Creating, Using and Justifying the Auditor's Toolkit • Welcome • General announcements
Creating, Using and Justifying the Auditor's Toolkit ISACA Presentation April 2003 Ed Capizzi
Schedule etc. • Breakfast • Intro, admin & Methodology • Outside-In tools • Unix • Lunch • Windows • Hands on
Administrivia • Location information • Pagers and cell phones • Fire escapes • Food • Start stop times • Location of restrooms • General room rules and mood
Assumptions • Auditors have all the front end time & field work time they need • Auditors have large budgets for tools and training • Auditors always get full cooperation of and unlimited access to audit areas • No one minds being audited • You are already experts on everything
Real World Assumptions • You have to become an expert at everything FAST (or at least brush up!) • You need something you can apply now • You probably run a WinTel based machine • You probably don't have admin / root level access (of your own) to the systems you audit • You have to be part tech, part teacher, part politician • Even “free, industry best practices” require some selling
Real World Assumptions • This is one way to do things, not THE way • Linux (for this presentation) is RedHat • Solaris (for this presentation) is 2.6 • HP (for this presentation) is 11.x
Our Approach • Learn to fish • Basics, basics, basics • Keep it simple • Inside out, Outside in • Creative use of “indigenous resources” (utilities included in the existing OS) • Audits (& auditors) must be “environmentally friendly and low impact”
Our Approach 1. Subsystem(s) involved 2. Best practice examples/settings 3. Ramifications of settings or principles 4. How to sell to administrators and management 5. Which tool to use to accomplish which task
15 Main Areas 1) Account Policies 2) Auditing 3) Device Drivers 4) Drives 5) Event Log 6) Printer Permissions 7) Processes 8) Registry 9) Remote Access 10) Scheduled Tasks 11) System Info 12) Services 13) Shares 14) Trusted Relationships 15) Users & Groups
Account Policies What are the tools? • admintool (GUI, Solaris) • /etc/default/passwd (Sun) • /etc/passwd (Sun) • sam (GUI, HP) • /etc/passwd (HP) • userconf or redhat-config-users (GUI, Red Hat Linux) • /etc/passwd (Linux) What can they tell us?
Account Policies What can they tell us? • login name • encrypted password • numerical user ID • numerical group ID • GECOS field (user information) • initial working directory • program to use as shell BUT WE WANT MORE!
Account Policies To get more, the system has to be using: shadow passwords (Solaris / Linux) /etc/shadow or “trusted system” (HP) /tcb/files/auth/ More on this later, stay tuned...
Account Policies Where are the files? (review) • Standard systems: /etc/default/passwd (Sun), /etc/passwd (Sun, HP & Linux) • Shadowed or trusted systems: /etc/default/passwd (Sun), /etc/shadow (Sun & Linux), /tcb/files/auth/ (HP)
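The checks an auditor actually runs against those files, as an added example that is not part of the presentation: parse the seven colon-separated /etc/passwd fields listed above, join them with the hashed field from /etc/shadow, and report the classic findings (a second UID 0 account, empty password fields, a hash left in the world-readable passwd file, duplicate UIDs). The sample files are constructed for the example; in the field the same logic is usually an awk one-liner over copies of the files, and only /etc/shadow needs root to read.

```python
"""Audit checks over /etc/passwd and /etc/shadow contents (added example)."""
from collections import Counter

# Constructed sample data, not from any real system. Note the 'x' in the
# password field of shadowed entries and the visible hash in 'legacy'.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:Backup Operator:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$saltsalt$0123456789abcdefghijkl:1002:1002:Legacy:/home/legacy:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
bob:x:1003:1004:Bob:/home/bob:/bin/bash
svc:x:1005:1005:Service:/var/svc:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$1$saltsalt$hashhashhashhashhashha:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
backup:$1$saltsalt$hashhashhashhashhashhb:12000:0:99999:7:::
alice:$1$saltsalt$hashhashhashhashhashhc:12000:0:99999:7:::
bob:!$1$saltsalt$hashhashhashhashhashhd:12000:0:99999:7:::
svc::12000:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return {login name: {field: value}} for the seven colon-separated fields."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            continue  # malformed line; a real audit would report it
        entry = dict(zip(PASSWD_FIELDS, fields))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        users[entry["name"]] = entry
    return users


def parse_shadow(text):
    """Return {login name: hashed password field} from /etc/shadow content."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text, shadow_text=None):
    """Return a list of (login name, finding) pairs."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text) if shadow_text else {}
    uid_count = Counter(u["uid"] for u in users.values())
    findings = []
    for name, u in sorted(users.items()):
        pw = u["pw"]
        if u["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field in passwd"))
        elif pw not in ("x", "*", "!", "!!"):
            # Anything else is a hash sitting in the world-readable passwd file.
            findings.append((name, "password hash stored in passwd, not shadowed"))
        elif pw == "x" and shadow:
            hashed = shadow.get(name)
            if hashed is None:
                findings.append((name, "no shadow entry"))
            elif hashed == "":
                findings.append((name, "empty password in shadow"))
        if uid_count[u["uid"]] > 1:
            findings.append((name, "duplicate UID %d" % u["uid"]))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-8s %s" % (name, finding))
```

Run without the shadow file (the usual case for an auditor without root) and the passwd-only findings still come out; the empty-hash check on `svc` only appears once /etc/shadow is supplied.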
Auditing • user logon / logoff • system restart, start up, shutdown • object access
Auditing • Linux: /etc/syslog.conf, /var/log/messages • Sun: /etc/syslog.conf, /var/adm/messages • HP-UX: /etc/syslog.conf, /var/adm/syslog/syslog.log
Auditing • Linux & HP: dmesg (boot diagnostics & messages) • Sun: prtdiag • Cool tool alert!!! Rosetta Stone for Unix!
Auditing • last
Auditing • dmesg
Auditing • HP-UX “Trusted System” • passwords moved out of /etc/passwd • All users must have a password • Check /etc/rc.config.d/auditing & /sbin/rc2.d/S760auditing for the auditing control parameters • /tcb/files/ttys records the UID of the user logged in on each terminal, logins & unsuccessful logins
Auditing A.K.A. Setting up syslog!
Syslog.conf • Simple text file, one rule per line, in the format facility.loglevel <Tab> log target, e.g. mail.* /var/log/daemon.log • Log files should be owned by root (rw), readable by a 'log' group (r) if needed, and carry no permissions for 'other':
-rw------- 1 root root 702093 Mar 17 17:56 /var/log/messages
Syslog.conf (con't) Example configuration:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none          /var/log/messages
# The authpriv file has restricted access.
authpriv.*                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                  /var/log/maillog
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                /var/log/boot.log
Syslog logging Levels • emerg System is unusable • alert Action must be taken NOW • crit Critical conditions • err Error conditions • warning Warning conditions • notice Normal but significant • info FYI • debug More than you want to know (Programmers only)
Syslog targets • /path/to/file Message appended to the given file • @loghost Sent to the syslog server on host 'loghost' • * Message written to all logged-in users • user1,user2 Message written to user1 & user2 • /dev/console Message written to the named tty • | /path/to/named_pipe Message written to a named pipe
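Added example, not part of the presentation: a small resolver for the syslog.conf rules shown on the previous slides. It applies the selector semantics the slides describe (a level means that level and anything more severe, `none` drops a facility from a rule, `*` takes everything, `;` chains selectors with later ones overriding earlier ones, `,` lists facilities) and answers the auditor's question "where will this message end up?", plus a check of the log-file ownership and mode rule from the Syslog.conf slide. The configuration text is a constructed copy of the one on the slide.

```python
"""Resolve where syslog sends a message, from syslog.conf rules (added example)."""

# Severity order: index 0 is most severe. A selector level means
# "this level and anything more severe" (a smaller index).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed copy of the configuration shown on the slide.
SAMPLE_SYSLOG_CONF = """\
# Log all kernel messages to the console.
#kern.*\t/dev/console
*.info;mail.none;authpriv.none\t/var/log/messages
authpriv.*\t/var/log/secure
mail.*\t/var/log/maillog
uucp,news.crit\t/var/log/spooler
local7.*\t/var/log/boot.log
"""


def parse_selector(selector):
    """Map facility -> highest permitted level index (None = discard).

    Parts separated by ';' apply left to right, so 'mail.none'
    after '*.info' removes mail from that rule.
    """
    rules = {}
    for part in selector.split(";"):
        facilities, level = part.rsplit(".", 1)
        if level == "none":
            cap = None
        elif level == "*":
            cap = len(LEVELS) - 1
        else:
            cap = LEVELS.index(level)
        for fac in facilities.split(","):
            if fac == "*":
                rules.clear()  # a wildcard resets everything said before it
            rules[fac] = cap
    return rules


def parse_syslog_conf(text):
    """Return [(rules, target)] for each active (non-comment) line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)  # tab or spaces separate the two
        entries.append((parse_selector(selector), target.strip()))
    return entries


def rule_matches(rules, facility, level):
    cap = rules[facility] if facility in rules else rules.get("*")
    return cap is not None and LEVELS.index(level) <= cap


def targets_for(entries, facility, level):
    """All targets that receive a message logged as facility.level."""
    return [target for rules, target in entries if rule_matches(rules, facility, level)]


def check_log_perms(ls_line):
    """Audit an 'ls -l' line for a log file: root-owned, group r at most, other none."""
    fields = ls_line.split()
    mode, owner = fields[0], fields[2]
    issues = []
    if owner != "root":
        issues.append("owned by %s, not root" % owner)
    if "w" in mode[4:7]:
        issues.append("group-writable")
    if mode[7:10] != "---":
        issues.append("accessible to 'other' (%s)" % mode[7:10])
    return issues


if __name__ == "__main__":
    conf = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    for fac, lvl in [("authpriv", "warning"), ("kern", "err"), ("news", "crit")]:
        print("%s.%s -> %s" % (fac, lvl, targets_for(conf, fac, lvl)))
    print(check_log_perms("-rw-r--r-- 1 root root 702093 Mar 17 17:56 /var/log/messages"))
```

Two things worth noticing when you run it: a failed su or login (authpriv.warning) never reaches /var/log/messages because of the `authpriv.none`, and a news.err message does not reach the spooler file because `crit` is stricter than `err`. Both are exactly the questions to put to an administrator who claims "everything is logged".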
Device Drivers • How the system handles hard drives, keyboards or any other peripheral attached to the system • located in /dev • Character devices • communicate in echoed characters • Block devices • communicate in 512- or 1024-byte blocks of data • Faster access
Devices • The device type is indicated by the first character in the permission block, e.g.
crw--w--w- 1 root root 4, 1 Jul 19 13:26 tty1
crw--w--w- 1 root root 4, 2 Jul 19 13:26 tty2
• Major device number (4) identifies the device driver • Minor device number (1, 2) identifies the individual device handled by that driver
Devices • device permissions are important! • /dev/kmem = kernel memory • /dev/hda1 = hard disk • access to these may allow a dump of the disk contents, bypassing /etc/passwd and file permissions • use groups and sudo
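An added example (not from the presentation) of the device check those two slides describe: parse `ls -l /dev` output into type, major and minor numbers, then flag the raw disk and memory devices that 'other' can read or write. Group access is deliberately not reported, since a group plus sudo is the recommended control; world access is the finding. The listing is constructed in the format shown on the slide.

```python
"""Parse 'ls -l /dev' output and flag sensitive devices open to everyone (added example)."""

# Constructed listing, in the format shown on the slide.
SAMPLE_DEV_LISTING = """\
crw--w--w-   1 root root    4,   1 Jul 19 13:26 tty1
crw--w--w-   1 root root    4,   2 Jul 19 13:26 tty2
crw-r-----   1 root kmem    1,   2 Jul 19 13:26 kmem
crw-rw-rw-   1 root root    1,   1 Jul 19 13:26 mem
crw-rw-rw-   1 root root    1,   3 Jul 19 13:26 null
brw-rw-r--   1 root disk    3,   1 Jul 19 13:26 hda1
brw-rw----   1 root disk    3,   2 Jul 19 13:26 hda2
drwxr-xr-x   2 root root         4096 Jul 19 13:26 pts
"""

KIND = {"c": "character", "b": "block"}
# Memory devices give the same raw access as a disk device.
MEMORY_DEVICES = {"kmem", "mem", "port"}


def parse_dev_listing(text):
    """Return one dict per device node; directories and plain files are skipped."""
    devices = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0][0] not in KIND:
            continue
        devices.append({
            "name": f[-1],
            "kind": KIND[f[0][0]],
            "mode": f[0],
            "owner": f[2],
            "group": f[3],
            "major": int(f[4].rstrip(",")),  # driver number, e.g. 4 for ttys
            "minor": int(f[5]),              # unit number handled by that driver
        })
    return devices


def audit_devices(devices):
    """Flag block devices and memory devices that 'other' can read or write."""
    findings = []
    for d in devices:
        sensitive = d["kind"] == "block" or d["name"] in MEMORY_DEVICES
        other = d["mode"][7:10]  # the last three permission characters
        if sensitive and other != "---":
            findings.append((d["name"], "'other' has %s access to raw %s device"
                             % (other.replace("-", ""), d["kind"])))
    return findings


if __name__ == "__main__":
    devs = parse_dev_listing(SAMPLE_DEV_LISTING)
    for d in devs:
        print("%-6s %-9s major %d minor %d %s"
              % (d["name"], d["kind"], d["major"], d["minor"], d["mode"]))
    for name, issue in audit_devices(devs):
        print("FINDING:", name, issue)
```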
Drives • mount – to show what is mounted • df -k, df -h to see free space • /etc/fstab (/etc/vfstab on Solaris) to see the file system mount point descriptions • /dev/dsk vs. /dev/rdsk (block vs. raw device)
Local-vs-remote • mount • /etc/fstab • /etc/dfs/dfstab • share lists all current shares (Sun) • exportfs -v lists all current shares (HP & Linux) • nfsstat NFS performance statistics (HP & Sun)
Event Log • Syslog (and /etc/syslog.conf) • /var/log/messages (Linux) • /var/adm/messages (HP & Sun) • tail and / or grep • Ask if Swatch or logcheck may be running
Printer Permission • /etc/hosts.lpd = hosts that can print • You can also put them in /etc/hosts.equiv, but that opens them up to the r-services too! • Solaris: lpadmin; ls -alR /etc/lp • Linux: cat /etc/printcap.local shows all local printers; printtool (gui) • HP-UX: lpadmin; /etc/lp/*; /var/adm/lp*
Processes • Before we begin... • Policy • Best Practices • Goals of Security
init Process init is always process #1 (all other things that happen before this are actually part of the kernel or kernel process) The “system father task” that propagates all child processes needed for operation. Configuration file: /etc/inittab
/etc/inittab • Defines the default run level, e.g. id:5:initdefault: or strt:3:initdefault: • Executes any entries that have sysinit in the action field (so that any special initialisation takes place before users log in) • Defines the processes for specific run levels, e.g. rebt:6:wait:/etc/init.d/announce restart • Field layout: identifier : run level(s) the entry is processed at : the action : the process
Runlevels • 0 – Shutdown or halt the system • 1 – Single user (administrative) mode • 2 – Basic multi-user mode (all daemons, no NFS) • 3 – Multi-user mode (all daemons and NFS) • 4 – Reserved • 5 – Reboot the system (passing through runlevel 0) • S or s – Single user mode, all file systems mounted and accessible • 6 – Shut down the machine / reboot
Run Levels (con't) How do I display the current runlevel? • HP & Solaris: # who -r prints run-level 3 Feb 28 10:55 3 0 S; the fields are: current run level, date and time of the run level change, current run level (again), number of times at this run level since the last reboot, previous run level • Linux: # /sbin/runlevel prints N 5 or 3 5 (none before and now 5; or 3 before and 5 now)
rc scripts Run Control Scripts exist for each run level Scripts start and/or stop all processes needed to put system into appropriate Run Level S start, K kill (stop) • processed sequentially 0-99
Solaris rc scripts Run Control Scripts exist for each run level • /sbin/rc • a directory of scripts for each run level • /sbin/rc3 -> /etc/rc3.d/ • S15nfs.server
Linux rc scripts Run Control Scripts exist for each run level • /etc/rc.d/rc.local • /etc/rc.d/rc# • a directory of scripts for each run level • /etc/rc.d/rc3 • K20nfs
HP rc scripts Run Control Scripts exist for each run level • /sbin/rc#.d • a directory of scripts for each run level • /sbin/rc3.d/ • K20nfs
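To tie the inittab, runlevel and rc-script slides together, here is an added example (not the presentation's own code) that answers "what does this box start at boot?" from copies of the files an auditor can read without root: it parses the identifier:runlevels:action:process layout of /etc/inittab, finds the initdefault run level (and complains if there is not exactly one), lists the entries init processes for that level, sorts an rc directory listing into the order init runs it (K scripts first, then S, each by sequence number), and decodes the `who -r` fields. The inittab excerpt and directory listing are constructed for the example.

```python
"""What runs at boot: /etc/inittab, rc directory names and 'who -r' (added example)."""
import re

# Constructed /etc/inittab excerpt in the identifier:runlevels:action:process layout.
SAMPLE_INITTAB = """\
# constructed example, not a real system's file
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l6:6:wait:/etc/rc.d/rc 6
rebt:6:wait:/etc/init.d/announce restart
1:2345:respawn:/sbin/mingetty tty1
"""

# Constructed directory listing of an rc3.d-style directory.
SAMPLE_RC3_LISTING = ["K20nfs", "S10network", "S15nfs.server", "S80sendmail", "S99local", "README"]

RC_SCRIPT = re.compile(r"^([SK])(\d\d)(.+)$")


def parse_inittab(text):
    """Return [(identifier, runlevels, action, process)] for each active line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ident, levels, action, process = line.split(":", 3)
        entries.append((ident, levels, action, process))
    return entries


def default_runlevel(entries):
    """The runlevel named by initdefault; raises if there is not exactly one."""
    defaults = [levels for _, levels, action, _ in entries if action == "initdefault"]
    if len(defaults) != 1:
        raise ValueError("expected one initdefault entry, found %d" % len(defaults))
    return defaults[0]


def entries_for_runlevel(entries, level):
    """Entries init processes when entering 'level' (an empty runlevel field means all)."""
    return [e for e in entries if e[2] != "initdefault" and (e[1] == "" or level in e[1])]


def rc_order(names):
    """Order rc scripts as init runs them: K (stop) scripts first, then S, each by number."""
    scripts = []
    for name in names:
        m = RC_SCRIPT.match(name)
        if m:  # names such as README do not match and are ignored by rc
            scripts.append(("stop" if m.group(1) == "K" else "start", int(m.group(2)), m.group(3)))
    return sorted(scripts, key=lambda s: (s[0] != "stop", s[1], s[2]))


def parse_who_r(line):
    """Decode HP-UX/Solaris 'who -r' output into its fields."""
    f = line.split()
    i = f.index("run-level")
    return {"level": f[i + 1], "changed": " ".join(f[i + 2:i + 5]),
            "times_at_level": int(f[i + 6]), "previous": f[i + 7]}


if __name__ == "__main__":
    entries = parse_inittab(SAMPLE_INITTAB)
    level = default_runlevel(entries)
    print("default runlevel:", level)
    for ident, levels, action, process in entries_for_runlevel(entries, level):
        print("  %-5s %-8s %s" % (ident, action, process))
    for action, seq, service in rc_order(SAMPLE_RC3_LISTING):
        print("  %s %02d %s" % (action, seq, service))
    print(parse_who_r("   .       run-level 3  Feb 28 10:55     3      0  S"))
```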
Processes • ps -aef • ps -aux • inetd: /etc/inetd.conf • how to start & stop: /etc/init.d/name start | stop | restart • /proc directory: cd /proc/<pid>; ls
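The inetd.conf review in code, as an added example rather than anything from the presentation: parse the entries, keep the commented-out ones so the report shows what was disabled as well as what is live, and raise the two findings an auditor looks for first, a clear-text or hosts.equiv-trusting service still enabled (this is where the /etc/hosts.equiv warning from the printer slide comes back), and a service started directly instead of through the tcpd wrapper. The inetd.conf excerpt is constructed; the service names, field layout and the tcpd path are the conventional ones.

```python
"""Parse /etc/inetd.conf and report which services inetd will start (added example)."""

# Constructed excerpt; lines commented out with '#' are disabled entries.
SAMPLE_INETD_CONF = """\
# constructed example, not a real system's file
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#echo   stream  tcp  nowait  root    internal
"""

FIELDS = ("service", "socket", "protocol", "wait", "user", "server", "args")
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
# Services that send credentials in the clear or trust hosts.equiv/.rhosts.
CLEARTEXT_OR_RHOSTS = {"ftp", "telnet", "shell", "login", "exec"}


def parse_inetd_conf(text):
    """Return one dict per entry, including commented-out (disabled) ones."""
    entries = []
    for line in text.splitlines():
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        f = body.split(None, 6)
        if len(f) < 6 or f[1] not in SOCKET_TYPES:
            continue  # blank line or an ordinary comment, not a service entry
        entry = dict(zip(FIELDS, f + [""] * (7 - len(f))))  # args are optional
        entry["enabled"] = enabled
        entries.append(entry)
    return entries


def enabled_services(entries):
    """Names of the services inetd will actually listen for."""
    return [e["service"] for e in entries if e["enabled"]]


def audit_inetd(entries):
    """(service, finding) pairs for the enabled entries."""
    findings = []
    for e in entries:
        if not e["enabled"]:
            continue
        if e["service"] in CLEARTEXT_OR_RHOSTS:
            findings.append((e["service"], "clear-text or r-service enabled"))
        if e["server"] != "internal" and not e["server"].endswith("/tcpd"):
            findings.append((e["service"], "started without the tcpd wrapper"))
    return findings


if __name__ == "__main__":
    entries = parse_inetd_conf(SAMPLE_INETD_CONF)
    print("enabled:", enabled_services(entries))
    print("disabled:", [e["service"] for e in entries if not e["enabled"]])
    for service, finding in audit_inetd(entries):
        print("FINDING: %-8s %s" % (service, finding))
```

Cross-check the enabled list against `ps -aef` and the listening sockets on the host: a service that inetd.conf says is live but that never appears in the process list (or vice versa) is a question for the administrator, not a conclusion.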