Número Actividad de Control Punto de RevisiónUser Management

1

2

Access to the root account should be restricted and should provide an audit trail of activity

Root is the most sensitive account on the Linux system and should be properly secured.

All su (switch user) commands, which allow a user to gain access to the root account, should be monitored and reviewed in a timely manner, in accordance with corporate standards

Every account defined on the system his clearly identifiable with a user.

Accounts are defined on the system according to security standards.

Providing access on the server to users without a business need significantly increase security risks.

2

3

4

Every account defined on the system his clearly identifiable with a user.

Users with domain-wide access may have excessive privileges (i.e. privilege beyond their job responsibilities) They may perform unauthorized functions or access sensitive files.

Controls are in place over user and groups that are managed on the system to prevent unauthorized or privileged access.

Access to the command line via a shell increases the risk that users access unauthorized commands, data, and configuration files.

The system is securely configured to maximize security and reduce the risk of system compromise

Allowing users to log into the system directly as root from any host on the network, including PCs, increases the risk that an unauthorized user will gain privileged access to the system.

4

Password Management5

6

The system is securely configured to maximize security and reduce the risk of system compromise

Allowing users to log into the system directly as root from any host on the network, including PCs, increases the risk that an unauthorized user will gain privileged access to the system.

All interactive logon accounts (shell accounts) on a UNIX server should require a password and encrypted passwords should be stored in shadow password files.

The /etc/passwd file can be read by any user on the system in order for programs to function properly. If encrypted passwords are stored in this file, then any user can copy encrypted passwords and try to crack them.

Password minimum length should be set according to corporate standards and industry good practices,

A minimum password length should be defined. This can be defined to be mandatory for all users. Even so, corporate standards should encourage users to build their passwords using capital letters, special symbols and numbers.

6

7

Auditing, Logging & Monitoring8

Password minimum length should be set according to corporate standards and industry good practices,

A minimum password length should be defined. This can be defined to be mandatory for all users. Even so, corporate standards should encourage users to build their passwords using capital letters, special symbols and numbers.

Passwords lifetime and length should prevent compromise

Password lifetime and length settings should minimize the risk of password compromise

A manageable audit trail is maintained, reviewed and secured to detect unauthorized or malicious activity on the system.

Insufficient logging will result in a lack of an audit trail in the event of an unauthorized access. With good logging and monitoring administrators are often given early warnings for hardware and software errors or problems.

9

File System Access and Management10

11

Failed login attempts should be monitored. Review repeated failures for the same account in order to prevent a brute force attack.

If repeated failed login attempts are detected, this could mean that a password guessing or a brute force attack has been attempted. Review if after too many login attempts, the account didn't successfully login.

Changes on sensitive configuration files, such as those used for user administration or scheduled jobs, should be known and premeditated. Unwanted changes on those files may result in a complete system loss of control.

Sensitive system files should not change without the administrator’s consent. Sensitive configuration files hold data that can be used to compromise the system.

Sensitive files and directories are secured to prevent unauthorized access.

Regularly scheduled commands can be specified according to instructions found in "crontab" files.

11

12

13

Sensitive files and directories are secured to prevent unauthorized access.

If “crontab” is used to schedule financially significant jobs, then access to these jobs should be properly restricted

Only authorized users should have access to the scheduling system

 All directories and files accessed by the standard job scheduling programs (i.e. cron and at) should be restricted from all users not requiring this access.

Permissions on key files and directories are restricted as possible.

13 Permissions on key files and directories are restricted as possible.

Root access or access to sensitive files and resources might be obtained by a user with command-line access if permissions and ownership are weak on these directories.

14

Network Controls15

16

17

Access to program and data files should be appropriately restricted

All programs that run with high levels of privilege should be appropriately secured, documented and checked periodically for changes

Exported file systems are not be exported with the 'root' option.

The 'root' option allows a user to access a NFS exported file system with root privileges.

Remote access to computer systems (via network connections or dial-up) should be appropriately restricted.

