SysPatrol Server Manual
Flexense Ltd.
SysPatrol
Server Security Monitor
User Manual
Version 1.6
Jan 2013
Product Overview
SysPatrol is a server security monitoring solution allowing one to monitor one or more servers and detect unauthorized changes in the system files, kernel drivers, system services, installed software products and registry database. The user is provided with the ability to learn a reference server configuration, periodically monitor the server configuration, detect all unauthorized system changes, automatically save reports and send E-Mail notifications.
SysPatrol Server can send E-Mail notifications, submit error messages to the system event log and/or automatically save HTML, ASCII text, Excel CSV, XML or PDF reports when one or more unauthorized system changes are detected on a server. In addition, a history of system changes may be kept in an SQL database.

Initially, SysPatrol scans the system configuration and saves a reference state of the system files (including SHA256 hashes, which the product calls signatures), installed kernel drivers and system services, the state of the registry database and the installed software products and Windows updates. During the monitoring stage, SysPatrol periodically scans the current system configuration and compares it with the reference configuration, detecting all newly created, modified and/or deleted system files, kernel drivers, system services, registry database entries or software products.

By default, SysPatrol applies the most rigorous set of settings, capable of detecting all types of changes. If required, the configuration may be relaxed for less security-sensitive environments, reducing the number of alerts issued for minor or unimportant configuration changes.

SysPatrol is designed to run on production servers: it uses a very small amount of system memory (6MB-8MB) and intentionally throttles monitoring operations to minimize the performance impact on running production applications. By default, SysPatrol Server is configured to use up to 1%-2% of a single CPU core during the learning and verification stages, which typically take up to 5 minutes per day.

In order to simplify deployment and everyday use, SysPatrol Server provides a simple web-based management interface allowing one to control, configure and manage the product locally or through the network using a regular web browser.
A number of fully automatic configuration wizards allow one to install SysPatrol Server and configure system monitors within a couple of minutes, making the product easy to deploy even for novice users.
The installation package is very small, 4MB - 5MB depending on the target operating system, and the product requires just 10MB of free disk space on the target server. In order to install SysPatrol Server, start the setup program, select a destination directory and press the 'Next' button.
Optionally, enter custom server control and/or web access ports. The server control port is used by the SysPatrol command line utility and the web access port is the port for the web-based management interface allowing one to control SysPatrol Server using a standard web browser. If SysPatrol Server is to be controlled remotely through the network, make sure one or both of these ports are open in the server's firewall, and limit the firewall rule to the management hosts that actually need access: the web interface is served over plain HTTP and ships with a default admin/admin login (see the server login section below), so it should not be reachable from untrusted networks.
After finishing the installation procedure, the product is fully functional, but no system monitors are defined in the product configuration. In the simplest case, in order to initialize the default product configuration, just press the 'Init Default Configuration' button. By default, SysPatrol Server applies the most rigorous set of configuration options making sure that all types of system changes are detected.
During the initialization process, SysPatrol will scan the current system configuration and save it as the reference system configuration. By default, SysPatrol Server will save the state of the system files (including SHA256 signatures), installed kernel drivers and system services, installed network protocols, the state of the registry database and installed software products and Windows updates. During the monitoring stage, the saved reference configuration will be used to detect unauthorized system changes. Because the reference is learned from the live system, initialize it on a freshly installed or otherwise known-good server: anything already present at learning time is treated as legitimate and will never be reported. The SysPatrol configuration wizard will create all the required system monitors and set up a daily periodic system test, which will verify the system configuration every 24 hours. If required, the automatically created system monitors and periodic system tests may be customized and tuned for user-specific needs and requirements.
By default, SysPatrol Server verifies the system configuration every 24 hours. In order to customize periodic tests, press the 'Periodic Tests' button. On the 'Periodic Tests' page click on the default daily periodic test or press the 'Add' button to add a new, custom periodic test.
On the periodic test page, set the time interval to execute the periodic test at, select the system monitors that should be verified and press the 'Save' button. SysPatrol Server will verify the selected system monitors periodically according to the specified time interval, detect all unauthorized system changes, save change reports and send E-Mail notifications if configured.
SysPatrol Server provides the ability to configure multiple report and/or notification actions, allowing one to generate different types of reports and/or send notifications to multiple destination addresses. In order to add a new report or notification action, press the 'Add' button located on the reports and notifications page.
For report actions, the user is provided with the ability to specify an absolute file name or a directory name to save the report to. If an existing directory is specified, SysPatrol Server will automatically generate file names containing the date and time of the test and save reports to the directory. For notification actions, the user is provided with the ability to specify the destination E-Mail address to send notifications to. In addition, in order to enable E-Mail notifications, the user is required to configure an SMTP server to use to send notifications.
SysPatrol Server exports SQL database reports through the ODBC database interface, which must be configured before it can be used. In order to configure the ODBC database interface, click on the 'Configure SQL Database' link located on the main settings page, enable the ODBC database interface and specify the ODBC data source, ODBC user name and password to use to save reports to the SQL database. The configured account only needs to write report rows, so give it a dedicated database login with the minimum privileges required rather than reusing an administrative account.
On the notification action page, select the 'Send Error to System Event Log' action type, enter an error message to submit to the system event log, enter the number of system changes to trigger the action and press the 'Save' button. During the monitoring stage SysPatrol Server will verify the system configuration and submit the error message to the system event log when the specified number of system changes is detected.
The 'System Files' test monitors the integrity of the operating system files. By default, the 'System Files' test is configured to monitor executable programs, DLL libraries and configuration files located in the Windows system directory and the 'Program Files' directory. During the learning stage, SysPatrol Server saves the state of the system files (including SHA256 signatures) and during the monitoring stage verifies the integrity of all files by comparing file names, attributes, last modification dates and signatures with the reference system configuration. Of these comparisons the hash is the decisive one: an attacker who can replace a file can usually also restore its attributes and modification date, but cannot make the modified content produce the original SHA256 value.
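The learn/verify cycle described above (and the reference-learning step of the initialization procedure), as an added example written for this page rather than SysPatrol's own code. It assumes a simplified model in which a reference entry holds a file's size, modification time and SHA-256 hash; the file names and contents are constructed sample data. The scenario includes a same-size content swap with the original timestamp put back, which only the hash comparison catches.

```python
"""Added example: a minimal learn/verify cycle of the kind the 'System Files'
test performs.  Illustrative code written for this page, not SysPatrol's
implementation.  Assumed model: the reference maps each relative path to its
size, modification time and SHA-256 hash; verify reports which of those
fields changed, plus files that appeared or disappeared."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

FIELDS = ("size", "mtime", "sha256")


def sha256_file(path: Path) -> str:
    """Hash in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def learn(root: Path) -> dict:
    """Learning stage: record size, mtime and hash of every file under root."""
    reference = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            reference[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(p),
            }
    return reference


def verify(root: Path, reference: dict) -> dict:
    """Monitoring stage: compare the live tree with the reference.

    Returns created and deleted paths and, for modified paths, the list of
    fields that differ.  The hash is what exposes a content change whose
    size and timestamp were restored by the attacker."""
    current = learn(root)
    created = sorted(set(current) - set(reference))
    deleted = sorted(set(reference) - set(current))
    modified = {}
    for name in sorted(set(current) & set(reference)):
        changed = [f for f in FIELDS if current[name][f] != reference[name][f]]
        if changed:
            modified[name] = changed
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario (sample files built here, not from a real server):
    learn a baseline, apply four kinds of change, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "svc.exe").write_bytes(b"original service binary")
        (root / "app.dll").write_bytes(b"original library")
        (root / "old.cfg").write_text("to be removed")
        # Round-trip the reference through JSON, as a monitor persisting it would.
        reference = json.loads(json.dumps(learn(root)))

        # 1. Same-size content swap with the original mtime put back:
        #    size and timestamp match the reference, only the hash differs.
        svc = root / "svc.exe"
        svc.write_bytes(b"trojaned service binary")
        m = reference["svc.exe"]["mtime"]
        os.utime(svc, (m, m))
        # 2. Ordinary modification: size and hash change.
        (root / "app.dll").write_bytes(b"patched library!!")
        # 3. Deleted file.  4. Newly created file.
        (root / "old.cfg").unlink()
        (root / "dropper.exe").write_bytes(b"new unexpected executable")

        return verify(root, reference)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the verify result for the constructed scenario: svc.exe is reported with only its hash changed, app.dll with size and hash (and usually the timestamp), old.cfg as deleted and dropper.exe as created. The same snapshot-and-compare shape applies to the driver, service and registry tests, with different fields in place of size, mtime and hash.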
The 'Kernel Drivers' and 'System Services' tests monitor the configuration of Windows kernel drivers and system services. During the learning stage, SysPatrol Server saves the reference configuration of kernel drivers and system services and during the monitoring stage verifies the system configuration by comparing kernel drivers and system services names, startup modes, statuses, attributes, registered executables, etc. In addition, SysPatrol Server detects newly created and deleted kernel drivers and system services.
The 'Network Protocols' test monitors and verifies the installed network protocols. SysPatrol Server is capable of monitoring and verifying all types of network protocols including hidden protocols, which are not visible in the Windows control panel. For each network protocol, SysPatrol Server verifies the protocol version, provider flags, service flags, security scheme, etc. In addition, SysPatrol Server detects all newly created and deleted network protocols.
The 'Registry Database' test monitors a number of important registry database keys, which are controlling execution of startup programs on the server. In order to add one or more custom registry keys to the SysPatrol configuration, click on the 'Add' link located beside the first registry key and select a root key and a sub key to monitor. By default, SysPatrol Server detects newly created, modified and deleted registry keys and values. In addition, SysPatrol Server detects unexpected changes in registry keys last modification dates and times.
The 'Installed Software' test monitors the installed software products and Windows updates. By default, SysPatrol Server detects newly installed, modified or uninstalled software packages and Windows updates. In order to disable detection of changes in Windows updates, unselect the 'Detect Changes in Windows Software Updates' option.
History Reports
By default, SysPatrol Server keeps a history of the last 30 reports showing previously detected configuration changes. In order to access the history reports, press the 'Reports' button located on the SysPatrol Server home page.
For each report, SysPatrol shows the test name, the date and time of the test and the number of detected system changes. In addition, the user is provided with the ability to export each report to a number of standard formats including HTML, PDF, Excel CSV and XML.
In order to delete a history report, press the report 'Delete' button displayed in the 'Tools' column. In order to delete all history reports, press the 'Delete All' button located below the report list.
The SysPatrol Server web-based management console requires users to log in with a SysPatrol user name and password. The default user name and password are admin/admin. Change them immediately after installation and before opening the management ports in the firewall: the defaults are published in this manual, so anyone who can reach the console can otherwise take full control of the monitor. The custom user name and/or password apply both to the web-based management interface and to the command line utility, which may be used to automate configuration and management tasks.
In order to set a custom user name and password, click on the 'Configure Server Login' link located on the main settings page, enter a new user name and password and press the 'Save' button.
SysPatrol Server uses the TCP/IP port 9140 as the default server control port and the TCP/IP port 80 as the default web access port. Sometimes, these ports may be in use by some other software products or system services. If one or both of these ports are in use, SysPatrol will be unable to operate properly and the user needs to change the SysPatrol server control port and/or web access port.
In order to set a custom server control port and/or web access port, click on the 'Setup Server Ports' link located on the main settings page, select the 'Use Custom Port' option and enter a custom port number to use. If the SysPatrol server should be controlled through the network, make sure the custom ports are open in the server's firewall.
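A quick pre-installation check for the port conflict described above, as an added example written for this page (not a SysPatrol utility). It assumes that a TCP port is "in use" when a wildcard bind to it fails with EADDRINUSE, which is how another listener on that port shows up on both Windows and Linux; a bind refused for lack of privileges is reported separately rather than mistaken for a conflict.

```python
"""Added example: report whether SysPatrol's default ports are already bound.
Illustrative code written for this page, not part of SysPatrol.  Assumption:
a port is 'in use' when binding the wildcard address to it fails with
EADDRINUSE; ports below 1024 may instead be refused for lack of privileges."""
import errno
import socket

# Default ports from this manual: server control and web access.
DEFAULT_PORTS = {"server control": 9140, "web access": 80}


def port_status(port: int) -> str:
    """Return 'free', 'in use' or 'permission denied' for a TCP port.

    Binding to the wildcard address (rather than connecting to 127.0.0.1)
    detects listeners bound to any interface.  SO_REUSEADDR is deliberately
    not set, so an existing listener makes the bind fail instead of sharing."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("", port))
        return "free"
    except PermissionError:
        # Privileged port on a Unix-like system: inconclusive, not a conflict.
        return "permission denied"
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)):
            return "in use"
        raise
    finally:
        s.close()


def check_ports(ports: dict) -> dict:
    """Map each named port to (port number, status)."""
    return {name: (port, port_status(port)) for name, port in ports.items()}


def occupied_port_example() -> tuple:
    """Constructed scenario: hold a listener on an ephemeral port, confirm the
    check reports it as in use, release it and check again."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("", 0))
    holder.listen(1)
    port = holder.getsockname()[1]
    while_held = port_status(port)
    holder.close()
    after_release = port_status(port)
    return while_held, after_release


if __name__ == "__main__":
    for name, (port, status) in check_ports(DEFAULT_PORTS).items():
        print(f"{name} port {port}: {status}")
```

Run it on the target server before installation; a port reported as in use is a reason to choose a custom port during setup, while "permission denied" on port 80 only means the check itself needs to run with administrative rights.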
SysPatrol Server provides the ability to send E-Mail notifications when a user-specified number of system changes is detected. In order to configure an SMTP E-Mail server to use to send E-Mail notifications, click on the 'Configure E-Mail Server' link located on the main settings page, enter the SMTP server host name, SMTP server port, SMTP user name, password and the source E-Mail address to use to send E-Mail notifications.
Web-Based Interface
SysPatrol Server provides a complete web-based management interface, which allows one to fully control, manage and configure one or more SysPatrol servers locally or through the network using a standard web browser. By default, the web-based interface uses TCP/IP port 80, the default HTTP port that web browsers connect to. Port 80 carries plain HTTP, so the login credentials travel unencrypted; when the console is reachable over the network, restrict access to trusted management hosts in the server's firewall.
The SysPatrol web-based interface is a dynamic web application, which shows the current status of the server and the progress of performed operations without reloading the currently displayed web page. In order to operate properly, the web-based interface requires JavaScript to be enabled in the web browser.
When executed without any command line parameters, the command line utility operates in the interactive mode, showing available menus, accepting commands and executing selected operations. The interactive mode is very simple to use: all available commands are displayed in a self-explanatory way, making it easy to set up and configure the product even for a novice user.
For example, in order to verify the current system status, start the SysPatrol command line utility without any command line parameters, type "1" to enter the "Status" menu and then type "4" to verify the current system status. If any system changes are detected during the verification process, SysPatrol will save reports and send E-Mail notifications according to the configured report and notification actions.
For example, in order to initialize the SysPatrol configuration, learn the current server status and save the reference system configuration, type the following command:

syspatrol -init

SysPatrol Server will create default system tests, learn the current server status, save the reference system configuration and create a daily periodic system test, which will be executed every 24 hours.

In order to verify the current system status, type the following command:

syspatrol -verify

SysPatrol will scan the current system configuration, compare it with the reference system configuration, save reports and send E-Mail notifications if required. For detailed information about available command line options, execute the command line utility with the '-help' command line parameter.
Due to the fact that the product is especially designed for servers running in production environments where stability is a major decision factor, SysPatrol Server updates should be manually performed by the user. In order to update an existing product installation, download the latest product version and just start the setup program.
The SysPatrol Server setup program will properly shutdown the running SysPatrol Server, update the product and restart the SysPatrol service after finishing the update procedure. All product configuration files, the saved reference system configuration and product registration will remain valid and there is nothing to reconfigure or manage after the update.
If the computer where SysPatrol is installed on is connected to the Internet, login to the SysPatrol server (default user name and password: admin/admin) using a standard web browser, click on the 'About' link located on the top menu bar, press the 'Register' button, enter your name or your company name, enter the received unlock key and press the 'Register' button.
If the computer is not connected to the Internet, press the 'Manual Registration' button, export the product ID file and send the product ID file to register@syspatrol.com as an attachment. Within a couple of hours, you will receive an unlock file, which should be imported in order to finish the registration procedure.
Minimal System Configuration
- Supported Operating System
- 500 MHz or better CPU
- 256 MB of system memory
- 25 MB of free disk space

Recommended System Configuration
- Supported Operating System
- 2 GHz or better CPU
- 512 MB of system memory
- 25 MB of free disk space