Guide to Operating System Security
Chapter 12
Security through Monitoring and Auditing
Objectives
• Understand the relationship between baselining and hardening
• Explain intrusion-detection methods
• Use audit trails and logs
• Monitor logged-on users
• Monitor a network
Baselining and Hardening
• Baselines: measurement standards for hardware, software, and network operations
• Used to establish performance statistics under varying loads or circumstances
Overview of Intrusion Detection
• Detects and reports possible network and computer system intrusions or attacks
• Main approaches:
  • Passive
  • Active
  • Network-based
  • Inspectors
  • Auditors
  • Decoys and honeypots
Passive Intrusion Detection
• Detects and records intrusions; does not take action on findings
• Effective as long as the administrator checks the logs
• Can create filters or traps
• Examples of monitored activities:
  • Login attempts
  • Changes to files
  • Port scans
Third-Party Passive Intrusion-Detection Tools
• Klaxon
• Loginlog
• Lsof
• Network Flight Recorder
• RealSecure
• Dragon Squire
• PreCis
Active Intrusion Detection
• Detects an attack and sends an alert to the administrator, or takes action to block the attack
• May use logs, monitoring, and recording devices
Third-Party Active Intrusion-Detection Tools
• Entercept
• AppShield
• Snort
• SecureHost
• StormWatch
[Figure: Active Intrusion Detection]
Host-based Intrusion Detection
• Software that monitors the computer on which it is loaded:
  • Logons
  • Files and folders
  • Applications
  • Network traffic
  • Changes to security
• Host wrappers and host-based agents
[Figure: Host-based Intrusion Detection]
Network-based Intrusion Detection
• Monitors network traffic associated with a specific network segment
• Typically places the NIC in promiscuous mode
[Figure: Network-based Intrusion Detection]
Inspector
• Examines captured data, logs, or other recorded information
• Determines if an intrusion is occurring or has occurred
• Administrator sets up inspection parameters, for example:
  • Files changed/created under suspicious circumstances
  • Permissions unexpectedly changed
  • Excessive use of the computer's resources
Auditor
• Tracks the full range of data and events, normal and suspicious, for example:
  • Every time services are started and stopped
  • Hardware events or problems
  • Every logon attempt
  • Every time permissions are changed
  • Network connection events
• Records information to a log
Decoys and Honeypots
• Fully operational computers that contain no information of value
• Draw attackers away from critical targets
• Provide a means to identify and catch or block attackers before they harm other systems
Using Audit Trails and Logs
• A form of passive intrusion detection used by most operating systems:
  • Windows 2000/XP/2003
  • Red Hat Linux 9.x
  • NetWare 6.x
  • Mac OS X
Viewing Logs in Windows 2000/XP/2003 (Continued)
• Accessed through Event Viewer
• Event logs can help identify a security problem
• Filter option can help quickly locate a problem
Viewing Logs in Windows 2000/XP/2003 (Continued)
• Principal event logs:
  • System
  • Security
  • Application
• Event logs for installed services:
  • Directory Service
  • DNS Service
  • File Replication
[Figure: Event Viewer in Windows Server 2003]
[Figure: Viewing an Event in Windows Server 2003]
Viewing Logs in Red Hat Linux 9.x (Continued)
• Offers a range of default logs
• Log files have four rotation levels
• Managed through syslogd
Viewing Logs in Red Hat Linux 9.x (Continued)
• Two ways to view default logs:
  • Open LogViewer (Main Menu – System Tools – System Logs)
    • Enables creation of a filter on the basis of a keyword (e.g., failed, denied, rejected)
  • Use the Emacs or vi editor, or the cat command, in a terminal window
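The keyword filter described above, as an added Python example that is not from the book: it scans constructed /var/log/secure-style lines for filter keywords, counts hits per keyword and per source address, and lists addresses that recur. The sample lines, the keyword list and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure-style lines (not real log data).
SAMPLE_SECURE_LOG = """\
Mar 10 09:14:02 rh9 sshd[1203]: Accepted password for alice from 10.0.0.21 port 4020 ssh2
Mar 10 09:14:09 rh9 sshd[1207]: Failed password for root from 10.0.0.55 port 4021 ssh2
Mar 10 09:14:12 rh9 sshd[1209]: Failed password for root from 10.0.0.55 port 4022 ssh2
Mar 10 09:14:15 rh9 sshd[1211]: Failed password for admin from 10.0.0.55 port 4023 ssh2
Mar 10 09:20:40 rh9 xinetd[512]: FAIL: telnet address from=10.0.0.55
Mar 10 09:31:05 rh9 su(pam_unix)[1300]: authentication failure; logname=bob uid=501 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar 10 09:45:22 rh9 vsftpd[1402]: refused connect from 10.0.0.77
Mar 10 10:02:13 rh9 sshd[1450]: Accepted publickey for alice from 10.0.0.21 port 4100 ssh2
"""

# "fail" covers Failed, FAIL: and failure; the other words mirror the LogViewer examples.
DEFAULT_KEYWORDS = ("fail", "denied", "rejected", "refused")

# Source address as written by sshd ("from 10.0.0.5"), xinetd ("from=10.0.0.5") or PAM ("rhost=10.0.0.5").
SOURCE_RE = re.compile(r"(?:from[= ]|rhost=)(\d{1,3}(?:\.\d{1,3}){3})")

def filter_log(text, keywords=DEFAULT_KEYWORDS):
    """Return the lines containing any keyword, case-insensitively, like the LogViewer filter."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return [line for line in text.splitlines() if pattern.search(line)]

def summarize(text, keywords=DEFAULT_KEYWORDS):
    """Count filtered lines per keyword and per source address."""
    per_keyword, per_source = Counter(), Counter()
    for line in filter_log(text, keywords):
        lowered = line.lower()
        for k in keywords:
            if k in lowered:
                per_keyword[k] += 1
        match = SOURCE_RE.search(line)
        if match:
            per_source[match.group(1)] += 1
    return per_keyword, per_source

def repeat_offenders(per_source, threshold=3):
    """Source addresses with at least `threshold` filtered events, most active first."""
    return [addr for addr, n in per_source.most_common() if n >= threshold]

if __name__ == "__main__":
    keywords, sources = summarize(SAMPLE_SECURE_LOG)
    print(dict(keywords), dict(sources), repeat_offenders(sources))
```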
Red Hat Linux 9.x Default Logs (Continued)
Log Name | Location and Filename | Description
Boot Log | /var/log/boot.log.x | Contains messages about processes and events that occur during bootup or shutdown
Cron Log | /var/log/cron.x | Provides information about jobs that are scheduled to run or that have already run
Kernel Startup Log | /var/log/dmesg.x | Shows startup messages sent from the kernel
Mail Log | /var/log/maillog.x | Contains messages about mail server activities
News Log | /var/log/spooler.x | Provides messages from the news server
Red Hat Linux 9.x Default Logs (Continued)
Log Name | Location and Filename | Description
RPM Packages Log | /var/log/rpmpkgs.x | Shows the list of software packages currently installed; updated each day through a job scheduled via the cron command
Security Log | /var/log/secure.x | Provides information about security events and processes
System Log | /var/log/messages.x | Contains messages related to system activities
Update Agent Log | /var/log/up2date.x | Shows updates that have been performed by the Update Agent
XFree86 Log | /var/log/xfree86.x.log | Contains information about what is installed from XFree86
[Figure: Viewing Logs in Red Hat Linux 9.x]
Viewing Logs in NetWare 6.x (Continued)
Log Name | Location & Filename | Description
Access Log | SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ACCESS.TXT | Contains information about access services to the NetWare server
Audit Log | SYS:ETC\AUDIT.LOG | Contains an audit trail of user account activities
Console Log | SYS:ETC\CONSOLE.LOG | Traces activities performed at the server console
Error Log | SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ERROR.TXT | Contains error information recorded for the NetWare server
Viewing Logs in NetWare 6.x (Continued)
Log Name | Location & Filename | Description
Module Log | SYS:ETC\CWCONSOL.LOG | Contains a listing of modules that have been loaded
NFS Server Log | SYS:ETC\NFSSERV.LOG | Provides information about NFS server services, including changes to a service and communications through TCP and UDP
Schema Instructions Log | SYS:ETC\SCHINST.LOG | Tracks schema events, including changes to the schema
[Figure: Viewing Logs in Red Hat Linux 9.x]
Viewing Logs in Mac OS X (Continued)
Log Name | Location and Filename | Description
FTP Service Log | /var/log/ftp.log | Contains information about FTP activity, including sessions, uploads, downloads, etc.
Last Login Log | /var/log/lastlog | Provides information about last login activities
Directory Service Log | /var/log/lookupd.log | Provides the log of the lookupd (look up directory services) daemon, including requests relating to user accounts, printers, and Internet resources
Mail Service Log | /var/log/mail.log | Stores messages about e-mail activities
Viewing Logs in Mac OS X (Continued)
Log Name | Location and Filename | Description
Network Information Log | /var/log/netinfo.log | Tracks messages related to network activity
Print Service Log | /var/log/lpr.log | Contains information about printing activities
Security Log | /var/log/secure.log | Provides information about security events
System Log | /var/log/system.log | Contains information about system events, including processes that are started or stopped, buffering activities, console messages, etc.
[Figure: Viewing Logs in Mac OS X]
Reasons for Monitoring Logged-on Users
• Assess how many users are typically logged on at given points in time (baseline information)
• Determine when a shutdown would have the least impact
• Be aware of security or misuse problems
Monitoring Users in Windows 2000/XP/2003
• Use the Computer Management tool to access Shared Folders
• Shared Folder options:
  • Shares
  • Sessions
  • Open Files
• Use Task Manager (Windows XP and Windows Server 2003)
[Figure: Monitoring Users in Windows XP Professional]
[Figure: Monitoring Users in Windows 2000 Server]
[Figure: Monitoring Users in Windows XP Professional]
Monitoring Users in Red Hat Linux 9.x
• Use the who command
who Command Options
Option | Description
-a | Displays all users
-b | Shows the time when the system was last booted
-i | Shows the amount of time each user process has been idle
-q | Provides a quick list of logged-on users, and provides a user count
-r | Shows the run level
-s | Displays a short listing of usernames, line in use, and logon time
-u | Displays the long listing of usernames, line in use, logon time, and process number
--help | Displays help information about the who command
-H | Displays who information with column headers
[Figure: Monitoring Users in Red Hat Linux 9.x]
Monitoring Users in NetWare 6.x
• MONITOR:
  • Connections
  • Loaded modules
  • File open/lock
  • Other server-monitoring functions
• NetWare Remote Manager:
  • View current connections
  • View files opened by particular users
  • Send messages to a particular user or all users
  • Clear connections
Monitoring Users in Mac OS X
• Use the who command in a terminal window
• Supports few options (primarily -H and -u)
• Process Viewer
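As an added Python example that is not from the book, the following parses constructed `who -u -H` output (the form the Red Hat Linux and Mac OS X slides both rely on), counts users and sessions for the baseline the earlier slide asks for, and lists sessions idle past a limit. The sample output and the 60-minute limit are assumptions.

```python
import re
from collections import Counter

# Constructed `who -u -H` output (not a real capture). In the IDLE column "."
# means the line was active within the last minute, "old" means idle for more
# than a day, and hours:minutes otherwise.
SAMPLE_WHO_OUTPUT = """\
NAME     LINE         TIME           IDLE         PID COMMENT
alice    pts/1        Mar 10 09:14   .           1203 (10.0.0.21)
bob      pts/2        Mar 10 07:02   02:41       1150 (10.0.0.33)
root     tty1         Mar  9 18:30   old          980
carol    pts/3        Mar 10 09:40   00:05       1288 (10.0.0.40)
alice    pts/4        Mar 10 09:41   .           1290 (10.0.0.21)
"""

# One `who -u` row: user, line, logon time, idle, pid, optional (host).
WHO_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<time>\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+"
    r"(?P<idle>\.|old|\d{2}:\d{2})\s+(?P<pid>\d+)(?:\s+\((?P<host>[^)]+)\))?\s*$"
)

def parse_who(text):
    """Turn `who -u` rows into dicts; the -H header row does not match and is skipped."""
    return [m.groupdict() for m in map(WHO_LINE.match, text.splitlines()) if m]

def idle_minutes(idle):
    """Convert the IDLE column to minutes ("old" is treated as a full day)."""
    if idle == ".":
        return 0
    if idle == "old":
        return 24 * 60
    hours, minutes = idle.split(":")
    return int(hours) * 60 + int(minutes)

def session_report(text, idle_limit=60):
    """Count distinct users and sessions and list sessions idle longer than idle_limit minutes."""
    sessions = parse_who(text)
    users = Counter(s["user"] for s in sessions)
    stale = [(s["user"], s["line"], s["idle"])
             for s in sessions if idle_minutes(s["idle"]) > idle_limit]
    return {"sessions": len(sessions), "users": len(users),
            "per_user": dict(users), "stale": stale}

if __name__ == "__main__":
    print(session_report(SAMPLE_WHO_OUTPUT))
```

Idle sessions are worth a look because an unattended logged-on terminal is exactly the "misuse problem" the monitoring slide warns about.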
Monitoring a Network
• Network Monitor: network monitoring software with the most features
• Comes with Windows 2000 Server and Windows Server 2003
Why Network Monitoring Is Important
• Networks are dynamic
• The administrator must distinguish an attack from an equipment malfunction
• Establish and use benchmarks to help quickly identify and resolve problems
Using Microsoft Network Monitor
• Uses the Network Monitor Driver to monitor the network from the server's NIC (promiscuous mode)
• Sample activities that can be monitored:
  • Percent network utilization
  • Frames and bytes transported per second
  • Network station statistics
  • NIC statistics
  • Error data
Network Monitor Driver
• Detects many forms of network traffic
• Captures packets and frames for analysis and reporting by Network Monitor
Using Microsoft Network Monitor
• Start from the Administrative Tools menu
• Four panes of information:
  • Graph
  • Total Statistics
  • Session Statistics
  • Station Statistics
• View captured information
[Figure: Using Microsoft Network Monitor]
Network Monitor Panes
Pane | Information Provided in Pane
Graph | Provides bar graphs for % Network Utilization, Frames Per Second, Bytes Per Second, Broadcasts Per Second, and Multicasts Per Second
Total Statistics | Provides total statistics about network activity that originates from or is sent to the computer (station) using Network Monitor; includes statistics for Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics
Session Statistics | Provides statistics about traffic from other computers on the network: MAC (device) address of each computer's NIC and data about the number of frames sent from and received by each computer
Station Statistics | Provides total statistics on all communicating network stations: Network (device) address of each communicating computer, Frames Sent, Frames Received, Bytes Sent, Bytes Received, Directed Frames Sent, Multicasts Sent, and Broadcasts Sent
[Figure: Viewing Capture Summary Data]
Creating a Filter in Network Monitor
• Two property types: Service Access Point (SAP) and Ethertype (ETYPE)
Using Capture Trigger
• Software performs a specific function when a predefined situation occurs
Using Network Monitor to Set Baselines
• From the Graph pane:
  • % Network Utilization
  • Frames Per Second
  • Broadcasts Per Second
  • Multicasts Per Second
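An added Python example, not from the book, of turning Graph-pane readings into the kind of baseline the baselining slides and the "benchmarks" point describe: it computes the mean and standard deviation of each metric from constructed samples taken on ordinary days, then flags a new reading that falls outside that band. The sample values, the reading and the 3-standard-deviation rule are assumptions.

```python
import statistics

# Constructed baseline samples (not real captures): each Graph-pane metric
# recorded at the same hour on seven ordinary days.
BASELINE_SAMPLES = {
    "% Network Utilization": [12.0, 14.5, 11.0, 13.5, 12.5, 15.0, 13.0],
    "Frames Per Second": [820, 910, 780, 860, 840, 950, 880],
    "Broadcasts Per Second": [6, 8, 5, 7, 6, 9, 7],
    "Multicasts Per Second": [2, 3, 2, 2, 4, 3, 2],
}

# Constructed reading taken later at the same hour; only the broadcast rate is unusual.
SAMPLE_READING = {
    "% Network Utilization": 13.0,
    "Frames Per Second": 870,
    "Broadcasts Per Second": 180,
    "Multicasts Per Second": 3,
}

def build_baseline(samples):
    """Mean and sample standard deviation per metric: the benchmark to compare against."""
    return {name: (statistics.mean(v), statistics.stdev(v)) for name, v in samples.items()}

def check_reading(baseline, reading, k=3.0):
    """Return the metrics that lie more than k standard deviations from their baseline mean.

    Each flagged entry is (value, low, high) so the report shows the band that was left.
    The baseline only says the reading is abnormal; whether it is an attack or a faulty
    device is what the administrator then has to determine.
    """
    anomalies = {}
    for name, value in reading.items():
        mean, sd = baseline[name]
        low, high = mean - k * sd, mean + k * sd
        if value < low or value > high:
            anomalies[name] = (value, round(low, 2), round(high, 2))
    return anomalies

if __name__ == "__main__":
    print(check_reading(build_baseline(BASELINE_SAMPLES), SAMPLE_READING))
```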
Summary (Continued)
• Creating baselines to help quickly identify when an attack is occurring
• Intrusion-detection methods:
  • Employed through an operating system
  • Third-party software
• Using auditing and logging tools to track intrusion events
Summary
• Monitoring user activities:
  • GUI-based Computer Management tool in Windows 2000/XP/2003
  • who command in Red Hat Linux and Mac OS X
• Network monitoring with Microsoft Network Monitor