This page describes the platform-specific audit policy settings that Tracker requires. Complete this setup before you run the program. Administrative (root) privileges are required for most of the steps.
Windows
Tracker uses the Event Log service on Windows. This section describes how to configure the Audit Policy so that the service records the events Tracker needs. Both graphical user interface (GUI) and command line interface (CLI) methods are described, and a PowerShell script is provided for those who want a quick setup.
Powershell Script
We provide a PowerShell script that enables or disables the Audit Policy required by Tracker. If you want to know exactly what the script does, read the rest of these instructions; otherwise, just execute it. The script expects a file (represented by TARGET in the script) that lists the directories to audit. You may need to run Set-ExecutionPolicy before the script will execute.
To audit process tracking
Control Panel\System and Security\Administrative Tools\Local Security Policy
- Local Security Policy\Local Policies\Audit Policy\Audit process tracking.
- Check Success only.
The above is equivalent to the commands below. Note that the legacy "Audit process tracking" setting enables the whole Detailed Tracking category, whereas these commands enable only the two subcategories Tracker needs; if advanced audit policy is enforced on the machine (the "Force audit policy subcategory settings" option or a GPO), the legacy setting is ignored and the auditpol commands are the ones that take effect.
auditpol /Set /subcategory:"Process Creation" /Success:Enable
auditpol /Set /subcategory:"Process Termination" /Success:Enable
On non-English Windows the (sub)category names are localized; the commands below list them.
auditpol /list /category
auditpol /list /subcategory:"Detailed Tracking"
To include command line in process creation events
- Run gpedit.msc (or search for Local Group Policy Editor) and open Local Computer Policy\Computer Configuration\Administrative Templates\System\Audit Process Creation\Include command line in process creation events.
- Set the option to Enabled.
The above is equivalent to the command below. Be aware that the full command line is then written into each process creation event (Event ID 4688), so any secrets passed as command-line arguments end up in the event log.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1
To audit object tracking
Control Panel\System and Security\Administrative Tools\Local Security Policy
- Local Security Policy\Local Policies\Audit Policy\Audit object access.
- Check Success only.
The above is equivalent to the command below, which is more fine-grained: it enables only the File System subcategory of Object Access rather than the whole category.
auditpol /Set /subcategory:"File System" /Success:Enable
To set up folders to audit
- Right-click the target directory, click Properties, and open the Security tab.
- Click the Advanced button and open the Auditing tab.
- Click the Continue button (administrative privileges are required to read or change the SACL).
- Check "Replace all child object auditing entries with inheritable auditing entries from this object" if necessary, then click the Add button.
- Click the "Select a principal" link.
- Select a user or group, e.g., Authenticated Users, and leave Type set to Success.
- Click "Show advanced permissions" and check "List folder / read data" and "Create files / write data" (ReadData and WriteData in the script).
The above is equivalent to the PowerShell script below.
#########
# Enumerate target folders on $TargetFolders
#########
$TargetFolders = "Z:\TEMP", "Z:\DOWN"
$AuditUser = "Everyone"
$AuditRules = "WriteData,ReadData"
$InheritType = "ContainerInherit,ObjectInherit"
$AuditType = "Success"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
foreach ($TargetFolder in $TargetFolders) {
    # -Audit reads the existing SACL, so audit entries already on the folder are kept when the new rule is added.
    $ACL = Get-Acl $TargetFolder -Audit
    $ACL.SetAuditRule($AccessRule)
    #########
    # To remove the audit rule, comment out the two lines above and uncomment the two lines below.
    # $ACL = Get-Acl $TargetFolder -Audit
    # $ACL.RemoveAuditRule($AccessRule)
    #########
    Write-Host "Processing >",$TargetFolder
    $ACL | Set-Acl $TargetFolder
}
Write-Host "Audit Policy applied successfully."
# ENTER UNTIL YOU SEE "Audit Policy applied successfully."
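The script below is an added example, not the page's own script or part of Tracker: it ties the whole Windows procedure together in one run, enabling, disabling, or only verifying the auditpol subcategories, the ProcessCreationIncludeCmdLine_Enabled value, and the Success SACL entry on every directory listed in the target file. It assumes the target file (TARGET above) holds one directory per line; the parameter names (-Target, -Mode, -AuditUser) are this example's own. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original page or Tracker's own script).
# Applies, removes, or verifies every Windows audit setting described above:
#   - auditpol subcategories Process Creation, Process Termination, File System
#   - the ProcessCreationIncludeCmdLine_Enabled registry value
#   - a Success SACL entry on each directory listed in the target file
# Assumptions: the target file lists one directory per line; parameter names
# are this example's own. Usage (elevated PowerShell):
#   .\Set-TrackerAudit.ps1 -Target .\dirs.txt -Mode Enable
#   .\Set-TrackerAudit.ps1 -Target .\dirs.txt -Mode Verify
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $Target,
    [ValidateSet('Enable', 'Disable', 'Verify')] [string] $Mode = 'Enable',
    [string] $AuditUser = 'Everyone'
)

$Subcategories = 'Process Creation', 'Process Termination', 'File System'
$RegPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$RegName = 'ProcessCreationIncludeCmdLine_Enabled'

# Same rule the page's script builds: Success audits of ReadData/WriteData for
# $AuditUser, inherited by subfolders and files.
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $AuditUser, 'ReadData,WriteData', 'ContainerInherit,ObjectInherit', 'None', 'Success'

# Directories to audit: one per line, blank lines and '#' comments ignored.
$Dirs = Get-Content -Path $Target | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

switch ($Mode) {
    'Enable' {
        foreach ($s in $Subcategories) { auditpol /set /subcategory:"$s" /success:enable | Out-Null }
        New-Item -Path $RegPath -Force | Out-Null
        New-ItemProperty -Path $RegPath -Name $RegName -Value 1 -PropertyType DWord -Force | Out-Null
        foreach ($d in $Dirs) {
            # -Audit loads the existing SACL so other audit entries survive the change.
            $acl = Get-Acl -Path $d -Audit
            $acl.SetAuditRule($Rule)
            Set-Acl -Path $d -AclObject $acl
        }
    }
    'Disable' {
        foreach ($s in $Subcategories) { auditpol /set /subcategory:"$s" /success:disable | Out-Null }
        Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
        foreach ($d in $Dirs) {
            $acl = Get-Acl -Path $d -Audit
            [void] $acl.RemoveAuditRule($Rule)
            Set-Acl -Path $d -AclObject $acl
        }
    }
}

# Verification runs in every mode, so the operator sees the state that actually
# took effect rather than what the script meant to set.
foreach ($s in $Subcategories) {
    auditpol /get /subcategory:"$s" | Select-String -Pattern $s | ForEach-Object { $_.Line.Trim() }
}
$CmdLine = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
'Command line in process creation events: ' + $(if ($CmdLine -eq 1) { 'enabled' } else { 'disabled' })
foreach ($d in $Dirs) {
    $entries = @((Get-Acl -Path $d -Audit).Audit | Where-Object { "$($_.AuditFlags)" -match 'Success' })
    '{0}: {1} success audit entries' -f $d, $entries.Count
    $entries | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```

The Verify mode changes nothing and is the one to run after a Group Policy refresh or on a machine someone else configured: auditpol /get reports the effective subcategory state, and the SACL listing shows whether the Success entry is still present on each directory. On non-English Windows the subcategory names passed to auditpol must be the localized ones, as noted above.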
Linux
Tracker uses the Linux Auditing System on Linux.
No existing audit rule may suppress event generation. On some Linux distributions, such as Fedora, the initial rule set contains
-a never,task
which suppresses all event generation. To list and remove the existing audit rules, use the commands below:
sudo auditctl -l    # list the current rules
sudo auditctl -D    # delete all current rules
Note that auditctl -D clears only the running rule set; rules loaded from /etc/audit/audit.rules or /etc/audit/rules.d are reinstalled when auditd restarts, so remove the never,task line there as well if it is present.
If you use the Linux Auditing System for any other purpose, conflicts may occur: once Tracker is running, all audit events are delivered to it and no longer to auditd. To use auditd again after terminating Tracker, restart it as follows (on systemd distributions the auditd unit typically refuses systemctl stop/restart, so use the service command):
sudo service auditd restart
If auditd does not work together with Tracker, you may need to kill the '/sbin/auditd -n' process first (Ubuntu).
OSX
Tracker uses the OpenBSM audit facility on OSX. Add the pc (process), cl (login/logout), fr (file read) and fw (file write) classes to the flags line (attributable events, i.e., those of a logged-in user) and the naflags line (non-attributable events) in /etc/security/audit_control. Root privileges are required to edit it. The new configuration takes effect after a reboot (or after sudo audit -s, which makes auditd reread its configuration). Below is an example configuration.
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:pc,cl,fr,fw
minfree:5
naflags:pc,cl,fr,fw
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated