Symantec Critical System Protection Detection Policy Reference Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version: 5.2.9
Legal Notice
Copyright © 2012 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]
Contents
Technical Support  4
Chapter 1  Detection policy overview  11
  About the detection policies  11
  About rulesets and rules  12
  About policy options  14
  About monitored files  14
  About date and time restrictions  15
  Using the management console to learn more about policy options  15
  Viewing the policy option settings  16
Chapter 2  Windows detection policy reference  17
  About the Windows detection policies  17
  List of policies  18
    CSP_Agent_Diagnostics  18
    CSP_Agent_Status  21
    CSP_Server_Monitor  21
    Global_Watch_Policy  21
    Windows_Template_Policy  24
    Kill_Prevention_PSET  25
    Creating custom rules  26
  Host Intrusion Detection policies enhancements  40
Chapter 3  UNIX detection policy reference  45
  About the UNIX detection policies  45
  List of policies  46
    UNIX_CSP_Agent_Diagnostics  46
    UNIX_CSP_Agent_Status  46
    UNIX_Template_Policy  47
Chapter 4  Policy examples  51
  About Policy examples  51
  Forcing rollover of the agent event log file  51
  Creating a filewatch rule  52
Chapter 5  Windows Baseline Detection policy  55
  Introduction  55
  File monitoring improvements  58
  Windows-specific policy improvements  59
  About rule options  60
Chapter 6  Policy options  63
  System User and Group Change Monitor  63
    System User Configuration Changes  63
    System Group Changes  75
  System Active Directory Change Monitor  82
    Active Directory Domain Trust Configuration  83
    Active Directory FSMO Changes  84
    Authentication and Encryption Configuration  86
  System Login Activity and Access Monitor  93
    System Login Success Monitor  93
    System Logoff Monitor  98
    System Failed Login Monitor  100
  System Hardening Monitor  108
    System Autorun Configuration  108
    Network Comm Configuration  111
    System File Protection Status  112
    System Security Configuration  115
    System StartStop Options  131
    System Audit Tampering  134
    System Hardening User Interactive  138
  System File and Directory Monitor  141
    System File Shares Configuration Monitor  141
    System FileWatch Monitor  142
  System Registry Monitor  156
    System Registry Monitor - AutoStart Keys  156
  System Symantec Software Monitor  160
    Symantec AntiVirus Client Communication  161
    Symantec Endpoint Protection Client Communication  166
  System External Device Activity  172
    USB Device Activity  172
    CD/DVD Burning Activity  172
    USB Device Activity  174
  System Attack Detection  174
    Generic Web Attack Detection Monitoring  175
Chapter 7  UNIX Baseline Detection policy  181
  Introduction  181
  File monitoring improvements  184
  Advanced per-rule tuning improvements  185
  Console changes  185
  Unicode Log Monitoring for UNIX  186
  How wildcard characters and recursion levels work in IDS file monitoring  187
Chapter 8  Policy options  189
  System User and Group Change Monitor  189
    Global User and Group Change Monitor Settings  189
    System User Configuration Changes  190
    System Group Configuration Changes  196
    Privileged User and Group Configuration Activity  198
  System Login Activity and Access Monitor  200
    System Login Success Monitor  200
    System Logoff Monitor  205
    System Failed Login Monitor  208
  System Privileged Command and Bash History Monitor  219
    Sudo Monitoring Options  219
    User Command History Options  221
    Superuser (Root Level) Command History Options  222
  System Hardening Monitor  223
  System File and Directory Monitor  225
    System FileWatch Monitor  225
  System Symantec Software Monitor  239
  System External Device Activity Monitor  243
  System Attack Detection  244
    Generic Web Attack Detection Options  246
    UNIX Rootkit File / Directory Detection  249
    UNIX Worm File / Directory Detection  270
    Malicious Module Detection  273
    Suspicious Permission Change Detection  274
Appendix A  Parameter reference syntax  277
  Parameter reference syntax overview  277
  Simple policy parameter  278
  Compound policy parameter  278
    Process List  279
    Process List without Arguments  280
    Resource List  280
    Network List with Processes  281
    Network List  281
    Date/Time Value  282
  Operating system environment variable  282
  Windows registry value  282
  Agent translator function  283
Appendix B  Translator function reference  285
  Generic functions  285
    %?LocalIPs()?%  285
    %?LocalIPAddresses()?%  286
    %?AgentParams(<param name>)?%  286
    %?SplitPath(<path>)?%  286
    %?ImportFileList(<filepath>)?%  286
Index  289
Detection policy overview
This chapter includes the following topics:
■ About the detection policies
■ About rulesets and rules
■ About policy options
■ About monitored files
■ About date and time restrictions
■ Using the management console to learn more about policy options
■ Viewing the policy option settings
About the detection policies
Symantec™ Critical System Protection includes detection policies for computers that run the following operating systems:
■ Microsoft® Windows®
■ IBM® AIX®
■ Sun™ Solaris™
■ Red Hat® Enterprise Linux
■ SUSE® Linux Enterprise
■ Hewlett-Packard® HP-UX®
■ Hewlett-Packard Tru64 UNIX®
A detection policy is a collection of rules that are configured to detect specific events and take action. Detection policies define which system events or user-defined criteria are selected, which criteria are ignored, and what actions are performed after select and ignore criteria are met.
The Symantec Critical System Protection detection policies monitor events and syslogs, and report anomalous behavior. Features include sophisticated policy-based auditing and monitoring; log consolidation for easy search, archival, and retrieval; advanced event analysis and response capabilities; and file and registry protection and monitoring.
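The select, ignore and action model described above can be seen end to end in a small simulation. The Python below is an added example and is not code from the Symantec guide or the agent: a text-log style collector parses constructed log lines with a regular-expression text pattern (the product's own pattern syntax is not reproduced), and each rule carries select criteria, optional ignore criteria and an action. An event triggers the action only when every select field matches and the ignore criteria do not. The rule names, field names, pattern and sample log lines are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, standing in for a user-specified text log on the agent.
SAMPLE_LOG = """\
2012-03-01 10:15:02 sshd[1204]: Accepted password for alice from 10.0.0.5 port 51122 ssh2
2012-03-01 10:15:40 sshd[1210]: Failed password for root from 10.0.0.9 port 40011 ssh2
2012-03-01 10:16:01 sshd[1211]: Failed password for root from 10.0.0.9 port 40012 ssh2
2012-03-01 10:16:30 sshd[1215]: Accepted publickey for backup from 10.0.0.2 port 3300 ssh2
"""

# Hypothetical text pattern: it decides how a log line is split into named fields.
LINE_PATTERN = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def collect(log_text):
    """Collector step: turn raw lines into event dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_PATTERN.match(line)
        if m:
            events.append(m.groupdict())
    return events


@dataclass
class Rule:
    name: str
    select: dict                                 # all of these fields must match
    ignore: dict = field(default_factory=dict)   # if all of these match, drop the event
    action: str = "log"                          # taken when selected and not ignored
    enabled: bool = True


def _matches(criteria, event):
    return all(event.get(k) == v for k, v in criteria.items())


def evaluate(rules, events):
    """Return (rule name, action, event) for every event a rule selects and does not ignore."""
    hits = []
    for ev in events:
        for rule in rules:
            if not rule.enabled:
                continue
            if _matches(rule.select, ev) and not (rule.ignore and _matches(rule.ignore, ev)):
                hits.append((rule.name, rule.action, ev))
                break  # first matching rule wins (an assumption of this example)
    return hits


# Constructed ruleset: alert on failed root logins, log other successful logins,
# but ignore the scheduled backup account coming from its known host.
RULES = [
    Rule("root_login_failure", select={"outcome": "Failed", "user": "root"}, action="alert"),
    Rule("login_success", select={"outcome": "Accepted"},
         ignore={"user": "backup", "src": "10.0.0.2"}, action="log"),
]


def run_policy(log_text=SAMPLE_LOG, rules=RULES):
    return evaluate(rules, collect(log_text))


if __name__ == "__main__":
    for name, action, ev in run_policy():
        print(f"{action.upper():5} {name}: user={ev['user']} src={ev['src']} at {ev['ts']}")
```

Running the block yields three hits: one logged success for alice and two alerts for the failed root logins; the backup account's login is selected by the second rule but then discarded by its ignore criteria, which is the behaviour the select/ignore split exists to express.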
About rulesets and rules
Every Symantec Critical System Protection detection policy contains exactly one ruleset, and each ruleset contains one or more rules. Each rule is grouped by type.
The rule types are as follows:
■ NT event log
■ Filewatch
■ Prevention watch
■ Text log
■ Generic
■ C2 log
■ Syslog
■ UNIX activity log
Rule types are associated with collectors that gather data from a host system. The collectors format data from events, system logs, application logs, file systems, the Windows registry, and other sources. The collectors compare events with rules to determine matches.
The detection policies use the following collectors:
Event log
Looks for matches in the Windows event log files. The event log files are the Microsoft standard format .evt files. In standard installations, three event log files exist: Security, System, and Application.
The filtered events appear in the Evt_filter.ini file on the agent computer.

Text log
Looks for matches in user-specified text logs. You can specify the path to a log file, and a text pattern that determines how data from the log file is parsed and recorded.

Registry
Watches changes to user-specified registry keys. You can watch changes to key/value, operations (created, modified, deleted), operation results (success, failure, either), and process.
The key/value string supports wildcard characters. Multiple key/value strings are allowed in a rule. The filtered keys appear in the Registry.ini file on the agent computer.
You can watch all operations or none (meaning any activity). You can filter the result of the operation. The process can be specified only once in the rule.

File
Determines how agents monitor files. Intruders often attempt to replace critical system files with Trojan horse versions, or alter system files to create a back door for future intrusions. The file collector detects changes to these system critical files.
The file collector is associated with the filewatch rule type, which logs activity to files and directories. You can specify the file/directory to watch, the file operation, and the protection settings.

Syslog
Watches for syslog daemon tampering on UNIX operating systems. The syslogd daemon must run for the syslog collector to work. Normally, syslogd runs at all times on a secured UNIX system. Upon initialization, the syslog collector checks that syslogd is running and starts it if it is not running.
Subsequently, if syslogd is killed while an agent is running, an error event is generated and matched against a suitable Syslogd Tampering policy. No attempts are made to restart syslogd.
The syslog collector monitors and parses the following named pipe:
/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe
This pipe is specified in /etc/syslog.conf.

C2 log
Looks for matches in the C2 audit logs on agent computers that run Solaris, HP-UX, and AIX operating systems.

WTMP
Looks for matches in the WTMP file on UNIX operating systems (and BTMP file on some operating systems). This file collects user authentication and account information. You can specify text patterns to parse.
The WTMP file captures successful login events. The WTMP file that is watched varies, depending on the operating system. All UNIX operating systems at one point used the WTMP format, but many now use the newer WTMPX format. On some systems, this filename may be WTMP, WTMPX, or WTMPS, even though the format internally is WTMPX.
BTMP/BTMPS (HP-UX only) is read to capture failed login attempts. If the WTMP or BTMP file does not exist when the agent is started, an error is reported, and events are not captured. If the file is created while the agent is running, the agent captures the events without a restart. Also, on HP-UX, the collector watches WTMP, WTMPS, BTMP, and BTMPS for events.

Generic
Looks for matches from all collectors, as well as internal agent status and error messages including Symantec Critical System Protection agents. The status and error messages are specified in status and error rule types.

Error
Looks for matches in Symantec Critical System Protection agent error messages. You can specify text patterns to parse.

Status
The status collector looks for matches in Symantec Critical System Protection agent status messages. You can specify text patterns to parse.
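The WTMP collector entry above says that the agent reads binary login records and that the file layout varies by platform. To make concrete what "a successful login event" looks like at the byte level, the Python below is an added example and is not the Symantec agent's decoder: it parses the glibc utmp/wtmp record layout used on x86-64 Linux (an assumption of the example; Solaris, HP-UX and AIX WTMPX layouts differ and would need their own struct definitions), builds a constructed four-record file inline, and returns the USER_PROCESS records whose user name matches a text pattern. The ut_type constants follow <utmp.h>; the record contents, hosts and times are constructed for the illustration.

```python
import re
import struct
from datetime import datetime, timezone

# glibc utmp/wtmp record on x86-64 Linux: 384 bytes, little-endian, 2 bytes of padding
# after ut_type. Assumption of this example; other UNIX WTMPX layouts differ.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP_STRUCT.size == 384

# ut_type values from <utmp.h>
BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width text field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    usable = len(data) - len(data) % UTMP_STRUCT.size
    for off in range(0, usable, UTMP_STRUCT.size):
        (ut_type, pid, line, ut_id, user, host, _term, _exit,
         _session, tv_sec, _tv_usec, *_addr) = UTMP_STRUCT.unpack_from(data, off)
        yield {
            "type": ut_type, "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
            "user": _cstr(user), "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        }


def successful_logins(data, user_pattern=r".*"):
    """USER_PROCESS records are successful logins; filter them by a text pattern on the user."""
    rx = re.compile(user_pattern)
    return [r for r in parse_wtmp(data)
            if r["type"] == USER_PROCESS and rx.fullmatch(r["user"])]


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    """Build a constructed record for the sample file (not captured from a real system)."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample file: a boot marker, logins for alice and root, and alice's logout.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "", 1330596000),
    make_record(USER_PROCESS, 1204, "pts/0", "ts/0", "alice", "10.0.0.5", 1330596902),
    make_record(USER_PROCESS, 1300, "pts/1", "ts/1", "root", "10.0.0.9", 1330597000),
    make_record(DEAD_PROCESS, 1204, "pts/0", "ts/0", "", "", 1330597400),
])

if __name__ == "__main__":
    for r in successful_logins(SAMPLE_WTMP):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} login user={r['user']} "
              f"tty={r['line']} from={r['host']}")
```

Two details matter for a collector built this way: the file is read in whole-record strides so a record still being written by login(1) is skipped rather than misparsed, and the DEAD_PROCESS logout record shares the pid and tty of the login it closes, which is how a logoff monitor would pair the two.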
About policy options
You use policy options to configure a detection policy for assignment to a target computer. Policy options comprise a simplified set of controls that you can use to enable or disable features in a policy. Some options have associated parameters, which let you customize the behavior of an option.
About monitored files
Detection policies monitor files that are listed under the File Monitor Groups and File Path Groups policy options.
For example, the Windows Baseline Detection policy for Windows contains the following under Monitor System-Critical Files:
■ Monitor System-Critical Files
■ Dll Cache Files
■ Driver Cache Files
■ Security Database Files
■ Core System Files
To view the Monitor System-Critical Files in the Windows Baseline Detection policy
1 In the management console, click Policies.
2 Under the Policies tab, click Detection.
3 On the Policies page, in the Workspace tree, click the Symantec folder.
4 Double-click Windows_Baseline_Detection policy.
5 In the Policy Editor dialog box, select System File and Directory Monitor.
About date and time restrictions
Many of the Symantec Critical System Protection detection policies include rules for date restrictions. You use date restrictions to select or ignore events that occur within a specified time frame. Date restrictions are active when a rule is enabled, and inactive when a rule is disabled.
When enabling a date restriction rule, you must specify the following:
■ Start of time interval
■ Duration of time interval
■ Frequency of time interval
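The three settings listed above fully determine a recurring window, and the rule then either selects or ignores events that fall inside it. The Python below is an added example and is not the Symantec implementation: it models a restriction as (start, duration, frequency), decides whether an event timestamp falls into any recurrence of the window, and applies the window in select or ignore mode to constructed events. The class and function names and the sample events are assumptions of the example, as is the boundary convention that an event exactly at the end of a window is outside it.

```python
from datetime import datetime, timedelta


class DateRestriction:
    """A window that opens at `start`, stays open for `duration`, and reopens every
    `frequency`; frequency=None means the window occurs only once."""

    def __init__(self, start, duration, frequency=None):
        if duration <= timedelta(0):
            raise ValueError("duration must be positive")
        if frequency is not None and frequency <= timedelta(0):
            raise ValueError("frequency must be positive")
        self.start, self.duration, self.frequency = start, duration, frequency

    def contains(self, t):
        if t < self.start:
            return False                       # nothing before the first occurrence
        if self.frequency is None:
            return t < self.start + self.duration
        if self.duration >= self.frequency:
            return True                        # consecutive windows overlap: always open
        offset = (t - self.start) % self.frequency   # position inside the current period
        return offset < self.duration


def apply_restriction(restriction, mode, events):
    """mode='select' keeps only events inside the window; mode='ignore' drops them."""
    if mode not in ("select", "ignore"):
        raise ValueError(f"unknown mode {mode!r}")
    keep_inside = (mode == "select")
    return [ev for ev in events if restriction.contains(ev["time"]) == keep_inside]


# Constructed after-hours window: 18:00 to 06:00 the next morning, every day from 2012-03-01.
AFTER_HOURS = DateRestriction(datetime(2012, 3, 1, 18, 0),
                              timedelta(hours=12), timedelta(days=1))

# Constructed events with timestamps chosen around the window boundaries.
EVENTS = [
    {"time": datetime(2012, 3, 1, 17, 59), "msg": "logon alice"},       # one minute early
    {"time": datetime(2012, 3, 1, 23, 30), "msg": "logon svc_backup"},  # inside
    {"time": datetime(2012, 3, 2, 5, 59), "msg": "logon bob"},          # inside, near the end
    {"time": datetime(2012, 3, 2, 6, 0), "msg": "logon carol"},         # exactly at the end
    {"time": datetime(2012, 3, 4, 2, 0), "msg": "logon dave"},          # third recurrence
]

if __name__ == "__main__":
    for mode in ("select", "ignore"):
        kept = [ev["msg"] for ev in apply_restriction(AFTER_HOURS, mode, EVENTS)]
        print(f"{mode}: {kept}")
```

The modulo on the elapsed time is what makes the frequency setting work without enumerating every recurrence, and the explicit duration-versus-frequency check covers the misconfiguration where windows are longer than the gap between them, which would otherwise silently behave like "always".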
Using the management console to learn more about policy options
To learn more about a policy option, use the Symantec Critical System Protection management console in conjunction with this manual.
To use the management console to learn more about policy options
1 In the management console, on the Policies page, click Detection, and then edit a policy.
2 In the Policy Editor dialog box, select any options to know more about the policy options.
See the Symantec Critical System Protection Administration Guide for instructions on how to use the management console.
Viewing the policy option settings
You use the management console to view a summary of the policy option settings for the detection policies.
To view the policy option settings
1 In the management console, click Policies.
2 Under the Policies tab, click Detection.
3 On the Policies page, click the Symantec folder.
4 In the workspace pane, double-click a Symantec Critical System Protection detection policy.
5 In the policy dialog box, under Policy Changes and Summary, click Summary.
A summary of the policy options is shown in tree form. The tree includes only those options that are enabled (shown in bold text) and the parameters that have values.
Note: The Windows Baseline Detection policy does not support the SymIDS ISAPI filter anymore. Older detection policies required the SymIDS ISAPI filter to be installed and they monitored the filter's log file. The new Windows Baseline Detection policy monitors IIS log files directly and it does not require the SymIDS ISAPI filter to provide additional information.
Windows detection policy reference
This chapter includes the following topics:
■ About the Windows detection policies
■ List of policies
■ Host Intrusion Detection policies enhancements
About the Windows detection policies
Symantec Critical System Protection includes detection policies for computers that run supported Windows operating systems. Some policies require that you enable Windows features; these features may also require a configuration change. In this manual, when an enabled Windows feature is required, the policy description identifies the feature that you must enable.
For example, the System_User_Configuration policy detects changes made to user accounts. To enable this policy, you must enable the Windows Security Policy auditing system for user account management actions at the following location:
Settings > Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Audit Policy > Audit account management
In this manual, features that you must enable are marked with the word Configuration. The policy descriptions also indicate if other types of configuration changes are needed.
List of policies
This section describes the Symantec Critical System Protection Windows detection policies.
CSP_Agent_Diagnostics
This Windows detection policy includes options for the following:
■ Run the collect info script
■ Restart the IDS service
■ Restart the IPS service
■ Restart the UTIL service
■ Force log rollover of the agent event log file
■ Modify the management server list for an agent
■ Edit agent configuration files
By default, all the options in the policy are disabled. You must enable an option for the policy to work. The policy performs the enabled option immediately after being applied to the agent. After confirming that the policy performed the enabled option, you must clear the policy from the agent.
See “Enabling an option in the policy” on page 20.
The policy options are as follows:
Diagnostic functions
    Performs the following diagnostic functions on an agent computer:
    ■ Take no action
    ■ Run the collect info script
    ■ Restart the IDS Service
    ■ Restart the IPS Service
    ■ Restart the UTIL Service
    ■ Force log rollover
    You use the options to run diagnostic functions to troubleshoot problems with Symantec Critical System Protection. Generally, you will not enable these options unless instructed by Symantec Support.
    Default: Take no action
    The collect info script collects information about an agent. The agent automatically uploads the collect info output file to the management server. Log on to the management server to get the output file from the server directory:
    C:\Program Files\Symantec\Critical System Protection\Server\logfiles\<hostname>\<date>\
    The options to restart the IDS, IPS, and UTIL services restart these services on the agent computer.
    Forcing rollover (rotation) of the current agent event log file closes the current log file and opens a new log file.
    See the Symantec Critical System Protection Administration Guide for information on collect info and log file rotation.
Advanced agent settings: Modify the management server list used by the agent
    Updates the management server list for an agent. The management server list is used in conjunction with simple failover. You can use this option to change the primary and alternate servers in the list (for example, if an alternate server is unavailable).
    See the Symantec Critical System Protection Administration Guide for information on simple failover.
    Enable the option, and then specify the servers in a comma-separated list. You must specify the primary management server as the first server, followed by any optional alternate servers. Specify the IP address or fully qualified host name of each server in the list. All the servers in the list must use the same server certificate and agent port.
Advanced agent settings: Edit configuration file
    You use this option to edit agent configuration files.
    Note: Do not enable this option unless instructed by Symantec Support.
Enabling an option in the policy
The following instructions enable an option in the CSP_Agent_Diagnostics policy, apply the policy to an agent, and clear the policy from the agent.
Note: Instead of applying the CSP_Agent_Diagnostics policy directly to an agent, you can create a group and then apply the policy to the group. When you need to perform an enabled option in the policy, simply add the agent to the group. You must delete the agent from the group after the policy has performed the enabled option.
To enable an option in the policy
1 Log on to the management console as an administrator.
2 In the management console, on the Policies page, in the Symantec folder, edit the CSP_Agent_Diagnostics policy.
3 In the policy editor dialog box, under Policy Settings, click Diagnostic functions.
4 In the policy editor dialog box, check Select a function to run on the agent and click Edit.
5 In the Value list, select the option for a desired function.
For example, to run the collect info script, select Run the collect info script to enable the option.
6 Click OK.
7 Apply the policy to the agent.
The policy performs the enabled option immediately after being applied to the agent.
8 In the management console, on the Monitors tab, under Events, monitor the events to determine if the enabled option was performed.
For example, to determine if the collect info output file was uploaded to the management server, look for management events of type Agent Status. The event message contains the name of the collect info output file.
9 In the management console, on the Assets page, select the agent, and then right-click Clear Policy to clear the policy from the agent.
CSP_Agent_Status
This Windows detection policy detects changes to the Symantec Critical System Protection registry keys. The policy also detects if the SymIDSFilter.dll, which monitors Microsoft Internet Information Services (IIS) activity, fails to load.
The policy options are as follows:
CSP Registry Settings Modified
    Detects changes to the Symantec Critical System Protection registry keys.
SymIDSFilterLoadFailed
    Detects if the SymIDSFilter.dll, which monitors IIS activity, fails to load.
CSP_Server_Monitor
This Windows detection policy watches the CSP Server Tomcat logs and, if the built-in SQL Server 2005 Express database is used, the SQL Server 2005 Express DB logs. The policy sends error messages to the management console when a listed error occurs.
The policy options are as follows:
Failure to send email alert
    Detects that an error occurred while sending an alert email.
Evaluation database is full
    Detects that an SQL Server 2005 Express database instance used by an evaluation installation of Symantec Critical System Protection is full.
    Depending on which portion of the database is full, the management server may not be able to store and display this error.
Server startup
    Detects that management server servlets started.
Server shutdown
    Detects that management server servlets stopped.
Database cleanup started
    Detects that periodic database cleanup activities started.
Global_Watch_Policy
This Windows detection policy monitors alert text files. An alert text file is a user-specified text file that contains alert-captured events.
Administrators create alerts in the management console. Administrators use alerts to send email messages and SNMP traps when Symantec Critical System Protection observes specific events.
When creating an alert, administrators can set up an alert text file to save events of interest. The alert text file can contain text strings and event fields. The file is created when the alert captures an event; subsequent records are appended to the file.
You can use the policy to analyze alert-captured events. The policy includes rule options to define which records in the alert text file are selected and ignored, and how to extract event data.
The policy includes rule options to aggregate events, which can potentially originate from multiple agents. Events are aggregated based on event count, time interval, and optional field value.
When an event in an alert text file matches the criteria specified in the policy, the policy sends the event to the management console.
To use this policy effectively, you must understand how the alert text file is constructed, including the following:
■ Name and path of the alert text file
■ Record content
■ Record format (fields and field order)
See the Symantec Critical System Protection Administration Guide for information on alerts and alert files.
Alert text files reside on the Symantec Critical System Protection management server computer. The default alerts directory is as follows:
C:\Program Files\Symantec\Critical System Protection\Server\alerts\
You apply the Global_Watch_Policy to the Symantec Critical System Protection management server computer.
The policy rules are as follows:
File description
    Specify the alert text file to monitor.
    The rule options are as follows:
    ■ File path
      Specify the complete file path of the alert text file. Wildcard characters are not permitted in the file path. Use the percent sign (%) to delimit variables.
    ■ Parse definitions
      Select this check box to define the parse definitions in the alert text file, and then specify the parse pattern.
      Parse definitions define how to extract fields from the alert text file and assign the fields to variables. You format variables as {variable}.
      Example: *user_name={user_name},*
      This parse definition extracts user_name from the alert text file and assigns it to the variable {user_name}.
      Parse strings support wildcard characters. Type an asterisk (*) as the wildcard character for zero or more characters.
Event counting
    Select this check box to aggregate events.
    The rule options are as follows:
    ■ Number of occurrences during time interval
    ■ Time interval
    The policy records an event when the event count equals the specified number of occurrences, during the specified time interval.
    See also Grouped counting.
Event counting: Grouped counting
    Select this check box to count events in groups.
    Events are grouped based on a field value. For example, suppose the alert text file contains events from multiple agents, and each record contains the agent name. You can select the Grouped counting check box to group event counting based on agent name.
    When using grouped counting, use parse definitions to define the fields to extract from the alert text file.
    The rule options are as follows:
    ■ Count repetition of the same field value
      Select this check box to have the policy record an event based on the number of repetitions of the same field value, during the specified time interval.
      Example: You specify that the policy record an event if three records during a one-minute interval contain the same agent name.
    ■ Count number of different field values
      Select this check box to have the policy record an event based on the number of different field values, during the specified time interval.
      Example: You specify that the policy record an event if three records during a one-minute interval contain different agent names.
Matching criteria
    Select this check box to define which records in the alert text file the policy should select and ignore. The policy selects and ignores records based on text patterns.
    The rule options are as follows:
    ■ Patterns to match on
      Specify a list of text patterns to match. The policy selects a record if it contains a specified pattern.
    ■ Patterns to ignore
      Select this check box to have the policy ignore records that contain a specified text pattern. Specify the list of patterns to ignore.
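The parse definitions, matching criteria and grouped counting options above act together on the records of one alert text file. The following is an added example, written for this page and not Symantec's code, that re-implements that pipeline in Python: records are first filtered by the match and ignore patterns, then fields are extracted by a parse definition in the guide's `{variable}` and `*` syntax, and finally grouped counting fires an event when the same field value (or a given number of different values) recurs within the time interval. The alert records, field names, parse definition and thresholds are constructed for the example, and two details are my assumptions rather than the guide's statements: a variable captures up to the next comma, and a counting window is reset after it fires so one burst of records yields one event.

```python
"""Added example (not part of the Symantec guide): Global_Watch_Policy-style
analysis of an alert text file, with parse definitions, matching criteria
and grouped counting re-implemented in plain Python."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed alert text file (time, agent, rule, user per record); not a real CSP file.
ALERT_TEXT = """\
2012-03-01 10:00:05,agent=web01,rule=Login Failure,user_name=alice
2012-03-01 10:00:20,agent=web01,rule=Login Failure,user_name=alice
2012-03-01 10:00:40,agent=web01,rule=Login Failure,user_name=bob
2012-03-01 10:00:50,agent=db01,rule=Login Failure,user_name=alice
2012-03-01 10:03:00,agent=web01,rule=Login Failure,user_name=alice
2012-03-01 10:03:10,agent=web02,rule=Service Stopped,user_name=SYSTEM
2012-03-01 10:03:30,agent=web02,rule=Login Failure,user_name=SYSTEM
"""
# Parse definition in the guide's syntax: '*' is the wildcard, '{name}' a variable.
PARSE_DEFINITION = "{ts},agent={agent},rule={rule},*"


def parse_definition_to_regex(definition):
    """Compile a parse definition into a regex; each {variable} becomes a named
    group that captures up to the next comma (a convention chosen for this example)."""
    parts, pos = [], 0
    for tok in re.finditer(r"\*|\{(\w+)\}", definition):
        parts.append(re.escape(definition[pos:tok.start()]))
        parts.append(".*?" if tok.group(0) == "*" else "(?P<%s>[^,\\n]*)" % tok.group(1))
        pos = tok.end()
    parts.append(re.escape(definition[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def record_selected(record, patterns_to_match, patterns_to_ignore):
    """Matching criteria: a record containing any match pattern is selected,
    unless it also contains an ignore pattern (plain substring tests)."""
    if not any(p in record for p in patterns_to_match):
        return False
    return not any(p in record for p in patterns_to_ignore)


class GroupedCounter:
    """Grouped counting over a sliding window of `interval` seconds.
    mode 'same': fire when `occurrences` records share one value of `field`.
    mode 'different': fire when `occurrences` distinct values of `field` appear.
    Assumption: the firing window is reset after an event (one burst, one event)."""

    def __init__(self, field, occurrences, interval, mode="same"):
        if mode not in ("same", "different"):
            raise ValueError("mode must be 'same' or 'different'")
        self.field, self.occurrences, self.interval, self.mode = field, occurrences, interval, mode
        self.per_value = defaultdict(deque)  # 'same': value -> timestamps in window
        self.recent = deque()                # 'different': (timestamp, value) in window

    def feed(self, ts, fields):
        value = fields.get(self.field)
        if value is None:
            return None
        if self.mode == "same":
            window = self.per_value[value]
            window.append(ts)
            while ts - window[0] > self.interval:  # drop timestamps outside the window
                window.popleft()
            if len(window) < self.occurrences:
                return None
            window.clear()
            return {"field": self.field, "value": value, "count": self.occurrences}
        self.recent.append((ts, value))
        while ts - self.recent[0][0] > self.interval:
            self.recent.popleft()
        distinct = sorted({v for _, v in self.recent})
        if len(distinct) < self.occurrences:
            return None
        self.recent.clear()
        return {"field": self.field, "values": distinct, "count": len(distinct)}


def analyze(alert_text, parse_definition, patterns_to_match, patterns_to_ignore, counter):
    """Apply matching criteria, then the parse definition, then grouped counting to
    every record; return the events the policy would send to the console."""
    regex = parse_definition_to_regex(parse_definition)
    events = []
    for record in alert_text.splitlines():
        match = regex.match(record) if record_selected(record, patterns_to_match, patterns_to_ignore) else None
        if match is None:
            continue  # ignored, or does not fit the parse definition: nothing to extract
        fields = match.groupdict()
        when = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        hit = counter.feed(when.timestamp(), fields)
        if hit is not None:
            events.append(hit)
    return events


def demo(mode="same"):
    """Three Login Failure records from one agent within a minute ('same'), or
    two different agents within a minute ('different'); SYSTEM records are ignored."""
    counter = GroupedCounter("agent", 3 if mode == "same" else 2, 60, mode)
    return analyze(ALERT_TEXT, PARSE_DEFINITION, ["Login Failure"], ["user_name=SYSTEM"], counter)
```

Running `demo("same")` reports one event for agent web01 (three failures inside a minute) and nothing for the later, isolated web01 record; `demo("different")` reports one event when db01 joins web01 inside the window. The Service Stopped record never reaches the counter because it fails the match pattern, and the SYSTEM record is dropped by the ignore pattern, which is the order of evaluation a practitioner should expect: filter first, extract second, count last.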
Windows_Template_Policy
The Windows_Template_Policy is a reusable workspace container policy that creates custom rules.
The policy includes rule options for the following rule types:
■ NT event log
■ Filewatch
■ Registry watch
■ Prevention watch
■ Text log
■ Generic
Each rule that you create in the policy is controlled by rule options that are enabled or disabled in the management console. You can customize the rule options by editing the rule parameters.
Management console functions are available to help you maintain custom rules. You can modify a custom rule name, description, and options. A special copy command lets you reuse custom rules across multiple policies; you can copy the options for a custom rule that is defined in the template policy to another workspace policy, without re-keying the options.
When importing and exporting workspace policies, the options to control custom rules are also imported and exported. When updating workspace policies, the options to control custom rules are also updated.
The template policy is intended for use as a container policy for managing custom rules. The policy contains only the rules that you define.
When creating a custom rule, you specify general rule options and rule-specific options.
See “About general rule options” on page 28.
See “About NT event log rules” on page 30.
See “About filewatch rules” on page 31.
See “About registry watch rules” on page 35.
See “About prevention watch rules” on page 36.
See “About text log rules” on page 37.
See “About generic rules” on page 39.
Kill_Prevention_PSET
This Windows detection policy attempts to kill any process that acts as an injectee or an injector. The Kill_Prevention_PSET policy is used in combination with the prevention policies. When the Kill_Prevention_PSET policy is applied to an agent, all processes routed to thread_injectee_nopriv_ps or thread_injector_nopriv_ps are killed by using the taskkill.exe application.
Note: The processes are routed to the thread_injectee_nopriv_ps or thread_injector_nopriv_ps PSETs only when you apply the IPS policy and configure the policy to detect thread injection. By default, thread injection detection is enabled in the core, strict, and limited execution prevention policies.
Following are the Kill_Prevention_PSET policy options:
Kill all thread injectee processes
    The prevention policy applies this option only when it finds that unauthorized code is injected into a specific process.
Kill all thread injector processes
    The prevention policy applies this option only when it finds that the process has injected code into another process against the policy restrictions.
Kill New Processes in a Specific PSET
    Kills any process that is routed to it.
    To enable this option, check Show advanced options.
Creating custom rules
You can create as many custom rules as you need. You can create multiple rules of different types and multiple rules of the same type. You can create the rules in the original template policy or in a template copy.
Verify the rule order. Detection rules are ordered top to bottom. Changing the rule order changes the meaning of the rules.
As an example, the following instructions create a text log rule.
To create custom rules
1 In the management console, click Policies.
2 Under the Policies tab, click Detection.
3 On the policies page, double-click Windows_Template_Policy.
4 In the policy editor dialog box, under Policy Settings, click My Custom Rules, and then click the Add a new Custom Control icon.
5 In the New Custom Rule Wizard dialog box, specify the following information.
Display Name
    Type a descriptive name for the custom rule.
    This text appears in the policy editor, under My Custom Rules.
    In the text log rule example, type Text Log Rule.
Category
    Select a rule type.
    In the text log rule example, select Text Log.
Identifier
    Type a name that the policy uses internally to identify the custom rule. The name must not include spaces or special characters.
    In the text log rule example, type textlog.
Description
    Type a full description of the custom rule.
6 Click Finish.
7 In the policy editor dialog box, click Edit to view the policy options.
8 In the policy editor dialog box, check Text log rule options and then click Edit.
9 In the policy editor dialog box, enable or disable the rule options, and modify the rule parameters as needed.
10 If the rules need reordering, select a rule, and then click Move Up or Move Down; repeat as needed.
11 Click OK.
Reusing custom rules
You can copy a custom rule that is defined in the template policy to another workspace policy. The options that control the custom rule are copied to the workspace policy.
You can copy a rule using the following methods:
■ On the Policies page, select the template policy, and then right-click Copy Custom Controls.
■ Edit the template policy, select one or more custom rules, and then click Copy To Other Policy.
If the custom rule being copied does not exist in the target policy, the rule is added to the target policy. If the custom rule being copied already exists in the target policy, the rule is updated in the target policy.
The Copy Policy Options Wizard prompts you to select one of the following merge options:
Default
    Ignores the target policy and uses the option settings in the template policy.
Take the new option settings
    If the custom rule does not exist in the target policy, you will select this option.
Merge the changed options
    Merges the option settings in the target policy with the option settings in the template policy.
    Note: Only the options for the selected custom rules are merged.
After copying a custom rule to a workspace policy, you should verify the rule options. Verify that the custom rule appears in the policy; click Settings to view the options. Verify that the custom rule is enabled in the policy.
To reuse custom rules
1 In the management console, click Policies.
2 Under the Policies tab, click Detection.
3 On the Policies page, select Windows_Template_Policy, and then right-click Copy Custom Controls.
4 In the Copy Policy Options Wizard dialog box, select a custom rule, and then click Next.
To select multiple custom rules, press and hold the Shift or Ctrl key while selecting the rules.
5 In the Copy Policy Options Wizard dialog box, select one or more target policies to receive the selected custom rules, and then click Next.
To select multiple target policies, press and hold the Shift or Ctrl key while selecting the policies.
6 In the Copy Policy Options Wizard dialog box, select the merge option, and then click Finish.
About general rule options
The following rule options apply to all rule types:
Rule name
    In the Value box, type the rule name. This value appears in the management console. Required.
    In the Rule Name box, type a name to associate internally with the rule. Rule names are carried throughout the system and are recorded in each event that is generated by the policy. Rule names help provide insight into why an event was recorded. Optional.
    In the Comment box, type notes or comments about the rule. Optional.
Rule severity
    Select the severity number from the following range of rule severity numbers:
    ■ Info: Events with a severity of 0-19 contain information about normal system operation.
    ■ Notice: Events with a severity of 20-39 contain information about normal system operation.
    ■ Warning: Events with a severity of 40-59 indicate unexpected activity or problems that have already been handled by Symantec Critical System Protection.
    ■ Major: Events with a severity of 60-79 imply more impact than Warning and less impact than Critical.
    ■ Critical: Events with a severity of 80-99 indicate activity or problems that might require administrator intervention to correct.
Matching event patterns
    Specify additional patterns to match in an event.
    If specifying multiple patterns, any matching pattern triggers the rule.
    Select the check box to enable the option, and then specify the event patterns to match.
    To ignore events containing specific patterns, select the ignore check box, and then specify the event patterns to ignore.
    When specifying a text pattern, you can use the following wildcard characters:
    ■ Use a question mark (?) to match a single character, including the question mark itself. Examples: ab?c matches abxc or ab?c, but not abc.
    ■ Use an asterisk (*) to match zero or more characters, including asterisks embedded in a text pattern. Example: *abc matches a*b*cabc, where the initial asterisk is equivalent to a*b*c.
    ■ Use a backward slash (\) as an escape character. Use two backward slashes (\\) for a backward slash embedded in a text pattern.
    ■ Use a percent sign (%) to delimit variables, including environment variables. Use one backward slash and one percent sign (\%) for a percent sign embedded in a text pattern.
Record event to SCSP console
    Select this check box to send the event to the management console when activity matches the conditions.
    This rule option creates a record in the event log (.CSV) file.
Execute command
    Specify a command-line string, including path and arguments, to execute when the rule is triggered.
    For an agent to properly execute a command, you should create the commands.txt file on the agent computer, in the \IDS\System directory. List each command-line string, including path and arguments, on a separate line in the commands.txt file. The commands listed in the commands.txt file must not require user interaction at a command line or with a graphical user interface.
Date and time restrictions
    Add date restrictions that specify a time interval when a rule is active or inactive. Date restrictions are active when the rule is enabled, inactive when the rule is disabled.
    Select the check box to enable the option.
    Specify whether to select or ignore events during the time interval.
    Specify the start, duration, and frequency of the time interval.
Files to monitor
    Specify the full path and name of the file to be monitored. You can specify multiple files. If the path refers to a directory, then only the changes to the directory are monitored.
    Click the Add button, and then in the Value box, type the path and name of the file. Repeat to specify another file.
    Unless otherwise stated, you can use wildcard characters in path and file name specifications. To monitor all files and subdirectories (up to two subdirectory levels), type an asterisk (*) for the file name.
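The four wildcard rules listed under Matching event patterns are small enough to be checked in code. The following is an added example, not code from the guide or from the product, that compiles a pattern written with `?`, `*`, `\` and `%variable%` into an anchored regular expression and then applies the any-match / any-ignore decision the rule option describes. Two points are my assumptions rather than the guide's statements: a pattern is tested against the whole event text (which is what the `*abc` example suggests), and a value substituted for a `%variable%` is taken literally, so wildcard characters inside a variable's value cannot widen the match. The `variables` dictionary, sample event strings and patterns are constructed.

```python
"""Added example (not code from the guide or the product): a compiler for the
four wildcard rules under Matching event patterns, plus the match/ignore
decision a rule makes for one event."""
import os
import re


def compile_pattern(pattern, variables=None, use_environment=True):
    r"""Translate a CSP-style text pattern into an anchored regular expression.
      ?       matches exactly one character (so it also matches a literal '?')
      *       matches zero or more characters
      \       escapes the next character: '\\' is a literal backslash, '\%' a literal '%'
      %name%  is replaced by a variable (the `variables` dict first, then the environment)
    Assumptions (mine, not the guide's): the pattern must match the whole event
    text, and a substituted variable value is literal text, never re-read for wildcards."""
    variables = variables or {}
    parts, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:            # escape: the next character is literal
            parts.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "?":
            parts.append(".")
            i += 1
        elif c == "*":
            parts.append(".*")
            i += 1
        elif c == "%":                          # %variable% reference
            end = pattern.find("%", i + 1)
            if end == -1:
                raise ValueError("unterminated %variable% in pattern: " + pattern)
            name = pattern[i + 1:end]
            if name in variables:
                value = variables[name]
            elif use_environment and name in os.environ:
                value = os.environ[name]
            else:
                raise KeyError("unknown variable %r in pattern" % name)
            parts.append(re.escape(str(value)))  # escaped: a value cannot inject wildcards
            i = end + 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches(pattern, text, variables=None):
    """True when the whole event text matches the wildcard pattern."""
    return compile_pattern(pattern, variables).match(text) is not None


def event_selected(event_text, patterns_to_match, patterns_to_ignore=(), variables=None):
    """Any matching pattern triggers the rule; any ignore pattern suppresses it."""
    if not any(matches(p, event_text, variables) for p in patterns_to_match):
        return False
    return not any(matches(p, event_text, variables) for p in patterns_to_ignore)


if __name__ == "__main__":
    # Constructed sample event and patterns.
    sample = "Logon failure for user svc_backup on web01"
    print(event_selected(sample, ["*Logon failure*"]))              # True
    print(event_selected(sample, ["*Logon failure*"], ["*svc_*"]))  # False
    print(matches("Event %EventID% on *", "Event 529 on web01", {"EventID": "529"}))  # True
```

Because variable values are escaped before they enter the regular expression, a variable whose value happens to contain `*` or `?` matches only that literal text; if a policy needs a variable to carry wildcards, that has to be a deliberate choice rather than an accident of string substitution. The `re.DOTALL` flag lets `*` span line breaks in multi-line event text.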
About NT event log rules
This rule type monitors user-specified events in the Windows event log.
The NT event log rule type is associated with the NT event log collector. The NT event log collector looks for matches in Windows event log files. These event log files are the Microsoft standard format .evt files. In standard installations, three event log files exist: Security, System, and Application.
The rule is created with the following rule options:
NT event log rule options
    Select this check box to enable the rule.
Rule name
    See “About general rule options” on page 28.
Rule severity
    See “About general rule options” on page 28.
Windows event ID to monitor
    Type a comma-separated list of Windows event IDs to monitor.
    You can specify event IDs as the following:
    ■ Unsigned integer (for example, 529)
    ■ Variable (for example, %EventID%)
    ■ Comma-separated list of unsigned integers (for example, 617,618,619)
Windows event log file name
    Type the name of the Windows event log to monitor (System, Security, or Application).
Record event to SCSP console
    See “About general rule options” on page 28.
Execute command
    See “About general rule options” on page 28.
Event patterns
    See “About general rule options” on page 28.
Date and time restrictions
    See “About general rule options” on page 28.
About filewatch rules
This rule type monitors changes to user-specified files, and ignores changes to user-specified files. These changes comprise creating, deleting, modifying, and accessing user-specified files. You can enable or disable monitoring or ignoring specific files, and you can adjust the list of files that are monitored or ignored.
The filewatch rule type is associated with the file collector, which determines how agents monitor files. Intruders often attempt to replace critical system files with Trojan horse versions, or alter system files to create a back door for future intrusions. The file collector detects changes to these system critical files. Also, the FileWatch collector monitors all NTFS alternate data streams that are associated with a file name for creation, deletion, and changes. Symantec Critical System Protection does not support automatic file comparison of alternate data streams. You can compare individual data streams by specifying the absolute path for alternate data streams in a policy. Use file_path:stream_name to specify the absolute path.
The Windows filewatch implementation monitors files and directories on removable media. Filewatch generates a single Mount or Unmount event for each monitored path whenever a watched file or directory appears or disappears because of a mount, dismount, insertion or removal. Filewatch monitors removable media such as floppy drives, CD/DVD drives, USB drives, and firewire drives. The state of a removable drive is maintained across IDS Service restarts. (If a removable drive is being monitored when the IDS Service is stopped, and the drive is removed before the service is restarted, filewatch recognizes that the drive was removed and avoids generating FileDeleted events for the contents of the drive.) The Mount and Unmount events are generated directly into the CSV event log and do not have to match a policy rule. If you are not interested in these events, you can filter the events using log rules or real-time monitor filters.
The filewatch rule is created with the following rule options:
Filewatch rule options
    Select this check box to enable the rule.
Rule name
    See “About general rule options” on page 28.
Rule severity
    See “About general rule options” on page 28.
Polling interval
    The frequency at which files are polled for changes. All files listed in a filewatch rule are monitored based on the polling interval.
    A low polling interval value might impact system performance.
    For high-priority files, the polling interval is typically set to 60 seconds.
Search depth
    The number of directory levels to monitor for file differences.
    Select a value (1-10) from the list or type a value.
    File differences include file creation, deletion, modification, and access.
Monitor file creation
    Select this check box to monitor user-specified files for creation.
Monitor file deletion
    Select this check box to monitor user-specified files for deletion.
Monitor file modification
    Select this check box to monitor user-specified files for modification.
    Additionally, you can enable or disable the following options:
    ■ Use file checksum to check if files are modified
      Select this check box to compare the current contents of a file with the previous version's contents. A file's checksum is calculated at agent startup to determine whether the file was modified since Symantec Critical System Protection was last shut down.
    ■ Report file differences
      Select this check box to report the file differences in the event, and then select the differences algorithm (TXT for generic text files or INI for Windows .ini configuration files).
Monitor file access
    Select this check box to monitor user-specified files for file access.
Additional patterns to match
    See “About general rule options” on page 28.
Files to watch
    Select this check box to monitor specific files, and then list the files to monitor.
Files to ignore
    Select this check box to ignore specific files, and then list the files to ignore.
Record event to SCSP console
    See “About general rule options” on page 28.
Execute command
    See “About general rule options” on page 28.
Date and time restrictions
    See “About general rule options” on page 28.
The FileWatch feature monitors changes in the following file system attributes. For each attribute, the entry states whether the old and new values are recorded, followed by any notes.
Unix Permission bitmask
    Old and new values recorded: Yes
    Notes: User, Group, Other, Setuid bit, Setgid bit, Sticky bit
Windows Permission bitmask
    Old and new values recorded: Yes
    Notes: Archive*, Directory, Encrypted, Hidden, Indexed*, Offline, Read Only, System, Temporary*. Changes to attributes marked with an asterisk (*) are only recorded if changes to the file’s access time are being monitored.
File size
    Old and new values recorded: Yes
Modification Date
    Old and new values recorded: Yes
    Notes: Windows FAT file systems have a two second resolution on their timestamps. If multiple changes happen within a two second window, Symantec Critical System Protection may not record them as separate events.
Access Date
    Old and new values recorded: Yes
    Notes: Symantec Critical System Protection monitors the access time only if the underlying file system supports recording access time. Following are the situations where file systems do not record access time:
    ■ Most current releases of Windows (Windows 2008 and newer, Windows Vista and newer) do not record access time by default. It must be explicitly enabled. For example, fsutil.exe behavior set disablelastaccess 0.
    ■ Windows FAT file systems do not record access time even if the operating system has it enabled.
Creation Date
    Old and new values recorded: Yes
# of Hard Links
    Old and new values recorded: Yes
    Notes: UNIX and Linux only
Symlink value
    Old and new values recorded: Yes
    Notes: UNIX and Linux only
Owner
    Old and new values recorded: Yes
Group
    Old and new values recorded: Yes
    Notes: Primary Group for Windows
File type
    Old and new values recorded: Yes
    Notes: Flags indicating if the path or filename switched to or from a file, from or to a directory, or a symlink. UNIX and Linux only.
NTFS Discretionary ACL
    Old and new values recorded: Yes
NTFS Extended File Attributes
    Old and new values recorded: Yes
NTFS Alternate Data Stream Size
    Old and new values recorded: Yes
File Checksum Value (SHA-256)
    Old and new values recorded: Yes
User that made change
    Old and new values recorded: N/A
    Notes: RT-FIM platforms and events only
Process that made change
    Old and new values recorded: N/A
    Notes: RT-FIM platforms and events only
Process ID that made change
    Old and new values recorded: N/A
    Notes: RT-FIM platforms and events only
User Session # that made change
    Old and new values recorded: N/A
    Notes: RT-FIM platforms and events only
In addition to monitoring the file system attributes, Symantec Critical System Protection records detailed changes made to the content of text files. The changes are recorded in a typical diff format with old and new lines from the file shown.
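To make the polling interval, search depth, checksum and file-differences options concrete, here is an added example that is not Symantec's implementation: a small filewatch-style poller in Python that takes a baseline snapshot of a directory tree to a given search depth, hashes every file with SHA-256, and on the next poll reports FileCreated, FileDeleted and FileModified events, attaching a unified diff (the TXT algorithm) for text files listed for difference reporting. The directory contents, file names, the event dictionary layout and the depth convention (1 = the listed directory only) are constructed for the example.

```python
"""Added example (not Symantec's implementation): a filewatch-style poller that
snapshots a directory tree to a search depth, hashes files with SHA-256, and
reports creation, deletion and modification between polls, attaching a
unified diff for text files listed for difference reporting."""
import difflib
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_checksum(path):
    """SHA-256 of the file contents, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, search_depth=1, use_checksum=True):
    """Map each file (POSIX path relative to root) to (size, mtime_ns, sha256 or None).
    search_depth=1 covers root only; 2 adds its immediate subdirectories, and so on."""
    root, snap = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        if len(Path(dirpath).relative_to(root).parts) + 1 >= search_depth:
            dirnames[:] = []  # at the deepest allowed level: do not descend further
        for name in filenames:
            path = Path(dirpath) / name
            st = path.stat()
            snap[path.relative_to(root).as_posix()] = (
                st.st_size, st.st_mtime_ns, file_checksum(path) if use_checksum else None)
    return snap


def compare(old, new, use_checksum=True):
    """Classify differences between two snapshots as filewatch-style events.
    Checksums catch same-second edits that coarse timestamps (FAT: 2 s) would miss."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append({"type": "FileCreated", "path": rel})
        elif rel not in new:
            events.append({"type": "FileDeleted", "path": rel})
        elif (old[rel][2] != new[rel][2]) if use_checksum else (old[rel][:2] != new[rel][:2]):
            events.append({"type": "FileModified", "path": rel})  # hash, or size/mtime, changed
    return events


class FileWatch:
    """Baseline-and-poll watcher; report_differences lists relative paths of text
    files whose old and new lines are attached to their FileModified events."""

    def __init__(self, root, search_depth=1, report_differences=()):
        self.root, self.search_depth = Path(root), search_depth
        self.report_differences = set(report_differences)
        self.snap = snapshot(self.root, search_depth)
        self.texts = self._read_texts(self.snap)

    def _read_texts(self, snap):
        return {rel: (self.root / rel).read_text() for rel in self.report_differences if rel in snap}

    def poll(self):
        """One polling-interval cycle: rescan, compare with the baseline, roll forward."""
        new = snapshot(self.root, self.search_depth)
        new_texts = self._read_texts(new)
        events = compare(self.snap, new)
        for ev in events:
            if ev["type"] == "FileModified" and ev["path"] in self.report_differences:
                ev["diff"] = "".join(difflib.unified_diff(
                    self.texts.get(ev["path"], "").splitlines(True), new_texts[ev["path"]].splitlines(True),
                    fromfile=ev["path"] + " (old)", tofile=ev["path"] + " (new)"))
        self.snap, self.texts = new, new_texts
        return events


def demo():
    """Constructed scenario in a temporary directory: take a baseline, then create,
    modify and delete files, and poll once. Also returns what depth 1 would have seen."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "app.ini").write_text("[server]\nport=8080\n")
        (root / "keep.txt").write_text("unchanged\n")
        (root / "old.log").write_text("x\n")
        (root / "sub").mkdir()
        (root / "sub" / "deep.txt").write_text("level 2\n")
        shallow = sorted(snapshot(root, search_depth=1))
        watch = FileWatch(root, search_depth=2, report_differences=["app.ini"])
        (root / "app.ini").write_text("[server]\nport=9090\n")  # modified, same size
        (root / "old.log").unlink()                              # deleted
        (root / "new.exe").write_bytes(b"MZ")                    # created
        (root / "sub" / "deep.txt").write_text("level 2 changed\n")
        return {"events": watch.poll(), "shallow_files": shallow}
    finally:
        shutil.rmtree(root)
```

In `demo()` the rewrite of app.ini keeps the file size and may land in the same timestamp second as the baseline, so only the checksum comparison is guaranteed to report it; that is the case the guide's checksum option and its note on FAT timestamp resolution are about. A production watcher would persist the baseline (hashes and, for listed files, content) across service restarts, which is what the guide describes when it says checksums are recalculated at agent startup to detect modifications made while the product was shut down.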
About registry watch rules
This rule type monitors changes to user-specified registry keys, and ignores changes to user-specified registry keys. These changes comprise creating, deleting, and modifying user-specified registry keys. You can enable or disable monitoring or ignoring specific registry keys, and you can adjust the list of registry keys that are monitored or ignored.
The registry watch rule type is associated with the registry collector. The registry collector watches for changes made to user-specified registry keys.
The rule is created with the following rule options:
Registry watch rule options
    Select this check box to enable the rule.
Rule name
    See “About general rule options” on page 28.
Rule severity
    See “About general rule options” on page 28.
Monitor creation of registry keys
    Select this check box to monitor the creation of user-specified registry keys.
Monitor deletion of registry keys
    Select this check box to monitor the deletion of user-specified registry keys.
Monitor modification of registry keys
    Select this check box to monitor the modification of user-specified registry keys.
Additional patterns to match
    See “About general rule options” on page 28.
Registry keys to watch
    Select this check box to monitor specific registry keys, and then list the keys to monitor.
Registry keys to ignore
    Select this check box to ignore specific registry keys, and then list the keys to ignore.
Record event to SCSP console
    See “About general rule options” on page 28.
Execute command
    See “About general rule options” on page 28.
Date and time restrictions
    See “About general rule options” on page 28.
About prevention watch rules
This rule type monitors user-specified prevention events.
The rule is created with the following rule options:
Prevention watch rule options
    Select this check box to enable the rule.
Rule name
    See “About general rule options” on page 28.
Rule severity
    See “About general rule options” on page 28.
Prevention event fields to match on
    This option matches event fields. It is always enabled.
    Select one of the following prevention event types:
    ■ All prevention events
    ■ Buffer overflow
    ■ File access
    ■ Mount
    ■ Network access
    ■ OS Call
    ■ Process assignment
    ■ Process create
    ■ Process destroy
    ■ Registry access
    Specify the event variables to monitor, with values for each variable.
    Specify any additional patterns to match and patterns to ignore.
    See “About general rule options” on page 28.
Record event to SCSP console
    See “About general rule options” on page 28.
Execute command
    See “About general rule options” on page 28.
Date and time restrictions
    See “About general rule options” on page 28.
About text log rules
This rule type monitors user-specified text patterns in user-specified text logs. The rule type is associated with the text log collector, which watches for matches in user-specified text logs.
The text log rule type is also used with virtual agents. Symantec Critical System Protection recognizes and processes virtual event data indirectly via a text log rule, where you designate resulting events as originating from virtual agents. In a manner similar to specifying a user-defined text string, you can identify a source system identification tag that indicates the events are from an agent other than the host machine that processed the events.
See the Symantec Critical System Protection Administration Guide for information on virtual agents.
The text log rule is created with the following rule options:
Text log rule options: Select this check box to enable the text log rule.
Rule name: See “About general rule options” on page 28.
Rule severity: See “About general rule options” on page 28.
Text log path: Specify the text log file to monitor. Specify the complete file path. Wildcard characters are not permitted in the path. Use the percent sign (%) to delimit variables.
Log file structure definitions: This rule option defines the text log file structure. It is always enabled.
Log file contains events coming from a virtual agent: Select this check box to indicate that the records in the text log file are from a virtual agent, and then specify the virtual agent name.
You can specify the virtual agent name as a text string. Use this format when all the records in the text log file are from the same virtual agent.
Example: Mainframe01
You can specify the virtual agent name as a variable. You must define the variable using the parse definitions option. Use this format when the records in the text log file are from multiple virtual agents.
Example: {Virtual Agent Tag}
Parse definitions: Select this check box to indicate that the virtual agent name is specified in a parse string, and then specify the parse string.
Example: *agent name={Virtual Agent Tag},*
Use this option when the records in the text log file are from multiple virtual agents.
Parse strings support wildcard characters. Type an asterisk (*) as the wildcard character for zero or more characters.
When mixing literal text strings with wildcard characters, do not precede the literal text string with a delimiter character (space or tab), unless the character is not found anywhere before the literal text string. For example, if the space delimiter is found before the literal text string user=, then the pattern * user=* (with a space before user=) will not match the following string:
a string user=joe a string
The pattern parser algorithm works from left to right to match *<space>user=* against a<space>string user=joe a string, and the match fails at the first space delimiter.
When specifying a variable, include a literal delimiter/terminator after the variable. Otherwise, the pattern parser algorithm cannot determine where the variable data ends. For example:
user={User Name} *
Note the space after the variable. If it were defined as
*user={User Name}*
then the algorithm would fail to extract the {User Name} portion of the string.
Records in file contain multiple lines: If the records in the text log file contain multiple lines, select this check box, and then specify the character used to delimit the records.
Record event to SCSP console: See “About general rule options” on page 28.
Execute command: See “About general rule options” on page 28.
Event patterns: See “About general rule options” on page 28.
Date and time restrictions: See “About general rule options” on page 28.
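The parse-string rules described under Parse definitions, modelled as an added example that is not Symantec's parser: a left-to-right matcher in which each * or {Variable} stops at the first occurrence of the next literal's first character (an assumption that reproduces the documented failures), applied to the guide's own *agent name={Virtual Agent Tag},* string. The function names and the log records are constructed.

```python
import re
from typing import Dict, Optional

# Token grammar of a parse string: '*' wildcard, {Variable} capture, or literal text.
_TOKEN_RE = re.compile(r"\*|\{[^}]+\}|[^*{]+")


def parse_record(pattern: str, record: str) -> Optional[Dict[str, str]]:
    """Match one log record against a parse string, left to right, without
    backtracking (an assumption about the documented algorithm, not Symantec's
    code). Returns the captured {Variable} values, or None when the pattern does
    not match or a variable's end cannot be determined."""
    tokens = _TOKEN_RE.findall(pattern)
    captured: Dict[str, str] = {}
    pos = 0
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        is_var = tok.startswith("{")
        if tok == "*" or is_var:
            if nxt is None:
                if is_var:
                    return None        # trailing variable: nothing terminates it
                pos = len(record)      # trailing '*' consumes the rest of the record
                continue
            if nxt == "*" or nxt.startswith("{"):
                return None            # e.g. {User Name}* : no literal terminator
            # '*' and variables stop at the first occurrence of the next literal's
            # first character (the delimiter); there is no backtracking, which is
            # why a delimiter placed before the literal breaks the match.
            end = record.find(nxt[0], pos)
            if end < 0:
                return None
            if is_var:
                captured[tok[1:-1]] = record[pos:end]
            pos = end
        else:
            if not record.startswith(tok, pos):
                return None
            pos += len(tok)
    return captured if pos == len(record) else None


VIRTUAL_AGENT_PARSE = "*agent name={Virtual Agent Tag},*"   # example string from the guide


def virtual_agent_of(record: str) -> Optional[str]:
    """Resolve which virtual agent a text log record came from (None if untagged)."""
    m = parse_record(VIRTUAL_AGENT_PARSE, record)
    return m["Virtual Agent Tag"] if m is not None else None


# Constructed sample records; not taken from any real system.
SAMPLE_RECORDS = [
    "2012-07-04 09:15:01 agent name=Mainframe01, login ok user=joe",
    "2012-07-04 09:15:02 agent name=Mainframe02, login failed user=bob",
    "2012-07-04 09:15:03 local event, no agent tag",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(virtual_agent_of(rec), "<-", rec)
    # The two pitfalls the guide describes:
    print(parse_record("*user=*", "a string user=joe a string"))        # {} (matches)
    print(parse_record("* user=*", "a string user=joe a string"))       # None
    print(parse_record("user={User Name} *", "user=joe logged in"))     # {'User Name': 'joe'}
    print(parse_record("*user={User Name}*", "x user=joe y"))           # None
```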
About generic rules
This rule type monitors user-specified events from any of the Symantec Critical System Protection event sources.
The generic rule is created with the following rule options:
Generic rule options: Select this check box to enable the generic rule.
Rule name: See “About general rule options” on page 28.
Rule severity: See “About general rule options” on page 28.
Record event to SCSP console: See “About general rule options” on page 28.
Execute command: See “About general rule options” on page 28.
Event patterns: See “About general rule options” on page 28.
Date and time restrictions: See “About general rule options” on page 28.
Host Intrusion Detection policies enhancements
Windows detection policy reference: Host Intrusion Detection policies enhancements (page 40)
The Host Intrusion Detection policies have been redesigned and rewritten to enhance stability, provide greater ease of use and detection accuracy, and add functionality.
Multiple policies have been reorganized into two baseline monitoring solutions for the Windows and the UNIX operating system environments.
The Windows Baseline policy includes the following improvements:
■ The IDS policy has been rewritten to improve functionality and accuracy in monitoring security events.
■ The file monitoring area has been redesigned and rewritten to provide a large number of new file and directory monitoring functions. For example, you can now control and enable the access, delete, modify, and create change monitoring functions by group.
■ You can now perform advanced rule-by-rule tuning directly from the Symantec Critical System Protection console. These rules now also use ignore logic and select logic methodology.
■ You can now configure and view all rule content from the Symantec Critical System Protection console.
■ Policy option group naming conventions have been standardized for ease of administration. You can now enable and disable entire areas of the policies with option check boxes.
■ Automatic application detection has been updated to enable and disable monitoring without the need for administrators to configure the policy individually per host.
■ You can now configure many parameter options individually for each rule. For example, you can configure the Rule Name, Rule Severity, and Rule monitoring content separately for each rule.
■ You can now select a severity level for each rule. You no longer need to know specific numerical values for the severity base types.
■ New Web attack detection functionality has been built into the policy to provide monitoring of Web attacks. The types of attacks that are detected include basic SQL injection, directory traversal, vulnerable CGI requests, blacklist IP functionality, and vulnerability scanning detection. Malicious request strings, malicious extension requests, and malicious user agent strings are also detected.
■ You can now mouse over parts of the user interface to display descriptions to assist in policy navigation and rule-by-rule overview.
Table 2-1 illustrates how the existing policies from previous releases were combined with new options into the 5.2.6 top-level option groups.
Table 2-1 Detection options organization map
Each entry gives the detection option organization in release 5.2.6, followed by the options in previous releases, with new material noted.
System User and Group Change Monitor
■ System_Group_Management_Change
■ System_User_Configuration
■ Enhanced_System_Group_Change (NEW)
System Active-Directory Change Monitor
■ Domain_Trust_Configuration
■ MS_ActiveDirectory_FSMO_Changed
■ System_AuthEncrypt_Configuration
■ AD_Priviledged_Group/User_Change (NEW)
System Login Activity and Access Monitor
■ System_Logoff
■ System_Logon_Success
■ System_Failed_Access_Status
■ Domain_Priviledged_User_Login (NEW)
System Hardening Monitor
■ System_Autorun_Configuration
■ Network_Comm_Configuration
■ System_File_Protection_Status
■ System_Security_Configuration
■ System_StartStop_Options
■ System_Audit_Tampering
■ System_Hardening
System File and Directory Monitor
■ System_Shares_Configuration
■ Host_IDS_File_Tampering
■ Critical_System_File_Monitor (NEW)
System Registry Monitor
■ Critical_Registry_StartPath_Monitor
■ Critical_System_Registry_Monitor (NEW)
Symantec Software Monitoring
■ Symantec_AV_Client_Communication
■ SAV_Critical_Action_Monitor (NEW)
■ SEP_Critical_Action_Monitor (NEW)
External Device Activity Monitor
■ USB_Device_Activity
■ USB_Device_Vendor_Detection (NEW)
■ CD/DVD_Burning_Activity (NEW)
System Attack Detection
■ Generic_Web_Attack_Detection
■ Web_Attack_Detection (NEW)
The policies that perform administrative or troubleshooting activities for Symantec Critical System Protection agents and management server-specific policies were not combined with the Windows Baseline policy.
The following policies were not combined because they serve an administrative purpose outside of normal detection functionality or facilitate the Global Watch functionality:
■ CSP_Agent_Diagnostics
■ CSP_Agent_Status
■ CSP_Server_Monitor
■ Global_Watch_Policy
Chapter 3
UNIX detection policy reference
This chapter includes the following topics:
■ About the UNIX detection policies
■ List of policies
About the UNIX detection policies
Symantec Critical System Protection includes UNIX detection policies for computers that run the following operating systems:
■ IBM AIX
■ Sun Solaris
■ Red Hat Enterprise Linux
■ SUSE Linux Enterprise
You can apply the UNIX detection policies to any Solaris, Linux, AIX, HP-UX, and Tru64 agent or agent group.
The UNIX detection policies are as follows:
■ UNIX_CSP_Agent_Diagnostics
■ UNIX_CSP_Agent_Status
■ UNIX_Host_IDS_FIle_Tampering
■ UNIX_NetRecon_Scan_Detected
■ UNIX_Sendmail_BrokenPipe_Messages
■ UNIX_Stack_Execution_Denied (Solaris, HP-UX, Tru64)
■ UNIX_System_Logon_Failure
■ UNIX_System_Logon_Success
■ UNIX_System_Time_Change (Solaris, AIX, HP-UX, Tru64)
■ UNIX_System_User_Configuration
■ UNIX_Template_Policy
In addition to the UNIX policies, Symantec Critical System Protection includes OS-specific policies. A version of each OS-specific policy is provided for Solaris, Linux, AIX, HP-UX, and Tru64 agents.
The OS-specific policies are as follows:
■ Apache_Vulnerable_CGI_Scripts
■ SANS
List of policies
This section describes the Symantec Critical System Protection UNIX detection policies.
UNIX_CSP_Agent_Diagnostics
This UNIX detection policy includes options to do the following:
■ Run the collect info script
■ Restart the IDS service
■ Restart the IPS service
■ Restart the UTIL service
■ Force log rollover of the agent event log file
■ Modify the management server list for an agent
■ Edit configuration files
For more information, see the Windows version of this policy.
See “CSP_Agent_Diagnostics” on page 18.
UNIX detection policy reference: List of policies (page 46)
UNIX_CSP_Agent_Status
This UNIX detection policy runs scripts that provide health checks on IPS agents. The health check scripts run based on user-configurable timers. The timers are started when the policy is initially applied to an agent or when the agent is restarted.
The policy options are as follows:
IPS Health Check: Periodically runs the IPS agent health check script. Specify the health check frequency in days, hours, minutes, and seconds. By default, the health check script runs every hour.
IPS Util Health Check: Periodically runs the IPS Util health check script on Solaris or Linux agents. Specify the Util health check frequency in days, hours, minutes, and seconds. By default, the health check script runs every hour.
IPS Core Detection: Monitors syslogs for detected sisipsagent core dump files.
UNIX_Template_Policy
The UNIX_Template_Policy is a reusable workspace container policy for managing custom rules.
The UNIX_Template_Policy policy includes rule options for the following rule types:
■ Filewatch
■ Text log
■ Prevention watch
■ Generic
■ C2 log
■ Syslog
■ UNIX activity log
The UNIX_Template_Policy is intended for use as a container policy for managing custom rules. The policy contains only the rules that you define.
For more information on using the template policy, including how to create and reuse custom rules, see the Windows_Template_Policy.
See “Windows_Template_Policy” on page 24.
About C2 log rules
This rule type monitors the C2 audit logs on Solaris, HP-UX, and AIX agents. The rule type is associated with the C2 collector, which looks for matches in the C2 audit logs.
Note: C2 logging must be turned on and configured on the agent computers.
The C2 log rule is created with the following rule options:
C2 rule options: Select this check box to enable the C2 rule.
Rule name: See the Windows_Template_Policy for details.
Rule severity: See the Windows_Template_Policy for details.
Record event to SCSP console: See the Windows_Template_Policy for details.
Execute command: See the Windows_Template_Policy for details.
Event patterns: See the Windows_Template_Policy for details.
Date and time restrictions: See the Windows_Template_Policy for details.
About syslog rules
This rule type monitors user-specified events in the UNIX syslog. The rule type is associated with the syslog collector, which watches for syslog daemon tampering on UNIX systems.
The syslog rule is created with the following rule options:
Syslog rule options: Select this check box to enable the syslog rule.
Rule name: See the Windows_Template_Policy for details.
Rule severity: See the Windows_Template_Policy for details.
Record event to SCSP console: See the Windows_Template_Policy for details.
Execute command: See the Windows_Template_Policy for details.
Event patterns: See the Windows_Template_Policy for details.
Date and time restrictions: See the Windows_Template_Policy for details.
About UNIX activity log rules
This rule type monitors user-specified events in the WTMP and BTMP files. The rule type is associated with the WTMP collector, which watches for matches in the WTMP and BTMP files.
The UNIX activity log rule is created with the following rule options:
UNIX activity log rule options: Select this check box to enable the UNIX activity log rule.
Rule name: See the Windows_Template_Policy for details.
Rule severity: See the Windows_Template_Policy for details.
Record event to SCSP console: See the Windows_Template_Policy for details.
Execute command: See the Windows_Template_Policy for details.
Event patterns: See the Windows_Template_Policy for details.
Date and time restrictions: See the Windows_Template_Policy for details.
Chapter 4
Policy examples
This chapter includes the following topics:
■ About Policy examples
■ Forcing rollover of the agent event log file
■ Creating a filewatch rule
About Policy examples
This chapter includes the following topics:
■ Forcing rollover of the agent event log file
■ Creating a filewatch rule
Forcing rollover of the agent event log file
Forcing rollover of the agent event log file closes the current log file and opens a new log file.
The agent event log file is stored in the following directories:
Windows: C:\Program Files\Symantec\Critical System Protection\Agent\scsplog
UNIX: /var/log/scsplog
The policy forces rollover of the log file immediately after being applied to the agent.
To force rollover of the agent event log file
1 Log on to the management console as an administrator.
2 In the management console, on the Policies page, in the Symantec folder, edit the CSP_Agent_Diagnostics policy.
3 In the policy editor dialog, enable Select a function to run on the agent.
4 In the policy editor dialog, click Select a function, and then select Force Log Rollover.
5 Click OK to save the policy changes.
6 Apply the policy to the agent.
7 In the management console, monitor the events on the Monitors page to determine if the agent event log file rolled over.
8 Check the log file directory to confirm that rollover occurred.
9 On the Assets page, select the agent, and then right-click Clear Policy to clear the policy from the agent.
Creating a filewatch rule
Policy examples: Creating a filewatch rule (page 52)
Create a filewatch rule to monitor changes to user-specified files.
To create a filewatch rule
1 In the management console, click Policies.
2 Under the Policies tab, click Detection.
3 On the Policies page, double-click Windows_Template_Policy or UNIX_Template_Policy.
4 In the policy editor dialog box, under Policy Settings, click My Custom Rules, and then click the Add a new Custom Control icon.
5 In the New Custom Rule Wizard dialog box, specify the following information:
Display Name: Type a descriptive name for the filewatch rule. Example: My Filewatch Rule
Category: Select the filewatch rule type.
Identifier: Type a name that the policy uses internally to identify the filewatch rule. Example: myfw
Description: Type a full description of the filewatch rule.
6 Click Finish.
7 In the policy editor dialog box, click Edit to display the rule options.
8 In the policy editor dialog box, click Edit before Filewatch Rule Options, and then select the check box to enable the filewatch rule.
9 In the policy editor dialog box, enable the rule options to monitor file creation, deletion, modification, and access.
10 In the policy editor dialog box, enable Additional patterns to match on, and then specify the list of patterns.
11 In the policy editor dialog box, enable Files to watch, and then specify the list of files to watch.
12 Click OK.
Chapter 5
Windows Baseline Detection policy
This chapter includes the following topics:
■ Introduction
■ File monitoring improvements
■ Windows-specific policy improvements
■ About rule options
Introduction
The Symantec Critical System Protection Host Intrusion Detection policies have been redesigned and rewritten. Multiple policies were reorganized into a baseline monitoring solution for the Windows operating system environment. The new policy provides enhanced stability, greater ease of use and detection accuracy, and added functionality.
The Windows policy includes the following improvements:
■ The IDS policy was rewritten to improve functionality and accuracy in monitoring security events.
■ The file monitoring area was redesigned and rewritten to provide a large number of new file and directory monitoring functions. For example, you can control and enable the access, delete, modify, and create change monitoring functions by group.
■ You can perform advanced rule-by-rule tuning directly from the Symantec Critical System Protection console. These rules also use ignore logic and select logic methodology.
■ You can configure and view all rule content from the Symantec Critical System Protection console, which removes the need to use the Authoring Tool.
■ Policy option group naming conventions have been standardized for ease of administration. You can enable and disable entire areas of the policies with option check boxes.
■ Automatic application detection has been updated to enable and disable monitoring without the need for administrators to configure the policy individually per host.
■ You can configure many parameter options individually for each rule. For example, you can configure the Rule Name, Rule Severity, and Rule monitoring content separately for each rule.
■ You can select a severity level for each rule. You no longer need to know specific numerical values for the severity base types.
■ New Web attack detection functionality has been built into the policy to provide monitoring of Web attacks. The types of attacks that are detected include basic SQL injection, directory traversal, vulnerable CGI requests, blacklist IP functionality, and vulnerability scanning detection. Malicious request strings, malicious extension requests, and malicious user agent strings are also detected.
■ You can mouse over parts of the user interface to display descriptions to assist in policy navigation and rule-by-rule overview.
Windows Baseline Detection policy: Introduction (page 56)
Table 5-1 illustrates how the existing policies from previous releases were combined with new options into the 5.2.6 top-level option groups.
Table 5-1 Detection options organization map
Each entry gives the detection option organization in release 5.2.6, followed by the options in previous releases, with new material noted.
System User and Group Change Monitor
■ System_Group_Management_Change
■ System_User_Configuration
■ Enhanced_System_Group_Change (NEW)
System Active-Directory Change Monitor
■ Domain_Trust_Configuration
■ MS_ActiveDirectory_FSMO_Changed
■ System_AuthEncrypt_Configuration
■ AD_Priviledged_Group/User_Change (NEW)
System Login Activity and Access Monitor
■ System_Logoff
■ System_Logon_Success
■ System_Failed_Access_Status
■ Domain_Priviledged_User_Login (NEW)
System Hardening Monitor
■ System_Autorun_Configuration
■ Network_Comm_Configuration
■ System_File_Protection_Status
■ System_Security_Configuration
■ System_StartStop_Options
■ System_Audit_Tampering
■ System_Hardening
System File and Directory Monitor
■ System_Shares_Configuration
■ Host_IDS_File_Tampering
■ Critical_System_File_Monitor (NEW)
System Registry Monitor
■ Critical_Registry_StartPath_Monitor
■ Critical_System_Registry_Monitor (NEW)
Symantec Software Monitoring
■ Symantec_AV_Client_Communication
■ SAV_Critical_Action_Monitor (NEW)
■ SEP_Critical_Action_Monitor (NEW)
External Device Activity Monitor
■ USB_Device_Activity
■ USB_Device_Vendor_Detection (NEW)
■ CD/DVD_Burning_Activity (NEW)
System Attack Detection
■ Generic_Web_Attack_Detection
■ Web_Attack_Detection (NEW)
The policies that perform administrative or troubleshooting activities for Symantec Critical System Protection agents and management server-specific policies were not combined with the Windows Baseline policy.
The following policies were not combined because they serve an administrative purpose outside of normal detection functionality or facilitate the Global Watch functionality:
■ CSP_Agent_Diagnostics
■ CSP_Agent_Status
■ CSP_Server_Monitor
■ Global_Watch_Policy
File monitoring improvements
Windows Baseline Detection policy: File monitoring improvements (page 58)
Symantec Critical System Protection has some file monitoring improvements.
Specific file monitoring changes include the following improvements:
■ You can control and enable the access, delete, modify, and create change monitoring functions on a group-by-group basis.
■ You can control modification differentiating, including algorithm selection, on a group-by-group basis.
■ You can set date and time restrictions within each specific file monitoring group.
■ You can tune the file monitor modified detection operation for specific criteria, such as only for permission changes, size changes, bitmask changes, and so on.
■ You can use specific ignore logic criteria and select logic criteria in each file monitoring group. For example, you can independently configure each file monitoring group to ignore file paths or strings.
Symantec Critical System Protection includes the following enhancements for monitoring files:
■ Symantec Critical System Protection monitors Access Control Lists (ACLs) in file attributes. Table 1-8 describes the Access Control List strings that Symantec Critical System Protection returns.
■ To provide granular control over Windows file change monitoring, Symantec Critical System Protection monitors near real-time changes on local file systems and fixed file systems. It does not monitor changes on removable media or remote network drives. It no longer uses polling intervals. Symantec Critical System Protection uses the FIPS 180-2-compliant Secure Hash Algorithm (SHA-256) to calculate file hashes or checksums at runtime. The MD5 algorithm is no longer used or available. For performance efficiency, you can enable or disable the checksum calculation for each filewatch list. A single hash algorithm is used on all the files in a watched list.
Note: Symantec Critical System Protection continues to poll remote files, such as files on network drives or removable media, every specified interval to detect changes.
■ Symantec Critical System Protection tracks the user names and processes associated with file modifications within Windows Host-based Intrusion Detection Systems. Modifications that are tracked include file opens, file writes, file creations, and file deletions. This feature lets you determine who has accessed and who changed the local files that were accessed through a file share.
Symantec Critical System Protection captures the local user names or remote user names of the users that access a file. This feature does not rely on Windows Event Monitoring, Windows Audit Object Access logging, or UNIX Event Monitoring. Local user names are resolved locally. Remote users' names are obtained by using Active Directory queries. If no names are provided, Symantec Critical System Protection captures the Windows Security IDentifier (SID).
The Symantec Critical System Protection detection agent service must be running for the user name and process tracking functionality to work. If the Symantec Critical System Protection detection agent service is stopped, then the moment that it is restarted it reports the file modification events that took place during the time that it was stopped. However, the user names and processes that are associated with the modifications that took place while the service was stopped are not included for those modifications.
Note: This feature makes use of a file filter driver to capture user name and processes for file modifications. If you use only IDS, you do not need to restart after installation. If you enable IPS features during installation, you do need to restart.
Windows-specific policy improvements
Windows Baseline Detection policy: Windows-specific policy improvements (page 59)
Windows-specific policy changes include the following improvements:
■ Product-specific monitoring areas for key Symantec applications such as Symantec AntiVirus and Symantec Endpoint Protection. Improved monitoring of endpoint security products provides administrators more finite events that are tailored for compatibility.
■ Improved external device detection now includes event generation for CD and DVD burning activity.
■ Critical Windows registry change detection has been added. Critical auto start areas of the Windows operating system are monitored to ensure that the host system security is maintained. New registry paths for Auto Start Keys have been added.
Note: Registry monitoring has the same options as the rewritten file and directory monitoring.
About rule options
Windows Baseline Detection policy: About rule options (page 60)
Symantec Critical System Protection provides specific content control per rule from the console. Each rule in the Baseline policy has required parameters. These rules can be viewed and customized from the console.
The options in Table 5-2 are available for each rule that is displayed in the Policy Settings pane.
Table 5-2 Rule options
Rule Name: The name that is associated with the rule that generates the specific event. A single string value is allowed in the string field.
Severity: The severity of the event. Available for each rule of the policy. You can only select one severity level, Info, Notice, Warning, Major, or Critical, for each rule.
Event IDs: Parameter options for Windows event log watch rules. Separate multiple event IDs with a comma (,) in this string list. You can add, edit, and remove event IDs.
File Paths: Parameter options for filewatch rules. You can use multiple file paths with associated wildcard entries in this string list. You can add, edit, and remove file paths.
Registry Paths: Parameter options for registry watch rules. You can use multiple Windows registry paths with associated wildcard entries in this string list. You can add, edit, and remove registry paths.
Select Strings: Used in rule select logic. Symantec Critical System Protection uses primary logic or initial sifting method for rule event generation. Use an asterisk (*) to select all the events that the criteria you entered previously generate, for example, criteria such as event IDs, file paths, registry paths, or log strings previously defined. With this option you can specifically tune rules for administrator needs.
For example, if you change the select string on a filewatch rule from * to *Permission*, then that rule only generates a filewatch event if that event contains the string “Permission.” You can have multiple select strings in this string list. All strings are case insensitive. You can add, edit, and remove select strings.
Ignore Strings: Used in rule ignore logic. Symantec Critical System Protection uses secondary ignore logic or ignore sifting method for rule event generation. Almost all rule parameter options contain a blank value, which signifies that a null value or no value is associated with the ignore logic statement. Symantec Critical System Protection ignores any string in this field other than a blank value upon pattern matching on the final event generation. Ignore strings also provide you with the ability to perform advanced rule-by-rule tuning. You can have multiple ignore strings in this string list. All strings are case insensitive. You can add, edit, and remove ignore strings.
The ignore criteria ignore items that have a tendency to change frequently or items that are not a part of the core system and configuration. These ignore items are items such as logs, temp directory, and so on.
Note: Each parameter is preconfigured with default values to ensure the functionality of the rule. Changes to rule name and severity do not affect the overall operation of the rule.
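The sifting order that Table 5-2 describes (event IDs, then select strings, then ignore strings, all wildcards case insensitive), as an added illustration rather than product code. Rule names, severities and event IDs for the two account rules are taken from Tables 6-2 and 6-3 in Chapter 6; the Rule class, the rule_fires and evaluate functions, the source field, the filewatch rule and every event text are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One Baseline policy rule as exposed in the console (parameters of Table 5-2)."""
    name: str
    severity: str
    source: str                                # collector feeding the rule: "eventlog" or "filewatch"
    event_ids: Tuple[int, ...] = ()            # Windows event log watch rules only
    select_strings: Tuple[str, ...] = ("*",)   # primary sifting; "*" selects everything
    ignore_strings: Tuple[str, ...] = ()       # secondary sifting; a blank entry ignores nothing


def _wildcard(pattern: str) -> "re.Pattern[str]":
    """'*' matches zero or more characters; all other text is literal; case-insensitive."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE | re.DOTALL)


def rule_fires(rule: Rule, event: Dict) -> bool:
    """Apply the documented order: criteria (event IDs), then select logic, then ignore logic."""
    if event["source"] != rule.source:
        return False
    if rule.event_ids and event.get("event_id") not in rule.event_ids:
        return False
    text = event["text"]
    if not any(_wildcard(s).fullmatch(text) for s in rule.select_strings):
        return False                           # not selected by the primary sift
    if any(s.strip() and _wildcard(s).fullmatch(text) for s in rule.ignore_strings):
        return False                           # selected, then dropped by the ignore sift
    return True


def evaluate(rules: List[Rule], events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, event text) for each event that generates a console event."""
    return [(r.name, r.severity, ev["text"])
            for ev in events for r in rules if rule_fires(r, ev)]


RULES = [
    # Names, severities and event IDs below are the guide's own (Tables 6-2 and 6-3).
    Rule("AA_Account_Created", "Warning", "eventlog", event_ids=(629, 4720)),
    Rule("Account_Deleted", "Warning", "eventlog", event_ids=(630, 4726)),
    # Constructed filewatch rule, tuned as in the Select Strings example of Table 5-2.
    Rule("Example_Permission_Change", "Major", "filewatch",
         select_strings=("*Permission*",),                 # changed from the default "*"
         ignore_strings=("*\\Windows\\Temp\\*", "")),      # blank entry is a no-op
]

# Constructed sample events; the texts are illustrative, not real log output.
SAMPLE_EVENTS = [
    {"source": "eventlog", "event_id": 4720, "text": "A user account was created. Target: CORP\\svc-backup"},
    {"source": "eventlog", "event_id": 4726, "text": "A user account was deleted. Target: CORP\\jdoe"},
    {"source": "eventlog", "event_id": 4624, "text": "An account was successfully logged on."},
    {"source": "filewatch", "text": "permission changed: C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"source": "filewatch", "text": "Permission changed: C:\\Windows\\Temp\\upd1234.log"},
    {"source": "filewatch", "text": "Modified: C:\\Windows\\System32\\config\\SAM"},
]

if __name__ == "__main__":
    for name, severity, text in evaluate(RULES, SAMPLE_EVENTS):
        print(f"[{severity}] {name}: {text}")
```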
Chapter 6
Policy options
This chapter includes the following topics:
■ System User and Group Change Monitor
■ System Active Directory Change Monitor
■ System Login Activity and Access Monitor
■ System Hardening Monitor
■ System File and Directory Monitor
■ System Registry Monitor
■ System Symantec Software Monitor
■ System External Device Activity
■ System Attack Detection
System User and Group Change Monitor
This option group section of the policy monitors for specific user and group change-based events.
System User Configuration Changes
This option group subsection monitors user changes from local account manipulation to the user activity that warrants event detection in Active Directory environments.
Table 6-1 Description of the Account Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Changed
Rule Name: ZZ_Account_Changed
Severity: Warning
Event IDs: 642, 4738, 685
Description: Detects the changes that are made to user accounts on the local system.
Table 6-2 Description of the Account Created parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Created
Rule Name: AA_Account_Created
Severity: Warning
Event IDs: 629, 4720
Description: Detects the creation of user accounts on the local system.
Table 6-3 Description of the Account Deleted parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Deleted
Rule Name: Account_Deleted
Severity: Warning
Event IDs: 630, 4726
Description: Detects the deletion of user accounts on the local system.
Policy options: System User and Group Change Monitor (page 64)
Table 6-4 Description of the Account Disabled parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Disabled
Rule Name: Account_Disabled
Severity: Warning
Event IDs: 629, 4725
Description: Detects the disabling of user accounts on the local system.
Table 6-5 Description of the Account Enabled parameters used
DescriptionParameter
SystemUser andGroupChangeMonitor > SystemUser ConfigurationChanges
Option Path
Account EnabledOption
Account_EnabledRule Name
WarningSeverity
626, 4722Event IDs
Detects the enabling of user accounts on the local system.Description
Table 6-6 Description of the Local Account Locked Out parameters used
DescriptionParameter
SystemUser andGroupChangeMonitor > SystemUser ConfigurationChanges
Option Path
Local Account Locked OutOption
System_User_Configuration_Local_Account_Locked_OutRule Name
WarningSeverity
644, 4740Event IDs
Detects the locking of a user account on the local system.Description
Table 6-7 Description of the Local Account Lock Out Threshold, Time Interval, and Severity parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Local Account Lock Out Threshold, Time Interval, and Severity
Severity       Critical
Count          10
Interval       3
Description    Detects the locking of a user account on the local system, then generates a higher severity event based on the user-defined threshold values.
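The threshold option above folds the lockout events of Table 6-6 into one higher-severity event once enough of them hit the same account inside a short window. The following is an added example, not code from the guide or from Symantec Critical System Protection, showing one way to implement that sliding-window escalation over Security-log records. The guide does not state the unit of the Interval value, so minutes are assumed; the event records are constructed for the example.

```python
"""Added example (not Symantec's code): escalate repeated account lockouts.

Models the "Local Account Lock Out Threshold, Time Interval, and Severity"
option of Table 6-7. Every lockout (Windows event 644 or 4740, Table 6-6)
is reported at Warning; once `count` lockouts of the same account fall
inside `interval`, the newest one is reported at Critical instead. The
guide does not state the unit of Interval, so minutes are assumed. The
event records below are constructed for the example, not captured logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_EVENT_IDS = {644, 4740}


def escalate_lockouts(events, count=10, interval=timedelta(minutes=3)):
    """Yield (severity, account, timestamp) for each lockout in `events`.

    `events` is an iterable of dicts with EventID, TimeCreated (datetime)
    and TargetUserName, in time order. One sliding window per account holds
    the timestamps of recent lockouts; timestamps older than `interval` are
    evicted before the length check, so a Critical is raised only when
    `count` lockouts really fall inside the interval. The window is cleared
    after a Critical so that a continuing burst is counted afresh.
    """
    windows = defaultdict(deque)
    for ev in events:
        if ev["EventID"] not in LOCKOUT_EVENT_IDS:
            continue  # not a lockout; other rules handle it
        account = ev["TargetUserName"].lower()
        window = windows[account]
        window.append(ev["TimeCreated"])
        while window and ev["TimeCreated"] - window[0] > interval:
            window.popleft()
        if len(window) >= count:
            window.clear()
            yield ("Critical", account, ev["TimeCreated"])
        else:
            yield ("Warning", account, ev["TimeCreated"])


def sample_events():
    """Constructed Security-log records: a 12-lockout burst on one service
    account, three widely spaced lockouts on a user, and one unrelated
    account-enabled event (4722) that the rule must ignore."""
    base = datetime(2012, 1, 1, 8, 0, 0)
    burst = [{"EventID": 4740, "TimeCreated": base + timedelta(seconds=10 * i),
              "TargetUserName": "svc-backup"} for i in range(12)]
    slow = [{"EventID": 4740, "TimeCreated": base + timedelta(minutes=5 * i),
             "TargetUserName": "jdoe"} for i in range(3)]
    noise = [{"EventID": 4722, "TimeCreated": base, "TargetUserName": "jdoe"}]
    return sorted(burst + slow + noise, key=lambda e: e["TimeCreated"])


def run(events=None, **thresholds):
    """Return the list of (severity, account, timestamp) results."""
    if events is None:
        events = sample_events()
    return list(escalate_lockouts(events, **thresholds))


if __name__ == "__main__":
    for severity, account, when in run():
        print(f"{when:%H:%M:%S}  {severity:<8}  {account}")
```

The same counter serves any per-account or per-source event, for instance the Kerberos pre-authentication failures (675, 4771) of Table 6-66, by swapping the event ID set and the key the window is built on.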
Table 6-8 Description of the Local Account Unlocked parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Local Account Unlocked
Rule Name      Local_Account_Unlocked
Severity       Warning
Event IDs      671, 4767
Description    Detects the unlocking of a user account on the local system.

Table 6-9 Description of the Admin Passwd Change Failed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Admin Passwd Change Failed
Rule Name      Admin_Passwd_Change_Failed
Severity       Critical
Event IDs      627, 4723
Description    Detects failed attempts to change the administrator password.
Table 6-10 Description of the User Added to Global Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Added to Global Group
Rule Name      User_Added_to_Global_Group
Severity       Warning
Event IDs      632, 4728
Description    Detects the addition of a user to a global group. This rule applies to Windows servers that act as domain controllers.

Table 6-11 Description of the User Removed from Global Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Removed from Global Group
Rule Name      User_Removed_from_Global_Group
Severity       Warning
Event IDs      633, 4729
Description    Detects the removal of a user from a global group. This rule applies to Windows servers that act as domain controllers.

Table 6-12 Description of the Guest Password Change Failed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Guest Password Change Failed
Rule Name      Guest_Passwd_Change_Failed
Severity       Critical
Event IDs      627, 4723
Description    Detects a failed attempt to change the guest account's password.
Table 6-13 Description of the User Added to Local Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Added to Local Group
Rule Name      User_Added_to_Local_Group
Severity       Warning
Event IDs      636, 4732
Description    Detects the addition of a user to a local group.

Table 6-14 Description of the User Removed from Local Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Removed from Local Group
Rule Name      User_Removed_from_Global_Group (as printed in the guide)
Severity       Warning
Event IDs      637, 4733
Description    Detects the removal of a user from a local group.
Note: Event IDs 637 and 4733 are the Windows events for a member removed from a security-enabled local group, the counterpart of Table 6-13. The guide labels this table with the global-group option and rule name of Table 6-11, which uses 633 and 4729; check the rule name in the policy itself.
Table 6-15 Description of the Right Assigned parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Right Assigned
Rule Name      Right_Assigned
Severity       Warning
Event IDs      608, 4704, 4717
Description    Detects that an access right has been assigned to a user.

Table 6-16 Description of the Right Removed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Right Removed
Rule Name      Right_Removed
Severity       Warning
Event IDs      609, 4705, 4718
Description    Detects that an access right has been removed from a user.

Table 6-17 Description of the User Password Change Failed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Password Change Failed
Rule Name      User_Password_Change_Failed
Severity       Warning
Event IDs      627, 4723
Description    Detects a failed attempt to change a user's password.

Table 6-18 Description of the User Added to Universal Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Added to Universal Group
Rule Name      User_Added_to_Universal_Group
Severity       Warning
Event IDs      660, 4756
Description    Detects the addition of a user to a universal group. This rule applies to Windows servers that act as domain controllers.

Table 6-19 Description of the User Removed from Universal Grp parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Removed from Universal Grp
Rule Name      User_Removed_from_Universal_Grp
Severity       Warning
Event IDs      661, 4757
Description    Detects the removal of a user from a universal group. This rule applies to Windows servers that act as domain controllers.
Table 6-20 Description of the User Added to Local Distribution Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Added to Local Distribution Group
Rule Name      User_Add_Local_Distribution_Grp
Severity       Warning
Event IDs      650, 4746
Description    Detects the addition of a user to a local distribution group.

Table 6-21 Description of the User Added to Global Distribution Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Added to Global Distribution Group
Rule Name      User_Add_Global_Distribution_Grp
Severity       Warning
Event IDs      655, 4751
Description    Detects the addition of a user to a global distribution group.

Table 6-22 Description of the User Added to Universal Distribution Group parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Added to Universal Distribution Group
Rule Name      User_Add_Univ_Distribution_Grp
Severity       Warning
Event IDs      665, 4761
Description    Detects the addition of a user to a universal distribution group.
Table 6-23 Description of the Administrator Changed Admin Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Administrator Changed Admin Password
Rule Name      Admin_Changed_Admin_Passwd
Severity       Warning
Event IDs      627, 628, 4723, 4724
Description    Detects that the administrator changed the administrator's own password.

Table 6-24 Description of the Guest Changed Admin Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Guest Changed Admin Password
Rule Name      Guest_Changed_Admin_Passwd
Severity       Critical
Event IDs      627, 628, 4723, 4724
Description    Detects that a guest changed the administrator password.

Table 6-25 Description of the User Changed Admin Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Changed Admin Password
Rule Name      User_Changed_Admin_Passwd
Severity       Major
Event IDs      627, 628, 4723, 4724
Description    Detects that a user changed the administrator password.
Table 6-26 Description of the Administrator Changed Guest Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Administrator Changed Guest Password
Rule Name      Admin_Changed_Guest_Passwd
Severity       Warning
Event IDs      627, 628, 4723, 4724
Description    Detects that the administrator changed the guest password.

Table 6-27 Description of the Guest Changed Guest Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Guest Changed Guest Password
Rule Name      Guest_Changed_Guest_Passwd
Severity       Notice
Event IDs      627, 628, 4723, 4724
Description    Detects that the guest changed the guest password.

Table 6-28 Description of the User Changed Guest Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Changed Guest Password
Rule Name      User_Changed_Guest_Passwd
Severity       Notice
Event IDs      627, 628, 4723, 4724
Description    Detects that a user changed the guest password.
Table 6-29 Description of the Administrator Changed User Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Administrator Changed User Password
Rule Name      Admin_Changed_User_Passwd
Severity       Notice
Event IDs      627, 628, 4723, 4724
Description    Detects that the administrator changed a user's password.

Table 6-30 Description of the Guest Changed User Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Guest Changed User Password
Rule Name      Guest_Changed_User_Passwd
Severity       Warning
Event IDs      627, 628, 4723, 4724
Description    Detects that the guest changed a user's password.

Table 6-31 Description of the User Changed User Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         User Changed User Password
Rule Name      User_Changed_User_Passwd
Severity       Notice
Event IDs      627, 628, 4723, 4724
Description    Detects that a user changed another user's password.

Table 6-32 Description of the Administrator Changed Guest Password parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System User Configuration Changes
Option         Administrator Changed Guest Password
Rule Name      Admin_Changed_Guest_Passwd
Severity       Notice
Event IDs      627, 628, 4723, 4724
Description    Detects that the administrator changed the guest password.
Note: Table 6-32 repeats the Administrator Changed Guest Password option of Table 6-26 with severity Notice instead of Warning. Check the severity in the policy itself before relying on either value.
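Tables 6-9, 6-12, 6-17 and 6-23 to 6-32 all consume the same two event pairs (627/4723 and 628/4724) and differ only in who acted, whose password was affected, and whether the attempt succeeded. The following added example, which is not code from the guide or from the product, routes constructed Security-log records to those rule names and severities. The guide does not say how the product decides that an account is the Administrator, the Guest, or an ordinary user; the example uses the well-known RIDs 500 and 501 when a SID is present and falls back to the account name, which is an assumption.

```python
"""Added example (not Symantec's code): route password-change audit events
to the rule names and severities of Tables 6-9, 6-12, 6-17 and 6-23 to 6-31.

Windows writes 627/4723 when a principal changes a password by supplying
the old one (normally its own account) and 628/4724 when it resets a
password without the old one. Both carry a Subject (who acted), a Target
(whose password) and a success or failure keyword. The account classes
Administrator, Guest and User are derived here from the well-known RIDs
500 and 501 when a SID is present, falling back to the account name; the
guide does not say how the product itself classifies accounts, so this is
an assumption. The event records below are constructed, not captured.
"""
CHANGE_IDS = {627, 4723}   # password change attempt (old password supplied)
RESET_IDS = {628, 4724}    # password reset by another principal

# Failed change attempts: keyed by the target's class (Tables 6-9, 6-12, 6-17).
FAILED = {
    "Admin": ("Admin_Passwd_Change_Failed", "Critical"),
    "Guest": ("Guest_Passwd_Change_Failed", "Critical"),
    "User": ("User_Password_Change_Failed", "Warning"),
}

# Successful changes and resets: keyed by (subject class, target class)
# (Tables 6-23 to 6-31; Table 6-26 rather than its duplicate 6-32 is used).
CHANGED = {
    ("Admin", "Admin"): ("Admin_Changed_Admin_Passwd", "Warning"),
    ("Guest", "Admin"): ("Guest_Changed_Admin_Passwd", "Critical"),
    ("User", "Admin"): ("User_Changed_Admin_Passwd", "Major"),
    ("Admin", "Guest"): ("Admin_Changed_Guest_Passwd", "Warning"),
    ("Guest", "Guest"): ("Guest_Changed_Guest_Passwd", "Notice"),
    ("User", "Guest"): ("User_Changed_Guest_Passwd", "Notice"),
    ("Admin", "User"): ("Admin_Changed_User_Passwd", "Notice"),
    ("Guest", "User"): ("Guest_Changed_User_Passwd", "Warning"),
    ("User", "User"): ("User_Changed_User_Passwd", "Notice"),
}


def account_class(name, sid=None):
    """Classify an account as Admin, Guest or User (assumed method).

    The RID is the last component of the SID: 500 is the built-in
    Administrator and 501 the built-in Guest even after they are renamed.
    """
    if sid:
        rid = sid.rsplit("-", 1)[-1]
        if rid == "500":
            return "Admin"
        if rid == "501":
            return "Guest"
    lowered = name.lower()
    if lowered == "administrator":
        return "Admin"
    if lowered == "guest":
        return "Guest"
    return "User"


def classify(ev):
    """Return (rule_name, severity, kind) or None when no option applies."""
    eid = ev["EventID"]
    if eid in CHANGE_IDS:
        kind = "change"
    elif eid in RESET_IDS:
        kind = "reset"
    else:
        return None
    target = account_class(ev["TargetUserName"], ev.get("TargetUserSid"))
    if ev.get("Keywords") == "Audit Failure":
        # The guide lists failure rules only for 627/4723, so a failed reset
        # (628/4724) matches nothing here and is left to other rules.
        return (*FAILED[target], kind) if kind == "change" else None
    subject = account_class(ev["SubjectUserName"], ev.get("SubjectUserSid"))
    return (*CHANGED[(subject, target)], kind)


def sample_events():
    """Constructed Security-log records (not real captures)."""
    dom = "S-1-5-21-1000-2000-3000-"
    return [
        {"EventID": 4723, "Keywords": "Audit Success",
         "SubjectUserName": "jdoe", "SubjectUserSid": dom + "1105",
         "TargetUserName": "jdoe", "TargetUserSid": dom + "1105"},
        {"EventID": 4724, "Keywords": "Audit Success",
         "SubjectUserName": "Administrator", "SubjectUserSid": dom + "500",
         "TargetUserName": "jdoe", "TargetUserSid": dom + "1105"},
        {"EventID": 4724, "Keywords": "Audit Success",
         "SubjectUserName": "helpdesk1", "SubjectUserSid": dom + "1201",
         "TargetUserName": "Administrator", "TargetUserSid": dom + "500"},
        {"EventID": 4723, "Keywords": "Audit Failure",
         "SubjectUserName": "Administrator", "SubjectUserSid": dom + "500",
         "TargetUserName": "Administrator", "TargetUserSid": dom + "500"},
        {"EventID": 4724, "Keywords": "Audit Success",
         "SubjectUserName": "Guest", "SubjectUserSid": dom + "501",
         "TargetUserName": "Administrator", "TargetUserSid": dom + "500"},
        # Renamed built-in Administrator: the RID, not the name, identifies it.
        {"EventID": 4724, "Keywords": "Audit Success",
         "SubjectUserName": "rootadm", "SubjectUserSid": dom + "500",
         "TargetUserName": "jdoe", "TargetUserSid": dom + "1105"},
        # Failed reset: no rule in the guide, so classify() returns None.
        {"EventID": 4724, "Keywords": "Audit Failure",
         "SubjectUserName": "helpdesk1", "SubjectUserSid": dom + "1201",
         "TargetUserName": "jdoe", "TargetUserSid": dom + "1105"},
        # Account creation: handled by Table 6-2, not by these rules.
        {"EventID": 4720, "Keywords": "Audit Success",
         "SubjectUserName": "Administrator", "TargetUserName": "newuser"},
    ]


def classify_all(events):
    """Return the classification of every event that matched a rule."""
    return [r for r in (classify(ev) for ev in events) if r is not None]


if __name__ == "__main__":
    for rule, severity, kind in classify_all(sample_events()):
        print(f"{severity:<9} {rule:<30} ({kind})")
```

Two points are worth keeping in mind when tuning these options: a self-service change (4723 with subject equal to target) lands in the same User_Changed_User_Passwd bucket as a change of another user's password, because the tables define no separate rule for it, and matching on the RID rather than the name keeps the Administrator and Guest rules working after the built-in accounts are renamed.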
System Group Changes
This option group subsection detects group changes by monitoring the manipulation of the following groups:
■ Global groups
■ Local groups
■ Universal groups
■ Local distribution groups
■ Global distribution groups
■ Universal distribution groups
It monitors the security-relevant changes that warrant event detection.
Event detection includes administrator actions such as the creation, change, or deletion of security-enabled local, global, or universal groups. Security groups allow the system administrator or domain administrator to establish a standard set of user permissions for groups of application users. Changes, additions, or deletions to the security groups are normal behavior in an extended enterprise if the system administrator actively manipulates these groups. If the system administrator or domain administrator does not actively manipulate security groups, these events can indicate illegitimate activity.
Table 6-33 Description of the Global Group Changed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Global Group Changed
Rule Name      Global_Group_Changed
Severity       Information
Event IDs      641, 4737
Description    Detects that a global group was changed.

Table 6-34 Description of the Global Group Created parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Global Group Created
Rule Name      Global_Group_Created
Severity       Warning
Event IDs      631, 4727
Description    Detects that a global group was created.

Table 6-35 Description of the Global Group Deleted parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Global Group Deleted
Rule Name      Global_Group_Deleted
Severity       Warning
Event IDs      634, 4730
Description    Detects that a global group was deleted.
Table 6-36 Description of the Local Group Changed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Local Group Changed
Rule Name      Local_Group_Changed
Severity       Information
Event IDs      639, 4735
Description    Detects that a local group was changed.

Table 6-37 Description of the Local Group Created parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Local Group Created
Rule Name      Local_Group_Created
Severity       Warning
Event IDs      635, 4731
Description    Detects that a local group was created.

Table 6-38 Description of the Local Group Deleted parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Local Group Deleted
Rule Name      Local_Group_Deleted
Severity       Warning
Event IDs      638, 4734
Description    Detects that a local group was deleted.
Table 6-39 Description of the Universal Group Changed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Universal Group Changed
Rule Name      Universal_Group_Changed
Severity       Information
Event IDs      659, 4755
Description    Detects that a universal group was changed.

Table 6-40 Description of the Universal Group Created parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Universal Group Created
Rule Name      Universal_Group_Created
Severity       Warning
Event IDs      658, 4754
Description    Detects that a universal group was created.

Table 6-41 Description of the Universal Group Deleted parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Universal Group Deleted
Rule Name      Universal_Group_Deleted
Severity       Warning
Event IDs      662, 4758
Description    Detects that a universal group was deleted.
Table 6-42 Description of the Local Distribution Group Created parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Local Distribution Group Created
Rule Name      Local_Distribution_Grp_Created
Severity       Warning
Event IDs      648, 4744
Description    Detects when a local distribution group was created. Distribution lists can be created and managed through the Active Directory MMC. Local distribution groups can include other groups and accounts from Windows Server 2003, Windows 2000, or Windows NT domains, and can be granted permissions only within a domain.

Table 6-43 Description of the Local Distribution Group Changed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Local Distribution Group Changed
Rule Name      Local_Distribution_Grp_Changed
Severity       Warning
Event IDs      649, 4745
Description    Detects when a local distribution group was changed.

Table 6-44 Description of the Local Distribution Group Deleted parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Local Distribution Group Deleted
Rule Name      Local_Distribution_Grp_Delete
Severity       Warning
Event IDs      652, 4748
Description    Detects when a local distribution group was deleted.
Table 6-45 Description of the Global Distribution Group Created parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Global Distribution Group Created
Rule Name      Global_Distribution_Grp_Created
Severity       Warning
Event IDs      653, 4749
Description    Detects when a global distribution group was created. Distribution lists can be created and managed through the Active Directory MMC. Global distribution groups can include other groups and accounts only from the domain in which the group is defined. They can be granted permissions in any domain in the forest.

Table 6-46 Description of the Global Distribution Group Changed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Global Distribution Group Changed
Rule Name      Global_Distribution_Grp_Changed
Severity       Warning
Event IDs      654, 4750
Description    Detects when a global distribution group was changed.

Table 6-47 Description of the Global Distribution Group Deleted parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Global Distribution Group Deleted
Rule Name      Global_Distribution_Grp_Deleted
Severity       Warning
Event IDs      657, 4753
Description    Detects when a global distribution group was deleted.
Table 6-48 Description of the Universal Distribution Group Created parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Universal Distribution Group Created
Rule Name      Univ_Distribution_Grp_Created
Severity       Warning
Event IDs      663, 4759
Description    Detects when a universal distribution group was created. Distribution lists can be created and managed through the Active Directory MMC. Universal distribution groups can include other groups and accounts from any domain in the domain tree or forest. They can be granted permissions in any domain in the domain tree or forest.

Table 6-49 Description of the Universal Distribution Group Changed parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Universal Distribution Group Changed
Rule Name      Univ_Distribution_Grp_Changed
Severity       Warning
Event IDs      664, 4760
Description    Detects when a universal distribution group was changed.

Table 6-50 Description of the Universal Distribution Group Deleted parameters used
Parameter      Description
Option Path    System User and Group Change Monitor > System Group Changes
Option         Universal Distribution Group Deleted
Rule Name      Univ_Distribution_Grp_Deleted
Severity       Warning
Event IDs      667, 4763
Description    Detects when a universal distribution group was deleted.
System Active Directory Change Monitor
This option group section of the policy monitors specific Active Directory-based events. These events include potentially suspicious domain trust events, FSMO changes, and authentication or encryption configuration changes. These events may be indicative of malicious configuration, which may affect the Active Directory system itself as well as downstream systems.

Active Directory Domain Trust Configuration
This portion of the policy detects the creation or removal of a trusted domain relationship and changes to the Windows Domain Policy. Domain trust relationships allow multiple Windows domains to share resources. They also allow users from one domain to log on and interact as trusted users in a foreign domain. Creation or removal of trusted domain relationships is expected behavior in extended enterprises. If this behavior is unexpected, it could indicate a serious security compromise at the domain level.
Configuration: Settings > Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Audit Policy > Audit account management for success and failure, Audit policy change for success and failure.
Table 6-51 Description of the Trusted Domain Created parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option         Trusted Domain Created
Rule Name      Trusteded_Domain_Created
Severity       Warning
Event IDs      610, 4706
Description    Detects the creation of a trusted domain relationship with the primary domain controller.

Table 6-52 Description of the Domain Policy Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option         Domain Policy Changed
Rule Name      Domain_Policy_Changed
Severity       Warning
Event IDs      643, 4739
Description    Detects all Windows Domain Policy changes.

Table 6-53 Description of the Trusted Domain Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option         Trusted Domain Changed
Rule Name      Trusted_Domain_Changed
Severity       Warning
Event IDs      620, 4716
Description    Detects the modification of trusted domain information.

Table 6-54 Description of the Trusted Domain Removed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option         Trusted Domain Removed
Rule Name      Trusted_Domain_Removed
Severity       Warning
Event IDs      611, 4707
Description    Detects the removal of a trusted domain relationship from the primary domain controller.
Active Directory FSMO Changes
This option group subsection monitors changes to Active Directory's Flexible Single Master Operations (FSMO) roles. The Schema Master, Domain Master (Domain Naming Master), RID Master, PDC Emulator, and Infrastructure Master roles are critical functions of Active Directory that should be monitored. Changes to these roles outside normal administrative tasks can indicate illegitimate activity.
Table 6-55 Description of the Schema Master Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory FSMO Changes
Option         Schema Master Changed
Rule Name      Schema_Master_Changed
Severity       Warning
Event IDs      565, 566, 4661, 4662
Description    Detects a change to the Active Directory FSMO Schema Master role.

Table 6-56 Description of the Domain Master Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory FSMO Changes
Option         Domain Master Changed
Rule Name      Domain_Master_Changed
Severity       Warning
Event IDs      565, 566, 4661, 4662
Description    Detects a change to the Active Directory FSMO Domain Naming Master role.

Table 6-57 Description of the RID Master Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory FSMO Changes
Option         RID Master Changed
Rule Name      RID_Master_Changed
Severity       Warning
Event IDs      565, 566, 4661, 4662
Description    Detects a change to the Active Directory FSMO RID Master role.

Table 6-58 Description of the PDC Emulator Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory FSMO Changes
Option         PDCEmulator Changed
Rule Name      PDCEmulator_Changed
Severity       Warning
Event IDs      565, 566, 4661, 4662
Description    Detects a change to the Active Directory FSMO PDC Emulator role.

Table 6-59 Description of the Infrastructure Master Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Active Directory FSMO Changes
Option         Infrastructure Master Changed
Rule Name      Infrastructure_Changed
Severity       Warning
Event IDs      565, 566, 4661, 4662
Description    Detects a change to the Active Directory FSMO Infrastructure Master role.
Authentication and Encryption Configuration
This option group subsection detects normal Active Directory authentication activity as well as changes to Windows Active Directory authentication and encryption settings. Changes to these settings are normally necessary to allow non-Windows clients to access the domain. Windows writes the events to the event logs, and Symantec Critical System Protection monitors the registry keys or Event IDs.
Table 6-60 Description of the Authentication Packages Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         Authentication Packages Changed
Rule Name      Authentication_Packages_Changed
Severity       Warning
Registry Paths \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Authentication Packages
Description    Detects changes to the Windows authentication packages, according to the registry setting monitored.

Table 6-61 Description of the Auth Ticket Request Failure parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         Auth Ticket Request Failure
Rule Name      Auth_Ticket_Request_Failure
Severity       Notice
Event IDs      676, 672, 4772, 4768
Description    Detects a failed Kerberos authentication ticket (TGT) request made by a Windows client to Active Directory.

Table 6-62 Description of the EnableSecuritySignature Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         EnableSecuritySignature Changed
Rule Name      EnableSecuritySignature_Changed
Severity       Warning
Registry Paths \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanMan*\Parameters\EnableSecuritySignature
Description    Detects changes to the Windows security signature (SMB signing) state.
Table 6-63 Description of the Kerberos Ticket Request Failed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         Kerberos Ticket Request Failed
Rule Name      Kerberos_Service_Ticket_Request_Failed
Severity       Notice
Event IDs      677, 673, 4773, 4769
Description    Detects a failed Kerberos service ticket request made to an Active Directory server. This failure may occur while security credentials are being negotiated between the client and the Active Directory server. It can also indicate that an untrusted client has attempted to access resources in this Active Directory domain.

Table 6-64 Description of the LMCompatibilityLevel Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         LMCompatibilityLevel Changed
Rule Name      LMCompatibilityLevel_Changed
Severity       Warning
Registry Paths \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel
Description    Detects changes to the LAN Manager authentication level (LMCompatibilityLevel), which controls whether LM, NTLM, or NTLMv2 responses are used, according to the registry setting monitored. Lowering this value weakens network authentication for every client of the system.
Table 6-65 Description of the NotificationPackages Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         NotificationPackages Changed
Rule Name      NotificationPackages_Changed
Severity       Warning
Registry Paths \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\NotificationPackages
Description    Detects changes in the state of the Windows Local Security Authority notification packages. A DLL listed here is loaded into the LSA as a password filter and sees cleartext passwords at change time, so an unexpected entry warrants investigation.

Table 6-66 Description of the Pre Authentication Failure parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         Pre Authentication Failure
Rule Name      Pre_Authentication_Failure
Severity       Warning
Event IDs      675, 4771
Description    Detects a Kerberos pre-authentication failure with Active Directory. This event can occur while security credentials are being negotiated between the client and the Active Directory server. It can also indicate that an untrusted client has attempted to access resources in this Active Directory domain; a burst of these events for one account or from one client address is the usual footprint of password guessing.

Table 6-67 Description of the RequireSecureSign Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         RequireSecureSign Changed
Rule Name      RequireSecureSign_Changed
Severity       Warning
Registry Paths \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanMan*\Parameters\RequireSecuritySignature
Description    Detects changes in the Windows LAN Manager security signature requirement.

Table 6-68 Description of the RestrictNullSessAccess Changed parameters used
Parameter      Description
Option Path    System Active Directory Change Monitor > Authentication and Encryption Configuration
Option         RestrictNullSessAccess Changed
Rule Name      RestrictNullSessAccess_Changed
Severity       Warning
Registry Paths \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\RestrictNullSessAccess
Description    Detects changes in the Windows null session access restrictions.
Table 6-69 Description of theAuthentication Ticket Granted parameters used
DescriptionParameter
System Active Directory Change Monitor > Authentication andEncryption Configuration
Option Path
Authentication Ticket GrantedOption
Authentication_Ticket_GrantedRule Name
NoticeSeverity
672, 4768Event IDs
Detects when an Active Directory server grants an authenticationticket to a computer that runs Windows. This behavior is normal andoften indicates that a domain user has logged on to aWindows client.
Description
Table 6-70 Description of the Kerberos Policy Changed parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Kerberos Policy Changed
Rule Name: Kerberos_Policy_Changed
Severity: Notice
Event IDs: 617, 4713
Description: Detects the updates to the Kerberos authentication policy. This normal activity occurs at 5-minute intervals when the domain group policy object is updated every 16 hours, regardless of the following items:
■ Policy object status
■ When the group policies are manually propagated
Table 6-71 Description of the Kerberos Service Ticket Granted parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Kerberos Service Ticket Granted
Rule Name: Kerberos_Service_Ticket_Granted
Severity: Notice
Event IDs: 673, 4769
Description: Detects the grant of a Kerberos service ticket to Windows by Active Directory. This event indicates that a client has been granted permission to interact in this Active Directory domain.
Table 6-72 Description of the Trusted Logon Process Register parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Trusted Logon Process Register
Rule Name: Trusted_Logon_Process_Register
Severity: Notice
Event IDs: 515, 4611
Description: Detects the Windows registration of a trusted logon process to the Local Security Authority.
Table 6-73 Description of the Encrypted Data Policy Change parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Encrypted Data Policy Change
Rule Name: Encrypted_Data_Policy_Change
Severity: Notice
Event IDs: 618, 4714
Description: Detects the changes to the encrypted data recovery policy.
Table 6-74 Description of the Quality Service Policy Changes parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Quality Service Policy Changes
Rule Name: Quality_Service_Policy_Changed
Severity: Notice
Event IDs: 619, 4715
Description: Detects the changes to the quality of service policy.
System Login Activity and Access Monitor
This option group section of the policy monitors the system access activity that may indicate illegitimate activity. Portions of this section also monitor the successful logon attempts of individuals through various means. These monitoring areas can be used for the following tasks:
■ To acquire a timeline of when an individual logon to a specific system has occurred.
■ To detect other suspicious system access activity.
■ To alert on brute force password attempts.
System Login Success Monitor
This option group subsection monitors for successful logons by using various means of remote desktop, FTP, and logon attempts based on user-defined non-working hours. You can match these rules with System Logoff Monitoring to formulate a time line of individual logon activity.
Table 6-75 Description of the Account Used for Logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: Account Used for Logon
Rule Name: System_Logon_Success_Account_Used_for_Logon
Severity: Notice
Event IDs: 680, 4776
Description: Detects the account that was used for the logon. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When the Windows Security Policy auditing system determines that an account has been used to log on, it reports this event.
Table 6-76 Description of the by Admin to Desktop parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Admin to Desktop
Rule Name: System_Logon_Success_by_Admin_to_Desktop
Severity: Notice
Event IDs: 528, 4624
Description: Detects a successful administrator logon to a system's desktop, including local and terminal service logons. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the Windows Security Policy auditing system determines that an administrator successfully logged on, it reports this event.
Table 6-77 Description of the by Admin via Remote Connection parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Admin via Remote Connection
Rule Name: Successful_Login_Admin_via_Remote_Connection
Severity: Notice
Event IDs: 528, 540, 4624
Description: Detects a successful administrator logon from a shared network resource, for example, IIS, FTP, or Telnet. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When the Windows Security Policy auditing system determines that an administrator successfully logged on from a remote connection, it reports this event.
Table 6-78 Description of the by Anonymous to IIS or FTP parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Anonymous to IIS or FTP
Rule Name: Successful_Login_Anon_to_IIS_or_FTP
Severity: Notice
Event IDs: 528, 540, 4624, 4636
Description: Detects a successful anonymous access by IIS or FTP. This rule triggers only during the initial access to the Web site by any browser. If Web traffic is sporadic, the inactive connection time expires the logon.
Table 6-79 Description of the by Guest to Desktop parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Guest to Desktop
Rule Name: Successful_Login_Guest_to_Desktop
Severity: Notice
Event IDs: 528, 4624
Description: Detects a successful guest logon to a system's desktop. This detection includes local logons and terminal service logons. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When the Windows Security Policy auditing system determines that a guest successfully logged on, it reports this event.
Table 6-80 Description of the by Guest via Remote Connection parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Guest via Remote Connection
Rule Name: Successful_Login_Guest_via_Remote_Connection
Severity: Notice
Event IDs: 528, 540, 4624, 4636
Description: Detects a successful guest logon by a shared network resource, for example, IIS, FTP, or Telnet. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When it determines that a guest successfully logged on by a remote connection, it reports this event.
Table 6-81 Description of the by User to Desktop parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by User to Desktop
Rule Name: Successful_Login_User_to_Desktop
Severity: Notice
Event IDs: 528, 4624
Description: Detects a successful user logon to a system's desktop, including local logons and terminal service logons. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When the Windows Security Policy auditing system determines that a user successfully logged on, it reports this event.
Table 6-82 Description of the by User via Remote Connection parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by User via Remote Connection
Rule Name: Successful_Login_User_via_Remote_Connection
Severity: Notice
Event IDs: 528, 540, 4624, 4636
Description: Detects a successful user logon by a shared network resource, for example, IIS, FTP, or Telnet. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When it determines that a user has logged on by a remote connection, it reports this event.
Table 6-83 Description of the Non Working Hours Rules Login Success parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: Non Working Hours Rules Login Success
Rule Name: System_Unlocked_After_Hours
Severity: Warning
Event IDs: 528, 4624
Description: Detects when a system desktop is unlocked after normal business hours. By default, after business hours is defined as Monday through Friday from 7:00 P.M. to 6:00 A.M. You can configure the Windows Security Policy auditing system to monitor the status of unlocking events. When the Windows Security Policy auditing system determines that a user successfully unlocked the workstation outside of normal working hours, it reports this event.
Table 6-84 Description of the System Unlocked During Weekends parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: System Unlocked During Weekends
Rule Name: System_Unlocked_During_Weekends
Severity: Warning
Event IDs: 528, 4624
Description: Detects when a system desktop is unlocked during weekends. By default, weekend is defined as Friday 7:00 P.M. to Monday 6:00 A.M. You can configure the Windows Security Policy auditing system to monitor the status of unlocking events. When the Windows Security Policy auditing system determines that a user successfully unlocked the workstation outside of normal working hours, it reports this event.
System Logoff Monitor
This portion of the policy detects all successful Windows logoff events. You can acquire individual user logon times from the events that this portion of the policy generates. Acquire these times by comparing the logoff events with successful logon events.
Table 6-85 Description of the by Admin parameters used
Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by Admin
Rule Name: Logoff_by_Admin
Severity: Warning
Event IDs: 538, 4634, 4647
Description: Detects that an administrator has successfully logged off a system from a remote location. You can configure the Windows Security Policy auditing system to monitor the status of the logoff attempts. When the auditing system determines that an administrator successfully logged off the workstation from a local location or a remote location, it reports this event.
Table 6-86 Description of the by Guest parameters used
Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by Guest
Rule Name: Logoff_by_Guest
Severity: Notice
Event IDs: 538, 4634, 4647
Description: Detects that a guest has successfully logged off a system. You can configure the Windows Security Policy auditing system to monitor the status of logoff attempts. When the auditing system determines that a guest has successfully logged off the workstation from a local location or a remote location, it reports this event.
Table 6-87 Description of the by User parameters used
Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by User
Rule Name: Logoff_by_User
Severity: Notice
Event IDs: 538, 4634, 4647
Description: Detects that a user has successfully logged off a system. You can configure the Windows Security Policy auditing system to monitor the status of logoff attempts. When the auditing system determines that a user successfully logged off the workstation from a local location or a remote location, it reports this event.
Table 6-88 Description of the by Specific User parameters used
Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by Specific User
Rule Name: System_Logoff_by_SpecificUser
Severity: Notice
Event IDs: 538, 4634, 4647
Description: Detects that a specific user-defined user or users have successfully logged off a system. You can configure the Windows Security Policy auditing system to monitor the status of logoff attempts. When the auditing system determines that a user successfully logged off the workstation from a local location or a remote location, it reports this event.
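The System Login Success Monitor and System Logoff Monitor sections describe pairing successful logons with logoffs to build a per-user timeline, and the Non Working Hours rules define the default after-hours and weekend windows. The following Python is an added illustration of that correlation, not code from the product or this guide: it assumes a flattened export of Windows Security events as (timestamp, event ID, account, logon ID) tuples, matches 4624 to 4634/4647 by logon ID, and labels each logon with the two default windows (the sample records and the "outside 06:00-19:00" reading of the after-hours window are assumptions).

```python
from datetime import datetime, time

# Constructed sample export of Windows Security events (not real log data).
# Each record: (timestamp, event ID, account, logon ID).
# 4624 = successful logon, 4634/4647 = logoff; the logon ID ties a logoff to its logon.
SAMPLE_EVENTS = [
    ("2012-03-05 08:12:00", 4624, "alice", "0x3e7a1"),  # Monday 08:12, business hours
    ("2012-03-05 17:45:00", 4634, "alice", "0x3e7a1"),
    ("2012-03-07 22:30:00", 4624, "bob",   "0x41c02"),  # Wednesday 22:30, after hours
    ("2012-03-08 01:10:00", 4647, "bob",   "0x41c02"),
    ("2012-03-09 20:05:00", 4624, "carol", "0x52f13"),  # Friday 20:05, inside the weekend window
    ("2012-03-12 05:30:00", 4624, "dave",  "0x6a004"),  # Monday 05:30, weekend window ends 06:00
    ("2012-03-12 09:00:00", 4634, "dave",  "0x6a004"),
]

# Default windows from the Non Working Hours rules (Tables 6-83 and 6-84).
BUSINESS_START = time(6, 0)   # 6:00 A.M.
BUSINESS_END = time(19, 0)    # 7:00 P.M.
MONDAY, FRIDAY = 0, 4         # datetime.weekday(): Monday = 0 ... Sunday = 6
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def is_weekend(ts):
    """Friday 7:00 P.M. through Monday 6:00 A.M. (System_Unlocked_During_Weekends default)."""
    wd, t = ts.weekday(), ts.time()
    if wd in (5, 6):                        # Saturday, Sunday
        return True
    if wd == FRIDAY and t >= BUSINESS_END:
        return True
    return wd == MONDAY and t < BUSINESS_START


def is_after_hours(ts):
    """Monday through Friday, 7:00 P.M. to 6:00 A.M. (System_Unlocked_After_Hours default).
    Assumption: any weekday timestamp outside 06:00-19:00 counts as after hours."""
    return ts.weekday() < 5 and not (BUSINESS_START <= ts.time() < BUSINESS_END)


def logon_flags(ts):
    """Labels the two non-working-hours rules would attach to a logon at ts.
    Both can apply at once (Friday night, early Monday), so both are reported."""
    flags = []
    if is_after_hours(ts):
        flags.append("after_hours")
    if is_weekend(ts):
        flags.append("weekend")
    return tuple(flags)


def flags_at(ts_str):
    """Convenience wrapper: flags for a timestamp given as a string."""
    return logon_flags(datetime.strptime(ts_str, TS_FORMAT))


def _session(account, logon_id, start, end):
    return {
        "account": account,
        "logon_id": logon_id,
        "logon": start,
        "logoff": end,
        "duration_seconds": (end - start).total_seconds() if end else None,
        "flags": logon_flags(start),
    }


def build_timeline(events):
    """Pair each 4624 with the 4634/4647 carrying the same logon ID. Returns one
    session per logon in the order sessions were closed; logons that never saw a
    matching logoff are appended last with logoff=None (still open, or logoff unaudited)."""
    open_sessions = {}   # logon ID -> (account, logon time)
    sessions = []
    for ts_str, event_id, account, logon_id in sorted(events):
        ts = datetime.strptime(ts_str, TS_FORMAT)
        if event_id == 4624:
            open_sessions[logon_id] = (account, ts)
        elif event_id in (4634, 4647) and logon_id in open_sessions:
            account, start = open_sessions.pop(logon_id)
            sessions.append(_session(account, logon_id, start, ts))
    for logon_id, (account, start) in open_sessions.items():
        sessions.append(_session(account, logon_id, start, None))
    return sessions


def by_account(sessions):
    """Index sessions by account (the sample has one session per account)."""
    return {s["account"]: s for s in sessions}


if __name__ == "__main__":
    for s in build_timeline(SAMPLE_EVENTS):
        print(s["account"], s["logon"], s["logoff"], s["duration_seconds"], s["flags"])
```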
System Failed Login Monitor
This option group subsection detects when a user has failed to authenticate. That is, has failed to log on to a Windows system either as a local user or as a member of a domain. This activity most often indicates normal behavior, ranging from expired passwords to a user who forgets a current password. However, it may also indicate attempts by an unauthorized user to gain illegitimate access to the system or the domain.
Note: The first option under System Failed Login Monitor, N Tries, allows the administrator to set threshold-based alerting on all failed logon events. For example, an N Tries setting of 3 and an Interval of 1 minute only generates an alert if a user makes more than three failed logon attempts within the interval time of 1 minute. You can use this option to detect brute force-based credential attacks.
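To make the N Tries / Interval thresholding concrete, here is an added Python example (not code from the product or this guide) that applies the same rule to a constructed list of failed-logon records: a per-account sliding window that alerts once more than N failures fall inside the interval. The record layout and the reset-after-alert behaviour are assumptions, not the agent's implementation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records (not real log data): (timestamp, event ID, account).
# 4625 is the failed-logon event the System Failed Login Monitor rules key on; 4624 is a success.
FAILED_LOGON_SAMPLE = [
    ("2012-03-05 08:00:05", 4625, "alice"),
    ("2012-03-05 08:00:20", 4625, "alice"),
    ("2012-03-05 08:00:41", 4625, "alice"),
    ("2012-03-05 08:00:55", 4625, "alice"),   # fourth failure 50 s after the first: exceeds N=3 in 1 minute
    ("2012-03-05 08:03:10", 4625, "bob"),
    ("2012-03-05 08:05:30", 4625, "bob"),
    ("2012-03-05 08:06:50", 4625, "bob"),
    ("2012-03-05 08:07:10", 4625, "bob"),     # four failures, but never more than two in any 1-minute window
    ("2012-03-05 08:09:00", 4624, "carol"),   # successful logon: not counted
]


def n_tries_alerts(events, n=3, interval_seconds=60):
    """Emulate the N Tries / Interval threshold: return one alert per account each time
    that account accumulates more than n failed logons inside a sliding window of
    interval_seconds. Alerts are (timestamp, account, failures_in_window)."""
    interval = timedelta(seconds=interval_seconds)
    windows = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for ts_str, event_id, account in sorted(events):
        if event_id != 4625:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        window = windows[account]
        window.append(ts)
        while ts - window[0] > interval:   # drop failures older than the interval
            window.popleft()
        if len(window) > n:
            alerts.append((ts_str, account, len(window)))
            window.clear()   # assumption: one alert per burst, counting restarts afterwards
    return alerts


if __name__ == "__main__":
    # The guide's example setting: N Tries = 3, Interval = 1 minute.
    for alert in n_tries_alerts(FAILED_LOGON_SAMPLE, n=3, interval_seconds=60):
        print("N Tries alert:", alert)
```

Lowering the threshold or widening the interval changes which accounts trip the rule, which is why the note pairs the two settings; a slow, spread-out series of failures like bob's only shows up once the interval covers it.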
Table 6-89 Description of the Account Disabled parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Account Disabled
Rule Name: Account_Disabled
Severity: Warning
Event IDs: 531, 4625
Description: Detects when a user has failed to access the client, due to a disabled account. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon failed because the account was disabled, it reports this event.
Table 6-90 Description of the Account Expired parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Account Expired
Rule Name: Account_Expired
Severity: Notice
Event IDs: 532, 4625
Description: Detects when a user has failed to access the client, due to an expired account. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon has failed because the account has expired, it reports this event.
Table 6-91 Description of the Account Locked Out parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Account Locked Out
Rule Name: Account_Locked_Out
Severity: Warning
Event IDs: 539, 4740
Description: Detects when a user has failed to access the client, due to a lock on the account. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon has failed because the account was locked out, it reports this event.
Table 6-92 Description of the By Admin to Desktop parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Admin to Desktop
Rule Name: Login_Failed_Admin_to_Desktop
Severity: Warning
Event IDs: 529, 4625
Description: Detects when an administrator has failed to log on to a system's desktop, either locally or by Terminal Services. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that an administrator has failed to log on to the local desktop or through the Terminal Services, it reports this event.
Table 6-93 Description of the By Admin via Remote Connection parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Admin via Remote Connection
Rule Name: Login_Failed_Admin_via_Remote_Connection
Severity: Warning
Event IDs: 529, 4625
Description: Detects when an administrator has failed to log on to a system or to a domain on the network. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that an administrator has failed to log on through a remote connection, it reports this event.
Table 6-94 Description of the By Guest to Desktop parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Guest to Desktop
Rule Name: Login_Failed_Guest_to_Desktop
Severity: Warning
Event IDs: 529, 4625
Description: Detects when a guest has failed to log on to a system's desktop, either locally or by Terminal Services. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a guest has failed to log on, it reports this event.
Table 6-95 Description of the By Guest via Remote Connection parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Guest via Remote Connection
Rule Name: Login_Failed_Guest_via_Remote_Connection
Severity: Warning
Event IDs: 529, 4625
Description: Detects when a guest has failed to log on to a system or domain on the network. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a guest has failed to log on by a remote connection, it reports this event.
Table 6-96 Description of the By User to Desktop parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By User to Desktop
Rule Name: Login_Failed_User_to_Desktop
Severity: Notice
Event IDs: 529, 4625
Description: Detects when a user has failed to log on to a system's desktop, either locally or by Terminal Services. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a user has failed to log on to the local desktop, it reports this event.
Table 6-97 Description of the By User via Remote Connection parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By User via Remote Connection
Rule Name: Login_Failed_User_via_Remote_Connection
Severity: Notice
Event IDs: 529, 4625
Description: Detects when a user has failed to log on to a system or domain on the network. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a user has failed to log on by a remote connection, it reports this event.
Table 6-98 Description of the Logon Failure parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Logon Failure
Rule Name: Login_Failed_Generic
Severity: Notice
Event IDs: 537
Description: Detects when an unexpected error has occurred during logon. A failed authentication by a cleartext password, Windows NT Lan Manager, or Windows Kerberos security authentication system can cause this error. This detection may also indicate a failure to access the File Transfer Protocol (FTP) services that are related to the Microsoft Internet Information Server (IIS).
Table 6-99 Description of the Logon to Account parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Logon to Account
Rule Name: Logon_to_Account_Failed
Severity: Notice
Event IDs: 681
Description: Detects when a down-level client fails a logon attempt. Windows generates an error message on the Windows domain controller. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a domain logon failed, it reports this event.
Table 6-100 Description of the Password Expired parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Password Expired
Rule Name: Password_Expired
Severity: Notice
Event IDs: 535, 4625
Description: Detects when a user has failed to access a client, due to an expired account password. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon failed, due to an expired account, it reports this event.
Table 6-101 Description of the Unauthorized Access parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Unauthorized Access
Rule Name: Unauthorized_Access
Severity: Warning
Event IDs: 534, 4625
Description: Detects when a user has failed to access a client because the local access rights or the remote access rights have not been granted to the user. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When the auditing system determines that a logon failed due to a disabled account, it reports this event.
Table 6-102 Description of the Unauthorized Location parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Unauthorized Location
Rule Name: Unauthorized_Location
Severity: Warning
Event IDs: 533, 4625
Description: Detects when a user has failed to access the domain because the client is not authorized to participate in the domain. You can configure the Windows Security Policy auditing system to monitor the status of the logon attempts. When the auditing system determines that a logon has failed because the logon was attempted from an unauthorized client, it reports this event.
Table 6-103 Description of the Unauthorized Time parameters used
Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Unauthorized Time
Rule Name: Unauthorized_Time
Severity: Warning
Event IDs: 530, 4625
Description: Detects when a domain user has failed to access a client, because the account is not authorized to access the domain during this time period. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that the failure has occurred because the account was not allowed to log on during this time period, it reports this event.
System Hardening Monitor
This option group section detects changes to the user-configurable registry keys that are considered sensitive in maintaining the security posture of the operating system. Various areas are monitored to generate events for the administrator if either of the following entities changed any of the selected values:
■ Malware
■ A malicious individual attempting to lower the security posture of the host system
System Autorun Configuration
This option group subsection detects modifications of the system configuration that change whether it automatically runs code during system startup or from newly inserted CD-ROMs. This behavior is normal if an administrator needs to change autorun behavior. If unexpected, it can indicate that the system is being prepared to operate outside established security policy, or that it is about to be compromised. This policy should be applied on all Windows agents and no configuration changes are required for this policy to work.
Note: The final option set, User Desktop Logon Check, enables a function of these rules to only monitor and generate an event if a user is logged on.
Table 6-104 Description of the CDROM Value Changed parameters used
Option Path: System Hardening Monitor > System AutoRun Configuration
Option: CDROM Value Changed
Rule Name: CDROM_Value_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Cdrom\Autorun
Description: Detects the changes to the CD-ROM AutoRun behavior, according to the registry setting: HKLM\System\CurrentControlSet\Services\CD-ROM key, Autorun value. This value determines whether the system automatically runs code from the newly inserted CD-ROMs.
Table 6-105 Description of the Run Key Changed parameters used
Option Path: System Hardening Monitor > System AutoRun Configuration
Option: Run Key Changed
Rule Name: Run_Key_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
Description: Detects the changes to the Run registry key, according to the registry setting: HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.
Table 6-106 Description of the RunOnceEx Key Changed parameters used
Option Path: System Hardening Monitor > System AutoRun Configuration
Option: RunOnceEx Key Changed
Rule Name: RunOnceEx_Key_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\*
Description: Detects the changes to the RunOnceEx registry key, according to the registry setting: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key. The system configuration has been modified to change the behavior of the system the next time a user logs on. This key allows a specified routine or a list of routines to execute once. It then clears itself so that it does not run on the next logon.
Table 6-107 Description of the Userinit Value Changed parameters used
Option Path: System Hardening Monitor > System AutoRun Configuration
Option: Userinit Value Changed
Rule Name: Userinit_Value_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Description: Detects the changing of the Userinit key, according to registry setting: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key, Userinit value. This key specifies the program that Winlogon runs when a user logs on. This program is typically Userinit.exe. This behavior is unusual, however. It would be expected if the system was updated to run the enterprise-unique routines first, then run the Userinit.exe or Explorer.exe.
Table 6-108 Description of the User Desktop Logon Check parameters used
Option Path: System Hardening Monitor > System AutoRun Configuration
Description: Detects a successful user logon and sets a flag. This setting ensures that the rules within this portion of the policy do not create false positives with a normal non-administrative user setting specific areas that are otherwise monitored. It is recommended that this setting remain turned on to thwart false positives.
Network Comm Configuration
This option group subsection detects changes to the various registry keys that deal with network and communication settings. This policy can be applied to any Windows server. Unauthorized or unknown network changes as monitored in this portion of the policy may indicate suspicious activity.
Table 6-109 Description of the Autodisconnect Changed parameters used
Option Path: System Hardening Monitor > Network Comm Configuration
Option: Autodisconnect Changed
Rule Name: Autodisconnect_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\autodisconnect
Description: Detects the changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\autodisconnect registry key. This registry key determines the time that is allowed for an inactive connection before it is automatically disconnected.
Table 6-110 Description of the TcpMaxDupAcks Changed parameters used
Option Path: System Hardening Monitor > Network Comm Configuration
Option: TcpMaxDupAcks Changed
Rule Name: TcpMaxDupAcks_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\TcpMaxDupAcks
Description: Detects the changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDupAcks registry key. This registry key determines the number of duplicate ACKs, which must be received for the same sequence number of sent data, before a fast retransmit is triggered to resend the segment that was dropped in transit.
System File Protection Status
This option group subsection detects the events that the Windows File Protection (WFP) System reports. The WFP monitors the critical operating system files that should remain available, but should not change during the course of operation. If a monitored file is deleted or modified, or its attributes are changed, the WFP immediately restores the file to its original configuration. These events can occur for a number of reasons. The reasons include third-party software installation, system misconfiguration, or illegitimate manipulation. Activation of WFP file restoration procedures may be a response to illegitimate activity.
Table 6-111 Description of the File Restoration Failed parameters used
Option Path: System Hardening Monitor > System File Protection Status
Option: File Restoration Failed
Rule Name: File_Restoration_Failed
Severity: Critical
Event IDs: 64004, 64007, 64006, 64021, 64005, 64008
Description: Detects when a file that the Windows File Protection System protects cannot be restored. The Windows File Protection System monitors the status of protected files and attempts to restore them to their original condition when it detects any changes. If the Windows File Protection System determines that it cannot successfully restore the file, it reports this error.
Table 6-112 Description of the File Restoration Success parameters used
Option Path: System Hardening Monitor > System File Protection Status
Option: File Restoration Success
Rule Name: File_Restoration_Success
Severity: Warning
Event IDs: 64000, 64003, 64019, 64020, 64001, 64002
Description: Detects when a file that the Windows File Protection System protects has been restored. The Windows File Protection System monitors the status of protected files and restores them to their original condition when it detects any changes. If the Windows File Protection System determines that it successfully restored a file, it reports this status.
Table 6-113 Description of the WFP Errors parameters used
Option Path: System Hardening Monitor > System File Protection Status
Option: WFP Errors
Rule Name: WFP_Errors
Severity: Critical
Event IDs: 64034, 64033, 64032
Description: Detects when the Windows File Protection System has detected a configuration error. The Windows File Protection System monitors its ability to access a protected file cache. It also monitors the active state or initialized state of the File Protection System. If the Windows File Protection System determines that it cannot access the cache, or that its state is inactive or not initialized, it reports these errors.
Table 6-114 Description of the Scanning Started parameters used
Parameter      Description
Option Path    System Hardening Monitor > System File Protection Status
Option         Scanning Started
Rule Name      Scanning_Started
Severity       Notice
Event IDs      64016
Description    Detects when the Windows File Protection System has started a scan of critical system files. The Windows File Protection System scans the protected files to determine their condition. When the Windows File Protection System determines that it successfully started a scan, it reports this status.
Table 6-115 Description of the Scanning Completed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System File Protection Status
Option         Scanning Completed
Rule Name      Scanning_Completed
Severity       Notice
Event IDs      64017
Description    Detects when the Windows File Protection System has completed a scan of critical system files. The Windows File Protection System scans these protected files to determine their condition. When the Windows File Protection System determines that it successfully completed a scan, it reports this status.
Table 6-116 Description of the Scanning Canceled parameters used
Parameter      Description
Option Path    System Hardening Monitor > System File Protection Status
Option         Scanning Canceled
Rule Name      Scanning_Canceled
Severity       Warning
Event IDs      64018
Description    Detects when a Windows File Protection System scan has been canceled. The Windows File Protection System scans these protected files to determine their condition. When the Windows File Protection System determines that a command has interrupted the scanning process, it reports this status.
System Security Configuration

This option group subsection detects changes to the various registry keys that deal with the typical security settings of a host system. These settings range from protection mode changes to how legal captions are displayed at logon. See the individual rule descriptions for more information.
Table 6-117 Description of the AllocateCdroms Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         AllocateCdroms Changed
Rule Name      AllocateCdroms_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key AllocateCdroms value. This value determines whether data in the CD-ROM drive is accessible to other users.
Table 6-118 Description of the AllocateFloppies Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         AllocateFloppies Changed
Rule Name      AllocateFloppies_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key AllocateFloppies value. This value determines whether data in the floppy disk drive is accessible to other users.
Table 6-119 Description of the AutoShareServer Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         AutoShareServer Changed
Rule Name      AutoShareServer_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\AutoShareServer
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key AutoShareServer value. This value creates the administrative shares (C, D, ADMIN) for the physical drives.
Table 6-120 Description of the AutoShareWks Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         AutoShareWks Changed
Rule Name      AutoShareWks_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\AutoShareWks
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key AutoShareWks value. This value is responsible for enabling and disabling the automatic sharing of hidden shares.
Table 6-121 Description of the ComSpec Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         ComSpec Changed
Rule Name      ComSpec_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\ComSpec
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key ComSpec value. This value is responsible for defining the path to the DOS command interpreter, Command.com.
Table 6-122 Description of the Debugger Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Debugger Changed
Rule Name      Debugger_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
Description    Detects any changes or attempted changes to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug key Debugger value. This value is responsible for determining whether to automatically spawn the Win32 debugger during an application fault.
Table 6-123 Description of the Directory Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Directory Changed
Rule Name      Directory_Changed
Severity       Critical
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Windows\Directory
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Windows key Directory value. This value contains the information that helps to define the system directories for the Win32 subsystem.
Table 6-124 Description of the DisableTaskMgr Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         DisableTaskMgr Changed
Rule Name      DisableTaskMgr_Changed
Severity       Warning
Registry Keys  \HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Description    Detects any changes or attempted changes to the HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System key DisableTaskMgr value. This value controls the ability of users to start Task Manager and view processes and running applications. It also controls the ability of users to make changes to the priority or state of the individual processes.
Table 6-125 Description of the DontDisplayLastUserName Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         DontDisplayLastUserName Changed
Rule Name      DontDisplayLastUserName_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system key DontDisplayLastUserName value. If you enable this value, the user name box on the logon screen is blank. This behavior prevents the people that log on from knowing the last user to access the system.
Table 6-126 Description of the Hidden Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Hidden Changed
Rule Name      Hidden_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\hidden
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key hidden value. This value is responsible for hiding a server from the Network Browser.
Table 6-127 Description of the LegalNoticeCaption Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         LegalNoticeCaption Changed
Rule Name      LegalNoticeCaption_Changed
Severity       Info
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
               \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
Description    Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption value or to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption value. This value creates a dialog box that is presented to any users before they log onto the system.
Table 6-128 Description of the LegalNoticeText Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         LegalNoticeText Changed
Rule Name      LegalNoticeText_Changed
Severity       Info
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
               \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LegalNoticeText
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key LegalNoticeText value or to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system key LegalNoticeText value. This value supplies the text of the dialog box that is presented to any users before they log onto the system.
Table 6-129 Description of the PasswordExpiryWarning Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         PasswordExpiryWarning Changed
Rule Name      PasswordExpiryWarning_Changed
Severity       Info
Registry Keys  \HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key PasswordExpiryWarning value. This value is responsible for informing users of how many days are left until their password expires.
Table 6-130 Description of the Path Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Path Changed
Rule Name      Path_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\Path
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key Path value. This value determines the directory search order for all open applications on your target system.
Table 6-131 Description of the SubmitControl Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         SubmitControl Changed
Rule Name      SubmitControl_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\SubmitControl
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key SubmitControl value. This value gives other users (e.g., Server Operators) permission to issue AT commands.
Table 6-132 Description of the SystemDirectory Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         SystemDirectory Changed
Rule Name      SystemDirectory_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Windows\SystemDirectory
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Windows key SystemDirectory value. This value contains the entries that define the system directories for the Win32 subsystem.
Table 6-133 Description of the Users Connect Count Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Users Connect Count Changed
Rule Name      Users_Connect_Count_Changed
Severity       Info
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\Users
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key Users value. This value is responsible for allowing more than 10 clients to connect to a computer.
Table 6-134 Description of the VDD Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         VDD Changed
Rule Name      VDD_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\VirtualDeviceDrivers\VDD
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers key VDD value. This value is responsible for determining which virtual device drivers are used on program install.
Table 6-135 Description of the AddPrintDrivers Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         AddPrintDrivers Changed
Rule Name      AddPrintDrivers_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers key AddPrinterDrivers value. This value restricts the installation of printer drivers to only Administrators and Print Operators.
Table 6-136 Description of the RestrictAnonymous Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         RestrictAnonymous Changed
Rule Name      RestrictAnonymnus_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\RestrictAnonymous
Description    Detects any changes to the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous key. This value is responsible for restricting who has access to the registry.
Table 6-137 Description of the Driver Signing Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Driver Signing Changed
Rule Name      Driver_Signing_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing\Policy
Description    Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing key Policy value. This value is responsible for determining what to do when an attempt is made to install a driver without a valid Catalog file.
Table 6-138 Description of the Non Driver Signing Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Non Driver Signing Changed
Rule Name      Non_Driver_Signing_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy
Description    Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing key Policy value. This value is responsible for allowing unsigned drivers to be installed.
Table 6-139 Description of the Local Auto Logoff Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Local Auto Logoff Changed
Rule Name      Local_Auto_Logoff_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\lanmanserver\parameters\enableforcedlogoff
Description    Detects any changes or attempted changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\enableforcedlogoff key. This key is responsible for automatically logging off users when logon time expires (local).
Table 6-140 Description of the FullPrivilegeAuditing Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         FullPrivilegeAuditing Changed
Rule Name      FullPrivilegeAuditing_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\fullprivilegeauditing
Description    Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key fullprivilegeauditing value. This value is responsible for the Backup and Restore privileges in the user rights audit class.
Table 6-141 Description of the SmartCard Behavior Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         SmartCard Behavior Changed
Rule Name      SmartCard_Behavior_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key scremoveoption value. This value locks the computer when a smart card is removed.
Table 6-142 Description of the Recovery Console Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Recovery Console Changed
Rule Name      Recovery_Console_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\*
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel and SetCommand keys. These keys determine whether the Recovery Console is to be used when Windows crashes.
Table 6-143 Description of the NTFS MediaEject Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         NTFS MediaEject Changed
Rule Name      NTFS_MediaEject_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\allocatedasd
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\allocatedasd key. This value determines whether the ability to access removable drives is available to other users.
Table 6-144 Description of the CTRL ALT DEL for Logon Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         CTRL ALT DEL for Logon Changed
Rule Name      CTRL_ALT_DEL_for_Logon_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\disablecad
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system key disablecad value. This value controls whether users are required to press Ctrl + Alt + Delete before logging into the system.
Table 6-145 Description of the Protection Mode Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Protection Mode Changed
Rule Name      Protection_Mode_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\ProtectionMode
Description    Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode key. This key is responsible for strengthening the default permissions of global system objects.
Table 6-146 Description of the Plaintext Password Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Plaintext Password Changed
Rule Name      Plaintext_Password_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\lanmanworkstation\parameters\enableplaintextpassword
Description    Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\enableplaintextpassword key. This key enables unencrypted passwords to be sent when connecting to third-party SMB servers.
Table 6-147 Description of the CrashOnAuditFail Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         CrashOnAuditFail Changed
Rule Name      CrashOnAuditFail_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\crashonauditfail
Description    Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key crashonauditfail value. This value determines system behavior when the Security log (Event Viewer) is full.
Table 6-148 Description of the Sys Maintenance RegKey Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Sys Maintenance RegKey Changed
Rule Name      Sys_Maintenance_RegKey_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\DisablePasswordChange
Description    Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange key. This key enables system maintenance of account passwords.
Table 6-149 Description of the Secure Channel Sign RegKey Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Secure Channel Sign RegKey Changed
Rule Name      Secure_Ch_Sign_Regkey_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\signsecurechannel
Description    Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel key. This key determines whether or not you require Secure Channel to digitally sign secure channel data, when possible.
Table 6-150 Description of the Secure Channel Always RegKey Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Secure Channel Always RegKey Changed
Rule Name      Secure_Ch_Always_Regkey_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\requiresignorseal
Description    Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal key. This key determines whether or not you always require Secure Channel to digitally encrypt or sign secure channel data.
Table 6-151 Description of the Secure Channel Strong RegKey Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Secure Channel Strong RegKey Changed
Rule Name      Secure_Ch_Strong_Regkey_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\requirestrongkey
Description    Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey key. This key determines whether or not you require Secure Channel to require a strong session key.
Table 6-152 Description of the Secure Channel Encrypt Required RegKey Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Security Configuration
Option         Secure Channel Encrypt Required RegKey Changed
Rule Name      SecureCh_Encrypt_RegKey_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\sealsecurechannel
Description    Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel key. This key determines whether or not you require Secure Channel to digitally encrypt secure channel data, when possible.
System StartStop Options

This option group subsection detects changes to the various registry keys that deal with typical startup and shutdown settings. See the rule descriptions for further information on rule function.
Table 6-153 Description of the BootExecute Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System StartStop Options
Option         BootExecute Changed
Rule Name      BootExecute_Changed
Severity       Critical
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\BootExecute
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key BootExecute value. This value contains the names and arguments of programs that the Session Manager executes.
Table 6-154 Description of the CacheLogonsCount Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System StartStop Options
Option         CacheLogonsCount Changed
Rule Name      CacheLogonsCount_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key CachedLogonsCount value. This value controls the number of allowable cached logon attempts when the domain controller is unavailable.
Table 6-155 Description of the ClearPageFileAtShutdown Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System StartStop Options
Option         ClearPageFileAtShutdown Changed
Rule Name      ClearPageFileAtShutdown_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key ClearPageFileAtShutdown value. This value determines whether Windows should clear the page file when the system is shut down.
Table 6-156 Description of the PendingFileRenames Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System StartStop Options
Option         PendingFileRenames Changed
Rule Name      PendingFileRenames_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\FileRenameOperations\PendingFileRenameOperations
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations key and the PendingFileRenameOperations value. This value determines which operations are run at system shutdown.
Table 6-157 Description of the ReportBootOK Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System StartStop Options
Option         ReportBootOK Changed
Rule Name      ReportBootOK_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportBootOk
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key ReportBootOK value. This value helps to determine the meaning of the ControlSet.
Table 6-158 Description of the ShutdownWithoutLogon Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System StartStop Options
Option         ShutdownWithoutLogon Changed
Rule Name      ShutdownWithoutLogon_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
Description    Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key ShutdownWithoutLogon value. This value determines whether you can shut down a system without logging on.
Table 6-159 Description of the SystemStartOptions Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System StartStop Options
Option         SystemStartOptions Changed
Rule Name      SystemStartOptions_Changed
Severity       Warning
Registry Keys  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SystemStartOptions
Description    Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control key SystemStartOptions value. This value contains the text of the system arguments that the firmware passes to the system. These values can be used to determine whether the debugger is enabled, the options that are set for ports and speed, and other configuration parameters.
System Audit Tampering

This option group subsection detects system auditing changes and the clearing of audit logs, which may be indicative of malicious activity or internal policy violation. The clearing of audit logs without legitimate intent is usually a sign of a malicious user or program attempting to hide its behavior.
Note: The first option, Enable Date Restriction in Rule(s), provides the ability to generate events in this section of the policy only during a specific time window. This option provides tuning capabilities to monitor at specific times of the day at which audit log mismanagement would make an administrator more suspicious. For example, you would be more suspicious of such activity during non-business hours.
Table 6-160 Description of the Audit Policy Changed parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Audit Tampering
Option         Audit Policy Changed
Rule Name      Audit_Policy_Changed
Severity       Warning
Description    Detects changes to the system audit policy (see User Manager > Policies > Audit). The Windows operating system determines when the status of the auditing system has changed. When Windows determines that the Audit Policy has changed, it reports the event.
Table 6-161 Description of the Auditing Turned Off parameters used
Parameter      Description
Option Path    System Hardening Monitor > System Audit Tampering
Option         Auditing Turned Off
Rule Name      Auditing_Turned_Off
Severity       Critical
Description    Detects Windows auditing being turned off. The Windows operating system determines when the status of the auditing system has changed. When Windows determines that the auditing system has been turned off, it reports this event.
Table 6-162 Description of the Auditing Turned On parameters used
Option Path: System Hardening Monitor > System Audit Tampering
Option: Auditing Turned On
Rule Name: Auditing_Turned_On
Severity: Warning
Description: Detects Windows auditing being turned on. The Windows operating system determines when the status of the auditing system has changed and reports an event when auditing is turned on; this rule fires on that event.
Table 6-163 Description of the Data Retention Changed parameters used
Option Path: System Hardening Monitor > System Audit Tampering
Option: Data Retention Changed
Rule Name: Data_Retention_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\EventLog\*\Retention
Description: Detects changes or attempted changes to the Retention value of the HKLM\System\CurrentControlSet\Services\EventLog\Application, System, or Security key. This value determines how long event records are kept before they can be overwritten. It is stored in seconds (Event Viewer presents it in days); 0 means overwrite events as needed, and 0xFFFFFFFF means never overwrite them.
Table 6-164 Description of the Security Log Events Deleted parameters used
Option Path: System Hardening Monitor > System Audit Tampering
Option: Security Log Events Deleted
Rule Name: Security_Log_Events_Deleted
Severity: Critical
Event IDs: 517 (Windows 2000, XP, and Server 2003), 1102 (Windows Vista and later)
Description: Detects the clearing of the Security event log. The Windows operating system determines when the status of the auditing system has changed and records an event when the Security log is cleared; this rule fires on that event.
Table 6-165 Description of the Log File Size Changed parameters used
Option Path: System Hardening Monitor > System Audit Tampering
Option: Log File Size Changed
Rule Name: Log_File_Size_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\EventLog\*\MaxSize
Description: Detects changes or attempted changes to the MaxSize value of the HKLM\System\CurrentControlSet\Services\EventLog\Application, System, or Security key. This value determines the maximum size, in bytes, of the event log file. Shrinking it forces older events to be overwritten sooner.
Table 6-166 Description of the Log File Location Changed parameters used
Option Path: System Hardening Monitor > System Audit Tampering
Option: Log File Location Changed
Rule Name: Log_File_Location_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\EventLog\*\File
Description: Detects changes or attempted changes to the File value of the HKLM\System\CurrentControlSet\Services\EventLog\Application, System, or Security key. This value determines the file to which the event log is written.
Table 6-167 Description of the Audit Changed thru HiddenKey parameters used
Option Path: System Hardening Monitor > System Audit Tampering
Option: Audit Changed thru HiddenKey
Rule Name: Audit_Changed_thru_HiddenKey
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv\*
Description: Detects changes or attempted changes to the HKLM\Security\Policy\PolAdtEv key. This key stores the system audit policy in binary form, and the operating system reads it on an interval. The key is called hidden because the HKLM\Security hive is not readable by administrators by default, so a direct write here changes the effective audit policy without going through the normal audit policy interface.
System Hardening User Interactive

This option group subsection detects changes to the user-configured registry keys that affect the way the operating system handles various forms of network traffic. Changes to these areas may lower the security posture of the host system.
Table 6-168 Description of the EnableICMPRedirect Changed parameters used
Option Path: System Hardening Monitor > System Hardening User Interactive
Option: EnableICMPRedirect Changed
Rule Name: EnableICMPRedirect_Changed
Severity: Warning
Registry Keys:
  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\EnableICMPRedirect
  \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\EnableICMPRedirects
Description: Detects changes to the EnableICMPRedirect value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key (both spellings of the value name are monitored). This value controls whether Windows alters its route table in response to ICMP redirect messages; accepting redirects lets a host on the same link steer the system's traffic, which is why hardening guidance disables it.
Table 6-169 Description of the KeepAliveTime Changed parameters used
Option Path: System Hardening Monitor > System Hardening User Interactive
Option: KeepAliveTime Changed
Rule Name: KeepAliveTime_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\KeepAliveTime
Description: Detects changes to the KeepAliveTime value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value specifies how long, in milliseconds, a connection must be idle before TCP begins sending keepalive probes, if keepalives are enabled on the connection.
Table 6-170 Description of the PerformRouterDiscover Changed parameters used
Option Path: System Hardening Monitor > System Hardening User Interactive
Option: PerformRouterDiscover Changed
Rule Name: PerformRouterDiscover_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\PerformRouterDiscovery
Description: Detects changes to the PerformRouterDiscovery value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value determines whether the ICMP Router Discovery Protocol is disabled, enabled, or enabled only if DHCP sends the router discovery option.
Table 6-171 Description of the SynAttackProtect Changed parameters used
Option Path: System Hardening Monitor > System Hardening User Interactive
Option: SynAttackProtect Changed
Rule Name: SynAttackProtect_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\SynAttackProtect
Description: Detects changes to the SynAttackProtect value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value controls the level of protection the computer applies against SYN flood attacks.
Table 6-172 Description of the TcpMaxHalfOpen Changed parameters used
Option Path: System Hardening Monitor > System Hardening User Interactive
Option: TcpMaxHalfOpen Changed
Rule Name: TcpMaxHalfOpen_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\TcpMaxHalfOpen
Description: Detects changes to the TcpMaxHalfOpen value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value controls the number of connections in the SYN-RCVD state that are allowed before SYN attack protection begins to operate.
Table 6-173 Description of the TcpMaxHalfOpenRetried parameters used
Option Path: System Hardening Monitor > System Hardening User Interactive
Option: TcpMaxHalfOpenRetried Changed
Rule Name: TcpMaxHalfOpenRetried_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
Description: Detects changes to the TcpMaxHalfOpenRetried value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value controls the number of connections in the SYN-RCVD state for which at least one retransmission of the SYN has been sent before SYN attack protection begins to operate.
System File and Directory Monitor

This option group section of the policy monitors file and directory changes as well as Windows share volume creation and deletion. It also includes a completely rewritten file monitoring area, renamed System FileWatch Monitor, which provides enhanced configuration options for more precise monitoring of file and directory additions, deletions, modifications, and access attempts.
System File Shares Configuration Monitor

This option group section of the policy monitors file share creation and deletion. Unauthorized file share creation and deletion can indicate malicious or malware activity. In addition, unauthorized or unknown file shares on host systems may lower their security posture.
Table 6-174 Description of the System Share Creation parameters used
Option Path: System Hardening Monitor > System File Shares Configuration Monitor
Option: System Share Creation
Rule Name: Share_Creation
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Shares\*
Description: Detects the creation of values under the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares key. Each value under this key defines a persistent share, so a new value indicates that a shared drive or folder was created on the system.
Table 6-175 Description of the System Share Deletion parameters used
Option Path: System Hardening Monitor > System File Shares Configuration Monitor
Option: System Share Deletion
Rule Name: Share_deletion
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Shares\*
Description: Detects the deletion of values under the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares key. Each value under this key defines a persistent share, so a removed value indicates that a shared drive or folder was deleted from the system.
System FileWatch Monitor

This option group section of the policy monitors additions, deletions, modifications, and access attempts to the system-critical files that are listed as monitored files. If you use a default security posture, Symantec Critical System Protection sets up the filewatch monitor for you automatically. If you use your own security posture, you must select the files that you want to monitor so that the filewatch monitor functions correctly.

A wide range of options that enable very specific tuning of how each file or directory is monitored are available for each rule. A global settings area sets the following parameters for all rules in the filewatch monitor area:
■ Polling Interval: The interval at which the filewatch engine polls, or checks, the files that are configured for change monitoring. Use it to tune how frequently files are polled for changes. If your environment has a large number of monitored files, you may want to adjust the default polling rate so that the filewatch engine does not consume excessive resources. A drop-down selection area lets you switch the polling interval frequency easily.
■ Search Depth: A configurable parameter that specifies the recursion level, that is, the number of directory and subdirectory levels that are monitored when you apply a wildcard path. For more information on recursion level and search depth, see the path to the existing definition.
A Monitor File Checksums option is available under the Monitor File Modification option for each type of file watched. When enabled, a file modification event includes a real-time SHA-256 hash comparison, which is reported to the Symantec Critical System Protection console under the Event details. The option also checksums the monitored files at agent startup and compares the results with the checksums recorded when the agent was last shut down, so a file that was changed while the Symantec Critical System Protection service or daemon was stopped is still detected: once the service or daemon starts, it compares the files in its monitored list against their state at shutdown and reports any differences to the console.

For more information, see the file monitoring enhancements section of the Release Notes for Symantec Critical System Protection Version 5.2.6.
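The following Python script is an added example, not Symantec's filewatch engine, of the polling-and-checksum approach the global settings and the Monitor File Checksums option describe: a baseline of SHA-256 checksums is taken for wildcard paths bounded by a search depth, files are changed while no agent is running, and a fresh poll is compared with the baseline to report Created, Deleted, and Modified files, with a line-level difference for the small set of text files flagged for it (the Report File Differences behavior). The monitored tree, its file names, and the changes are constructed in a temporary directory; the `snapshot`, `compare`, and `demo` functions are assumed names for this illustration.

```python
"""Added example of the polling-and-checksum approach the System FileWatch
Monitor describes: baseline SHA-256 checksums for wildcard paths bounded by a
search depth, re-poll, and report Created / Deleted / Modified files, with a
line-level difference for the few text files flagged for it.  Not Symantec's
engine; the monitored tree below is constructed in a temporary directory."""
import difflib
import hashlib
import tempfile
from pathlib import Path


def snapshot(root, patterns, search_depth, keep_content=False):
    """Return {relative_posix_path: (sha256_hex, content_or_None)} for files
    matching any glob in `patterns`, at most `search_depth` directory levels
    below `root` (0 = files directly in root).  Content is retained only when
    keep_content is set, the equivalent of Report File Differences, which the
    page advises restricting to a small set of files."""
    root = Path(root)
    result = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            rel = p.relative_to(root)
            if p.is_file() and len(rel.parts) - 1 <= search_depth:
                data = p.read_bytes()
                result[rel.as_posix()] = (hashlib.sha256(data).hexdigest(),
                                          data if keep_content else None)
    return result


def compare(before, after):
    """Diff two snapshots into (op, relative_path, detail) tuples.  For a
    Modified file whose content was kept in both snapshots, detail is a
    unified diff (added/removed lines); otherwise it is None."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append(("Created", rel, None))
        elif rel not in after:
            events.append(("Deleted", rel, None))
        elif before[rel][0] != after[rel][0]:
            old, new = before[rel][1], after[rel][1]
            detail = None
            if old is not None and new is not None:
                detail = list(difflib.unified_diff(
                    old.decode("utf-8", "replace").splitlines(),
                    new.decode("utf-8", "replace").splitlines(),
                    "before", "after", n=0, lineterm=""))
            events.append(("Modified", rel, detail))
    return events


def demo():
    """Build a constructed tree shaped like %SystemRoot%, take baselines as an
    agent would at shutdown, change files while 'the agent is stopped', then
    re-poll as it would at startup.  Returns (ini_events, binary_events)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drivers = root / "System32" / "drivers"
        drivers.mkdir(parents=True)
        (root / "win.ini").write_text("[fonts]\n[extensions]\n")
        (root / "System32" / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 64)
        (drivers / "disk.sys").write_bytes(b"MZ" + b"\1" * 64)

        # Baselines: config files with content kept for diff reporting (as in
        # the Core System Configuration Files rule), binaries by hash only.
        ini_base = snapshot(root, ["*.ini"], 0, keep_content=True)
        bin_base = snapshot(root, ["*.dll", "*.sys"], 2)

        # Changes made while no agent is running.
        (root / "win.ini").write_text("[fonts]\n[extensions]\nrun=evil.exe\n")
        (root / "System32" / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 63 + b"\x90")
        (drivers / "disk.sys").unlink()
        (drivers / "rootkit.sys").write_bytes(b"MZ")
        # Three levels down: outside search depth 2, so it must not be reported.
        (drivers / "etc").mkdir()
        (drivers / "etc" / "deep.sys").write_bytes(b"MZ")

        ini_events = compare(ini_base, snapshot(root, ["*.ini"], 0, keep_content=True))
        bin_events = compare(bin_base, snapshot(root, ["*.dll", "*.sys"], 2))
    return ini_events, bin_events


if __name__ == "__main__":
    for op, rel, detail in sum(demo(), []):
        print(op, rel)
        for line in detail or []:
            print("   ", line)
```

Two of the page's caveats show up directly in the output: the driver file created three levels below the root is invisible at search depth 2, and only the .ini file, whose content was retained, gets a line-level difference; the modified DLL is reported by hash mismatch alone, which is what keeps the baseline cheap for thousands of binaries.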
Table 6-176 Description of the Dll Cache Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Dll Cache Files
Rule Name: Baseline_FileWatch_Sys_Dll_Cache_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\dllcache\*.cpl
  %SystemRoot%\System32\dllcache\*.dll
  %SystemRoot%\System32\dllcache\*.exe
  %SystemRoot%\System32\dllcache\*.ocx
  %SystemRoot%\System32\dllcache\*.sys
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the DLL cache files that the system maintains.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-177 Description of the Driver Cache Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Driver Cache Files
Rule Name: Baseline_Filewatch_Sys_DriverCache_Files
Severity: Warning
Monitor Paths: %SystemRoot%\Driver Cache\*
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the driver cache files that the system maintains.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-178 Description of the Security Database Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Security Database Files
Rule Name: Baseline_FileWatch_Sys_SecurityDB_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\security\templates\*.inf
  %SystemRoot%\security\database\*.sdb
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the security database files that the system maintains.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-179 Description of the Core System Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Core System Files
Rule Name: Baseline_FileWatch_Sys_SecurityDB_Files
Severity: Warning
Monitor Paths:
  %ProgramFiles%\windows nt\*.dll
  %ProgramFiles%\windows nt\*.exe
  %ProgramFiles%\windows nt\accessories\*.exe
  %SystemRoot%\*.dll
  %SystemRoot%\*.exe
  %SystemRoot%\System32\*.acm
  %SystemRoot%\System32\*.ax
  %SystemRoot%\System32\*.com
  %SystemRoot%\System32\*.cpl
  %SystemRoot%\System32\*.dll
  %SystemRoot%\System32\*.drv
  %SystemRoot%\System32\*.exe
  %SystemRoot%\System32\*.ocx
  %SystemRoot%\System32\*.scr
  %SystemRoot%\System32\*.sys
  %SystemRoot%\System32\drivers\*.dll
  %SystemRoot%\System32\drivers\*.sys
  %SystemRoot%\System32\dsound.vxd
  %SystemRoot%\system\*.dll
  %SystemRoot%\system\*.drv
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor core system executable files.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-180 Description of the Core System Configuration Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Core System Configuration Files
Rule Name: Baseline_FileWatch_Sys_Core_Configuration_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\AUTOEXEC.NT
  %SystemRoot%\System32\CONFIG.NT
  %SystemRoot%\System32\desktop.ini
  %SystemRoot%\desktop.ini
  %SystemRoot%\system.ini
  %SystemRoot%\win.ini
Monitor Ops: Deleted, Created, Modified
Report File Differences: Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor core system configuration files.
Note: The Report File Differences option is enabled for this portion of the filewatch rule set. These small .ini files are a good example of where it fits: the reported differences, such as lines that were added or removed, let you decide whether an event should be escalated for investigation.
Table 6-181 Description of the Setup Dlls & Binaries parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Setup Dlls & Binaries
Rule Name: Baseline_FileWatch_Sys_Setup_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\Setup\*.dll
  %SystemRoot%\System32\Setup\*.exe
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor setup DLLs and binaries.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-182 Description of the System WBEM Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: System WBEM Files
Rule Name: Baseline_FileWatch_Sys_WBEM_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\wbem\*.dll
  %SystemRoot%\System32\wbem\*.exe
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor system WBEM files.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-183 Description of the System Export Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: System Export Files
Rule Name: Baseline_FileWatch_Sys_Export_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\export\*.dll
  %SystemRoot%\System32\export\*.exe
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor system export files.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-184 Description of the System OLE Support files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: System OLE Support files
Rule Name: Baseline_FileWatch_Sys_OLESupport_Files
Severity: Warning
Monitor Paths:
  %CommonProgramFiles%\system\ado\*.dll
  %CommonProgramFiles%\system\ole db\*.dll
  %CommonProgramFiles%\system\msadc\*.dll
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor OLE support files.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-185 Description of the Common Program Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Common Program Files
Rule Name: Baseline_FileWatch_Sys_Common_Program_Files
Severity: Warning
Monitor Paths: %CommonProgramFiles%\system\*.dll
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor common program files.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-186 Description of the Group Policy Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Group Policy Files
Rule Name: Baseline_FileWatch_Sys_Group_Policy_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\GroupPolicy\gpt.ini
  %SystemRoot%\System32\GroupPolicy\Machine\Scripts\*
  %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol
  %SystemRoot%\System32\GroupPolicy\User\Scripts\*
Monitor Ops: Created, Accessed, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor Group Policy files.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-187 Description of the System IME Files parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: System IME Files
Rule Name: Baseline_FileWatch_Sys_IME_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\ime\*.dll
  %SystemRoot%\ime\*.exe
  %SystemRoot%\ime\chsime\applets\*.dll
  %SystemRoot%\ime\chtime\applets\*.dll
  %SystemRoot%\ime\shared\*.dll
  %SystemRoot%\ime\shared\*.exe
  %SystemRoot%\ime\shared\res\*.dll
Monitor Ops: Created, Deleted, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor system IME files.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-188 Description of the Monitor Script Files in System Folders parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Monitor Script Files in System Folders
Rule Name: Baseline_FileWatch_Sys_Script_Files
Severity: Warning
Monitor Paths:
  %SystemRoot%\*.js
  %SystemRoot%\*.vbs
  %SystemRoot%\System32\*.js
  %SystemRoot%\System32\*.vbs
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor script files, for example JavaScript and VBScript files, in the system folders.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-189 Description of the Other Files (All Windows) parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Other Files (All Windows)
Rule Name: Baseline_FileWatch_Sys_Other_Files_All_Windows
Severity: Warning
Monitor Paths:
  %SystemRoot%\apppatch\*.dll
  %SystemRoot%\System32\os2\dll\*.dll
  %SystemRoot%\System32\CertSrv\cafixweb.exe
  %SystemRoot%\System32\spool\drivers\w32x86\*
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor other critical system files that are not included in any of the previous groups.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-190 Description of the Other Files (Not in NT) parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Other Files (Not in NT)
Rule Name: Baseline_FileWatch_Sys_Other_Files_Not_NT
Severity: Warning
Monitor Paths:
  %SystemRoot%\msagent\*.dll
  %SystemRoot%\msagent\*.exe
  %SystemRoot%\msagent\intl\*.dll
  %SystemRoot%\srchasst\msgr3en.dll
  %SystemRoot%\srchasst\srchctls.dll
  %SystemRoot%\pchealth\helpctr\binaries\*.dll
  %SystemRoot%\pchealth\helpctr\binaries\*.exe
  %SystemRoot%\pchealth\uploadlb\binaries\*.exe
  %SystemRoot%\System32\ShellExt\*
  %SystemRoot%\System32\Microsoft\Crypto\*
  %SystemRoot%\System32\Microsoft\Protect\*
  %SystemRoot%\System32\rpcproxy
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor other critical system files that are not present in Windows NT and are not included in any of the previous groups.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
Table 6-191 Description of the Other Files (NT Only) parameters used
Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Other Files (NT Only)
Rule Name: Baseline_FileWatch_Sys_Other_Files_NT_Only
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\viewers\*.dll
  %SystemRoot%\System32\viewers\*.exe
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor other critical system files that are present only in Windows NT and are not included in any of the previous groups.
Note: Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling it for a very large number of files (more than 1000) may affect system resources. Test such scenarios before deployment if many files require this detection functionality or if wildcard paths are used with the feature.
System Registry Monitor

This option group section monitors addition, deletion, and modification attempts against the critical Windows registry locations that are listed as monitored areas within this option group. If you use a default security posture, Symantec Critical System Protection sets up the registry monitor for you automatically. If you use your own security posture, you must select the registry paths that you want to monitor so that the registry monitor functions correctly.

A wide range of options are available for each rule to enable very specific tuning of how the registry entries are monitored.
System Registry Monitor - AutoStart Keys

This subsection of the policy monitors critical system auto start locations. Auto start registry key locations specify how specific software is started. Malware may also use these locations to add malicious entries that start applications without an administrator's knowledge.
Table 6-192 Description of the AutoStart System Keys parameters used
Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart System Keys
Rule Name: Sys_AutoStart_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\Software\Classes\*\shell\*\command\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run*
  \HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\
  \HKEY_USERS\*\Software\Classes\*\shell\*\command\
  \HKEY_USERS\*\Software\Microsoft\Windows NT\CurrentVersion\Windows\
  \HKEY_USERS\*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
  \HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  \HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run*
  \HKEY_USERS\*\Software\Policies\Microsoft\Windows\System\Scripts\
Monitor Ops: Created, Modified
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the default auto start registry key locations.
Note: This option group is set up to be very similar to the functions available in the System FileWatch Monitor.
157Policy optionsSystem Registry Monitor
Table 6-193 Description of the AutoStart Service Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart Service Keys
Rule Name: Sys_AutoStart_Service_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*
Monitor Ops: Created, Modified
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor service-specific auto start registry key locations.
Note: This option group is set up to be very similar to the functions available in the System File Watch Monitor.
Table 6-194 Description of the AutoStart System CMD Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart System CMD Keys
Rule Name: Sys_AutoStart_Injection_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  \HKEY_USERS\*\Software\Microsoft\Command Processor\*
Monitor Ops: Created, Modified, Deleted
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor system command processor auto start registry key locations.
Note: This option group is set up to be very similar to the functions available in the System File Watch Monitor.
Table 6-195 Description of the AutoStart Explorer Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart Explorer Keys
Rule Name: Sys_AutoStart_Explorer_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\Control\Session Manager\Environment\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  \HKEY_USERS\.Default\Environment\
  \HKEY_USERS\S-*-????\Environment\
  \HKEY_USERS\S-*-???\Environment\
  \HKEY_USERS\S-*-??\Environment\
  \HKEY_USERS\S-*-?\Environment\
Monitor Ops: Created, Modified
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor Explorer environment-specific auto start registry key locations.
Note: This option group is set up to be very similar to the functions available in the System File Watch Monitor.
Table 6-196 Description of the AutoStart System Injection Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart System Injection Keys
Rule Name: Sys_AutoStart_Injection_Keys
Severity: Major
Registry Paths:
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\*
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Monitor Ops: Created, Modified, Deleted
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor system injection auto start registry key locations.
Note: This option group is set up to be very similar to the functions available in the System File Watch Monitor.
System Symantec Software Monitor

This option group area of the policy contains monitoring functions for Symantec software. Currently the monitored ancillary applications are Symantec AntiVirus and Symantec Endpoint Protection. The policy automatically detects whether the host machine has Symantec AntiVirus or Symantec Endpoint Protection installed. Therefore, even if both areas of monitoring are enabled, only one area detects and generates events. This behavior prevents double event generation, which could confuse an administrator.

Symantec AntiVirus Client Communication

This portion of the policy detects alerts from Symantec AntiVirus client installations. This policy can be applied to all Windows hosts with Symantec AntiVirus client installations.
Table 6-197 Description of the Virus Detected parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected
Rule Name: Virus_Detection
Severity: Critical
Event IDs: 5
Description: Detects the discovery of a virus or Trojan horse by Symantec AntiVirus. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. Immediate action is usually warranted.
Table 6-198 Description of the AntiVirus Service Stopped parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Service Stopped
Rule Name: Antivirus_Service_Stopped
Severity: Warning
Event IDs: 13
Description: Detects the stopping of the Symantec AntiVirus service. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has stopped, it reports this status.
Table 6-199 Description of the AntiVirus Service Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Service Started
Rule Name: Antivirus_Service_Started
Severity: Notice
Event IDs: 14
Description: Detects the starting of the Symantec AntiVirus service. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has started, it reports this status.
Table 6-200 Description of the AntiVirus Scan Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Scan Started
Rule Name: AntiVirus_Scan_Started
Severity: Notice
Event IDs: 3
Description: Detects the starting of a manual scan of a host with Symantec AntiVirus. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that it has initiated a manual scan of the host, it reports this status.
Table 6-201 Description of the AntiVirus Scan Canceled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Scan Canceled
Rule Name: AntiVirus_Scan_Canceled
Severity: Warning
Event IDs: 21
Description: Detects the canceling of a manual scan of a host with Symantec AntiVirus. Symantec AntiVirus issues status messages for various application conditions. When Symantec AntiVirus determines that it has been commanded to cancel a manual scan, it reports this status.
Table 6-202 Description of the AntiVirus Scan Complete parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Scan Complete
Rule Name: AntiVirus_Scan_Complete
Severity: Notice
Event IDs: 2
Description: Detects the completion of a manual scan of a host with Symantec AntiVirus. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that it has successfully completed a manual scan, it reports this status.
Table 6-203 Description of the New Virus Definition Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: New Virus Definition Loaded
Rule Name: New_Virus_Defintion_Loaded
Severity: Notice
Event IDs: 7
Description: Detects the updating of Symantec AntiVirus with the latest virus definitions. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that it has loaded a new virus definition file, it reports this status.
Table 6-204 Description of the Virus Definitions are Current parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Definitions are Current
Rule Name: Virus_Definitions_are_Current
Severity: Notice
Event IDs: 16
Description: Detects that the installed virus definitions are current. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the definitions are current, it reports this status.
Table 6-205 Description of the AntiVirus Realtime Protection Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Realtime Protection Loaded
Rule Name: AntiVirus_Realtime_Protection_Loaded
Severity: Notice
Event IDs: 23
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the enabling of the Symantec AntiVirus real-time system protection option. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been enabled, it reports this status.
Table 6-206 Description of the AntiVirus Realtime Protection Disabled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Realtime Protection Disabled
Rule Name: AntiVirus_Realtime_Protection_Disabled
Severity: Critical
Event IDs: 24
Description: Detects the disabling of the Symantec AntiVirus real-time system protection option. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been disabled, it reports this status.
Table 6-207 Description of the Virus Detected - Cleaned Failed parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected - Cleaned Failed
Rule Name: Virus_Detected_Cleaned_Failed
Severity: Critical
Event IDs: 5, 46, 51
Description: Detects the discovery of a virus or Trojan horse by Symantec AntiVirus. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. This event indicates that the Symantec AntiVirus client was unable to clean, remove, or quarantine the identified malware and that the risk is still present on the system. Immediate investigation is required.
Symantec Endpoint Protection Client Communication

This portion of the policy detects alerts from Symantec Endpoint Protection client installations. This policy can be applied to all Windows hosts with Symantec Endpoint Protection client installations.

Note: This policy auto-detects whether the client is running Symantec Endpoint Protection or a previous version of Symantec AntiVirus.
Table 6-208 Description of the Virus Detected parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected
Rule Name: Virus_Detection
Severity: Critical
Event IDs: 5, 46, 51
Description: Detects the discovery of a virus or Trojan horse by Symantec Endpoint Protection. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. Immediate action is usually warranted.
Table 6-209 Description of the SEP Service Stopped parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Service Stopped
Rule Name: SEP_Service_Stopped
Severity: Warning
Event IDs: 13
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
  Symantec?Endpoint?Protection?Services
Description: Detects the stopping of the Symantec Endpoint Protection service. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the Symantec AntiVirus service has stopped, it reports this status.
Table 6-210 Description of the SEP Service Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Service Started
Rule Name: SEP_Service_Started
Severity: Notice
Event IDs: 14
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
  Symantec?Endpoint?Protection?Services
Description: Detects the starting of the Symantec Endpoint Protection service. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the Symantec AntiVirus service has started, it reports this status.
Table 6-211 Description of the SEP Scan Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Scan Started
Rule Name: SEP_Scan_Started
Severity: Notice
Event IDs: 3
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the starting of a manual scan of a host with Symantec Endpoint Protection. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that it has initiated a manual scan of the host, it reports this status.
Table 6-212 Description of the Scan Canceled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Scan Canceled
Rule Name: SEP_Scan_Canceled
Severity: Warning
Event IDs: 21
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the canceling of a manual scan of a host with Symantec Endpoint Protection. Symantec Endpoint Protection issues status messages for various application conditions. When Symantec Endpoint Protection determines that it has been commanded to cancel a manual scan, it reports this status.
Table 6-213 Description of the SEP Scan Complete parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Scan Complete
Rule Name: SEP_Scan_Complete
Severity: Notice
Event IDs: 2
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the completion of a manual scan of a host with Symantec Endpoint Protection. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that it has successfully completed a manual scan, it reports this status.
Table 6-214 Description of the New Virus Definition Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: New Virus Definition Loaded
Rule Name: New_Virus_Defintion_Loaded
Severity: Notice
Event IDs: 7
Description: Detects the updating of Symantec Endpoint Protection with the latest virus definitions. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that it has loaded a new virus definition file, it reports this status.
Table 6-215 Description of the Virus Definitions are Current parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Definitions are Current
Rule Name: Virus_Definitions_are_Current
Severity: Notice
Event IDs: 16
Description: Detects that the installed virus definitions are current. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the definitions are current, it reports this status.
Table 6-216 Description of the SEP Realtime Protection Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Realtime Protection Loaded
Rule Name: SEP_Realtime_Protection_Loaded
Severity: Notice
Event IDs: 23
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the enabling of the Symantec Endpoint Protection real-time system protection option. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the real-time protection option has been enabled, it reports this status.
Table 6-217 Description of the SEP Realtime Protection Disabled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Realtime Protection Disabled
Rule Name: SEP_Realtime_Protection_Disabled
Severity: Critical
Event IDs: 24
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the disabling of the Symantec Endpoint Protection real-time system protection option. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the real-time protection option has been disabled, it reports this status.
Table 6-218 Description of the Virus Detected - Cleaned Failed parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected - Cleaned Failed
Rule Name: Virus_Detected_Cleaned_Failed
Severity: Critical
Event IDs: 5, 46, 51
Description: Detects the discovery of a virus or Trojan horse by Symantec Endpoint Protection. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. This event indicates that the Symantec Endpoint Protection client was unable to clean, remove, or quarantine the identified malware and that the risk is still present on the system. Immediate investigation is required.
System External Device Activity

This option group subsection monitors for specific external device activity, such as the various activities that are associated with USB devices and CD and DVD burning. This activity should be monitored on an enterprise network, as such devices may pose the threat of data loss.

USB Device Activity

This portion of the policy detects activity that is associated with USB devices.
Table 6-219 Description of the USB Registry Connect Activity parameters used

Option Path: System External Device Activity > USB Device Activity
Option: USB Registry Connect Activity
Rule Name: USB_Registry_Connect_Activity
Severity: Warning
Noise Suppress: 1 Minute. Suppresses reporting of events from this rule for the specified duration after the rule has triggered once.
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\ENUM\USB\*
Description: Detects the USB device connection activity that is associated with the Windows registry. This rule provides a noise suppression duration value to tune out the unnecessary noise that this rule may cause.
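The AutoStart registry tables earlier in this chapter and the USB Registry Connect Activity rule in Table 6-219 share one mechanism: a change to a registry value under a monitored path is matched against each rule's Monitor Paths and Monitor Ops, and a rule with a Noise Suppress value stays quiet for that long after it fires. The following Python script, an added example rather than Symantec's code or the agent's implementation, re-creates that logic over two constructed registry snapshots. The rule table copies a subset of the Monitor Paths, Monitor Ops and Severity values from the tables; the snapshot contents, the SID, the device IDs, and the assumptions that a wildcard never spans a backslash and that a matched key is monitored recursively are the example's own.

```python
"""Added example, not Symantec's code: how the registry-monitor rules above turn
a change to a monitored key into an event. Registry snapshots are plain dicts
constructed in-line, so the script runs anywhere; a real agent reads the hive.
Wildcard and recursion semantics are simplified assumptions (see comments)."""
import re
from datetime import datetime, timedelta

# Rule table: (option name, severity, monitor ops, noise-suppress window, monitor paths).
# Paths are a subset of each rule's Monitor Paths from the tables above.
RULES = [
    ("AutoStart System Keys", "Warning", {"Created", "Modified"}, None, [
        r"\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run*",
        r"\HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run*",
    ]),
    ("AutoStart System CMD Keys", "Warning", {"Created", "Modified", "Deleted"}, None, [
        r"\HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor",
        r"\HKEY_USERS\*\Software\Microsoft\Command Processor\*",
    ]),
    ("AutoStart System Injection Keys", "Major", {"Created", "Modified", "Deleted"}, None, [
        r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\*",
    ]),
    ("USB Registry Connect Activity", "Warning", {"Created", "Modified"}, timedelta(minutes=1), [
        r"\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\ENUM\USB\*",
    ]),
]


def pattern_to_regex(pattern):
    """Policy wildcard to regex. Assumption: '*' and '?' never cross a '\\' boundary."""
    parts = [r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch)
             for ch in pattern.rstrip("\\")]
    return re.compile("".join(parts), re.IGNORECASE)   # registry paths are case-insensitive


def value_matches(regexes, key, value_name):
    """True if the value's full path, or any ancestor key of it, matches a monitor path.
    Assumption: a matched key is monitored recursively (chapter 7 covers recursion levels)."""
    components = (key + "\\" + value_name).split("\\")
    for depth in range(len(components), 1, -1):
        prefix = "\\".join(components[:depth])
        if any(r.fullmatch(prefix) for r in regexes):
            return True
    return False


def diff_snapshots(before, after):
    """Yield (op, (key, value_name)) for every value that differs between two snapshots."""
    for item in sorted(set(before) | set(after)):
        if item not in before:
            yield "Created", item
        elif item not in after:
            yield "Deleted", item
        elif before[item] != after[item]:
            yield "Modified", item


class RegistryMonitor:
    def __init__(self, rules=RULES):
        self.rules = [(n, s, ops, win, [pattern_to_regex(p) for p in paths]) for n, s, ops, win, paths in rules]
        self.last_fired = {}          # option name -> time the rule last generated an event

    def evaluate(self, before, after, now):
        """Return (severity, option, op, key, value_name) events for one snapshot comparison."""
        events = []
        for op, (key, value_name) in diff_snapshots(before, after):
            for option, severity, ops, window, regexes in self.rules:
                if op not in ops or not value_matches(regexes, key, value_name):
                    continue
                last = self.last_fired.get(option)
                if window and last is not None and now - last < window:
                    continue              # Noise Suppress: quiet for `window` after the first event
                self.last_fired[option] = now
                events.append((severity, option, op, key, value_name))
        return events


# Constructed snapshots: {(key, value name): data}.
HKLM_RUN = r"\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HKU_RUNONCE = r"\HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce"
CMD_PROC = r"\HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor"
KNOWN_DLLS = r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
USB_ENUM = r"\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\USB"

BEFORE = {
    (HKLM_RUN, "VendorTray"): r"C:\Program Files\Vendor\tray.exe",
    (HKLM_RUN, "Updater"): r"C:\Program Files\Vendor\updater.exe",
    (CMD_PROC, "AutoRun"): "",
}
AFTER = {
    (HKLM_RUN, "Updater"): r"C:\Users\Public\svch0st.exe",               # Modified: repointed at a dropper
    (HKU_RUNONCE, "cleanup"): r"C:\Users\Public\stage2.exe",              # Created: per-user RunOnce entry
    (KNOWN_DLLS, "evil"): "evil.dll",                                      # Created: KnownDLLs injection
    (USB_ENUM + r"\VID_0781&PID_5567", "FriendlyName"): "USB Mass Storage Device",  # Created: first plug-in
}                                                                          # VendorTray and AutoRun: Deleted


def demo():
    """Three comparisons: the changes above, then two more USB plug-ins 20 s and 90 s later."""
    monitor = RegistryMonitor()
    t0 = datetime(2012, 3, 1, 10, 0, 0)
    first = monitor.evaluate(BEFORE, AFTER, t0)
    later = {**AFTER, (USB_ENUM + r"\VID_0951&PID_1666", "FriendlyName"): "DataTraveler"}
    second = monitor.evaluate(AFTER, later, t0 + timedelta(seconds=20))   # inside the suppress window
    third = monitor.evaluate(AFTER, later, t0 + timedelta(seconds=90))    # window has elapsed
    return first, second, third


if __name__ == "__main__":
    for batch in demo():
        for event in batch:
            print(event)
```

Run it and note what does not fire: the VendorTray value removed from HKLM\...\Run produces no event, because AutoStart System Keys monitors only Created and Modified, whereas the Command Processor AutoRun deletion does, because the CMD rule also monitors Deleted. The second USB insertion 20 seconds after the first is dropped by the one-minute Noise Suppress window; the third, 90 seconds later, is reported.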
CD/DVD Burning Activity

This portion of the policy detects the various activities that are associated with CD and DVD burning.

Note: These rules function only in Windows 2000/2003 environments.
Table 6-220 Description of the CD/DVD Burning Services Enabled parameters used

Option Path: System External Device Activity > CD/DVD Burning Activity
Option: CD/DVD Burning Services Enabled
Rule Name: CD_DVD_Burning_Activity_Enabled
Severity: Warning
Event IDs: 7040
Description: Detects a change to the start type of the CD/DVD burning service, for example from Disabled to Automatic or Manual, from the Windows Event Log (Service Control Manager event ID 7040, "The start type of the ... service was changed").
Table 6-221 Description of the CD/DVD Burning Services Started parameters used

Option Path: System External Device Activity > CD/DVD Burning Activity
Option: CD/DVD Burning Services Started
Rule Name: CD_DVD_Burning_Activity_Started
Severity: Warning
Event IDs: 7036
Description: Detects when the CD/DVD burning service enters the running state, from the Windows Event Log (Service Control Manager event ID 7036, "The ... service entered the running state").
Table 6-222 Description of the CD/DVD Burning Services Stopped parameters used

Option Path: System External Device Activity > CD/DVD Burning Activity
Option: CD/DVD Burning Services Stopped
Rule Name: CD_DVD_Burning_Activity_Stopped
Severity: Warning
Event IDs: 7035
Description: Detects when the CD/DVD burning service is stopped, from the Windows Event Log (Service Control Manager event ID 7035, "The ... service was successfully sent a stop control").
USB Device Activity

Table 6-223 Description of the USB Registry Connect Activity parameters used

Option Path: System External Device Activity > USB Device Activity
Option: USB Registry Connect Activity
Rule Name: USB_Registry_Connect_Activity
Severity: Warning
Registry Path: \HKEY_LOCAL_MACHINE\SYSTEM\*Controlset*\ENUM\USB*
Description: Detects USB device connection activity that is associated with the Windows registry.
Table 6-224 Description of the USB Device Disconnected parameters used

Option Path: System External Device Activity > USB Device Activity
Option: USB Device Disconnected
Rule Name: USB_Device_Disconnected
Severity: Warning
Event IDs: 135
Description: Detects a USB device disconnection event from the Windows Event Log.
System Attack Detection

This option group subsection contains basic Web attack monitoring criteria to detect basic attacks on any Web server that produces an access log.

Note: The access log must follow W3C guidelines. The majority of Web server applications on Windows servers are Internet Information Services (IIS). By default, System Attack Detection is set up for IIS. You can set up this area for any Web hosting application. Within this option group subsection there is a global settings area to set several unique properties for the rest of the system attack monitor.

The global settings area consists of the following:

■ Alert only on Success Attack Attempt (Code 200): This setting configures all the attack detection rules to look for the trailing code 200 when a suspicious string is found in the access log. Trailing code 200 means a successfully processed request. This setting dramatically decreases the number of false positives and provides administrators with events that are considered processed by the hosting system. A 200 response shows that the server processed the request, not that the injected payload had any effect, so treat such an event as a lead to investigate.

■ Web Access Log File Path: This setting configures the Web access log path, which the rules in this policy subsection sift through to find malicious request strings. Symantec Critical System Protection provides a default IIS 7 location.

■ Whitelisted IP Addresses: This setting configures the IP addresses that are allowed or otherwise ignored in this monitoring subsection. These IP addresses are for tools like automated vulnerability scanning systems on enterprise networks, where you know that Web attack tests occur at regular intervals.

■ Blacklisted IP Addresses: This setting configures the IP addresses that are not allowed access to the host system. Blacklisted IP addresses may be any addresses outside an internal network range if this area monitors an intranet Web host. Blacklisted IP addresses may also be known bad IP addresses from any of the blacklists available on the Internet.

■ IIS HTTP Success Code: The IIS HTTP Success Code is the trailing HTTP code on all requests that signifies that the request has been successfully processed on the host Web system. A success code that is paired with a maliciously crafted URI string indicates a possibly compromised system.

■ IIS HTTP Error Code: The IIS HTTP Error Code is the HTTP error code that signifies a bad HTTP request. A high frequency of these codes in the access log signifies that a Web vulnerability scan may be occurring.
Generic Web Attack Detection Monitoring

Table 6-225 Description of the Generic VA scan Attempt parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic VA scan Attempt
Rule Name: WebAttackDetection_Generic_VAScan
Severity: Warning
Invalid Count: 20 (the number of 404 or unknown-request responses that must be received)
Interval: 2 minutes (the time window within which the invalid count must occur to trigger the event)
Description: Detects a possible VA scan by triggering an event within a specific administrator-defined threshold. If Symantec Critical System Protection receives the specified number of 404 error codes within the user-defined interval, this rule generates an alert on a possible VA scan attempt.
Table 6-226 Description of the Generic Blacklisted IP Request Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Blacklisted IP Request Attempts
Rule Name: WebAttackDetection_Generic_BlackListedIP
Severity: Warning
Description: A simple rule that detects an access attempt by a blacklisted IP address found in the HTTP access log. You configure the blacklisted IP addresses in the Global Settings area. If you enable this rule, any attempt by a predefined blacklisted IP address generates an event.
Table 6-227 Description of the Generic SQL Injection Attack Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic SQL Injection Attack Attempts
Rule Name: WebAttackDetection_Generic_SQLInjection
Severity: Warning
Description: Detects very simple and generic SQL injection-type attacks when it monitors the HTTP access log file. Primary and secondary select logic is used to ensure that accurate rule tuning can occur. You can customize this area to your needs to add further SQL injection measures.
Table 6-228 Description of the Generic Directory Transversal Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Directory Transversal Attempts
Rule Name: WebAttackDetection_Generic_DirTransversal
Severity: Warning
Description: Detects possible directory traversal attempts in HTTP request strings. The generic strings for directory traversal attempts are provided. An individual or script attempting to traverse directories by HTTP request may be considered a malicious action.
Table 6-229 Description of the Generic Malicious User Agent Request Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Malicious User Agent Request Attempts
Rule Name: WebAttackDetection_Generic_MaliciousUserAgent
Severity: Warning
Description: Detects malicious user agent strings in HTTP requests. Automated scripts commonly use bad user agents in large-scale attacks. Pre-scripted suites of programs also use them to attack a Web server. The presence of these known-bad user agent strings may indicate a malicious attempt to access your host Web system.
Table 6-230 Description of the Generic Unwanted Extension Requests parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Unwanted Extension Requests
Rule Name: WebAttackDetection_Unwanted_Extension_Request
Severity: Warning
Description: Detects unwanted or suspicious extension requests. Files that are requested with the extensions configured in this rule may indicate a malicious script or user. You can add or remove extensions in this area to customize this event per host system environment.
Table 6-231 Description of the Generic Unwanted Directory Requests parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Unwanted Directory Requests
Rule Name: WebAttackDetection_Unwanted_Directory_Request
Severity: Warning
Description: Detects unwanted or suspicious directory requests. Directory requests as configured in this rule may indicate a malicious script or user. You can add or remove sensitive directory paths in this area to customize this event per host system environment.
Table 6-232 Description of the Generic Vulnerable CGI Requests parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Vulnerable CGI Requests
Rule Name: WebAttackDetection_Generic_VulnerableCGIRequest
Severity: Warning
Description: Detects unwanted or suspicious CGI and script requests. CGI and script requests as configured in this rule may indicate a malicious script or user. You can add or remove sensitive directory paths in this area to customize this event per host system environment.
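Taken together, the global settings and the rules in Tables 6-225 to 6-232 describe one pipeline: parse each W3C access-log record, drop whitelisted addresses, count error-code responses per address for the VA scan rule, flag blacklisted addresses, and, when the success-code filter is on, run the signature rules only against requests the server answered with the success code. The Python script below, an added example and not Symantec's code or the policy's own select strings, implements that pipeline over a constructed IIS 7.5 log. The addresses, patterns, extensions, directories and CGI names are illustrative values to be replaced with your own.

```python
"""Added example, not Symantec's code: the System Attack Detection rules applied to
IIS W3C extended log lines. Global-setting values, select strings and the log lines
are constructed for the example; the policy's own select strings are not reproduced."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Global Settings (names follow the policy; values are assumptions for this run).
ALERT_ONLY_ON_SUCCESS = True            # Alert only on Success Attack Attempt (Code 200)
SUCCESS_CODE = "200"                    # IIS HTTP Success Code
ERROR_CODE = "404"                      # IIS HTTP Error Code
WHITELISTED_IPS = {"10.0.0.5"}          # e.g. the in-house vulnerability scanner
BLACKLISTED_IPS = {"203.0.113.9"}
INVALID_COUNT = 20                      # Generic VA scan Attempt: Invalid Count
INTERVAL = timedelta(minutes=2)         # Generic VA scan Attempt: Interval

# Illustrative select strings for the signature rules.
SQLI = [r"(?i)union\s+select", r"(?i)'\s*or\s+'?1'?\s*=\s*'?1", r"(?i)xp_cmdshell"]
TRAVERSAL = [r"\.\./", r"\.\.\\"]
BAD_AGENTS = [r"(?i)nikto", r"(?i)sqlmap", r"(?i)nessus"]
UNWANTED_EXT = (".bak", ".old", ".config", ".mdb", ".sql")
UNWANTED_DIRS = ("/_vti_bin/", "/scripts/", "/admin/")
VULNERABLE_CGI = ("/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/formmail")


def parse_w3c(lines):
    """Yield one dict per record; field names come from the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


class WebAttackDetector:
    def __init__(self):
        self.error_times = defaultdict(deque)   # c-ip -> times of error-code responses
        self.events = []

    def alert(self, rule, rec, detail):
        self.events.append({"rule": rule, "severity": "Warning", "ip": rec["c-ip"], "detail": detail})

    def process(self, rec):
        ip, status = rec["c-ip"], rec["sc-status"]
        if ip in WHITELISTED_IPS:
            return                          # whitelisted scanners are ignored outright
        query = rec.get("cs-uri-query", "-")
        request = unquote_plus(rec["cs-uri-stem"] + ("" if query == "-" else "?" + query))
        stem = rec["cs-uri-stem"].lower()
        agent = rec.get("cs(User-Agent)", "-").replace("+", " ")   # IIS logs spaces as '+'

        if ip in BLACKLISTED_IPS:           # fires on any request, whatever the status code
            self.alert("WebAttackDetection_Generic_BlackListedIP", rec, request)

        if status == ERROR_CODE:            # VA scan: INVALID_COUNT errors inside INTERVAL
            now = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            window = self.error_times[ip]
            window.append(now)
            while now - window[0] > INTERVAL:
                window.popleft()
            if len(window) >= INVALID_COUNT:
                self.alert("WebAttackDetection_Generic_VAScan", rec, f"{len(window)} x {ERROR_CODE}")
                window.clear()

        if ALERT_ONLY_ON_SUCCESS and status != SUCCESS_CODE:
            return                          # request not processed: signature rules stay quiet
        checks = [
            ("WebAttackDetection_Generic_SQLInjection", any(re.search(p, request) for p in SQLI), request),
            ("WebAttackDetection_Generic_DirTransversal", any(re.search(p, request) for p in TRAVERSAL), request),
            ("WebAttackDetection_Generic_MaliciousUserAgent", any(re.search(p, agent) for p in BAD_AGENTS), agent),
            ("WebAttackDetection_Unwanted_Extension_Request", stem.endswith(UNWANTED_EXT), stem),
            ("WebAttackDetection_Unwanted_Directory_Request", any(d in stem for d in UNWANTED_DIRS), stem),
            ("WebAttackDetection_Generic_VulnerableCGIRequest", stem.startswith(VULNERABLE_CGI), stem),
        ]
        for rule, hit, detail in checks:
            if hit:
                self.alert(rule, rec, detail)


def detect(lines):
    """Run every rule over the access-log lines and return the generated events."""
    detector = WebAttackDetector()
    for rec in parse_w3c(lines):
        detector.process(rec)
    return detector.events


# Constructed IIS W3C log; a 20-request 404 burst from one address is appended.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2012-03-01 10:00:01 198.51.100.7 GET /login.asp user=admin'+or+'1'='1 200 Mozilla/5.0
2012-03-01 10:00:02 198.51.100.7 GET /login.asp user=admin'+or+'1'='1 500 Mozilla/5.0
2012-03-01 10:00:03 192.0.2.4 GET /images/../../web.config - 200 Mozilla/5.0
2012-03-01 10:00:04 203.0.113.9 GET /index.html - 200 Mozilla/5.0
2012-03-01 10:00:05 10.0.0.5 GET /cgi-bin/phf - 200 Nikto/2.1.5
2012-03-01 10:00:06 192.0.2.4 GET /backup/site.bak - 200 Mozilla/5.0
2012-03-01 10:00:07 198.51.100.8 GET / - 200 sqlmap/1.0-dev+(http://sqlmap.org)
""".splitlines() + [f"2012-03-01 10:01:{i:02d} 192.0.2.77 GET /probe{i}.asp - 404 Mozilla/5.0" for i in range(20)]

if __name__ == "__main__":
    for e in detect(SAMPLE_LOG):
        print(f'{e["severity"]:8}{e["ip"]:15}{e["rule"]:48}{e["detail"]}')
```

Two details matter in practice: the request is URL-decoded before matching (unquote_plus turns %2e%2e/ into ../ and the form-encoded + into a space, so encoded variants of the same payload are caught), and the 500-status copy of the SQL injection request produces no event while Alert only on Success Attack Attempt is set, which is exactly the false-positive trade-off the global setting describes.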
Chapter 7 UNIX Baseline Detection policy
This chapter includes the following topics:
■ Introduction
■ File monitoring improvements
■ Advanced per-rule tuning improvements
■ Console changes
■ Unicode Log Monitoring for UNIX
■ How wildcard characters and recursion levels work in IDS file monitoring
Introduction

The Host Intrusion Detection policies have been redesigned and rewritten to enhance stability, provide greater ease of use and detection accuracy, and add functionality. Multiple policies have been reorganized into two baseline monitoring solutions for the Windows and the UNIX operating system environments.

■ The Windows Baseline Detection Policy became available in release 5.2.6 (5.2 RU6).

■ The UNIX Baseline Detection Policy became available in release 5.2 RU7.
The UNIX Baseline Detection policy includes the following improvements:

■ The IDS policy has been rewritten to improve functionality and accuracy in monitoring security events.

■ The file monitoring area has been redesigned and rewritten to provide a large number of new file and directory monitoring functions. For example, you can now control and enable the access, delete, modify, and create change monitoring functions by group.

■ You can now perform advanced rule-by-rule tuning directly from the Symantec Critical System Protection console. These rules now also use ignore logic and select logic methodology.

■ You can now configure and view all rule content from the Symantec Critical System Protection console, which removes the need to use the Authoring Tool.

■ Policy option group naming conventions have been standardized for ease of administration. You can now enable and disable entire areas of the policies with option check boxes.

■ Automatic application detection has been updated to enable and disable monitoring without the need for administrators to configure the policy individually per host.

■ You can now configure many parameter options individually for each rule. For example, you can configure the Rule Name, Rule Severity, and Rule monitoring content separately for each rule.

■ You can now select a severity level for each rule. You no longer need to know specific numerical values for the severity base types.

■ New Web attack detection functionality has been built into the policy to provide monitoring of Web attacks. The types of attacks that are detected include basic SQL injection, directory traversal, vulnerable CGI requests, blacklist IP functionality, and vulnerability scanning detection. Malicious request strings, malicious extension requests, and malicious user agent strings are also detected.

■ You can now mouse over parts of the user interface to display descriptions to assist in policy navigation and rule-by-rule overview.
UNIX-specific policy changes include the following improvements:
■ Monitoring of individuals who log off of host systems.
■ New compatibility with Symantec AntiVirus for Linux for monitoring Symantec software.
■ New command monitoring that is accomplished by configuring the text log monitoring of user-defined or root bash or ksh history files. Superuser DO (sudo) commands are specifically monitored for privileged command inspection and retention. This new functionality provides the ID of the user who performs the command, the exact command performed, and a date stamp and time stamp. This functionality helps to meet various regulatory compliance requirements.
■ Monitoring of suspicious binary file permission changes. This change helps to ensure that critical command-line executables are not subject to the malicious permissions changes that malware typically performs.
■ Monitoring of malicious Loadable Kernel Modules (LKMs) to detect the loading of known malware-related LKM modules.
■ Addition of a new System Hardening Monitor, which generates events when new auto start daemons or programs, such as the rc.d script, are added. It also monitors specific changes to inittab, a critical system configuration file.
■ New UNIX malware detection that tracks file and directory creation activities from known UNIX forms of malware. Malware detection variants include rootkit detection and worm detection.
Table 7-1 illustrates how the existing policies from previous releases were combined with new options into the 5.2 RU7 top-level option groups.
Table 7-1 Detection options organization map
Detection option organization in release 5.2 RU7 (each group is followed by the options in previous releases that it absorbs):
System User and Group Change Monitor
  User/Group_Configuration
  Privileged_User/Group_Configuration
System Login Activity and Access Monitor
  System_Logon_Failure
  System_Logoff_Success
  System_Failed_Access_Status
System Privileged Command and Bash History Monitor
  System_SUDO_Monitor
  System_Root_Command_Monitor
  System_User_Command_Monitor
System Hardening Monitor
  System_AutoStart_Change (rc*.d)
  System_Service_Config_Monitor
  System_Xserver_Configuration
  System_RunLevel_Monitor (Inittab)
  System_Sysconfig_Monitor (Sysconfig)
System File and Directory Monitor
  Host_IDS_File_Tampering
  Critical_System_File_Monitor
System Symantec Software Monitor
  Symantec_AV_Linux_Client_Comms
  Symantec_AV_Unix_Client_Comms
System External Device Activity Monitor
  USB_Connectivity_Activity
  CD/DVD_Burning_Activity
System Attack Detection
  Generic_Web_Attack_Detection
  Malicious_LKM_Detection
  Unix_Generic_Malware_and_Rootkit_Detection
File monitoring improvements
To provide granular control over UNIX file change monitoring, Symantec Critical System Protection monitors near real-time changes on local file systems and fixed file systems. It does not monitor changes on removable media or remote network drives.
It no longer uses polling intervals. Symantec Critical System Protection uses the FIPS 180-2-compliant Secure Hash Algorithm (SHA-256) to calculate file hashes or checksums at runtime. The MD5 algorithm is no longer used or available.
For performance efficiency, you can enable or disable the checksum calculation for each filewatch list. A single hash algorithm is used on all the files in a watched list.
Specific file monitoring changes include the following improvements:
■ You can control and enable the access, delete, modify, and create change monitoring functions on a group-by-group basis.
■ You can control modification diff'ing, including algorithm selection, on a group-by-group basis.
■ You can set date and time restrictions within each specific file monitoring group.
■ You can tune the file monitor modified detection operation for specific criteria, such as only for permission changes, size changes, bitmask changes, and so on.
■ You can use specific ignore logic criteria and select logic criteria in each file monitoring group. For example, you can independently configure each file monitoring group to ignore file paths or strings.
Note: Symantec Critical System Protection continues to poll remote files, such as files on network drives or removable media, every specified interval to detect changes.
See “How wildcard characters and recursion levels work in IDS file monitoring” on page 187.
Advanced per-rule tuning improvements
Advanced per-rule tuning includes the following options for configuration:
■ Rule Name
■ Rule Severity
■ Rule monitoring content, such as file paths, log file strings, select criteria, and ignore criteria
■ Select logic, in the form of strings
■ Ignore logic, in the form of strings
■ Date and time restrictions, as applicable
Console changes
Symantec Critical System Protection provides specific content control per rule from the console. Each rule in the Baseline policy has required parameters. These rules are now viewable and customizable from the console.
The options in Table 7-2 are available for each rule that is displayed in the Policy Settings pane.
Table 7-2 Rule options
Rule Name: The name that is associated with the rule that generates the specific event. A single string value is allowed in the string field.
Severity: The severity of the event. Available for each rule of the policy. You can select only one severity level (Info, Notice, Warning, Major, or Critical) for each rule.
File Paths: Parameter options for filewatch rules. You can use multiple file paths with associated wildcard entries in this string list. You can add, edit, and remove file paths.
Select Strings: Used in rule select logic. Symantec Critical System Protection uses primary logic, an initial sifting method, for rule event generation. Use an asterisk (*) to select all the events that the previously entered criteria generate, such as event IDs, file paths, or log strings that were previously defined. With this option you can specifically tune rules for administrator needs.
For example, if you change the select string on a filewatch rule from * to *Permission*, then that rule only generates a filewatch event if that event contains the string “Permission.” You can have multiple select strings in this string list. All strings are case insensitive. You can add, edit, and remove select strings.
Ignore Strings: Used in rule ignore logic. Symantec Critical System Protection uses secondary ignore logic, an ignore sifting method, for rule event generation. Almost all rule parameter options contain a blank value, which signifies that a null value or no value is associated with the ignore logic statement.
Upon pattern matching at final event generation, Symantec Critical System Protection ignores events that match any non-blank string in this field. Ignore strings also provide you with the ability to perform advanced rule-by-rule tuning. You can have multiple ignore strings in this string list. All strings are case insensitive. You can add, edit, and remove ignore strings.
The ignore criteria ignore items that have a tendency to change frequently or items that are not a part of the core system and configuration. Such items include logs, temp directories, and so on.
Note: Each parameter is preconfigured with default values to ensure the functionality of the rule. Changes to rule name and severity do not affect the overall operation of the rule.
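To make the two-stage sifting of Table 7-2 concrete, here is an added Python model (not the product's code) that applies select strings first and ignore strings second, case insensitively, with a blank ignore string treated as the null value the table describes; the filewatch event texts are constructed samples, and the `*/etc/ssh/*` and `*/var/log/*` ignore strings are illustrative values.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List


def _matches_any(text: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive wildcard match. A blank string is a null value and
    never matches, which is why a blank ignore field ignores nothing."""
    return any(
        p.strip() and fnmatchcase(text.lower(), p.strip().lower())
        for p in patterns
    )


def sift_events(events: Iterable[str], select_strings: Iterable[str],
                ignore_strings: Iterable[str]) -> List[str]:
    """Primary select logic first, then secondary ignore logic on the survivors."""
    selected = [e for e in events if _matches_any(e, select_strings)]
    return [e for e in selected if not _matches_any(e, ignore_strings)]


# Constructed filewatch event texts (not real agent output).
SAMPLE_EVENTS = [
    "File modified: /etc/passwd (Size changed)",
    "File modified: /usr/bin/passwd (Permission changed 0755 -> 4755)",
    "File modified: /var/log/messages (Size changed)",
    "File created: /tmp/scratch/job.tmp",
    "File modified: /etc/ssh/sshd_config (permission changed 0600 -> 0644)",
]

if __name__ == "__main__":
    # Defaults: '*' selects everything the rule generated, blank ignores nothing.
    print(len(sift_events(SAMPLE_EVENTS, ["*"], [""])), "events with defaults")
    # Tuned rule: permission changes only, and not under /etc/ssh.
    for e in sift_events(SAMPLE_EVENTS, ["*Permission*"], ["*/etc/ssh/*"]):
        print("event:", e)
```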
Unicode Log Monitoring for UNIX
The IDS agent logwatch collector reads Unicode text log files, so that you can monitor the applications that output to Unicode log files or to Unicode format.
How wildcard characters and recursion levels work in IDS file monitoring
When you use wildcard characters in IDS file monitoring, the following rules apply:
■ Only the asterisk (*) and question mark (?) wildcard characters are allowed.
■ The asterisk (*) stands for one or more characters.
■ The question mark (?) stands for a single character only.
■ Wildcard characters are allowed only in the last element of a file path. You can only place a wildcard character after the last slash in a file path.
The following are examples of valid uses of wildcard characters in a file path:
■ /tmp/*
■ /tmp/L1/*.txt
■ /tmp/L2/*file*.ini
■ /tmp/L1/file?.ini
■ /tmp/L1/file?.*
The following are examples of invalid uses of wildcard characters in a file path:
■ /tmp/*/L3/*.txt
■ /tmp/L2/*/file?.txt
Recursion levels only work with the use of one or more wildcard characters. If a file path specification contains no wildcard character, then the recursion level has no effect. Rules may have a specified recursion level and file paths with mixed entries, where only some of the file paths contain wildcard characters. Recursion works only with the file paths that contain one or more wildcard characters.
When both recursion and wildcard characters are specified, the folder path and file name are considered separately. A file name that is specified with one or more wildcard characters is searched for in the given path and in a number of subfolders. The number of subfolders that are searched is equal to the recursion level minus 1.
For example, if you configure a file path of /tmp/*.dll and a recursion level of 3, that requests to monitor all DLL files in the /tmp folder three levels deep, including /tmp.
The following DLL files are monitored for changes:
■ /tmp/my.dll
■ /tmp/L1/your.dll
■ /tmp/D1/ours.dll
■ /tmp/L1/L2/his.dll
■ /tmp/D1/D2/her.dll
In this example, the /tmp/D1/D2/D3/bad.dll file would not be monitored.
See “File monitoring improvements” on page 184.
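As an added illustration (not Symantec code), the following Python models the wildcard and recursion rules just described, so a policy author can check which paths a file path entry plus recursion level would cover before deploying it; the candidate paths are constructed, and the treatment of recursion levels below 1 is an assumption the text does not settle.

```python
import re
from typing import List

# Policy wildcard semantics taken from the rules above: '*' is one or more
# characters, '?' is exactly one character, and wildcards may appear only in
# the last element of the path (after the final slash).


def validate_spec(spec: str) -> bool:
    """True when every wildcard in `spec` sits after the last slash."""
    folder, _, _name = spec.rpartition("/")
    return "*" not in folder and "?" not in folder


def _name_regex(name: str) -> "re.Pattern[str]":
    """Translate a file-name element with policy wildcards into a regex."""
    parts = []
    for ch in name:
        if ch == "*":
            parts.append(".+")       # one or more characters, per the rules
        elif ch == "?":
            parts.append(".")        # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def is_monitored(spec: str, recursion_level: int, path: str) -> bool:
    """Decide whether `path` is covered by file path `spec` at `recursion_level`."""
    if not validate_spec(spec):
        raise ValueError(f"wildcards are allowed only after the last slash: {spec}")
    spec_folder, _, spec_name = spec.rpartition("/")
    path_folder, _, path_name = path.rpartition("/")
    if "*" not in spec_name and "?" not in spec_name:
        # No wildcard: recursion has no effect, so only the exact path matches.
        return path == spec
    if not _name_regex(spec_name).match(path_name):
        return False
    # Depth 0 is the named folder itself; each extra component adds one level.
    if path_folder == spec_folder:
        depth = 0
    elif path_folder.startswith(spec_folder + "/"):
        depth = path_folder[len(spec_folder) + 1:].count("/") + 1
    else:
        return False
    # Level N covers the folder plus N-1 subfolder levels. Levels below 1 are
    # not defined by the text; treating them as "folder only" is an assumption.
    return depth <= max(recursion_level, 1) - 1


def monitored_files(spec: str, recursion_level: int, candidates: List[str]) -> List[str]:
    """Filter a list of paths down to those the rule would watch."""
    return [p for p in candidates if is_monitored(spec, recursion_level, p)]


# Constructed candidate paths, mirroring the /tmp/*.dll example above.
SAMPLE_PATHS = [
    "/tmp/my.dll",
    "/tmp/L1/your.dll",
    "/tmp/D1/ours.dll",
    "/tmp/L1/L2/his.dll",
    "/tmp/D1/D2/her.dll",
    "/tmp/D1/D2/D3/bad.dll",
    "/tmp/L1/notes.txt",
]

if __name__ == "__main__":
    for p in monitored_files("/tmp/*.dll", 3, SAMPLE_PATHS):
        print("monitored:", p)
```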
Chapter 8 Policy options
This chapter includes the following topics:
■ System User and Group Change Monitor
■ System Login Activity and Access Monitor
■ System Privileged Command and Bash History Monitor
■ System Hardening Monitor
■ System File and Directory Monitor
■ System Symantec Software Monitor
■ System External Device Activity Monitor
■ System Attack Detection
System User and Group Change Monitor
This option group section of the policy monitors for specific user and group change-based events.
Global User and Group Change Monitor Settings
Monitors user and group events such as when a user is added or deleted. Changes are detected by the user_monitor.sh script that monitors user configuration system files.
Table 8-1 Description of the Monitor User and Group File(s) Checksum parameters used
Option Path: System User and Group Change Monitor > Global User and Group Change Monitor Settings
Option: Monitor User and Group File(s) Checksum
Description: Detects the changes that are made to global user and group accounts on the local system. The checksum is calculated at agent startup to determine whether the files were modified since Symantec Critical System Protection was last shut down.
Table 8-2 Description of the User and Group Monitor Polling Interval parameters used
Option Path: System User and Group Change Monitor > Global User and Group Change Monitor Settings
Option: User and Group Monitor Polling Interval
Description: Sets how often files are polled for changes in status. A short polling interval could possibly impact system performance.
Table 8-3 Description of the User and Group Configuration File Paths parameters used
Option Path: System User and Group Change Monitor > Global User and Group Change Monitor Settings
Option: User and Group Configuration File Paths
Description: Sets the configuration files to be monitored.
System User Configuration Changes
Detects changes in user accounts, such as the creation or deletion of a user, and changes in parameters such as user name, home directory, login shell, and so on.
Table 8-4 Description of the User Created parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Created
Rule Name: User_Created
Severity: Warning
Description: Detects the creation of user accounts on the local system.
Note: If this rule is unchecked, you cannot monitor user name change events.
Table 8-5 Description of the User Deleted parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Deleted
Rule Name: User_Deleted
Severity: Warning
Description: Detects the deletion of user accounts on the local system.
Table 8-6 Description of the User's Password Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Password Changed
Rule Name: User_Password_Changed
Severity: Notice
Description: Detects the changes to users' passwords in user accounts on the local system.
Table 8-7 Description of the User's Name Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Name Changed
Rule Name: User_Name_Changed
Severity: Notice
Description: Detects the changes to users' names in user accounts on the local system.
Table 8-8 Description of the User's ID Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's ID Changed
Rule Name: User_ID_Changed
Severity: Notice
Description: Detects the changes that are made to users' IDs in system user accounts on the local system.
Table 8-9 Description of the User's Primary Group Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Primary Group Changed
Rule Name: User_Primary_Group_ID_Changed
Severity: Notice
Specific Primary Groups: Sets user-defined groups. Default value is all groups.
Description: Detects the changes that are made to users' primary group ID numbers in system user accounts on the local system.
Table 8-10 Description of the User's Full Name Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Full Name Changed
Rule Name: User_Full_Name_Changed
Severity: Notice
Description: Detects the changes that are made to users' full names in system user accounts on the local system.
Table 8-11 Description of the User's Home Directory Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Home Directory Changed
Rule Name: User_Home_Directory_Changed
Severity: Warning
Description: Detects the changes that are made to users' home directories in system user accounts on the local system.
Table 8-12 Description of the User's Login Shell Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Login Shell Changed
Rule Name: User_Login_Shell_Changed
Severity: Warning
Description: Detects the changes that are made to users' login shells in system user accounts on the local system.
Table 8-13 Description of the User's Minimum Password Age Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Minimum Password Age Changed
Rule Name: User_Minimum_Password_Age_Changed
Severity: Warning
Description: Detects the changes that are made to users' minimum password age parameter in system user accounts on the local system.
Table 8-14 Description of the User's Maximum Password Age Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Maximum Password Age Changed
Rule Name: User_Maximum_Password_Age_Changed
Severity: Warning
Description: Detects changes in users' maximum days between password changes parameter in system user accounts on the local system.
Table 8-15 Description of the User's Maximum Days of Account Inactivity Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Maximum Days of Account Inactivity Changed
Rule Name: User_Passwd_Inactivity_Days_Changed
Severity: Warning
Description: Detects changes in the parameter that sets the maximum number of days that users can go without logging into their accounts before the account is made inactive.
Table 8-16 Description of the User's Account Expiry Date Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Account Expiry Date Changed
Rule Name: User_Account_Expiry_Date_Changed
Severity: Warning
Description: Detects changes in the date when users' logins automatically expire.
Table 8-17 Description of the User's Password Expire Warning Date Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Password Expire Warning Date Changed
Rule Name: User_Password_Expire_Warning_Date_Changed
Severity: Warning
Description: Detects changes in the date when users are warned that their password is about to expire.
Table 8-18 Description of the User's Attribute Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User's Attribute Changed
Rule Name: User_Attributes_Changed
Severity: Warning
Description: Detects changes in users' attributes that are located in the /etc/user_attr file on the local system.
System Group Configuration Changes
This option subgroup section of the policy monitors for specific group configuration change-based events, such as the creation and deletion of groups.
Table 8-19 Description of the Group Created parameters used
Option Path: System User and Group Change Monitor > System Group Configuration Changes
Option: Group Created
Rule Name: Group_Created
Severity: Warning
Description: Detects the creation of a group.
Note: If this rule is unchecked, you cannot monitor changes in a group's name.
Table 8-20 Description of the Group Deleted parameters used
Option Path: System User and Group Change Monitor > System Group Configuration Changes
Option: Group Deleted
Rule Name: Group_Deleted
Severity: Warning
Description: Detects the deletion of a group.
Note: If this rule is unchecked, you cannot monitor changes in a group's name.
Table 8-21 Description of the Group Membership Changed parameters used
Option Path: System User and Group Change Monitor > System Group Configuration Changes
Option: Group Membership Changed
Rule Name: Group_Membership_Change
Severity: Warning
Specific Membership Groups: Sets user-defined membership groups. Default value is all groups.
Description: Detects the addition or deletion of a user from a group.
Table 8-22 Description of the Group Name Change parameters used
Option Path: System User and Group Change Monitor > System Group Configuration Changes
Option: Group Name Change
Rule Name: Group_Name_Changed
Severity: Warning
Description: Detects a change in the name of a group. Group created and group deleted events are generated for group name changes.
Table 8-23 Description of the Group Lock Flag Changed parameters used
Option Path: System User and Group Change Monitor > System Group Configuration Changes
Option: Group Lock Flag Changed
Rule Name: Group_LockFlag_Changed
Severity: Warning
Description: Detects the changes to a group's lock flag.
Table 8-24 Description of the Group ID Changed parameters used
Option Path: System User and Group Change Monitor > System Group Configuration Changes
Option: Group ID Changed
Rule Name: Group_ID_Changed
Severity: Warning
Description: Detects the changes to a group's ID.
Privileged User and Group Configuration Activity
This option subgroup section of the policy monitors for privileged user and group configuration change-based events, such as the creation of superusers and superuser groups.
Table 8-25 Description of the Superuser (root level) User Created parameters used
Option Path: System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option: Superuser (root level) User Created
Rule Name: Superuser_Account_Created
Severity: Major
Description: Detects the creation of a superuser account.
Table 8-26 Description of the Superuser (root level) Group Created parameters used
Option Path: System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option: Superuser (root level) Group Created
Rule Name: Superuser_Group_Created
Severity: Major
Description: Detects the creation of a superuser group.
Table 8-27 Description of the User's Global ID Changed to Superuser parameters used
Option Path: System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option: User's Global ID Changed to Superuser
Rule Name: User_ID_Changed_to_Superuser
Severity: Critical
Description: Detects when a user's ID is changed to be a member of a superuser global group.
Table 8-28 Description of the Group's Global ID Changed to Superuser parameters used
Option Path: System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option: Group's Global ID Changed to Superuser
Rule Name: Group_ID_Changed_to_Superuser
Severity: Critical
Description: Detects when a group's ID is changed to be a member of a superuser global group.
Table 8-29 Description of the User's Primary Group ID Changed to Superuser parameters used
Option Path: System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option: User's Primary Group ID Changed to Superuser
Rule Name: User_PrimaryID_Added_SuperuserID_Change
Severity: Critical
Description: Detects when a user's primary group ID is changed to be a member of a root group.
Table 8-30 Description of the Group Membership Changed User to Superuser parameters used
Option Path: System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option: Group Membership Changed User to Superuser
Rule Name: Root_Group_Added_SuperuserID_Change
Severity: Critical
Description: Detects when a user is added as a member of the root superuser group.
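As an added example (not the user_monitor.sh script or any Symantec code), the following Python compares two snapshots of /etc/passwd and /etc/group and names the rule from Tables 8-4 to 8-30 that each field-level change would trigger, including the root-level cases of Tables 8-25, 8-27 and 8-30; the snapshots are constructed, the file names are the conventional ones rather than anything this page specifies, and pairing a renamed user by UID is an assumption, since how the script correlates records is not described here.

```python
from typing import Dict, FrozenSet, List, Tuple

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# passwd field -> rule name from Tables 8-8 to 8-12
FIELD_RULES = {
    "uid": "User_ID_Changed",
    "gid": "User_Primary_Group_ID_Changed",
    "gecos": "User_Full_Name_Changed",
    "home": "User_Home_Directory_Changed",
    "shell": "User_Login_Shell_Changed",
}


def parse_passwd(text: str) -> Dict[str, Dict[str, str]]:
    """Map user name -> fields for each non-empty /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(PASSWD_FIELDS, line.split(":")))
            users[rec["name"]] = rec
    return users


def parse_group(text: str) -> Dict[str, Tuple[str, FrozenSet[str]]]:
    """Map group name -> (gid, members) for each non-empty /etc/group line."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[name] = (gid, frozenset(m for m in members.split(",") if m))
    return groups


def diff_users(before: str, after: str) -> List[Tuple[str, str]]:
    """Compare two passwd snapshots and name the rule each change would fire."""
    old, new = parse_passwd(before), parse_passwd(after)
    old_by_uid = {r["uid"]: r["name"] for r in old.values()}
    renamed, events = set(), []
    for name, rec in new.items():
        if name in old:
            for field, rule in FIELD_RULES.items():
                if old[name][field] != rec[field]:
                    events.append((rule, name))
            if old[name]["uid"] != "0" and rec["uid"] == "0":
                events.append(("User_ID_Changed_to_Superuser", name))  # Table 8-27
        elif rec["uid"] in old_by_uid and old_by_uid[rec["uid"]] not in new:
            # Assumption: a UID that survives under a new name is a rename.
            old_name = old_by_uid[rec["uid"]]
            renamed.add(old_name)
            events.append(("User_Name_Changed", f"{old_name} -> {name}"))
        else:
            events.append(("User_Created", name))
            if rec["uid"] == "0":
                events.append(("Superuser_Account_Created", name))  # Table 8-25
    events += [("User_Deleted", n) for n in old if n not in new and n not in renamed]
    return events


def diff_groups(before: str, after: str) -> List[Tuple[str, str]]:
    """Compare two group snapshots and name the rule each change would fire."""
    old, new = parse_group(before), parse_group(after)
    events = []
    for name, (gid, members) in new.items():
        if name not in old:
            events.append(("Group_Created", name))
            if gid == "0":
                events.append(("Superuser_Group_Created", name))  # Table 8-26
            continue
        old_gid, old_members = old[name]
        if gid != old_gid:
            events.append(("Group_ID_Changed", name))
        for user in sorted(members ^ old_members):
            events.append(("Group_Membership_Change", f"{name}:{user}"))
            if gid == "0" and user in members:  # Table 8-30
                events.append(("Root_Group_Added_SuperuserID_Change", user))
    events += [("Group_Deleted", n) for n in old if n not in new]
    return events


# Constructed before/after snapshots (not taken from a real host).
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Adams:/home/alice:/bin/bash
bob:x:1002:1002:Bob Brown:/home/bob:/bin/sh
"""
PASSWD_AFTER = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Adams:/home/alice:/bin/zsh
robert:x:1002:1002:Bob Brown:/home/bob:/bin/sh
toor:x:0:0:backup admin:/root:/bin/bash
"""
GROUP_BEFORE = "root:x:0:\nstaff:x:50:alice,bob\n"
GROUP_AFTER = "root:x:0:alice\nstaff:x:51:alice\n"

if __name__ == "__main__":
    for rule, who in diff_users(PASSWD_BEFORE, PASSWD_AFTER) + diff_groups(GROUP_BEFORE, GROUP_AFTER):
        print(f"{rule:40} {who}")
```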
System Login Activity and Access Monitor
System Login Success Monitor
This option group section of the policy monitors specific logon and access events, including those that use FTP, telnet, rlogin, SSH, the local console, and the su utility.
FTP logon Options
This option group section of the policy monitors logons that occur over FTP.
FTP server reports to syslog
Set this option if your FTP servers report to syslog. On HP-UX operating systems, the wtmp file is also used to identify successful logons.
Table 8-31 Description of the Root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to Syslog
Option: Root logon
Rule Name: Root_FTP_Logon_Success_syslog
Severity: Warning
Description: Detects users who use FTP to log on as root.
Table 8-32 Description of the Non-root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to Syslog
Option: Non-root logon
Rule Name: User_FTP_Logon_Success_syslog
Severity: Warning
Description: Detects non-root users who use FTP to log on.
Server reports to a log file
Set this option if your FTP servers report to a log file. You must specify the path to the FTP log file.
Table 8-33 Description of the Log Location parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to a log file
Option: Log Location
Path: /var/log/vsftpd.log
Description: Sets the path to the FTP log file.
Table 8-34 Description of the Root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to a log file
Option: Root logon
Rule Name: Root_FTP_Logon_Success_Text_Log
Severity: Notice
Description: Detects root logon events that occur over FTP.
Table 8-35 Description of the Non-root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to a log file
Option: Non-root logon
Rule Name: User_FTP_Logon_Success_Text_Log
Severity: Notice
Description: Detects non-root user logon events that occur over FTP.
Telnet and Rlogin logon Options
This option group section of the policy monitors logons that occur over Telnet and rlogin. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.
Table 8-36 Description of the Root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > Telnet and Rlogin logon Options
Option: Root logon
Rule Name: Root_Telnet_Rlogin_Logon_Success
Severity: Warning
Description: Detects root logon events that occur over Telnet and rlogin.
Table 8-37 Description of the Non-root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > Telnet and Rlogin logon Options
Option: Non-root logon
Rule Name: User_Telnet_Rlogin_Logon_Success
Severity: Warning
Description: Detects non-root users that log on over Telnet and rlogin.
SU Operation Options
This option group section of the policy monitors logons that involve the su utility. The events are identified using the UNIX syslog.
Table 8-38 Description of the Root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SU Operation Options
Option: SU to root
Rule Name: SU_ToRoot_Success
Severity: Warning
Description: Detects the successful logons as root, monitored in the UNIX syslog.
Table 8-39 Description of the Non-root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SU Operation Options
Option: SU to non-root
Rule Name: SU_ToUser_Success
Severity: Notice
Description: Detects the successful logons of non-root users.
SSH Remote logon Options
This option group section of the policy monitors logons that occur over SSH. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.
Table 8-40 Description of the Root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logon Options
Option: Root logon
Rule Name: Root_SSH_Logon_Success
Severity: Warning
Description: Detects logons as root that occur over SSH.
Table 8-41 Description of the Non-root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logon Options
Option: Non-root logon
Rule Name: User_SSH_Logon_Success
Severity: Notice
Description: Detects non-root user logons that occur over SSH.
Local Console logon Options
This option group section of the policy monitors successful logons from the local console. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.
Table 8-42 Description of the Root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > Local Console logon Options
Option: Root logon
Rule Name: Root_Local_Logon_Success
Severity: Warning
Description: Detects root user logon events that occur over the console.
Table 8-43 Description of the Non-root logon parameters used
Option Path: System Login Activity and Access Monitor > System Login Success Monitor > Local Console logon Options
Option: Non-root logon
Rule Name: User_Local_Logon_Success
Severity: Warning
Description: Detects non-root user logon events that occur over the console.
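The syslog-based tables above all share one shape: a successful-logon rule split into a root variant and a non-root variant. The added Python below (not the policy's own patterns) classifies constructed syslog lines into the rule names of Tables 8-36 to 8-43; the message formats are assumptions modelled on common OpenSSH, su and login output, the sample lines are constructed, and failed attempts deliberately fall through as None.

```python
import re
from typing import Dict, List, Optional, Tuple

# Message shapes modelled on common OpenSSH, su and login(1) syslog output.
# The real policy's patterns are not documented here; these are assumptions.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from ")
SU_RE = re.compile(r"\bsu\[\d+\]: \(to (\S+)\) \S+ on ")
LOGIN_RE = re.compile(
    r"login\[\d+\]: (?P<root>ROOT )?LOGIN ON \S+(?: BY (?P<user>\S+))?(?P<from> FROM \S+)?"
)


def _pick(account: str, root_rule: str, user_rule: str) -> Tuple[str, str]:
    """Route to the root or the non-root rule, as each paired table does."""
    return (root_rule if account == "root" else user_rule, account)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (rule name, account) for a successful logon line, else None."""
    m = SSH_RE.search(line)
    if m:
        return _pick(m.group(1), "Root_SSH_Logon_Success", "User_SSH_Logon_Success")
    m = SU_RE.search(line)
    if m:  # the target of su decides root vs non-root (Tables 8-38, 8-39)
        return _pick(m.group(1), "SU_ToRoot_Success", "SU_ToUser_Success")
    m = LOGIN_RE.search(line)
    if m:
        account = "root" if m.group("root") else m.group("user")
        if account is None:
            return None
        if m.group("from"):  # remote login(1) session, e.g. handed off by telnetd/rlogind
            return _pick(account, "Root_Telnet_Rlogin_Logon_Success",
                         "User_Telnet_Rlogin_Logon_Success")
        return _pick(account, "Root_Local_Logon_Success", "User_Local_Logon_Success")
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count rule hits over a batch of syslog lines; failures are not counted."""
    counts: Dict[str, int] = {}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts


# Constructed syslog lines (not captured from a real host).
SAMPLE_SYSLOG = [
    "Mar  3 10:01:02 host sshd[2200]: Accepted publickey for root from 10.0.0.9 port 55000 ssh2",
    "Mar  3 10:01:30 host sshd[2210]: Accepted password for alice from 10.0.0.12 port 55010 ssh2",
    "Mar  3 10:02:11 host sshd[2220]: Failed password for invalid user admin from 10.0.0.99 port 40000 ssh2",
    "Mar  3 10:03:00 host su[2300]: (to root) alice on pts/0",
    "Mar  3 10:03:40 host su[2310]: (to backup) root on pts/0",
    "Mar  3 10:04:00 host login[1200]: ROOT LOGIN ON tty1",
    "Mar  3 10:04:20 host login[1201]: LOGIN ON tty2 BY bob",
    "Mar  3 10:05:00 host login[1300]: LOGIN ON pts/2 BY carol FROM 10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        print(classify(line), "<-", line.split("host ", 1)[1])
    print(summarize(SAMPLE_SYSLOG))
```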
System Logoff Monitor
This option group section of the policy monitors successful root and user logoffs from the local console and from remote access.
SU Operation Options
su command events are monitored from the UNIX syslog.
Table 8-44 Description of the SU to root Logoff parameters used
Option Path: System Login Activity and Access Monitor > System Logoff Monitor > SU Operation Options
Option: SU to root Logoff
Rule Name: SU_ToRoot_Logoff
Severity: Warning
Description: Detects the successful logoff by user from SU to root.
Table 8-45 Description of the SU to non-root Logoff parameters used
Option Path: System Login Activity and Access Monitor > System Logoff Monitor > SU Operation Options
Option: SU to non-root Logoff
Rule Name: SU_ToUser_Logoff
Severity: Warning
Description: Detects the successful logoff by user from SU to a non-root user.
SSH Remote Logoff Options
This option group section of the policy monitors successful logoffs from remote consoles. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.
Table 8-46 Description of the Root logoff parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option | Root logoff
Rule Name | Root_SSH_Logoff
Severity | Warning
Description | Detects root user logoff events that occur over SSH from a remote console.
Table 8-47 Description of the Non-root logoff parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option | Non-root logoff
Rule Name | User_SSH_Logoff
Severity | Warning
Description | Detects non-root user logoff events that occur over SSH from a remote console.
Local Console Logoff Options

This option group section of the policy monitors successful logoffs from local consoles. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.
Table 8-48 Description of the Root Logoff parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option | Root Logoff
Rule Name | Root_Local_Logoff
Severity | Warning
Description | Detects root user logoff events that occur on the local console.
Table 8-49 Description of the Non-Root Logoff parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option | Non-Root_Logoff
Rule Name | User_Local_Logoff
Severity | Warning
Description | Detects non-root user logoff events that occur on the local console.
System Failed Login Monitor

This option group section of the policy monitors user and root failed logon attempts from the local console and by remote access. They report attempts to log on to services that include local console sessions, telnet, Xwin, rsh, rlogin, and FTP. They also report failed attempts to change identification by using the su utility.

FTP logon failure

Set this option to detect failed logons over FTP.

Repeated FTP logon failures

Set this option to detect users' repeated failures to log on. You can set the number of failures that have to occur and the time interval within which the failures have to occur.
Table 8-50 Description of the Number of logon failures in time interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > Repeated FTP logon failures
Option | Number of logon failures in time interval
Value | blank value (the user specifies this value)
Description | Detects repeated failed logon attempts. Set the number of times a user can fail to log on in a specific time interval before an event is generated.
Table 8-51 Description of the Time interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > Repeated FTP logon failures
Option | Time interval
Duration | In days, hours, minutes, and seconds.
Description | Sets a specific time interval during which the failed logon attempts have to take place to generate an event.
Table 8-52 Description of the FTP Repeated Failed Severity parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > Repeated FTP logon failures
Option | FTP Repeated Failed Severity
Severity | Major
Description | Sets the severity of failed logon attempts.
FTP server reports to Syslog or WTMP
Set this option to detect logon failures that are reported in the UNIX syslog or,on HP-UX operating systems, in the wtmp file.
Table 8-53 Description of the Root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP server reports to Syslog or WTMP
Option | Root logon failure
Rule Name | Root_FTP_Logon_Failure
Severity | Notice
Description | Detects failed attempts to log on over FTP as a root user that are reported in the syslog or wtmp file.
Table 8-54 Description of the Non-root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP server reports to Syslog or WTMP
Option | Non-root logon failure
Rule Name | User_FTP_Logon_Failure
Severity | Warning
Description | Detects failed attempts to log on as a non-root user over FTP that are reported in the syslog or wtmp file.
FTP server reports to a log file
Set this option if your FTP servers report to a log file. You must specify the path to the FTP log file.
Table 8-55 Description of the Path to FTP server log file parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > FTP server reports to a log file
Option | Path to FTP server log file
Path | /var/log/vsftpd.log
Description | Sets the path to the FTP server log file.
Table 8-56 Description of the Root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > FTP server reports to a log file
Option | Root logon failure
Rule Name | Root_FTP_Logon_Failure_Text_Log
Severity | Notice
Description | Detects failed attempts to log on over FTP as a root user.
Table 8-57 Description of the Non-root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > FTP server reports to a log file
Option | Non-root logon failure
Rule Name | User_FTP_Logon_Failure_Text_Log
Severity | Notice
Description | Detects failed attempts to log on over FTP as a regular user.
Telnet and Rlogin logon failure

This option group section of the policy monitors user and root failed logon attempts over Telnet and rlogin. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file is also used.
Repeated Telnet or Rlogin logon failures
Set this option to detect users' repeated failures to log on over Telnet and rlogin. You can set the number of failures that have to occur and the time interval within which the failures have to occur.
Table 8-58 Description of the Number of Logon Failures in Time Interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure > Repeated Telnet or Rlogin logon failures
Option | Number of Logon Failures in Time Interval
Value | blank value (the user specifies this value)
Description | Detects repeated failed logon attempts. Set the number of times a user can fail to log on in a specific time interval before an event is generated.
Table 8-59 Description of the Time interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Repeated Telnet or Rlogin logon failures
Option | Time Interval
Duration | In days, hours, minutes, and seconds.
Description | Sets a specific time interval during which the failed logon attempts take place.
Table 8-60 Description of the Telnet Repeated Failed Severity parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure > Repeated Telnet or Rlogin logon failures
Option | Telnet Repeated Failed Severity
Severity | Major
Description | Sets the severity of the Telnet or rlogin failed logon attempts.
Table 8-61 Description of the Root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure
Option | Root logon failure
Rule Name | Root_Telnet_Rlogin_Logon_Failure
Severity | Warning
Description | Detects failed attempts to log on over Telnet or rlogin as a root user.
Table 8-62 Description of the Non-root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure
Option | Non-root logon failure
Rule Name | User_Telnet_Rlogin_Logon_Failure
Severity | blank value (the user specifies this value)
Description | Detects failed attempts to log on over Telnet or rlogin as a regular user.
SU failure

Set this option to detect failures that involve the su utility. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file and btmps file are also used.
Repeated SU failures
Set this option to detect users' repeated failures to use the su utility. You can set the number of failures that have to occur and the time interval within which the failures have to occur.
Table 8-63 Description of the Number of Logon Failures in Time Interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SU failure > Repeated SU failures
Option | Number of Logon Failures in Time Interval
Value | blank value (the user specifies this value)
Description | Detects repeated failed logon attempts that use the SU command. You can set the number of times a user can fail to log on in a specific time interval before an event is generated.
Table 8-64 Description of the Time interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SU failure > Repeated SU failures
Option | Time Interval
Duration | In days, hours, minutes, and seconds.
Description | Sets a specific time interval during which the failed logon attempts take place.
Table 8-65 Description of the SU Repeated Failed Severity parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SU failure > Repeated SU failures
Option | SU Repeated Failed Severity
Severity | Major
Description | Sets the severity of the SU failed logon attempts.
Table 8-66 Description of the SU to root failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SU failure
Option | SU to root failure
Rule Name | SU_ToRoot_Failure
Severity | Warning
Description | Detects repeated failed attempts to log on as a root user.
Table 8-67 Description of the SU to non-root failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SU failure
Option | SU to non-root failure
Rule Name | SU_ToUser_Failure
Severity | Notice
Description | Detects repeated failed attempts to log on as a regular user.
SSH logon failure

Set this option to detect failures to log on over SSH. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file is also used.
Repeated SSH logon failures
Set this option to detect users' repeated failures to log on over SSH. You can set the number of failures that have to occur and the time interval within which the failures have to occur.
Table 8-68 Description of the Number of Logon Failures in Time Interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure > Repeated SSH logon failures
Option | Number of Logon Failures in Time Interval
Value | blank value (the user specifies this value)
Description | Detects repeated failed logon attempts that are tracked using syslog or the btmp file (HP-UX). Set the number of times a user can fail to log on in a specific time interval before an event is generated.
Table 8-69 Description of the Time interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure > Repeated SSH logon failures
Option | Time Interval
Duration | In days, hours, minutes, and seconds.
Description | Sets a specific time interval during which the failed logon attempts take place.
Table 8-70 Description of the SSH Repeated Failed Severity parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure > Repeated SSH logon failures
Option | SSH Repeated Failed Severity
Severity | Major
Description | Sets the severity of the SSH failed logon attempts.
Table 8-71 Description of the Root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure
Option | Root logon failure
Rule Name | Root_SSH_Logon_Failure
Severity | Warning
Description | Detects repeated failed attempts to log on as a root user.
Table 8-72 Description of the Non-Root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure
Option | Non-Root logon failure
Rule Name | User_SSH_Logon_Failure
Severity | Notice
Description | Detects repeated failed attempts to log on as a regular user.
Local logon failure

This option group section of the policy monitors user and root failed logon attempts from the local console. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file is also used.
Repeated local logon failures
Set this option to detect users' repeated failures to log on from the local console. You can set the number of failures that have to occur and the time interval within which the failures have to occur.
Table 8-73 Description of the Number of Logon Failures in Time Interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure > Repeated local logon failures
Option | Number of Logon Failures in Time Interval
Value | blank value (the user specifies this value)
Description | Detects repeated local failed logon attempts that are tracked using syslog or the btmp file (HP-UX). Set the number of times a user can fail to log on in a specific time interval before an event is generated.
Table 8-74 Description of the Time interval parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure > Repeated local logon failures
Option | Time Interval
Duration | In days, hours, minutes, and seconds.
Description | Sets a specific time interval during which the failed logon attempts take place.
Table 8-75 Description of the Local Repeated Failed Severity parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure > Repeated local logon failures
Option | Local Repeated Failed Severity
Severity | Major
Description | Sets the severity of the failed logon attempts from the local console.
Table 8-76 Description of the Root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure
Option | Root logon failure
Rule Name | Root_Local_Login_Failure
Severity | Warning
Description | Detects repeated failed attempts to log on as a root user.
Table 8-77 Description of the Non-root logon failure parameters used
Parameter | Description
Option Path | System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure
Option | Non-root logon failure
Rule Name | User_Local_Login_Failure
Severity | Notice
Description | Detects repeated failed attempts to log on as a regular user.
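The repeated-failure options in this section (FTP, Telnet and rlogin, SU, SSH, and local logon) share one mechanism: a per-account count of failures inside a sliding time interval, raised at the configured severity once the count reaches the configured number. The following Python is an added example, not code from the guide or the product; it runs that logic over constructed syslog lines for the SSH, su, and local login cases. The single-failure rule names and severities are those of the tables above, while the repeated-failure rule names, the sample lines, and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the guide); BSD syslog carries no year.
SAMPLE_SYSLOG = """\
Mar 10 08:00:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar 10 08:00:03 host sshd[1202]: Failed password for root from 192.0.2.10 port 51023 ssh2
Mar 10 08:00:04 host sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51024 ssh2
Mar 10 08:00:06 host sshd[1204]: Failed password for root from 192.0.2.10 port 51025 ssh2
Mar 10 08:05:00 host su[1300]: FAILED SU (to root) alice on pts/1
Mar 10 08:05:02 host su[1301]: FAILED SU (to root) alice on pts/1
Mar 10 08:30:00 host login[1400]: FAILED LOGIN 1 FROM tty1 FOR bob, Authentication failure
Mar 10 08:45:00 host sshd[1205]: Failed password for root from 192.0.2.10 port 51030 ssh2
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (.*)$")

# One pattern per service; the capture group is the account the failure was for
# (for su, the account being switched to, which is what the SU to root / non-root rules distinguish).
SERVICE_PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from"),
    "su": re.compile(r"su\[\d+\]: FAILED SU \(to (\S+)\)"),
    "local": re.compile(r"login\[\d+\]: FAILED LOGIN .* FOR (\S+),"),
}

# Per-failure rule names and severities as listed in the guide's tables (root vs non-root).
SINGLE_RULES = {
    "ssh": {"root": ("Root_SSH_Logon_Failure", "Warning"), "user": ("User_SSH_Logon_Failure", "Notice")},
    "su": {"root": ("SU_ToRoot_Failure", "Warning"), "user": ("SU_ToUser_Failure", "Notice")},
    "local": {"root": ("Root_Local_Login_Failure", "Warning"), "user": ("User_Local_Login_Failure", "Notice")},
}
# The guide only names the option ("SSH Repeated Failed Severity" etc., default Major);
# these rule names are hypothetical labels for the repeated-failure events.
REPEATED_RULES = {"ssh": "SSH_Repeated_Failed", "su": "SU_Repeated_Failed", "local": "Local_Repeated_Failed"}


def parse_failures(text):
    """Yield (timestamp, service, account) for every recognised failed-logon line."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        # A fixed year keeps the year-less syslog timestamps comparable with each other.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2000)
        for service, pat in SERVICE_PATTERNS.items():
            hit = pat.search(m.group(2))
            if hit:
                yield ts, service, hit.group(1)
                break


def detect(text, threshold, interval_seconds):
    """Return (rule, severity, service, account, hh:mm:ss) tuples for single and repeated failures.

    threshold and interval_seconds play the role of "Number of Logon Failures in Time
    Interval" and "Time Interval"; both are user-specified values in the policy.
    """
    alerts = []
    windows = defaultdict(deque)  # (service, account) -> failure times inside the interval
    span = timedelta(seconds=interval_seconds)
    for ts, service, account in parse_failures(text):
        kind = "root" if account == "root" else "user"
        rule, severity = SINGLE_RULES[service][kind]
        alerts.append((rule, severity, service, account, ts.strftime("%H:%M:%S")))
        window = windows[(service, account)]
        window.append(ts)
        while window and ts - window[0] > span:
            window.popleft()  # drop failures that fell out of the time interval
        if len(window) >= threshold:
            alerts.append((REPEATED_RULES[service], "Major", service, account, ts.strftime("%H:%M:%S")))
            window.clear()  # start a fresh window so one burst raises one repeated-failure event
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSLOG, threshold=3, interval_seconds=60):
        print(alert)
```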
System Privileged Command and Bash History Monitor

This option group section of the policy monitors for specific privileged command and bash events.
Sudo Monitoring Options
Global Sudo Monitoring Settings
Table 8-78 Description of the Authorized Sudo Users, Strings, or Commands (whitelisted) parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Sudo Monitoring Options > Global Sudo Monitoring Settings
Option | Authorized Sudo Users, Strings, or Commands (whitelisted)
Value | blank value (the user specifies this value)
Description | Use to set up a user-defined list of users, strings, and commands that are monitored for use with the sudo command.
Table 8-79 Description of the Banned Sudo Commands (blacklisted) parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Sudo Monitoring Options > Global Sudo Monitoring Settings
Option | Banned Sudo Commands (blacklisted)
Value | *rm -rf /*
Description | Use to set up a user-defined list of commands that are monitored when used with the sudo command.
Sudo Command Monitor
Table 8-80 Description of the Sudo Command Monitor parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option | Sudo Command Monitor
Rule Name | Baseline_Sudo_Command_Watch
Severity | Notice
Description | Detects use of the sudo command.
Sudo Command Failure Monitor
Table 8-81 Description of the Sudo Command Failure Monitor parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option | Sudo Command Failure Monitor
Rule Name | Baseline_Sudo_Command_Failure
Description | Detects the failures of sudo command use.
Sudo Authorization Failure Monitor
Table 8-82 Description of the Sudo Authorization Failure Monitor parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option | Sudo Authorization Failure Monitor
Rule Name | Baseline_Sudo_Authentication_Failure
Severity | Warning
Description | Detects failures in the authorization of the sudo command.
Additional Sudo Monitoring Options
Table 8-83 Description of the Additional Sudo Monitoring Options parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option | Additional Sudo Monitoring Options
Rule Name | System_PrivCmd_BashHist_Sudo_AddContent
Severity | Info
Description | Detects use of the sudo command.
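The Sudo Monitoring Options above amount to parsing sudo's syslog records and sorting them into plain use, refused commands, and authentication failures, with the whitelist and blacklist of the Global Sudo Monitoring Settings applied on top. The Python below is an added example, not code from the guide or the product, that does this over constructed log lines. The default `*rm -rf /*` blacklist entry is the guide's; the sample lines, the AUTHORIZED entry, the Notice severity for the command-failure rule (the guide lists none), and the rule name and severity used for a blacklist hit are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sudo syslog lines (not taken from the guide).
SAMPLE_SUDO_LOG = """\
Mar 10 09:00:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 10 09:01:00 host sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 09:02:00 host sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
Mar 10 09:03:00 host sudo:    alice : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/rm -rf /
Mar 10 09:04:00 host sudo:   backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /mnt/backup
"""

# sudo's syslog record: "<invoker> : [<reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Policy values: BANNED holds the guide's default blacklist entry; AUTHORIZED is a
# constructed whitelist (the guide leaves that list blank for the user to fill in).
AUTHORIZED = ["backup"]
BANNED = ["*rm -rf /*"]


def parse_sudo_line(line):
    """Return the fields of one sudo syslog record, or None if the line is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def classify(text, authorized=AUTHORIZED, banned=BANNED):
    """Map sudo log lines to (rule, severity, invoker, command) events.

    The first two rule names and the Warning severity follow the guide's tables; the Notice
    severity for Baseline_Sudo_Command_Failure and the Banned_Sudo_Command rule with
    severity Major are assumptions, since the guide states neither.
    """
    events = []
    for line in text.splitlines():
        f = parse_sudo_line(line)
        if f is None:
            continue
        reason = f["reason"] or ""
        if "incorrect password" in reason:
            events.append(("Baseline_Sudo_Authentication_Failure", "Warning", f["invoker"], f["cmd"]))
        elif reason:  # e.g. "command not allowed": sudo refused to run the command
            events.append(("Baseline_Sudo_Command_Failure", "Notice", f["invoker"], f["cmd"]))
        elif any(fnmatchcase(f["cmd"], pat) for pat in banned):
            # Checked before the whitelist so an authorized account running a banned command is still reported.
            events.append(("Banned_Sudo_Command", "Major", f["invoker"], f["cmd"]))
        elif any(fnmatchcase(value, pat) for value in (f["invoker"], f["target"], f["cmd"]) for pat in authorized):
            continue  # whitelisted user, string, or command: expected use, no event
        else:
            events.append(("Baseline_Sudo_Command_Watch", "Notice", f["invoker"], f["cmd"]))
    return events


if __name__ == "__main__":
    for event in classify(SAMPLE_SUDO_LOG):
        print(event)
```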
User Command History Options
Table 8-84 Description of the User 1 Command History Monitor parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > User Command History Options
Option | User 1 Command History Monitor
Rule Name | Baseline_User_Command_Watch
Severity | Notice
User's Bash History Log File Path | /home/user1/.bash_history
Description | Monitors the commands used by a specific user.
Table 8-85 Description of the User 2 Command History Monitor parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > User Command History Options
Option | User 2 Command History Monitor
Rule Name | Baseline_User2_Command_Watch
Severity | Notice
User's Bash History Log File Path | /home/user2/.bash_history
Description | Monitors the commands used by a second specific user.
Superuser (Root Level) Command History Options
Table 8-86 Description of the Root Command History Monitor parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Superuser (Root Level) Command History Options
Option | Root Command History Monitor
Rule Name | Baseline_Root_Command_Watch
Severity | Notice
Root's Bash History Log File Path | /root/.bash_history
Description | Monitors the commands used by users who are logged in as root.
Table 8-87 Description of the Superuser Command History Monitor parameters used
Parameter | Description
Option Path | System Privileged Command and Bash History Monitor > Superuser (Root Level) Command History Options
Option | Superuser Command History Monitor
Rule Name | Baseline_Superuser_Command_Watch
Severity | Notice
Superuser's Bash History Log File Path | /home/superuser/.bash_history
Description | Monitors the commands used by users who are logged in as superuser.
System Hardening Monitor

This option group section detects changes to the user-configurable files that are considered sensitive in maintaining the security posture of the operating system. It detects modifications of the system configuration that change whether it automatically runs code during system startup. This behavior is normal if an administrator needs to change autorun behavior. If unexpected, it can indicate that the system is being prepared to operate outside established security policy, or that it is about to be compromised.

Various areas are monitored to generate events for the administrator if either of the following entities changed any of the selected values:
■ Malware
■ A malicious individual attempting to lower the security posture of the host system
Table 8-88 Description of the Daemon Run Level RC.D Monitor parameters used
Parameter | Description
Option Path | System Hardening Monitor > System Auto Start Change Options
Option | Daemon Run Level RC.D Monitor
Rule Name | AutoStart_RC.D_Monitor
Severity | Warning
File Paths | /etc/rc.*, /etc/rc.d/*, /etc/init.d/*
Additional Settings | You can also monitor the following events: Monitor Value Addition to Run Level Files; Monitor Value Removal to Run Level Files; Monitor File Modification; Monitor File Creation; Monitor File Removal
Description | Detects changes to the daemon rc files on the computer.
Table 8-89 Description of the System Run Level INITTAB Monitor parameters used
Parameter | Description
Option Path | System Hardening Monitor > System Auto Start Change Options
Option | System Run Level INITTAB Monitor
Rule Name | AutoStart_Inittab_Monitor
Severity | Warning
File Paths | /etc/inittab
Additional Settings | You can also monitor the following events: Monitor Value Additions to the Inittab File; Monitor Value Removal to the Inittab File; Monitor File Modification; Monitor File Creation; Monitor File Removal
Description | Detects changes to the inittab file on the computer.
System File and Directory Monitor

This option group section of the policy monitors for file and directory changes. It also includes a completely rewritten file monitoring area that was renamed System FileWatch Monitor. This new area provides enhanced configuration options to enable more precise monitoring of file and directory additions, deletions, modifications, and access attempts.

System FileWatch Monitor

This option group section of the policy monitors additions, deletions, modifications, and access attempts to the system critical files that are listed as monitored files. If you use a default security posture, then Symantec Critical System Protection automatically sets up the filewatch monitor for you. If you use your own security posture, you must select the files that you want to monitor so that the filewatch monitor functions correctly.

A wide range of options that enable very specific tuning of how the file or directory is monitored are available for each rule. A global settings area sets the following parameters for all rules in the filewatch monitor area:
■ Polling Interval: The interval in which the filewatch engine polls or checks the files that are configured for change monitoring. This option is available to enable tuning of how frequently files are polled for changes. You may want to adjust the default polling rate if your environment has a large number of files to be monitored. This adjustment helps to ensure that resources are not overly used for the filewatch engine. A drop-down selection criteria area is provided to easily switch polling interval frequency.
■ Search Depth: The search depth is a configurable parameter. It specifies the recursion level, or number of directories and subdirectories that are monitored when you apply a wildcard path. For more information on recursion level and search depth, see the path to the existing definition.
Monitor System-Critical Files
Table 8-90 Description of the Core System Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Core System Files
Rule Name | FileWatch_Sys_Core_Files
Severity | Warning
Monitor Paths | /bin/*, /lib/*, /sbin/*, /stand/vmunix, /unix, /usr/bin/*, /usr/lib/*, /usr/sbin/*, /usr/spool/cron/*, /var/adm/cron/*, /var/lib/*, /var/spool/cron/*
Ignore Strings | /usr/lib/cron/log, /usr/lib/objrepos, /usr/spool/cron/tmp, /var/adm/cron/FIFO, /var/adm/cron/log, /var/lib/objrepos, /var/log, /var/spool/cron/tmp
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the core system files that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list. Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
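How the Search Depth, Ignore Strings, Monitor Ops and Report File Differences settings of a rule such as Table 8-90 fit together in a polling file monitor, and how the value addition/removal events that the System Hardening Monitor describes for rc files fall out of the same comparison, is shown by the following Python. It is an added example, not the product's own engine: two polls over a constructed scratch directory standing in for /etc, compared by SHA-256, with added and removed lines reported for modified files. The paths, file contents and search depth are constructed; the Accessed operation is not implemented.

```python
import difflib
import fnmatch
import hashlib
import os
import tempfile

WILDCARDS = "*?["


def expand_paths(patterns, search_depth):
    """Resolve Monitor Paths to files; wildcards recurse at most search_depth directory levels."""
    files = set()
    for pattern in patterns:
        if not any(c in pattern for c in WILDCARDS):
            if os.path.isfile(pattern):
                files.add(pattern)
            continue
        # The fixed prefix before the first wildcard component is the directory to walk.
        fixed = []
        for part in pattern.split(os.sep):
            if any(c in part for c in WILDCARDS):
                break
            fixed.append(part)
        base = os.sep.join(fixed) or os.sep
        base_depth = base.rstrip(os.sep).count(os.sep)
        for root, dirs, names in os.walk(base):
            if root.rstrip(os.sep).count(os.sep) - base_depth >= search_depth:
                dirs[:] = []  # do not descend below the configured search depth
            for name in names:
                full = os.path.join(root, name)
                if fnmatch.fnmatchcase(full, pattern):
                    files.add(full)
    return files


def ignored(path, ignore_strings):
    """Ignore Strings: entries with wildcards match as patterns, plain entries as substrings."""
    for entry in ignore_strings:
        if any(c in entry for c in WILDCARDS):
            if fnmatch.fnmatchcase(path, entry):
                return True
        elif entry in path:
            return True
    return False


def snapshot(patterns, ignore_strings, search_depth, report_differences=False):
    """One polling pass: path -> (sha256, lines); lines are kept only for Report File Differences."""
    state = {}
    for path in expand_paths(patterns, search_depth):
        if ignored(path, ignore_strings):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        lines = data.decode("utf-8", "replace").splitlines() if report_differences else None
        state[path] = (hashlib.sha256(data).hexdigest(), lines)
    return state


def compare(before, after, ops=("Deleted", "Created", "Modified")):
    """Diff two polls into (op, path, changed_lines) events, honouring the enabled Monitor Ops."""
    events = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            if "Deleted" in ops:
                events.append(("Deleted", path, None))
        elif path not in before:
            if "Created" in ops:
                events.append(("Created", path, None))
        elif before[path][0] != after[path][0] and "Modified" in ops:
            changed = None
            if before[path][1] is not None and after[path][1] is not None:
                # Added and removed lines only: value addition/removal on an rc file looks like this.
                changed = [l for l in difflib.unified_diff(before[path][1], after[path][1], lineterm="", n=0)
                           if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]
            events.append(("Modified", path, changed))
    return events


def demo():
    """Constructed scenario: a scratch tree standing in for /etc, polled before and after changes."""
    etc = os.path.join(tempfile.mkdtemp(), "etc")
    os.makedirs(os.path.join(etc, "rc.d"))

    def write(rel, text):
        with open(os.path.join(etc, rel), "w") as fh:
            fh.write(text)

    write("rc.d/rc.local", "#!/bin/sh\nexit 0\n")
    write("sshd.conf", "PermitRootLogin no\n")
    write("boot.log", "ok\n")
    patterns = [os.path.join(etc, "rc.d", "*"), os.path.join(etc, "*.conf"), os.path.join(etc, "*.log")]
    ignore = ["*.log*"]  # the guide's Ignore Strings entry for the Setup Programs and Packages rule
    before = snapshot(patterns, ignore, search_depth=1, report_differences=True)
    # Between polls: a startup script gains a line, a config file disappears, a new one appears, and an ignored log changes.
    write("rc.d/rc.local", "#!/bin/sh\n/usr/local/bin/newservice start\nexit 0\n")
    os.remove(os.path.join(etc, "sshd.conf"))
    write("new.conf", "option=1\n")
    write("boot.log", "ok\nmore\n")
    after = snapshot(patterns, ignore, search_depth=1, report_differences=True)
    return compare(before, after)
```

Running `demo()` yields one Created, one Modified (with the added rc.local line) and one Deleted event; the changed log file produces nothing because the ignore string excludes it.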
Table 8-91 Description of the Core System Configuration Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Core System Configuration Files
Rule Name | FileWatch_Sys_Core_Configuration_Files
Severity | Warning
Monitor Paths | /etc/*.conf, /etc/*.config, /etc/*_conf, /etc/*_config, /etc/sudoers
Ignore Strings | /etc/*.log, /etc/*.pid, /etc/btmp, /etc/btmps, /etc/cron.d/FIFO, /etc/security/*log, /etc/sisips, /etc/sisips/*, /etc/sulogin, /etc/symantec/*, /etc/utmp, /etc/utmppipe, /etc/utmps, /etc/utmpx, /etc/wtmps, /etc/wtmpx
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the core system configuration files that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list. Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-92 Description of the Setup Programs and Packages parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Setup Programs and Packages
Rule Name | FileWatch_Sys_Setup_Files
Severity | Warning
Monitor Paths | /usr/sbin/pkg*, /var/lib/rpm/*, /var/sadm/install/admin/*
Ignore Strings | *.log*
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the setup programs and packages that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list. Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-93 Description of the Common Daemon Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Common Daemon Files
Rule Name | FileWatch_Sys_Common_Program_Files
Severity | Warning
Monitor Paths | /etc/cron.d/logchecker, /etc/fs/*/mount, /lib/svc/nfs/lockd, /lib/svc/nfs/statd, /opt/sbin/in.named, /opt/sbin/lwresd, /opt/sbin/name, /sbin/auditd, /sbin/klogd, /sbin/syslogd, /usr/lib/cups/daemon/cups-lpd, /usr/lib/fs/*/moun, /usr/lib/sendmail, /usr/lib/ssh/sshd, /usr/lib/zones/zoneadmd, /usr/local/sbin/in.named, /usr/local/sbin/in.tnamed, /usr/local/sbin/lwresd, /usr/local/sbin/named, /usr/local/sbin/sshd, /usr/sbin/atd, /usr/sbin/automount, /usr/sbin/cron, /usr/sbin/crond, /usr/sbin/cupsd, /usr/sbin/in.named, /usr/sbin/in.tnamed, /usr/sbin/inetd, /usr/sbin/lwresd, /usr/sbin/named, /usr/sbin/nmbd, /usr/sbin/rpc.mountd, /usr/sbin/smbd, /usr/sbin/sshd, /usr/sbin/syslogd, /usr/sbin/xinetd, /usr/sfw/sbin/nmbd, /usr/sfw/sbin/smbd
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the common daemon files that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list. Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-94 Description of the Monitor Script Files and Cron Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Monitor Script Files and Cron Files
Rule Name | FileWatch_Sys_Script_Files
Severity | Warning
Monitor Paths | blank value (the user specifies this value)
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the user-defined script files and cron files that are used on the computer. If you check this option, you must specify at least one path in the subsequent list. Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-95 Description of the Solaris Specific Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Solaris Specific Files
Rule Name | FileWatch_Sys_Other_Files_Solaris
Severity | Warning
Monitor Paths | blank value (the user specifies this value)
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the critical user-defined files that are specific to the Solaris operating system. If you check this option, you must specify at least one path in the subsequent list.
            | Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-96 Description of the AIX Specific Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | AIX Specific Files
Rule Name | FileWatch_Sys_Other_Files_AIX
Severity | Warning
Monitor Paths | blank value (the user specifies this value)
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the critical user-defined files that are specific to the AIX operating system. If you check this option, you must specify at least one path in the subsequent list.
            | Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-97 Description of the Linux Specific Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Linux Specific Files
Rule Name | FileWatch_Sys_Other_Files_Linux
Severity | Warning
Monitor Paths | blank value (the user specifies this value)
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the critical user-defined files that are specific to Linux operating systems. If you check this option, you must specify at least one path in the subsequent list.
            | Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-98 Description of the HPUX Specific Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | HPUX Specific Files
Rule Name | FileWatch_Sys_Other_Files_HPUX
Severity | Warning
Monitor Paths | blank value (the user specifies this value)
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the critical user-defined files that are specific to the HP-UX operating system. If you check this option, you must specify at least one path in the subsequent list.
            | Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
Table 8-99 Description of the Tru64 Specific Files parameters used
Parameter | Description
Option Path | System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option | Tru64 Specific Files
Rule Name | FileWatch_Sys_Other_Files_Tru64
Severity | Warning
Monitor Paths | blank value (the user specifies this value)
Monitor Ops | Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences | Available, Not Enabled
Date and Time Restriction | Available, Not Enabled
Description | Lets you monitor the critical user-defined files that are specific to the Tru64 operating system. If you check this option, you must specify at least one path in the subsequent list.
            | Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.
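As an added illustration of how the Monitor Paths, Monitor Ops and Report File Differences parameters in Tables 8-93 to 8-99 combine, here is a small polling file watch in Python. It is example code, not Symantec's implementation: paths may carry shell wildcards as the policy's own lists do (for example /etc/fs/*/mount), the watched directory, file names and contents are constructed for the demonstration, and the Accessed operation is left out because a content poll cannot observe reads.

```python
"""Added example, not Symantec's code: a polling file watch that applies the
Monitor Paths, Monitor Ops and Report File Differences parameters.  The
sample directory, file names and contents are constructed."""

import difflib
import glob
import os
import tempfile

DEFAULT_OPS = {"Deleted", "Created", "Modified"}   # Accessed is not enabled by default


def snapshot(patterns):
    """Expand each configured path (wildcards allowed, as in /etc/fs/*/mount)
    and read the current content of every regular file it matches.
    A pattern that matches nothing yields no entry, so a later match shows
    up as Created."""
    snap = {}
    for pattern in patterns:
        for path in glob.glob(pattern):
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    snap[path] = f.read()
    return snap


def compare(old, new, monitor_ops=DEFAULT_OPS, report_differences=False):
    """One event per changed path, limited to the operations in Monitor Ops.
    With Report File Differences on, Modified events carry a unified diff of
    the old and new content; that diff is the extra work the Note above
    cautions about on large file sets."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            op = "Created"
        elif path not in new:
            op = "Deleted"
        elif old[path] != new[path]:
            op = "Modified"
        else:
            continue
        if op not in monitor_ops:
            continue
        event = {"op": op, "path": path}
        if op == "Modified" and report_differences:
            before = old[path].decode("utf-8", "replace").splitlines()
            after = new[path].decode("utf-8", "replace").splitlines()
            event["diff"] = "\n".join(
                difflib.unified_diff(before, after, "before", "after", lineterm=""))
        events.append(event)
    return events


def demo():
    """Constructed scenario: a watched script directory between two polls."""
    with tempfile.TemporaryDirectory() as root:
        cron_dir = os.path.join(root, "cron.d")
        os.makedirs(cron_dir)
        keep = os.path.join(cron_dir, "logchecker")
        gone = os.path.join(cron_dir, "oldjob")
        for p in (keep, gone):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n/usr/bin/true\n")
        patterns = [os.path.join(glob.escape(cron_dir), "*")]   # wildcard path
        baseline = snapshot(patterns)

        # Changes between the two polls: one edit, one removal, one new file.
        with open(keep, "a") as f:
            f.write("/usr/bin/logger modified\n")
        os.remove(gone)
        with open(os.path.join(cron_dir, "newjob"), "w") as f:
            f.write("#!/bin/sh\n")

        return compare(baseline, snapshot(patterns), report_differences=True)
```

Calling demo() returns three events in path order: the edited logchecker as Modified with its diff attached, newjob as Created and oldjob as Deleted; passing a narrower monitor_ops set to compare() drops the operations you have not enabled.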
System Symantec Software Monitor
This option group area of the policy contains monitoring functions for Symantec software. Currently the monitored ancillary application is Symantec AntiVirus for Linux. The policy automatically detects if the host machine has Symantec AntiVirus for Linux installed.
Table 8-100 Description of the Virus Detected parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Virus Detected
Rule Name | Virus_Detected
Severity | Critical
Description | Detects the discovery of a virus or Trojan horse by Symantec AntiVirus for Linux. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. Immediate action is usually warranted.
Table 8-101 Description of the Service Stopped parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Service Stopped
Rule Name | Service_Stopped
Severity | Warning
Description | Detects the stopping of the Symantec AntiVirus for Linux service. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has stopped, it reports this status.
Table 8-102 Description of the Service Started parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Service Started
Rule Name | Service_Started
Severity | Notice
Description | Detects the starting of the Symantec AntiVirus for Linux service. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has started, it reports this status.
Table 8-103 Description of the Scan Started parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Scan Started
Rule Name | Scan_Started
Severity | Notice
Description | Detects the starting of a manual scan of a host with Symantec AntiVirus for Linux. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that it has initiated a manual scan of the host, it reports this status.
Table 8-104 Description of the Scan Canceled parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Scan Canceled
Rule Name | Scan_Canceled
Severity | Warning
Description | Detects the canceling of a manual scan of a host with Symantec AntiVirus for Linux. Symantec AntiVirus issues the status messages for various application conditions. When Symantec AntiVirus determines that it has been commanded to cancel a manual scan, it reports this status.
Table 8-105 Description of the Scan Complete parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Scan Complete
Rule Name | Scan_Complete
Severity | Notice
Description | Detects the completion of a manual scan of a host with Symantec AntiVirus for Linux. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that it has successfully completed a manual scan, it reports this status.
Table 8-106 Description of the New Virus Definition Loaded parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | New Virus Definition Loaded
Rule Name | New_Virus_Defintion_Loaded
Severity | Notice
Description | Detects the updating of Symantec AntiVirus for Linux with the latest virus definitions. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that it has loaded a new virus definition file, it reports this status.
Table 8-107 Description of the Virus Definitions are Current parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Virus Definitions are Current
Rule Name | Virus_Definitions_are_Current
Severity | Notice
Description | Detects that the installed virus definitions are current. Symantec AntiVirus for Linux issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the definitions are current, it reports this status.
Table 8-108 Description of the Realtime Protection Loaded parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Realtime Protection Loaded
Rule Name | Realtime_Protection_Loaded
Severity | Notice
Description | Detects the disabling of the Symantec AntiVirus for Linux real-time system protection option. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been disabled, it reports this status.
Table 8-109 Description of the Realtime Protection Disabled parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Realtime Protection Disabled
Rule Name | Realtime_Protection_Disabled
Severity | Critical
Description | Detects the disabling of the Symantec AntiVirus for Linux real-time system protection option. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been disabled, it reports this status.
Table 8-110 Description of the Virus Detected - Cleaned Failed parameters used
Parameter | Description
Option Path | System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option | Virus Detected - Cleaned Failed
Rule Name | Virus_Detected_Cleaned_Failed
Severity | Critical
Description | Detects the discovery of a virus or Trojan horse by Symantec AntiVirus for Linux. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. This event indicates that the Symantec AntiVirus client was unable to clean, remove, or quarantine the identified malware and the risk is still present on the system. Immediate investigation is required.
System External Device Activity Monitor
This option group subsection monitors for specific external device activity such as the various activities that are associated with USB devices. This activity should be monitored on an enterprise network, as such devices may pose the threat of data loss.
Table 8-111 Description of the USB Device Connected parameters used
Parameter | Description
Option Path | System External Device Activity Monitor > USB Device Activity
Option | USB Device Connected
Rule Name | USB_Device_Connected
Severity | Warning
Description | Detects a USB device connection event from the UNIX syslog.
Table 8-112 Description of the USB Device Disconnected parameters used
Parameter | Description
Option Path | System External Device Activity Monitor > USB Device Activity
Option | USB Device Disconnected
Rule Name | USB_Device_Disconnected
Severity | Warning
Description | Detects a USB device disconnection event from the UNIX syslog.
Table 8-113 Description of the USB Device Additional Activity parameters used
Parameter | Description
Option Path | System External Device Activity Monitor > USB Device Activity
Option | USB Device Additional Activity
Rule Name | USB_Device_Additional
Severity | Warning
Description | Detects user-defined USB device-related activities from the UNIX syslog.
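The three USB Device Activity rules, as an added example that is not Symantec's code, run over constructed Linux kernel syslog lines: two built-in patterns for connect and disconnect, plus caller-supplied patterns for the user-defined Additional Activity rule. The syslog layout, the kernel message patterns and the sample lines are this example's assumptions.

```python
"""Added example, not Symantec's code: USB connect / disconnect / additional
activity rules over constructed UNIX syslog lines."""

import re

# Classic BSD syslog layout: "Mon DD HH:MM:SS host proc: message" (assumed).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# Built-in rules: name, severity, pattern applied to the message part.
BUILTIN_RULES = [
    ("USB_Device_Connected", "Warning",
     re.compile(r"\busb \S+: new .*device number \d+")),
    ("USB_Device_Disconnected", "Warning",
     re.compile(r"\busb \S+: USB disconnect, device number \d+")),
]


def classify(lines, additional_patterns=()):
    """Return one event per matching line.  additional_patterns are the
    user-defined expressions of the USB Device Additional Activity rule;
    the first rule that matches a line wins."""
    rules = BUILTIN_RULES + [
        ("USB_Device_Additional", "Warning", re.compile(p)) for p in additional_patterns]
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue                      # not a syslog line: ignore
        msg = m.group("msg")
        for name, severity, pattern in rules:
            if pattern.search(msg):
                events.append({"rule": name, "severity": severity,
                               "host": m.group("host"), "time": m.group("ts"),
                               "message": msg})
                break
    return events


# Constructed sample: a mass-storage device plugged in and removed again,
# plus an unrelated sshd line that must not match.
SAMPLE_SYSLOG = [
    "Oct 10 13:55:36 host1 kernel: [ 1234.567890] usb 1-1: new high-speed USB device number 4 using ehci_hcd",
    "Oct 10 13:55:36 host1 kernel: [ 1234.570000] usb-storage 1-1:1.0: USB Mass Storage device detected",
    "Oct 10 13:55:37 host1 kernel: [ 1235.000000] sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Oct 10 13:58:01 host1 kernel: [ 1379.100000] usb 1-1: USB disconnect, device number 4",
    "Oct 10 13:58:05 host1 sshd[2201]: Accepted publickey for alice from 203.0.113.5 port 50222 ssh2",
]

# Patterns an administrator might add for the Additional Activity rule,
# here to catch the storage-class and block-device lines the two built-in
# rules do not cover.
EXTRA_PATTERNS = (r"USB Mass Storage device detected", r"Attached SCSI removable disk")
```

With only the built-in rules, classify(SAMPLE_SYSLOG) yields a Connected and a Disconnected event; adding EXTRA_PATTERNS also surfaces the two storage lines in between, which is the kind of user-defined activity Table 8-113 is for.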
System Attack Detection
This option group subsection contains basic Web attack monitoring criteria to thwart basic attacks on any Web server that produces any kind of access log.
The global settings area consists of the following:
■ Alert only on Success Attack Attempt (Code 200): This area configures all the attack detection rules to look for the trailing code 200 when a suspicious string is found in the access log. Trailing code 200 means a successfully processed request. This setting dramatically decreases the amount of false positives and provides administrators with events that are considered processed by the hosting system.
■ Web Access Log File Path: This area configures the Web access log path, which the rules in this policy subsection sift through to find malicious request strings. Symantec Critical System Protection provides a default location for the Apache Web server HTTP access log. Symantec recommends that you research which path location is best for this portion of the policy, since other Web server packages may be configured with different HTTP access log paths.
Note: The log format must follow W3C guidelines.
■ Whitelisted IP Addresses: This area configures the IP addresses that are allowed or otherwise ignored in this monitoring subsection. These IP addresses are for tools like automated vulnerability scanning systems on enterprise networks, where you know that at regular intervals Web attack tests occur.
■ Blacklisted IP Addresses: This area configures the IP addresses that are not allowed access to the host system. Blacklisted IP addresses may be any addresses outside an internal network range if this area monitors an intranet Web host. Blacklisted IP addresses may also be known bad IP addresses from any of the blacklists available on the Internet.
■ IIS HTTP Success Code: The IIS HTTP Success Code is the trailing HTTP code on all requests that signifies that the request has been successfully processed on the host Web system. A success code that is paired with a maliciously crafted URI string would indicate a possibly compromised system.
■ IIS HTTP Error Code: The IIS HTTP Error Code is the HTTP error code that signifies a bad HTTP request. A high, repeating frequency of these codes in the access log signifies that a possible Web vulnerability scan is occurring.
Generic Web Attack Detection Options
Table 8-114 Description of the Generic VA Scan Attempt parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic VA Scan Attempt
Rule Name | WebAttackDetection_Generic_VAScan
Severity | Warning
Invalid Count | 20 (the number of times a 404 or unknown request is received)
Invalid Interval | 2 minutes (the time window in which the invalid count must occur to trigger the event)
Description | Detects a possible VA scan by triggering an event within a specific administrator-defined threshold. If Symantec Critical System Protection receives the specified number of 404 error codes within the user-defined interval, then this rule generates an alert on a possible VA scan attempt.
Table 8-115 Description of the Generic Blacklisted IP Request Attempts parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic Blacklisted IP Request Attempts
Rule Name | Baseline_WebAttackDetection_Generic_BlackListedIP
Severity | Warning
Description | A simple rule that detects the access attempt by a blacklisted IP address that is found in the HTTP access log. You configure the blacklisted IP address in the Global Settings area. If you enable this rule, any attempt by the predefined blacklisted IP address generates an event.
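The Global Settings described above and the two rules in Tables 8-114 and 8-115 (Generic VA Scan Attempt and Generic Blacklisted IP Request Attempts), applied to constructed access log lines, as an added example that is not Symantec's code. The parsing regex for Apache-style common/combined log lines, the RFC 5737 documentation addresses and the per-client sliding window are this example's own assumptions; the Invalid Count of 20 and Invalid Interval of 2 minutes are the table's defaults.

```python
"""Added example, not Symantec's code: Global Settings plus the Generic VA
Scan Attempt and Generic Blacklisted IP rules over constructed access log
lines."""

import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Apache common/combined format (assumed): client identd user [time]
# "request" status bytes, optionally followed by "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')


@dataclass
class GlobalSettings:
    whitelist: set = field(default_factory=set)   # your own scanners: ignored
    blacklist: set = field(default_factory=set)   # never-allowed addresses
    error_code: str = "404"                       # the HTTP Error Code setting
    invalid_count: int = 20                       # Invalid Count default
    invalid_interval: timedelta = timedelta(minutes=2)   # Invalid Interval default


def parse_line(line):
    """One log line to a dict, or None when the line is not in log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def detect_blacklisted(entries, settings):
    """Generic Blacklisted IP Request Attempts: every request from a
    blacklisted address is an event, whatever the status code."""
    return [{"rule": "Generic_BlackListedIP", "severity": "Warning",
             "ip": e["ip"], "uri": e["uri"]}
            for e in entries if e["ip"] in settings.blacklist]


def detect_va_scan(entries, settings):
    """Generic VA Scan Attempt: Invalid Count error responses to one client
    inside one Invalid Interval.  A sliding window of timestamps is kept per
    client and cleared after each event, so a long scan raises one event per
    threshold crossing rather than one per line."""
    windows = defaultdict(deque)
    events = []
    for e in entries:
        if e["ip"] in settings.whitelist or e["status"] != settings.error_code:
            continue
        w = windows[e["ip"]]
        w.append(e["time"])
        while e["time"] - w[0] > settings.invalid_interval:
            w.popleft()
        if len(w) >= settings.invalid_count:
            events.append({"rule": "Generic_VAScan", "severity": "Warning",
                           "ip": e["ip"], "count": len(w),
                           "first": w[0], "last": w[-1]})
            w.clear()
    return events


def _line(ip, ts, uri, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] "GET {uri} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def demo():
    """Constructed log: one external scanner, one whitelisted internal
    scanner, one blacklisted visitor and one ordinary client."""
    t0 = datetime(2012, 10, 10, 13, 55, tzinfo=timezone.utc)
    lines = [_line("203.0.113.5", t0 + timedelta(seconds=2 * i), f"/probe{i}", 404)
             for i in range(25)]
    lines += [_line("198.51.100.7", t0 + timedelta(seconds=i), f"/check{i}", 404)
              for i in range(25)]
    lines.append(_line("192.0.2.9", t0, "/index.html", 200))
    lines += [_line("203.0.113.77", t0 + timedelta(minutes=i), "/index.html", 200)
              for i in range(3)]
    lines.append("this line is not in access log format")
    settings = GlobalSettings(whitelist={"198.51.100.7"}, blacklist={"192.0.2.9"})
    entries = [e for e in map(parse_line, lines) if e]
    return detect_va_scan(entries, settings), detect_blacklisted(entries, settings)
```

demo() produces exactly one VA scan event, for 203.0.113.5 when its twentieth 404 lands inside the two-minute window, and one blacklisted-IP event for 192.0.2.9; the whitelisted scanner's identical burst is ignored, and the malformed line is dropped by the parser rather than breaking the run.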
Table 8-116 Description of the Generic SQL Injection Attack Attempts parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic SQL Injection Attack Attempts
Rule Name | Baseline_WebAttackDetection_Generic_SQLInjection
Severity | Warning
Description | Detects the very simple and generic SQL injection-type attacks when it monitors the HTTP access log file. Primary and secondary select logic is used to ensure that accurate rule tuning can occur. You can customize this area to your needs to add further SQL injection measures.
Table 8-117 Description of the Generic Directory Transversal Attempts parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic Directory Transversal Attempts
Rule Name | Baseline_WebAttackDetection_Generic_DirTransversal
Severity | Warning
Description | Detects possible directory traversal attempts in HTTP request strings. The generic strings for directory traversal attempts are provided. An individual or script attempting to traverse directories by HTTP request may be considered a malicious action.
Table 8-118 Description of the Generic Malicious User Agent Request Attempts parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic Malicious User Agent Request Attempts
Rule Name | Baseline_WebAttackDetection_Generic_MaliciousUserAgent
Severity | Warning
Description | Detects the malicious user agent strings in HTTP requests. Automated scripts commonly use bad user agents in large-scale attacks. Pre-scripted suites of programs also use them to attack a Web server. The presence of these known-bad user agent strings may indicate a malicious attempt to access your host Web system.
Table 8-119 Description of the Generic Unwanted Extension Requests parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic Unwanted Extension Requests
Rule Name | Baseline_WebAttackDetection_Unwanted_Extension_Request
Severity | Warning
Description | Detects the unwanted or suspicious extension requests. Files that are requested with the extensions configured in this rule may indicate a malicious script or user. You can add or remove extensions in this area to customize this event per host system environment.
Table 8-120 Description of the Generic Unwanted Directory Requests parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic Unwanted Directory Requests
Rule Name | Baseline_WebAttackDetection_Unwanted_Directory_Request
Severity | Warning
Description | Detects the unwanted or suspicious directory requests. Directory requests as configured in this rule may indicate a malicious script or user. You can add or remove sensitive directory paths in this area to customize this event per host system environment.
Table 8-121 Description of the Generic Vulnerable CGI Requests parameters used
Parameter | Description
Option Path | System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option | Generic Vulnerable CGI Requests
Rule Name | WebAttackDetection_Generic_VulnerableCGIRequest
Severity | Warning
Description | Detects the unwanted or suspicious CGI and script requests. CGI and script requests as configured in this rule may indicate a malicious script or user. You can add or remove sensitive directory paths in this area to customize this event per host system environment.
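The six pattern rules in Tables 8-116 to 8-121, as an added example that is not Symantec's rule logic: each rule is a regular expression over one field of an already-parsed request, and the Global Settings option to alert only on success code 200 gates all of them. The pattern lists, the reading of "primary and secondary select logic" as two expressions that must both match, and the sample requests are this example's assumptions, not the policy's actual strings.

```python
"""Added example, not Symantec's code: the generic Web attack rules as
regular-expression rules over parsed requests, gated on the success code.
Pattern lists and sample requests are constructed assumptions."""

import re
from urllib.parse import unquote

# One entry per rule.  "primary" must match the named field; where a
# "secondary" pattern exists it must match too.  That is how this example
# reads the SQL injection table's "primary and secondary select logic":
# a bare keyword is common in ordinary URLs, the keyword together with a
# quote, comment marker or FROM/UNION much less so, which keeps tuning sane.
RULES = [
    {"name": "Generic_SQLInjection", "field": "uri",
     "primary": re.compile(r"(?i)\b(select|union|insert|update|delete|drop)\b"),
     "secondary": re.compile(r"(?i)(\bfrom\b|\bunion\b|'|--|;)")},
    {"name": "Generic_DirTransversal", "field": "uri",
     "primary": re.compile(r"\.\./|\.\.\\")},
    {"name": "Generic_MaliciousUserAgent", "field": "ua",
     "primary": re.compile(r"(?i)\b(nikto|sqlmap|nessus)\b")},
    {"name": "Unwanted_Extension_Request", "field": "path",
     "primary": re.compile(r"(?i)\.(bak|old|orig|sql|swp)$")},
    {"name": "Unwanted_Directory_Request", "field": "path",
     "primary": re.compile(r"(?i)^/(\.git|\.svn|backup|admin)(/|$)")},
    {"name": "Generic_VulnerableCGIRequest", "field": "path",
     "primary": re.compile(r"(?i)^/cgi-bin/(phf|test-cgi|printenv)$")},
]


def normalise(request):
    """Decode percent-encoding once and split the path from the query, so
    that an encoded traversal (%2e%2e%2f) is matched in the form the server
    resolves it to rather than in the form the client chose to write it."""
    uri = unquote(request["uri"])
    return {**request, "uri": uri, "path": uri.split("?", 1)[0],
            "ua": unquote(request.get("ua", ""))}


def evaluate(requests, success_only=True, success_code="200"):
    """Run every rule over every request.  With success_only set (the
    'Alert only on Success Attack Attempt' global setting) requests the
    server did not answer with the success code are skipped, which is the
    false-positive reduction that setting is for."""
    events = []
    for raw in requests:
        r = normalise(raw)
        if success_only and r["status"] != success_code:
            continue
        for rule in RULES:
            text = r[rule["field"]]
            if not rule["primary"].search(text):
                continue
            if "secondary" in rule and not rule["secondary"].search(text):
                continue
            events.append({"rule": rule["name"], "severity": "Warning",
                           "ip": r["ip"], "uri": raw["uri"], "status": r["status"]})
    return events


# Constructed requests, as a log parser would hand them over (RFC 5737 addresses).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "status": "200", "ua": "Mozilla/5.0", "uri": "/products?id=1"},
    {"ip": "203.0.113.5", "status": "200", "ua": "Mozilla/5.0",
     "uri": "/products?id=1%27%20union%20select%201--"},
    {"ip": "203.0.113.5", "status": "404", "ua": "Mozilla/5.0",
     "uri": "/products?id=1%27%20union%20select%201--"},   # rejected by the server
    {"ip": "203.0.113.6", "status": "200", "ua": "Mozilla/5.0",
     "uri": "/static/%2e%2e/%2e%2e/private.txt"},           # encoded traversal
    {"ip": "203.0.113.7", "status": "200", "ua": "Mozilla/5.0 sqlmap/1.0", "uri": "/"},
    {"ip": "203.0.113.8", "status": "200", "ua": "Mozilla/5.0", "uri": "/db/site.sql"},
    {"ip": "203.0.113.9", "status": "200", "ua": "Mozilla/5.0", "uri": "/.git/config"},
    {"ip": "203.0.113.10", "status": "200", "ua": "Mozilla/5.0", "uri": "/cgi-bin/test-cgi"},
    {"ip": "203.0.113.11", "status": "200", "ua": "Mozilla/5.0", "uri": "/select-your-plan"},  # keyword only
]
```

evaluate(SAMPLE_REQUESTS) raises one event per rule, in request order; the 404 copy of the injection attempt is dropped by the success gate, and /select-your-plan shows the secondary pattern at work: the keyword alone is not enough. Setting success_only=False restores the 404 event, which is what an operator who wants to see unsuccessful probing would choose.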
UNIX Rootkit File / Directory Detection
A global settings area sets the following parameters for all rules in the UNIX Rootkit File / Directory Detection area:
■ A Polling Interval option controls the interval in which the software polls or checks the files and directories that are configured for change monitoring. This option is available to enable tuning of how frequently files and directories are polled for changes. You may want to adjust the default polling rate if your environment has a large number of files and directories to be monitored. This adjustment helps to ensure that resources are not overly used for the engine. A drop-down selection criteria area is provided to easily switch polling interval frequency.
■ A Monitor Checksums option is available to enable the monitoring of a file's checksum during a file modification event. It reports the real-time SHA-256 hash comparison to the Symantec Critical System Protection console under the Event details. This option also enables the monitoring of file checksums as calculated at agent startup. It determines whether the file was modified since Symantec Critical System Protection was last shut down. This option provides detection ability even if the Symantec Critical System Protection service or daemon is shut down. If a monitored file is changed, once the Symantec Critical System Protection service or daemon is started, it compares the files in its monitored list to when it was shut down. Any differences are reported to the console.
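As an added example that is not Symantec's code, here is how a polling interval and a persisted SHA-256 baseline give the across-restart detection the Monitor Checksums bullet describes: the baseline is written to disk when the monitor stops and compared with the live files at the next start, so a change made while the daemon was down is still reported with both hashes. The state file, the watched paths (one of them a placeholder indicator path that is expected to be absent, like the rootkit paths in the tables that follow) and the sample contents are constructed.

```python
"""Added example, not Symantec's code: polling + persisted SHA-256 baseline
so that changes made while the monitor was down are still detected."""

import hashlib
import json
import os
import tempfile
import time


def sha256_of(path):
    """Hex SHA-256 of a file, or None when the path does not exist.  None is
    a legitimate baseline state: rootkit indicator paths are expected never
    to exist, and their appearance is the signal."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    return {p: sha256_of(p) for p in paths}


def diff_baselines(previous, current):
    """Events for paths whose state changed between two baselines, carrying
    the old and new hash as the console's Event details would."""
    events = []
    for path in sorted(current):
        before, after = previous.get(path), current[path]
        if before == after:
            continue
        op = "Created" if before is None else "Deleted" if after is None else "Modified"
        events.append({"op": op, "path": path, "old_sha256": before, "new_sha256": after})
    return events


class ChecksumMonitor:
    """Polls the configured paths at polling_interval seconds and persists
    the last baseline so the gap between stop() and the next start() is
    covered."""

    def __init__(self, paths, state_file, polling_interval=5.0):
        self.paths = list(paths)
        self.state_file = state_file
        self.polling_interval = polling_interval
        self.baseline = None

    def start(self):
        """Compare the baseline saved at the previous shutdown (if any) with
        the files as they are now; return the events for that gap."""
        current = take_baseline(self.paths)
        events = []
        if os.path.exists(self.state_file):
            with open(self.state_file) as f:
                events = diff_baselines(json.load(f), current)
        self.baseline = current
        return events

    def poll_once(self):
        """One polling pass: events since the previous pass."""
        current = take_baseline(self.paths)
        events = diff_baselines(self.baseline, current)
        self.baseline = current
        return events

    def run(self, passes):
        """A fixed number of polling passes (a real daemon loops until stopped)."""
        events = []
        for _ in range(passes):
            time.sleep(self.polling_interval)
            events += self.poll_once()
        return events

    def stop(self):
        with open(self.state_file, "w") as f:
            json.dump(self.baseline, f)


def demo():
    """Constructed scenario: a watched binary and an indicator path that
    should never exist; both change while the monitor is stopped."""
    with tempfile.TemporaryDirectory() as root:
        watched = os.path.join(root, "sshd")
        indicator = os.path.join(root, "tmp", "rootkit-indicator")   # placeholder, absent by design
        os.makedirs(os.path.dirname(indicator))
        with open(watched, "w") as f:
            f.write("original binary\n")
        state = os.path.join(root, "baseline.json")

        mon = ChecksumMonitor([watched, indicator], state, polling_interval=0.0)
        first_start = mon.start()        # no saved state yet: nothing to compare
        mon.stop()                       # daemon shuts down, baseline persisted

        # Changes made while no monitor is running.
        with open(watched, "w") as f:
            f.write("replaced binary\n")
        with open(indicator, "w") as f:
            f.write("dropped file\n")

        mon2 = ChecksumMonitor([watched, indicator], state, polling_interval=0.0)
        restart_events = mon2.start()    # the gap is reported here
        os.remove(indicator)             # cleaned up while the monitor runs
        poll_events = mon2.run(passes=1)
        return first_start, restart_events, poll_events
```

demo() returns no events at the first start, a Modified event for the replaced binary and a Created event for the indicator path at the restart, and a Deleted event from the polling pass once the indicator is removed; the Created event on a path that should not exist is exactly the condition the rootkit rules below look for.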
Table 8-122 Description of the Bash Door parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | Bash Door
Rule Name | Rootkit_Detection_BashDoor
Severity | Critical
Monitor Paths | /tmp/mcliZokhb
              | /tmp/mclzaKmfa
Description | Detects rootkit activity.
Table 8-123 Description of the VOLC Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | VOLC Rootkit
Rule Name | Rootkit_Detection_VOLC
Severity | Critical
Monitor Paths | /usr/lib/volc
Description | Detects rootkit activity.
Table 8-124 Description of the Illogic Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | Illogic Rootkit
Rule Name | Rootkit_Detection_Illogic
Severity | Critical
Monitor Paths | /etc/ld.so.hash
              | /lib/security/.config
              | /usr/bin/sia
Description | Detects rootkit activity.
Table 8-125 Description of the T0rn Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | T0rn Rootkit
Rule Name | Rootkit_Detection_T0rn
Severity | Critical
Monitor Paths | /etc/ttyhash
              | /lib/ldlib.tk
              | /sbin/xlogin
              | /usr/info/.T0rn
              | /usr/src/.puta
              | /var/run/...dica
Description | Detects rootkit activity.
Table 8-126 Description of the RK17 Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | RK17 Rootkit
Rule Name | Rootkit_Detection_RK17
Severity | Critical
Monitor Paths | /bin/rtty
              | /bin/squit
              | /sbin/pback
              | /usr/src/linux/modules/autod.o
              | /usr/src/linux/modules/soundx.o
Description | Detects rootkit activity.
Table 8-127 Description of the RSHA Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | RSHA Rootkit
Rule Name | Rootkit_Detection_RSHA
Severity | Critical
Monitor Paths | /etc/rc.d/arch/alpha/lib/.lib/*
              | /etc/rc.d/rsha/*
              | /usr/bin/chsh2
              | /usr/bin/kr4p
              | /usr/bin/n3tstat
              | /usr/bin/slice2
Description | Detects rootkit activity.
Table 8-128 Description of the RH-Sharpe Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | RH-Sharpe Rootkit
Rule Name | Rootkit_Detection_RHSharpe
Severity | Critical
Monitor Paths | /bin/.lpstree
              | /bin/.ps
              | /bin/ldu
              | /bin/lkillall
              | /bin/lnetstat
              | /usr/bin/.lpstree
              | /usr/bin/.ps
              | /usr/bin/cleaner
              | /usr/bin/ldu
              | /usr/bin/lkillall
              | /usr/bin/lnetstat
              | /usr/bin/slice
              | /usr/bin/vadim
Description | Detects rootkit activity.
Table 8-129 Description of the Showtee Romaniam Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | Showtee Romaniam Rootkit
Rule Name | Rootkit_Detection_Showteeromaniam
Severity | Critical
Monitor Paths | /usr/lib/.egcs
              | /usr/lib/.kinetic
              | /usr/lib/.wormie
              | /usr/lib/libfl.so
              | /usr/lib/liblog.o
              | /usr/sbin/xntps
Description | Detects rootkit activity.
Table 8-130 Description of the Optickit Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | Optickit Rootkit
Rule Name | Rootkit_Detection_Optickit
Severity | Critical
Monitor Paths | /usr/bin/xchk
              | /usr/bin/xsf
Description | Detects rootkit activity.
Table 8-131 Description of the Tele Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | Tele Rootkit
Rule Name | Rootkit_Detection_Telekit
Severity | Critical
Monitor Paths | /dev/hda06
              | /usr/info/libc1.so
Description | Detects rootkit activity.
Table 8-132 Description of the LRK Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | LRK Rootkit
Rule Name | Rootkit_Detection_LRK
Severity | Critical
Monitor Paths | /dev/ida/.inet
              | /usr/lib/liblog.o
Description | Detects rootkit activity.
Table 8-133 Description of the ADORE Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | ADORE Rootkit
Rule Name | Rootkit_Detection_Adore
Severity | Critical
Monitor Paths | /etc/bin/ava
              | /etc/sbin/ava
Description | Detects rootkit activity.
Table 8-134 Description of the KNARK Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | KNARK Rootkit
Rule Name | Rootkit_Detection_Knark
Severity | Critical
Monitor Paths | /dev/.pizda
              | /dev/.pula
              | /proc/knark
Description | Detects rootkit activity.
Table 8-135 Description of the BOBkit Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | BOBkit Rootkit
Rule Name | Rootkit_Detection_Bobkit
Severity | Critical
Monitor Paths | /tmp/.bkp/*
              | /usr/include/.../*
              | /usr/lib/.../*
              | /usr/lib/.bkit-/*
Description | Detects rootkit activity.
Table 8-136 Description of the HID Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | HID Rootkit
Rule Name | Rootkit_Detection_Hid
Severity | Critical
Monitor Paths | /var/lib/games/.k
Description | Detects rootkit activity.
Table 8-137 Description of the ARK Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | ARK Rootkit
Rule Name | Rootkit_Detection_ARK
Severity | Critical
Monitor Paths | /dev/ptyxx
              | /usr/lib/.ark?
Description | Detects rootkit activity.
Table 8-138 Description of the Mithra Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | Mithra Rootkit
Rule Name | Rootkit_Detection_Mithra
Severity | Critical
Monitor Paths | /usr/sbin/uboot
Description | Detects rootkit activity.
Table 8-139 Description of the LOC Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | LOC Rootkit
Rule Name | Rootkit_Detection_LOC
Severity | Critical
Monitor Paths | /tmp/kidd0
              | /tmp/kidd0.c
              | /tmp/xp
              | /usr/lib/libmen.oo/.LJK2
Description | Detects rootkit activity.
Table 8-140 Description of the Anonoiyng Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | Anonoiyng Rootkit
Rule Name | Rootkit_Detection_Anonoiyng
Severity | Critical
Monitor Paths | /usr/sbin/kswapd
              | /usr/sbin/mech
Description | Detects rootkit activity.
Table 8-141 Description of the ZK Rootkit parameters used
Parameter | Description
Option Path | System Attack Detection > UNIX Rootkit File / Directory Detection
Option | ZK Rootkit
Rule Name | Rootkit_Detection_ZK
Severity | Critical
Monitor Paths | /etc/sysconfig/console/load.zk
Description | Detects rootkit activity.
Table 8-142 Description of the S-it Rootkit parameters used
DescriptionParameter
System Attack Detection > UNIX Rootkit File / Directory DetectionOption Path
S-it RootkitOption
Rootkit_Detection_SitRule Name
CriticalSeverity
/dev/sdhu0/tehdrakg/*
/etc/rc.d/rc?.d/S23kmdac
/lib/.x
/lib/sk
Monitor Paths
Detects rootkit activity.Description
Table 8-143 Description of the F-it Rootkit parameters used
DescriptionParameter
System Attack Detection > UNIX Rootkit File / Directory DetectionOption Path
F-it RootkitOption
Policy optionsSystem Attack Detection
258
Table 8-143 Description of the F-it Rootkit parameters used (continued)
DescriptionParameter
Rootkit_Detection_FitRule Name
CriticalSeverity
/dev/proc/fuckit/*
/dev/proc/system-bins/init
Monitor Paths
Detects rootkit activity.Description
Table 8-144 Description of the Beastkit Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Beastkit Rootkit
Rule Name      Rootkit_Detection_Beastkit
Severity       Critical
Monitor Paths  /lib/ldd.so/bktools
               /usr/l/bin/idrun
               /usr/local/bin/.../bktd
               /usr/sbin/arobia/*
Description    Detects rootkit activity.

Table 8-145 Description of the Tuxkit Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Tuxkit Rootkit
Rule Name      Rootkit_Detection_Tuxkit
Severity       Critical
Monitor Paths  /dev/tux
Description    Detects rootkit activity.

Table 8-146 Description of the Kenga3 Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Kenga3 Rootkit
Rule Name      Rootkit_Detection_Kenga3
Severity       Critical
Monitor Paths  /usr/include/..
Description    Detects rootkit activity.

Table 8-147 Description of the ESRK Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         ESRK Rootkit
Rule Name      Rootkit_Detection_ESRK
Severity       Critical
Monitor Paths  /usr/lib/tcl5.3
Description    Detects rootkit activity.
Table 8-148 Description of the FU Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         FU Rootkit
Rule Name      Rootkit_Detection_FU
Severity       Critical
Monitor Paths  /sbin/xc
               /usr/include/ivtype.h
Description    Detects rootkit activity.

Table 8-149 Description of the SHKit Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         SHKit Rootkit
Rule Name      Rootkit_Detection_Shkit
Severity       Critical
Monitor Paths  /etc/ld.so.hash
               /lib/security/.config
Description    Detects rootkit activity.

Table 8-150 Description of the Ajakit Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Ajakit Rootkit
Rule Name      Rootkit_Detection_Ajakit
Severity       Critical
Monitor Paths  /lib/.libgh-gh
Description    Detects rootkit activity.

Table 8-151 Description of the zaRwT Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         zaRwT Rootkit
Rule Name      Rootkit_Detection_zaRwT
Severity       Critical
Monitor Paths  /bin/imin
               /bin/imout
Description    Detects rootkit activity.
Table 8-152 Description of the Madalin Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Madalin Rootkit
Rule Name      Rootkit_Detection_Madalin
Severity       Critical
Monitor Paths  /usr/include/iceconf.h
               /usr/include/icekey.h
               /usr/include/iceseed.h
Description    Detects rootkit activity.

Table 8-153 Description of the BMBL Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         BMBL Rootkit
Rule Name      Rootkit_Detection_BMBL
Severity       Critical
Monitor Paths  /etc/.bmbl
               /etc/.bmbl/sk
Description    Detects rootkit activity.

Table 8-154 Description of the aPa Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         aPa Rootkit
Rule Name      Rootkit_Detection_aPa
Severity       Critical
Monitor Paths  /usr/share/.aPa
Description    Detects rootkit activity.

Table 8-155 Description of the Enye-Sec Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Enye-Sec Rootkit
Rule Name      Rootkit_Detection_EnyeSec
Severity       Critical
Monitor Paths  /etc/.enyelkmHIDE^IT.ko
Description    Detects rootkit activity.
Table 8-156 Description of the Override Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Override Rootkit
Rule Name      Rootkit_Detection_Override
Severity       Critical
Monitor Paths  /dev/grid-hide-pid-
               /dev/grid-hide-port-
               /dev/grid-show-pids
               /dev/grid-show-port-
               /dev/grid-unhide-pid-
Description    Detects rootkit activity.

Table 8-157 Description of the PHALANX Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         PHALANX Rootkit
Rule Name      Rootkit_Detection_PHALANX
Severity       Critical
Monitor Paths  /bin/host.ph1
               /etc/host.ph1
               /usr/share/.home/ph1
Description    Detects rootkit activity.

Table 8-158 Description of the Monkit Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Monkit Rootkit
Rule Name      Rootkit_Detection_Monkit
Severity       Critical
Monitor Paths  /lib/defs
               /usr/lib/libpikapp.a
Description    Detects rootkit activity.

Table 8-159 Description of the Balaur Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Balaur Rootkit
Rule Name      Rootkit_Detection_Balaur
Severity       Critical
Monitor Paths  /usr/lib/.egcs
               /usr/lib/.kinetic
               /usr/lib/.wormie
Description    Detects rootkit activity.
Table 8-160 Description of the Bex2 Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Bex2 Rootkit
Rule Name      Rootkit_Detection_Bex2
Severity       Critical
Monitor Paths  /usr/include/bex
Description    Detects rootkit activity.

Table 8-161 Description of the Dreams Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Dreams Rootkit
Rule Name      Rootkit_Detection_Dreams
Severity       Critical
Monitor Paths  /dev/ida/.hpd
               /dev/ttyoa
               /dev/ttyof
               /dev/ttyop
               /usr/bin/logclear
               /usr/bin/sense
               /usr/bin/sl2
               /usr/lib/libsss
Description    Detects rootkit activity.

Table 8-162 Description of the HJC Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         HJC Rootkit
Rule Name      Rootkit_Detection_hjc
Severity       Critical
Monitor Paths  /dev/hijackerz
Description    Detects rootkit activity.
Table 8-163 Description of the Duarawkz Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Duarawkz Rootkit
Rule Name      Rootkit_Detection_Duarawkz
Severity       Critical
Monitor Paths  /usr/bin/duarawkz
Description    Detects rootkit activity.

Table 8-164 Description of the Oz Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Oz Rootkit
Rule Name      Rootkit_Detection_Oz
Severity       Critical
Monitor Paths  /dev/.oz/.nap/rkit/terror
Description    Detects rootkit activity.

Table 8-165 Description of the Portacelo Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Portacelo Rootkit
Rule Name      Rootkit_Detection_Portacelo
Severity       Critical
Monitor Paths  /var/lib/.../.ak
               /var/lib/.../.getty
               /var/lib/.../.hk
               /var/lib/.../.p
               /var/lib/.../.rs
               /var/lib/.../sssh_known_hosts
Description    Detects rootkit activity.
Table 8-166 Description of the Slapper Bot Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Slapper Bot Rootkit
Rule Name      Rootkit_Detection_SlapperBot
Severity       Critical
Monitor Paths  /tmp/.b
               /tmp/.cinik
               /tmp/.font-unix-cinik
Description    Detects rootkit activity.

Table 8-167 Description of the Scalper Bot Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Scalper Bot Rootkit
Rule Name      Rootkit_Detection_ScalperBot
Severity       Critical
Monitor Paths  /tmp/.a
               /tmp/.uua
Description    Detects rootkit activity.

Table 8-168 Description of the Flea Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Flea Rootkit
Rule Name      Rootkit_Detection_Flea
Severity       Critical
Monitor Paths  /usr/lib/ldlibct.so
               /usr/lib/ldlibdu.so
               /usr/lib/ldlibns.so
               /usr/lib/ldlibpst.so
Description    Detects rootkit activity.

Table 8-169 Description of the Ignokit Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Ignokit Rootkit
Rule Name      Rootkit_Detection_Ignokit
Severity       Critical
Monitor Paths  /lib/defs/p
               /lib/defs/q
               /lib/defs/r
               /lib/defs/s
               /lib/defs/t
               /usr/lib/.libigno/pkunsec
Description    Detects rootkit activity.
Table 8-170 Description of the Ni0 Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Ni0 Rootkit
Rule Name      Rootkit_Detection_Ni0
Severity       Critical
Monitor Paths  /tmp/waza
               /var/lock/subsys/...datafile.../*
Description    Detects rootkit activity.

Table 8-171 Description of the Devil Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Devil Rootkit
Rule Name      Rootkit_Detection_Devil
Severity       Critical
Monitor Paths  /dev/caca
               /dev/dsx
               /var/lib/games/.src
Description    Detects rootkit activity.

Table 8-172 Description of the Redstorm Rootkit parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Rootkit File / Directory Detection
Option         Redstorm Rootkit
Rule Name      Rootkit_Detection_Redstorm
Severity       Critical
Monitor Paths  /bin/...
               /var/log/tk02/see_all
Description    Detects rootkit activity.
UNIX Worm File / Directory Detection

A global settings area sets the following parameters for all rules in the UNIX Worm File / Directory Detection area:

■ A Polling Interval option controls the interval at which the software polls (checks) the files and directories that are configured for change monitoring. Use it to tune how frequently files and directories are polled for changes. You may want to lengthen the default polling interval if your environment has a large number of files and directories to be monitored, so that the engine does not consume excessive resources. A drop-down selection area is provided to switch the polling interval frequency.

■ A Monitor Checksums option enables monitoring of a file's checksum during a file modification event. It reports the real-time SHA-256 hash comparison to the Symantec Critical System Protection console under the Event details. This option also enables monitoring of file checksums as calculated at agent startup, which determines whether a file was modified since Symantec Critical System Protection was last shut down. This gives detection coverage even for the period in which the Symantec Critical System Protection service or daemon is shut down: if a monitored file is changed while the service or daemon is down, then once it starts it compares the files in its monitored list against their state at shutdown, and any differences are reported to the console.
Table 8-173 Description of the Adore Worm parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Worm File / Directory Detection
Option         Adore Worm
Rule Name      Worm_Detection_AdoreWorm
Severity       Critical
Monitor Paths  /dev/.*/red.tgz
               /usr/bin/adore
               /usr/lib/libt
               /usr/sbin/adore
Description    Detects worm activity.

Table 8-174 Description of the 55808_A Worm parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Worm File / Directory Detection
Option         55808_A Worm
Rule Name      Worm_Detection_55808aWorm
Severity       Critical
Monitor Paths  /tmp/.../a
               /tmp/.../r
Description    Detects worm activity.

Table 8-175 Description of the Sadmind Worm parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Worm File / Directory Detection
Option         Sadmind Worm
Rule Name      Worm_Detection_Sadmind
Severity       Critical
Monitor Paths  /dev/cuc
Description    Detects worm activity.

Table 8-176 Description of the Omega Worm parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Worm File / Directory Detection
Option         Omega Worm
Rule Name      Worm_Detection_Omega
Severity       Critical
Monitor Paths  /dev/chr
Description    Detects worm activity.

Table 8-177 Description of the LDP Worm parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Worm File / Directory Detection
Option         LDP Worm
Rule Name      Worm_Detection_LDP
Severity       Critical
Monitor Paths  /bin/.login
               /bin/.ps
               /dev/.kork
Description    Detects worm activity.

Table 8-178 Description of the Lion Worm parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Worm File / Directory Detection
Option         Lion Worm
Rule Name      Worm_Detection_LionWorm
Severity       Critical
Monitor Paths  /bin/mjy
               /dev/.lib
               /dev/.lib/lib/1i0n.sh
               /dev/.lib/lib/lib/dev/*
               /dev/.lib/lib/lib/netstat
               /dev/.lib/lib/scan/*
               /usr/man/man1/man1/lib/.lib/.x
               /usr/man/man1/man1/lib/.lib/in.telnetd
               /usr/man/man1/man1/lib/.lib/mjy
Description    Detects worm activity.

Table 8-179 Description of the Cback Worm parameters used

Parameter      Description
Option Path    System Attack Detection > UNIX Worm File / Directory Detection
Option         Cback Worm
Rule Name      Worm_Detection_CbackWorm
Severity       Critical
Monitor Paths  /tmp/cback
               /tmp/derfiq
Description    Detects worm activity.
Malicious Module Detection

A global settings area sets the following parameters for all rules in the Malicious Module Detection area:

■ A Polling Interval option controls the interval at which the software polls (checks) the files and directories that are configured for change monitoring. Use it to tune how frequently files and directories are polled for changes. You may want to lengthen the default polling interval if your environment has a large number of files and directories to be monitored, so that the engine does not consume excessive resources. A drop-down selection area is provided to switch the polling interval frequency.

■ A Monitor Checksums option enables monitoring of a file's checksum during a file modification event. It reports the real-time SHA-256 hash comparison to the Symantec Critical System Protection console under the Event details. This option also enables monitoring of file checksums as calculated at agent startup, which determines whether a file was modified since Symantec Critical System Protection was last shut down. This gives detection coverage even for the period in which the Symantec Critical System Protection service or daemon is shut down: if a monitored file is changed while the service or daemon is down, then once it starts it compares the files in its monitored list against their state at shutdown, and any differences are reported to the console.
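The two global-settings passages above (UNIX Worm File / Directory Detection and Malicious Module Detection) describe the same mechanism: the monitor paths of each rule are polled on a fixed interval, and a SHA-256 baseline taken at the previous poll is compared on the next one, so a change made while the agent was stopped is still reported at startup. The Python below is an illustration of that mechanism added for this page; it is not Symantec's agent code. The rule set (a subset of the monitor paths from the tables above), the file contents and the "attacker" actions are constructed, and the paths are resolved beneath a temporary root rather than on the real filesystem.

```python
"""Illustrative re-implementation of the polling file/directory detection
described above (an added example, not Symantec's agent code). Rules map a
rule name and severity to monitor-path globs; a SHA-256 baseline is kept so
that a change made while the monitor was stopped is reported on restart."""
import glob
import hashlib
import json
import os
import tempfile

# Constructed sample rules: a subset of the monitor paths from the tables above,
# resolved under a root directory so the example never touches a live host.
SAMPLE_RULES = [
    {"rule": "Rootkit_Detection_BMBL", "severity": "Critical",
     "paths": ["/etc/.bmbl", "/etc/.bmbl/sk"]},
    {"rule": "Rootkit_Detection_ARK", "severity": "Critical",
     "paths": ["/dev/ptyxx", "/usr/lib/.ark?"]},
    {"rule": "Worm_Detection_55808aWorm", "severity": "Critical",
     "paths": ["/tmp/.../a", "/tmp/.../r"]},
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def expand(root, pattern):
    """Resolve one monitor path (? and * wildcards allowed) beneath root."""
    return sorted(glob.glob(os.path.join(root, pattern.lstrip("/"))))


def poll(root, rules, baseline):
    """One polling pass. Returns (events, new_baseline); the baseline maps each
    matched path to its rule and SHA-256 ("<dir>" for a directory)."""
    severity = {r["rule"]: r["severity"] for r in rules}
    events, new_baseline = [], {}
    for rule in rules:
        for pattern in rule["paths"]:
            for path in expand(root, pattern):
                rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
                digest = sha256_of(path) if os.path.isfile(path) else "<dir>"
                new_baseline[rel] = {"rule": rule["rule"], "sha256": digest}
                old = baseline.get(rel)
                if old is None:
                    change = "created"          # path now exists: the rule fires
                elif old["sha256"] != digest:
                    change = "modified"         # content differs from the baseline
                else:
                    continue
                events.append({"rule": rule["rule"], "severity": rule["severity"],
                               "path": rel, "change": change})
    for rel in sorted(set(baseline) - set(new_baseline)):
        events.append({"rule": baseline[rel]["rule"],
                       "severity": severity.get(baseline[rel]["rule"], "Critical"),
                       "path": rel, "change": "deleted"})
    return events, new_baseline


def demo():
    """Constructed scenario: clean poll, rootkit dropped, file replaced while
    the agent was down, file removed."""
    with tempfile.TemporaryDirectory() as root:
        clean, base = poll(root, SAMPLE_RULES, {})
        os.makedirs(os.path.join(root, "etc/.bmbl"))        # attacker drops BMBL
        sk = os.path.join(root, "etc/.bmbl/sk")
        with open(sk, "wb") as f:
            f.write(b"constructed stand-in for the sk binary")
        dropped, base = poll(root, SAMPLE_RULES, base)
        # Agent stops; the baseline is persisted (round-tripped through JSON as it
        # would be on disk); the file changes; the agent restarts and compares.
        saved = json.loads(json.dumps(base))
        with open(sk, "wb") as f:
            f.write(b"replaced while the agent was down")
        offline, base = poll(root, SAMPLE_RULES, saved)
        os.remove(sk)
        removed, _ = poll(root, SAMPLE_RULES, base)
        return {"clean": clean, "dropped": dropped, "offline": offline, "removed": removed}


if __name__ == "__main__":
    for phase, events in demo().items():
        print(phase, json.dumps(events))
```

Running the module prints the events of each phase. The "offline" phase is the case the Monitor Checksums option addresses: no poll ran while the file was replaced, and it is the mismatch against the baseline saved at shutdown that gets reported. In a real deployment the baseline would be written to disk after every pass and poll() would be scheduled at the configured Polling Interval; the cost of each pass grows with the number of matched files, which is why the guide suggests lengthening the interval on hosts with many monitored paths.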
Table 8-180 Description of the Suspicious Loadable Kernel Module (LKM) Detection parameters used

Parameter      Description
Option Path    System Attack Detection > Malicious Module Detection
Option         Suspicious Loadable Kernel Module (LKM) Detection
Rule Name      LKM_Suspicious_Module_Detection
Severity       Critical
Monitor Paths  /lib/adore_so
               /lib/cleaner_o
               /lib/flkm_o
               /lib/modules/adore_so
               /lib/phide_mod_o
Description    Detects suspicious activity related to Loadable Kernel Modules.
Suspicious Permission Change Detection

Table 8-181 Description of the Suspicious Permission Change Detection parameters used

Parameter      Description
Option Path    System Attack Detection
Option         Suspicious Permission Change Detection
Rule Name      Suspicious_Perm_Change_Critical_Files
Severity       Critical
Monitor Paths  /bin/*
               /usr/bin/*
               /usr/local/bin*
Description    Detects suspicious changes in permissions in critical files and directories.
Appendix A
Parameter reference syntax

This appendix includes the following topics:

■ Parameter reference syntax overview
■ Simple policy parameter
■ Compound policy parameter
■ Operating system environment variable
■ Windows registry value
■ Agent translator function

Parameter reference syntax overview

Table A-1 lists the types of references that Symantec Critical System Protection supports in parameter values. These can be references to parameters defined elsewhere in the policy or to data on the operating system.

Table A-1 Types of references with syntax

Type                        Syntax
Simple policy parameter     %parameter%
Compound policy parameter   %parameter:field%
OS environment variable     %environmentvariable%
Windows registry value      %%registrypath%%
Agent translator function   %?function(parameters)?%

Inside the reference delimiters, you must escape any special characters that are used in strings, using a forward slash (/) on Windows and a backslash (\) on UNIX.

Note: The syntax is the same for policy parameters and OS environment variables. The Symantec Critical System Protection agent looks for a policy parameter with the given name first. If the policy parameter is not found, it looks for an OS environment variable.
See “Simple policy parameter” on page 278.
See “Compound policy parameter” on page 278.
See “Operating system environment variable” on page 282.
See “Windows registry value” on page 282.
See “Agent translator function” on page 283.
Simple policy parameter

A simple parameter is a list of single values. You reference the parameter by its name; no field names are necessary, since a simple parameter is a list of single values. The agent replaces the parameter reference with the values. Parameter names are case sensitive.

The simple policy parameter types are as follows:

Type                  Description
String                A single string value.
String List           A list of string values.
Date/Time Duration    A single duration value, e.g. 30 minutes.
Date/Time Interval    A single repetition interval, e.g. hourly, daily.

See "Parameter reference syntax overview" on page 277.
Compound policy parameter

A compound policy parameter is a list of sets of values. In the console, a compound parameter is displayed as a table, where each row is one parameter value and the columns are the fields in the value. For each compound parameter type, there is a specific set of fields in the list. When referencing a compound parameter, you must use the parameter name followed by a colon and a field name. You must always refer to a specific field. For example, you might use %myparameter:prog%. Parameter and field names are case sensitive.

The compound policy parameter types are as follows; their field names are listed in the sections that follow:

Compound policy parameter        Description
Process List                     A list of processes, each element in the list consisting of one or more process attributes.
                                 See "Process List" on page 279.
Process List without Arguments   A list of processes, each element in the list consisting of one or more process attributes, excluding the command line arguments attribute.
                                 See "Process List without Arguments" on page 280.
Resource List                    A list of resources such as file paths and registry paths, where each element consists of a resource name and zero or more process attributes.
                                 See "Resource List" on page 280.
Network List with Processes      A list of network rules, where each element consists of network connection attributes, process attributes, and action attributes.
                                 See "Network List with Processes" on page 281.
Network List                     A list of network rules, where each element consists of network connection attributes and action attributes.
                                 See "Network List" on page 281.
Date/Time Value                  A single date/time value with a timezone.
                                 See "Date/Time Value" on page 282.

See "Parameter reference syntax overview" on page 277.
Process List

Process List is a list of processes, where each element in the list consists of one or more process attributes.

■ The prog field is the Program Path column and is required in each row. It specifies the program running in the process.
■ The cmdline field is the Arguments column, specifying the command line parameters for the process. This field is optional.
■ The id field is the User Name column, specifying the user name for the process. This field is optional.
■ The groupid field is the Group Name column, specifying the group name for the process. This field is optional.

Note: If you want to specify all processes for a specific user, you must still fill in the Program Path column, but you can use a * to specify all programs and then fill in the User Name column to specify the desired user account.
Process List without Arguments

Process List without Arguments is a list of processes, where each element in the list consists of one or more process attributes, excluding the command line arguments attribute.

■ The column and field names are identical to the Process List parameter type, except that the Arguments field is not included.

Resource List

Resource List is a list of resources (such as file paths and registry paths), where each element consists of a resource name and zero or more process attributes.

■ The value field is the Resource Path column and is required in each row. It specifies the file or registry path you are controlling.
■ The prog field is the Program Path column. This field is required if you want to specify other process attributes. Otherwise it is optional.
■ The cmdline field is the Arguments column, specifying the command line parameters for the process. This field is optional.
■ The id field is the User Name column, specifying the user name for the process. This field is optional.
■ The groupid field is the Group Name column, specifying the group name for the process. This field is optional.

Note: If you want to specify all processes for a specific user, you must still fill in the Program Path column, but you can use a * to specify all programs and then fill in the User Name column to specify the desired user account.
Network List with Processes

Network List with Processes is a list of network rules, where each element consists of network connection attributes, process attributes, and action attributes.

■ Connection information:
  ■ The protocol field is the Protocol column.
  ■ One or more additional connection elements are required:
    ■ The RPort field is the Remote Port column and specifies the remote port or port range.
    ■ The LPort field is the Local Port column and specifies the local port or port range.
    ■ The RIP field is the Remote IP column and specifies the remote IP address or address range.
■ Action information:
  ■ The action field is the Action column.
  ■ The log field is the Logging column.
■ Process information:
  ■ The prog field is the Program Path column. This field is required if you want to specify other process attributes. Otherwise it is optional.
  ■ The cmdline field is the Arguments column, specifying the command line parameters for the process. This field is optional.
  ■ The id field is the User Name column, specifying the user name for the process. This field is optional.
  ■ The groupid field is the Group Name column, specifying the group name for the process. This field is optional.

Note: If you want to specify all processes for a specific user, you must still fill in the Program Path column, but you can use a * to specify all programs and then fill in the User Name column to specify the desired user account.

Network List

Network List is a list of network rules, where each element consists of network connection attributes and action attributes.

■ The column and field names are identical to the Network List with Processes parameter type, except that the process-related fields are not included.

Date/Time Value

Date/Time Value is a single date/time value with a timezone.

■ This compound parameter type is not displayed as a table because it cannot be a list.
■ The field names for the Date and Timezone columns in the console are value and timezone, respectively.
Operating system environment variable

You can use an operating system environment variable as a variable in a policy. Environment variable names follow the operating system's normal conventions for case sensitivity, so they are case sensitive on UNIX and case insensitive on Windows.

Note: Environment variables are evaluated in the context of the SCSP agent IPS service or daemon. Therefore, you should only reference environment variables that have system-wide values. If you reference a variable with a user-specific value, you get the value for the IPS service or daemon user, which is probably not the desired value.

See "Parameter reference syntax overview" on page 277.
Windows registry value

For registry references, the agent looks up the given value in the registry and replaces the reference with the data that the value contains.

The data must be one of the following types:

■ REG_SZ (string)
■ REG_EXPAND_SZ (string with environment variables that should be expanded)
■ REG_MULTI_SZ (list of strings)
■ REG_DWORD (32-bit integer)
■ REG_QWORD (64-bit integer)

The agent expands the environment variables in a REG_EXPAND_SZ value immediately, before it processes the resulting string. For REG_MULTI_SZ values, the reference expands to the list of strings.

On 64-bit versions of Windows, you can prefix registry paths with an optional redirection specification, which controls how registry redirection is applied when looking up the path.

The valid redirection specifications are as follows:

■ 32: looks up the path in the registry as a 32-bit program sees it (redirection on)
■ 64: looks up the path in the registry as a 64-bit program sees it (redirection off)
■ 6432: looks in the 64-bit view of the registry first, and if that fails, looks in the 32-bit view
■ 3264: looks in the 32-bit view of the registry first, and if that fails, looks in the 64-bit view

See "Parameter reference syntax overview" on page 277.
Agent translator function

A function reference provides a way to call an extension function from within a policy. The agent replaces the function reference with the return value or list of return values of the function.

In a function reference such as %?function(parameters)?%, the parameters may contain any characters, even special characters, except that you must escape a close parenthesis ")". The function parameters are not processed, so if they contain a reference themselves, the text of the reference is passed to the function. For example, %myvar% is passed rather than myvar's value after evaluation. However, if a function's return value contains a reference, the reference is subsequently evaluated.

See "Translator function reference" on page 285.
Appendix B
Translator function reference

This appendix includes the following topics:

■ Generic functions

Generic functions

The following functions can be used in both Prevention and Detection policies and on all operating systems:

■ %?LocalIPs()?%
  See "%?LocalIPs()?%" on page 285.
■ %?LocalIPAddresses()?%
  See "%?LocalIPAddresses()?%" on page 286.
■ %?AgentParams(<param name>)?%
  See "%?AgentParams(<param name>)?%" on page 286.
■ %?SplitPath(<path>)?%
  See "%?SplitPath(<path>)?%" on page 286.
■ %?ImportFileList(<filepath>)?%
  See "%?ImportFileList(<filepath>)?%" on page 286.

%?LocalIPs()?%

Returns the list of IP addresses for the system. Includes only IPv4 addresses.

%?LocalIPAddresses()?%

Returns the list of IP addresses for the system. Includes both IPv4 and IPv6 addresses.

%?AgentParams(<param name>)?%

Looks in the IPS agent.ini file and returns the requested parameter. The following strings are valid as "param name":

■ Notification Port: returns the port the agent listens on for notifications
■ Server IP: returns the list of IP addresses for management servers this agent can connect to
■ Server Port: returns the management server port this agent connects to

For example: %?AgentParams(Notification Port)?%

%?SplitPath(<path>)?%

Takes a pathname and returns a list consisting of the original pathname plus all the directory names on the pathname leading up to it.

For example, if you call %?SplitPath(C:\a\b\c)?% you get:

■ C:\a
■ C:\a\b
■ C:\a\b\c

%?ImportFileList(<filepath>)?%

Takes a file path and imports the data from the file into the policy as if a user had typed that data into the console. This data can be file paths, registry keys, user names, group names or any other strings that make sense at the point in the policy where the function is called.

By default, the file being imported is limited to 100 lines. This limit is defined by the ips.importfile.maxlines setting in the IPS/agent.ini file and can be raised if larger files are required.

Note: The function can be made optional by writing it as %?-ImportFileList(<path>)?%. In this case the translator succeeds even if the file to be imported is not available.
Note: To make individual entries in the file optional, add a "-" in front of each optional line. For example, if the file you want to import contains user names and certain user names are to be optional, the file contents should be:

admin
test1
-test2    (an optional user)
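As an added example (not Symantec's translator), the following Python resolves the reference shapes from Table A-1 and the three generic functions that need nothing beyond the local host: SplitPath, AgentParams and ImportFileList, including the %?-ImportFileList(...)?% form and the "-" prefix for optional lines. It also shows the two evaluation rules from the "Agent translator function" section: function arguments are passed verbatim (only an escaped close parenthesis is unescaped), and a function's return values are evaluated again for references. The policy parameters, the agent.ini stand-in, the environment variable and the import file are constructed; how the real agent validates an optional entry is not stated on the page, so this code assumes entries are paths and drops an optional entry that does not exist. Windows registry references are omitted because they need a registry to read.

```python
"""Illustrative resolver for the reference syntax of Table A-1 (an added example,
not Symantec's translator): %param%, %param:field%, the OS-environment fallback,
and the %?func(args)?% functions SplitPath, AgentParams and ImportFileList."""
import itertools, os, re, tempfile

# Function arguments run to the first unescaped ")" (the guide requires ")" to be
# escaped); the second alternative covers %name% and %name:field%.
REF = re.compile(r"%\?(?P<opt>-?)(?P<func>\w+)\((?P<args>(?:[^)\\]|\\.)*)\)\?%"
                 r"|%(?P<name>\w+)(?::(?P<field>\w+))?%")


class TranslateError(Exception):
    pass


def lookup(name, field, params):
    """Policy parameter first, then an OS environment variable (see the Note above)."""
    if name in params:
        rows = params[name]
        if field is not None:
            return [row[field] for row in rows]
        if rows and isinstance(rows[0], dict):
            raise TranslateError(f"compound parameter {name} needs a :field")
        return list(rows)
    if field is None and name in os.environ:
        return [os.environ[name]]
    raise TranslateError(f"unresolved reference %{name}%")


def import_file_list(path, file_optional, maxlines):
    """One entry per non-blank line, at most maxlines. A leading '-' marks an optional
    entry; this example (an assumption) treats entries as paths and drops an
    optional one that does not exist."""
    if not os.path.exists(path):
        if file_optional:  # the %?-ImportFileList(...)?% form
            return []
        raise TranslateError(f"import file {path!r} not found")
    with open(path, encoding="utf-8") as f:
        lines = [ln.strip() for ln in f if ln.strip()]
    if len(lines) > maxlines:
        raise TranslateError(f"{path!r} exceeds ips.importfile.maxlines={maxlines}")
    optional = [ln.startswith("-") for ln in lines]
    values = [ln[1:] if opt else ln for ln, opt in zip(lines, optional)]
    return [v for v, opt in zip(values, optional) if not opt or os.path.exists(v)]


def call(func, args, optional, agent_ini):
    """The three generic translator functions this example supports."""
    if func == "SplitPath":  # the path plus every directory leading up to it
        sep, parts = ("\\" if "\\" in args else "/"), re.split(r"[\\/]", args)
        return [sep.join(parts[:i]) for i in range(2, len(parts) + 1)]
    if func == "AgentParams":  # agent_ini is a constructed stand-in for IPS/agent.ini
        if args not in agent_ini:
            raise TranslateError(f"unknown agent.ini parameter {args!r}")
        return list(agent_ini[args])
    if func == "ImportFileList":
        maxlines = int(agent_ini.get("ips.importfile.maxlines", ["100"])[0])
        return import_file_list(args, optional, maxlines)
    raise TranslateError(f"unknown translator function {func}")


def expand(text, params, agent_ini, depth=0):
    """Expand every reference in text: one result per combination of list-valued
    references, or [] when a reference expands to nothing."""
    if depth > 8:
        raise TranslateError("reference nesting too deep")
    pieces, choices, pos = [], [], 0
    for m in REF.finditer(text):
        pieces.append(text[pos:m.start()])
        if m.group("func"):
            args = m.group("args").replace("\\)", ")")  # otherwise passed verbatim
            rets = call(m.group("func"), args, m.group("opt") == "-", agent_ini)
            values = [v for r in rets for v in expand(r, params, agent_ini, depth + 1)]
        else:
            values = lookup(m.group("name"), m.group("field"), params)
        choices.append(values)
        pos = m.end()
    pieces.append(text[pos:])
    if not choices:
        return [text]
    return [pieces[0] + "".join(v + t for v, t in zip(combo, pieces[1:]))
            for combo in itertools.product(*choices)]


def demo():
    os.environ["SCSP_DEMO_HOME"] = "/opt/demo"  # stands in for a system-wide variable
    params = {"logdir": ["/var/log/app"],
              "daemons": [{"prog": "/usr/sbin/sshd", "id": "root"},
                          {"prog": "/usr/sbin/cron", "id": "root"}]}
    ini = {"Notification Port": ["2222"], "ips.importfile.maxlines": ["100"]}
    with tempfile.TemporaryDirectory() as tmp:
        present, listing = os.path.join(tmp, "present.conf"), os.path.join(tmp, "paths.txt")
        open(present, "w").close()
        with open(listing, "w") as f:  # the second entry is optional and absent
            f.write(f"{present}\n-{tmp}/missing.conf\n\n")
        return {
            "simple": expand("%logdir%/audit.log", params, ini),
            "compound": expand("%daemons:prog%", params, ini),
            "env": expand("%SCSP_DEMO_HOME%/bin", params, ini),
            "split": expand(r"%?SplitPath(C:\a\b\c)?%", params, ini),
            "escaped": expand(r"%?SplitPath(/srv/app (prod\)/cfg)?%", params, ini),
            "import": [os.path.basename(p) for p in expand(f"%?ImportFileList({listing})?%", params, ini)],
            "import_missing": expand(f"%?-ImportFileList({tmp}/nope.txt)?%", params, ini),
        }
```

demo() returns one entry per reference shape. Two behaviours are worth noticing when writing policies: a reference that expands to an empty list (the optional import of a missing file) makes the whole value disappear rather than leaving an empty string behind, and a compound parameter referenced without a :field is an error rather than a silent substitution, which matches the rule in the "Compound policy parameter" section.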