Chapter 21. Tool: Validating Configuration

As a system administrator or security practitioner, it is useful to have a tool that allows you to verify the current configuration of a system, such as files that exist, registry values, or user accounts. In addition to verifying a configuration, this technique can be used as a lightweight host intrusion-detection system by recording a baseline configuration and then monitoring for variations from that baseline. You can also use it to look for specific indicators of compromise.

In this chapter, we develop a tool to read in a text file that consists of a series of configurations to validate, such as the existence of a file or user, and verify that the condition exists on the system. This tool is targeted at the Windows operating system but could easily be modified to support Linux.

Implementation

The validateconfig.sh tool validates the following:

  • The existence or nonexistence of a file

  • The SHA-1 hash of a file

  • A Windows Registry value

  • The existence or nonexistence of a user or group

Table 21-1 shows the syntax for the configuration file the script will read.

Table 21-1. Validation file format
Purpose Format

Existence of a file

file <_file path_>

Nonexistence of a file

!file <_file path_>

File hash

hash <_sha1 hash_> <_file path_>

Registry key value

reg "<_key path_>" "<_value_>" "<_expected_>"

Existence of a user

user <_user id_>

Nonexistence of a user

!user <_user id_>

Existence of a group

group <_group ...

Get Cybersecurity Ops with bash now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial