© 2000 Deloitte & Touche LLP. Deloitte & Touche refers to Deloitte & Touche LLP and related entities.

San Francisco Chapter

Establishing Effective Audit Control Objectives for UNIX

Afternoon Session

Rick Allen, CISSP
Manager, Strategic Security Services
Ricallen@deloitte.com

Afternoon Course Agenda

Over the next four hours we will learn about:

1. Introduction to Unix Armoring Techniques

2. Understanding and application of Minimum Unix Security Control Baseline methods

3. Value & Impact Analysis between typical and integrated audit plans

4. Review of basic Unix shell commands used for systems audit

5. Recommendations for building integrated audit plans with control objectives and test activities (sample audit program)

Unix Armoring Techniques

Determine the initial OS package load: Core, End User or Developer? Install the smallest cluster that supports the system's role; every package not installed is one that never needs patching.

Determine the file system partitioning scheme: / (root) and /var should be separate partitions, as should /usr, and a web server should keep its logs on their own partition so that log growth or a log-flooding attack cannot fill the root file system.

The /usr partition should be mounted RO (read only), so that system binaries cannot be replaced without a deliberate remount.

Begin the review of armoring controls and procedures:

Turning off unnecessary services

Modifying various key files and configurations

Installing TCP wrappers on the services that must remain

After the initial build and reboot, install the recommended patch cluster from SunSolve.

Patch clusters are updated frequently and should be checked periodically; the installed patch level is an audit item in its own right.

After editing /etc/inetd.conf, send the inet daemon a SIGHUP from the shell (kill -HUP with the process id of inetd) so that it re-reads the file; until then the old service list is still in effect.

Confirm which services remain active, i.e. are not commented out:

# grep -v "^#" /etc/inetd.conf

A default Solaris inetd.conf enables about 35 services; every one that stays active is an exposure that needs a documented justification.

Audit /etc/inetd.conf for ownership and permission flags: the file should be owned by root and the permission value should be 640.

Audit /etc/rc2.d and /etc/rc3.d for the startup scripts launched by init at each run level.

Stop a script from loading by renaming its leading S to a lowercase s. Init only runs scripts whose names begin with an uppercase S (start) or K (kill), so the renamed file stays in place for rollback but is skipped at boot.
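The inetd audit above, as an added example that is not from the original slides: a POSIX shell script that lists the services still enabled in an inetd.conf-format file, counts them and reports the file's mode and owner. It runs against a constructed sample file (the service lines are illustrative, not a real host's configuration), so it can be exercised on any Unix; on a Solaris host you would point the functions at /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not part of the original slides): audit an inetd.conf.
# Works on a constructed sample so it runs on any Unix; point it at
# /etc/inetd.conf on the host being audited.

# Print the service name (first field) of every line that is neither a
# comment nor blank. These are the services inetd will actually start.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{ print $1 }'
}

# Number of enabled services. Solaris ships with about 35; a hardened
# host should be near zero, with every survivor justified in the audit plan.
active_inetd_count() {
    active_inetd_services "$1" | wc -l | tr -d ' '
}

# Permission string and owner group of a file, e.g. "-rw-r----- root sys",
# for comparison with the 640/root baseline.
file_mode_owner() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# Constructed sample: a Solaris-style inetd.conf after partial hardening.
# Only the uncommented lines (shell, sadmind) are still exposed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Internet services database (constructed sample)
#ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd      in.ftpd
#telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd   in.telnetd
shell    stream  tcp  nowait  root    /usr/sbin/in.rshd      in.rshd
#finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
sadmind/10 tli   rpc/udp wait root    /usr/sbin/sadmind      sadmind

    # an indented comment must not count as a service
EOF
chmod 640 "$sample"

echo "Enabled services:"
active_inetd_services "$sample"
echo "Count: $(active_inetd_count "$sample")"
echo "Mode and owner: $(file_mode_owner "$sample")"
rm -f "$sample"
```

The two grep filters reject both leading-column and indented comments and blank lines, which a plain grep -v "^#" lets through; the count is what goes into the audit working papers, the service list is what operations has to justify.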

Audit the startup scripts' ownership and permissions: owner root, permission value 640.

Are these files included in the audit plan and reviewed by operations on a regular basis?

Enable logging and audit in /var/adm, the default logging directory. Two additional log files need to be added:

/var/adm/sulog logs all successful and failed attempts to switch user with su, including attempts to become root.

/var/adm/loginlog logs consecutive failed login attempts; a record is written for an account once it reaches the RETRIES threshold set in /etc/default/login (the default is 5 attempts).

To enable them, "touch" the above files in /var/adm. They should be owned by root, group sys, with mode 600, so that ordinary users cannot read the failure history.
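An added example, not from the slides, of what the auditor does with those two files once they exist: summarise su attempts to root from sulog-format records and count loginlog records per account. The log lines are constructed for the example in the Solaris formats (sulog: `SU mm/dd hh:mm +|- tty from-to`, where + is success and - is failure; loginlog: `login:tty:timestamp`); on a host, point the functions at /var/adm/sulog and /var/adm/loginlog.

```shell
#!/bin/sh
# Added example (not part of the original slides): review sulog and loginlog.
# sulog record:    SU mm/dd hh:mm +|- tty fromuser-touser   (+ success, - failure)
# loginlog record: login:tty:timestamp   (one per failed login once RETRIES is hit)

# "user count" for every account with at least one FAILED su to root.
# Repeated failures from one account are the classic sign of password guessing.
failed_su_to_root() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
             u = $6; sub(/-root$/, "", u); fails[u]++
         }
         END { for (u in fails) print u, fails[u] }' "$1" | sort
}

# "user count" for every account that successfully became root; compare this
# list with the wheel group membership and the change tickets for the period.
successful_su_to_root() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
             u = $6; sub(/-root$/, "", u); ok[u]++
         }
         END { for (u in ok) print u, ok[u] }' "$1" | sort
}

# "user count" of loginlog records per account. Each record already represents
# RETRIES (default 5) consecutive failures, so even a count of 1 deserves a look.
loginlog_per_user() {
    awk -F: 'NF >= 3 { n[$1]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Constructed sample logs (not from a real host).
sulog=$(mktemp); loginlog=$(mktemp)
cat > "$sulog" <<'EOF'
SU 03/30 06:00 + console root-rick
SU 03/30 06:05 - pts/3 rick-root
SU 03/30 06:06 - pts/3 rick-root
SU 03/30 06:07 + pts/3 rick-root
SU 03/30 07:10 - pts/5 jsmith-root
SU 03/30 07:12 + pts/5 jsmith-oracle
EOF
cat > "$loginlog" <<'EOF'
jsmith:/dev/pts/2:Mon Mar 30 06:00:01 2000
jsmith:/dev/pts/2:Mon Mar 30 06:00:09 2000
smar:/dev/pts/4:Mon Mar 30 08:12:44 2000
EOF

echo "Failed su to root:";     failed_su_to_root "$sulog"
echo "Successful su to root:"; successful_su_to_root "$sulog"
echo "loginlog records:";      loginlog_per_user "$loginlog"
rm -f "$sulog" "$loginlog"
```

The from-to field is matched on its "-root" suffix and then stripped rather than split on the hyphen, so an account name that itself contains a hyphen is counted correctly.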

Disable the following startup scripts (rename the leading S to s) unless the host demonstrably needs the service:

/etc/rc2.d/S73nfs.client: NFS client, used for mounting remote file systems

/etc/rc2.d/S74autofs: automounter, used for auto-mounting file systems

/etc/rc2.d/S80lp: local printing

/etc/rc2.d/S88sendmail: listens for incoming SMTP (the host can still send mail without it)

/etc/rc2.d/S71rpc: the RPC portmapper daemon (rpcbind); note that NFS, NIS and CDE depend on it

/etc/rc2.d/S99dtlogin: the CDE login daemon, which starts the X server

/etc/rc3.d/S15nfs.server: NFS server

/etc/rc3.d/S76snmpdx: SNMP network management agent
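The rename-to-disable step, as an added example that is not from the slides: shell functions that list the scripts init will still run from an rc directory and disable one by renaming its leading S to s, exercised on a constructed copy of rc2.d and rc3.d in a temporary directory. The script names are the Solaris ones listed above; the temporary directory and the extra S20sysetup and S90example entries are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original slides): disable rc scripts by
# renaming S -> s, on a constructed rc2.d/rc3.d tree in a temp directory.
# On a real Solaris host the directories are /etc/rc2.d and /etc/rc3.d and
# this must be run as root.

# Names of the scripts init will run at boot: only those starting with an
# uppercase S (start) are executed; lowercase s is ignored, so the file is
# kept for rollback but never run.
active_rc_scripts() {
    for f in "$1"/S*; do
        if [ -e "$f" ]; then echo "${f##*/}"; fi
    done
}

# Disable one script. Prints the new name; returns 1 if it is not there
# (already disabled or never installed), which the caller should notice
# rather than assume the service is off.
disable_rc_script() {
    dir=$1; name=$2
    if [ ! -e "$dir/$name" ]; then
        echo "not present: $dir/$name" >&2
        return 1
    fi
    new="s${name#S}"
    mv "$dir/$name" "$dir/$new" && echo "$new"
}

# Constructed tree mirroring the Solaris names from the slide.
root=$(mktemp -d)
mkdir "$root/rc2.d" "$root/rc3.d"
for s in S20sysetup S71rpc S73nfs.client S74autofs S80lp S88sendmail S99dtlogin; do
    : > "$root/rc2.d/$s"
done
for s in S15nfs.server S76snmpdx S90example; do : > "$root/rc3.d/$s"; done

for s in S71rpc S73nfs.client S74autofs S80lp S88sendmail S99dtlogin; do
    disable_rc_script "$root/rc2.d" "$s"
done
for s in S15nfs.server S76snmpdx; do disable_rc_script "$root/rc3.d" "$s"; done

echo "Still started from rc2.d:"; active_rc_scripts "$root/rc2.d"
echo "Still started from rc3.d:"; active_rc_scripts "$root/rc3.d"
rm -rf "$root"
```

Because the K (kill) scripts are left untouched, the service is still stopped cleanly on a change of run level; only its start at boot is suppressed, which is the behaviour the slide relies on.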

Audit the /etc/issue file. This text banner is displayed before the login prompt for network service logins (telnet), so the legal warning appears whenever someone attempts to log in to the system.

Audit /etc/group for the existence of a wheel group. Solaris does not create one by default; it is the group for accounts that are permitted to execute powerful commands such as su.

Identify critical system binaries such as /usr/bin/su, change their group ownership to wheel and set their permissions so that only the owner and the wheel group can execute them.

Maintain the setuid (or setgid) bit on such binaries while tightening the group:

# /usr/bin/chgrp wheel /usr/bin/su
# /usr/bin/chmod 4750 /usr/bin/su

A four-digit mode is used to express the "sticky", SetUID and SetGID bits in addition to the usual owner, group and other permissions. The leading digit is 4 for SetUID, 2 for SetGID and 1 for sticky, so 4750 means SetUID root, rwx for the owner, r-x for the wheel group and no access for anyone else.

/sbin/su.static is a statically linked copy of su that behaves the same as /usr/bin/su; it exists so that root can still switch users when /usr is not mounted.

Because its libraries are statically linked it is a much larger file. It must be chgrp'd and chmod'd in the same way, otherwise the restriction on /usr/bin/su is bypassed simply by running /sbin/su.static.
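An added example, not from the slides, of the inventory check behind this step: find every setuid or setgid file under a tree and compare each against an allow-list of expected permission strings, so that a su binary that was never tightened, or a setuid binary nobody expected, is reported. It runs on a constructed tree of empty files in a temporary directory (as the invoking user, so the files are setuid that user rather than root); the file names mirror the slide, the allow-list contents are assumptions, and on a real host the tree is / and the allow-list is the one agreed in the audit plan.

```shell
#!/bin/sh
# Added example (not part of the original slides): setuid/setgid inventory
# checked against an allow-list. Constructed tree; on a real host use
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \)
# and an allow-list agreed in the audit plan.

# "mode owner group path" for every setuid (-perm -4000) or setgid
# (-perm -2000) regular file below $1.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; |
        awk '{ print substr($1, 1, 10), $3, $4, $NF }'
}

# Compare the inventory with an allow-list whose lines are
# "relative-path expected-permission-string". One line per finding:
#   UNEXPECTED path mode owner:group   (privileged file not on the list)
#   MODE path got X expected Y         (listed, but not at the agreed mode)
# Silent output means clean. Paths are assumed not to contain spaces.
check_suid_allowlist() {
    tree=$1; allow=$2
    list_suid_sgid "$tree" | while read -r mode owner group path; do
        rel=${path#"$tree"/}
        expected=$(awk -v p="$rel" '$1 == p { print $2 }' "$allow")
        if [ -z "$expected" ]; then
            echo "UNEXPECTED $rel $mode $owner:$group"
        elif [ "$expected" != "$mode" ]; then
            echo "MODE $rel got $mode expected $expected"
        fi
    done
}

# Constructed tree: su tightened to 4750 per the slide, passwd left at the
# vendor 4555 (so the list must say so), su.static forgotten at 4555, a
# stray setgid tool not on the list, and a plain 755 binary that must not
# appear at all.
tree=$(mktemp -d)
mkdir "$tree/bin" "$tree/sbin"
: > "$tree/bin/su";         chmod 4750 "$tree/bin/su"
: > "$tree/bin/passwd";     chmod 4555 "$tree/bin/passwd"
: > "$tree/sbin/su.static"; chmod 4555 "$tree/sbin/su.static"
: > "$tree/bin/oldtool";    chmod 2755 "$tree/bin/oldtool"
: > "$tree/bin/plain";      chmod 755  "$tree/bin/plain"

allow=$(mktemp)
cat > "$allow" <<'EOF'
bin/su          -rwsr-x---
bin/passwd      -r-sr-xr-x
sbin/su.static  -rwsr-x---
EOF

echo "Inventory:"; list_suid_sgid "$tree"
echo "Findings:";  check_suid_allowlist "$tree" "$allow"
rm -rf "$tree" "$allow"
```

Run on the sample this reports sbin/su.static as a MODE finding and bin/oldtool as UNEXPECTED, which is exactly the pair of mistakes the slide warns about: the static copy left loose, and a privileged binary nobody accounted for.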

Unix Armoring Techniques: Permission Details

The directory layout used in the example (the tree drawn on the slide):

/ (root)
|-- /unix
|-- /etc
|-- /dev
|-- /tmp
|-- /lib
|-- /usr
`-- /bin

The working directory test, which will hold newfile, is created in a directory owned by rick (the . entry in the listing below).

$ id -a
uid=1001(rick) gid=10(staff) groups=10(staff),8(lp)

$ mkdir test
$ chgrp lp test
$ chmod 777 test
$ chmod g+s test
$ ls -la
total 32
drwxr-xr-x  8 rick  staff  512 Mar  6 21:09 .
drwxr-xr-x  6 root  root   512 Apr 12 04:00 ..
drwxrwsrwx  2 debi  lp     512 Mar 30 06:00 test

The s in the group execute position shows the SetGID bit on the directory: files created inside test will belong to group lp (the directory's group) instead of the creator's primary group staff. chgrp lp succeeds only because the user is a member of lp, as the id output shows.

$ cd test
$ touch newfile
$ ls -la newfile
-rw-r--r--  2 debi  lp  512 Mar 31 09:00 newfile

newfile is owned by the user who created it but carries group lp, inherited from the SetGID directory rather than taken from the creator's primary group. This is how a shared project directory is given a single group without every user having to chgrp each file.

$ ls -la
total 39
drwxr-xr-x  8 rick  staff  512 Mar  6 21:09 .
drwxr-xr-x  6 root  root   512 Apr 12 04:00 ..
-rw-r--r--  2 debi  lp     512 Mar 31 09:00 newfile
drwxrwsrwx  2 debi  lp     512 Mar 30 06:00 test

$ chmod 1766 test    (public read and write with the sticky bit set)
$ ls -la test
drwxrw-rwT  2 debi  lp  512 Mar 30 06:00 test

With the sticky bit set on a directory, a file in it can be removed or renamed only by the file's owner, the directory's owner or root, even though everyone can write to the directory; this is how /tmp is protected. The capital T means the sticky bit is set but others have no execute (search) permission on the directory. Note also that an absolute mode such as 1766 replaces all of the permission bits, so the SetGID bit set earlier is now gone; a symbolic mode (chmod g+s, as used above) adds one bit without disturbing the rest.

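The listings above read permissions in one direction, from a chmod value to an ls string. As an added example, not from the slides, here is the reverse in POSIX shell: a function that turns an ls -l permission string, including the s, S, t and T markers, back into the four-digit chmod value, and one that names the special bits in a four-digit mode. This is what an auditor needs when comparing a raw ls -lR listing against a baseline expressed in octal; the sample strings are the ones from the slides plus a 6755 case to show two special bits at once.

```shell
#!/bin/sh
# Added example (not part of the original slides): convert between ls -l
# permission strings and four-digit chmod values.
#
# In the execute position of each triple:
#   x        execute only
#   s / t    execute plus setuid (owner), setgid (group) or sticky (other)
#   S / T    the special bit without execute (the "T" in drwxrw-rwT)

# "drwxrw-rwT" -> 1766, "-rwsr-x---" -> 4750, "-rw-r--r--" -> 0644
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        m = substr($1, 2, 9); special = 0; val = ""
        for (i = 0; i < 3; i++) {
            r = substr(m, 3*i + 1, 1); w = substr(m, 3*i + 2, 1); x = substr(m, 3*i + 3, 1)
            d = (r == "r") * 4 + (w == "w") * 2
            if (x == "x" || x == "s" || x == "t") d += 1
            if (i == 0 && (x == "s" || x == "S")) special += 4
            if (i == 1 && (x == "s" || x == "S")) special += 2
            if (i == 2 && (x == "t" || x == "T")) special += 1
            val = val d
        }
        print special val
    }'
}

# Name the special bits encoded in the leading digit: 4 setuid, 2 setgid,
# 1 sticky. "4750" -> "setuid", "1766" -> "sticky", "644" -> "none".
describe_special() {
    lead=${1%???}          # everything before the last three digits
    lead=${lead:-0}
    out=""
    if [ $((lead & 4)) -ne 0 ]; then out="$out setuid"; fi
    if [ $((lead & 2)) -ne 0 ]; then out="$out setgid"; fi
    if [ $((lead & 1)) -ne 0 ]; then out="$out sticky"; fi
    out=${out# }
    echo "${out:-none}"
}

for s in drwxrwsrwx drwxrw-rwT -rwsr-x--- -rw-r--r-- -rwsr-sr-x drwxrwxrwt; do
    o=$(mode_to_octal "$s")
    echo "$s  ->  $o  ($(describe_special "$o"))"
done
```

The uppercase S and T are the cases that catch people out: the special bit is set but the matching execute bit is not, so a setuid bit on a non-executable file (harmless) and a setuid bit on an executable (a real privilege boundary) look alike unless the case of the letter is checked.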

Unix Armoring Techniques: User Account Environment

The Root Account

Used by the Unix administrator for unlimited access to all programs, files and resources the system has to offer (an obvious high-profile security target).

Root's name can be changed, but as long as the user id is 0 it is still root:

root:x:0:1:Super-User:/:/sbin/sh

Root is omnipotent because of the user id 0, not because of its name.

Other accounts can be created with a user id of 0; those accounts have all the power and privilege that root has, so the audit must look for any additional uid-0 entry in /etc/passwd.

Other Admin Accounts and Groups

Several administrative accounts exist in Unix. While they do not have root privilege, they should be protected as though they did: daemon, bin, sys, adm, lp, uucp, nuucp, listen, nobody, noaccess (and toor where present).

System processes running under these accounts control functions including email, the DBMS and printing (lp); the sys group (group id 3) owns much of the system configuration.

Lock these accounts so that they cannot be used for interactive login, and restrict membership of their groups to system accounts only.

When Users Need Root Privilege

Mounting disks and CDs, where the mount and umount commands are required in the absence of volume management.

Killing or restarting specific processes that do not belong to the user (non-root users can only kill their own processes).

Example: a user may need to kill and restart a database instance or application that runs under a different account.

Protecting Root Privilege

Root's .profile, which establishes the PATH, should be protected from directories whose contents are questionable or unknown: no current directory (".") and no world-writable directories. Path elements are separated by colons, for example:

PATH=/usr/sbin:/usr/bin:/sbin

The consistency of the passwd file can be checked with the pwck command.

Modern Unix stores the encrypted value of the password in /etc/shadow, together with other information such as password aging; /etc/shadow must be readable by root only.

The passwd file is owned by root and must be readable by all users but writable only by root: /etc/passwd -rw-r--r--

Using Good Password Construction

A Unix weakness exists whereby password aging restrictions are ignored when root changes another user's password (or its own), so a password set by root does not have to satisfy the minimum age or the other policy checks.

Force account smar to change its password at next login:

# passwd -f smar

Prevent a user from changing his or her password (a minimum greater than the maximum means the user may not change it):

# passwd -n 2 -x 1 smar

Force the account jsmith to change its password every 30 days (-x sets the maximum age in days; -n sets the minimum):

# passwd -x 30 jsmith

Protect /etc/default/passwd and direct root login.

/etc/default/passwd sets the system-wide password aging and length policy:

#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
MAXWEEKS=4
MINWEEKS=1
WARNWEEKS=3
PASSLENGTH=7

PASSLENGTH is the minimum length; note that the traditional crypt(3) hash used on this platform only takes the first eight characters into account.

/etc/default/login controls where root may log in directly:

Set CONSOLE=/dev/console in /etc/default/login to allow direct root login only on the system console; everywhere else root must su from a named account, which leaves an audit trail in sulog.

Set CONSOLE=/dev/null in /etc/default/login to prevent direct root login everywhere, including the console; every root session then goes through su.
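The account checks from the root-account, protecting-root-privilege and password-aging slides, gathered into one added example that is not from the original: functions that report every uid-0 entry and every empty password field in a passwd-format file, flag unsafe elements in a PATH value, and audit shadow-format aging fields (name:password:lastchg:min:max:warn:inactive:expire:flag) for accounts with no aging, a minimum greater than the maximum (the slide's trick for stopping a user changing a password) or a maximum beyond the policy. Both input files are constructed for the example; on a host, point the functions at /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example (not part of the original slides): account audit on
# constructed passwd/shadow-format files. Run against /etc/passwd and
# /etc/shadow (as root) on the host being audited.

# Every account whose uid is 0. Anything other than "root" alone has all of
# root's power regardless of its name.
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts with an empty password field in passwd (no password at all).
# With shadow in use the field is normally "x".
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Flag PATH elements that let a planted binary run as root: "." and empty
# elements (a leading, trailing or doubled colon also means the current
# directory). Prints "ok" when clean.
check_path() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        $0 == "" || $0 == "." { print "UNSAFE element: \"" $0 "\""; bad = 1 }
        END { if (!bad) print "ok" }'
}

# Aging findings from shadow-format fields, against a maximum age in days:
#   NOAGING    max field empty, the password never expires
#   LOCKED     min > max, the user cannot change the password (passwd -n 2 -x 1)
#   MAXTOOLONG max above the policy limit
shadow_aging_findings() {
    awk -F: -v limit="$2" 'NF >= 5 {
        if ($5 == "")                    { print "NOAGING", $1; next }
        if ($4 != "" && $4 + 0 > $5 + 0) { print "LOCKED", $1, "min=" $4, "max=" $5; next }
        if ($5 + 0 > limit + 0)          { print "MAXTOOLONG", $1, "max=" $5 }
    }' "$1"
}

# Constructed sample files (not from a real host; HASH stands in for the
# encrypted password).
passwd=$(mktemp); shadow=$(mktemp)
cat > "$passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
toor:x:0:1:second root:/:/sbin/sh
rick:x:1001:10:Rick Allen:/home/rick:/bin/ksh
guest::2000:10:Guest:/home/guest:/bin/sh
EOF
cat > "$shadow" <<'EOF'
root:HASH:11000:7:28:21:::
rick:HASH:11010:7:30:7:::
jsmith:HASH:11010::::::
smar:HASH:11010:2:1::::
old:HASH:11010:7:90:7:::
EOF

echo "uid 0 accounts:";           uid_zero_accounts "$passwd"
echo "empty passwords:";          empty_password_accounts "$passwd"
echo "root PATH check:";          check_path "/usr/sbin:/usr/bin:/sbin"
echo "bad PATH check:";           check_path ".:/usr/bin:"
echo "aging findings (30 days):"; shadow_aging_findings "$shadow" 30
rm -f "$passwd" "$shadow"
```

The aging check reports LOCKED separately rather than as an error, because on the slide that min-greater-than-max setting is deliberate; the auditor's question is whether each such account is on the list of accounts that were meant to be frozen.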

Unix Armoring Techniques: Executable Environment

Protecting from Buffer Overflows

Solaris can be configured to refuse to execute code on the user stack, which defeats the classic stack-smashing exploit. Add the following lines to /etc/system:

set noexec_user_stack=1
set noexec_user_stack_log=1

Then restart the system with the init 6 command. The second setting logs every attempt to execute from the stack, which belongs in the regular review of system logs.

Caution: the above can break legitimate programs that do run code on the stack. Test prior to production.

Caveat: this raises the bar, it does not remove the vulnerability. An overflow in a setuid program or a network daemon can still be exploited without executing on the stack (for example by returning into existing library code), and the setting is only enforced on SPARC platforms that support it. Patching or removing the vulnerable program remains the control.

Unix Armoring Techniques: X Windows Environment

Protecting X Windows

For local Unix, auto-configure the X Windows screen lock.

For local and remote Unix, use the xhost command for access control:

# xhost
access control enabled, only authorized clients can connect

To allow clients from a specific host, enter:

# xhost +hostname

Never use xhost + without a host name: it disables access control and lets any client on the network connect to the display, read keystrokes and capture windows. Host-based xhost control trusts every user on the named host; where the software supports it, per-user MIT-MAGIC-COOKIE authorization (xauth) is the stronger control.

Sample Systems Architecture

(Diagram on the slide; the components shown, from the outside in:)

Internet

Perimeter Router

Unix Firewall

Load Balancer

Unix Web Servers

Interior Router

Interior Network Switch

Internal Unix Clients

External Unix Clients

Understanding Unix Baseline Security Controls

Why adopt Baseline Security Controls?

Threats to consider: physical entry, social engineering, collusion, electronic penetration, a successful system hack.

You have no control over an attacker's skill, but you do control the skill required for a successful attack.

You have little control over the speed of an attack, but you do control the response time to an attack.

Given sufficient skill, time, motivation and opportunity, ANY defense can be breached.

Effective measures for controlling "Target Selection"

Limit IP/hostname information available to outsiders

Remove unauthorized hosts (e.g. systems running remote-control software)

Securely configure Internet-accessible hosts

Remove service banners that identify the operating system and software versions

Disable modems, and use strong authentication for those that remain

Limit use of unsecured information services (finger)

Ensure no data resides on the DMZ

Place servers behind a firewall (Unix based)

Effective measures for controlling "Attack"

Disable or change default accounts

Limit logon attempts, record and review logs

Periodically run password crackers and/or file integrity-checking software

Use anti-virus software on all platforms

Consider use of strong authentication and encryption

Consider intrusion detection software for networks and hosts

Effective measures for controlling "Infiltration"

Use a deny-all-unless-explicitly-permitted design rule

Limit services to those absolutely essential

Develop and implement strong policies and awareness

Securely configure services (e.g. sendmail, ftp)

Limit system and network trust relationships

Consider internal firewalls for containment

Strong change control processes and procedures

Regular audit / security reviews (internal / external)

Basic Unix Shell Commands for Systems Auditing (1)

$ file /usr/bin/su (file type; shows whether a binary is statically or dynamically linked)

$ df -H (mounted file systems and free space, to confirm the partitioning scheme)

$ ls -la (long listing including hidden files: mode, links, owner, group)

$ chmod _ _ _ _ /path/filename (four-digit mode: special bits, owner, group, other)

$ which /usr/bin/su (location of the command that would be found first on the PATH)

$ uname -a (OS, release and hardware, for matching the patch cluster)

$ set (without arguments lists shell variables such as PATH; with arguments sets shell options)

Basic Unix Shell Commands for Systems Auditing (2)

$ find / -perm -002 -type d -print (world-writable directories)

$ ps -ef | grep "stringname" (running processes matching a name)

# passwd -x 30 jsmith (maximum password age of 30 days)

# passwd -f smar (force a password change at next login)

$ touch /path/filename (create an empty file, e.g. /var/adm/loginlog)

$ grep -v "^#" /etc/inetd.conf (services still enabled in inetd)

# passwd -n 2 -x 1 smar (minimum greater than maximum: the user cannot change the password)
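The find command on this slide, refined as an added example that is not from the original: world-writable directories are a finding only when they lack the sticky bit (a 1777 directory such as /tmp is expected), while world-writable files are a finding outright, so the functions below report each class separately. They run on a constructed tree in a temporary directory (the directory and file names are assumptions); on a host use / with -xdev so that the scan stays on local file systems.

```shell
#!/bin/sh
# Added example (not part of the original slides): world-writable audit.
# -perm -002  : others have write permission
# -perm -1000 : sticky bit set (only a file's owner may delete it)

# World-writable directories without the sticky bit: anyone can delete or
# replace anyone else's files here. Sorted for stable output.
unsafe_world_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 | sort
}

# World-writable directories that do carry the sticky bit (/tmp-style); listed
# so the auditor can confirm each one is intentional.
sticky_world_writable_dirs() {
    find "$1" -type d -perm -002 -perm -1000 | sort
}

# World-writable regular files: always a finding (configuration, scripts,
# logs that anyone could edit or truncate).
world_writable_files() {
    find "$1" -type f -perm -002 | sort
}

# Constructed tree.
tree=$(mktemp -d)
mkdir "$tree/tmp" "$tree/pub" "$tree/etc"
chmod 1777 "$tree/tmp"
chmod 777  "$tree/pub"
chmod 755  "$tree/etc"
: > "$tree/etc/hosts";    chmod 644 "$tree/etc/hosts"
: > "$tree/etc/rc.local"; chmod 666 "$tree/etc/rc.local"

echo "Unsafe world-writable dirs:"; unsafe_world_writable_dirs "$tree" | sed "s#^$tree/##"
echo "Sticky world-writable dirs:"; sticky_world_writable_dirs "$tree" | sed "s#^$tree/##"
echo "World-writable files:";       world_writable_files "$tree" | sed "s#^$tree/##"
rm -rf "$tree"
```

A world-writable file that is also executed at boot (the rc.local in the sample) is the worst case: any local user can add commands that root will run at the next restart, which is why the file list is reported without an exception list.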