Individual .rhosts and .netrc files should not exist or should be empty

If there is no strong business need for rwall, then it should be disabled.

The rwall service has no proper authentication therefore it represents a risk and must be deactivated.

17

18

19

20

21 NFS exports are done in a secure way.

If there is no strong business need for rwall, then it should be disabled.

The rwall service has no proper authentication therefore it represents a risk and must be deactivated.

At least a strong business need exists, tftp service should be disabled.

The tftp service offers no authentication at all but yet the possibility of accessing data; therefore it represents a risk and should be deactivated.

The system is securely configured to maximize security and reduce the risk of system compromise

Without the existence of the /etc/ftpusers file, any user listed in the /etc/passwd file can transfer files across the network. This increases the risk that unauthorized files are transferred across the network.

Remote access without user’s authentication should not be permitted.

"Remote access should require authentication and should be done by using secure tools, such as SSH.

Remote access without authentication may allow spoofing."

File systems exported trough NFS follow the defined security standards.

21 NFS exports are done in a secure way.

22

System Configuration23

File systems exported trough NFS follow the defined security standards.

Network services do not pose a security risk on the system.

Network services should be set according to security standards.

The system has an adequate level of patches

The system should be protected with security patches according to the documented patching procedure.

23 The system has an adequate level of patches

The system should be protected with security patches according to the documented patching procedure.

Procedimiento de validación Resultado

No existen usuarios duplicados.

NIS or NIS+ no se utilizan.

 Inspect the /etc/password file for all user profiles. Ascertain which users have the special authorities (i.e., root or equivalent – a UID of “0”) and determine whether the number of users is appropriate. Inquire with the system administrator to understand if any SU groups have been setup to access privileged accounts. If there have been groups setup, obtain the group files, understand who is in the group and what access they have to the IDs. Also, review the accounts listed in the /var/adm/sulog file that are accessing the root account, to ensure that these users are appropriate

Solo root tiene UID de 0 en etc/passwd.Pero adicionalmente, se ha inspeccionado el archivo de etc/groups para determinar los accesos a comandos "su" del grupo root, y solamente el usuario root forma parte de este grupo.Por otro lado, se verificó /var/log/messages grep su para revisar las cuentas que acceden a root, en lo que se determinó que no accedieron mediante su a root.

Issue the command # “cat /var/log/messages | grep su” to understand who has been accessing root.

Obtain the /etc/passwd file in a text file. The following command can be used: # cat /etc/passwd  Ensure users have individual accounts and are not sharing accounts (look for the first colon separated field).  If NIS or NIS+ is being used, request the NIS map in a text file.

Si bien no existen usuarios compartiendo cuentas, existen cuentas nombradas de forma genérica que no permiten la identificación y autenticación del usuario, de forma adecuada. No bostante, estos archivos son utilizados solamente por usuarios de PMI Desarrollo y Tecnología de PMB y otros países, ya que requieren acceder principalmente para temas relacionados a las actualizaciones de FINMAS.

The following command can be used to list the NIS or NIS+ password database: #ypcat passwd (for NIS) # niscat passwd.org_dir | more (for NIS+) Check the listing for duplicate UID codes (the UID is the third colon separated field).

Por ejemplo para los paises solo existe una cuenta de acceso creada, pero puede ser que la utilicen más de un usuario. No obstante la responsabilidad de estas cuentas está a cargo de PMI.

Joe:*:20:100:info:/home/joe:/usr/bin/csh

csh - 'C shell'ksh - 'Korn shell'sh - 'Bourne shell'

rsh - 'restricted Bourne shell'rksh - 'restricted Korn shell'

Console, vc y tty están listados.

-:root:ALL EXCEPT LOCAL

Inspect the list of all local user accounts in the /etc/passwd directory or NIS map. Review the list with the system administrator to validate and verify the business function for each account on the server. Additionally, ensure each user in the /etc/passwd file has a unique UID and that UID's are not shared. The UIDs are the third attribute an /etc/passwd file and can be seen below as '20'.

