System Auditing
For the Systems Administrators

Presenters
• George Bailey, MS, CISSP, GCIH – Security / Technical Operations Manager @ Purdue Healthcare Advisors
• Josh Gillam – IT Auditor @ Purdue University / Internal Audit
System Auditing
• Confirmation that a certain process or system requirement is being fulfilled
• Generally performed through a variety of tasks:
  • Manual testing of a setting or control
  • Automated testing / probing for configuration settings
  • Monitoring of process, application, or user behaviors
  • Reviewing system / application logs, configuration files, etc.
Topics
• Auditing hosts & networks with Nmap
• OS benchmarking / auditing with CIS-CAT
• Validating configuration / vulnerability status with Metasploit Framework

Purdue Research Foundation 2012
Nmap
• What is it?
• Why use it?
• Where to get it?
• How to use it?
Network Mapper ("Nmap")
• Port scanner
• OS fingerprinter
• Scans a particular target for all / selected open ports
• Identifies the service type and version listening
• Very invasive and very powerful
• NSE (the Nmap Scripting Engine) and Lua extend Nmap's capabilities
Trinity uses Nmap, shouldn't you?
• Network exploration tool and port scanner
• Security audits
• Network inventory
• Upgrade schedules
• Monitoring host / service uptime
• Reduce the number of hosts on a network to be audited or investigated
• Specify how each host is to be identified as interesting
• Firewall considerations
Nmap is Open & Free
http://www.insecure.org/
• Open source tool available by default in many Linux distributions. Source and install packages available for mainstream OSes
• Command line and GUI versions
• http://nmap.org/download.html or http://www.insecure.org/
• BackTrack and other live environments
• Very active forum and community: http://seclists.org/ for mail lists and archives
How Nmap works
• Nmap uses many port scanning mechanisms:
  • Both TCP & UDP
  • OS detection, version detection
  • Ping sweeps
  • TCP full connect
  • Stealth scan
  • XMAS scan
  • Half-open scan
Nmap Examples
• # nmap scanme.nmap.org
  Default scan
• # nmap -A scanme.nmap.org
  Performs OS & service detection, traceroute info
• # nmap -sV scanme.nmap.org
  Performs service version detection
• # nmap -sS -sV 128.46.4.0/24 -P0
  Performs a stealth (SYN) scan of a class C network while determining service versions, without pinging the hosts first (-P0 is spelled -Pn in current Nmap releases)
• # nmap -sS -sV 128.46.4.0/24 -p80
  Performs a stealth (SYN) scan of a class C network while performing service detection, scanning port 80 only
• Zenmap is available for those preferring a GUI interface
  http://nmap.org/zenmap/
Nmap Output
• nmap scanme.nmap.org

Starting Nmap 5.51 ( http://nmap.org ) at 2012-10-01 13:08 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.083s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds

• Scanning multiple systems can produce massive and cumbersome amounts of data to analyze
• Learn Perl, grep & awk
• Ndiff: used to compare Nmap output files
• Google "Nmap parsing tools": lots of options! PBNJ is my favorite.
Nmap Output formats
• Normal (stdout) – Produces a text output
  Use the -oN filename flag
• Grepable format – Produces a grepable text output
  Use the -oG filename flag
• XML format – Produces an XML formatted file
  Use the -oX filename flag
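As an added example (not from the slides), the Python script below does for the -oG format what the Ndiff bullet above describes: it parses the grepable output of a baseline scan and a later scan and reports open ports that appeared or disappeared, which is exactly the inventory drift an auditor wants flagged. The two scans embedded in it are constructed sample data; the 128.46.4.x addresses and host names are made up and only reuse the slide's example range.

```python
import re

# Constructed sample -oG (grepable) output for two scans of the same subnet.
# One "Host:" line per host; each port is port/state/proto/owner/service/rpcinfo/version/
BASELINE = """\
Host: 128.46.4.10 (web01)\tStatus: Up
Host: 128.46.4.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)
Host: 128.46.4.11 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 1433/filtered/tcp//ms-sql-s///\tIgnored State: closed (998)
"""
CURRENT = """\
Host: 128.46.4.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/, 3306/open/tcp//mysql//MySQL 5.1.61/\tIgnored State: closed (997)
Host: 128.46.4.11 (db01)\tPorts: 1433/filtered/tcp//ms-sql-s///\tIgnored State: closed (999)
Host: 128.46.4.12 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""
# Groups: port, state (may be "open|filtered"), proto, service, version; owner/rpcinfo skipped
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service, version)}} from -oG text."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comment lines and bare "Status: Up" lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = inventory.setdefault(host, {})
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            entries[(int(port), proto)] = (state, service, version)
    return inventory

def open_ports(inventory):
    """Set of (host, port, proto) the scan reported as open (filtered ports excluded)."""
    return {(host, port, proto) for host, ports in inventory.items()
            for (port, proto), (state, _svc, _ver) in ports.items() if state == "open"}

def diff_scans(baseline_text, current_text):
    """Return (newly open, no longer open) as sorted lists of (host, port, proto)."""
    before = open_ports(parse_gnmap(baseline_text))
    after = open_ports(parse_gnmap(current_text))
    return sorted(after - before), sorted(before - after)

def main():
    new_open, gone = diff_scans(BASELINE, CURRENT)
    for host, port, proto in new_open:
        print(f"NEW   {host} {port}/{proto}")   # e.g. a MySQL listener nobody approved
    for host, port, proto in gone:
        print(f"GONE  {host} {port}/{proto}")   # e.g. SSH vanished from the DB server

if __name__ == "__main__":
    main()
```

Feed it two real -oG files by replacing the embedded strings with `open(path).read()`; filtered ports are deliberately left out of the diff so firewall noise does not drown the new listeners.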
CIS-CAT
• What is it?
• Why use it?
• Where to get it?
• How to use it?
Configuration Assessment Tool: CIS-CAT by the Center for Internet Security
• CIS-CAT is an automated assessment tool that supports a wide variety of operating systems and applications
• Checks which security features of the assessed system are enabled
• Commercial product with lots of community and back-end support
• Free to Purdue system admins through the University's membership
Why use CIS-CAT?
• CIS-CAT is created by security-minded folks to assess the built-in security features of an operating system or supported application
• Provides recommendations and manual testing criteria
• Updated regularly (at least quarterly)
• Supports both GUI and CLI environments
• Can be automated via GPO
• Issue: Requires Java JRE 1.5 or newer

Sampling of Supported Systems / Applications
• Apache Tomcat
• Apple OS X 10.5
• Apple OS X 10.6
• Debian Linux
• HP-UX 11i
• IBM AIX 4.3-5.1
• Microsoft Windows 2003
• Microsoft Windows 2008
• Microsoft Windows XP
• Microsoft Windows 7
• Mozilla Firefox
• Oracle Database 11g
• Oracle Database 9i-10g
• Red Hat Enterprise Linux 4
• Red Hat Enterprise Linux 5
• Slackware Linux 10.2
• Solaris 10
• Solaris 2.5.1-9
• SUSE Linux Enterprise Server 10
• SUSE Linux Enterprise Server 9
• VMware ESX 3.5
• VMware ESX 4
Where do I get CIS-CAT?
http://www.cisecurity.org/
• Can be downloaded from the Center for Internet Security's web page
  https://community.cisecurity.org/
• Request an account from the login page (takes a day or so to get approved)
• $300.00 annual membership if you are not a Purdue employee
• ~36 MB footprint, includes the CIS-CAT JAR file, documentation, and all centrally maintained benchmarks
• For NIST-provided benchmarks: http://web.nvd.nist.gov/view/ncp/repository?tier=4&product=&category=&authority=&keyword=
How to use CIS-CAT
• Interactively by:
  • Executing ciscat.jar with or without flags
  • Executing a canned script:
    • CIS-CAT.bat (Windows)
    • CIS-CAT.sh (Unix)
    • CIS-CAT-jump.bat (jump drive)
• Remotely via command line:
  • Via GPO and a centralized share
  • Via cron and a centralized mount
  • Via CLI with remote web services
How to use CIS-CAT from the CLI
CLI options (i.e., ciscat.jar --help):

This is CIS-CAT version 2.2.19
usage: Options Tip
 -a,--accept-terms                Accepts terms of use
 -ap,--aggregation-period <arg>   The width of a dashboard aggregation, ex. 1M, 13W, 20D
 -ar,--aggregate-reports <arg>    Create a CIS-CAT Dashboard by aggregating all the XML reports in the specified directory
 -b,--benchmark <arg>             Path to benchmark to run
 -c,--reset                       Reset preferences
 -csv,--report-csv                Creates a CSV report
 -d,--benchmark-dir <arg>         Override default location for benchmarks. Used with --list and --find
 -f,--find                        Interactively select a benchmark
 -h,--help                        Prints help for this application
 -l,--list                        List all benchmarks in default benchmark location
 -n,--report-no-html              No HTML report will be created, by default an HTML report is created
 -p,--profile <arg>               Title of benchmark profile to evaluate
 -r,--results-dir <arg>           Directory to save results in
 -rn,--report-name <arg>          The base name of the report, no extension
 -s,--status                      Status information is displayed
 -t,--report-txt                  Creates a text report
 -u,--report-upload <arg>         Sends a HTTP POST with the XML report to the specified URL. POST parameter name is ciscat-report
 -ui,--ignore-certificate-errors  Ignores any SSL certificate errors during report upload
 -v,--version                     Display CIS-CAT version and JRE information
 -vs,--verify-signature           Verify that the XML benchmarks have valid signatures
 -x,--report-xml                  Creates an XML report
 -y,--report-all-tests            Causes the HTML and text reports to show all tests. Only applicable tests are displayed by default
CIS-CAT output
• Multiple output formats are supported:
  • HTML – Great for clients or end users
  • CSV – Great when assessing multiple systems at one time, less space required
  • TXT – Just the facts, ma'am
  • XML – Used when importing into other auditing systems / frameworks
• Output is named after the host being assessed
• Dashboards can be generated by processing a series of CIS-CAT reports
  CIS-CAT -> File menu -> Create Dashboard
Sample CIS-CAT report (screenshot of an HTML report)
Other noteworthy tools
http://sectools.org/
• Metasploit Community Edition
  http://www.rapid7.com/products/metasploit-community.jsp
• Microsoft Baseline Security Analyzer (MBSA)
  http://www.microsoft.com/en-us/download/details.aspx?id=7558
• Nexpose VA Scanner [Community Edition]
  http://www.rapid7.com/products/nexpose-community-edition.jsp
• WMIC interface
  http://technet.microsoft.com/en-us/library/bb742610.aspx
• Nikto – Web Application Scanner
  http://www.cirt.net/nikto2
• BackTrack – Linux Auditing OS Distro
  http://www.backtrack-linux.org/
Contact Information
• George Bailey – baileyga@purdue.edu – Office: 49-47538
• Josh Gillam – jgillam@purdue.edu