Claimsman

August 1, 2016 ยท View on GitHub

Coverity Scan Build Status

Introduction

Claimsman logs all file handle creation on Windows systems, and logs to both a local file and centralized log management system. The goal is to collect information that helps in answering the following two questions:

  • What files has user X accessed within defined time frame?
  • Who has accessed file X within defined time frame?

The application consists of a kernel driver, and an application (windows service) that forwards the data to log management system. The outcome will look something like:

Screenshot from Graylog

Features

  • Local file, containing JSON, saved
  • Log forwarding done with GELF (HTTP, HTTPS)
  • Can recover from temporary server availability issues
  • Ability to ignore users (for instance service accounts) by SID (see the claimsman.inf for details)
  • Ability to select what files get logged by extension (see the claimsman.inf for details)
  • Automatically monitors also shares, and removable devices
  • Extendable (log a copy of the accessed files, etc)
  • Does not block cross-platform usage (similar logs from Linux systems etc can be forwarded to same solution, using same format)

Currently the following information is logged:

FieldDescriptionExample
filenameFilename with full device and path\\Device\\HarddiskVolume4\\Users\\bakteeri\\Desktop\\KMCS_Walkthrough.doc
messageSummary messageClaimsman: bakteeri@Lahna \Device\HarddiskVolume4\Users\bakteeri\Desktop\KMCS_Walkthrough.doc
logtypeType of log eventclaimsman
sidSID of the userS-1-5-21-3211507568-3023894989-1537079942-1001
usernameUserbakteeri@Lahna
sizeFile size1983488
sourceDNS of the sending computerLahna
readaccessFile handle was created for readingtrue
writeaccessFile handle was created for writingtrue
deleteaccessFile handle was created for deletingtrue
lastmodifiedLast modification, timestamp as ISO-86012015-06-10T13:45:58.419Z
unixlastmodifiedLast modification, unix timestamp + 3 digits for milliseconds1433943958.419
TimestampTimestamp of the event2015-06-10 13:45:59.420 +00:00
unixtimestampTimestamp of the event, unix timestamp + 3 digits for milliseconds1433944519.073
statusStatus of the file operation. See ntstatus.h for more information.The operation completed successfully.

Requirements

  • Visual Studio 2010+
  • zlib
  • Casablanca (C++ REST SDK)
  • Certificates for KMCS
  • Log management system (for example Graylog or ELK)
  • Packaging toolchain (for example InstallShield)

Configuration options

The following registry keys are available:

FieldDescriptionExample
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\claimsman\DebugFlagsDebugging option for the driver0x1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\claimsman\ExtensionsFile extensions included in monitoring"docx","doc","xls","xlsx","ppt","pptx","txt","rtf"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\claimsman\ExtensionsUsers (SIDs) to be ignored"S-1-5-18"
HKEY_LOCAL_MACHINE\SOFTWARE\Claimsman\LogFileLocation of the log filec:\logs\activity.log
HKEY_LOCAL_MACHINE\SOFTWARE\Claimsman\LogServerTarget server (Graylog/HTTP)http://192.168.1.200:12201

Packaging & Installation

  1. Setup your certificates for signing the driver
  2. Build solution
  3. Package the driver - the provided INF should be informative enough, set the SIDs and file extensions
  4. Package the service
  5. Make sure all configuration options (registry keys) are correct
  6. Test
  7. Mass deploy

Please notice that from Windows 10 Build 1607 the driver must be signed by Microsoft Dev Portal.