Unix Audit Script for Disk Utilization

James Tarala | Baselining, Scripting, Unix Auditing

We’ve noticed an issue on some of our Unix servers lately. This may not be completely security-related (unless, of course, we’re talking about the availability of a system). We have noticed on quite a few occasions lately that the disk space on our Unix servers has started to grow out of control to the point where the availability of …

More Unix Audit Script One Liners

James Tarala | Baselining, Scripting, Unix Auditing

In our last post we gave some examples of Unix audit script one-liners for baselining information from a Unix system. It turns out there are more people than we thought who are interested in this topic and are looking to include commands like these in their scripts. We definitely appreciate everyone’s enthusiasm and decided to post more commands in …

Unix Audit Script One Liners

James Tarala | Baselining, Scripting, Unix Auditing

Lately I’ve had quite a few requests come in from students and clients to review the audit scripts that companies are using to audit their Unix/Linux systems. It seems like every company has one person who, at some point in time, wrote a script to audit Unix systems, or they downloaded one from someone online. But in either …

Comparing Text Files in Windows

James Tarala | Baselining, Tools, Windows Auditing

So last month we wrote a post about the built-in capabilities of Microsoft Windows for comparing two text files. Personally, when I am comparing two files I am concerned that I can do it from the command line, can easily automate the comparison, and that the output is easy to parse and understand. Built …

Comparing Two Files with PowerShell

James Tarala | Baselining, Windows Auditing

One of the concepts that we have written about over and over again on this blog is the principle of baselining: comparing the present state of a system with a known-good snapshot of the same attribute of that system. If, for instance, we have a server with 10 running services on it today, and tomorrow we …

Auditing Windows Permissions with Get-ACL

James Tarala | Baselining, Uncategorized, Windows Auditing

One of the new Microsoft PowerShell cmdlets that auditors should appreciate is the Get-ACL cmdlet. Now, through native PowerShell commands, an auditor can retrieve a list of all the permissions associated with a given Windows object. The output from this command can be used to create a permissions baseline if someone is trying to alert on permission changes. Or this …

PowerShell Remoting and Get-Process

James Tarala | Incident Response, Scripting

One of the exciting features of Microsoft Windows PowerShell is the ability to run commands both against a local computer and against remote machines that the user has rights to access. PowerShell has a couple of different ways it can do this – one is through Windows Management Instrumentation (WMI) calls against remote machines and the other is through true PowerShell …

Parsing Windows Firewall Rules

James Tarala | Scripting, Uncategorized, Windows Auditing

In our last post we discussed how to gather general information about the host-based firewall configuration of the Microsoft Windows Firewall. But what most people are really interested in when doing a firewall audit is how the firewall rules themselves are configured. One of the challenges of auditing a Microsoft Windows Firewall ruleset is how to parse …

Script for Windows Firewall Baseline

James Tarala | Baselining, Windows Auditing

Another baseline an auditor or system administrator might want to consider when assessing their systems is a baseline for the general configuration of the Microsoft Windows Firewall. Many organizations are starting to utilize the built-in Microsoft Windows Firewall more and more when protecting even their internal systems. The use of a host-based firewall should definitely be on the …

Parsing Active Directory Groups

James Tarala | Baselining, Scripting, Windows Auditing

In a previous post we shared a PowerShell script that would allow an auditor to parse a list of groups and group members on a Microsoft Windows system as part of a security assessment or baselining process. The question has come up, though: what if someone wants to follow the same process but parse a list of Active …