Your SlideShare is downloading. ×
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
HP-UX RBAC Audsys Setup by Dusan Baljevic
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

HP-UX RBAC Audsys Setup by Dusan Baljevic

296

Published on

HP-UX RBAC Audsys Setup

HP-UX RBAC Audsys Setup

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
296
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
18
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 2012 HP-UX 11i Preliminary RBAC and Auditing Setup Page 1
  • 2. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 2012 Document Information Document Name: HP-UX 11i Preliminary RBAC Auditing Assessment and Setup October 2012 Document Version No: Dusan Baljevic Prepared By: 1.1 Preparation Date: 8 October 2012 Distribution List From Date Phone/Fax Dusan Baljevic 8 October 2012 0412 041 715 To Action* Due Date Phone/Fax Inform Action Types: Approve, Review, Inform, File, Action Required, Attend Meeting, Other (please specify) Modification History Version Owner Date Description 1.0 Dusan Baljevic 8 October 2012 New document 1.1 Dusan Baljevic 22 October 2012 Updates 1. Introduction.....................................................................................................................................4 2. SSH with RBAC and Keystroke Logging............................................................................................5 Page 2
  • 3. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 2012 3. RBAC Setup with Privileged Shell.....................................................................................................6 4. Basic Security Recommendations....................................................................................................7 5. HP-UX Auditing Setup......................................................................................................................8 6. Disable HP-UX Auditing..................................................................................................................10 7. View Audit Logs.............................................................................................................................11 8. Web-Based Audit Reporting..........................................................................................................13 9. General Guidelines for HP-UX Auditing.........................................................................................15 Page 3
  • 4. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 1. 2012 Introduction This document serves as a template for setting up basic Role Based Access Control (RBAC), keystroke logging, and auditing, as per brief requirements provided by XYZ. The scope of the project can be extended in the future. Page 4
  • 5. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 2. 2012 SSH with RBAC and Keystroke Logging Starting with the HP-UX RBAC B.11.31.05.01 and HP-UX SSH A.05.90 releases, keystroke logging when enabled now will successfully create a keystroke log file for a SSH login session. The HP-UX RBAC Keystroke logging feature is only supported on HP-UX 11iv3. Installation of RBAC release B.11.31.05.01 installs RBACExt and RBAC patch: # swlist -l product |grep -i rbac PHCO_41859 1.0 rbac cumulative patch RBAC B.11.31 HP-UX Role-based Access Control RBACExt B.11.31.05.01 HP-UX Role-based Access Control Extensions The steps to configure RBAC keystroke logging for SSH sessions: • Add libpam_keystroke.so.1 library to 'sshd' service. Note: it can be added to other services as needed: # vi /etc/pam.conf ... # Session management # sshd session required sshd session required sshd session optional • libpam_hpsec.so.1 libpam_unix.so.1 libpam_keystroke.so.1 Modify RBAC configuration file rbac.conf to support keystroke logging and define logging location: # vi /etc/rbac/rbac.conf ... # Keystroke Logging enabled: If this flag is set to 1, then keystroke # logging is enabled on the system, otherwise it is disabled. KEY_STROKE_LOGGING = 1 # Location of keystroke log file: An administrator may specify the # directory location in where the keystroke logs should reside. # If this location is not specified, the default is "/var/adm/rbac". KEY_STROKE_LOCATION = /var/adm/rbac # Banner page logging: The banner page will be logged if the below # flag set to 1; otherwise, it will not be captured in the log file. # The default is to omit the banner. KEY_STROKE_BANNERPAGE_LOG_ENABLE = 1 • Set key filter. An example: # vi /etc/rbac/key_filter newadm:*:dflt:dflt:ks_all • Ssh into the server as user newadm and run some commands. • Check log file. For example, for user newadm: # more /var/adm/rbac/klog-newadm-ssh-Mon_Oct_22_2012_12:41:16-8933 Page 5
