©2000 Deloitte & Touche LLP. Deloitte & Touche refers to Deloitte & Touche LLP and related entities.
San Francisco Chapter
Establishing Effective Audit Control Objectives for UNIX
Afternoon Session
Rick Allen, CISSP, Manager, Strategic Security Services
Afternoon Course Agenda
Over the next four hours we will learn about:
1. Introduction to Unix Armoring Techniques
2. Understanding and application of Minimum Unix Security Control Baseline methods
3. Value & Impact Analysis between typical and integrated audit plans
4. Review of basic Unix shell commands used for systems audit
5. Recommendations for building integrated audit plans with control objectives and test activities (Sample audit program)
Unix Armoring Techniques
Determine the initial OS package load: CORE, DEV or END USER?
Determine the file system partitioning scheme: / (root) and /var should be separate, including /usr and logging for a web server
User partition should be mounted RO (Read Only)
Unix Armoring Techniques
Send the inet daemon a SIGHUP via shell command
After reboot, install the recommended patch cluster from SunSolve
Patch clusters are frequently updated and should be checked periodically
Begin review of armoring controls and procedures:
Turning off unnecessary services
Modifying various key files and configurations
Installing TCP wrappers on necessary services
Unix Armoring Techniques
Confirm what services are commented out:
# grep -v "^#" /etc/inetd.conf
Unix inetd.conf (Solaris) defaults to 35 services
Audit for ownership and permission flags
Permission values should be 640
Audit /etc/rc2.d and rc3.d for startup scripts launched by init processes.
Stop a script from loading by replacing the leading S with s
Unix Armoring Techniques
Audit ownership and permissions to 640
Are these files included in the audit plan and reviewed by operations on a regular basis?
Enable logging and audit in /var/adm, the default logging directory. Two additional log files need to be added:
sulog logs all successful and failed attempts to switch users to root permissions
loginlog logs consecutive failed login attempts (5 attempts, 5 failures)
To enable them, "touch" the above files in the directory
Unix Armoring Techniques
Disable the following:
S73nfs.client used for NFS mounting of file systems
S74autofs used for auto mounting a file system
S80lp for local printing
S88sendmail listens for incoming SMTP (you can still send mail)
S71rpc the portmapper daemon
S99dtlogin the CDE daemon
s15nfs.server - network file system
s76snmpdx - network management
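The following script is an added example, not part of the original Deloitte deck: it turns the inetd.conf, rc2.d/rc3.d and /var/adm checks from the preceding slides into shell functions and runs them on a constructed copy of those files. The scratch tree under AUDIT_ROOT, the sample inetd.conf contents and the rc script names placed in it are assumptions for the demonstration; on a real host point the functions at /etc/inetd.conf, /etc/rc2.d and /var/adm and run as root.

```shell
#!/bin/sh
# Added example, not from the original deck: audit inetd.conf, the rc2.d/rc3.d
# start scripts and the /var/adm log files described on the preceding slides.
# Every function takes the file or directory to check as an argument, so it can
# be exercised on a constructed copy (done below) or pointed at the real paths.

# Service names from the active (uncommented, non-blank) lines of an inetd.conf.
active_inetd_services() {   # $1 = path to inetd.conf
    grep -v '^#' "$1" | awk 'NF > 0 { print $1 }' || true
}

# Number of active services; the deck notes a stock Solaris inetd.conf has 35.
active_inetd_count() {
    active_inetd_services "$1" | wc -l | tr -d ' '
}

# Permission string exactly as ls -l prints it (portable across Solaris and
# Linux; stat -c is GNU only).
perm_string() { ls -ld "$1" | cut -c1-10; }

# 0 when the file has the mode the deck requires for these config files (640).
has_mode_640() { [ "$(perm_string "$1")" = "-rw-r-----" ]; }

# Start scripts in an rc directory: "enabled" lists the S* scripts init runs,
# "disabled" lists the s* scripts that were turned off by renaming the leading S.
rc_scripts() {   # $1 = rc directory, $2 = enabled | disabled
    case "$2" in
        enabled)  pat='^S[0-9]' ;;
        disabled) pat='^s[0-9]' ;;
        *) echo "usage: rc_scripts DIR enabled|disabled" >&2; return 1 ;;
    esac
    ls "$1" 2>/dev/null | grep "$pat" || true
}

# Turn a start script off the way the deck does: rename the leading S to s.
disable_rc_script() {   # $1 = rc directory, $2 = script name, e.g. S88sendmail
    case "$2" in
        S*) mv "$1/$2" "$1/s${2#S}" ;;
        *)  echo "$2 is not an enabled S script" >&2; return 1 ;;
    esac
}

# The deck enables sulog and loginlog simply by creating them. They are created
# readable and writable by root only (mode 600); on a real host run this as root.
enable_adm_logs() {   # $1 = log directory, normally /var/adm
    for f in sulog loginlog; do
        [ -f "$1/$f" ] || { : > "$1/$f"; chmod 600 "$1/$f"; }
    done
}

# ---- constructed demo data (a throw-away tree, not a real system) ----
AUDIT_ROOT=$(mktemp -d)
mkdir -p "$AUDIT_ROOT/etc/rc2.d" "$AUDIT_ROOT/var/adm"
cat > "$AUDIT_ROOT/etc/inetd.conf" <<'EOF'
# constructed inetd.conf: ftp commented out, telnet and finger still active
#ftp    stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd

finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
chmod 640 "$AUDIT_ROOT/etc/inetd.conf"
for s in S73nfs.client S88sendmail s15nfs.server; do : > "$AUDIT_ROOT/etc/rc2.d/$s"; done

echo "active inetd services: $(active_inetd_services "$AUDIT_ROOT/etc/inetd.conf" | tr '\n' ' ')"
has_mode_640 "$AUDIT_ROOT/etc/inetd.conf" && echo "inetd.conf mode 640: ok"
disable_rc_script "$AUDIT_ROOT/etc/rc2.d" S88sendmail
echo "still enabled in rc2.d: $(rc_scripts "$AUDIT_ROOT/etc/rc2.d" enabled | tr '\n' ' ')"
enable_adm_logs "$AUDIT_ROOT/var/adm"
```

The permission check deliberately parses ls -l instead of stat, because stat -c does not exist on the Solaris releases this deck targets; the same helper works unchanged on Linux.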
Unix Armoring Techniques
Audit the /etc/issue file: this is a text banner that appears for service logins (telnet); this legal warning will appear whenever someone attempts to log in to the system.
Audit the /etc/group file for existence of the WHEEL group. This group is for accounts that can execute powerful commands such as su.
Identify critical system binaries such as /usr/bin/su; change the group ownership to WHEEL and the permissions to owner and group executable only.
Unix Armoring Techniques
Maintain the setuid or setgid bit for specific binaries:
# /usr/bin/chgrp WHEEL /usr/bin/su
# /usr/bin/chmod 4750 /usr/bin/su
A 4 digit number is used to express the "sticky", "SetUID" and "SetGID" bits to enhance access controls.
su is statically linked to another binary in /sbin/su.static. This is the same as /usr/bin/su; however the libs are statically linked, hence the larger file size. /sbin/su.static must be chgrp'd and chmod'd as well.
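The script below is an added example and not code from the deck: it applies the two commands from the slide to both su binaries and verifies the result (group WHEEL, mode 4750 shown by ls as -rwsr-x---). The default group name "wheel", the SU_BINARIES list and GROUP_FILE are assumptions that can be overridden; the demo at the end runs on a scratch file in place of /usr/bin/su because hardening the real binary requires root.

```shell
#!/bin/sh
# Added example, not from the original deck: apply and verify the su hardening the
# slide describes (group WHEEL, mode 4750, setuid root kept) on both /usr/bin/su
# and /sbin/su.static. WHEEL_GROUP, SU_BINARIES and GROUP_FILE are assumptions
# that can be overridden; on a real host run as root.

WHEEL_GROUP=${WHEEL_GROUP:-wheel}
SU_BINARIES=${SU_BINARIES:-"/usr/bin/su /sbin/su.static"}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Permission string and group name as ls -l prints them (portable; no stat -c).
perm_string() { ls -ld "$1" | cut -c1-10; }
group_of()    { ls -ld "$1" | awk '{ print $4 }'; }

# Does the wheel-style group exist? The deck says to check /etc/group for it first.
group_exists() { grep -q "^$1:" "$GROUP_FILE" 2>/dev/null; }

# Hardened means: setuid bit on, owner rwx, group r-x, nothing for others
# (4750 shows as -rwsr-x---) and group ownership is the wheel group.
su_is_hardened() {   # $1 = path to su binary
    [ "$(perm_string "$1")" = "-rwsr-x---" ] && [ "$(group_of "$1")" = "$WHEEL_GROUP" ]
}

# The two commands from the slide. chmod runs after chgrp because changing group
# ownership clears the setuid bit on many systems, which would leave su unusable.
harden_su() {   # $1 = path to su binary
    if group_exists "$WHEEL_GROUP"; then
        chgrp "$WHEEL_GROUP" "$1" || echo "chgrp $WHEEL_GROUP $1 failed" >&2
    else
        echo "group $WHEEL_GROUP not in $GROUP_FILE; create it before running chgrp" >&2
    fi
    chmod 4750 "$1"
}

# One report line per binary: path, group, mode and OK / FAIL, or MISSING.
audit_su_binaries() {
    for b in $SU_BINARIES; do
        if [ ! -f "$b" ]; then printf '%s MISSING\n' "$b"; continue; fi
        if su_is_hardened "$b"; then st=OK; else st=FAIL; fi
        printf '%s %s %s %s\n' "$b" "$(group_of "$b")" "$(perm_string "$b")" "$st"
    done
}

# ---- demo on a constructed copy (a scratch file stands in for /usr/bin/su) ----
demo_su=$(mktemp)
chmod 755 "$demo_su"
WHEEL_GROUP=$(group_of "$demo_su")   # the scratch file's own group plays "WHEEL"
SU_BINARIES="$demo_su /sbin/su.static"
audit_su_binaries                     # scratch file FAIL (mode 755); su.static MISSING on non-Solaris
harden_su "$demo_su"
audit_su_binaries                     # scratch file now -rwsr-x--- OK
rm -f "$demo_su"
```

Run the audit function unchanged (without the demo overrides) from a cron job or the audit workstation to get a one-line status per su binary; any FAIL or MISSING line is a finding against the control on this slide.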
Unix Armoring Techniques: Permission Details
[Figure: directory tree with / (root) above /unix, /etc, /dev, /tmp, /lib, /usr and /bin; the example path /test/newfile is highlighted]
$ id -a
uid=1001(rick) gid=10(staff) groups=10(staff),8(lp)
$ mkdir test
$ chgrp lp test
$ chmod 777 test
$ chmod g+s test
$ ls -la
total 32
drwxr-xr-x  8 rick  staff  512 Mar  6 21:09 .
drwxr-xr-x  6 root  root   512 Apr 12 04:00 ..
drwxrwsrwx  2 debi  lp     512 Mar 30 06:00 test
Unix Armoring Techniques: Permission Details
[Figure: same directory tree, /test/newfile highlighted]
$ ls -la
total 32
drwxr-xr-x  8 rick  staff  512 Mar  6 21:09 .
drwxr-xr-x  6 root  root   512 Apr 12 04:00 ..
drwxrwsrwx  2 debi  lp     512 Mar 30 06:00 test
$ cd test
$ touch newfile
$ ls -la newfile
-rw-r--r--  2 debi  lp     512 Mar 31 09:00 newfile
Unix Armoring Techniques: Permission Details
[Figure: same directory tree, /test/newfile highlighted]
$ ls -la
total 39
drwxr-xr-x  8 rick  staff  512 Mar  6 21:09 .
drwxr-xr-x  6 root  root   512 Apr 12 04:00 ..
-rw-r--r--  2 debi  lp     512 Mar 31 09:00 newfile
drwxrwsrwx  2 debi  lp     512 Mar 30 06:00 test
$ chmod 1766 test    (public read and write with the sticky bit set)
$ ls -la test
drwxrw-rwT  2 debi  lp     512 Mar 30 06:00 test
Unix Armoring Techniques: User Account Environment
The Root Account
Used by the Unix admin for unlimited access to all programs, files and resources the system has to offer (an obvious high-profile security target)
Root's name can be changed, but as long as the userid is 0, it's still root:
root:x:0:1:Super-User:/:/sbin/sh
Root is omnipotent due to the userid of 0, not its name.
Other accounts can be created with a userid of 0; those other accounts have all the power and privilege that root has.
Unix Armoring Techniques: User Account Environment
Other Admin Accounts & Groups
Several admin accounts exist in Unix. While they don't have root privilege, they should be protected as though they did:
daemon, bin, sys, adm, lp, uucp, nuucp, listen, nobody, noaccess, toor
sys (groupid 3)
System processes using these accounts control functions including email, DBMS and lp
Lock the following accounts and groups
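As an added example (not from the original deck), the script below audits a passwd file for the two findings described on the preceding slides: accounts other than root that carry uid 0, and admin accounts from the slide's list whose shadow entry is not locked. The passwd and shadow files are arguments, so the constructed copies built inside the script are used for the demo; the entry names, the HASHPLACEHOLDER token and the account "toor" with uid 0 are constructed sample data, not real credentials.

```shell
#!/bin/sh
# Added example, not from the original deck: audit the passwd and shadow files for
# the two conditions on the preceding slides, extra uid-0 accounts and system
# accounts that are not locked. Files are passed as arguments so the functions can
# run on the constructed copies below or on /etc/passwd and /etc/shadow.

# All account names with uid 0. Root is root by uid, not by name; anything here
# besides "root" has full root privilege.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# The uid-0 accounts that are not named root: each one is a finding.
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# The admin accounts the slide lists (they should be locked).
SYSTEM_ACCOUNTS="daemon bin sys adm lp uucp nuucp listen nobody noaccess toor"

# A shadow password field that no password can match: Solaris writes *LK* for
# locked and NP for "no password"; other Unixes use a leading ! or *.
# An empty field is the opposite: login with no password at all.
is_locked_hash() {
    case "$1" in
        '*'*|'!'*|NP) return 0 ;;
        *)            return 1 ;;
    esac
}

# System accounts present in the shadow file whose password field is not locked.
unlocked_system_accounts() {   # $1 = shadow file
    for acct in $SYSTEM_ACCOUNTS; do
        entry=$(awk -F: -v a="$acct" '$1 == a { print "found:" $2 }' "$1")
        [ -n "$entry" ] || continue          # not defined on this host: skip
        is_locked_hash "${entry#found:}" || echo "$acct"
    done
    return 0
}

# ---- constructed passwd/shadow copies (not real credentials; HASHPLACEHOLDER
# marks where a real password hash would be) ----
DEMO=$(mktemp -d)
cat > "$DEMO/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
toor:x:0:1:second uid-0 account:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
rick:x:1001:10:Rick Allen:/export/home/rick:/bin/ksh
EOF
cat > "$DEMO/shadow" <<'EOF'
root:HASHPLACEHOLDER:6445::::::
toor:HASHPLACEHOLDER:6445::::::
daemon:NP:6445::::::
bin::6445::::::
rick:HASHPLACEHOLDER:10891:7:30:7:::
EOF
chmod 400 "$DEMO/shadow"

echo "uid-0 accounts: $(uid0_accounts "$DEMO/passwd" | tr '\n' ' ')"
echo "extra uid-0 accounts: $(extra_uid0_accounts "$DEMO/passwd" | tr '\n' ' ')"
echo "unlocked system accounts: $(unlocked_system_accounts "$DEMO/shadow" | tr '\n' ' ')"
```

In the constructed data, toor shows up twice: as a second uid-0 account and as a listed admin account that is not locked. An empty password field (bin in the sample) is reported as unlocked as well, since it is worse than an unlocked hash.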
Unix Armoring Techniques: User Account Environment
When Users Need Root Privilege
Mount disks and CDs, where the mount & unmount commands are required in the absence of volume management
Example: a user may need to kill and restart a database instance or application (non-root users can only kill their own processes)
Kill or restart specific processes not belonging to the user
Unix Armoring Techniques: User Account Environment
Protecting Root Privilege
Root's .profile, which establishes the path, should be protected from directories whose contents are questionable or unknown:
PATH=/usr/bin:/sbin:/usr/sbin
Consistency of the passwd file can be checked with the pwck command.
Modern Unix stores the encrypted value of the password in the /etc/shadow file with other information like password aging.
The passwd file is owned by root and must be readable by all users but writable only by root: /etc/passwd -rw-r--r--
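The script below is an added example rather than the deck's own material: it checks a PATH value for the risks the slide is guarding against (the current directory, relative entries and world-writable directories) and verifies the mode and owner rule stated for /etc/passwd. The PATH strings and the scratch files in the demo are constructed; the owner check is separate from the mode check so the latter can be exercised on a scratch copy that is not owned by root.

```shell
#!/bin/sh
# Added example, not from the original deck: check a PATH string the way the slide
# wants root's .profile checked, and verify the passwd file's mode. The PATH to
# test and the passwd file are arguments, so constructed values can be used.

# Print one line per risky PATH element with the reason:
#   empty element or "."  -> the current directory is searched (trojan risk)
#   relative element      -> resolved from whatever directory root happens to be in
#   world-writable dir    -> anyone can drop a binary that root will execute
# A trailing colon ("/usr/bin:") is also an empty element; awk reports it because
# it counts the empty last field.
unsafe_path_entries() {   # $1 = PATH value
    printf '%s\n' "$1" | awk -F: '{ for (i = 1; i <= NF; i++) print $i }' |
    while IFS= read -r d; do
        case "$d" in
            ''|.) printf '%s current-directory\n' "${d:-(empty)}" ;;
            /*)   # -L follows symlinks (e.g. /sbin -> usr/sbin) so the target's
                  # permissions are examined, not the link's rwxrwxrwx
                  if [ -d "$d" ] && [ "$(ls -ldL "$d" | cut -c9)" = "w" ]; then
                      printf '%s world-writable\n' "$d"
                  fi ;;
            *)    printf '%s relative\n' "$d" ;;
        esac
    done
    return 0
}

# 0 when the PATH has no risky element.
path_is_safe() { [ -z "$(unsafe_path_entries "$1")" ]; }

# The slide's rule for the passwd file: readable by all, writable only by root,
# i.e. -rw-r--r-- (644), owned by root.
perm_string() { ls -ld "$1" | cut -c1-10; }
owner_of()    { ls -ld "$1" | awk '{ print $3 }'; }
passwd_file_mode_ok()  { [ "$(perm_string "$1")" = "-rw-r--r--" ]; }
passwd_file_owner_ok() { [ "$(owner_of "$1")" = "root" ]; }

# ---- demo on constructed values ----
scratch_dir=$(mktemp -d); chmod 777 "$scratch_dir"   # stands in for a world-writable dir
echo "PATH=/usr/bin:/sbin:/usr/sbin (the slide's value):"
unsafe_path_entries "/usr/bin:/sbin:/usr/sbin"        # prints nothing
echo "PATH=/usr/bin:.:/sbin::$scratch_dir:"
unsafe_path_entries "/usr/bin:.:/sbin::$scratch_dir:"
rm -rf "$scratch_dir"
```

Run unsafe_path_entries against the PATH line extracted from root's .profile (and against the PATH of any cron job that runs as root): every line it prints is a directory from which an untrusted user could get code executed with root privilege.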
Unix Armoring Techniques: User Account Environment
Using Good Password Construction
A Unix weakness exists whereby password aging restrictions are ignored if root is changing another's password (including its own password).
Force account smar to change password at next login:
# passwd -f smar
Prevent user from changing password:
# passwd -n 2 -x 1 smar
Force the account jsmith to change password every 30 days:
# passwd -x 30 jsmith
Unix Armoring Techniques: User Account Environment
Protect /etc/default/passwd & direct root login.
#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
MAXWEEKS=4
MINWEEKS=1
WARNWEEKS=3
PASSLENGTH=7
Set CONSOLE=/dev/console in /etc/default/login to allow direct root login only at the console.
Set CONSOLE=/dev/null in /etc/default/login to disallow direct root login everywhere (root must su from an ordinary account).
Unix Armoring Techniques: Executable Environment
Protecting from Buffer Overflows
Add the following lines to /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
Then restart the system with the init 6 command.
Caution: the above can break legitimate programs that do run code on the stack. (Test prior to production.)
Unix can be configured to block stack-based buffer overflow exploits with this procedure.
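The script below is an added example, not from the original deck: it checks the three configuration files from the preceding slides against the values given there (password aging in /etc/default/passwd, CONSOLE in /etc/default/login, and the two noexec_user_stack tunables in /etc/system). The files are arguments, so the constructed copies written by the script are checked in the demo; the comparison directions (MAXWEEKS at most 4, the others at least the slide's value) and the PASSREQ line in the sample login file are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original deck: check the three configuration files
# from the preceding slides against the values given there: password aging in
# /etc/default/passwd, CONSOLE in /etc/default/login and the noexec_user_stack
# tunables in /etc/system. Each function takes the file as an argument so the
# constructed copies below can be checked instead of the live files.

# Value of KEY in a KEY=VALUE file; comment lines are ignored, the last setting
# wins, and output is empty when the key is unset (or present only commented out).
default_value() {   # $1 = file, $2 = key
    awk -F= -v k="$2" '$0 !~ /^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# Value of "set NAME=VALUE" in /etc/system (assumes no spaces around the "=").
system_tunable() {   # $1 = file, $2 = tunable name
    awk -v k="$2" '$1 == "set" { split($2, kv, "="); if (kv[1] == k) v = kv[2] }
                   END { print v }' "$1"
}

# Password aging at least as strict as the slide: MAXWEEKS <= 4, MINWEEKS >= 1,
# WARNWEEKS >= 1 and PASSLENGTH >= 7. Prints one FAIL line per deviation.
check_passwd_defaults() {   # $1 = /etc/default/passwd
    rc=0
    for spec in MAXWEEKS:-le:4 MINWEEKS:-ge:1 WARNWEEKS:-ge:1 PASSLENGTH:-ge:7; do
        key=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; limit=${rest#*:}
        got=$(default_value "$1" "$key")
        case "$got" in
            ''|*[!0-9]*) echo "FAIL $key=${got:-unset} (not a number)"; rc=1; continue ;;
        esac
        [ "$got" "$op" "$limit" ] || { echo "FAIL $key=$got (want $op $limit)"; rc=1; }
    done
    return $rc
}

# CONSOLE in /etc/default/login: /dev/console restricts direct root login to the
# console, /dev/null forbids it everywhere (root must su from a user account),
# unset or commented out lets root log in from any terminal.
console_policy() {   # $1 = /etc/default/login
    case "$(default_value "$1" CONSOLE)" in
        /dev/console) echo console-only ;;
        /dev/null)    echo no-direct-root-login ;;
        '')           echo unrestricted ;;
        *)            echo other ;;
    esac
}

# Both /etc/system tunables from the slide must be 1: the first makes the user
# stack non-executable, the second logs attempts to execute from it.
noexec_stack_enabled() {   # $1 = /etc/system
    [ "$(system_tunable "$1" noexec_user_stack)" = "1" ] &&
    [ "$(system_tunable "$1" noexec_user_stack_log)" = "1" ]
}

# ---- constructed copies of the three files ----
CFG=$(mktemp -d)
cat > "$CFG/passwd" <<'EOF'
#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
MAXWEEKS=4
MINWEEKS=1
WARNWEEKS=3
PASSLENGTH=7
EOF
cat > "$CFG/login" <<'EOF'
# CONSOLE=/dev/console     (commented out: no restriction on direct root login)
PASSREQ=YES
EOF
cat > "$CFG/system" <<'EOF'
set noexec_user_stack=1
set noexec_user_stack_log=1
EOF

check_passwd_defaults "$CFG/passwd" && echo "password aging: ok"
echo "root login policy: $(console_policy "$CFG/login")"
noexec_stack_enabled "$CFG/system" && echo "non-executable user stack: enabled"
```

Because default_value ignores commented lines, the common failure mode where an administrator leaves the vendor's "#CONSOLE=/dev/console" template line untouched is reported as "unrestricted" rather than passing.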
Unix Armoring Techniques: XWindows Environment
Protecting XWindows
For local Unix, auto-configure the XWin screen lock
For local / remote Unix, use the xhost command for access control:
# xhost
access control enabled, only authorized clients can connect
To allow access enter:
# xhost [email protected]
Sample Systems Architecture
[Figure: network diagram showing the Internet, perimeter router, Unix firewall, load balancer, Unix web servers, interior router, interior network switch, internal Unix clients and external Unix clients]
Understanding Unix Baseline Security Controls
Why adopt Baseline Security Controls
Physical entry, social engineering, collusion, electronic penetration, successful system hack
You have no control over an attacker's skill... but you do control the skill required for a successful attack!
You have little control over the speed of an attack... but you do have control over the response time to an attack.
Given sufficient skill, time, motivation and opportunity ANY defense can be breached!
Understanding Unix Baseline Security Controls
Effective measures for controlling "Target Selection"
Limit IP/hostname information
Remove unauthorized hosts (e.g. remote controls)
Securely configure internet-accessible hosts
Remove banners
Disable modems and use strong security for those remaining.
Limit use of unsecured info services (finger)
Ensure no data resides on the DMZ
Place servers behind a firewall (Unix based)
Understanding Unix Baseline Security Controls
Effective measures for controlling "Attack"
Disable or change default accounts
Limit logon attempts, record and review logs
Periodically run passwd crackers and/or integrity check software
Use anti-virus software on all platforms
Consider use of strong authentication and encryption
Consider intrusion detection software for networks and hosts
Understanding Unix Baseline Security Controls
Effective measures for controlling "Infiltration"
Use a deny-all-unless-explicit design rule
Limit services to those absolutely essential
Develop & implement strong policies and awareness
Securely configure services (e.g. sendmail, ftp)
Limit system and network trust relationships
Consider internal firewalls for containment
Strong change control process & procedures
Regular audit / security reviews (internal / external)
Basic Unix Shell Commands for systems auditing 1
$ file /usr/bin/su
$ df -H
$ ls -laf
$ chmod _ _ _ _ /path/filename
$ which /usr/bin/su
$ uname -a
$ set (without arguments) & (with arguments)
Basic Unix Shell Commands for systems auditing 2
$ find / -perm -002 -type d -print
$ ps -ef | grep "stringname"
$ passwd -x 30 jsmith
$ passwd -f smar
$ touch /path/filename
$ grep -v "^#" /etc/inetd.conf
$ passwd -n 2 -x 1 smar