Hello there! Let’s continue looking at the Blue Medora ITM Agent for Files and Directories by considering a number of real world, enterprise problems that can be solved with the Files and Directories Agent. The Files and Directories Agent is a great utility agent that can be invaluable for system security, integrity, and the efficient allocation of resources. Let’s take a look at what it can do.
The security of your environment is the top priority for any system administrator, and the Blue Medora ITM Agent for Files and Directories can help ensure it. In this example, we will make our system more secure by monitoring a number of areas that are vulnerable to attack. First, we will write our directives file. In the directives file, we are going to look for changes to files in any of the bin directories. This will help us catch attacks where a commonly used executable, such as “ls”, is replaced with a malicious one. We will also check for unauthorized access changes by monitoring the /etc/passwd and /etc/group files. Finally, we will monitor the hosts file to catch DNS redirection. The lines we add to the directives file will look like the following:
/etc/passwd, /etc/passwd, no
/etc/group, /etc/group, no
/etc/hosts, /etc/hosts, no
/usr/bin, /usr/bin, yes
/usr/sbin, /usr/sbin, yes
/bin, /bin, yes
/sbin, /sbin, yes
Now, we want to be notified of any changes. We can do this by creating custom situations in the TEP.
First, let’s create a situation to notify us whenever there is a change in any of the bin directories.
Start by clicking the “Situation Editor…” button.
Select “Files and Directories” in the list and click the “Create new Situation…” button in the top corner.
Go ahead and enter a Name and Description.
In the “KP7 RESULTS” attribute group, choose the “Path Modified Datetime” attribute.
Clicking the box underneath Path Modified Datetime in the formula window will allow you to choose a time for comparison. We will keep the current time (the default). Change the comparison operator to the greater than (>) symbol. This makes the situation fire whenever a monitored path’s modified date is newer than the time the situation was created. So, if an attacker, Eve, were to drop a malicious executable named “ls”, we would be notified through a situation in the TEP.
Now let’s create a situation to monitor some of the important system files. The formula for this situation will look a little different.
Here we are going to look at whether or not the md5 checksum of the file has changed. This can help us determine if another user (possibly with permissions we do not want to allow) was added to the system or to a group without our knowledge. Monitoring modifications to the hosts file can help keep us safe from a DNS redirection attack. Click the “Until” tab.
We can set “Interval Expires” to a more realistic value. This way we will still see the situation fire even if we aren’t at the TEP at the exact time the event happens.
Let’s consider this scenario: You have a number of automated scripts that create a gzipped tarball of important files and upload it to an Amazon S3 bucket every night at 2 AM. We would like the Files and Directories Agent to verify the upload. So how can we do this? Let’s start by adding both the file being transferred and the file’s location on the S3 bucket (which we have mounted) to our directives file:
Production, /data/important.tgz, no
S3, /mnt/s3/important.tgz, no
Now, the first thing we want to know is that the file transfer did occur. To do that, let’s create a situation. In the formula screen, choose the Path Modified Datetime attribute.
Now, change the comparison value to “Compare Time to a time + or – delta”. Set the delta to +24 hours.
Change the comparison operator to > and the formula is all set.
However, we aren’t done yet. We only want the situation to fire for the file on the S3 bucket. So, let’s add a condition: select “Line Number” and set it equal to the line number corresponding to our path to the S3 file (this can be found in the Results workspace).
Now we will be alerted whenever the file on the S3 bucket is over 24 hours old, which tells us for sure that a backup was missed. We can also verify the uploaded file’s integrity by comparing the md5 checksum of the file on the production server to the md5 checksum of the file on the backup server. This can be done right in the TEP.
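As an added example (not code from Blue Medora or the agent itself), here is a small Python script that reads entries in the same label, path, yes/no form used by the directives above, takes an md5 baseline of every file they cover, and reports the changes the situations in both scenarios are built to catch: a replaced executable under a bin directory, a new line in /etc/passwd, and an S3 copy that is over 24 hours old or differs from production. It assumes the third directive field means recursive monitoring; the directory tree, file contents and directive paths are constructed.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def parse_directives(text):
    """Turn 'label, path, recursive' lines into (label, path, recursive_bool) tuples."""
    rows = [[p.strip() for p in ln.split(",", 2)] for ln in text.splitlines() if ln.strip()]
    return [(label, path, rec.lower() == "yes") for label, path, rec in rows]

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def covered_files(path, recursive):
    """A file directive covers itself; a directory covers its files, all depths when recursive."""
    p = Path(path)
    if p.is_file():
        return [p]
    return sorted(f for f in (p.rglob("*") if recursive else p.iterdir()) if f.is_file())

def snapshot(directives):
    return {str(f): md5_of(f) for _, path, rec in directives for f in covered_files(path, rec)}

def changed_files(baseline, current):
    """Paths whose md5 differs from the baseline snapshot, or that appeared or vanished."""
    return sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))

def backup_verified(prod, s3, max_age_s=24 * 3600):
    """Backup scenario: the S3 copy is younger than max_age_s and checksum-identical to production."""
    return time.time() - os.path.getmtime(s3) < max_age_s and md5_of(prod) == md5_of(s3)

def demo():
    """Constructed run: baseline a throwaway tree, tamper with it, then age the backup copy."""
    root = tempfile.mkdtemp()
    files = {"etc/passwd": "root:x:0:0::/root:/bin/sh\n", "bin/ls": "#!/bin/sh\nls\n",
             "bin/sub/cp": "#!/bin/sh\ncp\n", "data/important.tgz": "tarball", "s3/important.tgz": "tarball"}
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    directives = parse_directives(  # same "label, path, recursive" format; paths are constructed
        f"/etc/passwd, {root}/etc/passwd, no\n/bin, {root}/bin, yes\n")
    baseline = snapshot(directives)
    Path(root, "bin/ls").write_text("#!/bin/sh\n# swapped-in binary\n")  # executable replaced
    Path(root, "etc/passwd").write_text(files["etc/passwd"] + "eve:x:1001:1001::/home/eve:/bin/sh\n")
    prod, s3 = Path(root, "data/important.tgz"), Path(root, "s3/important.tgz")
    fresh_ok = backup_verified(prod, s3)
    os.utime(s3, (0, time.time() - 30 * 3600))  # S3 copy now looks 30 h old: last night's upload missed
    changed = [Path(p).relative_to(root).as_posix() for p in changed_files(baseline, snapshot(directives))]
    return {"changed": changed, "backup_fresh": fresh_ok, "backup_stale": backup_verified(prod, s3)}
```

The unchanged bin/sub/cp is only covered because the /bin directive says yes; with no, only the top level of the directory would be baselined.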
In this scenario, we will determine whether or not our environment needs a hardware upgrade or resource reallocation. Here we will monitor a Windows server’s resources to determine if they are getting low. For this scenario, our directives file will look like this:
C:\, C:\, yes
Page File, C:\pagefile.sys, no
With these directives, we can monitor our disk space to see when most of it is in use. We can also monitor the size of the swap file to determine if we currently have enough RAM on the system. First, let’s make a situation to let us know when we’ve used most of our maximum available space.
Now that we will be alerted when we’re running out of disk space, let’s take a look at the swap file. This is a good place to take a look at historical data. Let’s create a new workspace to show the change in swap size over time. First, click File->Save Workspace As…:
Give your new workspace a nice, descriptive name.
Now, let’s drop a graph onto the workspace view near the bottom.
Choose the “Size Delta in bytes” attribute.
Now click the “Edit Properties…” button on the top, right corner of the view.
“Size Delta in bytes” should already be checked, but we need to set the “Line Number” equal to the value of the pagefile directive, which can be found in the Data Snapshot underneath or the Results workspace.
Now we can monitor the change in size of the swap file! If the swap file is continuously growing, it is likely a good time to reallocate resources or upgrade the hardware.
Well, that’s it for now. I hope these scenarios have given you a good idea of the power behind the Blue Medora ITM Agent for Files and Directories.