  • 6. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 3. • 2012 RBAC Setup with Privileged Shell Create a new system administrator account and set the Shell as /usr/bin/privsh or /usr/bin/privksh (depending on the company’s policy of default Shells): # groupadd wheel # useradd -g wheel -s /usr/bin/privksh -m newadm # passwd newadm # roleadm assign newadm Administrator # cat /etc/rbac/user_role root: Administrator newadm: Administrator • Set up commands that newadm will be allowed through RBAC in command file /etc/rbac/cmd_priv: # vi /etc/rbac/cmd_priv For example, enable these lines to add new users: /usr/sbin/useradd :0/0// :dflt :dflt :dflt : • :dflt :(hpux.user.add,*) The permissions of the RBAC command file must not be restrictive to allow read access: # ls -als /etc/rbac/cmd_priv 48 -r--r--r-- • 1 root sys 18546 Feb 10 2011 /etc/rbac/cmd_priv To test it, log in as user newadm and try to add a new user: newadm$ useradd myfriend privksh: useradd: not found newadm$ /usr/sbin/useradd myfriend The last command is successful because full path to command is used. Page 6
  • 7. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 4. 2012 Basic Security Recommendations Some very simple recommendations follow. More comprehensive report can be provided as part of a separate engagement. • To disable direct root access unless logged via console. Set up file /etc/securetty with one line in it: console • Disable direct root access via ssh. Edit /etc/opt/ssh/sshd_config: PermitRootLogin no • Disable all insecure protocols in /etc/inetd.conf. The security can further be increased by editing /var/adm/inetd.sec. • To restrict who can su(1M) to root: edit /etc/default/security: SU_ROOT_GROUP=wheel Then, simply add all admin accounts to Unix group wheel. The name of Unix group is arbitrary (historically set to wheel). • Root’s home directory should be /root, not / (which should be restricted through permissions 700). • Daemon flags for inetd to set up correctly in /etc/rc.config.d/netdaemons (flag "-p" to limit number of processes). • Daemon flags for inetd to set up correctly in /etc/rc.config.d/netdaemons (flag "-a" to enable user-level auditing of processes). • Daemon flags for inetd to set up correctly in /etc/rc.config.d/netdaemons (flag "-l" to enable logging). • Account root is set up with password expiration. • And many other possible improvements. Page 7
  • 8. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 5. 2012 HP-UX Auditing Setup To enable auditing on the HP-UX 11i system, follow these steps: 1. To audit all users, set the following in /etc/default/security: AUDIT_FLAG=1 Or, to enable auditing per user, the userdbset(1M) command can be used: # userdbset -u newadm AUDIT_FLAG=1 (enable auditing for newadm) # userdbset –d -u newadm AUDIT_FLAG (disable auditing for newadm) 2. Create customized auditing configuration file /etc/audit/audit_site.conf (it is one single line). The list of events can be more comprehensive – it depends on business requirements: PROFILE XYZ = EVENT login, EVENT moddac, EVENT create, EVENT delete, EVENT modaccess, EVENT open, EVENT close, EVENT admin PROFILE Supplement = EVENT readdac, EVENT process, EVENT removable 3. To audit according to policy XYZ, enter the following command: # audevent -P -F -r XYZ 4. Use the audevent(1M) command with no options to display a list of events and system calls that are currently configured for auditing. 5. Set the audevent(1M) /etc/rc.config.d/auditing file: AUDITING=1 PRI_AUDFILE=/var/.audit/audtrail PRI_SWITCH=1000 SEC_AUDFILE=* SEC_SWITCH=0 NTHREADS=1 AUDEVENT_ARGS1="-P -F -r XYZ" AUDEVENT_ARGS2="" AUDEVENT_ARGS3="" AUDEVENT_ARGS4="" AUDOMON_ARGS="-p 20 -t 1 -w 90 -o /var/adm/syslog/syslog.log -X '/usr/bin/scp -R /var/.audit/audtrail* remsrv:/var/.audit/auditbackup'" The last line above creates a specific syslog entry and then copies audit logs to remsrv into /var/.audit/audit-backup directory whenever a new audit trail file is created. The maximum size of the primary audit trail (log file) is based on observed monitoring of the activity on the server: PRI_SWITCH=1000 (the size is in Kbytes) 6. Start the auditing system, or reboot the server: # /sbin/init.d/auditing start Page 8