Asimismo, se han identificado usuarios con más de un ientificador asignado en el FTP que son las cuentas administradas por PMI y las cuentas utilizadas por GTI, usuarios sin formularios de autorización. El detalle a continuación:

Review the local password file or NIS map to determine accounts with shell (command line) access. Review these accounts with the system administrator to verify that these users require shell access. In addition, inquire with the system administrator if user access is restricted. Command line access can be restricted through the use of restricted shells or through the use of login scripts.

No todas las cuentas de usuario requieren de shell access, están limitadas a /sbin/nologin y /usr/bin/rssh (secure shell). Solamente la cuenta root tiene acceso a bin/bash.

Common shells that typically allow a user to gain access to the command line include the following:

Common shells that typically restrict command line access:

Review the /etc/securetty file to ensure that only the console tty is listed.

Alternately, you may review the /etc/security/access.conf file and ensure that, at least, the root account is disabled for remote logins. The following line should be present for that:

Ninguna restricción está listada en -:root:ALL EXCEPT LOCAL; ni en -:whell: ALL EXCEPT LOCAL.

I:\RUSCENA\Trabajo\6. Auditoria

Servers_SO\Informacion TI\

Linux\FTP\Punto1\passwd.xlsx

-:whell: ALL EXCEPT LOCAL

El servicio de NIS no se está ejecutando.

joe:9DgBXb2cnG3xA:11460::::::

Usually, the group 'wheel' includes all administrator accounts. It is a good practice to deny access to this group. The following line should be present for that:

If the entry has a # sign in front of it, that means that the entry is commented out and is not enforced. If the entry is commented out, inquire with the system administrator as to the reason and any mitigating controls that have been put into place to reduce the risk of remote root logins.

Root puede loguearse remotamente, ya que está activado: #-:whell: ALL EXCEPT LOCAL

Obtain the /etc/passwd and /etc/shadow files and examine the 'password' field for each account to ensure an encrypted password is located in the field. Review the /etc/passwd file to verify that there are no encrypted passwords stored in it. If the /etc/passwd file contains an 'X' or '*' where the encrypted passwords would reside, the server is shadowed and the encrypted passwords are stored in the /etc/shadow file. Review the /etc/shadow file to verify that it contains the encrypted passwords.

Los passwords de las cuentas en passwd se encuentran encriptadas, se hace uso de shadow para resguardarlo.

An example of the encrypted password for the 'joe' user ID is listed below in the 2nd attribute:

No existen contraseñas sin password, el mecanismo de autenticación que se utiliza es MD5.

If NIS is running, obtain the NIS map and examine the entries to ensure an encrypted password is present for all accounts allowed to access the server.

Las contraseñas de acceso de las cuentas no se consideran débiles se ha podido determinar a través de un programa de crakeo john de ripper, a través de ataques de diccionario.

Accounts without passwords can also be found using the following command: awk -F: '($2 == "") { print $1 }' /etc/shadow

 # ypcat passwd (for NIS) # niscat passwd.org_dir | more (for NIS+)

"Verify the /etc/login.defs file and ensure that the PASS_MIN_LEN variable is within corporate guidelines..

PASS_MIN_LEN es 5, pero debería acomodarse a lo estándar de dominio o servidores que es 8.

Issue the following command: # cat /etc/login.defs | grep PASS_MIN_LEN

Bitmap Image

- User login & logout times

If possible, run a password cracker program over user's passwords to ensure non trivial passwords are being used.

Review the /etc/login.defs file to ensure that the parameters which set minimum password length (PASS_MIN_LEN), minimum password lifetime (PASS_MIN_DAYS) and maximum password lifetime (PASS_MAX_DAYS) are appropriate

PASS_MAX_DAYS 99999PASS_MIN_DAYS 0PASS_MIN_LEN 5PASS_WARN_AGE 7

Son políticas estándar que deben ser cambiadas a por ejemplo: 62, 2, 8, respectivamente para estar de acuerdo a las políticas de dominio.El último es correcto.

