
tunneling software or applications like Tor, GoToMyPC and LogMeIn
Detecting Custom Activity Prohibited by Policy
The plugins provided with PVS are useful for detecting generally inappropriate activities, but there may be times when
more specific activities need to be detected. For example, a company may want to have an alert generated when email is
sent to a competitor’s mail service or if users are managing their Facebook accounts from the corporate network.
Tenable provides the ability for users to write their own custom plugins, as documented in the section “Writing Passive
Vulnerability Scanner Plugins”. These plugins are saved as “prm” files.
The following example shows how to create a custom plugin to detect users logging into their Facebook accounts. First, a
unique plugin ID is assigned, in this case “9000”. So, the first line of our plugin will be:
id=9000
Next, we want a description of what the plugin detects, which is the text shown to the analyst when it fires:
description=The remote client was observed logging into a Facebook account. You should
ensure that such behavior is in alignment with corporate policies and guidelines. For
your information, the user account was logged as:\n %L
The “%L” token is replaced at run time with the text captured by the regular expression statement that we create later. The goal is
to record the source address of the offending computer together with the user ID that was used to log in. Next, we create a
distinct name for our plugin.
name=POLICY - Facebook usage detection
Note that the name begins with the string “POLICY”. This will make all POLICY violations easily searchable from the
SecurityCenter interface.
You could also define a SecurityCenter dynamic asset list that contains only POLICY violators.
The next field defines a “family”. For this example, the application is a web browser, so the family ID is defined as follows:
family=Web Clients
Since this is a web browser, a dependency can be assigned that will tell PVS to only look at clients that have been
observed surfing the web:
dependency=1735
Further, since we are looking at client traffic, we will define:
clientissue
Next, we assign a risk rating for the observed behavior:
risk=MEDIUM
In the final section we create the “match” and “regex” statements that PVS evaluates against the passively observed traffic. Every
one of these statements must be true before the client is flagged for inappropriate usage:
match=>POST /
The “>” prefix anchors the match to the start of the request data, so the web request must begin with a POST verb. This weeds out all “GET” requests.
match=^Host: *.facebook.com
The “^” prefix anchors the match to the start of a line, so the statement above is true only when the request carries a “Host:” header in the “*.facebook.com” domain, i.e., the client is posting to Facebook.
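To show how the fields above fit together and how the match statements behave on real requests, the following added example (not part of the PVS manual or of Tenable's code) parses the plugin built in this section and evaluates it against three constructed HTTP requests: a Facebook login POST, a plain GET to Facebook, and a POST to an unrelated host. The matcher is a simplified model of the behaviour described here (“>” anchors to the start of the data, “^” to the start of a line, “*” is a wildcard, and all statements must hold), not the real PVS engine. The regex= line and the form field it captures are illustrative assumptions, since the manual's regex statement is defined later and is not shown on this page.

```python
import re
from urllib.parse import unquote

# Constructed plugin text, laid out as the fields walked through above.
# The regex= line is an assumption for illustration only; it is not on the
# page and is not Facebook's real login form. Its first group feeds %L.
FACEBOOK_PRM = r"""id=9000
description=The remote client was observed logging into a Facebook account. You should ensure that such behavior is in alignment with corporate policies and guidelines. For your information, the user account was logged as:\n %L
name=POLICY - Facebook usage detection
family=Web Clients
dependency=1735
clientissue
risk=MEDIUM
match=>POST /
match=^Host: *.facebook.com
regex=^email=([^&]+)
"""

# Constructed sample traffic (not captured data).
LOGIN_POST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: www.facebook.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=alice%40example.com&pass=hunter2\r\n"
)
PAGE_GET = "GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
OTHER_POST = (
    "POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    "email=bob%40example.com&pass=secret\r\n"
)


def parse_prm(text):
    """Parse prm key=value lines into a dict. Repeatable keys (match, regex)
    become lists; bare keywords such as 'clientissue' become flags."""
    plugin = {"match": [], "regex": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            plugin[line] = True          # bare keyword, e.g. clientissue
            continue
        key, value = line.split("=", 1)  # split once: values may contain '='
        if key in ("match", "regex"):
            plugin[key].append(value)
        else:
            plugin[key] = value
    return plugin


def match_to_regex(pattern):
    """Translate a match= statement into a compiled regex (simplified model):
    '>' anchors to the start of the data, '^' to the start of a line, and a
    literal '*' is a wildcard within the line."""
    if pattern.startswith(">"):
        prefix, body = r"\A", pattern[1:]
    elif pattern.startswith("^"):
        prefix, body = "^", pattern[1:]
    else:
        prefix, body = "", pattern
    return re.compile(prefix + re.escape(body).replace(r"\*", ".*"), re.MULTILINE)


def evaluate(plugin, data):
    """Return the rendered description when every match= and regex= statement
    is true for the observed client data, otherwise None."""
    for pattern in plugin["match"]:
        if not match_to_regex(pattern).search(data):
            return None
    captured = ""
    for rx in plugin["regex"]:
        m = re.search(rx, data, re.MULTILINE)
        if not m:
            return None
        captured = unquote(m.group(1) if m.groups() else m.group(0))
    # '\n' in the prm file is a literal escape; %L takes the regex capture.
    return plugin["description"].replace(r"\n", "\n").replace("%L", captured)


if __name__ == "__main__":
    plugin = parse_prm(FACEBOOK_PRM)
    for label, request in (("login POST", LOGIN_POST), ("GET", PAGE_GET), ("other POST", OTHER_POST)):
        result = evaluate(plugin, request)
        print(f"{label}: {'ALERT ' + plugin['name'] if result else 'no match'}")
        if result:
            print(result)
```

Running the script reports an alert only for the Facebook login POST, with the captured account name substituted for %L; the GET fails the “>POST /” statement and the POST to www.example.com fails the “^Host:” statement, so neither is flagged.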