
System Auditing

System Auditing. George Bailey, MS, CISSP, GCIH – Security / Technical Operations Manager @ Purdue Healthcare Advisors. Josh Gillam – IT Auditor @ Purdue University / Internal Audit. For the systems administrators.


Presentation Transcript


  1. System Auditing
  • George Bailey, MS, CISSP, GCIH – Security / Technical Operations Manager @ Purdue Healthcare Advisors
  • Josh Gillam – IT Auditor @ Purdue University / Internal Audit
  • For the systems administrators

  2. System Auditing
  • Confirmation that a certain process or system requirement is being fulfilled
  • Generally performed by a variety of tasks:
  • Manual testing of a setting or control
  • Automated testing / probing for configuration settings
  • Monitoring of process, application, or user behaviors
  • Reviewing system / application logs, configuration files, etc.

  3. Topics
  • Auditing hosts & networks with NMAP
  • OS benchmarking / auditing with CIS-CAT
  • Validating configuration / vulnerability status with Metasploit Framework
  Purdue Research Foundation 2012

  4. NMAP
  • What is it?
  • Why use it?
  • Where to get it?
  • How to use it?

  5. Network Mapper "NMAP"
  • Port scanner
  • OS fingerprinter
  • Scans a particular target for all / select open ports
  • Identifies the service type and version listening on each open port
  • Very invasive and very powerful
  • The Nmap Scripting Engine (NSE), with scripts written in Lua, extends Nmap's capabilities

  6. Trinity uses Nmap, shouldn't you?
  • Network exploration tool and port scanner
  • Security audits
  • Network inventory
  • Upgrade schedules
  • Monitoring host/service uptime
  • Reduce the number of hosts on a network to be audited or investigated
  • Specify how each host is to be identified as interesting
  • Firewall considerations

  7. NMAP is Open & Free – http://www.insecure.org/
  • Open source tool available by default in many Linux distributions. Source and install packages available for mainstream OSes
  • Command line and GUI versions
  • http://nmap.org/download.html or http://www.insecure.org/
  • BackTrack and other live environments
  • Very active forum and community: http://seclists.org/ for mailing lists and archives

  8. How Nmap works
  • Nmap uses many port scanning mechanisms:
  • Both TCP & UDP
  • OS detection, version detection
  • Ping sweeps
  • TCP full connect
  • Stealth scan
  • XMAS scan
  • and half-open scan

  9. Nmap Examples
  • # nmap scanme.nmap.org
  • Default scan
  • # nmap -A scanme.nmap.org
  • Performs OS and service version detection plus traceroute
  • # nmap -sV scanme.nmap.org
  • Performs service version detection
  • # nmap -sS -sV 128.46.4.0/24 -P0
  • Performs a stealth (SYN) scan of a class C network while determining service versions, without pinging the hosts first (-P0 is the older spelling of -Pn)
  • # nmap -sS -sV 128.46.4.0/24 -p80
  • Performs a stealth (SYN) scan of a class C network with service detection, scanning port 80 only
  • Zenmap is available for those preferring a GUI interface: http://nmap.org/zenmap/

  10. Nmap Output
  • nmap scanme.nmap.org
    Starting Nmap 5.51 ( http://nmap.org ) at 2012-10-01 13:08 Eastern Daylight Time
    Nmap scan report for scanme.nmap.org (74.207.244.221)
    Host is up (0.083s latency).
    Not shown: 992 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    80/tcp   open     http
    135/tcp  filtered msrpc
    139/tcp  filtered netbios-ssn
    445/tcp  filtered microsoft-ds
    593/tcp  filtered http-rpc-epmap
    1433/tcp filtered ms-sql-s
    1434/tcp filtered ms-sql-m
    Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds
  • Scanning multiple systems can produce massive and cumbersome amounts of data to analyze
  • Learn Perl, grep & awk
  • Ndiff: used to compare Nmap output files
  • Google: Nmap parsing tools…lots of options! PBNJ is my favorite.

  11. Nmap Output formats
  • Normal (stdout) – Produces a text output; use the -oN filename flag
  • Grepable format – Produces a text output; use the -oG filename flag
  • XML format – Produces an XML formatted file; use the -oX filename flag
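As an added example (not from the presentation), a small Python parser for Nmap's grepable (-oG) output that does what the slides suggest doing with Perl, grep, awk and Ndiff: it builds a per-host inventory of open ports and services and reports what changed between two scans of the same subnet. The host names, addresses and scan lines are constructed.

```python
"""Parse Nmap -oG output and diff two scans (added example; constructed data)."""
import ipaddress
import re

# Constructed -oG lines for two scans of the same /24, a week apart.
SCAN_BEFORE = """\
Host: 128.46.4.10 (web01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
Host: 128.46.4.11 (db01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2008/\tIgnored State: closed (998)
"""
SCAN_AFTER = """\
Host: 128.46.4.10 (web01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 3306/open/tcp//mysql//MySQL 5.1.61/, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
Host: 128.46.4.11 (db01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2008/\tIgnored State: closed (998)
Host: 128.46.4.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
"""

# Port entry layout is port/state/proto/owner/service/rpcinfo/version/ and Nmap
# writes '|' for any '/' inside a field, so this pattern cannot mis-split.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service, version)}} per host."""
    hosts = {}
    for line in text.splitlines():
        # A host whose ports are all in the ignored state has no Ports: field.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if not line.startswith("Host:") or "Ports" not in fields:
            continue
        entry = hosts.setdefault(fields["Host"].split()[0], {})
        for port, state, proto, service, version in PORT_RE.findall(fields["Ports"]):
            entry[(int(port), proto)] = (state, service, version)
    return hosts


def open_ports(entry):
    # Only 'open' counts; a 'filtered' port is not a listening service.
    return {key for key, (state, _, _) in entry.items() if state == "open"}


def diff_scans(before, after):
    """Ndiff-style list of (ip, change, detail): new hosts and opened/closed ports."""
    changes = []
    for ip in sorted(set(before) | set(after), key=ipaddress.ip_address):
        old, new = open_ports(before.get(ip, {})), open_ports(after.get(ip, {}))
        if ip not in before:
            changes.append((ip, "new host", ", ".join(f"{p}/{t}" for p, t in sorted(new))))
            continue
        for p, t in sorted(new - old):
            changes.append((ip, "opened", f"{p}/{t} {after[ip][(p, t)][1]}"))
        for p, t in sorted(old - new):
            changes.append((ip, "closed", f"{p}/{t}"))
    return changes
```

A host present in the first scan but absent from the second shows up as every one of its ports closed, which is usually what an auditor wants to be told.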

  12. CIS-CAT
  • What is it?
  • Why use it?
  • Where to get it?
  • How to use it?

  13. Configuration Assessment Tool – CIS-CAT by the Center for Internet Security
  • CIS-CAT is an automated assessment tool that supports a wide variety of operating systems and applications
  • Checks which security features of the assessed system are enabled
  • Commercial product with lots of community and back-end support
  • Free to Purdue system admins through the University's membership

  14. Why use CIS-CAT?
  • CIS-CAT is created by security-minded folks to assess the built-in security features of an operating system or supported applications
  • Provides recommendations and manual testing criteria
  • Updated regularly (at least quarterly)
  • Supports both GUI and CLI environments
  • Can be automated via GPO
  • Issue: Requires Java JRE 1.5 or newer
  Sampling of Supported Systems / Applications:
  • Apache Tomcat
  • Apple OSX 10.5
  • Apple OSX 10.6
  • Debian Linux
  • HP-UX 11i
  • IBM AIX 4.3-5.1
  • Microsoft Windows 2003
  • Microsoft Windows 2008
  • Microsoft Windows XP
  • Microsoft Windows 7
  • Mozilla Firefox
  • Oracle Database 11g
  • Oracle Database 9i-10g
  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Slackware Linux 10.2
  • Solaris 10
  • Solaris 2.5.1-9
  • SUSE Linux Enterprise Server 10
  • SUSE Linux Enterprise Server 9
  • VMware ESX 3.5
  • VMware ESX 4

  15. Where do I get CIS-CAT? http://www.cisecurity.org/
  • Can be downloaded from the Center for Internet Security's web page: https://community.cisecurity.org/
  • Request an account from the login page (takes a day or so to get approved)
  • $300.00 annual membership if you are not a Purdue employee
  • ~36 MB footprint; includes the CIS-CAT jar file, documentation, and all centrally maintained benchmarks
  • NIST-provided benchmarks: http://web.nvd.nist.gov/view/ncp/repository?tier=4&product=&category=&authority=&keyword=

  16. How to use CIS-CAT
  • Interactively by:
  • Executing ciscat.jar with or without flags
  • Executing a canned script: Cis-cat.bat (Windows), Cis-cat.sh (Unix), Cis-cat-jump.bat (jump drive)
  • Remotely via command line:
  • Via GPO and a centralized share
  • Via cron and a centralized mount
  • Via CLI with remote web services

  17. How to use CIS-CAT from the CLI
  CLI options (i.e., java -jar ciscat.jar --help):
    This is CIS-CAT version 2.2.19
    usage: Options Tip
     -a,--accept-terms                 Accepts terms of use
     -ap,--aggregation-period <arg>    The width of a dashboard aggregation, ex. 1M, 13W, 20D
     -ar,--aggregate-reports <arg>     Create a CIS-CAT Dashboard by aggregating all the XML reports in the specified directory
     -b,--benchmark <arg>              Path to benchmark to run
     -c,--reset                        Reset preferences
     -csv,--report-csv                 Creates a CSV report
     -d,--benchmark-dir <arg>          Override default location for benchmarks. Used with --list and --find
     -f,--find                         Interactively select a benchmark
     -h,--help                         Prints help for this application
     -l,--list                         List all benchmarks in default benchmark location
     -n,--report-no-html               No HTML report will be created; by default an HTML report is created
     -p,--profile <arg>                Title of benchmark profile to evaluate
     -r,--results-dir <arg>            Directory to save results in
     -rn,--report-name <arg>           The base name of the report, no extension
     -s,--status                       Status information is displayed
     -t,--report-txt                   Creates a text report
     -u,--report-upload <arg>          Sends a HTTP POST with the XML report to the specified URL. POST parameter name is ciscat-report
     -ui,--ignore-certificate-errors   Ignores any SSL certificate errors during report upload
     -v,--version                      Display CIS-CAT version and JRE information
     -vs,--verify-signature            Verify that the XML benchmarks have valid signatures
     -x,--report-xml                   Creates an XML report
     -y,--report-all-tests             Causes the HTML and text reports to show all tests. Only applicable tests are displayed by default
  • Use -vs so that a tampered benchmark is rejected, and avoid -ui except against a trusted internal collector, since it disables certificate checking on the -u report upload

  18. CIS-CAT output
  • Multiple output files are supported:
  • HTML – Great for clients or end users
  • CSV – Great when assessing multiple systems at one time; less space required
  • TXT – Just the facts, ma'am
  • XML – Used when importing into other auditing systems / frameworks
  • Output is named after the host being assessed
  • Dashboards can be generated by processing a series of CIS-CAT reports: CIS-CAT -> File menu -> Create Dashboard

  19. Sample CIS-CAT report (screenshot of an HTML report)

  20. Other noteworthy tools – http://sectools.org/
  • Metasploit Community Edition – http://www.rapid7.com/products/metasploit-community.jsp
  • Microsoft Baseline Security Analyzer (MBSA) – http://www.microsoft.com/en-us/download/details.aspx?id=7558
  • Nexpose VA Scanner [Community Edition] – http://www.rapid7.com/products/nexpose-community-edition.jsp
  • WMIC interface – http://technet.microsoft.com/en-us/library/bb742610.aspx
  • Nikto – Web Application Scanner – http://www.cirt.net/nikto2
  • BackTrack – Linux Auditing OS Distro – http://www.backtrack-linux.org/

  21. Contact Information
  • George Bailey – baileyga@purdue.edu – Office: 49-47538
  • Josh Gillam – jgillam@purdue.edu