managing unix accounts in today's complex world: stop the shadow it and be more efficient
TRANSCRIPT
BY CHRIS RAY, CISSP-ISSMP
TABLE OF CONTENTS
• State of the Union
• IAM – What the Industry Requires
• Defense in Depth Model
• IAM Evolution
• Scenario I – User Account Management
• Scenario II – Server Management
• Scenario III – Audit Madness!
• Getting Executive Buy-In
• Summary
STATE OF THE UNION – INTERNET OF THINGS (OR “THINGIFICATION”)
1. 50 to 200 billion connected devices by 2020 – “Number of connected devices worldwide will rise from 15 billion today to 50 billion by 2020.” - Cisco
2. $1.7 trillion in spending by 2020 – “Global spending on IoT devices & services will rise from $656 billion in 2014 to $1.7 trillion in 2020.” - IDC
3. The $79 billion smart-home industry – “Smart-home industry generated $79.4 billion in revenue in 2014 and is expected to rise substantially as mainstream awareness of smart appliances rises.” - Harbor Research & Postscapes
4. 90% of cars will be connected by 2020 – “By 2020, 90% of cars will be online, compared with just 2% in 2012, supporting in-car infotainment, autonomous-driving, and embedded OS markets.” - Telefonica
5. 173.4 million wearable devices by 2019 – “Global wearable device shipments will surge from 76.1 million in 2015 to 173.4 million units by 2019.” - IDC
The wearables market will connect to the smart-home and connected-car markets and
open the doors to new automation solutions. Cars can be unlocked, started, or even
summoned by a smartwatch. Wearables can also be used to open smart-home locks,
automatically turn lights on and off, and communicate remotely with smart appliances.
Chart source: http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
STATE OF THE UNION – INFORMATION SECURITY
Headline: “After Verizon breach, 1.5 million customer records put up for sale. Verizon Enterprise's security expertise gets put to the test.” by Jon Brodkin - Mar 24, 2016 3:58pm CDT
IAM – REGULATION REQUIREMENTS FOR UNIX ADMINS
NIST Cybersecurity Framework subcategories and their informative references:
PR.AC-1: Identities and credentials are managed for authorized devices and users
• CCS CSC 16
• COBIT 5 DSS05.04, DSS06.03
• ISA 62443-2-1:2009 4.3.3.5.1
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
• NIST SP 800-53 Rev. 4 AC-2, IA Family
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d)
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
• CCS CSC 12, 15
• ISA 62443-2-1:2009 4.3.3.7.3
• ISA 62443-3-3:2013 SR 2.1
• ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
• NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
• COBIT 5 DSS05.04
• ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8
• ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
• NIST SP 800-53 Rev. 4 MA-4
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(d), 164.312(e), 164.308(a)(1)(ii)(D)
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
• ISA 62443-3-3:2013 SR 6.2
• ISO/IEC 27001:2013 A.12.4.1
• NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
• HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
Payment Card Industry Data Security Standard (PCI-DSS):
• 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
• 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
• 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
• 8.1.3 Immediately revoke access for any terminated users.
• 10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.
• 10.2.5.a Verify use of identification and authentication mechanisms is logged.
• 10.2.5.b Verify all elevation of privileges is logged.
• 10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.
DEFENSE IN DEPTH MODEL – WHERE DOES IAM FIT IN?
• The model resides across all environments regardless of platform
• Control challenges to focus on:
  – IAM provisioning / deprovisioning
  – Granular access controls – “least privilege”
  – Policy enforcement – e.g. password complexity
  – Logging / auditing
  – Non-repudiation
• What about enabling the business?
IAM PROCESS
Many kinds of users access these systems,
including:
• Employees.
• Contractors.
• Partners.
• Vendors.
• Customers.
Insiders: including employees and
contractors.
Outsiders: including customers,
partners and vendors.
SCENARIO I – USER ACCOUNT MANAGEMENT
Scenario: When users and administrators need access to a system, a user account needs to be created on each host in order to provide system access for the user. Rights for these user accounts are not granular, which gives the user more access than is needed. Privileged account passwords must be changed immediately when a person changes departments or leaves the company.
Challenge:
• New user accounts (provisioning) – How do I set up multiple user accounts for administrators and ensure ongoing consistency with the main directory (e.g. PeopleSoft, Windows AD, etc.)?
• Removing user accounts (deprovisioning) – How do I promptly remove a person’s access when they change departments or are no longer with the company?
  – How do I change all of my generic privileged account passwords that the person may have had knowledge of?
• Authorization – How do I limit what an administrator can have access to?
• Password policy – How can I enforce the company’s password policy?
Watch Out!
• Excessive local accounts remain
• Contractor / 3rd-party support personnel are not closely managed and keep access after leaving the company
• Password rotation is not practiced
• Violations of the “least privilege” principle
SCENARIO I – USER ACCOUNT MANAGEMENT
Unix operating systems have progressed significantly through the years with regard to user account management.
• “chmod 777 TopSecretFile” – not recommended! – except on slot machines…
• Red Hat Identity Management (IdM)
  – IdM even provides native integration with Active Directory.
• Managing user accounts – deploy and configure PAM (Pluggable Authentication Modules) to enforce password policy.
• Solaris 11.3 – specific extended privileges can be applied to file objects, port numbers, and user IDs. These extended privileges replace the set of privileges that are otherwise available, except for the basic set.
Remember: Implement “least privilege” not only for admins but also for partners, contractors and end users.
Look at solutions that synchronize passwords across environments and provide automated provisioning and deprovisioning of accounts.
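The “Watch Out!” items for this scenario (excessive local accounts, leavers who keep access, extra UID 0 accounts) can be surfaced per host with a few lines of POSIX shell. The following is an added example and not part of the presentation or any BeyondTrust product: the /etc/passwd content and the directory export are constructed samples, and the helper names (uid0_accounts, interactive_accounts, orphaned_accounts) are this example's own.

```shell
#!/bin/sh
# Added example: review a host's local accounts against the central directory.
# Helper names and the sample data are this example's own (constructed), not
# a real host's /etc/passwd.

PASSWD_SAMPLE=$(mktemp)
AUTHORIZED_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$AUTHORIZED_SAMPLE"' EXIT

# Constructed /etc/passwd-style content; a real run would read /etc/passwd.
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1001:1001:Alice (admin):/home/alice:/bin/bash
bob:x:1002:1002:Bob (contractor, contract ended):/home/bob:/bin/bash
svc_backup:x:1003:1003:backup service account:/var/lib/backup:/bin/false
carol:x:1004:1004:Carol (developer):/home/carol:/bin/zsh
EOF

# Constructed export of who the directory (AD / PeopleSoft) still authorizes.
printf '%s\n' alice carol >"$AUTHORIZED_SAMPLE"

# Any UID 0 account other than root is a second root: report it.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Human accounts (UID >= 1000) whose shell still allows a login. Service
# accounts parked on nologin/false are skipped on purpose.
interactive_accounts() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Interactive local accounts the directory no longer authorizes: these are the
# deprovisioning misses (leavers, transfers, ex-contractors).
orphaned_accounts() {
    interactive_accounts "$1" | grep -vxF -f "$2"
}

# Stand-alone report.
echo "Extra UID 0 accounts:";       uid0_accounts "$PASSWD_SAMPLE"
echo "Interactive local accounts:"; interactive_accounts "$PASSWD_SAMPLE"
echo "Orphaned (not in directory):"; orphaned_accounts "$PASSWD_SAMPLE" "$AUTHORIZED_SAMPLE"
```

Run it against every host from a central jump box and diff the output against last quarter's run; a new line in “Orphaned” is a deprovisioning failure, a new line in “Extra UID 0 accounts” is an incident.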
SCENARIO II – SERVER MANAGEMENT
Scenario: Unix administrators must constantly connect to their servers to perform daily management tasks. Accounts require “root” level access to perform duties. Access is typically “all or none” in regards to having admin-level access. Command line restrictions are not available.
Challenge:
• Generic accounts – How do I effectively manage my servers without using generic accounts?
• Remote access – Given the problem with generic accounts like “root”, how do I manage the servers remotely if I can’t connect with “root”?
• Command line – What commands can I restrict users from running?
Watch Out!
• Don’t lose non-repudiation: a shared generic account cannot tie an action to a person.
• Don’t forget your service accounts.
SCENARIO II – SERVER MANAGEMENT
Disable remote “root” access.
• Change the root shell to prevent users from logging in directly as root: the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file. Note that this also blocks “su -” and “sudo -i”, which start root's login shell; “sudo <command>” still works, but single-user recovery needs a usable root shell, so weigh this against your recovery procedures.
• To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file /etc/ssh/sshd_config and change the line that reads “#PermitRootLogin yes” to “PermitRootLogin no”, then reload sshd. (“prohibit-password”, the default in newer OpenSSH, still allows key-based root logins; “no” is the strict setting.)
• Use PAM.
Enforce use of “sudo”: sudo <command>.
• Easy to use and adds an extra layer of protection.
• Every invocation is logged through syslog (facility authpriv), which most distributions route to /var/log/secure (Red Hat family) or /var/log/auth.log (Debian/Ubuntu); a dedicated file can be set with “Defaults logfile=” in /etc/sudoers, and “log_input”/“log_output” record whole sessions for sudoreplay.
• Administrator can allow different users access to specific commands based on their needs.
Command line – what commands are allowed?
• Restrict commands within the shell itself (e.g. a restricted shell) or via the sudo configuration file, /etc/sudoers; validate edits with “visudo -cf <file>” before installing them.
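The two settings above are easy to get subtly wrong: sshd honours the first uncommented PermitRootLogin it sees (a commented-out line means the compiled-in default applies), and a sudoers rule ending in a bare ALL hands out full root regardless of how carefully other rules are scoped. The following is an added example, not from the slides or from BeyondTrust; the sshd_config and sudoers fragments are constructed samples, and the function names (effective_permit_root_login, root_ssh_login_disabled, blanket_grants) are this example's own.

```shell
#!/bin/sh
# Added example: check the "disable remote root" settings and the sudoers
# grants a host actually has. Sample config files are constructed; function
# names are this example's own.

WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$HARD_SSHD" "$SUDOERS_SAMPLE"' EXIT

# Constructed sshd_config as shipped: the directive is commented out, so sshd
# falls back to its compiled-in default (plain "yes" before OpenSSH 7.0).
cat >"$WEAK_SSHD" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
EOF

# The corrected version.
cat >"$HARD_SSHD" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF

# sshd takes the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive) and ignores later ones, so that is what we report.
# Match blocks are not evaluated; only the global section is read.
effective_permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1"
}

# Passes only for an explicit "no". An absent directive means "whatever this
# OpenSSH build defaults to", and "prohibit-password" still allows key-based
# root logins.
root_ssh_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sudoers fragment: one blanket grant (the "all or none" problem)
# next to a least-privilege grant limited to a command alias.
cat >"$SUDOERS_SAMPLE" <<'EOF'
Defaults    logfile=/var/log/sudo.log, log_input, log_output
Cmnd_Alias  WEBSVC = /bin/systemctl restart httpd, /bin/systemctl status httpd
%ops        ALL=(ALL) NOPASSWD: ALL
%webadmins  ALL=(root) WEBSVC
EOF

# Rules whose command list is the bare word ALL: every such rule hands out
# full root and defeats command-level restriction. Prints the user/group.
blanket_grants() {
    grep -E '^[^#]*ALL=(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' "$1" \
        | awk '{ print $1 }'
}

echo "weak sshd_config     -> PermitRootLogin='$(effective_permit_root_login "$WEAK_SSHD")'"
echo "hardened sshd_config -> PermitRootLogin='$(effective_permit_root_login "$HARD_SSHD")'"
echo "sudoers blanket grants:"; blanket_grants "$SUDOERS_SAMPLE"
```

The %webadmins rule is the shape to aim for: a Cmnd_Alias listing exact paths and arguments, granted to a group that the directory controls, so that restricting “what commands are allowed” becomes a one-line change instead of a per-host shell hack.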
SCENARIO III – AUDIT MADNESS!
Scenario: Internal Audit, Information Security, Customers, and Regulatory Audits constantly require evidence of controls around Unix systems. Some scripting is available for automation but most evidence collection is cumbersome and pulls admins away from daily operations.
Challenge:
• Logging – How can I show the details of what happened and by whom?
• Auditing – How am I collecting evidence for the constant audits?
Watch Out!
• Physical and mental drain on Unix Operations teams.
• Do not give audit the ability to simply run their own commands to gather evidence.
SCENARIO III – AUDIT MADNESS!
Move logging to a centralized server (e.g. a syslog server) that the audited hosts’ admins cannot write to, so the evidence survives a careless or compromised root on any one host.
Script!
• http://www.orafaq.com/wiki/Scripts
• http://www.isaca.org/Journal/archives/2015/Volume-4/Pages/auditing-linux-unix-server-
operating-systems.aspx
• http://www.softpanorama.org/Security/perl_sec_scripts.shtml
Be proactive – collect evidence periodically (e.g. quarterly) and save for audit.
• Feed into Security Information and Event Management (SIEM) solution when possible.
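Once sudo logs land on the central syslog server, the evidence auditors ask for under PCI-DSS 10.2.2 and 10.2.5.b (who elevated, to which account, to run what, and who was refused) is a text-processing job rather than a manual one. The following is an added example and not part of the presentation or any vendor tool: the log lines are constructed in the format sudo writes on Linux, and the function names (elevations, denials, shell_escalations) are this example's own.

```shell
#!/bin/sh
# Added example: turn sudo's syslog lines into privileged-activity evidence
# (who elevated, to what, to run which command; who was refused). The log
# lines are constructed in sudo's Linux log format; function names are this
# example's own.

LOG_SAMPLE=$(mktemp)
trap 'rm -f "$LOG_SAMPLE"' EXIT

# Constructed extract of /var/log/secure (RHEL) or /var/log/auth.log (Debian).
cat >"$LOG_SAMPLE" <<'EOF'
Mar 24 10:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 24 10:02:11 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar 24 10:05:43 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 24 10:06:02 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Mar 24 10:07:15 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 24 10:08:00 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls /root
Mar 24 10:09:30 web01 sshd[2311]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
EOF

# Successful elevations (PCI-DSS 10.2.5.b): "user|target|command".
elevations() {
    grep ' sudo: ' "$1" | grep 'COMMAND=' \
        | grep -v -e 'command not allowed' -e 'incorrect password' -e 'NOT in sudoers' \
        | sed -E 's/.* sudo: +([^ ]+) : .*USER=([^ ]+) ; COMMAND=(.*)$/\1|\2|\3/'
}

# Refused or failed attempts: "user|reason|command".
denials() {
    grep ' sudo: ' "$1" | grep -E 'command not allowed|incorrect password|NOT in sudoers' \
        | sed -E 's/.* sudo: +([^ ]+) : ([^;]*[^; ]) *; .*COMMAND=(.*)$/\1|\2|\3/'
}

# Elevations whose command is itself a shell or su: from there on, later
# commands are not logged by sudo, so these need log_output/sudoreplay or a
# session-recording tool to stay auditable.
shell_escalations() {
    elevations "$1" | awk -F'|' '$3 ~ /^(\/usr)?\/bin\/(ba|z|k|da)?sh( |$)/ || $3 ~ /^(\/usr)?\/bin\/su( |$)/'
}

echo "Elevations:";        elevations "$LOG_SAMPLE"
echo "Denials:";           denials "$LOG_SAMPLE"
echo "Shell escalations:"; shell_escalations "$LOG_SAMPLE"
```

The same three functions run unchanged over a quarter's worth of collected logs; the denials list is usually the first thing an auditor asks about, and the shell-escalation list is where “sudo is logged” quietly stops being true.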
TIPS FOR GETTING EXECUTIVE BUY-IN
Show efficiency
• Time saved and resources reduced by having an automated solution.
• Reduce associated overhead.
Audit improvements
• Partner with audit (both internal and external) for evidence collection.
• Reduction in audits around privileged account management.
• Identity Management is always a hot item for Corporate Board Members.
Enabling the business
• Numerous business benefits from a more robust Identity Management program.
• Improve time to market for internal and external customers.
• Greatly reduce the security risk!
SUMMARY
Difficult job for Unix Admins
Know the audit / security requirements
Find ways to automate when possible
Show reduction in work time and risk
Helicopter View – BeyondTrust Solutions
PowerBroker Auditor:
Audit for Active Directory
Audit for File Server
Audit for MS Exchange
PowerBroker Identity Services:
Single Sign On (AD Bridge)
Policy Mgmt for Unix/Linux/Mac via AD
Privilege Management:
PowerBroker for Windows
PowerBroker for Unix / Linux
PowerBroker for Mac
Password Safe:
Password Management
Session Management
SSH Key Management
Application Management
Vulnerability Management:
Vulnerability Management
Patch Mgmt for Adobe, Java, etc
Analytic Reporting
PowerBroker for Unix & Linux:
• Eliminates the sharing of privileged credentials and delegates permissions without exposing credentials
• Tracks, logs and audits activities performed on Unix and Linux systems for compliance
• System-level control provides powerful file and folder controls, not just command line analysis
• Extends beyond Unix and Linux platforms, helping to reduce risk across the enterprise
Detailed Forensics and Reporting:
• Searchable Index
• Scheduled Reports
• Custom Reporting
• Single Events Window