1 / 105

Creating, Using and Justifying the Auditor's Toolkit

Creating, Using and Justifying the Auditor's Toolkit. Welcome General announcements. Creating, Using and Justifying the Auditor's Toolkit. ISACA Presentation April 2003 Ed Capizzi. Schedule etc. Breakfast Intro, admin & Methodology Outside – In tools Unix Lunch Windows Hands on.

Download Presentation

Creating, Using and Justifying the Auditor's Toolkit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Creating, Using and Justifying the Auditor's Toolkit • Welcome • General announcements

  2. Creating, Using and Justifying the Auditor's Toolkit ISACA Presentation April 2003 Ed Capizzi

  3. Schedule etc. • Breakfast • Intro, admin & Methodology • Outside – In tools • Unix • Lunch • Windows • Hands on

  4. Administrivia • Location information • Pagers and cell phones • Fire escapes • Food • Start stop times • Location of restrooms • General room rules and mood

  5. Assumptions • Auditors have all the front end time & field work time they need • Auditors have large budgets for tools and training • Auditors always get full cooperation of and unlimited access to audit areas • No one minds being audited • You are already experts on everything

  6. Real World Assumptions • You have to become an expert at everything FAST (or at least brush up!) • You need something you can apply now • You probably run a WinTel based machine • You probably don't have admin / root level access (of your own) to the systems you audit • You have to be part tech, part teacher, part politician • Even “free, industry best practices” require some selling

  7. Real World Assumptions • This is one way to do things, not THE way • Linux (for this presentation) is RedHat • Solaris (for this presentation) is 2.6 • HP (for this presentation) is 11.x

  8. Our Approach • Learn to fish • Basics, basics, basics • Keep it simple • Inside out, Outside in • Creative use of “indigenous resources” (utilities included in the existing OS) • Audits (& auditors) must be “environmentally friendly and low impact”

  9. Our Approach 1. Subsystem(s) involved 2. Best practice examples/settings 3. Ramifications of settings or principles 4. How to sell to administrators and management 5. Which tool to use to accomplish which task

  10. 15 Main Areas • Account Policies 9) Remote Access • Auditing 10) Scheduled Tasks • Device Drivers 11) System Info • Drives 12) Services • Event Log 13) Shares • Printer Permissions 14) Trusted Relationships • Processes 15) Users & Groups • Registry

  11. Account Policies What are the tools? • admintool (gui-Solaris) • /etc/default/passwd (sun) • /etc/passwd • sam (gui-HP) /etc/passwd • userconf or redhat-config-users (gui Red Hat Linux) • /etc/passwd (linux) What can they tell us?

  12. Account Policies What can they tell us*: o login name o encrypted password o numerical user ID o numerical group ID o reserved gecos ID o initial working directory o program to use as shell BUT WE WANT MORE!

  13. Account Policies To get more, the system has to be using: shadow passwords (Solaris / Linux) /etc/shadow or “trusted system” (HP) /tcb/files/auth/ More on this later, stay tuned...

  14. Account Policies Where are the files? (review) Standard systems /etc/default/passwd (Sun) /etc/passwd (HP & Linux) Shadowed or trusted systems /etc/default/passwd (Sun) /etc/passwd (Sun & Linux) /tcb/files/auth/ (HP)

  15. SAM

  16. Sam

  17. Sam

  18. Linuxconf

  19. Linuxconf

  20. Auditing • user logon / logoff • system restart, start up, shutdown • object access

  21. Auditing Linux • /etc/syslog.conf • /var/log/messages Sun • /etc/syslog.conf • /var/adm/message HPUX • /etc/syslog.conf • /var/adm/syslog/syslog.log

  22. Auditing Linux & HP dmesg -boot diagnostics & messages Sun prtdiag Cool tool alert!!! Rosetta Stone for Unix!

  23. Rosetta Stone for Unix

  24. Auditing lastb

  25. Auditing • last

  26. Auditing • dmesg

  27. Auditing • HPUX “Trusted System” • passwords moved from /etc/passwd • All users must have a password • Check /etc/rc.config.d/auditing & /sbin/rc2.d/S760auditing./etc/rc.config.d/auditing for auditing control parameters. • /tcb/files/ttys • uid of user log into terminal, logins & unsuccessful logins.

