Re: Local Security Policy Standards

[Adam Carlson <ajcarlson () BERKELEY EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John,
        If you are looking for a command line tool that will apply security
policies and can be scripted, then I would suggest you look at secedit.
 It's been a few years since I've used it, but I'm pretty sure I applied
the NSA security templates with it in one of my previous positions:

Here is a manual page about it:

http://technet.microsoft.com/en-us/library/bb490997.aspx

There is also an example script using secedit from Microsoft on the page
below, scroll down to the section that is titled "Automated Scripts":

http://technet.microsoft.com/en-us/library/cc163078.aspx

Here is a page that talks about general usage:

http://www.appdeploy.com/tips/detail.asp?id=23

And here is a forum post about using it in a scripted environment to
overwrite existing policies:

http://www.eggheadcafe.com/forumarchives/windowsserverscripting/Jul2005/post23155047.asp

Hope that helps,

- -Adam

John Culkin wrote:
> Hello:
>
> Does anyone have some scripts which apply the Local Security Policy
> settings from the NSA or other respectable groups?
>
> Thanks,
>
> -- John C.
>
> Russell Fulton wrote:
> > I would run tcpdump on the sensor with an appropriate filter to make
> > sure the sensor is actually seeing the traffic you think it should
> > be.  I've been had by that one a couple of times -- spanning not set
> > up properly on routers etc.
> >
> > R
> >
> > On 3/12/2008, at 5:47 AM, Chris Green wrote:
> >
> > > Write the rules out using only your CIDR notation and you get:
> > > (assuming you have SSH_PORTS defined)
> > >
> > > alert tcp !137.165.0.0/16 any -> 137.165.224.0/24 22 (flow:stateless;
> > > flags:S,12; msg: “test”; sid: 1234125);
> > >
> > > Where are you testing from? On campus?
> > >
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Charbonneau
> > > Sent: Tuesday, December 02, 2008 10:14 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: [SECURITY] writing SNORT rules
> > >
> > > Good morning
> > >
> > > I have written 3 "quick and dirty" SNORT rules and am trying to
> > > follow the write/test/write/test/write/test/write/test
> > >
> > > Unfortunately even the first test isn't working.  I never see the
> > > alert message for these rules in my alert log.  Is there some other
> > > directive in the snort.conf file that could be precluding these
> > > stateless "hits" from being processed in some way?
> > >
> > > If you have any responses, we should probably take this off-line to
> > > keep the list from being clogged, unless, of course, this is a
> > > "class" problem for all first time rule writers.  I think it's
> > > something stupid, but I just can't see it.
> > >
> > >
> > > These are the simplest rules I could think of with the ongoing
> > > process of modifying them for my final needs.  My ultimate goal is to
> > > be able to grep the alert file for this LOCAL message and grab the
> > > timestamps; I want come up with a way to sanity check the duration of
> > > established ssh sessions to compare against host machine log files.
> > >
> > > Here are the rules:
> > >
> > > [root@netsniff emerging]# cat /usr/local/etc/rules/local.rules
> > > # $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
> > > # ----------------
> > > # LOCAL RULES
> > > # ----------------
> > > #
> > > alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS
> > > (flow:stateless; flags:S,12; msg: "LOCAL Connection attempt -- NetSys
> > > asset on port 22"; sid: 2008001;)
> > > alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS
> > > (flow:stateless; flags:F,12; msg: "LOCAL Connection termination --
> > > NetSys asset on port 22"; sid: 2008002;)
> > > alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS
> > > (flow:stateless; flags:R,12; msg: "LOCAL Connection reset -- NetSys
> > > asset for port 22"; sid: 2008003;)
> > > [root@netsniff emerging]#
> > >
> > > The variables EXTERNAL_NET, NETSYS_NET, SSH_PORTS are all defined:
> > >
> > > var HOME_NET 137.165.0.0/16
> > > var NETSYS_NET 137.165.224.0/24
> > > var EXTERNAL_NET !$HOME_NET
> > >
> > >
> > > RULE_PATH is defined as var RULE_PATH /usr/local/etc/rules
> > >
> > >
> > > Here is the portion of the snort.conf file that "includes" the
> > > local.rules file:
> > >
> > > #
> > > # Please read the specific include file for more information and
> > > # README.alert_order for how rule ordering affects how alerts are
> > > triggered.
> > > #=========================================
> > >
> > > include $RULE_PATH/local.rules
> > > # include $RULE_PATH/bad-traffic.rules
> > > include $RULE_PATH/exploit.rules
> > >
> > >
> > > I have stopped and restarted snort with the same command line I
> > > always use:
> > >
> > > snort -A full -i eth3 -N -K none -c /usr/local/etc/snort.conf -D
> > >
> > > PeteC
> > >
> > >
> > > Peter Charbonneau
> > > Sr. Network and Systems Administrator
> > > Williams College
> > > (413) 597-3408 (office)
> > > (413) 822-2922 (cell)


- --
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1z44ACgkQT0QSLt7kiaC+fQCfW4xDizIBvkZUrO/Jl3tsrFXP
95sAnjG4jKz6xuZdccfy9+p79NQAM76o
=mDr8
-----END PGP SIGNATURE-----