Vincent_Bacher
Advisor

change directory for Identity Collector logs

Hi mates,

I want to change logdir in ServiceDebugPath.cfg, but when I shut down the collector process, modify the path and start the collector process again, the path is reset to c:\windows\temp.
Any idea?
Thanks in advance
Vince

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
7 Replies
G_W_Albrecht
Legend

You could try to make ServiceDebugPath.cfg immutable:

As IC is Windows:

Raymond Chen from Microsoft just recently wrote an article that's closely related: The way to stop people from copying files to a folder is to use NTFS security, not to block drag/dro.... While this one mentions trying to stop someone from copying a file to a specific folder you can use the same solution presented to fix your problem here.

To properly secure the file and prevent tampering you can set the ACLs on the file to have Read permissions but deny Write, Delete and Change permissions. You can set that for a specific user, group, or even everyone! The owner of the file will always have permission to change the permissions, so you can't permanently lock yourself out (even if you try to deny the CREATOR OWNER special object). Keep in mind that to manually set these from the security dialog box, you'll have to enter the advanced permissions area; they aren't available from the standard page. You may also want to break inheritance so that the file has only the permissions you set and none from its parent.

In this case it would be best to leverage options that are already there, so you won't have to try and hack the system to make it work. NTFS has robust security and can accomplish what you want without you writing code. You can also work with the security directly through the WINAPI using methods related to File Security and Access Rights (MSDN). You can provide the permissions when you call the first CreateFile or change permissions after the fact by using SetNamedSecurityInfo or SetSecurityInfo.

EDIT: To address the concerns of malware, you can even deny SYSTEM access so even services running under the system account cannot delete it or write to it. I've actually taken care of one pesky virus in that method. It would keep creating a directory, so I booted PE, emptied out the directory, then denied everyone access to it including the SYSTEM account. The virus was unable to propagate while I worked on removing it.

(https://stackoverflow.com/questions/1333807/how-can-i-make-a-file-trully-immutable-non-deletable-and...)

If you need to make a file immutable under Linux:

[Expert@HostName]# lsattr /.../<filename>
[Expert@HostName]# chattr +i /.../<filename>
[Expert@HostName]# lsattr /.../<filename>

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
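The NTFS approach quoted above, scripted so it is repeatable and verifiable. This is an added example, not code from the thread or from Check Point; the file path is a placeholder and the service account is assumed to be SYSTEM (the collector runs as a Windows service), so adjust both before use.

```powershell
# Added example (not from the thread): deny Write/Delete on ServiceDebugPath.cfg for
# the account the collector runs as, so the process cannot overwrite logdir at startup.
$cfg     = 'C:\path\to\ServiceDebugPath.cfg'   # placeholder: real location of the collector config
$account = 'NT AUTHORITY\SYSTEM'               # assumption: the collector service runs as SYSTEM

$acl = Get-Acl -Path $cfg

# Break inheritance but keep copies of the inherited ACEs, so the file keeps its
# current effective permissions and we only add the explicit deny on top.
$acl.SetAccessRuleProtection($true, $true)

# Rights that could change the file: Write (data, attributes, append), Delete,
# and the two rights that would let the denied account undo this ACE.
$denyRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $denyRights, 'Deny')
$acl.AddAccessRule($deny)

# Requires the caller to own the file or hold Change Permissions on it.
Set-Acl -Path $cfg -AclObject $acl

# Verify: show the explicit (non-inherited) ACEs now present on the file.
Get-Acl -Path $cfg |
    Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

Read access is left untouched, so the service can still load the file; only attempts to rewrite or remove it are refused. Note that members of Administrators can still take ownership via their privilege, so this protects against the service resetting the file, not against a local administrator.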
Vincent_Bacher
Advisor

Does lsattr exist on Windows? Not on my server 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Vincent_Bacher
Advisor

OK, I set permissions to DENY on this file. Now my setting seems to persist.
Will now have to check if logs are written where I defined......

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Vincent_Bacher
Advisor

Interesting. I managed to keep the file unchanged but the process ignores the directory definition and still logs to \windows\temp 😄

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
G_W_Albrecht
Legend

Looked into the Registry at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\IdentityCollector\

The debug log level and others are set (sk122686 & sk119692) but no path available...

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

It should be possible to change \windows\temp to a hard link, but I am no specialist there...

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
Vincent_Bacher
Advisor

Thanks for your contribution. I think at this point it's not worth researching more. Maybe later in case we set collector into production.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite