

Show HN: Claimsman – tool for auditing users' file access - erglkjahlkh
https://github.com/mikkolehtisalo/claimsman

======
erglkjahlkh
Since the days of the Orange Book in the 80's, three rules have been golden in
IT security: authorize, audit all information usage, and never let the
information out of the secure domain uncontrollably. Implementing access
management properly, watching users, and limiting the tools still works
nowadays when implemented correctly.

In the leaks of the past few years, each one of the previous failed. The users
had baffling access to the information, there were oversights in auditing, and
it was somewhat easy to move the mass of information out of the secured
domain. Leaking was downright easy, and getting caught was not certain.

I recently took a look at different products meant for file access auditing,
to solve the "audit all information usage" part in cases where the information
systems cannot be adapted (COTS). There seems to be a surprisingly large
number of products with different feature sets and value propositions, some of
which have pretty steep prices and highly evolved features.

I got the inspiration to develop my own very simple tool, just for learning
new skills and for the heck of it. A few hours of wading through MSDN,
nerve-wracking C/C++ programming, and tuning, and it's ready. Quality is a bit
so-so (there might be at least memory leaks, although I attempted to catch
them) and I had no accurate specifications, but here it is...

With this application all file accesses (creation of low-level handles) cause
an event that is logged to a centralized log management system. I did not
implement hashing the files or gathering them, because it probably has a
direct impact on the performance of a desktop, but it would be trivial to add
as a feature.

After the information is in the centralized log management system, it is
relatively easy to generate, for instance, a weekly report of all the file
accesses of users. In AD environments one could fetch information about
managers, push the data through a good PDF template, and email the reports. As
an outcome the managers would get weekly reports of what their underlings have
accessed.

If awareness of the previous spread, that would raise the bar to even attempt
anything in the higher security environments. The impact on the overall
security in the long run would be more significant than the actual technical
feature. Information security tools work best when they have a psychological
impact. Absurd but true. It's not always best to crank some technical bolt all
the way.

On the other hand, some privacy should be guaranteed to the users by limiting
the tool. At least in lower security environments this might come across,
because employees probably nowadays have limited rights to use employer's
computers for their own matters, for instance accessing banking services while
on lunch break.

I would appreciate comments, code review, bug and feature reports, etc!
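The reporting step described above (centralized handle-creation events, AD manager lookup, weekly per-user summary, and a privacy exclusion list so personal browser activity is never reported), as an added example that is not part of the post or of Claimsman; the event shape, the manager table and the exclusion patterns are all assumptions, since the post does not describe the tool's log format:

```python
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# Assumed event shape: one dict per handle-creation event. Constructed sample data.
SAMPLE_EVENTS = [
    {"ts": "2014-03-03T09:12:44Z", "user": r"CORP\alice", "path": r"\\fs01\finance\q1-forecast.xlsx"},
    {"ts": "2014-03-03T09:13:02Z", "user": r"CORP\alice", "path": r"\\fs01\finance\q1-forecast.xlsx"},
    {"ts": "2014-03-05T12:31:10Z", "user": r"CORP\alice",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0001"},
    {"ts": "2014-03-06T16:40:00Z", "user": r"CORP\bob", "path": r"\\fs01\hr\salaries-2014.xlsx"},
    {"ts": "2014-03-11T08:05:33Z", "user": r"CORP\bob", "path": r"\\fs01\hr\salaries-2014.xlsx"},
]

# Constructed stand-in for the user -> manager mapping that would come from AD.
MANAGER_OF = {r"CORP\alice": r"CORP\carol", r"CORP\bob": r"CORP\carol"}

# Paths that are never reported, to keep personal use (e.g. online banking in a
# browser) out of the manager's view. Assumed patterns; '*' also crosses '\'.
PRIVACY_EXCLUDES = [r"*\AppData\Local\Google\Chrome\*",
                    r"*\AppData\Local\Microsoft\Windows\INetCache\*"]

def is_excluded(path, patterns=PRIVACY_EXCLUDES):
    # Case-insensitive match, as Windows paths are case-insensitive.
    return any(fnmatchcase(path.lower(), p.lower()) for p in patterns)

def iso_week(ts):
    year, week, _ = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").isocalendar()
    return f"{year}-W{week:02d}"

def weekly_report(events, manager_of=MANAGER_OF, patterns=PRIVACY_EXCLUDES):
    """Return (manager -> user -> ISO week -> sorted unique paths, dropped count).
    Repeated handle creations on one file collapse to a single line."""
    report = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    dropped = 0
    for ev in events:
        if is_excluded(ev["path"], patterns):
            dropped += 1
            continue
        manager = manager_of.get(ev["user"], "<no manager in AD>")
        report[manager][ev["user"]][iso_week(ev["ts"])].add(ev["path"])
    return ({m: {u: {w: sorted(p) for w, p in weeks.items()} for u, weeks in users.items()}
             for m, users in report.items()}, dropped)

if __name__ == "__main__":
    report, dropped = weekly_report(SAMPLE_EVENTS)
    for manager, users in report.items():
        print(f"Report for {manager} ({dropped} private event(s) omitted)")
        for user, weeks in users.items():
            for week, paths in sorted(weeks.items()):
                print(f"  {user} {week}: {len(paths)} file(s)")
                for p in paths:
                    print("     ", p)
```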

