
Use Symantec Enterprise Security Manager to Monitor File Changes

Created: 11 Jan 2012 • Updated: 12 Jan 2012
yang_zhang
Symantec Enterprise Security Manager™ automates the discovery of security vulnerabilities and deviations from the security policy in mission critical applications and servers across the enterprise. Symantec Enterprise Security Manager (ESM) provides enterprise-class tools that allow administrators to create security baselines for every system on the network and measure performance against those baselines to ensure that devices are properly configured and being used in accordance with policies. Using ESM, administrators can quickly and cost-effectively create and manage online security policies and user-defined security domains, identify systems that are not in compliance, and correct faulty security settings on systems at any location to bring them back into compliance.
Below is a simple example of using ESM to monitor OS file changes, in this case the files of a Windows IIS server (C:\Inetpub).
1. Install the ESM agent on the Windows server that is running IIS.
2. Log in to the ESM enterprise console, expand 'Templates' in the left panel, right-click the template named 'File - Windows Server 2003 (fileatt.s52)', and choose 'Duplicate'.
3. Enter a name for the new template.
4. Delete all the existing rows of this template.
5. Click 'Add Folder' and enter the folder name of the IIS server.
6. Confirm the files and folders that were added to the list.
7. Save the settings of the template.
8. Right-click 'Policies' and choose 'New Policy' to create a new policy.
9. Edit the properties of this newly created policy and add 'File Attributes' from the 'Available Modules'.
10. Expand 'File Attributes', select 'Changed file (signature)', and uncheck the others.
11. Select 'Template file list' and add the template saved in step 7 to the list.
12. Select 'Keywords list' and remove 'windows.fkl' from the 'Enabled Template Files'.
13. Save this policy.
14. Select the policy from step 13 and drop it onto the ESM agent. This triggers a policy run on that agent.
15. Expand 'Policy Runs' to check the state of the policy run.
16. Wait a few minutes; a notification appears once the policy has finished running.
17. A report of the policy run is then available.
At this point, we have created a baseline for this Windows IIS server.
To detect any change to these files and folders, just run the policy again.
For example, we modify the IIS home page, iisstart.htm, and then run the policy again on this ESM agent. ESM reports the changed file.
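The baseline-then-recheck idea behind the 'Changed file (signature)' check, as an added Python example; it is not ESM code and says nothing about ESM's internals. SHA-256, the function names and the temporary folder standing in for C:\Inetpub are assumptions, and the new/deleted lists go beyond the single check enabled in step 10.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root, '/' separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result


def compare(baseline, current):
    """Return sorted lists of changed, new and deleted files."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "new": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed stand-in for the IIS folder: baseline, modify, re-check."""
    with tempfile.TemporaryDirectory() as root:
        wwwroot = os.path.join(root, "wwwroot")
        os.makedirs(wwwroot)
        for name, body in (("iisstart.htm", b"<html>welcome</html>"),
                           ("default.css", b"body{}")):
            with open(os.path.join(wwwroot, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # corresponds to the first policy run
        # Same length as the original, so a size-only check would miss it.
        with open(os.path.join(wwwroot, "iisstart.htm"), "wb") as fh:
            fh.write(b"<html>defaced</html>")
        with open(os.path.join(wwwroot, "notes.txt"), "wb") as fh:
            fh.write(b"constructed sample")
        os.remove(os.path.join(wwwroot, "default.css"))
        return compare(baseline, snapshot(root))  # the second policy run


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is stored: keep it off the monitored host or otherwise protected, so that whoever can alter the files cannot also rewrite the baseline.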

2 Comments

22Aug

Thumbs up!

Good article to explain about the file change.

jehnavi

Enterprise Security ------- There's an access to airspace issue brewing with the FAA concerning something called ADS-B. For those in the space vehicle design business, if you haven't rolled reception and bandwidth requirements of this Next Generation aircraft transponder into your design, you could find yourself missing GNC and telemetry issues and opportunities. There are security elements that deal with the installation and proper use of the ADS-B system, so this topic really does fall within the realm of security.
