Automating Audit Tests with Eventtriggers.exe (20 Critical Control Scripting Tip)

James Tarala | 20 Critical Controls, Audit

One of the issues we have been dealing with extensively lately is auditing and automation. It has come up most often when we have been discussing how to automate control assessments in conjunction with implementing the 20 Critical Controls. One of the core principles of the 20 Critical Controls is that organizations need the ability to automate security assessments, in order to shorten the time it takes to detect a problem and allow a more prompt response to detected threats.

One way to assist with automating any given assessment is to script the assessment and then schedule the script you write. That way your tests work for you and can respond automatically in some way when a particular condition is discovered. Rather than building a detection and alerting mechanism from scratch, why not use one that is already built into the Microsoft Windows versions you are already running? The Windows Event Log is a great place to start.

First, you can use a command such as EventCreate to write a new event log entry when your script detects something. For example, if you use nmap with PBNJ to look for new hosts on your network (think Critical Control #1), you could use EventCreate to write an event log entry every time a new device is discovered. Or, if you use WMIC to list the startup items on a machine (think Critical Control #2), you could use EventCreate to write an event log entry every time a new startup entry appears. Get the idea? Use built-in Windows tools to support your automation efforts; all it costs is a little sweat equity and some trial and error with the tools you already have.
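The startup-item case above, worked through as an added example (this is not code from the original post): the script snapshots the startup items, compares them with a saved baseline, and writes an Application log event through EventCreate for every item that was not present on the previous run. It reads the same Win32_StartupCommand class that "wmic startup" reads, but through Get-WmiObject, because WMIC's CSV output does not quote commas inside command lines. The baseline path, the event source name and the event ID are assumptions chosen for this example.

```powershell
# Added example, not code from the original post: diff the startup items
# against a saved baseline and raise an Application log event per new item.
# Baseline path, event source and event ID below are assumptions.
$Baseline = 'C:\AuditScripts\startup-baseline.txt'
$Source   = 'AuditScript'   # becomes the event Source; the trigger filters on it later
$EventId  = 900             # eventcreate accepts IDs 1-1000

# One line per item (location | caption | command), sorted so the diff is stable.
# Same data as "wmic startup get Caption,Command,Location", without the CSV parsing.
$current = @(Get-WmiObject -Class Win32_StartupCommand |
    ForEach-Object { '{0} | {1} | {2}' -f $_.Location, $_.Caption, $_.Command } |
    Sort-Object -Unique)

if (-not (Test-Path -Path $Baseline)) {
    # First run: record the baseline and log that fact so the blind spot is visible
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Baseline) | Out-Null
    $current | Set-Content -Path $Baseline
    & eventcreate.exe /T INFORMATION /ID $EventId /L APPLICATION /SO $Source `
        /D "Startup-item baseline created with $($current.Count) entries"
    exit 0
}

$known = @(Get-Content -Path $Baseline)
$new   = @($current | Where-Object { $known -notcontains $_ })

foreach ($item in $new) {
    # Keep the description short; the full line is still in the baseline file
    $desc = "New startup item detected: $item"
    if ($desc.Length -gt 1000) { $desc = $desc.Substring(0, 1000) }
    & eventcreate.exe /T WARNING /ID $EventId /L APPLICATION /SO $Source /D $desc
}

# Refresh the baseline so each addition is reported once, not on every run
$current | Set-Content -Path $Baseline
```

Run it elevated the first time, because registering a new event source needs administrative rights, then schedule it with Task Scheduler (schtasks) to run daily. Whatever event ID and source you pick here are the values your trigger has to match.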

For more details on how to use EventCreate, check out these resources to get started:

Microsoft TechNet Reference on EventCreate:

http://technet.microsoft.com/en-us/library/bb490899.aspx

Microsoft Support article for creating custom event log entries:

http://support.microsoft.com/kb/324145

Once the event is in the log, eventtriggers.exe can watch for it and run a command (send an e-mail, kick off another script, and so on) whenever it appears. One caveat: eventtriggers.exe shipped with Windows XP and Server 2003 only. Vista, Server 2008 and later removed it, and the equivalent there is a Task Scheduler event trigger, created with schtasks /create /sc ONEVENT or with "Attach Task To This Event" in Event Viewer. For details on how to use eventtriggers in more depth, here are a couple of resources to get you started:

Microsoft TechNet Reference on EventTriggers.exe:

http://technet.microsoft.com/en-us/library/bb490901.aspx

Petri.co.il Article on EventTriggers.exe:

http://www.petri.co.il/how-to-use-eventtriggersexe-to-send-e-mail-based-on-event-ids.htm

In addition to automating tasks with the eventtriggers.exe command, you may also want to consider command-line e-mail tools, which can send an e-mail as the action your trigger runs. Two free command-line tools you may want to consider are:

Blat (http://www.blat.net/)

Bmail (http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm)

To run either of these tools you will need access to an active mail server. It does not have to listen on tcp/25, but it does have to speak SMTP. Running an administrative relay like this on an alternate port keeps it out of the most casual scans, but that is obscurity, not protection: a port scan of the host will still find it, so restrict which hosts may relay through it and require authentication where the tool and the server support it.
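Tying the trigger and the mail tool together, as an added example covering both the eventtriggers section and the command-line mail section above (this is not code from the original post): the script writes a small batch wrapper that calls Blat, then registers a trigger that runs the wrapper whenever the audit script's event lands in the Application log. On XP and Server 2003 it uses eventtriggers.exe; where that is absent (Vista and later) it creates the equivalent Task Scheduler event trigger with schtasks /sc ONEVENT. The task name, wrapper path, event source and ID, relay host:port and e-mail addresses are all assumptions for this example.

```powershell
# Added example, not code from the original post: register a trigger that
# mails an alert whenever the audit script's event appears. eventtriggers.exe
# is XP/2003-only; on Vista+ the same trigger is a schtasks ONEVENT task.
# Task name, wrapper path, source/ID, relay and addresses are assumptions.
$Source   = 'AuditScript'     # must match the /SO value the audit script passes to eventcreate
$EventId  = 900
$TaskName = 'AuditScript-NewStartupItem'
$Wrapper  = 'C:\AuditScripts\mail-alert.cmd'   # no spaces in the path, so no quoting trouble in /tk or /tr
$MailHost = 'mail.example.internal:2525'       # assumed relay listening on a non-default port
$From     = 'audit@example.internal'
$To       = 'soc@example.internal'

# The wrapper holds the Blat command line (http://www.blat.net/); blat.exe must be on the
# PATH of the account the task runs as. -server takes host:port, so tcp/25 is not required.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Wrapper) | Out-Null
@"
@echo off
blat.exe -to $To -f $From -server $MailHost -subject "Audit alert: event $EventId from $Source on %COMPUTERNAME%" -body "A new startup item was logged. Check the Application log on %COMPUTERNAME%."
"@ | Set-Content -Path $Wrapper -Encoding ASCII

if (Get-Command -Name eventtriggers.exe -ErrorAction SilentlyContinue) {
    # XP / Server 2003: trigger on log and event ID, run as System so no password is stored.
    # eventtriggers also has /so to filter on source; add it if your version accepts it with /eid.
    & eventtriggers.exe /create /tr $TaskName /l APPLICATION /eid $EventId /tk $Wrapper /ru System
} else {
    # Vista+: XPath filter on the Application channel matching both provider (source) and ID
    $Query = "*[System[Provider[@Name='$Source'] and EventID=$EventId]]"
    & schtasks.exe /create /tn $TaskName /sc ONEVENT /ec Application /mo $Query /tr $Wrapper /ru System /f
}
```

Test the whole chain before trusting it: raise the event by hand with eventcreate /T WARNING /ID 900 /L APPLICATION /SO AuditScript /D "test" and confirm the mail arrives. Because the task runs as System, the wrapper runs with no interactive desktop and only the System account's PATH, which is the usual reason a trigger that "does nothing" is actually failing to find blat.exe.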