Auditing user access to YESEFT/conf and YESEFT/properties folder

The encrypted card data is stored in the YESEFT/conf folder, access to this folder should be audited automatically. The YESEFT/properties folder contains the Keystore and the truststore file, access to this folder should also be audited.

For Windows

The audit log appears in the Security log in Event Viewer. Audit policy should be defined in the local security settings, just follow these steps for Windows:

Object Access Policy on Windows

  • Click the Start button, type “secpol.msc” into the search box and clicking secpol.‌

  • In the left pane, double-click Local Policies, then Audit Policy.

  • Right-click on Object Access Audit and select Properties

  • Ensure Success and Failure are both checked

  • Click on OK, and close the window.

Similarly define policy for the following:

  • Audit Account Logon Events

  • Audit Account Management

  • Audit Logon Events

  • Audit Privilege Use

Enabling Audit Trail

After enabling audit, the YESEFT/conf and YESEFT/properties folders should be specified for auditing. Follow these steps to enable auditing on the folder:

  • Right-click the document or file that you wish to keep track of, and click Properties.

  • Click Security, then Advanced, and then Auditing.

  • Click Add.

  • In the box enter the object name to select, type the name of the user or group whose actions you wish to track, and click OK in each of the four open dialog boxes.

Note: This article assumes that you are using Windows on a domain. You must be logged on as a member of the Administrators group or you must have been granted Manage auditing and security log privilege in Group Policy to perform this procedure.

  • The hard disk must be formatted with the NTFS file system for auditing to work.

  • If your computer is a member of a domain and the administrator has set domain-level auditing policies, those policies override these local settings.

YesEFT Folder Structure

For Linux

The audit log is /var/log/audit/audit.log.

auditd is the userspace component to the Linux Auditing System, responsible for writing audit records to the disk.

  • Install auditd with:

    sudo apt-get install auditd

  • Edit the configuration file with the below command and add the full path of the YESEFT/conf and YESEFT/properties folders. In the example shown in the screenshot below the full path is /home/POS/YESEFT/conf and /home/POS/YESEFT/properties, but this could vary for your installation.

    sudo vi /etc/audit/audit.rules

    # First rule - delete all

    -D

    # increase the buffers to survive stress events. make this bigger for busy systems.

    -b 1024

    # monitor unlink() and rmdir() system calls.

    -a exit,always -S unlink -S rmdir

    # monitor open() system call by Linux UID 1001.

    -a exit,always -S open -F loginuid=1001

    # monitor write-access and change in file properties (read/write/execute) of the following files.

    #-w /etc/group -p wa

    #-w /etc/passwd -p wa

    #-w /etc/shadow -p wa

    #-w /etc/sudoers -p wa

    # monitor read-access of the following directory.

    -w /home/POS/YESEFT/conf -p r

    -w /home/POS/YESEFT/properties -p r

    # lock the audit configuration to prevent any modification of this file.

    -e 2

  • Restart auditd when editing is finished with :

    sudo service auditd restart

  • Once auditd starts running, it will start generating an audit daemon log in /var/log/audit/audit.log as auditing is in progress. You can trace the log entries relevant for the IPC folder using command below:

    sudo grep –n YESEFT /var/log/audit/audit.log.