File security check


Objective

The aim of this tool is to complete file monitoring by letting you verify that a file's security settings remain as expected.

With a few clicks, you can monitor the access rights of groups and users, and define who should be alerted if the file content changes or if its security settings are breached.

Create or edit a File security monitoring

To create a new File Security monitoring, right-click the File monitoring icon in the PATROL Console and select KM Commands > New > File security check....

To edit an existing File Security monitoring, right-click the File security icon in the PATROL Console and select KM Commands > Edit.

Step 1: Selecting the security parameters to monitor

The first panel of the File Security wizard allows you to select different file security options.

Figure: File Security Check Wizard — Welcome Page

Granted file access rights
User that owns the file
Group that may have access to the file
File integrity

Check the options and click Next to proceed.

Note: By default, Monitoring Studio uses the current file attributes and owners in the next steps. If the current file configuration is the correct one, simply click Next until the end of the wizard.

Step 2: File’s access rights

This panel helps you select the type of alert to be triggered if the file’s access rights do not match the criteria entered. Depending on the operating system the PATROL agent is running on, you may get different options.

On UNIX and Linux systems

Figure: Windows Service Monitoring Wizard — File Access Rights on UNIX/Linux Systems

Choose type of alert: The first dropdown list enables you to choose the type of alert to trigger if the current file mode does not match the "expected" file mode.

File access rights: These are the classic file access rights that can be looked up by running the "ls -l" command.

The mode consists of 10 characters, for example, -rwxr-xr-x. The first character indicates the entry type:

b: block special file
c: character special file
d: directory
l: symbolic link
n: network special file
p: fifo (also called a "named pipe") special file
s: socket
-: ordinary file

The next 9 characters are interpreted as three sets of three characters each which identify access and execution permissions for the owner, group, and others categories.

The "-" indicates that permission is not granted. Various permission combinations are possible, except that the x, s, S, t, and T characters are mutually exclusive, since they occupy the same position in each set of three.

The access right characters are interpreted as follows:

-: Deny all permissions in the corresponding position.
r: Grant read permission to the corresponding user class.
w: Grant write permission to the corresponding user class.
x: Grant execute (or search in directory) permission to the corresponding user class.
s: Grant execute (search) permission to the corresponding user class. Execute the file as if by the owner (set user ID, SUID) or group (set group ID, SGID), as indicated by position.
S: Deny execute (search) permission to the corresponding user class, but execute the file as if by the owner (set user ID, SUID) or group (set group ID, SGID), as indicated by position.
t: Grant execute (search) permission to others. The "sticky" (save text image) bit is set.
T: Deny execute (search directory) permission to others. The "sticky" (save text image) bit is set.

On Windows systems

The file access rights depend on the Access Control List (ACL) on Windows systems. An ACL is a table that tells a computer operating system the access rights each user has to a particular system object, such as a file directory or individual file.

Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges. The most common privileges include the ability to:

Read a file (or all the files in a directory)
Write to the file or files
Execute the file (if it is an executable file, or program).

Figure: Windows Service Monitoring Wizard — File Access Rights on Windows Systems

In Windows, an access control list is associated with each system object.

Each ACL has one or more access control entries (ACEs), each consisting of the name of a user or group of users. The user can also be a role name, such as "programmer" or "tester". For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask.

Generally, the system administrator or the object owner creates the access control list for an object.

In this panel, you can:

Enter up to 8 users or groups
Indicate the access criteria: read, write or execute
Specify the type of alert to be triggered if the file's access rights differ from the specified criteria

Step 3: Ownership

Monitoring Studio can check if the file’s owner is approved.

Figure: Windows Service Monitoring Wizard — File Ownership Page

Select the type of alert: Do nothing; Trigger an ALARM; Trigger a WARNING; Trigger an INFORMATION

Specify whether the file owner is or is not: Select whether the file's owner should match the specified names (is) or must not match them (is not).

Step 4: File’s group

Monitoring Studio checks whether the file's group differs from the specified criteria.

Figure: Windows Service Monitoring Wizard — File Group Page

Select the type of alert: Do nothing; Trigger an ALARM; Trigger a WARNING; Trigger an INFORMATION

Specify whether the file's group is or is not: Select whether the file's group should match the specified names (is) or must not match them (is not).

Step 5: File’s integrity

In this panel, you are simply asked to select the type of alert to trigger when the file’s content is modified.

Figure: Windows Service Monitoring Wizard — File Integrity Page

Select the type of alert: Do nothing; Trigger an ALARM; Trigger a WARNING; Trigger an INFORMATION
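The checks the wizard configures in Steps 2 to 5 (access rights, owner, group and content), as an added Python example that is not Monitoring Studio code: parse_mode reads the ls -l mode string described in Step 2 and rejects s/S and t/T in positions where they are not valid, observe gathers a real file's state with os.stat (an assumption, since the page does not say how the KM collects it), and evaluate maps each unmet criterion to the alert type chosen for that step. The POLICY and OBSERVED values are constructed samples.

```python
import grp, hashlib, os, pwd, stat

def parse_mode(mode):
    """(entry_type, [owner, group, others]); each class is (read, write, execute,
    special) where special is SUID/SGID for owner/group and the sticky bit for others."""
    if len(mode) != 10 or mode[0] not in "bcdlnps-":   # entry types listed in Step 2
        raise ValueError(f"bad mode string: {mode!r}")
    classes = []
    for i in (1, 4, 7):
        r, w, x = mode[i:i + 3]
        if r not in "-r" or w not in "-w" or x not in "-xsStT":
            raise ValueError(f"bad permission triple: {mode[i:i + 3]!r}")
        if (i < 7 and x in "tT") or (i == 7 and x in "sS"):  # s/S: owner, group; t/T: others
            raise ValueError(f"{x!r} is not valid at position {i}")
        classes.append((r == "r", w == "w", x in "xst", x in "sStT"))
    return mode[0], classes

def observe(path):
    """Current mode/owner/group/digest of a real file, gathered with os.stat (an
    assumption: the page does not describe how the KM itself collects them)."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"mode": stat.filemode(st.st_mode), "owner": pwd.getpwuid(st.st_uid).pw_name,
            "group": grp.getgrgid(st.st_gid).gr_name, "sha256": digest}

def evaluate(observed, policy):
    """[(check, alert)] for each wizard step whose criteria are not met; alert is that
    step's choice (ALARM, WARNING, INFORMATION) or None for 'Do nothing' (suppressed)."""
    findings = []
    if parse_mode(observed["mode"]) != parse_mode(policy["mode"]):
        findings.append(("access rights", policy["mode_alert"]))
    # "is / is not": should_match=False means the listed names must NOT own the file
    if (observed["owner"] in policy["owners"]) != policy["owner_should_match"]:
        findings.append(("owner", policy["owner_alert"]))
    if (observed["group"] in policy["groups"]) != policy["group_should_match"]:
        findings.append(("group", policy["group_alert"]))
    if observed["sha256"] != policy["sha256"]:
        findings.append(("integrity", policy["integrity_alert"]))
    return [f for f in findings if f[1] is not None]

# Constructed sample: the expected state of a root-owned credential file, and an
# observed state where mode, group and content have all drifted (integrity: Do nothing).
POLICY = {"mode": "-rw-r-----", "mode_alert": "ALARM", "owners": ["root"],
          "owner_should_match": True, "owner_alert": "ALARM", "groups": ["shadow"],
          "group_should_match": True, "group_alert": "WARNING", "integrity_alert": None,
          "sha256": hashlib.sha256(b"root:*:19000:0:99999:7:::\n").hexdigest()}
OBSERVED = {"mode": "-rw-rw-r--", "owner": "root", "group": "users",
            "sha256": hashlib.sha256(b"root:*:19000:0:99999:7:::\nx::\n").hexdigest()}
```

Running evaluate(observe(path), POLICY) against a real file gives the same list of (check, alert) pairs the wizard's steps would raise, with "Do nothing" steps dropped.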

Step 6: Monitoring Studio settings

Figure: Windows Service Monitoring Wizard — Settings Page

PATROL Object Label: Label displayed in the PATROL Console.

PATROL Object ID: PATROL internal identifier of this File security monitoring. Although modifiable, it is strongly recommended not to change the default ID.

Poll every "x" minutes: Set the polling interval for this monitored object. The default polling interval is 2 minutes.

Tip: Thresholds can be set or modified at any time by right-clicking the instance > KM Commands > Set Thresholds.

File security check objects are instances of the SW_FILE_SECURITY class.


See Also

File > Restart scan from start of file

File monitoring and analysis

File Security > Acknowledge alerts and update

SW_FILE_SECURITY