Pedestal Software, LLC

Intact™

Change Detection and Integrity Checking for Windows NT®

VERSION 2.2


PUBLISHED BY
Pedestal Software, LLC
11 Medway Branch
Norfolk MA 02056
USA

Copyright © 1997-2000 by Pedestal Software, LLC

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Printed and bound in the United States of America

Pedestal Software, Intact, Intact Open Use, Intact Intelligence, Intact Enterprise and Intact Directory Services are trademarks of Pedestal Software, LLC. All other trademarks and service marks are the property of their respective owners.


Table of Contents

Table of Contents (page i)
Table of Figures and Tables (page ii)
  Tables (page ii)
  Figures (page iii)
Using Intact (page 1)
  Installation (page 1)
  The Control Panel (page 4)
  Enterprise Administrator (page 8)
  ODBC Setup (page 13)
  SQL Table Structures (page 14)
  Execution: the intact command (page 16)
  Configuration file (page 20)
  Configuration Browser (page 34)
  Output Viewer (page 36)
  Command line interface (page 38)
  Interpreting reports (page 40)
Background (page 43)
  Intact and Intrusion Detection (page 43)
  Data Integrity (page 44)
Secure your NT system (page 47)
  Scheduling and execution (page 47)
Index (page 51)



Table of Figures and Tables

Tables

Table 1: Control panel buttons (page 6)
Table 2: Registry keys for Control Panel (page 8)
Table 3: SQL configuration tables (page 14)
Table 4: SQL client tables (page 14)
Table 5: Intact execution modes (page 17)
Table 6: Recommended file extensions (page 20)
Table 7: Configuration file commands (page 20)
Table 8: Configuration file expression operators (page 21)
Table 9: Configuration file variables (page 22)
Table 10: Object prefixes (page 24)
Table 11: Objects (page 24)
Table 12: Registry prefixes (page 26)
Table 13: Generic configuration file flags (page 29)
Table 14: Registry flags (page 29)
Table 15: File and directory flags (page 29)
Table 16: NTUSER flags (page 30)
Table 17: NTGROUP flags (page 30)
Table 18: ACCOUNTPOLICY flags (page 30)
Table 19: AUDITPOLICY flags (page 30)
Table 20: Output browser (page 37)
Table 21: intact.exe command line options (page 39)
Table 22: Database access rights (page 48)

Figures

Figure 1: Control panel window and configuration tab (page 4)
Figure 2: Scheduling tab (page 6)
Figure 3: Commands tab (page 7)
Figure 4: Advanced Defines tab (page 7)
Figure 5: Intact Enterprise Administrator (page 8)
Figure 6: Hosts list (page 9)
Figure 7: Properties dialog box (page 10)
Figure 8: Host commands dialog box (page 13)
Figure 9: Creating a new database (page 17)
Figure 10: Comparing a database with a system (page 18)
Figure 11: Users and groups (page 26)
Figure 12: User rights privilege names (page 26)
Figure 13: Special Client object (page 28)
Figure 14: Covered query (only 1 query is issued against LDAP server) (page 31)
Figure 15: Sample configuration file (page 33)
Figure 16: Sample configuration file (page 34)
Figure 17: Intact configuration browser (page 35)
Figure 18: Create new item (page 35)
Figure 19: Registry edit dialog box (page 36)
Figure 20: File last-modified time changed (page 41)
Figure 21: File changes detected (page 41)
Figure 22: Many file changes detected (page 42)
Figure 23: NTUSER and NTGROUP changes detected (page 42)
Figure 24: Multiple configurations sample (page 49)



Chapter 1

Using Intact

How this manual is organized

This manual is divided into the following chapters and sections.

Chapter 1: Using Intact. Provides installation information. Describes the tools used to configure and execute Intact.

Chapter 2: Background. Offers a background into Integrity Checking technology and Intrusion Detection.

Chapter 3: Securing your NT system. Explains various policies and procedures you may want to implement in order to secure your Intact installation and your NT system.

Installation

Intact is distributed on write-protected diskettes or a CD. It includes a “SETUP.EXE” application that will install all necessary files, create a simple configuration and optionally schedule execution. When installing Intact, make sure you start with a completely secure, clean and virus-free system.

Intelligence

The default installation will copy over all the files and create a configuration that uses self-ident mode to try to identify the important components of your system for 6 days before it begins detecting changes. By selecting different options, you will be able to modify this default behavior.

1)      Execute “SETUP.EXE”.

2)      Click “NEXT” to continue with the installation. If at any time you wish to stop the installation, click “CANCEL”. If you make a mistake and want to return to an earlier box, press “BACK”. You should have received a key via email or on a letter or card with your CD.

3)      Enter the required information, keeping in mind the following points (some of them may not apply if you chose not to create a configuration file).

·         The installation directory is where all the files are stored by default.

·         When Intact asks you whether you want to create a log file locally or email it, you can choose either one or both. If you decide to mail the log output, you will need to know the email address you wish to send to as well as the name of the computer which can accept and forward email for your network (the SMTP server). Intact uses its own email delivery system rather than the Windows NT messaging system because of security considerations.

·         If you choose syslog or Event Log notifications, you can optionally select a server to receive them. If you want the notifications sent to the local machine, leave the Server field blank. If you do select a remote server, make sure you change the permissions on the remote system so that it accepts remote notifications.

·         Intact will make a best attempt at determining which drives are local to your system (that is, physically connected). For security reasons and for network efficiency, a computer should check only its local drives.

Directory Services

The installation for Intact Directory Services is the same as for Intact Intelligence. After installation, you will need to modify the configuration and include the directory services to monitor for change. See the section on the Configuration file on page 20 and the Configuration Browser on page 34 for identifying the directory object to monitor.

Enterprise

Enterprise works on a client/server model. There are three components that comprise Intact Enterprise.

1)      SQL database that will store all the tables necessary for the operation of Intact across your network.

2)      Enterprise Administrator that will connect to the SQL database to view events, change configurations, establish new hosts, and perform other administrative tasks. Furthermore, it will connect remotely to client machines to browse drives and registry hives and send commands directly to clients.

3)      Intact Clients reside on client machines and connect to the SQL database periodically to receive commands and send events.

A typical setup has one SQL database, one or more Enterprise Administrators and many Clients.

SQL Database

To prepare a SQL database, you must set up a new database or namespace for Intact, create user accounts that the clients will use to connect to the database and initialize the database with the Administrator. You start the Administrator by clicking on the Start button, choosing Programs, Intact and Administrator.

1)      Create a database. Depending on the database vendor you are using (for example, Microsoft, Oracle or IBM), you will have to consult that vendor’s documentation for establishing a new database or namespace. Each database vendor has different setup procedures and requirements. The Enterprise Administrator requires that you connect to this database using an account that has authority to:

·         Drop and create tables.

·         Truncate tables.

·         Have full access to table contents for all rows.

·         Assign permissions to tables and columns.

For instance, the SA or DBA account will have these permissions.

2)      Create Intact Client Logins. Intact Clients connect to the database using database user accounts that you establish. The Enterprise Administrator will not create new database logins. Creating new logins should be done using the user management tools provided by your database vendor. If your vendor supports the concept of a “default” database or namespace, you should set the “default” for each user to the Intact database or namespace.

For security reasons, it is recommended that the database logins used for Intact Clients be unique for each client and be used exclusively for Intact. For example, each client machine should have its own account so that when the Enterprise Administrator grants and revokes permissions depending on the working stage of the client (build vs. check), such changes will not affect other machines. Furthermore, if the client machine is compromised, the only tables exposed will be those belonging to the client machine.

3)      Initialize. The Intact Administrator will initialize a database when it first connects to it. It will detect that certain tables are not present, prompt you for the database vendor and create tables as needed.

4)      Connect clients. After the Administrator initializes the database, you should prepare the database for each Intact Client that will connect. Use the Host/New menu. When prompted fill in the form with the required information. The defaults are recommended, except for the user account where you will have to enter the user account name that you created for each client.

Enterprise Administrator

The Enterprise Administrator can be set up on the same machine as the database or on a separate machine. It does not require the Intact executable or the Intact service to run because it only manipulates the database. However, you must set up an ODBC connection to the SQL database that you have created.

You must set up an ODBC connection on all machines that will connect to the database. To do this, bring up the Settings from the Start menu and choose “ODBC data sources”. If you are installing the Client and the Administrator, make sure you set up a “System DSN” and not a “User DSN” so that the DSN will be available to the Intact service that may run on the machine. Your database manual should cover the details of creating a new DSN.

The “Typical” installation will install both the Enterprise Administrator and the Intact Client software. If you just want the Enterprise Administrator, choose “Custom” installation.

Additionally, the Enterprise Administrator requires the Microsoft Active Data Objects to connect to the SQL database. If you received a CD, you may install ADO by executing “mdac_typ.exe” located on your CD. This file may also be obtained from Pedestal by request, or on the web from Microsoft by visiting “http://www.microsoft.com/Data/mdac2.htm” and downloading “MDAC 2.1 typical install”.

Intact Client

The Intact Client only needs the Intact program, the Intact service and the Intact Control Panel. The “Compact” installation option is suitable for a client machine that will do no administration. The Intact Control Panel is needed in order to configure the connection to the database. It may be removed after the configuration is complete, or its installation may be skipped if you alter the registry directly. These topics are covered in “Control Panel Registry Keys” on page 7.

The Control Panel

Intact installs a Control Panel application. This applet will provide the interface with most of the functionality of the Intact programs. When you start up the Intact Control Panel application, you should get the following applet. The numbers indicate regions that will be explained in detail.


Figure 1: Control panel window and configuration tab

Starting and Stopping the Service (1)

Region 1 contains a button that starts or stops the Intact service. Intact runs as a service in order to schedule itself and have access to all system objects. The current status of the service is displayed on the left. Press the button to start if Intact is not running, or to stop if Intact is running.

You may also enable or disable the Intact service via the “Services” control panel.

ODBC Connection (2)

The Enterprise version of Intact contains parameters for connecting to a centralized secure repository of configuration information. This feature is disabled in other versions of the software.

In the “ODBC Datasource” field, enter or select an available ODBC datasource. Intact may only utilize “System” datasources – “User” datasources are not available to the service program, which operates under the credentials of LocalSystem.

In the “ODBC Logon” field, enter the database login name for the remote database (if required). Some databases allow you to specify the login credentials within the ODBC control panel (where you define the datasource parameters). If you've specified credentials in the datasource configuration within the ODBC control panel, you should probably leave this field blank.

In the “ODBC Password” field, enter the user password for the remote database (if required).

Enter the table prefix parameter in the “Intact Config Name” field. It is recommended that you use the computer name of the client computer for this field. However, it is possible to use different names by configuring the Administrator.

ODBC Connection Polling

Intact can be activated in at least three ways:

1)      Interactively from the Control Panel.

2)      Scheduled execution at intervals established by a schedule you provide (see the scheduling tab below).

3)      Commands are queued in the ODBC database via the Enterprise Administrator; they are retrieved and executed by the client via a Polling mechanism.

Polling is the process of periodically retrieving commands, issued by the Enterprise Administrator, that are stored in the ODBC database. The “Forcepoll file” option is designed for on-demand polling. If this field is not empty, Intact will look for a change to the last modified time of the “Forcepoll file”. When one is detected, a poll is issued and any awaiting commands are executed. This feature is used by the Administrator to issue commands for immediate execution.

The polling interval is an additional polling trigger. The polling interval is the number of minutes between each poll of the database to look for new commands. Polling is only available in the Enterprise version.

Configuration File (3)

For the Open Use, Intelligence and Directory Services versions, you must use a configuration file. For the Enterprise version, you may use a configuration file or an ODBC database, but not both. Choose one or the other by selecting the appropriate radio button.

The configuration file can be located anywhere in the file system, including remote read-only directories or diskettes. It is recommended that the configuration file be secured against unauthorized tampering and review. The best way to do this is to place it on read-only media or on a share, and grant read/write access only to Administrator, with everyone else having no permissions. Regular users should not be able to look at this file.

The contents of this file will be described below in the “Configuration file” section on page 20.

Other buttons (4)

Button        Action
Help          Bring up the Help.
Apply         Make changes permanent but do not close the window.
OK            Apply changes and close the window.
Cancel        Do not make any changes and close the window.
Edit Config   Open the Configuration Browser, an easy-to-use wizard for building an Intact configuration file. Trick: to open the configuration in Notepad instead of the Configuration Browser, hold down the Control key while pressing the button.
Parse Config  Parse the configuration file and return a message indicating whether the configuration file is syntactically valid.

Table 1: Control panel buttons

Scheduling Tab

Figure 2: Scheduling tab

Intact can be scheduled to run unattended at various times[1]. You schedule Intact by selecting the minutes, hours, etc. for which you want to execute. When you select multiple items in one list, Intact will run at each one. For example, if you select “Any” for hour and “00” and “30” for minutes, Intact will run twice every hour, once on the hour and once on the half hour.

Commands Tab

Figure 3: Commands tab

Command buttons allow you to immediately begin a check, build, or other function. Pressing the “Build” or “Check” button will bring up a window that displays the output and messages from Intact. See the above discussion on “Polling” for help with the “Poll” button.

Advanced Defines Tab

Figure 4: Advanced Defines tab

This option allows you to add additional variables that you want to define in the configuration file. This is a comma-separated list of “variable=value” pairs. This feature will become clearer in the context of the configuration file description later in this manual.

If you are having difficulty receiving email from Intact, click the “Debug email” option, apply your changes then press the “parse config” button from the “Configuration” tab. This will display detailed information regarding the SMTP mail delivery.

Control Panel Registry Keys

Intact and the Intact Control Panel applet use the following registry key values under HKEY_LOCAL_MACHINE\Software\Pedestal Software\Intact. For the Enterprise version, most of this information is stored in the SQL database, and not in the registry.

Key                         Description
ServiceConfigFile           Location of the Intact configuration file, e.g. “c:\applications\intact\intact.icf”.
ServiceConfigType           Boolean: 0=Enterprise; 1=Intelligence/Open Use.
ServiceExecutionSchedule    Cron-formatted execution schedule, e.g. “0 1 * * *”.
ServiceExtraDefines         Comma-separated list of NAME=VALUE pairs.
ServiceForcepollFile        File location of the Enterprise version polling file.
ServiceNonStop              Boolean: 0=run as scheduled; 1=run continuously.
ServiceODBCDatasource       Enterprise version datasource name.
ServiceODBCLogin            Enterprise version login name.
ServiceODBCPassword         Enterprise version database password, stored in a reversible obfuscated format.
ServiceODBCTable            Enterprise version database configuration name. Normally the COMPUTERNAME of the workstation or server.
ServicePollingInterval      Enterprise version polling interval, in minutes.
ServiceScheduleActivate     Boolean: 0=disable execution schedule; 1=enable execution schedule.
<behavior db path>          In Intelligence and Enterprise, a full path to a behavior database. This value is used to count down self-identification runs in auto mode.

Table 2: Registry keys for Control Panel

Using the Enterprise Administrator

This functionality is only supported in the Enterprise version of Intact.

The Intact Enterprise Administrator is a GUI tool for administering the central repository of Intact databases, configurations and output logs. It will also allow you to modify the settings on client machines, schedule builds, checks and issue other commands to the clients.

Figure 5: Intact Enterprise Administrator

Logging in

When first run, the administrator will prompt you to log into an ODBC data source that connects to the Intact database. You must first set this up on your system using the ODBC control panel, which NT provides. Please make sure to read “ODBC Setup” on page 13 later in this chapter for important information about getting Intact to work with your particular database vendor.

If you plan on making changes to the database, the login you use must have select, update, insert, delete access to all tables in the database as well as create, grant, revoke access on the database. The best type of account to use is an SA or DBA account.

Also, some databases create user spaces for tables created by specific users. For example, if you log in as “db2admin”, all your tables will be preceded by “db2admin”. This is important because the Administrator expects certain tables to be in the default name space. So if a different user logs in, he or she may be unable to see any configurations. This is useful in order to manage permissions and to create sandbox environments where administrators are only allowed to manage a subset of systems. More information is in the section “SQL Table Structures” on page 14.

The first thing that the Enterprise Administrator does when it connects to a new database is ask whether you want to prepare the database for Intact use. If you select “No”, nothing will happen.

If you choose “Yes,” the Enterprise Administrator will ask you what type of database server you are using. Intact will use this information to determine how to access your database and create tables. If you need more information, see “SQL Table Structures” on page 14. After you select the best choice, the Enterprise Administrator will attempt to create all the necessary tables and open up a blank Hosts List.

Hosts List

The first window to come up is the “Hosts list,” which lists all the computers managed by this user on this server. This list contains four columns.

Figure 6: Hosts list

These columns are:

1)      Computer name: the host name known to the database. This may or may not correspond to the actual hostname used by TCP/IP networks or Netbios.

2)      Status: indicates whether there are any pending commands or actions.

3)      Mode: the current mode of operation as determined by looking at the detection database.

4)      Items Flagged: number of records flagged in the output table.

Right-click on a single host to get a menu. This menu allows you to operate on the host entries. The options are:

1)      Properties: Display information about the host, its settings, how to establish connections, database properties, permissions, etc.

2)      Configure: Bring up the configuration browser for this host. The configuration browser is described in its own section.

3)      View Output: Bring up the output viewer and display all output in the database. The output viewer is described in its own section.

4)      Commands: Display the client commands issued, pending and executed.

5)      Refresh: reload the information on the list.

6)      Update Statistics: this item will only appear if your SQL vendor requires an “update statistics” command to be issued periodically in order to keep indexes up-to-date.

7)      Delete: Delete the entry from your host list and remove all its associated tables. This command will permanently remove the detection database, configuration, and output for this host.

8)      New: Create a new entry.

Properties

Selecting the properties menu option brings up the properties dialog box.

Figure 7: Properties dialog box

This dialog box allows you to change parameters about the host and connectivity. It is divided into tabs. Each tab will be discussed in detail below.

SQL

This section includes information about connecting to the database server.

1)      Client user name: This is the name which the client will use to connect to the server. The password is stored on the client only and must be changed from there.

2)      Table name prefix: Intact creates all sorts of tables for this host. They all begin with this prefix (such as “www_det”, “www_output”).

3)      Change Permissions: This will issue grant and revoke commands to the database so that the user in “Client user name” will have limited permissions to perform only the roles you select.

4)      SQL Settings: Allows you to modify the type of database and database defaults which the Enterprise Administrator will use. This rarely needs to be changed.

5)      Duplicate Host: define a new host based on the settings of this one.

6)      Rename Host: rename this host.

Schedule

This is the schedule that the client will keep for running Intact unattended. The schedule is in the cron[2] format.

To edit using an easy-to-use graphical form, press the “?” button. This button will bring up a window with five listboxes that allow you to select the times and days to execute.

An example may serve to illustrate the cron format. If you select “0” and “30” for minutes, the scheduler will execute every time the system clock shows minutes of 0 or 30 such as 1:00, 1:30, 2:00, 2:30, etc. If, in addition, you select only hours of “5”, it will execute only at 5:00 and 5:30. It will execute every time the system clock matches all of the parameters you select.
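The Scheduling tab description above and this cron example both describe the same matching rule: Intact runs whenever the clock matches every selected field. The following added Python example (not Intact's own scheduler) evaluates a five-field schedule such as the ServiceExecutionSchedule value “0 1 * * *”; it assumes standard cron semantics, including the convention that when both day-of-month and day-of-week are restricted, the schedule fires when either one matches, which the manual does not spell out.

```python
"""Evaluate a five-field cron schedule ("min hour dom month dow") against clock
times. Added illustration of the format Intact stores in ServiceExecutionSchedule;
it is not Intact's scheduler and assumes standard cron semantics."""
from datetime import datetime, timedelta

# (low, high) bounds for minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(spec, lo, hi):
    """Expand one field ("*", "0,30", "1-5", "*/15") into the set of values it matches."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field: {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(schedule):
    """Parse the schedule text into five value sets plus two wildcard flags."""
    fields = schedule.split()
    if len(fields) != 5:
        raise ValueError("cron schedule needs exactly five fields")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    if 7 in sets[4]:            # cron accepts 7 as an alias for Sunday (0)
        sets[4].discard(7)
        sets[4].add(0)
    return sets, fields[2] == "*", fields[4] == "*"


def matches(parsed, when):
    """True if the parsed schedule fires during the minute given by `when`."""
    (minutes, hours, doms, months, dows), dom_any, dow_any = parsed
    if when.minute not in minutes or when.hour not in hours or when.month not in months:
        return False
    cron_dow = (when.weekday() + 1) % 7      # Python Monday=0 -> cron Sunday=0
    dom_ok, dow_ok = when.day in doms, cron_dow in dows
    if dom_any or dow_any:
        return dom_ok and dow_ok
    return dom_ok or dow_ok     # both restricted: classic cron runs when either matches


def _as_datetime(value):
    """Accept either a datetime or an ISO 8601 string such as "2000-01-03T05:30"."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def fires(schedule, when):
    """Does the schedule text fire at this time?"""
    return matches(parse_schedule(schedule), _as_datetime(when))


def run_times(schedule, start, end):
    """Every minute in [start, end) at which the schedule fires, in order."""
    parsed = parse_schedule(schedule)
    t = _as_datetime(start).replace(second=0, microsecond=0)
    end = _as_datetime(end)
    hits = []
    while t < end:
        if matches(parsed, t):
            hits.append(t)
        t += timedelta(minutes=1)
    return hits


if __name__ == "__main__":
    # The manual's example: minutes 0 and 30, hour 5 only -> fires at 05:00 and 05:30
    for hit in run_times("0,30 5 * * *", "2000-01-03", "2000-01-04"):
        print(hit.strftime("%H:%M"))
```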

The “run continuously” field, if checked, will instruct the client to continuously execute Intact – when Intact completes one iteration, it is immediately launched again.

Polling

Polling is when the client looks to see if there are any pending commands to execute. Commands are covered later in this section.

The client will look for commands at an interval that is specified by the “minutes” field at the bottom of the dialog box. If this item is set to 0, the client will not check for new commands periodically. If the client is not checking, the only way to issue commands is by using a force poll method described below or by logging on directly on the client.

During a poll, the client will connect to the database. Setting the interval to a small value will increase the load on your database server but decrease the time you have to wait for the client to notice and execute commands that you’ve queued. Conversely, setting this to a higher number will increase the amount of time you have to wait, but decrease the amount of database activity generated by Intact clients. Choosing an appropriate number depends on the capacity of your database, the number of clients, your use of the forcepoll option, and the responsiveness you require.

Additionally, you can select a force poll method to have the client initiate polls via a trigger. A poll is triggered not only after the polling interval, but also when a change to the last modified time of the “forcepoll file”, as entered in the “forcepoll path”, has been detected. This method provides a protocol-independent way of managing Intact clients and eliminates delays waiting for the polling interval to expire. The Enterprise Administrator can create a remote forcepoll file by using Windows Networking, FTP or executing any command.

The location of this file and its access control list are important. The file name entered must be relative to the client and you should ensure that the file has locked down access control. An appropriate access control list will depend on the protocol you choose, but must at least allow read access to LocalSystem and write access to the user used to connect with the Enterprise Administrator.

These are the supported methods built into the Enterprise Administrator:

1)      None: Don’t use the “forcepoll” option (you may still use the polling interval).

2)      FTP: Use FTP to create the file.

3)      Windows Net: Use Windows Networking to create the file.

4)      Command: Execute an external command that will create the file.

If you select FTP or Windows Net, another dialog box will come up asking for information about how to establish the connection, such as the remote host, user, password, path, etc. You can check the field at the bottom of the dialog to have the Administrator prompt you every time for this information before creating the file. Keep in mind that anything you enter in this dialog box will be stored in the database in a scrambled but reversible form, so you may not want to enter the password.
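The two triggers described above, the polling interval and the forcepoll file, as an added Python example. This is illustration added to the manual, not Intact’s own client code: the class and function names are this example’s own, and the demo uses a temporary directory in place of the forcepoll path a real client would be configured with.

```python
import os
import tempfile
import time


class PollTrigger:
    """Decides when an Intact-style client should look for queued commands.

    Two triggers are modelled, as the manual describes: a polling interval
    in minutes (0 disables periodic polling) and a "forcepoll" file whose
    last-modified time changing means "poll now".  The class and method
    names are this example's own, not Intact's.
    """

    def __init__(self, interval_minutes, forcepoll_path=None, now=time.time):
        self.interval = interval_minutes * 60
        self.forcepoll_path = forcepoll_path
        self.now = now                      # injectable clock, so the demo is deterministic
        self.last_poll = now()
        self.last_mtime = self._mtime()

    def _mtime(self):
        # The forcepoll file should be readable by LocalSystem and writable
        # only by the Enterprise Administrator account; an absent file simply
        # means nothing has been forced yet.
        if not self.forcepoll_path:
            return None
        try:
            return os.stat(self.forcepoll_path).st_mtime
        except OSError:
            return None

    def should_poll(self):
        """Return why a poll is due ("interval" or "forcepoll"), or None."""
        if self.interval and self.now() - self.last_poll >= self.interval:
            self.last_poll, self.last_mtime = self.now(), self._mtime()
            return "interval"
        current = self._mtime()
        if current != self.last_mtime:
            self.last_poll, self.last_mtime = self.now(), current
            return "forcepoll"
        return None


def forcepoll_demo():
    """Constructed scenario: interval 0 (periodic polling off), file touched twice."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "forcepoll.txt")
        clock = [1000.0]
        trigger = PollTrigger(0, path, now=lambda: clock[0])
        before = trigger.should_poll()              # no file yet
        with open(path, "w") as f:                  # administrator creates the file
            f.write("poll\n")
        created = trigger.should_poll()
        unchanged = trigger.should_poll()           # nothing new since the last look
        os.utime(path, (2000, 2000))                # file re-created / touched again
        touched = trigger.should_poll()
        return [before, created, unchanged, touched]


def interval_demo():
    """Constructed scenario: one-minute interval, no forcepoll file."""
    clock = [0.0]
    trigger = PollTrigger(1, None, now=lambda: clock[0])
    early = trigger.should_poll()
    clock[0] += 60.0
    due = trigger.should_poll()
    return [early, due]
```

The two demos return the sequence of trigger reasons; with the interval set to 0 only the forcepoll file ever causes a poll, which is the configuration the manual describes for sites that rely on force polling alone.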

Remote

This tab only has a single field that contains the computer name used for remote browsing while building the configuration file and for starting and stopping the Intact service (available in the Action tab). This is the real computer name.

Action

The action tab covers a variety of operations you may want to perform for the host.

1)      Send Command: Bring up the commands dialog described below.

2)      Show Output: Bring up the Output Viewer.

3)      Edit Configuration: Bring up the Configuration Browser.

4)      Poll Now: Create a forcepoll file.

5)      Start and stop: start and stop the Intact Service on the remote client.

Additionally, a checkbox allows you to select whether a forcepoll file should be created every time you issue a new command to the remote host. Using this option simplifies remote administration and ensures that commands will be executed promptly.

Notes

A text area is provided for entering any notes you wish. These notes are not used by the program and are provided for you to store important information.

Commands

Commands are issued from the Enterprise Administrator to the clients. Typical commands are “Build” and “Check”. When a command is issued, it is placed in a table on the database. The client periodically looks at the table for new commands and when it finds them, it executes them. The interval for checks is set at the client or in the Properties dialog box. After choosing “Commands” from the pop-up menu or the pull-down menu, a dialog box comes up listing all the commands on the table.

·  Figure 8: Host commands dialog box

Commands that are no longer needed are removed by selecting them and pressing the “Delete” button.

New commands are issued by choosing an item from the “New client command” pull-down listbox. The commands provided are:

1)      Build: build a new database based on the current configuration.

2)      Check: check an existing database against the current state of the system.

3)      Make configuration: during self-identification mode, you can cause Intact to create a new configuration file even if self-identification mode has not finished.

4)      Auto build/check: run Intact automatically. This is the mode that is typically used for self-identification mode. Intact will determine whether it should be checking the behavior of the system, creating a new configuration, building a new database or checking the system.

5)      Reload settings: when you change settings (schedule, ODBC, etc.), use this command to make sure the client software will use the new settings.

6)      Ping: requests acknowledgement from the client. Use this option to make sure the client is alive and functioning.

7)      Terminate: this command will cause Intact to stop whatever it is doing.

ODBC Setup

Both the Administrator and the Intact client use ODBC to communicate with your central database. Therefore, you must set up a valid ODBC DSN to connect to the same database. Directions for setting up the DSN vary depending on the database vendor and are beyond the scope of this manual. However, some considerations are important.

1)      Not all ODBC drivers support all features necessary to run Intact properly. Ensure that you are using the latest ODBC drivers. Use of old or incorrect drivers may crash Intact. Your driver must be ODBC 3.0 Level 2 compliant. We recommend installing MDAC 2.1, which is downloadable from Microsoft.

2)      The Administrator uses ADO 2.0 to access data through ODBC. Both ADO and ODBC must be installed on the computers that will run the Administrator. Most installations of NT have the proper library support. If not, ADO is a free download from Microsoft. A copy is included on Intact CD’s.

SQL Table Structures

The Enterprise Administrator creates two tables to keep track of hosts and database settings.

Table        Purpose

host_list    This table has a list of hosts. It has the following columns:

             Host       name of host displayed in host list
             Stable     SQL table prefix for host-specific tables
             Notes      any notes displayed in the Properties dialog box

host_info    This table contains key/value pairs of configuration information related to the database.

·  Table 3: SQL configuration tables

Additionally, for each Intact client, four tables are created. Each table name is the “Stable” table prefix followed by the extension given in the table below.

Extension    Purpose

_det         This is the detection database. It contains the following columns: k, i, s, v.

_conf        This is the configuration and command table. It contains the following columns:

             Name       setting or command
             Statusid   status of command if this is a command
             Status     text representation of statusid with explanation
             S          size of config column
             Config     value of setting or command parameters

_output      This is the output log. It contains the following columns:

             Id         a line number
             Itemtype   type of record
             Item       name of item being flagged
             Rtype      type of flag
             Msg        text message

_cinfo       This is information about the computer. The client does not have access to this table. It is used by the Administrator. It contains key/value pairs.

·  Table 4: SQL client tables

Permissions

The user name used to log into the database with the Administrator must have the following special access to the database.

1)      CREATE TABLE

2)      DROP TABLE

3)      UPDATE TABLE

4)      INSERT INTO

The user that logs into the client should have no access to any tables. The Administrator will grant and revoke access as needed when the host changes roles. There are two roles:

1)      Check: This role grants only select access to the _det and _conf tables. It grants update access to the _conf columns status and statusid. It also grants only insert access to _output (and select access to the _output column id so it can keep writing sequentially).

2)      Build: In addition to the check permissions, this role requires insert, update and delete access to the _det table.

The same user name can be used by more than one client to access the database. However, because of the sensitive nature of the Intact database, this is not recommended. Each client machine should use its own user name so that in case the client is compromised, the user name can only be used to cause damage for one machine. Even so, the user name can only alter the status of commands or enter new rows at the end of the _output table. It cannot destroy any data or alter the detection database.
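The two roles above, expressed as the GRANT and REVOKE statements an administrator would issue when a host changes role, as an added Python example. This is not the Enterprise Administrator’s own code: the table prefix `web1`, the user name `web1_user` and the exact statement syntax are assumptions, and the manual’s Oracle note (no column-level SELECT, so the whole output table becomes readable) is modelled with the `column_grants` switch.

```python
# Constructed privilege matrix for the per-host tables (prefix + extension),
# following the manual's description of the "check" and "build" roles.
# (role, extension) -> set of (privilege, columns); () means the whole table.
ROLE_PRIVILEGES = {
    "check": {
        "_det":    {("SELECT", ())},
        "_conf":   {("SELECT", ()), ("UPDATE", ("status", "statusid"))},
        "_output": {("INSERT", ()), ("SELECT", ("id",))},
        "_cinfo":  set(),            # Administrator-only table: the client gets nothing
    },
}
ROLE_PRIVILEGES["build"] = {ext: set(p) for ext, p in ROLE_PRIVILEGES["check"].items()}
ROLE_PRIVILEGES["build"]["_det"] |= {("INSERT", ()), ("UPDATE", ()), ("DELETE", ())}

WRITE_PRIVILEGES = {"INSERT", "UPDATE", "DELETE"}


def _effective(role, column_grants=True):
    """Privileges for a role. Without column-level grants (the manual's Oracle
    case) a column-restricted SELECT widens to the whole table."""
    result = {}
    for ext, privs in ROLE_PRIVILEGES[role].items():
        result[ext] = {
            (name, cols if column_grants or name != "SELECT" else ())
            for name, cols in privs
        }
    return result


def _fmt(name, cols):
    return f"{name} ({', '.join(cols)})" if cols else name


def grant_statements(prefix, user, role, column_grants=True):
    """GRANT statements giving `user` exactly what `role` needs on the tables
    prefix_det, prefix_conf, prefix_output and prefix_cinfo (assumed SQL syntax)."""
    stmts = []
    for ext, privs in sorted(_effective(role, column_grants).items()):
        for name, cols in sorted(privs):
            stmts.append(f"GRANT {_fmt(name, cols)} ON {prefix}{ext} TO {user}")
    return stmts


def role_transition(prefix, user, old_role, new_role, column_grants=True):
    """Statements to move a host from old_role to new_role: REVOKE what the
    new role no longer needs, then GRANT what it adds, so nothing is left over."""
    old, new = _effective(old_role, column_grants), _effective(new_role, column_grants)
    stmts = []
    for ext in sorted(set(old) | set(new)):
        for name, cols in sorted(old.get(ext, set()) - new.get(ext, set())):
            stmts.append(f"REVOKE {_fmt(name, cols)} ON {prefix}{ext} FROM {user}")
        for name, cols in sorted(new.get(ext, set()) - old.get(ext, set())):
            stmts.append(f"GRANT {_fmt(name, cols)} ON {prefix}{ext} TO {user}")
    return stmts


def can_write_table(role, ext, column_grants=True):
    """True if the role holds any INSERT/UPDATE/DELETE on the given table."""
    return any(name in WRITE_PRIVILEGES for name, _ in _effective(role, column_grants)[ext])
```

`role_transition("web1", "web1_user", "build", "check")` yields only the three REVOKEs on `web1_det`, which is the point of the role split: a compromised client credential in the check role can append to the output log and change command status, but cannot touch the detection database.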

User Space

It is typical for many database servers to assign created tables to the creating user’s space. A database that does this will require tables to be accessed as username.table instead of simply table. If this is the case for you, you will have to take extra precautions that on each client machine the “Intact Config Name” entry in the Control Panel is preceded by the appropriate namespace.

Furthermore, since the Administrator creates the global tables “host_list” and “host_info” in its own space, only the user used to log into the Administrator when these tables are created will be able to see them. You can use this to your advantage by creating different “views” of the Intact database for different users.

Microsoft SQL Server

This database is the preferred database for using Intact. It is the only fully-supported database because it handles Unicode characters properly. There are only a few special considerations for using SQL Server.

One thing to keep in mind is to set the “Clear log on checkpoint” option when installing SQL Server so that database updates do not fill up your transaction log space.

In addition, older versions of both MS SQL Server and Sybase require the periodic running of an “update statistics” command on all the tables that contain indexes in order to achieve optimal performance. If SQL accesses seem slow, it is advisable to have your DBA issue this command. Since performance degrades over time, it is probably even better if the execution of this command is scheduled periodically. Newer versions of SQL Server will update statistics automatically.

Oracle

Oracle will work well with Intact. However, because the current version does not handle Unicode completely, some features may look strange. For example, file names with Unicode characters will show up with a “?” in the non-ASCII characters. Intact will function properly because it stores the binary representation of Unicode characters, but the reporting will not be as clear.

Also, some versions of Oracle may not support SELECT permissions on specific columns, so this feature is turned off. This means that anyone who gets the client-side username and password will be able to read the output table (but not update it).

IBM DB2

IBM’s DB2 also works well with Intact. Like Oracle, it cannot handle Unicode properly. Additionally, if you are using an older version of DB2, you must change the db2cli.ini file in your “SQLLIB” directory (or wherever you installed the DB2 client software). Add “LONGDATACOMPAT=1” to the section where your Intact database is defined. This ensures that Intact’s binary data is stored correctly.

Other database vendors

Other databases may or may not work depending on the syntax they use to define binary objects and large text objects and on their support of GRANT/REVOKE. You may want to try different settings and check whether tables were created, errors were generated and permissions were set properly. Your best bet is to try the “Oracle” defaults first.

Execution: the intact.exe command

intact.exe is the command which updates, builds and checks the database. This command performs all the critical functions of Intact. It is typically executed by the Control Panel and Service, but may also be executed independently. This section describes how to execute intact.exe independently. Not all functions described here are available in the Open Use version. Self-ident, make-conf and auto mode are only available in the Intelligence, Directory Services, and Enterprise versions.

intact.exe has several command-line options which affect reporting and performance. Each time intact is executed, it will read the configuration file you specify. That configuration file contains rules for processing the system. The format of this file is outlined in the next section.

Intact works in five operating modes: build, check, self-identification, make-conf and auto.

Mode                  Description

build                 Build mode builds a new detection database for use in subsequent check mode or self-identification mode executions.

check                 Check mode reports on changes to the system as last recorded in an Intact detection database.

self-identification   Self-identification mode is a unique feature of Pedestal Software’s integrity checking system. The idea behind self-identification is to observe the system and record changes occurring to files, directories and registry keys to allow Intact to build a configuration file automatically, pruning the objects or aspects of objects which are likely to change on a system. The scope and duration of the observation period is user-defined.

make-conf             After a sufficient learning period, you may instruct Intact to utilize the self-identification information to build a new configuration file. This is accomplished by running Intact in make-conf mode. Make-conf mode takes a configuration file and a behavior database as inputs and produces a new configuration file as output. The new configuration file will have a scope within that of the supplied configuration file even if the behavior database contains information about objects out of the scope of the supplied configuration file.

auto                  Auto mode is intended for completely automated installation and configuration. This is the default mode when Intact is installed. In auto mode, Intact will observe the system for some period of time, automatically produce a configuration file, and automatically report on changes forthwith to a centralized management station.

·  Table 5: Intact execution modes

Creating a new database

·  Figure 9: Creating a new database

When creating a database, you execute intact.exe specifying a configuration file and database file name such as

intact -build web1.icf a:\web1.idb

intact will then read the configuration file which specifies which directories, files and registries to read (or not read) and begin storing all relevant information about these objects into the detection database. If you are running in self-identification mode, Intact will also create the initial behavior database. Typically, the database is stored on a removable media, such as.

When you have created the database, remove the disk and store it in a secure location. The database contains information about where and when it was created and with what configuration file, but is not itself guarded against alteration. Any person with physical access to the disk could alter the database in conjunction with malicious changes to the system. Write-protecting the disk will at least prevent programs from changing the data without physical interaction.

Comparing an existing database to a system

·  Figure 10: Comparing a database with a system

When you wish to check the system against the database, first reinsert the disk or removable media with the database, or connect to the network drive which contains the database. Then execute the check command. Make sure you use the same configuration file.

intact -check web1.icf a:\web1.idb

The configuration file contains information about notification of errors. They may be reported on the screen or sent via e-mail to a particular user. Additionally, if running in self-identification mode, the behavior database will be updated to reflect detected changes. You may also specify more parameters on the command line to control various aspects of verification, creation and reporting. See the section Command line interface below on page 34.
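The build and check cycle above, as an added Python example that is not part of Intact: it records the size, modification time and a SHA-1 hash of every file under a directory into a JSON “database”, then reports what was added, removed or changed. ACLs and registry keys, which Intact also records, are left out, and the file names in the demo are constructed. The demo also shows why a content hash matters: it edits a file without changing its size and puts the original timestamp back, so only the hash gives the change away. Because the manual notes that the database itself is not guarded against alteration, `db_fingerprint` returns a value you can keep off-line and compare before each check.

```python
import hashlib
import json
import os
import tempfile

# Example code added to this manual, not Intact's own. It records the file
# properties a check compares (size, mtime, SHA-1 of the content); ACLs and the
# registry, which the real product also covers, are left out for brevity.


def _record(path):
    st = os.stat(path)
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha1": digest.hexdigest()}


def _snapshot(root):
    objects = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            objects[os.path.relpath(full, root)] = _record(full)
    return objects


def build(root, db_path):
    """Write a new detection database (JSON here; Intact uses its own .idb format)."""
    objects = _snapshot(root)
    with open(db_path, "w") as f:
        json.dump({"root": root, "objects": objects}, f, indent=1, sort_keys=True)
    return len(objects)


def db_fingerprint(db_path):
    """SHA-1 of the database file itself, to be recorded off-line and compared
    before a check, since the database is not self-protecting."""
    with open(db_path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()


def check(root, db_path):
    """Compare the system to the database; return (kind, object, changed properties)."""
    with open(db_path) as f:
        baseline = json.load(f)["objects"]
    current = _snapshot(root)
    flags = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            flags.append(("removed", rel, ""))
        elif rel not in baseline:
            flags.append(("added", rel, ""))
        else:
            diff = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
            if diff:
                flags.append(("changed", rel, ",".join(diff)))
    return flags


def demo():
    """Constructed scenario: baseline, then a same-size edit with the original
    mtime put back (only the hash gives it away), one new file, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "web1")
        os.mkdir(root)
        db = os.path.join(tmp, "web1.idb")
        for name, body in [("app.exe", b"MZ original"), ("config.ini", b"[web]\n"), ("old.log", b"")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        build(root, db)
        fingerprint = db_fingerprint(db)
        clean = check(root, db)
        target = os.path.join(root, "app.exe")
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"MZ modified")                    # same length as the original
        os.utime(target, (st.st_atime, st.st_mtime))  # timestamp put back
        with open(os.path.join(root, "new.dll"), "wb") as f:
            f.write(b"MZ")
        os.remove(os.path.join(root, "old.log"))
        tampered = check(root, db)
        untouched_db = db_fingerprint(db) == fingerprint
        return clean, tampered, untouched_db
```

Run `demo()` to see the first check come back empty and the second report `app.exe` as changed in `sha1` only, `new.dll` as added and `old.log` as removed.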

Self-identification

Self-identification mode is a unique feature to Pedestal Software’s integrity checking system. The idea behind self-identification is to observe the system and record changes occurring to files, directories and registry keys to allow Intact to build a configuration file automatically pruning the objects or aspects of objects which are likely to change on a system.  Auto mode described in the next section makes this process easy to use and administer.

The scope and duration of the observation period is user-defined. Self-identification mode requires a configuration file, a detection database, and a behavior database as arguments. The behavior database argument must be supplied in the configuration file by #define’ing BEHAVIORDB, and the syntax to Intact is the same as for check mode:

  intact -check myconfig.icf moving-baseline.idb

When preparing for self-identification mode, the general idea is to keep the configuration file broad and simple, including even those files which you know change frequently or are even inaccessible (for example “c:\pagefile.sys”). Intact will observe which aspects of all objects[3] within this scope do not change and all aspects of objects within the scope that do change. For example, the file “c:\winnt\system32\config\system” may not be accessible for recording the SHA hash, but is accessible for recording the ACL and last modified time. Intact will observe this behavior and build a configuration file (in make-conf mode) instructing Intact to report on the aspects of objects not likely to change. It is acceptable to ignore the errors and other output during this phase.

Self-identification mode creates a new detection database each time it is run which permits Intact to observe changes in the system between runs. The old detection database is discarded each time as it is no longer needed. More specifically, during a self-identification run the system is compared to the current detection database and at the same time a new database is built with the old name plus a “.inuse” extension. When the self-identification process has completed the old detection database is removed and the new one renamed to the original name. At the same time, the behavior database is updated to reflect the observed changes and object properties. If an existing behavior database does not exist, a new one is created.

After an observation period you may instruct Intact to utilize the self-identification information to build a new configuration file. This is accomplished by running Intact in make-conf mode. Make-conf mode takes a configuration file and a behavior database as inputs and produces a new configuration file as output. The new configuration file will have a scope within that of the supplied configuration file even if the behavior database contains information about objects out of the scope of the supplied configuration file. The behavior database parameter must be supplied in the configuration file by #define’ing BEHAVIORDB (or by running Intact with -D BEHAVIORDB=myconfig.icf). For example:

  intact -makeconf myconfig.icf output-config.icf
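The self-identification, make-conf and auto-mode sequence described above, as an added Python example that is not Intact’s own implementation: a small in-memory behavior database that learns which properties of each object change between runs, a make-conf step that keeps only the stable properties and excludes objects that have none (restricted to the supplied scope, as the text says), and an auto-mode countdown after which later runs become checks. The property names (“sha”, “mtime”, “size”, “acl”), the snapshot values and the emitted line format are constructed for the example and are not Intact’s flag letters.

```python
from collections import defaultdict

# Example code added to this manual, not Intact's own. Property names ("sha",
# "mtime", "size", "acl") are descriptive stand-ins, not Intact's flag letters,
# and a value of None stands for a property that could not be read.


class BehaviorDB:
    """In-memory stand-in for the behavior database (.bhv): remembers, per
    object, which properties were readable and which ever changed between runs."""

    def __init__(self):
        self.last = {}                     # object -> properties seen on the previous run
        self.seen = defaultdict(set)       # object -> properties read successfully at least once
        self.changed = defaultdict(set)    # object -> properties that changed between runs
        self.runs = 0

    def observe(self, snapshot):
        """snapshot: {object: {property: value or None}} from one self-identification run."""
        for obj, props in snapshot.items():
            previous = self.last.get(obj, {})
            for prop, value in props.items():
                if value is not None:
                    self.seen[obj].add(prop)
                if prop in previous and previous[prop] != value:
                    self.changed[obj].add(prop)    # includes readable -> unreadable flips
            self.last[obj] = dict(props)
        self.runs += 1

    def make_conf(self, scope):
        """Configuration lines for objects in `scope` only; objects the behavior
        database knows about but which are out of scope are not emitted."""
        lines = []
        for obj in scope:
            stable = self.seen.get(obj, set()) - self.changed.get(obj, set())
            if stable:
                lines.append(f"{obj}  {' '.join(sorted(stable))}")
            else:
                lines.append(f"!{obj}")        # nothing reliable to report on: exclude it
        return lines


class AutoMode:
    """Auto mode: self-identification runs until the countdown (AUTO_COUNTDOWN_TIMER,
    default 6) expires, then a configuration is generated and later runs check."""

    def __init__(self, scope, countdown=6):
        self.db, self.scope, self.countdown, self.conf = BehaviorDB(), scope, countdown, None

    def run(self, snapshot):
        if self.countdown > 0:
            self.db.observe(snapshot)
            self.countdown -= 1
            if self.countdown == 0:
                self.conf = self.db.make_conf(self.scope)
            return "self-identification"
        return "check"


SCOPE = [r"c:\winnt\system32\ntoskrnl.exe", r"c:\winnt\system32\config\system", r"c:\pagefile.sys"]


def sample_runs():
    """Three constructed observation runs: the kernel never changes; the SYSTEM
    hive cannot be hashed but keeps its ACL; the pagefile is all churn."""
    return [
        {
            SCOPE[0]: {"sha": "9f2a", "mtime": 100, "size": 900, "acl": "admins:F"},
            SCOPE[1]: {"sha": None, "mtime": 100 + i, "size": 512 * (i + 1), "acl": "system:F"},
            SCOPE[2]: {"sha": None, "mtime": 50 + i, "size": None, "acl": None},
            r"d:\scratch\tmp.dat": {"sha": "00", "mtime": 1, "size": 1, "acl": "x"},   # out of scope
        }
        for i in range(3)
    ]


def demo():
    auto = AutoMode(SCOPE, countdown=3)
    modes = [auto.run(s) for s in sample_runs()] + [auto.run(sample_runs()[-1])]
    return modes, auto.conf
```

`demo()` returns the mode of each of four runs (three observations, then a check) and the generated configuration: every property of the kernel file, only the ACL of the SYSTEM hive, and an exclusion line for the pagefile. The out-of-scope object is learned but never emitted.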

Auto mode

Auto mode helps you automate installation and configuration of self-identification. This is the default mode when installing Intact. In auto mode, Intact will observe the system for some period of time. Then, it will produce a configuration file. After that, it will report on changes to a centralized management station. See the section on event notification for information on the options and configuration details. In this mode, the system uses the “hklm\software\pedestal software\intact” registry key to keep a countdown timer for self-identification mode. When this timer has expired a new configuration file is automatically generated replacing the existing one by renaming it with a “.orig” extension and subsequent runs are in check mode. You can revert back to self-identification mode simply by copying the original configuration file over the current configuration file.

You generally want to retain the behavior database even when the self-identification mode observation period has completed. When new software is added to the system and as changes are made, Intact can reuse the behavior database to continually learn more about the system’s behavior and subsequently produce more accurate configuration files. It’s also advisable to save the detection database used for self-identification and not to overwrite it with a new baseline. When you reset Intact into self-identification mode because of system changes, Intact will be able to observe changes since the last self-identification run.

Event Notification and centralized management

Intact utilizes your operating system and standard protocols to report on system changes to a centralized console. Intact supports syslog, NT Event Log, files (including file systems accessible via NT networking), and SMTP e-mail. If you are using the Enterprise version, your output will also be sent to a central repository.

You may want to deploy more than one of these protocols in your environment. One typical combination is both e-mail and NT Event Log notification. If you are not using the Enterprise version, another possibility is saving all output to a “write-only” centralized share. You could also save the output file locally within a protected area of a running web server and retrieve the output via HTTP or HTTPS and receive notifications via syslog and/or NT Event Log.

Using standard file extensions will also help to manage your system. The table below outlines the recommended file extensions for each type of file.

File                   Extension

Detection database     .idb
Behavior database      .bhv
Configuration file     .icf
Output file            .iof

·  Table 6: Recommended file extensions

Configuration file

The configuration file describes which objects and object properties Intact should monitor. An easy-to-use GUI is provided with the software. Information about the GUI can be found in the section below titled “Configuration Browser” on page 34. However, the configuration file contains a rich language that is not entirely covered by the GUI.

Comments in the configuration file begin with the semi-colon character (“;”) and can occur anywhere in the line; all characters after the “;” character are ignored by Intact.

Commands begin with a “#” character. Readers familiar with C and C++ will recognize many of the commands as standard pre-processor commands. Note, however, that there are some differences in syntax when using variables. As in C, commands are followed by a list of parameters separated by spaces if any parameters are required. The commands are shown in the table below. The column labeled Parameters indicates the name of each parameter.

Command             Parameters   Meaning

#define             VAR TEXT     Define VAR so that wherever $(VAR) is found, TEXT is substituted in the file. VAR and TEXT should be replaced with a specific variable name and the text to define.

#undef, #undefine   VAR          Removes VAR from the list of defined variables. You must issue this command before redefining a variable.

#ifdef              VAR          Process until “#endif” if variable VAR is defined.

#ifndef             VAR          Process if VAR is not defined.

#if                 EXPR         Evaluate an expression EXPR and process if true. Expressions are algebraic. The operators are described below.

#else                            Follows an “#if”, “#ifdef” or “#ifndef” to indicate that the commands after the “#else” should be executed if the commands above were not.

#endif                           Terminates an “#if”, “#ifdef” or “#ifndef” command.

·  Table 7: Configuration file commands

Expressions

In expressions, several operators can be used. They will be explained in the table below. The Syntax column will contain an upper case letter that represents variables or values.

Operator   Syntax      Meaning

==         A==B        True if A and B are equal
!=         A!=B        True if A and B are not equal
>          A>B         True if A is greater than B
>=         A>=B        True if A is greater than or equal to B
<          A<B         True if A is less than B
<=         A<=B        True if A is less than or equal to B
&&         A&&B        Logical and
||         A||B        Logical or
+          A+B         Add two integers
-          A-B         Subtract two integers
*          A*B         Multiply two integers
/          A/B         Divide two integers
%          A%B         Modulus
int()      int(expr)   Force interpretation of expr as an integer

·  Table 8: Configuration file expression operators

Associativity is left to right with standard precedence.
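The operator table and the associativity rule above, worked through as an added Python example that is not Intact’s own evaluator. Two points the manual leaves open are handled as assumptions: a token that is not a number compares as text (so `FILE != ODBC` is true), and `int()` accepts a parenthesized sub-expression.

```python
import re

# Example code added to this manual, not Intact's own parser: the expression
# operators tabled above with standard precedence and left-to-right associativity.
# How a bare word compares with a number is not stated by the manual; here both
# sides are compared as integers when both are numeric, otherwise as text.

_TOKEN = re.compile(r"\s*(==|!=|>=|<=|&&|\|\||[-+*/%<>()]|[A-Za-z_][\w.\\:]*|\d+)")
_LEVELS = [("||",), ("&&",), ("==", "!="), ("<", "<=", ">", ">="), ("+", "-"), ("*", "/", "%")]
_CMP = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
_ARITH = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
          "/": lambda a, b: a // b, "%": lambda a, b: a % b}


class IntactConfigError(Exception):
    pass


def _num(x):
    try:
        return int(x)
    except (TypeError, ValueError):
        return None


def _truth(x):
    return bool(_num(x)) if _num(x) is not None else bool(x)


def _apply(op, a, b):
    na, nb = _num(a), _num(b)
    if op in ("||", "&&"):
        return int(_truth(a) or _truth(b)) if op == "||" else int(_truth(a) and _truth(b))
    if op in _CMP:                        # numeric when both sides are numbers, else as text
        return int(_CMP[op](na, nb) if na is not None and nb is not None else _CMP[op](str(a), str(b)))
    if na is None or nb is None or (op in ("/", "%") and nb == 0):
        raise IntactConfigError(f"cannot evaluate {a!r} {op} {b!r}")
    return _ARITH[op](na, nb)


def evaluate(expression):
    """Recursive descent over _LEVELS: standard precedence, left-to-right associativity."""
    text, toks, pos, i = expression.strip(), [], 0, [0]
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise IntactConfigError(f"bad expression near {text[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()

    def peek():
        return toks[i[0]] if i[0] < len(toks) else None

    def take(expected=None):
        tok, i[0] = peek(), i[0] + 1
        if expected is not None and tok != expected:
            raise IntactConfigError(f"expected {expected!r}, got {tok!r}")
        return tok

    def level(n):
        value = primary() if n == len(_LEVELS) else level(n + 1)
        while n < len(_LEVELS) and peek() in _LEVELS[n]:
            op = take()
            value = _apply(op, value, level(n + 1))
        return value

    def primary():
        tok = take()
        if tok == "int" and peek() == "(":             # int(expr): force an integer
            take("(")
            value = level(0)
            take(")")
            if _num(value) is None:
                raise IntactConfigError(f"int() of non-numeric {value!r}")
            return _num(value)
        if tok == "(":
            value = level(0)
            take(")")
            return value
        if tok is None or tok == ")":
            raise IntactConfigError("malformed expression")
        return tok                                     # a number or a bare word

    value = level(0)
    if peek() is not None:
        raise IntactConfigError(f"trailing input {peek()!r}")
    return value
```

`evaluate("7 % 4 + 1 == 4")` returns 1 because `%` binds tighter than `+`, which binds tighter than `==`; `evaluate("10 - 4 - 3")` returns 3 because subtraction associates left to right. In a configuration file the `$(VAR)` references in an `#if` would be substituted before the text reaches `evaluate`.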

Variables

There are several pre-existing variables that can be used throughout the configuration file. In addition, all environment variables are also available. The internal values are shown in the table below. Variables are not case sensitive.

Variable               Meaning                                                                      Default value

SystemRoot             Root of the system directory                                                 C:\WINNT
TEMP                   Windows temporary directory
FULLNAME               Domain name of current user
COMPUTERNAME           The NetBIOS name of the computer
MONTH                  Current month number (1-12)
DAY                    Current day of the month (1-31)
YEAR                   Current year (including century)
HOUR                   Current hour (00-23)
MINUTE                 Current minute (00-59)
SECOND                 Current second (00-59)
TIMESTAMP              Current time in the format YYYYMMDDHHMMSS
PRIORITY               Execution priority of the process                                            normal
CHECK                  Set if Intact is running in check mode
BUILD                  Set if Intact is running in build mode
AUTO                   Set if Intact is running in auto mode
MAKECONF               Set if Intact is running in makeconf mode
CONFIG_FROM            Set to either ‘FILE’ or ‘ODBC’ depending on where the config file came from
DETECTIONDB            Path of the database file
BEHAVIORDB             Path of the behavior database
BEHDBTYPE              Optimization of the behavior db: “mem” or “disk”                             mem
OUTPUTFILE             Name of the file to receive messages
EVENTLOG               Notify the Event Log (value is server; blank is local)
SYSLOG                 Notify syslog (value is server; blank is local)
SYSLOGFACILITY         Facility for syslog messages                                                 user
SYSLOGSEVERITY         Severity for syslog messages                                                 info
AUTO_COUNTDOWN_TIMER   Number of times to execute in self-identification mode                       6
MAKECONF_SENSITIVITY   Sensitivity to changes during self-identification mode (high, normal, low)   normal
MAILSERVER             SMTP mail server to use
MAILTO                 Address to send mail to
MAILFROM               Return address                                                               Intact@[host]
MAILSUBJECT            Subject of the mail message                                                  date and time
MAILTEMPFILE           Temporary file for mail                                                      $(TEMP)\intact_tmp.txt
RA                     Registry: all parameters                                                     ckmogpz2
A                      File: all parameters                                                         tcmvsniogpz2
LOG                    Log file changes                                                             tcnogpz
UA                     Ntuser: all parameters                                                       ncCdjhspwlSoebxmuMgRrfLO
GA                     Ntgroup: all parameters                                                      ncgm

·  Table 9: Configuration file variables

When accessing these values, the variable name should be preceded by “$(” and terminated by “)”. For example, “$(FULLNAME)” would be substituted by the domain name of the current user. More examples will be given farther along in this section.

Several variables require special explanation. PRIORITY sets the execution priority of the process. It can be one of the following, in order of slowest to fastest:

·  idle

·  lowest

·  low

·  normal

·  high

·  highest

·  critical

Other programs may be executing at the same time as Intact. If you set your configuration to run at idle Intact may never receive any execution time. For example, screen savers may often have a priority of normal or above. If you set Intact to run at a lesser priority than your screen saver, it may never receive any execution time.

DETECTIONDB specifies the path of the database file. You must specify a database file either on the command line or by using this variable unless you are using ODBC. OUTPUTFILE specifies the path of the text log file for errors, flags and warnings.
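The preprocessor commands (Table 7) and the `$(VAR)` substitution described in this section, run over a constructed configuration file, as an added Python example that is not Intact’s own parser. `#if` is handed to a caller-supplied evaluator so that the expression grammar stays a separate concern; the sample below uses `#ifdef` and `#ifndef` only. Two assumptions: a `#define`’s text is expanded when the definition is read, and names are matched without regard to case, as the manual says for variables.

```python
import re

# Example code added to this manual, not Intact's own parser. It runs the
# preprocessor commands from the commands table over a constructed configuration,
# with ';' comments and $(VAR) substitution. Expression evaluation for #if is not
# built in: pass a callable as evaluate_if (it receives the substituted text and
# returns a truth value). Assumptions: a #define's text is expanded when the
# definition is read, and variable names are case-insensitive.

_VAR = re.compile(r"\$\(([A-Za-z_]\w*)\)")


class IntactConfigError(Exception):
    pass


def substitute(text, variables, where="config"):
    """Replace every $(NAME) with its value; NAME lookup ignores case."""
    def repl(m):
        name = m.group(1).upper()
        if name not in variables:
            raise IntactConfigError(f"{where}: undefined variable {m.group(1)}")
        return variables[name]
    return _VAR.sub(repl, text)


def preprocess(text, variables, evaluate_if=None):
    """Return (object lines, final settings) after #define/#undef/#ifdef/#ifndef/
    #if/#else/#endif processing. `variables` seeds the built-in values."""
    vars_ = {k.upper(): str(v) for k, v in variables.items()}
    out, stack = [], []        # stack entry: [this branch active, a branch taken, parent active]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, where = raw.split(";", 1)[0].strip(), f"line {lineno}"   # ';' starts a comment
        active = all(entry[0] for entry in stack)
        if not line:
            continue
        if not line.startswith("#"):
            if active:
                out.append(substitute(line, vars_, where))
            continue
        parts = line.split(None, 2)
        cmd = parts[0].lower()
        arg = parts[1].upper() if len(parts) > 1 else ""
        if cmd in ("#ifdef", "#ifndef"):
            cond = (arg in vars_) == (cmd == "#ifdef")
            stack.append([active and cond, cond, active])
        elif cmd == "#if":
            if evaluate_if is None:
                raise IntactConfigError(f"{where}: #if needs an expression evaluator")
            cond = bool(active and evaluate_if(substitute(line[3:].strip(), vars_, where)))
            stack.append([cond, cond, active])
        elif cmd == "#else" and stack:
            stack[-1][0] = stack[-1][2] and not stack[-1][1]
            stack[-1][1] = True
        elif cmd == "#endif" and stack:
            stack.pop()
        elif cmd in ("#define", "#undef", "#undefine"):
            if not active:
                continue                                  # inside a skipped branch
            if cmd == "#define" and arg in vars_:
                raise IntactConfigError(f"{where}: {arg} already defined; #undef it first")
            if cmd == "#define":
                vars_[arg] = substitute(parts[2] if len(parts) > 2 else "", vars_, where)
            else:
                vars_.pop(arg, None)
        else:
            raise IntactConfigError(f"{where}: unknown or misplaced command {cmd}")
    if stack:
        raise IntactConfigError("missing #endif")
    return out, vars_


SAMPLE_CONFIG = r"""
; Constructed sample .icf, not a Pedestal file
#define WEBROOT c:\inetpub\wwwroot
#define OUTPUTFILE $(TEMP)\intact_$(TIMESTAMP).iof   ; nested variables
#ifdef CHECK
$(WEBROOT)\*.asp  $(A)          ; while checking, only the scripts
#else
$(WEBROOT)  $(A)                ; while building, the whole tree
#endif
#ifndef AUTO
!$(SystemRoot)\system32\config\*.log
#undef WEBROOT
#define WEBROOT d:\staging
$(WEBROOT)  $(LOG)
#endif
"""

# Constructed values for the built-in variables (Intact supplies these itself).
SAMPLE_VARIABLES = {"TEMP": r"c:\temp", "TIMESTAMP": "20000101120000", "CHECK": "1",
                    "SystemRoot": r"C:\WINNT", "A": "tcmvsniogpz2", "LOG": "tcnogpz"}
```

`preprocess(SAMPLE_CONFIG, SAMPLE_VARIABLES)` returns three object lines (the `.asp` entry, the exclusion under `$(SystemRoot)` and the re-defined `d:\staging` entry) together with the resolved settings, where `OUTPUTFILE` has become `c:\temp\intact_20000101120000.iof`. Redefining `WEBROOT` without the `#undef` raises, which matches the rule in the commands table.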

Objects and flags

In addition to these commands, a line can also contain an object description. This description tells Intact to store the information of an object, sub-objects, permissions, time-stamps, etc. It consists of three parts:

1)      Prefix

2)      Object: a file, directory, user, group, registry, etc. to check

3)      Flags

Each prefix is only one or two characters. It precedes the object name and is not separated from it by spaces. There are four prefixes. Not all prefixes apply to all types of objects.

The following table describes the prefixes for files, directories and the registry.

Prefix   Meaning

=        Directory/folder: Do not store all files within the given directory but do store directories within that directory. Files in subdirectories are stored.
         Registry: Store the given key only.

==       Directory/folder: Do not store all files within the given directory nor any files within subdirectories at any level below the given directory.
         Registry: Store the given key but not subkeys.

!        All objects: Do not store item.

!!       Directory/folder and Registry: Do not store item or its children.

·  Table 10: Object prefixes

The following table describes the prefixes for LDAP objects.

Prefix   Meaning

=        This flag instructs Intact to disregard any results of other queries for the BASEDN in this query. This flag is used to fine-tune a broad search by overriding a subtree with a new search.

!        This flag instructs Intact to disregard an entire single distinguished name or a subset of the attributes for a single distinguished name.

!!       This flag instructs Intact to disregard an entire subtree of distinguished names entirely or to disregard a subset of attributes for objects matching search criteria within a subtree.

·  Table 11: LDAP object prefixes

The object name tries to uniquely describe the object. Objects can be any of the following:

Object                    Starts with                          Applies to

File/Folder               [Drive-letter]:\                     Files and directories/folders within the specified path.
Registry                  HKLM\, HKCU\, HKCR\, HKU\, HKCC\     Registry keys and values.
NT User                   NTUSER:                              User accounts.
NT Group                  NTGROUP:                             Local and global groups.
User right                USERRIGHT:                           Accounts assigned certain privileges, e.g. the “backup files and directories” user right.
Account policy            ACCOUNTPOLICY                        System-wide account policy.
Audit policy              AUDITPOLICY                          System-wide audit policy.
Directory Server (LDAP)   LDAP://                              LDAP V2 or higher compliant directory servers.

·  Table 12: Objects

File and Directory/Folder Objects

Files and directories are entered as a complete path, such as “C:\WEB\DATA.” Wildcards may be used to match specific file and directory names. Wildcards may only be used within the file portion of a path specification, such as c:\winnt\system32\*.dll. Placing wildcards within the path is not supported, for example, c:\winnt\*\data will report an error. Both the “*” and “?” wildcard characters may be used.

Registry Objects

Registry keys begin with a hive identifier and are followed by the full key path specification. The valid hive identifiers are in the table below. For example, “hklm\Software.”

ID     Registry Hive

hkcu   HKEY_CURRENT_USER
hkcr   HKEY_CLASSES_ROOT
hku    HKEY_USERS
hklm   HKEY_LOCAL_MACHINE
hkcc   HKEY_CURRENT_CONFIG

·  Table 13: Registry prefixes

Intact is also capable of monitoring and excluding individual registry values. To specify individual values, append a comma-separated list of value names enclosed in parentheses to the end of the key name. For example, to monitor for change only the “CurrentBuildNumber” and “CurrentVersion” values of the “HKLM\Software\Microsoft\CurrentVersion” registry key, specify:

“HKLM\Software\Microsoft\CurrentVersion(CurrentBuildNumber,CurrentVersion)”   $(RA)

To exclude an individual value, or set of values, from being monitored, place a “!” flag in front of the key:

!HKLM\SYSTEM\Select(LastKnownGood)

User and Group Objects

Users and groups begin with an identifier of “ntuser:” or “ntgroup:” followed by a name which may contain wildcards. For example, “ntuser:s*” will check all users whose user id begins with “s”. The wildcard “?” is also supported. If a user or group matches a wildcarded entry and you also specify that user or group without wildcards, the non-wildcarded entry will take precedence. Consider:

NTUSER:*admin*     amrf

NTUSER:administrators $(UA)

Even though “administrators” matches both lines, the flags $(UA) will be used because that line is not wildcarded.

ID        Meaning

Ntuser    Local or global user
Ntgroup   Local or global domain groups

·  Figure 11: Users and groups
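The object-line syntax of this section, worked through as an added Python example that is not Intact’s parser: prefix, object and flags are split apart, the object kind is recognised from its leading identifier, a registry value list is pulled off the key, a wildcard in the directory part of a file path is rejected as the text says, and the “non-wildcarded entry wins” rule for users and groups is applied. The sample lines reuse the manual’s own examples and flag sets; which wildcard entry wins when several match is an assumption (the first listed), and the function names are this example’s own.

```python
import fnmatch
import re

# Example code added to this manual, not Intact's own parser. It splits
# configuration object lines into prefix, object and flags, recognises the object
# kinds tabled above, pulls the value list off a registry key, checks the
# wildcard rule for file objects and applies the "non-wildcarded entry wins"
# rule for users and groups. Function names are this example's own.

PREFIXES = ("!!", "==", "!", "=")          # longest first so "==" is not read as "="
_HIVES = ("hklm\\", "hkcu\\", "hkcr\\", "hku\\", "hkcc\\")


def parse_object_line(line):
    """'==C:\\winnt  tcmvsniogpz2 ; note' -> ('==', 'C:\\winnt', 'tcmvsniogpz2')"""
    body = line.split(";", 1)[0].strip()
    prefix = next((p for p in PREFIXES if body.startswith(p)), "")
    parts = re.split(r"\s+", body[len(prefix):].strip(), maxsplit=1)
    return prefix, parts[0], (parts[1].strip() if len(parts) > 1 else "")


def classify(obj):
    """Object kind by its leading identifier (see the Objects table)."""
    low = obj.lower()
    if re.match(r"^[a-z]:\\", low):
        return "file"
    if low.startswith(_HIVES):
        return "registry"
    for tag in ("ntuser:", "ntgroup:", "userright:", "ldap://"):
        if low.startswith(tag):
            return tag.rstrip(":/")
    if low in ("accountpolicy", "auditpolicy"):
        return low
    raise ValueError(f"unrecognised object: {obj}")


def registry_values(obj):
    """'HKLM\\SYSTEM\\Select(LastKnownGood)' -> ('HKLM\\SYSTEM\\Select', ['LastKnownGood'])"""
    m = re.fullmatch(r"(.*?)\(([^()]*)\)", obj)
    if not m:
        return obj, []                         # whole key, no value list
    return m.group(1), [v.strip() for v in m.group(2).split(",") if v.strip()]


def file_object_error(obj):
    """None if the path is acceptable; otherwise why (wildcards only in the file part)."""
    directory, _, filename = obj.rpartition("\\")
    if any(c in directory for c in "*?"):
        return f"wildcard in the directory portion is not supported: {obj}"
    return None


def resolve_account_flags(entries, kind, name):
    """Flags for one user or group: an exact (non-wildcard) entry beats any
    wildcard match; among wildcard matches the first listed wins (assumption)."""
    wildcard_hit = None
    for prefix, obj, flags in entries:
        tag, _, pattern = obj.partition(":")
        if tag.lower() != kind:
            continue
        if any(c in pattern for c in "*?"):
            if wildcard_hit is None and fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                wildcard_hit = (prefix, flags)
        elif pattern.lower() == name.lower():
            return prefix, flags
    return wildcard_hit


# Constructed configuration lines using the manual's own examples and flag sets.
SAMPLE_LINES = [
    r"==C:\winnt  tcmvsniogpz2",
    r"C:\winnt\system32\*.dll  tcmvsniogpz2",
    r"HKLM\Software\Microsoft\CurrentVersion(CurrentBuildNumber,CurrentVersion)  ckmogpz2",
    r"!HKLM\SYSTEM\Select(LastKnownGood)",
    r"NTUSER:*admin*  amrf   ; wildcard entry",
    r"NTUSER:administrators  ncCdjhspwlSoebxmuMgRrfLO",
    r"ACCOUNTPOLICY",
]


def parse_sample():
    return [parse_object_line(line) for line in SAMPLE_LINES]
```

With the sample lines, `resolve_account_flags(parse_sample(), "ntuser", "administrators")` returns the `$(UA)` flag set because the exact entry wins, while `"sqladmin"` falls through to the wildcard entry’s `amrf`; `file_object_error(r"C:\winnt\*\data")` reports the unsupported wildcard in the path.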

User Rights Objects

User rights are special privileges that allow selected accounts to perform some specific task. For instance, an account possessing “add workstations to the domain” is permitted to install new workstations as members of the domain or to have existing workstations join a domain. Intact can detect changes in user rights settings. The user rights you wish to monitor for change are specified as “userright:[right name or descriptive name]”. The following rights are known to Intact; they are the full set of user rights for Windows NT 4.0:

User right name                   Descriptive Name

SeInteractiveLogonRight           Log on locally
SeNetworkLogonRight               Access this computer from network
SeBatchLogonRight                 Log on as a batch job
SeServiceLogonRight               Log on as a service
SeCreateTokenPrivilege            Create a token object
SeAssignPrimaryTokenPrivilege     Replace a process level token
SeLockMemoryPrivilege             Lock pages in memory
SeIncreaseQuotaPrivilege          Increase quotas
SeMachineAccountPrivilege         Add workstations to domain
SeTcbPrivilege                    Act as part of the operating system
SeSecurityPrivilege               Manage auditing and security log
SeTakeOwnershipPrivilege          Take ownership of files or other objects
SeLoadDriverPrivilege             Load and unload device drivers
SeSystemProfilePrivilege          Profile system performance
SeSystemtimePrivilege             Change the system time
SeProfileSingleProcessPrivilege   Profile a single process
SeIncreaseBasePriorityPrivilege   Increase scheduling priority
SeCreatePagefilePrivilege         Create a pagefile
SeCreatePermanentPrivilege        Create permanent shared objects
SeBackupPrivilege                 Back up files and directories
SeRestorePrivilege                Restore files and directories
SeShutdownPrivilege               Shut down the system
SeDebugPrivilege                  Debug programs
SeAuditPrivilege                  Generate security audits
SeSystemEnvironmentPrivilege      Modify firmware environment values
SeChangeNotifyPrivilege           Bypass traverse checking
SeRemoteShutdownPrivilege         Force shutdown from a remote system

·  Figure 12: User rights privilege names

User rights may also be specified using wildcards. A user right specified with a wildcard will be included in the set to be monitored if the wildcard matches either the user right name or the descriptive name.

System Account Policy Object

To monitor the system account policy, simply specify “ACCOUNTPOLICY” in the configuration file. This will default to both the “c” and “p” flags. Account policies specify password aging, account lockout and other account-oriented options.

System Audit Policy Object

To monitor the system audit policy, simply specify “AUDITPOLICY” in the configuration file. Audit policies specify what events should be audited. For example: successful or failed logon and logoff events.

LDAP Directory Services Objects

Intact Directory Services includes support for detecting change in LDAP-compatible databases. You specify where and what properties of LDAP objects to monitor by using a modified LDAP URL[4] format:

LDAP://USER:PASSWORD@HOST:PORT/BASEDN?ATTRIBUTES?SCOPE?SEARCH-FILTER

LDAP Object Syntax

Item           Required   Meaning
LDAP://        Yes        Required prefix for all LDAP URLs
USER           No         The fully qualified distinguished name of the authenticating user.
PASSWORD       No         The directory login password for USER.
HOST           No         The IP address or DNS domain name of an LDAP directory server (default is localhost).
PORT           No         The port on which the LDAP server is listening for connections (default is 389).
BASEDN         Yes        The base relative distinguished name from which the search will begin.
ATTRIBUTES     No         A comma-separated list of attributes to retrieve. If this field is empty, all attributes are retrieved.
SCOPE          No         One of “ONE”, “BASE” or “SUB”. If this field is empty, the default is BASE. A scope of BASE limits the search to the BASEDN only. A scope of ONE limits the search to the BASEDN and its immediate children. A scope of SUB searches all objects at or below the BASEDN.
SEARCH-FILTER  Yes        A search filter as described in RFC2254.

For example, the following configuration file line would check for changes to all attributes where the surname is “Jones”:

LDAP://directory.domain.com/ou=marketing??sub?(sn=*Jones*)     D20,2

The object flags “D20,2” tell Intact to store the actual attribute value instead of computing the hash if the attribute value is 20 bytes or less, otherwise store the SHA hash of the attribute.

Special Objects

The object “client:” has special meaning. Currently there is only one client type supported, “drives”:

ID              Meaning
client:drives   Intact will add the root directory of all fixed-type drives to the configuration file with the $(A) flags.

·  Figure 13: Special Client object

For example, specifying “client:drives” in the configuration file will be expanded to the root directory of all fixed drives on the system and have flags equivalent to $(A).

 

Object Flags

Each flag is a single character with special meaning. Flags determine what information to store about each object and sub-object in the line in which they are specified. Flags are listed in sequence without any spaces between flag characters. Valid flags for each object type are given in the tables below.

Flags are case sensitive, for example, the NTUSER flag “r” is not the same as “R”.

Applies to ALL OBJECTS

Flag   Meaning
EVTn   When sending event notifications to SYSLOG and/or the EVENTLOG, use event id number (n).

Applies to FILES, REGISTRY, LDAP

Flag   Meaning
1      Store MD5[5] signature of file or value
2      Store SHA signature of file or value

·  Table 14: Generic configuration file flags

Applies to REGISTRY

Flag   Meaning
c      Classname
k      Key info (number of subkeys, values, lengths, etc.)
m      Last write time
o      Owner sid
g      Group acl
p      Standard acl
z      Auditing acl
G[n]   Indicates how many values to group together when computing the hash.

·  Table 15: Registry flags

Applies to FILES

Flag   Meaning
t      Attributes (read-only, system, hidden, etc.)
c      Creation time
a      Access time
A      Always reset last-access time on files (useful when also using flags 1,2)
m      Modification timestamp
v      Volume serial number
s      Size of file
n      Number of links
i      File index number
o      Owner sid
g      Group acl
p      Standard acl
z      Auditing acl

·  Table 16: File and directory flags

Applies to NTUSERS

Flag   Meaning
n      Name
c      Comment (description)
C      User comment
d      Country code/code page
j      Logon hours
h      Home directory
s      Script path
p      Profile
w      Workstations user may logon to
l      Number of logons
S      Server
o      Password
a      Password age
e      Password expired
b      Bad password count
x      Account expires
m      Max storage
u      Uid
g      Primary gid
M      Group membership
r      RAS flags
R      RAS callback phone number
f      User flags
L      Last logon
O      Last logoff

·  Table 17: NTUSER flags

Applies to NTGROUPS

Flag   Meaning
n      Name
c      Comment
g      Group id
m      Group membership

·  Table 18: NTGROUP flags

Applies to ACCOUNTPOLICY

Flag   Meaning
c      Store all account policy information except the “Users must logon in order to change password” option.
p      Store the “Users must logon in order to change password” option.

·  Table 19: ACCOUNTPOLICY flags

Applies to AUDITPOLICY

Flag   Meaning
c      Store the Audit Policy

·  Table 20: AUDITPOLICY flags

Two special flags, “+” (plus) and “-” (minus), allow you to add and subtract flags from existing groups of flags. For example, the file flags “tcmpgz-zg” are equivalent to “tcmp”; likewise, the ntuser flags “Mfa+r-a” are equivalent to “Mfr”. To switch from the default SHA1 digest algorithm to MD5 in the set of flags defined in $(RA), specify “$(RA)-2+1” in the flags argument. You may also use a comma to separate flags, e.g. the registry flags “G1,1”.

The G[n] flag for registry keys specifies how many registry key values to group together when computing hashes for a registry key. The default is 5 values per group. Set it to 0 to indicate that all values should be grouped together under one hash computation. Setting the value to 0 produces the coarsest change detection granularity. The finest granularity is specified using “G1”, which produces a separate hash for every value.
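The two paragraphs above describe flag arithmetic (“+”, “-”, commas, $(NAME) variables) and the G[n] grouping rule. The Python below is an added example written for this page, not Intact's code: it evaluates flag expressions to their equivalent flag string and computes per-group digests for a constructed registry key so the granularity of G0, G5 and G1 can be compared. The contents given for $(RA), the name ordering of values and the way name and data are fed to the digest are assumptions.

```python
"""Evaluate Intact flag expressions and show what the registry G[n] flag does to hash granularity."""
import hashlib
import re

# Contents of $(RA) are an assumption for this example; the manual defines the
# real variables in its section on the configuration file.
ASSUMED_MACROS = {"RA": "ckmopgz2"}

# EVTn, G[n]/Gn, Dn and D-1 are multi-character flags and must be read as one
# token; every other flag is a single character. Commas are separators.
TOKEN_RE = re.compile(r"\$\((\w+)\)|(EVT\d+|G\[?\d+\]?|D-?\d+)|([+\-])|(,)|(.)")


def flag_base(flag):
    """Identify a flag regardless of its parameter: 'G5' -> 'G', 'EVT7' -> 'EVT', '1' -> '1'."""
    return re.match(r"[A-Za-z]*", flag).group() or flag


def expand_flags(expr, macros=ASSUMED_MACROS):
    """Return the ordered list of flags that `expr` is equivalent to.

    '+' switches to adding flags and '-' to removing them (adding is the initial
    mode); $(NAME) splices in a variable's flags; a parameterised flag replaces an
    earlier one with the same letter, so 'G5G1' means 'G1'.
    """
    result = []
    adding = True

    def apply(flag):
        result[:] = [f for f in result if flag_base(f) != flag_base(flag)]
        if adding:
            result.append(flag)

    for m in TOKEN_RE.finditer("".join(expr.split())):
        macro, multi, op, comma, single = m.groups()
        if macro is not None:
            if macro not in macros:
                raise ValueError(f"unknown variable $({macro})")
            for flag in expand_flags(macros[macro], macros):
                apply(flag)
        elif multi is not None:
            apply(multi.replace("[", "").replace("]", ""))
        elif op is not None:
            adding = op == "+"
        elif single is not None:
            apply(single)
        # a comma carries no meaning of its own
    return result


def render_flags(flags):
    """Join flags back into Intact syntax, adding a comma where two digits would run together."""
    out = ""
    for f in flags:
        if out and out[-1].isdigit() and f[0].isdigit():
            out += ","
        out += f
    return out


def registry_value_digests(values, n=5, algo="sha1"):
    """Digest the values of one registry key the way G[n] groups them.

    n == 0: one digest over every value; n == 1: one digest per value; otherwise
    one digest per run of n values. Values are taken in name order, which is an
    assumption (the manual does not state Intact's ordering). Returns a list of
    (value names, hex digest) pairs.
    """
    items = sorted(values.items())
    groups = [items] if n == 0 else [items[i:i + n] for i in range(0, len(items), n)]
    digests = []
    for group in groups:
        h = hashlib.new(algo)
        for name, data in group:
            # NUL separators keep (name, data) pairs from running into each other
            h.update(name.encode("utf-8") + b"\0" + data + b"\0")
        digests.append(([name for name, _ in group], h.hexdigest()))
    return digests


if __name__ == "__main__":
    for expr in ("tcmpgz-zg", "Mfa+r-a", "$(RA)-2+1", "G1,1"):
        print(f"{expr:12} -> {render_flags(expand_flags(expr))}")
    # Constructed key with seven values: G0 gives one digest, G5 two, G1 seven.
    values = {f"Value{i}": bytes([i]) for i in range(7)}
    for n in (0, 5, 1):
        print(f"G{n}: {len(registry_value_digests(values, n))} digest(s)")
```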

LDAP/Directory Services Flags

Applies to LDAP Directory Services Objects

Flag   Meaning
1      Compute the MD5 hash
2      Compute the SHA1 hash
D0     Specifies that the LDAP objects will only have their hashes computed; never store the actual attribute values.
D-1    Specifies that all attribute values are stored in the detection database regardless of the size of the attribute value.
Dn     Specifies that attribute values that have a size less than or equal to (n) will be stored, and that attribute values that have a size greater than (n) will have their hash computed. For multi-valued attributes, the size of the attribute is the cumulative size of all the values for the attribute.

 
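The modified LDAP URL format in the “LDAP Directory Services Objects” section and the D flags in the table above are both exercised by the following Python, which is an added example for this page rather than Intact's own code. It parses a URL into the fields of the syntax table with the stated defaults and decides, for an attribute's values and a D flag, whether the values or their digest would be stored. The credential-splitting rule, the acceptance of an empty search filter, and the digesting of multi-valued attributes as a concatenation are assumptions.

```python
"""Parse Intact's modified LDAP URL and apply the D flag storage rule."""
import hashlib
import re

LDAP_SCOPES = {"BASE", "ONE", "SUB"}
DIGEST_FLAGS = {"1": "md5", "2": "sha1"}   # the generic 1/2 digest flags


def parse_ldap_url(url):
    """Split LDAP://USER:PASSWORD@HOST:PORT/BASEDN?ATTRIBUTES?SCOPE?SEARCH-FILTER.

    Defaults follow the syntax table: host localhost, port 389, scope BASE, and an
    empty ATTRIBUTES meaning all attributes. The first ':' separates USER from
    PASSWORD and the last '@' separates the credentials from the host, so a DN
    with commas and a password containing '@' both survive (an assumption about
    how Intact itself parses the URL).
    """
    if url[:7].lower() != "ldap://":
        raise ValueError("LDAP URLs must begin with LDAP://")
    authority, slash, rest = url[7:].partition("/")
    if not slash or not rest.split("?", 1)[0]:
        raise ValueError("BASEDN is required")
    user = password = None
    if "@" in authority:
        creds, authority = authority.rsplit("@", 1)
        user, _, password = creds.partition(":")
    host, _, port = authority.partition(":")
    parts = rest.split("?")
    attributes = [a for a in (parts[1] if len(parts) > 1 else "").split(",") if a]
    scope = (parts[2] if len(parts) > 2 else "").upper() or "BASE"
    if scope not in LDAP_SCOPES:
        raise ValueError(f"SCOPE must be ONE, BASE or SUB, not {scope!r}")
    return {
        "user": user, "password": password,
        "host": host or "localhost", "port": int(port) if port else 389,
        "basedn": parts[0], "attributes": attributes, "scope": scope,
        # the syntax table marks the filter as required for monitoring lines; the
        # exclusion lines in the examples omit it, so an empty filter is accepted
        "filter": "?".join(parts[3:]),
    }


def parse_ldap_flags(flags):
    """Read an LDAP flag string such as 'D20,2' into (n, digest algorithms)."""
    m = re.search(r"D(-?\d+)", flags)
    n = int(m.group(1)) if m else None
    rest = re.sub(r"D-?\d+", "", flags)
    return n, [DIGEST_FLAGS[c] for c in rest if c in DIGEST_FLAGS]


def stored_form(values, n, algo="sha1"):
    """What Intact keeps for one attribute under flag Dn.

    D0: always the digest; D-1: always the values; Dn (n > 0): the values when
    their cumulative size is <= n bytes, otherwise the digest. Multi-valued
    attributes are digested as the concatenation of their values in the given
    order, which is an assumption made for this example.
    """
    if n < -1:
        raise ValueError("D flag must be -1, 0 or a positive size")
    size = sum(len(v) for v in values)
    if n == -1 or (n > 0 and size <= n):
        return ("value", list(values))
    h = hashlib.new(algo)
    for v in values:
        h.update(v)
    return (algo, h.hexdigest())


if __name__ == "__main__":
    # The configuration line from the text: values of 20 bytes or less are stored,
    # longer ones get their SHA1 digest.
    line = "LDAP://directory.domain.com/ou=marketing??sub?(sn=*Jones*)     D20,2"
    url, flags = line.rsplit(None, 1)
    print(parse_ldap_url(url))
    n, algos = parse_ldap_flags(flags)
    for sn in ([b"Jones"], [b"Jones-Smith"] * 3):   # constructed attribute values
        print(sn, "->", stored_form(sn, n, algos[0]))
```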

Examples of Directory Services URLs

A few examples may help to clarify the use of LDAP objects. The following small LDAP tree is used for the examples. It has a root prefix of “o=Ace Detectives” and one subtree:

o=Ace Detectives

          cn=Ace

          cn=Charlie

          ou=Marketing,o=Ace Detectives

                  cn=Jones

·  Figure 14: Covered query (only 1 query is issued against LDAP server)

 

Example 1:

Configuration:

"ldap://localhost/o=Ace Detectives??sub?(objectclass=*)" D10

"ldap://localhost/ou=Marketing,o=Ace Detectives??sub?(objectclass=*)" D-1

 

Output:

Adding 0: ldap://localhost/o=Ace Detectives (flags: D10)

Adding 1: ldap://localhost/cn=Ace,o=Ace Detectives (flags: D10)

Adding 2: ldap://localhost/cn=Charlie,o=Ace Detectives (flags: D10)

Adding 3: ldap://localhost/ou=Marketing,o=Ace Detectives (flags: D-1)

Adding 4: ldap://localhost/cn=Jones,o=Ace Detectives (flags: D10)

Adding 5: ldap://localhost/cn=Jones,ou=Marketing,o=Ace Detectives (flags: D-1)

Example 2: ! flag (exclude a whole DN)

Configuration:

"ldap://localhost/o=Ace Detectives??sub?(objectclass=*)" D10

!"ldap://localhost/ou=Marketing,o=Ace Detectives" D-1

 

Output:

Adding 0: ldap://localhost/o=Ace Detectives (flags: D10)

Adding 1: ldap://localhost/cn=Ace,o=Ace Detectives (flags: D10)

Adding 2: ldap://localhost/cn=Charlie,o=Ace Detectives (flags: D10)

Adding 3: ldap://localhost/cn=Jones,o=Ace Detectives (flags: D10)

Adding 4: ldap://localhost/cn=Jones,ou=Marketing,o=Ace Detectives (flags: D10)

Example 3: ! flag (limit attribs)

Configuration:

"ldap://localhost/o=Ace Detectives??sub?(objectclass=*)" D10

!"ldap://localhost/ou=Marketing,o=Ace Detectives?cn"

Output:

Adding 0: ldap://localhost/o=Ace Detectives (flags: D10)

Adding 1: ldap://localhost/cn=Ace,o=Ace Detectives (flags: D10)

Adding 2: ldap://localhost/cn=Charlie,o=Ace Detectives (flags: D10)

Adding 3: ldap://localhost/ou=Marketing,o=Ace Detectives (flags: D10)

Adding 4: ldap://localhost/cn=Jones,o=Ace Detectives (flags: D10)

Adding 5: ldap://localhost/cn=Jones,ou=Marketing,o=Ace Detectives (flags: D10)

Example 4: !! flag (exclude a whole subtree)

Configuration:

"ldap://localhost/o=Ace Detectives??sub?(objectclass=*)" D10

!!"ldap://localhost/ou=Marketing,o=Ace Detectives"

Output:

Adding 0: ldap://localhost/o=Ace Detectives (flags: D10)

Adding 1: ldap://localhost/cn=Ace,o=Ace Detectives (flags: D10)

Adding 2: ldap://localhost/cn=Charlie,o=Ace Detectives (flags: D10)

Adding 3: ldap://localhost/cn=Jones,o=Ace Detectives (flags: D10)

Example 5: !! flags (limit attribs)

Configuration:

"ldap://localhost/o=Ace Detectives??sub?(objectclass=*)" D10

!!"ldap://localhost/ou=Marketing,o=Ace Detectives?cn,sn"

Output:

Adding 0: ldap://localhost/o=Ace Detectives (flags: D10)

Adding 1: ldap://localhost/cn=Ace,o=Ace Detectives (flags: D10)

Adding 2: ldap://localhost/cn=Charlie,o=Ace Detectives (flags: D10)

Adding 3: ldap://localhost/ou=Marketing,o=Ace Detectives (flags: D10)

Adding 4: ldap://localhost/cn=Jones,o=Ace Detectives (flags: D10)

Adding 5: ldap://localhost/cn=Jones,ou=Marketing,o=Ace Detectives (flags: D10)

Example 6: = flags

Configuration:

"ldap://localhost/o=Ace Detectives??sub?(objectclass=*)" D10

="ldap://localhost/ou=Marketing,o=Ace Detectives??sub?(objectclass=person)" D-1

Output:

Adding 0: ldap://localhost/o=Ace Detectives (flags: D10)

Adding 1: ldap://localhost/cn=Ace,o=Ace Detectives (flags: D10)

Adding 2: ldap://localhost/cn=Charlie,o=Ace Detectives (flags: D10)

Adding 3: ldap://localhost/cn=Jones,o=Ace Detectives (flags: D10)

Adding 4: ldap://localhost/cn=Jones,ou=Marketing,o=Ace Detectives (flags: =D-1)

Sample Configuration File

Below is a sample configuration file. It will store information about the system directories, the application directory and selected registry keys depending on who executes the program. It is not intended as a production sample. The distribution contains several sample files which are very useful.

"C:\Program Files" $(A)
$(SystemRoot)\system32 $(A)
#if $(FULLNAME) == "NT AUTHORITY\SYSTEM"
hklm\sam $(RA)
#else
hklm\hardware $(RA)-m12
#endif

·  Figure 15: Sample configuration file

Below is another, more comprehensive and fully commented sample configuration file.

NTUSER:*admin*                               $(UA)
NTUSER:guest                                 $(UA)
NTGROUP:*admin*                              $(GA)
NTGROUP:"domain guests"                      $(GA)
==$(TEMP)                                    $(LOG)   ; just temp alone

$(SystemRoot)\system32                       $(A)
==$(SystemRoot)\system32\spool               $(LOG)   ; just directory
$(SystemRoot)\system32\config\AppEvent.Evt   $(LOG)
$(SystemRoot)\system32\config\default        $(LOG)
$(SystemRoot)\system32\config\default.LOG    $(LOG)
$(SystemRoot)\system32\config\SAM            $(LOG)
$(SystemRoot)\system32\config\SAM.LOG        $(LOG)
$(SystemRoot)\system32\config\SecEvent.Evt   $(LOG)
$(SystemRoot)\system32\config\SECURITY       $(LOG)
$(SystemRoot)\system32\config\SECURITY.LOG   $(LOG)
$(SystemRoot)\system32\config\software       $(LOG)
$(SystemRoot)\system32\config\software.LOG   $(LOG)
$(SystemRoot)\system32\config\SysEvent.Evt   $(LOG)
$(SystemRoot)\system32\config\system         $(LOG)
$(SystemRoot)\system32\config\SYSTEM.ALT     $(LOG)
=$(SystemRoot)\system32\ras                  $(A)     ; skip files in ras, not subdirs
!!$(SystemRoot)\system32\os2                          ; skip os2 and everything under it
C:\DOCS                                      $(A)
D:\WWWROOT                                   $(A)
hklm\Software                                $(RA)

#if $(FULLNAME) == "NT AUTHORITY\SYSTEM"
hklm\sam                                     $(RA)
hklm\security                                $(RA)
hklm\hardware                                $(RA)-m
#else
hklm\hardware                                $(RA)-m
#endif

·  Figure 16: Sample configuration file

Configuration Browser

Intact installs a configuration browser. The browser facilitates some of the tedious functions of creating and maintaining a configuration file. It can be invoked from the command line or through the Control Panel when pressing the “Edit Config” button. The Configuration Browser is not available in the Open Use versions of Intact.

·  Figure 17: Intact configuration browser

You may open, save and drag configuration files into this window as you would with any other standard Windows application.

The configuration file is explained in the section “Configuration File”. You may want to read that section to understand all the details.

To add a new item select an option from the “Add new object” box as shown in the following figure.

·  Figure 18: Create new item

When you select one of the options, a dialog will come up which contains information relevant for the type of object you have selected. If you select Registry, a registry dialog will come up.

·  Figure 19: Registry edit dialog box

You may check off the attributes you want to monitor, or press the shortcut buttons “All” and “Log”. Pressing Browse brings up another dialog box which displays a tree representation of the Registry and lets you choose the key of interest.

To edit an existing line, double-click on it. This will bring up either the specialized dialog box for the type of object you have clicked on, or a generic dialog box, depending on your Options settings (menu View/Options).

Output Viewer

This feature is not available in the Open Use version. The Output Viewer can be run as either a standalone program to view output files or integrated into the Enterprise Administrator if you have the Enterprise version.

·  Table 21: Output browser

During installation, the extension “.iof” is registered with the Output Viewer. When Intact mails out an output log, it can send it as an attachment with the extension “.iof” so that your email program will automatically launch the Output Viewer.

The entire file is displayed in a listbox with five columns:

1)      Object: name of the object (file, directory, registry key, etc.) to which the row pertains. If this is a general message it may say “CONFIG”.

2)      Type: type of object or message.

3)      Event: event which triggered the message, such as “CHANGE”, “DELETE”, etc.

4)      Message(s): any text explanation of the message.

5)      Line: the sequential line number showing the order in which records were entered.

The lower section of the window displays additional information about the selected item.

Navigating

Clicking on the column headers will sort the output by the column.

Clicking on the object name will display the message on the lower portion of the window, or in the right-hand pane if the view split is vertical. The view split can be changed by clicking on the menu View/Split.

If you right-click on an object, a menu pops up with these items:

1)      Find: Locate entries based on a text search.

2)      Go to: view the first record of a particular Intact run.

3)      Set to update: mark (or unmark) the record for updating the database to reflect the new record. Updating is covered in the next section.

4)      Begin update: start the update process on marked records.

5)      Remove from config: this will add a line to the configuration to exclude the selected object.

6)      Delete: remove old records. This option will allow you to remove all records, records below the selection, above the selection or the selected records. This option is only available on the Enterprise Administrator.

Updating

Updating will change the detection database record to reflect the current state of the object. If an object (such as a configuration file) is changed in your system after you build a database, you can use this feature to change the database so that the change will not be flagged every time Intact runs.

Select the items you want to update by right-clicking on the object name and using the “Set to update”. After you have selected all the items you want to update, right-click on any object and click “Begin update”.

If you are using the stand-alone Output Viewer and reading from a file, you will be asked to enter the location of the configuration file. The default configuration file will come up. Intact uses this configuration file to determine where all the relevant files are located.

If you are running the Enterprise Administrator, the information will be sent to the database, and an “update” command will be sent to the client and will be executed at the next poll (see Polling, page 11).

Deleting and Adding

When you update a file that has been deleted, it will be removed from the detection database. When you update a file that has been added, it will be added to the detection database.

Updating what to check

If you want to stop checking for a particular item’s properties (such as access time on a file), you must change the configuration file. Update mode will not do this.

Furthermore, if you want to add whole new objects or containers (directories, hives, etc.) which were previously not being watched, you should add them to the configuration file. First, update your configuration by adding the object. Then, run a check. Bring up the output and select the items for updating. Finally, update the items you wish to add.

Command line interface

Using the command line interface

The Intact core has a command line user interface. Several interfaces, such as the Control Panel or Configuration Builder, help you work with Intact without having to understand the command line usage, which may appear cumbersome at first. However, there are several reasons why direct use of the command line executable may sometimes be useful:

- A smaller executable allows you to fit the entire integrity checker and database for small systems on one or two 3½ inch floppy disks.

- Fewer libraries to load means there is less chance that altered system library files will affect Intact.

- Command line interfaces are easier to script, schedule, and run remotely.

intact options

The intact.exe command has several options. Each option begins with a dash, “-”, not a slash, “/”, as is sometimes used in Windows and MS-DOS. Some options are followed by one or more parameters. If the parameters contain spaces, they should be enclosed in double quotes (").

Option          Meaning
-S              Run as SYSTEM in a new window[6]
Odbc:[info]     Set ODBC connection parameters[7]
-build          Build a new database
-check          Compare the system against a database
-makeconf       Create new configuration file from behavior database
-auto           Run in autoconfigure mode
-update         Update the detection database
-digest         Calculate the MD5 and SHA1 digest for a given file.
-applyaudit     Apply auditing ACLs to files, directories and registry keys based on the scope specified in the configuration file.
-removeaudit    Remove auditing ACLs on files, directories and registry keys based on the scope specified in the configuration file.
-copyconf       Copy a configuration file to ODBC.
-Dname=val      Set variables (see Configuration File)
-std            Direct stderr to stdout
-verbose        Display many messages
-dN             Debug (N is from 1 to 3 where 1 is least verbose)

·  Table 22: intact.exe command line options

Because the SYSTEM account has permission to look at every aspect of the computer, it is often desirable to execute Intact as SYSTEM. SYSTEM is able to see things which not even Administrator can. If you specify the “-S” option, Intact will execute in a separate window using the SYSTEM account.

The “-build” option is used to create a new database. This option is followed by the file name of the configuration file and the database file name you want to create or overwrite.

intact -build intact.icf intact.idb

The “-check” option compares an existing database against the files that it represents. You must follow it with the configuration file used to create the database and the database name.

intact -check intact.icf intact.idb

If BEHAVIORDB is defined in the configuration file, the check will run in self-identification mode. In this mode, any changes that are detected are stored in a behavior database. You may want to run in this mode during the normal operation of your system when Intact is initially installed. The database will keep track of all changes so that you can later create a configuration file that more accurately reflects the normal behavior of your system.

The option “-std” makes sure that errors and output are both sent to the standard output of the program so that you can redirect it easily. Normally, errors are sent to standard error.

If you specify “-verbose” more messages will be generated during the build and check phases. These messages indicate all the files that are being added or checked. They are interspersed between the error and warning messages that may be generated.

intact -verbose -check intact.icf intact.idb

By using the “-dN” options, where N is a number between 1 and 3, you will get even more information about the processing of intact.exe. These options are often used to isolate particular anomalies in your file system or registry that may be causing you problems. Technical support personnel may ask you to provide the output if you are having difficulties.

intact -d1 -verbose -check intact.icf intact.idb

If you just enter the command “intact” without any options or parameters, the program will display a summary of its usage.

Interpreting reports

Generating reports

Typically, the output is sent to a file, a mail recipient, or a central repository.

The variables listed in Table 9 on page 20 which begin with “MAIL” allow you to specify an email recipient which will receive the complete output of the run. You should specify at least “MAILSERVER” and “MAILTO” using the standard internet email format, such as “intact@pedestalsoftware.com”. You may send to multiple recipients by supplying a comma-separated list as the argument.

The OUTPUTFILE variable will specify the filename to receive the output.

If you are using the Enterprise version, the output is automatically sent to your central repository.

The section Using the “at” command, on page 47, explains how to schedule the execution of Intact without using the Intact Service Scheduler available in the Intact Control Panel.

Different error types

The first error of concern occurs when you execute the program without Administrator privileges. The program will be unable to detect auditing changes and will display:

WARNING: could not assert SECURITY privilege. Access to auditing information will not be permitted.

Occasionally, different system errors will be displayed prefixed by “ERROR”. These are the standard Windows errors that should be familiar to trained systems administrators. Because there are so many possible errors, they are not listed here. However, keep in mind that all errors should be carefully reviewed because they could indicate a misconfiguration or an attempted hack on the system.

Other errors indicate changes in the object parameters and are clearly labeled. Below is a list of sample reports which should cover most situations.

Sample report

Report output displays an explanation of what changed. Below is a directory which was modified:

CHANGED: FILE: d:\Apps:

Last write time changed

   was: May 06, 1998 10:03:16

    is: May 18, 1998 21:00:19

·  Figure 20: File last-modified time changed

The format of the output might differ slightly when viewed in the Output Viewer, which allows you to search and sort the output.

Below is a file which has been modified. Note that the index is different, so the file has probably been deleted and rewritten, which is common practice with many applications when saving files. The signature is different because the contents of the file have changed.

CHANGED: FILE: c:\data files\letter.doc:

Last write time changed

   was: January 26, 1998 14:17:56

    is: May 12, 1998 01:22:21

File index different

   was: 3490289711212146792

    is: 2792794718923138748

DIGEST is different

   was: (MD5: 9A 02 17 1E AF 61 52 94 36 66 C6 E5 E1 CD 97 3C)

    is: (MD5: 07 B6 B1 44 FA D4 53 2C 8A 64 D7 76 81 C4 71 CD)

·  Figure 21: File changes detected

The file below was radically altered. Its contents were changed. It was rewritten to disk rather than being modified in place. Furthermore, user joe took ownership of the file from Administrator.

CHANGED: FILE: c:\data files\info:

Creation time changed

   was: September 16, 1997 08:40:13

    is: May 12, 1998 01:11:31

Last write time changed

   was: April 25, 1998 19:21:32

    is: May 12, 1998 01:11:31

Size has changed

   was: 631344

    is: 624514

File index different

   was: 2779565395017737866

    is: 2824601391291442990

DIGEST is different

   was: (MD5: E2 08 B0 DB 05 18 8A C4 D6 7E 89 1D DB 09 63 51)

    is: (MD5: 3C F5 29 04 C4 9A 56 D1 61 43 27 F9 FD D3 E0 7E)

OWNER is different

   was: BUILTIN\Administrators

    is: USERPC\joe

·  Figure 22: Many file changes detected

Here Intact detected changes to the Guest account and to the Administrators group: the Guest account was added to the Administrators group, and its “Account disabled” checkbox was unchecked:

CHANGED: NTUSER: Guest:

Flags changed:

Flag removed: UF_ACCOUNTDISABLE

Local Group membership changed:

Added: 'Administrators'

   was: Guests

    is: Administrators,Guests

 

CHANGED: NTGROUP: Administrators:

Group membership changed:

Added: 'PEDESTAL\Guest'

   was: PEDESTAL\Administrator,PEDESTAL\Domain Admins

    is: PEDESTAL\Administrator,PEDESTAL\Domain Admins,PEDESTAL\Guest

 

·  Figure 23: NTUSER and NTGROUP changes detected
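The reports in Figures 20 to 23 share one shape: an “EVENT: TYPE: name:” header followed by one unindented line per changed property, with indented “was:”/“is:” pairs and, for accounts, “Added:”/“Flag removed:” details. The Python below is an added example for this page, not Intact's own parser or the Output Viewer: it turns that text into records and lists the objects whose changes touch ownership, group membership, account flags or ACLs, the ones worth a look before marking anything “Set to update”. The sample report is constructed in the shape of the figures above, and the choice of which change kinds to surface first is an assumption.

```python
"""Turn Intact report output into records and pick out the changes to look at first."""
import re

# Constructed sample in the shape of the figures above (not output from a real run).
SAMPLE_REPORT = r"""
CHANGED: FILE: c:\data files\info:
Creation time changed
   was: September 16, 1997 08:40:13
    is: May 12, 1998 01:11:31
Size has changed
   was: 631344
    is: 624514
OWNER is different
   was: BUILTIN\Administrators
    is: USERPC\joe

CHANGED: NTUSER: Guest:
Flags changed:
Flag removed: UF_ACCOUNTDISABLE
Local Group membership changed:
Added: 'Administrators'
   was: Guests
    is: Administrators,Guests
"""

# "EVENT: TYPE: name:"  e.g. "CHANGED: FILE: d:\Apps:"
HEADER_RE = re.compile(r"^(?P<event>[A-Z]+): (?P<type>[A-Z]+): (?P<name>.*?):?$")
DETAIL_KEYS = ("Added", "Removed", "Flag added", "Flag removed")
REVIEW_FIRST = ("OWNER", "membership", "Flags", "acl")


def parse_report(text):
    """Group report lines into {event, type, name, changes} records.

    Each change starts with an unindented line ("Last write time changed",
    "OWNER is different"); the 'was:'/'is:' lines and 'Added:'/'Flag removed:'
    details that follow attach to it.
    """
    records, current, change = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"event": m["event"], "type": m["type"],
                       "name": m["name"], "changes": []}
            records.append(current)
            change = None
            continue
        if current is None:
            continue  # text before the first object header
        key, sep, value = line.partition(":")
        if sep and key in ("was", "is") and change is not None:
            change[key] = value.strip()
        elif sep and key in DETAIL_KEYS and change is not None:
            change.setdefault("details", []).append(f"{key}: {value.strip()}")
        else:
            change = {"what": line.rstrip(":")}
            current["changes"].append(change)
    return records


def review_first(records):
    """Names of objects whose changes touch ownership, group membership,
    account flags or ACLs: the ones to examine before running an update."""
    return sorted({r["name"] for r in records for c in r["changes"]
                   if any(k.lower() in c["what"].lower() for k in REVIEW_FIRST)})


if __name__ == "__main__":
    records = parse_report(SAMPLE_REPORT)
    for rec in records:
        print(f"{rec['event']} {rec['type']} {rec['name']}")
        for c in rec["changes"]:
            print(f"  {c['what']}: {c.get('was', '')!r} -> {c.get('is', '')!r} {c.get('details', '')}")
    print("review first:", review_first(records))
```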

 


Chapter 2

Background

Change detection and integrity checking

Intact is Pedestal Software’s Change Detection System for Windows NT. Chapter 1 is a general discussion of some uses for change detection, including basic concepts in computer security and a typical use for change detection. You may want to skip it if you are familiar with the concepts of change detection, integrity checking and intrusion detection.

Intact and Intrusion Detection

Intact reports on changes made to computer systems. The most common use for change detection today is for recognizing host intrusion. Intrusion Detection Systems (IDS) assist administrators in locating compromises and attempts to gain access to a computer system without proper authorization. Intact helps security administrators monitor systems for security breaches by detecting changes to a computer system and reporting on them.

Intrusion detection has three aspects:

1)      Detecting a break-in

2)      Assessing damage

3)      Repairing the damage and closing security holes

Intact helps you manage this by providing administrators with details on when, how, and what changes were made.

By considering a system as a whole unit independent of its external interfaces, Intact tracks any additions, deletions and changes to the integrity of data which may be evidence of unauthorized access. This information can help you assess and repair security holes in your system. For instance, it can detect if an insider changes any security parameters which would allow intruders (or other insiders) to gain access to important and sensitive information. It can help to locate Trojan horse programs which may have surreptitiously been copied onto your computer (for example, Back Orifice or Netbus).

Intact does not secure your computer systems or network but does report on changes to the existing security configuration. Properly locking down your network and computer systems requires planning and policy design.

If implemented correctly, an integrity checker will detect any change to your system even if the attacker is sophisticated enough to cover his tracks in the log files.

Data Integrity

Intact can verify the integrity of data. It answers the question: has my data been altered?

Intact verifies data integrity by keeping a copy of all relevant information about the system, its hardware, software, operating system and files in a database. This database can be systematically compared with the active system to detect any changes to that data and the system. The database may contain all the actual data stored in the system. More commonly, only the configuration files, significant parameters and file signatures[8] are stored.

One example is tracking the activities of software. For example, installation programs must be run as “Administrator”, which allows them to easily undo your carefully implemented security setup, either maliciously or through careless programming by the program designer.

Another example is verifying that core operating files and settings have not been altered on laptops borrowed by staff at your organization.

How is Intact unique?

There are several file integrity checkers for Unix and NT. No other integrity checker, however, is as tightly integrated with NT: Intact verifies information about NT users and groups and the sophisticated levels of security which NT provides. Intact uses the security engine found at the core of our NTSEC suite of tools, which extracts and synthesizes every aspect of a file’s or registry key’s content, security and auditing. Intact provides an easy-to-use graphical user interface. Intact Intelligence and Intact Enterprise can watch the change behavior of a computer system for several days and automatically create a comprehensive list of non-changing data and characteristics whose integrity should be verified, without reporting on expected changes. This greatly enhances the ease of configuration.

Benefits of Intact

- Comprehensive system auditing

- Intrusion and Change Detection

- Data integrity and data corruption detection

- Track changes made by installation programs or other applications

- Monitor daily system activity

- Hardware change detection

Scanning is not enough

Network Intrusion Detection Systems actively scan the network. Other host Intrusion Detection Systems simply scan system logs and report unusual activity. This approach, often called scanning, is pro-active and may potentially catch an intruder before he causes damage or steals sensitive information. However, the tools only look for approaches which are well known. A hacker who discovers a new strategy may be able to slip through the limited set of tests which scanning software performs. By the time the alarm is sounded the intruder may already have gained access to the system. Furthermore, scanning software normally does not report what, if anything, an intruder has changed.

Scanning software also tends to give many false positives and warnings. Many scanners closely examine system and file audit logs. However, if the system has been compromised, then the system and its logs may also have been changed. Furthermore, the hacker may only be interested in weakening the security of your system in order to extract sensitive information in the future. Lastly, the culprit may not be an intruder at all, but a malicious insider.

Although scanning is a valuable resource for preventing and detecting unauthorized access to your system, it is often of little value when managing a break-in’s impact or for gathering evidence after a break-in has occurred.

 




Secure your NT system

Many books and articles have been written on NT security. It is important to implement many changes because NT is insecure when first installed. Microsoft has published several white papers dealing with security which should be read carefully. This section, for the most part, deals with Intact’s role in security.

Scheduling and execution

Very often, Intact will be executed regularly as part of an ongoing backup, recovery and security monitoring system. This section will focus on the command line interface, since use of the GUI has already been covered.

Control Panel

The Control Panel and the Intact Service have their own scheduling mechanism. See the section “Control Panel” for information about scheduling. Using this interface is the preferred method for scheduling execution. However, because the core executable, intact.exe, has a command-line interface, you can schedule it using any of the OS or third-party schedulers.

Using the “at” command

The Windows NT “at” command can be used to schedule the execution of programs without user interaction. You may use this option if you have special requirements not covered by the Control Panel.

Programs scheduled with the “at” command will execute with SYSTEM privileges permitting Intact to have full system access.

To start up a command window as “SYSTEM,” specify the following command, substituting for 15:30 a time in the future when you want the window to come up:

at 15:30 /interactive cmd.exe /k

You may run intact.exe with any arguments instead of cmd.exe. To schedule the program to run every day at 4:30 a.m. you may use:

at 4:30 /every:m,t,w,th,f,s,su intact.exe -check intact.icf intact.idb

Secure the database

If a sophisticated hacker can change your system, then he can alter the database to match his changes. It is therefore important to secure the database. The first thing to consider is that the database should also include the configuration file (as an object) so that Intact can verify its own configuration for possible misconfiguration or tampering.

If you are using the Enterprise version, the database and the configuration are stored securely on a remote database and some of this information may not apply. The remote database controls access.

Use removable write-protected media

Storing the Intact detection database on hardware devices having physical write-protection can always prevent a remote attacker from altering a database. For instance, most floppy disks have a tab that can be switched to prevent the hardware from writing to the media. Removable hard disks also have this feature.

If your disk does not have this feature, you may wish to remove the disk from the computer. Another alternative is to store the database on tape and copy it over to the hard drive every time you wish to run a check. If the hacker has tampered with the intact.exe executable or the restore/backup program, then these options may not help you. Write-protected media are the only way to be sure that your database is clean.

Intact Enterprise utilizes the security features of its back-end RDBMS to keep the detection database and client configurations secure. Access control within the RDBMS, maintained by the central management console, prevents an attacker from removing or tampering with detection database records and configuration parameters. The exact permissions are handled automatically by the Enterprise Administrator and depend on your database vendor and on the execution mode scheduled to run.

ODBC Database Permissions for Intact Enterprise

Access rights enforced by the Enterprise Administrator for each of the Intact operating modes are listed below:

Check-mode

·         Select access to detection table.

·         Update on statusid and status columns of configuration table.

·         Select access to the configuration table.

·         Insert on the output/log table.

Build-mode

·         Select, insert, update and delete access to the detection table.

·         Update on statusid and status columns of configuration table.

·         Select access to the configuration table.

·         Insert on the output/log table.

Self-identification

·         Select, insert, update and delete access to the detection table.

·         Update on statusid and status columns of configuration table.

·         Select access to the configuration table.

·         Insert on the output/log table.

Table 23: Database access rights.

Some of the operations an Intact Enterprise client will perform against the relational database:

·         Reading detection database records.

·         Inserting log entries in the output/log table.

·         Inserting status IDs and messages for interaction with the central management console.

Multiple configurations

By using the “#if” command and built-in variables, you can maintain multiple configurations in a single configuration file. This vastly simplifies the distribution and maintenance of integrity checking on several computers. The system is flexible enough to allow for fine tuning of differences among systems. For example, your configuration file could contain lines for all standard directories and then some specifics for servers or other specialized machines.

c:\winnt $(A)

“c:\program files” $(A)

#if $(COMPUTERNAME)==”WWWSR1”

“c:\web data” $(A)

#endif

Figure 24: Multiple configurations sample
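A small preprocessor for the “#if” / “#endif” and $(VAR) syntax used in Figure 24, as an added Python example (it is not Intact’s own configuration parser). It assumes that conditions are limited to == and != comparisons, that $(NAME) is looked up in a dictionary of variables (so COMPUTERNAME is supplied by the caller rather than read from the environment), that lines beginning with “#” other than #if/#endif are comments or commands it does not interpret, and it uses the constructed placeholder ALLFLAGS for the $(A) flag variable, which the manual defines elsewhere. The figure’s own lines are embedded as the sample input.

```python
"""Added example: a preprocessor for the #if / #endif and $(VAR) syntax of
Figure 24.  Not Intact's own parser; == and != comparisons, a variables
dictionary and the ALLFLAGS placeholder are assumptions of this example."""
import re

_VAR = re.compile(r"\$\((\w+)\)")
_COND = re.compile(r"^(?P<lhs>[^=!]*?)\s*(?P<op>==|!=)\s*(?P<rhs>.*)$")

# Figure 24 from the text; $(A) is a flag variable the manual defines elsewhere.
SAMPLE = """c:\\winnt $(A)
"c:\\program files" $(A)
#if $(COMPUTERNAME)=="WWWSR1"
"c:\\web data" $(A)
#endif
"""

def expand(text, variables):
    """Replace every $(NAME) with its value; unknown names expand to ''."""
    return _VAR.sub(lambda m: variables.get(m.group(1), ""), text)

def _unquote(s):
    """Strip matching double quotes (Word's curly quotes are accepted too)."""
    s = s.strip().replace("\u201c", '"').replace("\u201d", '"')
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def preprocess(config_text, variables):
    """Return the object lines that are active for `variables`.  #if blocks
    may nest; a stray #endif or an unterminated #if is an error, so a
    malformed configuration cannot silently drop objects from the check."""
    active, stack = [], []          # stack: truth value of each open #if
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#if"):
            m = _COND.match(expand(line[3:], variables).strip())
            if not m:
                raise ValueError(f"line {lineno}: cannot parse condition {line!r}")
            lhs, rhs = _unquote(m["lhs"]), _unquote(m["rhs"])
            stack.append(lhs == rhs if m["op"] == "==" else lhs != rhs)
        elif line.startswith("#endif"):
            if not stack:
                raise ValueError(f"line {lineno}: #endif without #if")
            stack.pop()
        elif line and not line.startswith("#") and all(stack):
            active.append(expand(line, variables))
    if stack:
        raise ValueError(f"{len(stack)} #if block(s) never closed")
    return active

def objects_for_host(config_text, computername, flags_a="ALLFLAGS"):
    """Convenience wrapper: the lines a given host would check.  'ALLFLAGS'
    is a constructed placeholder for the real $(A) flag string."""
    return preprocess(config_text, {"COMPUTERNAME": computername, "A": flags_a})

if __name__ == "__main__":
    for host in ("WWWSR1", "FILESRV1"):
        print(host, objects_for_host(SAMPLE, host))
```

Treating an unbalanced #if/#endif as an error rather than a warning is deliberate: a configuration that parses “successfully” but leaves a block open would quietly exclude every object after it from the check.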

Insecurities of root drives

The root directory of any drive such as “C:\” does not contain as much detectable information as other directories. For example, the last modified time is not accessible. Therefore, some checks will not be performed on root directories.

File locks

If a file is opened by an application while Intact is executing, it may be locked and Intact will not be able to retrieve the information for flags “1”, “2”, “i”, and “v”, which represent the signature, the file index and the volume serial number.

There is no way around this except to manually terminate all running programs. By permanently locking a file, a hacker could prevent Intact from acknowledging that a file has been modified. However, Intact will notify whenever it encounters a locking or sharing violation. These warnings should be examined carefully.

Checking frequency

It is important to run Intact often in order to quickly detect clandestine changes. However, running the program too often can consume precious resources. A good strategy is to run the check once a day during a quiet period. This will also help to avoid file locks.

You will have to balance the performance impact against the risks according to your needs to keep your information secure. There is a linear relationship between performance and the number of objects you are checking or storing: more files and registries mean longer running times and a larger database. On the other hand, the less frequently you run Intact, the greater the time window will be for changes to go undetected.

Keeping your database up-to-date

The database should be rebuilt or updated whenever changes are performed on the system. It is also important to keep your list of directories to check up to date. Systems may add and remove directories which Intact will not check because they are not included in your configuration file. Often, it is undesirable to check your entire system when the security requirements are limited. Therefore, the administrator should periodically verify that the list of objects included in the configuration file is comprehensive enough to meet the security requirements. This task may be simplified by periodically running Intact in self-ident mode.

The database can be rebuilt in the same way it was built. You may not want to overwrite your original file until you have verified the new database, perhaps by running a check against the system to see whether any changes are reported.

ren a:\web1.idb a:\web1.old.idb

intact -build web1.icf a:\web1.idb

intact -check web1.icf a:\web1.idb

The database may be updated with the “-update” command or through the GUI.


Index


“at” command, 49

Auto mode, 20

centralized management, 20

command line, 39

Commands, 7, 13

Configuration

File and directory flags, 30

general flags, 30

group flags, 31

registry flags, 30

user flags, 31

Configuration Browser, 35

configuration file, 21

Configuration File, 5

configuration file,

commands, 21

comments, 21

environment variables, 22

flags, 29

object description, 24

operators, 21

prefix, 24

sample configuration, 34

specifying registries, 26

variables, 22, 24

Control Panel, 4

email, 7

Execution mode, 18

file extensions, 21

file locks, 51

Hosts List, 9

Installation, 1

Enterprise, 2

Intelligence, 1

intact.exe, 17

new database, 18

Notes, 13

Notification, 20

ODBC

Availability, 4

Logging in, 8

Setup, 9, 14

ODBC Database Permissions, 50

operating modes, 17

Output Viewer, 37

Polling, 5, 11

Properties, 10

Registry Keys

Control Panel, 7

removable media, 18

root drives, 51

scanning, 46

Schedule, 11

Scheduling, 6

security privilege, 41

Self-identification, 19

Service, 4

SMTP, 1, 7, 20, 23

SQL, 2

IBM DB2, 16

Microsoft SQL Server, 16

Oracle, 16

Other database vendors, 16

User space, 16

SQL Permissions, 15

SQL Table Structures, 14

SQL Tables

_cinfo, 15

_conf, 15

_det, 15

_output, 15

system errors, 41

system privileges, 49

Update mode, 38

verify a database, 19

write-protected media, 50


 



Copyright © 1998, 2000 by Pedestal Software. Windows NT is a registered trademark of Microsoft Corp. Intact is a trademark of Pedestal Software. All other trademarks are trademarks of their respective companies.

[1] The scheduling mechanism is similar to “cron” which is widely used in Unix systems.

[2] This format is used on all Unix computers as well as many other systems.

[3] The word “objects” from this point forward will refer to items on the computer which Intact is able to detect changes in, for example files, directories, registry keys, users and groups.

[4] LDAP URLs are defined in RFC1959.

[5] MD5 is the RSA Data Security Inc. MD5 Message Digest Algorithm.

[6] Must be the first parameter if specified. This option requires the Scheduling service to be running. It will schedule Intact to come up in a new window with the System credentials.

[7] Option available only in Enterprise version.

[8] By file signatures we mean only a unique large number which represents the contents of the file.