
Guide to Operating System Security Chapter 12 Security through Monitoring and Auditing.



Presentation on theme: "Guide to Operating System Security Chapter 12 Security through Monitoring and Auditing."— Presentation transcript:

Slide 1: Guide to Operating System Security, Chapter 12: Security through Monitoring and Auditing

Slide 2: Objectives
- Understand the relationship between baselining and hardening
- Explain intrusion-detection methods
- Use audit trails and logs
- Monitor logged-on users
- Monitor a network

Slide 3: Baselining and Hardening
- Baselines
  - Measurement standards for hardware, software, and network operations
  - Used to establish performance statistics under varying loads or circumstances

Slide 4: Overview of Intrusion Detection
- Detects and reports possible network and computer system intrusions or attacks
- Main approaches
  - Passive
  - Active
  - Network-based
  - Inspectors
  - Auditors
  - Decoys and honeypots

Slide 5: Passive Intrusion Detection
- Detects and records intrusions; does not take action on findings
- Effective as long as the administrator checks the logs
  - Can create filters or traps
- Examples of monitored activities
  - Login attempts
  - Changes to files
  - Port scans

Slide 6: Third-Party Passive Intrusion-Detection Tools
- Klaxon
- Loginlog
- Lsof
- Network Flight Recorder
- RealSecure
- Dragon Squire
- PreCis

Slide 7: Active Intrusion Detection
- Detects an attack and sends an alert to the administrator, or takes action to block the attack
- May use logs, monitoring, and recording devices

Slide 8: Third-Party Active Intrusion-Detection Tools
- Entercept
- AppShield
- Snort
- SecureHost
- StormWatch

Slide 9: Active Intrusion Detection (figure)

Slide 10: Host-based Intrusion Detection
- Software that monitors the computer on which it is loaded
  - Logons
  - Files and folders
  - Applications
  - Network traffic
  - Changes to security
- Host wrappers and host-based agents

Slide 11: Host-based Intrusion Detection (figure)

Slide 12: Network-based Intrusion Detection
- Monitors network traffic associated with a specific network segment
- Typically places the NIC in promiscuous mode

Slide 13: Network-based Intrusion Detection (figure)

Slide 14: Inspector
- Examines captured data, logs, or other recorded information
- Determines if an intrusion is occurring or has occurred
- Administrator sets up inspection parameters, for example:
  - Files changed/created under suspicious circumstances
  - Permissions unexpectedly changed
  - Excessive use of the computer's resources

Slide 15: Auditor
- Tracks the full range of data and events, normal and suspicious, for example:
  - Every time services are started and stopped
  - Hardware events or problems
  - Every logon attempt
  - Every time permissions are changed
  - Network connection events
- Records information to a log

Slide 16: Decoys and Honeypots
- Fully operational computers that contain no information of value
- Draw attackers away from critical targets
- Provide a means to identify and catch or block attackers before they harm other systems

Slide 17: Using Audit Trails and Logs
- A form of passive intrusion detection used by most operating systems:
  - Windows 2000/XP/2003
  - Red Hat Linux 9.x
  - NetWare 6.x
  - Mac OS X

Slide 18: Viewing Logs in Windows 2000/XP/2003 (Continued)
- Accessed through Event Viewer
- Event logs can help identify a security problem
- The Filter option can help quickly locate a problem

Slide 19: Viewing Logs in Windows 2000/XP/2003 (Continued)
- Principal event logs
  - System
  - Security
  - Application
- Event logs for installed services
  - Directory Service
  - DNS Service
  - File Replication

Slide 20: Event Viewer in Windows Server 2003 (figure)

Slide 21: Viewing an Event in Windows Server 2003 (figure)

Slide 22: Viewing Logs in Red Hat Linux 9.x (Continued)
- Offers a range of default logs
- Log files
  - Have four rotation levels
  - Managed through syslogd

Slide 23: Viewing Logs in Red Hat Linux 9.x (Continued)
- Two ways to view default logs
  - Open LogViewer (Main Menu > System Tools > System Logs); it enables creation of a filter on the basis of a keyword (e.g., failed, denied, rejected)
  - Use the Emacs or vi editors, or use the cat command in a terminal window
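The keyword filter the slide describes (failed, denied, rejected) is the core of passive intrusion detection over audit logs: the system records, the administrator filters and reads. The following added example, which is not part of the original presentation, applies that filter programmatically to a constructed sample of /var/log/secure in syslog format and then counts hits per source address, which is the kind of "trap" slide 5 mentions. The sample lines, the keyword list (extended with "failure" and "fail:", which PAM and xinetd messages actually use) and the threshold of three failures are all assumptions made for the example.

```python
"""Keyword filtering of a Linux security log, as an added example of the
passive intrusion detection described on the slides. Log lines are
constructed for the example and are not from a real host."""
import re
from collections import Counter

# Constructed sample of /var/log/secure in syslog format (not real data).
SAMPLE_SECURE_LOG = """\
Mar 15 09:12:01 server sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Mar 15 09:13:44 server sshd[1301]: Failed password for illegal user admin from 192.0.2.77 port 4022 ssh2
Mar 15 09:13:47 server sshd[1302]: Failed password for illegal user test from 192.0.2.77 port 4023 ssh2
Mar 15 09:13:51 server sshd[1303]: Failed password for root from 192.0.2.77 port 4024 ssh2
Mar 15 09:14:02 server xinetd[812]: FAIL: telnet address from=192.0.2.77
Mar 15 09:20:15 server su(pam_unix)[1410]: authentication failure; logname=bob uid=502 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar 15 09:21:00 server sshd[1450]: Failed password for bob from 10.0.0.9 port 50011 ssh2
Mar 15 09:21:10 server sshd[1450]: Accepted password for bob from 10.0.0.9 port 50011 ssh2
"""

# Keywords from the slide's LogViewer filter, plus two spellings that
# common PAM and xinetd messages use (assumed extension).
KEYWORDS = ("failed", "denied", "rejected", "failure", "fail:")

# Standard syslog line: timestamp, host, process[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Source address as sshd ("from 1.2.3.4") and xinetd ("from=1.2.3.4") write it
SOURCE_RE = re.compile(r"\bfrom[= ](\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    src = SOURCE_RE.search(entry["msg"])
    entry["source"] = src.group(1) if src else "local"  # console/su events carry no address
    return entry


def filter_events(log_text, keywords=KEYWORDS):
    """Return parsed entries whose message contains any keyword (case-insensitive),
    mirroring a LogViewer keyword filter over a whole log file."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and any(k in entry["msg"].lower() for k in keywords):
            hits.append(entry)
    return hits


def failures_by_source(events):
    """Count filtered events per source address ('local' for console/su events)."""
    return Counter(e["source"] for e in events)


def flag_sources(counts, threshold):
    """Sources with at least `threshold` matching events: what the administrator
    reviewing a passive IDS would want surfaced. The threshold is an assumed value."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    events = filter_events(SAMPLE_SECURE_LOG)
    for e in events:
        print(f'{e["ts"]} {e["proc"]:<14} {e["source"]:<12} {e["msg"]}')
    counts = failures_by_source(events)
    print("matching events per source:", dict(counts))
    print("sources at or over threshold (3):", flag_sources(counts, 3))
```

Run against a real file with `filter_events(open("/var/log/secure").read())`; the point of counting per source rather than only listing matches is that a passive system still relies on a person reading the output, so the summary should make repeated failures from one address obvious at a glance.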

Slide 24: Red Hat Linux 9.x Default Logs (Continued)
Log Name | Location and Filename | Description
Boot Log | /var/log/boot.log.x | Contains messages about processes and events that occur during bootup or shutdown
Cron Log | /var/log/cron.x | Provides information about jobs that are scheduled to run or that have already run
Kernel Startup Log | /var/log/dmesg.x | Shows startup messages sent from the kernel
Mail Log | /var/log/maillog.x | Contains messages about mail server activities
News Log | /var/log/spooler.x | Provides messages from the news server

Slide 25: Red Hat Linux 9.x Default Logs (Continued)
Log Name | Location and Filename | Description
RPM Packages Log | /var/log/rpmpkgs.x | Shows the list of software packages currently installed; updated each day through a job scheduled via the cron command
Security Log | /var/log/secure.x | Provides information about security events and processes
System Log | /var/log/messages.x | Contains messages related to system activities
Update Agent Log | /var/log/up2date.x | Shows updates that have been performed by the Update Agent
XFree86 Log | /var/log/xfree86.x.log | Contains information about what is installed from XFree86

Slide 26: Viewing Logs in Red Hat Linux 9.x (figure)

Slide 27: Viewing Logs in NetWare 6.x (Continued)
Log Name | Location & Filename | Description
Access Log | SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ACCESS.TXT | Contains information about access services to the NetWare server
Audit Log | SYS:ETC\AUDIT.LOG | Contains an audit trail of user account activities
Console Log | SYS:ETC\CONSOLE.LOG | Traces activities performed at the server console
Error Log | SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ERROR.TXT | Contains error information recorded for the NetWare server

Slide 28: Viewing Logs in NetWare 6.x (Continued)
Log Name | Location & Filename | Description
Module Log | SYS:ETC\CWCONSOL.LOG | Contains a listing of modules that have been loaded
NFS Server Log | SYS:ETC\NFSSERV.LOG | Provides information about NFS server services, including changes to a service and communications through TCP and UDP
Schema Instructions Log | SYS:ETC\SCHINST.LOG | Tracks schema events, including changes to the schema

Slide 29: Viewing Logs in Red Hat Linux 9.x (figure)

Slide 30: Viewing Logs in Mac OS X (Continued)
Log Name | Location and Filename | Description
FTP Service Log | /var/log/ftp.log | Contains information about FTP activity, including sessions, uploads, downloads, etc.
Last.Login Log | /var/log/lastlog | Provides information about last login activities
Directory Service Log | /var/log/lookupd.log | Provides a log of the lookupd (look up directory services) daemon, including requests relating to user accounts, printers, and Internet resources
Mail.Service Log | /var/log/mail.log | Stores messages about e-mail activities

Slide 31: Viewing Logs in Mac OS X (Continued)
Log Name | Location and Filename | Description
Network Information Log | /var/log/netinfo.log | Tracks messages related to network activity
Print Service Log | /var/log/lpr.log | Contains information about printing activities
Security Log | /var/log/secure.log | Provides information about security events
System Log | /var/log/system.log | Contains information about system events, including processes that are started or stopped, buffering activities, console messages, etc.

Slide 32: Viewing Logs in Mac OS X (figure)

Slide 33: Reasons for Monitoring Logged-on Users
- Assess how many users are typically logged on at given points in time
  - Baseline information
  - To determine when a shutdown would have the least impact
- Be aware of security or misuse problems

Slide 34: Monitoring Users in Windows 2000/XP/2003
- Use the Computer Management tool to access Shared Folders
  - Shared Folders options: Shares, Sessions, Open Files
- Use Task Manager (Windows XP and Windows Server 2003)

Slide 35: Monitoring Users in Windows XP Professional (figure)

Slide 36: Monitoring Users in Windows 2000 Server (figure)

Slide 37: Monitoring Users in Windows XP Professional (figure)

Slide 38: Monitoring Users in Red Hat Linux 9.x
- Use the who command

Slide 39: who Command Options
Option | Description
-a | Displays all users
-b | Shows the time when the system was last booted
-i | Shows the amount of time each user process has been idle
-q | Provides a quick list of logged-on users, and provides a user count
-r | Shows the run level
-s | Displays a short listing of usernames, line in use, and logon time
-u | Displays the long listing of usernames, line in use, logon time, and process number
--help | Displays help information about the who command
-H | Displays who information with column headers
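The options table above is what the administrator reads by eye; slide 33 gives the reasons to do it (headcount baselines, a low-impact shutdown window, and misuse). The following added example, which is not part of the original presentation, parses constructed `who -u -H` output into those answers: the `-q`-style session count, sessions idle past a limit, and remote sessions from outside an expected address range. The sample output, the GNU coreutils column layout it follows, the 120-minute idle limit and the allowed address prefix are all assumptions made for the example.

```python
"""Parse `who -u -H` output to count logged-on users and find idle or
out-of-range sessions. Added example; the output below is constructed for
the example and is not a capture from a real host."""

# Constructed sample of `who -u -H` output (GNU coreutils layout assumed).
SAMPLE_WHO_OUTPUT = """\
NAME     LINE         TIME             IDLE          PID COMMENT
alice    pts/0        2004-03-15 09:12   .          1234 (10.0.0.5)
bob      pts/1        2004-03-15 06:40  02:31        1301 (10.0.0.9)
carol    tty1         2004-03-14 18:05   old          987
dave     pts/2        2004-03-15 09:30   .          1450 (192.0.2.77)
"""


def parse_idle(field):
    """Translate who's IDLE column: '.' means active within the last minute,
    'old' means idle for more than a day (returned as None), otherwise HH:MM."""
    if field == ".":
        return 0
    if field == "old":
        return None
    hours, minutes = field.split(":")
    return int(hours) * 60 + int(minutes)


def parse_who(text):
    """One dict per session: user, line, login time, idle minutes, pid, host."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "NAME":
            continue  # skip blank lines and the -H header row
        user, line_name, date, time_, idle, pid = parts[:6]
        # Console logins carry no "(host)" comment field
        host = parts[6].strip("()") if len(parts) > 6 else None
        sessions.append({
            "user": user, "line": line_name, "login": f"{date} {time_}",
            "idle_minutes": parse_idle(idle), "pid": int(pid), "host": host,
        })
    return sessions


def session_count(sessions):
    """What `who -q` reports: number of sessions plus the user names."""
    return len(sessions), sorted(s["user"] for s in sessions)


def idle_sessions(sessions, max_idle_minutes):
    """Sessions idle longer than the limit, or 'old': candidates to review
    before a maintenance shutdown, or to treat as unattended terminals."""
    return [s["user"] for s in sessions
            if s["idle_minutes"] is None or s["idle_minutes"] > max_idle_minutes]


def sessions_from_unexpected_hosts(sessions, allowed_prefixes):
    """Remote sessions whose source address is outside the expected ranges.
    allowed_prefixes is an assumed site policy; console sessions have no host."""
    return [s["user"] for s in sessions
            if s["host"] and not s["host"].startswith(tuple(allowed_prefixes))]


if __name__ == "__main__":
    sessions = parse_who(SAMPLE_WHO_OUTPUT)
    print("sessions, users:", session_count(sessions))
    print("idle over 120 min:", idle_sessions(sessions, 120))
    print("outside 10.0.0.0/24:", sessions_from_unexpected_hosts(sessions, ["10.0.0."]))
```

On a live system feed it the real command output, for instance `parse_who(subprocess.run(["who", "-u", "-H"], capture_output=True, text=True).stdout)`; recording `session_count` at fixed times of day is the baseline slide 33 asks for, and the idle and host checks are the misuse side of the same data.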

Slide 40: Monitoring Users in Red Hat Linux 9.x (figure)

Slide 41: Monitoring Users in NetWare 6.x
- MONITOR
  - Connections
  - Loaded modules
  - File open/lock
  - Other server-monitoring functions
- NetWare Remote Manager
  - View current connections
  - View files opened by particular users
  - Send messages to a particular user or all users
  - Clear connections

Slide 42: Monitoring Users in Mac OS X
- Use the who command in a terminal window
  - Supports few options (primarily -H and -u)
- Process Viewer

Slide 43: Monitoring a Network
- Network Monitor
  - Network monitoring software with the most features
  - Comes with Windows 2000 Server and Windows Server 2003

Slide 44: Why Network Monitoring Is Important
- Networks are dynamic
- The administrator must distinguish an attack from an equipment malfunction
- Establish and use benchmarks to help quickly identify and resolve problems

Slide 45: Using Microsoft Network Monitor
- Uses the Network Monitor Driver to monitor the network from the server's NIC (promiscuous mode)
- Sample activities that can be monitored
  - Percent network utilization
  - Frames and bytes transported per second
  - Network station statistics
  - NIC statistics
  - Error data

Slide 46: Network Monitor Driver
- Detects many forms of network traffic
- Captures packets and frames for analysis and reporting by Network Monitor

Slide 47: Using Microsoft Network Monitor
- Start from the Administrative Tools menu
- Four panes of information
  - Graph
  - Total Statistics
  - Session Statistics
  - Station Statistics
- View captured information

Slide 48: Using Microsoft Network Monitor (figure)

Slide 49: Network Monitor Panes
Pane | Information Provided in Pane
Graph | Provides bar graphs for % Network Utilization, Frames Per Second, Bytes Per Second, Broadcasts Per Second, and Multicasts Per Second
Total Statistics | Provides total statistics about network activity that originates from or is sent to the computer (station) using Network Monitor; includes statistics for Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics
Session Statistics | Provides statistics about traffic from other computers on the network: the MAC (device) address of each computer's NIC and data about the number of frames sent from and received by each computer
Station Statistics | Provides total statistics on all communicating network stations: the Network (device) address of each communicating computer, Frames Sent, Frames Received, Bytes Sent, Bytes Received, Directed Frames Sent, Multicasts Sent, and Broadcasts Sent

Slide 50: Viewing Capture Summary Data (figure)

Slide 51: Creating a Filter in Network Monitor
- Two property types
  - Service Access Point (SAP)
  - Ethertype (ETYPE)

Slide 52: Using Capture Trigger
- Software performs a specific function when a predefined situation occurs

Slide 53: Using Network Monitor to Set Baselines
- From the Graph pane
  - % Network Utilization
  - Frames Per Second
  - Broadcasts Per Second
  - Multicasts Per Second
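Slide 3 defines a baseline as performance statistics gathered under varying loads, and this slide names the four Graph-pane figures to baseline; neither says how a baseline turns a later reading into an alert. The following added example, which is not part of the original presentation or of Network Monitor, covers both slides: it converts per-interval counters into the four per-second figures, builds a mean-and-deviation baseline from quiet-period intervals, and flags a later interval whose broadcast rate departs from it while utilization and frame rate stay ordinary. The 100 Mbps link speed, the counter values and the three-standard-deviation rule are assumptions made for the example.

```python
"""Traffic baseline from the four Graph-pane statistics (% Network Utilization,
Frames Per Second, Broadcasts Per Second, Multicasts Per Second) and a check
of later intervals against it. Added example; the per-interval counters are
constructed, not taken from Network Monitor."""
import statistics
from dataclasses import dataclass

LINK_BPS = 100_000_000  # assumed 100 Mbps link; utilization is relative to this


@dataclass
class Interval:
    seconds: float     # length of the capture interval
    byte_count: int    # total bytes seen on the segment in the interval
    frames: int
    broadcasts: int
    multicasts: int


def rates(iv):
    """Convert raw counters into the per-second figures the Graph pane charts."""
    return {
        "utilization_pct": iv.byte_count * 8 / (iv.seconds * LINK_BPS) * 100,
        "frames_per_sec": iv.frames / iv.seconds,
        "broadcasts_per_sec": iv.broadcasts / iv.seconds,
        "multicasts_per_sec": iv.multicasts / iv.seconds,
    }


def build_baseline(intervals):
    """Mean and population standard deviation of each metric over known-good intervals."""
    series = {k: [] for k in rates(intervals[0])}
    for iv in intervals:
        for k, v in rates(iv).items():
            series[k].append(v)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in series.items()}


def deviations(iv, baseline, sigmas=3.0):
    """Metrics of `iv` above mean + sigmas * stdev; returns {metric: (value, threshold)}.
    An empty dict means the interval is within the baseline."""
    out = {}
    for k, v in rates(iv).items():
        mean, std = baseline[k]
        threshold = mean + sigmas * std
        if v > threshold:
            out[k] = (v, threshold)
    return out


# Constructed 10-second intervals from a quiet period (the baseline)
BASELINE_INTERVALS = [
    Interval(10, 12_000_000, 9_000, 50, 20),
    Interval(10, 15_000_000, 11_000, 60, 30),
    Interval(10, 13_500_000, 10_000, 55, 25),
    Interval(10, 14_000_000, 10_500, 45, 25),
    Interval(10, 12_500_000, 9_500, 40, 20),
]
# A later interval with a broadcast surge but otherwise ordinary load
STORM_INTERVAL = Interval(10, 13_000_000, 10_200, 4_000, 25)
# A later interval that stays within the baseline
NORMAL_INTERVAL = Interval(10, 14_500_000, 10_800, 55, 30)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_INTERVALS)
    for metric, (mean, std) in baseline.items():
        print(f"{metric:<20} mean={mean:8.2f} stdev={std:6.2f}")
    print("storm interval:", deviations(STORM_INTERVAL, baseline))
    print("normal interval:", deviations(NORMAL_INTERVAL, baseline))
```

Five intervals are enough to show the mechanism but not to set a production baseline; slide 3's point about varying loads means collecting intervals across the working day and week before trusting the thresholds, and the same comparison is what lets an administrator separate an attack from the equipment fault slide 44 warns about, because a failing NIC and a flooding host shift different metrics.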

Slide 54: Summary (Continued)
- Creating baselines to help quickly identify when an attack is occurring
- Intrusion-detection methods
  - Employed through an operating system
  - Third-party software
- Using auditing and logging tools to track intrusion events

Slide 55: Summary
- Monitoring user activities
  - GUI-based Computer Management tool in Windows 2000/XP/2003
  - who command in Red Hat Linux and Mac OS X
- Network monitoring with Microsoft Network Monitor

