On Tue, 28 Sep 2010 00:18:17 -0300, Daniel Cid <[email protected]> wrote:

> Hi list,
>
> OSSEC v2.5 is out. Full details at:
> http://www.ossec.net/main/ossec-v25-released
>
> What is new?
> 6. Added granular Windows rules.

I'd like to make a few comments about the granular group rules and how they might affect people...

There are about 60 new rules for groups. Most, if not all, of the built-in Windows groups have a unique rule associated with them. They have been tested on Win2k and up.

Why do we need all of these rules? Read on...

One reason is that Windows does strange things. It does things like adding users to a group called "NONE" upon creation. It sometimes adds users to and removes them from groups very quickly (well, applications like Data Protector do that).

More importantly, not all groups are created equal. A user added to the Schema Admins group is quite a different thing than a user being added to the Users group (which also happens upon account creation) or a computer added to the Domain Computers group. So, by breaking these down, we can pre-tune the rules to only get alerts that are truly meaningful. In general, this means things that are sensitive in nature (privileged groups) and things that are rare. We generally need not be bothered with alerts for non-privileged activity.

But wait, there's more! Wouldn't you like to know if a system account (IUSR, Guest) was now an Administrator? Would you like to know if a privileged group changed immediately after an attack was detected by other rules? This sets the stage for that kind of stuff.

I tried to maintain backward compatibility as much as possible, but as with any rules update, you'll want to evaluate your local rule dependencies to see how things play out. In particular, if you have dependencies on 18114, 18128, account_changed or group_changed, this may affect you. You may want to get notified about all group changes as before, in which case your rules are probably best triggered by group, rather than ID (e.g. <if_group>win_group_changed</if_group>).

Finally, there is a small bug in these rules. Rule 18233 doesn't get triggered. Instead, the parent rule is triggered. I don't know why. Rule 18234, right below it, does work, and it is written the exact same way. If you see the bug, please let me know.

Feedback, as always, is welcome.

-- 
[I] Immutable Security
Information Security, Privacy and Personal Liberty
http://www.immutablesecurity.com
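As an added illustration of the "trigger by group, not by ID" advice above (this is example configuration written for this note, not part of the OSSEC v2.5 rule set or of the original post), a local_rules.xml fragment that keeps a single alert for every Windows group change and adds a higher-level child rule for one of the privileged groups named in the message. The rule IDs 100100 and 100101 are assumed free in the local range, and the `<match>` string assumes the group name appears verbatim in the decoded event text.

```xml
<group name="local,windows,">

  <!-- Restore the pre-2.5 behaviour of one alert per Windows group change.
       Keyed on the group win_group_changed rather than on rule IDs such as
       18114 or 18128, so it survives future renumbering of the child rules. -->
  <rule id="100100" level="5">
    <if_group>win_group_changed</if_group>
    <description>Local: Windows group membership changed (any group).</description>
  </rule>

  <!-- Child of the rule above: escalate when the changed group is a
       privileged one. "Schema Admins" is used as the example; the exact text
       to match depends on how the event is rendered in the log (assumption). -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <match>Schema Admins</match>
    <description>Local: privileged Windows group (Schema Admins) membership changed.</description>
  </rule>

</group>
```

After adding this, run ossec-logtest against a captured group-change event to confirm that 100101 (not only 100100 or the stock 18xxx rule) is the rule that fires.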
