Establishing effective audit control objectives for UNIX

26 214 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 26
Dung lượng 398,5 KB

Các công cụ chuyển đổi và chỉnh sửa cho tài liệu này

Nội dung

Deloitte & Touche refers to Deloitte & Touche LLP and related entities.San Francisco Chapter Establishing Effective Audit Control Objectives for UNIX Morning Session Rick Allen CISSP Man

Page 1

©2000 Deloitte & Touche LLP. Deloitte & Touche refers to Deloitte & Touche LLP and related entities.

San Francisco Chapter

Establishing Effective Audit Control Objectives for UNIX

Morning Session

Rick Allen, CISSP, Manager, Strategic Security Services
Ricallen@deloitte.com

Page 2

Course Introduction

Overview
- Security audit technology presented at an advanced, fast-paced level

Audience
- Security Officers, Internal Auditors, and Systems Implementers in organizations that rely upon complex networked Unix systems environments

Page 3

Course Objectives

At the end of the course the student will:

1. Enhance understanding of Unix & network systems security & audit issues
2. Understand Unix default systems & network configurations
3. Identify key objectives and tasks in planning a Unix audit, including basic shell commands used in the audit
4. Understand basic and intermediate Unix control objectives
5. Build Unix control objectives into a more effective audit plan
6. Develop a detailed control activities testing matrix for the Unix audit

Page 4

Morning Course Agenda

Over the next three hours we will learn about:

1. Audit planning considerations in reviewing Unix and network systems environments
2. Approaching Unix systems architecture from a security and audit point of view
3. Understanding the associated security risks & impact of default Unix systems environments
4. Understanding the basis of Unix & TCP/IP control objectives

Page 5

Context & Expectation Management

I.T. Audit Roles, Responsibilities & Member Perceptions

1. Unix professionals find limited value in traditional audit approaches
2. Enhancing levels of technical credibility in the Unix audit program is key to success
3. Elements of a successful integrated audit approach include enhanced client relations and communications
- To become effective in leveraging the integrated audit approach, the auditor should gain insights into member perceptions

Page 6

Context & Expectation Management

I.T. Audit Roles, Responsibilities & Member Perceptions

4. Traditional audit approaches are best suited for auditing application-level control assurance to obtain overall control reliance strategies
5. Integrated audit approaches are best suited for auditing critical infrastructure controls against industry and security best practices
6. Delivering integrated audit approach plans establishes audit as a value-added consultant while protecting the independence of governance and oversight roles

Page 7

Unix Audit Considerations

1. The hacker who breaks into a system will probably be someone known to the organization
  - "Inside jobs" & sabotage
  - Planting time & logic bombs
  - Changing root passwords on critical systems; recovery is problematic
  - If you are hacked you probably do not care by whom or for what motivation
2. Trust no one, or be careful about whom you are required to trust
  - Large, simple webs of trust betray weaknesses in the network
3. Don't trust yourself, or verify everything you do
  - Stop, think & verify!

Page 8

Unix Audit Considerations

4. Make would-be intruders believe they will be caught
  - Information is the merchandise of the computer age
  - Means to deter must be visible, such as banners and messages
  - Technical and operational countermeasures must be transparent for maximum effectiveness
5. Protect in layers
  - The hacker's electronic playbook runs the various system and network layers
  - To provide security you must forward-deploy adequate protection controls
  - Understand defense-in-depth concepts: single controls are not resilient, but as a group they provide multiple layers of defense

Page 9

Unix Audit Considerations

6. While planning your security strategy, presume the complete failure of any single security layer
  - A properly designed, layer-protected system, application or service should presume a complete or temporary failure of one layer of security
7. Make security a part of the initial design
  - It's always more difficult to retrofit than to
  - Unix systems are shipped with all network services enabled and default permissions

Page 10

Unix Audit Considerations

9. Before connecting, understand and secure
  - No matter how urgent, make the time to assess security prior to production release of tools, applications and features
  - Holistic security practices can enable the business case and mitigate risk while meeting time-to-market objectives
10. Prepare for the worst
  - Assume that hackers are already scheming to break into your site
  - Preparation will diminish the security risk of intrusion and compromise
  - Quantify risk in dollar-loss terms

Innovative thinking about security systems administration & integrating the audit approach

Page 11

Unix Architecture Principles

- Minimize number of failure points (shorten & limit critical paths)
- Includes minimum security baseline configurations
- Keep services close to those being served
- Act locally, communicate globally
- Vertically align services with applications, function and mission
- Network partitioning

Page 12

Unix Systems Architecture

What is an architecture?
- The collection of elements that work together to fulfill the intended objective
- The Unix operating system is a vast array of elements, each providing a feature or function of the architecture

Examples:
- A software development platform connected to an interactive service provider
- connect various system types over global geographies
- Your organization's interactive services & applications: B2B, B2C and so on

Page 13

Sample Systems Architecture

(Diagram; labelled elements: Unix Web Servers, Internal Unix Clients, Unix Clients, Internet, Interior Router, Interior Network Switch)

Page 14

Unix Systems Architecture

Simple vs Complex Architectures?

A hacker, when given a choice, would choose a complex system or cluster of systems in an architecture to attack, for the following…
- Complex systems inherently contain more components and targets of interest
- Complex systems have a greater likelihood that poor or misconfigured designs are present
- A poorly designed or misconfigured element can be an invitation to attack or exploitation
- Attacks against complex systems are more likely to go unnoticed

Yet attacks are often directed at simple architectures to gain additional footholds

Page 15

Unix Core Architecture

Unix is made of three core elements
- Kernel is the heart of the Unix operating system
  - Its role includes managing memory usage, system hardware and software
  - Its low-level language is below the shell syntax, which maintains processes
- Shell is a higher-level language handling command interpretation and syntax parsing
  - Shell syntax is used to develop scripts that provide high-level programming functionality
  - Common shells include the C Shell, Korn Shell and Bourne Shell

Page 16

Unix Core Architecture

The File System
- File systems in Unix divide into 3 categories: directories, ordinary files, special files

(Diagram: / root - system level, with entries .profile, /mail, /pers, /games, /bin, /data)

Page 17

Unix Core Architecture

The Basic File System

(Diagram: / root - system level, with entries /unix, /etc, /dev, /tmp, /lib, /usr, /bin)

- /unix is the kernel
- /etc contains sysadmin files; most are available to regular users. It also contains the passwd file. Other files in /etc include:

Page 18

Unix Core Architecture

The Basic File System

- /dev – contains files for physical devices such as printers and disk drives
- /tmp – temporary files
- /lib – directory that contains programs for high-level languages
- /usr – this directory contains directories for each user on the system
- /bin – contains commands and executable programs

Page 19

Unix Core Architecture

Basic File System Navigation 1

(Diagram: / root - system level)

To go back one directory up, type:

$ cd ..

Typing cd with no argument returns you to your home directory.

Page 20

Unix Core Architecture

Basic File System Navigation 2

(Diagram: / root - system level)

Page 21

Unix Core Architecture

Basic File System Navigation 3

(Diagram: / root - system level)

$ ls -l
total 60
-rwxr-x---  5 john  bluebox  10 April  9  7:04 mail
drwx------  7 john  bluebox  30 April  2  4:09 pers

Note: the "total 60" tells you the amount of disk space used in the directory.

The first column is read in 3 groups of 3, after the leading file-type character:
- The first group specifies the permissions of the user (owner), the second for the group, the third for others.

Page 22

Unix Core Architecture

Basic File System Navigation 4

(Diagram: / root - system level)

The chmod command changes the permissions of a directory or a file. You can use symbolic or octal notation:

$ chmod o+r mail
OR
$ chmod 754 mail

$ ls -la mail
-rwxr-xr--  5 john  bluebox  10 April  9  7:04 mail
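As an added worked example (not from the original slides), the POSIX shell script below turns the mode column of ls -l into the three-digit octal form that chmod takes, and then confirms on a throwaway file that chmod o+r and chmod 754 reach the same -rwxr-xr-- state from the -rwxr-x--- starting point shown above. The function names perm_to_octal, mode_of and demo_chmod are this example's own, and the file it modifies is created under mktemp rather than in a home directory.

```shell
#!/bin/sh
# Added example (not part of the original deck): reading an ls -l mode
# string and checking that symbolic and octal chmod agree.

# perm_to_octal MODESTRING
# Converts the 10-character mode column of ls -l (e.g. -rwxr-x---) into
# three octal digits: user, group, other. The leading character is the
# file type and is skipped; setuid/setgid/sticky are counted as execute.
perm_to_octal() {
    mode=$1
    total=""
    for start in 2 5 8; do                    # the three groups of three
        group=$(printf '%s' "$mode" | cut -c "$start-$((start + 2))")
        n=0
        case $group in r??) n=$((n + 4));; esac
        case $group in ?w?) n=$((n + 2));; esac
        case $group in ??[xst]) n=$((n + 1));; esac
        total="$total$n"
    done
    printf '%s\n' "$total"
}

# mode_of FILE
# Reads the mode column back from ls, so the check uses the same view an
# auditor sees on the slide (the first ten characters of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c 1-10
}

# demo_chmod
# Creates a scratch file, sets it to the slide's -rwxr-x--- starting state,
# applies chmod o+r, resets, applies chmod 754, and prints all three modes.
demo_chmod() {
    dir=$(mktemp -d)
    f="$dir/mail"
    : > "$f"
    chmod 750 "$f"                            # -rwxr-x---, as on the slide
    before=$(mode_of "$f")
    chmod o+r "$f"                            # symbolic form
    symbolic=$(mode_of "$f")
    chmod 750 "$f"                            # back to the starting state
    chmod 754 "$f"                            # octal form
    octal=$(mode_of "$f")
    rm -rf "$dir"
    printf '%s %s %s\n' "$before" "$symbolic" "$octal"
}

perm_to_octal '-rwxr-x---'   # prints 750
demo_chmod                   # prints: -rwxr-x--- -rwxr-xr-- -rwxr-xr--
```

Both chmod forms land on the same mode because o+r only sets the read bit in the "others" group, which is exactly the difference between 750 and 754; the octal form is the one to record in an audit workpaper because it states all nine bits rather than a delta.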

Page 23

Unix Core Architecture

Key Concepts to keep in mind
- Virtually all information stored on a Unix system is stored in the file system
- The file system consists of the operating system (kernel), system files, application programs and data
- Device files such as memory, disks and peripherals are actually part of the file system
- File system permission and access controls are provided for all files, including networking and device files
- Example: the indirect device reference /dev/dsk/c0t3d0s0 is actually a logical link to /devices/iommu@f,e0000000/sbus@f,e0001000/espdma@f,800000/sd@3,0:a

Page 24

Unix Core Elements & Systems Defaults

Why this is important: anatomy of a systems hack!
- Attacker selects target by company or computing / network environment
- Goal is to identify the target's Internet footprint
- Attacker searches for system identifiers using basic and stealth techniques to evade detection
  - Version numbers and service banners
  - IP address and host/domain name info
- Identify potential targets in decreasing order of likelihood of penetration
- Default Unix systems can be "owned" in a matter of minutes

Page 25

Understanding Unix System Defaults

First steps in building effective control objectives!
- Finishing a full Unix systems installation
  - Servers use Entire Distribution
  - Power Workstations use Developer Distribution
  - Low End Workstations use End User Distribution
- Once complete, with default file system partitioning now in place, it's time to configure the system

Page 26

Understanding Unix System Defaults

Our newly installed and configured system now looks more like this:
- Basic Unix file system is more permissive than required; we can now determine exactly how to lessen permissiveness of the file system going forward
- Various startup scripts and run-level commands are configured and running that provide a wide variety of unnecessary services
- Local TCP/IP services are configured and running, providing almost unlimited network access
- Potentially sensitive interactive network sessions are not encrypted
- System trust relationships are pervasive
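The defaults listed above give an auditor concrete things to test for. As an added example that is not part of the original deck, the POSIX shell script below checks three of them: world-writable files (file system permissiveness), .rhosts and hosts.equiv files (trust relationships), and services still enabled in an inetd.conf (unnecessary network services). The directory tree and inetd.conf it inspects are constructed inside the script so it runs offline; the function names find_world_writable, find_trust_files, enabled_inetd_services, build_sample_tree and audit_summary are this example's own. Point the first three functions at / and /etc/inetd.conf to run them against a real host.

```shell
#!/bin/sh
# Added example (not part of the original deck): a small audit pass for
# three default conditions named on the slide. The tree and inetd.conf are
# constructed here; on a real host run the check functions against / and
# /etc/inetd.conf instead.

# find_world_writable DIR
# Lists regular files that any user may write. -perm -002 is the POSIX
# spelling of "the other-write bit is set".
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# find_trust_files DIR
# .rhosts and hosts.equiv grant password-less access from listed hosts, so
# every hit is a trust relationship the audit should examine.
find_trust_files() {
    find "$1" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null | sort
}

# enabled_inetd_services FILE
# Every line that is neither blank nor commented out is a listening
# service; print its name (the first field).
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# build_sample_tree
# Constructs a throwaway tree that mimics a default install: one
# world-writable scratch file, two trust files, and an inetd.conf with
# two services still enabled. Prints the tree's root.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/john" "$root/tmp" "$root/bin"
    : > "$root/etc/hosts.equiv"
    : > "$root/home/john/.rhosts"
    : > "$root/tmp/scratch"; chmod 666 "$root/tmp/scratch"
    : > "$root/bin/tool";    chmod 755 "$root/bin/tool"
    cat > "$root/etc/inetd.conf" <<'EOF'
# constructed inetd.conf: only ftp and telnet are still enabled
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
    printf '%s\n' "$root"
}

# audit_summary
# Runs the three checks over the constructed tree, cleans it up, and
# prints one summary line with the counts and the enabled service names.
audit_summary() {
    root=$(build_sample_tree)
    ww=$(find_world_writable "$root" | wc -l | tr -d ' ')
    tf=$(find_trust_files "$root" | wc -l | tr -d ' ')
    sv=$(enabled_inetd_services "$root/etc/inetd.conf" | paste -sd ' ' -)
    rm -rf "$root"
    printf 'world_writable=%s trust_files=%s inetd=%s\n' "$ww" "$tf" "$sv"
}

audit_summary   # prints: world_writable=1 trust_files=2 inetd=ftp telnet
```

On a production host the world-writable and trust-file listings are the raw evidence for the control activities testing matrix the course builds later; the inetd list is compared against the services the system is actually meant to offer, and anything left over is an unnecessary service to disable.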
