
List:       focus-ids
Subject:    RE: Change control features in IDS products?
From:       Chmielarski TOM-ATC090 <Tom.Chmielarski () motorola ! com>
Date:       2002-01-06 16:58:58

Toby, 
Unfortunately this will only tell who last modified a particular group. It
does not say what that change was. Nor does this seem totally accurate as the
query does not reflect the times of some recent changes to agent version. Nor
does this help control at a local level when changes are applied. Here is a
unified version of the queries that Andrew suggested.

NOTE: ICEcap stores in GST +0, so you probably have to adjust for your time
zone offset. I have adjusted for CST (-6).

If you're not comfortable with SQL queries, you can paste this into the ICEcap
interface at: Tools -> SQL Utilities -> SQL Query

--- CUT HERE ---
-- Who created and who last modified each ICEcap policy group, newest change first.
-- dateadd(hour,-6,...) shifts the stored +0 timestamps to CST; change -6 for your zone.
Select a.accountID as 'account',
	a.accountname as 'Account Name',
	pg.GroupID as 'Group ID',
	pg.GroupName as 'Group Name',
	cu.userName as 'Created By',
	dateadd(hour,-6,pg.createTime) as 'Group Created',
	mu.username as 'Last Mod By',
	dateadd(hour,-6,pg.lastModified) as 'Last Mod Date'

FROM icecap..policygroup pg
JOIN icecap..account a ON a.accountID = pg.accountid
-- LEFT JOINs keep groups whose creator or modifier has no row in users
LEFT JOIN icecap..users cu ON cu.userid = pg.CreatedBy
LEFT JOIN icecap..users mu ON mu.userid = pg.LastModifiedBy

ORDER BY pg.lastModified desc
--- END ---

Regards, 
Tom
-----Original Message-----
From: Andrew Plato [mailto:aplato@anitian.com]
Sent: Friday, January 04, 2002 3:25 PM
To: toby.kohlenberg@intel.com
Cc: focus-ids@securityfocus.com
Subject: Re: Change control features in IDS products?


> Does anyone know of any development 
> being done to integrate change control 
> features into IDS products? Have people 
> got solutions that they've cobbled 
> together for this? I can see using some
> source code control product to handle 
> things like snort or dragon config and 
> rule files, but what about a way to identify who made
> the last change to an ICEcap group config? 

Toby, 

ICEcap stores every last chunk of information in its SQL Server
database. This database has the ability to log the last ICEcap user who
made changes to the last group or policy config and when they made it. 

If you navigate to the Tools item and then select longSQL query, run the
following Query:

select * from PolicyGroup

This will retrieve a list of all the groups in ICEcap. There is a field
for LastModifiedBy and LastModified.  If you then Query the Users table
with:

select * from Users

You get a list of the users and their UserID....which is what is stored
in the LastModifiedBy column. 

Now, you could code a report in Crystal Reports to pull this data from
the ICEcap database and then present it in a nicer format. You'd need a
copy of Crystal designer. You should also check out the ICEcap Advanced
Admin Guide...which is supposed to be coming out one of these days (you
would think I know - I wrote the damn thing!) This tells you how to then
tie custom reports to ICEcap. 

Now, I don't know if ISS has bigger plans for this feature. It's kind of
an undocumented thing. There are quite a few database fields that are
waiting for future use that actually do work. They just never tied them
to the UI. 

Good luck!

------------------------------------
Andrew Plato
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
Yahoo Messenger: Anitian
------------------------------------
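
Added example, not part of the original messages and not ICEcap or ISS code: because the LastModifiedBy / LastModified columns hold only the most recent change, polling them into a separate log table keeps a running who/when history per group. SQLite stands in for the SQL Server database; the column names come from the queries in the thread, while the group_change_log table, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3
from datetime import datetime, timedelta

def make_sample_db():
    """Constructed stand-in for the ICEcap tables; only columns named in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE policygroup (GroupID INTEGER PRIMARY KEY, GroupName TEXT,
                                  LastModifiedBy INTEGER, lastModified TEXT);
        -- Hypothetical local audit table, not part of ICEcap.
        CREATE TABLE group_change_log (GroupID INTEGER, GroupName TEXT, username TEXT,
                                       lastModified TEXT, UNIQUE (GroupID, lastModified));
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO policygroup VALUES (10, 'DMZ sensors', 1, '2002-01-04 21:15:00'),
                                       (11, 'Desktops', 2, '2002-01-05 03:40:00');
    """)
    return db

def record_changes(db):
    """Log every (group, lastModified) pair not seen on an earlier poll.
    Several edits between two polls collapse into the most recent one."""
    before = db.total_changes
    db.execute("""
        INSERT OR IGNORE INTO group_change_log
        SELECT pg.GroupID, pg.GroupName,
               COALESCE(mu.username, '(unknown user)'), pg.lastModified
        FROM policygroup pg
        LEFT JOIN users mu ON mu.userid = pg.LastModifiedBy""")
    db.commit()
    return db.total_changes - before

def history(db, group_id, utc_offset_hours=-6):
    """Return (local time, user) for each logged change of one group, oldest first."""
    shift = timedelta(hours=utc_offset_hours)  # stored times are +0; -6 is CST
    rows = db.execute("SELECT lastModified, username FROM group_change_log "
                      "WHERE GroupID = ? ORDER BY lastModified", (group_id,))
    return [((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") + shift)
             .strftime("%Y-%m-%d %H:%M"), user) for ts, user in rows]

if __name__ == "__main__":
    db = make_sample_db()
    record_changes(db)                      # first poll logs both groups
    db.execute("UPDATE policygroup SET LastModifiedBy = 2, "
               "lastModified = '2002-01-06 16:00:00' WHERE GroupID = 10")
    record_changes(db)                      # second poll logs only the new edit
    for when, who in history(db, 10):
        print(when, who)
```

The log still records only who changed a group and when, not what the change was.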

