
Presentation Transcript


  1. San Francisco Chapter Establishing Effective Audit Control Objectives for UNIX Afternoon Session Rick Allen CISSP Manager Strategic Security Services Ricallen@deloitte.com

  2. Afternoon Course Agenda
  Over the next four hours we will learn about:
  • Introduction to Unix Armoring Techniques
  • Understanding and application of Minimum Unix Security Control Baseline methods
  • Value & Impact Analysis between typical and integrated audit plans
  • Review of basic Unix shell commands used for systems audit
  • Recommendations for building integrated audit plans with control objectives and test activities (sample audit program)

  3. Unix Armoring Techniques
  • Determine the initial OS package load: CORE, DEV or END USER?
  • Determine the file system partitioning scheme: /root & /var should be separate, including /usr and logging for a web server
  • The user partition should be mounted RO (read only)

  4. Unix Armoring Techniques
  • After reboot, install the recommended patch cluster from SunSolve
  • Patch clusters are frequently updated and should be checked periodically
  • Begin review of armoring controls and procedures:
  • Turning off unnecessary services
  • Modifying various key files and configurations
  • Installing TCP wrappers on necessary services
  • Send the inet daemon a SIGHUP via shell command (so that inetd re-reads its configuration)

  5. Unix Armoring Techniques
  • Confirm what services are commented out (the command lists only the lines that are not commented out, i.e. the services still enabled):
  • # grep -v "^#" /etc/inetd.conf
  • Unix inetd.conf (Solaris) defaults to 35 services
  • Audit for ownership and permission flags; permission values should be 640
  • Audit /etc/rc2.d and rc3.d for startup scripts launched by init processes
  • Stop a script from loading by renaming its leading S to s (init only runs scripts whose names begin with an upper-case S)

  6. Unix Armoring Techniques
  • Enable logging and audit in /var/adm, the default logging directory. Two additional log files need to be added:
  • loginlog (/var/adm/loginlog): logs consecutive failed login attempts (5 attempts, 5 failures)
  • sulog (/var/adm/sulog): logs all successful and failed attempts to switch users to root permissions
  • To enable them, "touch" the above files in the directory
  • Audit ownership and set permissions to 640
  • Are these files included in the audit plan and reviewed by operations on a regular basis?

  7. Unix Armoring Techniques
  • Disable the following:
  • S73nfs.client, used for NFS mounting of file systems
  • S74autofs, used for auto-mounting a file system
  • S80lp, for local printing
  • S88sendmail, listens for incoming SMTP (you can still send mail)
  • S71rpc, the portmapper daemon
  • S99dtlogin, the CDE login daemon
  • s15nfs.server, network file system server
  • s76snmpdx, network management
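As an added example (not from the slides), the script below runs the checks from slides 5 to 7 against a constructed, Solaris-style inetd.conf and rc2.d/rc3.d in a temporary directory, so the grep for enabled services, the 640 mode check and the S-to-s rename can be exercised offline; every path, service and script name in it is constructed sample data, and on a real host the functions would be pointed at /etc.

```shell
#!/bin/sh
# Added example, not part of the slides: slide 5 to 7 checks run against a
# constructed inetd.conf and rc2.d/rc3.d so they can be tried offline.

make_sample_etc() {
    etc=$(mktemp -d)
    cat > "$etc/inetd.conf" <<'EOF'
# constructed sample inetd.conf: two services enabled, two commented out
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
#telnet stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
EOF
    chmod 644 "$etc/inetd.conf"        # weaker than the recommended 640
    mkdir "$etc/rc2.d" "$etc/rc3.d"
    for s in S71rpc S73nfs.client S74autofs S80lp S88sendmail S99dtlogin s76snmpdx; do
        : > "$etc/rc2.d/$s"
    done
    : > "$etc/rc3.d/S15nfs.server"
    printf '%s\n' "$etc"
}

# Slide 5: grep -v '^#' keeps only the lines that are NOT commented out,
# so the first field of each is a service inetd will still start.
enabled_inetd_services() {
    grep -v '^#' "$1/inetd.conf" | awk 'NF { print $1 }'
}

# Slide 5: inetd.conf should be mode 640 (rw-r-----); true only if it is.
inetd_conf_mode_ok() {
    [ "$(ls -l "$1/inetd.conf" | cut -c2-10)" = "rw-r-----" ]
}

# Slides 5 and 7: init runs only scripts whose names begin with an upper-case
# S, so any of the slide 7 scripts still carrying that name is still live.
live_rc_scripts_to_disable() {
    for s in S73nfs.client S74autofs S80lp S88sendmail S71rpc S99dtlogin \
             S15nfs.server S76snmpdx; do
        for d in rc2.d rc3.d; do
            if [ -f "$1/$d/$s" ]; then printf '%s/%s\n' "$d" "$s"; fi
        done
    done
}

# Slide 5: disable a script by renaming its leading S to s (init skips it).
disable_rc_script() {
    mv "$1/$2" "$1/s${2#S}"
}
```

Calling `enabled_inetd_services "$(make_sample_etc)"` prints `ftp` and `shell`, the two services the sample file leaves uncommented.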

  8. Unix Armoring Techniques
  • Audit the /etc/issue file. This is the text banner that appears for service logins (telnet); this legal warning will appear whenever someone attempts to log in to the system.
  • Audit the /etc/group file for the existence of the WHEEL group. This group is for accounts that can execute powerful commands such as su.
  • Identify critical system binaries such as /usr/bin/su; change their group ownership to WHEEL and the permissions to owner- and group-executable only.

  9. Unix Armoring Techniques
  • Maintain the SUID or SGID bit for specific binaries:
  • # /usr/bin/chgrp WHEEL /usr/bin/su
  • # /usr/bin/chmod 4750 /usr/bin/su
  • A 4-digit number is used to express the "sticky", "SetUID" and "SetGID" bits to enhance access controls
  • su is also statically linked as another binary, /sbin/su.static. This is the same as /usr/bin/su; however the libraries are statically linked, hence the larger file size. /sbin/su.static must be chgrp'd and chmod'd as well.

  10. Unix Armoring Techniques: Permission Details
  Directory layout (from the slide's diagram):
      / (root)
      |--- /unix  /etc  /dev  /tmp  /lib  /usr  /bin
      |--- /test/newfile
  $ id -a
  uid=1001(rick) gid=10(staff) groups=10(staff),8(lp)
  $ mkdir test
  $ chgrp lp test
  $ chmod 777 test
  $ chmod g+s test
  $ ls -la
  total 32
  drwxr-xr-x 8 rick staff 512 Mar  6 21:09 .
  drwxr-xr-x 6 root root  512 Apr 12 04:00 ..
  drwxrwsrwx 2 debi lp    512 Mar 30 06:00 test

  11. Unix Armoring Techniques: Permission Details (same directory layout as slide 10)
  $ ls -la
  total 32
  drwxr-xr-x 8 rick staff 512 Mar  6 21:09 .
  drwxr-xr-x 6 root root  512 Apr 12 04:00 ..
  drwxrwsrwx 2 debi lp    512 Mar 30 06:00 test
  $ cd test
  $ touch newfile
  $ ls -la newfile
  -rw-r--r-- 2 debi lp 512 Mar 31 09:00 newfile

  12. Unix Armoring Techniques: Permission Details (same directory layout as slide 10)
  $ ls -la
  total 39
  drwxr-xr-x 8 rick staff 512 Mar  6 21:09 .
  drwxr-xr-x 6 root root  512 Apr 12 04:00 ..
  -rw-r--r-- 2 debi lp    512 Mar 31 09:00 newfile
  drwxrwsrwx 2 debi lp    512 Mar 30 06:00 test
  $ chmod 1766 test    (public read and write, with the sticky bit set)
  $ ls -ld test
  drwxrw-rwT 2 debi lp 512 Mar 30 06:00 test
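As an added example (not from the slides), the following script decodes the 4-digit octal modes used in slides 9 to 12 into the permission string ls prints, showing where the SetUID, SetGID and sticky bits land and why the sticky bit shows as T when the execute bit is absent, and then runs the slide-28 find check for world-writable directories without the sticky bit over a constructed directory tree; the tree and its directory names are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the slides: decodes the 4-digit octal mode from
# slides 9 to 12 into the string ls(1) prints (SetUID 4, SetGID 2, sticky 1
# in the first digit), then checks a constructed tree for world-writable
# directories that lack the sticky bit, as in slide 28's find command.

# mode_string 4750 -> rwsr-x---, mode_string 1766 -> rwxrw-rwT
# Pass the mode without a leading zero (640, not 0640).
mode_string() {
    m=$(printf '%04d' "$1")                 # 640 -> 0640
    sp=$(printf '%s' "$m" | cut -c1)        # special bits digit
    out=""
    i=2
    while [ "$i" -le 4 ]; do
        d=$(printf '%s' "$m" | cut -c"$i")
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        # special bit for this triplet: 4 (owner), 2 (group), 1 (other)
        case $i in 2) bit=4 ;; 3) bit=2 ;; *) bit=1 ;; esac
        if [ $((sp & bit)) -ne 0 ]; then
            if [ "$i" -eq 4 ]; then c=t; else c=s; fi   # sticky shows as t
            if [ "$x" = x ]; then x=$c; else x=$(printf '%s' "$c" | tr 'st' 'ST'); fi
        fi
        out="$out$r$w$x"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Constructed tree: a /tmp-style shared dir (1777, fine) and a world-writable
# spool dir without the sticky bit (777, should be flagged).
demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared" "$root/spool"
    chmod 1777 "$root/shared"
    chmod 777 "$root/spool"
    printf '%s\n' "$root"
}

# Slide 28's find, narrowed: world-writable dirs (-perm -002) that are not
# sticky (! -perm -1000); in such a directory anyone can remove others' files.
world_writable_no_sticky() {
    find "$1" -type d -perm -002 ! -perm -1000 -print
}
```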


  14. Unix Armoring Techniques: User Account Environment
  The Root Account: used by the Unix admin for unlimited access to all programs, files and resources the system has to offer (an obvious high-profile security target)
  • Is omnipotent due to its user ID of 0, not its name
  • Other accounts can be created with a user ID of 0; those other accounts have all the power and privilege that root has
  • Root's name can be changed, but as long as the user ID is 0, it's still root
  • root:x:0:1:Super-User:/:/sbin/sh

  15. Unix Armoring Techniques: User Account Environment
  • Other Admin Accounts & Groups
  • Several admin accounts exist in Unix. While they don't have root privilege, they should be protected as though they did.
  • System processes using these accounts control functions including email, DBMS and lp
  • Lock the following accounts and groups: daemon, bin, sys, adm, lp, uucp, nuucp, listen, nobody, noaccess, toor
  • sys (group ID 3)

  16. Unix Armoring Techniques: User Account Environment
  • When Users Need Root Privilege
  • Mounting disks or CDs, where the mount & umount commands are required in the absence of volume management
  • Killing or restarting specific processes not belonging to the user
  • Example: a user may need to kill and restart a database instance or application (non-root users can only kill their own processes)

  17. Unix Armoring Techniques: User Account Environment
  • Protecting Root Privilege
  • Root's .profile, which establishes the PATH, should be protected from directories whose contents are questionable or unknown: PATH=/usr/bin:/sbin:/usr/sbin
  • The passwd file is owned by root and must be readable by all users but writable only by root: /etc/passwd -rw-r--r--
  • Consistency of the passwd file can be checked with the pwck command
  • Modern Unix stores the encrypted value of the password in the /etc/shadow file with other information such as password aging

  18. Unix Armoring Techniques: User Account Environment
  • Using Good Password Construction
  • A Unix weakness exists whereby password aging restrictions are ignored if root is changing another's password (including its own password)
  • Force the account jsmith to change password every 30 days (-x sets the maximum password age in days):
  • # passwd -x 30 jsmith
  • Force account smar to change password at next login:
  • # passwd -f smar
  • Prevent the user from changing the password (a minimum age greater than the maximum age):
  • # passwd -n 2 -x 1 smar

  19. Unix Armoring Techniques: User Account Environment
  Protect /etc/default/passwd & direct root login.
  /etc/default/passwd:
  #ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
  MAXWEEKS=4
  MINWEEKS=1
  WARNWEEKS=3
  PASSLENGTH=7
  Set CONSOLE=/dev/console in /etc/default/login to restrict root logins to the system console, or set CONSOLE=/dev/null in /etc/default/login to disallow direct root login from any terminal (root is then reached only via su).

  20. Unix Armoring Techniques: Executable Environment
  Protecting from Buffer Overflows: Unix (Solaris) can be configured to prevent stack-based buffer overflows with this procedure:
  • Add the following lines to /etc/system:
  • set noexec_user_stack=1
  • set noexec_user_stack_log=1
  • Then restart the system with the init 6 command
  Caution: the above can limit legitimate programs that do run code on the stack (test prior to production).

  21. Unix Armoring Techniques: XWindows Environment
  Protecting XWindows:
  • For local Unix, auto-configure the XWin screen lock
  • For local / remote Unix, use the xhost command for access control:
  # xhost
  access control enabled, only authorized clients can connect
  To allow access, enter:
  # xhost +sneezy@7dwarfs.org

  22. Sample Systems Architecture (diagram; components listed from the slide): Unix Firewall; Perimeter Router & Internet; Load Balancer; External Unix Clients; Interior Router; Unix Web Servers; Interior Network Switch; Internal Unix Clients

  23. Understanding Unix Baseline Security Controls
  Why adopt Baseline Security Controls?
  • Given sufficient skill, time, motivation and opportunity, ANY defense can be breached!
  • Physical entry, social engineering, collusion, electronic penetration, successful system hack
  • You have no control over an attacker's skill... but you do control the skill required for a successful attack!
  • You have little control over the speed of an attack... but you do have control over the response time to an attack

  24. Understanding Unix Baseline Security Controls
  Effective measures for controlling "Target Selection":
  • Remove banners
  • Limit IP/hostname information
  • Remove unauthorized hosts (e.g. remote controls)
  • Securely configure internet-accessible hosts
  • Disable modems and use strong security for those remaining
  • Limit use of unsecured information services (finger)
  • Ensure no data resides on the DMZ
  • Place servers behind a (Unix-based) firewall

  25. Understanding Unix Baseline Security Controls
  Effective measures for controlling "Attack":
  • Disable or change default accounts
  • Limit logon attempts; record and review logs
  • Periodically run password crackers and/or integrity-check software
  • Use anti-virus software on all platforms
  • Consider use of strong authentication and encryption
  • Consider intrusion detection software for networks and hosts

  26. Understanding Unix Baseline Security Controls
  Effective measures for controlling "Infiltration":
  • Securely configure services (e.g. sendmail, ftp)
  • Use a "deny all unless explicitly allowed" design rule
  • Limit services to those absolutely essential
  • Develop & implement strong policies and awareness
  • Limit system and network trust relationships
  • Consider internal firewalls for containment
  • Strong change control process & procedures
  • Regular audit / security reviews (internal / external)

  27. Basic Unix Shell Commands for systems auditing 1
  • $ uname -a
  • $ which /usr/bin/su
  • $ file /usr/bin/su
  • $ df -H
  • $ ls -laf
  • $ chmod _ _ _ _ /path/filename
  • $ set (without arguments) & (with arguments)

  28. Basic Unix Shell Commands for systems auditing 2
  • $ grep -v "^#" /etc/inetd.conf
  • $ touch /path/filename
  • $ find / -perm -002 -type d -print
  • $ ps -ef | grep "stringname"
  • $ passwd -x 30 jsmith
  • $ passwd -f smar
  • $ passwd -n 2 -x 1 smar
