os2 and everything under it
C:\DOCS $(A)
D:\WWWROOT $(A)
hklm\Software $(RA)
#if $(FULLNAME) == "NT AUTHORITY\SYSTEM"
hklm\sam $(RA)
hklm\security $(RA)
hklm\hardware $(RA)-m
#else
hklm\hardware $(RA)-m
#endif
Figure 7: Sample configuration file
Intact installs a configuration browser which takes over some of the tedious work of creating and maintaining a configuration file. The editor can be invoked from the command line or from the Control Panel by pressing the “Edit Config” button. The Configuration Browser is only available in the Server or Enterprise versions of Intact.
Figure 8: Intact configuration browser
You may open, save, and drag configuration files into this window as you would with any other standard Windows application.
The configuration file is explained in the section “Configuration File”. You may want to read that section to understand all the details.
To add a new item select an option from the “Add new object” box as shown in the following figure.
Figure 9: Create new item
A dialog will come up which contains information relevant for the type of object you have selected. In this example, a registry dialog will come up.
Figure 10: Registry edit dialog box
You may check off the attributes you want to monitor, or press the shortcut buttons “All” and “Log”. Click Browse to display a tree of the registry keys so that you can choose the one of interest.
To edit an existing line, double-click on it. This will bring up either the specialized dialog box or a generic dialog box, depending on your Options settings (menu View/Options).
This feature is available in the Intelligence and Enterprise versions only.
The Intact core is a command line program. Several interfaces, such as the Control Panel or the Configuration Builder, help you work with Intact without understanding the command line usage, which may appear cumbersome at first. However, there are several reasons why direct use of the command line executable may sometimes be useful.
· A smaller executable allows you to fit the entire integrity checker and database for small systems on a 3½ inch floppy disk.
· Fewer libraries to load means there is less chance that altered system library files will affect Intact. This is a very important consideration, because there is a very real threat that surreptitiously modified library files may be used to defeat an integrity checker.
· Command line interfaces are easier to script, schedule, and run remotely.
The intact.exe command has several options. Each option begins with a dash, “-”, not a slash, “/”, as is sometimes used in MS-DOS. Some options are followed by one or more parameters. If a parameter contains spaces, it should be enclosed in quotes (").
Option | Meaning
-S | Run as SYSTEM in a new window[5]
-build | Build a new database
-check | Compare the system against a database
-makeconf | Create new configuration file from behavior database
-auto | Run in autoconfigure mode
-digest | Calculate the MD5 and SHA1 digest for a given file
-Dname=val | Set variables (see Configuration File)
-std | Direct stderr to stdout
-verbose | Display many messages
-dN | Debug (N is from 1 to 3, where 1 is least verbose)
Table 11: intact.exe command line options
Because the SYSTEM account has permissions to every aspect of the computer, it is often desirable to execute Intact as SYSTEM. SYSTEM is able to see things which not even Administrator can. If you specify the “-S” option, Intact will execute in a separate window using the SYSTEM account.
The “-build” option is used to create a new database. The option is followed by the file name of the configuration file and the database file name you want to create or overwrite.
intact -build intact.icf intact.idb
The “-check” option compares an existing database against the files which it represents. You must follow it with the configuration file used to create the database and the database name.
intact -check intact.icf intact.idb
If BEHAVIORDB is defined in the configuration file, the check will run in self-identification mode. In this mode, any changes which are detected are stored in a behavior database. You may want to run in this mode during the normal operation of your system when Intact is initially installed. The database will keep track of all changes so that you can later create a configuration file which more accurately reflects the normal behavior of your system.
The option “-std” makes sure that errors and normal output are both sent to the standard output of the program so that you can redirect them easily. Normally, errors are not redirectable; they display on the console even if you use the “>” operator.
If you specify “-verbose” more messages will be generated during the build and check phases. These messages indicate all the files which are being added or checked. They are interspersed between the error and warning messages which may be generated.
intact -verbose -check intact.icf intact.idb
By using “-dN” options, where N is a number between 1 and 3, you will get even more information about the processing of intact.exe. These options are often used to isolate particular anomalies in your file system or registry which may be causing you problems.
intact -d1 -verbose -check intact.icf intact.idb
If you just enter the command “intact” without any options or parameters, the program will display a summary of its usage.
The section on the “at” command in Chapter 3 explains how to schedule the execution of Intact. Intact can direct its output to a terminal or a file, or send it via e-mail.
By default, the program displays all its output on the terminal. This output can be redirected to a file using the shell’s “>” operator; for example, “intact -check intact.icf tb.idb >tb.iof”.
The variables listed in Table 3 which begin with “MAIL” allow you to specify an email recipient who will receive the complete output of the run. You should specify at least “MAILSERVER” and “MAILTO”, using the standard internet email format, such as “pedestal@pedestalsoftware.com”. You may send to multiple recipients by supplying a comma separated list as the argument.
The first error of concern occurs when you execute the program without Administrator privileges. The program will be unable to detect auditing changes and display:
WARNING: could not assert SECURITY privilege. Access to auditing information will not be permitted.
Occasionally, various system errors will be displayed, prefixed by “ERROR”. These are the standard Windows errors which should be familiar to trained systems administrators; because there are so many, they are not listed here. Keep in mind, however, that all errors should be carefully reviewed, because they could indicate a misconfiguration or an attempted hack on the system.
Other messages indicate changes in the object parameters and are clearly labeled. Below is a list of sample reports which should cover most situations.
Report output displays an explanation of what changed. Below is a directory which was modified:
CHANGED: FILE: d:\Apps:
Last write time changed
was: May 06, 1998 10:03:16
is: May 18, 1998 21:00:19
Figure 11: File last-modified time changed
Below is a file which has been modified. Note that the index is different, so the file has probably been deleted and rewritten, which is common practice with many applications when saving files. The signature is different because the contents of the file have changed.
CHANGED: FILE: c:\data files\letter.doc:
Last write time changed
was: January 26, 1998 14:17:56
is: May 12, 1998 01:22:21
File index different
was: 3490289711212146792
is: 2792794718923138748
DIGEST is different
was: (MD5: 9A 02 17 1E AF 61 52 94 36 66 C6 E5 E1 CD 97 3C)
is: (MD5: 07 B6 B1 44 FA D4 53 2C 8A 64 D7 76 81 C4 71 CD)
Figure 12: File changes detected
The file below was radically altered. Its contents were changed, and it was rewritten to disk rather than being modified in place. Furthermore, user joe took ownership of the file from Administrators.
CHANGED: FILE: c:\data files\info:
Creation time changed
was: September 16, 1997 08:40:13
is: May 12, 1998 01:11:31
Last write time changed
was: April 25, 1998 19:21:32
is: May 12, 1998 01:11:31
Size has changed
was: 631344
is: 624514
File index different
was: 2779565395017737866
is: 2824601391291442990
DIGEST is different
was: (MD5: E2 08 B0 DB 05 18 8A C4 D6 7E 89 1D DB 09 63 51)
is: (MD5: 3C F5 29 04 C4 9A 56 D1 61 43 27 F9 FD D3 E0 7E)
OWNER is different
was: BUILTIN\Administrators
is: USERPC\joe
Figure 13: Many file changes detected
Here Intact detected changes to a user account and to the Administrators group: the Guest account was added to the Administrators group, and its “Account disabled” checkbox was unchecked:
CHANGED: NTUSER: Guest:
Flags changed:
Flag removed: UF_ACCOUNTDISABLE
Local Group membership changed:
Added: 'Administrators'
was: Guests
is: Administrators,Guests
CHANGED: NTGROUP: Administrators:
Group membership changed:
Added: 'PEDESTAL\Guest'
was: PEDESTAL\Administrator,PEDESTAL\Domain Admins
is: PEDESTAL\Administrator,PEDESTAL\Domain Admins,PEDESTAL\Guest
Figure 14: NTUSER and NTGROUP changes detected
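A check that runs unattended is only useful if someone reads its output. The following added example, which is not Intact’s own code, parses report text in the format of Figures 11 to 14 into one record per changed object and ranks the records for review. The sample report is constructed from the figures above (plus the privilege warning shown earlier), and the severity rules are a constructed prioritisation for an administrator’s triage, not something the manual defines.

```python
# Constructed parser and triage for Intact "CHANGED:" report output; not
# Pedestal's code.  SAMPLE_REPORT is assembled from Figures 12, 13 and 14;
# the severity numbers in triage() are a constructed review order.
import re

HEADER_RE = re.compile(r"^CHANGED: (\w+): (.*):$")
EVENT_KEYS = ("Flag added", "Flag removed", "Added", "Removed")

SAMPLE_REPORT = r"""
WARNING: could not assert SECURITY privilege. Access to auditing information will not be permitted.
CHANGED: FILE: c:\data files\letter.doc:
Last write time changed
was: January 26, 1998 14:17:56
is: May 12, 1998 01:22:21
DIGEST is different
was: (MD5: 9A 02 17 1E AF 61 52 94 36 66 C6 E5 E1 CD 97 3C)
is: (MD5: 07 B6 B1 44 FA D4 53 2C 8A 64 D7 76 81 C4 71 CD)
CHANGED: FILE: c:\data files\info:
OWNER is different
was: BUILTIN\Administrators
is: USERPC\joe
CHANGED: NTUSER: Guest:
Flags changed:
Flag removed: UF_ACCOUNTDISABLE
Local Group membership changed:
Added: 'Administrators'
was: Guests
is: Administrators,Guests
CHANGED: NTGROUP: Administrators:
Group membership changed:
Added: 'PEDESTAL\Guest'
was: PEDESTAL\Administrator,PEDESTAL\Domain Admins
is: PEDESTAL\Administrator,PEDESTAL\Domain Admins,PEDESTAL\Guest
"""

def parse_report(text):
    """Split report text into CHANGED records and loose WARNING/ERROR lines."""
    records, messages, current, attr = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "changes": {}}
            records.append(current)
            attr = None
        elif current is None or line.startswith(("WARNING:", "ERROR:")):
            messages.append(line)          # the manual says to review every one
        else:
            key, sep, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if sep and key in ("was", "is") and attr:
                current["changes"][attr][key] = value
            elif sep and key in EVENT_KEYS and attr:
                events = current["changes"][attr].setdefault("events", [])
                events.append((key, value.strip("'")))
            else:
                attr = line.rstrip(":")    # e.g. "DIGEST is different"
                current["changes"][attr] = {}
    return records, messages

def triage(records):
    """Rank records: 3 = privilege change, 2 = ownership change, 1 = content change."""
    findings = []
    for r in records:
        for attr, detail in r["changes"].items():
            for kind, what in detail.get("events", []):
                if r["type"] == "NTUSER" and kind == "Flag removed" and what == "UF_ACCOUNTDISABLE":
                    findings.append((3, r["name"], "disabled account re-enabled"))
                elif kind == "Added" and "admin" in (what + r["name"]).lower():
                    findings.append((3, r["name"], "'%s' added (%s)" % (what, attr)))
            if attr.startswith("OWNER"):
                findings.append((2, r["name"], "owner %s -> %s" % (detail.get("was"), detail.get("is"))))
            elif attr.startswith("DIGEST"):
                findings.append((1, r["name"], "contents changed"))
    findings.sort(key=lambda f: -f[0])     # stable: report order within a severity
    return findings

if __name__ == "__main__":
    recs, msgs = parse_report(SAMPLE_REPORT)
    for finding in triage(recs):
        print(finding)
    for msg in msgs:
        print("REVIEW:", msg)
```

On the constructed sample, the three privilege findings (the Guest account re-enabled, Guest joining Administrators, and Administrators gaining a member) sort ahead of the ownership change on c:\data files\info and the content change of letter.doc, and the privilege warning is returned separately so that it is not lost among the change records.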
Chapter 3
Securing your NT Server and Workstation is the first and principal step in preventing an intrusion or unauthorized modification of your system. There are many books and guides which give adequate advice on ways of accomplishing this. For those who may not yet have access to these resources, the 6 most common security tasks which you should perform in NT are outlined here.
1) Install all security packs and patches
2) Use NTFS on all your drives. This will give you greater performance, flexibility and security. NTFS is the only file system which will give you the ability to grant or restrict access to files and directories on your system.
3) Don’t use an account with administrative privileges for everyday work. Although inconvenient, this will prevent you from accidentally executing rogue or Trojan horse programs with disastrous results.
4) Disable the “Guest” account.
5) Enable auditing on important files, directories and system events. This will help you determine when unauthorized changes may have occurred.
6) Run Intact on your Windows NT computers.
Very often, Intact will be executed regularly as part of an ongoing backup, recovery and security monitoring system. This section focuses on the command line interface, since use of the GUI has already been covered.
The Control Panel and the Intact service have their own scheduling mechanism. See the section “Control Panel” for information about scheduling. Using this interface is the preferred method for scheduling execution.
The Windows NT “at” command can be used to schedule the execution of programs without user interaction. You may use this option if you have special requirements not covered by the Control Panel.
Programs scheduled with the “at” command will execute with SYSTEM privileges which will permit Intact to store the encrypted user and group information which not even Administrator can access.
To start up a command window as "SYSTEM", enter the following command, substituting for 15:30 a time in the future when you want the window to come up:
at 15:30 /interactive cmd.exe /k
You may run intact.exe with any arguments instead of cmd.exe. To schedule the program to run every day at 4:30 a.m. you may use:
at 4:30 /every:m,t,w,th,f,s,su intact.exe -check intact.icf intact.idb
If a sophisticated hacker can change your system, then he can alter the database to match his changes. It is therefore important to secure the database. The first thing to consider is that the database should also include the configuration file (as an object) so that it can verify itself for possible misconfigurations.
Only hardware write-protection can always prevent someone from altering the database or spoofing the results. Most floppy disks have a tab which can be switched to prevent the hardware from writing to the media. Removable hard disks also have this feature.
If your disk does not have this feature, you may wish to remove the disk from the computer. Another alternative is to store the database on tape and copy it over to the hard drive every time you wish to run a check. If the hacker has tampered with the intact.exe executable or with the restore/backup program, then these options may not help you. Write-protected media is the only way to be sure that your database is clean.
Intact Enterprise uses the security features of its back-end RDBMS to keep the detection database and client configurations secure. Access control within the RDBMS prevents an attacker from removing or tampering with detection database records and configuration parameters; it is maintained by the central management console. The exact permissions depend on the execution mode scheduled to run.
The access rights enforced by the central console for each of the Intact operating modes are listed below:
Check-mode:
· Select access to the detection table.
· Update on the statusid and status columns of the configuration table.
· Select access to the configuration table.
· Insert on the output/log table.
Build-mode:
· Select, insert, update and delete access to the detection table.
· Update on the statusid and status columns of the configuration table.
· Select access to the configuration table.
· Insert on the output/log table.
Self-identification Auto-mode:
· Select, insert, update and delete access to the detection table.
· Update on the statusid and status columns of the configuration table.
· Select access to the configuration table.
· Insert on the output/log table.
Table 12: Database access rights
Some of the operations an Intact Enterprise client will perform against the relational database:
· Reading detection database records.
· Inserting log entries in the output/log table.
· Inserting status ids and messages for interaction with the central management console.
By using the “#if” command and built-in variables, you can maintain multiple configurations in a single configuration file. This vastly simplifies the distribution and maintenance of integrity checking on several computers. The system is flexible enough to allow for fine tuning of differences among systems. For example, your configuration file could contain lines for all standard directories and then some specifics for servers or other specialized machines.
c:\winnt $(A)
"c:\program files" $(A)
#if $(COMPUTERNAME)=="WWWSR1"
"c:\web data" $(A)
#endif
Figure 15: Multiple configurations sample
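The flag arithmetic described in Chapter 2 (“tcmpgz-zg” is “tcmp”, “Mfa+r-a” is “Mfr”), the sample configuration files of Figures 6 and 7, and the “#if” conditionals of Figure 15 can all be exercised with the small parser below. It is an added example, not Intact’s own parser, and everything it assumes is labelled: the values given for $(A), $(RA), $(LOG), $(UA), $(GA), $(SystemRoot), $(TEMP) and $(COMPUTERNAME) are stand-ins (the real defaults are in Table 3), the list of registry hive names used to tell registry lines from file lines is an assumption, and the sample configuration text is constructed from the syntax shown in Figures 7 and 15.

```python
# Constructed parser for Intact-style configuration files; not Pedestal's code.
# Handles ';' comments, $(VAR) expansion, #if/#else/#endif with '==', the
# '==' / '=' / '!!' object prefixes, NTUSER:/NTGROUP: objects and '+'/'-' flag
# arithmetic.  Every variable value is a stand-in: Table 3 of the manual holds
# the real defaults of $(A), $(RA), $(LOG), $(UA) and $(GA).
import re

VAR_RE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")
TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')    # quote-aware words
HIVES = ("hklm", "hkcu", "hkcr", "hku", "hkcc")  # assumed registry root names

VARIABLES = {                        # constructed values
    "SystemRoot": r"C:\WINNT", "TEMP": r"C:\TEMP", "COMPUTERNAME": "WWWSR1",
    "A": "tcamvsniogpz2",            # Table 8 file flags plus SHA1 digest
    "RA": "CKmogpz2",                # Table 7 registry flags plus SHA1 digest
    "LOG": "togpz",                  # growing logs: no size, time or digest
    "UA": "nCfMLbx", "GA": "ncgm",
}

SAMPLE_CONFIG = r"""
; constructed sample in the syntax of Figures 7 and 15
NTGROUP:"domain guests" $(GA)
==$(TEMP) $(LOG)                  ; just temp alone
$(SystemRoot)\system32 $(A)
=$(SystemRoot)\system32\ras $(A)  ; skip files in ras, not subdirs
!!$(SystemRoot)\system32\os2      ; skip os2 and everything under it
#if $(COMPUTERNAME)=="WWWSR1"
"c:\web data" $(A)
#endif
hklm\Software $(RA)
#if $(FULLNAME) == "NT AUTHORITY\SYSTEM"
hklm\sam $(RA)
hklm\hardware $(RA)-m12
#else
hklm\hardware $(RA)-m
#endif
"""

def resolve_flags(spec):
    """'tcmpgz-zg' -> 'tcmp', 'Mfa+r-a' -> 'Mfr': order kept, duplicates dropped."""
    flags, adding = [], True
    for ch in spec:
        if ch in "+-":
            adding = ch == "+"
        elif adding and ch not in flags:
            flags.append(ch)
        elif not adding and ch in flags:
            flags.remove(ch)
    return "".join(flags)

def expand(text, variables):
    """Replace each $(NAME); an undefined name raises KeyError."""
    return VAR_RE.sub(lambda m: variables[m.group(1)], text)

def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            return line[:i]
    return line

def classify(obj):
    """Split an object token into (type, prefix, name)."""
    prefix = next((p for p in ("==", "!!", "=") if obj.startswith(p)), "")
    obj = obj[len(prefix):]
    for kind in ("NTUSER:", "NTGROUP:"):
        if obj.upper().startswith(kind):
            return kind[:-1], prefix, obj[len(kind):]
    if obj.lower().split("\\", 1)[0] in HIVES:
        return "REGISTRY", prefix, obj
    return "FILE", prefix, obj

def parse_config(text, variables):
    """Return the entries that are active under `variables`, in file order."""
    entries, active = [], [True]           # active: one flag per #if level
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("#if"):
            lhs, _, rhs = expand(line[3:], variables).partition("==")
            active.append(lhs.strip().strip('"') == rhs.strip().strip('"'))
        elif line == "#else":
            active[-1] = not active[-1]
        elif line == "#endif":
            active.pop()
        elif all(active):
            toks = [expand(t, variables).replace('"', "") for t in TOKEN_RE.findall(line)]
            kind, prefix, name = classify(toks[0])
            entries.append({"type": kind, "prefix": prefix, "name": name,
                            "flags": resolve_flags("".join(toks[1:]))})
    return entries

def parse_sample(fullname):
    """Parse SAMPLE_CONFIG as the named account (Intact sets $(FULLNAME) itself)."""
    return parse_config(SAMPLE_CONFIG, dict(VARIABLES, FULLNAME=fullname))
```

Running parse_sample with $(FULLNAME) set to “NT AUTHORITY\SYSTEM” yields nine entries, including hklm\sam and an hklm\hardware entry whose flags are “CKogpz” after the “-m12” arithmetic; any other account gets only the “#else” branch, so hklm\sam is absent and the hardware key keeps its SHA1 digest flag. Tokens are split before variables are expanded, so a variable whose value contains spaces still forms a single object name.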
The root directory of any drive such as “C:\” does not contain as much detectable information as other directories. For example, the last modified time is not accessible. Therefore, some checks will not be performed on root directories.
If a file is opened by an application while Intact is executing, it may be locked and Intact will not be able to retrieve the information for flags “1”, “2”, “i”, and “v”, which represent the signature, the file index and the volume serial number.
There is no way around this except to manually terminate all running programs. By permanently locking a file, a hacker could prevent Intact from acknowledging that the file has been modified. However, Intact will issue a warning whenever it encounters a locking or sharing violation. These warnings should be examined carefully.
It is important to run intact.exe often in order to quickly detect clandestine changes. However, running the program too often can hog precious resources. A good strategy is to run the check once a day during a quiet period. This will also help to avoid file locks.
You will have to balance the performance impact and the risks according to your needs to keep your information secure. There is a linear relationship between performance and the number of objects you are checking or storing: more files and registry keys mean longer running times and a larger database. On the other hand, the less frequently you run Intact, the greater the time window for changes to go undetected.
The database should be rebuilt whenever changes are performed on the system. It is also important to keep your list of directories to check up to date. Systems may add and remove directories which are not checked by intact.exe because they are not included in your configuration file. Often, it is undesirable to check all your system when the security requirements are limited. Therefore, the administrator should periodically verify that the list of objects included in the configuration file is comprehensive enough to meet the security requirements.
The database can be rebuilt in the same way it was built. You may not want to overwrite your original file until you have verified the new database, for example by running a check against the system to see whether any changes are reported.
ren a:\web1.idb a:\web1.old.idb
intact -build web1.icf a:\web1.idb
intact -check web1.icf a:\web1.idb
Chapter 4
The database is a sequence of items representing individual system objects. The contents of the database are compressed, but not encrypted. You may choose to encrypt the database using your own encryption application, but it is not clear that such encryption makes the database or system any more secure.
The contents of files are not stored in the database. A file signature is stored (see Data signatures below). This means that you cannot directly know what part of a file may have changed by examining the database. It is therefore very important to create regular backups of the data in all files.
For file permissions and auditing, the following is stored:
· Creation date and time
· Last modification date and time
· List of users and groups in the ACL (Access Control List)
· Each user’s or group’s permissions
· Each user’s or group’s auditing parameters
The values of keys are not stored. One data signature is stored for every 5 registry values. This greatly reduces disk space requirements and run-time. However, because of this, the administrator can only know that one of a number of values may have changed. It is therefore important to create regular backups of the registry, either by using the standard backup procedure which backs up your files, or with any third-party registry dumping utility, so that a careful comparison can be made.
For registry permissions and auditing, the following is stored:
· Creation date and time
· Last modification date and time
· List of users and groups in the ACL (Access Control List)
· Each user’s or group’s permissions
· Each user’s or group’s auditing parameters
All user settings will be stored with the exception of the password which is not available. Intact cannot detect changes in the password.
Group memberships can be detected at the group level by detecting changes in the membership list or at the user level by detecting changes in group memberships.
All device information is stored in the registry, including hardware addresses, port numbers, interrupt information, etc. NT automatically generates the hardware configuration profile upon startup as it detects installed hardware, so Intact should be able to detect any changes, even the move of a board from one slot to another on some motherboards.
Intact does not store the contents of files and registry values in the database. Instead it stores a set of data signatures. These signatures are a very good representation of the data being considered. Intact supports two algorithms to generate a unique signature for each file or set of registry values: SHA1[6] and MD5[7]. Any change in the data results in a change in either signature.
SHA is the Secure Hash Algorithm published by the US Government’s National Institute of Standards and Technology (NIST) as Federal Information Processing Standards Publication (FIPS PUB) 180, Secure Hash Standard (SHS). This is the preferred hashing algorithm. Intact uses this algorithm when you specify the $(A) or $(RA) flags (to switch to a different algorithm such as MD5, specify “$(A)-2+1”).
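To see what the two algorithms produce and what the one-signature-per-five-registry-values rule described under registry information means for an administrator, here is an added example in Python; it is not Pedestal’s code. It prints digests in the notation of Intact’s reports, then hashes a constructed 12-value registry key in groups of five, alters one value, and reports which group no longer matches. The order in which values are taken and the byte framing of names and data before hashing are assumptions; the manual does not specify how Intact does this.

```python
# Added example, not Pedestal's code: Intact's two digest algorithms in the
# notation of its reports, and the consequence of storing one signature per
# group of five registry values.  Ordering values by name and the framing of
# name/data bytes before hashing are assumptions, not Intact's documented method.
import hashlib

def intact_digest(data, algorithm="sha1"):
    """Digest of `data` as Intact prints it, e.g. '(MD5: 9A 02 17 ...)'."""
    raw = hashlib.new(algorithm, data).digest()
    return "(%s: %s)" % (algorithm.upper(), " ".join("%02X" % b for b in raw))

def registry_group_digests(values, group_size=5, algorithm="sha1"):
    """One digest per `group_size` values (the manual's 5), taken in name order."""
    items = sorted(values.items())           # assumption: deterministic by name
    groups = []
    for i in range(0, len(items), group_size):
        chunk = items[i:i + group_size]
        h = hashlib.new(algorithm)
        for name, data in chunk:             # assumed framing: name, NUL, data, NUL
            h.update(name.encode("utf-16-le") + b"\0\0" + data + b"\0")
        groups.append((tuple(n for n, _ in chunk), h.hexdigest()))
    return groups

def changed_groups(baseline, current):
    """Names of the value groups whose stored digest no longer matches."""
    return [names for (names, old), (_, new) in zip(baseline, current) if old != new]

def demo():
    """Constructed key with 12 values; Value07 (in the second group) is altered."""
    before = {"Value%02d" % i: b"data-%d" % i for i in range(12)}
    after = dict(before, Value07=b"tampered")
    return changed_groups(registry_group_digests(before), registry_group_digests(after))

if __name__ == "__main__":
    print(intact_digest(b"abc", "md5"))
    print(intact_digest(b"abc"))
    for names in demo():
        print("one of these values changed:", ", ".join(names))
```

The result of demo() names all five values of the second group, not Value07 alone: that is exactly the limitation the manual describes, and the reason it recommends keeping registry backups so that the actual value can be found by comparison.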
There are many other signature algorithms which could be used. Future versions of this software may add support for different algorithms, enabling you to select the algorithm or algorithms you or your organization finds the most appropriate.
Copyright © 1998, 1999 by Pedestal Software. Windows NT is a registered trademark of Microsoft Corp. Intact is a trademark of Pedestal Software. All other trademarks are trademarks of their respective companies.
[1] By file signatures we mean only a unique large number which represents the contents of the file.
[2] The scheduling mechanism is similar to “cron” which is widely used in Unix systems.
[3] The word “objects” from this point forward will refer to files, directories and registry keys.
[4] MD5 is the RSA Data Security, Inc. MD5 Message Digest Algorithm.
[5] Must be the first parameter if specified.
[6] Intact uses SHI’s implementation of SHA1 which is available for public use.
[7] MD5 is the RSA Data Security, Inc. MD5 Message Digest Algorithm. The code is available for public use.