Review the output of the /etc/syslog.conf file. This file will show what events are logged and where the information is sent. Inquire of the system administrator to determine what is monitored and how the logs are reviewed.

*.info;mail.none;authpriv.none;cron.none /var/log/messagesLos mensajes informativos de todas las aplicaciones se loguean No loguea mensajes del sistema de mail (ok ya que no aplica)No loguea programas de autorización privadosNo loguea cron y atLa carpeta de logueos es messages.NOTA: DEBERIAN LOGUEARSE LOS MENSAJES DE AUTENTICACION AUTH

# The authpriv file has restricted access. authpriv.* /var/log/secure # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log *.* @10.2.0.30

By default, system alerts are sent to the console and root account. System emergencies are broadcast to all users. Information alerts are sent to the syslog file. These are the standard alerts and do not capture security events.

Make sure entries within the syslog.conf file do not have a '#' pound in front of them, commenting them out and making them inactive.

The following activities should be logged and configured:

- Track all su/root usage through separate sulog or existing log facilities

- Separating logs from potentially compromised host (especially true for Internet hosts or large environments)

No existe el archivo crontabs.

Check the /var/log/messages and verify that login failures are monitored. Query the system administrator about login failures.

No se registran los mensajes de intentos fallidos de accesos y otros en /var/log/messages.Solo se registran en el syslog los accesos exitosos (comando LAST), tampoco se monitorean lo logs que se registran, se espera adquirir una herramienta para su análisis y monitoreo a cargo del Encargado de Seguridad Informática.

Review the system sensitive files, such as /etc/passwd, /etc/shadow, /etc/group, etc/inetd.conf, the "r" files, cron files, startup files (placed on the /etc/rc* directories) and specific system configuration files in order to ensure they don't have write permissions for non administrator users. Check with the system's administrator if a control is performed to ensure those files do not suffer unwanted changes.

Sólo existen permisos de escritura para usuario root: -rw-r--r-- 1 root root 4316 Apr 9 10:04 /etc/passwd

Sólo existen permisos de lectura para usuario root en shadow: -r-------- 1 root root 2960 Apr 9 12:49 /etc/shadow

Sólo existen permisos de escritura para usuario root: -rw-r--r-- 1 root root 1325 Apr 9 10:03 /etc/group

Si bien los usuarios comunes no tienen permisos de lectura y escritura pueden navegar en la carpetas y obtener información. Hay que restringir estos accesos.

Existen permisos de escritura y ejecución sólo para usuario root y su grupo root, en los scripts de inicio del sistema para directorios y sus links: lrwxrwxrwx 1 root root 7 Apr 23 2011 /etc/rc -> rc.d/rclrwxrwxrwx 1 root root 10 Apr 23 2011 /etc/rc0.d -> rc.d/rc0.dlrwxrwxrwx 1 root root 10 Apr 23 2011 /etc/rc1.d -> rc.d/rc1.dlrwxrwxrwx 1 root root 10 Apr 23 2011 /etc/rc2.d -> rc.d/rc2.dlrwxrwxrwx 1 root root 10 Apr 23 2011 /etc/rc3.d -> rc.d/rc3.dlrwxrwxrwx 1 root root 10 Apr 23 2011 /etc/rc4.d -> rc.d/rc4.d

Review the permissions on the /var/spool/cron/crontabs/* files to verify that they are owned by the user for which they are named or root and are readable and writeable only by this owner or root. Review

Bitmap Image

/etc/at.allow

/etc/at.deny/etc/cron.allow

/etc/cron.deny

Issue the command: ls -l <file>

# cat <file>

writeable only by this owner or root. Review the contents of the crontab files and compile a list of programs that are executed from within these files. Verify that all programs in Check restrictive permissions on the following files (follow the vendor recommendations):

ls -l /etc/at.allow - No existe archivo

ls -l /etc/at.deny-rw------- 1 root root 1 Jan 26 2010 /etc/at.deny

Los usuarios detallados en él no pueden ejecutar at (ni atrm, ni atq)

ls -l /etc/cron.deny-rw-r--r-- 1 root root 0 Dec 6 2010 /etc/cron.deny

Los usuarios detallados en él no pueden ejecutar crontab.

