Establishing effective audit control objectives for UNIX

©2000 Deloitte & Touche LLP. Deloitte & Touche refers to Deloitte & Touche LLP and related entities.
San Francisco Chapter
Establishing Effective
Audit Control Objectives for UNIX
Morning Session
Rick Allen CISSP
Manager Strategic Security Services

Course Introduction

Overview

This course provides a broad overview of Unix security audit technology, presented at an advanced, fast-paced level.

Audience

Security Officers, Internal Auditors, and Systems Implementers in organizations that rely upon complex networked Unix systems environments.

Course Objectives

At the end of the course the student will:

1. Enhance understanding of Unix & network systems security & audit issues
2. Understand Unix default systems & network configurations
3. Identify key objectives and tasks in planning a Unix audit, including basic shell commands used in the audit
4. Understand basic and intermediate Unix control objectives
5. Build Unix Control Objectives into a more effective audit plan
6. Develop a detailed control activities testing matrix for the Unix audit

Morning Course Agenda

Over the next three hours we will learn about:

1. Audit planning considerations in reviewing Unix and network systems environments
2. Approaching Unix Systems Architecture from a Security and Audit point of view
3. Understanding the associated security risks & impact of default Unix systems environments
4. Understanding the basis of Unix & TCP/IP control objectives

Context & Expectation Management
I.T. Audit Roles, Responsibilities & Member Perceptions

1. Unix professionals find limited value in traditional audit approaches
2. Enhancing levels of technical credibility in the Unix audit program is key to success
3. Elements of a successful integrated audit approach include enhanced client relations and communications

To become effective in leveraging the integrated audit approach, the auditor should gain insights into member perceptions.

4. Traditional audit approaches are best suited for auditing application level control assurance to obtain overall control reliance strategies
5. Integrated audit approaches are best suited for auditing critical infrastructure controls against industry and security best practices
6. Delivering integrated audit approach plans establishes audit as a value added consultant while protecting the independence of governance and oversight roles

Unix Audit Considerations

1. The Hacker who breaks into a system will probably be someone known to the organization
   - "Inside Jobs" & Sabotage
   - Planting time & logic bombs
   - Changing root passwords on critical systems; recovery is problematic
   - If you are hacked you probably do not care by whom or for what motivation
2. Trust no one, or be careful about whom you are required to trust
   - Large, simple webs of trust betray weaknesses in the network
3. Don't trust yourself, or verify everything you do
   - Stop, think & verify!
4. Make would-be intruders believe they will be caught
   - Information is the merchandise of the computer age
   - Means to deter must be visible, such as banners and messages. Technical and operational countermeasures must be transparent for maximum effectiveness
5. Protect in Layers
   - The Hacker's Electronic Playbook runs the various system and network layers
   - To provide security you must forward deploy adequate protection controls
   - Understand Defense in Depth concepts: single controls are not resilient, but as a group they provide multiple layers of defense
6. While planning your security strategy, presume the complete failure of any single security layer
   - A properly designed, layer-protected system, application or service should presume a complete or temporary failure of one layer of security
7. Make Security a part of the Initial Design
   - It's always more difficult to retrofit than to proactively design
   - Minimum Security Baseline Configurations are a must have
8. Disable Unneeded Services, Packages and Features
   - Unix systems are shipped with all network services enabled and default permissions
9. Before Connecting, Understand and Secure
   - No matter how urgent, make the time to assess security prior to production release of tools, applications and features
   - Holistic Security practices can enable the business case and mitigate risk while meeting time-to-market objectives
10. Prepare for the Worst
   - Assume that hackers are already scheming to break into your site
   - Preparation will diminish the security risk of intrusion and compromise
   - Quantify risk in dollar loss terms

Innovative thinking about security systems administration & integrating the audit approach
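Considerations 7 and 8 above (a Minimum Security Baseline and disabling unneeded services) can be turned into a repeatable test in the audit's testing matrix. The shell script below is an added example and not part of the original slides: it reads an inetd.conf-style file, lists the services still enabled, and reports every enabled service that is not on an approved baseline list. The inetd.conf content, the function names and the baseline of "ftp only" are all constructed for the example; run the two checking functions against a copy of the real file and the organization's own baseline.

```shell
#!/bin/sh
# Added example (not from the slides): baseline check for enabled inetd
# services. write_sample_inetd produces a constructed inetd.conf so the
# script runs offline; nothing on the host is read or changed.

# Writes a constructed inetd.conf (not from a real host) to the file in $1.
write_sample_inetd() {
  cat > "$1" <<'EOF'
# constructed sample inetd.conf for the example
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
EOF
}

# Prints the service name (first field) of every line that is neither
# blank nor commented out, i.e. every service inetd would still start.
enabled_services() {
  awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# $1: inetd.conf path; $2: space-separated list of services the baseline
# permits. Prints each enabled service that the baseline does not permit.
services_outside_baseline() {
  baseline=" $2 "
  enabled_services "$1" | while read -r svc; do
    case "$baseline" in
      *" $svc "*) ;;                 # permitted by the baseline
      *) printf '%s\n' "$svc" ;;     # enabled but not permitted: a finding
    esac
  done
}

# Runs the check on the constructed sample with a baseline that permits
# only ftp, and prints the findings (telnet and login) one per line.
sample_findings() {
  f=$(mktemp)
  write_sample_inetd "$f"
  services_outside_baseline "$f" "ftp"
  rm -f "$f"
}

sample_findings
```

The comparison is deliberately an allow-list: anything not explicitly approved is reported, which is the direction an audit test should run when the vendor default is "everything enabled".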
Unix Architecture Principles

- Minimize Number of Failure Points (Shorten & Limit Critical Paths); includes Minimum Security Baseline Configurations
- Keep services close to those being served: act locally, communicate globally
- Vertically align services with applications, function and mission
- Network Partitioning

Unix Systems Architecture
What is an architecture?

The collection of elements that work together to fulfill the intended objective. The Unix operating system is a vast array of elements, each providing a feature or function of the architecture.

Examples:
- A local area file-sharing system for a workgroup
- A software development platform connected to an interactive service provider
- An extranet deployed over public networks to connect various system types over global geographies
- Your organization's interactive services & applications: B2B, B2C and so on

Sample Systems Architecture

[Diagram: Internet, Perimeter Router & Unix Firewall, Load Balancer, Unix Web Servers, Interior Router, Interior Network Switch, Internal Unix Clients, External Unix Clients]

Unix Systems Architecture
Simple vs. Complex Architectures?

A Hacker, when given a choice, would choose a complex system or cluster of systems in an architecture to attack, for the following reasons:
- Complex systems inherently contain more components and targets of interest
- Complex systems have a greater likelihood that poor or misconfigured designs are present
- A poorly designed or misconfigured element can be an invitation to attack or exploitation
- Attacks against complex systems are more likely to go unnoticed. Yet attacks are often directed at simple architectures to gain additional footholds

Unix Core Architecture

Unix is made of three core elements: Kernel, Shell, File System.

- Kernel is the heart of the Unix operating system. Its role includes managing memory usage, system hardware and software. Its low level language is below the shell syntax, which maintains processes.
- Shell is a higher level language handling command interpretation and syntax parsing. Shell syntax is used to develop scripts that provide high level programming functionality. Common shells include the C Shell, Korn Shell and Bourne Shell.

Unix Core Architecture
The File System

File Systems in Unix divide into 3 categories: Directories, Ordinary Files, Special Files.

/ (root, system level)
|-- /unix
|-- /etc
|-- /dev
|-- /tmp
|-- /lib
|-- /usr
|   |-- /john
|   |   |-- .profile
|   |   |-- /mail
|   |   |-- /pers
|   |   |-- /games
|   |   |-- /bin
|   |   `-- /data
|   `-- /cathy
`-- /bin

Unix Core Architecture
The Basic File System

/ (root, system level): /unix, /etc, /dev, /tmp, /lib, /usr, /bin

- /unix is the kernel
- /etc contains sysadmin files; most are available to regular users also. It contains the passwd file. Other files in /etc include:
  - /etc/passwd
  - /etc/utmp
  - /etc/adm/sulog
  - /etc/motd
  - /etc/group
  - /etc/conf
  - /etc/profile
- /dev contains files for physical devices such as printers and disk drives
- /tmp holds temporary files
- /lib is the directory that contains programs for high level languages
- /usr contains directories for each user on the system
- /bin contains commands and executable programs
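Of the /etc files listed above, /etc/passwd is the one an auditor reads first, because its field layout (name:password:uid:gid:gecos:home:shell) directly encodes who can log in without a password and who holds root privilege. The script below is an added example, not part of the slides: it runs three controls over a passwd-format file and prints one finding per line. The sample file content and the finding labels are constructed for the example; point audit_passwd at a copy of the real file when reviewing a host.

```shell
#!/bin/sh
# Added example (not from the slides): audit controls over a passwd-format
# file. The sample accounts below are constructed; they are not from a
# real system.

# Writes a constructed passwd file to the path in $1.
write_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/:/bin/sh
toor::0:0:constructed second uid-0 account:/:/bin/sh
john:x:1001:100:John:/usr/john:/bin/ksh
cathy:x:1002:100:Cathy:/usr/cathy:/bin/csh
guest::1003:100:Guest:/tmp:/bin/sh
backup:x:1001:100:constructed duplicate uid:/usr/backup:/bin/sh
EOF
}

# Controls applied to each line (fields split on ':'):
#   EMPTY_PASSWORD  the password field is empty, so no password is required
#   EXTRA_UID0      an account other than root has UID 0 (full root privilege)
#   DUPLICATE_UID   two accounts share one UID, so file ownership and
#                   accountability cannot distinguish them
# Lines with fewer than seven fields are reported as MALFORMED and skipped.
audit_passwd() {
  awk -F: '
    NF < 7                  { print "MALFORMED " $0; next }
    $2 == ""                { print "EMPTY_PASSWORD " $1 }
    $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
    $3 in seen              { print "DUPLICATE_UID " $1 " shares uid " $3 " with " seen[$3] }
                            { seen[$3] = $1 }
  ' "$1"
}

# Number of findings, so the result can be used as a pass/fail gate.
count_findings() {
  audit_passwd "$1" | wc -l | tr -d ' '
}

# Runs the controls on the constructed sample and prints the findings.
sample_audit() {
  f=$(mktemp)
  write_sample_passwd "$f"
  audit_passwd "$f"
  rm -f "$f"
}

sample_audit
```

On systems that keep the hashes in a shadow file the password field of /etc/passwd holds a placeholder such as "x", so an empty field there still means "no password required" and the EMPTY_PASSWORD control remains valid; the shadow file needs its own, separate check.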

Unix Core Architecture
Basic File System Navigation 1

(Same directory tree as above: / with /unix, /etc, /dev, /tmp, /lib, /usr, /bin; /usr holds /john and /cathy; /usr/john holds .profile, /mail, /pers, /games, /bin, /data.)

To go back one directory up, type:

$ cd ..

Or, to go back to your parent directory, just type "cd".

Unix Core Architecture
Basic File System Navigation 2

Listing file directories, assuming you're in the parent directory:

$ ls /usr/john
Mail
Pers
Games
Bin
Data

Unix Core Architecture
Basic File System Navigation 3

$ ls -la /usr/john
Total 60
-rwxr-x   5 john bluebox 10 april 9 7:04 mail
drxw      7 john bluebox 30 april 2 4:09 pers

Note: The "total 60" tells you the amount of disk space used in the directory.

The first column is read in 3 groups of 3: the first group specifies the permissions of the user (owner), the second for the group, the third for others.

Unix Core Architecture
Basic File System Navigation 4

The chmod command changes the permissions of a directory or a file. You can use symbolic or octal notation:

$ chmod o+r mail
OR
$ chmod 754 mail

$ ls -la mail
-rwxr-xr   5 john bluebox 10 april 9 7:04 mail
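The two chmod forms above are equivalent only because the starting permissions were rwxr-x--- (octal 750): the symbolic form adds one bit relative to whatever is there, while the octal form sets all nine bits absolutely. The script below is an added example and not part of the slides: octal_to_symbolic reproduces the "3 groups of 3" reading of the first ls column for any three-digit mode, and chmod_demo applies both chmod forms to a scratch directory under mktemp and shows the resulting field. The function names and the use of mktemp, ls -ld and cut are my choices; the slide's own mail directory is not touched.

```shell
#!/bin/sh
# Added example (not from the slides): reading and setting the permission
# field. Everything runs in a temporary directory that is removed at the end.

# Converts a three-digit octal mode (owner, group, other) to the rwx string
# ls prints, one group of three characters per digit.
octal_to_symbolic() {
  out=""
  for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
    case $digit in
      0) out="${out}---" ;;  1) out="${out}--x" ;;
      2) out="${out}-w-" ;;  3) out="${out}-wx" ;;
      4) out="${out}r--" ;;  5) out="${out}r-x" ;;
      6) out="${out}rw-" ;;  7) out="${out}rwx" ;;
      *) return 1 ;;          # not an octal digit
    esac
  done
  printf '%s\n' "$out"
}

# Prints the 10-character type-plus-permission field of ls -ld for a path.
# cut drops the extra marker (+ or .) some systems append for ACLs or
# security labels, so the comparison below is portable.
perm_field() {
  ls -ld "$1" | cut -c1-10
}

# Starts a directory at 750 (the rwxr-x prefix shown in the slide's listing),
# grants "others" read with the symbolic form, resets to 750, and repeats
# with the absolute octal form 754. Prints: before, after-symbolic,
# after-octal, space separated.
chmod_demo() {
  d=$(mktemp -d)
  mkdir "$d/mail"
  chmod 750 "$d/mail";  before=$(perm_field "$d/mail")
  chmod o+r "$d/mail";  symbolic=$(perm_field "$d/mail")
  chmod 750 "$d/mail"
  chmod 754 "$d/mail";  octal=$(perm_field "$d/mail")
  rm -rf "$d"
  printf '%s %s %s\n' "$before" "$symbolic" "$octal"
}

chmod_demo   # prints: drwxr-x--- drwxr-xr-- drwxr-xr--
```

For audit work the octal form is the one to record in a testing matrix, because it states the intended end result rather than a delta from an unknown starting point.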
Unix Core Architecture
Key Concepts to keep in mind

- Virtually all information stored on a Unix system is stored in the file system
- The file system consists of the operating system (kernel), system files, application programs and data
- Device files such as memory, disks and peripherals are actually part of the file system
- File system permission and access controls are provided for all files, including networking and device files
- Example, indirect device references: /dev/dsk/c0t3d0s0 is actually a logical link to /devices/iommu@f,e0000000/sbus@f,e0001000/espdma@f,800000/sd@3,0:a

Unix Core Elements & Systems Defaults
Why this is important: anatomy of a systems hack!

- Attacker selects target by company or computing / network environment
- Goal is to identify the target's Internet footprint
- Attacker searches for system identifiers using basic and stealth techniques to evade detection
  - Version Numbers and Service Banners
  - IP Address and Host/Domain Name Info
- Identify potential targets in decreasing order of likelihood of penetration
- Default Unix systems can be "owned" in a matter of minutes

Understanding Unix System Defaults
First steps in building effective control objectives!

- Finishing a full Unix systems installation
  - Servers use Entire Distribution
  - Power Work Stations use Developer Distribution
  - Low End Work Stations use End User Distribution
- Once complete, with default file system partitioning now in place, it's time to configure the system