Tracker: Platform Configuration

This page describes the platform-specific audit policy settings that Tracker requires. Complete this setup before you run the program. Administrative privileges may be required.

Windows

Tracker uses the Event Log service on Windows. This section describes how to set up the Audit Policy so that the service generates the event logs Tracker requires. Both graphical user interface (GUI) and command-line interface (CLI) methods are described, and a PowerShell script is provided for those who need a quick setup.

PowerShell Script

We provide a PowerShell script with which you can easily enable or disable the Audit Policy settings required by Tracker. If you want to know exactly what the script does, read the rest of these instructions; otherwise, just execute the script. The script expects a file (represented by TARGET in the script) that contains the list of directories to audit, one per line. You may need to run Set-ExecutionPolicy before the script can be executed.

Download PowerShell Script

To audit process tracking

Control Panel\System and Security\Administrative Tools\Local Security Policy

  1. Local Security Policy\Local Policies\Audit Policy\Audit process tracking.
  2. Check Success only.

The above is equivalent to the following commands:

auditpol /Set /subcategory:"Process Creation" /Success:Enable
auditpol /Set /subcategory:"Process Termination" /Success:Enable

The following commands list the names of the categories and subcategories, which is useful on non-English Windows where the names are localized:

auditpol /list /category
auditpol /list /subcategory:"Detailed Tracking"

To include command line in process creation events

  1. Run gpedit.msc or search for Local Group Policy Editor, then open Local Computer Policy\Computer Configuration\Administrative Templates\System\Audit Process Creation\Include command line in process creation events.
  2. Set the option to Enabled.

The above is equivalent to the following command:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1

To audit object tracking

Control Panel\System and Security\Administrative Tools\Local Security Policy.

  1. Local Security Policy\Local Policies\Audit Policy\Audit object access.
  2. Check Success only.

The above is equivalent to the following command, which is more fine-grained: it enables only the File System subcategory rather than the whole Object Access category.

auditpol /Set /subcategory:"File System" /Success:Enable

To set up folders to audit

  1. Right-click the target directory and click Properties.
  2. On the Security tab, click the Advanced button.
  3. On the Auditing tab, click the Continue button.
  4. If necessary, check "Replace all child object auditing entries with inheritable auditing entries from this object". Click the Add button.
  5. Click the "Select a principal" link.
  6. Select a user or group, e.g., Authenticated Users.
  7. Check the Read and Write options under Advanced permissions.

The above is equivalent to the following PowerShell script:

#########
# Apply a Success audit entry for ReadData/WriteData to every folder in
# $TargetFolders. Run from an elevated PowerShell prompt.
#########
$TargetFolders = "Z:\TEMP", "Z:\DOWN"
$AuditUser = "Everyone"
$AuditRules = "WriteData,ReadData"
$InheritType = "ContainerInherit,ObjectInherit"   # apply to subfolders and files
$AuditType = "Success"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
foreach ($TargetFolder in $TargetFolders)
{
    # -Audit makes Get-Acl read the existing SACL, so audit entries for other
    # principals are preserved when the descriptor is written back.
    $ACL = Get-Acl $TargetFolder -Audit
    $ACL.SetAuditRule($AccessRule)
#########
#   To remove the audit rule instead, comment out the SetAuditRule line above
#   and uncomment the line below.
#   $ACL.RemoveAuditRule($AccessRule)
#########
    Write-Host "Processing >",$TargetFolder
    $ACL | Set-Acl $TargetFolder
}
Write-Host "Audit Policy applied successfully."
#   If you paste this into an interactive console, press Enter until you see "Audit Policy applied successfully."
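After applying the settings above, it is worth confirming that they actually took effect before starting Tracker. The following verification script is an added example, not part of Tracker's distribution or of the script above. It checks the three auditpol subcategories, the ProcessCreationIncludeCmdLine_Enabled registry value, and the SACL of each target folder. The file name target_folders.txt is an assumption standing in for the TARGET file mentioned earlier (one directory path per line); run it from an elevated PowerShell prompt.

```powershell
# Added verification script (assumed file layout: one folder path per line in $TargetFile).
# Exits with status 1 and prints a warning for every setting that is not in place.
param(
    [string]$TargetFile = ".\target_folders.txt"   # assumed name of the TARGET file
)

$failures = @()

# --- 1. auditpol subcategories -----------------------------------------------
# 'auditpol /get ... /r' prints CSV; the 'Inclusion Setting' column holds e.g. "Success".
foreach ($sub in "Process Creation", "Process Termination", "File System") {
    $csv = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    $setting = $csv | Select-Object -First 1 -ExpandProperty 'Inclusion Setting'
    if ($setting -notmatch 'Success') {
        $failures += "auditpol: '$sub' is '$setting', expected Success"
    }
}

# --- 2. command line in process creation (4688) events ------------------------
$regPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $regPath -Name ProcessCreationIncludeCmdLine_Enabled `
            -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
if ($cmdLine -ne 1) {
    $failures += "registry: ProcessCreationIncludeCmdLine_Enabled is '$cmdLine', expected 1"
}

# --- 3. SACL entries on the target folders -----------------------------------
$wanted = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData'
foreach ($folder in Get-Content $TargetFile | Where-Object { $_.Trim() }) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        $failures += "folder: '$folder' does not exist"
        continue
    }
    # -Audit is required; without it Get-Acl does not read the SACL at all.
    $acl = Get-Acl -LiteralPath $folder -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    $ok = $rules | Where-Object {
        (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0) -and
        (($_.FileSystemRights -band $wanted) -eq $wanted)
    }
    if (-not $ok) {
        $failures += "folder: '$folder' has no Success audit entry covering ReadData and WriteData"
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All Tracker audit settings verified."
```

The folder check matches any principal, so it passes whether the entry was created for Everyone (as in the script above) or for Authenticated Users (as in the GUI steps); it only requires that Success auditing covers both ReadData and WriteData, which are the rights Tracker relies on for object tracking.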

Linux

Tracker uses the Linux Auditing System on Linux.

No existing rule should prevent audit events from being generated. On some Linux distributions, such as Fedora, the initial audit rules may contain -a never,task, which suppresses event generation. To list and remove the existing audit rules, use the following commands:

sudo auditctl -l # To see a list of current rules 
sudo auditctl -D # To delete all the current rules

If you use the Linux Auditing System for any other purpose, conflicts may occur. Note that once Tracker is running, all audit events are delivered to it and no longer to auditd. To use auditd again after terminating Tracker, restart it as follows:

sudo service auditd restart

If auditd does not work with Tracker, you may need to kill the '/sbin/auditd -n' process first (on Ubuntu).

OSX

Tracker uses the OpenBSM audit facility on OSX. Add the pc, cl, fr, fw classes to both flags and naflags in /etc/security/audit_control. Root privileges are required to edit the file. The new configuration takes effect after a reboot. Below is an example configuration.

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:pc,cl,fr,fw
minfree:5
naflags:pc,cl,fr,fw
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
Page last modified on April 10, 2018, at 05:36 AM