Symantec Critical System Protection 5.2.9 Detection Policy Reference Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 5.2.9

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Contents

Technical Support ... 4

Chapter 1  Detection policy overview ... 11
    About the detection policies ... 11
    About rulesets and rules ... 12
    About policy options ... 14
    About monitored files ... 14
    About date and time restrictions ... 15
    Using the management console to learn more about policy options ... 15
    Viewing the policy option settings ... 16

Chapter 2  Windows detection policy reference ... 17
    About the Windows detection policies ... 17
    List of policies ... 18
        CSP_Agent_Diagnostics ... 18
        CSP_Agent_Status ... 21
        CSP_Server_Monitor ... 21
        Global_Watch_Policy ... 21
        Windows_Template_Policy ... 24
        Kill_Prevention_PSET ... 25
        Creating custom rules ... 26
    Host Intrusion Detection policies enhancements ... 40

Chapter 3  UNIX detection policy reference ... 45
    About the UNIX detection policies ... 45
    List of policies ... 46
        UNIX_CSP_Agent_Diagnostics ... 46
        UNIX_CSP_Agent_Status ... 46
        UNIX_Template_Policy ... 47

Chapter 4  Policy examples ... 51
    About Policy examples ... 51
    Forcing rollover of the agent event log file ... 51
    Creating a filewatch rule ... 52

Chapter 5  Windows Baseline Detection policy ... 55
    Introduction ... 55
    File monitoring improvements ... 58
    Windows-specific policy improvements ... 59
    About rule options ... 60

Chapter 6  Policy options ... 63
    System User and Group Change Monitor ... 63
        System User Configuration Changes ... 63
        System Group Changes ... 75
    System Active Directory Change Monitor ... 82
        Active Directory Domain Trust Configuration ... 83
        Active Directory FSMO Changes ... 84
        Authentication and Encryption Configuration ... 86
    System Login Activity and Access Monitor ... 93
        System Login Success Monitor ... 93
        System Logoff Monitor ... 98
        System Failed Login Monitor ... 100
    System Hardening Monitor ... 108
        System Autorun Configuration ... 108
        Network Comm Configuration ... 111
        System File Protection Status ... 112
        System Security Configuration ... 115
        System StartStop Options ... 131
        System Audit Tampering ... 134
        System Hardening User Interactive ... 138
    System File and Directory Monitor ... 141
        System File Shares Configuration Monitor ... 141
        System FileWatch Monitor ... 142
    System Registry Monitor ... 156
        System Registry Monitor - AutoStart Keys ... 156
    System Symantec Software Monitor ... 160
        Symantec AntiVirus Client Communication ... 161
        Symantec Endpoint Protection Client Communication ... 166
    System External Device Activity ... 172
        USB Device Activity ... 172
        CD/DVD Burning Activity ... 172
        USB Device Activity ... 174
    System Attack Detection ... 174
        Generic Web Attack Detection Monitoring ... 175

Chapter 7  UNIX Baseline Detection policy ... 181
    Introduction ... 181
    File monitoring improvements ... 184
    Advanced per-rule tuning improvements ... 185
    Console changes ... 185
    Unicode Log Monitoring for UNIX ... 186
    How wildcard characters and recursion levels work in IDS file monitoring ... 187

Chapter 8  Policy options ... 189
    System User and Group Change Monitor ... 189
        Global User and Group Change Monitor Settings ... 189
        System User Configuration Changes ... 190
        System Group Configuration Changes ... 196
        Privileged User and Group Configuration Activity ... 198
    System Login Activity and Access Monitor ... 200
        System Login Success Monitor ... 200
        System Logoff Monitor ... 205
        System Failed Login Monitor ... 208
    System Privileged Command and Bash History Monitor ... 219
        Sudo Monitoring Options ... 219
        User Command History Options ... 221
        Superuser (Root Level) Command History Options ... 222
    System Hardening Monitor ... 223
    System File and Directory Monitor ... 225
        System FileWatch Monitor ... 225
    System Symantec Software Monitor ... 239
    System External Device Activity Monitor ... 243
    System Attack Detection ... 244
        Generic Web Attack Detection Options ... 246
        UNIX Rootkit File / Directory Detection ... 249
        UNIX Worm File / Directory Detection ... 270
        Malicious Module Detection ... 273
        Suspicious Permission Change Detection ... 274

Appendix A  Parameter reference syntax ... 277
    Parameter reference syntax overview ... 277
    Simple policy parameter ... 278
    Compound policy parameter ... 278
        Process List ... 279
        Process List without Arguments ... 280
        Resource List ... 280
        Network List with Processes ... 281
        Network List ... 281
        Date/Time Value ... 282
    Operating system environment variable ... 282
    Windows registry value ... 282
    Agent translator function ... 283

Appendix B  Translator function reference ... 285
    Generic functions ... 285
        %?LocalIPs()?% ... 285
        %?LocalIPAddresses()?% ... 286
        %?AgentParams(<param name>)?% ... 286
        %?SplitPath(<path>)?% ... 286
        %?ImportFileList(<filepath>)?% ... 286

Index ... 289

Chapter 1  Detection policy overview

This chapter includes the following topics:

■ About the detection policies

■ About rulesets and rules

■ About policy options

■ About monitored files

■ About date and time restrictions

■ Using the management console to learn more about policy options

■ Viewing the policy option settings

About the detection policies

Symantec™ Critical System Protection includes detection policies for computers that run the following operating systems:

■ Microsoft® Windows®

■ IBM® AIX®

■ Sun™ Solaris™

■ Red Hat® Enterprise Linux

■ SUSE® Linux Enterprise

■ Hewlett-Packard® HP-UX®

■ Hewlett-Packard Tru64 UNIX®

A detection policy is a collection of rules that are configured to detect specific events and take action. Detection policies define which system events or user-defined criteria are selected, which criteria are ignored, and what actions are performed after select and ignore criteria are met.

The Symantec Critical System Protection detection policies monitor events and syslogs, and report anomalous behavior. Features include sophisticated policy-based auditing and monitoring; log consolidation for easy search, archival, and retrieval; advanced event analysis and response capabilities; and file and registry protection and monitoring.

About rulesets and rules

Every Symantec Critical System Protection detection policy contains exactly one ruleset, and each ruleset contains one or more rules. Each rule is grouped by type.

The rule types are as follows:

■ NT event log

■ Filewatch

■ Prevention watch

■ Text log

■ Generic

■ C2 log

■ Syslog

■ UNIX activity log

Rule types are associated with collectors that gather data from a host system. The collectors format data from events, system logs, application logs, file systems, the Windows registry, and other sources. The collectors compare events with rules to determine matches.

The detection policies use the following collectors:

Event log
Looks for matches in the Windows event log files. The event log files are the Microsoft standard format .evt files. In standard installations, three event log files exist: Security, System, and Application.
The filtered events appear in the Evt_filter.ini file on the agent computer.

Text log
Looks for matches in user-specified text logs. You can specify the path to a log file, and a text pattern that determines how data from the log file is parsed and recorded.

Registry
Watches changes to user-specified registry keys. You can watch changes to key/value, operations (created, modified, deleted), operation results (success, failure, either), and process.
The key/value string supports wildcard characters. Multiple key/value strings are allowed in a rule. The filtered keys appear in the Registry.ini file on the agent computer.
You can watch all operations or none (meaning any activity). You can filter the result of the operation. The process can be specified only once in the rule.

File
Determines how agents monitor files. Intruders often attempt to replace critical system files with Trojan horse versions, or alter system files to create a back door for future intrusions. The file collector detects changes to these system-critical files.
The file collector is associated with the filewatch rule type, which logs activity to files and directories. You can specify the file/directory to watch, the file operation, and the protection settings.

Syslog
Watches for syslog daemon tampering on UNIX operating systems. The syslogd daemon must run for the syslog collector to work. Normally, syslogd runs at all times on a secured UNIX system. Upon initialization, the syslog collector checks that syslogd is running and starts it if it is not running.
Subsequently, if syslogd is killed while an agent is running, an error event is generated and matched against a suitable Syslogd Tampering policy. No attempts are made to restart syslogd.
The syslog collector monitors and parses the following named pipe:
/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe
This pipe is specified in /etc/syslog.conf.

C2 log
Looks for matches in the C2 audit logs on agent computers that run Solaris, HP-UX, and AIX operating systems.

WTMP
Looks for matches in the WTMP file on UNIX operating systems (and the BTMP file on some operating systems). This file collects user authentication and account information. You can specify text patterns to parse.
The WTMP file captures successful login events. The WTMP file that is watched varies, depending on the operating system. All UNIX operating systems at one point used the WTMP format, but many now use the newer WTMPX format. On some systems, this file name may be WTMP, WTMPX, or WTMPS, even though the format internally is WTMPX.
BTMP/BTMPS (HP-UX only) is read to capture failed login attempts. If the WTMP or BTMP file does not exist when the agent is started, an error is reported, and events are not captured. If the file is created while the agent is running, the agent captures the events without a restart. Also, on HP-UX, the collector watches WTMP, WTMPS, BTMP, and BTMPS for events.

Generic
Looks for matches from all collectors, as well as internal agent status and error messages, including those of Symantec Critical System Protection agents. The status and error messages are specified in status and error rule types.

Error
Looks for matches in Symantec Critical System Protection agent error messages. You can specify text patterns to parse.

Status
Looks for matches in Symantec Critical System Protection agent status messages. You can specify text patterns to parse.
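The WTMP collector reads binary login records, and the table above notes that the record format differs between operating systems. The following Python script is an added example, not part of this guide or of the agent's code, that shows what such a collector sees: it parses the glibc struct utmp layout that Linux uses for wtmp and btmp (an assumption; Solaris and AIX WTMPX and HP-UX WTMPS records have different layouts and must not be read with this format string), classifies records as logins, logouts or failed attempts, and ignores a truncated trailing record, which is what a file still being written by login(1) or sshd looks like. The sample records are constructed, not captured from a real host, and the `make_record` helper exists only to build them.

```python
"""Parse WTMP/BTMP login records the way a login collector would.

Added example, not Symantec Critical System Protection code.
Assumed record layout: glibc `struct utmp` as used on Linux x86_64 (384 bytes,
little-endian). Solaris/AIX WTMPX and HP-UX WTMPS differ and need other formats.
"""
import struct
from datetime import datetime, timezone

# short ut_type, 2 pad, int ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status{short,short}, int ut_session, tv_sec, tv_usec, ut_addr_v6[4], 20 unused
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)       # 384 for the assumed layout

# ut_type values from <utmp.h>
USER_PROCESS = 7                             # a normal (successful) login
DEAD_PROCESS = 8                             # the matching logout


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_records(blob):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FMT, blob, off)
        yield {
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        }


def login_events(blob, source="wtmp"):
    """Return login-related events from a wtmp or btmp blob.

    wtmp: USER_PROCESS records are successful logins, DEAD_PROCESS the logouts.
    btmp: every record with a user name is a failed attempt (same record
    layout, different file; Linux keeps /var/log/btmp, HP-UX keeps BTMP/BTMPS).
    """
    events = []
    for rec in parse_records(blob):
        if source == "btmp":
            if rec["user"]:
                events.append({**rec, "event": "failed_login"})
        elif rec["type"] == USER_PROCESS:
            events.append({**rec, "event": "login"})
        elif rec["type"] == DEAD_PROCESS:
            events.append({**rec, "event": "logout"})
    return events


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record in the assumed layout; used only to construct samples."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


# Constructed sample data (not captured from a real system).
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1700000000)
    + make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700003600)
    + b"\x07\x00"                            # record still being written: ignored
)
SAMPLE_BTMP = make_record(USER_PROCESS, 4300, "ssh:notty", "root",
                          "203.0.113.9", 1700000500)

if __name__ == "__main__":
    for ev in login_events(SAMPLE_WTMP) + login_events(SAMPLE_BTMP, "btmp"):
        print(ev["time"].isoformat(), ev["event"], ev["user"] or "-",
              ev["line"], ev["host"] or "-")
```

On a real Linux host, `login_events(open("/var/log/wtmp", "rb").read())` gives the same view that `last` prints, and the btmp variant corresponds to `lastb`; if either file is missing the collector, as the table states, reports an error and captures nothing until the file appears.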

About policy options

You use policy options to configure a detection policy for assignment to a target computer. Policy options comprise a simplified set of controls that you can use to enable or disable features in a policy. Some options have associated parameters, which let you customize the behavior of an option.

About monitored files

Detection policies monitor files that are listed under the File Monitor Groups and File Path Groups policy options.

For example, the Windows Baseline Detection policy contains the following under Monitor System-Critical Files:

■ Monitor System-Critical Files

    ■ Dll Cache Files

    ■ Driver Cache Files

    ■ Security Database Files

    ■ Core System Files

To view the Monitor System-Critical Files in the Windows Baseline Detection policy

1 In the management console, click Policies.

2 Under the Policies tab, click Detection.

3 On the Policies page, in the Workspace tree, click the Symantec folder.

4 Double-click the Windows_Baseline_Detection policy.

5 In the Policy Editor dialog box, select System File and Directory Monitor.

About date and time restrictions

Many of the Symantec Critical System Protection detection policies include rules for date restrictions. You use date restrictions to select or ignore events that occur within a specified time frame. Date restrictions are active when a rule is enabled, and inactive when a rule is disabled.

When enabling a date restriction rule, you must specify the following:

■ Start of time interval

■ Duration of time interval

■ Frequency of time interval
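A date restriction is therefore a window defined by a start, a duration and a repeat frequency, and a rule either selects the events inside it or ignores them. The Python below is an added example, not code from this guide or from the agent, that evaluates such a window. It assumes the frequency is a repeat period (a timedelta, or None for a window that occurs once), which is an assumption about how the agent represents it; the sample events and the nightly maintenance window are constructed. The window deliberately spans midnight, the case where a naive comparison of the hour of day goes wrong, and times are kept in UTC so daylight-saving shifts cannot move the window.

```python
"""Evaluate a date restriction (start, duration, frequency) against events.

Added example, not Symantec Critical System Protection code. Frequency is
modelled as the repeat period (assumption); None means a one-off window.
"""
from datetime import datetime, timedelta, timezone


def in_interval(event_time, start, duration, frequency=None):
    """True if event_time falls inside the (possibly repeating) interval."""
    if event_time < start:
        return False                       # nothing before the first occurrence
    if frequency is None:
        return event_time < start + duration
    if duration > frequency:
        raise ValueError("a duration longer than the frequency is always active")
    offset = (event_time - start) % frequency   # position inside the current repeat
    return offset < duration


def apply_restriction(events, start, duration, frequency, mode):
    """mode 'select' keeps events inside the window; 'ignore' drops them.

    events are (timestamp, text) pairs; the surviving pairs are returned.
    """
    if mode not in ("select", "ignore"):
        raise ValueError("mode must be 'select' or 'ignore'")
    keep_inside = mode == "select"
    return [e for e in events
            if in_interval(e[0], start, duration, frequency) == keep_inside]


# Constructed sample: a nightly 22:00-06:00 UTC maintenance window, repeating daily.
WINDOW_START = datetime(2024, 1, 1, 22, 0, tzinfo=timezone.utc)
WINDOW_DURATION = timedelta(hours=8)
WINDOW_FREQUENCY = timedelta(days=1)

# Constructed sample events (timestamp, description).
SAMPLE_EVENTS = [
    (datetime(2024, 1, 3, 3, 0, tzinfo=timezone.utc), "service restart by ops"),
    (datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc), "service restart by unknown"),
    (datetime(2024, 1, 9, 5, 59, tzinfo=timezone.utc), "package install"),
    (datetime(2024, 1, 9, 6, 0, tzinfo=timezone.utc), "package install after window"),
]


def suspicious_changes():
    """Ignore changes made inside the nightly window; the rest deserve an alert."""
    return apply_restriction(SAMPLE_EVENTS, WINDOW_START, WINDOW_DURATION,
                             WINDOW_FREQUENCY, "ignore")


if __name__ == "__main__":
    for when, what in suspicious_changes():
        print(when.isoformat(), what)
```

The 06:00 event is kept because the interval is half-open: an event at exactly start + duration is outside the window, so a rule that ignores the maintenance window still reports a change made the second it closes.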

Using the management console to learn more about policy options

To learn more about a policy option, use the Symantec Critical System Protection management console in conjunction with this manual.

To use the management console to learn more about policy options

1 In the management console, on the Policies page, click Detection, and then edit a policy.

2 In the Policy Editor dialog box, select any option to see its description and settings.

See the Symantec Critical System Protection Administration Guide for instructions on how to use the management console.

Viewing the policy option settings

You use the management console to view a summary of the policy option settings for the detection policies.

To view the policy option settings

1 In the management console, click Policies.

2 Under the Policies tab, click Detection.

3 On the Policies page, click the Symantec folder.

4 In the workspace pane, double-click a Symantec Critical System Protection detection policy.

5 In the policy dialog box, under Policy Changes and Summary, click Summary.

A summary of the policy options is shown in tree form. The tree includes only those options that are enabled (shown in bold text) and the parameters that have values.

Note: The Windows Baseline Detection policy does not support the SymIDS ISAPI filter anymore. Older detection policies required the SymIDS ISAPI filter to be installed and they monitored the filter's log file. The new Windows Baseline Detection policy monitors IIS log files directly and does not require the SymIDS ISAPI filter to provide additional information.

Chapter 2  Windows detection policy reference

This chapter includes the following topics:

■ About the Windows detection policies

■ List of policies

■ Host Intrusion Detection policies enhancements

About the Windows detection policies

Symantec Critical System Protection includes detection policies for computers that run supported Windows operating systems. Some policies require that you enable Windows features; these features may also require a configuration change. In this manual, when an enabled Windows feature is required, the policy description identifies the feature that you must enable.

For example, the System_User_Configuration policy detects changes made to user accounts. To enable this policy, you must enable the Windows Security Policy auditing system for user account management actions at the following location:

Settings > Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Audit Policy > Audit account management

In this manual, features that you must enable are marked with the word Configuration. The policy descriptions also indicate if other types of configuration changes are needed.


List of policies

This section describes the Symantec Critical System Protection Windows detection policies.

CSP_Agent_Diagnostics

This Windows detection policy includes options for the following:

■ Run the collect info script

■ Restart the IDS service

■ Restart the IPS service

■ Restart the UTIL service

■ Force log rollover of the agent event log file

■ Modify the management server list for an agent

■ Edit agent configuration files

By default, all the options in the policy are disabled. You must enable an option for the policy to work. The policy performs the enabled option immediately after being applied to the agent. After confirming that the policy performed the enabled option, you must clear the policy from the agent.

See “Enabling an option in the policy” on page 20.

The policy options are as follows:


Diagnostic functions
    Performs the following diagnostic functions on an agent computer:

    ■ Take no action

    ■ Run the collect info script

    ■ Restart the IDS Service

    ■ Restart the IPS Service

    ■ Restart the UTIL Service

    ■ Force log rollover

    You use the options to run diagnostic functions to troubleshoot problems with Symantec Critical System Protection. Generally, you will not enable these options unless instructed by Symantec Support.

    Default: Take no action

    The collect info script collects information about an agent. The agent automatically uploads the collect info output file to the management server. Log on to the management server to get the output file from the server directory:

    C:\Program Files\Symantec\Critical System Protection\Server\logfiles\<hostname>\<date>\

    The options to restart the IDS, IPS, and UTIL services restart these services on the agent computer.

    Forcing rollover (rotation) of the current agent event log file closes the current log file and opens a new log file.

    See the Symantec Critical System Protection Administration Guide for information on collect info and log file rotation.

Advanced agent settings: Modify the management server list used by the agent
    Updates the management server list for an agent. The management server list is used in conjunction with simple failover. You can use this option to change the primary and alternate servers in the list (for example, if an alternate server is unavailable).

    See the Symantec Critical System Protection Administration Guide for information on simple failover.

    Enable the option, and then specify the servers in a comma-separated list. You must specify the primary management server as the first server, followed by any optional alternate servers. Specify the IP address or fully qualified host name of each server in the list. All the servers in the list must use the same server certificate and agent port.

Advanced agent settings: Edit configuration file
    You use this option to edit agent configuration files.

    Note: Do not enable this option unless instructed by Symantec Support.


Enabling an option in the policy

The following instructions enable an option in the CSP_Agent_Diagnostics policy, apply the policy to an agent, and clear the policy from the agent.

Note: Instead of applying the CSP_Agent_Diagnostics policy directly to an agent, you can create a group and then apply the policy to the group. When you need to perform an enabled option in the policy, simply add the agent to the group. You must delete the agent from the group after the policy has performed the enabled option.

To enable an option in the policy

1 Log on to the management console as an administrator.

2 In the management console, on the Policies page, in the Symantec folder, edit the CSP_Agent_Diagnostics policy.

3 In the policy editor dialog box, under Policy Settings, click Diagnostic functions.

4 In the policy editor dialog box, check Select a function to run on the agent and click Edit.

5 In the Value list, select the option for a desired function.

For example, to run the collect info script, select Run the collect info script to enable the option.

6 Click OK.

7 Apply the policy to the agent.

The policy performs the enabled option immediately after being applied to the agent.

8 In the management console, on the Monitors tab, under Events, monitor the events to determine if the enabled option was performed.

For example, to determine if the collect info output file was uploaded to the management server, look for management events of type Agent Status. The event message contains the name of the collect info output file.

9 In the management console, on the Assets page, select the agent, and thenright-click Clear Policy to clear the policy from the agent.


CSP_Agent_Status

This Windows detection policy detects changes to the Symantec Critical System Protection registry keys. The policy also detects if SymIDSFilter.dll, which monitors Microsoft Internet Information Services (IIS) activity, fails to load.

The policy options are as follows:

CSP Registry Settings Modified
    Detects changes to the Symantec Critical System Protection registry keys.

SymIDSFilter Load Failed
    Detects if SymIDSFilter.dll, which monitors IIS activity, fails to load.

CSP_Server_Monitor

This Windows detection policy watches the CSP Server Tomcat logs and, if the built-in SQL Server 2005 Express database is used, the SQL Server 2005 Express DB logs. The policy sends error messages to the management console when a listed error occurs.

The policy options are as follows:

Failure to send email alert
    Detects that an error occurred while sending an alert email.

Evaluation database is full
    Detects that an SQL Server 2005 Express database instance used by an evaluation installation of Symantec Critical System Protection is full.

    Depending on which portion of the database is full, the management server may not be able to store and display this error.

Server startup
    Detects that management server servlets started.

Server shutdown
    Detects that management server servlets stopped.

Database cleanup started
    Detects that periodic database cleanup activities started.

Global_Watch_Policy

This Windows detection policy monitors alert text files. An alert text file is a user-specified text file that contains alert-captured events.

Administrators create alerts in the management console. Administrators use alerts to send email messages and SNMP traps when Symantec Critical System Protection observes specific events.


When creating an alert, administrators can set up an alert text file to save events of interest. The alert text file can contain text strings and event fields. The file is created when the alert captures an event; subsequent records are appended to the file.

You can use the policy to analyze alert-captured events. The policy includes rule options to define which records in the alert text file are selected and ignored, and how to extract event data.

The policy includes rule options to aggregate events, which can potentially originate from multiple agents. Events are aggregated based on event count, time interval, and optional field value.

When an event in an alert text file matches the criteria specified in the policy, the policy sends the event to the management console.

To use this policy effectively, you must understand how the alert text file is constructed, including the following:

■ Name and path of the alert text file

■ Record content

■ Record format (fields and field order)

See the Symantec Critical System Protection Administration Guide for information on alerts and alert files.

Alert text files reside on the Symantec Critical System Protection management server computer. The default alerts directory is as follows:

C:\Program Files\Symantec\Critical System Protection\Server\alerts\

You apply the Global_Watch_Policy to the Symantec Critical System Protection management server computer.

The policy rules are as follows:


File description
    Specify the alert text file to monitor.

    The rule options are as follows:

    ■ File path

      Specify the complete file path of the alert text file. Wildcard characters are not permitted in the file path. Use the percent sign (%) to delimit variables.

    ■ Parse definitions

      Select this check box to define the parse definitions in the alert text file, and then specify the parse pattern.

      Parse definitions define how to extract fields from the alert text file and assign the fields to variables. You format variables as {variable}.

      Example: *user_name={user name},*

      This parse definition extracts user_name from the alert text file and assigns it to the variable {user_name}.

      Parse strings support wildcard characters. Type an asterisk (*) as the wildcard character for zero or more characters.

Event counting
    Select this check box to aggregate events.

    The rule options are as follows:

    ■ Number of occurrences during time interval

    ■ Time interval

    The policy records an event when the event count equals the specified number of occurrences, during the specified time interval.

    See also Grouped counting.


Event counting: Grouped counting
    Select this check box to count events in groups.

    Events are grouped based on a field value. For example, suppose the alert text file contains events from multiple agents, and each record contains the agent name. You can select the Grouped counting check box to group event counting based on agent name.

    When using grouped counting, use parse definitions to define the fields to extract from the alert text file.

    The rule options are as follows:

    ■ Count repetition of the same field value

      Select this check box to have the policy record an event based on the number of repetitions of the same field value, during the specified time interval.

      Example: You specify that the policy record an event if three records during a one-minute interval contain the same agent name.

    ■ Count number of different field values

      Select this check box to have the policy record an event based on the number of different field values, during the specified time interval.

      Example: You specify that the policy record an event if three records during a one-minute interval contain different agent names.

Matching criteria
    Select this check box to define which records in the alert text file the policy should select and ignore. The policy selects and ignores records based on text patterns.

    The rule options are as follows:

    ■ Patterns to match on

      Specify a list of text patterns to match. The policy selects a record if it contains a specified pattern.

    ■ Patterns to ignore

      Select this check box to have the policy ignore records that contain a specified text pattern. Specify the list of patterns to ignore.
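The Python below is an added example covering the File description (parse definitions), Event counting, Grouped counting and Matching criteria rules together; it is not code from the guide or from the product. It selects records from a constructed alert text file by substring match and ignore patterns, extracts fields with a parse definition written in the {variable} and * notation above (including the page's own *user_name={user name},* form), and then aggregates the parsed events by plain count, by repetition of the same field value, and by number of different field values within a time interval. The record layout, the function names, the choice to clear a counting window once it has fired, and treating an empty match list as "select everything" are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed alert text file records; the field layout is an assumption for
# this illustration, not a file captured from a management server.
SAMPLE_RECORDS = [
    "2012-03-05 10:15:02 agent=web01,user_name=alice,action=logon_failure",
    "2012-03-05 10:15:20 agent=web01,user_name=alice,action=logon_failure",
    "2012-03-05 10:15:41 agent=web02,user_name=bob,action=logon_failure",
    "2012-03-05 10:15:55 agent=web01,user_name=alice,action=logon_failure",
    "2012-03-05 10:16:30 agent=web03,user_name=carol,action=logon_failure",
    "2012-03-05 10:17:10 agent=web01,user_name=alice,action=password_change",
]


def compile_parse_definition(pattern):
    """Turn a parse definition such as '*user_name={user name},*' into a
    compiled regex and the list of variable names in the order they appear.
    '*' matches zero or more characters; '{name}' captures a field."""
    names, regex, i = [], "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            regex += ".*?"
        elif ch == "{":
            end = pattern.index("}", i)        # ValueError if the brace is unclosed
            names.append(pattern[i + 1:end])
            regex += "(.*?)"
            i = end
        else:
            regex += re.escape(ch)
        i += 1
    return re.compile("^" + regex + "$"), names


def parse_record(line, compiled, names):
    """Return a dict of variable -> extracted value, or None if no match."""
    m = compiled.match(line)
    return dict(zip(names, m.groups())) if m else None


def select_record(line, patterns_to_match, patterns_to_ignore=()):
    """Matching criteria: a record is selected when it contains any pattern to
    match and none of the patterns to ignore. (Treating an empty match list as
    'select everything' is an assumption of this example.)"""
    if any(p in line for p in patterns_to_ignore):
        return False
    return not patterns_to_match or any(p in line for p in patterns_to_match)


def count_events(events, threshold, interval, field=None, mode="same"):
    """Event counting over (timestamp, fields) tuples in timestamp order.
    field=None              plain counting: alert when `threshold` records fall within `interval`
    field, mode="same"      alert when `threshold` records within `interval` share one value of `field`
    field, mode="different" alert when records within `interval` carry `threshold` distinct values
    After an alert the window that fired is cleared (assumption of this example).
    Returns a list of (timestamp, group, count)."""
    alerts, windows = [], {}
    for ts, fields in events:
        value = fields.get(field) if field else None
        key = value if (field and mode == "same") else "all"
        window = windows.setdefault(key, [])
        window.append((ts, value))
        while window and window[0][0] < ts - interval:   # drop entries older than the interval
            window.pop(0)
        count = len({v for _, v in window}) if (field and mode == "different") else len(window)
        if count >= threshold:
            alerts.append((ts, key, count))
            window.clear()
    return alerts


def run_demo():
    """Select, parse and aggregate the sample records; returns the results."""
    compiled, names = compile_parse_definition("*agent={agent},*user_name={user name},*")
    events = []
    for line in SAMPLE_RECORDS:
        if not select_record(line, ["logon_failure"], ["web03"]):
            continue
        fields = parse_record(line, compiled, names)
        if fields is not None:
            events.append((datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), fields))
    minute = timedelta(minutes=1)
    return {
        "selected": len(events),
        "plain": count_events(events, 4, minute),
        "same_agent": count_events(events, 3, minute, field="agent", mode="same"),
        "different_agents": count_events(events, 2, minute, field="agent", mode="different"),
    }


if __name__ == "__main__":
    print(run_demo())
```

With the sample records, four records survive the matching criteria (the web03 record is ignored and the password change does not match), the repeated logon failures from web01 trigger the same-value rule at the third occurrence, and the different-values rule fires as soon as a second agent appears inside the one-minute interval.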

Windows_Template_Policy

The Windows_Template_Policy is a reusable workspace container policy in which you create custom rules.

The policy includes rule options for the following rule types:

■ NT event log

■ Filewatch


■ Registry watch

■ Prevention watch

■ Text log

■ Generic

Each rule that you create in the policy is controlled by rule options that are enabled or disabled in the management console. You can customize the rule options by editing the rule parameters.

Management console functions are available to help you maintain custom rules. You can modify a custom rule name, description, and options. A special copy command lets you reuse custom rules across multiple policies; you can copy the options for a custom rule that is defined in the template policy to another workspace policy, without re-keying the options.

When importing and exporting workspace policies, the options to control custom rules are also imported and exported. When updating workspace policies, the options to control custom rules are also updated.

The template policy is intended for use as a container policy for managing custom rules. The policy contains only the rules that you define.

When creating a custom rule, you specify general rule options and rule-specificoptions.

See “About general rule options” on page 28.

See “About NT event log rules” on page 30.

See “About filewatch rules” on page 31.

See “About registry watch rules” on page 35.

See “About prevention watch rules” on page 36.

See “About text log rules” on page 37.

See “About generic rules” on page 39.

Kill_Prevention_PSET

This Windows detection policy attempts to kill any process that acts as an injectee or an injector. The Kill_Prevention_PSET policy is used in combination with the prevention policies. When the Kill_Prevention_PSET policy is applied to an agent, all processes routed to thread_injectee_nopriv_ps or thread_injector_nopriv_ps are killed by using the taskkill.exe application.


Note: The processes are routed to the thread_injectee_nopriv_ps or thread_injector_nopriv_ps PSETs only when you apply the IPS policy and configure the policy to detect thread injection. By default, thread injection detection is enabled in the core, strict, and limited execution prevention policies.

Following are the Kill_Prevention_PSET policy options:

Kill all thread injectee processes
    The prevention policy applies this option only when it finds that unauthorized code has been injected into a specific process.

Kill all thread injector processes
    The prevention policy applies this option only when it finds that the process has injected code into another process against the policy restrictions.

Kill New Processes in a Specific PSET
    Kills any process that is routed to the specified PSET.

    To enable this option, check Show advanced options.

Creating custom rules

You can create as many custom rules as you need. You can create multiple rules of different types and multiple rules of the same type. You can create the rules in the original template policy or in a template copy.

Verify the rule order. Detection rules are ordered top to bottom. Changing the rule order changes the meaning of the rules.

As an example, the following instructions create a text log rule.

To create custom rules

1 In the management console, click Policies.

2 Under the Policies tab, click Detection.

3 On the Policies page, double-click Windows_Template_Policy.

4 In the policy editor dialog box, under Policy Settings, click My Custom Rules, and then click the Add a new Custom Control icon.


5 In the New Custom Rule Wizard dialog box, specify the following information.

Display Name
    Type a descriptive name for the custom rule.

    This text appears in the policy editor, under My Custom Rules.

    In the text log rule example, type Text Log Rule.

Category
    Select a rule type.

    In the text log rule example, select Text Log.

Identifier
    Type a name that the policy uses internally to identify the custom rule. The name must not include spaces or special characters.

    In the text log rule example, type textlog.

Description
    Type a full description of the custom rule.

6 Click Finish.

7 In the policy editor dialog box, click Edit to view the policy options.

8 In the policy editor dialog box, check Text log rule options and then click Edit.

9 In the policy editor dialog box, enable or disable the rule options, and modify the rule parameters as needed.

10 If the rules need reordering, select a rule, and then click Move Up or Move Down; repeat as needed.

11 Click OK.

Reusing custom rules

You can copy a custom rule that is defined in the template policy to another workspace policy. The options that control the custom rule are copied to the workspace policy.

You can copy a rule using the following methods:

■ On the Policies page, select the template policy, and then right-click Copy Custom Controls.

■ Edit the template policy, select one or more custom rules, and then click Copy To Other Policy.

If the custom rule being copied does not exist in the target policy, the rule is added to the target policy. If the custom rule being copied already exists in the target policy, the rule is updated in the target policy.


The Copy Policy Options Wizard prompts you to select one of the following merge options:

Default
    Ignores the target policy and uses the option settings in the template policy.

Take the new option settings
    If the custom rule does not exist in the target policy, select this option.

Merge the changed options
    Merges the option settings in the target policy with the option settings in the template policy.

    Note: Only the options for the selected custom rules are merged.

After copying a custom rule to a workspace policy, you should verify the rule options. Verify that the custom rule appears in the policy; click Settings to view the options. Verify that the custom rule is enabled in the policy.

To reuse custom rules

1 In the management console, click Policies.

2 Under the Policies tab, click Detection.

3 On the Policies page, select Windows_Template_Policy, and then right-click Copy Custom Controls.

4 In the Copy Policy Options Wizard dialog box, select a custom rule, and then click Next.

To select multiple custom rules, press and hold the Shift or Ctrl key while selecting the rules.

5 In the Copy Policy Options Wizard dialog box, select one or more target policies to receive the selected custom rules, and then click Next.

To select multiple target policies, press and hold the Shift or Ctrl key while selecting the policies.

6 In the Copy Policy Options Wizard dialog box, select the merge option, and then click Finish.

About general rule options

The following rule options apply to all rule types:


Rule name
    In the Value box, type the rule name. This value appears in the management console. Required.

    In the Rule Name box, type a name to associate internally with the rule. Rule names are carried throughout the system and are recorded in each event that is generated by the policy. Rule names help provide insight into why an event was recorded. Optional.

    In the Comment box, type notes or comments about the rule. Optional.

Rule severity
    Select the severity number from the following range of rule severity numbers:

    ■ Info: Events with a severity of 0-19 contain information about normal system operation.

    ■ Notice: Events with a severity of 20-39 contain information about normal system operation.

    ■ Warning: Events with a severity of 40-59 indicate unexpected activity or problems that have already been handled by Symantec Critical System Protection.

    ■ Major: Events with a severity of 60-79 imply more impact than Warning and less impact than Critical.

    ■ Critical: Events with a severity of 80-99 indicate activity or problems that might require administrator intervention to correct.

Matching event patterns
    Specify additional patterns to match in an event.

    If specifying multiple patterns, any matching pattern triggers the rule.

    Select the check box to enable the option, and then specify the event patterns to match.

    To ignore events containing specific patterns, select the ignore check box, and then specify the event patterns to ignore.

    When specifying a text pattern, you can use the following wildcard characters:

    ■ Use a question mark (?) to match a single character, including the question mark itself. Examples: ab?c matches abcxc or ab?c, but not abc.

    ■ Use an asterisk (*) to match zero or more characters, including asterisks embedded in a text pattern. Examples: *abc matches a*b*cabc, where the initial asterisk is equivalent to a*b*c.

    ■ Use a backward slash (\) as an escape character. Use two backward slashes (\\) for a backward slash embedded in a text pattern.

    ■ Use a percent sign (%) to delimit variables, including environment variables. Use one backward slash and one percent sign (\%) for a percent sign embedded in a text pattern.
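As an added example (not code from the guide or from the product), the following Python implements the wildcard rules just listed: ? for exactly one character, * for zero or more, backslash as the escape character (\\ for a literal backslash, \% for a literal percent sign), and %name% delimiting a variable whose value is substituted and then matched literally. It also shows the "any matching pattern triggers the rule, unless an ignore pattern matches" logic over a constructed event text. The function names, the decision that a pattern must match the whole event text (so that *abc* is needed to match a substring), and the fallback to environment variables for %names% the caller does not supply are assumptions made here.

```python
import os
import re

# Added example: a matcher for the wildcard rules described in the guide
# ('?', '*', backslash escapes and %variable% delimiters). Function names,
# whole-text matching, and the environment-variable fallback are assumptions.


def pattern_to_regex(pattern, variables=None):
    """Translate an event pattern into a regular expression string."""
    variables = variables or {}
    out, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:
            # Escape: the next character is literal (\\ -> \, \% -> %, \* -> *, \? -> ?).
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif ch == "?":
            out.append(".")            # exactly one character, '?' included
            i += 1
        elif ch == "*":
            out.append(".*")           # zero or more characters, '*' included
            i += 1
        elif ch == "%":
            end = pattern.find("%", i + 1)
            if end == -1:
                raise ValueError("unterminated variable in pattern: %r" % pattern)
            name = pattern[i + 1:end]
            if name in variables:
                value = variables[name]
            elif name in os.environ:
                value = os.environ[name]
            else:
                raise ValueError("unknown variable %%%s%%" % name)
            out.append(re.escape(value))   # substituted text is matched literally
            i = end + 1
        else:
            out.append(re.escape(ch))    # ordinary character (or a lone trailing backslash)
            i += 1
    return "".join(out)


def match_pattern(pattern, text, variables=None):
    """True when the whole text matches the pattern."""
    return re.fullmatch(pattern_to_regex(pattern, variables), text, re.DOTALL) is not None


def rule_matches(text, patterns_to_match, patterns_to_ignore=(), variables=None):
    """Any matching pattern triggers the rule, unless an ignore pattern also matches."""
    if any(match_pattern(p, text, variables) for p in patterns_to_ignore):
        return False
    return any(match_pattern(p, text, variables) for p in patterns_to_match)


if __name__ == "__main__":
    # Constructed event text, not output captured from the product.
    event = r"Process created: C:\Windows\System32\cmd.exe"
    print(rule_matches(event, [r"*\\System32\\*"], [r"*\\notepad.exe"]))
```

Note that a Windows path in a pattern needs each backslash doubled, as the guide states, because a single backslash is consumed as the escape character; the %SystemRoot%\\notepad.exe form shows the variable and the escaped separator side by side.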


Record event to SCSP console
    Select this check box to send the event to the management console when activity matches the conditions.

    This rule option creates a record in the event log (.CSV) file.

Execute command
    Specify a command-line string, including path and arguments, to execute when the rule to execute the specified command is triggered.

    For an agent to properly execute a command, you should create the commands.txt file on the agent computer, in the \IDS\System directory. List each command-line string, including path and arguments, on a separate line in the commands.txt file. The commands.txt file must not require user interaction at a command line or with a graphical user interface.

Date and time restrictions
    Add date restrictions that specify a time interval when a rule is active or inactive. Date restrictions are active when the rule is enabled, inactive when the rule is disabled.

    Select the check box to enable the option.

    Specify whether to select or ignore events during the time interval.

    Specify the start, duration, and frequency of the time interval.

Files to monitor
    Specify the full path and name of the file to be monitored. You can specify multiple files. If the path refers to a directory, then only the changes to the directory are monitored.

    Click the Add button, and then in the Value box, type the path and name of the file. Repeat to specify another file.

    Unless otherwise stated, you can use wildcard characters in path and file name specifications. To monitor all files and subdirectories (up to two subdirectory levels), type an asterisk (*) for the file name.

About NT event log rules

This rule type monitors user-specified events in the Windows event log.

The NT event log rule type is associated with the NT event log collector. The NT event log collector looks for matches in Windows event log files. These event log files are the Microsoft standard format .evt files. In standard installations, three event log files exist: Security, System, and Application.

The rule is created with the following rule options:

NT event log rule options
    Select this check box to enable the rule.

Rule name
    See “About general rule options” on page 28.


Rule severity
    See “About general rule options” on page 28.

Windows event ID to monitor
    Type a comma-separated list of Windows event IDs to monitor.

    You can specify event IDs as the following:

    ■ Unsigned integer (for example, 529)

    ■ Variable (for example, %EventID%)

    ■ Comma-separated list of unsigned integers (for example, 617,618,619)

Windows event log file name
    Type the name of the Windows event log to monitor (System, Security, or Application).

Record event to SCSP console
    See “About general rule options” on page 28.

Execute command
    See “About general rule options” on page 28.

Event patterns
    See “About general rule options” on page 28.

Date and time restrictions
    See “About general rule options” on page 28.

About filewatch rules

This rule type monitors changes to user-specified files, and ignores changes to user-specified files. These changes comprise creating, deleting, modifying, and accessing user-specified files. You can enable or disable monitoring or ignoring specific files, and you can adjust the list of files that are monitored or ignored.

The filewatch rule type is associated with the file collector, which determines how agents monitor files. Intruders often attempt to replace critical system files with Trojan horse versions, or alter system files to create a back door for future intrusions. The file collector detects changes to these system critical files. Also, the FileWatch collector monitors all NTFS alternate data streams that are associated with a file name for creation, deletion, and changes. Symantec Critical System Protection does not support automatic file comparison of alternate data streams. You can compare individual data streams by specifying the absolute path for alternate data streams in a policy. Use file_path:stream_name to specify the absolute path.

The Windows filewatch implementation monitors files and directories on removable media. Filewatch generates a single Mount or Unmount event for each monitored path whenever a watched file or directory appears or disappears because of a mount, dismount, insertion or removal. Filewatch monitors removable media such as floppy drives, CD/DVD drives, USB drives, and firewire drives. The state of a removable drive is maintained across IDS Service restarts. (If a removable drive is being monitored when the IDS Service is stopped, and the drive is removed before the service is restarted, filewatch recognizes that the drive was removed and avoids generating FileDeleted events for the contents of the drive.) The Mount and Unmount events are generated directly into the CSV event log and do not have to match a policy rule. If you are not interested in these events, you can filter the events using log rules or real-time monitor filters.

The filewatch rule is created with the following rule options:

filewatch rule options
    Select this check box to enable the rule.

Rule name
    See “About general rule options” on page 28.

Rule severity
    See “About general rule options” on page 28.

Polling interval
    The frequency at which files are polled for changes. All files listed in a filewatch rule are monitored based on the polling interval.

    A low polling interval value might impact system performance.

    For high-priority files, the polling interval is typically set to 60 seconds.

Search depth
    The number of directory levels to monitor for file differences.

    Select a value (1-10) from the list or type a value.

    File differences include file creation, deletion, modification, and access.

Monitor file creation
    Select this check box to monitor user-specified files for creation.

Monitor file deletion
    Select this check box to monitor user-specified files for deletion.

Monitor file modification
    Select this check box to monitor user-specified files for modification.

    Additionally, you can enable or disable the following options:

    ■ Use file checksum to check if files are modified

      Select this check box to compare the current contents of a file with the previous version's contents. A file's checksum is calculated at agent startup to determine whether the file was modified since Symantec Critical System Protection was last shut down.

    ■ Report file differences

      Select this check box to report the file differences in the event, and then select the differences algorithm (TXT for generic text files or INI for Windows .ini configuration files).


Monitor file access
    Select this check box to monitor user-specified files for file access.

Additional patterns to match
    See “About general rule options” on page 28.

Files to watch
    Select this check box to monitor specific files, and then list the files to monitor.

Files to ignore
    Select this check box to ignore specific files, and then list the files to ignore.

Record event to SCSP console
    See “About general rule options” on page 28.

Execute command
    See “About general rule options” on page 28.

Date and time restrictions
    See “About general rule options” on page 28.

The FileWatch feature monitors changes in the following file system attributes. For each attribute, the list states whether old and new values are recorded, followed by any notes.

Unix Permission bitmask
    Old and new values recorded: Yes

    Notes:

    ■ User

    ■ Group

    ■ Other

    ■ Setuid bit

    ■ Setgid bit

    ■ Sticky bit


Windows Permission bitmask
    Old and new values recorded: Yes

    Notes: Changes to attributes marked with an asterisk (*) are only recorded if changes to the file's access time are being monitored.

    ■ Archive*

    ■ Directory

    ■ Encrypted

    ■ Hidden

    ■ Indexed*

    ■ Offline

    ■ Read Only

    ■ System

    ■ Temporary*

File size
    Old and new values recorded: Yes

Modification Date
    Old and new values recorded: Yes

    Notes: Windows FAT file systems have a two second resolution on their timestamps. If multiple changes happen within a two second window, Symantec Critical System Protection may not record them as separate events.

Access Date
    Old and new values recorded: Yes

    Notes: Symantec Critical System Protection monitors the access time only if the underlying file system supports recording access time. Following are the situations where file systems do not record access time:

    ■ Most current releases of Windows (Windows 2008 and newer, Windows Vista and newer) do not record access time by default. It must be explicitly enabled. For example, fsutil.exe behavior set disablelastaccess 0.

    ■ Windows FAT file systems do not record access time even if the operating system has it enabled.

Creation Date
    Old and new values recorded: Yes

# of Hard Links
    Old and new values recorded: Yes

    Notes: UNIX and Linux only

Symlink value
    Old and new values recorded: Yes

    Notes: UNIX and Linux only

Owner
    Old and new values recorded: Yes

Group
    Old and new values recorded: Yes

    Notes: Primary Group for Windows


File type
    Old and new values recorded: Yes

    Notes: Flags indicating if the path or filename switched to or from a file, from or to a directory, or a symlink. UNIX and Linux only.

NTFS Discretionary ACL
    Old and new values recorded: Yes

NTFS Extended File Attributes
    Old and new values recorded: Yes

NTFS Alternate Data Stream Size
    Old and new values recorded: Yes

File Checksum Value (SHA-256)
    Old and new values recorded: Yes

User that made change
    Old and new values recorded: N/A

    Notes: RT-FIM platforms and events only

Process that made change
    Old and new values recorded: N/A

    Notes: RT-FIM platforms and events only

Process ID that made change
    Old and new values recorded: N/A

    Notes: RT-FIM platforms and events only

User Session # that made change
    Old and new values recorded: N/A

    Notes: RT-FIM platforms and events only

In addition to monitoring the file system attributes, Symantec Critical System Protection records detailed changes made to the content of text files. The changes are recorded in a typical diff format with old and new lines from the file shown.
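The following Python is an added example, not code from the guide or from the product, written to illustrate the Monitor file modification options above (checksum comparison and reporting of TXT differences) together with the checksum and diff recording described in this section. It keeps a SHA-256 baseline for each watched path when the watcher starts, reports creation, deletion and modification on each poll, and attaches a unified diff of old and new lines for modified text files. The class and event names, the temporary files it creates, and the constructed hosts-file change are assumptions made for this illustration.

```python
import difflib
import hashlib
import os
import tempfile

# Added example: a polling file watcher that keeps a SHA-256 baseline per
# watched path, reports creation, deletion and modification, and attaches a
# TXT-style diff of old and new lines. Class and event names are assumptions
# made for this illustration; they are not the product's own.


class FileWatch:
    def __init__(self, paths, report_differences=True):
        self.paths = list(paths)
        self.report_differences = report_differences
        # Baseline taken when the watcher starts; a checksum baseline is what
        # lets a change made while the watcher was down be noticed later.
        self.state = {p: self._snapshot(p) for p in self.paths}

    @staticmethod
    def _snapshot(path):
        """Return None for a missing path, else checksum, size, mtime and text."""
        if not os.path.isfile(path):
            return None
        with open(path, "rb") as f:
            data = f.read()
        st = os.stat(path)
        return {"sha256": hashlib.sha256(data).hexdigest(), "size": st.st_size,
                "mtime": st.st_mtime, "text": data.decode("utf-8", "replace")}

    def poll(self):
        """Compare each path with its baseline and return a list of event dicts."""
        events = []
        for path in self.paths:
            old, new = self.state[path], self._snapshot(path)
            if old is None and new is not None:
                events.append({"event": "FileCreated", "path": path, "new_sha256": new["sha256"]})
            elif old is not None and new is None:
                events.append({"event": "FileDeleted", "path": path, "old_sha256": old["sha256"]})
            elif old is not None and new is not None and old["sha256"] != new["sha256"]:
                # Checksums, not timestamps, decide: a change inside FAT's two-second
                # timestamp resolution, or one that preserves mtime, is still caught.
                ev = {"event": "FileModified", "path": path,
                      "old_sha256": old["sha256"], "new_sha256": new["sha256"],
                      "old_size": old["size"], "new_size": new["size"]}
                if self.report_differences:
                    ev["diff"] = list(difflib.unified_diff(
                        old["text"].splitlines(), new["text"].splitlines(),
                        "old", "new", lineterm=""))
                events.append(ev)
            self.state[path] = new
        return events


def demo():
    """Exercise the watcher on constructed files in a temporary directory."""
    tmp = tempfile.mkdtemp()
    hosts = os.path.join(tmp, "hosts")
    created = os.path.join(tmp, "created.txt")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    watch = FileWatch([hosts, created])
    first = watch.poll()                      # nothing changed yet
    with open(hosts, "a") as f:               # constructed change to the hosts file
        f.write("10.0.0.5 update.example.test\n")
    with open(created, "w") as f:
        f.write("dropped\n")
    second = watch.poll()
    os.remove(hosts)
    third = watch.poll()
    return first, second, third


if __name__ == "__main__":
    for batch in demo():
        for ev in batch:
            print(ev["event"], ev["path"])
```

The first poll is empty because nothing changed since the baseline; the second reports the modified hosts file with the added line visible in the diff, plus the newly created file; the third reports the deletion. In the product, the polling interval and search depth options above bound how quickly and how deeply such a watcher looks.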

About registry watch rules

This rule type monitors changes to user-specified registry keys, and ignores changes to user-specified registry keys. These changes comprise creating, deleting, and modifying user-specified registry keys. You can enable or disable monitoring or ignoring specific registry keys, and you can adjust the list of registry keys that are monitored or ignored.

The registry watch rule type is associated with the registry collector. The registry collector watches for changes made to user-specified registry keys.

The rule is created with the following rule options:


Registry watch rule options
    Select this check box to enable the rule.

Rule name
    See “About general rule options” on page 28.

Rule severity
    See “About general rule options” on page 28.

Monitor creation of registry keys
    Select this check box to monitor the creation of user-specified registry keys.

Monitor deletion of registry keys
    Select this check box to monitor the deletion of user-specified registry keys.

Monitor modification of registry keys
    Select this check box to monitor the modification of user-specified registry keys.

Additional patterns to match
    See “About general rule options” on page 28.

Registry keys to watch
    Select this check box to monitor specific registry keys, and then list the keys to monitor.

Registry keys to ignore
    Select this check box to ignore specific registry keys, and then list the keys to ignore.

Record event to SCSP console
    See “About general rule options” on page 28.

Execute command
    See “About general rule options” on page 28.

Date and time restrictions
    See “About general rule options” on page 28.

About prevention watch rules

This rule type monitors user-specified prevention events.

The rule is created with the following rule options:

Prevention watch rule options: Select this check box to enable the rule.

Rule name: See “About general rule options” on page 28.

Rule severity: See “About general rule options” on page 28.

Prevention event fields to match on: This option matches event fields. It is always enabled.

Select one of the following prevention event types:

■ All prevention events

■ Buffer overflow

■ File access

■ Mount

■ Network access

■ OS Call

■ Process assignment

■ Process create

■ Process destroy

■ Registry access

Specify the event variables to monitor, with values for each variable.

Specify any additional patterns to match and patterns to ignore.

See “About general rule options” on page 28.

Record event to SCSP console: See “About general rule options” on page 28.

Execute command: See “About general rule options” on page 28.

Date and time restrictions: See “About general rule options” on page 28.

About text log rules

This rule type monitors user-specified text patterns in user-specified text logs. The rule type is associated with the text log collector, which watches for matches in user-specified text logs.

The text log rule type is also used with virtual agents. Symantec Critical System Protection recognizes and processes virtual event data indirectly via a text log rule, where you designate resulting events as originating from virtual agents. In a manner similar to specifying a user-defined text string, you can identify a source system identification tag that indicates the events are from an agent other than the host machine that processed the events.

See the Symantec Critical System Protection Administration Guide for information on virtual agents.

The text log rule is created with the following rule options:

Text log rule options: Select this check box to enable the text log rule.

Rule name: See “About general rule options” on page 28.

Rule severity: See “About general rule options” on page 28.

Text log path: Specify the text log file to monitor. Specify the complete file path. Wildcard characters are not permitted in the path. Use the percent sign (%) to delimit variables.

Log file structure definitions: This rule option defines the text log file structure. It is always enabled.

Log file contains events coming from a virtual agent: Select this check box to indicate that the records in the text log file are from a virtual agent, and then specify the virtual agent name.

You can specify the virtual agent name as a text string. Use this format when all the records in the text log file are from the same virtual agent.

Example: Mainframe01

You can specify the virtual agent name as a variable. You must define the variable using the parse definitions option. Use this format when the records in the text log file are from multiple virtual agents.

Example: {Virtual Agent Tag}

Parse definitions: Select this check box to indicate that the virtual agent name is specified in a parse string, and then specify the parse string.

Example: *agent name={Virtual Agent Tag},*

Use this option when the records in the text log file are from multiple virtual agents.

Parse strings support wildcard characters. Type an asterisk (*) as the wildcard character for zero or more characters.

When mixing literal text strings with wildcard characters, do not precede the literal text string with a delimiter character (space or tab), unless the character is not found anywhere before the literal text string. For example, if the space delimiter is found before the following literal text string, then the text pattern will not match *user=*:

a string user=joe a string

The pattern parser algorithm works from left to right to match *<space>user=* with a<space>string user=joe a string.

When specifying a variable, include a literal delimiter/terminator after the variable. Otherwise, the pattern parser algorithm cannot determine where the variable data ends. For example:

user={User Name} *

Note the space after the variable. If it were defined as

*user={User Name}*

then the algorithm would fail to extract the {User Name} portion of the string.

Records in file contain multiple lines: If the records in the text log file contain multiple lines, select this check box, and then specify the character used to delimit the records.

Record event to SCSP console: See “About general rule options” on page 28.

Execute command: See “About general rule options” on page 28.

Event patterns: See “About general rule options” on page 28.

Date and time restrictions: See “About general rule options” on page 28.
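The parse-string rules above (variables in braces, an asterisk for zero or more characters, a literal terminator required after every variable, and left-to-right matching that does not back up) are easier to reason about with a small model in front of you. The following Python matcher is an added example written for this page, not code from the guide or from Symantec, and the simplification it makes, that a wildcard or variable stops at the first occurrence of the next literal's first character, is an assumption of the example rather than a description of the product's parser; the function names and the sample records are also constructed for the example. It reproduces the two cases in the text: "* user=*" failing on "a string user=joe a string", and "*user={User Name}*" being rejected because the variable has no terminator.

```python
import re

# Token syntax of a parse string: "*" is the wildcard (zero or more characters),
# "{Name}" is a variable, anything else is literal text.
_TOKEN_RE = re.compile(r"\*|\{[^{}]+\}|[^*{]+")


def compile_parse_string(pattern):
    """Tokenise a parse string into (kind, value) tuples and validate it.

    Raises ValueError when a variable has no literal terminator after it (or a
    wildcard is not followed by literal text), because a left-to-right parser
    could not tell where the variable data ends.
    """
    tokens = []
    for m in _TOKEN_RE.finditer(pattern):
        tok = m.group(0)
        if tok == "*":
            tokens.append(("star", None))
        elif tok.startswith("{"):
            tokens.append(("var", tok[1:-1]))
        else:
            tokens.append(("lit", tok))
    for i, (kind, _) in enumerate(tokens):
        nxt = tokens[i + 1][0] if i + 1 < len(tokens) else None
        if kind == "var" and nxt != "lit":
            raise ValueError("variable needs a literal terminator: %r" % pattern)
        if kind == "star" and nxt not in ("lit", None):
            raise ValueError("wildcard must be followed by literal text: %r" % pattern)
    return tokens


def is_valid_parse_string(pattern):
    """True when compile_parse_string accepts the pattern."""
    try:
        compile_parse_string(pattern)
        return True
    except ValueError:
        return False


def match_parse_string(tokens, line):
    """Match one record left to right without backtracking.

    Returns a dict of extracted variables (empty when none are defined) or
    None when the record does not match. A wildcard or variable stops at the
    FIRST occurrence of the next literal's first character (assumed model).
    """
    pos = 0
    fields = {}
    for i, (kind, value) in enumerate(tokens):
        if kind == "lit":
            if not line.startswith(value, pos):
                return None
            pos += len(value)
        elif kind == "star":
            if i + 1 == len(tokens):
                pos = len(line)  # a trailing wildcard swallows the rest of the record
            else:
                stop = line.find(tokens[i + 1][1][0], pos)
                if stop < 0:
                    return None
                pos = stop
        else:  # var: capture up to the terminator that compile_parse_string guaranteed
            stop = line.find(tokens[i + 1][1][0], pos)
            if stop < 0:
                return None
            fields[value] = line[pos:stop]
            pos = stop
    return fields if pos == len(line) else None


def extract_records(pattern, records):
    """Apply one parse string to many records; returns (record, fields) for matches."""
    tokens = compile_parse_string(pattern)
    return [(rec, f) for rec in records for f in [match_parse_string(tokens, rec)] if f is not None]


# Constructed sample records (not output from any real agent or log).
SAMPLE_RECORDS = [
    "2012-06-01 10:00:00 agent name=Mainframe01, login ok",
    "2012-06-01 10:00:05 agent name=Mainframe02, login failed",
    "2012-06-01 10:00:09 heartbeat",
]

if __name__ == "__main__":
    for rec, fields in extract_records("*agent name={Virtual Agent Tag},*", SAMPLE_RECORDS):
        print(fields["Virtual Agent Tag"], "<-", rec)
```

Because the wildcard stops at the first occurrence of the next literal's first character, a record whose timestamp or hostname contained an "a" before "agent name=" would not match this parse string; that is the same pitfall the text describes for delimiter characters, and the reason to test a parse string against real records before relying on it.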

About generic rules

This rule type monitors user-specified events from any of the Symantec Critical System Protection event sources.


The generic rule is created with the following rule options:

Generic rule options: Select this check box to enable the generic rule.

Rule name: See “About general rule options” on page 28.

Rule severity: See “About general rule options” on page 28.

Record event to SCSP console: See “About general rule options” on page 28.

Execute command: See “About general rule options” on page 28.

Event patterns: See “About general rule options” on page 28.

Date and time restrictions: See “About general rule options” on page 28.

Host Intrusion Detection policies enhancements

The Host Intrusion Detection policies have been redesigned and rewritten to enhance stability, provide greater ease of use and detection accuracy, and add functionality.

Multiple policies have been reorganized into two baseline monitoring solutions for the Windows and the UNIX operating system environments.

The Windows Baseline policy includes the following improvements:

■ The IDS policy has been rewritten to improve functionality and accuracy in monitoring security events.

■ The file monitoring area has been redesigned and rewritten to provide a large number of new file and directory monitoring functions. For example, you can now control and enable the access, delete, modify, and create change monitoring functions by group.

■ You can now perform advanced rule-by-rule tuning directly from the Symantec Critical System Protection console. These rules now also use ignore logic and select logic methodology.

■ You can now configure and view all rule content from the Symantec Critical System Protection console.

■ Policy option group naming conventions have been standardized for ease of administration. You can now enable and disable entire areas of the policies with option check boxes.

■ Automatic application detection has been updated to enable and disable monitoring without the need for administrators to configure the policy individually per host.

■ You can now configure many parameter options individually for each rule. For example, you can configure the Rule Name, Rule Severity, and Rule monitoring content separately for each rule.

■ You can now select a severity level for each rule. You no longer need to know specific numerical values for the severity base types.

■ New Web attack detection functionality has been built into the policy to provide monitoring of Web attacks. The types of attacks that are detected include basic SQL injection, directory traversal, vulnerable CGI requests, blacklist IP functionality, and vulnerability scanning detection. Malicious request strings, malicious extension requests, and malicious user agent strings are also detected.

■ You can now mouse over parts of the user interface to display descriptions to assist in policy navigation and rule-by-rule overview.

Table 2-1 illustrates how the existing policies from previous releases were combined with new options into the 5.2.6 top-level option groups.

Table 2-1 Detection options organization map

Each row lists the detection option organization in release 5.2.6, followed by the options in previous releases, with new material noted.

System User and Group Change Monitor: System_Group_Management_Change; System_User_Configuration; Enhanced_System_Group_Change (NEW)

System Active-Directory Change Monitor: Domain_Trust_Configuration; MS_ActiveDirectory_FSMO_Changed; System_AuthEncrypt_Configuration; AD_Priviledged_Group/User_Change (NEW)

System Login Activity and Access Monitor: System_Logoff; System_Logon_Success; System_Failed_Access_Status; Domain_Priviledged_User_Login (NEW)

System Hardening Monitor: System_Autorun_Configuration; Network_Comm_Configuration; System_File_Protection_Status; System_Security_Configuration; System_StartStop_Options; System_Audit_Tampering; System_Hardening

System File and Directory Monitor: System_Shares_Configuration; Host_IDS_File_Tampering; Critical_System_File_Monitor (NEW)

System Registry Monitor: Critical_Registry_StartPath_Monitor; Critical_System_Registry_Monitor (NEW)

Symantec Software Monitoring: Symantec_AV_Client_Communication; SAV_Critical_Action_Monitor (NEW); SEP_Critical_Action_Monitor (NEW)

External Device Activity Monitor: USB_Device_Activity; USB_Device_Vendor_Detection (NEW); CD/DVD_Burning_Activity (NEW)

System Attack Detection: Generic_Web_Attack_Detection; Web_Attack_Detection (NEW)

The policies that perform administrative or troubleshooting activities for Symantec Critical System Protection agents and management server-specific policies were not combined with the Windows Baseline policy.

The following policies were not combined because they serve an administrative purpose outside of normal detection functionality or facilitate the Global Watch functionality:

■ CSP_Agent_Diagnostics

■ CSP_Agent_Status

■ CSP_Server_Monitor

■ Global_Watch_Policy


Chapter 3 UNIX detection policy reference

This chapter includes the following topics:

■ About the UNIX detection policies

■ List of policies

About the UNIX detection policies

Symantec Critical System Protection includes UNIX detection policies for computers that run the following operating systems:

■ IBM AIX

■ Sun Solaris

■ Red Hat Enterprise Linux

■ SUSE Linux Enterprise

You can apply the UNIX detection policies to any Solaris, Linux, AIX, HP-UX, and Tru64 agent or agent group.

The UNIX detection policies are as follows:

■ UNIX_CSP_Agent_Diagnostics

■ UNIX_CSP_Agent_Status

■ UNIX_Host_IDS_FIle_Tampering

■ UNIX_NetRecon_Scan_Detected

■ UNIX_Sendmail_BrokenPipe_Messages

■ UNIX_Stack_Execution_Denied (Solaris, HP-UX, Tru64)


■ UNIX_System_Logon_Failure

■ UNIX_System_Logon_Success

■ UNIX_System_Time_Change (Solaris, AIX, HP-UX, Tru64)

■ UNIX_System_User_Configuration

■ UNIX_Template_Policy

In addition to the UNIX policies, Symantec Critical System Protection includes OS-specific policies. A version of each OS-specific policy is provided for Solaris, Linux, AIX, HP-UX, and Tru64 agents.

The OS-specific policies are as follows:

■ Apache_Vulnerable_CGI_Scripts

■ SANS

List of policies

This section describes the Symantec Critical System Protection UNIX detection policies.

UNIX_CSP_Agent_Diagnostics

This UNIX detection policy includes options to do the following:

■ Run the collect info script

■ Restart the IDS service

■ Restart the IPS service

■ Restart the UTIL service

■ Force log rollover of the agent event log file

■ Modify the management server list for an agent

■ Edit configuration files

For more information, see the Windows version of this policy.

See “CSP_Agent_Diagnostics” on page 18.

UNIX_CSP_Agent_Status

This UNIX detection policy runs scripts that provide health checks on IPS agents. The health check scripts run based on user-configurable timers. The timers are started when the policy is initially applied to an agent or when the agent is restarted.

The policy options are as follows:

IPS Health Check: Periodically runs the IPS agent health check script. Specify the health check frequency in days, hours, minutes, and seconds. By default, the health check script runs every hour.

IPS Util Health Check: Periodically runs the IPS Util health check script on Solaris or Linux agents. Specify the Util health check frequency in days, hours, minutes, and seconds. By default, the health check script runs every hour.

IPS Core Detection: Monitors syslogs for detected sisipsagent core dump files.

UNIX_Template_Policy

The UNIX_Template_Policy is a reusable workspace container policy for managing custom rules.

The UNIX_Template_Policy policy includes rule options for the following rule types:

■ Filewatch

■ Text log

■ Prevention watch

■ Generic

■ C2 log

■ Syslog

■ UNIX activity log

The UNIX_Template_Policy is intended for use as a container policy for managing custom rules. The policy contains only the rules that you define.

For more information on using the template policy, including how to create and reuse custom rules, see the Windows_Template_Policy.

See “Windows_Template_Policy” on page 24.

About C2 log rules

This rule type monitors the C2 audit logs on Solaris, HP-UX, and AIX agents. The rule type is associated with the C2 collector, which looks for matches in the C2 audit logs.

Note: C2 logging must be turned on and configured on the agent computers.

The C2 log rule is created with the following rule options:

C2 rule options: Select this check box to enable the C2 rule.

Rule name: See the Windows_Template_Policy for details.

Rule severity: See the Windows_Template_Policy for details.

Record event to SCSP console: See the Windows_Template_Policy for details.

Execute command: See the Windows_Template_Policy for details.

Event patterns: See the Windows_Template_Policy for details.

Date and time restrictions: See the Windows_Template_Policy for details.

About syslog rules

This rule type monitors user-specified events in the UNIX syslog. The rule type is associated with the syslog collector, which watches for syslog daemon tampering on UNIX systems.

The syslog rule is created with the following rule options:

Syslog rule options: Select this check box to enable the syslog rule.

Rule name: See the Windows_Template_Policy for details.

Rule severity: See the Windows_Template_Policy for details.

Record event to SCSP console: See the Windows_Template_Policy for details.

Execute command: See the Windows_Template_Policy for details.

Event patterns: See the Windows_Template_Policy for details.

Date and time restrictions: See the Windows_Template_Policy for details.

About UNIX activity log rules

This rule type monitors user-specified events in the WTMP and BTMP files. The rule type is associated with the WTMP collector, which watches for matches in the WTMP and BTMP files.

The UNIX activity log rule is created with the following rule options:

UNIX activity log rule options: Select this check box to enable the UNIX activity log rule.

Rule name: See the Windows_Template_Policy for details.

Rule severity: See the Windows_Template_Policy for details.

Record event to SCSP console: See the Windows_Template_Policy for details.

Execute command: See the Windows_Template_Policy for details.

Event patterns: See the Windows_Template_Policy for details.

Date and time restrictions: See the Windows_Template_Policy for details.


Chapter 4 Policy examples

This chapter includes the following topics:

■ About Policy examples

■ Forcing rollover of the agent event log file

■ Creating a filewatch rule

About Policy examples

This chapter includes the following topics:

■ Forcing rollover of the agent event log file

■ Creating a filewatch rule

Forcing rollover of the agent event log file

Forcing rollover of the agent event log file closes the current log file and opens a new log file.

The agent event log file is stored in the following directories:

Windows: C:\Program Files\Symantec\Critical System Protection\Agent\scsplog

UNIX: /var/log/scsplog

The policy forces rollover of the log file immediately after being applied to the agent.


To force rollover of the agent event log file

1 Log on to the management console as an administrator.

2 In the management console, on the Policies page, in the Symantec folder, edit the CSP_Agent_Diagnostics policy.

3 In the policy editor dialog, enable Select a function to run on the agent.

4 In the policy editor dialog, click Select a function, and then select Force Log Rollover.

5 Click OK to save the policy changes.

6 Apply the policy to the agent.

7 In the management console, monitor the events on the Monitors page to determine if the agent event log file rolled over.

8 Check the log file directory to confirm that rollover occurred.

9 On the Assets page, select the agent, and then right-click Clear Policy to clear the policy from the agent.

Creating a filewatch rule

Create a filewatch rule to monitor changes to user-specified files.

To create a filewatch rule

1 In the management console, click Policies.

2 Under the Policies tab, click Detection.

3 On the Policies page, double-click Windows_Template_Policy or UNIX_Template_Policy.

4 In the policy editor dialog box, under Policy Settings, click My Custom Rules, and then click the Add a new Custom Control icon.

5 In the New Custom Rule Wizard dialog box, specify the following information:

Display Name: Type a descriptive name for the filewatch rule. Example: My Filewatch Rule

Category: Select the filewatch rule type.

Identifier: Type a name that the policy uses internally to identify the filewatch rule. Example: myfw

Description: Type a full description of the filewatch rule.

6 Click Finish.

7 In the policy editor dialog box, click Edit to display the rule options.

8 In the policy editor dialog box, click Edit before Filewatch Rule Options, and then select the check box to enable the filewatch rule.

9 In the policy editor dialog box, enable the rule options to monitor file creation, deletion, modification, and access.

10 In the policy editor dialog box, enable Additional patterns to match on, and then specify the list of patterns.

11 In the policy editor dialog box, enable Files to watch, and then specify the list of files to watch.

12 Click OK.


Chapter 5 Windows Baseline Detection policy

This chapter includes the following topics:

■ Introduction

■ File monitoring improvements

■ Windows-specific policy improvements

■ About rule options

Introduction

The Symantec Critical System Protection Host Intrusion Detection policies have been redesigned and rewritten. Multiple policies were reorganized into a baseline monitoring solution for the Windows operating system environment. The new policy provides enhanced stability, greater ease of use and detection accuracy, and added functionality.

The Windows policy includes the following improvements:

■ The IDS policy was rewritten to improve functionality and accuracy in monitoring security events.

■ The file monitoring area was redesigned and rewritten to provide a large number of new file and directory monitoring functions. For example, you can control and enable the access, delete, modify, and create change monitoring functions by group.

■ You can perform advanced rule-by-rule tuning directly from the Symantec Critical System Protection console. These rules also use ignore logic and select logic methodology.

■ You can configure and view all rule content from the Symantec Critical System Protection console, which removes the need to use the Authoring Tool.

■ Policy option group naming conventions have been standardized for ease of administration. You can enable and disable entire areas of the policies with option check boxes.

■ Automatic application detection has been updated to enable and disable monitoring without the need for administrators to configure the policy individually per host.

■ You can configure many parameter options individually for each rule. For example, you can configure the Rule Name, Rule Severity, and Rule monitoring content separately for each rule.

■ You can select a severity level for each rule. You no longer need to know specific numerical values for the severity base types.

■ New Web attack detection functionality has been built into the policy to provide monitoring of Web attacks. The types of attacks that are detected include basic SQL injection, directory traversal, vulnerable CGI requests, blacklist IP functionality, and vulnerability scanning detection. Malicious request strings, malicious extension requests, and malicious user agent strings are also detected.

■ You can mouse over parts of the user interface to display descriptions to assist in policy navigation and rule-by-rule overview.

Table 5-1 illustrates how the existing policies from previous releases were combined with new options into the 5.2.6 top level option groups.

Table 5-1 Detection options organization map

Each row lists the detection option organization in release 5.2.6, followed by the options in previous releases, with new material noted.

System User and Group Change Monitor: System_Group_Management_Change; System_User_Configuration; Enhanced_System_Group_Change (NEW)

System Active-Directory Change Monitor: Domain_Trust_Configuration; MS_ActiveDirectory_FSMO_Changed; System_AuthEncrypt_Configuration; AD_Priviledged_Group/User_Change (NEW)

System Login Activity and Access Monitor: System_Logoff; System_Logon_Success; System_Failed_Access_Status; Domain_Priviledged_User_Login (NEW)

System Hardening Monitor: System_Autorun_Configuration; Network_Comm_Configuration; System_File_Protection_Status; System_Security_Configuration; System_StartStop_Options; System_Audit_Tampering; System_Hardening

System File and Directory Monitor: System_Shares_Configuration; Host_IDS_File_Tampering; Critical_System_File_Monitor (NEW)

System Registry Monitor: Critical_Registry_StartPath_Monitor; Critical_System_Registry_Monitor (NEW)

Symantec Software Monitoring: Symantec_AV_Client_Communication; SAV_Critical_Action_Monitor (NEW); SEP_Critical_Action_Monitor (NEW)

External Device Activity Monitor: USB_Device_Activity; USB_Device_Vendor_Detection (NEW); CD/DVD_Burning_Activity (NEW)

System Attack Detection: Generic_Web_Attack_Detection; Web_Attack_Detection (NEW)

The policies that perform administrative or troubleshooting activities for Symantec Critical System Protection agents and management server-specific policies were not combined with the Windows Baseline policy.

The following policies were not combined because they serve an administrative purpose outside of normal detection functionality or facilitate the Global Watch functionality:

■ CSP_Agent_Diagnostics

■ CSP_Agent_Status

■ CSP_Server_Monitor

■ Global_Watch_Policy

File monitoring improvements

Symantec Critical System Protection has some file monitoring improvements.

Specific file monitoring changes include the following improvements:

■ You can control and enable the access, delete, modify, and create change monitoring functions on a group-by-group basis.

■ You can control modification differentiating, including algorithm selection, on a group-by-group basis.

■ You can set date and time restrictions within each specific file monitoring group.

■ You can tune the file monitor modified detection operation for specific criteria, such as only for permission changes, size changes, bitmask changes, and so on.

■ You can use specific ignore logic criteria and select logic criteria in each file monitoring group. For example, you can independently configure each file monitoring group to ignore file paths or strings.

Symantec Critical System Protection includes the following enhancements formonitoring files:

■ Symantec Critical System Protection monitors Access Control Lists (ACLs) in file attributes. Table 1-8 describes the Access Control List strings that Symantec Critical System Protection returns.

■ To provide granular control over Windows file change monitoring, Symantec Critical System Protection monitors near real-time changes on local file systems and fixed file systems. It does not monitor changes on removable media or remote network drives. It no longer uses polling intervals. Symantec Critical System Protection uses the FIPS 180-2-compliant Secure Hash Algorithm (SHA-256) to calculate file hashes or checksums at runtime. The MD5 algorithm is no longer used or available. For performance efficiency, you can enable or disable the checksum calculation for each filewatch list. A single hash algorithm is used on all the files in a watched list.

Note: Symantec Critical System Protection continues to poll remote files, such as files on network drives or removable media, every specified interval to detect changes.

■ Symantec Critical System Protection tracks the user names and processes associated with file modifications within Windows Host-based Intrusion Detection Systems. Modifications that are tracked include file opens, file writes, file creations, and file deletions. This feature lets you determine who has accessed and who changed the local files that were accessed through a file share. Symantec Critical System Protection captures the local user names or remote user names of the users that access a file. This feature does not rely on Windows Event Monitoring, Windows Audit Object Access logging, or UNIX Event Monitoring. Local user names are resolved locally. Remote users' names are obtained by using Active Directory queries. If no names are provided, Symantec Critical System Protection captures the Windows Security IDentifier (SID). The Symantec Critical System Protection detection agent service must be running for the user name and process tracking functionality to work. If the Symantec Critical System Protection detection agent service is stopped, then the moment that it is restarted it reports the file modification events that took place during the time that it was stopped. However, the user names and processes that are associated with the modifications that took place while the service was stopped are not included for those modifications.

Note: This feature makes use of a file filter driver to capture user name and processes for file modifications. If you use only IDS, you do not need to restart after installation. If you enable IPS features during installation, you do need to restart.
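The per-list checksum option described above has a concrete cost when it is switched off: a modification that changes content but leaves size and permissions untouched produces no attribute difference to detect. The following Python snapshot-and-compare routine is an added illustration written for this page (not the product's code or Symantec's) that hashes every file in a watched list with SHA-256, as the text says the product does, and runs the same watch list once with checksum calculation enabled and once without so the difference is visible. The function names and the temporary sample files are constructed for the example; the product's on-disk baseline format and event texts are not modelled.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 hex digest of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(watch_list, checksum=True):
    """Baseline for one watched list: size and permission bits per file, plus a
    SHA-256 digest when checksum calculation is enabled for the whole list."""
    baseline = {}
    for path in watch_list:
        if not os.path.isfile(path):
            continue  # a missing file shows up later as "created" if it appears
        st = os.stat(path)
        baseline[path] = {
            "size": st.st_size,
            "mode": st.st_mode & 0o777,
            "sha256": sha256_file(path) if checksum else None,
        }
    return baseline


def compare(before, after):
    """Diff two baselines into (event, path, changed_attributes) tuples, path-sorted."""
    events = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            events.append(("created", path, ""))
        elif path not in after:
            events.append(("deleted", path, ""))
        else:
            changed = [k for k in ("size", "mode", "sha256") if before[path][k] != after[path][k]]
            if changed:
                events.append(("modified", path, ",".join(changed)))
    return events


def demo():
    """Constructed scenario: a same-size content edit, a deletion and a creation.

    Returns (events_with_checksum, events_without_checksum)."""
    with tempfile.TemporaryDirectory() as root:
        a, b, c = (os.path.join(root, n) for n in ("a.txt", "b.txt", "c.txt"))
        with open(a, "w") as fh:
            fh.write("hello")
        with open(b, "w") as fh:
            fh.write("world")
        watch_list = [a, b, c]
        base_hash = snapshot(watch_list, checksum=True)
        base_plain = snapshot(watch_list, checksum=False)

        with open(a, "w") as fh:
            fh.write("jello")  # same size and mode, different content
        os.remove(b)
        with open(c, "w") as fh:
            fh.write("new")

        with_hash = compare(base_hash, snapshot(watch_list, checksum=True))
        without_hash = compare(base_plain, snapshot(watch_list, checksum=False))
    return with_hash, without_hash


if __name__ == "__main__":
    for label, events in zip(("checksum on", "checksum off"), demo()):
        print(label, events)
```

With checksum calculation enabled the edit to a.txt is reported as a modification whose only changed attribute is the hash; with it disabled, only the deletion and the creation are reported. That is the trade-off to weigh when disabling checksums on a list for performance.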

Windows-specific policy improvements

Windows-specific policy changes include the following improvements:

■ Product-specific monitoring areas for key Symantec applications such as Symantec AntiVirus and Symantec Endpoint Protection. Improved monitoring of endpoint security products provides administrators more finite events that are tailored for compatibility.

■ Improved external device detection now includes event generation for CD and DVD burning activity.

■ Critical Windows registry change detection has been added. Critical auto start areas of the Windows operating system are monitored to ensure that the host system security is maintained. New registry paths for Auto Start Keys have been added.

Note: Registry monitoring has the same options as the rewritten file and directory monitoring.

About rule options

Symantec Critical System Protection provides specific content control per rule from the console. Each rule in the Baseline policy has required parameters. These rules can be viewed and customized from the console.

The options in Table 5-2 are available for each rule that is displayed in the PolicySettings pane.

Table 5-2 Rule options

Rule Name: The name that is associated with the rule that generates the specific event. A single string value is allowed in the string field.

Severity: The severity of the event. Available for each rule of the policy. You can only select one severity level, Info, Notice, Warning, Major, or Critical, for each rule.

Event IDs: Parameter options for Windows event log watch rules. Separate multiple event IDs with a comma (,) in this string list. You can add, edit, and remove event IDs.

File Paths: Parameter options for filewatch rules. You can use multiple file paths with associated wildcard entries in this string list. You can add, edit, and remove file paths.

Registry Paths: Parameter options for registry watch rules. You can use multiple Windows registry paths with associated wildcard entries in this string list. You can add, edit, and remove registry paths.

Select Strings: Used in rule select logic. Symantec Critical System Protection uses primary logic or initial sifting method for rule event generation. Use an asterisk (*) to select all the events that the criteria that you entered previously generate. Such criteria are the event IDs, file paths, registry paths, or log strings previously defined. With this option you can specifically tune rules for administrator needs.

For example, if you change the select string on a filewatch rule from * to *Permission*, then that rule only generates a filewatch event if that event contains the string “Permission.” You can have multiple select strings in this string list. All strings are case insensitive. You can add, edit, and remove select strings.

Ignore Strings: Used in rule ignore logic. Symantec Critical System Protection uses secondary ignore logic or ignore sifting method for rule event generation. Almost all rule parameter options contain a blank value, which signifies that a null value or no value is associated with the ignore logic statement. Symantec Critical System Protection ignores any string in this field other than a blank value upon pattern matching on the final event generation. Ignore strings also provide you with the ability to perform advanced rule-by-rule tuning. You can have multiple ignore strings in this string list. All strings are case insensitive. You can add, edit, and remove ignore strings.

The ignore criteria ignore items that have a tendency to change frequently or items that are not a part of the core system and configuration. These ignore items are items such as logs, the temp directory, and so on.

Note: Each parameter is preconfigured with default values to ensure the functionality of the rule. Changes to rule name and severity do not affect the overall operation of the rule.
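The select-then-ignore sifting that Table 5-2 describes is a two-stage filter: an event must match at least one select string (case insensitive, asterisk for zero or more characters), and must then match none of the non-blank ignore strings. The following Python model is an added example written for this page, not Symantec's code, and it runs the Table 5-2 example (select string changed from * to *Permission*, plus an ignore string for the temp directory) over a few constructed filewatch event texts. The Rule class, the rule names, the event texts and the regular-expression translation of the wildcard are all assumptions of the example; the product's real event format is not modelled.

```python
import re
from dataclasses import dataclass, field


def _wildcard_regex(pattern):
    """Translate a select/ignore string into a regex: "*" is zero or more
    characters, everything else is literal; matching is case insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


@dataclass
class Rule:
    name: str
    severity: str
    # Defaults mirror the text: "*" selects everything, a blank ignore means no ignore.
    select_strings: list = field(default_factory=lambda: ["*"])
    ignore_strings: list = field(default_factory=lambda: [""])

    def evaluate(self, event_text):
        """Two-stage sift: primary select logic, then secondary ignore logic.
        Returns True when the event should be generated."""
        if not any(_wildcard_regex(s).match(event_text) for s in self.select_strings):
            return False
        for ig in self.ignore_strings:
            if ig.strip() == "":
                continue  # a blank ignore value carries no ignore criterion
            if _wildcard_regex(ig).match(event_text):
                return False
        return True


def run_rule(rule, events):
    """Return (rule name, severity, event text) for every event that survives the sift."""
    return [(rule.name, rule.severity, e) for e in events if rule.evaluate(e)]


# Constructed filewatch event texts (not real product output).
SAMPLE_EVENTS = [
    r"File modified: C:\Windows\System32\drivers\etc\hosts (Permission change)",
    r"File modified: C:\Windows\Temp\install.log (Permission change)",
    r"File modified: C:\Windows\System32\drivers\etc\hosts (Size change)",
    r"File created: C:\Windows\Temp\scratch.tmp",
]

# Hypothetical rule names; the preconfigured defaults generate every event.
DEFAULT_RULE = Rule("Demo_File_Monitor", "Warning")
TUNED_RULE = Rule(
    "Demo_File_Monitor",
    "Warning",
    select_strings=["*Permission*"],
    ignore_strings=[r"*\Temp\*", ""],
)

if __name__ == "__main__":
    for hit in run_rule(TUNED_RULE, SAMPLE_EVENTS):
        print(hit)
```

Only the permission change on the hosts file survives the tuned rule: the size change fails the select stage, and the permission change under the temp directory is selected but then dropped by the ignore stage. Keeping the blank entry in the ignore list is harmless, which is why the preconfigured blank value does not suppress anything.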


Chapter 6 Policy options

This chapter includes the following topics:

■ System User and Group Change Monitor

■ System Active Directory Change Monitor

■ System Login Activity and Access Monitor

■ System Hardening Monitor

■ System File and Directory Monitor

■ System Registry Monitor

■ System Symantec Software Monitor

■ System External Device Activity

■ System Attack Detection

System User and Group Change Monitor

This option group section of the policy monitors for specific user and group change-based events.

System User Configuration Changes

This option group subsection monitors user changes from local account manipulation to the user activity that warrants event detection in Active Directory environments.

6Chapter

Table 6-1 Description of the Account Changed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Changed
Rule Name: ZZ_Account_Changed
Severity: Warning
Event IDs: 642, 4738, 685
Description: Detects the changes that are made to user accounts on the local system.

Table 6-2 Description of the Account Created parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Created
Rule Name: AA_Account_Created
Severity: Warning
Event IDs: 629, 4720 (4720 is the Windows Vista and later ID for account creation; its Windows 2000/2003 counterpart is 624, whereas 629 is the legacy ID for an account being disabled, so verify the legacy ID in the rule if it must cover pre-Vista systems)
Description: Detects the creation of user accounts on the local system.

Table 6-3 Description of the Account Deleted parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Deleted
Rule Name: Account_Deleted
Severity: Warning
Event IDs: 630, 4726
Description: Detects the deletion of user accounts on the local system.

Table 6-4 Description of the Account Disabled parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Disabled
Rule Name: Account_Disabled
Severity: Warning
Event IDs: 629, 4725
Description: Detects the disabling of user accounts on the local system.

Table 6-5 Description of the Account Enabled parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Account Enabled
Rule Name: Account_Enabled
Severity: Warning
Event IDs: 626, 4722
Description: Detects the enabling of user accounts on the local system.

Table 6-6 Description of the Local Account Locked Out parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Local Account Locked Out
Rule Name: System_User_Configuration_Local_Account_Locked_Out
Severity: Warning
Event IDs: 644, 4740
Description: Detects the locking of a user account on the local system.

Table 6-7 Description of the Local Account Lock Out Threshold, Time Interval, and Severity parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Local Account Lock Out Threshold, Time Interval, and Severity
Severity: Critical
Count: 10
Interval: 3 (the guide does not state the unit)
Description: Detects the locking of a user account on the local system, then generates a higher-severity event when the user-defined threshold of lockouts within the interval is reached.
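The threshold option in Table 6-7 layers a count-over-interval escalation on top of the per-event Warning of Table 6-6. The following added example (not product code) shows that escalation as a sliding window in Python, using the documented defaults of Count 10 and Interval 3; because the guide does not state the interval's unit, the example assumes minutes. The lockout records are constructed, and the choice to clear the window after one Critical event so that a single burst raises one escalation rather than one per additional lockout is this example's own.

```python
"""Count-over-interval escalation for account lockouts (added example)."""
from collections import deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LOCKOUT_IDS = {644, 4740}  # legacy and Vista+ "user account locked out"


class LockoutMonitor:
    def __init__(self, count: int = 10, interval_minutes: int = 3):
        self.count = count
        self.window = timedelta(minutes=interval_minutes)  # unit is an assumption
        self.times = deque()

    def feed(self, event_id: int, when: datetime) -> Optional[str]:
        """Return the severity to emit for this event, or None if it is not a lockout."""
        if event_id not in LOCKOUT_IDS:
            return None
        self.times.append(when)
        # Drop lockouts that have fallen out of the sliding window.
        while self.times and when - self.times[0] > self.window:
            self.times.popleft()
        if len(self.times) >= self.count:
            self.times.clear()  # one burst yields one Critical event
            return "Critical"
        return "Warning"


def run(events: List[Tuple[int, datetime]], count: int = 10,
        interval_minutes: int = 3) -> List[str]:
    """Feed (event ID, timestamp) pairs in time order and collect emitted severities."""
    mon = LockoutMonitor(count, interval_minutes)
    return [s for s in (mon.feed(i, t) for i, t in events) if s is not None]


# Constructed sample: twelve lockouts ten seconds apart, an unrelated
# account-creation event, then a lone lockout an hour later.
T0 = datetime(2012, 1, 1, 9, 0, 0)
SAMPLE = [(4740, T0 + timedelta(seconds=10 * n)) for n in range(12)]
SAMPLE += [(4720, T0 + timedelta(seconds=125))]
SAMPLE += [(4740, T0 + timedelta(hours=1))]

if __name__ == "__main__":
    print(run(SAMPLE))
```

With these inputs the tenth lockout in the burst is reported as Critical and every other lockout, including the isolated one an hour later, stays at Warning.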

Table 6-8 Description of the Local Account Unlocked parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Local Account Unlocked
Rule Name: Local_Account_Unlocked
Severity: Warning
Event IDs: 671, 4767
Description: Detects the unlocking of a user account on the local system.

Table 6-9 Description of the Admin Passwd Change Failed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Admin Passwd Change Failed
Rule Name: Admin_Passwd_Change_Failed
Severity: Critical
Event IDs: 627, 4723
Description: Detects failed attempts to change the administrator password.

Table 6-10 Description of the User Added to Global Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Added to Global Group
Rule Name: User_Added_to_Global_Group
Severity: Warning
Event IDs: 632, 4728
Description: Detects the addition of a user to a global group. This rule applies to Windows servers that act as domain controllers.

Table 6-11 Description of the User Removed from Global Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Removed from Global Group
Rule Name: User_Removed_from_Global_Group
Severity: Warning
Event IDs: 633, 4729
Description: Detects the removal of a user from a global group. This rule applies to Windows servers that act as domain controllers.

Table 6-12 Description of the Guest Password Change Failed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Guest Password Change Failed
Rule Name: Guest_Passwd_Change_Failed
Severity: Critical
Event IDs: 627, 4723
Description: Detects a failed attempt to change the guest's password.

Table 6-13 Description of the User Added to Local Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Added to Local Group
Rule Name: User_Added_to_Local_Group
Severity: Warning
Event IDs: 636, 4732
Description: Detects the addition of a user to a local group.

Table 6-14 Description of the User Removed from Global Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Removed from Global Group (as the guide lists it)
Rule Name: User_Removed_from_Global_Group
Severity: Warning
Event IDs: 637, 4733
Description: Detects the removal of a user from a group on a Windows server that acts as a domain controller. Note that 637 and 4733 record a member being removed from a security-enabled local group, so despite its name this entry is the local-group counterpart of Table 6-13; the global-group removal events (633, 4729) are covered by Table 6-11.

Table 6-15 Description of the Right Assigned parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Right Assigned
Rule Name: Right_Assigned
Severity: Warning
Event IDs: 608, 4704, 4717
Description: Detects that an access right has been assigned to a user.

Table 6-16 Description of the Right Removed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Right Removed
Rule Name: Right_Removed
Severity: Warning
Event IDs: 609, 4705, 4718
Description: Detects that an access right has been removed from a user.

Table 6-17 Description of the User Password Change Failed parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Password Change Failed
Rule Name: User_Password_Change_Failed
Severity: Warning
Event IDs: 627, 4723
Description: Detects a failed attempt to change a user's password.

Table 6-18 Description of the User Added to Universal Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Added to Universal Group
Rule Name: User_Added_to_Universal_Group
Severity: Warning
Event IDs: 660, 4756
Description: Detects the addition of a user to a universal group. This rule applies to Windows servers that act as domain controllers.

Table 6-19 Description of the User Removed from Universal Grp parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Removed from Universal Grp
Rule Name: User_Removed_from_Universal_Grp
Severity: Warning
Event IDs: 661, 4757
Description: Detects the removal of a user from a universal group. This rule applies to Windows servers that act as domain controllers.

Table 6-20 Description of the User Added to Local Distribution Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Added to Local Distribution Group
Rule Name: User_Add_Local_Distribution_Grp
Severity: Warning
Event IDs: 650, 4746
Description: Detects the addition of a user to a local distribution group.

Table 6-21 Description of the User Added to Global Distribution Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Added to Global Distribution Group
Rule Name: User_Add_Global_Distribution_Grp
Severity: Warning
Event IDs: 655, 4751
Description: Detects the addition of a user to a global distribution group.

Table 6-22 Description of the User Added to Universal Distribution Group parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Added to Universal Distribution Group
Rule Name: User_Add_Univ_Distribution_Grp
Severity: Warning
Event IDs: 665, 4761
Description: Detects the addition of a user to a universal distribution group.

Table 6-23 Description of the Administrator Changed Admin Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Administrator Changed Admin Password
Rule Name: Admin_Changed_Admin_Passwd
Severity: Warning
Event IDs: 627, 628, 4723, 4724
Description: Detects that the administrator changed the administrator's own password.

Table 6-24 Description of the Guest Changed Admin Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Guest Changed Admin Password
Rule Name: Guest_Changed_Admin_Passwd
Severity: Critical
Event IDs: 627, 628, 4723, 4724
Description: Detects that a guest changed the administrator password.

Table 6-25 Description of the User Changed Admin Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Changed Admin Password
Rule Name: User_Changed_Admin_Passwd
Severity: Major
Event IDs: 627, 628, 4723, 4724
Description: Detects that a user changed the administrator password.

Table 6-26 Description of the Administrator Changed Guest Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Administrator Changed Guest Password
Rule Name: Admin_Changed_Guest_Passwd
Severity: Warning
Event IDs: 627, 628, 4723, 4724
Description: Detects that the administrator changed the guest password.

Table 6-27 Description of the Guest Changed Guest Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Guest Changed Guest Password
Rule Name: Guest_Changed_Guest_Passwd
Severity: Notice
Event IDs: 627, 628, 4723, 4724
Description: Detects that the guest changed the guest password.

Table 6-28 Description of the User Changed Guest Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Changed Guest Password
Rule Name: User_Changed_Guest_Passwd
Severity: Notice
Event IDs: 627, 628, 4723, 4724
Description: Detects that a user changed the guest password.

Table 6-29 Description of the Administrator Changed User Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Administrator Changed User Password
Rule Name: Admin_Changed_User_Passwd
Severity: Notice
Event IDs: 627, 628, 4723, 4724
Description: Detects that the administrator changed a user's password.

Table 6-30 Description of the Guest Changed User Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Guest Changed User Password
Rule Name: Guest_Changed_User_Passwd
Severity: Warning
Event IDs: 627, 628, 4723, 4724
Description: Detects that the guest changed a user's password.

Table 6-31 Description of the User Changed User Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: User Changed User Password
Rule Name: User_Changed_User_Passwd
Severity: Notice
Event IDs: 627, 628, 4723, 4724
Description: Detects that a user changed another user's password.

Table 6-32 Description of the Administrator Changed Guest Password parameters used
Option Path: System User and Group Change Monitor > System User Configuration Changes
Option: Administrator Changed Guest Password
Rule Name: Admin_Changed_Guest_Passwd
Severity: Notice
Event IDs: 627, 628, 4723, 4724
Description: Detects that the administrator changed the guest password. This entry repeats Table 6-26 with a different severity; check the policy itself for the value in effect.
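Tables 6-23 through 6-31 all watch the same four event IDs and differ only in who performed the change and whose password it was, so the interesting part of these rules is the subject/target classification. The following added example (not Symantec's code) shows that classification in Python, along with the legacy-to-modern ID normalisation the tables imply: every Vista-and-later Security event ID in this chapter is its Windows 2000/2003 counterpart plus 4096. The log records and account names are constructed; the rule names and severities are those of the tables, and for the administrator-changed-guest case the example uses the Warning value of Table 6-26 rather than the Notice value repeated in Table 6-32. Mapping any account other than Administrator or Guest to the "user" role is the example's own simplification.

```python
"""Subject/target classification of password-change events (added example)."""
from typing import Optional, Tuple

PASSWORD_EVENT_IDS = {4723, 4724}  # change attempt, password reset (Vista+)

# (subject role, target role) -> (rule name, severity), from Tables 6-23 to 6-31.
RULES = {
    ("admin", "admin"): ("Admin_Changed_Admin_Passwd", "Warning"),
    ("guest", "admin"): ("Guest_Changed_Admin_Passwd", "Critical"),
    ("user", "admin"): ("User_Changed_Admin_Passwd", "Major"),
    ("admin", "guest"): ("Admin_Changed_Guest_Passwd", "Warning"),
    ("guest", "guest"): ("Guest_Changed_Guest_Passwd", "Notice"),
    ("user", "guest"): ("User_Changed_Guest_Passwd", "Notice"),
    ("admin", "user"): ("Admin_Changed_User_Passwd", "Notice"),
    ("guest", "user"): ("Guest_Changed_User_Passwd", "Warning"),
    ("user", "user"): ("User_Changed_User_Passwd", "Notice"),
}


def modern_id(event_id: int) -> int:
    """Map a Windows 2000/2003 Security event ID to its Vista+ equivalent (ID + 4096)."""
    return event_id + 4096 if event_id < 4096 else event_id


def role(account: str) -> str:
    """Role used by the rules: the built-in Administrator, the Guest, or any other user."""
    name = account.lower()
    if name == "administrator":
        return "admin"
    if name == "guest":
        return "guest"
    return "user"


def classify(record: dict) -> Optional[Tuple[str, str, int]]:
    """Return (rule name, severity, modern event ID), or None for non-password events."""
    eid = modern_id(record["EventID"])
    if eid not in PASSWORD_EVENT_IDS:
        return None
    rule, severity = RULES[(role(record["Subject"]), role(record["Target"]))]
    return rule, severity, eid


# Constructed Security log records: Subject is the actor, Target the account changed.
SAMPLE = [
    {"EventID": 4724, "Subject": "Administrator", "Target": "jsmith"},
    {"EventID": 628, "Subject": "Guest", "Target": "Administrator"},
    {"EventID": 4723, "Subject": "jsmith", "Target": "bjones"},
    {"EventID": 4720, "Subject": "Administrator", "Target": "svc_backup"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["EventID"], classify(rec))
```

The second record is a legacy 628 (password set) with Guest as the subject; after normalisation it lands on Guest_Changed_Admin_Passwd at Critical, which is the case these nine rules exist to separate from routine help-desk resets.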

System Group Changes
This option group subsection detects group changes by monitoring the manipulation of the following groups:

■ Global groups

■ Local groups

■ Universal groups

■ Local distribution groups

■ Global distribution groups

■ Universal distribution groups

It monitors the security-relevant changes that warrant event detection.

Event detection includes administrator actions such as creation, change, or deletion of security-enabled local, global, or universal groups. Security groups allow the system administrator or domain administrator to establish a standard set of user permissions for groups of users. Changes, additions, or deletions to the security groups are normal behavior in an extended enterprise if the system administrator actively manipulates these groups. If the system administrator or domain administrator does not actively manipulate security groups, these events can indicate illegitimate activity.

Table 6-33 Description of the Global Group Changed parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Global Group Changed
Rule Name: Global_Group_Changed
Severity: Info
Event IDs: 641, 4737
Description: Detects that a global group was changed.

Table 6-34 Description of the Global Group Created parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Global Group Created
Rule Name: Global_Group_Created
Severity: Warning
Event IDs: 631, 4727
Description: Detects that a global group was created.

Table 6-35 Description of the Global Group Deleted parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Global Group Deleted
Rule Name: Global_Group_Deleted
Severity: Warning
Event IDs: 634, 4730
Description: Detects that a global group was deleted.

Table 6-36 Description of the Local Group Changed parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Local Group Changed
Rule Name: Local_Group_Changed
Severity: Info
Event IDs: 639, 4735
Description: Detects that a local group was changed.

Table 6-37 Description of the Local Group Created parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Local Group Created
Rule Name: Local_Group_Created
Severity: Warning
Event IDs: 635, 4731
Description: Detects that a local group was created.

Table 6-38 Description of the Local Group Deleted parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Local Group Deleted
Rule Name: Local_Group_Deleted
Severity: Warning
Event IDs: 638, 4734
Description: Detects that a local group was deleted.

Table 6-39 Description of the Universal Group Changed parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Universal Group Changed
Rule Name: Universal_Group_Changed
Severity: Info
Event IDs: 659, 4755
Description: Detects that a universal group was changed.

Table 6-40 Description of the Universal Group Created parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Universal Group Created
Rule Name: Universal_Group_Created
Severity: Warning
Event IDs: 658, 4754
Description: Detects that a universal group was created.

Table 6-41 Description of the Universal Group Deleted parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Universal Group Deleted
Rule Name: Universal_Group_Deleted
Severity: Warning
Event IDs: 662, 4758
Description: Detects that a universal group was deleted.

Table 6-42 Description of the Local Distribution Group Created parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Local Distribution Group Created
Rule Name: Local_Distribution_Grp_Created
Severity: Warning
Event IDs: 648, 4744
Description: Detects when a local distribution group was created. Distribution lists can be created and managed through the Active Directory MMC snap-in. Local distribution groups can include other groups and accounts from Windows Server 2003, Windows 2000, or Windows NT domains, and can be granted permissions only within a domain.

Table 6-43 Description of the Local Distribution Group Changed parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Local Distribution Group Changed
Rule Name: Local_Distribution_Grp_Changed
Severity: Warning
Event IDs: 649, 4745
Description: Detects when a local distribution group was changed.

Table 6-44 Description of the Local Distribution Group Deleted parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Local Distribution Group Deleted
Rule Name: Local_Distribution_Grp_Delete
Severity: Warning
Event IDs: 652, 4748
Description: Detects when a local distribution group was deleted.

Table 6-45 Description of the Global Distribution Group Created parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Global Distribution Group Created
Rule Name: Global_Distribution_Grp_Created
Severity: Warning
Event IDs: 653, 4749
Description: Detects when a global distribution group was created. Distribution lists can be created and managed through the Active Directory MMC snap-in. Global distribution groups can include other groups and accounts only from the domain in which the group is defined. They can be granted permissions in any domain in the forest.

Table 6-46 Description of the Global Distribution Group Changed parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Global Distribution Group Changed
Rule Name: Global_Distribution_Grp_Changed
Severity: Warning
Event IDs: 654, 4750
Description: Detects when a global distribution group was changed.

Table 6-47 Description of the Global Distribution Group Deleted parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Global Distribution Group Deleted
Rule Name: Global_Distribution_Grp_Deleted
Severity: Warning
Event IDs: 657, 4753
Description: Detects when a global distribution group was deleted.

Table 6-48 Description of the Universal Distribution Group Created parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Universal Distribution Group Created
Rule Name: Univ_Distribution_Grp_Created
Severity: Warning
Event IDs: 663, 4759
Description: Detects when a universal distribution group was created. Distribution lists can be created and managed through the Active Directory MMC snap-in. Universal distribution groups can include other groups and accounts from any domain in the domain tree or forest. They can be granted permissions in any domain in the domain tree or forest.

Table 6-49 Description of the Universal Distribution Group Changed parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Universal Distribution Group Changed
Rule Name: Univ_Distribution_Grp_Changed
Severity: Warning
Event IDs: 664, 4760
Description: Detects when a universal distribution group was changed.

Table 6-50 Description of the Universal Distribution Group Deleted parameters used
Option Path: System User and Group Change Monitor > System Group Changes
Option: Universal Distribution Group Deleted
Rule Name: Univ_Distribution_Grp_Deleted
Severity: Warning
Event IDs: 667, 4763
Description: Detects when a universal distribution group was deleted.

System Active Directory Change Monitor
This option group section of the policy monitors specific Active Directory-based events. These events include potentially suspicious domain trust events, FSMO changes, and authentication or encryption configuration changes. They may indicate malicious configuration that affects the Active Directory system itself as well as downstream systems.

Active Directory Domain Trust Configuration
This portion of the policy detects the creation or removal of a trusted domain relationship and changes to the Windows Domain Policy. Domain trust relationships allow multiple Windows domains to share resources. They also allow users from one domain to log on and interact as trusted users in a foreign domain. Creation or removal of trusted domain relationships is expected behavior in extended enterprises. If this behavior is unexpected, it could indicate a serious security compromise at the domain level.

Required audit configuration: Settings > Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Audit Policy. Set Audit account management to success and failure, and Audit policy change to success or failure. Without these audit settings Windows does not write the events below, and the rules have nothing to match.

Table 6-51 Description of the Trusted Domain Created parameters used
Option Path: System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option: Trusted Domain Created
Rule Name: Trusteded_Domain_Created (sic, as the guide lists it)
Severity: Warning
Event IDs: 610, 4706
Description: Detects the creation of a trusted domain relationship with the primary domain controller.

Table 6-52 Description of the Domain Policy Changed parameters used
Option Path: System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option: Domain Policy Changed
Rule Name: Domain_Policy_Changed
Severity: Warning
Event IDs: 643, 4739
Description: Detects all Windows Domain Policy changes.

Table 6-53 Description of the Trusted Domain Changed parameters used
Option Path: System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option: Trusted Domain Changed
Rule Name: Trusted_Domain_Changed
Severity: Warning
Event IDs: 620, 4716
Description: Detects the modification of trusted domain information.

Table 6-54 Description of the Trusted Domain Removed parameters used
Option Path: System Active Directory Change Monitor > Active Directory Domain Trust Configuration
Option: Trusted Domain Removed
Rule Name: Trusted_Domain_Removed
Severity: Warning
Event IDs: 611, 4707
Description: Detects the removal of a trusted domain relationship from the primary domain controller.

Active Directory FSMO Changes
This option group subsection monitors changes to Active Directory's Flexible Single Master Operations (FSMO) roles. Changes to the Schema Master, Domain Naming Master (listed as Domain Master below), RID Master, PDC Emulator, and Infrastructure Master are critical functions of Active Directory that should be monitored. Changes to these settings outside normal administrative tasks can indicate illegitimate activity. The event IDs used by these rules (565, 566, 4661, 4662) are directory service access events, so they are only written when Audit directory service access is enabled and the objects that hold the role owner attribute carry an audit SACL.

Table 6-55 Description of the Schema Master Changed parameters used
Option Path: System Active Directory Change Monitor > Active Directory FSMO Changes
Option: Schema Master Changed
Rule Name: Schema_Master_Changed
Severity: Warning
Event IDs: 565, 566, 4661, 4662
Description: Detects a change to the Active Directory FSMO schema master role.

Table 6-56 Description of the Domain Master Changed parameters used
Option Path: System Active Directory Change Monitor > Active Directory FSMO Changes
Option: Domain Master Changed
Rule Name: Domain_Master_Changed
Severity: Warning
Event IDs: 565, 566, 4661, 4662
Description: Detects a change to the Active Directory FSMO domain naming master role.

Table 6-57 Description of the RID Master Changed parameters used
Option Path: System Active Directory Change Monitor > Active Directory FSMO Changes
Option: RID Master Changed
Rule Name: RID_Master_Changed
Severity: Warning
Event IDs: 565, 566, 4661, 4662
Description: Detects a change to the Active Directory FSMO RID master role.

Table 6-58 Description of the PDC Emulator Changed parameters used
Option Path: System Active Directory Change Monitor > Active Directory FSMO Changes
Option: PDCEmulator Changed
Rule Name: PDCEmulator_Changed
Severity: Warning
Event IDs: 565, 566, 4661, 4662
Description: Detects a change to the Active Directory FSMO PDC emulator role.

Table 6-59 Description of the Infrastructure Master Changed parameters used
Option Path: System Active Directory Change Monitor > Active Directory FSMO Changes
Option: Infrastructure Master Changed
Rule Name: Infrastructure_Changed
Severity: Warning
Event IDs: 565, 566, 4661, 4662
Description: Detects a change to the Active Directory FSMO infrastructure master role.

Authentication and Encryption Configuration
This option group subsection detects normal Active Directory authentication activity as well as changes to Windows Active Directory authentication and encryption settings. Changes to these settings are normally necessary to allow non-Windows clients to access the domain. Windows writes the events to the event logs, and Symantec Critical System Protection monitors the registry keys or event IDs listed for each rule below.

Table 6-60 Description of the Authentication Packages Changed parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Authentication Packages Changed
Rule Name: Authentication_Packages_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Authentication Packages
Description: Detects changes to the Windows authentication packages, according to the registry value monitored. A DLL added to this value is loaded by the Local Security Authority at the next start, so an unexpected addition is a persistence and credential-access concern and should be compared against a known-good baseline rather than dismissed as configuration drift.

Table 6-61 Description of the Auth Ticket Request Failure parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Auth Ticket Request Failure
Rule Name: Auth_Ticket_Request_Failure
Severity: Notice
Event IDs: 676, 672, 4772, 4768
Description: Detects the failure of a Windows computer to obtain a Kerberos authentication ticket (TGT) from Active Directory. Note that 672 and 4768 are the ticket-granted events: on Windows Vista and later, a failed TGT request is recorded as 4768 with a failure Result Code, and 4772 is defined but not generated by the operating system, which is why the success IDs are part of this rule.

Table 6-62 Description of the EnableSecuritySignature Changed parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: EnableSecuritySignature Changed
Rule Name: EnableSecuritySignature_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanMan*\Parameters\EnableSecuritySignature
Description: Detects changes to the Windows SMB security signature (signing) state.

Table 6-63 Description of the Kerberos Ticket Request Failed parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Kerberos Ticket Request Failed
Rule Name: Kerberos_Service_Ticket_Request_Failed
Severity: Notice
Event IDs: 677, 673, 4773, 4769
Description: Detects the failure of a Windows computer to be granted a Kerberos service ticket by an Active Directory server. This failure may happen while security credentials are negotiated between the clients and the Active Directory server. It can also indicate that an untrusted client has attempted to access resources in this Active Directory domain. As with Table 6-61, 673 and 4769 are the ticket-granted events; on Windows Vista and later a failed service ticket request is logged as 4769 with a failure Result Code, and 4773 is defined but not generated.

Table 6-64 Description of the LMCompatibilityLevel Changed parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: LMCompatibilityLevel Changed
Rule Name: LMCompatibilityLevel_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel
Description: Detects changes to the LAN Manager authentication level, the registry value that controls which of LM, NTLM, and NTLMv2 the system sends and accepts. Lowering this value re-enables weaker challenge/response protocols, so a change outside planned work to support non-Windows clients deserves review.

Table 6-65 Description of the NotificationPackages Changed parameters used
Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: NotificationPackages Changed
Rule Name: NotificationPackages_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\NotificationPackages
Description: Detects changes in the state of the Windows Local Security Authority notification packages. Notification packages are the password filter DLLs that LSASS loads and calls with every cleartext password change, so an unexpected DLL added here is a known credential-capture technique and should be treated as such, not only as a configuration change.
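The two registry rules above (Tables 6-60 and 6-65) tell you that a value under Lsa changed, but the analyst's next question is what changed. The following added example (not product code) shows the baseline comparison that answers it in Python: it takes a snapshot of the watched REG_MULTI_SZ values, matches paths against the guide's *ControlSet* wildcards, and reports the DLL names added to or removed from a known-good list. The snapshot dictionaries and the name of the rogue filter DLL are constructed, and the baseline lists (msv1_0 for Authentication Packages, scecli for Notification Packages) are an assumption for the example; on a real host, take the baseline from a machine you trust, since domain controllers and servers with extra authentication software legitimately carry more entries.

```python
"""Baseline diff of the LSA package values watched by the registry rules (added example)."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Watched paths in the guide's own wildcard form (*ControlSet* covers ControlSet001 etc.).
WATCHED = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Authentication Packages",
    r"HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Notification Packages",
]

# Known-good values keyed by value name; an assumption for this example.
BASELINE = {
    "Authentication Packages": ["msv1_0"],
    "Notification Packages": ["scecli"],
}


def diff_lsa_packages(snapshot: Dict[str, List[str]]) -> List[Tuple[str, List[str], List[str]]]:
    """Return (path, added, removed) for every watched value that differs from the baseline."""
    findings = []
    for path, values in snapshot.items():
        if not any(fnmatchcase(path.lower(), w.lower()) for w in WATCHED):
            continue  # not one of the values the rules watch
        name = path.rsplit("\\", 1)[1]
        expected = {v.lower() for v in BASELINE[name]}
        current = {v.lower() for v in values}
        added, removed = sorted(current - expected), sorted(expected - current)
        if added or removed:
            findings.append((path, added, removed))
    return findings


# Constructed snapshot: a rogue password filter DLL has been registered.
SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages": ["msv1_0"],
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages": ["scecli", "pwdflt"],
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Security Packages": ["kerberos", "msv1_0"],
}

if __name__ == "__main__":
    for path, added, removed in diff_lsa_packages(SNAPSHOT):
        print(path, "added:", added, "removed:", removed)
```

Only the Notification Packages value is reported, with pwdflt as the addition; the Security Packages value is ignored because neither rule watches it, and the unchanged Authentication Packages value produces no finding.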

Table 6-66 Description of the Pre Authentication Failure parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Pre Authentication Failure
Rule Name: Pre_Authentication_Failure
Severity: Warning
Event IDs: 675, 4771
Description: Detects the failure of Windows to pre-authenticate with Active Directory. This event happens while satisfactory security credentials are negotiated between the clients and the Active Directory server. This detection can also indicate that an untrusted client has attempted to access the resources in this Active Directory domain.

Table 6-67 Description of the RequireSecureSign Changed parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: RequireSecureSign Changed
Rule Name: RequireSecureSign_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanMan*\Parameters\RequireSecuritySignature
Description: Detects changes in the Windows LanManager Security Signature requirement.

Table 6-68 Description of the RestrictNullSessAccess Changed parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: RestrictNullSessAccess Changed
Rule Name: RestrictNullSessAccess_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\RestrictNullSessAccess
Description: Detects changes in the Windows Null Session Access restrictions.

Table 6-69 Description of the Authentication Ticket Granted parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Authentication Ticket Granted
Rule Name: Authentication_Ticket_Granted
Severity: Notice
Event IDs: 672, 4768
Description: Detects when an Active Directory server grants an authentication ticket to a computer that runs Windows. This behavior is normal and often indicates that a domain user has logged on to a Windows client.

Table 6-70 Description of the Kerberos Policy Changed parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Kerberos Policy Changed
Rule Name: Kerberos_Policy_Changed
Severity: Notice
Event IDs: 617, 4713
Description: Detects updates to the Kerberos authentication policy. This normal activity occurs at 5-minute intervals when the domain group policy object is updated every 16 hours, regardless of the following items:

■ Policy object status

■ When the group policies are manually propagated

Table 6-71 Description of the Kerberos Service Ticket Granted parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Kerberos Service Ticket Granted
Rule Name: Kerberos_Service_Ticket_Granted
Severity: Notice
Event IDs: 673, 4769
Description: Detects the grant of a Kerberos service ticket to Windows by Active Directory. This event indicates that a client has been granted permission to interact in this Active Directory domain.

Table 6-72 Description of the Trusted Logon Process Register parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Trusted Logon Process Register
Rule Name: Trusted_Logon_Process_Register
Severity: Notice
Event IDs: 515, 4611
Description: Detects the Windows registration of a trusted logon process with the Local Security Authority.

Table 6-73 Description of the Encrypted Data Policy Change parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Encrypted Data Policy Change
Rule Name: Encrypted_Data_Policy_Change
Severity: Notice
Event IDs: 618, 4714
Description: Detects changes to the encrypted data recovery policy.

Table 6-74 Description of the Quality Service Policy Changes parameters used

Option Path: System Active Directory Change Monitor > Authentication and Encryption Configuration
Option: Quality Service Policy Changes
Rule Name: Quality_Service_Policy_Changed
Severity: Notice
Event IDs: 619, 4715
Description: Detects changes to the quality of service policy.

System Login Activity and Access Monitor

This option group section of the policy monitors system access activity that may indicate illegitimate activity. Portions of this section also monitor the successful logon attempts of individuals through various means. These monitoring areas can be used for the following tasks:

■ To acquire a timeline of when an individual has logged on to a specific system.

■ To detect other suspicious system access activity.

■ To alert on brute force password attempts.

System Login Success Monitor

This option group subsection monitors for successful logons through various means, such as remote desktop and FTP, and for logon attempts during user-defined non-working hours. You can match these rules with System Logoff Monitoring to build a timeline of individual logon activity.

Table 6-75 Description of the Account Used for Logon parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: Account Used for Logon
Rule Name: System_Logon_Success_Account_Used_for_Logon
Severity: Notice
Event IDs: 680, 4776
Description: Detects the account that was used for the logon. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the Windows Security Policy auditing system determines that an account has been used to log on, it reports this event.

Table 6-76 Description of the by Admin to Desktop parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Admin to Desktop
Rule Name: System_Logon_Success_by_Admin_to_Desktop
Severity: Notice
Event IDs: 528, 4624
Description: Detects a successful administrator logon to a system's desktop, including local and terminal service logons. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the Windows Security Policy auditing system determines that an administrator successfully logged on, it reports this event.

Table 6-77 Description of the by Admin via Remote Connection parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Admin via Remote Connection
Rule Name: Successful_Login_Admin_via_Remote_Connection
Severity: Notice
Event IDs: 528, 540, 4624
Description: Detects a successful administrator logon from a shared network resource, for example, IIS, FTP, or Telnet. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the Windows Security Policy auditing system determines that an administrator successfully logged on from a remote connection, it reports this event.

Table 6-78 Description of the by Anonymous to IIS or FTP parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Anonymous to IIS or FTP
Rule Name: Successful_Login_Anon_to_IIS_or_FTP
Severity: Notice
Event IDs: 528, 540, 4624, 4636
Description: Detects a successful anonymous access through IIS or FTP. This rule triggers only on the initial access to the Web site by any browser. If Web traffic is sporadic, the logon expires once the inactive-connection timeout elapses.

Table 6-79 Description of the by Guest to Desktop parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Guest to Desktop
Rule Name: Successful_Login_Guest_to_Desktop
Severity: Notice
Event IDs: 528, 4624
Description: Detects a successful guest logon to a system's desktop. This detection includes local logons and terminal service logons. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the Windows Security Policy auditing system determines that a guest successfully logged on, it reports this event.

Table 6-80 Description of the by Guest via Remote Connection parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by Guest via Remote Connection
Rule Name: Successful_Login_Guest_via_Remote_Connection
Severity: Notice
Event IDs: 528, 540, 4624, 4636
Description: Detects a successful guest logon through a shared network resource, for example, IIS, FTP, or Telnet. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When it determines that a guest successfully logged on through a remote connection, it reports this event.

Table 6-81 Description of the by User to Desktop parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by User to Desktop
Rule Name: Successful_Login_User_to_Desktop
Severity: Notice
Event IDs: 528, 4624
Description: Detects a successful user logon to a system's desktop, including local logons and terminal service logons. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the Windows Security Policy auditing system determines that a user successfully logged on, it reports this event.

Table 6-82 Description of the by User via Remote Connection parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: by User via Remote Connection
Rule Name: Successful_Login_User_via_Remote_Connection
Severity: Notice
Event IDs: 528, 540, 4624, 4636
Description: Detects a successful user logon through a shared network resource, for example, IIS, FTP, or Telnet. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When it determines that a user has logged on through a remote connection, it reports this event.

Table 6-83 Description of the Non Working Hours Rules Login Success parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: Non Working Hours Rules Login Success
Rule Name: System_Unlocked_After_Hours
Severity: Warning
Event IDs: 528, 4624
Description: Detects when a system desktop is unlocked after normal business hours. By default, after business hours is defined as Monday through Friday from 7:00 P.M. to 6:00 A.M. You can configure the Windows Security Policy auditing system to monitor the status of unlocking events. When the Windows Security Policy auditing system determines that a user successfully unlocked the workstation outside of normal working hours, it reports this event.

Table 6-84 Description of the System Unlocked During Weekends parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor
Option: System Unlocked During Weekends
Rule Name: System_Unlocked_During_Weekends
Severity: Warning
Event IDs: 528, 4624
Description: Detects when a system desktop is unlocked during weekends. By default, weekend is defined as Friday 7:00 P.M. to Monday 6:00 A.M. You can configure the Windows Security Policy auditing system to monitor the status of unlocking events. When the Windows Security Policy auditing system determines that a user successfully unlocked the workstation outside of normal working hours, it reports this event.

System Logoff Monitor

This portion of the policy detects all successful Windows logoff events. You can derive individual user logon times from the events that this portion of the policy generates by comparing the logoff events with the corresponding successful logon events.
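The logon-to-logoff correlation that the System Login Success Monitor and System Logoff Monitor sections describe, with each session classified against the after-hours and weekend windows the System Unlocked rules define, as an added Python example that is not code from the Symantec policy or agent. The event records, their field names and the Logon ID values are constructed sample data; pairing on the Logon ID is an assumption of the example.

```python
"""Session timeline from Windows logon and logoff audit events.
Added example for this section; not code from the Symantec policy or agent."""
from datetime import datetime, time

LOGON_IDS = {528, 540, 4624}      # IDs listed by the System Login Success rules
LOGOFF_IDS = {538, 4634, 4647}    # IDs listed by the System Logoff Monitor rules

# Policy defaults quoted above: after hours is 7:00 P.M. to 6:00 A.M. on weekdays,
# weekend is Friday 7:00 P.M. through Monday 6:00 A.M.
AFTER_HOURS_START = time(19, 0)
AFTER_HOURS_END = time(6, 0)

# Constructed sample records. A logon is paired with its logoff through the
# Logon ID that Windows stamps on both events; account names alone are ambiguous.
SAMPLE_EVENTS = [
    {"time": "2012-03-05 08:55:00", "id": 4624, "user": "jdoe", "logon_id": "0x3e7a1"},   # Monday
    {"time": "2012-03-05 17:40:00", "id": 4634, "user": "jdoe", "logon_id": "0x3e7a1"},
    {"time": "2012-03-06 21:15:00", "id": 4624, "user": "admin", "logon_id": "0x4c210"},  # Tuesday night
    {"time": "2012-03-06 22:02:00", "id": 4647, "user": "admin", "logon_id": "0x4c210"},
    {"time": "2012-03-10 10:00:00", "id": 4624, "user": "guest", "logon_id": "0x51b00"},  # Saturday
    {"time": "2012-03-11 03:30:00", "id": 4624, "user": "svc", "logon_id": "0x5f001"},    # Sunday, no logoff
]


def classify_time(ts):
    """'weekend' for Friday 7 P.M. through Monday 6 A.M., 'after_hours' for a
    weeknight 7 P.M. to 6 A.M., otherwise 'business'."""
    wd, t = ts.weekday(), ts.time()          # Monday == 0 ... Sunday == 6
    if wd in (5, 6) or (wd == 4 and t >= AFTER_HOURS_START) or (wd == 0 and t < AFTER_HOURS_END):
        return "weekend"
    if t >= AFTER_HOURS_START or t < AFTER_HOURS_END:
        return "after_hours"
    return "business"


def period_of(ts_str):
    """Convenience wrapper: classify a 'YYYY-MM-DD HH:MM:SS' string."""
    return classify_time(datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"))


def build_timeline(events):
    """Pair each logon with the logoff carrying the same Logon ID. Returns sessions
    ordered by logon time; duration is in seconds, or None if no logoff was seen."""
    open_sessions = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev["id"] in LOGON_IDS:
            open_sessions[ev["logon_id"]] = {
                "user": ev["user"], "logon": ev["time"], "logoff": None,
                "period": classify_time(ts), "duration": None, "_start": ts}
        elif ev["id"] in LOGOFF_IDS and ev["logon_id"] in open_sessions:
            s = open_sessions.pop(ev["logon_id"])
            s["logoff"] = ev["time"]
            s["duration"] = int((ts - s["_start"]).total_seconds())
            sessions.append(s)
    # Logons still open at the end of the data: the user is still logged on,
    # or the logoff was not audited. They are kept so they are not lost.
    sessions.extend(open_sessions.values())
    for s in sessions:
        del s["_start"]
    return sorted(sessions, key=lambda s: s["logon"])


if __name__ == "__main__":
    for session in build_timeline(SAMPLE_EVENTS):
        print(session)
```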

Table 6-85 Description of the by Admin parameters used

Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by Admin
Rule Name: Logoff_by_Admin
Severity: Warning
Event IDs: 538, 4634, 4647
Description: Detects that an administrator has successfully logged off a system from a remote location. You can configure the Windows Security Policy auditing system to monitor the status of logoff attempts. When the auditing system determines that an administrator successfully logged off the workstation from a local location or a remote location, it reports this event.

Table 6-86 Description of the by Guest parameters used

Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by Guest
Rule Name: Logoff_by_Guest
Severity: Notice
Event IDs: 538, 4634, 4647
Description: Detects that a guest has successfully logged off a system. You can configure the Windows Security Policy auditing system to monitor the status of logoff attempts. When the auditing system determines that a guest has successfully logged off the workstation from a local location or a remote location, it reports this event.

Table 6-87 Description of the by User parameters used

Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by User
Rule Name: Logoff_by_User
Severity: Notice
Event IDs: 538, 4634, 4647
Description: Detects that a user has successfully logged off a system. You can configure the Windows Security Policy auditing system to monitor the status of logoff attempts. When the auditing system determines that a user successfully logged off the workstation from a local location or a remote location, it reports this event.

Table 6-88 Description of the by Specific User parameters used

Option Path: System Login Activity and Access Monitor > System Logoff Monitor
Option: by Specific User
Rule Name: System_Logoff_by_SpecificUser
Severity: Notice
Event IDs: 538, 4634, 4647
Description: Detects that a specific user-defined user or users have successfully logged off a system. You can configure the Windows Security Policy auditing system to monitor the status of logoff attempts. When the auditing system determines that a user successfully logged off the workstation from a local location or a remote location, it reports this event.

System Failed Login Monitor

This option group subsection detects when a user has failed to authenticate, that is, has failed to log on to a Windows system either as a local user or as a member of a domain. This activity most often indicates normal behavior, ranging from expired passwords to a user who forgets a current password. However, it may also indicate attempts by an unauthorized user to gain illegitimate access to the system or the domain.

Note: The first option under System Failed Login Monitor, N Tries, allows the administrator to set threshold-based alerting on all failed logon events. For example, an N Tries setting of 3 and an Interval of 1 minute generates an alert only if a user makes more than three failed logon attempts within the 1-minute interval. You can use this option to detect brute force credential attacks.
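The N Tries and Interval thresholds in the note, worked through as an added Python example that is not code from the Symantec policy or agent: failed-logon events are kept in a per-account sliding window, and one alert is raised per burst once the window holds more than N Tries failures. The event tuples are constructed sample data.

```python
"""Threshold alerting on failed logons, modelled on the N Tries / Interval option.
Added example for this section; not code from the Symantec policy or agent."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event ID, account). 4625 is the failed-logon
# ID the rules below list for Vista and later; 529 is the pre-Vista equivalent.
SAMPLE_EVENTS = [
    ("2012-03-01 09:00:05", 4625, "jdoe"),
    ("2012-03-01 09:00:20", 4625, "jdoe"),
    ("2012-03-01 09:00:35", 4625, "jdoe"),
    ("2012-03-01 09:00:50", 4625, "jdoe"),    # fourth failure within a minute: alert
    ("2012-03-01 09:00:55", 4625, "jdoe"),    # same burst, no second alert
    ("2012-03-01 09:03:00", 4625, "asmith"),
    ("2012-03-01 09:05:00", 4625, "asmith"),  # two minutes apart: never more than
    ("2012-03-01 09:07:00", 4625, "asmith"),  # one failure per one-minute window
    ("2012-03-01 09:09:00", 4625, "asmith"),
    ("2012-03-01 09:10:00", 4624, "asmith"),  # successful logon, not counted
]

FAILED_LOGON_IDS = {529, 4625}


def detect_bursts(events, n_tries=3, interval=timedelta(minutes=1)):
    """Return one alert per account burst in which strictly more than n_tries
    failed logons fall inside a window of length `interval` (the note's
    'more than three attempts within 1 minute')."""
    recent = defaultdict(deque)   # account -> timestamps of failures still in window
    in_burst = set()              # accounts already alerted for the current burst
    alerts = []
    for ts_str, event_id, account in sorted(events):
        if event_id not in FAILED_LOGON_IDS:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        window = recent[account]
        window.append(ts)
        while window and ts - window[0] > interval:   # expire failures older than the interval
            window.popleft()
        if len(window) <= n_tries:
            in_burst.discard(account)   # burst has subsided; a later one may alert again
        elif account not in in_burst:
            alerts.append({"account": account, "count": len(window),
                           "first": window[0].isoformat(sep=" "),
                           "last": ts.isoformat(sep=" ")})
            in_burst.add(account)
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```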

Table 6-89 Description of the Account Disabled parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Account Disabled
Rule Name: Account_Disabled
Severity: Warning
Event IDs: 531, 4625
Description: Detects when a user has failed to access the client due to a disabled account. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon failed because the account was disabled, it reports this event.

Table 6-90 Description of the Account Expired parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Account Expired
Rule Name: Account_Expired
Severity: Notice
Event IDs: 532, 4625
Description: Detects when a user has failed to access the client due to an expired account. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon has failed because the account has expired, it reports this event.

Table 6-91 Description of the Account Locked Out parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Account Locked Out
Rule Name: Account_Locked_Out
Severity: Warning
Event IDs: 539, 4740
Description: Detects when a user has failed to access the client due to a lock on the account. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon has failed because the account was locked out, it reports this event.

Table 6-92 Description of the By Admin to Desktop parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Admin to Desktop
Rule Name: Login_Failed_Admin_to_Desktop
Severity: Warning
Event IDs: 529, 4625
Description: Detects when an administrator has failed to log on to a system's desktop, either locally or through Terminal Services. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that an administrator has failed to log on to the local desktop or through Terminal Services, it reports this event.

Table 6-93 Description of the By Admin via Remote Connection parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Admin via Remote Connection
Rule Name: Login_Failed_Admin_via_Remote_Connection
Severity: Warning
Event IDs: 529, 4625
Description: Detects when an administrator has failed to log on to a system or to a domain on the network. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that an administrator has failed to log on through a remote connection, it reports this event.

Table 6-94 Description of the By Guest to Desktop parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Guest to Desktop
Rule Name: Login_Failed_Guest_to_Desktop
Severity: Warning
Event IDs: 529, 4625
Description: Detects when a guest has failed to log on to a system's desktop, either locally or through Terminal Services. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a guest has failed to log on, it reports this event.

Table 6-95 Description of the By Guest via Remote Connection parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By Guest via Remote Connection
Rule Name: Login_Failed_Guest_via_Remote_Connection
Severity: Warning
Event IDs: 529, 4625
Description: Detects when a guest has failed to log on to a system or domain on the network. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a guest has failed to log on through a remote connection, it reports this event.

Table 6-96 Description of the By User to Desktop parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By User to Desktop
Rule Name: Login_Failed_User_to_Desktop
Severity: Notice
Event IDs: 529, 4625
Description: Detects when a user has failed to log on to a system's desktop, either locally or through Terminal Services. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a user has failed to log on to the local desktop, it reports this event.

Table 6-97 Description of the By User via Remote Connection parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: By User via Remote Connection
Rule Name: Login_Failed_User_via_Remote_Connection
Severity: Notice
Event IDs: 529, 4625
Description: Detects when a user has failed to log on to a system or domain on the network. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a user has failed to log on through a remote connection, it reports this event.

Table 6-98 Description of the Logon Failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Logon Failure
Rule Name: Login_Failed_Generic
Severity: Notice
Event IDs: 537
Description: Detects when an unexpected error has occurred during logon. A failed authentication by a cleartext password, Windows NT LAN Manager, or the Windows Kerberos security authentication system can cause this error. This detection may also indicate a failure to access the File Transfer Protocol (FTP) services that are related to Microsoft Internet Information Server (IIS).

Table 6-99 Description of the Logon to Account parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Logon to Account
Rule Name: Logon_to_Account_Failed
Severity: Notice
Event IDs: 681
Description: Detects when a down-level client fails a logon attempt. Windows generates an error message on the Windows domain controller. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a domain logon failed, it reports this event.

Table 6-100 Description of the Password Expired parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Password Expired
Rule Name: Password_Expired
Severity: Notice
Event IDs: 535, 4625
Description: Detects when a user has failed to access a client due to an expired account password. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon failed due to an expired account, it reports this event.

Table 6-101 Description of the Unauthorized Access parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Unauthorized Access
Rule Name: Unauthorized_Access
Severity: Warning
Event IDs: 534, 4625
Description: Detects when a user has failed to access a client because the local access rights or the remote access rights have not been granted to the user. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon failed due to a disabled account, it reports this event.

Table 6-102 Description of the Unauthorized Location parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Unauthorized Location
Rule Name: Unauthorized_Location
Severity: Warning
Event IDs: 533, 4625
Description: Detects when a user has failed to access the domain because the client is not authorized to participate in the domain. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that a logon has failed because the logon was attempted from an unauthorized client, it reports this event.

Table 6-103 Description of the Unauthorized Time parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor
Option: Unauthorized Time
Rule Name: Unauthorized_Time
Severity: Warning
Event IDs: 530, 4625
Description: Detects when a domain user has failed to access a client because the account is not authorized to access the domain during this time period. You can configure the Windows Security Policy auditing system to monitor the status of logon attempts. When the auditing system determines that the failure has occurred because the account was not allowed to log on during this time period, it reports this event.

System Hardening Monitor

This option group section detects changes to the user-configurable registry keys that are considered sensitive in maintaining the security posture of the operating system. Various areas are monitored to generate events for the administrator if either of the following entities changed any of the selected values:

■ Malware

■ A malicious individual attempting to lower the security posture of the host system

System Autorun Configuration

This option group subsection detects modifications of the system configuration that change whether it automatically runs code during system startup or from newly inserted CD-ROMs. This behavior is normal if an administrator needs to change autorun behavior. If unexpected, it can indicate that the system is being prepared to operate outside established security policy, or that it is about to be compromised. This policy should be applied on all Windows agents, and no configuration changes are required for this policy to work.

Note: The final option set, User Desktop Logon Check, enables a function of these rules to only monitor and generate an event if a user is logged on.
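The registry-path rules in this chapter are written with `*` wildcards (for example `*ControlSet*`, `LanMan*` and `Run\*`). The following added Python example, which is not code from the Symantec policy or agent, shows how such patterns can be matched against registry-change events and how the User Desktop Logon Check gate applies to the autorun rules; the event record format and the "weakens posture" direction checks are assumptions of the example, and the sample events are constructed.

```python
"""Matching the wildcard registry paths of the hardening rules against
registry-change events. Added example for this section; not Symantec code."""
import fnmatch

# (rule name, severity, registry path pattern, gated by User Desktop Logon Check)
# Names, severities and patterns are copied from this chapter's tables.
RULES = [
    ("LMCompatibilityLevel_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel", False),
    ("RequireSecureSign_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanMan*\Parameters\RequireSecuritySignature", False),
    ("CDROM_Value_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Cdrom\Autorun", True),
    ("Run_Key_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*", True),
    ("RunOnceEx_Key_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\*", True),
]

# Which direction of change lowers the security posture. This is an assumption of
# the example based on the documented meaning of each value, not taken from the guide.
WEAKENS = {
    "LMCompatibilityLevel_Changed": lambda old, new: new < old,   # LM/NTLMv1 accepted again
    "RequireSecureSign_Changed": lambda old, new: new == 0,       # SMB signing no longer required
    "CDROM_Value_Changed": lambda old, new: new == 1,             # CD-ROM autorun re-enabled
}

# Constructed sample registry-change events.
SAMPLE_EVENTS = [
    {"path": r"\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\LmCompatibilityLevel",
     "old": 5, "new": 1},
    {"path": r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature",
     "old": 1, "new": 0},
    {"path": r"\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "old": None, "new": r"C:\Temp\u.exe"},
    {"path": r"\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "old": None, "new": "x"},                      # neither Run\* nor RunOnceEx\*: no rule
    {"path": r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect",
     "old": 1, "new": 0},                           # no rule in this example's table
]


def path_matches(pattern, path):
    """Registry paths are case-insensitive; '*' matches any run of characters,
    including backslashes, so *ControlSet* covers ControlSet001 and CurrentControlSet."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def evaluate(events, user_logged_on=True, rules=RULES):
    """Return one hit per event that matches a rule (first matching rule wins).
    Rules flagged as gated raise nothing unless a user is logged on, following the
    User Desktop Logon Check note above."""
    hits = []
    for ev in events:
        for name, severity, pattern, gated in rules:
            if gated and not user_logged_on:
                continue
            if path_matches(pattern, ev["path"]):
                weaker = WEAKENS.get(name, lambda old, new: False)
                hits.append({"rule": name, "severity": severity, "path": ev["path"],
                             "weakens_posture": bool(weaker(ev["old"], ev["new"]))})
                break
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```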

Table 6-104 Description of the CDROM Value Changed parameters used

Option Path: System Hardening Monitor > System AutoRun Configuration
Option: CDROM Value Changed
Rule Name: CDROM_Value_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Cdrom\Autorun
Description: Detects changes to the CD-ROM AutoRun behavior, according to the registry setting HKLM\System\CurrentControlSet\Services\Cdrom key, Autorun value. This value determines whether the system automatically runs code from newly inserted CD-ROMs.

Table 6-105 Description of the Run Key Changed parameters used

Option Path: System Hardening Monitor > System AutoRun Configuration
Option: Run Key Changed
Rule Name: Run_Key_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
Description: Detects changes to the Run registry key, according to the registry setting HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.

Table 6-106 Description of the RunOnceEx Key Changed parameters used

Option Path: System Hardening Monitor > System AutoRun Configuration
Option: RunOnceEx Key Changed
Rule Name: RunOnceEx_Key_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\*
Description: Detects changes to the RunOnceEx registry key, according to the registry setting HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key. The system configuration has been modified to change the behavior of the system the next time a user logs on. This key allows a specified routine or a list of routines to execute once. It then clears itself so that it does not run on the next logon.

Table 6-107 Description of the Userinit Value Changed parameters used

Option Path: System Hardening Monitor > System AutoRun Configuration
Option: Userinit Value Changed
Rule Name: Userinit_Value_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Description: Detects a change of the Userinit value, according to the registry setting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key, Userinit value. This value specifies the program that Winlogon runs when a user logs on, which is typically Userinit.exe. A change here is unusual; it would be expected only if the system was updated to run enterprise-specific routines first and then Userinit.exe or Explorer.exe.

Table 6-108 Description of the User Desktop Logon Check parameters used

Option Path: System Hardening Monitor > System AutoRun Configuration
Description: Detects a successful user logon and sets a flag. This setting ensures that the rules within this portion of the policy do not create false positives when a normal non-administrative user sets specific areas that are otherwise monitored. It is recommended that this setting remain turned on to prevent false positives.

Network Comm Configuration

This option group subsection detects changes to the various registry keys that deal with network and communication settings. This policy can be applied to any Windows server. Unauthorized or unknown network changes, as monitored in this portion of the policy, may indicate suspicious activity.

Table 6-109 Description of the Autodisconnect Changed parameters used

Option Path: System Hardening Monitor > Network Comm Configuration
Option: Autodisconnect Changed
Rule Name: Autodisconnect_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\autodisconnect
Description: Detects changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\autodisconnect registry value. This value determines the time that is allowed for an inactive connection before it is automatically disconnected.

Table 6-110 Description of the TcpMaxDupAcks Changed parameters used

Option Path: System Hardening Monitor > Network Comm Configuration
Option: TcpMaxDupAcks Changed
Rule Name: TcpMaxDupAcks_Changed
Severity: Warning
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\TcpMaxDupAcks
Description: Detects changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDupAcks registry key. This registry key determines the number of duplicate ACKs that must be received for the same sequence number of sent data before a fast retransmit is triggered to resend the segment that was dropped in transit.


System File Protection Status

This option group subsection detects the events that the Windows File Protection (WFP) System reports. The WFP monitors the critical operating system files that should remain available, but should not change during the course of operation. If a monitored file is deleted or modified, or its attributes are changed, the WFP immediately restores the file to its original configuration. These events can occur for a number of reasons. The reasons include third-party software installation, system misconfiguration, or illegitimate manipulation. Activation of WFP file restoration procedures may be a response to illegitimate activity.

Table 6-111 Description of the File Restoration Failed parameters used

Option Path: System Hardening Monitor > System File Protection Status
Option: File Restoration Failed
Rule Name: File_Restoration_Failed
Severity: Critical
Event IDs: 64004, 64007, 64006, 64021, 64005, 64008
Description: Detects when a file that the Windows File Protection System protects cannot be restored. The Windows File Protection System monitors the status of protected files and attempts to restore them to their original condition when it detects any changes. If the Windows File Protection System determines that it cannot successfully restore the file, it reports this error.

Table 6-112 Description of the File Restoration Success parameters used

Option Path: System Hardening Monitor > System File Protection Status
Option: File Restoration Success
Rule Name: File_Restoration_Success
Severity: Warning
Event IDs: 64000, 64003, 64019, 64020, 64001, 64002
Description: Detects when a file that the Windows File Protection System protects has been restored. The Windows File Protection System monitors the status of protected files and restores them to their original condition when it detects any changes. If the Windows File Protection System determines that it successfully restored a file, it reports this status.

Table 6-113 Description of the WFP Errors parameters used

Option Path: System Hardening Monitor > System File Protection Status
Option: WFP Errors
Rule Name: WFP_Errors
Severity: Critical
Event IDs: 64034, 64033, 64032
Description: Detects when the Windows File Protection System has detected a configuration error. The Windows File Protection System monitors its ability to access a protected file cache. It also monitors the active state or initialized state of the File Protection System. If the Windows File Protection System determines that it cannot access the cache, or that its state is inactive or not initialized, it reports these errors.

Table 6-114 Description of the Scanning Started parameters used

Option Path: System Hardening Monitor > System File Protection Status
Option: Scanning Started
Rule Name: Scanning_Started
Severity: Notice
Event IDs: 64016
Description: Detects when the Windows File Protection System has started a scan of critical system files. The Windows File Protection System scans the protected files to determine their condition. When the Windows File Protection System determines that it successfully started a scan, it reports this status.

Table 6-115 Description of the Scanning Completed parameters used

Option Path: System Hardening Monitor > System File Protection Status
Option: Scanning Completed
Rule Name: Scanning_Completed
Severity: Notice
Event IDs: 64017
Description: Detects when the Windows File Protection System has completed a scan of critical system files. The Windows File Protection System scans these protected files to determine their condition. When the Windows File Protection System determines that it successfully completed a scan, it reports this status.

Table 6-116 Description of the Scanning Canceled parameters used

Option Path: System Hardening Monitor > System File Protection Status
Option: Scanning Canceled
Rule Name: Scanning_Canceled
Severity: Warning
Event IDs: 64018
Description: Detects when a Windows File Protection System scan has been canceled. The Windows File Protection System scans these protected files to determine their condition. When the Windows File Protection System determines that a command has interrupted the scanning process, it reports this status.


System Security Configuration

This option group subsection detects changes to the various registry keys that deal with the typical security settings of a host system. These settings range from protection mode changes to how legal captions are viewed upon logon. See the individual rule description for more information.

Table 6-117 Description of the AllocateCdroms Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: AllocateCdroms Changed
Rule Name: AllocateCdroms_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key AllocateCdroms value. This value determines whether data in the CD-ROM drive is accessible to other users.

Table 6-118 Description of the AllocateFloppies Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: AllocateFloppies Changed
Rule Name: AllocateFloppies_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key AllocateFloppies value. This value determines whether data in the floppy disk drive is accessible to other users.


Table 6-119 Description of the AutoShareServer Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: AutoShareServer Changed
Rule Name: AutoShareServer_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\AutoShareServer
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key AutoShareServer value. This value creates the administrative shares (C, D, ADMIN) for the physical drives.

Table 6-120 Description of the AutoShareWks Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: AutoShareWks Changed
Rule Name: AutoShareWks_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\AutoShareWks
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key AutoShareWks value. This value is responsible for enabling and disabling the automatic sharing of hidden shares.

Table 6-121 Description of the ComSpec Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: ComSpec Changed
Rule Name: ComSpec_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\ComSpec
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key ComSpec value. This value is responsible for defining the path to the DOS command interpreter, Command.com.

Table 6-122 Description of the Debugger Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Debugger Changed
Rule Name: Debugger_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
Description: Detects any changes or attempted changes to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug key Debugger value. This value is responsible for determining whether to automatically spawn the Win32 debugger during an application fault.

Table 6-123 Description of the Directory Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Directory Changed
Rule Name: Directory_Changed
Severity: Critical
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Windows\Directory
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Windows key Directory value. This value contains the information that helps to define the system directories for the Win32 subsystem.

Table 6-124 Description of the DisableTaskMgr Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: DisableTaskMgr Changed
Rule Name: DisableTaskMgr_Changed
Severity: Warning
Registry Keys: \HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Description: Detects any changes or attempted changes to the HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System key DisableTaskMgr value. This value controls the ability of users to start Task Manager and view processes and running applications. It also controls the ability of users to make changes to the priority or state of the individual processes.

Table 6-125 Description of the DontDisplayLastUserName Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: DontDisplayLastUserName Changed
Rule Name: DontDisplayLastUserName_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system key DontDisplayLastUserName value. If you enable this value, the user name box on the logon screen is blank. This behavior prevents the people that log on from knowing the last user to access the system.

Table 6-126 Description of the Hidden Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Hidden Changed
Rule Name: Hidden_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\hidden
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key hidden value. This value is responsible for hiding a server from the Network Browser.

Table 6-127 Description of the LegalNoticeCaption Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: LegalNoticeCaption Changed
Rule Name: LegalNoticeCaption_Changed
Severity: Info
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
Description: Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption value or to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption value. This value creates a dialog box that is presented to any users before they log onto the system.

Table 6-128 Description of the LegalNoticeText Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: LegalNoticeText Changed
Rule Name: LegalNoticeText_Changed
Severity: Info
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LegalNoticeText
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key LegalNoticeText value or to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system key LegalNoticeText value. This value creates a dialog box that is presented to any users before they log onto the system.

Table 6-129 Description of the PasswordExpiryWarning Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: PasswordExpiryWarning Changed
Rule Name: PasswordExpiryWarning_Changed
Severity: Info
Registry Keys: \HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key PasswordExpiryWarning value. This value is responsible for informing users of how many days are left until their password expires.

Table 6-130 Description of the Path Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Path Changed
Rule Name: Path_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\Path
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key Path value. This value determines the directory search order for all open applications on your target system.

Table 6-131 Description of the SubmitControl Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: SubmitControl Changed
Rule Name: SubmitControl_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\SubmitControl
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key SubmitControl value. This value gives other users (e.g., Server Operators) permission to issue AT commands.

Table 6-132 Description of the SystemDirectory Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: SystemDirectory Changed
Rule Name: SystemDirectory_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Windows\SystemDirectory
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Windows key SystemDirectory value. This value contains the entries that define the system directories for the Win32 subsystem.

Table 6-133 Description of the Users Connect Count Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Users Connect Count Changed
Rule Name: Users_Connect_Count_Changed
Severity: Info
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Parameters\Users
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key Users value. This value is responsible for allowing more than 10 clients to connect to a computer.


Table 6-134 Description of the VDD Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: VDD Changed
Rule Name: VDD_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\VirtualDeviceDrivers\VDD
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers key VDD value. This value is responsible for determining which virtual device drivers are used on program install.

Table 6-135 Description of the AddPrintDrivers Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: AddPrintDrivers Changed
Rule Name: AddPrintDrivers_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers key AddPrinterDrivers value. This value restricts the installation of printer drivers to only Administrators and Print Operators.

Table 6-136 Description of the RestrictAnonymous Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: RestrictAnonymous Changed
Rule Name: RestrictAnonymnus_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\RestrictAnonymous
Description: Detects any changes to the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous key. This value is responsible for restricting who has access to the registry.

Table 6-137 Description of the Driver Signing Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Driver Signing Changed
Rule Name: Driver_Signing_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing\Policy
Description: Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing key Policy value. This value is responsible for determining what to do when an attempt is made to install a driver without a valid Catalog file.

Table 6-138 Description of the Non Driver Signing Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Non Driver Signing Changed
Rule Name: Non_Driver_Signing_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy
Description: Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing key Policy value. This value is responsible for allowing unsigned drivers to be installed.

Table 6-139 Description of the Local Auto Logoff Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Local Auto Logoff Changed
Rule Name: Local_Auto_Logoff_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\lanmanserver\parameters\enableforcedlogoff
Description: Detects any changes or attempted changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\enableforcedlogoff key. This key is responsible for automatically logging off users when logon time expires (local).

Table 6-140 Description of the FullPrivilegeAuditing Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: FullPrivilegeAuditing Changed
Rule Name: FullPrivilegeAuditing_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\fullprivilegeauditing
Description: Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key fullprivilegeauditing value. This value is responsible for the Backup and Restore privileges in the user rights audit class.


Table 6-141 Description of the SmartCard Behavior Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: SmartCard Behavior Changed
Rule Name: SmartCard_Behavior_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key scremoveoption value. This value locks the computer when a smart card is removed.

Table 6-142 Description of the Recovery Console Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Recovery Console Changed
Rule Name: Recovery_Console_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\*
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel and SetCommand keys. These keys determine if the Recovery Console is to be used when Windows crashes.

Table 6-143 Description of the NTFS MediaEject Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: NTFS MediaEject Changed
Rule Name: NTFS_MediaEject_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\allocatedasd
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\allocatedasd key. This value determines whether the ability to access removable drives is available to other users.

Table 6-144 Description of the CTRL ALT DEL for Logon Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: CTRL ALT DEL for Logon Changed
Rule Name: CTRL_ALT_DEL_for_Logon_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\disablecad
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system key disablecad value. This value controls whether users are required to press Ctrl + Alt + Delete before logging into the system.

Table 6-145 Description of the Protection Mode Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Protection Mode Changed
Rule Name: Protection_Mode_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\ProtectionMode
Description: Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode key. This key is responsible for strengthening default permissions of global system objects.

Table 6-146 Description of the Plaintext Password Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Plaintext Password Changed
Rule Name: Plaintext_Password_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\lanmanworkstation\parameters\enableplaintextpassword
Description: Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\enableplaintextpassword key. This key enables unencrypted passwords to connect to third-party SMB servers.

Table 6-147 Description of the CrashOnAuditFail Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: CrashOnAuditFail Changed
Rule Name: CrashOnAuditFail_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\crashonauditfail
Description: Detects any changes or attempted changes to the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key crashonauditfail value. This value determines system behavior when the Security log (Event Viewer) is full.


Table 6-148 Description of the Sys Maintenance RegKey Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Sys Maintenance RegKey Changed
Rule Name: Sys_Maintenance_RegKey_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\DisablePasswordChange
Description: Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange key. This key enables system maintenance of account passwords.

Table 6-149 Description of the Secure Channel Sign RegKey Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Secure Channel Sign RegKey Changed
Rule Name: Secure_Ch_Sign_Regkey_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\signsecurechannel
Description: Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel key. This key determines whether or not you require Secure Channel to digitally sign secure channel data, when possible.

Table 6-150 Description of the Secure Channel Always RegKey Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Secure Channel Always RegKey Changed
Rule Name: Secure_Ch_Always_Regkey_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\requiresignorseal
Description: Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal key. This key determines whether or not you always require Secure Channel to digitally encrypt or sign secure channel data.

Table 6-151 Description of the Secure Channel Strong RegKey Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: Secure Channel Strong RegKey Changed
Rule Name: Secure_Ch_Strong_Regkey_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\requirestrongkey
Description: Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey key. This key determines whether or not you require Secure Channel to use a strong session key.

Table 6-152 Description of the Secure Channel Encrypt Required RegKey Changed parameters used

Option Path: System Hardening Monitor > System Security Configuration
Option: SecureChannel Encrypt Required RegKey Changed
Rule Name: SecureCh_Encrypt_RegKey_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Netlogon\Parameters\sealsecurechannel
Description: Detects any changes to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel key. This key determines whether or not you require Secure Channel to digitally encrypt secure channel data, when possible.

System StartStop Options

This option group subsection detects changes to the various registry keys that deal with typical startup and shutdown settings. See the rule descriptions for further information on rule function.

Table 6-153 Description of the BootExecute Changed parameters used

Option Path: System Hardening Monitor > System StartStop Options
Option: BootExecute Changed
Rule Name: BootExecute_Changed
Severity: Critical
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\BootExecute
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key BootExecute value. This value contains the names and arguments of programs that the Session Manager executes.

Table 6-154 Description of the CacheLogonsCount Changed parameters used

Option Path: System Hardening Monitor > System StartStop Options
Option: CacheLogonsCount Changed
Rule Name: CacheLogonsCount_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key CachedLogonsCount value. This value controls the number of allowable cached logon attempts when the domain controller is unavailable.

Table 6-155 Description of the ClearPageFileAtShutdown Changed parameters used

Option Path: System Hardening Monitor > System StartStop Options
Option: ClearPageFileAtShutdown Changed
Rule Name: ClearPageFileAtShutdown_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key ClearPageFileAtShutdown value. This value determines whether Windows should clear the page file when the system is shut down.

Table 6-156 Description of the PendingFileRenames Changed parameters used

Option Path: System Hardening Monitor > System StartStop Options
Option: PendingFileRenames Changed
Rule Name: PendingFileRenames_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\FileRenameOperations\PendingFileRenameOperations
Description: Detects any changes or attempted changes to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations key and the PendingFileRenameOperations value. This value determines which operations are run at system shutdown.

Table 6-157 Description of the ReportBootOK Changed parameters used

Option Path: System Hardening Monitor > System StartStop Options
Option: ReportBootOK Changed
Rule Name: ReportBootOK_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportBootOk
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key ReportBootOK value. This value helps to determine the meaning of the ControlSet.

Table 6-158 Description of the ShutdownWithoutLogon Changed parameters used

Option Path: System Hardening Monitor > System StartStop Options
Option: ShutdownWithoutLogon Changed
Rule Name: ShutdownWithoutLogon_Changed
Severity: Warning
Registry Keys: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
Description: Detects any changes or attempted changes to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key ShutdownWithoutLogon value. This value determines whether you can shut down a system without logging on.

Table 6-159 Description of the SystemStartOptions Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System StartStop Options
Option                    SystemStartOptions Changed
Rule Name                 SystemStartOptions_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SystemStartOptions
Description               Detects any changes or attempted changes to the SystemStartOptions value of the HKLM\SYSTEM\CurrentControlSet\Control key. This value contains the text of the system arguments that are passed to the system by the firmware. These values can be used to determine whether the debugger is enabled, the options that are set for ports and speed, and other configuration parameters.

System Audit Tampering

This option group subsection detects system auditing changes and the clearing of audit logs, which may be indicative of malicious activity or internal policy violation. The clearing of audit logs without legitimate intent is usually a sign of a malicious user or program attempting to hide its behavior.

Note: The first option, Enable Date Restriction in Rule(s), provides the ability to generate events in this section of the policy only during a specific time window. This option lets you tune monitoring to the times of day at which an administrator would be more suspicious of audit log mismanagement. For example, you would be more suspicious of such activity during non-business hours.

Table 6-160 Description of the Audit Policy Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Audit Policy Changed
Rule Name                 Audit_Policy_Changed
Severity                  Warning
Description               Detects changes to the system audit policy. See User Manager > Policies > Audit. The Windows operating system determines when the status of the auditing system has changed. When Windows determines that the Audit Policy has changed, it reports the event.

Table 6-161 Description of the Auditing Turned Off parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Auditing Turned Off
Rule Name                 Auditing_Turned_Off
Severity                  Critical
Description               Detects Windows auditing being turned off. The Windows operating system determines when the status of the auditing system has changed. When Windows determines that the auditing system has been turned off, it reports this event.

Table 6-162 Description of the Auditing Turned On parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Auditing Turned On
Rule Name                 Auditing_Turned_On
Severity                  Warning
Description               Detects when Windows auditing has been turned on. The Windows operating system determines when the status of the auditing system has changed. When Windows determines that the auditing system has been turned on, it reports this event.

Table 6-163 Description of the Data Retention Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Data Retention Changed
Rule Name                 Data_Retention_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\EventLog\*\Retention
Description               Detects changes or attempted changes to the Retention value of the HKLM\System\CurrentControlSet\Services\EventLog\Application, System, or Security key. This value determines the number of days for which audit logs are retained.

Table 6-164 Description of the Security Log Events Deleted parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Security Log Events Deleted
Rule Name                 Security_Log_Events_Deleted
Severity                  Critical
Event IDs                 517, 1102
Description               Detects the clearing of security events from the Windows Event Viewer. The Windows operating system determines when the status of the auditing system has changed. When Windows determines that the security events log has been cleared, it reports this event.
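The Security Log Events Deleted rule above, combined with the Enable Date Restriction in Rule(s) option described at the start of this section, as an added Python example (not product code): it flags event IDs 517 and 1102 and, when a time window is given, only fires inside that window. The log line format and the sample events are constructed for the example.

```python
"""Detection logic modelled on the Security_Log_Events_Deleted rule with an
optional date restriction window, as the System Audit Tampering section
describes. Sample log lines below are constructed, not real Windows output."""
from dataclasses import dataclass
from datetime import datetime, time

# Event IDs listed on the page for the rule: 517 (pre-Vista) and 1102 (Vista and later)
# both mean "the audit log was cleared".
SECURITY_LOG_CLEARED_IDS = {517, 1102}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    timestamp: datetime
    event_id: int
    user: str


def in_window(ts, start, end):
    """True if ts falls inside [start, end). The window may wrap midnight,
    e.g. 18:00 to 08:00 models "non-business hours"."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def parse_event(line):
    """Parse one constructed log line: '<ISO timestamp> <event id> <user>'."""
    ts, eid, user = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), int(eid), user


def detect_log_clearing(lines, window=None):
    """Return an Alert for every log-cleared event; with a (start, end) window
    only events inside the window are reported (the date restriction option)."""
    alerts = []
    for line in lines:
        ts, eid, user = parse_event(line)
        if eid not in SECURITY_LOG_CLEARED_IDS:
            continue
        if window is not None and not in_window(ts, *window):
            continue
        alerts.append(Alert("Security_Log_Events_Deleted", "Critical", ts, eid, user))
    return alerts


# Constructed sample events (hypothetical accounts).
SAMPLE_LINES = [
    "2012-03-05T09:15:00 4624 CORP\\alice",        # ordinary logon, ignored
    "2012-03-05T10:02:30 1102 CORP\\svc-backup",   # log cleared during business hours
    "2012-03-05T23:41:12 1102 CORP\\alice",        # log cleared at night
    "2012-03-06T02:10:05 517 CORP\\bob",           # legacy event ID, at night
]
NON_BUSINESS_HOURS = (time(18, 0), time(8, 0))

if __name__ == "__main__":
    for a in detect_log_clearing(SAMPLE_LINES, NON_BUSINESS_HOURS):
        print(f"{a.severity}: {a.rule} event {a.event_id} by {a.user} at {a.timestamp}")
```

Without a window all three clearing events are reported; with the non-business-hours window the daytime event from the backup account is suppressed.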

Table 6-165 Description of the Log File Size Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Log File Size Changed
Rule Name                 Log_File_Size_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\EventLog\*\MaxSize
Description               Detects changes or attempted changes to the MaxSize value of the HKLM\System\CurrentControlSet\Services\EventLog\Application, System, or Security key. This value determines the maximum size of the audit log.

Table 6-166 Description of the Log File Location Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Log File Location Changed
Rule Name                 Log_File_Location_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\EventLog\*\File
Description               Detects changes or attempted changes to the File value of the HKLM\System\CurrentControlSet\Services\EventLog\Application, System, or Security key. This value determines to which file the event log is written.

Table 6-167 Description of the Audit Changed thru HiddenKey parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Audit Tampering
Option                    Audit Changed thru HiddenKey
Rule Name                 Audit_Changed_thru_HiddenKey
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv\*
Description               Detects changes or attempted changes to the HKLM\Security\Policy\PolAdtEv key. This value controls the auditing policy of the OS when it is read on an interval timeline.

System Hardening User Interactive

This option group subsection detects changes to the user-configured registry keys that affect the way the operating system handles various forms of network traffic. Changes to these areas may lower the security posture of the host system.

Table 6-168 Description of the EnableICMPRedirect Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Hardening User Interactive
Option                    EnableICMPRedirect Changed
Rule Name                 EnableICMPRedirect_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\EnableICMPRedirect
                          \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\EnableICMPRedirects
Description               Detects changes to the EnableICMPRedirect value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value controls whether Windows alters its route table in response to ICMP redirect messages.

Table 6-169 Description of the KeepAliveTime Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Hardening User Interactive
Option                    KeepAliveTime Changed
Rule Name                 KeepAliveTime_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\KeepAliveTime
Description               Detects changes to the KeepAliveTime value of the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value specifies the idle time of a connection in milliseconds before TCP begins sending keepalives, if keepalives are enabled on the connection.

Table 6-170 Description of the PerformRouterDiscover Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Hardening User Interactive
Option                    PerformRouterDiscover Changed
Rule Name                 PerformRouterDiscover_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\PerformRouterDiscovery
Description               Detects changes to the PerformRouterDiscovery value of the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value determines whether the ICMP Router Discovery Protocol is enabled, disabled, or enabled only if DHCP sends the router discovery option.

Table 6-171 Description of the SynAttackProtect Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Hardening User Interactive
Option                    SynAttackProtect Changed
Rule Name                 SynAttackProtect_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\SynAttackProtect
Description               Detects changes to the SynAttackProtect value of the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value controls the level of protection for your computer against SYN attacks.

Table 6-172 Description of the TcpMaxHalfOpen Changed parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Hardening User Interactive
Option                    TcpMaxHalfOpen Changed
Rule Name                 TcpMaxHalfOpen_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\TcpMaxHalfOpen
Description               Detects changes to the TcpMaxHalfOpen value of the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value controls the number of connections in the SYN-RCVD state that are allowed before SYN attack protection begins to operate.

Table 6-173 Description of the TcpMaxHalfOpenRetried parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System Hardening User Interactive
Option                    TcpMaxHalfOpenRetried Changed
Rule Name                 TcpMaxHalfOpenRetried_Changed
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
Description               Detects changes to the TcpMaxHalfOpenRetried value of the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. This value controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN before SYN attack protection begins to operate.
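The registry-key patterns in the System Hardening Monitor tables use `*ControlSet*` so that a rule matches whether a write is observed under CurrentControlSet (a link) or a concrete ControlSet00N, and `EventLog\*\MaxSize` so that one rule covers the Application, System and Security logs. The following added Python example (not product code) turns a handful of the rules from these tables into a matcher and runs it over constructed registry write events.

```python
"""Match registry write events against the policy's wildcard key patterns.
The rule names, severities and patterns are copied from the tables in this
section; the events at the bottom are constructed for the example."""
import re

# (rule name, severity, registry key pattern) as printed in Tables 6-165,
# 6-167, 6-171 and 6-172.
RULES = [
    ("SynAttackProtect_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\SynAttackProtect"),
    ("TcpMaxHalfOpen_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\TcpMaxHalfOpen"),
    ("Log_File_Size_Changed", "Warning",
     r"\HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\EventLog\*\MaxSize"),
    ("Audit_Changed_thru_HiddenKey", "Warning",
     r"\HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv\*"),
]


def compile_pattern(pattern):
    """'*' matches any run of characters inside one path component (never a
    backslash, so it cannot skip levels); everything else is literal.
    Registry paths are case-insensitive, so the match is too."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + r"[^\\]*".join(literal_parts) + "$", re.IGNORECASE)


COMPILED_RULES = [(name, sev, compile_pattern(pat)) for name, sev, pat in RULES]


def classify(path):
    """Return (rule name, severity) of the first matching rule, or None."""
    for name, sev, regex in COMPILED_RULES:
        if regex.match(path):
            return name, sev
    return None


def evaluate(events):
    """events: iterable of (operation, registry path). Returns a list of
    (rule name, severity, operation, path) for every event a rule covers."""
    alerts = []
    for op, path in events:
        hit = classify(path)
        if hit is not None:
            alerts.append((hit[0], hit[1], op, path))
    return alerts


# Constructed sample events: two spellings of the same SynAttackProtect value
# (CurrentControlSet link and ControlSet001), an EventLog size change, a
# Retention change no rule in this subset covers, a PolAdtEv write, and a value
# whose name merely starts with TcpMaxHalfOpen.
SAMPLE_EVENTS = [
    ("SetValue", r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect"),
    ("SetValue", r"\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\synattackprotect"),
    ("SetValue", r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize"),
    ("SetValue", r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Retention"),
    ("SetValue", r"\HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv\(Default)"),
    ("SetValue", r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried"),
]

if __name__ == "__main__":
    for rule, severity, op, path in evaluate(SAMPLE_EVENTS):
        print(f"{severity}: {rule} ({op} {path})")
```

The anchored pattern keeps TcpMaxHalfOpen_Changed from firing on TcpMaxHalfOpenRetried, which has its own rule (Table 6-173) not included in this subset.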

System File and Directory Monitor

This option group section of the policy monitors for file and directory changes as well as for Windows share volume creation and deletion. It also includes a completely rewritten file monitoring area that was renamed System FileWatch Monitor. This new area provides enhanced configuration options to enable more precise monitoring of file and directory additions, deletions, modifications, and access attempts.

System File Shares Configuration Monitor

This option group section of the policy monitors file share creation and deletion. Unauthorized file share creation and deletion can indicate malicious activity or possible malware activity. In addition, the creation of unauthorized or unknown file shares on host systems may lower their security posture.

Table 6-174 Description of the System Share Creation parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System File Shares Configuration Monitor
Option                    System Share Creation
Rule Name                 Share_Creation
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Shares\*
Description               Detects the creation of values under the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares key. A new value here indicates that a shared drive or folder has been created on the system.

Table 6-175 Description of the System Share Deletion parameters used

Parameter                 Description
Option Path               System Hardening Monitor > System File Shares Configuration Monitor
Option                    System Share Deletion
Rule Name                 Share_deletion
Severity                  Warning
Registry Keys             \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\LanmanServer\Shares\*
Description               Detects the deletion of values under the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares key. A deleted value here indicates that a shared drive or folder has been removed from the system.

System FileWatch Monitor

This option group section of the policy monitors additions, deletions, modifications, and access attempts to the system critical files that are listed as monitored files. If you use a default security posture, then Symantec Critical System Protection automatically sets up the filewatch monitor for you. If you use your own security posture, you must select the files that you want to monitor so that the filewatch monitor functions correctly.

A wide range of options that enable very specific tuning of how the file or directory is monitored are available for each rule. A global settings area sets the following parameters for all rules in the filewatch monitor area:

■ Polling Interval: The interval at which the filewatch engine polls, or checks, the files that are configured for change monitoring. This option lets you tune how frequently files are polled for changes. You may want to adjust the default polling rate if your environment has a large number of files to be monitored, so that the filewatch engine does not consume excessive resources. A drop-down selection area is provided to switch the polling interval frequency.

■ Search Depth: The search depth is a configurable parameter. It specifies the recursion level, that is, the number of directories and subdirectories that are monitored when you apply a wildcard path. For more information on recursion level and search depth, see the path to the existing definition.

A Monitor File Checksums option is available under the Monitor File Modification option for each type of file watched. This option enables the monitoring of a file's checksum during a file modification event. It reports the real-time SHA-256 hash comparison to the Symantec Critical System Protection console under the Event details. This option also enables the monitoring of file checksums as calculated at agent startup, which determines whether the file was modified since Symantec Critical System Protection was last shut down. This provides detection ability even if the Symantec Critical System Protection service or daemon is shut down: if a monitored file is changed while the service or daemon is stopped, then once the service or daemon starts it compares the files in its monitored list to their state at shutdown, and any differences are reported to the console.

For more information, see the file monitoring enhancements section of the Release Notes for Symantec Critical System Protection Version 5.2.6.
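The baseline-and-compare behaviour described above (SHA-256 checksums recorded at shutdown, re-checked at startup, with Search Depth governing how far a wildcard path recurses), as an added Python example that is not product code. The directory tree, file names and patterns are constructed to stand in for %SystemRoot%; the classification into Created, Deleted and Modified mirrors the Monitor Ops values in the tables that follow.

```python
"""Baseline/compare checksum monitor modelled on the System FileWatch Monitor:
snapshot SHA-256 hashes of files selected by wildcard paths, then report
Created, Deleted and Modified files. Search Depth limits recursion below the
wildcard's directory. The sample tree is constructed in a temp directory."""
import fnmatch
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matching_files(root, pattern, search_depth):
    """pattern is 'dir/sub/*.ext' relative to root (root stands in for
    %SystemRoot%). Files directly in the pattern's directory are depth 0;
    each unit of search_depth allows one more subdirectory level below it.
    Returns paths relative to root with '/' separators."""
    rel_dir, name_glob = os.path.split(pattern)
    base = os.path.join(root, rel_dir)
    if not os.path.isdir(base):
        return []
    found = []
    for dirpath, dirnames, filenames in os.walk(base):
        depth = 0 if dirpath == base else os.path.relpath(dirpath, base).count(os.sep) + 1
        if depth >= search_depth:
            dirnames[:] = []   # prune: do not descend below the configured depth
        for fn in filenames:
            if fnmatch.fnmatch(fn, name_glob):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                found.append(rel.replace(os.sep, "/"))
    return found


def snapshot(root, patterns, search_depth=0):
    """Map each monitored file to its SHA-256 (the baseline taken at shutdown,
    or the current state computed at startup)."""
    return {rel: sha256_file(os.path.join(root, rel))
            for pat in patterns
            for rel in matching_files(root, pat, search_depth)}


def compare(previous, current):
    """Classify differences the way the monitor's Monitor Ops report them."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "Created": sorted(cur_keys - prev_keys),
        "Deleted": sorted(prev_keys - cur_keys),
        "Modified": sorted(p for p in prev_keys & cur_keys if previous[p] != current[p]),
    }


def demo():
    """Build a constructed %SystemRoot%-like tree, baseline it, change it while
    'the agent is down', and re-check. Returns (differences, files seen at
    depth 0 in the baseline, files seen at depth 1 afterwards)."""
    patterns = ["System32/dllcache/*.dll", "System32/drivers/*.sys"]
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("System32/dllcache/kernel32.dll", b"version 1")
        write("System32/dllcache/user32.dll", b"version 1")
        write("System32/dllcache/sub/deep.dll", b"version 1")   # one level down
        write("System32/drivers/disk.sys", b"version 1")
        before = snapshot(root, patterns)                  # depth 0: sub/ ignored

        write("System32/dllcache/kernel32.dll", b"version 2")  # modified
        os.remove(os.path.join(root, "System32/drivers/disk.sys"))  # deleted
        write("System32/dllcache/newfile.dll", b"unexpected")   # created

        after = snapshot(root, patterns)
        deep = snapshot(root, patterns, search_depth=1)   # now includes sub/deep.dll
        return compare(before, after), len(before), len(deep)


if __name__ == "__main__":
    diff, _, _ = demo()
    for op, files in diff.items():
        print(op, files)
```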

Table 6-176 Description of the Dll Cache Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Dll Cache Files
Rule Name                 Baseline_FileWatch_Sys_Dll_Cache_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\System32\dllcache\*.cpl
                          %SystemRoot%\System32\dllcache\*.dll
                          %SystemRoot%\System32\dllcache\*.exe
                          %SystemRoot%\System32\dllcache\*.ocx
                          %SystemRoot%\System32\dllcache\*.sys
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor the DLL cache files that the system maintains.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-177 Description of the Driver Cache Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Driver Cache Files
Rule Name                 Baseline_Filewatch_Sys_DriverCache_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\Driver Cache\*
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor the driver cache files that the system maintains.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-178 Description of the Security Database Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Security Database Files
Rule Name                 Baseline_FileWatch_Sys_SecurityDB_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\security\templates\*.inf
                          %SystemRoot%\security\database\*.sdb
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor the security database files that the system maintains.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-179 Description of the Core System Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Core System Files
Rule Name                 Baseline_FileWatch_Sys_SecurityDB_Files
Severity                  Warning
Monitor Paths             %ProgramFiles%\windows nt\*.dll
                          %ProgramFiles%\windows nt\*.exe
                          %ProgramFiles%\windows nt\accessories\*.exe
                          %SystemRoot%\*.dll
                          %SystemRoot%\*.exe
                          %SystemRoot%\System32\*.acm
                          %SystemRoot%\System32\*.ax
                          %SystemRoot%\System32\*.com
                          %SystemRoot%\System32\*.cpl
                          %SystemRoot%\System32\*.dll
                          %SystemRoot%\System32\*.drv
                          %SystemRoot%\System32\*.exe
                          %SystemRoot%\System32\*.ocx
                          %SystemRoot%\System32\*.scr
                          %SystemRoot%\System32\*.sys
                          %SystemRoot%\System32\drivers\*.dll
                          %SystemRoot%\System32\drivers\*.sys
                          %SystemRoot%\System32\dsound.vxd
                          %SystemRoot%\system\*.dll
                          %SystemRoot%\system\*.drv
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor Core System Executable Files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-180 Description of the Core System Configuration Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Core System Configuration Files
Rule Name                 Baseline_FileWatch_Sys_Core_Configuration_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\System32\AUTOEXEC.NT
                          %SystemRoot%\System32\CONFIG.NT
                          %SystemRoot%\System32\desktop.ini
                          %SystemRoot%\desktop.ini
                          %SystemRoot%\system.ini
                          %SystemRoot%\win.ini
Monitor Ops               Deleted, Created, Modified
Report File Differences   Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor Core System Configuration Files.
                          Note: The Report File Differences option is enabled in this portion of the filewatch rule set. These specific .ini files are a good example of where reporting differences, such as strings that are removed or added, lets you determine whether the event should be escalated for investigation.

Table 6-181 Description of the Setup Dlls & Binaries parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Setup Dlls & Binaries
Rule Name                 Baseline_FileWatch_Sys_Setup_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\System32\Setup\*.dll
                          %SystemRoot%\System32\Setup\*.exe
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor setup DLLs & binaries.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-182 Description of the System WBEM Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    System WBEM Files
Rule Name                 Baseline_FileWatch_Sys_WBEM_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\System32\wbem\*.dll
                          %SystemRoot%\System32\wbem\*.exe
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor System WBEM Files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-183 Description of the System Export Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    System Export Files
Rule Name                 Baseline_FileWatch_Sys_Export_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\System32\export\*.dll
                          %SystemRoot%\System32\export\*.exe
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor System Export Files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-184 Description of the System OLE Support files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    System OLE Support files
Rule Name                 Baseline_FileWatch_Sys_OLESupport_Files
Severity                  Warning
Monitor Paths             %CommonProgramFiles%\system\ado\*.dll
                          %CommonProgramFiles%\system\ole db\*.dll
                          %CommonProgramFiles%\system\msadc\*.dll
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor OLE Support Files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-185 Description of the Common Program Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Common Program Files
Rule Name                 Baseline_FileWatch_Sys_Common_Program_Files
Severity                  Warning
Monitor Paths             %CommonProgramFiles%\system\*.dll
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor Common Program Files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-186 Description of the Group Policy Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Group Policy Files
Rule Name                 Baseline_FileWatch_Sys_Group_Policy_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\System32\GroupPolicy\gpt.ini
                          %SystemRoot%\System32\GroupPolicy\Machine\Scripts\*
                          %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol
                          %SystemRoot%\System32\GroupPolicy\User\Scripts\*
Monitor Ops               Created, Accessed, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor Group Policy Files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-187 Description of the System IME Files parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    System IME Files
Rule Name                 Baseline_FileWatch_Sys_IME_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\ime\*.dll
                          %SystemRoot%\ime\*.exe
                          %SystemRoot%\ime\chsime\applets\*.dll
                          %SystemRoot%\ime\chtime\applets\*.dll
                          %SystemRoot%\ime\shared\*.dll
                          %SystemRoot%\ime\shared\*.exe
                          %SystemRoot%\ime\shared\res\*.dll
Monitor Ops               Created, Deleted, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor system IME Files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-188 Description of the Monitor Script Files in System Folders parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Monitor Script Files in System Folders
Rule Name                 Baseline_FileWatch_Sys_Script_Files
Severity                  Warning
Monitor Paths             %SystemRoot%\*.js
                          %SystemRoot%\*.vbs
                          %SystemRoot%\System32\*.js
                          %SystemRoot%\System32\*.vbs
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor Script Files, for example, JavaScript and VBScript files.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-189 Description of the Other Files (All Windows) parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Other Files (All Windows)
Rule Name                 Baseline_FileWatch_Sys_Other_Files_All_Windows
Severity                  Warning
Monitor Paths             %SystemRoot%\apppatch\*.dll
                          %SystemRoot%\System32\os2\dll\*.dll
                          %SystemRoot%\System32\CertSrv\cafixweb.exe
                          %SystemRoot%\System32\spool\drivers\w32x86\*
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor Other Critical System Files that are not included in any of the previous groups.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-190 Description of the Other Files (Not in NT) parameters used

Parameter                 Description
Option Path               System File and Directory Monitor > System FileWatch Monitor
Option                    Other Files (Not in NT)
Rule Name                 Baseline_FileWatch_Sys_Other_Files_Not_NT
Severity                  Warning
Monitor Paths             %SystemRoot%\msagent\*.dll
                          %SystemRoot%\msagent\*.exe
                          %SystemRoot%\msagent\intl\*.dll
                          %SystemRoot%\srchasst\msgr3en.dll
                          %SystemRoot%\srchasst\srchctls.dll
                          %SystemRoot%\pchealth\helpctr\binaries\*.dll
                          %SystemRoot%\pchealth\helpctr\binaries\*.exe
                          %SystemRoot%\pchealth\uploadlb\binaries\*.exe
                          %SystemRoot%\System32\ShellExt\*
                          %SystemRoot%\System32\Microsoft\Crypto\*
                          %SystemRoot%\System32\Microsoft\Protect\*
                          %SystemRoot%\System32\rpcproxy
Monitor Ops               Deleted, Created, Modified
Report File Differences   Available, Not Enabled
Date and Time Restriction Available, Not Enabled
Description               Lets you monitor Other Critical System Files that are not present in NT and that are not included in any of the previous groups.
                          Note: Symantec recommends that you only use the Report File Differences option on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 6-191 Description of the Other Files (NT Only) parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor
Option: Other Files (NT Only)
Rule Name: Baseline_FileWatch_Sys_Other_Files_NT_Only
Severity: Warning
Monitor Paths:
  %SystemRoot%\System32\viewers\*.dll
  %SystemRoot%\System32\viewers\*.exe
Monitor Ops: Deleted, Created, Modified
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor other critical system files that are not present in NT and that are not included in any of the previous groups.
  Symantec recommends that you use the Report File Differences option only on a select number of files. Enabling the reporting of file differences for a very large number of files, that is, more than 1000, may affect system resources. Symantec recommends that you test such scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

System Registry Monitor

This option group section monitors addition, deletion, and modification attempts against the critical Windows registry locations that are listed as monitored areas within this option group. If you use a default security posture, Symantec Critical System Protection automatically sets up the registry monitor for you. If you use your own security posture, you must select the registry paths that you want to monitor so that the registry monitor functions correctly.

A wide range of options is available for each rule to enable very specific tuning of how the registry entries are monitored.

System Registry Monitor - AutoStart Keys

This subsection area of the policy monitors critical system auto start locations. Auto start registry key locations specify how specific software is started. Malware may also use these locations to add malicious entries that auto start applications without an administrator's knowledge.

Table 6-192 Description of the AutoStart System Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart System Keys
Rule Name: Sys_AutoStart_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\Software\Classes\*\shell\*\command\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run*
  \HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\
  \HKEY_USERS\*\Software\Classes\*\shell\*\command\
  \HKEY_USERS\*\Software\Microsoft\WindowsNT\CurrentVersion\Windows\
  \HKEY_USERS\*\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\*
  \HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  \HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run*
  \HKEY_USERS\*\Software\Policies\Microsoft\Windows\System\Scripts\
Monitor Ops: Created, Modified
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor default auto start registry key locations.
  Note: This option group is set up to be very similar to the functions available in the System FileWatch Monitor.

Table 6-193 Description of the AutoStart Service Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart Service Keys
Rule Name: Sys_AutoStart_Service_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*
Monitor Ops: Created, Modified
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor service-specific auto start registry key locations.
  Note: This option group is set up to be very similar to the functions available in the System FileWatch Monitor.

Table 6-194 Description of the AutoStart System CMD Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart System CMD Keys
Rule Name: Sys_AutoStart_Injection_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  \HKEY_USERS\*\Software\Microsoft\Command Processor\*
Monitor Ops: Created, Modified, Deleted
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor system command processor auto start registry key locations.
  Note: This option group is set up to be very similar to the functions available in the System FileWatch Monitor.

Table 6-195 Description of the AutoStart Explorer Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart Explorer Keys
Rule Name: Sys_AutoStart_Explorer_Keys
Severity: Warning
Monitor Paths:
  \HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\Control\Session Manager\Environment\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  \HKEY_USERS\.Default\Environment\
  \HKEY_USERS\S-*-????\Environment\
  \HKEY_USERS\S-*-???\Environment\
  \HKEY_USERS\S-*-??\Environment\
  \HKEY_USERS\S-*-?\Environment\
Monitor Ops: Created, Modified
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor explorer environment-specific auto start registry key locations.
  Note: This option group is set up to be very similar to the functions available in the System FileWatch Monitor.

Table 6-196 Description of the AutoStart System Injection Keys parameters used

Option Path: System Registry Monitor > System Registry Monitor - AutoStart Keys
Option: AutoStart System Injection Keys
Rule Name: Sys_AutoStart_Injection_Keys
Severity: Major
Registry Paths:
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\KnownDLLs\*
  \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Monitor Ops: Created, Modified, Deleted
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor system injection auto start registry key locations.
  Note: This option group is set up to be very similar to the functions available in the System FileWatch Monitor.
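The FileWatch and AutoStart tables above are rule data: a rule name, a severity, a set of monitored operations and a list of wildcard paths. The following added example (not Symantec's code) shows how such a rule set classifies a stream of file and registry change events, using a subset of the rules from Tables 6-190, 6-192, 6-195 and 6-196. The wildcard semantics, the C:\Windows value for %SystemRoot%, and the sample events are assumptions made for the example.

```python
"""Classify file-system and registry change events against CSP-style monitor paths."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitorRule:
    name: str        # Rule Name column
    severity: str    # Severity column
    paths: tuple     # Monitor Paths / Registry Paths column
    ops: frozenset   # Monitor Ops column


# A subset of the rules in Tables 6-190, 6-192, 6-195 and 6-196, reproduced as data.
RULES = (
    MonitorRule(
        "Baseline_FileWatch_Sys_Other_Files_Not_NT", "Warning",
        ("%SystemRoot%\\msagent\\*.dll",
         "%SystemRoot%\\System32\\Microsoft\\Crypto\\*",
         "%SystemRoot%\\System32\\rpcproxy"),
        frozenset({"Deleted", "Created", "Modified"})),
    MonitorRule(
        "Sys_AutoStart_Keys", "Warning",
        ("\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*",
         "\\HKEY_USERS\\*\\Software\\Classes\\*\\shell\\*\\command\\"),
        frozenset({"Created", "Modified"})),
    MonitorRule(
        "Sys_AutoStart_Explorer_Keys", "Warning",
        ("\\HKEY_USERS\\S-*-????\\Environment\\",),
        frozenset({"Created", "Modified"})),
    MonitorRule(
        "Sys_AutoStart_Injection_Keys", "Major",
        ("\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SessionManager\\KnownDLLs\\*",
         "\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\*"),
        frozenset({"Created", "Modified", "Deleted"})),
)


def pattern_to_regex(pattern: str, system_root: str = "C:\\Windows") -> re.Pattern:
    """Translate one monitor-path pattern into a compiled regex.

    Assumptions (the guide does not spell out its wildcard semantics):
      * '*' matches any run of characters, including path separators;
      * '?' matches exactly one character;
      * a pattern ending in '\\' covers that key or directory and everything beneath it;
      * matching is case-insensitive, as Windows paths and registry keys are.
    """
    expanded = pattern.replace("%SystemRoot%", system_root)
    covers_subtree = expanded.endswith("\\")
    expanded = expanded.rstrip("\\")
    out = []
    for ch in expanded:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    body = "".join(out)
    if covers_subtree:
        body += r"(\\.*)?"
    return re.compile("^" + body + "$", re.IGNORECASE)


def classify(path: str, op: str, rules=RULES, system_root: str = "C:\\Windows"):
    """Return [(rule name, severity)] for every rule whose paths and ops both match."""
    hits = []
    for rule in rules:
        if op not in rule.ops:
            continue   # e.g. Sys_AutoStart_Keys does not monitor Deleted
        if any(pattern_to_regex(p, system_root).match(path) for p in rule.paths):
            hits.append((rule.name, rule.severity))
    return hits


if __name__ == "__main__":
    # Constructed change events, not real telemetry; the GUID is a placeholder.
    events = [
        ("C:\\Windows\\msagent\\agentctl.dll", "Modified"),
        ("\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\updater", "Created"),
        ("\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "Deleted"),
        ("\\HKEY_USERS\\S-1-5-21-1111-2222-3333-1001\\Environment\\Path", "Modified"),
        ("\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
         "\\Browser Helper Objects\\{placeholder-guid}", "Created"),
    ]
    for path, op in events:
        print(op, path, "->", classify(path, op) or "no rule")
```

Note that the deleted Run value produces no event because Table 6-192 lists only Created and Modified as Monitor Ops, which is the kind of gap an analyst should weigh when tuning these rules.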

System Symantec Software Monitor

This option group area of the policy contains monitoring functions for Symantec software. Currently the monitored ancillary applications are Symantec AntiVirus and Symantec Endpoint Protection. The policy automatically detects whether the host machine has Symantec AntiVirus or Symantec Endpoint Protection installed. Therefore, even if both areas of monitoring are enabled, only one area detects and generates events. This behavior prevents double event generation, which could confuse an administrator.

Symantec AntiVirus Client Communication

This portion of the policy detects alerts from Symantec AntiVirus client installations. This policy can be applied to all Windows hosts with Symantec AntiVirus client installations.

Table 6-197 Description of the Virus Detected parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected
Rule Name: Virus_Detection
Severity: Critical
Event IDs: 5
Description: Detects the discovery of a virus or Trojan horse by Symantec AntiVirus. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. Immediate action is usually warranted.

Table 6-198 Description of the AntiVirus Service Stopped parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Service Stopped
Rule Name: Antivirus_Service_Stopped
Severity: Warning
Event IDs: 13
Description: Detects the stopping of the Symantec AntiVirus service. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has stopped, it reports this status.

Table 6-199 Description of the AntiVirus Service Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Service Started
Rule Name: Antivirus_Service_Started
Severity: Notice
Event IDs: 14
Description: Detects the starting of the Symantec AntiVirus service. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has started, it reports this status.

Table 6-200 Description of the AntiVirus Scan Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Scan Started
Rule Name: AntiVirus_Scan_Started
Severity: Notice
Event IDs: 3
Description: Detects the starting of a manual scan of a host with Symantec AntiVirus. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that it has initiated a manual scan of the host, it reports this status.

Table 6-201 Description of the AntiVirus Scan Canceled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Scan Canceled
Rule Name: AntiVirus_Scan_Canceled
Severity: Warning
Event IDs: 21
Description: Detects the canceling of a manual scan of a host with Symantec AntiVirus. Symantec AntiVirus issues status messages for various application conditions. When Symantec AntiVirus determines that it has been commanded to cancel a manual scan, it reports this status.

Table 6-202 Description of the AntiVirus Scan Complete parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Scan Complete
Rule Name: AntiVirus_Scan_Complete
Severity: Notice
Event IDs: 2
Description: Detects the completion of a manual scan of a host with Symantec AntiVirus. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that it has successfully completed a manual scan, it reports this status.

Table 6-203 Description of the New Virus Definition Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: New Virus Definition Loaded
Rule Name: New_Virus_Defintion_Loaded
Severity: Notice
Event IDs: 7
Description: Detects the updating of Symantec AntiVirus with the latest virus definitions. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that it has loaded a new virus definition file, it reports this status.

Table 6-204 Description of the Virus Definitions are Current parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Definitions are Current
Rule Name: Virus_Definitions_are_Current
Severity: Notice
Event IDs: 16
Description: Detects that the installed virus definitions are current. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the definitions are current, it reports this status.

Table 6-205 Description of the AntiVirus Realtime Protection Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Realtime Protection Loaded
Rule Name: AntiVirus_Realtime_Protection_Loaded
Severity: Notice
Event IDs: 23
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the enabling of the Symantec AntiVirus real-time system protection option. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been enabled, it reports this status.

Table 6-206 Description of the AntiVirus Realtime Protection Disabled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: AntiVirus Realtime Protection Disabled
Rule Name: AntiVirus_Realtime_Protection_Disabled
Severity: Critical
Event IDs: 24
Description: Detects the disabling of the Symantec AntiVirus real-time system protection option. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been disabled, it reports this status.

Table 6-207 Description of the Virus Detected - Cleaned Failed parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected - Cleaned Failed
Rule Name: Virus_Detected_Cleaned_Failed
Severity: Critical
Event IDs: 5, 46, 51
Description: Detects the discovery of a virus or Trojan horse by Symantec AntiVirus. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. This event indicates that the Symantec AntiVirus client was unable to clean, remove, or quarantine the identified malware and that the risk is still present on the system. Immediate investigation is required.

Symantec Endpoint Protection Client Communication

This portion of the policy detects alerts from Symantec Endpoint Protection client installations. This policy can be applied to all Windows hosts with Symantec Endpoint Protection client installations.

Note: This policy auto-detects whether the client is running Symantec Endpoint Protection or a previous version of Symantec AntiVirus.

Table 6-208 Description of the Virus Detected parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected
Rule Name: Virus_Detection
Severity: Critical
Event IDs: 5, 46, 51
Description: Detects the discovery of a virus or Trojan horse by Symantec Endpoint Protection. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. Immediate action is usually warranted.

Table 6-209 Description of the SEP Service Stopped parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Service Stopped
Rule Name: SEP_Service_Stopped
Severity: Warning
Event IDs: 13
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
  Symantec?Endpoint?Protection?Services
Description: Detects the stopping of the Symantec Endpoint Protection service. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the SAV service has stopped, it reports this status.

Table 6-210 Description of the SEP Service Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Service Started
Rule Name: SEP_Service_Started
Severity: Notice
Event IDs: 14
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
  Symantec?Endpoint?Protection?Services
Description: Detects the starting of the Symantec Endpoint Protection service. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the Symantec AntiVirus service has started, it reports this status.

Table 6-211 Description of the SEP Scan Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Scan Started
Rule Name: SEP_Scan_Started
Severity: Notice
Event IDs: 3
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the starting of a manual scan of a host with Symantec Endpoint Protection. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that it has initiated a manual scan of the host, it reports this status.

Table 6-212 Description of the Scan Canceled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Scan Canceled
Rule Name: SEP_Scan_Canceled
Severity: Warning
Event IDs: 21
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the canceling of a manual scan of a host with Symantec Endpoint Protection. Symantec Endpoint Protection issues status messages for various application conditions. When Symantec Endpoint Protection determines that it has been commanded to cancel a manual scan, it reports this status.

Table 6-213 Description of the SEP Scan Complete parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Scan Complete
Rule Name: SEP_Scan_Complete
Severity: Notice
Event IDs: 2
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the completion of a manual scan of a host with Symantec Endpoint Protection. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that it has successfully completed a manual scan, it reports this status.

Table 6-214 Description of the New Virus Definition Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: New Virus Definition Loaded
Rule Name: New_Virus_Defintion_Loaded
Severity: Notice
Event IDs: 7
Description: Detects the updating of Symantec Endpoint Protection with the latest virus definitions. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that it has loaded a new virus definition file, it reports this status.

Table 6-215 Description of the Virus Definitions are Current parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Definitions are Current
Rule Name: Virus_Definitions_are_Current
Severity: Notice
Event IDs: 16
Description: Detects that the installed virus definitions are current. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the definitions are current, it reports this status.

Table 6-216 Description of the SEP Realtime Protection Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Realtime Protection Loaded
Rule Name: SEP_Realtime_Protection_Loaded
Severity: Notice
Event IDs: 23
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: This rule detects the enabling of the Symantec AntiVirus real-time system protection option. Symantec AntiVirus issues status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been enabled, it reports this status.

Table 6-217 Description of the SEP Realtime Protection Disabled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: SEP Realtime Protection Disabled
Rule Name: SEP_Realtime_Protection_Disabled
Severity: Critical
Event IDs: 24
Select Strings:
  :?Norton AntiVirus
  Source:*Symantec AntiVirus
Description: Detects the disabling of the Symantec Endpoint Protection real-time system protection option. Symantec Endpoint Protection issues status messages for various application conditions and errors. When Symantec Endpoint Protection determines that the real-time protection option has been disabled, it reports this status.

Table 6-218 Description of the Virus Detected - Cleaned Failed parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus Client Communication
Option: Virus Detected - Cleaned Failed
Rule Name: Virus_Detected_Cleaned_Failed
Severity: Critical
Event IDs: 5, 46, 51
Description: Detects the discovery of a virus or Trojan horse by Symantec Endpoint Protection. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. This event indicates that the Symantec Endpoint Protection client was unable to clean, remove, or quarantine the identified malware. It also indicates that the risk is still present on the system. Immediate investigation is required.

System External Device Activity

This option group subsection monitors for specific external device activity, such as the various activities that are associated with USB devices and CD and DVD burning. This activity should be monitored on an enterprise network, as such devices may pose the threat of data loss.

USB Device Activity

This portion of the policy detects activity that is associated with USB devices.

Table 6-219 Description of the USB Registry Connect Activity parameters used

Option Path: System External Device Activity > USB Device Activity
Option: USB Registry Connect Activity
Rule Name: USB_Registry_Connect_Activity
Severity: Warning
Noise Suppress: 1 Minute. Suppresses reporting of events from this rule for the specified duration after the rule has triggered once.
Registry Paths: \HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\ENUM\USB\*
Description: Detects the USB device connection activity that is associated with the Windows registry. This rule provides a noise suppression duration value to tune out the unnecessary noise that this rule may cause.

CD/DVD Burning Activity

This portion of the policy detects the various activities that are associated with CD and DVD burning.

Note: These rules function only in Windows 2000/2003 environments.

Table 6-220 Description of the CD/DVD Burning Services Enabled parameters used

Option Path: System External Device Activity > CD/DVD Burning Activity
Option: CD/DVD Burning Services Enabled
Rule Name: CD_DVD_Burning_Activity_Enabled
Severity: Warning
Event IDs: 7040
Description: Detects when the CD/DVD service enters a running state, from the Windows Event Log.

Table 6-221 Description of the CD/DVD Burning Services Started parameters used

Option Path: System External Device Activity > CD/DVD Burning Activity
Option: CD/DVD Burning Services Started
Rule Name: CD_DVD_Burning_Activity_Started
Severity: Warning
Event IDs: 7036
Description: Detects a CD/DVD service auto start configuration event from the Windows Event Log.

Table 6-222 Description of the CD/DVD Burning Services Stopped parameters used

Option Path: System External Device Activity > CD/DVD Burning Activity
Option: CD/DVD Burning Services Stopped
Rule Name: CD_DVD_Burning_Activity_Stopped
Severity: Warning
Event IDs: 7035
Description: Detects when the CD/DVD service enters a stopped state, from the Windows Event Log.

USB Device Activity

Table 6-223 Description of the USB Registry Connect Activity parameters used

Option Path: System External Device Activity > USB Device Activity
Option: USB Registry Connect Activity
Rule Name: USB_Registry_Connect_Activity
Severity: Warning
Registry Path: \HKEY_LOCAL_MACHINE\SYSTEM\*Controlset*\ENUM\USB*
Description: Detects USB device connection activity associated with the Windows registry.

Table 6-224 Description of the USB Device Disconnected parameters used

Option Path: System External Device Activity > USB Device Activity
Option: USB Device Disconnected
Rule Name: USB_Device_Disconnected
Severity: Warning
Event IDs: 135
Description: Detects a USB device disconnection event from the Windows Event Log.
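Plugging in one USB device writes many keys and values under ENUM\USB in a burst, which is why Table 6-219 pairs its Registry Paths pattern with a one-minute Noise Suppress value. The following added example (not Symantec's code) applies that rule to a constructed stream of registry change records and shows how the suppression window collapses each burst into a single event; the wildcard semantics and the sample key names (with placeholder vendor and product IDs) are assumptions made for the example.

```python
"""Noise suppression for the USB Registry Connect Activity rule (Table 6-219)."""
import fnmatch
from datetime import datetime, timedelta

# Registry Paths pattern and Noise Suppress value from Table 6-219.
USB_CONNECT_PATTERN = "\\HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\ENUM\\USB\\*"
NOISE_SUPPRESS = timedelta(minutes=1)


def matches_usb_connect(registry_path: str) -> bool:
    """Wildcard-match one registry path against the rule's pattern.

    Assumption: '*' matches any characters, key separators included, and the
    comparison is case-insensitive, as the registry is.
    """
    return fnmatch.fnmatchcase(registry_path.lower(), USB_CONNECT_PATTERN.lower())


def report_usb_connects(changes, suppress=NOISE_SUPPRESS):
    """Apply the rule to (timestamp, registry path) change records.

    Returns (reported, suppressed): the events that would reach the console and
    the number dropped because they fell inside the quiet period opened by the
    previous report from this rule.
    """
    reported, suppressed = [], 0
    quiet_until = None
    for when, path in sorted(changes):
        if not matches_usb_connect(path):
            continue                      # not this rule's concern
        if quiet_until is not None and when < quiet_until:
            suppressed += 1               # same burst, already reported
            continue
        reported.append((when, path))
        quiet_until = when + suppress     # open the 1-minute quiet period
    return reported, suppressed


def constructed_changes():
    """Constructed registry change records imitating USB plug-ins; not real telemetry."""
    t0 = datetime(2012, 3, 1, 9, 0, 0)
    # Placeholder device instance key; real keys carry the device's own VID/PID.
    usb = "\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_0000&PID_0000\\0001"
    burst1 = [(t0 + timedelta(seconds=s), usb + sub) for s, sub in
              ((0, ""), (0, "\\Device Parameters"), (1, "\\Properties"),
               (1, "\\LogConf"), (2, "\\Control"))]
    burst2 = [(t0 + timedelta(seconds=30), usb + "\\Control")]   # inside the quiet period
    burst3 = [(t0 + timedelta(seconds=61), usb + "\\Control")]   # quiet period has ended
    other = [(t0 + timedelta(seconds=5),
              "\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\placeholder")]
    return burst1 + burst2 + burst3 + other


if __name__ == "__main__":
    reported, suppressed = report_usb_connects(constructed_changes())
    for when, path in reported:
        print(when.isoformat(), path)
    print(f"{suppressed} matching changes suppressed")
```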

System Attack Detection

This option group subsection contains basic Web attack monitoring criteria to thwart basic attacks on any Web server that produces any kind of access log.

Note: The access log must follow W3C guidelines. The majority of Web server applications on Windows servers are Internet Information Services (IIS). By default, System Attack Detection is set up for IIS. You can set up this area for any Web hosting application. Within this option group subsection there is a global settings area to set several unique properties for the rest of the system attack monitor.

The global settings area consists of the following:

■ Alert only on Success Attack Attempt (Code 200): This area configures all the attack detection rules to look for the trailing code 200 when a suspicious string is found in the access log. Trailing code 200 means a successfully processed request. This setting dramatically decreases the number of false positives and gives administrators only the events that the hosting system actually processed.

■ Web Access Log File Path: This area configures the Web access log path, which the rules in this policy subsection sift through to find malicious request strings. Symantec Critical System Protection provides a default IIS 7 location.

■ Whitelisted IP Addresses: This area configures the IP addresses that are allowed or otherwise ignored in this monitoring subsection. These IP addresses are for tools like automated vulnerability scanning systems on enterprise networks, where you know that Web attack tests occur at regular intervals.

■ Blacklisted IP Addresses: This area configures the IP addresses that are not allowed access to the host system. Blacklisted IP addresses may be any addresses outside an internal network range if this area monitors an intranet Web host. Blacklisted IP addresses may also be known bad IP addresses from any of the blacklists available on the Internet.

■ IIS HTTP Success Code: The IIS HTTP Success Code is the trailing HTTP code on all requests that signifies that the request has been successfully processed on the host Web system. A success code that is paired with a maliciously crafted URI string would indicate a possibly compromised system.

■ IIS HTTP Error Code: The IIS HTTP Error Code is the HTTP error code that signifies a bad HTTP request. A large number of these repeating at high frequency in the access log signifies that a Web vulnerability scan may be occurring.

Generic Web Attack Detection Monitoring

Table 6-225 Description of the Generic VA scan Attempt parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic VA scan Attempt
Rule Name: WebAttackDetection_Generic_VAScan
Severity: Warning
Invalid Count: 20. The number of times a 404 or unknown request is received.
Interval: 2 minutes. The time window within which the invalid count must occur to trigger the event.
Description: Detects a possible VA scan by triggering an event when a specific administrator-defined threshold is reached. If Symantec Critical System Protection receives the specified number of 404 error codes within the user-defined interval, this rule generates an alert on a possible VA scan attempt.

Table 6-226 Description of the Generic Blacklisted IP Request Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Blacklisted IP Request Attempts
Rule Name: WebAttackDetection_Generic_BlackListedIP
Severity: Warning
Description: A simple rule that detects an access attempt by a blacklisted IP address found in the HTTP access log. You configure the blacklisted IP addresses in the Global Settings area. If you enable this rule, any attempt by a predefined blacklisted IP address generates an event.

Table 6-227 Description of the Generic SQL Injection Attack Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic SQL Injection Attack Attempts
Rule Name: WebAttackDetection_Generic_SQLInjection
Severity: Warning
Description: Detects very simple and generic SQL injection-type attacks while monitoring the HTTP access log file. Primary and secondary select logic is used to ensure that accurate rule tuning can occur. You can customize this area to your needs to add further SQL injection measures.

Table 6-228 Description of the Generic Directory Transversal Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Directory Transversal Attempts
Rule Name: WebAttackDetection_Generic_DirTransversal
Severity: Warning
Description: Detects possible directory traversal attempts in HTTP request strings. The generic strings for directory traversal attempts are provided. An individual or script attempting to traverse directories by HTTP request may be considered a malicious action.
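The global settings and Tables 6-225, 6-226 and 6-228 describe a small pipeline over a W3C extended access log: skip whitelisted clients, flag blacklisted ones, count error-code responses per client against the Invalid Count and Interval threshold, and fire string-matching rules only on requests the server answered with the success code. The following added example (not Symantec's code) runs that pipeline over a constructed IIS-style log; the whitelist and blacklist addresses, the ../ traversal marker, the once-per-burst reporting and the log lines themselves are assumptions made for the example, since the guide does not list its own match strings.

```python
"""System Attack Detection global settings and the Generic VA scan threshold
applied to W3C extended log lines (the format IIS writes)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold values from Table 6-225; the addresses are constructed RFC 5737 examples.
SETTINGS = {
    "alert_only_on_success": True,      # Alert only on Success Attack Attempt (Code 200)
    "success_code": 200,                # IIS HTTP Success Code
    "error_code": 404,                  # IIS HTTP Error Code
    "invalid_count": 20,                # Invalid Count
    "interval": timedelta(minutes=2),   # Interval
    "whitelist": {"10.0.0.9"},          # constructed: the in-house VA scanner
    "blacklist": {"203.0.113.5"},       # constructed: a known-bad address
}
# Constructed indicator for the directory traversal rule; the policy ships its own strings.
TRAVERSAL_MARKERS = ("../", "..\\")


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the latest '#Fields:' directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                     # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def detect(lines, settings=SETTINGS):
    """Return a list of (rule name, client IP, detail) events in log order."""
    events = []
    error_window = defaultdict(deque)    # c-ip -> timestamps of error-code responses
    for rec in parse_w3c(lines):
        ip = rec["c-ip"]
        if ip in settings["whitelist"]:
            continue                     # sanctioned scanners are ignored outright
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        status = int(rec["sc-status"])
        query = rec["cs-uri-query"]
        uri = rec["cs-uri-stem"] + ("?" + query if query != "-" else "")

        if ip in settings["blacklist"]:
            events.append(("WebAttackDetection_Generic_BlackListedIP", ip, uri))

        # Generic VA scan: Invalid Count error responses from one client within Interval.
        if status == settings["error_code"]:
            window = error_window[ip]
            window.append(when)
            while when - window[0] > settings["interval"]:
                window.popleft()         # drop responses older than the interval
            if len(window) >= settings["invalid_count"]:
                events.append(("WebAttackDetection_Generic_VAScan", ip,
                               f"{len(window)} x {status} within {settings['interval']}"))
                window.clear()           # assumption: report once per burst

        # String rules fire only on processed requests when the Code 200 setting is on.
        if any(m in uri for m in TRAVERSAL_MARKERS):
            if not settings["alert_only_on_success"] or status == settings["success_code"]:
                events.append(("WebAttackDetection_Generic_DirTransversal", ip, uri))
    return events


def constructed_log():
    """Build a small constructed IIS-style log; not captured from a real server."""
    base = datetime(2012, 3, 1, 12, 0, 0)

    def row(offset, method, stem, query, ip, status):
        t = base + timedelta(seconds=offset)
        return f"{t:%Y-%m-%d %H:%M:%S} {method} {stem} {query} {ip} {status}"

    header = ["#Software: Microsoft Internet Information Services 7.5", "#Version: 1.0",
              "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status"]
    rows = [row(0, "GET", "/index.html", "-", "192.0.2.10", 200)]
    rows += [row(i * 5, "GET", f"/probe{i}", "-", "198.51.100.7", 404) for i in range(20)]
    rows += [row(i * 3, "GET", f"/scan{i}", "-", "10.0.0.9", 404) for i in range(25)]
    rows.append(row(120, "GET", "/admin/config.asp", "-", "203.0.113.5", 200))
    rows.append(row(130, "GET", "/images/../../web.config", "-", "192.0.2.10", 404))
    rows.append(row(131, "GET", "/images/../../web.config", "-", "192.0.2.10", 200))
    return header + sorted(rows)         # data lines start with the timestamp


if __name__ == "__main__":
    for rule, ip, detail in detect(constructed_log()):
        print(f"{rule:45} {ip:15} {detail}")
```

The whitelisted scanner's 25 misses produce nothing, the 404 traversal request is counted toward the VA scan window but does not fire the traversal rule, and only its 200 retry does.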

Table 6-229 Description of the Generic Malicious User Agent Request Attempts parameters used

Option Path: System Web Attack Detection Monitor > Generic VA Scan Attempt
Option: Generic Malicious User Agent Request Attempts
Rule Name: WebAttackDetection_Generic_MaliciousUserAgent
Severity: Warning
Description: Detects malicious user agent strings in HTTP requests. Automated scripts commonly use bad user agents in large-scale attacks, and pre-scripted suites of programs also use them to attack a Web server. The presence of these known-bad user agent strings may indicate a malicious attempt to access your host Web system.

Table 6-230 Description of the Generic Unwanted Extension Requests parameters used

Parameter | Description
Option Path | System Web Attack Detection Monitor > Generic VA Scan Attempt
Option | Generic Unwanted Extension Requests
Rule Name | WebAttackDetection_Unwanted_Extension_Request
Severity | Warning
Description | Detects unwanted or suspicious file-extension requests. Requests for files with the extensions configured in this rule may indicate a malicious script or user. You can add or remove extensions in this area to customize the event for each host system environment.

Table 6-231 Description of the Generic Unwanted Directory Requests parameters used

Parameter | Description
Option Path | System Web Attack Detection Monitor > Generic VA Scan Attempt
Option | Generic Unwanted Directory Requests
Rule Name | WebAttackDetection_Unwanted_Directory_Request
Severity | Warning
Description | Detects unwanted or suspicious directory requests. Requests for the directories configured in this rule may indicate a malicious script or user. You can add or remove sensitive directory paths in this area to customize the event for each host system environment.

Table 6-232 Description of the Generic Vulnerable CGI Requests parameters used

Parameter | Description
Option Path | System Web Attack Detection Monitor > Generic VA Scan Attempt
Option | Generic Vulnerable CGI Requests
Rule Name | WebAttackDetection_Generic_VulnerableCGIRequest
Severity | Warning
Description | Detects unwanted or suspicious CGI and script requests. Requests for the CGI programs and scripts configured in this rule may indicate a malicious script or user. You can add or remove CGI and script paths in this area to customize the event for each host system environment.
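All of the generic Web attack rules in this option group reduce to pattern or threshold checks over lines of the HTTP access log. The following Python script is an added example, not code from this guide or from Symantec Critical System Protection: it parses constructed Apache combined-format log lines and applies one detector per rule, labelling hits with the rule names from the tables above. The pattern lists, the 404 threshold and window, and the VA-scan rule name WebAttackDetection_Generic_VAScan (whose table precedes this section) are assumptions chosen for the illustration, not the product's shipped content.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext
from urllib.parse import unquote

# NCSA "combined" access-log format as written by Apache httpd.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec

# Illustrative rule content (assumed for this example, not the product's lists).
CONFIG = {
    "blacklisted_ips": {"198.51.100.23"},
    # Primary select: a hit on any of these marks the request as SQL injection ...
    "sqli_select": [r"union\s+select", r"'\s*or\s+'?\d'?\s*=\s*'?\d", r";\s*drop\s+table"],
    # ... unless a secondary ignore pattern also matches (the tuning knob for known-benign URLs).
    "sqli_ignore": [r"^/search\?q="],
    "bad_user_agents": ["nikto", "sqlmap", "nessus", "w3af"],
    "unwanted_extensions": {".bak", ".old", ".sql", ".ini"},
    "unwanted_dirs": ["/phpmyadmin", "/admin/", "/.git/"],
    "vulnerable_cgi": ["/cgi-bin/test-cgi", "/cgi-bin/php", "/cgi-bin/awstats.pl"],
    "va_scan_404_threshold": 5,               # "specified number of 404 error codes" ...
    "va_scan_window": timedelta(seconds=60),  # ... within the user-defined window
}

class WebAttackDetector:
    def __init__(self, cfg):
        self.cfg = cfg
        self.not_found = defaultdict(deque)  # client IP -> timestamps of recent 404s

    @staticmethod
    def _any(text, patterns):
        return any(re.search(p, text, re.IGNORECASE) for p in patterns)

    def check(self, rec):
        """Apply every generic rule to one parsed record; return (rule_name, ip) hits."""
        cfg, hits = self.cfg, []
        ip, ua, raw = rec["ip"], rec["ua"].lower(), rec["path"]
        decoded = unquote(raw)                      # normalise %2e%2e%2f and friends first
        path_only = decoded.split("?", 1)[0].lower()

        if ip in cfg["blacklisted_ips"]:
            hits.append(("WebAttackDetection_Generic_BlackListedIP", ip))
        if self._any(decoded, cfg["sqli_select"]) and not self._any(decoded, cfg["sqli_ignore"]):
            hits.append(("WebAttackDetection_Generic_SQLInjection", ip))
        if re.search(r"\.\.[/\\]", decoded):
            hits.append(("WebAttackDetection_Generic_DirTransversal", ip))
        if any(bad in ua for bad in cfg["bad_user_agents"]):
            hits.append(("WebAttackDetection_Generic_MaliciousUserAgent", ip))
        if splitext(path_only)[1] in cfg["unwanted_extensions"]:
            hits.append(("WebAttackDetection_Unwanted_Extension_Request", ip))
        if any(d in path_only for d in cfg["unwanted_dirs"]):
            hits.append(("WebAttackDetection_Unwanted_Directory_Request", ip))
        if any(path_only.startswith(c) for c in cfg["vulnerable_cgi"]):
            hits.append(("WebAttackDetection_Generic_VulnerableCGIRequest", ip))

        # VA-scan heuristic: N or more 404s from one client inside a sliding window.
        if rec["status"] == 404:
            window = self.not_found[ip]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > cfg["va_scan_window"]:
                window.popleft()
            if len(window) >= cfg["va_scan_404_threshold"]:
                hits.append(("WebAttackDetection_Generic_VAScan", ip))  # rule name assumed
                window.clear()                      # one alert per burst, then re-arm
        return hits

def scan(lines, cfg=CONFIG):
    """Run the detector over access-log text; return all (rule_name, ip) hits in order."""
    det, hits = WebAttackDetector(cfg), []
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec:
            hits.extend(det.check(rec))
    return hits

# Constructed sample log (not real traffic): a benign client, a blacklisted IP, an
# injection/traversal probe, and a Nikto-style scan that trips the 404 threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:41 +0000] "GET /products.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:42 +0000] "GET /images/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2012:13:56:01 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 209 "-" "Nikto/2.1.5"
203.0.113.9 - - [10/Oct/2012:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Nikto/2.1.5"
203.0.113.9 - - [10/Oct/2012:13:56:02 +0000] "GET /backup.sql HTTP/1.1" 404 209 "-" "Nikto/2.1.5"
203.0.113.9 - - [10/Oct/2012:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Nikto/2.1.5"
203.0.113.9 - - [10/Oct/2012:13:56:03 +0000] "GET /config.bak HTTP/1.1" 404 209 "-" "Nikto/2.1.5"
"""

if __name__ == "__main__":
    for rule, ip in scan(SAMPLE_LOG):
        print(f"{rule:50} {ip}")
```

Decoding the request before matching matters: the traversal probe in the sample is URL-encoded and would slip past a literal "../" check, and the same applies to SQL injection patterns. The 404 window is cleared after each alert so a long scan produces one event per burst rather than one per request.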

Chapter 7 UNIX Baseline Detection policy

This chapter includes the following topics:

■ Introduction

■ File monitoring improvements

■ Advanced per-rule tuning improvements

■ Console changes

■ Unicode Log Monitoring for UNIX

■ How wildcard characters and recursion levels work in IDS file monitoring

Introduction

The Host Intrusion Detection policies have been redesigned and rewritten to enhance stability, provide greater ease of use and detection accuracy, and add functionality. Multiple policies have been reorganized into two baseline monitoring solutions for the Windows and the UNIX operating system environments.

■ The Windows Baseline Detection Policy became available in release 5.2.6 (5.2 RU6).

■ The UNIX Baseline Detection Policy became available in release 5.2 RU7.

The UNIX Baseline Detection policy includes the following improvements:

■ The IDS policy has been rewritten to improve functionality and accuracy inmonitoring security events.

■ The file monitoring area has been redesigned and rewritten to provide a large number of new file and directory monitoring functions. For example, you can now control and enable the access, delete, modify, and create change monitoring functions by group.

■ You can now perform advanced rule-by-rule tuning directly from the Symantec Critical System Protection console. These rules now also use ignore logic and select logic methodology.

■ You can now configure and view all rule content from the Symantec Critical System Protection console, which removes the need to use the Authoring Tool.

■ Policy option group naming conventions have been standardized for ease ofadministration. You can now enable and disable entire areas of the policieswith option check boxes.

■ Automatic application detection has been updated to enable and disablemonitoring without the need for administrators to configure the policyindividually per host.

■ You can now configure many parameter options individually for each rule.For example, you can configure the Rule Name, Rule Severity, and Rulemonitoring content separately for each rule.

■ You can now select a severity level for each rule. You no longer need to knowspecific numerical values for the severity base types.

■ New Web attack detection functionality has been built into the policy to provide monitoring of Web attacks. The types of attacks that are detected include basic SQL injection, directory traversal, vulnerable CGI requests, blacklisted IP addresses, and vulnerability scanning. Malicious request strings, malicious extension requests, and malicious user agent strings are also detected.

■ You can now mouse over parts of the user interface to display descriptions toassist in policy navigation and rule-by-rule overview.

UNIX-specific policy changes include the following improvements:

■ Monitoring of individuals who log off of host systems.

■ New compatibility with Symantec AntiVirus for Linux for monitoring Symantec software.

■ New command monitoring that is accomplished by configuring text log monitoring of user-defined or root bash or ksh history files. Superuser do (sudo) commands are specifically monitored for privileged command inspection and retention. This functionality records the ID of the user who performs the command, the exact command performed, and a date stamp and time stamp, which helps to meet various regulatory compliance requirements.


■ Monitoring of suspicious binary file permission changes. This change helpsto ensure that critical command-line executables are not subject to themalicious permissions changes that malware typically performs.

■ Monitoring of malicious Loadable Kernel Modules (LKMs) to detect the loading of known malware-related LKMs.

■ Addition of a new System Hardening Monitor, which generates events whennew auto start daemons or programs, such as the rc.d script, are added. It alsomonitors specific changes to inittab, a critical system configuration file.

■ New UNIX malware detection that tracks file and directory creation activitiesfrom known UNIX forms of malware. Malware detection variants includerootkit detection and worm detection.

Table 7-1 illustrates how the existing policies from previous releases were combined with new options into the 5.2 RU7 top-level option groups.

Table 7-1 Detection options organization map

Detection option organization in release 5.2 RU7, followed by the options in previous releases that it absorbs:

System User and Group Change Monitor
    User/Group_Configuration
    Privileged_User/Group_Configuration

System Login Activity and Access Monitor
    System_Logon_Failure
    System_Logoff_Success
    System_Failed_Access_Status

System Privilege Command and Bash History Monitor
    System_SUDO_Monitor
    System_Root_Command_Monitor
    System_User_Command_Monitor

System Hardening Monitor
    System_AutoStart_Change (rc*.d)
    System_Service_Config_Monitor
    System_Xserver_Configuration
    System_RunLevel_Monitor (Inittab)
    System_Sysconfig_Monitor (Sysconfig)

System File and Directory Monitor
    Host_IDS_File_Tampering
    Critical_System_File_Monitor

System Symantec Software Monitor
    Symantec_AV_Linux_Client_Comms
    Symantec_AV_Unix_Client_Comms

System External Device Activity Monitor
    USB_Connectivity_Activity
    CD/DVD_Burning_Activity

System Attack Detection
    Generic_Web_Attack_Detection
    Malicious_LKM_Detection
    Unix_Generic_Malware_and_Rootkit_Detection

File monitoring improvements

To provide granular control over UNIX file change monitoring, Symantec Critical System Protection monitors changes on local and fixed file systems in near real time. Removable media and remote network drives are not covered by near real-time monitoring; they are still polled, as the note that follows explains.

Local file-system monitoring no longer uses polling intervals. Symantec Critical System Protection uses the FIPS 180-2-compliant Secure Hash Algorithm SHA-256 to calculate file hashes (checksums) at runtime. The MD5 algorithm is no longer used or available.

For performance efficiency, you can enable or disable the checksum calculationfor each filewatch list. A single hash algorithm is used on all the files in awatchedlist.

Specific file monitoring changes include the following improvements:

■ You can control and enable the access, delete, modify, and create changemonitoring functions on a group-by-group basis.

■ You can control modification diff'ing, including algorithm selection, on a group-by-group basis.

■ You can set date and time restrictions within each specific file monitoringgroup.

■ You can tune the file monitor's modified-file detection for specific criteria, such as only permission changes, size changes, bitmask changes, and so on.


■ You can use specific ignore logic criteria and select logic criteria in each file monitoring group. For example, you can independently configure each file monitoring group to ignore file paths or strings.

Note: Symantec Critical System Protection continues to poll remote files, such as files on network drives or removable media, at the configured polling interval to detect changes.

See “How wildcard characters and recursion levels work in IDS file monitoring”on page 187.

Advanced per-rule tuning improvements

Advanced per-rule tuning includes the following options for configuration:

■ Rule Name

■ Rule Severity

■ Rule monitoring content, such as file paths, log file strings, select criteria, and ignore criteria

■ Select logic, in the form of strings

■ Ignore logic, in the form of strings

■ Date and time restrictions, as applicable

Console changes

Symantec Critical System Protection provides specific content control per rule from the console. Each rule in the Baseline policy has required parameters. These rules are now viewable and customizable from the console.

The options in Table 7-2 are available for each rule that is displayed in the Policy Settings pane.

Table 7-2 Rule options

Rule Name
    The name that is associated with the rule that generates the specific event. A single string value is allowed in the string field.

Severity
    The severity of the event. Available for each rule of the policy. You can select only one severity level (Info, Notice, Warning, Major, or Critical) for each rule.

File Paths
    Parameter options for filewatch rules. You can use multiple file paths with associated wildcard entries in this string list. You can add, edit, and remove file paths.

Select Strings
    Used in rule select logic. Symantec Critical System Protection applies select logic as the primary, initial sifting step for rule event generation. An asterisk (*) selects all events that the criteria you entered previously (event IDs, file paths, or log strings) generate. With this option you can tune rules to administrator needs.

    For example, if you change the select string on a filewatch rule from * to *Permission*, that rule generates a filewatch event only if the event contains the string "Permission". You can have multiple select strings in this string list. All strings are case insensitive. You can add, edit, and remove select strings.

Ignore Strings
    Used in rule ignore logic. Symantec Critical System Protection applies ignore logic as the secondary sifting step for rule event generation. Almost all rule parameter options ship with a blank value, which signifies that no value is associated with the ignore logic statement.

    Any non-blank string in this field is pattern matched against the event at final event generation, and matching events are ignored. Ignore strings also let you perform advanced rule-by-rule tuning. You can have multiple ignore strings in this string list. All strings are case insensitive. You can add, edit, and remove ignore strings.

    Ignore criteria are typically used for items that change frequently or that are not part of the core system and configuration, such as logs and temp directories.

Note: Each parameter is preconfigured with default values to ensure the functionality of the rule. Changes to rule name and severity do not affect the overall operation of the rule.
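The two-stage sifting that Table 7-2 describes (primary select logic, then secondary ignore logic, both case insensitive) is easy to get wrong when tuning, so here it is as an added Python example that is not the product's code. The exact match semantics are an assumption for the illustration: a string containing * or ? is treated as a glob over the whole event text, and a plain string matches anywhere inside it. The filewatch event texts are constructed.

```python
import fnmatch

def _match(event_text, pattern):
    """Case-insensitive match of one select/ignore string against an event's text.

    Assumed semantics: a string containing * or ? is a glob over the whole event
    text; a plain string matches anywhere inside it.
    """
    text, pat = event_text.lower(), pattern.lower()
    if any(c in pat for c in "*?"):
        return fnmatch.fnmatchcase(text, pat)
    return pat in text

def passes_rule(event_text, select_strings, ignore_strings):
    """Primary select logic, then secondary ignore logic, as Table 7-2 describes."""
    # Primary: the event must match at least one select string ("*" selects everything).
    if not any(_match(event_text, s) for s in select_strings):
        return False
    # Secondary: blank ignore entries mean "ignore nothing"; any other match drops the event.
    return not any(_match(event_text, i) for i in ignore_strings if i.strip())

def filter_events(events, select_strings, ignore_strings):
    """Return the events that would actually be generated for this rule."""
    return [e for e in events if passes_rule(e, select_strings, ignore_strings)]

# Constructed filewatch event texts (not real agent output).
EVENTS = [
    "File modified: /etc/ssh/sshd_config (Permission change: 0644 -> 0600)",
    "File modified: /etc/ssh/sshd_config (Size change: 3210 -> 3350)",
    "File modified: /var/log/messages (Size change: 81920 -> 82001)",
    "File created: /tmp/.x/installer (Permission 0755)",
]

if __name__ == "__main__":
    # Default tuning: select everything, ignore nothing.
    print(filter_events(EVENTS, ["*"], [""]))
    # Tuned rule: only permission changes, and nothing under /var/log or /tmp.
    print(filter_events(EVENTS, ["*Permission*"], ["", "/var/log", "/tmp"]))
```

The order matters: an ignore string can only remove events that the select strings already let through, so narrowing the select list is the safer first move when a rule is noisy, and ignore strings should be kept to paths that genuinely churn (logs, temp directories) rather than broad patterns that would also hide a real change.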

Unicode Log Monitoring for UNIX

The IDS agent logwatch collector reads Unicode text log files, so that you can monitor the applications that output to Unicode log files or to Unicode format.

How wildcard characters and recursion levels work in IDS file monitoring

When you use wildcard characters in IDS file monitoring, the following rulesapply:

■ Only the asterisk (*) and question mark (?) wildcard characters are allowed.

■ The asterisk (*) stands for one or more characters.

■ The question mark (?) stands for a single character only.

■ Wildcard characters are allowed only in the last element of the file path. You can only place a wildcard character after the last slash in a file path.

The following are examples of valid uses of wildcard characters in a file path:

■ /tmp/*

■ /tmp/L1/*.txt

■ /tmp/L2/*file*.ini

■ /tmp/L1/file?.ini

■ /tmp/L1/file?.*

The following are examples of invalid uses of wildcard characters in a file path:

■ /tmp/*/L3/*.txt

■ /tmp/L2/*/file?.txt

Recursion levels only work with the use of one or more wildcard characters. If a file path specification contains no wildcard character, then the recursion level has no effect. Rules may have a specified recursion level and file paths with mixed entries, where only some of the file paths contain wildcard characters. Recursion works only with the file paths that contain one or more wildcard characters.

When both recursion and wildcard characters are specified, the folder path and file name are considered separately. A file name that is specified with one or more wildcard characters is searched for in the given path and in a number of subfolders. The number of subfolder levels that are searched is equal to the recursion level minus 1.

For example, if you configure a file path of /tmp/*.dll and a recursion level of 3, that requests to monitor all DLL files in the /tmp folder three levels deep, including /tmp.

The following DLL files are monitored for changes:

■ /tmp/my.dll


■ /tmp/L1/your.dll

■ /tmp/D1/ours.dll

■ /tmp/L1/L2/his.dll

■ /tmp/D1/D2/her.dll

In this example, the /tmp/D1/D2/D3/bad.dll file would not be monitored.

See “File monitoring improvements” on page 184.
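The wildcard placement rule and the recursion-level arithmetic above are the parts of file monitoring that most often surprise administrators (a wildcard in a middle element is rejected, and level 3 means the folder itself plus two levels of subfolders). The following Python is an added example, not the agent's matcher: it encodes exactly the semantics this section states, including the guide's statement that * stands for one or more characters, and checks the /tmp/*.dll example from the text against a constructed file list.

```python
import posixpath
import re

def _name_pattern(name):
    """Translate the policy's wildcard syntax: * is one or more characters, ? exactly one."""
    parts = [".+" if c == "*" else "." if c == "?" else re.escape(c) for c in name]
    return re.compile("^" + "".join(parts) + "$")

def split_spec(spec):
    """Split a file path specification and enforce the wildcard placement rule."""
    folder, name = posixpath.split(spec)
    if any(c in folder for c in "*?"):
        raise ValueError(f"wildcards are allowed only after the last slash: {spec}")
    return folder, name

def is_monitored(spec, recursion_level, candidate):
    """Decide whether `candidate` is covered by `spec` at `recursion_level`.

    No wildcard: the spec names exactly one file and the recursion level is ignored.
    Wildcard: the name part is matched in the spec's folder and in (recursion_level - 1)
    levels of subfolders beneath it, as the guide describes.
    """
    folder, name = split_spec(spec)
    if not any(c in name for c in "*?"):
        return candidate == spec
    cand_folder, cand_name = posixpath.split(candidate)
    if not _name_pattern(name).match(cand_name):
        return False
    base = folder.rstrip("/") + "/"
    if cand_folder == folder:
        depth = 0                                   # same folder as the spec
    elif cand_folder.startswith(base):
        depth = cand_folder[len(base):].count("/") + 1
    else:
        return False                                # outside the spec's folder entirely
    return depth <= max(recursion_level, 1) - 1

def select_monitored(spec, recursion_level, candidates):
    """Filter a list of candidate paths down to those the rule would watch."""
    return [p for p in candidates if is_monitored(spec, recursion_level, p)]

# Constructed file list reproducing the guide's /tmp/*.dll, recursion level 3 example.
CANDIDATES = [
    "/tmp/my.dll", "/tmp/L1/your.dll", "/tmp/D1/ours.dll",
    "/tmp/L1/L2/his.dll", "/tmp/D1/D2/her.dll",
    "/tmp/D1/D2/D3/bad.dll",        # one level too deep
    "/tmp/L1/notes.txt",            # name does not match
    "/var/tmp/evil.dll",            # outside the spec folder
]

if __name__ == "__main__":
    for p in select_monitored("/tmp/*.dll", 3, CANDIDATES):
        print(p)
```

A useful way to apply this when writing a policy: list the deepest path you actually need to watch, count the slashes below the spec's folder, and add one to get the recursion level; a level that is too low silently leaves the deeper files unmonitored, exactly like /tmp/D1/D2/D3/bad.dll in the guide's example.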


Chapter 8 Policy options

This chapter includes the following topics:

■ System User and Group Change Monitor

■ System Login Activity and Access Monitor

■ System Privileged Command and Bash History Monitor

■ System Hardening Monitor

■ System File and Directory Monitor

■ System Symantec Software Monitor

■ System External Device Activity Monitor

■ System Attack Detection

System User and Group Change Monitor

This option group section of the policy monitors for specific user and group change-based events.

Global User and Group Change Monitor Settings

Monitors user and group events such as when a user is added or deleted. Changes are detected by the user_monitor.sh script that monitors user configuration system files.

Table 8-1 Description of the Monitor User and Group File(s) Checksum parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Global User and Group Change Monitor Settings
Option | Monitor User and Group File(s) Checksum
Description | Detects changes that are made to global user and group accounts on the local system. The checksum is calculated at agent startup to determine whether the files were modified while Symantec Critical System Protection was shut down.

Table 8-2 Description of the User and Group Monitor Polling Interval parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Global User and Group Change Monitor Settings
Option | User and Group Monitor Polling Interval
Description | Sets how often the files are polled for changes in status. A short polling interval could impact system performance.

Table 8-3 Description of the User and Group Configuration File Paths parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Global User and Group Change Monitor Settings
Option | User and Group Configuration File Paths
Description | Sets the configuration files to be monitored.

System User Configuration Changes

Detects changes in user accounts, such as the creation or deletion of a user, and changes in parameters such as user name, home directory, login shell, and so on.

Table 8-4 Description of the User Created parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User Created
Rule Name | User_Created
Severity | Warning
Description | Detects the creation of user accounts on the local system. Note: If this rule is unchecked, you cannot monitor user name change events.

Table 8-5 Description of the User Deleted parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User Deleted
Rule Name | User_Deleted
Severity | Warning
Description | Detects the deletion of user accounts on the local system.

Table 8-6 Description of the User's Password Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Password Changed
Rule Name | User_Password_Changed
Severity | Notice
Description | Detects changes to users' passwords in user accounts on the local system.

Table 8-7 Description of the User's Name Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Name Changed
Rule Name | User_Name_Changed
Severity | Notice
Description | Detects changes to users' names in user accounts on the local system.

Table 8-8 Description of the User's ID Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's ID Changed
Rule Name | User_ID_Changed
Severity | Notice
Description | Detects changes that are made to users' IDs in system user accounts on the local system.

Table 8-9 Description of the User's Primary Group Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Primary Group Changed
Rule Name | User_Primary_Group_ID_Changed
Severity | Notice
Specific Primary Groups | Sets user-defined groups. Default value is all groups.
Description | Detects changes that are made to users' primary group ID numbers in system user accounts on the local system.

Table 8-10 Description of the User's Full Name Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Full Name Changed
Rule Name | User_Full_Name_Changed
Severity | Notice
Description | Detects changes that are made to users' full names in system user accounts on the local system.

Table 8-11 Description of the User's Home Directory Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Home Directory Changed
Rule Name | User_Home_Directory_Changed
Severity | Warning
Description | Detects changes that are made to users' home directories in system user accounts on the local system.

Table 8-12 Description of the User's Login Shell Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Login Shell Changed
Rule Name | User_Login_Shell_Changed
Severity | Warning
Description | Detects changes that are made to users' login shells in system user accounts on the local system.

Table 8-13 Description of the User's Minimum Password Age Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Minimum Password Age Changed
Rule Name | User_Minimum_Password_Age_Changed
Severity | Warning
Description | Detects changes that are made to users' minimum password age parameter in system user accounts on the local system.

Table 8-14 Description of the User's Maximum Password Age Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Maximum Password Age Changed
Rule Name | User_Maximum_Password_Age_Changed
Severity | Warning
Description | Detects changes in users' maximum days between password changes parameter in system user accounts on the local system.

Table 8-15 Description of the User's Maximum Days of Account Inactivity Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Maximum Days of Account Inactivity Changed
Rule Name | User_Passwd_Inactivity_Days_Changed
Severity | Warning
Description | Detects changes in the parameter that sets the maximum number of days that users can go without logging in to their accounts before the account is made inactive.

Table 8-16 Description of the User's Account Expiry Date Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Account Expiry Date Changed
Rule Name | User_Account_Expiry_Date_Changed
Severity | Warning
Description | Detects changes in the date when users' logins automatically expire.

Table 8-17 Description of the User's Password Expire Warning Date Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Password Expire Warning Date Changed
Rule Name | User_Password_Expire_Warning_Date_Changed
Severity | Warning
Description | Detects changes in the date when users are warned that their password is about to expire.

Table 8-18 Description of the User's Attribute Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System User Configuration Changes
Option | User's Attribute Changed
Rule Name | User_Attributes_Changed
Severity | Warning
Description | Detects changes in users' attributes that are located in the /etc/user_attr file on the local system.

System Group Configuration Changes

This option subgroup section of the policy monitors for specific group configuration change-based events, such as the creation and deletion of groups.

Table 8-19 Description of the Group Created parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System Group Configuration Changes
Option | Group Created
Rule Name | Group_Created
Severity | Warning
Description | Detects the creation of a group. Note: If this rule is unchecked, you cannot monitor changes in a group's name.

Table 8-20 Description of the Group Deleted parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System Group Configuration Changes
Option | Group Deleted
Rule Name | Group_Deleted
Severity | Warning
Description | Detects the deletion of a group. Note: If this rule is unchecked, you cannot monitor changes in a group's name.

Table 8-21 Description of the Group Membership Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System Group Configuration Changes
Option | Group Membership Changed
Rule Name | Group_Membership_Change
Severity | Warning
Specific Membership Groups | Sets user-defined membership groups. Default value is all groups.
Description | Detects the addition or deletion of a user from a group.

Table 8-22 Description of the Group Name Change parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System Group Configuration Changes
Option | Group Name Change
Rule Name | Group_Name_Changed
Severity | Warning
Description | Detects a change in the name of a group. Group created and group deleted events are generated for group name changes.

Table 8-23 Description of the Group Lock Flag Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System Group Configuration Changes
Option | Group Lock Flag Changed
Rule Name | Group_LockFlag_Changed
Severity | Warning
Description | Detects changes to a group's lock flag.

Table 8-24 Description of the Group ID Changed parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > System Group Configuration Changes
Option | Group ID Changed
Rule Name | Group_ID_Changed
Severity | Warning
Description | Detects changes to a group's ID.

Privileged User and Group Configuration Activity

This option subgroup section of the policy monitors for privileged user and group configuration change-based events, such as the creation of superusers and superuser groups.

Table 8-25 Description of the Superuser (root level) User Created parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option | Superuser (root level) User Created
Rule Name | Superuser_Account_Created
Severity | Major
Description | Detects the creation of a superuser account.

Table 8-26 Description of the Superuser (root level) Group Created parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option | Superuser (root level) Group Created
Rule Name | Superuser_Group_Created
Severity | Major
Description | Detects the creation of a superuser group.

Table 8-27 Description of the User's Global ID Changed to Superuser parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option | User's Global ID Changed to Superuser
Rule Name | User_ID_Changed_to_Superuser
Severity | Critical
Description | Detects when a user's ID is changed to a superuser (root-level) global ID.

Table 8-28 Description of the Group's Global ID Changed to Superuser parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option | Group's Global ID Changed to Superuser
Rule Name | Group_ID_Changed_to_Superuser
Severity | Critical
Description | Detects when a group's ID is changed to a superuser (root-level) global group ID.

Table 8-29 Description of the User's Primary Group ID Changed to Superuser parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option | User's Primary Group ID Changed to Superuser
Rule Name | User_PrimaryID_Added_SuperuserID_Change
Severity | Critical
Description | Detects when a user's primary group ID is changed to be a member of a root group.

Table 8-30 Description of the Group Membership Changed User to Superuser parameters used

Parameter | Description
Option Path | System User and Group Change Monitor > Privileged User and Group Configuration Activity
Option | Group Membership Changed User to Superuser
Rule Name | Root_Group_Added_SuperuserID_Change
Severity | Critical
Description | Detects when a user is added as a member of the root superuser group.
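The user, group, and privileged-account rules in this option group amount to a field-by-field comparison of two snapshots of the account databases, with the root-level cases (UID 0, GID 0, membership of the root group) promoted to Major or Critical. The following Python is an added example, not the user_monitor.sh script this guide refers to: it parses constructed /etc/passwd- and /etc/group-style text, diffs the two snapshots, and labels each change with the rule name and severity from the tables above. It also computes the SHA-256 checksum the Global settings table describes, so a change made while the agent was down is noticed. Treating UID 0 and GID 0 as "superuser" is the standard UNIX meaning and an assumption of this example; the guide's group-name-change rule surfaces as a delete/create pair here, as the guide says it does.

```python
import hashlib

# Severities as listed in the tables above for the rules this example emits.
SEVERITY = {
    "User_Created": "Warning", "User_Deleted": "Warning",
    "User_ID_Changed": "Notice", "User_Primary_Group_ID_Changed": "Notice",
    "User_Full_Name_Changed": "Notice", "User_Home_Directory_Changed": "Warning",
    "User_Login_Shell_Changed": "Warning",
    "Group_Created": "Warning", "Group_Deleted": "Warning",
    "Group_Membership_Change": "Warning", "Group_ID_Changed": "Warning",
    "Superuser_Account_Created": "Major", "Superuser_Group_Created": "Major",
    "User_ID_Changed_to_Superuser": "Critical",
    "User_PrimaryID_Added_SuperuserID_Change": "Critical",
    "Root_Group_Added_SuperuserID_Change": "Critical",
}

def parse_passwd(text):
    """Parse /etc/passwd-style text into {name: fields}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                           "home": home, "shell": shell}
    return users

def parse_group(text):
    """Parse /etc/group-style text into {name: {"gid", "members"}}."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = {"gid": int(gid), "members": set(filter(None, members.split(",")))}
    return groups

def file_checksum(text):
    """SHA-256 of a configuration file's content (the startup-time comparison)."""
    return hashlib.sha256(text.encode()).hexdigest()

def diff_accounts(old_passwd, new_passwd, old_group, new_group):
    """Compare two snapshots; return (rule_name, severity, detail) events in a stable order."""
    events = []
    emit = lambda rule, detail: events.append((rule, SEVERITY[rule], detail))
    ou, nu = parse_passwd(old_passwd), parse_passwd(new_passwd)
    og, ng = parse_group(old_group), parse_group(new_group)

    for name in sorted(nu.keys() - ou.keys()):
        emit("User_Created", name)
        if nu[name]["uid"] == 0:                    # UID 0 is root-level on UNIX (assumption)
            emit("Superuser_Account_Created", name)
    for name in sorted(ou.keys() - nu.keys()):
        emit("User_Deleted", name)
    for name in sorted(ou.keys() & nu.keys()):
        o, n = ou[name], nu[name]
        if o["uid"] != n["uid"]:
            emit("User_ID_Changed", f"{name}: {o['uid']} -> {n['uid']}")
            if n["uid"] == 0:
                emit("User_ID_Changed_to_Superuser", name)
        if o["gid"] != n["gid"]:
            emit("User_Primary_Group_ID_Changed", f"{name}: {o['gid']} -> {n['gid']}")
            if n["gid"] == 0:
                emit("User_PrimaryID_Added_SuperuserID_Change", name)
        for field, rule in (("gecos", "User_Full_Name_Changed"),
                            ("home", "User_Home_Directory_Changed"),
                            ("shell", "User_Login_Shell_Changed")):
            if o[field] != n[field]:
                emit(rule, f"{name}: {o[field]} -> {n[field]}")

    for gname in sorted(ng.keys() - og.keys()):
        emit("Group_Created", gname)
        if ng[gname]["gid"] == 0:
            emit("Superuser_Group_Created", gname)
    for gname in sorted(og.keys() - ng.keys()):
        emit("Group_Deleted", gname)
    for gname in sorted(og.keys() & ng.keys()):
        o, n = og[gname], ng[gname]
        if o["gid"] != n["gid"]:
            emit("Group_ID_Changed", f"{gname}: {o['gid']} -> {n['gid']}")
        for m in sorted(n["members"] - o["members"]):
            emit("Group_Membership_Change", f"{gname}: +{m}")
            if n["gid"] == 0:                       # joined the root group
                emit("Root_Group_Added_SuperuserID_Change", f"{gname}: +{m}")
        for m in sorted(o["members"] - n["members"]):
            emit("Group_Membership_Change", f"{gname}: -{m}")
    return events

# Constructed snapshots (not from a real host): bob is promoted to UID 0 and added to
# the root group, alice's shell changes, and a second UID-0 account "toor" appears.
OLD_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
"""
NEW_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/zsh
bob:x:0:1001:Bob Example:/home/bob:/bin/bash
toor:x:0:0:backdoor:/:/bin/sh
"""
OLD_GROUP = "root:x:0:\nwheel:x:10:alice\nusers:x:100:alice,bob\n"
NEW_GROUP = "root:x:0:bob\nwheel:x:10:alice,bob\nusers:x:100:alice\n"

if __name__ == "__main__":
    if file_checksum(OLD_PASSWD) != file_checksum(NEW_PASSWD):
        print("passwd checksum differs: the file changed while the agent was down")
    for rule, sev, detail in diff_accounts(OLD_PASSWD, NEW_PASSWD, OLD_GROUP, NEW_GROUP):
        print(f"{sev:8} {rule:42} {detail}")
```

The two Critical events (a UID changed to 0 and a user added to the GID 0 group) are the ones to route to an on-call queue; the Notice and Warning events are the same shape but are routinely produced by legitimate administration, which is why the guide gives them lower default severities.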

System Login Activity and Access Monitor

System Login Success Monitor

This option group section of the policy monitors specific logon and access events, including those that use FTP, telnet, rlogin, SSH, the local console, and the su utility.

FTP logon Options

This option group section of the policy monitors logons that occur over FTP.

FTP server reports to syslog

Set this option if your FTP servers report to syslog. On HP-UX operating systems, the wtmp file is also used to identify successful logons.

Table 8-31 Description of the Root logon parameters used

Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to Syslog
Option | Root logon
Rule Name | Root_FTP_Logon_Success_syslog
Severity | Warning
Description | Detects users who use FTP to log on as root.

Table 8-32 Description of the Non-root logon parameters used

Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to Syslog
Option | Non-root logon
Rule Name | User_FTP_Logon_Success_syslog
Severity | Warning
Description | Detects non-root users who use FTP to log on.

FTP server reports to a log file

Set this option if your FTP servers report to a log file. You must specify the path to the FTP log file.

Table 8-33 Description of the Log Location parameters used

Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to a log file
Option | Log Location
Path | /var/log/vsftpd.log
Description | Sets the path to the FTP log file.

Table 8-34 Description of the Root logon parameters used

Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to a log file
Option | Root logon
Rule Name | Root_FTP_Logon_Success_Text_Log
Severity | Notice
Description | Detects root logon events that occur over FTP.

Table 8-35 Description of the Non-root logon parameters used

Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > FTP logon Options > FTP server reports to a log file
Option | Non-root logon
Rule Name | User_FTP_Logon_Success_Text_Log
Severity | Notice
Description | Detects non-root user logon events that occur over FTP.

Telnet and Rlogin logon Options

This option group section of the policy monitors logons that occur over Telnet and rlogin. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.

Table 8-36 Description of the Root logon parameters used

Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > Telnet and Rlogin logon Options
Option | Root logon
Rule Name | Root_Telnet_Rlogin_Logon_Success
Severity | Warning
Description | Detects root logon events that occur over Telnet and rlogin.

Table 8-37 Description of the Non-root logon parameters used

Parameter | Description
Option Path | System Login Activity and Access Monitor > System Login Success Monitor > Telnet and Rlogin logon Options
Option | Non-root logon
Rule Name | User_Telnet_Rlogin_Logon_Success
Severity | Warning
Description | Detects non-root users who log on over Telnet and rlogin.

SU Operation Options

This option group section of the policy monitors logons that involve the su utility. The events are identified using the UNIX syslog.

Table 8-38 Description of the Root logon parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SU Operation Options
Option: SU to root
Rule Name: SU_ToRoot_Success
Severity: Warning
Description: Detects the successful logons as root, monitored in the UNIX syslog.

Table 8-39 Description of the Non-root logon parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SU Operation Options
Option: SU to non-root
Rule Name: SU_ToUser_Success
Severity: Notice
Description: Detects the successful logons of non-root users.

SSH Remote logon Options

This option group section of the policy monitors logons that occur over SSH. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.

Table 8-40 Description of the Root logon parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logon Options
Option: Root logon
Rule Name: Root_SSH_Logon_Success
Severity: Warning
Description: Detects logons as root that occur over SSH.

Table 8-41 Description of the Non-root logon parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logon Options
Option: Non-root logon
Rule Name: User_SSH_Logon_Success
Severity: Notice
Description: Detects non-root user logons that occur over SSH.

Local Console logon Options

This option group section of the policy monitors successful logons from the local console. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.

Table 8-42 Description of the Root logon parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > Local Console logon Options
Option: Root logon
Rule Name: Root_Local_Logon_Success
Severity: Warning
Description: Detects root user logon events that occur over the console.

Table 8-43 Description of the Non-root logon parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > Local Console logon Options
Option: Non-root logon
Rule Name: User_Local_Logon_Success
Severity: Warning
Description: Detects non-root user logon events that occur over the console.

System Logoff Monitor

This option group section of the policy monitors successful root and user logoffs from the local console and from remote access.

SU Operation Options

su command events are monitored from the UNIX syslog.

Table 8-44 Description of the SU to root Logoff parameters used

Option Path: System Login Activity and Access Monitor > System Logoff Monitor > SU Operation Options
Option: SU to root Logoff
Rule Name: SU_ToRoot_Logoff
Severity: Warning
Description: Detects the successful logoff by a user from SU to root.

Table 8-45 Description of the SU to non-root Logoff parameters used

Option Path: System Login Activity and Access Monitor > System Logoff Monitor > SU Operation Options
Option: SU to non-root Logoff
Rule Name: SU_ToUser_Logoff
Severity: Warning
Description: Detects the successful logoff by a user from SU to a non-root user.

SSH Remote Logoff Options

This option group section of the policy monitors successful logoffs from remote consoles. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.

Table 8-46 Description of the Root logoff parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option: Root logoff
Rule Name: Root_SSH_Logoff
Severity: Warning
Description: Detects root user logoff events that occur over SSH from a remote console.

Table 8-47 Description of the Non-root logoff parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option: Non-root logoff
Rule Name: User_SSH_Logoff
Severity: Warning
Description: Detects non-root user logoff events that occur over SSH from a remote console.

Local Console Logoff Options

This option group section of the policy monitors successful logoffs from local consoles. The events are identified using the UNIX syslog. On HP-UX operating systems, the wtmp file is also used.

Table 8-48 Description of the Root Logoff parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option: Root Logoff
Rule Name: Root_Local_Logoff
Severity: Warning
Description: Detects root user logoff events that occur on the local console.

Table 8-49 Description of the Non-Root Logoff parameters used

Option Path: System Login Activity and Access Monitor > System Login Success Monitor > SSH Remote logoff Options
Option: Non-Root_Logoff
Rule Name: User_Local_Logoff
Severity: Warning
Description: Detects non-root user logoff events that occur on the local console.

System Failed Login Monitor

This option group section of the policy monitors user and root failed logon attempts from the local console and by remote access. Its rules report attempts to log on to services that include local console sessions, telnet, Xwin, rsh, rlogin, and FTP. They also report failed attempts to change identity by using the su utility.

FTP logon failure

Set this option to detect failed logons over FTP.

Repeated FTP logon failures

Set this option to detect users' repeated failures to log on. You can set the number of failures that have to occur and the time interval within which the failures have to occur.

Table 8-50 Description of the Number of logon failures in time interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > Repeated FTP logon failures
Option: Number of logon failures in time interval
Value: blank value (the user specifies this value)
Description: Detects repeated failed logon attempts. Set the number of times a user can fail to log on in a specific time interval before an event is generated.

Table 8-51 Description of the Time interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > Repeated FTP logon failures
Option: Time interval
Duration: In days, hours, minutes, and seconds.
Description: Sets a specific time interval during which the failed logon attempts have to take place to generate an event.

Table 8-52 Description of the FTP Repeated Failed Severity parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > Repeated FTP logon failures
Option: FTP Repeated Failed Severity
Severity: Major
Description: Sets the severity of repeated failed logon attempts.

FTP server reports to Syslog or WTMP

Set this option to detect logon failures that are reported in the UNIX syslog or, on HP-UX operating systems, in the wtmp file.

Table 8-53 Description of the Root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP server reports to Syslog or WTMP
Option: Root logon failure
Rule Name: Root_FTP_Logon_Failure
Severity: Notice
Description: Detects failed attempts to log on over FTP as a root user that are reported in the syslog or wtmp file.

Table 8-54 Description of the Non-root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP server reports to Syslog or WTMP
Option: Non-root logon failure
Rule Name: User_FTP_Logon_Failure
Severity: Warning
Description: Detects failed attempts to log on as a non-root user over FTP that are reported in the syslog or wtmp file.

FTP server reports to a log file

Set this option if your FTP servers report to a log file. You must specify the path to the FTP log file.

Table 8-55 Description of the Path to FTP server log file parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > FTP server reports to a log file
Option: Path to FTP server log file
Path: /var/log/vsftpd.log
Description: Sets the path to the FTP server log file.

Table 8-56 Description of the Root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > FTP server reports to a log file
Option: Root logon failure
Rule Name: Root_FTP_Logon_Failure_Text_Log
Severity: Notice
Description: Detects failed attempts to log on over FTP as a root user.

Table 8-57 Description of the Non-root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > FTP logon failure > FTP server reports to a log file
Option: Non-root logon failure
Rule Name: User_FTP_Logon_Failure_Text_Log
Severity: Notice
Description: Detects failed attempts to log on over FTP as a regular user.

Telnet and Rlogin logon failure

This option group section of the policy monitors user and root failed logon attempts over Telnet and rlogin. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file is also used.

Repeated Telnet or Rlogin logon failures

Set this option to detect users' repeated failures to log on over Telnet and rlogin. You can set the number of failures that have to occur and the time interval within which the failures have to occur.

Table 8-58 Description of the Number of Logon Failures in Time Interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure > Repeated Telnet or Rlogin logon failures
Option: Number of Logon Failures in Time Interval
Value: blank value (the user specifies this value)
Description: Detects repeated failed logon attempts. Set the number of times a user can fail to log on in a specific time interval before an event is generated.

Table 8-59 Description of the Time interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Repeated Telnet or Rlogin logon failures
Option: Time Interval
Duration: In days, hours, minutes, and seconds.
Description: Sets a specific time interval during which the failed logon attempts take place.

Table 8-60 Description of the Telnet Repeated Failed Severity parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure > Repeated Telnet or Rlogin logon failures
Option: Telnet Repeated Failed Severity
Severity: Major
Description: Sets the severity of the Telnet or rlogin failed logon attempts.

Table 8-61 Description of the Root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure
Option: Root logon failure
Rule Name: Root_Telnet_Rlogin_Logon_Failure
Severity: Warning
Description: Detects failed attempts to log on over Telnet or rlogin as a root user.

Table 8-62 Description of the Non-root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Telnet and Rlogin logon failure
Option: Non-root logon failure
Rule Name: User_Telnet_Rlogin_Logon_Failure
Severity: blank value (the user specifies this value)
Description: Detects failed attempts to log on over Telnet or rlogin as a regular user.

SU failure

Set this option to detect failures that involve the su utility. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file and btmps file are also used.

Repeated SU failures

Set this option to detect users' repeated failures to use the su utility. You can set the number of failures that have to occur and the time interval within which the failures have to occur.

Table 8-63 Description of the Number of Logon Failures in Time Interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SU failure > Repeated SU failures
Option: Number of Logon Failures in Time Interval
Value: blank value (the user specifies this value)
Description: Detects repeated failed logon attempts that use the SU command. You can set the number of times a user can fail to log on in a specific time interval before an event is generated.

Table 8-64 Description of the Time interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SU failure > Repeated SU failures
Option: Time Interval
Duration: In days, hours, minutes, and seconds.
Description: Sets a specific time interval during which the failed logon attempts take place.

Table 8-65 Description of the SU Repeated Failed Severity parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SU failure > Repeated SU failures
Option: SU Repeated Failed Severity
Severity: Major
Description: Sets the severity of the SU failed logon attempts.

Table 8-66 Description of the SU to root failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SU failure
Option: SU to root failure
Rule Name: SU_ToRoot_Failure
Severity: Warning
Description: Detects repeated failed attempts to log on as a root user.

Table 8-67 Description of the SU to non-root failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SU failure
Option: SU to non-root failure
Rule Name: SU_ToUser_Failure
Severity: Notice
Description: Detects repeated failed attempts to log on as a regular user.

SSH logon failure

Set this option to detect failures to log on over SSH. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file is also used.

Repeated SSH logon failures

Set this option to detect users' repeated failures to log on over SSH. You can set the number of failures that have to occur and the time interval within which the failures have to occur.

Table 8-68 Description of the Number of Logon Failures in Time Interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure > Repeated SSH logon failures
Option: Number of Logon Failures in Time Interval
Value: blank value (the user specifies this value)
Description: Detects repeated failed logon attempts that are tracked using syslog or the btmp file (HP-UX). Set the number of times a user can fail to log on in a specific time interval before an event is generated.

Table 8-69 Description of the Time interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure > Repeated SSH logon failures
Option: Time Interval
Duration: In days, hours, minutes, and seconds.
Description: Sets a specific time interval during which the failed logon attempts take place.

Table 8-70 Description of the SSH Repeated Failed Severity parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure > Repeated SSH logon failures
Option: SSH Repeated Failed Severity
Severity: Major
Description: Sets the severity of the SSH failed logon attempts.

Table 8-71 Description of the Root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure
Option: Root logon failure
Rule Name: Root_SSH_Logon_Failure
Severity: Warning
Description: Detects repeated failed attempts to log on as a root user.

Table 8-72 Description of the Non-Root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > SSH logon failure
Option: Non-Root logon failure
Rule Name: User_SSH_Logon_Failure
Severity: Notice
Description: Detects repeated failed attempts to log on as a regular user.

Local logon failure

This option group section of the policy monitors user and root failed logon attempts from the local console. The events are identified using the UNIX syslog. On HP-UX operating systems, the btmp file is also used.

Repeated local logon failures

Set this option to detect users' repeated failures to log on from the local console. You can set the number of failures that have to occur and the time interval within which the failures have to occur.

Table 8-73 Description of the Number of Logon Failures in Time Interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure > Repeated local logon failures
Option: Number of Logon Failures in Time Interval
Value: blank value (the user specifies this value)
Description: Detects repeated local failed logon attempts that are tracked using syslog or the btmp file (HP-UX). Set the number of times a user can fail to log on in a specific time interval before an event is generated.

Table 8-74 Description of the Time interval parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure > Repeated local logon failures
Option: Time Interval
Duration: In days, hours, minutes, and seconds.
Description: Sets a specific time interval during which the failed logon attempts take place.

Table 8-75 Description of the Local Repeated Failed Severity parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure > Repeated local logon failures
Option: Local Repeated Failed Severity
Severity: Major
Description: Sets the severity of the failed logon attempts from the local console.

Table 8-76 Description of the Root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure
Option: Root logon failure
Rule Name: Root_Local_Login_Failure
Severity: Warning
Description: Detects repeated failed attempts to log on as a root user.

Table 8-77 Description of the Non-root logon failure parameters used

Option Path: System Login Activity and Access Monitor > System Failed Login Monitor > Local logon failure
Option: Non-root logon failure
Rule Name: User_Local_Login_Failure
Severity: Notice
Description: Detects repeated failed attempts to log on as a regular user.
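The FTP, Telnet/rlogin, SU, SSH and local "Repeated ... logon failures" options above all share one mechanism: a per-user count of failures inside a sliding time interval, reported at the configured severity alongside the per-failure root/non-root rules. The following added example (mine, not Symantec code) implements that mechanism for the SSH case; the sshd syslog lines, the year supplied to the timestamp parser and the event name used for the repeated-failure event are constructed.

```python
"""Failed-logon monitor over sshd syslog lines (constructed example, not Symantec code).

Models the page's SSH rules: Root_SSH_Logon_Failure (Warning) and
User_SSH_Logon_Failure (Notice) fire per failed attempt, while the
"Repeated SSH logon failures" options (Number of Logon Failures in Time
Interval, Time Interval, SSH Repeated Failed Severity = Major) fire once
per burst that crosses the threshold inside the window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure line as sshd writes it to syslog; the sample lines below are constructed.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)

def parse_syslog_ts(line, year=2012):
    """Classic syslog timestamps carry no year, so the caller supplies one (assumption)."""
    stamp = " ".join(line.split()[:3])            # e.g. "Jan 5 10:00:01"
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)

class SshFailureMonitor:
    def __init__(self, max_failures=3, interval=timedelta(minutes=5),
                 repeated_severity="Major"):
        self.max_failures = max_failures          # Number of Logon Failures in Time Interval
        self.interval = interval                  # Time Interval (days/hours/minutes/seconds)
        self.repeated_severity = repeated_severity
        self._window = defaultdict(deque)         # user -> timestamps of recent failures

    def feed(self, line):
        """Return the events raised by one log line as (rule, severity, user, src) tuples."""
        m = SSHD_FAIL.search(line)
        if not m:
            return []
        user, src = m.group("user"), m.group("src")
        ts = parse_syslog_ts(line)
        events = []
        # Per-failure rules from Tables 8-71 and 8-72.
        if user == "root":
            events.append(("Root_SSH_Logon_Failure", "Warning", user, src))
        else:
            events.append(("User_SSH_Logon_Failure", "Notice", user, src))
        # Repeated-failure rule: sliding window of this user's failures.
        window = self._window[user]
        window.append(ts)
        while window and ts - window[0] > self.interval:
            window.popleft()                      # expire failures outside the interval
        if len(window) >= self.max_failures:
            window.clear()                        # one event per burst, then start over
            # The rule name for this event is not given on the page; constructed label.
            events.append(("repeated_ssh_logon_failure", self.repeated_severity, user, src))
        return events

def run(lines, **settings):
    """Feed every line through one monitor and collect the events in order."""
    monitor = SshFailureMonitor(**settings)
    events = []
    for line in lines:
        events.extend(monitor.feed(line))
    return events

SAMPLE_LINES = [  # constructed sshd records: three root failures in 2.5 minutes, then a gap
    "Jan  5 10:00:01 host1 sshd[2001]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "Jan  5 10:00:03 host1 sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 51001 ssh2",
    "Jan  5 10:00:10 host1 sshd[2003]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "Jan  5 10:00:12 host1 sshd[2004]: Accepted publickey for alice from 10.0.0.9 port 51003 ssh2",
    "Jan  5 10:02:30 host1 sshd[2005]: Failed password for root from 10.0.0.5 port 51004 ssh2",
    "Jan  5 10:20:00 host1 sshd[2006]: Failed password for root from 10.0.0.5 port 51005 ssh2",
]

if __name__ == "__main__":
    for event in run(SAMPLE_LINES):
        print(event)
```

With the default three failures in five minutes the sample raises one repeated-failure event for root at 10:02:30; with a one-minute interval the same lines raise none, which is the tuning trade-off the Time Interval option controls.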

System Privileged Command and Bash History Monitor

This option group section of the policy monitors for specific privileged command and bash events.

Sudo Monitoring Options

Global Sudo Monitoring Settings

Table 8-78 Description of the Authorized Sudo Users, Strings, or Commands (whitelisted) parameters used

Option Path: System Privileged Command and Bash History Monitor > Sudo Monitoring Options > Global Sudo Monitoring Settings
Option: Authorized Sudo Users, Strings, or Commands (whitelisted)
Value: blank value (the user specifies this value)
Description: Use to set up a user-defined list of users, strings, and commands that are monitored for use with the sudo command.

Table 8-79 Description of the Banned Sudo Commands (blacklisted) parameters used

Option Path: System Privileged Command and Bash History Monitor > Sudo Monitoring Options > Global Sudo Monitoring Settings
Option: Banned Sudo Commands (blacklisted)
Value: *rm -rf /*
Description: Use to set up a user-defined list of commands that are monitored when used with the sudo command.

Sudo Command Monitor

Table 8-80 Description of the Sudo Command Monitor parameters used

Option Path: System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option: Sudo Command Monitor
Rule Name: Baseline_Sudo_Command_Watch
Severity: Notice
Description: Detects use of the sudo command.

Sudo Command Failure Monitor

Table 8-81 Description of the Sudo Command Failure Monitor parameters used

Option Path: System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option: Sudo Command Failure Monitor
Rule Name: Baseline_Sudo_Command_Failure
Description: Detects the failures of sudo command use.

Sudo Authorization Failure Monitor

Table 8-82 Description of the Sudo Authorization Failure Monitor parameters used

Option Path: System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option: Sudo Authorization Failure Monitor
Rule Name: Baseline_Sudo_Authentication_Failure
Severity: Warning
Description: Detects failures in the authorization of the sudo command.
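The Global Sudo Monitoring Settings (Tables 8-78 and 8-79) and the three sudo monitors (Tables 8-80 to 8-82) combine into one classification step over sudo's syslog records. The following added example (mine, not Symantec code) shows that step and, with the default banned pattern "*rm -rf /*", the over-match a wildcard list produces. Assumptions: wildcards are interpreted with shell-style fnmatch, a whitelisted user or command suppresses ordinary command events, password failures map to the Authentication_Failure rule and other refusals to the Command_Failure rule (whose severity Table 8-81 does not state); the syslog records are constructed.

```python
"""Sudo monitor over syslog records (constructed example, not Symantec code)."""
import re
from fnmatch import fnmatchcase

# "sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")

def parse_sudo(line):
    """Split a sudo record into user, optional free-text failure reason and key=value fields."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = {"user": m.group("user"), "reason": None}
    for field in m.group("rest").split(" ; "):
        key, eq, val = field.partition("=")
        if eq:
            rec[key.strip()] = val.strip()
        else:
            rec["reason"] = field.strip()     # e.g. "3 incorrect password attempts"
    return rec

class SudoMonitor:
    def __init__(self, authorized=(), banned=("*rm -rf /*",),
                 failure_severity="Warning"):
        self.authorized = tuple(authorized)   # Authorized Sudo Users, Strings, or Commands
        self.banned = tuple(banned)           # Banned Sudo Commands, page default shown
        # Table 8-81 states no severity for Baseline_Sudo_Command_Failure: assumed value.
        self.failure_severity = failure_severity

    @staticmethod
    def _matches(patterns, *values):
        return any(fnmatchcase(v, p) for p in patterns for v in values)

    def classify(self, line):
        """Map one record to a rule, severity and whitelist/blacklist verdict."""
        rec = parse_sudo(line)
        if rec is None:
            return None
        user, cmd, reason = rec["user"], rec.get("COMMAND", ""), rec["reason"]
        if reason and "password" in reason:
            rule, sev = "Baseline_Sudo_Authentication_Failure", "Warning"
        elif reason:                          # "user NOT in sudoers", "command not allowed", ...
            rule, sev = "Baseline_Sudo_Command_Failure", self.failure_severity
        else:
            rule, sev = "Baseline_Sudo_Command_Watch", "Notice"
        banned = self._matches(self.banned, cmd)
        authorized = self._matches(self.authorized, user, cmd)
        # Whitelist suppresses only plain command events; failures and banned commands stay.
        report = banned or rule != "Baseline_Sudo_Command_Watch" or not authorized
        return {"rule": rule, "severity": sev, "user": user, "command": cmd,
                "banned": banned, "authorized": authorized, "report": report}

def run(lines, **settings):
    """Return the events that would be reported for the given records."""
    monitor = SudoMonitor(**settings)
    return [ev for ev in map(monitor.classify, lines) if ev and ev["report"]]

SAMPLE = [  # constructed syslog records
    "Jan  5 11:00:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan  5 11:01:00 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /",
    "Jan  5 11:02:00 host1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jan  5 11:03:00 host1 sudo:     dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls /root",
    "Jan  5 11:04:00 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -rf /tmp/build",
]

if __name__ == "__main__":
    for event in run(SAMPLE, authorized=("alice",)):
        print(event["rule"], event["severity"], event["user"], event["command"],
              "BANNED" if event["banned"] else "")
```

Note the last record: because the trailing "*" in "*rm -rf /*" also matches "/tmp/build", an rm under any absolute path is flagged as banned, so a tighter pattern is needed if only the filesystem root is of concern.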

Additional Sudo Monitoring Options

Table 8-83 Description of the Additional Sudo Monitoring Options parameters used

Option Path: System Privileged Command and Bash History Monitor > Sudo Monitoring Options
Option: Additional Sudo Monitoring Options
Rule Name: System_PrivCmd_BashHist_Sudo_AddContent
Severity: Info
Description: Detects use of the sudo command.

User Command History Options

Table 8-84 Description of the User 1 Command History Monitor parameters used

Option Path: System Privileged Command and Bash History Monitor > User Command History Options
Option: User 1 Command History Monitor
Rule Name: Baseline_User_Command_Watch
Severity: Notice
User's Bash History Log File Path: /home/user1/.bash_history
Description: Monitors the commands used by a specific user.

Table 8-85 Description of the User 2 Command History Monitor parameters used

Option Path: System Privileged Command and Bash History Monitor > User Command History Options
Option: User 2 Command History Monitor
Rule Name: Baseline_User2_Command_Watch
Severity: Notice
User's Bash History Log File Path: /home/user2/.bash_history
Description: Monitors the commands used by a second specific user.

Superuser (Root Level) Command History Options

Table 8-86 Description of the Root Command History Monitor parameters used

Option Path: System Privileged Command and Bash History Monitor > Superuser (Root Level) Command History Options
Option: Root Command History Monitor
Rule Name: Baseline_Root_Command_Watch
Severity: Notice
Root's Bash History Log File Path: /root/.bash_history
Description: Monitors the commands used by users who are logged in as root.

Table 8-87 Description of the Superuser Command History Monitor parameters used

Option Path: System Privileged Command and Bash History Monitor > Superuser (Root Level) Command History Options
Option: Superuser Command History Monitor
Rule Name: Baseline_Superuser_Command_Watch
Severity: Notice
Superuser's Bash History Log File Path: /home/superuser/.bash_history
Description: Monitors the commands used by users who are logged in as superuser.

System Hardening Monitor

This option group section detects changes to the user-configurable files that are considered sensitive in maintaining the security posture of the operating system. It detects modifications of the system configuration that change whether it automatically runs code during system startup. This behavior is normal if an administrator needs to change autorun behavior. If unexpected, it can indicate that the system is being prepared to operate outside established security policy, or that it is about to be compromised.

Various areas are monitored to generate events for the administrator if either of the following changes any of the selected values:

■ Malware

■ A malicious individual attempting to lower the security posture of the host system

Table 8-88 Description of the Daemon Run Level RC.D Monitor parameters used

Option Path: System Hardening Monitor > System Auto Start Change Options
Option: Daemon Run Level RC.D Monitor
Rule Name: AutoStart_RC.D_Monitor
Severity: Warning
File Paths:
  /etc/rc.*
  /etc/rc.d/*
  /etc/init.d/*
Additional Settings: You can also monitor the following events:
  ■ Monitor Value Addition to Run Level Files
  ■ Monitor Value Removal to Run Level Files
  ■ Monitor File Modification
  ■ Monitor File Creation
  ■ Monitor File Removal
Description: Detects changes to the daemon rc files on the computer.

Table 8-89 Description of the System Run Level INITTAB Monitor parameters used

Option Path: System Hardening Monitor > System Auto Start Change Options
Option: System Run Level INITTAB Monitor
Rule Name: AutoStart_Inittab_Monitor
Severity: Warning
File Paths: /etc/inittab
Additional Settings: You can also monitor the following events:
  ■ Monitor Value Additions to the Inittab File
  ■ Monitor Value Removal to the Inittab File
  ■ Monitor File Modification
  ■ Monitor File Creation
  ■ Monitor File Removal
Description: Detects changes to the inittab file on the computer.

System File and Directory Monitor

This option group section of the policy monitors for file and directory changes. It also includes a completely rewritten file monitoring area that was renamed System FileWatch Monitor. This new area provides enhanced configuration options to enable more precise monitoring of file and directory additions, deletions, modifications, and access attempts.

System FileWatch Monitor

This option group section of the policy monitors additions, deletions, modifications, and access attempts to the system critical files that are listed as monitored files. If you use a default security posture, then Symantec Critical System Protection automatically sets up the filewatch monitor for you. If you use your own security posture, you must select the files that you want to monitor so that the filewatch monitor functions correctly.

A wide range of options that enable very specific tuning of how the file or directory is monitored are available for each rule. A global settings area sets the following parameters for all rules in the filewatch monitor area:

■ Polling Interval: The interval at which the filewatch engine polls, or checks, the files that are configured for change monitoring. This option lets you tune how frequently files are polled for changes. You may want to adjust the default polling rate if your environment has a large number of files to be monitored; this helps to ensure that the filewatch engine does not consume excessive resources. A drop-down list is provided to switch the polling interval.

■ Search Depth: The search depth is a configurable parameter. It specifies the recursion level, or number of directories and subdirectories that are monitored when you apply a wildcard path. For more information on recursion level and search depth, see the path to the existing definition.
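The FileWatch settings just described (wildcard Monitor Paths bounded by a Search Depth, Ignore Strings, the Deleted/Created/Modified Monitor Ops, Report File Differences) and the value addition/removal settings of the System Hardening Monitor above both reduce to one polling loop: snapshot the in-scope files, compare with the baseline, report what changed. The following added example (mine, not Symantec code) implements that loop over a constructed directory tree in a temporary folder. Assumptions: glob-style matching for paths and ignore strings, a depth of 1 meaning the files directly in the wildcard's directory, and file differences reported as lines added or removed.

```python
"""FileWatch-style change monitor (constructed example, not Symantec code)."""
import fnmatch
import hashlib
import os
import tempfile

WILDCARDS = "*?["

class FileWatch:
    def __init__(self, root, monitor_paths, ignore_strings=(), search_depth=1,
                 ops=("Created", "Deleted", "Modified"), report_differences=False):
        self.root = root                      # monitor paths are resolved under this root
        self.monitor_paths = list(monitor_paths)
        self.ignore_strings = list(ignore_strings)
        self.search_depth = search_depth      # assumption: 1 = files directly in the wildcard's directory
        self.ops = set(ops)                   # Monitor Ops
        self.report_differences = report_differences
        self.baseline = {}                    # path -> (sha256, lines)
        self._primed = False

    def _in_scope(self, path):
        """Apply Ignore Strings first, then Monitor Paths with the Search Depth limit."""
        if any(fnmatch.fnmatchcase(path, pat) for pat in self.ignore_strings):
            return False
        for pat in self.monitor_paths:
            if not fnmatch.fnmatchcase(path, pat):
                continue
            if not any(c in pat for c in WILDCARDS):
                return True                   # literal path such as /etc/inittab
            first = min(pat.index(c) for c in WILDCARDS if c in pat)
            parent = pat[:first].rsplit("/", 1)[0]    # "/etc" for "/etc/*.conf"
            if path[len(parent) + 1:].count("/") < self.search_depth:
                return True
        return False

    def _snapshot(self):
        snap = {}
        for dirpath, _, files in os.walk(self.root):
            for name in files:
                full = os.path.join(dirpath, name)
                path = "/" + os.path.relpath(full, self.root).replace(os.sep, "/")
                if self._in_scope(path):
                    with open(full, "rb") as fh:
                        data = fh.read()
                    snap[path] = (hashlib.sha256(data).hexdigest(),
                                  data.decode("utf-8", "replace").splitlines())
        return snap

    def scan(self):
        """One polling pass; the first call only records the baseline."""
        current = self._snapshot()
        events = []
        if self._primed:
            for path in current.keys() - self.baseline.keys():
                if "Created" in self.ops:
                    events.append({"op": "Created", "path": path})
            for path in self.baseline.keys() - current.keys():
                if "Deleted" in self.ops:
                    events.append({"op": "Deleted", "path": path})
            for path in current.keys() & self.baseline.keys():
                old_hash, old_lines = self.baseline[path]
                new_hash, new_lines = current[path]
                if old_hash != new_hash and "Modified" in self.ops:
                    ev = {"op": "Modified", "path": path}
                    if self.report_differences:   # value additions / removals
                        ev["added"] = [l for l in new_lines if l not in old_lines]
                        ev["removed"] = [l for l in old_lines if l not in new_lines]
                    events.append(ev)
        self.baseline, self._primed = current, True
        return sorted(events, key=lambda e: e["path"])

def demo():
    """Build a constructed tree in a temp dir, baseline it, change it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        def write(path, text):
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        write("/etc/inittab", "id:3:initdefault:\nl3:3:wait:/etc/rc.d/rc 3\n")
        write("/etc/ssh.conf", "PermitRootLogin no\n")
        write("/etc/app.log", "noise\n")             # excluded by Ignore String *.log*
        write("/bin/ls", "binary")                   # directly under /bin: in scope
        write("/bin/sub/deep", "x")                  # one level down: beyond depth 1
        fw = FileWatch(root, ["/etc/*.conf", "/etc/inittab", "/bin/*"],
                       ignore_strings=["*.log*"], search_depth=1, report_differences=True)
        first = fw.scan()                            # baseline only, no events
        write("/etc/inittab", "id:3:initdefault:\nl3:3:wait:/etc/rc.d/rc 3\n"
                              "x1:3:respawn:/usr/local/bin/agent\n")   # new respawn entry
        write("/etc/new.conf", "a\n")
        write("/etc/app.log", "more noise\n")        # ignored
        write("/bin/sub/deep", "changed")            # out of depth
        os.remove(os.path.join(root, "bin", "ls"))
        return first, fw.scan()

if __name__ == "__main__":
    for event in demo()[1]:
        print(event)
```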

Monitor System-Critical Files

Table 8-90 Description of the Core System Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Core System Files
Rule Name: FileWatch_Sys_Core_Files
Severity: Warning
Monitor Paths:
  /bin/*
  /lib/*
  /sbin/*
  /stand/vmunix
  /unix
  /usr/bin/*
  /usr/lib/*
  /usr/sbin/*
  /usr/spool/cron/*
  /var/adm/cron/*
  /var/lib/*
  /var/spool/cron/*
Ignore Strings:
  /usr/lib/cron/log
  /usr/lib/objrepos
  /usr/spool/cron/tmp
  /var/adm/cron/FIFO
  /var/adm/cron/log
  /var/lib/objrepos
  /var/log
  /var/spool/cron/tmp
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the core system files that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-91 Description of the Core System Configuration Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Core System Configuration Files
Rule Name: FileWatch_Sys_Core_Configuration_Files
Severity: Warning
Monitor Paths:
  /etc/*.conf
  /etc/*.config
  /etc/*_conf
  /etc/*_config
  /etc/sudoers
Ignore Strings:
  /etc/*.log
  /etc/*.pid
  /etc/btmp
  /etc/btmps
  /etc/cron.d/FIFO
  /etc/security/*log
  /etc/sisips
  /etc/sisips/*
  /etc/sulogin
  /etc/symantec/*
  /etc/utmp
  /etc/utmppipe
  /etc/utmps
  /etc/utmpx
  /etc/wtmps
  /etc/wtmpx
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the core system configuration files that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-92 Description of the Setup Programs and Packages parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Setup Programs and Packages
Rule Name: FileWatch_Sys_Setup_Files
Severity: Warning
Monitor Paths:
  /usr/sbin/pkg*
  /var/lib/rpm/*
  /var/sadm/install/admin/*
Ignore Strings:
  *.log*
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the setup programs and packages that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-93 Description of the Common Daemon Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Common Daemon Files
Rule Name: FileWatch_Sys_Common_Program_Files
Severity: Warning
Monitor Paths:
  /etc/cron.d/logchecker
  /etc/fs/*/mount
  /lib/svc/nfs/lockd
  /lib/svc/nfs/statd
  /opt/sbin/in.named
  /opt/sbin/lwresd
  /opt/sbin/name
  /sbin/auditd
  /sbin/klogd
  /sbin/syslogd
  /usr/lib/cups/daemon/cups-lpd
  /usr/lib/fs/*/moun
  /usr/lib/sendmail
  /usr/lib/ssh/sshd
  /usr/lib/zones/zoneadmd
  /usr/local/sbin/in.named
  /usr/local/sbin/in.tnamed
  /usr/local/sbin/lwresd
  /usr/local/sbin/named
  /usr/local/sbin/sshd
  /usr/sbin/atd
  /usr/sbin/automount
  /usr/sbin/cron
  /usr/sbin/crond
  /usr/sbin/cupsd
  /usr/sbin/in.named
  /usr/sbin/in.tnamed
  /usr/sbin/inetd
  /usr/sbin/lwresd
  /usr/sbin/named
  /usr/sbin/nmbd
  /usr/sbin/rpc.mountd
  /usr/sbin/smbd
  /usr/sbin/sshd
  /usr/sbin/syslogd
  /usr/sbin/xinetd
  /usr/sfw/sbin/nmbd
  /usr/sfw/sbin/smbd
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the common daemon files that the operating system maintains. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-94 Description of the Monitor Script Files and Cron Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Monitor Script Files and Cron Files
Rule Name: FileWatch_Sys_Script_Files
Severity: Warning
Monitor Paths: blank value (the user specifies this value)
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the user-defined script files and cron files that are used on the computer. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-95 Description of the Solaris Specific Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Solaris Specific Files
Rule Name: FileWatch_Sys_Other_Files_Solaris
Severity: Warning
Monitor Paths: blank value (the user specifies this value)
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the critical user-defined files that are specific to the Solaris operating system. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-96 Description of the AIX Specific Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: AIX Specific Files
Rule Name: FileWatch_Sys_Other_Files_AIX
Severity: Warning
Monitor Paths: blank value (the user specifies this value)
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the critical user-defined files that are specific to the AIX operating system. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-97 Description of the Linux Specific Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Linux Specific Files
Rule Name: FileWatch_Sys_Other_Files_Linux
Severity: Warning
Monitor Paths: blank value (the user specifies this value)
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the critical user-defined files that are specific to Linux operating systems. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-98 Description of the HPUX Specific Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: HPUX Specific Files
Rule Name: FileWatch_Sys_Other_Files_HPUX
Severity: Warning
Monitor Paths: blank value (the user specifies this value)
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the critical user-defined files that are specific to the HP-UX operating system. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

Table 8-99 Description of the Tru64 Specific Files parameters used

Option Path: System File and Directory Monitor > System FileWatch Monitor > Monitor System-Critical Files
Option: Tru64 Specific Files
Rule Name: FileWatch_Sys_Other_Files_Tru64
Severity: Warning
Monitor Paths: blank value (the user specifies this value)
Monitor Ops: Deleted, Created, Modified; Accessed (not enabled by default)
Report File Differences: Available, Not Enabled
Date and Time Restriction: Available, Not Enabled
Description: Lets you monitor the critical user-defined files that are specific to the Tru64 operating system. If you check this option, you must specify at least one path in the subsequent list.

Note: Symantec recommends that you only use the Report File Differences option on a select number of files. If you enable the reporting of file differences for a large number of files, that is, more than 1000, it may affect system resources. Symantec recommends that you test scenarios if large numbers of files require this detection functionality or if wildcard paths are used with this feature.

System Symantec Software Monitor

This option group area of the policy contains monitoring functions for Symantec software. Currently the monitored ancillary application is Symantec AntiVirus for Linux. The policy automatically detects if the host machine has Symantec AntiVirus for Linux installed.

Table 8-100 Description of the Virus Detected parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Virus Detected
Rule Name: Virus_Detected
Severity: Critical
Description: Detects the discovery of a virus or Trojan horse by Symantec AntiVirus for Linux. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. Immediate action is usually warranted.

Table 8-101 Description of the Service Stopped parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Service Stopped
Rule Name: Service_Stopped
Severity: Warning
Description: Detects the stopping of the Symantec AntiVirus for Linux service. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has stopped, it reports this status.

Table 8-102 Description of the Service Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Service Started
Rule Name: Service_Started
Severity: Notice
Description: Detects the starting of the Symantec AntiVirus for Linux service. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the Symantec AntiVirus service has started, it reports this status.

Table 8-103 Description of the Scan Started parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Scan Started
Rule Name: Scan_Started
Severity: Notice
Description: Detects the starting of a manual scan of a host with Symantec AntiVirus for Linux. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that it has initiated a manual scan of the host, it reports this status.


Table 8-104 Description of the Scan Canceled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Scan Canceled
Rule Name: Scan_Canceled
Severity: Warning
Description: Detects the canceling of a manual scan of a host with Symantec AntiVirus for Linux. Symantec AntiVirus issues the status messages for various application conditions. When Symantec AntiVirus determines that it has been commanded to cancel a manual scan, it reports this status.

Table 8-105 Description of the Scan Complete parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Scan Complete
Rule Name: Scan_Complete
Severity: Notice
Description: Detects the completion of a manual scan of a host with Symantec AntiVirus for Linux. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that it has successfully completed a manual scan, it reports this status.

Table 8-106 Description of the New Virus Definition Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: New Virus Definition Loaded
Rule Name: New_Virus_Defintion_Loaded
Severity: Notice
Description: Detects the updating of Symantec AntiVirus for Linux with the latest virus definitions. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that it has loaded a new virus definition file, it reports this status.

Table 8-107 Description of the Virus Definitions are Current parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Virus Definitions are Current
Rule Name: Virus_Definitions_are_Current
Severity: Notice
Description: Detects that the installed virus definitions are current. Symantec AntiVirus for Linux issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the definitions are current, it reports this status.

Table 8-108 Description of the Realtime Protection Loaded parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Realtime Protection Loaded
Rule Name: Realtime_Protection_Loaded
Severity: Notice
Description: Detects the disabling of the Symantec AntiVirus for Linux real-time system protection option. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been disabled, it reports this status.


Table 8-109 Description of the Realtime Protection Disabled parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Realtime Protection Disabled
Rule Name: Realtime_Protection_Disabled
Severity: Critical
Description: Detects the disabling of the Symantec AntiVirus for Linux real-time system protection option. Symantec AntiVirus issues the status messages for various application conditions and errors. When Symantec AntiVirus determines that the real-time protection option has been disabled, it reports this status.

Table 8-110 Description of the Virus Detected - Cleaned Failed parameters used

Option Path: System Symantec Software Monitor > Symantec AntiVirus for Linux (SAVFL) Client Communication
Option: Virus Detected - Cleaned Failed
Rule Name: Virus_Detected_Cleaned_Failed
Severity: Critical
Description: Detects the discovery of a virus or Trojan horse by Symantec AntiVirus for Linux. This detection indicates that malicious software has arrived at the client side by email, download, document macro, or by disk-to-disk transfer. This event indicates that the Symantec AntiVirus client was unable to clean, remove, or quarantine the identified malware and the risk is still present on the system. Immediate investigation is required.

System External Device Activity Monitor

This option group subsection monitors for specific external device activity such as the various activities that are associated with USB devices. This activity should be monitored on an enterprise network, as such devices may pose the threat of data loss.


Table 8-111 Description of the USB Device Connected parameters used

Option Path: System External Device Activity Monitor > USB Device Activity
Option: USB Device Connected
Rule Name: USB_Device_Connected
Severity: Warning
Description: Detects a USB device connection event from the UNIX syslog.

Table 8-112 Description of the USB Device Disconnected parameters used

Option Path: System External Device Activity Monitor > USB Device Activity
Option: USB Device Disconnected
Rule Name: USB_Device_Disconnected
Severity: Warning
Description: Detects a USB device disconnection event from the UNIX syslog.

Table 8-113 Description of the USB Device Additional Activity parameters used

Option Path: System External Device Activity Monitor > USB Device Activity
Option: USB Device Additional Activity
Rule Name: USB_Device_Additional
Severity: Warning
Description: Detects user-defined USB device-related activities from the UNIX syslog.
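The three USB Device Activity rules above are syslog pattern matches. The following added example (not Symantec code, and not the product's actual rule definitions) shows what such matching looks like when run over constructed Linux kernel syslog lines: a connection and a disconnection are recognised from the usb core's message wording, and a user-supplied substring list stands in for the "additional activity" rule. The hostnames, timestamps and the `USB Mass Storage device detected` pattern are this example's own constructions.

```python
import re

# Constructed syslog lines in the traditional "Mon DD HH:MM:SS host tag: msg" shape.
SAMPLE_SYSLOG = [
    "Oct 10 13:55:01 web01 kernel: [ 1234.567890] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Oct 10 13:55:01 web01 kernel: [ 1234.701234] usb-storage 1-1:1.0: USB Mass Storage device detected",
    "Oct 10 13:55:02 web01 sshd[4242]: Accepted publickey for admin from 10.1.1.5 port 50022",
    "Oct 10 13:55:03 web01 kernel: [ 1236.000001] eth0: link up, 1000Mbps, full-duplex",
    "Oct 10 13:59:40 web01 kernel: [ 1512.123456] usb 1-1: USB disconnect, device number 4",
]

# Only kernel-tagged lines carry USB core messages; the optional "[ secs ]" is the printk timestamp.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?(?P<msg>.*)$")
# Linux usb core wording for enumeration and removal of a device on a port.
CONNECT_RE = re.compile(r"usb (?P<port>[\d.-]+): new (?P<speed>\S+) USB device number (?P<num>\d+)")
DISCONNECT_RE = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")


def classify_usb_event(line, additional_patterns=()):
    """Map one syslog line to a rule event dict, or None when no rule matches.
    additional_patterns are the user-defined substrings of the
    USB_Device_Additional rule (an assumption of this example)."""
    header = SYSLOG_RE.match(line)
    if not header:
        return None
    msg = header.group("msg")
    common = {"time": header.group("ts"), "host": header.group("host"), "severity": "Warning"}
    hit = CONNECT_RE.search(msg)
    if hit:
        return {"rule": "USB_Device_Connected", "port": hit["port"],
                "device": int(hit["num"]), "speed": hit["speed"], **common}
    hit = DISCONNECT_RE.search(msg)
    if hit:
        return {"rule": "USB_Device_Disconnected", "port": hit["port"],
                "device": int(hit["num"]), **common}
    for pattern in additional_patterns:
        if pattern in msg:
            return {"rule": "USB_Device_Additional", "pattern": pattern, "message": msg, **common}
    return None


def scan_syslog(lines, additional_patterns=()):
    """Run the three rules over a sequence of syslog lines and keep the hits."""
    events = (classify_usb_event(line, additional_patterns) for line in lines)
    return [event for event in events if event is not None]


if __name__ == "__main__":
    for event in scan_syslog(SAMPLE_SYSLOG, ["USB Mass Storage device detected"]):
        print(event["rule"], event["time"], event.get("port", ""), event.get("device", ""))
```

Connect and disconnect events share the port and device number, so a console can pair them to tell how long a device was present; lines from other facilities (the `sshd` line above) are skipped before any USB pattern is tried.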

System Attack Detection

This option group subsection contains basic Web attack monitoring criteria to thwart basic attacks on any Web server that produces any kind of access log.

The global settings area consists of the following:


■ Alert only on Success Attack Attempt (Code 200): This area configures all the attack detection rules to look for the trailing code 200 when a suspicious string is found in the access log. Trailing code 200 means a successful process request. This setting dramatically decreases the amount of false positives and provides administrators with events that are considered processed by the hosting system.

■ Web Access Log File Path: This area configures the Web access log path, which the rules in this policy subsection sift through to find malicious request strings. Symantec Critical System Protection provides a default location for the Apache Web server HTTP access log. Symantec recommends that you research which path location is best for this portion of the policy, since other Web server packages may be configured with different HTTP access log paths.

Note: The log format must follow W3C guidelines.

■ Whitelisted IP Addresses: This area configures the IP addresses that are allowed or otherwise ignored in this monitoring subsection. These IP addresses are for tools like automated vulnerability scanning systems on enterprise networks, where you know that at regular intervals Web attack tests occur.

■ Blacklisted IP Addresses: This area configures the IP addresses that are not allowed access to the host system. Blacklisted IP addresses may be any addresses outside an internal network range if this area monitors an intranet Web host. Blacklisted IP addresses may also be known bad IP addresses from any of the blacklists available on the Internet.

■ IIS HTTP Success Code: The IIS HTTP Success Code is the trailing HTTP code on all requests that signifies that the request has been successfully processed on the host Web system. A success code that is paired with a maliciously crafted URI string would indicate a possible compromised system.

■ IIS HTTP Error Code: The IIS HTTP Error Code is the HTTP error code that signifies a bad HTTP request. A high frequency of these codes repeating in the access log signifies that a possible Web vulnerability scan is occurring.


Generic Web Attack Detection Options

Table 8-114 Description of the Generic VA Scan Attempt parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic VA Scan Attempt
Rule Name: WebAttackDetection_Generic_VAScan
Severity: Warning
Invalid Count: 20 (times in which a 404 or unknown request is received)
Invalid Interval: 2 minutes (time frequency in which the invalid count needs to occur to trigger the event)
Description: Detects a possible VA scan by triggering an event within a specific administrator-defined threshold. If Symantec Critical System Protection receives a specified number of 404 error codes by a user-defined frequency, then this rule generates an alert on a possible VA scan attempt.

Table 8-115 Description of the Generic Blacklisted IP Request Attempts parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic Blacklisted IP Request Attempts
Rule Name: Baseline_WebAttackDetection_Generic_BlackListedIP
Severity: Warning
Description: A simple rule that detects the access attempt by a blacklisted IP address that is found in the HTTP access log. You configure the blacklisted IP address in the Global Settings area. If you enable this rule, any attempt by the predefined blacklisted IP address generates an event.


Table 8-116 Description of the Generic SQL Injection Attack Attempts parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic SQL Injection Attack Attempts
Rule Name: Baseline_WebAttackDetection_Generic_SQLInjection
Severity: Warning
Description: Detects the very simple and generic SQL injection-type attacks when it monitors the HTTP access log file. Primary and secondary select logic is used to ensure that accurate rule tuning can occur. You can customize this area to your needs to add further SQL injection measures.

Table 8-117 Description of the Generic Directory Transversal Attempts parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic Directory Transversal Attempts
Rule Name: Baseline_WebAttackDetection_Generic_DirTransversal
Severity: Warning
Description: Detects possible directory transversal attempts in HTTP request strings. The generic strings for directory transversal attempts are provided. An individual or script attempting to transverse directories by HTTP request may be considered a malicious action.

Table 8-118 Description of the Generic Malicious User Agent Request Attempts parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic Malicious User Agent Request Attempts
Rule Name: Baseline_WebAttackDetection_Generic_MaliciousUserAgent
Severity: Warning
Description: Detects the malicious user agent strings in HTTP requests. Automated scripts commonly use bad user agents in large-scale attacks. Pre-scripted suites of programs also use them to attack a Web server. The presence of these known-bad user agent strings may indicate a malicious attempt to access your host Web system.

Table 8-119 Description of the Generic Unwanted Extension Requests parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic Unwanted Extension Requests
Rule Name: Baseline_WebAttackDetection_Unwanted_Extension_Request
Severity: Warning
Description: Detects the unwanted or suspicious extension requests. Files that are requested with the extensions configured in this rule may indicate a malicious script or user. You can add or remove extensions in this area to customize this event per host system environment.

Table 8-120 Description of the Generic Unwanted Directory Requests parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic Unwanted Directory Requests
Rule Name: Baseline_WebAttackDetection_Unwanted_Directory_Request
Severity: Warning
Description: Detects the unwanted or suspicious directory requests. Directory requests as configured in this rule may indicate a malicious script or user. You can add or remove sensitive directory paths in this area to customize this event per host system environment.


Table 8-121 Description of the Generic Vulnerable CGI Requests parameters used

Option Path: System Attack Detection > Web Attack Detection Options > Generic Web Attack Detection Options
Option: Generic Vulnerable CGI Requests
Rule Name: WebAttackDetection_Generic_VulnerableCGIRequest
Severity: Warning
Description: Detects the unwanted or suspicious CGI and script requests. CGI and script requests as configured in this rule may indicate a malicious script or user. You can add or remove sensitive directory paths in this area to customize this event per host system environment.
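The global settings listed at the start of this subsection and the generic rules of Tables 8-114 through 8-121 all operate on the same access-log stream, so one added example (not Symantec code and not the product's actual rule strings) is given here for the whole group. It parses NCSA combined-format lines, applies the whitelist and blacklist networks, gates the signature rules on the configured success code when "Alert only on Success Attack Attempt" is on, and implements the VA-scan threshold as a sliding window of error responses per client using the defaults from Table 8-114 (20 responses in 2 minutes). The rule names, the URI and user-agent signatures, and the sample log lines are this example's own constructions; real deployments tune the rule string lists to the hosted application.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# NCSA combined log format: ip ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed detection signatures (the product's own lists are richer); each is
# tried against the raw URI and its URL-decoded form so encoding does not hide a hit.
URI_SIGNATURES = {
    "Generic_DirTransversal": re.compile(r"\.\./|\.\.\\"),
    "Generic_SQLInjection": re.compile(r"union\s+select|'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "Unwanted_Extension_Request": re.compile(r"\.(bak|old|orig|swp)(\?|$)", re.I),
    "Unwanted_Directory_Request": re.compile(r"^/(\.git|\.svn|backup)(/|$)", re.I),
}
# Constructed user-agent signature: an empty agent or an obviously made-up scanner name.
BAD_AGENT_RE = re.compile(r"^-$|example-scanner", re.I)


class WebAttackDetector:
    def __init__(self, success_code="200", error_code="404", alert_only_on_success=True,
                 whitelist=(), blacklist=(), invalid_count=20,
                 invalid_interval=timedelta(minutes=2)):
        self.success_code = success_code            # "IIS HTTP Success Code"
        self.error_code = error_code                # "IIS HTTP Error Code"
        self.alert_only_on_success = alert_only_on_success
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.invalid_count = invalid_count          # Table 8-114 "Invalid Count"
        self.invalid_interval = invalid_interval    # Table 8-114 "Invalid Interval"
        self.errors_by_ip = defaultdict(deque)      # sliding window of error timestamps

    @staticmethod
    def _listed(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def process_line(self, line):
        """Return the (rule, client_ip, detail) events raised by one log line."""
        match = LOG_RE.match(line)
        if not match:
            return []                               # not a W3C/NCSA-shaped line
        rec = match.groupdict()
        ip, uri, status = rec["ip"], rec["uri"], rec["status"]
        if self._listed(ip, self.whitelist):
            return []                               # your own scheduled VA scanners
        events = []
        if self._listed(ip, self.blacklist):
            events.append(("Generic_BlackListedIP", ip, uri))
        # Generic VA scan: invalid_count error responses from one client inside the interval.
        if status == self.error_code:
            when = datetime.strptime(rec["time"], TIME_FMT)
            window = self.errors_by_ip[ip]
            window.append(when)
            while when - window[0] > self.invalid_interval:
                window.popleft()                    # drop errors older than the interval
            if len(window) >= self.invalid_count:
                events.append(("Generic_VAScan", ip,
                               f"{len(window)} x {self.error_code} within {self.invalid_interval}"))
                window.clear()                      # one event per burst, not per extra 404
        # Signature rules, gated on the success code when that global setting is on.
        if not self.alert_only_on_success or status == self.success_code:
            for rule, signature in URI_SIGNATURES.items():
                if signature.search(uri) or signature.search(unquote(uri)):
                    events.append((rule, ip, uri))
            if BAD_AGENT_RE.search(rec["agent"]):
                events.append(("Generic_MaliciousUserAgent", ip, rec["agent"]))
        return events

    def process_log(self, lines):
        return [event for line in lines for event in self.process_line(line)]


def sample_line(ip, second, uri, status, agent="Mozilla/5.0", minute=55):
    """Build a constructed combined-format line for a fixed date in 2012."""
    return (f'{ip} - - [10/Oct/2012:13:{minute:02d}:{second:02d} +0000] '
            f'"GET {uri} HTTP/1.1" {status} 512 "-" "{agent}"')
```

With the success-code gate on, a traversal string that the server answered with 404 produces no event, which is the false-positive reduction the "Alert only on Success Attack Attempt" setting describes; turning the gate off makes the same line alert. The VA-scan window is keyed per client address, so twenty scattered 404s from twenty hosts never add up to one event.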

UNIX Rootkit File / Directory Detection

A global settings area sets the following parameters for all rules in the UNIX Rootkit File / Directory Detection area:

■ A Polling Interval option controls the interval in which the software polls or checks the files and directories that are configured for change monitoring. This option is available to enable tuning of how frequently files and directories are polled for changes. You may want to adjust the default polling rate if your environment has a large number of files and directories to be monitored. This adjustment helps to ensure that resources are not overly used for the engine. A drop-down selection criteria area is provided to easily switch polling interval frequency.

■ A Monitor Checksums option is available to enable the monitoring of a file's checksum during a file modification event. It reports the real-time SHA-256 hash comparison to the Symantec Critical System Protection console under the Event details. This option also enables the monitoring of file checksums as calculated at agent startup. It determines whether the file was modified since Symantec Critical System Protection was last shut down. This option provides detection ability even if the Symantec Critical System Protection service or daemon is shut down. If a monitored file is changed, once the Symantec Critical System Protection service or daemon is started, it compares the files in its monitored list to when it was shut down. Any differences are reported to the console.
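The Monitor Checksums behaviour described above, and the FileWatch parameters used by Tables 8-90 through 8-99 (wildcard Monitor Paths, Search Depth, Ignore Strings, Monitor Ops), are shown together in the following added example. It is not Symantec code: it expands wildcard paths relative to a scratch root (so it can run against a temporary directory rather than the live /bin), drops ignored entries, records a SHA-256 per file, writes that baseline to a state file standing in for the agent's saved state at shutdown, and at "startup" compares a fresh baseline against it to report Created, Deleted and Modified events with both hashes. The depth and ignore-string matching semantics are this example's own assumptions about the product's behaviour; the Accessed operation cannot be derived from checksums and is not modelled.

```python
import fnmatch
import hashlib
import json
import os
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, streamed so large binaries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _walk_limited(directory, depth):
    """Files below `directory`, descending at most `depth` levels.
    Assumed Search Depth semantics: depth 1 = the directory's own entries only."""
    found = []
    base = len(directory.parts)
    for dirpath, dirnames, filenames in os.walk(directory):
        level = len(Path(dirpath).parts) - base
        found.extend(Path(dirpath) / name for name in filenames)
        if level + 1 >= depth:
            dirnames[:] = []            # prune: os.walk will not enter these
    return found


def is_ignored(path, ignore_strings):
    """Assumption: an Ignore String with wildcards is an fnmatch pattern;
    one without wildcards is a literal path fragment."""
    text = str(path)
    for item in ignore_strings:
        has_wildcard = any(c in item for c in "*?[")
        if has_wildcard and fnmatch.fnmatch(text, item):
            return True
        if not has_wildcard and item in text:
            return True
    return False


def monitored_files(root, monitor_paths, ignore_strings=(), search_depth=1):
    """Expand wildcard Monitor Paths under `root` and drop ignored entries."""
    root = Path(root)
    files = set()
    for pattern in monitor_paths:
        for match in root.glob(pattern.lstrip("/")):
            if match.is_file():
                files.add(match)
            elif match.is_dir():
                files.update(_walk_limited(match, search_depth))
    return sorted(p for p in files if not is_ignored(p, ignore_strings))


def build_baseline(files):
    """Map each monitored path to its SHA-256: the checksums kept for comparison."""
    return {str(path): sha256_of(path) for path in files}


def save_baseline(baseline, state_file):
    """Persist the checksums; stands in for the agent's state at shutdown."""
    Path(state_file).write_text(json.dumps(baseline, indent=1))


def load_baseline(state_file):
    return json.loads(Path(state_file).read_text())


def compare_baselines(old, new, monitor_ops=("Deleted", "Created", "Modified")):
    """Startup comparison: report what changed while nothing was watching,
    restricted to the operations selected in Monitor Ops."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            op, before, after = "Created", None, new[path]
        elif path not in new:
            op, before, after = "Deleted", old[path], None
        elif old[path] != new[path]:
            op, before, after = "Modified", old[path], new[path]
        else:
            continue                    # unchanged
        if op in monitor_ops:
            events.append({"op": op, "path": path,
                           "old_sha256": before, "new_sha256": after})
    return events
```

Run on a real host, the same functions would be pointed at `/` with the Monitor Paths and Ignore Strings from the tables; the state file must itself sit outside every monitored path, or the comparison reports its own rewrite. Polling at the configured interval is simply repeating `build_baseline` and `compare_baselines` against the previous run.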


Table 8-122 Description of the Bash Door parameters used

Option Path: System Attack Detection > UNIX Rootkit File / Directory Detection
Option: Bash Door
Rule Name: Rootkit_Detection_BashDoor
Severity: Critical
Monitor Paths:
  /tmp/mcliZokhb
  /tmp/mclzaKmfa
Description: Detects rootkit activity.

Table 8-123 Description of the VOLC Rootkit parameters used

Option Path: System Attack Detection > UNIX Rootkit File / Directory Detection
Option: VOLC Rootkit
Rule Name: Rootkit_Detection_VOLC
Severity: Critical
Monitor Paths:
  /usr/lib/volc
Description: Detects rootkit activity.

Table 8-124 Description of the Illogic Rootkit parameters used

Option Path: System Attack Detection > UNIX Rootkit File / Directory Detection
Option: Illogic Rootkit
Rule Name: Rootkit_Detection_Illogic
Severity: Critical
Monitor Paths:
  /etc/ld.so.hash
  /lib/security/.config
  /usr/bin/sia
Description: Detects rootkit activity.


Table 8-125 Description of the T0rn Rootkit parameters used

Option Path: System Attack Detection > UNIX Rootkit File / Directory Detection
Option: T0rn Rootkit
Rule Name: Rootkit_Detection_T0rn
Severity: Critical
Monitor Paths:
  /etc/ttyhash
  /lib/ldlib.tk
  /sbin/xlogin
  /usr/info/.T0rn
  /usr/src/.puta
  /var/run/...dica
Description: Detects rootkit activity.

Table 8-126 Description of the RK17 Rootkit parameters used

Option Path: System Attack Detection > UNIX Rootkit File / Directory Detection
Option: RK17 Rootkit
Rule Name: Rootkit_Detection_RK17
Severity: Critical
Monitor Paths:
  /bin/rtty
  /bin/squit
  /sbin/pback
  /usr/src/linux/modules/autod.o
  /usr/src/linux/modules/soundx.o
Description: Detects rootkit activity.

Table 8-127 Description of the RSHA Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          RSHA Rootkit
Rule Name       Rootkit_Detection_RSHA
Severity        Critical
Monitor Paths   /etc/rc.d/arch/alpha/lib/.lib/*
                /etc/rc.d/rsha/*
                /usr/bin/chsh2
                /usr/bin/kr4p
                /usr/bin/n3tstat
                /usr/bin/slice2
Description     Detects rootkit activity.

Table 8-128 Description of the RH-Sharpe Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          RH-Sharpe Rootkit
Rule Name       Rootkit_Detection_RHSharpe
Severity        Critical
Monitor Paths   /bin/.lpstree
                /bin/.ps
                /bin/ldu
                /bin/lkillall
                /bin/lnetstat
                /usr/bin/.lpstree
                /usr/bin/.ps
                /usr/bin/cleaner
                /usr/bin/ldu
                /usr/bin/lkillall
                /usr/bin/lnetstat
                /usr/bin/slice
                /usr/bin/vadim
Description     Detects rootkit activity.

Table 8-129 Description of the Showtee Romaniam Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Showtee Romaniam Rootkit
Rule Name       Rootkit_Detection_Showteeromaniam
Severity        Critical
Monitor Paths   /usr/lib/.egcs
                /usr/lib/.kinetic
                /usr/lib/.wormie
                /usr/lib/libfl.so
                /usr/lib/liblog.o
                /usr/sbin/xntps
Description     Detects rootkit activity.


Table 8-130 Description of the Optickit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Optickit Rootkit
Rule Name       Rootkit_Detection_Optickit
Severity        Critical
Monitor Paths   /usr/bin/xchk
                /usr/bin/xsf
Description     Detects rootkit activity.

Table 8-131 Description of the Tele Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Tele Rootkit
Rule Name       Rootkit_Detection_Telekit
Severity        Critical
Monitor Paths   /dev/hda06
                /usr/info/libc1.so
Description     Detects rootkit activity.

Table 8-132 Description of the LRK Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          LRK Rootkit
Rule Name       Rootkit_Detection_LRK
Severity        Critical
Monitor Paths   /dev/ida/.inet
                /usr/lib/liblog.o
Description     Detects rootkit activity.


Table 8-133 Description of the ADORE Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          ADORE Rootkit
Rule Name       Rootkit_Detection_Adore
Severity        Critical
Monitor Paths   /etc/bin/ava
                /etc/sbin/ava
Description     Detects rootkit activity.

Table 8-134 Description of the KNARK Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          KNARK Rootkit
Rule Name       Rootkit_Detection_Knark
Severity        Critical
Monitor Paths   /dev/.pizda
                /dev/.pula
                /proc/knark
Description     Detects rootkit activity.

Table 8-135 Description of the BOBkit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          BOBkit Rootkit
Rule Name       Rootkit_Detection_Bobkit
Severity        Critical
Monitor Paths   /tmp/.bkp/*
                /usr/include/.../*
                /usr/lib/.../*
                /usr/lib/.bkit-/*
Description     Detects rootkit activity.

Table 8-136 Description of the HID Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          HID Rootkit
Rule Name       Rootkit_Detection_Hid
Severity        Critical
Monitor Paths   /var/lib/games/.k
Description     Detects rootkit activity.

Table 8-137 Description of the ARK Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          ARK Rootkit
Rule Name       Rootkit_Detection_ARK
Severity        Critical
Monitor Paths   /dev/ptyxx
                /usr/lib/.ark?
Description     Detects rootkit activity.


Table 8-138 Description of the Mithra Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Mithra Rootkit
Rule Name       Rootkit_Detection_Mithra
Severity        Critical
Monitor Paths   /usr/sbin/uboot
Description     Detects rootkit activity.

Table 8-139 Description of the LOC Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          LOC Rootkit
Rule Name       Rootkit_Detection_LOC
Severity        Critical
Monitor Paths   /tmp/kidd0
                /tmp/kidd0.c
                /tmp/xp
                /usr/lib/libmen.oo/.LJK2
Description     Detects rootkit activity.

Table 8-140 Description of the Anonoiyng Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Anonoiyng Rootkit
Rule Name       Rootkit_Detection_Anonoiyng
Severity        Critical
Monitor Paths   /usr/sbin/kswapd
                /usr/sbin/mech
Description     Detects rootkit activity.

Table 8-141 Description of the ZK Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          ZK Rootkit
Rule Name       Rootkit_Detection_ZK
Severity        Critical
Monitor Paths   /etc/sysconfig/console/load.zk
Description     Detects rootkit activity.

Table 8-142 Description of the S-it Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          S-it Rootkit
Rule Name       Rootkit_Detection_Sit
Severity        Critical
Monitor Paths   /dev/sdhu0/tehdrakg/*
                /etc/rc.d/rc?.d/S23kmdac
                /lib/.x
                /lib/sk
Description     Detects rootkit activity.

Table 8-143 Description of the F-it Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          F-it Rootkit
Rule Name       Rootkit_Detection_Fit
Severity        Critical
Monitor Paths   /dev/proc/fuckit/*
                /dev/proc/system-bins/init
Description     Detects rootkit activity.

Table 8-144 Description of the Beastkit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Beastkit Rootkit
Rule Name       Rootkit_Detection_Beastkit
Severity        Critical
Monitor Paths   /lib/ldd.so/bktools
                /usr/l/bin/idrun
                /usr/local/bin/.../bktd
                /usr/sbin/arobia/*
Description     Detects rootkit activity.

Table 8-145 Description of the Tuxkit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Tuxkit Rootkit
Rule Name       Rootkit_Detection_Tuxkit
Severity        Critical
Monitor Paths   /dev/tux
Description     Detects rootkit activity.


Table 8-146 Description of the Kenga3 Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Kenga3 Rootkit
Rule Name       Rootkit_Detection_Kenga3
Severity        Critical
Monitor Paths   /usr/include/..
Description     Detects rootkit activity.

Table 8-147 Description of the ESRK Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          ESRK Rootkit
Rule Name       Rootkit_Detection_ESRK
Severity        Critical
Monitor Paths   /usr/lib/tcl5.3
Description     Detects rootkit activity.

Table 8-148 Description of the FU Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          FU Rootkit
Rule Name       Rootkit_Detection_FU
Severity        Critical
Monitor Paths   /sbin/xc
                /usr/include/ivtype.h
Description     Detects rootkit activity.


Table 8-149 Description of the SHKit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          SHKit Rootkit
Rule Name       Rootkit_Detection_Shkit
Severity        Critical
Monitor Paths   /etc/ld.so.hash
                /lib/security/.config
Description     Detects rootkit activity.

Table 8-150 Description of the Ajakit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Ajakit Rootkit
Rule Name       Rootkit_Detection_Ajakit
Severity        Critical
Monitor Paths   /lib/.libgh-gh
Description     Detects rootkit activity.

Table 8-151 Description of the zaRwT Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          zaRwT Rootkit
Rule Name       Rootkit_Detection_zaRwT
Severity        Critical
Monitor Paths   /bin/imin
                /bin/imout
Description     Detects rootkit activity.


Table 8-152 Description of the Madalin Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Madalin Rootkit
Rule Name       Rootkit_Detection_Madalin
Severity        Critical
Monitor Paths   /usr/include/iceconf.h
                /usr/include/icekey.h
                /usr/include/iceseed.h
Description     Detects rootkit activity.

Table 8-153 Description of the BMBL Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          BMBL Rootkit
Rule Name       Rootkit_Detection_BMBL
Severity        Critical
Monitor Paths   /etc/.bmbl
                /etc/.bmbl/sk
Description     Detects rootkit activity.

Table 8-154 Description of the aPa Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          aPa Rootkit
Rule Name       Rootkit_Detection_aPa
Severity        Critical
Monitor Paths   /usr/share/.aPa
Description     Detects rootkit activity.


Table 8-155 Description of the Enye-Sec Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Enye-Sec Rootkit
Rule Name       Rootkit_Detection_EnyeSec
Severity        Critical
Monitor Paths   /etc/.enyelkmHIDE^IT.ko
Description     Detects rootkit activity.

Table 8-156 Description of the Override Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Override Rootkit
Rule Name       Rootkit_Detection_Override
Severity        Critical
Monitor Paths   /dev/grid-hide-pid-
                /dev/grid-hide-port-
                /dev/grid-show-pids
                /dev/grid-show-port-
                /dev/grid-unhide-pid-
Description     Detects rootkit activity.

Table 8-157 Description of the PHALANX Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          PHALANX Rootkit
Rule Name       Rootkit_Detection_PHALANX
Severity        Critical
Monitor Paths   /bin/host.ph1
                /etc/host.ph1
                /usr/share/.home/ph1
Description     Detects rootkit activity.

Table 8-158 Description of the Monkit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Monkit Rootkit
Rule Name       Rootkit_Detection_Monkit
Severity        Critical
Monitor Paths   /lib/defs
                /usr/lib/libpikapp.a
Description     Detects rootkit activity.

Table 8-159 Description of the Balaur Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Balaur Rootkit
Rule Name       Rootkit_Detection_Balaur
Severity        Critical
Monitor Paths   /usr/lib/.egcs
                /usr/lib/.kinetic
                /usr/lib/.wormie
Description     Detects rootkit activity.


Table 8-160 Description of the Bex2 Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Bex2 Rootkit
Rule Name       Rootkit_Detection_Bex2
Severity        Critical
Monitor Paths   /usr/include/bex
Description     Detects rootkit activity.

Table 8-161 Description of the Dreams Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Dreams Rootkit
Rule Name       Rootkit_Detection_Dreams
Severity        Critical
Monitor Paths   /dev/ida/.hpd
                /dev/ttyoa
                /dev/ttyof
                /dev/ttyop
                /usr/bin/logclear
                /usr/bin/sense
                /usr/bin/sl2
                /usr/lib/libsss
Description     Detects rootkit activity.

Table 8-162 Description of the HJC Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          HJC Rootkit
Rule Name       Rootkit_Detection_hjc
Severity        Critical
Monitor Paths   /dev/hijackerz
Description     Detects rootkit activity.

Table 8-163 Description of the Duarawkz Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Duarawkz Rootkit
Rule Name       Rootkit_Detection_Duarawkz
Severity        Critical
Monitor Paths   /usr/bin/duarawkz
Description     Detects rootkit activity.

Table 8-164 Description of the Oz Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Oz Rootkit
Rule Name       Rootkit_Detection_Oz
Severity        Critical
Monitor Paths   /dev/.oz/.nap/rkit/terror
Description     Detects rootkit activity.

Table 8-165 Description of the Portacelo Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Portacelo Rootkit
Rule Name       Rootkit_Detection_Portacelo
Severity        Critical
Monitor Paths   /var/lib/.../.ak
                /var/lib/.../.getty
                /var/lib/.../.hk
                /var/lib/.../.p
                /var/lib/.../.rs
                /var/lib/.../sssh_known_hosts
Description     Detects rootkit activity.

Table 8-166 Description of the Slapper Bot Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Slapper Bot Rootkit
Rule Name       Rootkit_Detection_SlapperBot
Severity        Critical
Monitor Paths   /tmp/.b
                /tmp/.cinik
                /tmp/.font-unix-cinik
Description     Detects rootkit activity.

Table 8-167 Description of the Scalper Bot Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Scalper Bot Rootkit
Rule Name       Rootkit_Detection_ScalperBot
Severity        Critical
Monitor Paths   /tmp/.a
                /tmp/.uua
Description     Detects rootkit activity.

Table 8-168 Description of the Flea Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Flea Rootkit
Rule Name       Rootkit_Detection_Flea
Severity        Critical
Monitor Paths   /usr/lib/ldlibct.so
                /usr/lib/ldlibdu.so
                /usr/lib/ldlibns.so
                /usr/lib/ldlibpst.so
Description     Detects rootkit activity.

Table 8-169 Description of the Ignokit Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Ignokit Rootkit
Rule Name       Rootkit_Detection_Ignokit
Severity        Critical
Monitor Paths   /lib/defs/p
                /lib/defs/q
                /lib/defs/r
                /lib/defs/s
                /lib/defs/t
                /usr/lib/.libigno/pkunsec
Description     Detects rootkit activity.

Table 8-170 Description of the Ni0 Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Ni0 Rootkit
Rule Name       Rootkit_Detection_Ni0
Severity        Critical
Monitor Paths   /tmp/waza
                /var/lock/subsys/...datafile.../*
Description     Detects rootkit activity.

Table 8-171 Description of the Devil Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Devil Rootkit
Rule Name       Rootkit_Detection_Devil
Severity        Critical
Monitor Paths   /dev/caca
                /dev/dsx
                /var/lib/games/.src
Description     Detects rootkit activity.

Table 8-172 Description of the Redstorm Rootkit parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Rootkit File / Directory Detection
Option          Redstorm Rootkit
Rule Name       Rootkit_Detection_Redstorm
Severity        Critical
Monitor Paths   /bin/...
                /var/log/tk02/see_all
Description     Detects rootkit activity.
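Each of the rootkit tables above pairs a rule name with a Monitor Paths list, and several entries use the * and ? wildcards. The Python script below is an added example, not part of this guide and not the Symantec agent's code, showing how a defender can check a filesystem for the presence of such indicator paths. It takes a subset of the Monitor Paths from Tables 8-127, 8-137, 8-138 and 8-170, resolves each pattern one path segment at a time (so that * also matches dot-prefixed names, which Python's glob module skips by default), and reports the rules whose paths exist. The directory tree it scans is constructed in a temporary directory, and the planted file names are illustrative only.

```python
import fnmatch
import os
import tempfile

# Subset of Monitor Paths from Tables 8-127 (RSHA), 8-137 (ARK), 8-138 (Mithra)
# and 8-170 (Ni0); every rule in these tables carries Critical severity.
RULES = {
    "Rootkit_Detection_RSHA": ["/etc/rc.d/arch/alpha/lib/.lib/*", "/etc/rc.d/rsha/*",
                               "/usr/bin/chsh2", "/usr/bin/kr4p", "/usr/bin/n3tstat",
                               "/usr/bin/slice2"],
    "Rootkit_Detection_ARK": ["/dev/ptyxx", "/usr/lib/.ark?"],
    "Rootkit_Detection_Mithra": ["/usr/sbin/uboot"],
    "Rootkit_Detection_Ni0": ["/tmp/waza", "/var/lock/subsys/...datafile.../*"],
}
SEVERITY = "Critical"


def expand_pattern(root, pattern):
    """Resolve one Monitor Paths entry beneath `root`, segment by segment.

    Wildcard segments are matched with fnmatch against every directory entry, so a
    dot-prefixed name (the usual hiding trick) is matched by `*`, which glob.glob
    would skip. Literal segments are checked with lexists so that a dangling
    symlink still counts as present.
    """
    candidates = [root]
    for seg in [s for s in pattern.split("/") if s]:
        found = []
        for base in candidates:
            if any(c in seg for c in "*?["):
                if os.path.isdir(base):
                    found.extend(os.path.join(base, e) for e in sorted(os.listdir(base))
                                 if fnmatch.fnmatchcase(e, seg))
            else:
                path = os.path.join(base, seg)
                if os.path.lexists(path):
                    found.append(path)
        candidates = found
        if not candidates:
            break
    return candidates


def scan(root, rules=RULES):
    """Return {rule_name: [paths relative to root]} for every rule with at least one hit."""
    hits = {}
    for rule, patterns in rules.items():
        matched = []
        for pattern in patterns:
            matched.extend(expand_pattern(root, pattern))
        if matched:
            hits[rule] = sorted("/" + os.path.relpath(p, root).replace(os.sep, "/")
                                for p in matched)
    return hits


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def run_demo():
    """Constructed sample tree (not a real host): three indicators plus one benign file."""
    with tempfile.TemporaryDirectory() as root:
        _touch(os.path.join(root, "etc/rc.d/rsha/.loader"))  # dotfile under a wildcard dir
        _touch(os.path.join(root, "usr/lib/.ark1"))          # matches /usr/lib/.ark?
        _touch(os.path.join(root, "tmp/waza"))               # literal path
        _touch(os.path.join(root, "usr/bin/ls"))             # benign, matches nothing
        return scan(root)


if __name__ == "__main__":
    for rule, paths in run_demo().items():
        print(f"{SEVERITY}: {rule} -> {', '.join(paths)}")
```

Presence checks of this kind are cheap but coarse: they say nothing about file content, and an entry whose literal segment is `..` (Table 8-146 lists /usr/include/..) resolves to the parent directory on every host, so a scanner built on path existence would fire on it unconditionally and such an entry needs a byte-exact directory listing instead.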

UNIX Worm File / Directory Detection

A global settings area sets the following parameters for all rules in the UNIX Worm File / Directory Detection area:

■ A Polling Interval option controls the interval in which the software polls or checks the files and directories that are configured for change monitoring. This option is available to enable tuning of how frequently files and directories are polled for changes. You may want to adjust the default polling rate if your environment has a large number of files and directories to be monitored. This adjustment helps to ensure that resources are not overly used for the engine. A drop-down selection criteria area is provided to easily switch polling interval frequency.

■ A Monitor Checksums option is available to enable the monitoring of a file's checksum during a file modification event. It reports the real-time SHA-256 hash comparison to the Symantec Critical System Protection console under the Event details. This option also enables the monitoring of file checksums as calculated at agent startup. It determines whether the file was modified since Symantec Critical System Protection was last shut down. This option provides detection ability even if the Symantec Critical System Protection service or daemon is shut down. If a monitored file is changed, once the Symantec Critical System Protection service or daemon is started, it compares the files in its monitored list to when it was shut down. Any differences are reported to the console.

Table 8-173 Description of the Adore Worm parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Worm File / Directory Detection
Option          Adore Worm
Rule Name       Worm_Detection_AdoreWorm
Severity        Critical
Monitor Paths   /dev/.*/red.tgz
                /usr/bin/adore
                /usr/lib/libt
                /usr/sbin/adore
Description     Detects worm activity.

Table 8-174 Description of the 55808_A Worm parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Worm File / Directory Detection
Option          55808_A Worm
Rule Name       Worm_Detection_55808aWorm
Severity        Critical
Monitor Paths   /tmp/.../a
                /tmp/.../r
Description     Detects worm activity.

Table 8-175 Description of the Sadmind Worm parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Worm File / Directory Detection
Option          Sadmind Worm
Rule Name       Worm_Detection_Sadmind
Severity        Critical
Monitor Paths   /dev/cuc
Description     Detects worm activity.


Table 8-176 Description of the Omega Worm parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Worm File / Directory Detection
Option          Omega Worm
Rule Name       Worm_Detection_Omega
Severity        Critical
Monitor Paths   /dev/chr
Description     Detects worm activity.

Table 8-177 Description of the LDP Worm parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Worm File / Directory Detection
Option          LDP Worm
Rule Name       Worm_Detection_LDP
Severity        Critical
Monitor Paths   /bin/.login
                /bin/.ps
                /dev/.kork
Description     Detects worm activity.

Table 8-178 Description of the Lion Worm parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Worm File / Directory Detection
Option          Lion Worm
Rule Name       Worm_Detection_LionWorm
Severity        Critical
Monitor Paths   /bin/mjy
                /dev/.lib
                /dev/.lib/lib/1i0n.sh
                /dev/.lib/lib/lib/dev/*
                /dev/.lib/lib/lib/netstat
                /dev/.lib/lib/scan/*
                /usr/man/man1/man1/lib/.lib/.x
                /usr/man/man1/man1/lib/.lib/in.telnetd
                /usr/man/man1/man1/lib/.lib/mjy
Description     Detects worm activity.

Table 8-179 Description of the Cback Worm parameters used

Parameter       Description
Option Path     System Attack Detection > UNIX Worm File / Directory Detection
Option          Cback Worm
Rule Name       Worm_Detection_CbackWorm
Severity        Critical
Monitor Paths   /tmp/cback
                /tmp/derfiq
Description     Detects worm activity.

Malicious Module Detection

A global settings area sets the following parameters for all rules in the Malicious Module Detection area:

■ A Polling Interval option controls the interval in which the software polls or checks the files and directories that are configured for change monitoring. This option is available to enable tuning of how frequently files and directories are polled for changes. You may want to adjust the default polling rate if your environment has a large number of files and directories to be monitored. This adjustment helps to ensure that resources are not overly used for the engine. A drop-down selection criteria area is provided to easily switch polling interval frequency.

■ A Monitor Checksums option is available to enable the monitoring of a file's checksum during a file modification event. It reports the real-time SHA-256 hash comparison to the Symantec Critical System Protection console under the Event details. This option also enables the monitoring of file checksums as calculated at agent startup. It determines whether the file was modified since Symantec Critical System Protection was last shut down. This option provides detection ability even if the Symantec Critical System Protection service or daemon is shut down. If a monitored file is changed, once the Symantec Critical System Protection service or daemon is started, it compares the files in its monitored list to when it was shut down. Any differences are reported to the console.
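The Monitor Checksums bullet above, and the identical bullets in the UNIX Rootkit and UNIX Worm File / Directory Detection sections, describe comparing SHA-256 checksums recorded when the agent stopped against checksums computed when it starts again. The Python script below is an added example, not code from this guide or from the Symantec agent, that carries out that baseline-and-compare step: it hashes a monitored list, stores the baseline in a JSON file, re-hashes at the next start and classifies each path as modified, deleted or created. The monitored file names and contents are constructed for the example, and the location of the baseline store is an assumption.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """path -> hex digest, or None when the path is absent, so deletions are recorded too."""
    return {p: (sha256_of(p) if os.path.isfile(p) else None) for p in paths}


def save_baseline(baseline, store):
    with open(store, "w") as f:
        json.dump(baseline, f)


def load_baseline(store):
    with open(store) as f:
        return json.load(f)


def compare_at_startup(baseline, paths):
    """Events to raise at startup: every monitored path whose digest differs from the baseline."""
    events = []
    current = snapshot(paths)
    for path in paths:
        old, new = baseline.get(path), current[path]
        if old == new:
            continue
        change = "created" if old is None else "deleted" if new is None else "modified"
        events.append({"path": path, "change": change, "old": old, "new": new})
    return events


def run_demo():
    """Constructed scenario: two monitored files change while no agent is running."""
    with tempfile.TemporaryDirectory() as root:
        login = os.path.join(root, "bin", "login")
        preload = os.path.join(root, "etc", "ld.so.preload")
        sshd = os.path.join(root, "usr", "sbin", "sshd")
        for path, data in ((login, b"login v1"), (preload, b""), (sshd, b"sshd v1")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        monitored = [login, preload, sshd]
        store = os.path.join(root, "baseline.json")   # store location is an assumption

        save_baseline(snapshot(monitored), store)      # agent records digests, then stops
        with open(login, "wb") as f:                   # changes made while the agent is down
            f.write(b"login v1, altered")
        os.remove(preload)

        events = compare_at_startup(load_baseline(store), monitored)   # agent starts again
        return {os.path.relpath(e["path"], root).replace(os.sep, "/"):
                (e["change"], e["old"], e["new"]) for e in events}


if __name__ == "__main__":
    for rel, (change, old, new) in run_demo().items():
        print(f"{change:8s} {rel}  was={old}  now={new}")
```

The baseline file is itself a monitored-list artifact: if it can be rewritten by whoever changed the files, the comparison proves nothing, so in practice it is kept where the agent's own files are protected or is signed before it is stored.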

Table 8-180 Description of the Suspicious Loadable Kernel Module (LKM) Detection parameters used

Parameter       Description
Option Path     System Attack Detection > Malicious Module Detection
Option          Suspicious Loadable Kernel Module (LKM) Detection
Rule Name       LKM_Suspicious_Module_Detection
Severity        Critical
Monitor Paths   /lib/adore_so
                /lib/cleaner_o
                /lib/flkm_o
                /lib/modules/adore_so
                /lib/phide_mod_o
Description     Detects suspicious activity related to Loadable Kernel Modules.

Suspicious Permission Change Detection

Table 8-181 Description of the Suspicious Permission Change Detection parameters used

Parameter       Description
Option Path     System Attack Detection
Option          Suspicious Permission Change Detection
Rule Name       Suspicious_Perm_Change_Critical_Files
Severity        Critical
Monitor Paths   /bin/*
                /usr/bin/*
                /usr/local/bin*
Description     Detects suspicious changes in permissions in critical files and directories.


Appendix A: Parameter reference syntax

This appendix includes the following topics:

■ Parameter reference syntax overview

■ Simple policy parameter

■ Compound policy parameter

■ Operating system environment variable

■ Windows registry value

■ Agent translator function

Parameter reference syntax overview

Table A-1 lists the types of references that Symantec Critical System Protection supports in parameter values. These can be references to parameters defined elsewhere in the policy or data on the operating system.

Table A-1 Types of references with syntax

Type                          Syntax
Simple policy parameter       %parameter%
Compound policy parameter     %parameter:field%
OS environment variable       %environmentvariable%
Windows registry value        %%registrypath%%
Agent translator function     %?function(parameters)?%

Inside the reference delimiters, you must escape any special characters that are used in strings by using a forward slash (/) on Windows and a backslash (\) on UNIX.

Note: The syntax is the same for policy parameters and OS environment variables. The Symantec Critical System Protection agent looks for a policy parameter with the given name first. If the policy parameter is not found, it looks for an OS environment variable.

See “Simple policy parameter” on page 278.

See “Compound policy parameter” on page 278.

See “Operating system environment variable” on page 282.

See “Windows registry value” on page 282.

See “Agent translator function” on page 283.

Simple policy parameter

A simple parameter is a list of single values. You reference the parameter by its name; no field names are necessary since a simple parameter is a list of single values. The agent replaces the parameter reference with the values. Parameter names are case sensitive.

The simple policy parameter types are as follows:

Type                  Description
String                A single string value.
String List           A list of string values.
Date/Time Duration    A single duration value, e.g. 30 minutes.
Date/Time Interval    A single repetition interval, e.g. hourly, daily.

See “Parameter reference syntax overview” on page 277.

Compound policy parameter

A compound policy parameter is a list of sets of values. In the console, a compound parameter is displayed as a table, where each row is one parameter value and the columns are the fields in the value. For each compound parameter type, there is a specific set of fields in the list. When referencing a compound parameter, you must use the parameter name followed by a colon and a field name. You must always refer to a specific field. For example, you might use %myparameter:prog%. Parameter and field names are case sensitive.

The compound policy parameter types, along with their field names, are as follows:

Compound policy parameter        Description
Process List                     A list of processes, each element in the list consisting of one or more process attributes. See “Process List” on page 279.
Process List without Arguments   A list of processes, each element in the list consisting of one or more process attributes that excludes the command line arguments attribute. See “Process List without Arguments” on page 280.
Resource List                    A list of resources such as file paths and registry paths, where each element consists of a resource name and zero or more process attributes. See “Resource List” on page 280.
Network List with Processes      A list of network rules, where each element consists of network connection attributes, process attributes, and action attributes. See “Network List with Processes” on page 281.
Network List                     A list of network rules, where each element consists of network connection attributes and action attributes. See “Network List” on page 281.
Date/Time Value                  A single date/time value with a timezone. See “Date/Time Value” on page 282.

See “Parameter reference syntax overview” on page 277.
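To make the reference forms of Table A-1, the lookup order stated in the note (policy parameter first, then OS environment variable) and the compound %name:field% form concrete, the following Python resolver is an added example; it is not the Symantec agent's implementation. It resolves %name% against simple policy parameters, %name:field% against the rows of a compound parameter, falls back to an environment variable when no policy parameter has that name, and hands %%path%% and %?function(args)?% to caller-supplied lookups. The policy parameters, the environment, the registry stand-in and the lower translator function are all constructed for the example. Treating several references in one string as a Cartesian product of their value lists, and the case-insensitive environment lookup on Windows, are assumptions of this example; escaping of special characters inside the delimiters is not implemented.

```python
import os
import re

# Reference forms from Table A-1. The registry and translator-function forms are
# tried first because the simpler forms also begin with a single % character.
_REGISTRY = re.compile(r"%%([^%]+)%%")
_FUNCTION = re.compile(r"%\?([A-Za-z_]\w*)\(([^)]*)\)\?%")
_PARAM = re.compile(r"%([A-Za-z_][\w.-]*)(?::([A-Za-z_]\w*))?%")


class ReferenceResolver:
    def __init__(self, simple, compound, env=None, registry=None, functions=None, windows=False):
        self.simple = simple        # name -> list of values (String, String List, ...)
        self.compound = compound    # name -> list of rows; each row maps field -> value
        self.env = dict(os.environ if env is None else env)
        self.registry = registry or {}    # registry path -> list of strings (stand-in)
        self.functions = functions or {}  # translator name -> callable returning a list
        self.windows = windows            # env var names are case-insensitive on Windows

    def _env_lookup(self, name):
        if not self.windows:
            return [self.env[name]] if name in self.env else None
        for key, value in self.env.items():
            if key.lower() == name.lower():
                return [value]
        return None

    def _parameter_values(self, name, field):
        # Policy parameters are consulted first and are case sensitive (see the note).
        if field is None and name in self.simple:
            return list(self.simple[name])
        if field is not None and name in self.compound:
            return [row[field] for row in self.compound[name] if field in row]
        if field is None:
            env = self._env_lookup(name)
            if env is not None:
                return env
        ref = f"%{name}:{field}%" if field else f"%{name}%"
        raise KeyError(f"unresolved reference {ref}")

    def _first_reference(self, text):
        best = None
        for kind, regex in (("registry", _REGISTRY), ("function", _FUNCTION), ("param", _PARAM)):
            match = regex.search(text)
            if match and (best is None or match.start() < best[1].start()):
                best = (kind, match)
        return best

    def expand(self, text):
        """Return the list of strings `text` expands to, one per combination of values."""
        found = self._first_reference(text)
        if found is None:
            return [text]
        kind, match = found
        if kind == "registry":
            values = list(self.registry[match.group(1)])
        elif kind == "function":
            args = [a.strip() for a in match.group(2).split(",") if a.strip()]
            values = list(self.functions[match.group(1)](*args))
        else:
            values = self._parameter_values(match.group(1), match.group(2))
        tails = self.expand(text[match.end():])
        return [text[:match.start()] + value + tail for value in values for tail in tails]


def run_demo():
    """Constructed policy, environment and registry; the 'lower' function is hypothetical."""
    resolver = ReferenceResolver(
        simple={"LogDir": ["/var/log/scsp"], "AdminUsers": ["alice", "bob"]},
        compound={"myparameter": [{"prog": "/usr/sbin/sshd", "id": "root"},
                                  {"prog": "/usr/sbin/cron"}]},
        env={"LogDir": "/from/environment", "HOSTNAME": "db01"},
        registry={"HKLM\\SOFTWARE\\Example\\InstallDir": ["C:\\Example"]},
        functions={"lower": lambda s: [s.lower()]},
    )
    out = {
        "compound": resolver.expand("%myparameter:prog%"),
        "product": resolver.expand("%LogDir%/%AdminUsers%.log"),   # policy value wins over env
        "env": resolver.expand("%HOSTNAME%"),                       # no policy param: env used
        "function": resolver.expand("%?lower(ABC)?%"),
        "registry": resolver.expand("%%HKLM\\SOFTWARE\\Example\\InstallDir%%\\agent.exe"),
    }
    try:
        resolver.expand("%logdir%")            # wrong case: names are case sensitive
        out["case"] = "resolved"
    except KeyError:
        out["case"] = "unresolved"
    return out
```

The "product" case shows the lookup order from the note at work: LogDir exists both as a policy parameter and as an environment variable, and the policy value is the one used.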

Process List

Process List is a list of processes, where each element in the list consists of one or more process attributes.

■ The prog field is the Program Path column and is required in each row. It specifies the program running in the process.

■ The cmdline field is the Arguments column, specifying the command line parameters for the process. This field is optional.

■ The id field is the User Name column, specifying the user name for the process. This field is optional.

■ The groupid field is the User Name column, specifying the group name for the process. This field is optional.

Note: If you want to specify all processes for a specific user, you must still fill in the Program Path column, but you can use a * to specify all programs and then fill in the User Name column to specify the desired user account.

Process List without Arguments

Process List without Arguments is a list of processes, where each element in the list consists of one or more process attributes that excludes the command line arguments attribute.

■ The column and field names are identical to the Process List parameter type except the Arguments field is not included.

Resource List

Resource List is a list of resources such as file paths and registry paths, where each element consists of a resource name and zero or more process attributes.

■ The value field is the Resource Path column and is required in each row. It specifies the file or registry path you are controlling.

■ The prog field is the Program Path column. This field is required if you want to specify other process attributes. Otherwise it is optional.

■ The cmdline field is the Arguments column, specifying the command line parameters for the process. This field is optional.

■ The id field is the User Name column, specifying the user name for the process. This field is optional.

■ The groupid field is the User Name column, specifying the group name for the process. This field is optional.

Note: If you want to specify all processes for a specific user, you must still fill in the Program Path column, but you can use a * to specify all programs and then fill in the User Name column to specify the desired user account.


Network List with Processes

Network List with Processes is a list of network rules, where each element consists of network connection attributes, process attributes, and action attributes.

■ Connection information:

    ■ The protocol field is the Protocol column.

    ■ One or more additional connection elements are required:

        ■ RPort field is the Remote Port column and specifies the remote port or port range.

        ■ LPort field is the Local Port column and specifies the local port or port range.

        ■ RIP field is the Remote IP column and specifies the remote IP address or address range.

■ Action information:

    ■ The action field is the Action column.

    ■ The log field is the Logging column.

■ Process information:

    ■ The prog field is the Program Path column. This field is required if you want to specify other process attributes. Otherwise it is optional.

    ■ The cmdline field is the Arguments column, specifying the command line parameters for the process. This field is optional.

    ■ The id field is the User Name column, specifying the user name for the process. This field is optional.

    ■ The groupid field is the User Name column, specifying the group name for the process. This field is optional.

Note: If you want to specify all processes for a specific user, you must still fill in the Program Path column, but you can use a * to specify all programs and then fill in the User Name column to specify the desired user account.

Network ListNetwork List is a list of network rules, where each element consists of networkconnection attributes and action attributes.


■ The column and field names are identical to those of the Network List with Processes parameter type, except that the process-related fields (prog, cmdline, id, and groupid) are not included.

Date/Time Value

Date/Time Value is a single date/time value with a timezone.

■ This compound parameter type is not displayed as a table because it cannotbe a list.

■ The field names for the Date and Timezone fields in the Console are value and timezone, respectively.

Operating system environment variable

You can use an operating system environment variable as a variable in a policy. Environment variable names follow the operating system's normal conventions for case sensitivity, so they are case sensitive on UNIX and case insensitive on Windows.

Note: The environment variables are evaluated in the context of the SCSP agent IPS Service or daemon. Therefore, you should only reference environment variables that have system-wide values. If you reference a variable with a user-specific value, you get the value for the IPS Service or daemon user, which is probably not the desired value.

See “Parameter reference syntax overview” on page 277.

Windows registry value

For registry references, the agent looks up the given value in the registry and replaces the reference with the data that the value contains.

The data must be one of the following types:

■ REG_SZ (string)

■ REG_EXPAND_SZ (string with environment variables that should be expanded)

■ REG_MULTI_SZ (list of strings)

■ REG_DWORD (32-bit integer)

■ REG_QWORD (64-bit integer)


The agent expands the environment variables in a REG_EXPAND_SZ value immediately, before it processes the resulting string. A reference to a REG_MULTI_SZ value expands to the list of strings.

On 64-bit versions of Windows, you can prefix registry paths with an optional redirection specification. The redirection specification controls which view of the registry (the 32-bit view or the 64-bit view) the agent uses when it looks up the path.

The valid redirection specifications are as follows:

■ 32: registry redirection is applied, so the lookup sees the registry as a 32-bit program does

■ 64: registry redirection is not applied, so the lookup sees the registry as a 64-bit program does

■ 6432: looks in the 64-bit view of the registry first, and then if that fails, looks in the 32-bit view

■ 3264: looks in the 32-bit view of the registry first, and then if that fails, looks in the 64-bit view

See “Parameter reference syntax overview” on page 277.
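The lookup and conversion rules above, as an added worked example (not Symantec's agent code): a Python resolver that tries the registry views in the order a redirection prefix dictates, rejects data types outside the five listed, expands a REG_EXPAND_SZ value before returning it, and turns a REG_MULTI_SZ value into a list. winreg_lookup uses the real Python winreg calls for a live Windows host; FAKE_REGISTRY, FAKE_ENV and fake_lookup are constructed sample data so the block also runs offline on any operating system. Treating a reference with no prefix as a lookup in the agent process's own (native) view, and the HKLM/HKCU root naming used by winreg_lookup, are assumptions not stated on the page.

```python
"""Resolve a registry reference with the data-type and redirection rules above.

Added example, not Symantec code. Only the winreg calls are the real Windows
API; the sample registry, environment and the "no prefix = native view" rule
are assumptions made for illustration.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple, Union

# Registry value type codes (the same numbers winreg.REG_* use).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11
ALLOWED_TYPES = {REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_DWORD, REG_QWORD}

# Redirection specification -> registry views to try, in order.
VIEW_ORDER: Dict[Optional[str], Tuple[str, ...]] = {
    None: ("native",),      # assumption: no prefix means the agent's own view
    "32": ("32",),
    "64": ("64",),
    "6432": ("64", "32"),
    "3264": ("32", "64"),
}

RawValue = Tuple[object, int]                            # (data, type code)
Lookup = Callable[[str, str, str], Optional[RawValue]]   # (view, key path, value name)

_ENV_REF = re.compile(r"%([^%]+)%")


def expand_env(text: str, env: Dict[str, str]) -> str:
    """Expand %NAME% tokens; Windows environment names are case-insensitive."""
    upper = {k.upper(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), text)


def convert_data(data: object, reg_type: int, env: Dict[str, str]) -> Union[str, int, List[str]]:
    """Apply the page's type rules to raw registry data."""
    if reg_type not in ALLOWED_TYPES:
        raise TypeError(f"registry type {reg_type} cannot be used in a policy reference")
    if reg_type == REG_EXPAND_SZ:
        return expand_env(str(data), env)   # expanded before anything else sees the string
    if reg_type == REG_MULTI_SZ:
        return list(data)                   # the reference expands to the list of strings
    return data                              # REG_SZ -> str, REG_DWORD / REG_QWORD -> int


def resolve_registry_value(key_path: str, value_name: str, redirection: Optional[str],
                           lookup: Lookup, env: Dict[str, str]):
    """Try each view named by the redirection specification until one has the value."""
    if redirection not in VIEW_ORDER:
        raise ValueError(f"unknown redirection specification {redirection!r}")
    for view in VIEW_ORDER[redirection]:
        raw = lookup(view, key_path, value_name)
        if raw is not None:
            return convert_data(raw[0], raw[1], env)
    raise LookupError(f"{key_path}\\{value_name} not found in view(s) {VIEW_ORDER[redirection]}")


def winreg_lookup(view: str, key_path: str, value_name: str) -> Optional[RawValue]:
    """Real lookup on Windows: KEY_WOW64_32KEY / KEY_WOW64_64KEY select the view."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    root_name, _, subkey = key_path.partition("\\")
    access = winreg.KEY_READ | {"32": winreg.KEY_WOW64_32KEY, "64": winreg.KEY_WOW64_64KEY}.get(view, 0)
    try:
        with winreg.OpenKey(roots[root_name], subkey, 0, access) as key:
            return winreg.QueryValueEx(key, value_name)   # (data, type) tuple
    except FileNotFoundError:
        return None


# Constructed sample: a 64-bit host where a 32-bit installer wrote under the
# 32-bit view while the 64-bit view holds different data.
SAMPLE_KEY = r"HKLM\SOFTWARE\ExampleApp"
FAKE_REGISTRY: Dict[Tuple[str, str, str], RawValue] = {
    ("64", SAMPLE_KEY, "InstallDir"): (r"%ProgramFiles%\ExampleApp", REG_EXPAND_SZ),
    ("32", SAMPLE_KEY, "InstallDir"): (r"%ProgramFiles(x86)%\ExampleApp", REG_EXPAND_SZ),
    ("32", SAMPLE_KEY, "Plugins"): (["core.dll", "net.dll"], REG_MULTI_SZ),
    ("64", SAMPLE_KEY, "Timeout"): (30, REG_DWORD),
    ("64", SAMPLE_KEY, "License"): (b"\x01\x02", REG_BINARY),   # not an allowed type
}
FAKE_ENV = {"ProgramFiles": r"C:\Program Files", "ProgramFiles(x86)": r"C:\Program Files (x86)"}


def fake_lookup(view: str, key_path: str, value_name: str) -> Optional[RawValue]:
    """Offline stand-in for winreg_lookup backed by FAKE_REGISTRY."""
    return FAKE_REGISTRY.get((view, key_path, value_name))
```

With the sample data, "6432" on InstallDir yields the 64-bit program's path and "3264" the 32-bit one, "6432" on Plugins falls back to the 32-bit view where the REG_MULTI_SZ lives, "64" on Plugins fails because the 64-bit view has no such value, and the REG_BINARY value is rejected outright. On a real host, pass winreg_lookup and os.environ instead of the fakes.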

Agent translator function

A function reference provides a way to call an extension function from within a policy. The agent replaces the function reference with the return value or list of return values of the function.

In a function reference such as %?function(parameters)?%, the parameters may contain any characters, even special characters, except that you must escape a close parenthesis ")". The function parameters are not processed, so if they contain a reference themselves, the text of the reference is passed to the function. For example, %myvar% is passed rather than myvar's value after evaluation. However, if a function's return value contains a reference, the reference is subsequently evaluated.

See “Translator function reference” on page 285.


Appendix B

Translator function reference

This appendix includes the following topics:

■ Generic functions

Generic functions

The following functions can be used in both Prevention and Detection policies and can be used on all operating systems:

■ %?LocalIPs()?%
See “%?LocalIPs()?%” on page 285.

■ %?LocalIPAddresses()?%
See “%?LocalIPAddresses()?%” on page 286.

■ %?AgentParams(<param name>)?%
See “%?AgentParams(<param name>)?%” on page 286.

■ %?SplitPath(<path>)?%
See “%?SplitPath(<path>)?%” on page 286.

■ %?ImportFileList(<filepath>)?%
See “%?ImportFileList(<filepath>)?%” on page 286.

%?LocalIPs()?%

Returns the list of IP addresses for the system. Includes only IPv4 addresses.


%?LocalIPAddresses()?%

Returns the list of IP addresses for the system. Includes both IPv4 and IPv6 addresses.

%?AgentParams(<param name>)?%

Looks in the IPS agent.ini file and returns the requested parameter. The following strings are valid as "param name":

■ Notification Port: returns the port the agent listens on for notifications

■ Server IP: returns the list of IP addresses for management servers this agentcan connect to

■ Server Port: returns the management server port this agent connects to

For example: %?AgentParams(Notification Port)?%

%?SplitPath(<path>)?%

Takes a pathname and returns a list consisting of the original pathname plus all the directory names on the pathname leading up to it.

For example, if you call %?SplitPath(C:\a\b\c)?% you get:

■ C:\a

■ C:\a\b

■ C:\a\b\c

%?ImportFileList(<filepath>)?%

Takes a filepath and imports the data from the file into the policy as if a user had typed that data into the console. This data can be filepaths, registry keys, usernames, groupnames or any other strings that make sense at the point in the policy where the function is called.

By default, the file being imported is limited to 100 lines. This limit is defined inthe ips.importfile.maxlines setting in the IPS/agent.ini file and can be adjusted iflarger files are required.

Note: This function can be made optional by writing it in the following way: %?-ImportFileList(<path>)?%. In this case, the translator translates successfully even if the file to be imported is not available.


Note: To make the data inside the file optional, add a "-" in front of each optional line. For example, if the file you want to import contains user names and certain user names are to be made optional, then the file data should be:

admin

test1

-test2

Here test2 is the optional user.
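To show how the rules in “Agent translator function” and the SplitPath and ImportFileList entries fit together, here is an added example in Python (not Symantec's agent code): a small translator for the %?function(parameters)?% form. It passes function arguments verbatim (an embedded %myvar% reaches the function as text), undoes an escaped close parenthesis, evaluates references that come back in a function's return value, honours the "-" prefix so that %?-ImportFileList(...)?% succeeds when the file is missing, enforces ips.importfile.maxlines, and implements SplitPath's prefix list (also for UNIX paths, which goes beyond the page's Windows example). Assumptions: backslash is the escape character for ")" (the page does not say which one), %name% is the environment-variable reference form, the agent.ini settings are represented by a plain dict, and the SAMPLE_FILES mapping stands in for files on disk so the block runs offline.

```python
"""Toy translator for the %?function(parameters)?% reference form.

Added example, not Symantec's agent code. Backslash-escaping of ')', the
%name% variable form and the in-memory 'files' mapping are assumptions.
"""
from dataclasses import dataclass, field
import re
from typing import Callable, Dict, List, Optional, Tuple

# %?name(args)?% with an optional leading '-' (optional function). Arguments may
# contain any character; a ')' inside them must be written '\)' (assumed escape).
_FUNC_REF = re.compile(r"%\?(-?)(\w+)\(((?:\\\)|[^)])*)\)\?%")
_VAR_REF = re.compile(r"%([A-Za-z_]\w*)%")      # assumed environment-variable form


class TranslateError(Exception):
    pass


@dataclass
class Context:
    env: Dict[str, str] = field(default_factory=dict)        # environment of the IPS service
    agent_ini: Dict[str, str] = field(default_factory=dict)  # e.g. ips.importfile.maxlines
    files: Optional[Dict[str, str]] = None   # constructed in-memory files; None = read the disk
    windows: bool = True
    calls: List[Tuple[str, str]] = field(default_factory=list)  # (function, raw args) trace

    def lookup_var(self, name: str) -> str:
        # Variable names are case-insensitive on Windows and case-sensitive on UNIX.
        table = {k.upper(): v for k, v in self.env.items()} if self.windows else self.env
        key = name.upper() if self.windows else name
        if key not in table:
            raise TranslateError(f"undefined variable %{name}%")
        return table[key]

    def read_file(self, path: str) -> str:
        if self.files is None:
            with open(path, encoding="utf-8") as fh:
                return fh.read()
        if path not in self.files:
            raise FileNotFoundError(path)
        return self.files[path]


def split_path(path: str, ctx: Context) -> List[str]:
    """SplitPath: the path plus every directory leading to it, e.g.
    C:\\a\\b\\c -> [C:\\a, C:\\a\\b, C:\\a\\b\\c]. The drive or root itself is not listed."""
    sep = "\\" if "\\" in path else "/"
    parts = path.split(sep)
    return [sep.join(parts[:i]) for i in range(2, len(parts) + 1)]


def import_file_list(path: str, ctx: Context) -> List[str]:
    """ImportFileList: one entry per non-blank line. A leading '-' marks the entry
    optional and is left in place for the policy layer. Missing file -> FileNotFoundError."""
    limit = int(ctx.agent_ini.get("ips.importfile.maxlines", 100))
    lines = ctx.read_file(path).splitlines()
    if len(lines) > limit:   # assumption: every line in the file counts toward the limit
        raise TranslateError(f"{path}: {len(lines)} lines exceeds ips.importfile.maxlines={limit}")
    return [ln.strip() for ln in lines if ln.strip()]


FUNCTIONS: Dict[str, Callable[[str, Context], List[str]]] = {
    "SplitPath": split_path,
    "ImportFileList": import_file_list,
}


def translate(text: str, ctx: Context) -> List[str]:
    """Expand all references in text. The result is a list because a function may
    return several values; the surrounding text is then emitted once per value."""
    m = _FUNC_REF.search(text)
    if m is None:
        return [_VAR_REF.sub(lambda v: ctx.lookup_var(v.group(1)), text)]
    optional, name, raw_args = m.group(1) == "-", m.group(2), m.group(3)
    if name not in FUNCTIONS:
        raise TranslateError(f"unknown function {name}")
    args = raw_args.replace("\\)", ")")   # undo the escape only; %refs% in args stay literal
    ctx.calls.append((name, args))
    try:
        values = FUNCTIONS[name](args, ctx)
    except FileNotFoundError:
        if not optional:
            raise TranslateError(f"{name}: cannot read {args}")
        values = []   # %?-Function(...)?%: translation succeeds and contributes nothing
    out: List[str] = []
    for value in values:
        # A reference inside the return value is evaluated now, after the call.
        out.extend(translate(text[:m.start()] + value + text[m.end():], ctx))
    return out


# Constructed sample files (not real agent data).
SAMPLE_FILES = {
    r"C:\policy\users.txt": "admin\ntest1\n-test2\n",
    r"C:\policy\paths.txt": "%?SplitPath(%SystemRoot%\\System32\\drivers)?%\n",
}
```

The paths.txt sample shows the two evaluation rules side by side: the %SystemRoot% inside the SplitPath arguments is handed to the function as literal text, but because the function's return values still contain that reference, they are translated afterwards and come back as real C:\Windows paths. The per-line "-" marker survives into the output untouched, since what "optional" means for a user or group entry is decided where the policy consumes the list, not by the translator.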
