April 2001
Intact
Version 3.0
by Berni Dwan
 
FOR
Detects changes in real-time and has the ability to take pre-configured actions such as reversing changes based on the snapshot, shutting down the system or notifying people.
AGAINST
You could encounter minor problems if your open database connectivity (ODBC) drivers do not support all Intact's features.
VERDICT
This is a comprehensive and wide-ranging product that would be an asset to any large corporation.

As a change detection system, Intact is at the forefront of making this troublesome yet important task easier for general computer staff to manage, although the person responsible for installing the product would need to be more of a specialist. But installation is only a one-off event, while ease of daily use is paramount, so the balance comes down on the side of the much-oppressed user or administrator. While the auto-configuration features simplify installation across systems with different structures and uses, the installers really need to understand their network topology and database system.

There are several steps involved. Installing the Intact service, the application executable files and the control panel applet is fine. The default installation will create a configuration that uses self-ident mode, whereby the behavior of all important components on the system is studied for six days before Intact begins detecting changes with a configuration file that best matches the status of the system. Once installed though, it will learn from observed changes, and determine what it should monitor without any intervention from the administrator. Besides ease of use, the other big selling points are granularity of change detection, ease of deployment by utilizing an ODBC-compliant database, and comprehensiveness.

But you do need to be confident in using your ODBC database at a fairly advanced level when setting it up to work in conjunction with Intact. Both the administrator and the clients use ODBC to connect with the central database, so you must set up a valid ODBC DSN to activate the connection. Not all ODBC drivers support all the features necessary to run Intact properly. Pedestal Software recommends in the user manual that you download the very latest ODBC drivers, as old or incorrect drivers may crash Intact; the reviewer, though, did not experience a crash. The problem here is what you do if you already have an ODBC-compliant database system in place and it proves insufficient for the task of working fully and effectively with Intact.

There are three versions of Intact available, depending upon your particular requirements. Intelligence offers real-time integrity checking for standalone deployment, supporting Windows 95, 98, NT and 2000, Linux and Solaris platforms. Directory Services monitors LDAP-compliant directories such as Active Directory, while the Enterprise version offers all the above, and in addition can use an ODBC-compliant database to store centralized information and provide remote control. Designed for large-scale deployment of Intact, it requires the support of a relational database (Oracle, DB2, Sybase or Microsoft SQL Server) as a back-end for storing change detection records, client configurations, outputs and events. It also comes with the built-in advantages of a central management GUI. It is with the Enterprise version that this review is concerned.

Intact Enterprise works on a client/server model and has three components. The SQL database stores all the tables necessary for the operation of Intact across the network. The Enterprise administrator connects to the SQL database and views events, changes configurations, establishes new hosts and performs other common administrative tasks. It also connects remotely to client machines to browse drives and registries, and send commands directly to clients. Clients obviously reside on the client machines and connect to the SQL database periodically to receive commands and send events.

To detect changes in computer systems and network directories, Intact uses a methodology similar to that of some disaster recovery products on the market: it takes a snapshot of objects and periodically compares the snapshot to the active system. It is important to remember, though, that because Intact takes a snapshot, you must have a clean and securely configured system to begin with; otherwise, any corruption or inconsistencies will be stored in the database. The usual bunch of knaves should be detected in the process: unauthorized intrusion, viruses, trojan horses, rogue installation programs, corruption, security alterations, really any changes, additions or deletions that could compromise your system.

Intact monitoring goes from the grandiose to the almost insignificant. On Windows NT/2000 platforms it will detect changes in files and directories, registry keys and values, permissions, auditing parameters, users and groups, auditing policies, account policies and user rights. On Windows 95/98 platforms it will detect changes in files and directories, and registry keys and values. On UNIX platforms it will detect changes in files and directories, permissions, users and groups. LDAP-compliant directory servers will have changes detected in directory structure, content and special Active Directory integration. This feature is crucial for all organizations involved in e-commerce, as it will verify the integrity of your enterprise and e-commerce directory.

So, how does Intact learn your system behavior in order to do some effective change detection in real-time? The nuts and bolts operate thus. Over a set period of time Intact initially gathers information about the change characteristics of objects on your system by monitoring their change behavior. It will obviously learn what object changes are normal during this observation period, and the database will store what, when and how often a change occurs. You can set up and timetable this process on the control panel applet, selecting all objects and attributes or only a subset. You decide the number of days that Intact will monitor the system in order to build a behavior database.

On completion of this step, Intact utilizes the behavior database to create an optimal configuration file for the system, builds a new detection database using this new configuration file and takes itself out of learning mode. Intact is now ready to monitor your system looking for unauthorized changes and reporting them in your previously set preferred mode (eventlog, syslog, email or a combination thereof). Now Intact will only monitor those system objects that do not change during normal operation, greatly simplifying the potentially complex task by only concentrating on objects that should not change during normal operation. Put simply, it is primed to report unexpected changes immediately.
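
The learn-then-detect cycle described above, as an added example that is not Intact's code and not part of the original review. It assumes in-memory snapshots in place of the ODBC database and SHA-256 as the comparison digest; the function names and the sample object names are hypothetical.

```python
import hashlib
from collections import Counter

def fingerprint(snapshot):
    """Map each object name to the SHA-256 digest of its content (assumed digest)."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in snapshot.items()}

def diff(old, new):
    """Classify every object that differs between two fingerprints."""
    out = {}
    for name in old.keys() | new.keys():
        if name not in old:
            out[name] = "added"
        elif name not in new:
            out[name] = "deleted"
        elif old[name] != new[name]:
            out[name] = "modified"
    return out

def learn(observations):
    """Learning mode: count changes per object over the observation period,
    then keep a detection baseline of the objects that never changed."""
    prints = [fingerprint(s) for s in observations]
    behavior = Counter()
    for old, new in zip(prints, prints[1:]):
        behavior.update(list(diff(old, new)))  # count names, not change kinds
    baseline = {n: h for n, h in prints[-1].items() if behavior[n] == 0}
    return behavior, baseline

def detect(baseline, behavior, snapshot):
    """Detection mode: ignore objects that changed during learning; report
    anything else that differs from the baseline, including new objects."""
    current = {n: h for n, h in fingerprint(snapshot).items() if behavior[n] == 0}
    return diff(baseline, current)

# Constructed sample data: one snapshot per learning day, then a live system.
DAYS = [
    {"bin/login": b"v1", "etc/passwd": b"root", "log/app.log": b"a"},
    {"bin/login": b"v1", "etc/passwd": b"root", "log/app.log": b"ab"},
    {"bin/login": b"v1", "etc/passwd": b"root", "log/app.log": b"abc"},
]
LIVE = {"bin/login": b"v1-changed", "log/app.log": b"abcd", "bin/unexpected": b"x"}

if __name__ == "__main__":
    behavior, baseline = learn(DAYS)
    for name, kind in sorted(detect(baseline, behavior, LIVE).items()):
        print(f"{kind:9} {name}")
```

The log file that changed on every learning day drops out of the baseline, so its later growth raises no alert, while the altered binary, the missing account file and the previously unseen object are all reported.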
   

Contact Information:
  
Intact
Version 3.0

North America
Supplier: Pedestal Software
Price: $1,495 (3 licenses); $295 (additional licenses)
Contact: (888) 664-7174
info@pedestalsoftware.com
www.pedestalsoftware.com

UK/Europe
Supplier: Pedestal Software
Price: on application
Contact: +1 508 520 8960
info@pedestalsoftware.com
www.pedestalsoftware.com
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.