Practical, efficient unix auditing with scripts

Technical audits of Unix operating system controls can scare auditors, especially if the scope is a flavor of Unix with which the auditor is not 100% comfortable. But operating system audits are the bread and butter of most IS auditors. In almost every technical audit an IS auditor performs there is some level of inspection at the operating system level. Auditors therefore need the skills to audit the technical components of an operating system, whether or not they have a strong background in that operating environment. In this presentation James Tarala, a senior instructor with the SANS Institute, provides a practical, step-by-step approach to auditing Unix operating systems. Students will not only gain a better understanding of the audit process for these technical controls; they will walk out of the presentation with access to an audit script to assist them in their efforts.

1. Practical, Efficient Unix Auditing (with Scripts)
James Tarala, Enclave Security

2. Why Audit an Operating System?
• Data is stored and processed by operating systems
• Operating system audits are one of the most common types of audits most IS auditors will ever perform
• Mis-configurations in operating systems are one of the primary causes of data loss in systems

3. Common Operating System Audits
• When an auditor audits any of the following types of systems, the audit starts with the operating system:
  – Workstations
  – File servers
  – E-mail servers
  – Web servers
  – Active Directory servers
  – Oracle / Microsoft SQL servers
  – Application servers
  – And many more…

4. Examples of Missing Controls
• Operating system mis-configurations can lead to data loss or realization of risk
• Operating systems provide controls to limit risk, but they must be properly configured and audited regularly
• Each of the following is an example of a potential risk:
  – Windows file system configured as FAT32 (no file-level permissions at all)
  – Windows systems storing passwords in LM hash format
  – UNIX server storing password hashes in the world-readable /etc/passwd instead of /etc/shadow
  – Telnet enabled on a UNIX system (credentials and sessions cross the network in clear text)
  – Anti-malware software disabled on a system
5. System Baselines
• Ideally, before any system is placed into production, a baseline of the system's known-good configuration is created
• Definition: "Baselines are used to define the configuration of a product or system established at a specific point in time." – Microsoft TechNet
• Organizations decide on appropriate controls and then implement them in their "known good" system baseline
• Baselining becomes one of the most powerful techniques in the auditor's tool chest

6. Simple Baseline Process
A simple baseline process would be to:
  1. Establish what a normal, known-good baseline of the system should be in any area
  2. Create a current snapshot of the system
  3. Compare the current snapshot of the system to the established known-good baseline
  4. Analyze the results for differences
  5. Report on the results, recommending that all differences are either documented (accepted) or remediated
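The five steps above as a script. This is an added example, not code from the presentation or from Enclave Security: it assumes a snapshot is a plain text file with one "key=value" fact per line (the key names and values in the sample files are made up for the illustration), treats the approved snapshot as the baseline, and reports every fact that was added, removed or changed, which is the list the auditor asks to have documented or remediated.

```shell
#!/bin/sh
# Added example, not part of the original slides: the five-step baseline
# process as a script. A snapshot is a text file with one "key=value" fact per
# line (the key names below are made up for this example); the baseline is the
# approved snapshot. The report lists facts that were added, removed or changed
# and ends with a summary count, which is what the auditor reports on.

# baseline_diff BASELINE CURRENT
# Prints sorted ADDED / REMOVED / CHANGED lines, then "SUMMARY differences=N".
# Comment and blank lines are ignored. Assumes the baseline file has at least
# one line (awk's NR==FNR idiom needs that) and each key appears once per file.
baseline_diff() {
    report=$(LC_ALL=C awk '
        /^[[:space:]]*(#|$)/ { next }                      # skip comments/blanks
        { i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1) }
        NR == FNR { base[k] = v; next }                    # first file: baseline
        { cur[k] = v }                                     # second file: snapshot
        END {
            for (k in base) {
                if (!(k in cur)) print "REMOVED " k "=" base[k]
            }
            for (k in cur) {
                if (!(k in base)) print "ADDED " k "=" cur[k]
                else if (base[k] != cur[k]) print "CHANGED " k ": " base[k] " -> " cur[k]
            }
        }' "$1" "$2" | LC_ALL=C sort)
    n=$(printf '%s\n' "$report" | grep -c . || true)
    [ -n "$report" ] && printf '%s\n' "$report"
    printf 'SUMMARY differences=%s\n' "$n"
}

# write_sample_snapshots DIR: constructed baseline and current snapshot for
# illustration only; nothing here was collected from a real host.
write_sample_snapshots() {
    cat > "$1/baseline.txt" <<'EOF'
# known-good baseline, approved before go-live
os.kernel=2.6.32-220.el6.x86_64
net.hostname=web01
net.ip.eth0=10.1.2.10
svc.listen.tcp=22,80,443
svc.sshd=running
svc.telnet=disabled
pkg.count=412
EOF
    cat > "$1/current.txt" <<'EOF'
os.kernel=2.6.32-220.el6.x86_64
net.hostname=web01
net.ip.eth0=10.1.2.10
svc.listen.tcp=22,23,80,443
svc.sshd=running
svc.telnet=running
pkg.count=415
pkg.extra=nc
EOF
}

# Demo: the drift shows telnet enabled, port 23 open and an extra package.
work=$(mktemp -d)
write_sample_snapshots "$work"
baseline_diff "$work/baseline.txt" "$work/current.txt"
rm -rf "$work"
```

Keying on the fact name rather than diffing whole lines is what lets the report say "changed" instead of one removed line plus one added line, and sorting the output makes two runs comparable as evidence.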
7. Where to Start an OS Audit
• Before we start to consider individual security settings, the first thing to do is gather general information about the system being audited
• This first step is gathering an inventory and demographics of the subject of the audit
• This information should then be compared to the system's original baseline and analyzed
• The value of the auditor is the ability to both gather and analyze the data that is collected

8. Data Gathering Tips / Philosophies
• Use built-in commands whenever you can
• Limit the changes you make to the system in order to gather information (including installing software)
• Use tools that can export to standard formats (CSV and XML formats are preferred)
• Provide external tools to data custodians in advance to review and approve prior to running
• Give data custodians instructions on how to run the tools and ask for the output files

9. Initial Baselines to Request
• To perform this portion of the audit, an auditor should request the following system baselines:
  – System business definitions
  – Operating system information baseline
  – Network configuration baseline
  – Hardware inventory baseline
  – Installed / running services baseline
  – Installed software application baseline
  – Installed security application baseline

10. What if there are no baselines?
• Then the first audit recommendation is that baselines are created for the system being audited
• Auditors should still gather the same information as if baselines were already documented
• The organization being audited may want to use this data as the start of a new baseline for the system
• With no baselines or documentation, auditors will have to rely on their experience and best practices to analyze potential recommendations for this system
11. Collect Business Data
• Auditors should answer the question: what is the business purpose of the system being audited?
• Control objective: Each system should have a clear business purpose and a defined business owner
• Define the following:
  – Business purpose
  – Primary data owner(s)
  – Primary data custodian(s)
  – Data classification / sensitivity level
• No automated tools exist for gathering this data

12. Collect Operating System Information
• Auditors need to gather information about the operating system that is installed on the subject system
• Control objective: Only authorized operating systems should be running on systems
• Specifically, auditors should gather:
  – Operating system vendor
  – Operating system version
  – Service packs installed (if any)
  – Missing software patches (if any)
13. Collecting OS Info in UNIX
• Audit evidence to collect:
  – Output from the "uname -a" command (kernel name, release, version and architecture)
  – Output from the vendor release file where one exists (e.g. /etc/os-release, /etc/redhat-release) and from the platform's patch-status command (e.g. "yum check-update", "apt-get -s upgrade"), which is what shows the missing patches

14. Collect Network Demographics
• Auditors need to gather general network demographics about the system being audited
• Control objective: All systems should be documented in an inventory database
• Data points to collect are:
  – Host name
  – Number / speed / type of network adapters
  – IP address(es) (static / dynamic)
  – MAC address(es)
  – Network location

15. Collecting Network Info in UNIX
• Audit evidence to collect:
  – Output from the "hostname" command
  – Output from the "ifconfig -a" command (on newer Linux distributions "ip addr show" replaces it; both list every adapter with its IP and MAC addresses)

16. Collect Hardware Inventory
• Auditors need to perform a hardware inventory on the system being audited to understand its physical characteristics
• Define the following characteristics:
  – Make / model / form factor of system
  – Number / size / type of physical hard disks
  – Number / size / file system of logical volumes
  – Number / speed / type of processors
  – Amount / type of installed memory
  – Inventory of peripheral devices
  – Number / type of power supplies

17. UNIX Hardware Inventory
• Audit evidence to collect:
  – Output from the "lspci" command
  – Output from the "lshw" command (not native; installing it conflicts with the tip to avoid adding software, so prefer data already on the host such as /proc/cpuinfo, /proc/meminfo and "df -h" for logical volumes)

18. Inventory Installed / Running Services
• Auditors should understand which services are installed and which services are running on the system
• Control objective: Only authorized services should be enabled on a system
• Each of the following is an example:
  – File and printer sharing
  – Web services
  – Mail services
  – Database services
  – Network services
  – Custom applications

19. Service Inventory on UNIX
• Audit evidence to collect:
  – Output from the "ps aux" command (running processes)
  – Output from the "netstat -an" command (all sockets, numeric addresses); on Linux "netstat -tulpn" run as root also shows which process owns each listening port, and "ss -lntup" is the replacement where netstat has been removed

20. Inventory Installed Software
• Auditors should identify what software is installed on the system being audited
• Control objective: Only authorized software should be running on the organization's systems
• Inventory all software, including:
  – Office document software
  – PDF reader / creation software
  – Line-of-business applications
  – Multimedia applications
  – Command interpreters / processors
  – System or maintenance utilities
  – Personal or unauthorized applications

21. Inventory Security Software
• Auditors should identify what security software (if any) is utilized by the system being audited
• Control objective: Only authorized software should be running on the organization's systems
• For example:
  – Anti-malware software
  – Whitelisting software
  – File integrity assessment software
  – Host-based firewall / IDS / IPS software
  – Whole-disk encryption software
  – Backup software agents
  – Any other installed security software

22. UNIX Software Inventory
• Audit evidence to collect:
  – Output from the "rpm -qa" command on RPM-based systems, which lists the installed packages ("rpm -Va -v" instead verifies every installed package's files against the RPM database, reporting changed checksums, sizes, owners and permissions; that is a file-integrity check rather than an inventory, and worth collecting as well when time allows)
  – Output from the inventory command for the UNIX flavour being audited (e.g. "dpkg -l" on Debian/Ubuntu, "pkg_info" on the BSDs, "pkginfo" on Solaris 10)
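The collection steps from slides 13 through 22 as one script the data custodian can run and hand back, following the data-gathering tips (built-in commands only, nothing installed, one output file). This is an added example, not the presentation's script: the section headers, the evidence-file layout and the helper names (section, first_of, collect_evidence) are this example's own conventions, and a command that is absent on the host is recorded as missing rather than installed.

```shell
#!/bin/sh
# Added example, not part of the original slides: collect the OS, network,
# hardware, service and software evidence from the preceding slides with
# built-in commands only, writing everything to one evidence file that the
# data custodian can run and hand back. Nothing is installed or changed; a
# command that is absent on this Unix is recorded as missing. The section
# headers and file layout are this example's own convention.

# section FILE LABEL COMMAND [ARGS...]: append one labelled section. A missing
# command or a non-zero exit never aborts the collection run.
section() {
    f=$1; label=$2; shift 2
    printf '\n=== %s: %s ===\n' "$label" "$*" >> "$f"
    if command -v "$1" > /dev/null 2>&1; then
        "$@" >> "$f" 2>&1 || printf '(exit status %s)\n' "$?" >> "$f"
    else
        printf '(command not available on this host)\n' >> "$f"
    fi
}

# first_of CMD...: print the first command that exists (per-Unix variants).
first_of() {
    for c in "$@"; do
        if command -v "$c" > /dev/null 2>&1; then echo "$c"; return 0; fi
    done
    return 1
}

# collect_evidence FILE: gather all sections into FILE and write FILE.sha256
# so the copy handed to the auditor can be tied to the one that was produced.
collect_evidence() {
    ev=$1
    printf 'evidence collected %s by %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(id -un)" > "$ev"
    # Slide 13: operating system
    section "$ev" os uname -a
    section "$ev" os cat /etc/os-release        # Linux; recorded as an error elsewhere
    # Slide 15: network demographics
    section "$ev" net hostname
    case $(first_of ifconfig ip || true) in
        ifconfig) section "$ev" net ifconfig -a ;;
        ip)       section "$ev" net ip addr show ;;   # replaces ifconfig on newer Linux
        *)        printf '\n=== net: no ifconfig or ip command ===\n' >> "$ev" ;;
    esac
    # Slide 17: hardware, without installing lshw
    section "$ev" hw lspci
    section "$ev" hw cat /proc/cpuinfo
    section "$ev" hw cat /proc/meminfo
    section "$ev" hw df -hP
    # Slide 19: running processes and open sockets
    section "$ev" svc ps aux
    case $(first_of netstat ss || true) in
        netstat) section "$ev" svc netstat -an ;;
        ss)      section "$ev" svc ss -an ;;
        *)       printf '\n=== svc: no netstat or ss command ===\n' >> "$ev" ;;
    esac
    # Slide 22: installed software; the package manager depends on the flavour
    # (rpm -qa lists packages; rpm -Va from the slide verifies their files)
    case $(first_of rpm dpkg-query pkg_info || true) in
        rpm)        section "$ev" sw rpm -qa ;;
        dpkg-query) section "$ev" sw dpkg-query -W ;;
        pkg_info)   section "$ev" sw pkg_info ;;
        *)          printf '\n=== sw: no known package manager ===\n' >> "$ev" ;;
    esac
    # Fingerprint the finished file for the audit working papers
    case $(first_of sha256sum shasum openssl || true) in
        sha256sum) sha256sum "$ev" > "$ev.sha256" ;;
        shasum)    shasum -a 256 "$ev" > "$ev.sha256" ;;
        openssl)   openssl dgst -sha256 "$ev" > "$ev.sha256" ;;
        *)         printf '(no checksum tool found)\n' > "$ev.sha256" ;;
    esac
}

# Demo: collect into a temporary file and show which sections were gathered.
out=$(mktemp)
collect_evidence "$out"
grep '^=== ' "$out"
printf 'evidence: %s (checksum in %s.sha256)\n' "$out" "$out"
```

Send the custodian the script in advance for review, as slide 8 recommends, and ask for both the evidence file and its .sha256 back; the checksum is what lets the parsing done later on the auditor's machine be tied to the file that was actually produced on the host.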
23. Auditing User Accounts
• The next step is to ensure that only authorized user accounts are present on the system
• Control objective: Only authorized user accounts should be present on a system
• Both accounts for actual people and system service accounts should be examined
• All workforce member types should be included
• Unauthorized accounts lead to unauthorized access, which leads to data disclosure
• Auditing for only authorized accounts helps to limit the risk of such data disclosure

24. UNIX / Linux Local Accounts
• Audit evidence to request:
  – Output from the "cat /etc/passwd" command (world-readable; the second field should be "x" or "*", meaning the hash lives in /etc/shadow)
  – Output from the "cat /etc/shadow" command (optional; readable only by root, so the data custodian must run it, and because it contains the password hashes the output must be handled as sensitive evidence)

25. Auditing Groups & Group Memberships
• Auditors also need to validate whether only authorized groups are present on the system
• Auditors should also validate that the membership of all groups has been properly authorized
• Control objective: Only authorized groups should be present on a system, and only authorized users should be members of each group
• Unauthorized groups, or unauthorized accounts in groups, lead to unauthorized access, which leads to data disclosure
• Auditing for only authorized groups helps to limit the risk of such data disclosure

26. UNIX / Linux Local Groups
• Audit evidence to request:
  – Output from the "cat /etc/passwd" command (the fourth field is each account's primary group ID)
  – Output from the "cat /etc/group" command (the file is /etc/group, not /etc/groups; the fourth field lists the supplementary members)
• To list every account together with all of its groups on the live system:
    for u in $(cut -d: -f1 /etc/passwd); do printf '%s:' "$u"; groups "$u"; done | sort
27. Auditing User & Group Permissions
• One of the most important areas an auditor can evaluate is the permissions assigned to users and groups
• Control objective: Users and groups should only be assigned authorized permissions to system objects
• This is not a "fun" area to audit; the process can be quite tedious
• But this is one of the most relied-upon controls for actually hardening an operating system, and one of the most often configured incorrectly
• As with many of the other steps in this section, it is nearly impossible to perform without baselines

28. Viewing UNIX / Linux Permissions
• Audit evidence to request:
  – Output from the "ls -al" command for the directories in scope ("ls -alR" recurses; "find / -type f -perm -4000" lists setuid files and "find / -type f -perm -0002" world-writable files, which are the objects most worth checking first)
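Turning "ls -al" evidence into findings, as an added example that is not the presentation's script. It assumes a baseline that records expected modes as "path mode" lines in octal (the format is this example's own), converts the symbolic mode that ls prints into that octal form, lists setuid/setgid files, world-writable files and directories (sticky-bit directories such as /tmp are excluded, since that is the sanctioned use of world-writable) and unowned files, and compares the baseline against the live tree. The sample tree and its modes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original slides: turn "ls -al" evidence into
# findings. mode_octal converts the symbolic mode ls prints into the octal form
# baselines usually record; perm_findings lists setuid/setgid files,
# world-writable objects (sticky-bit directories excluded) and unowned files;
# check_expected_modes compares a "path mode" baseline against the live tree.
# The sample tree is constructed for the demo.

# mode_octal PATH: e.g. "4755" for -rwsr-xr-x, "1777" for drwxrwxrwt.
mode_octal() {
    ls -ld "$1" | LC_ALL=C awk '{
        s = substr($1, 2, 9); bits = 0; special = 0
        for (i = 1; i <= 9; i++) {
            c = substr(s, i, 1)
            bits = bits * 2 + (c != "-" && c != "S" && c != "T" && c != "l")
        }
        if (substr(s, 3, 1) ~ /[sS]/) special += 4    # setuid
        if (substr(s, 6, 1) ~ /[sSl]/) special += 2   # setgid
        if (substr(s, 9, 1) ~ /[tT]/) special += 1    # sticky
        printf "%d%03o\n", special, bits
    }'
}

# perm_findings ROOT: one line per finding, prefixed with its type.
perm_findings() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SETUID_SETGID /'
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) | sed 's/^/WORLD_WRITABLE /'
    find "$1" \( -nouser -o -nogroup \) | sed 's/^/UNOWNED /'
}

# check_expected_modes SPEC: SPEC holds "path mode" lines (paths without spaces);
# reports MISSING paths and MODE_MISMATCH where the live mode differs.
check_expected_modes() {
    while read -r path mode; do
        case $path in ''|\#*) continue ;; esac
        if [ ! -e "$path" ]; then printf 'MISSING %s\n' "$path"; continue; fi
        actual=$(mode_octal "$path")
        [ "$actual" = "$mode" ] || printf 'MODE_MISMATCH %s expected=%s actual=%s\n' "$path" "$mode" "$actual"
    done < "$1"
}

# make_sample_tree DIR: constructed tree with one example of each condition.
make_sample_tree() {
    d=$1
    mkdir -p "$d/etc" "$d/bin" "$d/tmp" "$d/share" "$d/www/upload"
    : > "$d/etc/passwd";      chmod 644  "$d/etc/passwd"
    : > "$d/etc/shadow";      chmod 400  "$d/etc/shadow"     # baseline below wants 0000
    : > "$d/bin/su";          chmod 4755 "$d/bin/su"         # empty file, setuid bit only
    : > "$d/share/notes.txt"; chmod 666  "$d/share/notes.txt"
    chmod 1777 "$d/tmp"                                       # world-writable but sticky: allowed
    chmod 777  "$d/www/upload"                                # world-writable, no sticky: finding
    printf '%s/etc/passwd 0644\n%s/etc/shadow 0000\n%s/etc/group 0644\n' "$d" "$d" "$d" > "$d/expected-modes.txt"
}

work=$(mktemp -d)
make_sample_tree "$work"
perm_findings "$work"
check_expected_modes "$work/expected-modes.txt"
rm -rf "$work"
```

Parsing the symbolic mode from ls rather than calling stat keeps the conversion identical on Linux, BSD and Solaris, where stat's flags differ, which matters when the same check has to run against evidence from several Unix flavours.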
29. Automating Audits with Lynis
• One free script to start with to automate these audits is Lynis
• Free tool, created to help auditors evaluate Unix security
• General tool demographics:
  – Author: Michael Boelen
  – Website: http://www.rootkit.nl
  – Latest version (at the time of this presentation): 1.3.0
  – Supported OSs: Arch Linux, CentOS, Debian, Fedora Core 4 and higher, FreeBSD, Gentoo, Knoppix, Mac OS X, Mandriva 2007, OpenBSD 4.x, OpenSolaris, OpenSuSE, PcBSD, PCLinuxOS, Red Hat, RHEL 5.x, Slackware 12.1, Solaris 10, Ubuntu
Practical, Efficient Unix Auditing (With Scripts) © Enclave Security 2012

30. Getting Started with Lynis

31. Starting the Lynis Script

32. Lynis Results

33. Lynis Results (cont.)
34. Parsing Lynis Output
• One option is to ask a sysadmin to run the script and give you the output file /var/log/lynis-report.dat
• The output file is a text file and can easily be parsed
• It can be parsed from any Unix system as long as you have the output file as audit evidence
• Each line is "key=value"; keys that can occur more than once are written as "key[]=value", one line per element
• For example, the following command lists only the warnings detected by the Lynis script. The square brackets must be escaped: an unescaped "[]" starts a bracket expression in sed's regular expression and the command fails with an unterminated "s" command. Anchoring on "^warning[]=" also keeps other keys that merely contain the word "warning" out of the result:
    grep '^warning\[\]=' /var/log/lynis-report.dat | sed 's/^warning\[\]=//'

35. Other Lynis Parsing Commands
• MAC address:
    grep '^network_mac_address\[\]=' /var/log/lynis-report.dat | sed 's/^network_mac_address\[\]=//'
• Installed packages:
    grep '^installed_package\[\]=' /var/log/lynis-report.dat | sed 's/^installed_package\[\]=//'
• Loaded kernel modules:
    grep '^loaded_kernel_module\[\]=' /var/log/lynis-report.dat | sed 's/^loaded_kernel_module\[\]=//'
• Log directories:
    grep '^log_directory\[\]=' /var/log/lynis-report.dat | sed 's/^log_directory\[\]=//'
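A small parser for the lynis-report.dat layout the two slides above grep through, so the same evidence file can be queried by key instead of with one hand-written sed pipeline per key. This is an added example, not code from the presentation or from the Lynis project: it assumes only the "key=value" and "key[]=value" line forms shown in the slides and that warning and suggestion values carry "|"-separated fields with the test identifier first, as the slides' warning lines do. The sample report is constructed for this example and its test identifiers are placeholders, not real Lynis test IDs.

```shell
#!/bin/sh
# Added example, not part of the original slides: query a lynis-report.dat
# style file by key. Lines are "key=value" for single values and "key[]=value"
# repeated once per element; warning and suggestion values are "|"-separated
# with the test identifier first. The sample report below is constructed and
# its test identifiers are placeholders, not real Lynis test IDs.

# lynis_get FILE KEY: print every value stored under KEY (scalar or array form).
lynis_get() {
    LC_ALL=C awk -v key="$2" '
        index($0, key "=") == 1 || index($0, key "[]=") == 1 {
            print substr($0, index($0, "=") + 1)
        }' "$1"
}

# lynis_findings FILE KIND: KIND is "warning" or "suggestion"; prints "ID: text".
lynis_findings() {
    lynis_get "$1" "$2" | LC_ALL=C awk -F'|' '{ print $1 ": " $2 }'
}

# lynis_count FILE KEY: number of values under KEY (0 when absent).
lynis_count() {
    lynis_get "$1" "$2" | LC_ALL=C awk 'END { print NR }'
}

# lynis_summary FILE: one line the auditor can drop into the working papers.
lynis_summary() {
    printf 'warnings=%s suggestions=%s packages=%s kernel_modules=%s\n' \
        "$(lynis_count "$1" warning)" "$(lynis_count "$1" suggestion)" \
        "$(lynis_count "$1" installed_package)" "$(lynis_count "$1" loaded_kernel_module)"
}

# write_sample_report FILE: constructed report in the key=value / key[]=value
# style; values are illustrative, not taken from a real scan.
write_sample_report() {
    cat > "$1" <<'EOF'
report_version_major=1
hostname=web01
os=Linux
network_mac_address[]=00:0c:29:3a:5b:7e
network_mac_address[]=00:0c:29:3a:5b:88
installed_package[]=openssh-server-5.3p1
installed_package[]=telnet-server-0.17
installed_package[]=httpd-2.2.15
loaded_kernel_module[]=ext4
loaded_kernel_module[]=ipv6
log_directory[]=/var/log
log_directory[]=/var/log/httpd
warning[]=AUTH-0001|Password hash found in /etc/passwd|-|
warning[]=NETW-0002|Telnet service is listening on port 23|-|
suggestion[]=SSH-0003|Disable root login over SSH|-|
EOF
}

report=$(mktemp)
write_sample_report "$report"
lynis_findings "$report" warning
lynis_get "$report" installed_package
lynis_summary "$report"
rm -f "$report"
```

Matching on the key at the start of the line with index() rather than grepping for the word is what keeps "os" from also returning "os_version", the same class of mistake the unanchored grep on the previous slide makes.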
36. Next Steps to Consider
• Once you are done with these steps, there is always more you can do to audit
• Other areas you may also want to consider are:
  – Governance, Risk, Compliance (GRC) controls
  – Physical security controls
  – System performance audits
  – External network scanning (Nmap)
  – Vulnerability scanning with commercial tools
  – Service-specific audits (Apache, BIND, Sendmail, etc.)

37. Further Questions
• James Tarala
  – E-mail: james.tarala@enclavesecurity.com
  – Twitter: @isaudit, @jamestarala
  – Blog: http://www.enclavesecurity.com/blogs/
• Resources for further study:
  – SANS Audit Program – Audit 407 in Las Vegas (Sept 2012)
  – SANS Audit Program – Audit 566 in Virginia (Aug 2012)
  – Classic Shell Scripting (Arnold Robbins & Nelson Beebe)
  – bash Cookbook (Carl Albing, JP Vossen, & Cameron Newham)
  – sed & awk (Dale Dougherty & Arnold Robbins)