Sólo la cuenta de superusuario está permitida para acceder a todos los directorios y archivos mediante tareas de trabajos programados.

Review the contents and existence of the files. The files specify who can and cannot use the commands at, cron and batch.

Review permits on directories directly under /, /usr, /etc, /sbin, /usr/bin, /usr/lib, /usr/libexec, /var/spool, /dev, /var/spool/cron, /etc/*.d, /var/log and /usr/sbin and ensure the owner and the permissions set on them are as restrictive as possible.

/, sólo accede root /usr, sólo accede root

/etc, además de root, el grupo disk tiene permisos de escritura en el archivo dumpdates _: -rw-rw-r-- 1 root disk 0 Mar 6 2011 dumpdates. En este archivo se registra información de las copias de cada sistema de archivos, su nivel, y la fecha de realización

/sbin, además de root, el grupo ecryptfs de tiene permisos de ejecutar el archivo de ayuda de montar el disco: -rwsr-x--- 1 root ecryptfs 15136 Sep 3 2009 mount.ecryptfs_private

/usr/bin, además de root, los grupos slocate, mail, screen, nobody, tty tienen acceso a los comandos de usuario en bin: locate, lockfile, procmail, screen, ssh-agent, wall, write.

/usr/lib, solo accede root a las bibliotecas de usuarios/usr/libexec, sólo root accede

Issue the command # ls -la and verify the directories permits and owner. Ensure they are as restrictive as possible. Inspect the owner and groups and verify that they are only writeable by root, bin, or sys (i.e., privileged IDs).

/var/spool, además de root tienen acceso el usuario daemon y snmp, asimismo, los grupos lp y mail./dev, además de root tienen acceso grupos disk, lp, floppy, kmen, tty, uucp , y el uuario vcsa/var/spool/cron, solo root accede/etc/*.d, además de root el grupo daemon/var/log , además de root el grupo utmp y sys con el usuario lp/usr/sbin, además de root el grupo smmsp y apache

Existen accesos a archivos que del sistema mediante las cuentas de ftppublico y ftpreportes. Se debe restringir de alguna forma el uso de estas aplicaciones. Asimismo a carpetas de PMI desarrollo donde se guardan ejecutables. Ver pestaña (a).

$ find / -type f -perm -4000 -exec ls -l {} \;$ find / -type f -perm -2000 -exec ls -l {} \;

No existe el archivo /etc/exports

Run:

To find for SUID and SGID files, issue the following command:

Ningún permiso es otorgado para SUID o SGID. Solo root tiene acceso a estos privilegios.

$ find / -type f \( -perm -2000 -o -perm -4000 \) -print

If a more detailed view is needed, the following commands will show detailed information about SUID and SGID files respectively:

Determine why these permissions are set for the listed files.

Review the /etc/exports file in order to determine whether any NFS exports are configured with the 'root' or ‘no_root_squash’ option .

Review the environment for any trusted hosts: .rhosts files in user's HOME directories should not be allowed; /etc/hosts.equiv file should be eliminated; .netrc files should not be permitted. Have the system administrator run a command that will search the Linux environment for any .rhosts, hosts.equiv and .netrc files. If any of these three types of files exist, inquire with the system administrator as to why they exist. In some instances, applications require some of these files for communication purposes.

/etc/hosts.equiv ha sido elliminadono existen .rhosts filesno existen .netrc files

Review the super server (inetd or xinetd) configuration and ensure rwall service is deactivated.

rwall solo permitido para root.root 8245 0.0 0.2 61188 744 pts/0 R+ 15:17 0:00 grep wall

# ps axu | grep wall]

Run:# ps axu | grep tftp

- root- bin- sys- uucp- sync- any guest accounts- accounts with restricted shell

No existen archivos rhosts.

