Exercise 6: Auditing Your System

Description

After a system has been secured and all unnecessary files have been deleted, the system is in a hardened state. Before it is put into production, one last thing needs to be done. The final step is to baseline it so that changes that might be indicative of a successful intrusion can be detected. Many tools are available for this purpose, but running them can be a time-consuming task. However, with the use of scripting and scheduling tools, effective baselines can be established and used for auditing your systems.

The system logs are an invaluable source of information about activity on your systems, but they can produce an overwhelming amount of data, and there is no standard mechanism for consolidating the logs of several systems. Tools such as dumpel, however, can dump the contents of the logs to files that can be consolidated into a database of events.

Objective

The objective of this exercise is to introduce you to simple tools that can be used to create powerful baseline and auditing methods for your systems.

Requirements

Challenge Procedure

The following are the steps that you will perform for this exercise:

  1. Analyze log files.
  2. Baseline open ports.
  3. Baseline running services.
  4. Schedule baseline audits.

Challenge Procedure Step-by-Step

The following are the detailed steps that you will perform for this exercise:

  1. Analyze log files. To do this, first download and install dumpel. Download dumpel from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp. Next, install dumpel. Then, open a command prompt and navigate to the directory in which you installed dumpel.

  2. Dump the system log by executing the following command:

    dumpel -f event.out -l system -t

    Finally, start Microsoft Excel and open the output file. The Convert Text to Columns Wizard should start automatically. If not, select Data, Text to Columns.

    Figure 3.88

  3. In the wizard's first screen, click the Delimited radio button; then click Next.

    Figure 3.89

  4. In the wizard's second screen, click the Tab check box; then click Finish.

    Figure 3.90

  5. Sort the data by date and time in descending order by selecting Data, Sort.

    Figure 3.91

    Next, click OK to bring up the spreadsheet.

    Figure 3.92

  6. To apply a filter to view only failed logins (Event ID 7013), select Data, Filter, AutoFilter.

    Figure 3.93

  7. Down arrow icons appear at the top of each column. Click the arrow icon for column E, scroll down, and select 7013. If it's not available, choose another event number.

    Figure 3.94

  8. The following screen shows the filtered output.

    Figure 3.95

  9. Now, you'll baseline open ports. Download and install Fport. Open a command prompt, and navigate to the directory where you installed Fport. Execute Fport and view its output.

    Figure 3.96

  10. Execute Fport and redirect its output to a file for future reference. This is done by typing the following:

    Fport > baseport.txt

    Figure 3.97

  11. Next, baseline the running services. To do this, open a command prompt and execute netsvc with the following parameters:

    Figure 3.98

  12. Execute netsvc and redirect its output to a file for future reference.

    Figure 3.99

  13. Next, you'll schedule baseline audits. With your favorite text editor, create the following bat file:

    Figure 3.100

  14. Type baseline at a command prompt to test the bat file. Type the following command to review baseline's output:

    Figure 3.101

  15. Open the Windows Scheduler by clicking the icon under Windows.

    Figure 3.102

  16. The Scheduled Task Wizard starts. Click Next.

    Figure 3.103

  17. In the program selection screen, click Browse.

    Figure 3.104

  18. In the Select Program to Schedule screen, navigate to the directory where you created the baseline.bat file, and then click Open.

    Figure 3.105

  19. Enter a name for the task and click the Daily radio button.

    Figure 3.106

  20. In the Start Time field, enter the time the baseline should run at; then click Next.

    Figure 3.107

  21. Enter the username and password that should be used to run the baseline operation; then click Next.

    Figure 3.108

  22. Click Finish to schedule the task.

    Figure 3.109
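As an added example (not from the book, dumpel, Fport or netsvc), the following Python script automates what the log-filtering and baseline-comparison steps above do by hand in Excel and by eye: it filters a dumpel tab-delimited dump by event ID and reports what has appeared in or vanished from a saved Fport or netsvc capture. The dump lines and port listings are constructed samples, and the field order (event ID in the fifth column, the exercise's column E) is an assumption about dumpel -t output.

```python
"""Filter a dumpel -t dump by event ID and compare a saved baseline with a new capture."""
import csv
import io

# Constructed sample of dumpel -t output. Assumed field order:
# date, time, type, category, event ID, source, computer, description.
SAMPLE_DUMP = "\n".join([
    "3/14/2002\t8:01:15 AM\t1\t0\t7013\tService Control Manager\tWEB01\tLogon attempt with current password failed.",
    "3/14/2002\t8:02:00 AM\t4\t0\t6005\tEventLog\tWEB01\tThe Event log service was started.",
    "3/14/2002\t8:05:42 AM\t1\t0\t7013\tService Control Manager\tWEB01\tLogon attempt with current password failed.",
])


def filter_events(dump_text, event_id):
    """Return the rows whose fifth column (column E in the exercise) equals event_id."""
    rows = []
    for fields in csv.reader(io.StringIO(dump_text), delimiter="\t"):
        if len(fields) >= 5 and fields[4] == str(event_id):
            rows.append(fields)
    return rows


# Constructed stand-ins for baseport.txt and a later Fport run on the same host.
BASELINE_PORTS = """Pid   Process           Port  Proto Path
4     System        ->  139   TCP
380   svchost       ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
"""
CURRENT_PORTS = """Pid   Process           Port  Proto Path
4     System        ->  139   TCP
380   svchost       ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
1204  unknown       ->  4444  TCP   C:\\TEMP\\unknown.exe
"""


def diff_baseline(baseline_text, current_text):
    """Return (new_lines, missing_lines): listeners or services added since the baseline,
    and baseline entries that are no longer present. Either change deserves a look."""
    baseline = set(baseline_text.splitlines())
    current = set(current_text.splitlines())
    return sorted(current - baseline), sorted(baseline - current)


if __name__ == "__main__":
    for row in filter_events(SAMPLE_DUMP, 7013):
        print("failed logon:", row[0], row[1], row[5], row[7])
    added, removed = diff_baseline(BASELINE_PORTS, CURRENT_PORTS)
    for line in added:
        print("NEW since baseline:", line)
    for line in removed:
        print("MISSING from baseline:", line)
```

In practice the same script would read event.out and the saved baseport.txt from disk and could itself be the command the scheduled batch file runs.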

Additional Reading

Livingston, Gene. "How to Develop Your Company's First Security Baseline Standard," SANS Institute, http://www.sans.org/infosecFAQ/policy/baseline.htm.

Montcrief, George. "Scripting as a Method of Establishing a Reliable Baseline Posture," SANS Institute, http://www.sans.org/infosecFAQ/start/scripting.htm.

Summary

Before a hardened system is put into production, a baseline of the system should be taken for future audit purposes. Simple tools can then be scripted to easily monitor the system for unexpected changes.

Additionally, it is vital to review logs to detect attempts to compromise a system before a breach actually occurs. Since neither Windows NT nor Windows 2000 has a standard mechanism to consolidate log files, and both are capable of generating vast amounts of data, tools such as dumpel export the log data in a form that can be imported into a database for easier manipulation.
