Copyright 2001 Marchany1 Auditing Networks, Perimeters and Systems Unit 5: Audit Checklist using CIS Rulers: Procedural, Perimeter, and UNIX The SANS Institute.

Slide 1: Auditing Networks, Perimeters and Systems. Unit 5: Audit Checklist using CIS Rulers: Procedural, Perimeter, and UNIX. The SANS Institute (Copyright 2001 Marchany)

Slide 2: Applying TBS to the real world!
- Top Ten Vulnerabilities: the vulnerabilities responsible for most hacks
- Apply TBS as an approach to an effective, understandable security policy
  - Basics
  - Perimeter
  - Unix
  - NT
  - Windows 2000

Slide 3: The TBS Audit Layers
- A complete IT audit is a set of component audits. You should be able to measure E, D and R times for each layer of the security architecture.
- Components
  - Procedural: E = D + R
  - Perimeter (Firewall): E = D + R
  - UNIX: E = D + R
  - NT/Windows 2000: E = D + R

Slide 4: CIS Rulers
- Rulers list a set of minimal actions that need to be done on a host system.
- This is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Caterpillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Edu Testing Services and others).
- Can't develop your own set? Use these!

Slide 5: CIS Rulers: A Security and Audit Checklist
- Level 1
  - Mandatory actions required regardless of the host's location or function.
- Level 2
  - Dependent on your network topology
  - Different for switched nets vs. shared nets vs. wireless nets, etc.

Slide 6: CIS Rulers: Security Checklist & Audit Plan
- Level 3
  - Application specific (WWW, FTP, DB, Auth)
- Procedural
  - Examines the policies in place.
  - This is the policy review checklist.
[Diagram: Level 1 at the base; Level 2 split into Switched, Wireless and Non Switched; Level 3 split into FTP, WWW, DB and Mail]

Slide 7: CIS Rulers: Procedural
- General Administration Policies
- Key security tools installed
- User Accounts and environment
- System Logs
- Network File sharing
- General Issues
- This review is done during the Audit Planning Phase of the audit process

Slide 8: CIS Ruler: Procedural
- General Administration Policies
  - Acceptable Use Policy
  - Backup Policy
  - Security Administrator duties
  - Whois contact information (Tech/Admin)
  - System changelogs (source revision control)
  - Incident Response
  - Minimum software requirements
  - User, temp, system account policies
  - Patches

Slide 9: CIS Ruler Example: Backups
- Does a backup policy exist?
- Do backup logs exist?
- What data is backed up
- How often data is backed up
- Type of backup (full, differential, etc.)
- How the backups are scheduled and verified
- How the backup media is handled and labeled
- How the backup media is stored
- How long the backup media is retained
- How backup media is rotated and expired
- How backup data is recovered

Slide 10: CIS Ruler: Procedural
- Key security tools installed
  - Network routers implement minimum filtering requirements
  - Verify network routers are properly configured and monitored for in/out traffic
  - Are all firewalls properly configured and monitored for in/out traffic?
  - The above rules prevent DDoS attacks from affecting other nets.

Slide 11: CIS Ruler: Procedural
- User Accounts and Environment
  - Remove obsolete user entries from the system
- System Logs
  - How long are they kept? Are they secured?
- Network file sharing
  - Review what filesystems this system can access
  - Review what filesystems this system exports
- Policy
  - Abuse Policy?

Slide 12: CIS Ruler: Written Documentation and Policies
- Where is it?
- Is it available to anyone that needs it?
- Is it up to date?
- Is anything major missing (SGI policies, but no HP policies)?

Slide 13: CIS Ruler Example: Security Policy
- Purpose: the reason for the policy.
- Related documents: lists any documents (or other policy) that affect the contents of this policy.
- Cancellation: identifies any existing policy that is cancelled when this policy becomes effective.
- Background: provides amplifying information on the need for the policy.
- Scope: states the range of coverage for the policy (to whom or what does the policy apply?).
- Policy statement: identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization.
- Action: specifies what actions are necessary and when they are to be accomplished.
- Responsibility: states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated.

Slide 14: Procedural: Incident Response Plan
- Are the six Incident Response steps covered?
  - Preparation
  - Identification
  - Containment
  - Eradication
  - Recovery
  - Lessons Learned (if there are no lessons-learned documents, either the plan isn't followed or no incidents have occurred)


Slide 17: Procedural: Training & Education
- Do technical people have the training to do their job competently?
- Are there standards their skills can be measured against?
- Are there standards of compliance that ensure they are using their training in accordance with policy?

Slide 18: Procedural: Physical Security
- Consoles in physically secure areas?
- Fire suppression?
- Backups? Offsite backups?
- Network components secured?
- Phone wiring secured?

Slide 19: Procedural: Windows 2000
- These are based on the SANS "Securing Windows 2000" booklet.
- Least Privilege Principle
- Avoid granting unnecessary Admin privileges.
- Limit Domain Trust.
- Restrict modems in workstations and servers.
- Limit access to sniffer software (Network Monitor).

Slide 20: Procedural: Windows 2000
- Keep system software updated.
- Update and practice a Recovery Plan.
- Require strong passwords.
- Require password-protected screen savers.
- Establish Auditing and Review Policies.
- Require Administrators to have both a User and an Administrator account.
- Require antivirus software.
- Install host-based IDS.
- Perform periodic low-level security audits.

Slide 21: CIS Procedural Ruler Review
- Procedural rulers give you a starting point for determining your site's policy pie
- These policies include acceptable use, privacy, incident response, accountability, backup and any other appropriate action
- The CIS procedural ruler is a consensus list of practices done at the charter members' sites.

Slide 22: CIS Level 1 Ruler: Unix
- Patches
- Key Security Tools Installed
- System Access, authentication, authorization
- User Accounts and Environment
- Kernel Level TCP/IP tuning
- Kernel Tuning

Slide 23: CIS Level 1 Ruler: Unix
- Batch Utilities: at/cron
- UMASK issues
- File/Directory Permissions/Access
- System Logging
- SSH
- Minimize network services

Slide 24: CIS Level 1 Ruler: Unix
- Minimize RPC network services
- Minimize standalone network services
- General Issues
- X11/CDE
- General Administration Policies
- Specific Servers
  - www, ftp, DB, Mail, NFS, Directory, Print, Syslog

Slide 25: CIS Level 1 Unix Ruler: Patches
- Define a regular procedure for checking, assessing, testing and applying the latest vendor-recommended and security patches.
- Keep 3rd party application patches updated.
- Why?
  - The first line of defense is proper patch/Service Pack installation.
  - Patches are living and need to be updated regularly

Slide 26: CIS Level 1 Unix Ruler: Security Tools
- These tools help decrease your detection time, D
- Install the latest version of TCP Wrappers on appropriate network services
- SSH for login, file copy and X11 encryption
- Install a cryptographic file signature tool to monitor changes in critical system binaries and config files (Tripwire)

Slide 27: CIS Level 1 Unix Ruler: Security Tools
- Install Portsentry or similar personal FW software
- Run NTP or some other time sync tool
- Run "logcheck" or a similar syslog analysis or monitoring tool
- Install the latest version of sudo

Slide 28: CIS Level 1 Unix Ruler: Access, Authorization
- No trusted hosts features: .rhosts, .shosts or /etc/hosts.equiv
- Create an appropriate banner for any network interactive service
- Restrict direct root login to the system console
- Verify the shadow password file format is used
- Verify PAM configuration

Slide 29: CIS Level 1 Unix Ruler: Kernel-Level TCP/IP Tuning
- System handling of ICMP packets is secured
- System handling of source-routed packets is secured
- System handling of broadcast packets is secured
- Use strong TCP Initial Sequence Numbers
- Harden against TCP SYN flood attacks

Slide 30: CIS Level 1 Unix Ruler: Kernel Level Tuning, Batch Utilities
- Enable kernel-level auditing
- Enable stack protection
- Ensure ulimits are defined in /etc/profile and /etc/.login
- Restrict batch file access to authorized users
- Ensure cron files are only readable by root or the cron user

Slide 31: CIS Level 1 Unix Ruler: UMASK, File Perms, Access
- Set daemon umask to 022 or stricter
- Set user default umask (022 or 027)
- Console EEPROM password enabled?
- Check /dev entries for sane ownership and permissions
- Mount all filesystems RO or NOSUID
- All filesystems except / mounted NODEV

Slide 32: CIS Level 1 Unix Ruler: File Perms and Access
- Verify passwd, group, shadow file perms
- Verify SUID, SGID system binaries
- Disable SUID, SGID on binaries only used by root
- No world-writable dirs in root's search path
- Sticky bit set on all temp directories
- No NIS/NIS+ features in passwd or group files if NIS/NIS+ is disabled

Slide 33: See what we can find

    /usr/bin/find / -local -type f -name '.rhosts' -exec ls -al {} \; -exec cat {} \; 2>/dev/null    (.rhosts)
    /usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal {} \; 2>/dev/null           (SUID files)
    /usr/bin/find / -local -type f -user root -perm -2000 -exec ls -dal {} \; 2>/dev/null           (SGID files)
    find / \( -local -o -prune \) -perm -<mode> -print        (the permission mode is not legible on the slide)
    find / -name .netrc -print
    find / -perm -1000 -print                                  (sticky bit)

Note: -local is a Solaris find option that restricts the search to local filesystems; on other systems use -xdev or -mount.

Slide 34: Audit Report Example
Audit Method: ls -la (list files) against critical files to determine their permissions
Finding: Several system configuration files in /etc are writable
Risk Level: High
Security Implication: The /etc directory is critical for establishing the operating configuration of many system services, including startup and shutdown. If an attacker is able to modify these files, it may be possible to subvert privileged operating system commands.
Recommendation:
- Change permissions of all files in /etc to be writable by root or bin only.

Slide 35: /dev Permissions Exhibit

    # ls -l /dev
    total 72
    -rwxr-xr-x 1 root root Sep MAKEDEV
    crw root sys 14, 4 Apr audio
    crw root sys 14, 20 Apr audio1
    brw-rw root disk 32, 0 May cm206cd
    crw--w--w- 1 root root 5, 1 May 26 15:17 console
    brw root floppy 2, 1 May fd1
    brw-rw root disk 16, 0 May gscd
    brw-rw root disk 3, 0 May hda
    brw-rw root disk 3, 1 May hda1
    brw-rw root disk 3, 10 May hda10
    brw-rw root disk 3, 11 May hda11
    brw-rw root disk 3, 12 May hda12
    brw-rw root disk 3, 13 May hda13
    brw-rw root disk 3, 14 May hda14
    brw-rw root disk 3, 15 May hda15
    brw-rw root disk 3, 16 May hda16

(Some columns of the listing, such as link counts and group permission bits, did not survive the transcript.)

Slide 36: World-Writeable and SUID/SGID Files
Audit Method: Find commands were executed on the servers to locate all files with world-writeable permissions and SUID/SGID permissions. The output was redirected to appropriate files for later analysis.
Finding: A large number of world-writeable and SUID/SGID files were found on the server XYZ. Further, a number of files in the /usr, /opt and /var directories allow all users to have write permission.
Security Implication: World-writeable files allow any user or an intruder to change the contents of a file, affecting information integrity. Also, for executable files, an intruder may replace the file with a trojan horse that can damage the system and its integrity. SUID/SGID files execute with the privilege of the owner/group. These can be subverted by an unauthorized user or intruder to escalate their privilege to those of the owner/group of the SUID/SGID file.
Risk Level: High
Recommendation:
- Review all world-writeable and SUID/SGID files on the system. Using freeware tools like fix-modes or YASSP can facilitate identifying and correcting the permissions on files. After the review, create a list of all the remaining "approved" world-writeable and SUID/SGID files on the system and store it in a secure place. Periodically, check the system against this list to identify changes and ensure that such changes are approved.
- NFS shared files, especially files in /usr, /opt and /var, should be exported read-only to specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like /tmp, /dev and /) should be mounted with the nosuid option to prevent the inadvertent granting of SUID privilege on NFS-mounted files.
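The find commands on slide 33 and the "approved list" recommendation on slide 36 together describe a procedure; the script below is an added example (not the slides' or CIS's own tooling) that implements it: inventory SUID, SGID and world-writable files, keep a baseline, and report drift. It assumes GNU or BSD find (-xdev in place of the Solaris-only -local) and a POSIX shell; the temp-dir layout used in its usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the SANS/CIS slides): implement the slide 36
# recommendation by inventorying SUID, SGID and world-writable files under a
# tree, keeping an "approved" baseline, and reporting anything that changed.
# Assumes GNU or BSD find; -xdev stands in for the Solaris-only -local used on
# slide 33. Paths containing newlines are not handled.

# Inventory of files of interest as sorted "TAG path" lines. A file that is
# both SUID and world-writable appears once per tag.
inventory_files() {
    root=$1
    {
        find "$root" -xdev -type f -perm -4000 -print | sed 's/^/SUID /'
        find "$root" -xdev -type f -perm -2000 -print | sed 's/^/SGID /'
        find "$root" -xdev -type f -perm -0002 -print | sed 's/^/WORLDW /'
    } | LC_ALL=C sort
}

# World-writable directories that lack the sticky bit (slide 32: "sticky bit
# set on all temp directories"; slide 33's find / -perm -1000).
unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | LC_ALL=C sort
}

# Compare the live inventory with a baseline written by inventory_files.
# NEW lines are files that gained a risky bit (or appeared) since the baseline
# was approved; GONE lines were in the baseline but are no longer found.
baseline_changes() {
    root=$1
    baseline=$2
    inventory_files "$root" | LC_ALL=C comm -13 "$baseline" - | sed 's/^/NEW /'
    inventory_files "$root" | LC_ALL=C comm -23 "$baseline" - | sed 's/^/GONE /'
}

# Number of changes; 0 means the system still matches the approved list.
change_count() {
    baseline_changes "$1" "$2" | wc -l | tr -d ' '
}

# Usage (constructed example, run as the auditor):
#   inventory_files / > /secure/approved-perms.txt    # after the manual review
#   baseline_changes / /secure/approved-perms.txt     # on each periodic check
#   unsticky_world_writable_dirs /                    # should print nothing
```

Store the approved list off the audited host (the slide says "in a secure place") so that a compromise of the system cannot also rewrite the baseline.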

Slide 37: CIS Level 1 Unix Ruler: System Logging and SSH
- Capture messages sent to the syslog AUTH facility (enable system logging)
- Copy syslogs to a central syslog server
- Audit failed logins and su attempts
- Enable system accounting
- Logins allowed via SSH only (no rsh, rlogin, ftp or telnet)

Slide 38: CIS Level 1 Unix Ruler: Reduce Services (/etc/inetd.conf)
- Disable name (UDP)
- Disable exec/rexec (TCP)
- Disable login/rlogin (TCP)
- Disable uucp (TCP)
- Disable systat (TCP)
- Disable netstat (TCP)
- Disable time (TCP/UDP)

Slide 39: CIS Level 1 Unix Ruler: Reduce Net Services (/etc/inetd.conf)
- Disable echo (TCP)
- Disable discard (TCP/UDP)
- Disable daytime (TCP/UDP)
- Disable chargen (TCP/UDP)
- Disable rusersd (RPC)
- Disable sprayd (RPC)
- Disable rwall (RPC)

Slide 40: CIS Level 1 Ruler: Reduce Net Services (/etc/inetd.conf)
- Disable rstatd (RPC)
- Disable rexd (RPC)
- Use TCP Wrappers for all enabled network services (TCP/UDP)

Slide 41: Sample /etc/inetd.conf

    # Shell, login, exec, comsat and talk are BSD protocols.
    #
    shell   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
    login   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
    #exec   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
    #comsat dgram   udp  wait    root        /usr/sbin/tcpd  in.comsat
    talk    dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
    ntalk   dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd

This is a fragment of /etc/inetd.conf in which shell, login, talk, and ntalk probably should be commented out. Note the /usr/sbin/tcpd: this system is probably running TCP Wrappers. More of the file is in the notes pages.
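As an added check (not code from the slides or from CIS), the script below audits an inetd.conf against the services slides 38 to 42 say to disable and flags any enabled service that is not started through tcpd, which is the point slide 41 makes about the fragment above. The sample file it contains is constructed, modelled on that fragment; it assumes a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the SANS/CIS slides): audit an inetd.conf file against
# the inetd services slides 38-42 say to disable, and check that every enabled
# service goes through /usr/sbin/tcpd (TCP Wrappers) as slides 40 and 41 require.
# Assumes a POSIX shell and awk; the sample file below is constructed.

# inetd services the slides say to disable: slides 38-39 (name, exec/rexec,
# login/rlogin, uucp, systat, netstat, time, echo, discard, daytime, chargen),
# slide 41 (shell, talk, ntalk) and slide 42 (finger).
DISABLE_LIST="name exec rexec login rlogin shell uucp systat netstat time echo discard daytime chargen talk ntalk finger"

# Constructed inetd.conf modelled on the slide 41 fragment: shell and login are
# live, exec/comsat are commented out, finger runs without tcpd, ftp is wrapped.
sample_inetd_conf() {
    cat <<'EOF'
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell   stream  tcp  nowait  root        /usr/sbin/tcpd        in.rshd
login   stream  tcp  nowait  root        /usr/sbin/tcpd        in.rlogind
#exec   stream  tcp  nowait  root        /usr/sbin/tcpd        in.rexecd
#comsat dgram   udp  wait    root        /usr/sbin/tcpd        in.comsat
talk    dgram   udp  wait    nobody.tty  /usr/sbin/tcpd        in.talkd
ntalk   dgram   udp  wait    nobody.tty  /usr/sbin/tcpd        in.ntalkd
finger  stream  tcp  nowait  nobody      /usr/sbin/in.fingerd  in.fingerd
ftp     stream  tcp  nowait  root        /usr/sbin/tcpd        in.ftpd -l -a
EOF
}

# Print "service proto server" for every uncommented entry in the file.
# inetd.conf columns: service socktype proto wait user server [args]
enabled_services() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 6 { print $1, $3, $6 }' "$1"
}

# One finding per line: DISABLE for services on the list above, UNWRAPPED for
# enabled services whose server program is not tcpd (so no wrapper logging).
audit_inetd() {
    enabled_services "$1" | while read -r svc proto server; do
        case " $DISABLE_LIST " in
            *" $svc "*) echo "DISABLE: $svc ($proto) is enabled but on the disable list" ;;
        esac
        case "$server" in
            */tcpd) ;;   # wrapped: TCP Wrappers logs and filters the connection
            *) echo "UNWRAPPED: $svc ($proto) starts $server directly, not via tcpd" ;;
        esac
    done
}

# Number of findings; 0 means the file passes this check.
finding_count() {
    audit_inetd "$1" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample; pass a real file path to
# audit_inetd to check a live system.
tmp=$(mktemp)
sample_inetd_conf > "$tmp"
audit_inetd "$tmp"
rm -f "$tmp"
```

Against the sample the script reports shell, login, talk, ntalk and finger as DISABLE findings and finger as UNWRAPPED; ftp passes because slide 38-40's Level 1 list does not cover it (Level 2 on slide 51 does).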

Slide 42: Output Example: Fingerd running
Audit Method: telnet localhost 79 to connect with the local system's finger daemon
Finding: Fingerd is active
Risk Level: Low
Security Implication: Finger can be used to gain reconnaissance information about the system, including the last login time, where a user is logged in from, and information about their shell. This information could be used to set up either a social engineering or trust-model based attack.
Recommendation:
- If finger is not a business-critical application in this environment, disable finger or replace it with free tools such as sfinger.

Slide 43: CIS Level 1 Unix Ruler: Reduce RPC Network Services
- Restrict NFS client requests to originate from privileged ports
- No filesystem should be exported with root access
- Export list restricted to a specific range of addresses
- Export RO if possible
- Export NOSUID if possible

Slide 44: CIS Level 1 Unix Ruler: Mail, X11/CDE
- Use Sendmail v8.9.3 or later. (v is current 6/15/01)
- Restrict the sendmail 'prog' mailer
- Verify privileges and checksums for mail programs
- Ensure the X server is started with Xauth
- Use SSH to access X programs on remote hosts

Slide 45: CIS Level 1 Unix Ruler: User Accts, Environment
- Enforce strong passwords
- No null passwords
- Remove root-equivalent users (UID=0)
- No "." in root's PATH
- No dotfiles world- or group-writable
- Remove .netrc, .exrc, .dbxrc files
- User $HOME dirs should be < 755

Slide 46: TBS Example Using E=D+R

Security policy: an automated script that checks the password file for users with UID 0 (superuser access) returns user "zippy".

Syslog is checked:

    Apr 15 21:07:59 6C: goodnhacked.com telnetd[5020]: connect from some.com
    Apr 15 21:08:18 6E: goodnhacked.com login[5021]: as zippy

IDS returns:

    21:07:16.63 badguy.com > goodnhacked.com.5135: udp
    21:07:16.66 goodnhacked.com.5135 > badguy.com.26617: udp

Port 5135 is the SGI Object Server, which has a known vulnerability.

Slide 47: CIS Level 1 Ruler Review
- The previous action items should be done on any Unix system on your network regardless of its function
- A similar checklist is being developed for Windows
- The Level 1 rulers impose a minimum security standard on all Unix and Windows 2000 systems.

Slide 48: CIS Level 2 Rulers
- Once the Level 1 rulers have been applied, you pick the appropriate Level 2 ruler.
- This is very organization specific. What works at my site might not apply at yours.
- Additional services may be disabled if they aren't needed.

Slide 49: CIS Level 2 Ruler: Unix
- Kernel-level TCP/IP tuning
- Physical Console Security
- SSH
- Minimize network services
- Minimize RPC network services
- General issues
- X11/CDE

Slide 50: CIS Level 2 Ruler: Unix
- Kernel Tuning
  - Network options for non-router machines
  - Disable multicast
- Physical Console Security
  - Enable the EEPROM password. Who knows it?
- SSH
  - Restrictively configure it

Slide 51: CIS Level 2 Ruler: Unix
- Minimize Network Services
  - Disable inetd entirely
  - Disable FTP
  - Disable Telnet
  - Disable rsh/rlogin
  - Disable comsat
  - Disable talk
  - Disable tftp

Slide 52: CIS Level 2 Ruler: Unix
- Minimize network services
  - Disable tftp
  - Disable finger
  - Disable sadmind
  - Disable rquotad
  - Disable CDE Tooltalk server (ttdbserverd)
  - Disable RPC/UDP/TCP ufs
  - Disable kcms_server

Slide 53: CIS Level 2 Ruler: Unix
- Disable fontserver
- Disable cachefs service
- Disable Kerberos server
- Disable printer server
- Disable gssd
- Disable CDE dtspc
- Disable rpc.cmsd calendar server

Slide 54: CIS Level 2 Ruler: Unix
- Minimize Network Services
  - If the FTP service is enabled, see the additional Level 3 requirements for FTP servers
  - If tftp is enabled, use the security option
  - If sadmind is enabled, use the security option

Slide 55: CIS Level 2 Ruler: Unix
- Minimize RPC network services
  - Disable NFS server
  - Disable Automounter
  - Disable NFS client services
  - Add ports 2049, 4045 to the privileged port list
  - Disable NIS
  - Disable NIS+
  - Replace rpcbind with a more secure version

Slide 56: CIS Level 2 Ruler: Unix
- General Issues
  - Don't run sendmail on machines that don't receive mail
  - Remove mail aliases which send data to programs (Vacation)
- X11/CDE
  - Disable CDE if not needed
  - Use the SECURITY extension for the X server to restrict access

Slide 57: CIS Level 2 Ruler Review
- Level 2 rulers are site specific.
- They are more sensitive to vendor software requirements. For example, a vendor product may require that you enable the dreaded r-commands. You have no choice, so you keep an eye on that vulnerability.
- They may impose stricter standards.

Slide 58: CIS Level 3 Ruler Example: Perimeter Defense
- Scope of Impact: the whole site
- Probability of Impact: 100% if connected to the Internet
- Wide variety of opinions
- Every site has a Firewall (FW) of some sort. It may be a packet filtering router or a fancy stateful FW.
- What about wireless nets?

Slide 59: Firewalls: Where's the Threat?
- FWs look to the outside for threats.
- Can be circumvented by the wireless world.
- Don't prevent internal attacks.
- Useless? NO! It's a component of your layered defense. Remember the TBS Layered Defense equations.
- Personal FW software is GOOD!
  - Makes wireless nets more secure!
- What if crimes are committed by someone inside the firewall?

Slide 60: Firewalls require management.
- Someone has to manage the firewall.
  - Someone has to assure that the firewall is configured properly.
  - Someone has to assure that all new applications don't violate security policies.
  - Someone has to review firewall logs.
  - Firewalls generate a HUGE number of logs.

Slide 61: Sample Firewall Ruler
- Firewalls are one part of a layered defense which should include:
  - A properly configured border router.
  - A virus detection solution.
  - An authentication system for trust management.
  - Properly configured operating systems and Internet applications. Personal FW software installed on all hosts.
  - An Intrusion Detection System
- Firewalls require monitoring and change control management.

Slide 62: TBS and the Perimeter

E = D + R

Perimeter defenses are an effective method of "shrinking" D and R and decreasing E.

[Diagram: INTERNET, ISP, Firewall, DNS and Front End, with E marked at the perimeter; critical systems located on a screened subnet off of one leg of a firewall.]

Slide 63: Example: D&R at the Perimeter

    Oct 12 01:04:26 ucc3.edu 45725: 8w5d^I: %SEC-6-IPACCESSLOGP: list 190 denied tcp (2235) -> (3128), 1 packet
    Oct 12 01:10:14 ucc3.edu 45730: 8w5d^I: %SEC-6-IPACCESSLOGP: list 190 denied tcp (2235) -> (3128), 3 packets

This is a log file from a Cisco router on the perimeter. It shows that the router blocked two attempts to reach destination port 3128, the SQUID proxy. Note: "denied" implies D and R are working. The times are very small!

(The source and destination addresses in these two lines did not survive the transcript.)
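To review D and R evidence of this kind across a whole log rather than two lines, the following added example (not from the slides) summarizes the "denied" entries of a Cisco IOS ACL log per source host and destination port. The log lines it uses are constructed in the same IPACCESSLOGP format as the slide; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, and POSIX awk is assumed.

```shell
#!/bin/sh
# Added example (not from the slides): summarize the "denied" entries of a Cisco
# IOS ACL log (%SEC-6-IPACCESSLOGP) per source host and destination port, so the
# D and R evidence on slide 63 can be reviewed at a glance. Assumes POSIX awk.
# The log lines are constructed for this example; the addresses are from the
# documentation ranges, not real hosts.

sample_acl_log() {
    cat <<'EOF'
Oct 12 01:04:26 ucc3.edu 45725: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 198.51.100.7(2235) -> 192.0.2.10(3128), 1 packet
Oct 12 01:10:14 ucc3.edu 45730: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied tcp 198.51.100.7(2235) -> 192.0.2.10(3128), 3 packets
Oct 12 01:12:02 ucc3.edu 45731: 8w5d: %SEC-6-IPACCESSLOGP: list 190 denied udp 198.51.100.9(1234) -> 192.0.2.53(53), 2 packets
Oct 12 01:15:40 ucc3.edu 45732: 8w5d: %SEC-6-IPACCESSLOGP: list 190 permitted tcp 203.0.113.4(40000) -> 192.0.2.25(25), 1 packet
EOF
}

# One line per (source, destination port/proto) with entry count, packet total
# and first/last timestamps. Reads the file names given, or stdin.
summarize_denied() {
    awk '
    /%SEC-6-IPACCESSLOGP: / && / denied / {
        # Locate "denied"; the fields after it are:
        # <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
        for (i = 1; i <= NF; i++) if ($i == "denied") break
        proto = $(i + 1); src = $(i + 2); dst = $(i + 4); pkts = $(i + 5)
        sub(/\(.*/, "", src)                 # keep only the source address
        split(dst, d, /[()]/); dport = d[2]  # keep only the destination port
        key = src " -> port " dport "/" proto
        count[key]++
        total[key] += pkts + 0
        if (!(key in first)) first[key] = $1 " " $2 " " $3
        last[key] = $1 " " $2 " " $3
    }
    END {
        for (k in count)
            printf "%s entries=%d packets=%d first=%s last=%s\n",
                   k, count[k], total[k], first[k], last[k]
    }' "$@" | LC_ALL=C sort
}

# Total denied packets across the whole log: a quick size-of-problem number.
denied_packet_total() {
    summarize_denied "$@" | awk -F'packets=' '{ split($2, a, " "); s += a[1] } END { print s + 0 }'
}

# Stand-alone demo on the constructed sample.
sample_acl_log | summarize_denied
```

The first and last timestamps per source show how long an attempt persisted while being denied, which is the point the slide makes: the router's D and R here are the ACL itself, so the time between the attempt and the block is effectively zero.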

Slide 64: Pulling the perimeter together
- Top Ten blocking, egress filtering
- Additional requirements from your site's security policy
- The notes contain a minimal Perimeter audit plan! Top Ten recommendations are shown in the notes pages. There are examples of implementations based on this security policy at: ( practicals )

Slide 65: Section Review
- Establishing and testing perimeter defenses is a good way to reduce D and R time.
- Top Ten vulnerabilities are generally agreed to be a priority. Top Ten blocking recommendations are the foundation of a security checklist for perimeters.
- CVE names help ensure sysadmins and auditors are referring to the same threat.

Slide 66: CIS Unix Ruler Review
- CIS Rulers are a good starting point for developing a Unix audit plan
- The Level 1 ruler defines minimum security standards for all Unix systems
- Level 2-3 rulers are more network and function specific
- Procedural rulers address policy issues

Slide 67: Course Revision History