San Francisco Chapter
Establishing Effective Audit Control Objectives for UNIX (Afternoon Session)
Rick Allen, CISSP, Manager, Strategic Security Services, [email protected]
1. Introduction to Unix Armoring Techniques
2. Understanding and application of Minimum Unix Security Control Baseline methods
3. Value & Impact Analysis between typical and integrated audit plans
4. Review of basic Unix shell commands used for systems audit
5. Recommendations for building integrated audit plans with control objectives and test activities (Sample audit program)
Unix Armoring Techniques
Determine Initial OS package load: CORE – DEV – END USER?
Determine the file system partitioning scheme: / (root) and /var should be separate partitions, as should /usr, and the web server's logging area should be on its own partition so that a filling log cannot exhaust the root file system.
The /usr partition should be mounted read-only (ro).
After editing inetd.conf, send the inet daemon a SIGHUP from the shell so it re-reads the file (for example, kill -HUP on the inetd process ID).
After reboot, install the recommended patch cluster from SunSolve.
Patch clusters are frequently updated and should be checked periodically.
Begin review of armoring controls and procedures:
Turning off unnecessary services
Modifying various key files and configurations
Installing TCP wrappers on necessary services
Confirm which services are commented out in /etc/inetd.conf.
Solaris inetd.conf defaults to 35 enabled services.
Audit /etc/inetd.conf for ownership and permission flags; the permission value should be 640.
Audit /etc/rc2.d and /etc/rc3.d for startup scripts launched by the init process.
Stop a script from loading by renaming its leading uppercase S to a lowercase s; init only runs scripts whose names begin with an uppercase S or K, so the file stays in place for later review.
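The three checks above (enabled inetd services, rc scripts init will run, and file modes), written as shell functions an auditor can run on the host or against configuration files copied off it. This is an added example, not part of the presentation: the inetd.conf and rc3.d directory it inspects are constructed in a temporary directory so it runs anywhere, and the mode check assumes GNU stat -c (on Solaris, parse ls -l output instead).

```shell
#!/bin/sh
# Added audit helpers (not from the presentation). Each function takes the
# file or directory to inspect so it can be pointed at a live host or at
# configuration files copied off the system for review.

# Print the service names still enabled in an inetd.conf: every line that is
# not blank and not commented out with a leading '#'.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{ print $1 }'
}

# Print the startup scripts init will actually run from an rc directory
# (names starting with an uppercase S). Scripts disabled by the S-to-s
# rename are listed separately so the auditor can confirm that was intended.
enabled_rc_scripts() {
    for f in "$1"/S*; do
        [ -e "$f" ] && basename "$f"
    done
}
disabled_rc_scripts() {
    for f in "$1"/s*; do
        [ -e "$f" ] && basename "$f"
    done
}

# Compare a file's octal mode with the expected value (640 for inetd.conf
# and the rc scripts). Prints FAIL and returns 1 on a mismatch.
# Assumes GNU stat; on Solaris replace with ls -l parsing.
check_mode() {
    actual=$(stat -c '%a' "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 mode $actual"
    else
        echo "FAIL $1 mode $actual (expected $2)"
        return 1
    fi
}

# ---- constructed sample data so the functions can be exercised offline ----
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
# constructed excerpt of a Solaris inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#echo   stream  tcp  nowait  root    internal
EOF
chmod 644 "$demo/inetd.conf"      # deliberately looser than the 640 the baseline calls for
mkdir -p "$demo/rc3.d"
touch "$demo/rc3.d/S50apache" "$demo/rc3.d/S76snmpdx" "$demo/rc3.d/s15nfs.server"

echo "enabled inetd services:";          active_inetd_services "$demo/inetd.conf"
echo "rc3.d scripts init will run:";     enabled_rc_scripts "$demo/rc3.d"
echo "rc3.d scripts disabled by rename:"; disabled_rc_scripts "$demo/rc3.d"
check_mode "$demo/inetd.conf" 640 || echo "remediate: chmod 640 $demo/inetd.conf"
```

Run on the host itself, the calls become active_inetd_services /etc/inetd.conf and enabled_rc_scripts /etc/rc3.d; the output is the evidence an audit program asks the operator to produce.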
Audit the rc scripts' ownership and permissions (640).
Are these files included in the audit plan and reviewed by operations on a regular basis?
Enable logging and auditing in /var/adm, the default logging directory. Two additional log files need to be added:
sulog: /var/adm/sulog records all successful and failed su attempts, including attempts to switch to root.
Audit the /etc/issue file. This text banner appears before service logins (telnet), so the legal warning is shown whenever someone attempts to log in to the system.
Audit the /etc/group file for the existence of the WHEEL group. This group is for accounts that may execute powerful commands such as su.
Identify critical system binaries such as /usr/bin/su, change their group ownership to WHEEL and set the permissions to owner and group executable only.
Maintain the SUID or SGID bit for specific binaries:
# /usr/bin/chgrp WHEEL /usr/bin/su
# /usr/bin/chmod 4750 /usr/bin/su
A four-digit mode expresses the sticky, SetUID and SetGID bits together with the usual permissions: the leading digit is 4 for SetUID, 2 for SetGID and 1 for sticky, so 4750 means SetUID, rwx for the owner, r-x for the group and nothing for others.
su has a statically linked counterpart in /sbin/su.static. Functionally it is the same as /usr/bin/su, but its libraries are statically linked (hence the larger file size), so /sbin/su.static must be chgrp'd and chmod'd as well.
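Hardening su and su.static by hand is only half the control; the audit also has to show that no other set-uid or set-gid file has appeared. The added example below (not from the presentation) inventories every set-uid/set-gid file under a tree, compares it with an approved baseline, and verifies the exact mode and group of the binaries the text singles out. The sample tree, baseline and file names are constructed in a temporary directory; the functions assume GNU stat -c, so on Solaris substitute ls -l parsing.

```shell
#!/bin/sh
# Added example (not from the presentation): inventory set-uid / set-gid files,
# diff them against an approved baseline, and check the mode/group of su.
# Assumes GNU stat -c; on Solaris, parse ls -l output instead.

# Print "mode group path" for each set-uid or set-gid regular file under $1.
list_privileged_binaries() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %G %n' {} \;
}

# Print the set-uid/set-gid paths under $1 that are not listed in the
# baseline file $2 (approved paths, one per line). Anything printed is a new
# package, a forgotten copy (su.static is the classic one) or a backdoor.
unexpected_privileged() {
    tmp=$(mktemp)
    list_privileged_binaries "$1" | awk '{ print $3 }' | sort > "$tmp"
    sort "$2" | comm -13 - "$tmp"
    rm -f "$tmp"
}

# Verify that a binary has exactly the expected octal mode and group,
# e.g. check_privileged /usr/bin/su 4750 wheel. Returns 1 on any deviation.
check_privileged() {
    mode=$(stat -c '%a' "$1")
    group=$(stat -c '%G' "$1")
    status=0
    [ "$mode" = "$2" ]  || { echo "FAIL $1 mode $mode (expected $2)";   status=1; }
    [ "$group" = "$3" ] || { echo "FAIL $1 group $group (expected $3)"; status=1; }
    [ "$status" -eq 0 ] && echo "OK   $1 $mode $group"
    return $status
}

# ---- constructed sample tree; the real audit points these at / ----
tree=$(mktemp -d)
mkdir -p "$tree/usr/bin" "$tree/sbin"
touch "$tree/usr/bin/su" "$tree/sbin/su.static" "$tree/usr/bin/ping" "$tree/usr/bin/rogue"
chmod 4750 "$tree/usr/bin/su"
chmod 4755 "$tree/sbin/su.static"    # forgotten copy, still world-executable
chmod 4755 "$tree/usr/bin/ping"
chmod 4755 "$tree/usr/bin/rogue"     # not in the baseline: shows up in the report
printf '%s\n' "$tree/usr/bin/su" "$tree/usr/bin/ping" > "$tree/baseline.txt"

echo "set-uid/set-gid files not in baseline:"
unexpected_privileged "$tree" "$tree/baseline.txt"
# The group check below uses whatever group the temp file got; on a real
# host the third argument is the WHEEL group from /etc/group.
check_privileged "$tree/usr/bin/su" 4750 "$(stat -c '%G' "$tree/usr/bin/su")"
```

The baseline should be taken from a freshly built, patched host and kept under change control; the diff output is then the audit finding list, and /sbin/su.static appears in it until it is given the same group and 4750 mode as /usr/bin/su.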
The SetGID bit on a directory (the s in the group execute position) makes files created inside it inherit the directory's group rather than the creator's primary group:
drwxrwsrwx 2 debi lp 512 Mar 30 06:00 test
$ cd test
$ touch newfile
$ ls -la newfile
-rw-r--r-- 1 debi lp 0 Mar 31 09:00 newfile
Unix Armoring Techniques: User Account Environment
The Root Account
Used by the Unix admin for unlimited access to all programs, files and resources the system has to offer (an obvious high-profile security target).
Root's name can be changed, but as long as the user ID is 0 it is still root: the account is omnipotent because of UID 0, not because of its name.
Other accounts can be created with a user ID of 0; those accounts have all the power and privilege that root has, so the audit must look for them.
Other Admin Accounts & Groups
Several admin accounts exist in Unix. While they do not have root privilege, they should be protected as though they did.
System processes using these accounts control functions including email, the DBMS and lp (printing).
Lock the following accounts and groups:
When Users Need Root Privilege
Mount disks and CDs, where the mount and umount commands are required in the absence of volume management.
Kill or restart specific processes not belonging to the user. Example: a user may need to kill and restart a database instance or application (non-root users can only kill their own processes).
Root's .profile sets the PATH; it must not include directories whose contents are questionable or unknown (no "." and no world-writable directories), and the entries are separated by colons: PATH=/usr/bin:/sbin:/usr/sbin
The consistency of the passwd file can be checked with the pwck command.
Modern Unix stores the encrypted password in /etc/shadow, together with other information such as password aging.
The passwd file is owned by root and must be readable by all users but writable only by root: /etc/passwd -rw-r--r--
Using Good Password Construction
A Unix weakness exists whereby password aging restrictions are ignored when root changes another account's password (including its own).
Force account smar to change its password at next login:
# passwd -f smar
Prevent the user from changing the password (on Solaris a minimum age greater than the maximum age means the user cannot change it):
# passwd -n 2 -x 1 smar
Force the account jsmith to change its password every 30 days (-x sets the maximum age in days; -n sets the minimum):
# passwd -x 30 jsmith
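The root-account, PATH, passwd-file and password-aging checks from the last two slides, combined into one set of shell functions an auditor can run against /etc/passwd and /etc/shadow (or copies taken off the host). This is an added example, not from the presentation; the passwd and shadow contents are constructed, and the account names smar and jsmith are reused from the slides only as sample data.

```shell
#!/bin/sh
# Added example (not from the presentation): account checks run against
# passwd and shadow files given as parameters, so they work on copies.
# Shadow fields (Solaris and Linux): name:passwd:lastchg:min:max:warn:inactive:expire:flag

# Every account with UID 0 is root, whatever it is called.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts with an empty password field: no password is required at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Active accounts whose maximum password age (field 5) is unset or longer
# than $2 days. Locked accounts (NP or *LK*) are skipped: nobody can log in.
aging_exceptions() {
    awk -F: -v limit="$2" '
        $2 == "NP" || $2 ~ /^\*LK\*/ { next }
        $5 == "" || $5 + 0 > limit   { print $1 }' "$1"
}

# Entries in a PATH value that are empty (meaning the current directory),
# "." or otherwise relative: a Trojan placed there runs the first time root
# mistypes a command while sitting in an attacker-writable directory.
unsafe_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        $0 == ""    { print "(empty)"; next }
        $0 !~ /^\// { print }'
}

# ---- constructed sample files ----
acct=$(mktemp -d)
cat > "$acct/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
toor:x:0:1:second uid 0 account:/:/sbin/sh
daemon:x:1:1::/:
smar:x:1001:10:S. Mar:/export/home/smar:/bin/ksh
jsmith:x:1002:10:J. Smith:/export/home/jsmith:/bin/ksh
EOF
cat > "$acct/shadow" <<'EOF'
root:Xk9aBcD12eFgH:11000::::::
toor::11000::::::
daemon:NP:6445::::::
smar:Xk9aBcD12eFgH:11000:2:1::::
jsmith:Xk9aBcD12eFgH:11000:7:30::::
EOF

echo "UID 0 accounts:";              uid0_accounts "$acct/passwd"
echo "empty passwords:";             empty_password_accounts "$acct/shadow"
echo "max age unset or > 30 days:";  aging_exceptions "$acct/shadow" 30
echo "unsafe PATH entries:";         unsafe_path_entries ".:/usr/bin:/sbin::/usr/sbin"
```

On the sample data the UID 0 check reports both root and toor, the empty-password check reports toor, and the aging check reports root and toor because neither has a maximum age set; jsmith's 30-day maximum passes. The checks complement pwck, which validates the structure of the files but not their security content.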
Protect /etc/default/passwd (the system-wide password policy: minimum length and aging defaults) and restrict direct root login in /etc/default/login, choosing one of the following:
Set CONSOLE=/dev/console in /etc/default/login: root may log in directly only on the system console.
Set CONSOLE=/dev/null in /etc/default/login: root can never log in directly and must su from a named account, which leaves a trail in sulog.
Unix Armoring Techniques: Executable Environment
Protecting from Buffer Overflows
Solaris can be configured to make the user stack non-executable, which defeats the common stack-based buffer overflow exploits that jump into shellcode placed on the stack. Add the following lines to /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
Then restart the system with the init 6 command. The second setting logs attempts to execute code on the stack, which is what the auditor looks for in the system log afterwards.
Caution: the above can break legitimate programs that do run code on the stack (test prior to production). It also does not prevent the overflow itself or an exploit that returns into existing code; it only removes the easiest payload.
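Both the /etc/system settings above and the CONSOLE setting in /etc/default/login are "is the line present and uncommented" controls, and a commented-out line is the usual way they fail an audit. The added example below (not from the presentation) reads the effective value of a key from either file style and turns the requirement into a PASS/FAIL line. The two configuration files it reads are constructed, with one setting deliberately left commented out.

```shell
#!/bin/sh
# Added example (not from the presentation): report whether the hardening
# settings called for in /etc/system and /etc/default/login are in effect.
# The files are parameters; the samples at the bottom are constructed.

# Print the value of KEY ($2) from file $1. Handles both forms used here:
#   /etc/system:        "set noexec_user_stack=1"   ('*' starts a comment)
#   /etc/default/login: "CONSOLE=/dev/console"      ('#' starts a comment)
# A commented-out line does not count; the last uncommented assignment is
# reported, and nothing is printed if the key is never set.
setting_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#*]/ { next }                       # comment line
        { line = $0; sub(/^[[:space:]]*set[[:space:]]+/, "", line) }
        index(line, key "=") == 1 {
            val = substr(line, length(key) + 2)
            gsub(/[[:space:]]/, "", val)
        }
        END { print val }' "$1"
}

# Compare a setting with its required value; prints PASS/FAIL, returns 1 on FAIL.
require_setting() {
    actual=$(setting_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $1: $2=$actual"
    else
        echo "FAIL $1: $2=${actual:-<unset>} (required $3)"
        return 1
    fi
}

# ---- constructed sample files ----
cfg=$(mktemp -d)
cat > "$cfg/system" <<'EOF'
* constructed /etc/system excerpt; '*' introduces a comment in this file
set noexec_user_stack=1
* set noexec_user_stack_log=1   still commented out: stack execution attempts are not logged
EOF
cat > "$cfg/login" <<'EOF'
# constructed /etc/default/login excerpt
#CONSOLE=/dev/console
CONSOLE=/dev/null
TIMEOUT=300
EOF

require_setting "$cfg/system" noexec_user_stack 1
require_setting "$cfg/system" noexec_user_stack_log 1 || echo "remediate: uncomment the line and reboot with init 6"
require_setting "$cfg/login" CONSOLE /dev/null
```

Pointed at the live files (require_setting /etc/system noexec_user_stack 1, require_setting /etc/default/login CONSOLE /dev/null), each line of output maps directly onto a control objective and its test activity in the audit program.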
Unix Armoring Techniques: XWindows Environment
Protecting XWindows
For local Unix, auto-configure the X Window screen lock.
For local and remote Unix, use the xhost command for access control:
# xhost
access control enabled, only authorized clients can connect
To allow a specific host, enter:
# xhost +hostname
Never use xhost + with no host name: that disables access control for every client on the network. Prefer per-user xauth cookies (MIT-MAGIC-COOKIE-1) where they are available.
Physical entry, social engineering, collusion, electronic penetration, a successful system hack.
You have no control over an attacker's skill, but you do control the skill required for a successful attack.
You have little control over the speed of an attack, but you do have control over the response time to an attack.
Given sufficient skill, time, motivation and opportunity, ANY defense can be breached.
Effective measures for controlling “Target Selection”
Limit IP/hostname information
Remove unauthorized hosts (e.g. remote controls)
Securely configure internet-accessible hosts
Remove service banners that identify software and versions (the legal warning banner in /etc/issue stays)
Disable modems and use strong security for those remaining
Limit use of unsecured information services (finger)
Ensure no data resides on the DMZ
Place servers behind a firewall (Unix based)
Disable or change default accounts
Limit logon attempts; record and review logs
Periodically run password crackers and/or integrity check software
Use anti-virus software on all platforms
Consider use of strong authentication and encryption
Consider intrusion detection software for networks and hosts
Use a deny-all-unless-explicit design rule
Limit services to those absolutely essential
Develop & implement strong policies and