  • 9. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 2012 7. The entries in /var/adm/syslog/syslog.log look like: audit system approaching AuditFileSwitch point. current audit trail size = 905 kilobytes. Use -X option to schedule a task at each switch point to archive and backup current audit trail, and make sure file system not to become full. audomon: auto-switch to /var/.audit/audtrail.20121022_1220 was successful. audomon: auto-switch to /var/.audit/audtrail.20121022_1221 was successful. 8. To check the current auditing status, after some activity on the server, it might look like: # audsys auditing system is currently on current trail: /var/.audit/audtrail.20121022_1221 next trail: none statisticsafs Kb used Kb avail % fs Kb used Kb avail % current trail: 1000 703 30 12288000 5643048 54 next trail: none auditing system is actively writing to 1 file(s) # ps -ef | grep audomon root 3151 1 0 12:04:08 ? 0:00 /usr/sbin/audomon -p 20 -t 1 -w 90 -o /var/adm/syslog/syslog.log # ll /var/.audit total 0 drwx-----drwx-----drwx------ 2 root 2 root 2 root sys sys sys 96 Oct 22 12:04 audtrail 96 Oct 22 12:20 audtrail.20121022_1220 96 Oct 22 12:21 audtrail.20121022_1221 The audit trails (binary log files) are automatically created once the maximum size/threshold is reached. There is no need to run a script or cron job for it. Page 9
  • 10. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 6. 2012 Disable HP-UX Auditing To disable auditing on the system, follow these steps: 1. Stop system auditing using the following command: # audsys -f 2. Set the AUDITING flag to 0 in the /etc/rc.config.d/auditing file to prevent the auditing system from starting when the system is rebooted. 3. (Optional) Stop the audomon daemon. One method: # kill `ps -e | awk '$NFS~ /audomon/ {print $1}'` Page 10
  • 11. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 7. 2012 View Audit Logs The audisp(1M) command will be obsolete in a future release. Invoking /usr/sbin/auditdp -r audit_trail produces the same output as /usr/sbin/audisp audit_trail. The following options are available with the audisp command: -f -p -c system_call -t -s -u user-name -l terminal-name -e event-name > file-name Displays failed events only Displays successful events only. Displays the selected system call Display events that occurred after the given time Displays events that occurred before the given time Displays information for a specific user Displays information for a specific terminal Displays information for the given event Writes output to specified file It can take a few minutes to prepare the record for viewing when working with large audit logs. When viewing the audit data, be aware of the following anomalies: • Audit data can appear inaccurate when programs that collect data for auditable system calls supply incorrect parameters. The audit data shows what the user program passed to the kernel. For example, calling the kill system call with no parameters produces unpredictable values in the parameter section of the audit record. • System calls that take file name arguments may not have device and inode information properly recorded. The values will be -1 if the call does not complete successfully. • Auditing the superuser while changing the event or system call audit parameters will result in a long audit record. For example, when you add an event type to be audited, a record will be produced for each event type and system call that has been enabled for audit, not just for the new event type being added. Some examples of commands: • Display the log output on the screen: # /usr/sbin/audisp /var/.audit/audtrail/spu0.log • Direct the log output to /tmp/mylogoutput: # /usr/sbin/audisp /var/.audit/audtrail/spu0.log > /tmp/mylogoutput • View successful events only: # /usr/sbin/audisp -p /var/.audit/audtrail/spu0.log • View activities owned by user newadm: # /usr/sbin/audisp -u newadm /var/.audit/audtrail.20121022_1237 • View login events only: Page 11
  • 12. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 2012 # /usr/sbin/audisp -e login /var/.audit/audtrail.20121022_1220 The better command is auditdp(1M) in the newer versions of auditing. An example for login auditing: # auditdp -r /var/.audit/audtrail.20121022_1220 -s "+event=login" Example of exporting auditing trail to standard output and appending the same data into syslog: # auditdp -r /var/.audit/audtrail.20121022_1220 -P -o follow -O sync | /opt/audit/AudReport/bin/audit_p2l | tee -a /var/adm/syslog/syslog.log Example of exporting auditing trail to file /tmp/myfile: # auditdp -r /var/.audit/audtrail.20121022_1220 -P -o follow -O sync | /opt/audit/AudReport/bin/audit_p2l >/tmp/myfile Page 12
