6.5 Custom Check Examples

This section walks through custom checks you can create with the wizard, either by editing an existing NetIQ check and saving it under a new name, or by building a new check from scratch.

6.5.1 Accounts with Passwords More than 60 Days Old

Secure Configuration Manager provides the Accounts with Passwords More than 90 Days Old security check. You can edit this check to create the Accounts with Passwords More than 60 Days Old custom check.

The Accounts with Passwords More than 60 Days Old custom check has the following properties:

Description

Lists accounts with passwords older than 60 days.

Explanation

Users should change account passwords regularly so that a password that has been stolen or observed stops working after a bounded period.

Risks

Once malicious users have guessed or stolen a password, they can use it until it is changed. The longer the interval between password changes, the more damage a compromised password can do.

Remedies

Require users to change their passwords at least every 60 days.

To create the Accounts with Passwords More than 60 Days Old custom check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Security Checks > NetIQ Checks > Windows.

  3. Select User/Groups.

  4. In the content pane, right-click Accounts with Passwords more than 90 days old, and then click Edit Security Check.

  5. In the left pane, click Attributes.

  6. Select Password Policy in the Available Attributes pane.

  7. Click the right arrow to move Password Policy to the Attributes to Check field.

  8. In the left pane, click Filter.

  9. Type 5184000 in the Criteria field. This is 60 days expressed in seconds (60 x 86400), the unit the filter compares against.

  10. Click Save As.

  11. Type Accounts with Passwords More than 60 Days Old as the name of the new check.

  12. Click OK.
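The comparison the edited check performs, written out in Python as an added example (this is not code from the page or from Secure Configuration Manager). It assumes each account record carries the time the password was last set as a Windows FILETIME value (100-nanosecond ticks since 1601-01-01 UTC) and keeps the threshold in seconds, which is why the filter criterion above is 5184000. It also handles the one value a naive comparison gets badly wrong: a record whose timestamp is 0, which Active Directory's pwdLastSet uses to mean "never set / must change at next logon" and which would otherwise be reported as several centuries old. The sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

MAX_PASSWORD_AGE_DAYS = 60
# 60 days * 86400 s/day = 5184000 s: the value typed into the filter's Criteria field.
MAX_PASSWORD_AGE_SECONDS = MAX_PASSWORD_AGE_DAYS * 86_400


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def password_age_seconds(password_last_set: int, now: datetime) -> float:
    """Seconds elapsed since the password was set."""
    return (now - filetime_to_datetime(password_last_set)).total_seconds()


def accounts_with_old_passwords(accounts, now, max_age_seconds=MAX_PASSWORD_AGE_SECONDS):
    """Return (stale, never_set).

    stale:     sorted (name, whole days old) for passwords older than
               max_age_seconds.  The comparison is strict, so a password set
               exactly 60 days ago is NOT reported ("more than 60 days").
    never_set: names whose timestamp is 0 (assumed pwdLastSet semantics:
               never set, or must change at next logon).  Listed separately
               instead of being treated as a 1601 timestamp.
    """
    stale, never_set = [], []
    for acct in accounts:
        ticks = acct["password_last_set"]
        if ticks == 0:
            never_set.append(acct["name"])
            continue
        age = password_age_seconds(ticks, now)
        if age > max_age_seconds:
            stale.append((acct["name"], int(age // 86_400)))
    return sorted(stale), sorted(never_set)


def _utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Fixed "now" so the results are reproducible.
NOW = _utc(2024, 3, 1)

# Constructed sample records (hypothetical accounts, not real data).
SAMPLE_ACCOUNTS = [
    {"name": "alice", "password_last_set": datetime_to_filetime(_utc(2024, 1, 15))},   # 46 days
    {"name": "bob",   "password_last_set": datetime_to_filetime(_utc(2023, 11, 30))},  # 92 days
    {"name": "carol", "password_last_set": datetime_to_filetime(_utc(2023, 12, 31, 23, 59, 59))},  # 60 days + 1 s
    {"name": "dave",  "password_last_set": datetime_to_filetime(_utc(2024, 1, 1))},    # exactly 60 days
    {"name": "eve",   "password_last_set": 0},                                         # never set
]

if __name__ == "__main__":
    stale, never_set = accounts_with_old_passwords(SAMPLE_ACCOUNTS, NOW)
    for name, days in stale:
        print(f"{name}: password is {days} days old")
    for name in never_set:
        print(f"{name}: password never set or must change at next logon")
```

Run against the sample data, bob and carol are reported, dave is not (exactly 60 days is not "more than"), and eve appears in the separate never-set list rather than as a 423-year-old password.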

6.5.2 Kernel Parameters

The following example shows how to create a simple informational check for a UNIX or Linux computer.

The Kernel Parameters custom check has the following properties:

Description

Lists kernel parameters.

Explanation

Provides a list of editable kernel parameters.

Risks

This security check is for information only.

Remedies

This security check is for information only.

To create the Kernel Parameters custom check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Security Checks.

  3. Right-click My Checks, and then click New Security Check.

  4. Select UNIX in the Platform field.

  5. Expand Host in the Object field to show the list of child objects.

  6. Select Kernel Parameter.

  7. Click Next.

  8. Click the right double arrow button.

  9. To create an unfiltered security check, click Next.

  10. Click Next.

  11. In the Scoring Method field, select Information Only.

  12. Click Next.

  13. Type Kernel Parameters in the Check Name field.

  14. Select System in the Category field.

  15. Type a description of your custom check in the Brief Description field.

  16. Click Next.

  17. Review the summary of your custom check.

  18. Click Finish.

6.5.3 Registry Keys Modified Since Date

The following example shows how to create a custom check for registry keys on a Windows computer.

The Registry Keys Modified Since Date custom check has the following properties:

Description

Checks for registry keys modified since specified date.

Explanation

Identifies registry keys whose last-write time is later than a date you supply when the check runs.

Risks

Registry keys modified outside an approved change may indicate that an intruder or malware has tampered with the computer.

Remedies

Verify that all modified registry keys are from approved processes. Follow with other security checks to identify other evidence of tampering.

To create the Registry Keys Modified Since Date custom check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Security Checks.

  3. Right-click My Checks, and then click New Security Check.

  4. Select Windows in the Platform field.

  5. Expand Workstation in the Object field to show the list of child objects.

  6. Select Registry Key.

  7. Click Next.

  8. Select Key Name and Modification Date and click the right arrow button.

  9. Click Next.

  10. Select Modification Date in the Attribute list.

  11. Select greater than in the Operator list.

  12. Select User Parameter in the Type list.

  13. Click the Criteria field to open the User Parameter window.

  14. Type MODIFIED SINCE in the Name field.

  15. Type Modified keys since this date in the Description field.

  16. Click the checkmark button.

  17. Click Next.

  18. Type a default date in the Modified Since field using the MM/DD/YY HH:MM:SS format.

  19. In the Registry Key Name field, type an asterisk (*), and then click Next.

  20. Select Unique Count in the Scoring Method field.

  21. Click Next.

  22. Type Registry Keys Modified Since Date in the Check Name field.

  23. Select System in the Category field.

  24. Type a description of your custom check in the Brief Description field.

  25. Click Next.

  26. Review the summary of your custom check.

  27. Click Finish.
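The same check as a stand-alone Python script, added here as an example (not code from the page or from Secure Configuration Manager). It parses the MM/DD/YY HH:MM:SS user parameter, applies the key-name wildcard, and reports each matching key once, which is what Unique Count scoring counts. The live scan uses the standard-library winreg module and therefore only runs on Windows; the filtering is kept in a separate function and exercised on a constructed list of keys so the logic can be checked anywhere. Assumptions: the supplied date is interpreted as UTC, and a key's last-write time reflects changes to its own values or immediate subkeys only, which is why the scan visits every key under the starting point rather than just the top level.

```python
import fnmatch
import sys
from datetime import datetime, timedelta, timezone

# Registry last-write times are FILETIME values: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_modified_since(text: str) -> datetime:
    """Parse the MODIFIED SINCE user parameter in the wizard's MM/DD/YY HH:MM:SS format.

    Assumption: the date is taken as UTC so it compares directly with the
    FILETIME values the registry stores.
    """
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S").replace(tzinfo=timezone.utc)


def keys_modified_since(entries, since: datetime, key_pattern: str = "*"):
    """Filter (key_path, last_write_ticks) pairs.

    Returns the sorted, de-duplicated key paths whose last-write time is
    strictly after `since` and whose path matches the wildcard ("*" matches
    everything, as in step 19).  De-duplicating mirrors Unique Count scoring:
    a path that appears twice in the input still counts once.
    """
    hits = set()
    for key_path, ticks in entries:
        if not fnmatch.fnmatchcase(key_path, key_pattern):
            continue
        if filetime_to_datetime(ticks) > since:
            hits.add(key_path)
    return sorted(hits)


def scan_registry(root, subkey: str):
    """Yield (path, last_write_ticks) for `subkey` (non-empty, e.g. "SOFTWARE")
    and every key beneath it.  Windows only: winreg.QueryInfoKey returns
    (subkey_count, value_count, last_write_ticks).  Keys that cannot be opened
    (access denied, or deleted mid-scan) are skipped instead of aborting.
    """
    import winreg  # standard library, present only on Windows
    stack = [subkey]
    while stack:
        path = stack.pop()
        try:
            with winreg.OpenKey(root, path) as key:
                _, _, last_write = winreg.QueryInfoKey(key)
                yield path, last_write
                index = 0
                while True:
                    try:
                        child = winreg.EnumKey(key, index)
                    except OSError:  # no more subkeys
                        break
                    stack.append(f"{path}\\{child}")
                    index += 1
        except OSError:
            continue


def _ticks(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def _utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data standing in for a hive walk (hypothetical key paths).
SAMPLE_ENTRIES = [
    ("SOFTWARE\\Vendor\\App", _ticks(_utc(2024, 2, 10, 9, 30))),
    ("SOFTWARE\\Vendor\\App\\Settings", _ticks(_utc(2023, 12, 1))),
    ("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", _ticks(_utc(2024, 2, 28, 23, 59))),
    ("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", _ticks(_utc(2024, 2, 28, 23, 59))),  # duplicate
    ("SYSTEM\\CurrentControlSet\\Services\\ExampleSvc", _ticks(_utc(2024, 1, 31, 23, 59, 59))),  # equal to cutoff
]

if __name__ == "__main__":
    since = parse_modified_since(sys.argv[1] if len(sys.argv) > 1 else "01/31/24 23:59:59")
    if sys.platform == "win32":
        import winreg
        entries = scan_registry(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE")
    else:
        entries = SAMPLE_ENTRIES
    for key in keys_modified_since(entries, since):
        print(key)
```

On Windows, run it as `python check.py "01/31/24 23:59:59"` to walk HKLM\SOFTWARE; elsewhere it falls back to the constructed list. Note that a key whose last-write time equals the cutoff is not reported, matching the wizard's greater than operator.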

6.5.4 Password Policy Violations

The following example shows how to create a custom check with multiple filters.

The Password Policy Violations custom check has the following properties:

Description

Checks for simple password violations.

Explanation

Checks for user passwords that are blank or that appear in a dictionary (the two conditions the filters below test).

Risks

Passwords that violate even simple policy rules are easy to break and leave the system vulnerable.

Remedies

Identify users with password violations and force password changes.

To create the Password Policy Violations custom check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Security Checks.

  3. Right-click My Checks, and then click New Security Check.

  4. Select Windows in the Platform field.

  5. Expand Workstation in the Object field to show the list of child objects.

  6. Select Password.

  7. Click Next.

  8. Click the right double arrow button.

  9. Click Next.

  10. Select Password found in dictionary in the Attribute list.

  11. Select equals in the Operator list.

  12. Select Value in the Type list.

  13. Select True in the Criteria list.

  14. Select Or in the AND/OR list.

  15. On the next line, select Password is blank in the Attribute list.

  16. Select equals in the Operator list.

  17. Select Value in the Type list.

  18. Select True in the Criteria list.

  19. Click Next.

  20. Click Next.

  21. Select Count in the Scoring Method field.

  22. Click Next.

  23. Type Password Policy Violations in the Check Name field.

  24. Select User/Groups in the Category field.

  25. Type a description of your custom check in the Brief Description field.

  26. Click Next.

  27. Review the summary of your custom check.

  28. Click Finish.

6.5.5 Suspicious User

The following example shows how to create a custom check with multiple filters combined in complex ways.

The Suspicious User custom check has the following properties:

Description

Checks for suspicious remote users.

Explanation

Checks for remote users with poor password protection.

Risks

These accounts may be compromised.

Remedies

Verify accounts belong to trusted users and ensure that password policies are enforced.

To create the Suspicious User custom check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Security Checks.

  3. Right-click My Checks, and then click New Security Check.

  4. Select UNIX in the Platform field.

  5. Expand Host in the Object field to show the list of child objects.

  6. Select User.

  7. Click Next.

  8. Select User name, Primary Group ID, umask Value, Last logon date and time, and Password strength in the Available Attributes pane.

  9. Click the right arrow button.

  10. Click Next.

    NOTE: The filters below are the logical equivalent of this statement: "Report every remote user who is not in the administrative group (primary group ID 1) and who either has a umask that is neither 022 nor 033, or has a password strength greater than 0." With the grouping the steps build, that is: (Primary Group ID not equal to 1 AND Local or Remote Account equals Remote) AND ((umask Value not equal to 022 AND umask Value not equal to 033) OR Password Strength greater than 0). The two umask filters must be joined with AND; joined with OR, "not equal to 022 or not equal to 033" is true for every umask and the condition drops out.

  11. Select Primary Group ID in the Attribute list.

  12. Select not equal to in the Operator list.

  13. Select Value in the Type list.

  14. Type 1 in the Criteria field.

  15. Select AND in the AND/OR list.

  16. On the next line, select Local or Remote Account in the Attribute list.

  17. Select equals in the Operator list.

  18. Select Value in the Type list.

  19. Select Remote in the Criteria list.

  20. Select AND in the AND/OR list.

  21. To select the first two filters, click in the ( or ) column of the first filter, press and hold Shift, and click in the ( or ) column of the second filter.

  22. To enclose the selected filters in parentheses, right click the highlighted area, and select Add ( ).

  23. On the next line, select umask Value in the Attribute list.

  24. Select not equal to in the Operator list.

  25. Select Value in the Type list.

  26. Type 022 in the Criteria field.

  27. Select AND in the AND/OR list.

  28. On the next line, select umask Value in the Attribute list.

  29. Select not equal to in the Operator list.

  30. Select Value in the Type list.

  31. Type 033 in the Criteria field.

  32. Insert parentheses to group the two umask Value filters (the third and fourth filters): click in the ( or ) column of the first umask Value filter, press and hold Shift, click in the ( or ) column of the second umask Value filter, right-click the highlighted area, and then select Add ( ).

  33. Select OR from the AND/OR list.

  34. On the next line, select Password Strength from the Attribute list.

  35. Select greater than from the Operator list.

  36. Select Value from the Type list.

  37. Type 0 in the Criteria field.

  38. To select the remaining filters, click in the ( or ) column of the umask Value filter, hold Shift, and click in the ( or ) column of the Password Strength filter.

  39. To enclose the selected filters in parentheses, right click in the highlighted area, and then select Add ( ).

  40. Click Next three times.

  41. Type Suspicious User in the Check Name field.

  42. Select User/Groups in the Category field.

  43. Type a description of your custom check in the Brief Description field.

  44. Click Next.

  45. Review the summary of your custom check.

  46. Click Finish.
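The grouped filter above as a Python predicate over constructed user records, added here as an example (not code from the page or from Secure Configuration Manager). Beside it is the predicate you get if the NOTE's phrase "not equal to 022 or 033" is transcribed with OR between the two umask filters, to show why the grouping in step 32 matters. Assumptions: primary group ID 1 is the administrative group, as the procedure's first filter implies; umask values are compared as the strings typed into the Criteria field; Password Strength is compared numerically exactly as the filter states; the account names and values are made up.

```python
from dataclasses import dataclass

ADMIN_PRIMARY_GID = 1            # Criteria value of the first filter
ALLOWED_UMASKS = ("022", "033")  # the two umask Value filters, joined with AND


@dataclass(frozen=True)
class UnixUser:
    # The five attributes moved into Attributes to Check, as constructed fields.
    name: str
    primary_gid: int
    umask: str
    last_logon: str          # informational in the report; not used by the filter
    password_strength: int
    account_type: str        # "Local" or "Remote"


def is_suspicious(u: UnixUser) -> bool:
    """The filter as grouped in steps 21-22, 32 and 38-39:

        (primary_gid != 1 AND account = Remote)
        AND ((umask != 022 AND umask != 033) OR password_strength > 0)
    """
    remote_non_admin = u.primary_gid != ADMIN_PRIMARY_GID and u.account_type == "Remote"
    unusual_umask = u.umask != ALLOWED_UMASKS[0] and u.umask != ALLOWED_UMASKS[1]
    return remote_non_admin and (unusual_umask or u.password_strength > 0)


def is_suspicious_misread(u: UnixUser) -> bool:
    """The same filter with OR between the two umask lines.

    `umask != 022 OR umask != 033` holds for every possible umask (no single
    value equals both), so the umask test vanishes and every remote
    non-administrative user is reported regardless of password strength.
    """
    remote_non_admin = u.primary_gid != ADMIN_PRIMARY_GID and u.account_type == "Remote"
    umask_misread = u.umask != ALLOWED_UMASKS[0] or u.umask != ALLOWED_UMASKS[1]
    return remote_non_admin and (umask_misread or u.password_strength > 0)


def flagged(users, predicate=is_suspicious):
    """Names of the users the given predicate reports, in input order."""
    return [u.name for u in users if predicate(u)]


# Constructed sample records (hypothetical accounts, not real data).
SAMPLE_USERS = [
    # remote, non-admin, standard umask, strength 0: clean under the real filter
    UnixUser("appsvc", primary_gid=500, umask="022", last_logon="2024-02-27 08:12:00",
             password_strength=0, account_type="Remote"),
    # remote, non-admin, permissive umask: reported
    UnixUser("jdoe", primary_gid=500, umask="000", last_logon="2024-02-26 17:45:00",
             password_strength=0, account_type="Remote"),
    # remote, non-admin, standard umask but password strength > 0: reported
    UnixUser("mlee", primary_gid=500, umask="022", last_logon="2024-02-28 09:01:00",
             password_strength=3, account_type="Remote"),
    # administrative primary group: excluded by the first filter
    UnixUser("ops", primary_gid=1, umask="000", last_logon="2024-02-28 11:30:00",
             password_strength=5, account_type="Remote"),
    # local account: excluded by the second filter
    UnixUser("root", primary_gid=0, umask="077", last_logon="2024-02-28 12:00:00",
             password_strength=0, account_type="Local"),
]

if __name__ == "__main__":
    print("grouped as in the procedure:", flagged(SAMPLE_USERS))
    print("umask lines joined with OR: ", flagged(SAMPLE_USERS, is_suspicious_misread))
```

With the filter grouped as the steps describe, only jdoe and mlee are reported; with OR between the umask lines, appsvc is reported as well even though its umask is 022 and its password strength is 0, which is the false-positive the parentheses in step 32 prevent.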