System Auditing
Transcript of System Auditing
SYSTEM AUDITING
Presenters:
George Bailey, MS, CISSP, GCIH – Security / Technical Operations Manager @ Purdue Healthcare Advisors
Josh Gillam – IT Auditor @ Purdue University / Internal Audit
FOR THE SYSTEMS ADMINISTRATORS
SYSTEM AUDITING
Confirmation that a certain process or system requirement is being fulfilled
Generally performed by a variety of tasks:
• Manual testing of a setting or control
• Automated testing / probing for configuration settings
• Monitoring of process, application, or user behaviors
• Reviewing system / application logs, configuration files, etc.
Purdue Research Foundation 2012
TOPICS
Auditing Hosts & Networks with NMAP
OS benchmarking / auditing with CIS-CAT
Validating configuration / vulnerability status with Metasploit Framework
NMAP
What is it? Why use it? Where to get it? How to use it?
NETWORK MAPPER “NMAP”
• Port scanner
• OS fingerprinter
• Scans a particular target for all / select open ports
• Identifies service type and version listening
• Very invasive and very powerful
• NSE and Lua extend nmap’s capabilities
TRINITY USES NMAP, SHOULDN’T YOU?
Network exploration tool and port scanner
• Security audits
• Network inventory
• Upgrade schedules
• Monitoring host/service uptime
• Reduce the number of hosts on a network to be audited or investigated
• Specify how each host is to be identified as interesting
• Firewall considerations
NMAP IS OPEN & FREE HTTP://WWW.INSECURE.ORG/
• Open source tool available by default in many Linux distributions
• Source and install packages available for mainstream OSes
• Command line and GUI versions: http://nmap.org/download.html or http://www.insecure.org/
• BackTrack and other live environments
• Very active forum and community: http://seclists.org/ for mail lists and archives
HOW NMAP WORKS
Nmap uses many port scanning mechanisms:
• Both TCP & UDP
• OS detection, version detection
• Ping sweeps
• TCP full connect
• Stealth Scan
• XMAS Scan
• and half open scan
NMAP EXAMPLES
# nmap scanme.nmap.org
• Default scan
# nmap -A scanme.nmap.org
• Performs OS & version detection, traceroute info
# nmap -sV scanme.nmap.org
• Performs service version detection
# nmap -sS -sV 128.46.4.0/24 -P0
• Performs stealth (SYN) scan of a class C network while determining service versions without pinging the host
# nmap -sS -sV 128.46.4.0/24 -p80
• Performs a stealth (SYN) scan of a class C network while performing service detection and scanning port 80
Zenmap is available for those preferring a GUI interface: http://nmap.org/zenmap/
NMAP OUTPUT
nmap scanme.nmap.org
Starting Nmap 5.51 ( http://nmap.org ) at 2012-10-01 13:08 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.083s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds
Scanning multiple systems can produce massive and cumbersome amounts of data to analyze
• Learn Perl, grep & awk
• Ndiff: used to compare nmap output files
• Google: Nmap parsing tools… lots of options! PBNJ is my favorite.
NMAP OUTPUT FORMATS
Normal (stdout) – Produces a text output
• Use the -oN filename flag
Grepable format – Produces a text output that
• Use the -oG filename flag
XML format – Produces an XML formatted file
• Use the -oX filename flag
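An added example (not from the slides) of the workflow the two slides above describe: parse nmap’s -oX XML output into a host/port inventory and compare two scans Ndiff-style to find ports that appeared, disappeared, or changed state. The XML documents are constructed here to mirror the scanme.nmap.org results shown earlier; product and version strings in them are made up.

```python
# Added example: parse nmap -oX reports and diff two scans of the same host,
# the way Ndiff is used to spot new or changed ports between audits.
import xml.etree.ElementTree as ET

# Constructed baseline scan (as if from: nmap -sV -oX baseline.xml scanme.nmap.org).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.51">
 <host><status state="up"/><address addr="74.207.244.221" addrtype="ipv4"/>
  <hostnames><hostname name="scanme.nmap.org"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3p1"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
   <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
  </ports></host></nmaprun>"""
# Constructed follow-up scan: port 135 is now open and a new MySQL listener appeared.
LATER_XML = BASELINE_XML.replace('<state state="filtered"/>', '<state state="open"/>').replace(
    "</ports>", '<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port></ports>')


def parse_nmap_xml(xml_text):
    """Return {(addr, proto, port): (state, service, version)} for every host that is up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port table worth inventorying
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")  # absent when -sV was not used
            name = svc.get("name", "") if svc is not None else ""
            version = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            key = (addr, port.get("protocol"), int(port.get("portid")))
            inventory[key] = (port.find("state").get("state"), name, version)
    return inventory


def diff_scans(old, new):
    """Ndiff-style comparison: tuples tagged 'added', 'removed' or 'changed', sorted by host and port."""
    changes = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            changes.append(("added", key, new[key]))
        elif key not in new:
            changes.append(("removed", key, old[key]))
        elif old[key] != new[key]:
            changes.append(("changed", key, old[key], new[key]))
    return changes


if __name__ == "__main__":
    # Review only what changed since the baseline instead of re-reading every port line.
    for change in diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(LATER_XML)):
        print(*change)
```

Feed it real files with `parse_nmap_xml(open("baseline.xml").read())`; hosts that drop out of the "up" set show up as removed ports, which is itself worth a look during an audit.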
CIS-CAT
What is it? Why use it? Where to get it? How to use it?
CONFIGURATION ASSESSMENT TOOL – CIS-CAT BY CENTER FOR INTERNET SECURITY
• CIS-CAT is an automated assessment tool that supports a wide variety of operating systems and applications
• Checks to see which security features of the assessed system are enabled
• Commercial product with lots of community and back-end support
• Free to Purdue System Admins through the University’s membership
WHY USE CIS-CAT?
• CIS-CAT is created by security minded folks to assess built-in security features of an operating system or supported applications
• Provides recommendations and manual testing criteria
• Updated regularly (at least quarterly)
• Supports both GUI and CLI environments
• Can be automated via GPO
Issue: Requires Java JRE 1.5 or newer.
Sampling of Supported Systems / Applications:
Apache Tomcat, Apple OSX 10.5, Apple OSX 10.6, Debian Linux, HP-UX 11i, IBM AIX 4.3-5.1, Microsoft Windows 2003, Microsoft Windows 2008, Microsoft Windows XP, Microsoft Windows 7, Mozilla Firefox, Oracle Database 11g, Oracle Database 9i-10g, RedHat Enterprise Linux 4, RedHat Enterprise Linux 5, Slackware Linux 10.2, Solaris 10, Solaris 2.5.1-9, SUSE Linux Enterprise Server 10, SUSE Linux Enterprise Server 9, VMware ESX 3.5, VMware ESX 4
WHERE DO I GET CIS-CAT? HTTP://WWW.CISECURITY.ORG/
• Can be downloaded from the Center for Internet Security’s web page: https://community.cisecurity.org/
• Request an account from the login page (takes a day or so to get approved)
• $300.00 annual membership if you are not a Purdue Employee.
• ~36MB footprint, includes CIS-CAT Jar file, documentation, and all centrally maintained benchmarks.
• For NIST provided benchmarks: http://web.nvd.nist.gov/view/ncp/repository?tier=4&product=&category=&authority=&keyword=
HOW TO USE CIS-CAT
Interactively by:
• Executing ciscat.jar with or without flags
• Executing a canned script: Cis-cat.bat (windows), Cis-cat.sh (unix), Cis-cat-jump.bat (jump drive)
Remotely via command line:
• Via GPO and a centralized share
• Via cron and a centralized mount
• Via CLI with remote web services
HOW TO USE CIS-CAT FROM THE CLI
CLI OPTIONS (i.e., CISCAT.JAR --help)
This is CIS-CAT version 2.2.19
usage:
Options                               Tip
 -a,--accept-terms                    Accepts terms of use
 -ap,--aggregation-period <arg>       The width of a dashboard aggregation, ex. 1M, 13W, 20D
 -ar,--aggregate-reports <arg>        Create a CIS-CAT Dashboard by aggregating all the XML reports in the specified directory
 -b,--benchmark <arg>                 Path to benchmark to run
 -c,--reset                           Reset preferences
 -csv,--report-csv                    Creates a CSV report
 -d,--benchmark-dir <arg>             Override default location for benchmarks. Used with --list and --find
 -f,--find                            Interactively select a benchmark
 -h,--help                            Prints help for this application
 -l,--list                            List all benchmarks in default benchmark location
 -n,--report-no-html                  No HTML report will be created, by default an HTML report is created
 -p,--profile <arg>                   Title of benchmark profile to evaluate
 -r,--results-dir <arg>               Directory to save results in
 -rn,--report-name <arg>              The base name of the report, no extension
 -s,--status                          Status information is displayed
 -t,--report-txt                      Creates a text report
 -u,--report-upload <arg>             Sends a HTTP POST with the XML report to the specified URL. POST parameter name is ciscat-report
 -ui,--ignore-certificate-errors      Ignores any SSL certificate errors during report upload
 -v,--version                         Display CIS-CAT version and JRE information
 -vs,--verify-signature               Verify that the XML benchmarks have valid signatures
 -x,--report-xml                      Creates an XML report
 -y,--report-all-tests                Causes the HTML and text reports to show all tests. Only applicable tests are displayed by default
CIS-CAT OUTPUT
Multiple output files are supported:
• HTML – Great for clients or end users
• CSV – Great when assessing multiple systems at one time, less space required
• TXT – Just the facts, Ma’am
• XML – Used when importing to other auditing systems / frameworks
Output is named after the host being assessed
Dashboards can be generated by processing a series of CIS-CAT reports: CIS-CAT -> File menu -> Create Dashboard
SAMPLE CIS-CAT REPORT – HTML REPORT
OTHER NOTEWORTHY TOOLS HTTP://SECTOOLS.ORG/
• Metasploit Community Edition: http://www.rapid7.com/products/metasploit-community.jsp
• Microsoft Baseline Security Analyzer (MBSA): http://www.microsoft.com/en-us/download/details.aspx?id=7558
• Nexpose VA Scanner [Community Edition]: http://www.rapid7.com/products/nexpose-community-edition.jsp
• WMIC interface: http://technet.microsoft.com/en-us/library/bb742610.aspx
• Nikto – Web Application Scanner: http://www.cirt.net/nikto2
• BackTrack – Linux Auditing OS Distro: http://www.backtrack-linux.org/
CONTACT INFORMATION
George [email protected]
Office: 49-47538
Josh [email protected]