SECURITY ISSUES Access Control List & Audit Trail UNIX

AUDITING and SECURITY
Jim Patterson, CISSP, CBCP, CRM
Jefferson Wells
Introduction
The goals of Security (CIA):
- Confidentiality
- Integrity
- Availability
(They are mutually dependent)
- Avoid Audit Findings
Security Considerations

Identify Assets
- Network Discovery
- AD Discovery
- DHCP and DNS Imports
- File Import (from existing sources)
Assess Vulnerabilities
- How vulnerability definitions are updated, and how often
- Map vulnerabilities to industry/vendor nomenclature
- Types of vulnerabilities found (configuration and patch)
- When to do the assessment

Security Considerations

Remediate Vulnerabilities
- How remediations are updated, and how often
- Configuration and patch-based remediations
- Use of industry/vendor nomenclature
- Different remediation policies for different classes of assets
- Different remediation schedules for different classes of assets
- Manage rebooting of different classes of assets
Secured Network Model
[Diagram; components named on the slide: The Internet, firewalls, IDS sensors, application DMZs, ISOC (IDS management, firewall management, activity reporting and analysis), mainframe, open systems, customer sites, and remote locations, remote access and vendors.]
Enterprise Architecture
[Diagram; components named on the slide: central console (XP/2000/2003), distributed proxy (XP/2000/2003), DMZ, reporting database (ODBC, SSL), Windows servers (NT, 2000, 2003), workstations (XP/2000), UNIX servers (Solaris, Linux, AIX, HP-UX). System reach: mainframe, Windows, UNIX and Linux.]
Applications Overview
[Diagram of the business internet banking application landscape; components named on the slide: Consumer Access web servers (P51WEB02/03, HTTPS), Consumer Access (APDWBE03/04/05), BIB web server, translation servers (APDTRN01/02/03/04/05/06), Service Provider Manager, EPS database (P51EPSDB01A), Metavante mainframe (MVS), Business Express (ABS101/02, OpenVMS, Oracle 8), FileXChange, MoneyLine Framework, SNA servers (APDSNA03/04), ISAPI gateway / ISAPIExport, ACH Funds Transfer (Connectware), WebSrvItf, SQL Server 7, Cash Con, ECMailer / Email Connector, Servu_FTP, NT Cut Service (Northern Trust, hosted in Ann Arbor), NT Scheduler (hosted in Milwaukee), PDCOFX utility server (APDWFX01/02), BE Mail, Partner Billing, Client Billing, Funds Transfer Updater, File Master, Finder Files, Setup, Bill Pay, Order Fulfillment, ProdWebDB, Admin Workstation (BIB/CA). Functions: Enroll/Entitle, ACH, Wire, Balance, User Setup, OFX Routing, Audit Addenda. Protocols and interfaces: HTTPS, HTTP, OFX/XML over HTTP, ODBC, ADO, COM, TCP/IP sockets, SNA, FTP, SMTP, SDK. Platforms: Windows 2000 servers, NT 4.0, Oracle 7, OpenVMS.]
System Security Categories
[Diagram: "System Security" at the centre, surrounded by the categories Audit and Compliance covers, each with example callouts.]
Audit and Compliance covers:
- Security configuration settings (examples: users, groups, password settings, many others)
- Antivirus status (status: enabled, latest version, latest definitions)
- Security patch status (key operating system security patches applied; most recent, most critical)
- Personal firewall status (status: enabled)
- Unauthorized software (examples: file share programs such as Kazaa, public instant messaging, desktop sharing applications, custom list)
- Unauthorized hardware (examples: USB hard drives, unauthorized modems, wireless NIC cards, modems with auto-answer on, custom list)
- Industry-known vulnerabilities
Enforcement:
- Access Control
- Patching
Audit and Compliance is not focused on:
- Risk Management
- Asset Management
- Configuration Management
Event Management Model
[Diagram: event sources (desktops, firewalls, intrusion detection, systems, applications, database) feed an event collector and a manager of managers; events are stored in a historical event repository with query/reporting for operations; an "Intrusion Detected!" event produces a notification.]
Auditing System Components
[Diagram: the system log feeds a logger; the logger passes higher-level audit events to an analyzer; the analyzer drives a notifier whose actions are email, popup, reconfig and report.]
Audit System Structure
- Logger: records information, usually controlled by parameters
- Analyzer: analyzes logged information looking for something
- Notifier: reports results of analysis

Logger
- Type and quantity of information recorded are controlled by system or program configuration parameters
  - Tuning what is audited
- May be human readable or not
  - If not, viewing tools are usually supplied
- Available space and portability influence the storage format
Example: RACF
- Security enhancement package for IBM's MVS/VM
- Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions
- View events with LISTUSERS commands
Example: Windows NT
- Different logs for different types of events
  - System event logs record system crashes, component failures, and other system events
  - Application event logs record events that applications request be recorded
  - Security event log records security-critical events such as logging in and out, system file accesses, and other events
- Logs are binary; use the event viewer to see them
- If a log fills up, the system can be shut down, logging disabled, or logs overwritten
- Logging enabled by SACLs and Windows Policy
June 1, 2004
Computer Security: Art and Science
Windows NT Sample Entry
Date: 2/12/2000              Source: Security
Time: 13:03                  Category: Detailed Tracking
Type: Success                Event ID: 592
User: WINDSOR\Administrator
Computer: WINDSOR
Description:
A new process has been created:
  New Process ID:      2216594592
  Image File Name:     \Program Files\Internet Explorer\IEXPLORE.EXE
  Creator Process ID:  2217918496
  User Name:           Administrator
  Domain:              WINDSOR
  Logon ID:            (0x0,0x14B4c4)
[would be in graphical format]
Syslog
- De facto standard in Unix and networking
- RFC 3164
- UDP transport
- Log locally or send to a collecting server
- Limited normalization
Syslog Format
- PRI field
  - Facility: the part of the system generating the log (e.g. 0 kernel, 2 mail system, 6 line printer)
  - Severity: a fully ordered list (e.g. 0 Emergency, 3 Error, 6 Informational)
- Header: time stamp and host name
- Msg
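An added example, not from the slides, that decodes the PRI field as described above (PRI = facility * 8 + severity) and splits the RFC 3164 header from the message; the sample lines are constructed (the first is the example from RFC 3164 itself), and the facility names beyond the three on the slide are taken from the RFC.

```python
import re

# Facility and severity numbers from RFC 3164 (the slide lists 0, 2, 6 of each);
# facilities 16-23 are local0-local7 and are named generically below.
FACILITIES = {0: "kernel", 1: "user-level", 2: "mail system", 3: "system daemons",
              4: "security/authorization", 5: "syslogd internal", 6: "line printer",
              7: "network news", 8: "UUCP", 9: "clock daemon",
              10: "security/authorization", 11: "FTP daemon", 12: "NTP",
              13: "log audit", 14: "log alert", 15: "clock daemon"}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is "Mmm dd hh:mm:ss" (day space-padded)
LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """Split an RFC 3164 line into its PRI, header and MSG parts.

    PRI packs both fields into one number: facility = PRI // 8, severity = PRI % 8.
    Returns None for lines that do not follow the format or carry an out-of-range PRI.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "local%d" % (facility - 16)),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m.group(2),
        "host": m.group(3),
        "msg": m.group(4),
    }

def at_least(lines, severity):
    """Analyzer step: keep parsable lines at least this serious.  Severity is a
    fully ordered list where lower numbers are more severe, so keep <= threshold."""
    return [r for r in map(parse_syslog, lines) if r and r["severity"] <= severity]

# Constructed sample input; the first line is the example from RFC 3164 section 5.4.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<6>Jun  1 09:03:01 printsrv lpd: job 42 printed",
    "<999>Jun  1 09:03:02 printsrv lpd: bad PRI",
    "no PRI at all",
]
```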
Top 10 Things to Audit in a Win2k Domain
Local Security Policy of one DC
1. Password
2. Lockout policy
3. Audit policy
   - Account Management, Account Logon, System Policy, Policy Changes
   - Failure AND Success!
Active Directory Users and Computers
4. Important group memberships
   - Domain Admins, Administrators, Account Ops, Server Ops, Backup Ops
   - If the root domain of the forest, also check: Enterprise Admins, Schema Admins, DNSAdmins

Top 10 Things to Audit in a Win2k Domain
One or more Domain Controllers
5. Service Pack Level
6. Dangerous Services
One or more Member Servers
7. Audit Policy
   - Account Logon, Account Management, System Policy, Policy Change
8. Service Pack Level
9. Dangerous Services
10. Administrator account
Examples
- Using swatch to find instances of telnet from tcpd logs:
  /telnet/&!/localhost/&!/*.site.com/
- Query set overlap control in databases
  - If too much overlap between current query and past queries, do not answer
- Intrusion detection analysis engine (director)
  - Takes data from sensors and determines if an intrusion is occurring
Examples
- Using swatch to notify of telnets:
  /telnet/&!/localhost/&!/*.site.com/ mail staff
- Query set overlap control in databases
  - Prevents response from being given if too much overlap occurs
- Three failed logins in a row disable user account
  - Notifier disables account, notifies sysadmin
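An added example, not from the slides, that implements the two swatch-style rules above as an analyzer and a notifier: the telnet rule over tcpd log lines (the slide's /*.site.com/ is taken as "any host under site.com"), and the three-consecutive-failed-logins rule. The log lines, host names and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpd / login lines in syslog style; hosts and users are placeholders.
LOG = [
    "Jun  1 10:02:11 gw in.telnetd[3101]: connect from localhost",
    "Jun  1 10:02:40 gw in.telnetd[3102]: connect from ws12.site.com",
    "Jun  1 10:03:05 gw in.telnetd[3103]: connect from dialup7.example.net",
    "Jun  1 10:03:09 gw login[3104]: FAILED LOGIN 1 FROM dialup7.example.net FOR bishop",
    "Jun  1 10:03:15 gw login[3104]: FAILED LOGIN 2 FROM dialup7.example.net FOR bishop",
    "Jun  1 10:03:20 gw login[3104]: FAILED LOGIN 3 FROM dialup7.example.net FOR bishop",
    "Jun  1 10:04:00 gw login[3105]: FAILED LOGIN 1 FROM ws12.site.com FOR jane",
    "Jun  1 10:04:07 gw login[3106]: LOGIN ON pts/2 BY jane",
]

# Analyzer rule from the slide: /telnet/ & !/localhost/ & !/*.site.com/
TELNET = re.compile(r"telnet")
TRUSTED = re.compile(r"localhost|\.site\.com\b")

def foreign_telnets(lines):
    """Lines showing a telnet connection that is neither local nor from site.com."""
    return [l for l in lines if TELNET.search(l) and not TRUSTED.search(l)]

FAILED = re.compile(r"FAILED LOGIN \d+ FROM \S+ FOR (\S+)")
SUCCESS = re.compile(r"LOGIN ON \S+ BY (\S+)")

def lockout_candidates(lines, threshold=3):
    """Users with `threshold` failed logins in a row; a successful login resets the run."""
    streak = defaultdict(int)
    disabled = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user = m.group(1)
            streak[user] += 1
            if streak[user] == threshold:      # exactly at the threshold: act once
                disabled.append(user)
            continue
        m = SUCCESS.search(line)
        if m:
            streak[m.group(1)] = 0
    return disabled

def notifier_actions(lines):
    """Notifier: 'mail staff' per foreign telnet, disable + notify per locked-out user."""
    actions = [("mail staff", l) for l in foreign_telnets(lines)]
    actions += [("disable account, notify sysadmin", u) for u in lockout_candidates(lines)]
    return actions
```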
Application Logging
- Application logs are made by applications
  - Applications control what is logged
  - Typically use high-level abstractions such as:
    su: bishop to root on /dev/ttyp0
  - Do not include detailed, system-call-level information such as results, parameters, etc.

System Logging
- Logs system events such as kernel actions
  - Typically uses low-level events, e.g. this system call trace of su:
    3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
    3876 ktrace NAMI "/usr/bin/su"
    3876 ktrace NAMI "/usr/libexec/ld-elf.so.1"
    3876 su RET xecve 0
    3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
    3876 su RET __sysctl 0
    3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
    3876 su RET mmap 671473664/0x2805e000
    3876 su CALL geteuid
    3876 su RET geteuid 0
  - Does not include high-level abstractions such as loading libraries
Contrast
- Differ in focus
  - Application logging focuses on application events, like failure to supply a proper password, and the broad operation (what was the reason for the access attempt?)
  - System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?)
- System logs are usually much bigger than application logs
- Can do both and try to correlate them
Access Control
Collection of mechanisms that permits managers of a system to exercise a directing influence over the behavior, use and content of the system
- System Access Control
- Password and other authentication
- System Auditing
- Discretionary Access Control (DAC)
- Access Control List
- Mandatory Access Control (MAC)
- Reference Monitor
UNIX File System
- Ordinary files
- Directory files
- Special files

Basic Access Control
From an ls -l command you will see the following 10-character mode string:
- 1: type of file
- 2-4: owner's permissions
- 5-7: group's permissions
- 8-10: others' permissions

PERMISSION       MEANING
- rwx rwx rwx    File. Everyone can read, write and execute this.
- rwx r-x r-x    File. Everyone can read and execute this but only the owner can write to it.
- r-- r-- ---    File. The owner and everyone in his group can only read this file, but the others have no access to it.
d rw- rw- rw-    Directory. Everyone can read and write. No one, including the owner, can traverse it.
l rwx r-x r-x    Link. The permissions for a link generally do not matter.
Access Control List - UNIX
An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties.
An ACL entry contains:
- Attributes: define special file modes such as SETUID, SETGID and the sticky bit
- Base permissions: reflect the basic access rights
- Extended permissions: specify, permit, deny
Access Control List

ACL ENTRY                                    DESCRIPTION
1. attributes: setuid, setgid, stickybit     Special file modes.
2. base permissions                          Standard Unix file permissions.
3. owner(owner_user): rwx                    Owner and access rights.
4. group(owner_group): r-x                   Group and access rights.
5. others: r--                               Others' rights.
6. extended permissions                      Additional ACL entries.
7. enabled                                   Extended permissions enabled or disabled.
8. permit --x u:some_user, g:some_group      Permits access to the specified user-group combination in a boolean AND manner.
9. deny rwx g:a_group                        Forbids access to the specified user-group combination in a boolean AND manner.
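An added example, not from the slides, covering both the Basic Access Control slide (parsing the ls -l mode string) and the ACL table above: it evaluates the rights a user with a given set of groups receives from base permissions plus extended permit/deny/specify entries, matching u: and g: identifiers in boolean AND fashion. The permit/deny semantics (permit adds, deny removes and wins, specify sets exactly) are assumed AIX-like behaviour, not stated on the slides; the ACL, user and group names are constructed.

```python
# Assumed AIX-style semantics (the slides only name the entries): base permissions
# come from owner/group/others as in ls -l; if extended permissions are enabled,
# each matching "permit" adds rights, "specify" sets them exactly, and a matching
# "deny" removes rights and wins over any permit.

def parse_rwx(triple):
    """'r-x' -> {'r', 'x'}; rejects anything that is not a 3-character rwx field."""
    if len(triple) != 3 or any(c not in ok for c, ok in zip(triple, ("r-", "w-", "x-"))):
        raise ValueError("bad permission field: %r" % triple)
    return {c for c in triple if c != "-"}

def parse_ls_mode(mode):
    """'-rwxr-xr--' -> (type, owner, group, others): positions 1, 2-4, 5-7, 8-10."""
    if len(mode) != 10 or mode[0] not in "-dlcbps":
        raise ValueError("bad mode string: %r" % mode)
    return mode[0], parse_rwx(mode[1:4]), parse_rwx(mode[4:7]), parse_rwx(mode[7:10])

def entry_matches(ids, user, groups):
    """All 'u:name' and 'g:name' ids of one entry must match (boolean AND)."""
    for ident in ids:
        kind, _, name = ident.partition(":")
        if (kind == "u" and name != user) or (kind == "g" and name not in groups):
            return False
    return True

def effective_access(acl, user, groups):
    """Rights (subset of {'r','w','x'}) the user, with these groups, gets on the object."""
    if user == acl["owner"]:
        rights = set(acl["base"]["owner"])
    elif acl["group"] in groups:
        rights = set(acl["base"]["group"])
    else:
        rights = set(acl["base"]["others"])
    if not acl["enabled"]:               # entry 7 on the slide: extended perms disabled
        return rights
    denied = set()
    for kind, perms, ids in acl["extended"]:
        if not entry_matches(ids, user, groups):
            continue
        if kind == "permit":
            rights |= set(perms)
        elif kind == "specify":
            rights = set(perms)
        elif kind == "deny":
            denied |= set(perms)
    return rights - denied

# Constructed ACL mirroring the slide's table (names are placeholders).
SAMPLE_ACL = {
    "owner": "owner_user", "group": "owner_group", "enabled": True,
    "base": {"owner": parse_rwx("rwx"), "group": parse_rwx("r-x"), "others": parse_rwx("r--")},
    "extended": [
        ("permit", "x", ["u:some_user", "g:some_group"]),  # 8. permit --x u:some_user, g:some_group
        ("deny", "rwx", ["g:a_group"]),                     # 9. deny rwx g:a_group
    ],
}
```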
Auditing
- A feature which provides accountability for all system activities, from file access to network and database
- Each audit event, such as a user login, is formatted into fields such as the event type, user id, file names and time
- Audit events
  - Administrative event class
    - Security administrator events
    - System administrator events
    - Operator events
  - Audit event class
    - Describes the operation of the audit system itself
Windows File System
- Supports two file systems
  - FAT (File Allocation Table)
    - Does not record security information such as the owner or access permissions of a file or directory
  - NTFS (New Technology File System)
    - Supports a variety of multi-user security models
- NTFS vs FAT
  - Fault tolerance
  - Access control by directory or file
  - Can compress individual files or directories
  - POSIX support
Access Control List - Windows
- Data structure of an ACL
  - ACL size: number of bytes of memory allocated
  - ACL revision: revision number for the ACL's data structure
  - ACE count: number of ACEs in the ACL
- Access Control Entries contain the following access control information:
  - A security identifier (SID)
  - An access mask, which specifies access rights
  - A set of bit flags that determine which child objects can inherit the ACE
  - A flag that indicates the type of ACE
ACE Types
- 3 generic types
  TYPE               DESCRIPTION
  Access-denied      Used in a DACL to deny access.
  Access-allowed     Used in a DACL to allow access.
  System-audit       Used in a SACL to log attempts to access.
- 3 object-specific ACE types
  TYPE                               DESCRIPTION
  Access-denied, object-specific     Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
  Access-allowed, object-specific    Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
  System-audit, object-specific      Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.
Access Rights
- Generic Access Rights
  CONSTANT IN WIN32 API    MEANING
  GENERIC_ALL              Read, write, and execute access
  GENERIC_EXECUTE          Execute access
  GENERIC_READ             Read access
  GENERIC_WRITE            Write access
- Standard Access Rights
  CONSTANT IN WIN32 API    MEANING
  DELETE                   The right to delete the object.
  READ_CONTROL             The right to read the information in the object's security descriptor, not including the information in the SACL.
  SYNCHRONIZE              The right to use the object for synchronization. Some object types do not support this access right.
  WRITE_DAC                The right to modify the DACL in the object's security descriptor.
  WRITE_OWNER              The right to change the owner in the object's security descriptor.
- Other rights: SACL access rights, object-specific access rights, user rights
How Access Control Works?
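An added example, not from the slides, showing how a Windows access check walks a DACL made of the ACE types and access rights listed above: ACEs are evaluated in order, a matching access-denied ACE that covers a still-requested right denies, and access-allowed ACEs grant rights until none remain. The bit values are the real Win32 constants; the DACL, the domain SID (placeholder) and the token contents are constructed, and the check deliberately ignores owner implicit rights, privileges and inheritance flags.

```python
from collections import namedtuple

# Real Win32 values (winnt.h) for the rights named on the slide.
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000
WRITE_OWNER, SYNCHRONIZE = 0x00080000, 0x00100000
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000

# Generic rights are translated through the object type's generic mapping before
# the check; these are the file-object values (FILE_GENERIC_READ, etc.).
FILE_GENERIC_MAPPING = {GENERIC_READ: 0x00120089, GENERIC_WRITE: 0x00120116,
                        GENERIC_EXECUTE: 0x001200A0, GENERIC_ALL: 0x001F01FF}

# One ACE as on the slide: type, trustee SID, access mask (inheritance flags omitted).
ACE = namedtuple("ACE", "type sid mask")

def map_generic(mask, mapping=FILE_GENERIC_MAPPING):
    """Replace GENERIC_* bits in a mask with the specific rights they stand for."""
    for generic, specific in mapping.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def access_check(dacl, token_sids, desired):
    """Simplified Windows DACL walk (assumption: no owner rights, no privileges).

    ACEs are examined in list order.  The first access-denied ACE for one of the
    caller's SIDs that covers a still-wanted right denies; access-allowed ACEs
    strip granted rights from the request until nothing is left."""
    if dacl is None:                        # NULL DACL: no protection at all
        return True
    remaining = map_generic(desired)
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        mask = map_generic(ace.mask)
        if ace.type == "deny" and mask & remaining:
            return False
        if ace.type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0                   # empty DACL or ungranted bits: denied

# Constructed DACL: a domain user (placeholder SID) is explicitly denied
# WRITE_DAC/WRITE_OWNER and allowed read; Administrators (real SID S-1-5-32-544) get all.
SAMPLE_DACL = [
    ACE("deny",  "S-1-5-21-PLACEHOLDER-1105", WRITE_DAC | WRITE_OWNER),
    ACE("allow", "S-1-5-21-PLACEHOLDER-1105", GENERIC_READ),
    ACE("allow", "S-1-5-32-544", GENERIC_ALL),
]
USER_TOKEN = {"S-1-5-21-PLACEHOLDER-1105", "S-1-1-0"}    # S-1-1-0 is Everyone
ADMIN_TOKEN = {"S-1-5-32-544", "S-1-1-0"}
```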
Automated Tools By Category
Enterprise Vulnerability Management
- Hercules AVR (Citadel)
- Class 5 AVR (Secure Elements)
Vulnerability Assessment
- Retina Network Security Scanner (eEye)
- FoundScan Engine (Foundstone)
- STAT Scanner (Harris)
- Internet Scanner (ISS)
- SiteProtector (ISS)
- System Scanner (ISS)
- Microsoft Baseline Security Analyzer (Microsoft)
- IP360 Vulnerability Management System (nCircle)
- Nessus Scanner (Nessus)
- SecureScout SP (NexantiS)
- QualysGuard Scanner (Qualys)
- SAINT Scanning Engine (Saint)
- Lightning Console (Tenable)
- NeWT Scanner (Tenable)
- WebInspect (SPI Dynamics)
Patch Management
- System Management Server (Microsoft)
- Windows Update Service (Microsoft)
- PatchLink (PatchLink)
- Big Fix (BigFix)
- UpdateExpert (St. Bernard)
- HFNetChk (Shavlik)
Policy Management
- Active Directory Group Policy Objects (Microsoft)
- Security Policy Management (NetIQ)
- Enterprise Security Manager (Symantec)
- Compliance Center (BindView)
Configuration/Asset Management
- System Management Server (Microsoft)
- TME (Tivoli)
- Unicenter (CA)
- Enterprise Configuration Manager (Configuresoft)
- Asset Management Suite (Altiris)
Conclusion
UNIX vs Windows
- Easy to control system configuration on UNIX
- ACLs are much more complex than traditional UNIX-style permissions
- In basic UNIX, it is impossible to give a number of users different access rights
System Security Policy Files
OPERATING SYSTEMS
Examples:
» XP (NSA Guidelines)
» Win 2000 (NIST Guidelines, NSA Guidelines, SANS Step-By-Step)
» Win 2003 (MS Windows Server 2003 Security Guide)
» NT (SANS Guidelines, MS Security White Paper, US Navy)
» Linux (SANS Step-By-Step)
» Solaris (SANS Step-By-Step)
» AIX (IBM Guidelines)
» HP-UX (HP Guidelines)
» UNIX Samples
» BlockSP2
» Services List
» Services Pack
APPLICATIONS
Examples:
» Applications List
» Internet Explorer
» Word 2000 and Excel 2000 Macro Settings
» IIS Lockdown Guidelines
» IIS Metabase Sample
INSTALLED HARDWARE / SOFTWARE
Examples:
» Anti-Virus
» Hardware List
» USB Storage
» Installed Modems
PATCHING
Examples:
» MS Fixes
» SUN Patches
REGULATIONS
Examples:
» Sarbanes-Oxley
» HIPAA
» FISMA
» GLBA
» ISO17799
Perfect World (almost): A Scenario
- Anytime a machine joins (or re-joins) the corporate network, it is automatically quarantined, assessed, and remediated to bring it into compliance, prior to gaining access to network resources
- Every night, critical vulnerability configuration compliance checks are performed on all Windows desktops and remediated if needed
- Every Saturday, from 2:00 AM – 3:00 AM, newly approved patches are automatically applied to all Windows desktops
- Every Sunday from 2:00 AM – 3:00 AM, all Windows and Unix servers are checked for security policy compliance. Selected items are remediated; other items generate alerts
- During monthly maintenance intervals, Unix and Windows servers are fully patched and rebooted if required
- Monthly, a full, automated network assessment is performed to independently scan for vulnerabilities
- Quarterly, remediation policies are reviewed and updated to incorporate new vulnerability remediations
- Critical, zero-day remediations are applied where needed in the enterprise within an hour of notification and remedy availability
Contact Information
Patti Walker
Director, Technology Risk Management
Phoenix / Las Vegas
(602) 643-1600 (o)
(480) 734-6960 (c)
(602) 643-1606 (f)

Jim Patterson, CISSP, CBCP, CRM
Technology Risk Management
Phoenix / Las Vegas
(602) 643-1600 (o)
(480) 529-9393 (c)
(602) 643-1606 (f)

Jefferson Wells A Manpower Company
11811 N. Tatum Blvd., Suite 3076
Phoenix, Arizona 85028