Review /etc/hosts.equiv file. /etc/hosts.equiv no existe

Issue the following commands:

# showmount -e# cat /etc/exports

to ensure that the rwall service is not running as a stand alone daemon.

Review the super server (inetd or xinetd) configuration and ensure tftp service is deactivated.

tftp solo permitido para root.root 8247 0.0 0.2 61188 740 pts/0 R+ 15:17 0:00 grep tftp

to ensure that the tftp service is not running as a stand alone daemon.

If the FTP service is in use, review the contents of the /etc/ftpusers file. The /etc/ftpusers file should be created if it does not already exist. The /etc/ftpusers file restricts the User IDs contained within from logging into the FTP service. At a minimum, the following accounts should be included:

No existe el archivo /etc/ftpusers cualquier cuenta de /etc/passwd puede transferir a ftp, incluidas las cuentas que pueden ser sensibles como root, bin o sys, uucp, sync, guest accounts, cuentas con restricted shells y otras que no deberían.

- any other account that should not be copying files across the network

Note: As with many UNIX server daemons, configuring an ftp server is inherently complicated. For companies or sites with Internet facing ftp servers, please seek expert review advice.

Review all .rhosts files (located at user's home directories). To list existing .rhosts files: # find / -name .rhosts -print

Ensure non authenticated users can remotely access the system.

No se permiten accesos remotos que no requieran de mecanismos de autenticacación. No se confía en hosts remotos confiables.

no existen showmount -e, por lo tanto no existen NFS exports activos. Ni existen información en cat/etc/exports.

Ensure the 'ro' option has been used for all shared filesystems listed in the /etc/exports.

# ps aux

# uname -r

Ver archivo adjunto.

Ensure that filesystems are being exported to a list or range of host (or IP addressses), as opposed to being exported to ‘everyone’.

Review the following with the system administrator to verify that only those services that serve a strong business need are available:

Los servicios habilitados en xinetd.d/* deberían deshabilitarse. Averiguar para los que no son por defecto: /rmcp, /etc/xinetd.d/*

• each service in the /etc/inetd.conf file (in the case that inetd is being used) or the /etc/xinetd.d/* files (in the case that xinetd is being used)

Los servicios habilitados para levantaser en el boot time son propios: init.d, rc*.d, rc.sysinit, rc.local

• each service configured to start at boot time in the startup scripts: # ls -lL /etc/rc*

Para RPC existen los siguientes servicios ejecutándose: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100024 1 udp 916 status 100024 1 tcp 919 status

• each service using insecure RPC authentication: # rpcinfo -p

Los cuales no deberían estar ejecutándose.

• the output of the following command, which identifies processes currently running on the server:

" Check the version of the installed kernel by executing the command:

La versión del kernell instalada es: 2.6.18-238.9.1.el5

Los paquetes de actualización instalados son los últimos correspondientes a la versión de Centos, obtenida de la página oficial www.centos.org Release 5.5.

Check the version of the installed software. Depending on the packages the distribution works with, run one of the following commands:

For deb packages (Debian, SuSE, Xandros, etc.): #dpkg -l *

For rpm packages (RedHat, Fedora, Mandrake, etc.):#rpm -qa

Compare the installed versions with each vendor's latest.

C:\Users\respinoza.PMLPZ\D

Remember that manually compiled software will not appear on these commands output. Only those installed as packages will."

Archivos Base

Archivos de consultas al FTP:

Para actualizaciones de paquetes:

C:\Users\respinoza.PMLPZ\D

FTP.rar

Se tiene estos descargos de la gestión pasada:

Respuestas a Auditoría de Sistemas ON PMB - Parte Servidor FTP.msg

Ver correo adjunto anteriormente.

Se tiene estos descargos de la gestión pasada:

Respuestas a Auditoría de Sistemas ON PMB - Parte Servidor FTP.msg

Ver correo adjunto anteriormente.

Ver correo adjunto anteriormente.

sudoers - 10-2-0-7.dat