Use Symantec Enterprise Security Manager to Monitor File Changes
Created: 11 Jan 2012 | Updated: 12 Jan 2012
Symantec Enterprise Security Manager™ automates the discovery of security vulnerabilities and deviations from the security policy in mission critical applications and servers across the enterprise. Symantec Enterprise Security Manager (ESM) provides enterprise-class tools that allow administrators to create security baselines for every system on the network and measure performance against those baselines to ensure that devices are properly configured and being used in accordance with policies. Using ESM, administrators can quickly and cost-effectively create and manage online security policies and user-defined security domains, identify systems that are not in compliance, and correct faulty security settings on systems at any location to bring them back into compliance.
Below is a simple example of using ESM to monitor OS file changes, in this case the files of a Windows IIS server (C:\Inetpub).
1. Install the ESM agent on the Windows Server that runs the IIS server.
2. Log in to the ESM Enterprise Console, expand 'Templates' in the left panel, right-click the template named 'File - Windows Server 2003 (fileatt.s52)' and choose 'Duplicate'.
3. Enter a name for the new template.
4. Delete all existing rows in this template.
5. Click 'Add Folder' and enter the folder of the IIS server.
6. Confirm the files and folders that were added to the list.
7. Save the settings of the template.
8. Right-click 'Policies' and choose 'New Policy' to create a new policy.
9. Edit the properties of the newly created policy and add 'File Attributes' from 'Available Modules'.
10. Expand 'File Attributes', select 'Changed file (signature)' and uncheck the other checks.
11. Select 'Template file list' and add the template created in step 7 to the list.
12. Select 'Keywords list' and remove 'windows.fkl' from 'Enabled Template Files'.
13. Save this policy.
14. Select the policy created in step 13 and drag it onto the ESM agent; this triggers a run of the policy on that agent.
15. Expand 'Policy Runs' to check the state of the policy run.
16. Wait a few minutes; a notification appears when the policy run finishes.
17. The run produces a report of the files and their signatures.
At this point we have created a baseline of this Windows IIS server.
To detect any change to these files and folders, simply run the policy again.
For example, modify the IIS home page, iisstart.htm, and then run the policy again on this ESM agent. ESM shows the changed file.
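The 'Changed file (signature)' check works by recording a content signature for every file under the template's folders on the first run and comparing each later run against that record. The script below is an added example that illustrates that baseline-and-compare idea; it is not ESM's code, and ESM's own signature format is not documented on this page, so the use of SHA-256 is an assumption made for the demonstration. Instead of C:\Inetpub it builds a small constructed stand-in tree in a temporary directory, baselines it, edits iisstart.htm as in the article, and also adds and deletes a file to show the two kinds of drift a pure "changed file" check does not describe on its own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added illustration of the signature-baseline idea behind ESM's
# "Changed file (signature)" check. Not ESM's own algorithm: the page does
# not document ESM's signature format, so SHA-256 is an assumption here.


def file_signature(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk root recursively and record a signature for every regular file.

    Keys are paths relative to root (forward slashes) so two baselines of
    the same tree compare cleanly regardless of where the tree is mounted.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = file_signature(p)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Diff two baselines into sorted lists of changed, added and removed paths."""
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed stand-in for C:\\Inetpub: baseline it, edit the home page,
    add one file, delete another, then rescan and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        www = root / "wwwroot"
        www.mkdir()
        (www / "iisstart.htm").write_text("<html>Welcome to IIS</html>")
        (www / "pagerror.gif").write_bytes(b"GIF89a" + bytes(16))
        (root / "logs.txt").write_text("constructed sample log line\n")

        before = build_baseline(root)  # first "policy run": sets the baseline

        # The change made in the article: modify the IIS home page.
        (www / "iisstart.htm").write_text("<html>Welcome to IIS (edited)</html>")
        # Extra drift: one new file and one deleted file.
        (www / "newpage.htm").write_text("<html>new page</html>")
        (root / "logs.txt").unlink()

        after = build_baseline(root)   # second "policy run": compare to baseline
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script prints the edited iisstart.htm under `changed`, the new page under `added` and the deleted log under `removed`. In a real deployment the baseline itself must be stored where the monitored host cannot rewrite it (ESM keeps it on the manager rather than the agent), otherwise an attacker who modifies a file can also re-baseline it.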