
Customize ESM Checks to match custom standard

Created: 18 May 2011 • Updated: 31 May 2011 | 10 comments
Posted by ekotsonis:
This issue has been solved. See solution.

Hi all, I am at the stage of configuring some new standards to CCS, which are largely different from the standards that are provided out of the box. I have already completed some standards for the assets that RMS will be used and now I am in the stage that I will configure the corresponding ESM standards.

The values that I want to examine have three types:

1. "Group Policy Setting = <something>"

2. "HKLM\...\" Parameter has value = <something>

3. Service named <something> is set to start Manually/Automatic/Disabled

The problem is that I cannot find a way to configure this to ESM. The only way that I found is to change the existing templates to transform the values to the correct ones (as the standard I am implementing contains deviations from security standards that are provided by CCS).

Can you provide some guidance on how I should approach the implementation of this custom standard? It looks like it is quite a lot of work if template change is required.

Evangelos

10 Comments

Posted by Sunny G:

Hi Evangelos,

I think for what you are trying to do the best way IS to use the templates.  There is a registry template that allows customization for any keys you want to monitor, a couple of services one (used in the Startup Files module), and several Group Policy Templates (used in the Active Directory template or depending on what you are checking may be in other modules as well).

It's not that difficult. The services one is pretty easy; just remember to use the service name that is the 'short name' for the service. For example, "World Wide Web Publishing" is "w3svc".

With registry, it may look complex but doesn't need to be. Just copy settings from a line in the built-in templates and you should be able to figure out the details. You do not need to use every box in the row either, just what you need, such as ownership, permissions, check values, and maybe any forbidden or mandatory values.

I think that the group policy ones are fairly self-explanatory. I haven't used them much so I don't remember off the top of my head, but they weren't too bad.

Sunny

Posted by Sunny G:

If you would like,

send a few specific keys and I can forward sample template files with what you want in them.

What version of ESM are you running?

Posted by ekotsonis:

Actually I have about 120 keys to implement, which have already been implemented for RMS collection, so I was hoping that there exists a more straightforward way to create the connection between these two standards (Windows RMS and Windows ESM).

I will proceed with the templates, as you mentioned, as this seems to be the only way to do what I need to.

The only thing I am not sure about is if I will be able to export all the settings (and templates) that will be created from the development instance to the test and production environment, when the standard is finalized. Is this performed through the policy tool or should I use something else?

If you can send me template files that I can edit outside ESM and then import it, it would be great.

Thank you very much for your response.

Evangelos

Posted by Clementine:

Hello,

Here we have some custom templates derived from Symantec ones so that we don't care about overwrite when applying a new SU.

You can move templates from one manager to another with policytool or the ESM console. For this purpose, I often use fake policies in order to avoid any potential problem with suppression records.

Hope this helps

Posted by ekotsonis:

Have you ever developed a check that examines if a registry key exists and has a specific value?

For example I want to implement in ESM the following:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\

Name: KeepAliveTime

Type: DWORD

Value: 1

In CCS Standard I have defined the following:

IF ([Message String ID != 'ESM_NOEXISTVALUE' Where ESM Policy = '<ESM STANDARD NAME>' AND ESM Module Name = '[Registry]' AND Name = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect' with Missing Data Outcome being 'Pass' and Multiple Data Operator being 'AND' ] AND [Message String ID != 'ESM_NOEXISTKEY' Where ESM Policy = '<ESM STANDARD NAME>' AND ESM Module Name = '[Registry]' AND Name = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect' with Missing Data Outcome being 'Pass' and Multiple Data Operator being 'AND' ]) THEN ( IF ([Is Error Message = 'False' Where ESM Policy = '<ESM STANDARD NAME>' AND ESM Module Name = '[Registry]' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]) THEN ([True]) ELSE ([Unknown])) ELSE ([False])

In ESM I have added a row in a template, with the following and added it to the Registry Module that is included in the <ESM STANDARD NAME> Policy:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\

Name: KeepAliveTime

Type: DWORD

Regular expression Value: [1]

Is this approach correct? It does not seem to work.

Posted by ekotsonis:

I found this article which explains the ESM part of the check.

http://www.symantec.com/business/support/index?page=content&id=TECH115988&actp=search&viewlocale=en_US&searchid=1305786234634

I have created the template file and enabled it in the Registry module of the ESM policy I am running, so the only thing I believe is missing is the part of the configuration of the check in ccs.

Can someone provide a guidance on the CCS check that should be configured?

Posted by Walter_A:

Hi there,

Once you have your ESM policy configured to your likings you can use the ESM policy migration Utility to automatically convert an ESM policy into a CCS standard. 

Here is a document explaining how it works ftp://ftp.symantec.com/public/english_us_canada/products/symantec_control_compliance_suite/9.0/updates/esm/Symantec_ESM_Policy_to_CCS_Standard_Migration_Utility_User's_Guide.pdf

and here is the tool itself ftp://ftp.symantec.com/public/english_us_canada/products/symantec_control_compliance_suite/9.0/updates/esm/Symantec_Control_Compliance_Suite_ESM_Migration_Utility_9.0.1_Win.exe.

There are several versions of the tool in that FTP directory depending on the SU you have, because each SU could have new checks in it and thus require an updated tool, but the check you're talking about has been there for several years so the original tool should work fine.

Walter

Posted by ekotsonis:

Hi Walter,

I have tried to run the migration tool but it seems like it cannot run, as I get an error that the application failed to initialize. I believe that there is something wrong at the operating system level. Nevertheless, by searching for more information, I found the document that is linked at the following location:

ftp://ftp.symantec.com/public/english_us_canada/products/symantec_control_compliance_suite/9.0/utilities/ESM_Policy_to_CCS_Standard_Migration-FSD.docx

In this document it is mentioned that the checks of the CCS standard will be the checks of ESM, which means that the rows of the target (which will be the registry values) will not be represented in the CCS standard that will be created, which is something that I want to be provided in the report. So it seems that this tool will not fit and I should go with manually creating these checks in CCS.

The question still remains. Is there a way to create a check in CCS that looks in a ESM Policy, that has the Registry Module if the value of one row of the target is correct or wrong? If yes, what is the form that the check should have?

Posted by ekotsonis:

After some experimenting and after getting more familiar with the way that ESM checks in CCS operate, I managed to create this check. I followed the following steps:

Step 1: Create a template

In ESM Manager, I created a copy of one of the Registry templates that are available and added rows that include the names and values of the expected registry keys (according to what is mentioned in this article).

Step 2: Create and run the ESM Policy

In ESM Manager, I created a policy and added the Registry Module, in which I checked the following values:

  • Template File List. (Here I added the template I built)
  • Key and value existence
  • Allow any privileged account
  • Automatically update snapshots

After creating the policy, run it and wait for it to be finalized.

Step 3: Configure the CCS Check

Create a new check, which will include the following 3 expressions.

1. The first one returns unknown if ESM Message that is returned is error message. This will have the following attributes:

  • Category: ESM Message
  • Field: Is Error Message
  • Operator: =
  • Value: False
  • Filter: ESM Policy = <name of the policy>,ESM Module Name = '[Registry]'
  • Outcome for missing data items = Unknown

2. The second passes if ESM does not return the value "ESM_NOEXISTVALUE" (which means that the key exists). This will have the following attributes:

  • Category: ESM Message
  • Field: Message String ID
  • Operator: !=
  • Value: ESM_NOEXISTVALUE
  • Filter: ESM Policy = <name of the policy>,ESM Module Name = '[Registry]', Name=<the name of the registry key e.g. HKEY_LOCAL_MACHINE\System\....\keyname>
  • Outcome for missing data items = Pass

3. The third passes if ESM does not return the value "ESM_WRONG_DATA" (which means that the key has the correct value). This will have the following attributes:

  • Category: ESM Message
  • Field: Message String ID
  • Operator: !=
  • Value: ESM_WRONG_DATA
  • Filter: ESM Policy = <name of the policy>,ESM Module Name = '[Registry]', Name=<the name of the registry key e.g. HKEY_LOCAL_MACHINE\System\....\keyname>
  • Outcome for missing data items = Pass

This one worked for me. I hope it also works for you.

SOLUTION
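As an added illustration of the accepted answer (not code from the thread or from Symantec), the following Python model evaluates the three-expression CCS check over a handful of constructed ESM Registry-module messages, so the effect of the filters and the "Outcome for missing data items" settings can be seen on sample input. The EsmMessage record, the policy name and the sample messages are all constructed for this example.

```python
# Added example, not code from the thread or from Symantec: a small model of how
# the three-expression CCS check in the accepted answer evaluates ESM
# Registry-module messages. The EsmMessage record and sample data are constructed.
from dataclasses import dataclass

PASS, FAIL, UNKNOWN = "Pass", "Fail", "Unknown"


@dataclass(frozen=True)
class EsmMessage:
    policy: str      # ESM Policy the message came from
    module: str      # ESM Module Name, e.g. "[Registry]"
    name: str        # registry path\value the message refers to
    string_id: str   # Message String ID, e.g. ESM_NOEXISTVALUE, ESM_WRONG_DATA
    is_error: bool   # True when ESM reports an error rather than a finding


def expression(msgs, filters, field, op, value, missing_outcome):
    """One CCS expression: keep messages matching every filter, compare one field.
    No matching data -> the configured missing-data outcome; several matching
    data items are combined with AND, as in the thread's check."""
    matched = [m for m in msgs if all(getattr(m, k) == v for k, v in filters.items())]
    if not matched:
        return missing_outcome
    ok = all((getattr(m, field) == value) if op == "=" else (getattr(m, field) != value)
             for m in matched)
    return PASS if ok else FAIL


def registry_value_check(msgs, policy, key_name):
    """Expression 1 gates on errors, 2 on key existence, 3 on the expected value.
    Expressions 2 and 3 treat missing data as Pass, as configured in the thread."""
    base = {"policy": policy, "module": "[Registry]"}
    if expression(msgs, base, "is_error", "=", False, UNKNOWN) != PASS:
        return UNKNOWN                     # error message, or no data for the policy
    key = dict(base, name=key_name)
    exists = expression(msgs, key, "string_id", "!=", "ESM_NOEXISTVALUE", PASS)
    correct = expression(msgs, key, "string_id", "!=", "ESM_WRONG_DATA", PASS)
    return PASS if exists == PASS and correct == PASS else FAIL


POLICY = "Custom Windows Policy"           # constructed policy name
KEEPALIVE = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime"
MISSING = r"HKEY_LOCAL_MACHINE\Software\Example\Missing"   # constructed value name
SAMPLE = [                                 # constructed ESM output for one host
    EsmMessage(POLICY, "[Registry]", KEEPALIVE, "ESM_WRONG_DATA", False),
    EsmMessage(POLICY, "[Registry]", MISSING, "ESM_NOEXISTVALUE", False),
]

if __name__ == "__main__":
    print(registry_value_check(SAMPLE, POLICY, KEEPALIVE))   # Fail: wrong value
    print(registry_value_check(SAMPLE, POLICY, MISSING))     # Fail: value missing
```

A value that produced no message at all (a third, unreported key name) evaluates to Pass, and an ESM error message or an empty result set for the policy evaluates to Unknown, matching the outcomes described in the steps above.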