  28. Auditing A.K.A Setting up syslog!

  29. Syslog.conf • Simple text file with format of daemon.loglevel <Tab> log target mail.* /var/log/daemon.log -rw------- 1 root root 702093 Mar 17 17:56/var/log/messages Owned by root (rw) • 'log' group (r) (if needed) • 'other' group not permissions # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console

  30. Syslog.conf (con't) # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Save mail and news errors of level err and higher in a # special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log

  31. Syslog logging Levels • emerg System is unusable • alert Action must be taken NOW • crit Critical conditions • err Error conditions • warning Warning conditions • notice Normal but significant • info FYI • debug More than you want to know (Programmers only)

  32. Syslog targets • /path/to/file Message appended to the given file • @loghost Sent to syslog server on 'loghost' server • * Message written to all loged in users • user1,user2 Message written to user1 & user2 • /dev/console Message written to named ttys • | /path/to/name_pipe Message written to named pipe

  33. Device Drivers • How the system handles hard drives, keyboards or any other peripheral attached to the system • located in /dev • Character Device • communicate in echoed characters • Block Devices • communicate in 512 or 1024 blocks of data • Faster access

  34. Devices • The device type is indicated by the first character in the permission block. i.e. crw--w--w- 1 root root 4, 1 Jul 19 13:26 tty1 crw--w--w- 1 root root 4, 2 Jul 19 13:26 tty2 Major device number – identifies the device driver number Minor device number – identifies the device number

  35. Devices • device permissions are important! • /dev/kmem = kernel memory • /dev/hda1 =hard disk • access to this may allow dump of disk files bypassing /etc/passwd • use groups and sudo

  36. Drives • mount – to show what is mounted • df- k, df -h to see free space • etc/fstab (/etc/vfstab - Solaris) to see file system mount point descriptions description of /dev/dsk -vs- /dev/rdsk

  37. Local-vs-remote • mount • /etc/fstab • /etc/dfs/dfstab share lists all current shares (Sun) exportfs -v lists all current shares (HP & Linux) nfsstat NFS performance statistics (HP & Sun)

  38. Event Log • Syslog (and /etc/syslog.conf) /var/log/messages Linux /var/adm/messages HP & Sun tail and / or grep Ask if Swatch or logcheck may be running

  39. Printer Permission • /etc/hosts.lpd = hosts that can print • You can also put in /etc/hosts.equiv but that opens them to use rservices too! • lpadmin (solaris) lsR -al /etc/lp Linux • cat /etc/printcap.local • shows all local printers • printtool (gui) • Hpux – lpadmin • /etc/lp/* • /var/adm/lp*

  40. Processes • Before we begin.. Policy Best Practices Goals of Security

  41. init Process init is always process #1 (all other things that happen before this are actually part of the kernel or kernel process) The “system father task” that propagates all child processes needed for operation. Configuration file: /etc/inittab

  42. /etc/inittab • Defines the default run level • id:5:initdefault: • strt:3:initdefault: • Executes and process entries that have sysinit in the action field (so that any special initialisation takes place before the users log in). • Defines processes for specific run levels • rebt:6:wait:/etc/init.d/announce restart identifier:runlevel processed at:the action:the process

  43. Runlevels • 0 – Shutdown or halt the system • 1 – Single user (administrative) mode • 2 – Basic Multi user mode (all daemons, no NFS) • 3 – Multi User Mode (all daemons and NFS) • 4 - Reserved • 5 – Reboot the system (passing through runlevel 0) • S or s – single user mode all file systems mounted and accessible • 6 Shut down the machine /reboot

  44. Run Levels con't How do I display the current runlevel? • HP & Solaris • # who -r • run-level 3 Feb 28 10:55 30S • current run level date and time of run level change current run levelnumber of times at this run level since last rebootprevious run level • Linux • # /sbin/runlevel • N 5 or 3 5 (none before and now 5 or 3 before and 5 now)

  45. rc scripts Run Control Scripts exist for each run level Scripts start and/or stop all processes needed to put system into appropriate Run Level S start, K kill (stop) • processed sequentially 0-99

  46. Solaris rc scripts Run Control Scripts exist for each run level • /sbin/rc • directory for each script • /sbin/rc3 -> /etc/rc3.d/ • S15nfs.server

  47. Linux rc scripts Run Control Scripts exist for each run level • /etc/rc.d/rc.local • /etc/rc.d/rc# • directory for each script • /etc/rc.d/rc3 • K20nfs

  48. rc scripts Run Control Scripts exist for each run level

  49. HP rc scripts Run Control Scripts exist for each run level • /sbin/rc#.d • directory for each script • /sbin/rc3.d/ K20nfs

  50. Processes • ps -aef • ps -aux • inet.d /etc/inetd.conf • how to start, & stop /etc/init.d/name start or stop, restart • /proc directory cd /proc/proc#; ls

More Related