4.1 Define these terms as they pertain to Microsoft Windows
- Processes: a program that the system is running
- Job: a group of processes
- Threads: basic units that an OS applies processing time to, spawned by a process which may have multiple threads
- Thread Pool: a group of asynchronous threads that report back to the application
- Memory Allocation: memory is allocated by the OS to an application in various ways.
- Static Memory Allocation: a program allocates the memory it needs when it is compiled.
- Dynamic Memory Allocation: memory is allocated at runtime
- Stack: memory set aside as space for a thread
- Heap: memory set aside for dynamic allocation
- Volatile memory: Loses contents when the device loses power.
- Nonvolatile memory: contents preserved when the device loses power
- Virtual Address Space: addresses physical RAM
- Windows Registry: The windows registry is the hierarchical database that stores configuration data for users, applications and devices.
- HKEY_CLASSES_ROOT (HKCR): Ensures that the correct program opens when executed in Windows Explorer, also contains details on and the user interface
- HKEY_CURRENT_USER (HKCU): contains configuration for any currently logged in user including folders, screen colors control panel settings
- HKEY_CURRENT_CONFIG (HCU): System current configuration
- HKEY_LOCAL_MACHINE (HKLM): machine hardware information, drive mounts and generic configurations of hardware and applications
- HKEY_USERS(HKU): Configuration of all user profiles
- Each of the above is referred to as a hive.
- Windows Management Instrumentation (WMI): Microsoft’s implementation of Web-Based Enterprise Management (WBEM) based on the Common Information Model (CIM) standard. The data must be pulled in with tools.
- Provides status information
- Allows configuration of security settings
- Allows modification of system properties
- Change permissions for users and groups
- Assign and change drive labels
- Schedule processes
- Enable or disable error logging
- Handles: a reference to a resource such as a file
- Hide real memory addresses
- Leaks occur if not released after use
- Services: long-running applications that operate in their own session
4.2 Define these terms as they pertain to Linux
- Child Process: process created by another process
- init process: First process in the boot that does not have a parent process
- orphan process: a child process allowed to continue after a parent is killed
- zombie process: a process terminated that is still in the state table
- daemon process: similar to services on Windows
- Forks: when a parent creates a child process
- Permissions: Permissions in Linux are based on , write and rights for the owner, group and everyone else. An example would be –-r–. This indicates a file that is readable, writeable and executable by the owner, only read/write for the group and read-only for everyone else. The table below shows the numeric values used with the command to change permissions on a file. For example, 755 would make it -xr-x.
|3||Execution and write||-wx|
|5||Read and excution||r-x|
|6||Read and write||rw-|
|7||Read, write and execution||rwx|
- Symlinks: Short for link, a symlink links to another file or directory.
- Daemon: programs that run in the background, usually created by init, equivalent to services in Windows
4.3 Describe the functionality of these endpoint technologies in regards to security monitoring
- Host-based intrusion detection (HIDS): software installed on a host to detect attempted attacks.
- Antimalware and Antivirus: software on a host to detect malware or viruses
- Host-based firewall: software firewall on a host to filter network connections to the host based on rules.
- Application-level whitelisting: Administrators make a list of approved software, only software on the list is allowed to run.
- Application-level blacklisting: Administrators make a list of software not allowed to run, everything else is allowed.
- Systems-based sandboxing (such as Chrome, Java, Adobe Reader): Software that creates a virtual environment to try to contain any attempted exploit.
4.4 Interpret these operating system log data to identify an event
Windows Security Event Logs
Windows event logs are viewed using the eventvwr.exe application. There are four primary types of logs:
- Error: Significant problems such as data loss or functionality
- Warning: Not significant, but may indicate future issues
- Information: successful operations of an application or service
- Success Audit: Security access attempts that were successful
- Failure Audit: Security access attempts that were not successful
There are three general logs of Application, System and Security.
UNIX based logs (Linux, FreeBSD, OSX)
Syslog is the common format for UNIX logs. By default the logs are in /var/log/. The facility of a log tells which application or process submitted the log entry. The priority is used to indicate the importance of the log entry.
|0||emerg||emergency condition such as a system crash|
|1||alert||that should be dealt with immediately|
|2||crit||Critical conditions such as hardware failure|
|3||err||Standard error messages|
|5||notice||No error condition, but attention needed|
Apache Access Logs
Apache is a common webserver. The logs are stored in the AccessLog (logs all requests) and ErrorLog (all errors produced by requests).
IIS Access Logs
IIS webservers log in plain text files. They can be in IIS, W3C or NCSA format.