AUDITING and SECURITY Jim Patterson, CISSP, CBCP, CRM Jefferson Wells - PowerPoint PPT Presentation

Learn more at: https://engage.isaca.org
1
AUDITING and SECURITY
Jim Patterson, CISSP, CBCP, CRM
Jefferson Wells
2
Introduction
  • The goals of Security (CIA)
      • Confidentiality
      • Integrity
      • Availability
      • (They are mutually dependent)
  • Avoid Audit Findings

3
Security Considerations
  • Identify Assets
      • Network Discovery
      • AD Discovery
      • DHCP and DNS Imports
      • File Import (from existing sources)
  • Assess Vulnerabilities
      • How vulnerability definitions are updated, and how frequently
      • Map vulnerabilities to industry/vendor nomenclature
      • Types of vulnerabilities found (configuration and patch)
      • When to do the assessment

4
Security Considerations
  • Remediate Vulnerabilities
      • How remediations are updated, and how frequently
      • Configuration and patch-based remediations
      • Use of industry/vendor nomenclature
      • Different remediation policies for different classes of assets
      • Different remediation schedules for different classes of assets
      • Manage rebooting of different classes of assets

5
Secured Network Model
6
Enterprise Architecture (architecture diagram; the components and labels recovered from the slide are listed below)
  • Central Console (XP/2000/2003)
  • Distributed Proxy (XP/2000/2003)
  • Reporting Database
  • DMZ
  • Connections labelled on the diagram: ODBC, SSL
  • Windows targets: Windows Server NT, 2000, 2003; XP/2000 desktops
  • UNIX Server targets: Solaris, Linux, AIX, HP-UX
  • System Reach: Mainframe, Windows, UNIX and Linux
7
(No Transcript)
8
System Security Categories
9
Audit and Compliance
  • Audit and Compliance checks
      • Security configuration settings
      • Antivirus status
      • Security patch status
      • Personal firewall status
      • Unauthorized software
      • Unauthorized hardware
      • Industry-known vulnerabilities
  • System Security
      • Enforcement
      • Access Control
      • Patching
      • Risk Management
      • Asset Management
      • Configuration Management
  • Audit and Compliance is not focused on
10
Event Management Model
11
Auditing System Components (diagram; components recovered from the slide)
  • Logger writes to the System Log
  • Analyzer reads the System Log and produces higher-level audit events
  • Notifier turns those events into actions: Email, Popup, Reconfig, Report
12
Audit System Structure
  • Logger
      • Records information, usually controlled by parameters
  • Analyzer
      • Analyzes logged information looking for something
  • Notifier
      • Reports results of analysis

13
Logger
  • Type, quantity of information recorded controlled
    by system or program configuration parameters
  • Tuning what is audited
  • May be human readable or not
  • If not, usually viewing tools supplied
  • Space available, portability influence storage
    format

14
Example: RACF
  • Security enhancement package for IBM's MVS/VM
  • Logs failed access attempts, use of privilege to
    change security levels, and (if desired) RACF
    interactions
  • View events with LISTUSERS commands

15
RACF Sample Entry
  USER=EW125004 NAME=S.J.TURNER OWNER=SECADM CREATED=88.004
   DEFAULT-GROUP=HUMRES PASSDATE=88.004 PASS-INTERVAL=30
   ATTRIBUTES=ADSP
   REVOKE DATE=NONE RESUME-DATE=NONE
   LAST-ACCESS=88.020/14:15:10
   CLASS AUTHORIZATIONS=NONE
   NO-INSTALLATION-DATA
   NO-MODEL-NAME
   LOGON ALLOWED (DAYS) (TIME)
   --------------------------------
   ANYDAY ANYTIME
   GROUP=HUMRES AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004
   CONNECTS= 15 UACC=READ LAST-CONNECT=88.018/16:45:06
   CONNECT ATTRIBUTES=NONE
   REVOKE DATE=NONE RESUME DATE=NONE
   GROUP=PERSNL AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004
   CONNECTS= 25 UACC=READ LAST-CONNECT=88.020/14:15:10
   CONNECT ATTRIBUTES=NONE

16
Example: Windows NT
  • Different logs for different types of events
      • System event log records system crashes,
        component failures, and other system events
      • Application event log records events that
        applications request be recorded
      • Security event log records security-critical
        events such as logging in and out, system file
        accesses, and other events
  • Logs are binary; use Event Viewer to see them
  • If a log fills up, the system can be configured to shut down,
    stop logging, or overwrite old entries
  • Logging enabled by SACLs and Windows Policy

17
Windows NT Sample Entry
  Date: 2/12/2000        Source: Security
  Time: 13:03            Category: Detailed Tracking
  Type: Success          EventID: 592
  User: WINDSOR\Administrator
  Computer: WINDSOR
  Description:
  A new process has been created:
    New Process ID: 2216594592
    Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
    Creator Process ID: 2217918496
    User Name: Administrator
    FDomain: WINDSOR
    Logon ID: (0x0,0x14B4c4)
  [would be in graphical format]

18
Syslog
  • De facto standard in Unix and networking
  • RFC 3164
  • UDP transport
  • Log locally or send to collecting server
  • Limited normalization

19
Syslog Format
  • PRI field
      • Facility: the part of the system generating the log
          • 0 kernel
          • 2 mail system
          • 6 line printer
      • Severity: a fully ordered list
          • 0 Emergency
          • 3 Error
          • 6 Informational
  • Header
      • Time stamp
      • Host name
  • Msg
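
The PRI/Header/Msg layout above is worked through in the following Python example. It is added here and is not from the presentation: it decodes PRI into the facility and severity codes (PRI = facility × 8 + severity, the full RFC 3164 tables rather than the three entries the slide lists), splits the header into time stamp and host name, and applies the RFC's rule of assigning PRI 13 to a message that arrives with no valid PRI. The three sample lines are constructed for the example.

```python
import re

# Facility and severity code tables from RFC 3164, section 4.1.1
# (the slide lists only a few entries of each).
FACILITIES = {
    0: "kernel", 1: "user", 2: "mail system", 3: "system daemons",
    4: "security/authorization", 5: "syslogd", 6: "line printer",
    7: "network news", 8: "UUCP", 9: "clock daemon",
    10: "security/authorization (private)", 11: "FTP", 12: "NTP",
    13: "log audit", 14: "log alert", 15: "clock daemon",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# HEADER = TIMESTAMP ("Mmm dd hh:mm:ss", day space-padded) + HOSTNAME, then MSG
_HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def decode_pri(pri):
    """PRI = facility * 8 + severity; valid values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(line):
    """Parse one RFC 3164 message into a dict.

    Edge cases are handled the way the RFC tells a relay to handle them: a
    message with no valid PRI is given PRI 13 (user.notice) and the whole line
    becomes MSG; a valid PRI followed by a non-conforming HEADER keeps the PRI
    and treats the rest of the line as MSG.
    """
    m = _PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:
        pri, rest = 13, line
    else:
        pri, rest = int(m.group(1)), line[m.end():]
    facility, severity = decode_pri(pri)
    h = _HEADER_RE.match(rest)
    return {
        "pri": pri,
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "timestamp": h.group("ts") if h else None,
        "host": h.group("host") if h else None,
        "msg": h.group("msg") if h else rest,
    }


def at_least(records, severity_name):
    """Severities are a fully ordered list with 0 the worst, so 'Error or
    worse' is simply severity <= 3."""
    threshold = {v: k for k, v in SEVERITIES.items()}[severity_name]
    return [r for r in records if r["severity"] <= threshold]


# Constructed sample lines (not from the slides): two RFC 3164 messages and
# one line with no PRI at all.
SAMPLE = [
    "<34>Oct 11 22:14:15 mailhost su: 'su root' failed for alice on /dev/pts/8",
    "<6>Feb  5 17:32:18 fw1 kernel: eth0: link up",
    "printer on fire",
]

if __name__ == "__main__":
    for rec in (parse_syslog(l) for l in SAMPLE):
        print(rec["facility_name"], rec["severity_name"], rec["host"], rec["msg"])
```

The "limited normalization" point from the previous slide shows up immediately: the facility is whatever the sending program chose, and a line that arrives without a PRI silently becomes user.notice, so a collector that filters on severity alone will miss it.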

20
Top 10 Things to Audit in a Win2k Domain
  • Local Security Policy of one DC
      • 1. Password policy
      • 2. Lockout policy
      • 3. Audit policy
          • Account Management, Account Logon, System Policy, Policy Changes
          • Failure AND Success!
  • Active Directory Users and Computers
      • 4. Important group memberships
          • Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops
          • If the root domain of the forest, also check: Enterprise Admins, Schema Admins, DNSAdmins

21
Top 10 Things to Audit in a Win2k Domain
  • One or more Domain Controllers
      • 5. Service Pack Level
      • 6. Dangerous Services
  • One or more Member Servers
      • 7. Audit Policy
          • Account Logon, Account Management, System Policy, Policy Change
      • 8. Service Pack Level
      • 9. Dangerous Services
      • 10. Administrator account

22
Analyzer
  • Analyzes one or more logs
  • Logs may come from multiple systems, or a single
    system
  • May lead to changes in logging
  • May lead to a report of an event

23
Examples
  • Using swatch to find instances of telnet from tcpd logs
      • /telnet/&!/localhost/&!/\.site\.com/
  • Query set overlap control in databases
      • If too much overlap between current query and past queries, do not answer
  • Intrusion detection analysis engine (director)
      • Takes data from sensors and determines if an intrusion is occurring

24
Notifier
  • Informs analyst, other entities of results of
    analysis
  • May reconfigure logging and/or analysis on basis
    of results

25
Examples
  • Using swatch to notify of telnets
      • /telnet/&!/localhost/&!/\.site\.com/  mail=staff
  • Query set overlap control in databases
      • Prevents response from being given if too much overlap occurs
  • Three failed logins in a row disable user account
      • Notifier disables account, notifies sysadmin
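
The analyzer and notifier pairs from the last four slides (the swatch telnet rule and the three-failed-logins rule) are worked through in the following Python example. It is added here and is not from the presentation or from swatch itself: a WatchRule reproduces swatch's "match this and not these" semantics for /telnet/&!/localhost/&!/\.site\.com/ with a mail=staff action, and a second analyzer counts consecutive login failures per user and hands the notifier an account to disable. The tcpd and login log lines, the rule name and the notification strings are constructed for the example.

```python
import re

# --- Constructed sample logs (not from the slides) -------------------------
TCPD_LOG = [
    "Mar  3 09:12:01 gw in.telnetd[2231]: connect from localhost",
    "Mar  3 09:14:44 gw in.telnetd[2240]: connect from pc12.site.com",
    "Mar  3 09:15:02 gw in.telnetd[2244]: connect from dialup-77.example.net",
    "Mar  3 09:15:30 gw in.ftpd[2250]: connect from 203.0.113.7",
    "Mar  3 09:16:11 gw in.telnetd[2261]: connect from 198.51.100.23",
]
AUTH_LOG = [
    "Mar  3 10:01:05 gw login[301]: FAILED LOGIN FROM console FOR bob",
    "Mar  3 10:01:09 gw login[301]: FAILED LOGIN FROM console FOR bob",
    "Mar  3 10:01:20 gw login[301]: LOGIN ON tty1 BY bob",
    "Mar  3 10:02:02 gw login[305]: FAILED LOGIN FROM console FOR bob",
    "Mar  3 10:02:06 gw login[305]: FAILED LOGIN FROM console FOR alice",
    "Mar  3 10:02:10 gw login[305]: FAILED LOGIN FROM console FOR bob",
    "Mar  3 10:02:14 gw login[305]: FAILED LOGIN FROM console FOR bob",
    "Mar  3 10:02:18 gw login[305]: FAILED LOGIN FROM console FOR bob",
]


class WatchRule:
    """One swatch-style rule: a pattern, the '&!' exclusions, and an action."""

    def __init__(self, name, pattern, exclude=(), action="report"):
        self.name = name
        self.pattern = re.compile(pattern)
        self.exclude = [re.compile(x) for x in exclude]
        self.action = action

    def matches(self, line):
        return bool(self.pattern.search(line)) and not any(
            x.search(line) for x in self.exclude)


# /telnet/&!/localhost/&!/\.site\.com/  mail=staff
TELNET_RULE = WatchRule("outside-telnet", r"telnet",
                        exclude=[r"localhost", r"\.site\.com"],
                        action="mail staff")


def analyze(lines, rules):
    """Analyzer: every line against every rule; returns (rule, line) hits."""
    return [(rule, line) for line in lines for rule in rules if rule.matches(line)]


def notify(hits):
    """Notifier: turns hits into actions. Returned as strings rather than
    sent, so the example runs offline."""
    return [f"{rule.action}: [{rule.name}] {line}" for rule, line in hits]


FAIL_RE = re.compile(r"FAILED LOGIN .* FOR (\S+)$")
OK_RE = re.compile(r"LOGIN ON \S+ BY (\S+)$")


def lockout_analyzer(lines, threshold=3):
    """Three failed logins in a row for one user -> that account goes to the
    notifier. A successful login by the user resets the streak; an account
    already reported is not reported again on further failures."""
    streak, disabled = {}, []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            user = m.group(1)
            streak[user] = streak.get(user, 0) + 1
            if streak[user] == threshold and user not in disabled:
                disabled.append(user)
            continue
        m = OK_RE.search(line)
        if m:
            streak[m.group(1)] = 0
    return disabled


def lockout_notifier(disabled):
    """Notifier for the lockout rule: disable the account and tell the sysadmin."""
    return [f"disable account {user}; notify sysadmin" for user in disabled]


if __name__ == "__main__":
    print(*notify(analyze(TCPD_LOG, [TELNET_RULE])), sep="\n")
    print(*lockout_notifier(lockout_analyzer(AUTH_LOG)), sep="\n")
```

Two of the five tcpd lines fire the telnet rule (the localhost and .site.com connections are excluded, the ftpd line never matches), and only bob reaches three consecutive failures: his first two are wiped out by the successful login in between, and alice's single failure never reaches the threshold.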

28
Application Logging
  • Application logs are made by applications
  • Applications control what is logged
  • Typically use high-level abstractions such as
      • su: bishop to root on /dev/ttyp0
  • Does not include detailed, system-call-level
    information such as results, parameters, etc.

29
System Logging
  • Log system events such as kernel actions
  • Typically use low-level events
      3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
      3876 ktrace NAMI "/usr/bin/su"
      3876 ktrace NAMI "/usr/libexec/ld-elf.so.1"
      3876 su RET execve 0
      3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
      3876 su RET __sysctl 0
      3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
      3876 su RET mmap 671473664/0x2805e000
      3876 su CALL geteuid
      3876 su RET geteuid 0
  • Does not include high-level abstractions such as
    loading libraries

30
Contrast
  • Differ in focus
  • Application logging focuses on application
    events, like failure to supply proper password,
    and the broad operation (what was the reason for
    the access attempt?)
  • System logging focuses on system events, like
    memory mapping or file accesses, and the
    underlying causes (why did access fail?)
  • System logs usually much bigger than application
    logs
  • Can do both, try to correlate them

31
Access Control
Collection of mechanisms that permits managers of a system to exercise a
directing influence over the behavior, use and content of the system
  • System Access Control
      • Password and other authentication
      • System Auditing
  • Discretionary Access Control (DAC)
      • Access Control List
  • Mandatory Access Control (MAC)
      • Reference Monitor

32
UNIX File System
  • Ordinary files
  • Directory files
  • Special files

33
Basic Access Control
  • From an ls -l command you will see the following
      • Column 1: type of file
      • Columns 2-4: owner's permissions
      • Columns 5-7: group's permissions
      • Columns 8-10: others' permissions

PERMISSION      MEANING
- rwx rwx rwx   File. Everyone can read, write and execute this.
- rwx r-x r-x   File. Everyone can read and execute this, but only the owner can write to it.
- r-- r-- ---   File. The owner and everyone in his group can only read this file; others have no access to it.
d rw- rw- rw-   Directory. Everyone can read and write. No one, including the owner, can traverse it.
l rwx r-x r-x   Link. The permissions for a link generally do not matter.
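
The column layout and the table's remarks are worked through in the following Python example, added here and not from the presentation. It parses the ten-character mode string from ls -l into the owner/group/others triplets, converts it to the numeric form, and reports the review notes the table implies (a directory nobody can traverse, a world-writable object, a setuid executable). It also recognises the eleventh "+" that some ls versions print when an ACL is present, which leads into the next slide; the mode strings used in the usage are constructed.

```python
CLASSES = ("owner", "group", "others")
TYPES = {"-": "file", "d": "directory", "l": "link", "c": "character device",
         "b": "block device", "p": "named pipe", "s": "socket"}


def parse_mode(mode):
    """Parse the 10-character mode string from ls -l.

    Column 1 is the file type; columns 2-4, 5-7 and 8-10 are the rwx triplets
    for owner, group and others. An 11th character ('+', '.', '@') that some
    ls versions append to signal an ACL or extended attributes is noted and
    stripped.
    """
    has_acl = len(mode) == 11 and mode[10] in "+.@"
    if has_acl:
        mode = mode[:10]
    if len(mode) != 10 or mode[0] not in TYPES:
        raise ValueError(f"not an ls -l mode string: {mode!r}")
    perms = {}
    for cls, start in zip(CLASSES, (1, 4, 7)):
        r, w, x = mode[start:start + 3]
        if r not in "r-" or w not in "w-" or x not in "x-sStT":
            raise ValueError(f"bad {cls} triplet in {mode!r}")
        # 's'/'t' mean execute plus setuid/setgid/sticky; 'S'/'T' mean the
        # special bit is set but execute is not.
        perms[cls] = {"read": r == "r", "write": w == "w", "execute": x in "xst"}
    return {
        "type": TYPES[mode[0]], "perms": perms, "has_acl": has_acl,
        "setuid": mode[3] in "sS", "setgid": mode[6] in "sS", "sticky": mode[9] in "tT",
    }


def to_octal(mode):
    """Numeric form (e.g. 0o4755) of a mode string."""
    info = parse_mode(mode)
    bits = 0
    for shift, cls in zip((6, 3, 0), CLASSES):
        p = info["perms"][cls]
        bits |= (4 * p["read"] + 2 * p["write"] + 1 * p["execute"]) << shift
    bits |= 0o4000 * info["setuid"] | 0o2000 * info["setgid"] | 0o1000 * info["sticky"]
    return bits


def can(mode, who, op):
    """Does class `who` ('owner'/'group'/'others') have `op` on this object?"""
    return parse_mode(mode)["perms"][who][op]


def review(mode):
    """Review notes mirroring the table's remarks: a directory without execute
    cannot be traversed (even by its owner), world-writable objects without
    the sticky bit, setuid/setgid executables, and links."""
    info = parse_mode(mode)
    notes = []
    if info["type"] == "directory":
        blocked = [c for c in CLASSES if not info["perms"][c]["execute"]]
        if blocked:
            notes.append("not traversable by: " + ", ".join(blocked))
    if info["perms"]["others"]["write"] and not info["sticky"]:
        notes.append("world-writable")
    if info["setuid"] or info["setgid"]:
        notes.append("setuid/setgid: audit this executable")
    if info["type"] == "link":
        notes.append("link: permissions generally do not matter, check the target")
    return notes


if __name__ == "__main__":
    for m in ("-rwxr-xr-x", "-r--r-----", "drw-rw-rw-", "-rwsr-xr-x", "-rw-r--r--+"):
        print(m, oct(to_octal(m)), review(m))
```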
34
Access Control List - UNIX
  • An access control list (ACL) is an ordered list
    of access control entries (ACEs) that define the
    protections that apply to an object and its
    properties
  • Each ACL entry contains
      • Attributes
          • Define special file modes such as SETUID, SETGID, sticky bit
      • Base permissions
          • Reflect the basic access rights
      • Extended permissions
          • specify, permit, deny

35
Access Control List

ACL ENTRIES                                  DESCRIPTION
1. attributes: setuid, setgid, stickybit     Special file modes.
2. base permissions                          Standard Unix file permissions.
3.   owner(owner_user): rwx                  owner and access rights
4.   group(owner_group): r-x                 group and access rights
5.   others: r--                             others' rights
6. extended permissions                      Additional ACL entries.
7.   enabled                                 enabled or disabled
8.   permit --x u:some_user, g:some_group    Permits access to the specified user-group combination in a boolean AND manner.
9.   deny rwx g:a_group                      Forbids access to the specified user-group combination in a boolean AND manner.
36
Auditing
  • Is a feature which provides accountability for all
    system activities, from file access to network and
    database
  • Each audit event, such as a user login, is formatted
    into fields such as the event type, user id, file
    names and time
  • Audit events
      • Administrative event class
          • Security administrator events
          • System administrator events
          • Operator events
      • Audit event class
          • Describes the operation of the audit system itself

37
Windows File System
  • Supports two file systems
      • FAT (File Allocation Table)
          • File system does not record security information
            such as owner or access permission of a file or
            directory
      • NTFS (New Technology File System)
          • Supports a variety of multi-user security models
  • NTFS vs FAT
      • Fault tolerance
      • Access control by directory or file
      • Can compress individual files or directories
      • POSIX support

38
Access Control List - Windows
  • Data structure of an ACL
      • ACL size: number of bytes of memory allocated
      • ACL revision: revision level of the ACL's data structure
      • ACE count: number of ACEs in the ACL

39
Access Control Entries
  • Each ACE contains the following access control information
      • A security identifier (SID)
      • An access mask that specifies access rights
      • A set of bit flags that determines which child
        objects can inherit the ACE
      • A flag that indicates the type of ACE

40
ACE Types
  • 3 Generic types

Type             Description
Access-denied    Used in a DACL to deny access.
Access-allowed   Used in a DACL to allow access.
System-audit     Used in a SACL to log attempts to access.

  • 3 Object-Specific ACE types

Type                             Description
Access-denied, object-specific   Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
Access-allowed, object-specific  Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
System-audit, object-specific    Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.
41
Access Rights
  • Generic Access Rights

Constant in Win32 API   Meaning
GENERIC_ALL             Read, write, and execute access
GENERIC_EXECUTE         Execute access
GENERIC_READ            Read access
GENERIC_WRITE           Write access

  • Standard Access Rights

Constant in Win32 API   Meaning
DELETE                  The right to delete the object.
READ_CONTROL            The right to read the information in the object's security descriptor, not including the information in the SACL.
SYNCHRONIZE             The right to use the object for synchronization. Some object types do not support this access right.
WRITE_DAC               The right to modify the DACL in the object's security descriptor.
WRITE_OWNER             The right to change the owner in the object's security descriptor.

  • Other rights: SACL access rights, object-specific access rights, user rights
42
How Access Control Works?
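
This slide carries only its title in the transcript. The following Python example is added here and is not from the presentation or from Windows itself: it models how the pieces of the last four slides fit together, an ACL as an ordered list of ACEs (type, SID, access mask, flags), the DACL walk that grants or denies a requested access mask, and system-audit ACEs in the SACL producing audit records. The standard-right bit values and well-known SIDs are the real Win32 ones; the two file-specific rights, the sample descriptor and the token SID sets are constructed for the example, and the implicit owner rights, MAXIMUM_ALLOWED and generic-to-specific mapping are deliberately left out.

```python
from dataclasses import dataclass

# Standard access rights from the slide, with their Win32 bit values.
DELETE       = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC    = 0x00040000
WRITE_OWNER  = 0x00080000
SYNCHRONIZE  = 0x00100000
# Two object-specific rights of a file, used as sample bits for the example.
FILE_READ_DATA  = 0x0001
FILE_WRITE_DATA = 0x0002

# The three generic ACE types from the slide.
ACCESS_ALLOWED, ACCESS_DENIED, SYSTEM_AUDIT = "access-allowed", "access-denied", "system-audit"
# ACE flags: inheritance control, and the audit flags used on SACL entries.
INHERIT_ONLY_ACE = 0x08
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80

# Well-known SIDs used by the constructed descriptor below.
EVERYONE, ADMINISTRATORS, USERS, GUESTS = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-546"


@dataclass
class ACE:
    """The four fields the slide lists: type, SID, access mask, flags."""
    ace_type: str
    sid: str
    mask: int
    flags: int = 0


@dataclass
class ACL:
    """ACL header fields from the slide (revision, ACE count) plus the entries."""
    aces: list
    revision: int = 2

    @property
    def ace_count(self):
        return len(self.aces)


def check_access(dacl, token_sids, requested):
    """Walk the DACL in order, as the Windows reference monitor does.

    * no DACL at all: full access; an empty DACL: no access
    * an access-denied ACE for a SID in the token that covers any right not yet
      granted ends the walk with a denial, so ACE order matters
    * an access-allowed ACE for a SID in the token grants its bits; once every
      requested bit has been granted, access is allowed
    * reaching the end with bits outstanding is a denial
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl.aces:
        if ace.flags & INHERIT_ONLY_ACE or ace.sid not in token_sids:
            continue
        if ace.ace_type == ACCESS_DENIED and ace.mask & remaining:
            return False
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


def audit_records(sacl, token_sids, requested, granted):
    """System-audit ACEs in the SACL log attempts that touch their mask, on
    success and/or failure according to the ACE's audit flags."""
    out = []
    for ace in (sacl.aces if sacl else []):
        if ace.ace_type != SYSTEM_AUDIT or ace.sid not in token_sids or not ace.mask & requested:
            continue
        if granted and ace.flags & SUCCESSFUL_ACCESS_ACE_FLAG:
            out.append(("success", ace.sid, requested))
        if not granted and ace.flags & FAILED_ACCESS_ACE_FLAG:
            out.append(("failure", ace.sid, requested))
    return out


def access_check(dacl, sacl, token_sids, requested):
    """The full check: (granted, audit records)."""
    granted = check_access(dacl, token_sids, requested)
    return granted, audit_records(sacl, token_sids, requested, granted)


# Constructed sample descriptor: the deny for Guests comes first, as it must.
DACL = ACL([
    ACE(ACCESS_DENIED, GUESTS, FILE_WRITE_DATA),
    ACE(ACCESS_ALLOWED, USERS, FILE_READ_DATA | READ_CONTROL),
    ACE(ACCESS_ALLOWED, ADMINISTRATORS,
        FILE_READ_DATA | FILE_WRITE_DATA | DELETE | WRITE_DAC | WRITE_OWNER),
])
SACL = ACL([ACE(SYSTEM_AUDIT, EVERYONE, DELETE | WRITE_DAC,
                SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG)])

if __name__ == "__main__":
    print(access_check(DACL, SACL, {ADMINISTRATORS, EVERYONE}, WRITE_DAC))
    print(access_check(DACL, SACL, {USERS, EVERYONE}, DELETE))
```

The point worth checking on any real DACL is the one the ordering test makes: the same three ACEs with the access-allowed entry ahead of the access-denied entry let a token that holds both the Administrators and Guests SIDs write, because the walk stops as soon as the requested bits are satisfied and never reaches the deny.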
43
Automated Tools By Category
  • Enterprise Vulnerability Management
      • Hercules AVR (Citadel)
      • Class 5 AVR (Secure Elements)
  • Vulnerability Assessment
      • Retina Network Security Scanner (eEye)
      • FoundScan Engine (Foundstone)
      • STAT Scanner (Harris)
      • Internet Scanner (ISS)
      • SiteProtector (ISS)
      • System Scanner (ISS)
      • Microsoft Baseline Security Analyzer (Microsoft)
      • IP360 Vulnerability Management System (nCircle)
      • Nessus Scanner (Nessus)
      • SecureScout SP (NexantiS)
      • QualysGuard Scanner (Qualys)
      • SAINT Scanning Engine (Saint)
      • Lightning Console (Tenable)
      • NeWT Scanner (Tenable)
      • WebInspect (SPI Dynamics)
  • Patch Management
      • System Management Server (Microsoft)
      • Windows Update Service (Microsoft)
      • PatchLink (PatchLink)
      • Big Fix (BigFix)
      • UpdateExpert (St. Bernard)
      • HFNetChk (Shavlik)
  • Policy Management
      • Active Directory Group Policy Objects (Microsoft)
      • Security Policy Management (NetIQ)
      • Enterprise Security Manager (Symantec)
      • Compliance Center (BindView)
  • Configuration/Asset Management
      • System Management Server (Microsoft)
      • TME (Tivoli)
      • Unicenter (CA)
      • Enterprise Configuration Manager (Configuresoft)
      • Asset Management Suite (Altiris)

44
Conclusion
  • UNIX vs Windows
      • Easy to control system configuration on UNIX
      • ACLs are much more complex than traditional UNIX-style permissions
      • In basic UNIX, it is impossible to give a number of users different access rights

45
System Security Policy Files
46
Perfect World (almost): A Scenario
  • Anytime a machine joins (or re-joins) the
    corporate network, it is automatically
    quarantined, assessed, and remediated to bring it
    into compliance, prior to gaining access to
    network resources
  • Every night, critical vulnerability and configuration
    compliance checks are performed on all Windows
    desktops and remediated if needed
  • Every Saturday, from 2:00 AM to 3:00 AM, newly
    approved patches are automatically applied to all
    Windows desktops
  • Every Sunday, from 2:00 AM to 3:00 AM, all Windows
    and Unix servers are checked for security policy
    compliance. Selected items are remediated; other
    items generate alerts

47
Perfect World (almost): A Scenario
  • During monthly maintenance intervals, Unix and
    Windows servers are fully patched and rebooted if
    required
  • Monthly, a full, automated network assessment is
    performed to independently scan for
    vulnerabilities
  • Quarterly, remediation policies are reviewed and
    updated to incorporate new vulnerability
    remediations
  • Critical, zero-day remediations are applied where
    needed in the enterprise within an hour of
    notification and remedy availability

48
Contact Information
  • Jim Patterson, CISSP, CBCP, CRM
  • Technology Risk Management
  • Phoenix / Las Vegas
  • (602) 643-1600 (o)
  • (480) 529-9393 (c)
  • (602) 643-1606 (f)

  • Patti Walker
  • Director, Technology Risk Management
  • Phoenix / Las Vegas
  • (602) 643-1600 (o)
  • (480) 734-6960 (c)
  • (602) 643-1606 (f)

Jefferson Wells, A Manpower Company
11811 N. Tatum Blvd., Suite 3076, Phoenix, Arizona 85028