Guide to Operating System Security Chapter 12 Security through Monitoring and Auditing

Upload: rodger-davis

Post on 24-Dec-2015


Page 1: Guide to Operating System Security Chapter 12 Security through Monitoring and Auditing

Guide to Operating System Security

Chapter 12

Security through Monitoring and Auditing

Page 2: Objectives

• Understand the relationship between baselining and hardening
• Explain intrusion-detection methods
• Use audit trails and logs
• Monitor logged-on users
• Monitor a network

Page 3: Baselining and Hardening

• Baselines: measurement standards for hardware, software, and network operations
• Used to establish performance statistics under varying loads or circumstances
• A baseline recorded after a system has been hardened captures what normal looks like, so that the monitoring methods in this chapter can flag departures from it

Page 4: Overview of Intrusion Detection

• Detects and reports possible network and computer system intrusions or attacks
• Main approaches:
  • Passive
  • Active
  • Host-based
  • Network-based
  • Inspectors
  • Auditors
  • Decoys and honeypots

Page 5: Passive Intrusion Detection

• Detects and records intrusions; does not take action on findings
• Effective only as long as the administrator actually checks the logs
• Can create filters or traps
• Examples of monitored activities:
  • Login attempts
  • Changes to files
  • Port scans

Page 6: Third-Party Passive Intrusion-Detection Tools

• Klaxon
• Loginlog
• Lsof
• Network Flight Recorder
• RealSecure
• Dragon Squire
• PreCis

Page 7: Active Intrusion Detection

• Detects an attack and sends an alert to the administrator, or takes action to block the attack
• May use logs, monitoring, and recording devices
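The difference between the passive method of page 5 and the active method above is only what happens after detection. The following added example (written for this page, not code from the textbook) runs a failed-logon detector over constructed lines in the format Red Hat 9's sshd writes to /var/log/secure; in passive mode it produces alert text for the administrator to read, in active mode it also produces a firewall rule. The threshold, window, sample lines, year and the iptables rule text are assumptions of the example, and the rule is returned as a string rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format Red Hat 9 writes to /var/log/secure
SAMPLE_LOG = """\
Mar  3 08:01:02 host1 sshd[2041]: Failed password for root from 10.0.0.5 port 4521 ssh2
Mar  3 08:01:04 host1 sshd[2043]: Failed password for root from 10.0.0.5 port 4522 ssh2
Mar  3 08:01:05 host1 sshd[2045]: Failed password for admin from 10.0.0.5 port 4523 ssh2
Mar  3 08:01:07 host1 sshd[2047]: Failed password for root from 10.0.0.5 port 4524 ssh2
Mar  3 08:01:09 host1 sshd[2049]: Failed password for root from 10.0.0.5 port 4525 ssh2
Mar  3 08:05:00 host1 sshd[2060]: Accepted password for alice from 192.168.1.20 port 3311 ssh2
Mar  3 08:20:00 host1 sshd[2071]: Failed password for bob from 192.168.1.21 port 3320 ssh2
Mar  3 09:20:00 host1 sshd[2090]: Failed password for bob from 192.168.1.21 port 3321 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_ts(ts, year=2003):
    """syslog timestamps carry no year; the year is an assumption of the example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return [(ip, count)] for each source that reaches `threshold` failed
    logons inside a sliding window of `window_s` seconds (one alert per source)."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                       # accepted logons and other daemons are ignored
        ip, t = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > window_s:
            window.popleft()               # drop attempts older than the window
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(window)))
    return alerts

def respond(alerts, mode="passive"):
    """Passive: only alert text for the administrator to read.
    Active: additionally the block rule that would be applied.
    The rule is returned as text, not executed, in this example."""
    actions = []
    for ip, n in alerts:
        actions.append(f"ALERT {n} failed logons from {ip}")
        if mode == "active":
            actions.append(f"BLOCK iptables -I INPUT -s {ip} -j DROP")
    return actions
```

With the sample above only 10.0.0.5 trips the detector; bob's two failures an hour apart fall outside the window. Two caveats a practitioner adds before switching such a detector to active mode: the passive output is worthless if nobody reads it (the slide's point), and an automatic block acts on whatever address the detector saw, so an attacker who can spoof or relay through a legitimate host can turn the block rule into a denial of service against that host.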

Page 8: Third-Party Active Intrusion-Detection Tools

• Entercept
• AppShield
• Snort
• SecureHost
• StormWatch

Page 9: Active Intrusion Detection (figure; image not included in the transcript)

Page 10: Host-based Intrusion Detection

• Software that monitors the computer on which it is loaded:
  • Logons
  • Files and folders
  • Applications
  • Network traffic
  • Changes to security settings
• Two forms: host wrappers and host-based agents

Page 11: Host-based Intrusion Detection (figure; image not included in the transcript)

Page 12: Network-based Intrusion Detection

• Monitors network traffic associated with a specific network segment
• Typically places the NIC in promiscuous mode
• On a switched segment promiscuous mode alone shows only the sensor's own traffic; the sensor must be fed from a mirror (SPAN) port or a tap to see the whole segment

Page 13: Network-based Intrusion Detection (figure; image not included in the transcript)

Page 14: Inspector

• Examines captured data, logs, or other recorded information
• Determines if an intrusion is occurring or has occurred
• Administrator sets up inspection parameters, for example:
  • Files changed or created under suspicious circumstances
  • Permissions unexpectedly changed
  • Excessive use of the computer's resources
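The first two inspection parameters above, and the baseline idea from page 3, come together in a file-integrity inspector: record a baseline of each file's digest, permission bits and owner, then compare a later snapshot against it. The following is an added example written for this page (not the textbook's code, and not the code of any named tool); the directory tree it builds, the file contents and the tampering it simulates are all constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Map relative path -> (sha256, mode, uid) for every regular file under root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and device nodes are out of scope here
            rel = os.path.relpath(full, root)
            snapshot[rel] = (_sha256(full), oct(stat.S_IMODE(st.st_mode)), st.st_uid)
    return snapshot

def inspect(baseline, current):
    """Compare a later snapshot against the baseline and report the findings."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed, perms = [], []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        if old[0] != new[0]:
            changed.append(rel)                       # content differs
        if old[1:] != new[1:]:
            perms.append((rel, old[1:], new[1:]))     # mode or owner differs
    return {"created": created, "deleted": deleted, "changed": changed, "permissions": perms}

def demo():
    """Build a constructed tree, baseline it, tamper with it, and inspect again."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        passwd, shadow = os.path.join(etc, "passwd"), os.path.join(etc, "shadow")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(shadow, "w") as f:
            f.write("root:$1$constructed$hash:12345:0:99999:7:::\n")
        os.chmod(shadow, 0o600)
        baseline = take_baseline(root)

        # Simulated tampering: extra uid-0 account, world-readable shadow, new startup script
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(shadow, 0o644)
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        return inspect(baseline, take_baseline(root))
```

demo() reports etc/passwd as changed, etc/shadow as a permission change from 0o600 to 0o644, and etc/rc.local as created. The baseline itself is the inspector's weak point: if it lives on the monitored host with ordinary permissions, an intruder who can change the files can also re-baseline them, so store it read-only, off the host, or signed.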

Page 15: Auditor

• Tracks the full range of data and events, normal and suspicious, for example:
  • Every time services are started and stopped
  • Hardware events or problems
  • Every logon attempt
  • Every time permissions are changed
  • Network connection events
• Records the information to a log

Page 16: Decoys and Honeypots

• Fully operational computers that contain no information of value
• Draw attackers away from critical targets
• Provide a means to identify and catch or block attackers before they harm other systems
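Because a decoy has no legitimate users, every connection to it is worth recording. The following added example (written for this page, not the textbook's code) is the smallest form of a decoy: a TCP listener that presents a fake banner, records the peer address and the first bytes it sends, and closes. The banner text, the loopback address and the probe payload are constructed for the example; a production honeypot would be a full system on its own isolated segment.

```python
import socket
import threading

BANNER = b"220 mail.example.test ESMTP ready\r\n"   # constructed decoy banner

class Decoy:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records = []                   # the log the administrator reviews
        self._lock = threading.Lock()

    def serve_once(self, timeout=5.0):
        """Accept one connection, send the banner, capture what the peer sends first."""
        self.sock.settimeout(timeout)
        try:
            conn, peer = self.sock.accept()
        except socket.timeout:
            return None
        with conn:
            conn.settimeout(1.0)
            conn.sendall(BANNER)
            try:
                data = conn.recv(256)
            except socket.timeout:
                data = b""                  # silent scanner: connection only
        record = {"peer": peer[0], "port": peer[1], "first_bytes": data}
        with self._lock:
            self.records.append(record)
        return record

    def close(self):
        self.sock.close()

def run_in_background(decoy, connections=1):
    t = threading.Thread(target=lambda: [decoy.serve_once() for _ in range(connections)],
                         daemon=True)
    t.start()
    return t

def probe(port, payload=b"EHLO attacker\r\n"):
    """Simulated attacker (constructed): connect, read the banner, send a probe."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner
```

A record with peer 127.0.0.1 and first_bytes starting with EHLO appears after one probe. Two operational points: the decoy must be unable to reach anything real (separate segment, egress filtered), or its compromise becomes a pivot; and its logs belong on another host, since an attacker who owns the decoy owns whatever it wrote locally.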

Page 17: Using Audit Trails and Logs

• A form of passive intrusion detection used by most operating systems:
  • Windows 2000/XP/2003
  • Red Hat Linux 9.x
  • NetWare 6.x
  • Mac OS X
• Logs are only trustworthy if an intruder cannot alter them: restrict their permissions and forward copies to a separate log host

Page 18: Viewing Logs in Windows 2000/XP/2003

• Accessed through Event Viewer
• Event logs can help identify a security problem
• The Filter option can help quickly locate a problem

Page 19: Viewing Logs in Windows 2000/XP/2003 (Continued)

• Principal event logs:
  • System
  • Security
  • Application
• Event logs for installed services:
  • Directory Service
  • DNS Server
  • File Replication Service
• The Security log contains only what the audit policy (Local Security Policy or Group Policy) tells Windows to record; on Windows 2000 and XP nothing is audited by default, so enable logon and object-access auditing before relying on it

Page 20: Event Viewer in Windows Server 2003 (figure; image not included in the transcript)

Page 21: Viewing an Event in Windows Server 2003 (figure; image not included in the transcript)

Page 22: Viewing Logs in Red Hat Linux 9.x

• Offers a range of default logs
• Log files:
  • Have four rotation levels (the default logrotate configuration keeps name.1 through name.4 alongside the current file)
  • Managed through syslogd

Page 23: Viewing Logs in Red Hat Linux 9.x (Continued)

• Two ways to view the default logs:
  • Open LogViewer (Main Menu – System Tools – System Logs); enables creation of a filter on the basis of a keyword (e.g., failed, denied, rejected)
  • Use the Emacs or vi editor, or the cat command, in a terminal window
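The keyword filter LogViewer offers is easy to reproduce for the whole rotated set, which matters because the evidence of an intrusion is often in secure.1 or secure.2 rather than in the current file. The following added example (written for this page, not the textbook's or Red Hat's code) reads a log and its rotation levels oldest first and keeps the lines that match the slide's keywords. The directory, file names and log lines are constructed; treating a .gz rotation level is an assumption (Red Hat 9's logrotate did not compress by default).

```python
import gzip
import os
import re
import tempfile

DEFAULT_KEYWORDS = ("failed", "denied", "rejected")   # the keywords named on the slide

def rotation_order(directory, name, levels=4):
    """Paths oldest first: name.<levels> ... name.1, then the live file."""
    candidates = [f"{name}.{i}" for i in range(levels, 0, -1)] + [name]
    paths = []
    for c in candidates:
        for suffix in ("", ".gz"):
            p = os.path.join(directory, c + suffix)
            if os.path.exists(p):
                paths.append(p)
                break
    return paths

def read_rotated(directory, name, levels=4):
    for p in rotation_order(directory, name, levels):
        opener = gzip.open if p.endswith(".gz") else open
        with opener(p, "rt", errors="replace") as f:
            for line in f:
                yield line.rstrip("\n")

def grep_keywords(lines, keywords=DEFAULT_KEYWORDS):
    pat = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return [line for line in lines if pat.search(line)]

def demo(keywords=DEFAULT_KEYWORDS):
    """Constructed /var/log/secure set with three rotation levels, filtered."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "secure.2": "Mar  1 02:00:01 host1 sshd[100]: Failed password for root from 10.0.0.9 port 4000 ssh2\n",
            "secure.1": "Mar  2 02:00:01 host1 login: LOGIN FAILURE FROM tty1 FOR root, Authentication failure\n"
                        "Mar  2 03:00:00 host1 xinetd[200]: START: telnet pid=300 from=10.0.0.9\n",
            "secure":   "Mar  3 02:00:01 host1 sshd[400]: Accepted password for alice from 192.168.1.2 port 3000 ssh2\n"
                        "Mar  3 02:10:00 host1 sshd[500]: Failed publickey for bob from 10.0.0.9 port 4100 ssh2\n"
                        "Mar  3 02:12:00 host1 login[700]: access denied for bob on tty2\n",
        }
        for n, body in files.items():
            with open(os.path.join(d, n), "w") as f:
                f.write(body)
        with gzip.open(os.path.join(d, "secure.3.gz"), "wt") as f:
            f.write("Feb 28 01:00:00 host1 sshd[50]: refused connect from 10.0.0.9\n")
        return grep_keywords(read_rotated(d, "secure"), keywords)
```

With the slide's three keywords demo() returns three lines; the tcp_wrappers "refused connect" and the login "FAILURE" lines slip past, because "refused" and "failure" are not "failed". The lesson is that a keyword filter is only as good as its vocabulary: extend it per daemon (demo(("failed", "failure", "refused", "denied", "rejected")) catches all five) or, better, watch the source address 10.0.0.9 that every one of those lines shares.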

Page 24-25: Red Hat Linux 9.x Default Logs

Log Name            Location and Filename     Description
Boot Log            /var/log/boot.log.x       Messages about processes and events that occur during bootup or shutdown
Cron Log            /var/log/cron.x           Information about jobs that are scheduled to run or that have already run
Kernel Startup Log  /var/log/dmesg.x          Startup messages sent from the kernel
Mail Log            /var/log/maillog.x        Messages about mail server activities
News Log            /var/log/spooler.x        Messages from the news server
RPM Packages Log    /var/log/rpmpkgs.x        List of software packages currently installed; updated each day through a job scheduled via cron
Security Log        /var/log/secure.x         Information about security events and processes (e.g., logon, su, and sshd messages)
System Log          /var/log/messages.x       Messages related to system activities
Update Agent Log    /var/log/up2date.x        Updates that have been performed by the Update Agent
XFree86 Log         /var/log/XFree86.x.log    Information about what is installed from XFree86 (here x is the display number, e.g. XFree86.0.log, not a rotation level)

In the other entries the .x suffix stands for the rotation level (1 to 4); the current file has no suffix.

Page 26: Viewing Logs in Red Hat Linux 9.x (figure; image not included in the transcript)

Page 27-28: Viewing Logs in NetWare 6.x

Log Name                 Location and Filename                             Description
Access Log               SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ACCESS.TXT  Information about access to services on the NetWare server
Audit Log                SYS:ETC\AUDIT.LOG                                 Audit trail of user account activities
Console Log              SYS:ETC\CONSOLE.LOG                               Traces activities performed at the server console
Error Log                SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ERROR.TXT   Error information recorded for the NetWare server
Module Log               SYS:ETC\CWCONSOL.LOG                              Listing of modules that have been loaded
NFS Server Log           SYS:ETC\NFSSERV.LOG                               Information about NFS server services, including changes to a service and communications through TCP and UDP
Schema Instructions Log  SYS:ETC\SCHINST.LOG                               Schema events, including changes to the schema

Page 29: Viewing Logs in Red Hat Linux 9.x (figure; image not included in the transcript)

Page 30-31: Viewing Logs in Mac OS X

Log Name                 Location and Filename  Description
FTP Service Log          /var/log/ftp.log       Information about FTP activity, including sessions, uploads, and downloads
Last Login Log           /var/log/lastlog       Information about last login activities
Directory Service Log    /var/log/lookupd.log   Log of the lookupd (directory services lookup) daemon, including requests relating to user accounts, printers, and Internet resources
Mail Service Log         /var/log/mail.log      Messages about e-mail activities
Network Information Log  /var/log/netinfo.log   Messages related to network activity
Print Service Log        /var/log/lpr.log       Information about printing activities
Security Log             /var/log/secure.log    Information about security events
System Log               /var/log/system.log    Information about system events, including processes that are started or stopped, buffering activities, and console messages

Page 32: Viewing Logs in Mac OS X (figure; image not included in the transcript)

Page 33: Reasons for Monitoring Logged-on Users

• Assess how many users are typically logged on at given points in time (baseline information)
• Determine when a shutdown would have the least impact
• Be aware of security or misuse problems

Page 34: Monitoring Users in Windows 2000/XP/2003

• Use the Computer Management tool to access Shared Folders; its options are:
  • Shares
  • Sessions
  • Open Files
• Use Task Manager (Windows XP and Windows Server 2003): the Users tab lists interactive and Terminal Services sessions

Page 35: Monitoring Users in Windows XP Professional (figure; image not included in the transcript)

Page 36: Monitoring Users in Windows 2000 Server (figure; image not included in the transcript)

Page 37: Monitoring Users in Windows XP Professional (figure; image not included in the transcript)

Page 38: Monitoring Users in Red Hat Linux 9.x

• Use the who command

Page 39: who Command Options

Option  Description
-a      Displays all information (equivalent to -b -d --login -p -r -t -T -u)
-b      Shows the time when the system was last booted
-i      Shows the amount of time each user's session has been idle
-q      Provides a quick list of logged-on users, and provides a user count
-r      Shows the run level
-s      Displays a short listing of usernames, line in use, and logon time
-u      Displays the long listing of usernames, line in use, logon time, idle time, and process number
--help  Displays help information about the who command
-H      Displays who information with column headers
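The reasons on page 33 (a baseline of how many users are logged on, and spotting misuse) call for more than reading who's output by eye. The following added example (written for this page, not the textbook's code) parses the output of who -uH, summarises it, and applies two checks a practitioner adds: sessions idle beyond a limit and root sessions coming from a remote or unexpected host. The output text is constructed in the NAME LINE TIME IDLE PID COMMENT layout of GNU who -u; the idle limit and the "local" address prefix are assumptions.

```python
import re
from collections import Counter

# Constructed `who -uH` output (Red Hat 9-era date style; ISO dates parse the same way)
WHO_OUTPUT = """\
NAME     LINE         TIME             IDLE          PID COMMENT
root     tty1         Mar  3 07:55       .          1201
alice    pts/0        Mar  3 08:02       .          2310 (192.168.1.20)
bob      pts/1        Mar  3 06:15   02:40          2402 (192.168.1.21)
root     pts/2        Mar  3 08:30       .          2550 (10.0.0.5)
carol    pts/3        Mar  2 22:10    old           1990 (192.168.1.22)
"""

# IDLE is '.', 'old' (over 24 h) or HH:MM; COMMENT is the remote host in parentheses
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<line>\S+)\s+(?P<time>.+?)\s+"
    r"(?P<idle>\.|old|\d\d:\d\d)\s+(?P<pid>\d+)(?:\s+\((?P<host>[^)]*)\))?\s*$"
)

def parse_who(text):
    sessions = []
    for row in text.splitlines():
        if not row.strip() or row.startswith("NAME"):
            continue                                # skip the -H header line
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed who line: {row!r}")
        s = m.groupdict()
        s["host"] = s["host"] or ""                 # empty: local console
        s["pid"] = int(s["pid"])
        sessions.append(s)
    return sessions

def idle_minutes(idle):
    if idle == ".":
        return 0
    if idle == "old":
        return 24 * 60                              # who prints 'old' for more than 24 hours
    h, m = idle.split(":")
    return int(h) * 60 + int(m)

def summarize(sessions):
    """The numbers worth recording for a logged-on-user baseline."""
    return {
        "count": len(sessions),
        "by_user": Counter(s["name"] for s in sessions),
        "remote": sum(1 for s in sessions if s["host"]),
    }

def findings(sessions, idle_limit=120, local_prefixes=("192.168.",)):
    out = []
    for s in sessions:
        if idle_minutes(s["idle"]) >= idle_limit:
            out.append(("idle", s["name"], s["line"]))
        if s["name"] == "root" and s["host"]:
            out.append(("remote-root", s["line"], s["host"]))
        if s["host"] and not s["host"].startswith(local_prefixes):
            out.append(("foreign-host", s["name"], s["host"]))
    return out
```

On the sample, findings() flags bob and carol as idle and the root session on pts/2 twice, once as a remote root logon and once as coming from outside the assumed local range. One limitation to keep in mind: who reads /var/run/utmp, and an ssh command run without a pty, or an intruder who edits utmp, leaves no entry there, so pair this with the /var/log/secure entries the logging pages describe.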

Page 40: Monitoring Users in Red Hat Linux 9.x (figure; image not included in the transcript)

Page 41: Monitoring Users in NetWare 6.x

• MONITOR (server console utility):
  • Connections
  • Loaded modules
  • File open/lock
  • Other server-monitoring functions
• NetWare Remote Manager:
  • View current connections
  • View files opened by particular users
  • Send messages to a particular user or all users
  • Clear connections

Page 42: Monitoring Users in Mac OS X

• Use the who command in a terminal window; this BSD version supports few options (primarily -H and -u)
• Process Viewer (graphical tool)

Page 43: Monitoring a Network

• Network Monitor: the network monitoring software with the most features that comes with Windows 2000 Server and Windows Server 2003
• The bundled version captures only frames sent to or from the server's own NIC; the full version, which can capture an entire segment, ships with Systems Management Server (SMS)

Page 44: Why Network Monitoring Is Important

• Networks are dynamic
• The administrator must be able to distinguish an attack from an equipment malfunction
• Establish and use benchmarks (baselines) to help quickly identify and resolve problems

Page 45: Using Microsoft Network Monitor

• Uses the Network Monitor Driver to monitor the network from the server's NIC (promiscuous mode)
• Sample activities that can be monitored:
  • Percent network utilization
  • Frames and bytes transported per second
  • Network station statistics
  • NIC statistics
  • Error data

Page 46: Network Monitor Driver

• Detects many forms of network traffic
• Captures packets and frames for analysis and reporting by Network Monitor

Page 47: Using Microsoft Network Monitor

• Start from the Administrative Tools menu
• Four panes of information:
  • Graph
  • Total Statistics
  • Session Statistics
  • Station Statistics
• View captured information

Page 48: Using Microsoft Network Monitor (figure; image not included in the transcript)

Page 49: Network Monitor Panes

Pane                Information Provided in Pane
Graph               Bar graphs for % Network Utilization, Frames Per Second, Bytes Per Second, Broadcasts Per Second, and Multicasts Per Second
Total Statistics    Total statistics about network activity that originates from or is sent to the computer (station) running Network Monitor; includes Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics
Session Statistics  Statistics about traffic between pairs of computers: the MAC (device) address of each computer's NIC and the number of frames sent from and received by each
Station Statistics  Total statistics on all communicating network stations: Network (device) address of each communicating computer, Frames Sent, Frames Received, Bytes Sent, Bytes Received, Directed Frames Sent, Multicasts Sent, and Broadcasts Sent

Page 50: Viewing Capture Summary Data (figure; image not included in the transcript)

Page 51: Creating a Filter in Network Monitor

• Two property types:
  • Service Access Point (SAP): selects IEEE 802.3 frames carrying an 802.2 LLC header by their DSAP/SSAP value (e.g., IPX, NetBIOS)
  • Ethertype (ETYPE): selects Ethernet II frames by their Type field (e.g., IP, ARP)

Page 52: Using Capture Trigger

• The software performs a specific function (for example, stops the capture or runs a command) when a predefined situation occurs, such as the capture buffer reaching a given percentage of its size or a pattern appearing at an offset in a frame

Page 53: Using Network Monitor to Set Baselines

• From the Graph pane:
  • % Network Utilization
  • Frames Per Second
  • Broadcasts Per Second
  • Multicasts Per Second
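Pages 49, 51 and 53 describe, respectively, the per-station counters, the SAP/ETYPE filter properties and the baseline figures; all three rest on the same few bytes of the Ethernet header. The following added example (written for this page, not Microsoft's code or the textbook's) applies them in Python to constructed frames: it classifies each frame as ETYPE (Ethernet II) or SAP (802.3 with an 802.2 LLC header), filters on either property, builds the directed/multicast/broadcast station counters, computes % Network Utilization for an assumed 100 Mbps link over an assumed one-second interval, and tests a new sample against a baseline. The MAC addresses, payloads and baseline samples are constructed.

```python
import struct
from collections import Counter, defaultdict

BROADCAST = b"\xff" * 6
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6"}        # ETYPE values
SAPS = {0xE0: "IPX", 0xF0: "NetBIOS", 0x42: "STP", 0xAA: "SNAP"}   # 802.2 DSAP values

def classify(frame):
    """Return ('ETYPE', type) for Ethernet II or ('SAP', dsap) for 802.3/802.2 frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:             # values of 1536 and above are Ethertypes
        return "ETYPE", type_or_len
    if len(frame) < 17:
        raise ValueError("truncated LLC header")
    return "SAP", frame[14]               # 802.2 LLC header: DSAP, SSAP, Control

def cast(dst):
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 1 else "directed"   # group bit of the first octet

def match_filter(frames, etype=None, sap=None):
    """Keep frames whose ETYPE or SAP equals the requested value."""
    kept = []
    for f in frames:
        kind, value = classify(f)
        if (etype is not None and kind == "ETYPE" and value == etype) or \
           (sap is not None and kind == "SAP" and value == sap):
            kept.append(f)
    return kept

def station_stats(frames):
    """Per source MAC: frames/bytes sent and the directed/multicast/broadcast split."""
    stats = defaultdict(Counter)
    for f in frames:
        c = stats[f[6:12].hex(":")]
        c["frames_sent"] += 1
        c["bytes_sent"] += len(f)
        c[cast(f[:6]) + "_sent"] += 1
    return stats

def utilization_percent(frames, interval_s, link_bps=100_000_000):
    """% of link capacity consumed; 20 bytes of preamble and inter-frame gap per frame."""
    bits = sum((len(f) + 20) * 8 for f in frames)
    return 100.0 * bits / (interval_s * link_bps)

def baseline(samples):
    """Mean and standard deviation of a counter sampled while the network was healthy."""
    n = len(samples)
    mean = sum(samples) / n
    return mean, (sum((s - mean) ** 2 for s in samples) / n) ** 0.5

def exceeds_baseline(value, base, k=3.0):
    mean, sd = base
    return value > mean + k * sd

def make_frame(dst, src, type_or_len, payload):
    return dst + src + struct.pack("!H", type_or_len) + payload

# Constructed capture: two stations, one second of traffic on a 100 Mbps segment
A = bytes.fromhex("00a0c9111111")
B = bytes.fromhex("00a0c9222222")
SAMPLE_FRAMES = [
    make_frame(B, A, 0x0800, b"\x45" + b"\x00" * 59),                              # IPv4, directed
    make_frame(BROADCAST, A, 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 42),          # ARP request, broadcast
    make_frame(bytes.fromhex("01005e000001"), B, 0x0800, b"\x45" + b"\x00" * 59),  # IPv4 multicast
    make_frame(BROADCAST, B, 46, b"\xe0\xe0\x03" + b"\xff" * 43),                  # 802.3 + LLC, DSAP 0xE0 (IPX)
]
```

The distinction the filter makes is the 16-bit field after the source address: 1536 and above it is a Type (ETYPE), below that it is a length and the LLC header that follows carries the SAP. For baselining, sample Broadcasts Per Second at several normal times of day, keep the mean and deviation, and alert when a reading exceeds the mean by a few deviations; with baseline([10, 12, 11, 9, 13]) a reading of 16 is flagged and 14 is not. A broadcast storm and an ARP scan both show up there long before anyone notices them at a workstation.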

Page 54-55: Summary

• Creating baselines to help quickly identify when an attack is occurring
• Intrusion-detection methods:
  • Employed through an operating system
  • Third-party software
• Using auditing and logging tools to track intrusion events
• Monitoring user activities:
  • GUI-based Computer Management tool in Windows 2000/XP/2003
  • who command in Red Hat Linux and Mac OS X
• Network monitoring with Microsoft Network Monitor