Title: AUDITING and SECURITY Jim Patterson, CISSP, CBCP, CRM Jefferson Wells
1. AUDITING and SECURITY
Jim Patterson, CISSP, CBCP, CRM
Jefferson Wells
2. Introduction
- The goals of Security (CIA)
  - Confidentiality
  - Integrity
  - Availability
  - (They are mutually dependent)
- Avoid Audit Findings
3. Security Considerations
- Identify Assets
  - Network Discovery
  - AD Discovery
  - DHCP and DNS Imports
  - File Import (from existing sources)
- Assess Vulnerabilities
  - How are vulnerability definitions updated, and how frequently
  - Map vulnerabilities to industry/vendor nomenclature
  - Types of vulnerabilities found (configuration and patch)
  - When to do the assessment
4. Security Considerations
- Remediate Vulnerabilities
  - How are remediations updated, and how frequently
  - Configuration and patch-based remediations
  - Use of industry/vendor nomenclature
  - Different remediation policies for different classes of assets
  - Different remediation schedules for different classes of assets
  - Manage rebooting of different classes of assets
5. Secured Network Model
6. Enterprise Architecture
[Architecture diagram. Components shown: Central Console (XP/2000/2003); Distributed Proxy (XP/2000/2003); Reporting Database; DMZ; ODBC and SSL connections; Windows Server (NT, 2000, 2003); XP/2000 desktops; UNIX Server (Solaris, Linux, AIX, HP-UX)]
- System Reach: Mainframe, Windows, UNIX and Linux
7. (No Transcript)
8. System Security Categories
9. Audit and Compliance
[Diagram; labels: System Security, Audit and Compliance]
- Audit and Compliance: security configuration settings, antivirus status, security patch status, personal firewall status, unauthorized software, unauthorized hardware, industry-known vulnerabilities
- Enforcement: access control, patching, risk management, asset management, configuration management
- Audit and Compliance is not focused on
10. Event Management Model
11. Auditing System Components
[Component diagram: a Logger writes the System Log; an Analyzer reads it and produces Higher-level Audit Events; a Notifier turns those into Actions: Email, Popup, Reconfig, Report]
12. Audit System Structure
- Logger
  - Records information, usually controlled by parameters
- Analyzer
  - Analyzes logged information looking for something
- Notifier
  - Reports results of analysis
13. Logger
- Type and quantity of information recorded are controlled by system or program configuration parameters
  - Tuning what is audited
- May be human readable or not
  - If not, viewing tools are usually supplied
- Space available and portability influence the storage format
14. Example: RACF
- Security enhancement package for IBM's MVS/VM
- Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions
- View events with LISTUSERS commands
15. RACF Sample Entry
  USER=EW125004 NAME=S.J.TURNER OWNER=SECADM CREATED=88.004
  DEFAULT-GROUP=HUMRES PASSDATE=88.004 PASS-INTERVAL=30
  ATTRIBUTES=ADSP
  REVOKE DATE=NONE RESUME-DATE=NONE
  LAST-ACCESS=88.020/14:15:10
  CLASS AUTHORIZATIONS=NONE
  NO-INSTALLATION-DATA
  NO-MODEL-NAME
  LOGON ALLOWED (DAYS) (TIME)
  --------------------------------
  ANYDAY ANYTIME
  GROUP=HUMRES AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004
  CONNECTS= 15 UACC=READ LAST-CONNECT=88.018/16:45:06
  CONNECT ATTRIBUTES=NONE
  REVOKE DATE=NONE RESUME DATE=NONE
  GROUP=PERSNL AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004
  CONNECTS= 25 UACC=READ LAST-CONNECT=88.020/14:15:10
  CONNECT ATTRIBUTES=NONE
16. Example: Windows NT
- Different logs for different types of events
  - System event logs record system crashes, component failures, and other system events
  - Application event logs record events that applications request be recorded
  - Security event log records security-critical events such as logging in and out, system file accesses, and other events
- Logs are binary; use Event Viewer to see them
- If a log fills up, the system can be configured to shut down, to disable logging, or to overwrite old entries
- Logging enabled by SACLs and Windows Policy
17. Windows NT Sample Entry
  Date: 2/12/2000        Source: Security
  Time: 13:03            Category: Detailed Tracking
  Type: Success          Event ID: 592
  User: WINDSOR\Administrator
  Computer: WINDSOR
  Description:
    A new process has been created:
      New Process ID: 2216594592
      Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
      Creator Process ID: 2217918496
      User Name: Administrator
      Domain: WINDSOR
      Logon ID: (0x0,0x14B4c4)
- (In Event Viewer this would be in graphical format)
18. Syslog
- De facto standard in Unix and networking
- RFC 3164
- UDP transport
- Log locally or send to a collecting server
- Limited normalization
19. Syslog Format
- PRI field
  - Facility: the part of the system generating the log
    - 0 kernel
    - 2 mail system
    - 6 line printer
  - Severity: a fully ordered list
    - 0 Emergency
    - 3 Error
    - 6 Informational
- Header
  - Time stamp, Host name
- Msg
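The PRI field packs facility and severity into one number (PRI = facility * 8 + severity), so a collector has to unpack it before it can route or prioritize anything. The following parser is an added example, not code from the slides; the log lines it reads are constructed for the example, and the facility and severity tables are the full RFC 3164 lists of which the slide shows a subset.

```python
import re
from dataclasses import dataclass

# Facility and severity names as numbered in RFC 3164 (the slide lists a subset).
FACILITIES = {
    0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "line printer", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv",
    11: "ftp", 16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# <PRI>TIMESTAMP HOSTNAME MSG: the PRI, HEADER and MSG parts of an RFC 3164 packet.
_LINE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str

    @property
    def facility_name(self) -> str:
        return FACILITIES.get(self.facility, f"facility{self.facility}")

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]

def parse_syslog(line: str) -> SyslogMessage:
    """Split one RFC 3164 line into its fields, decoding the PRI number."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    # Facility is PRI // 8; the low three bits are the severity.
    return SyslogMessage(pri >> 3, pri & 7, m.group(2), m.group(3), m.group(4))

def select(lines, max_severity: int):
    """Keep messages at or above a given urgency (lower number = more urgent)."""
    return [p for p in map(parse_syslog, lines) if p.severity <= max_severity]

# Constructed sample traffic (not from the slides).
SAMPLE_LINES = [
    "<34>Jan  9 03:12:44 dbsrv1 su: 'su root' failed for jdoe on /dev/pts/3",
    "<0>Jan  9 03:13:01 dbsrv1 kernel: panic: out of memory",
    "<22>Jan  9 03:13:05 mailhost postfix/smtpd[221]: connect from unknown[203.0.113.7]",
    "<54>Jan  9 03:14:00 prtsrv lpd[77]: job 12 printed",
]

if __name__ == "__main__":
    for p in map(parse_syslog, SAMPLE_LINES):
        print(f"{p.facility_name:13} {p.severity_name:13} {p.host:9} {p.msg}")
```

Because the transport is UDP and the format carries no authentication, the facility and host fields are whatever the sender chose to put there; the parser above validates the syntax, not the origin, which is the "limited normalization" caveat from the previous slide.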
20. Top 10 Things to Audit in a Win2k Domain
- Local Security Policy of one DC
  - 1. Password
  - 2. Lockout policy
  - 3. Audit policy
    - Account Management, Account Logon, System Policy, Policy Changes
    - Failure AND Success!
- Active Directory Users and Computers
  - 4. Important group memberships
    - Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops
    - If the root domain of the forest, also check Enterprise Admins, Schema Admins, DNSAdmins
21. Top 10 Things to Audit in a Win2k Domain
- One or more Domain Controllers
  - 5. Service Pack Level
  - 6. Dangerous Services
- One or more Member Servers
  - 7. Audit Policy
    - Account Logon, Account Management, System Policy, Policy Change
  - 8. Service Pack Level
  - 9. Dangerous Services
  - 10. Administrator account
22. Analyzer
- Analyzes one or more logs
  - Logs may come from multiple systems, or a single system
- May lead to changes in logging
- May lead to a report of an event
23. Examples
- Using swatch to find instances of telnet from tcpd logs
  - /telnet/&!/localhost/&!/.site.com/
- Query set overlap control in databases
  - If too much overlap between current query and past queries, do not answer
- Intrusion detection analysis engine (director)
  - Takes data from sensors and determines if an intrusion is occurring
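The first two analyzer examples above are easy to miss as code: the swatch line is a conjunction of regular expressions ("telnet, and not localhost, and not our own domain"), and overlap control is a rule about set intersection between the current query and every past one. The block below is an added example, not swatch itself nor code from the slides; it evaluates that swatch-style pattern over constructed tcpd log lines and implements query-set overlap control over a constructed salary table.

```python
import re

# Constructed tcpd-style log lines (not from the slides).
TCPD_LOG = [
    "Jan  9 02:11:03 gw in.telnetd[812]: connect from localhost",
    "Jan  9 02:11:45 gw in.telnetd[815]: connect from host7.site.com",
    "Jan  9 02:12:10 gw in.telnetd[819]: connect from 203.0.113.9",
    "Jan  9 02:12:30 gw in.ftpd[823]: connect from 203.0.113.9",
]

def swatch_match(line: str, pattern: str) -> bool:
    """Evaluate a swatch-style conjunction such as /a/&!/b/:
    every /regex/ term must match the line and every !/regex/ term must not."""
    for term in pattern.split("&"):
        negated = term.startswith("!")
        regex = term.lstrip("!").strip("/")
        if bool(re.search(regex, line)) == negated:
            return False
    return True

def external_telnets(lines):
    """The analyzer rule from the slide: telnet, but not from localhost or our domain."""
    return [l for l in lines
            if swatch_match(l, r"/telnet/&!/localhost/&!/\.site\.com/")]

class OverlapControl:
    """Query-set overlap control for a statistical database: refuse a query whose
    set of records overlaps any previously answered query in more than r records,
    so two answers cannot be subtracted to isolate one individual's value."""

    def __init__(self, values: dict, max_overlap: int):
        self.values = values              # record id -> numeric value
        self.max_overlap = max_overlap    # the r of the control
        self.answered: list = []          # query sets already answered

    def sum_query(self, record_ids):
        qs = frozenset(record_ids)
        if any(len(qs & past) > self.max_overlap for past in self.answered):
            return None                   # refused: overlap with a past query too large
        self.answered.append(qs)
        return sum(self.values[r] for r in qs)

# Constructed salary table (not from the slides).
SALARIES = {"alice": 100, "bob": 90, "carol": 120, "dave": 80}

if __name__ == "__main__":
    print(external_telnets(TCPD_LOG))
    db = OverlapControl(SALARIES, max_overlap=1)
    print(db.sum_query(["alice", "bob", "carol"]))   # answered
    print(db.sum_query(["bob", "carol"]))            # refused: would expose alice
```

With r = 1, the second query is refused because answering it would let the asker compute alice's salary as 310 minus the second sum; a real statistical database pairs this with a minimum query-set size so that a one-record query is refused outright.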
24. Notifier
- Informs analyst and other entities of the results of analysis
- May reconfigure logging and/or analysis on the basis of results
25. Examples
- Using swatch to notify of telnets
  - /telnet/&!/localhost/&!/.site.com/   mail staff
- Query set overlap control in databases
  - Prevents response from being given if too much overlap occurs
- Three failed logins in a row disable user account
  - Notifier disables account, notifies sysadmin
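The third example above is the classic notifier: it must track consecutive failures per user, reset on success, take the disabling action exactly once, tell the sysadmin, and (per the previous slide) may also reconfigure logging. The block below is an added example, not code from the slides; the events are constructed, and the disable/notify/reconfigure methods are stand-ins for whatever the real system would do.

```python
from collections import defaultdict

# Constructed login-audit events (not from the slides): (time, user, outcome).
EVENTS = [
    ("09:00:01", "bishop", "fail"),
    ("09:00:05", "bishop", "fail"),
    ("09:00:09", "bishop", "success"),   # streak broken
    ("09:01:00", "mallory", "fail"),
    ("09:01:02", "mallory", "fail"),
    ("09:01:04", "mallory", "fail"),     # third in a row
    ("09:01:10", "mallory", "fail"),     # already disabled: no second notice
]

class Notifier:
    """Acts on analyzer results: disables an account after N consecutive failed
    logins, tells the sysadmin, and asks the logger for more detail on suspects."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.streak = defaultdict(int)   # user -> consecutive failures
        self.disabled = set()
        self.notices = []                # what would be mailed to the sysadmin
        self.verbose_logging = set()     # users for which logging was reconfigured

    def disable_account(self, user: str) -> None:
        # Stand-in for the real action (e.g. locking the account in the directory).
        self.disabled.add(user)

    def notify_sysadmin(self, text: str) -> None:
        # Stand-in for mail/popup; the slide's Actions box.
        self.notices.append(text)

    def reconfigure_logging(self, user: str) -> None:
        # Stand-in for turning up audit detail for this user.
        self.verbose_logging.add(user)

    def handle(self, ts: str, user: str, outcome: str) -> None:
        if outcome == "success":
            self.streak[user] = 0        # "in a row" means a success resets the count
            return
        self.streak[user] += 1
        if self.streak[user] == 1:
            self.reconfigure_logging(user)
        if self.streak[user] >= self.threshold and user not in self.disabled:
            self.disable_account(user)
            self.notify_sysadmin(
                f"{ts}: {self.streak[user]} consecutive failed logins for {user}; "
                f"account disabled")

def run(events, threshold: int = 3) -> Notifier:
    n = Notifier(threshold)
    for ts, user, outcome in events:
        n.handle(ts, user, outcome)
    return n

if __name__ == "__main__":
    n = run(EVENTS)
    print("disabled:", sorted(n.disabled))
    print("\n".join(n.notices))
```

The `user not in self.disabled` guard keeps the notifier from re-disabling and re-mailing on every further failure, which matters because the failed attempts keep arriving after the lockout.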
28. Application Logging
- Application logs are made by applications
  - Applications control what is logged
- Typically use high-level abstractions such as
  - su bishop to root on /dev/ttyp0
- Does not include detailed, system call level information such as results, parameters, etc.
29. System Logging
- Log system events such as kernel actions
- Typically use low-level events
    3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
    3876 ktrace NAMI "/usr/bin/su"
    3876 ktrace NAMI "/usr/libexec/ld-elf.so.1"
    3876 su RET execve 0
    3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
    3876 su RET __sysctl 0
    3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
    3876 su RET mmap 671473664/0x2805e000
    3876 su CALL geteuid
    3876 su RET geteuid 0
- Does not include high-level abstractions such as loading libraries
30. Contrast
- Differ in focus
  - Application logging focuses on application events, like failure to supply a proper password, and the broad operation (what was the reason for the access attempt?)
  - System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?)
- System logs are usually much bigger than application logs
- Can do both and try to correlate them
31. Access Control
Collection of mechanisms that permits managers of a system to exercise a directing influence over the behavior, use and content of the system
- System Access Control
  - Password and other authentication
  - System Auditing
- Discretionary Access Control (DAC)
  - Access Control List
- Mandatory Access Control (MAC)
  - Reference Monitor
32. UNIX File System
- Ordinary files
- Directory files
- Special files
33. Basic Access Control
- From an ls -l command you will see the following mode characters:
  - 1: Type of file
  - 2-4: Owner's permission
  - 5-7: Group's permission
  - 8-10: Others' permission

  PERMISSION       MEANING
  - rwx rwx rwx    File. Everyone can read, write and execute this.
  - rwx r-x r-x    File. Everyone can read and execute this, but only the owner can write to it.
  - r-- r-- ---    File. The owner and everyone in his group can only read this file; others have no access to it.
  d rw- rw- rw-    Directory. Everyone can read and write. No one, including the owner, can traverse it.
  l rwx r-x r-x    Link. The permissions for a link generally do not matter.
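An auditor reviewing listings by hand will miss things like a setuid bit or a directory with rw but no x, so it is worth having the ten-character mode field parsed mechanically. The following parser is an added example, not code from the slides; the listing it reads is constructed. It goes slightly beyond the slide by also accepting the s/S and t/T characters that appear in the execute columns when setuid, setgid or the sticky bit is set.

```python
from dataclasses import dataclass

FILE_TYPES = {"-": "ordinary file", "d": "directory", "l": "symbolic link",
              "c": "character special", "b": "block special",
              "p": "named pipe", "s": "socket"}

@dataclass
class Mode:
    kind: str
    owner: str   # characters 2-4 of the ls -l mode field
    group: str   # characters 5-7
    other: str   # characters 8-10

def parse_mode(s: str) -> Mode:
    """Parse the 10-character mode field shown by ls -l."""
    if len(s) != 10 or s[0] not in FILE_TYPES:
        raise ValueError(f"bad mode string: {s!r}")
    triplets = (s[1:4], s[4:7], s[7:10])
    # The execute column may also carry setuid/setgid (s/S) or the sticky bit (t/T).
    exec_chars = ("x-sS", "x-sS", "x-tT")
    for trip, allowed_x in zip(triplets, exec_chars):
        if trip[0] not in "r-" or trip[1] not in "w-" or trip[2] not in allowed_x:
            raise ValueError(f"bad permission triplet {trip!r} in {s!r}")
    return Mode(FILE_TYPES[s[0]], *triplets)

def allowed(m: Mode, who: str, op: str) -> bool:
    """Does owner/group/other have r, w or x? Lowercase s/t mean x is also set."""
    trip = getattr(m, who)
    return {"r": trip[0] == "r", "w": trip[1] == "w", "x": trip[2] in "xst"}[op]

def octal(m: Mode) -> str:
    """Numeric mode as chmod would take it, e.g. 0755 or 4755 (setuid)."""
    special = (m.owner[2] in "sS") * 4 + (m.group[2] in "sS") * 2 + (m.other[2] in "tT")
    digits = "".join(
        str(allowed(m, who, "r") * 4 + allowed(m, who, "w") * 2 + allowed(m, who, "x"))
        for who in ("owner", "group", "other"))
    return f"{special}{digits}"

def traversable(m: Mode, who: str) -> bool:
    """A directory can only be entered with execute permission; rw alone lets a
    class list and rename entries but not reach what is inside (the slide's d rw- rw- rw- case)."""
    return m.kind == "directory" and allowed(m, who, "x")

def parse_ls_line(line: str):
    """Split one ls -l line into (Mode, owner, group, name)."""
    mode, _links, owner, group, _size, _mon, _day, _time, name = line.split(maxsplit=8)
    return parse_mode(mode), owner, group, name

# Constructed sample listing (not from the slides).
LISTING = [
    "-rwsr-xr-x 1 root  wheel 28672 Jan  9 03:10 /usr/bin/su",
    "drw-rw-rw- 2 alice staff   512 Jan  9 03:11 shared",
    "-r--r----- 1 alice staff  1024 Jan  9 03:12 notes.txt",
]

if __name__ == "__main__":
    for line in LISTING:
        m, owner, group, name = parse_ls_line(line)
        print(f"{name:14} {octal(m)} {m.kind:14} owner={owner} group={group}")
```

The `octal()` form is what a baseline or compliance check would compare against, and a leading digit other than 0 flags a setuid, setgid or sticky entry that deserves a second look.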
34. Access Control List - UNIX
- An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties
- An ACL entry contains
  - Attributes
    - Defines special file modes such as SETUID, SETGID, Sticky bit
  - Base permissions
    - Reflect the basic access rights
  - Extended permissions
    - specify, permit, deny
35. Access Control List
  ACL Entries                                 Description
  1. attributes: setuid, setgid, stickybit    Special file modes.
  2. base permissions                         Standard Unix file permissions.
  3.   owner(owner_user): rwx                 Owner and access rights.
  4.   group(owner_group): r-x                Group and access rights.
  5.   others: r--                            Others' rights.
  6. extended permissions                     Additional ACL entries.
  7.   enabled                                Enabled or disabled.
  8.   permit --x u:some_user, g:some_group   Permits access to the specified user-group combination in a boolean AND manner.
  9.   deny rwx g:a_group                     Forbids access to the specified user-group combination in a boolean AND manner.
36. Auditing
- A feature which provides accountability for all system activities, from file access to network and database
- Each audit event, such as a user login, is formatted into fields such as the event type, user id, file names and time
- Audit events
  - Administrative event class
    - Security administrator events
    - System administrator events
    - Operator events
  - Audit event class
    - Describes the operation of the audit system itself
37. Windows File System
- Supports two file systems
  - FAT (File Allocation Table)
    - File system does not record security information such as owner or access permission of a file or directory
  - NTFS (New Technology File System)
    - Supports a variety of multi-user security models
- NTFS vs FAT
  - Fault tolerance
  - Access Control by directory or file
  - Can compress individual files or directories
  - POSIX support
38. Access Control List - Windows
- Data structure of an ACL
  - ACL Size: number of bytes of memory allocated
  - ACL Revision: revision of the ACL's data structure
  - ACE Count: number of ACEs in the ACL
39. Access Control Entries
- Contains the following access control information
  - A security identifier (SID)
  - An access mask that specifies access rights
  - A set of bit flags that determines which child objects can inherit the ACE
  - A flag that indicates the type of ACE
40. ACE Types
- 3 Generic types
  Type             Description
  Access-denied    Used in a DACL to deny access.
  Access-allowed   Used in a DACL to allow access.
  System-audit     Used in a SACL to log attempts to access.
- 3 Object-specific ACE types
  Type                              Description
  Access-denied, object-specific    Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
  Access-allowed, object-specific   Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
  System-audit, object-specific     Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.
41. Access Rights
- Generic Access Rights
  Constant in Win32 API   Meaning
  GENERIC_ALL             Read, write, and execute access
  GENERIC_EXECUTE         Execute access
  GENERIC_READ            Read access
  GENERIC_WRITE           Write access
- Standard Access Rights
  Constant in Win32 API   Meaning
  DELETE                  The right to delete the object.
  READ_CONTROL            The right to read the information in the object's security descriptor, not including the information in the SACL.
  SYNCHRONIZE             The right to use the object for synchronization. Some object types do not support this access right.
  WRITE_DAC               The right to modify the DACL in the object's security descriptor.
  WRITE_OWNER             The right to change the owner in the object's security descriptor.
- Other rights: SACL access rights, object-specific access rights, user rights
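The ACE types, SIDs and access masks of the last three slides come together in the access check: the DACL is walked in order, an access-denied ACE for one of the caller's SIDs that covers any requested right ends the check, and access-allowed ACEs accumulate rights until every requested bit is granted. The block below is an added example of that walk, not code from the slides or from Windows itself. The access-mask constants are the real Win32 values; the generic-to-specific mapping is a simplified assumption for a file-like object, and the user SIDs and the DACL are constructed.

```python
from dataclasses import dataclass

# Real Win32 access-mask constants: standard rights, three file rights, generic rights.
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = (
    0x10000, 0x20000, 0x40000, 0x80000, 0x100000)
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x0001, 0x0002, 0x0020
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = (
    0x80000000, 0x40000000, 0x20000000, 0x10000000)
STANDARD_RIGHTS = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | SYNCHRONIZE

# Assumption: a simplified generic-to-specific mapping for a file-like object
# (the real FILE_GENERIC_* values also include attribute and EA bits).
GENERIC_MAPPING = {
    GENERIC_READ: FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
    GENERIC_WRITE: FILE_WRITE_DATA | READ_CONTROL | SYNCHRONIZE,
    GENERIC_EXECUTE: FILE_EXECUTE | READ_CONTROL | SYNCHRONIZE,
    GENERIC_ALL: FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE | STANDARD_RIGHTS,
}

# Well-known local group SIDs; the user SIDs further down are constructed.
ADMINISTRATORS, USERS, GUESTS = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-546"

@dataclass(frozen=True)
class ACE:
    kind: str     # "access-allowed" or "access-denied" (system-audit ACEs live in the SACL)
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

def map_generic(mask: int) -> int:
    """Replace GENERIC_* bits with the object-specific rights they stand for."""
    for generic, specific in GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def access_check(dacl, token: Token, desired: int):
    """Walk the DACL in order the way the Windows access check does.
    Returns (granted, reason). A NULL DACL grants everything, an empty DACL
    grants nothing, the first matching access-denied ACE that covers a requested
    right denies, and allowed rights accumulate until all requested are granted."""
    if dacl is None:
        return True, "NULL DACL: object is unprotected"
    desired = map_generic(desired)
    identities = token.group_sids | {token.user_sid}
    granted = 0
    for ace in dacl:
        if ace.sid not in identities:
            continue
        mask = map_generic(ace.mask)
        if ace.kind == "access-denied" and mask & desired:
            return False, f"denied by access-denied ACE for {ace.sid}"
        if ace.kind == "access-allowed":
            granted |= mask & desired
            if granted == desired:
                return True, "all requested rights granted"
    return False, "DACL exhausted without granting all requested rights"

def is_canonical(dacl) -> bool:
    """Explicit deny ACEs must precede allow ACEs; in a mis-ordered DACL an allow
    ACE can satisfy the request before the deny is ever examined."""
    seen_allow = False
    for ace in dacl or []:
        if ace.kind == "access-allowed":
            seen_allow = True
        elif seen_allow:
            return False
    return True

# Constructed DACL: Guests denied write, Users allowed read, Administrators everything.
SAMPLE_DACL = [
    ACE("access-denied", GUESTS, GENERIC_WRITE),
    ACE("access-allowed", USERS, GENERIC_READ),
    ACE("access-allowed", ADMINISTRATORS, GENERIC_ALL),
]
ALICE = Token("S-1-5-21-1000-2000-3000-1105", frozenset({USERS}))
GUEST = Token("S-1-5-21-1000-2000-3000-501", frozenset({USERS, GUESTS}))
ADMIN = Token("S-1-5-21-1000-2000-3000-500", frozenset({USERS, ADMINISTRATORS}))

if __name__ == "__main__":
    for name, tok, want in [("alice", ALICE, FILE_WRITE_DATA), ("guest", GUEST, FILE_WRITE_DATA),
                            ("admin", ADMIN, DELETE | WRITE_DAC)]:
        print(name, access_check(SAMPLE_DACL, tok, want))
```

Two audit points fall out directly: a NULL DACL and an empty DACL look similar in a listing but mean opposite things, and a non-canonical DACL (allow before deny) is a finding even when every individual ACE looks reasonable.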
42. How Access Control Works?
43. Automated Tools By Category
- Enterprise Vulnerability Management
  - Hercules AVR (Citadel)
  - Class 5 AVR (Secure Elements)
- Vulnerability Assessment
  - Retina Network Security Scanner (eEye)
  - FoundScan Engine (Foundstone)
  - STAT Scanner (Harris)
  - Internet Scanner (ISS)
  - SiteProtector (ISS)
  - System Scanner (ISS)
  - Microsoft Baseline Security Analyzer (Microsoft)
  - IP360 Vulnerability Management System (nCircle)
  - Nessus Scanner (Nessus)
  - SecureScout SP (NexantiS)
  - QualysGuard Scanner (Qualys)
  - SAINT Scanning Engine (Saint)
  - Lightning Console (Tenable)
  - NeWT Scanner (Tenable)
  - WebInspect (SPI Dynamics)
- Patch Management
  - System Management Server (Microsoft)
  - Windows Update Service (Microsoft)
  - PatchLink (PatchLink)
  - Big Fix (BigFix)
  - UpdateExpert (St. Bernard)
  - HFNetChk (Shavlik)
- Policy Management
  - Active Directory Group Policy Objects (Microsoft)
  - Security Policy Management (NetIQ)
  - Enterprise Security Manager (Symantec)
  - Compliance Center (BindView)
- Configuration/Asset Management
  - System Management Server (Microsoft)
  - TME (Tivoli)
  - Unicenter (CA)
  - Enterprise Configuration Manager (Configuresoft)
  - Asset Management Suite (Altiris)
44. Conclusion
- UNIX vs Windows
  - Easy to control system configuration on UNIX
  - ACLs are much more complex than traditional UNIX-style permissions
  - In basic UNIX, it is impossible to give a number of users different access rights
45. System Security Policy Files
46. Perfect World (almost): A Scenario
- Anytime a machine joins (or re-joins) the corporate network, it is automatically quarantined, assessed, and remediated to bring it into compliance, prior to gaining access to network resources
- Every night, critical vulnerability configuration compliance checks are performed on all Windows desktops and remediated if needed
- Every Saturday, from 2:00 AM to 3:00 AM, newly approved patches are automatically applied to all Windows desktops
- Every Sunday from 2:00 AM to 3:00 AM, all Windows and Unix servers are checked for security policy compliance. Selected items are remediated; other items generate alerts
47. Perfect World (almost): A Scenario
- During monthly maintenance intervals, Unix and Windows servers are fully patched and rebooted if required
- Monthly, a full, automated network assessment is performed to independently scan for vulnerabilities
- Quarterly, remediation policies are reviewed and updated to incorporate new vulnerability remediations
- Critical, zero-day remediations are applied where needed in the enterprise within an hour of notification and remedy availability
48. Contact Information
- Jim Patterson, CISSP, CBCP, CRM
  - Technology Risk Management
  - Phoenix / Las Vegas
  - (602) 643-1600 (o)
  - (480) 529-9393 (c)
  - (602) 643-1606 (f)
- Patti Walker
  - Director, Technology Risk Management
  - Phoenix / Las Vegas
  - (602) 643-1600 (o)
  - (480) 734-6960 (c)
  - (602) 643-1606 (f)
Jefferson Wells, A Manpower Company, 11811 N. Tatum Blvd., Suite 3076, Phoenix, Arizona 85028