Data Center Security


How to get alert when FTP is being started?

  • 1.  How to get alert when FTP is being started?

    Posted Jan 26, 2017 04:31 AM

    Hi,
    I'm having trouble getting DCS:SA 6.7 to detect/alert when FTP service is being started. I have requirement from customer to alert who and when starts FTP. This needs to apply to Solaris and RHEL servers (various versions). Preventing FTP from starting is not requirement, requirement is to tell when this happens as there might be valid business reasons for FTP to run.

    I've been playing with different ways to do this:

    • detect when specific command is executed
      • RHEL: /etc/init.d/vsftpd start
      • SOL: svcadm enable network/ftp
    • detect when specific process is running
      • RHEL:
        [root@srv04 ~]# ps -ef | grep ftp
        root      5399     1  0 10:20 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
      • SOL:
        root@srv03:~# ps -ef | grep ftp
             ftp  1551     1   0 11:22:36 ?           0:00 /usr/lib/inet/proftpd

    However I was not successful in getting this to work.

    Would appreciate any idea or suggestion how to get this done.

    Thanks.



  • 2.  RE: How to get alert when FTP is being started?

    Posted Jan 26, 2017 05:16 AM

    I'd suggest this is far better accomplished at your network gateway, as the FTP connections must go through it, whereas using DCS:SA means you'll only hear about it when someone on a machine with the DCS:SA agent installed makes a FTP connection.

    If you're set on doing this via DCS:SA policies, just go into the network controls of a UNIX policy, create a rule to Allow and Log connections on a remote port of 21, and you should be done.

    If that's what you did, then perhaps a bit more detail?  It's also worth checking if whatever FTP client you're using isn't getting sent off to another sandbox instead...



  • 3.  RE: How to get alert when FTP is being started?

    Posted Jan 26, 2017 06:24 AM

    This is what I tried:

    1. In the Prevention Policies tab, click Add
    2. Launch Legacy Policy Builder
    3. Selected Operating System: Unix
    4. For starting policy used sym_unix_targeted_prevention_sbp
    5. Opened new policy and under Sandboxes -> Default PSET Options opened Process Access Controls
    6. Under No-Access Process Access Controls added Target Program Path /usr/sbin/vsftpd
    7. Under Global Policy Options selected Disable Prevention -- Log but do not prevent policy violations for entire system
    8. Assigned this policy to the Security Group where the asset belongs -> click save and reapply
    9. Ensured new policy has been applied in the Monitor tab
      1. Successfully updated the policy to ftp_poc_proc3 37
    10. On the server executed /etc/init.d/vsftpd start/stop but I'm not seeing any expected event logged
      1. I verified that other events are logged, like su, so the agent is working but my policy is not


  • 4.  RE: How to get alert when FTP is being started?

    Posted Jan 26, 2017 07:38 AM

    Does this also fail to log if you were to launch sftpd manually as a user process rather than a service/daemon?

    Have you tried the "Log process create and destroy messages" under General Settings?



  • 5.  RE: How to get alert when FTP is being started?

    Posted Jan 26, 2017 10:16 AM

    Does this also fail to log if you were to launch sftpd manually as a user process rather than a service/daemon?

    -> not sure what you refer to here - I'm starting it from shell under root account by running "/etc/init.d/vsftpd start"

    Have you tried the "Log process create and destroy messages" under General Settings?

    -> yes, does not help



  • 6.  RE: How to get alert when FTP is being started?

    Posted Jan 31, 2017 04:25 AM

    Perhaps you'd prefer to do this using a Detection policy instead then.  A File Watch rule for File Access would do the trick.



  • 7.  RE: How to get alert when FTP is being started?

    Posted Feb 06, 2017 12:03 PM

    I haven't tested this myself but I believe you had the right idea. Use the Targeted prevention policy and create a custom sandbox for the ftp daemon. If you don't want any restrictions then make it a Fully Open sandbox.

    Edit the list of programs to route to the PSET, then add the FTP program path.

    /usr/sbin/vsftpd

    Use the Arguments field to designate the Start variable.

    &ci; *start*

    Use the Rule Name field so we can reference this event for our Alert.

    In the UMC Server Console go to Monitor->Alerts

    Add a new Alert called FTP Daemon Started or whatever makes sense to you.

    For the Filter we want to say if we see an event with our custom rule name trigger the Alert.


    Add the Email Alert section with the body populated with all of the fields from the event you wish to include.

    Note: You need to see the event being generated in the Console first. The Alert will only trigger if the event makes it into the DB. The event may be Informational severity so you need to make sure your Prevention Parameters (aka Configs) are configured to send all events up to the manager while you are testing.



  • 8.  RE: How to get alert when FTP is being started?

    Posted Feb 08, 2017 05:49 AM

    Thanks Shane,

    I tried following your suggestion but it does not work in my lab. I tested on RHEL 5.8 (64bit) and no events are being generated.

    Attached is the policy I created.




  • 9.  RE: How to get alert when FTP is being started?
    Best Answer

    Posted Feb 13, 2017 01:46 PM

    Sorry, just saw this!

    Ok,

    Try enabling trivial logging in the Default PSET and in Cust_ftp_ps

    Make a copy of a Prevention Config and delete all the rules. Set up one logging rule to Transmit when Event Type Equals Any

    Assign that config to the RHEL box

    stop/start vsftpd and reboot

    Find where vsftpd is ending up, maybe the Default PSET



  • 10.  RE: How to get alert when FTP is being started?

    Posted Feb 17, 2017 11:14 AM

    Hi Shane,

    Prevention Config was the right path; the events generated by the policy were Information severity, which was filtered by the default prevention config parameters. I'm still tweaking the final policy but I'm now close to completion.

    Thanks for your support guys.



  • 11.  RE: How to get alert when FTP is being started?

    Posted Feb 28, 2017 01:58 PM

    Glad you were able to see those events. I circled back to this after getting my centos box back online. If using a custom Prevention policy as we had discussed you would have to modify the prevention config to send Information severity events to the manager. You could narrow it down to get only Informational events related to the rule name.

    OR...

    If you were only looking for monitoring the stopping and starting of vsftpd then using a detection policy would work out better.

    I created a custom detection policy to monitor Syslog for event patterns. Every time the vsftpd daemon is stopped and started there are 4 events generated:

    systemd: Starting Vsftpd ftp daemon...
    systemd: Started Vsftpd ftp daemon.

    systemd: Stopping Vsftpd ftp daemon...
    systemd: Stopped Vsftpd ftp daemon.


    Here is a screencap of my detection policy that I tested.


    Here is a screencap of the events


    Hope this helps.

    Regards,

    Shane
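The four systemd messages quoted above are the whole signal the detection policy keys on, so the same match can be checked outside the console. The Python below is an added example, not code from the thread or from DCS:SA: it runs that pattern over constructed syslog lines (host name and timestamps are made up), reports the completed start/stop transitions, and separately flags a "Starting" that never reached "Started".

```python
import re

# Constructed sample syslog lines (not from the original post): the four
# systemd messages the thread quotes plus one "Started Session" noise line.
SAMPLE_SYSLOG = """\
Feb 28 13:40:01 centos7 systemd: Starting Vsftpd ftp daemon...
Feb 28 13:40:01 centos7 systemd: Started Vsftpd ftp daemon.
Feb 28 13:40:30 centos7 systemd: Started Session 12 of user root.
Feb 28 13:51:12 centos7 systemd: Stopping Vsftpd ftp daemon...
Feb 28 13:51:12 centos7 systemd: Stopped Vsftpd ftp daemon.
Feb 28 13:52:00 centos7 systemd: Starting Vsftpd ftp daemon...
"""

# Classic syslog prefix (month day time host), then the systemd message.
# Case-insensitive, like the &ci; *start* argument match in the DCS rule.
VSFTPD_EVENT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) systemd: "
    r"(?P<verb>Starting|Started|Stopping|Stopped) Vsftpd ftp daemon",
    re.IGNORECASE,
)

def match_vsftpd_events(lines):
    """Every vsftpd unit transition as (timestamp, host, verb)."""
    events = []
    for line in lines:
        m = VSFTPD_EVENT.match(line)
        if m:
            events.append((m["ts"], m["host"], m["verb"].capitalize()))
    return events

def ftp_state_changes(lines):
    """Only completed transitions: the moments FTP became running or stopped."""
    state = {"Started": "running", "Stopped": "stopped"}
    return [(ts, host, state[verb])
            for ts, host, verb in match_vsftpd_events(lines) if verb in state]

def pending_starts(lines):
    """'Starting' with no later 'Started' for that host: the unit was asked
    to start but the daemon never reported up, which deserves its own alert."""
    pending = {}
    for ts, host, verb in match_vsftpd_events(lines):
        if verb == "Starting":
            pending[host] = ts
        elif verb == "Started":
            pending.pop(host, None)
    return sorted((ts, host) for host, ts in pending.items())
```

The syslog line carries no user, so this answers "when", not "who"; the Rule Name approach in the prevention policy is still the route to the originating account.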