An Operating System Security Solution

1 An Operating System Security Solution
Overview - SOE Harden
September 2014

2 Challenge We Had
Global need to collect data from, and produce reports for, all of CSC managed servers.
Data is required by MCS support teams, regional managers, account teams, etc. to satisfy CSC, our clients, and our vendors that we are meeting contractual obligations.
Real time Information Access
Centralize Administration of Information
Data valuable for Transformation/New Business exercises
Cross-Infrastructure Monitoring
Infrastructure forecasting

3 Solution Architecture
[Diagram labels: Store & Forward Server, Presentation Server, Firewall, Unix Core SOE Clients; Tier-1, Tier-2, Tier-3]
SFS collects the data captured on clients and forwards to the Presentation Server with the help of TI Server & Client.
Processes the data and makes the reports available at PS web console.

4 UnixSOE Enterprise Suite v9.x
Bundle of In-house Developed & Open source Tools for Consistent Unix System Administration
Collects data in a single repository, significantly reducing the labor required to produce both regular and ad-hoc reports
Supported on 19 UNIX Flavors & respective versions along with 4 VMware ESX variants
3 Regional Presentation Servers to Collect data

5 CSC’s Unix Server Management Tools
Data Collection Tools
Harden: Hardens the system to Account / CSC Baseline Security Standard.
PatchTT: Patch tracking and patch compliance reporting on the servers.
Auto-Config: Collects system hardware/software/configuration/Currency data.
Caper: Provides performance and capacity management data.
Caper LPAR: An extension of UNIX Caper, meant only for IBM LPAR systems.
Caper-Vmware: Remotely collects performance data for ESX and its virtual machines.
vAuto-Config: Collects virtual configuration data from ESX, Frame and Global Zones.
DBAPTT: Audits Oracle versions and security patches on Unix hosts.

System Management Tools
CFengine: An automation framework for system administration.
OpenSSH: Provides secure data transfer and remote login.
Perl: Standard SOE scripting language.
Rsync: Provides fast incremental file transfer.
Sudo: Provides controlled access to super user commands.
Syslog-ng: A new generation log management tool.
lsof: "list open files", used to report a list of all open files and the processes that opened them.

6 Overview – SOE Harden
Managing compliance issues imposed by regulations and statutory requirements
To address Operating System’s Governance, Risk, and Compliance (GRC) requirements
To provide Operating System security compliance reports to internal and external auditors
Maintain standardization
Customized solution for CSC Environment
To address rapidly fluctuating demand for infrastructure & services
More business value with minimum investment

7 Harden - UNIX OS Security
UNIX OS Security Auditing & Remediation
Policy Based tool
Perform 600+ Checks using 41 modules
Security Standardization
Scalability
Supported on multiple OS/Hardware architectures
Leverage existing CSC IT Infrastructure

8 Harden - UNIX OS Security
Multiple Supported Modes
Audit Mode: provides scan results and suggests corrective actions
Interactive Mode: lets you choose which remediations to apply
Auto Mode: remediates the scan findings without user intervention
Exemption Mode: lets you exempt specific checks

Easy to Use & Deploy
Step 1: Create a policy file: your own, or use the CSC Baseline Security Policy file
Step 2: Download the harden client software, known as Harden SIP, and install it on the target server
Step 3 (Optional): Download the policy file onto the target box
Step 4: Audit or impart OS security as defined in the policy file

Reporting
Local & Centralized
System Specific & Account Specific

9 The Functionality – UNIX SOE Harden

10 The Configuration – UNIX SOE Harden
Various Harden Security Modules under different sections

System Modules: sys_acct_disable.pl, sys_kernel.pl, sys_sendmail.pl, sys_services.pl, sys_shadow_security.pl, sys_stat.pl, sys_trusted.pl

File Permissions Modules: file_fstab_check.pl, file_sys_genperms.pl, file_sys_permcheck.pl, file_sys_perms.pl

Network Modules: net_ftp_service.pl, net_hosts_equiv.pl, net_ip_security.pl, net_nfs_exports.pl, net_services.pl, net_vsftp.pl

Authorization Modules: auth_fail_logging.pl, auth_login_banner.pl, auth_pass_change.pl, auth_pass_construct.pl, auth_pass_dictionary.pl, auth_pass_grub.pl, auth_pass_history.pl, auth_pass_length.pl, auth_pass_singleuser.pl, auth_root_console.pl

User Modules: user_default_umask.pl, user_dup_check.pl, user_group_members.pl, user_home_files.pl, user_sess_timeout.pl, user_shell_check.pl, user_sudo_audit.pl, user_unused_access.pl

Application Modules: app_atcron_config.pl, app_ssh_config.pl, app_sshd_config.pl, app_su_config.pl, app_syslogd_config.pl, app_X_config.pl

11 Harden - UNIX OS Security
CSC Baseline Policy
CSC Enhanced policy
CIS Policy
Account Based Policy
DISA Policy (new)

Harden comes with 9 security policies, including CSC baseline (checks for CSC’s baseline security policies), CSC Enhanced, CIS policy, Account Based policies and now the DISA policy. Any one of them can be specified, based on the requirement.
Flexibility of running separately for each module or as a single unit.
Run in one of the required modes.
Final report with scan results available.

12 CIS - Center for Internet Security
The Security Benchmarks division helps organizations improve their security posture by reducing risk resulting from inadequate technical security controls. The CIS Security Benchmarks Division develops and distributes:

Security Configuration Benchmarks, which describe consensus best practices for the secure configuration of target systems. Configuring IT systems in compliance with these Benchmarks has been shown to eliminate 80-95% of known security vulnerabilities. The Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls.

Security Metrics, which offer enterprise IT and security teams insight into their own security process outcomes.

The CIS.policy file shipped with SOE-Harden defines policies to make your system CIS benchmark compliant.

13 DISA - Defense Information Systems Agency
The DISA Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The implementation guidelines include recommended administrative processes and span the devices' lifecycle. STIG scanning software is used to implement / validate proper configuration.

A STIG describes:
how to minimize network-based attacks and prevent system access when the attacker is interfacing with the system, either physically at the machine or over a network.
maintenance processes, such as software updates and vulnerability patching.

The DISA.policy file shipped with SOE-Harden defines policies to make your system DISA STIG compliant.

14 Harden Online Policy File Creation System
Harden Online policy file creation tool helps a user to customize/create the policies based on CSC baseline and Enhanced policies.
Easiest way of customizing the policy
Link for Online policy file creation tool

15 Harden Online Policy File Creation System
This snapshot shows how to customize or create the new policy based on CSC baseline or Enhanced policies

16 Reports – UNIX Harden
System Specific

Audit History Report: Provides information about the status of all the checks, whether Pass, Fail or Exempted, based on their severity. This report holds the history of system audits on a daily basis.

Audit Module Summary Report: Provides a summarized view of a system audited against each Harden module. It details the total number of checks Passed, Failed and Exempted for the system in a particular module.

All Audit Fails Report: A handy and easily understandable report. Provides information about all the failed checks for each Harden module, with a detailed reason for each failure. An administrator can take corrective measures to fix these deviations on any system after reviewing the failure reasons.

Harden Audit Report: A raw text based audit report as generated on the UNIX system (client) by the harden-client software. It is displayed at the web console so that system administrators can analyze the audit details through the web interface without logging on to each host.

Windows Equivalent: WinCompliance

17 Reports – UNIX Harden
Account Specific

Security Compliance Status: Report shows the compliance of each system in relation to the customer’s security policy. It focuses on user account management and system configuration settings. This data is often used or referenced when an account is facing an external audit, as it provides a detailed record that we are managing the systems to the appropriate standard.

Security Audit Report: Report provides detailed module based information about all the hosts in an account. It shows the status of each host against each harden module: whether the host passes all the checks of a module or fails even a single one. If even a single check of a module fails for a host, the host is reported as failed for the full module. The report provides data for analyzing which service is most violated in an account, as checked through harden modules.

CompareUser Snapshot: Report uses harden snapshots to compare and display the list of newly added or deleted user accounts between two dates on all the hosts in an account.

CompareHarden Snapshot: All the UNIX systems are bookmarked for an audit status on a particular day through a script. This status is saved in a database for each host and can later be used to compare the current audit status of all the hosts in an account with any of the multiple snapshots/bookmarks taken in the past. It also provides the facility to compare the status of hosts between snapshots taken on two different dates. This helps compare the progress we made to make our systems comply with the defined standard of security settings.

Terminated Users: This report provides information about the user accounts which are not being used or logged on but still exist on the host. This information helps in regulating housekeeping of the UNIX systems.
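The roll-up rule described for the Security Audit Report (one failed check fails the whole module for that host), together with the per-module counts of the Audit Module Summary Report, as an added example that is not Harden's own code. The record format, host names, check ids, the EXEMPT token and the NOT_ASSESSED state are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample, one check result per line: host|module|check|status.
# Line format, hosts, check ids and the EXEMPT spelling are assumptions;
# module names and the PASS/FAIL/SKIP/CHCK states come from the slides.
SAMPLE = """\
web01|auth_pass_length.pl|minlen|PASS
web01|auth_pass_length.pl|maxage|FAIL
web01|net_ftp_service.pl|anon_ftp|EXEMPT
web01|sys_sendmail.pl|loglevel|PASS
db01|auth_pass_length.pl|minlen|FAIL
db01|net_ftp_service.pl|anon_ftp|FAIL
db01|sys_sendmail.pl|loglevel|SKIP
db01|sys_sendmail.pl|bogus
"""
STATES = {"PASS", "FAIL", "SKIP", "CHCK", "EXEMPT"}

def parse(text):
    """Return (records, rejected_line_numbers); bad lines are reported, not dropped."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split("|")
        if len(fields) == 4 and fields[3] in STATES:
            records.append(tuple(fields))
        else:
            rejected.append(lineno)
    return records, rejected

def module_summary(records):
    """Audit Module Summary: status counts per (host, module)."""
    counts = defaultdict(Counter)
    for host, module, _check, status in records:
        counts[(host, module)][status] += 1
    return counts

def security_audit(records):
    """Security Audit Report: a single FAIL fails the whole module for that host."""
    report = {}
    for key, c in module_summary(records).items():
        if c["FAIL"]:
            report[key] = "FAIL"
        elif c["PASS"]:
            report[key] = "PASS"
        else:
            # Assumption: a module with only SKIP/CHCK/EXEMPT results is not a pass.
            report[key] = "NOT_ASSESSED"
    return report

def most_violated(report):
    """Modules ranked by the number of hosts that fail them."""
    fails = Counter(m for (_h, m), status in report.items() if status == "FAIL")
    return sorted(fails.items(), key=lambda kv: (-kv[1], kv[0]))
```

Keeping exempted or skipped modules out of the PASS column stops an exemption from inflating the account's compliance figure.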

18 Highlights in this release of Harden
The version of harden in this release is bundled with UnixSOE Enterprise Suite 9.0
Enhancement of harden with respect to the DISA standards and the feature requests and bug fixes from EMEA.
Included checks to ensure correct permissions and ownership for NIS/NIS+/yp files
Included checks to ensure proper audit system configurations.
Included check to ensure Sendmail logging is set to less than 9 in the sendmail.cf file
Included checks to ensure correct permissions and ownership for files executed through a mail aliases file
Included checks to verify the rexec daemon must not be running
Included checks to verify the system's access control program must be configured to grant or deny system access to specific hosts
Included checks to verify the system clock must be synchronized continuously, or at least daily.
Included check to ensure system enforces the entire password during authentication
Included check to ensure that Internet Network News (INN) server is not running
Included check to ensure NFS server must have logging implemented

19 Solution Pack Unix SOE & TI Services
Backup Slides EMEA Platform Service Centre Unix & Linux Server Solutions Team

20 Audit History Report
This report provides information about the status of all the checks, whether Pass, Fail or Exempted, based on their severity. This report holds the history of system audits on a daily basis.

21 Audit Module Summary Report
Report provides a summarized view of a system audited against each Harden module. It details the total number of checks Passed, Failed and Exempted for the system in a particular module.

22 All Audit Fail Report
A handy and easily understandable report. Provides information about all the failed checks for each Harden module, with a detailed reason for each failure. An administrator can take corrective measures to fix these deviations on any system after reviewing the failure reasons.

23 Harden Audit Report
Harden Audit Report is a raw text based audit report as generated on the UNIX system (client) by the harden-client software. It is displayed at the web console so that system administrators can analyze the audit details through the web interface without logging on to each host.

24 Security Compliance Report
Report shows the compliance of each system with relation to the customer’s security policy. It focuses on user account management and system configuration settings.

25 Security Audit Report
Report provides detailed module based information about all the hosts in an account. It shows the status of each host against each harden module: whether the host passes all the checks of a module or fails even a single one.

26 Audit Module Data
Report provides a summarized view of an individual Harden module. It details the list of messages (PASS, FAIL, SKIP, CHCK) for each individual module.

27 Solution Pack Unix SOE & TI Services
Questions & Feedback Product Support Helpline EMEA Platform Service Centre Unix & Linux Server Solutions Team

