Files
You can create templates to regularly check the permissions, ownership and other attributes of directories and files. You can also use templates to find new files that didn’t exist during the last compliance check - for example, a new executable with the SUID bit set. Or you can monitor a set of files for ownership or group changes. Use your imagination and there are some very powerful administration and compliance tasks that can be automated. Let’s take a look at some examples.
Example 1 – Finding all files with the SUID bit and Monitor Ownership
You may have an application or set of files configured to run with the permission of the owner (i.e., the SUID bit is on). If one of these files’ owner changes, you’d obviously want to know that so that the application doesn’t fail or users aren’t gaining more permissions than they need. Finding those files and then monitoring to make sure the ownership doesn’t change may be something you’ve always wanted to do but didn’t have the time to write the script or just didn’t have the resources to get it done. This is a very easy scenario for Security Auditor.
Defining the template
- To get to the Files category, on the Manage Servers screen, click the category for the Private or Group Policy in the row of the desired server.
- Click New. The Add a New Files Policy Template screen appears.
- Fill in the General tab – see next example:
- On the General tab name the template, give it a description, and then specify the path that is to be searched. The Notes section can provide more documentation about why the template is being implemented.
Or, go to Servers and Policies > [server name]. In the drop-down lists, select whether this should be a Private or Group Policy, then select Files.
- On the Selections tab, click Add, then click the drop-down under 'Select Using' and choose Attributes. For the SUID parameter, select Yes. Leave the others at AnyValue.
- On the Policies tab, open Monitor then check Owner.
- Click Save.
Running a compliance check
When you run a compliance check on this template, it will include the files with the SUID bit set on. The first compliance check records the current owner. Subsequent compliance checks will examine the owner of these files and if the owner is different, the file will be out of compliance.
To run a compliance check, do one of the following
- On the Manage Servers screen, click and choose whether you want to check the Private Policy, Group Policy, or both for the server (or Server Group).
- On the Manage Servers screen, click next to a server to open the server's Files policies.
- Click for the Template under the Action column. Or,
- Select one or more Templates and click CheckIt. This will run a compliance check on all the selected file Templates.
- Choose Servers > CheckIt. Choose the server from the Servers tab and then File Templates from the Policies tab, then click CheckIt.
- Schedule a regular compliance check. Go to Admin tasks > Manage Scheduled Jobs.
If the template is out of compliance (indicated by a in the Compliant column), click on the template name and then the Compliance tab to determine the files that are out of compliance. Click on the file name to see the details of why it’s out of compliance.
Example 2 – Ensuring a Specific File is Secured Correctly
You may have an audit requirement to ensure a specific file(s) is secured appropriately. Perhaps it holds PCI or HR data or perhaps you want to make sure the directory containing payroll information is only accessible by the group processing payroll checks. Whatever the case, this is very easy to configure in Security Auditor.
Defining the template
- To get to the Files category, on the Manage Servers screen, click the category for the Private or Group Policy in the row of the desired server.
- Click New.
- Fill in the General tab – see next example:
- On the General tab:
- Name the template and give it a description.
- Type the path of the directory or file you want to work with in this template.
- Specify whether or not to Include Subdirectories. If this box is unchecked, only the items in that path will be examined and no subdirectories will be traversed.
- Use the Notes section to document the template. (These notes are displayed at the beginning of the print policy report.)
Or, go to Servers and Policies > [server name]. In the drop-down lists, select whether this should be a Private or Group Policy, then select Files.
- On the Selections tab, click Add for the files you want to include in the policy. With (for example) File selected under the drop-down menu, specify the files in the /PCI directory that you want examined. In the following screen, all files with the prefix of PCI will be examined on a compliance check with the exception of the file, PCI_test_data.
- Click the Policies tab and specify the attributes that you want checked when a compliance check is run against this policy.
- Click Save.
Running a compliance check
When you run a compliance check on this template the files will be checked to ensure the owner is PCI_OWN, the group is PCI_GROUP, the permissions are set to user RWX, group RWX, other --- and that the SUID, SGID and SVTX bits are not set. If any of these don’t match the current settings for these files, the file will be identified as out of compliance.
To run a compliance check, do one of the following
- On the Manage Servers screen, click and choose whether you want to check the Private Policy, Group Policy, or both for the server (or Server Group).
- On the Manage Servers screen, click next to a server to open the server's Files policies.
- Click for the file Template under the Action column. Or,
- Select one or more Templates and click CheckIt. This will run a compliance check on all the selected Templates.
- Choose Servers > CheckIt. Choose the server from the Servers tab and then file Templates from the Policies tab, then click CheckIt.
- Schedule a regular compliance check. Go to Admin tasks > Manage Scheduled Jobs.
If the template is out of compliance (indicated by a in the Compliant column), click on the template name and then the Compliance tab to determine the files that are out of compliance. Click on the file name to see the details of why it’s out of compliance.
Running FixIt
FixIt changes the settings of the file to match the policy (as defined by the template.) To run FixIt, you must first enable it for this template.
To enable FixIt
- Click on the template name then, on the General tab, check the Enable FixIt box.
- Click Save.
Once you have enabled FixIt, you can run FixIt on the individual file that’s out of compliance or run it on the entire template by selecting either the file or template and clicking the FixIt button.