  • 13. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 8. 2012 Web-Based Audit Reporting Note that these scripts in /opt/audit/AudReport directory, depending on the version of the software installed on HP-UX servers, might need minor modifications! Modify the Shell script /opt/audit/AudReport/bin/audreport_setup_web # vi /opt/audit/AudReport/bin/audreport_setup_web The following four lines had to be changed on my test server: HTPASSWD_EXE=/opt/hpws22/apache/bin/htpasswd APACHE_CTL=/opt/hpws22/apache/bin/apachectl HTTPD_CONF=/opt/hpws22/apache/conf/httpd.conf /sbin/init.d/hpws22_apache start The original ones were: HTPASSWD_EXE=/opt/hpws/apache/bin/htpasswd APACHE_CTL=/opt/hpws/apache/bin/apachectl HTTPD_CONF=/opt/hpws/apache/conf/httpd.conf /sbin/init.d/hpws_apache start Secondly, ensure that Apache web server is started: # vi /etc/rc.config.d/hpws22_apacheconf HPWS22_APACHE_START=1 Then, simply run: # /opt/audit/AudReport/bin/audreport_setup_web By default, the username to access the web reports is: # cat /var/opt/audit/AudReport/.htpasswd audreport_admin:Rd4heCHXvEWh2 # /opt/audit/AudReport/bin/audreport_generator NOTE: HTTP_ALIAS is not specified. Assuming /audreport_web. NOTE: REPORTS_FILENAME is not specified. Assuming index.html. NOTE: REPORTS_LOCATION is not specified. Assuming /var/opt/audit/AudReport. NOTE: STYLESHEETS_LOCATION is not specified. Assuming /opt/audit/AudReport/xslts. NOTE: REPORT_STYLE is not specified for the report "passwd_change_history". Assuming audreport_generic.xsl. NOTE: REPORT_STYLE is not specified for the report "user_account_history". Assuming audreport_generic.xsl. NOTE: REPORT_STYLE is not specified for the report "file_ownership_change_history". Assuming audreport_generic.xsl. Generating reports ...... Generated reports are now available at: http://<hostname>/audreport_web/index.html Here is a screenshot of a web-based report: Page 13
  • 14. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 2012 Page 14
  • 15. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 9. 2012 General Guidelines for HP-UX Auditing • Check the audit logs according to the security policy. For example, a security policy might state that an online audit file should be retained for at least 24 hours and all audit records stored offline should be retained for a minimum of 30 days. • Review the audit log for unusual activities, such as: late hours login, login failures, failed access to system files, and failed attempts to perform security-relevant tasks. • Prevent the overflow of the audit file by archiving on a regular basis. • Ensure that when the required data retention period has ended, the logs are retired by destroying them according to the organization's data destruction policies. • Revise current selectable events periodically, especially after installing new releases of HP-UX, since new system calls are often introduced in new releases. • Revise audited users periodically. • Do not follow any pattern or schedule for event or user selection. • Audit trails (binary log files) must never be part of root file system (/). Typically, they should be saved under /var. • Set site guidelines. Involve users and management in determining these guidelines. • If the audit data volume is expected to be high, configure audit trails on a logical volume consisting of multiple physical disks and multiple physical I/O cards. Use the -N option with audsys command to split the audit trail into multiple files. • Frequently accessed data, such as production data, must be available online. Data not requiring as frequent or ready access such as back-up data can be stored off-line. Use the auditdp command to filter on-line data to remove unnecessary information. This enables you to keep the audit file at a manageable size and keep the less interesting information in off-line, backup storage. For example, use auditdp to filter only login and logout events from one month’s audit trail. If you need to access other records, you can recover them from off-line backup tapes. • Ensuring the confidentiality, integrity, and availability of logs is very important: 1 2 3 4 5 Logging mechanisms must neither be deactivated nor compromised to provide business continuity of logging services in the event of an incident. Ensure that log files cannot be edited or deleted. Generally only administrators and auditors must have access to log files for review and management only. All privileged user (the administrator and auditor) access must be logged and reviewed thoroughly and frequently by others outside that user domain. 6 Page 15
  • 16. HP-UX 11iv3 Preliminary RBAC and Auditing Setup 7 8 9 0 1 10 0 1 2012 Communications must be protected with mechanisms such as encryption (for example, HP-UX IPSec and SSL). Protect the confidentiality and integrity of log files using either message digests or encryption or digital signatures. Provide adequate physical protection for logging mechanisms and stored logs by preventing unauthorized physical access. Page 16

×