Sometimes, especially for security reasons, it is important to know whether the USB ports of a server have been used and, if so, what activity took place. With the new version 1.7.0 of the Safed agent we can monitor USB ports on Windows Vista 2008 and later versions. The agent can receive WMI event notifications concerning “Win32_PnPEntity”. Activity of the classes “__InstanceCreationEvent”, “__InstanceDeletionEvent” and “__InstanceModificationEvent” is recorded, filtered and forwarded to the syslog collector.
Configuring Safed for USB port monitoring is fairly easy:
Step one – enable monitoring: From the menu on the left choose “Network Configuration” and tick “Enable active USB auditing”. (Img. 1)
Step two – add a new “EventLog Objective Configuration”: From the list “Identify the high level event” choose “USB Event” (Img. 2). If desired, we can enter a filter based on a regular expression in the “General Search Term” field. One example would be filtering for “USB Mass Storage Devices” to be notified when USB mass storage devices are added, removed or modified.
After this configuration, Safed records all USB activity, identifies each event with an ID (18 = USB added, 19 = USB removed, 20 = USB modified) and sends it to the syslog collector. (Img. 3)
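To see on a test host what these WMI notifications look like, the following PowerShell script (an added example, not Safed code) subscribes to the three event classes for “Win32_PnPEntity”, applies a regular-expression filter and tags each event with the IDs listed above. The variable names, the 2-second polling interval, the USB prefix check on the device ID and the printed line format are assumptions of this example.

```powershell
# Added example, not Safed code. Run on Windows (PowerShell 3.0 or later),
# in a dedicated session so the event queue holds only these subscriptions.
# IDs follow the article's mapping; the printed line format is constructed.
$idByClass = @{
    '__InstanceCreationEvent'     = 18   # USB added
    '__InstanceDeletionEvent'     = 19   # USB removed
    '__InstanceModificationEvent' = 20   # USB modified
}
$searchTerm = 'USB Mass Storage'   # regular expression, as in "General Search Term"

foreach ($class in $idByClass.Keys) {
    # Intrinsic WMI events are polled, so a WITHIN interval (seconds) is mandatory.
    $wql = "SELECT * FROM $class WITHIN 2 WHERE TargetInstance ISA 'Win32_PnPEntity'"
    Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $wql `
        -SourceIdentifier "usbwatch-$class" -MessageData $idByClass[$class]
}

try {
    while ($true) {
        $evt = Wait-Event -Timeout 5
        if ($null -eq $evt) { continue }
        foreach ($e in @($evt)) {
            Remove-Event -EventIdentifier $e.EventIdentifier
            # For deletions, TargetInstance is the device as it was before removal.
            $dev = $e.SourceEventArgs.NewEvent.TargetInstance
            # Win32_PnPEntity covers every PnP device: keep only USB-enumerated ones.
            if ($dev.PNPDeviceID -notmatch '^USB') { continue }
            $text = '{0} | {1} | {2}' -f $dev.Name, $dev.Description, $dev.PNPDeviceID
            if ($text -notmatch $searchTerm) { continue }
            # One line per matching event: timestamp, ID, host, device details.
            '{0:s} id={1} host={2} {3}' -f $e.TimeGenerated, $e.MessageData,
                $env:COMPUTERNAME, $text
        }
    }
}
finally {
    # Remove the three subscriptions when the loop is interrupted (Ctrl+C).
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'usbwatch-*' |
        Unregister-Event
}
```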
“Hi guys! I’m Mihail and since my university years I have been fascinated by distributed systems and measurements on them. Now that I have joined the Neteye project I have the possibility to continue with this passion, and this is great. My free time is completely dedicated to my wife and my daughters, I simply love them.”
Author
MarinovMihail