Menu

Home

khenkell

SecPoshMon

This page will go over the design of the SecPoshMon (SPM) system. For the project plan, please see [ProjectPlan]

Overview

At its most basic level, SecPoshMon will be one or more collection of scripts (SPM packages) running as scheduled tasks and using related powershell modules. Reports and Alerts will be sent via email. Events will be logged as to which scripts run when via a custom Event Log.

The underlying piece is the SPMServer which handles installing and removing packages, monitoring the status, providing common functions in a powershell module, and providing access to some common variables. The SPM server may also handle some basic self integrity checking using external tools should you not have better tools available.

Packages are collections of scripts that are related. Packages include scripts, a default schedule to run them, and any additional functions wrapped into a module.

The Package Task is a single script set to run as recurring task. The basic flow of the script is:

  1. Gather new data (for a specific purpose like "get a list of all applications")
  2. Compare new data to the expected (read only) data. Store deviations in a "needs investigation" array.
  3. Compare new data to previous data. Store deviations in a "needs investigation" array.
  4. Send report
  5. If anything is suspicious, send email alert.

Components

Underlying Components

Windows 2008 R2/Windows 7

SPM is targetting Windows 2008 and Windows 7 to run the system/scheduled tasks.

Scheduled Tasks

SPM uses the builtin task scheduler included in Windows

  • SPM Has its own folder/container:
    • \Task Scheduler\Task Scheduler Library\SecPoSHMon\

EventLogs

SPM does all logging to the Windows Event Logs

  • Has its own Event Log (SPMServer)
  • 1 Source for Server (SPMServer)
  • 1 source for each scheduled job (SPMJobName) which will be registered during package installation
  • EventIDs 1-999 reserved for server
  • EventIDs 1000+ reserved for packaged content using published IDs.

PowerShell Module

The core of the system is a PowerShell V2 module containing all scripts required to setup and monitor the SPM system.

See [PowerShellModule]

Packaged Content

Packaged Content (including the default content that will ship with the system) is a collection of scripts along with a schedule for running them.

  • Can be created as packages (zip?)
  • Set of default scripts with recommended schedules

There will be 2 packages at release:

  1. SPMPAK_ServerSelfCheck
  2. SPMPAK_SANS20CSC

See [PackagedContentDesign]

See also [PackagedContentSANS20CC]

Installer Script (New-SPMServerInstance.ps1)

The system will be self installing. As the built in module will not be available, this will be a standalone script.

See [InstallerScript]

Project Admins:

Related

Wiki: InstallerScript
Wiki: PackagedContentSANS20CC
Wiki: PowerShellModule
Wiki: ProjectPlan

Auth0 Logo