Altiris Monitor Solution – Monitoring and Auditing Systems, Part 2
Monitoring System Crashes
After a system crash (bugcheck) and reboot, Windows writes an event with Event ID 1001 and event source "Save Dump" to the System log. This is the event to monitor.
How you would perform System Crash Monitoring with Altiris Monitor Solution
- You can either use one of the predefined monitor pack rules or create your own if predefined is not available
- Select the plus sign to create a new rule
- Give the rule a name "System Crash Monitoring"
- Type: "Based on NT Event" from the drop down.
- Select "New" to create the conditions of the rule.
- Property: "Log File"
- Condition: "Is"
- Value: "System"
- The value is "System" because the crash event is written to the System log file.
- Select "New" again to add another condition to the rule.
- Operator: "And" allows the previous condition to run with this condition.
- Property: "Event ID"
- Condition: "Matches Regular Expression"
- Value: the Event ID written as a regular expression, for example (1001). If the product matches substrings rather than the whole field, anchor the expression (^1001$) so that it cannot match a longer ID that merely contains 1001.
- Select "OK" to apply changes.
- The rule is now configured and will match System log events with the specified Event ID.
- You can also specify "Rule Repetition", where you specify how many times the rule has to match within a given time frame before an event is logged and a notification is sent.
- Select "Action" to specify what happens after the event has been detected.
- There are various action options to select
- Create incident
- Create an NT Event
- Send E-Mail
- Many more
- In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, since an unexplained crash poses a potential risk to the business.
- Select "OK" to confirm settings and then select "OK" again to save all changes to the rule
Monitoring Processes
Windows NT and Windows 2000 include the ability to log the creation and destruction of each process on the system. To enable this feature, set the system's Audit policy to audit success and failure events in the "Detailed Tracking" category (shown as "Process Tracking" in the NT User Manager policy dialog). These events are written to the Security log, not the System log:
| Event ID | Description |
|---|---|
| 592 | A new process has been created |
| 593 | A process has exited |
| 594 | A handle to an object has been duplicated |
| 595 | Indirect access to an object has been obtained |
How you would perform Process Monitoring with Altiris Monitor Solution
- You can either use one of the predefined monitor pack rules or create your own if predefined is not available
- Select the plus sign to create a new rule
- Give the rule a name "Process Monitoring"
- Type: "Based on NT Event" from the drop down.
- Select "New" to create the conditions of the rule.
- Property: "Log File"
- Condition: "Is"
- Value: "Security"
- The value is "Security" because the process tracking events (592 to 595) are written to the Security log file, not the System log.
- Select "New" again to add another condition to the rule.
- Operator: "And" allows the previous condition to run with this condition.
- Property: "Event ID"
- Condition: "Matches Regular Expression"
- Value: the Event IDs written as a regular expression, for example (592|593|594|595). Note that 592 alone is usually enough if you only care about process creation; 593 to 595 are very noisy on a busy server.
- Select "OK" to apply changes.
- The rule is now configured and will match Security log events with the specified Event IDs.
- You can also specify "Rule Repetition", where you specify how many times the rule has to match within a given time frame before an event is logged and a notification is sent.
- Select "Action" to specify what happens after the event has been detected.
- There are various action options to select
- Create incident
- Create an NT Event
- Send E-Mail
- Many more
- In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected. Because process events are frequent, use "Rule Repetition" or a narrower Event ID expression, otherwise the mailbox fills with noise.
- Select "OK" to confirm settings and then select "OK" again to save all changes to the rule
Object Monitoring
Windows NT and Windows 2000 enable you to monitor accesses to specific objects: files and directories, registry keys, directory service objects, and kernel objects.
Monitorable Objects
Several kinds of objects can be audited. Each type of object has unique access types; that is, each kind of object is accessed in a way appropriate only to that kind of object. For example, while the "start" and "stop" accesses are appropriate to services, they don't make much sense when talking about files and directories.
Here are the most common auditable objects:
- Files and directories. The most commonly audited objects are file and directory objects.
- Registry keys. These are the second most commonly audited objects.
- Services. Services in Windows NT and Windows 2000 are objects that can be secured and audited just like other objects.
- Kernel objects. Kernel objects like mutexes and semaphores can be audited. The audits generated generally are of use to no one other than developers.
- Directory service objects.
- Printers.
Monitoring User Activity
Monitoring Logons
You can monitor logon activity in Windows NT and Windows 2000 in a very detailed way by enabling success and failure auditing of the "Logon" category activity in the system's Audit policy.
| Event ID | Description |
|---|---|
| 528 | Successful Logon |
| 529 | Logon Failure: Reason: Unknown user name or bad password |
| 530 | Logon Failure: Reason: Account logon time restriction violation |
| 531 | Logon Failure: Reason: Account currently disabled |
| 532 | Logon Failure: Reason: The specified user account has expired |
| 533 | Logon Failure: Reason: User not allowed to logon at this computer |
| 534 | Logon Failure: Reason: The user has not been granted the requested logon type at this machine |
| 535 | Logon Failure: Reason: The specified account's password has expired |
| 536 | Logon Failure: Reason: The NetLogon component is not active |
| 537 | Logon Failure: Reason: An unexpected error occurred during logon |
| 538 | User Logoff |
| 539 | Logon Failure: Reason: Account locked out |
| 540 | Successful Network Logon |
One of the most useful reasons to monitor logons is to capture account lockout events. Any reasonably secure site will have an account lockout policy, and every account lockout event will be useful either to the help desk for gathering statistics on how often users lock themselves out, or to your security team for watching for possible password-guessing attacks: a burst of 529 events against one account, followed by 539 once the lockout threshold is reached.
How you would perform User Activity Monitoring with Altiris Monitor Solution
- You can either use one of the predefined monitor pack rules or create your own if predefined is not available
- Select the plus sign to create a new rule
- Give the rule a name "User Activity Monitoring"
- Type: "Based on NT Event" from the drop down.
- Select "New" to create the conditions of the rule.
- Property: "Log File"
- Condition: "Is"
- Value: "Security"
- The value is "Security" because logon events are written to the Security log file.
- Select "New" again to add another condition to the rule.
- Operator: "And" allows the previous condition to run with this condition.
- Property: "Event ID"
- Condition: "Matches Regular Expression"
- Value: the Event IDs written as a regular expression, for example (528|529|530|531). To catch the password-guessing and lockout activity discussed above, include 539, for example (529|539); matching 528 and 540 as well will alert on every successful logon, which is rarely what you want for an e-mail action.
- Select "OK" to apply changes.
- The rule is now configured and will match Security log events with the specified Event IDs.
- You can also specify "Rule Repetition", where you specify how many times the rule has to match within a given time frame before an event is logged and a notification is sent. For failed logons this is the setting that separates a mistyped password from a password-guessing attempt.
- Select "Action" to specify what happens after the event has been detected.
- There are various action options to select
- Create incident
- Create an NT Event
- Send E-Mail
- Many more
- In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this rule fires, since repeated logon failures and lockouts pose a potential risk to the business.
- Select "OK" to confirm settings and then select "OK" again to save all changes to the rule
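The three rules above (System Crash, Process and User Activity Monitoring) all have the same shape: a Log File "Is" condition, an Event ID "Matches Regular Expression" condition joined with "And", and an optional Rule Repetition threshold. The following Python script is an added example, not Altiris code, that models that rule logic and runs it over a handful of constructed event records so you can see which events fire and how the repetition window suppresses single mistyped passwords while still catching a burst of 529 events followed by a 539 lockout. The event dictionaries, the rule names and the repetition semantics (N matching events inside a sliding window, then reset) are assumptions made for the example, not the product's documented behaviour.

```python
"""Toy model of the 'Based on NT Event' rules described above.

Added example, not part of the original page or of Altiris. The sample
events below are constructed for this example, not captured logs.
"""
import re
from collections import deque
from datetime import datetime, timedelta


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class EventRule:
    """One rule: Log File 'Is' log_file AND Event ID matches id_regex.

    repeat/window_minutes model 'Rule Repetition' (assumed semantics:
    fire once 'repeat' matching events fall inside a sliding window,
    then reset so one burst produces one notification).
    """

    def __init__(self, name, log_file, id_regex, repeat=1, window_minutes=0):
        self.name = name
        self.log_file = log_file
        self.id_pattern = re.compile(id_regex)
        self.repeat = repeat
        self.window = timedelta(minutes=window_minutes)
        self.hits = deque()  # timestamps of matching events

    def matches(self, event):
        # fullmatch so that "1001" cannot match an ID such as 10010
        return (event["log"] == self.log_file
                and self.id_pattern.fullmatch(str(event["id"])) is not None)

    def feed(self, event):
        """Return an alert string when the rule fires, otherwise None."""
        if not self.matches(event):
            return None
        ts = parse_time(event["time"])
        self.hits.append(ts)
        if self.window:
            # drop hits that fell out of the repetition window
            while self.hits and ts - self.hits[0] > self.window:
                self.hits.popleft()
        if len(self.hits) >= self.repeat:
            self.hits.clear()
            return (f"{self.name}: event {event['id']} in {event['log']} "
                    f"log at {event['time']} ({event['source']})")
        return None


def build_rules():
    """Fresh rule objects mirroring the three procedures on this page."""
    return [
        EventRule("System Crash Monitoring", "System", r"1001"),
        EventRule("Process Monitoring", "Security", r"592|593|594|595"),
        # 3 failed/locked-out logons within 10 minutes: likely guessing
        EventRule("User Activity Monitoring", "Security", r"529|539",
                  repeat=3, window_minutes=10),
    ]


# Constructed sample events (hypothetical, not real logs)
SAMPLE_EVENTS = [
    {"time": "2003-04-01 09:00:00", "log": "System", "source": "Save Dump", "id": 1001},
    {"time": "2003-04-01 09:00:05", "log": "Application", "source": "App", "id": 1001},
    {"time": "2003-04-01 09:01:00", "log": "Security", "source": "Security", "id": 592},
    {"time": "2003-04-01 09:02:00", "log": "Security", "source": "Security", "id": 593},
    {"time": "2003-04-01 09:10:00", "log": "Security", "source": "Security", "id": 529},
    {"time": "2003-04-01 09:11:00", "log": "Security", "source": "Security", "id": 529},
    {"time": "2003-04-01 09:30:00", "log": "Security", "source": "Security", "id": 529},
    {"time": "2003-04-01 09:31:00", "log": "Security", "source": "Security", "id": 529},
    {"time": "2003-04-01 09:32:00", "log": "Security", "source": "Security", "id": 539},
    {"time": "2003-04-01 09:33:00", "log": "Security", "source": "Security", "id": 528},
]


def run_rules(rules, events):
    """Feed events to every rule in time order; collect alert strings."""
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            alert = rule.feed(event)
            if alert:
                alerts.append(alert)
    return alerts


def demo():
    return run_rules(build_rules(), SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the script produces four alerts: the crash (the 1001 in the Application log is ignored because the Log File condition fails), two process events, and one logon alert at 09:32 when the 529, 529, 539 burst reaches the threshold; the two 529 events at 09:10 and 09:11 alone never fire because the window expires before a third arrives.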