Guide to Operating System Security
Chapter 12: Security through Monitoring and Auditing

Objectives
- Understand the relationship between baselining and hardening
- Explain intrusion-detection methods
- Use audit trails and logs
- Monitor logged-on users
- Monitor a network

Baselining and Hardening
- Baselines: measurement standards for hardware, software, and network operations
- Used to establish performance statistics under varying loads or circumstances

Overview of Intrusion Detection
- Detects and reports possible network and computer system intrusions or attacks
- Main approaches:
  - Passive
  - Active
  - Network-based
  - Inspectors
  - Auditors
  - Decoys and honeypots

Passive Intrusion Detection
- Detects and records intrusions; does not take action on findings
- Effective as long as the administrator checks the logs
- Can create filters or traps
- Examples of monitored activities:
  - Login attempts
  - Changes to files
  - Port scans

Third-Party Passive Intrusion-Detection Tools
- Klaxon
- Loginlog
- Lsof
- Network Flight Recorder
- RealSecure
- Dragon Squire
- PreCis

Active Intrusion Detection
- Detects an attack and sends an alert to the administrator, or takes action to block the attack
- May use logs, monitoring, and recording devices

Third-Party Active Intrusion-Detection Tools
- Entercept
- AppShield
- Snort
- SecureHost
- StormWatch

Active Intrusion Detection
[screenshot slide]

Host-based Intrusion Detection
- Software that monitors the computer on which it is loaded:
  - Logons
  - Files and folders
  - Applications
  - Network traffic
  - Changes to security
- Host wrappers and host-based agents

Host-based Intrusion Detection
[screenshot slide]

Network-based Intrusion Detection
- Monitors network traffic associated with a specific network segment
- Typically places the NIC in promiscuous mode

Network-based Intrusion Detection
[screenshot slide]

Inspector
- Examines captured data, logs, or other recorded information
- Determines if an intrusion is occurring or has occurred
- Administrator sets up inspection parameters, for example:
  - Files changed or created under suspicious circumstances
  - Permissions unexpectedly changed
  - Excessive use of the computer's resources

Auditor
- Tracks the full range of data and events, normal and suspicious, for example:
  - Every time services are started and stopped
  - Hardware events or problems
  - Every logon attempt
  - Every time permissions are changed
  - Network connection events
- Records the information to a log

Decoys and Honeypots
- Fully operational computers that contain no information of value
- Draw attackers away from critical targets
- Provide a means to identify and catch or block attackers before they harm other systems

Using Audit Trails and Logs
- A form of passive intrusion detection used by most operating systems:
  - Windows 2000/XP/2003
  - Red Hat Linux 9.x
  - NetWare 6.x
  - Mac OS X

Viewing Logs in Windows 2000/XP/2003 (Continued)
- Accessed through Event Viewer
- Event logs can help identify a security problem
- The Filter option can help quickly locate a problem

Viewing Logs in Windows 2000/XP/2003 (Continued)
- Principal event logs:
  - System
  - Security
  - Application
- Event logs for installed services:
  - Directory Service
  - DNS Service
  - File Replication

Event Viewer in Windows Server 2003
[screenshot slide]

Viewing an Event in Windows Server 2003
[screenshot slide]

Viewing Logs in Red Hat Linux 9.x (Continued)
- Offers a range of default logs
- Log files:
  - Have four rotation levels
  - Managed through syslogd

Viewing Logs in Red Hat Linux 9.x (Continued)
- Two ways to view the default logs:
  - Open LogViewer (Main Menu > System Tools > System Logs)
    - Enables creation of a filter on the basis of a keyword (e.g., failed, denied, rejected)
  - Use the Emacs or vi editor, or the cat command, in a terminal window

Red Hat Linux 9.x Default Logs (Continued)
Log Name            Location and Filename    Description
Boot Log            /var/log/boot.log.x      Contains messages about processes and events that occur during bootup or shutdown
Cron Log            /var/log/cron.x          Provides information about jobs that are scheduled to run or that have already run
Kernel Startup Log  /var/log/dmesg.x         Shows startup messages sent from the kernel
Mail Log            /var/log/maillog.x       Contains messages about mail server activities
News Log            /var/log/spooler.x       Provides messages from the news server

Red Hat Linux 9.x Default Logs (Continued)
Log Name            Location and Filename    Description
RPM Packages Log    /var/log/rpmpkgs.x       Shows a list of the software packages currently installed; updated each day through a job scheduled via the cron command
Security Log        /var/log/secure.x        Provides information about security events and processes
System Log          /var/log/messages.x      Contains messages related to system activities
Update Agent Log    /var/log/up2date.x       Shows updates that have been performed by the Update Agent
XFree86 Log         /var/log/xfree86.x.log   Contains information about what is installed from XFree86

Viewing Logs in Red Hat Linux 9.x
[screenshot slide]

Viewing Logs in NetWare 6.x (Continued)
Log Name     Location and Filename                              Description
Access Log   SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ACCESS.TXT   Contains information about access services to the NetWare server
Audit Log    SYS:ETC\AUDIT.LOG                                  Contains an audit trail of user account activities
Console Log  SYS:ETC\CONSOLE.LOG                                Traces activities performed at the server console
Error Log    SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ERROR.TXT    Contains error information recorded for the NetWare server

Viewing Logs in NetWare 6.x (Continued)
Log Name                 Location and Filename   Description
Module Log               SYS:ETC\CWCONSOL.LOG    Contains a listing of the modules that have been loaded
NFS Server Log           SYS:ETC\NFSSERV.LOG     Provides information about NFS server services, including changes to a service and communications through TCP and UDP
Schema Instructions Log  SYS:ETC\SCHINST.LOG     Tracks schema events, including changes to the schema

Viewing Logs in Red Hat Linux 9.x
[screenshot slide]

Viewing Logs in Mac OS X (Continued)
Log Name               Location and Filename   Description
FTP Service Log        /var/log/ftp.log        Contains information about FTP activity, including sessions, uploads, downloads, etc.
Last Login Log         /var/log/lastlog        Provides information about last login activities
Directory Service Log  /var/log/lookupd.log    Provides a log of the lookupd (look up directory services) daemon, including requests relating to user accounts, printers, and Internet resources
Mail Service Log       /var/log/mail.log       Stores messages about e-mail activities

Viewing Logs in Mac OS X (Continued)
Log Name                 Location and Filename   Description
Network Information Log  /var/log/netinfo.log    Tracks messages related to network activity
Print Service Log        /var/log/lpr.log        Contains information about printing activities
Security Log             /var/log/secure.log     Provides information about security events
System Log               /var/log/system.log     Contains information about system events, including processes that are started or stopped, buffering activities, console messages, etc.
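An added example, not part of the chapter's material: a Python review of constructed security-log lines in the format of Red Hat's /var/log/secure and Mac OS X's /var/log/secure.log. It applies the LogViewer-style keyword filter (failed, denied, rejected) and then counts repeated failed logons per source address, the kind of "suspicious circumstances" inspection parameter the Inspector slide describes. Host names, addresses and the log lines themselves are constructed.

```python
import re
from collections import Counter

# Constructed sample in the syslog format of /var/log/secure (Red Hat) and
# /var/log/secure.log (Mac OS X). Hosts and addresses are documentation
# values (RFC 5737 ranges), not real systems.
SAMPLE_SECURE_LOG = """\
Mar  3 09:58:12 srv1 sshd[2101]: Accepted password for alice from 192.0.2.5 port 50211 ssh2
Mar  3 10:02:41 srv1 sshd[2187]: Failed password for root from 198.51.100.7 port 41233 ssh2
Mar  3 10:02:44 srv1 sshd[2187]: Failed password for root from 198.51.100.7 port 41233 ssh2
Mar  3 10:02:49 srv1 sshd[2187]: Failed password for root from 198.51.100.7 port 41233 ssh2
Mar  3 10:03:03 srv1 sshd[2190]: Failed password for invalid user admin from 198.51.100.7 port 41240 ssh2
Mar  3 10:15:22 srv1 login: FAILED LOGIN 1 FROM (null) FOR bob, Authentication failure
Mar  3 10:20:05 srv1 sshd[2200]: connection from 203.0.113.9 denied by tcp_wrappers
Mar  3 10:31:17 srv1 su(pam_unix)[2301]: session opened for user root by alice(uid=500)
"""

# The keywords the chapter suggests for a LogViewer filter.
KEYWORDS = ("failed", "denied", "rejected")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def filter_by_keyword(lines, keywords=KEYWORDS):
    """Case-insensitive keyword filter, the same idea as LogViewer's filter box."""
    wanted = tuple(k.lower() for k in keywords)
    return [ln for ln in lines if any(k in ln.lower() for k in wanted)]

def failed_ssh_by_source(lines):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for ln in lines:
        m = SSH_FAIL.search(ln)
        if m:
            counts[m.group(2)] += 1
    return counts

def repeated_failures(lines, threshold=3):
    """Sources with at least `threshold` failures: the inspector's
    'suspicious circumstances' worth following up."""
    counts = failed_ssh_by_source(lines)
    return sorted(src for src, n in counts.items() if n >= threshold)

def review(text=SAMPLE_SECURE_LOG):
    """Run the keyword filter, then summarise repeat offenders among the hits."""
    hits = filter_by_keyword(text.splitlines())
    return {"matching": len(hits), "suspects": repeated_failures(hits)}

if __name__ == "__main__":
    print(review())
```

On a real system the same functions can be pointed at the rotated files (secure.1, secure.2, ...) the four rotation levels produce, since the filter works line by line.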
Viewing Logs in Mac OS X
[screenshot slide]

Reasons for Monitoring Logged-on Users
- Assess how many users are typically logged on at given points in time
  - Baseline information
  - To determine when a shutdown would have the least impact
- Be aware of security or misuse problems

Monitoring Users in Windows 2000/XP/2003
- Use the Computer Management tool to access Shared Folders
- Shared Folder options:
  - Shares
  - Sessions
  - Open Files
- Use Task Manager (Windows XP and Windows Server 2003)

Monitoring Users in Windows XP Professional
[screenshot slide]

Monitoring Users in Windows 2000 Server
[screenshot slide]

Monitoring Users in Windows XP Professional
[screenshot slide]

Monitoring Users in Red Hat Linux 9.x
- Use the who command

who Command Options
Option  Description
-a      Displays all users
-b      Shows the time when the system was last booted
-i      Shows the amount of time each user process has been idle
-q      Provides a quick list of logged-on users, and provides a user count
-r      Shows the run level
-s      Displays a short listing of usernames, line in use, and logon time
-u      Displays the long listing of usernames, line in use, logon time, and process number
--help  Displays help information about the who command
-H      Displays who information with column headers

Monitoring Users in Red Hat Linux 9.x
[screenshot slide]

Monitoring Users in NetWare 6.x
- MONITOR:
  - Connections
  - Loaded modules
  - File open/lock
  - Other server-monitoring functions
- NetWare Remote Manager:
  - View current connections
  - View files opened by particular users
  - Send messages to a particular user or all users
  - Clear connections

Monitoring Users in Mac OS X
- Use the who command in a terminal window
  - Supports few options (primarily -H and -u)
- Process Viewer

Monitoring a Network
- Network Monitor
  - Network monitoring software with the most features
  - Comes with Windows 2000 Server and Windows Server 2003

Why Network Monitoring Is Important
- Networks are dynamic
- The administrator must distinguish an attack from an equipment malfunction
- Establish and use benchmarks to help quickly identify and resolve problems

Using Microsoft Network Monitor
- Uses the Network Monitor Driver to monitor the network from the server's NIC (promiscuous mode)
- Sample activities that can be monitored:
  - Percent network utilization
  - Frames and bytes transported per second
  - Network station statistics
  - NIC statistics
  - Error data

Network Monitor Driver
- Detects many forms of network traffic
- Captures packets and frames for analysis and reporting by Network Monitor

Using Microsoft Network Monitor
- Start from the Administrative Tools menu
- Four panes of information:
  - Graph
  - Total Statistics
  - Session Statistics
  - Station Statistics
- View captured information

Using Microsoft Network Monitor
[screenshot slide]

Network Monitor Panes
Pane                Information Provided in Pane
Graph               Provides bar graphs for % Network Utilization, Frames Per Second, Bytes Per Second, Broadcasts Per Second, and Multicasts Per Second
Total Statistics    Provides total statistics about network activity that originates from or is sent to the computer (station) using Network Monitor; includes statistics for Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics
Session Statistics  Provides statistics about traffic from other computers on the network: the MAC (device) address of each computer's NIC and data about the number of frames sent from and received by each computer
Station Statistics  Provides total statistics on all communicating network stations: Network (device) address of each communicating computer, Frames Sent, Frames Received, Bytes Sent, Bytes Received, Directed Frames Sent, Multicasts Sent, and Broadcasts Sent

Viewing Capture Summary Data
[screenshot slide]

Creating a Filter in Network Monitor
- Two property types:
  - Service Access Point (SAP)
  - Ethertype (ETYPE)

Using Capture Trigger
- The software performs a specific function when a predefined situation occurs

Using Network Monitor to Set Baselines
- From the Graph pane:
  - % Network Utilization
  - Frames Per Second
  - Broadcasts Per Second
  - Multicasts Per Second

Summary (Continued)
- Creating baselines to help quickly identify when an attack is occurring
- Intrusion-detection methods:
  - Employed through an operating system
  - Third-party software
- Using auditing and logging tools to track intrusion events

Summary
- Monitoring user activities:
  - GUI-based Computer Management tool in Windows 2000/XP/2003
  - who command in Red Hat Linux and Mac OS X
- Network monitoring with Microsoft Network Monitor
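An added example, not from the chapter: building a baseline from constructed readings of the four Graph-pane counters named under "Using Network Monitor to Set Baselines" and flagging a later reading that falls outside it, which is the benchmark-driven check the "Why Network Monitoring Is Important" slide calls for. The counter values are illustrative, not a real capture, and the three-standard-deviation limit is an assumed threshold.

```python
from statistics import mean, pstdev

# Constructed readings of the four Graph-pane counters the chapter uses for
# baselining: (% Network Utilization, Frames Per Second, Broadcasts Per
# Second, Multicasts Per Second). Illustrative values, not a real capture.
COUNTERS = ("pct_utilization", "frames_per_sec", "broadcasts_per_sec", "multicasts_per_sec")
BASELINE_SAMPLES = [
    (12.0, 850, 9, 3), (14.5, 910, 11, 4), (11.2, 800, 8, 3), (13.8, 890, 10, 4),
    (15.1, 940, 12, 5), (12.7, 860, 9, 3), (13.3, 880, 10, 4), (14.0, 900, 11, 4),
]

def build_baseline(samples):
    """Mean and population standard deviation per counter: the benchmark."""
    baseline = {}
    for i, name in enumerate(COUNTERS):
        column = [s[i] for s in samples]
        baseline[name] = (mean(column), pstdev(column))
    return baseline

def deviations(reading, baseline, sigma=3.0):
    """Counters in `reading` above mean + sigma * stddev, with the excess."""
    out = {}
    for i, name in enumerate(COUNTERS):
        avg, sd = baseline[name]
        limit = avg + sigma * sd
        if reading[i] > limit:
            out[name] = round(reading[i] - limit, 2)
    return out

def classify(reading, baseline):
    """Short verdict for the administrator. A deviation alone does not say
    whether the cause is an attack or an equipment malfunction, only that
    the reading is outside the benchmark and needs a look."""
    dev = deviations(reading, baseline)
    if not dev:
        return "within baseline"
    return "outside baseline: " + ", ".join(sorted(dev))

if __name__ == "__main__":
    b = build_baseline(BASELINE_SAMPLES)
    print(classify((13.0, 870, 10, 4), b))
    print(classify((45.0, 2600, 420, 4), b))
```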