Tuesday, May 8, 2012
8:30 AM to 10:00 AM
Mike Schiller
Director of Sales & Marketing IT, Texas Instruments
Co-Author, IT Auditing: Using Controls to Protect Information Assets
SPEAKER BIOGRAPHY
Mike Schiller, CISA, is the director of global server, database, and storage
infrastructure at Texas Instruments (TI) and is the co-author of IT
Auditing: Using Controls to Protect Information Assets (2011, McGraw-Hill).
He has more than 15 years of experience in the IT audit field, including as
the worldwide IT audit manager at TI and as the IT audit manager at Sabre.
He is an active speaker on IT auditing, including conferences such as CACS,
InfoSec World, and ASUG, and has been an instructor of IT audit curriculum
at Southern Methodist University. Schiller has held numerous IT leadership
positions at TI, including as the director of user support, data centers,
and asset management and manager of support for TI's web applications and
infrastructure.
Agenda
- The Basics
- Account Management and Password Controls
- Network Security and Controls
- Audit Logs
- Security Monitoring and General Controls
- Tools
The Basics

Why Audit Your Operating System?
- root account = admin / super-user

Example: If permissions on a file or directory are displayed as

rwxr-xr--

this means that the file's owner has read, write, and execute permissions
on the file, the file's group has read and execute permissions, and
everyone else has read permissions.
This can also be described as 754 (rwx=7, r-x=5, r--=4).
total 20180
-r-xr-xr-x 1 bin sys 33600 Jul 26 2008 acctcom
-rwxrwxrwx 1 bin sys 122116 May 2 2006 adb
-r-xr-xr-x 1 bin mail 9076 May 2 2006 addbib
-r-s--x--x 1 root sys 335784 Jul 26 2008 admintool
-r-xr-xr-x 17 bin sys 131 May 2 2006 alias
-r-xr-xr-x 1 bin sys 15068 May 2 2006 aliasadm
-rwxr-xr-x 1 bin sys 17228 Apr 25 2006 apm
dr-xr-xr-x 4 root sys 21984 May 2 2006 apropos
-r-xr-xr-x 1 bin go 944 May 2 2006 arch
-r-xr-xr-x 1 bin rangers 5232 May 2 2006 asa
Interaction between file and directory permissions

                     Directory permissions
File permissions   -           r           x                      wx
-                  No access   No access   No access              Delete file
r                  No access   No access   Read data              Delete file or read data
w                  No access   No access   Add to or clear data   Delete file or add to or clear data
rw                 No access   No access   Update data            Delete file or update data

If a file has permissions set to 651, what access does it grant to the
owner? The group? The world?

You have read access to a file and full access to the directory in
which it resides. What access will you have to the file?
/etc/passwd file
Contains information on the system's users
Format:
account:password:UID:GID:GECOS:directory:shell
Account - Name representing the user to the system (the name used when
logging in).
Password - Encrypted password (but note that it may be kept in /etc/shadow
instead).
UID - Numeric user ID
GID - Numeric group ID for the user's primary group
GECOS - Optional field used to store arbitrary additional information about the
account. It often contains the real name and/or employee ID of the user.
Directory - Location of the user's home directory
Shell - User's default shell. The shell is the command line environment that
interprets commands and passes them to the kernel.
Be aware of centralized account management mechanisms (e.g. NIS,
NIS+, LDAP)
/etc/passwd file example
> more /etc/passwd
root:x:0:1:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
sp1adm:x:228:500:SP1 R3 Admin. ID, SAP, 292-4283:/home/sp1adm:/bin/ksh
orasp1:x:229:250:SP1 R3 Oracle ID, SAP, 292-4243:/oracle/SP1:/bin/ksh
iss:x:2000:2000::/home/iss:/bin/ksh
camgr:x:6201:6200:camgr id for ca unicenter:/etc/admin/ca:/bin/csh
z485804:x:9601:9600:mike schiller, internal audits:/home/z485794:/bin/ksh
Password File Quiz

/etc/group file
Contains information on user groups
Format: name:password:GID:users
Name - Name of the group
Password - Group password (if used)
GID - Numeric group ID
Users - List of users who are a member of the group. Note that members
of the group who are assigned to it through their GID in /etc/passwd
won't necessarily be in this list.
/etc/group file example
> more /etc/group
root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
mail::6:root
tty::7:root,adm
lp::8:root,adm
nuucp::9:root
staff::10:
daemon::12:root
sysadmin::14:
smmsp::25:
gdm::44:
webservd::80:
postgres::90:
nobody::60001:
noaccess::60002:
nogroup::65534:
sshd::60014:
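The checks an auditor runs over the two files above can be scripted. The block below is an added example, not part of the presentation: the password and group data are constructed from the deck's own listings (with one extra "guest" line added to show an empty password field), and the function names are my own. It covers both the /etc/passwd review (UID 0 accounts besides root, empty password fields, duplicate UIDs) and the /etc/group caveat that a user whose primary GID points at a group is a member without appearing in the group's member list. On a live host the sample variables would be replaced by the real files (cat /etc/passwd, or getent/ypcat when accounts are centralized).

```shell
# Added example (not from the presentation): audit checks over the contents
# of /etc/passwd and /etc/group. Sample data is constructed from the deck's
# listings; "guest" is a made-up line with an empty password field.
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/bin/ksh
daemon:x:1:1::/:
smtp:x:0:0:Mail Daemon User:/:
nobody:x:60001:60001:Nobody:/:
sp1adm:x:228:500:SP1 R3 Admin. ID, SAP, 292-4283:/home/sp1adm:/bin/ksh
orasp1:x:229:250:SP1 R3 Oracle ID, SAP, 292-4243:/oracle/SP1:/bin/ksh
iss:x:2000:2000::/home/iss:/bin/ksh
guest::2001:10:constructed entry, empty password field:/home/guest:/bin/sh
z485804:x:9601:9600:mike schiller, internal audits:/home/z485794:/bin/ksh'

SAMPLE_GROUP='root::0:
other::1:root
sys::3:root,bin,adm
staff::10:
sysadmin::14:sp1adm
nobody::60001:'

# Accounts with UID 0 that are not "root": each one is a full superuser.
extra_uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty, i.e. no password is needed to log
# in. A field of "x" or "*" means the hash lives in /etc/shadow or is locked.
empty_password_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$2 == "" { print $1 }'
}

# UIDs shared by more than one account name; the kernel cannot tell them apart.
duplicate_uids() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: '{ seen[$3]++; names[$3] = names[$3] " " $1 }
                 END { for (u in seen) if (seen[u] > 1) print u ":" names[u] }'
}

# Effective members of a group: the names listed in /etc/group plus every
# account whose primary GID (field 4 of /etc/passwd) is that group, since
# those users are members without appearing in the member list.
effective_members() {  # $1 = group name
    _gid=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    [ -n "$_gid" ] || return 1
    {
        printf '%s\n' "$SAMPLE_GROUP" |
            awk -F: -v g="$1" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$_gid" '$4 == gid { print $1 }'
    } | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "UID 0 accounts besides root: $(extra_uid0_accounts)"
echo "Empty password fields:       $(empty_password_accounts)"
echo "Duplicate UIDs:              $(duplicate_uids)"
echo "Effective members of root:   $(effective_members root)"
```

Run against the deck's own sample, the first check already reports smtp: that entry has UID 0, so it is a second superuser account regardless of its name, and the root group's effective membership includes it through its primary GID even though the group line lists nobody.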
Methods for Executing Commands with Elevated Privilege

sudo
- Allows a specific user to execute a specific command with the privilege
  of another user
- Frequently used for selective root access
- Configured in /etc/sudoers

SUID
- A SUID (Set-UID) file allows users to execute that file under the
  privileges of the ID that owns the file
- Frequently used to allow all users to execute a specific command with
  root access
- Permissions on a SUID file are displayed as (example): rwsr-sr-x
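The symbolic column that ls -l prints and the octal numbers used by chmod and umask are two spellings of the same nine permission bits plus the three special bits, so converting between them is the quickest way to answer the 651 quiz earlier in the deck and to read a SUID mode such as rwsr-sr-x. The block below is an added example, not code from the presentation; the two function names are my own. It accepts either the 9-character mode or the full 10-character ls -l column (the first character being the file type) and handles the s/S and t/T cases, where lower case means the execute bit is set alongside the special bit and upper case means it is not.

```shell
# Added example (not from the presentation): convert between the symbolic
# mode column of ls -l and octal mode numbers, including SUID/SGID/sticky.

# symbolic_to_octal rwxr-xr--  -> 754
# symbolic_to_octal -rwsr-sr-x -> 6755   (SUID 4 + SGID 2, then 755)
symbolic_to_octal() {
    printf '%s\n' "$1" | awk '
    {
        m = $0
        if (length(m) == 10) m = substr(m, 2)   # drop the file-type column
        special = 0
        out = ""
        for (t = 0; t < 3; t++) {              # t=0 owner, t=1 group, t=2 world
            r = substr(m, t * 3 + 1, 1)
            w = substr(m, t * 3 + 2, 1)
            x = substr(m, t * 3 + 3, 1)
            bits = 0
            if (r == "r") bits += 4
            if (w == "w") bits += 2
            # lower-case s/t means execute is set too; upper-case S/T means it is not
            if (x == "x" || x == "s" || x == "t") bits += 1
            if (x == "s" || x == "S") special += (t == 0) ? 4 : 2   # SUID (owner) / SGID (group)
            if (x == "t" || x == "T") special += 1                   # sticky bit (world column)
            out = out bits
        }
        if (special) out = special out
        print out
    }'
}

# octal_to_symbolic 651  -> rw-r-x--x
# octal_to_symbolic 4755 -> rwsr-xr-x
octal_to_symbolic() {
    printf '%s\n' "$1" | awk '
    {
        n = length($0)
        special = (n == 4) ? substr($0, 1, 1) + 0 : 0
        perms = substr($0, n - 2, 3)
        out = ""
        for (t = 0; t < 3; t++) {
            d = substr(perms, t + 1, 1) + 0
            out = out ((d >= 4) ? "r" : "-")
            out = out ((d % 4 >= 2) ? "w" : "-")
            xbit = d % 2
            if (t == 0) flag = int(special / 4) % 2        # SUID
            else if (t == 1) flag = int(special / 2) % 2   # SGID
            else flag = special % 2                        # sticky
            if (flag) out = out (xbit ? (t == 2 ? "t" : "s") : (t == 2 ? "T" : "S"))
            else out = out (xbit ? "x" : "-")
        }
        print out
    }'
}

echo "rwxr-xr--  = $(symbolic_to_octal rwxr-xr--)"
echo "-rwsr-sr-x = $(symbolic_to_octal -rwsr-sr-x)"
echo "651        = $(octal_to_symbolic 651)"
```

The upper-case S case matters in a review: a mode such as rwSr--r-- has the SUID bit set on a file nobody can execute, which is usually a chmod mistake rather than an intended privilege grant, and it still shows up in a find for SUID files.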
Important Linux and UNIX Navigation Commands for Auditors
cd - Change Directory
ypcat - List NIS File Contents (niscat for NIS+)
find
Unix/Linux Test Steps
Categories:
- File Security
- Network Security
- Audit Logs
ls -l /etc/passwd
Expected output:
-rw-r--r-- 1 root sys 728 Jan 26 16:23 /etc/passwd
ls -l /etc/shadow
Expected output:
-rw------- 1 root sys 374 Jan 26 16:23 /etc/shadow
Account Management and Password Test Steps

/etc/default/passwd example

Review the contents of the password and group file(s)
Review the contents of the password file(s)
10. Review the security of user home directories and config files
Anyone can delete files within the directory and replace them
with their own files of the same name

find / -perm -u+s
Provides a list of all SUID files (must be run by superuser)
Review file permissions using ls -l command
File Security Test Steps

SUID permissions example
> find / -perm -u+s
total 290874
-rwsr-sr-x 3 alexbkup alexbkup 8564848 Mar 13 2007 Xalex
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-cntrl
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-command
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-dbase
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-device
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-media
-rwsr-srwx 1 root root 5245540 Mar 13 2007 alex-net
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-opcard
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-option
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-perms
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-person
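A listing like the one above is long, and the entries that need attention are the ones that combine a set-ID bit with write access for someone other than the owner: whoever can write such a file can change what runs with the owner's privileges. The block below is an added example, not part of the presentation. Its sample listing is constructed from the slide's entries plus two made-up lines (broken-suid and a world-writable home directory, the case from step 10), and the function names are my own. The scan_setid function shows the live form of the check, with -perm -4000 as the numeric equivalent of the slide's -perm -u+s.

```shell
# Added example (not from the presentation): checks over an ls -l style
# listing such as "find / -perm -u+s" produces. Constructed from the slide's
# entries plus two made-up lines (broken-suid, /home/sp1adm).
SAMPLE_LISTING='-rwsr-sr-x 3 alexbkup alexbkup 8564848 Mar 13 2007 Xalex
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-cntrl
-rwsr-srwx 1 root root 5245540 Mar 13 2007 alex-net
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-opcard
-r-s--x--x 1 root sys 335784 Jul 26 2008 admintool
-rwxr-xr-x 1 bin sys 17228 Apr 25 2006 apm
-rwSrw-r-- 1 root root 1024 Jan 1 2010 broken-suid
drwxrwxrwx 2 sp1adm sap 512 Jan 1 2010 /home/sp1adm'

# Mode column layout: 1 type, 2-4 owner rwx, 5-7 group rwx, 8-10 world rwx.
# Set-ID entries (s/S in column 4 or 7) that are also writable by group
# (column 6) or world (column 9): anyone who can write the file can replace
# the program body and have it run with the owner's rights.
writable_setid_entries() {
    printf '%s\n' "$SAMPLE_LISTING" | awk '
    {
        mode = $1
        setid = substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/
        writable = substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w"
        if (setid && writable) print $NF, mode, $3
    }'
}

# SUID files owned by root: the list to review entry by entry.
root_setid_entries() {
    printf '%s\n' "$SAMPLE_LISTING" | awk '$3 == "root" && substr($1, 4, 1) ~ /[sS]/ { print $NF }'
}

# Anything world-writable, file or directory. A world-writable home
# directory lets anyone delete and replace the files inside it.
world_writable_entries() {
    printf '%s\n' "$SAMPLE_LISTING" | awk 'substr($1, 9, 1) == "w" { print $NF }'
}

# Live form: -perm -4000 is the numeric spelling of -perm -u+s; -2000 adds
# SGID files. Run as root so every directory is searched.
scan_setid() {  # $1 = directory to scan
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

echo "Writable set-ID files:"; writable_setid_entries
echo "Root-owned SUID files:"; root_setid_entries
echo "World-writable entries:"; world_writable_entries
```

On the slide's own data the first check flags alex-net: it is SUID root and world-writable (-rwsr-srwx), so any local account can edit a program that runs as root.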
File Security Test Steps

4. Review the default umask value
Determines what permissions new files and directories will have by default.
The umask subtracts privileges when files and directories are created.

Normal default: 777
Minus the umask: 027
Default permissions on this server: 750

This provides full access to the owner, read and execute access to the
group, and no access to the world.
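The arithmetic above is worth checking by machine, because the umask is applied by the kernel as a bit mask (the umask bits are cleared from the requested mode), not as decimal subtraction, and new regular files start from 666 rather than 777, so the same umask of 027 gives 640 for a file. The block below is an added example, not part of the presentation; the function names are my own, and the last line reads the umask of whatever shell runs it.

```shell
# Added example (not from the presentation): what a umask actually yields.
# The kernel clears the umask bits with a bitwise AND NOT; "777 minus 027 =
# 750" happens to agree for directories, but regular files start from 666.

default_mode() {  # $1 = umask as octal digits, $2 = "dir" or "file"
    base=0777
    [ "$2" = "file" ] && base=0666
    printf '%03o\n' $(( base & ~0$1 ))    # leading 0 makes the shell read $1 as octal
}

# Succeeds (exit 0) when the umask leaves the world-write bit open, i.e.
# files created with the default mode can be modified by anyone.
umask_allows_world_write() {  # $1 = umask
    [ $(( 0$1 & 02 )) -eq 0 ]
}

# Digit-wise subtraction and masking disagree as soon as a umask digit has a
# bit the base digit lacks: 666 with umask 011 stays 666 (there is no execute
# bit to clear), whereas subtraction would claim 655.
echo "umask 027, directory: $(default_mode 027 dir)"
echo "umask 027, file:      $(default_mode 027 file)"
echo "umask 011, file:      $(default_mode 011 file)"
echo "this shell's umask:   $(umask) -> new files get $(default_mode "$(umask)" file)"
```

During a review the value to capture is the umask in effect for the accounts that create data, typically set in /etc/profile or the shell startup files, and the check that matters most is whether it leaves the world-write bit open.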
All crons are run as if the owner of the crontab is running them.
If a file being executed within a crontab is not secure, it may allow for
the execution of arbitrary commands.
Delete where possible; minimize and secure otherwise.
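Checking the cron point above means looking past the crontab itself at each program it runs: a script that is writable by group or world, or one that sits in a world-writable directory, can be swapped for something else and will then execute with the crontab owner's identity on schedule. The block below is an added example, not part of the presentation. The function names are my own, the crontab and scripts it checks are constructed in a temporary directory, and the writability test reads the mode column of ls -ld in the same way the slides do.

```shell
# Added example (not from the presentation): flag crontab commands whose
# program, or the directory holding it, is writable by group or world.

# Succeeds when the path has g+w or o+w set (columns 6 and 9 of ls -ld).
group_or_world_writable() {  # $1 = path
    m=$(ls -ld "$1" | cut -c1-10)
    case "$m" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Reads a crontab file, skips comments, blank lines and VAR=value lines,
# and reports one line per problem: "<program> <finding>".
cron_writable_commands() {  # $1 = crontab file
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r min hr dom mon dow cmd; do
        case "$min" in *=*) continue ;; esac        # MAILTO=, PATH=, ... are not jobs
        prog=${cmd%% *}                             # first word of the command
        case "$prog" in
            /*) ;;
            *) echo "$prog relative-path"; continue ;;   # resolved via PATH at run time
        esac
        if [ ! -e "$prog" ]; then echo "$prog missing"
        elif group_or_world_writable "$prog"; then echo "$prog writable-program"
        elif group_or_world_writable "${prog%/*}"; then echo "$prog writable-directory"
        fi
    done
}

# Builds a constructed crontab and scripts in a temp dir, runs the check and
# prints the findings with the temp dir prefix removed.
demo_cron_check() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/safe" "$d/open"
    chmod 755 "$d/safe"
    chmod 777 "$d/open"                             # constructed: world-writable script dir
    for s in safe/backup.sh safe/rotate.sh open/clean.sh; do
        printf '#!/bin/sh\necho %s\n' "$s" > "$d/$s"
        chmod 700 "$d/$s"
    done
    chmod 777 "$d/safe/rotate.sh"                   # constructed: world-writable script
    cat > "$d/crontab" <<EOF
# constructed crontab
MAILTO=root
0 2 * * * $d/safe/backup.sh --full
30 2 * * * $d/safe/rotate.sh
0 3 * * 0 $d/open/clean.sh
15 4 * * * $d/safe/missing.sh
45 4 * * * cleanup.sh
EOF
    cron_writable_commands "$d/crontab" | sed "s|^$d/||"
    rm -rf "$d"
}

demo_cron_check
```

Only backup.sh passes: it is owner-writable only and lives in a 755 directory. On a real host the same function is pointed at each file under the spool directory (/var/spool/cron or /var/spool/cron/crontabs, depending on the system), and relative-path entries are worth a finding of their own because their meaning depends on whatever PATH cron supplies.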
Certain protocols (e.g. telnet, ftp, rsh, rlogin, and rcp) transmit
all information in clear text, including user ID and password.
sulog
Typically /usr/adm/sulog, /var/adm/sulog, or /var/log/auth.log
sudo log
Typically written to the syslog but this can be changed in /etc/sudoers
syslog
/etc/syslog.conf file determines where each message type is routed
wtmp
Typically /usr/adm/wtmp, /var/adm/wtmp or /etc/wtmp
utmp
Typically located at /etc/utmp on UNIX and /var/run/utmp on Linux
Audit Log Test Steps

Sulog example
SU 07/14 13:54 + pts/1 root-sp1adm
SU 07/16 12:47 + pts/2 root-sp1adm
SU 07/16 13:01 + pts/1 root-sp1adm
SU 07/16 15:45 + pts/4 iss-root
SU 07/17 11:21 + pts/6 iss-root
SU 07/17 13:03 + pts/6 iss-root
SU 07/18 11:02 - pts/4 aa170450-rtcov
SU 07/18 11:02 + pts/4 aa170450-rtcov
SU 07/20 20:05 + pts/0 root-sp1adm
SU 07/20 20:08 + pts/1 root-sp1adm
SU 07/20 22:01 + pts/0 root-sp1adm
SU 07/20 22:03 + pts/1 root-sp1adm
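Each sulog line records the date, time, whether the switch succeeded (+) or failed (-), the terminal, and a source-target pair, so the questions a reviewer asks (who became root, which attempts failed, how often each pair occurs) are a few awk expressions. The block below is an added example, not part of the presentation; the sample is the slide's own log, and the function names are my own. The source-target field is split on the hyphen, which assumes account names without hyphens.

```shell
# Added example (not from the presentation): reading a sulog. Line format is
# "SU date time +|- tty source-target". Sample taken from the slide.
SAMPLE_SULOG='SU 07/14 13:54 + pts/1 root-sp1adm
SU 07/16 12:47 + pts/2 root-sp1adm
SU 07/16 13:01 + pts/1 root-sp1adm
SU 07/16 15:45 + pts/4 iss-root
SU 07/17 11:21 + pts/6 iss-root
SU 07/17 13:03 + pts/6 iss-root
SU 07/18 11:02 - pts/4 aa170450-rtcov
SU 07/18 11:02 + pts/4 aa170450-rtcov
SU 07/20 20:05 + pts/0 root-sp1adm
SU 07/20 20:08 + pts/1 root-sp1adm
SU 07/20 22:01 + pts/0 root-sp1adm
SU 07/20 22:03 + pts/1 root-sp1adm'

# Failed su attempts ("-" in field 4): date, time, tty, source-target.
failed_su_attempts() {
    printf '%s\n' "$SAMPLE_SULOG" | awk '$1 == "SU" && $4 == "-" { print $2, $3, $5, $6 }'
}

# Distinct accounts that successfully switched to the given target account.
# Assumes account names contain no hyphen, since the field is split on "-".
successful_su_to() {  # $1 = target account, e.g. root
    printf '%s\n' "$SAMPLE_SULOG" |
        awk -v target="$1" '$1 == "SU" && $4 == "+" { n = split($6, p, "-"); if (p[n] == target) print p[1] }' |
        LC_ALL=C sort -u
}

# Count of successes and failures per source-target pair.
su_pair_counts() {
    printf '%s\n' "$SAMPLE_SULOG" |
        awk '$1 == "SU" { c[$6 "/" ($4 == "+" ? "ok" : "failed")]++ }
             END { for (k in c) print k, c[k] }' |
        LC_ALL=C sort
}

echo "Failed attempts:";        failed_su_attempts
echo "Accounts that became root:"; successful_su_to root
echo "Per-pair counts:";        su_pair_counts
```

On a live system the input is the file itself (cat /var/adm/sulog) rather than the sample variable. Two things in the slide's log stand out when summarized: iss is the only account that switches to root, and root switches to sp1adm seven times, which is worth matching against who holds the root password and whether those sessions tie back to a named person.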
Security Monitoring and General Controls

1. Review procedures for monitoring the state of security on the system
Look for evidence that the security monitoring tools are actually used
and acted upon
- Physical security
- Environmental controls
- Capacity planning
- Change management
- System monitoring
- Backup processes
Online resources:
http://isaca.org/ - standards and security guidance
http://www.sans.org/rr/ - certifications and other documents from SANS
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtm - security configuration guides from the National Security Agency
http://csrc.nist.gov/publications/PubsSPs.html - security guidelines from the National Institute of Standards and Technology
http://sectools.org/ - top security tools as generated from a survey of NMAP users
http://seclists.org/ - security-oriented mailing lists
http://www.securityfocus.com/ - mailing lists, news, vulnerabilities
http://cve.mitre.org/ - along with the vulnerability database section of securityfocus, a good site to begin research on potential vulnerabilities
Thank you!

Collaborate, Contribute, Connect
www.isaca.org/knowledge-center
The Knowledge Center is a collection of resources and online communities
that connect ISACA members globally, across industries and by professional
focus, under one umbrella. Add or reply to a discussion, post a document or
link, connect with other ISACA members, or create a wiki by participating
in a community today!