Technical Requirements

1
FAISSR

• Technical Requirements
• What is feasible?
• How do I Configure Security Features?

This presentation was produced for the Florida
Association of IS Security Representatives
(FAISSR). Any reference to products are for
example only and are not an endorsement by
FAISSR. CAUTION - Not all of the information in
this presentation has been tested.
Implementation of the suggestions contained in
this presentation must be validated by the ISSM
and approved by the CSA.
3-Apr-2001
2
Before we Start .
DISCLAIMER

• This presentation is intended as a Starting Point
  only
• Not everything in this presentation has been
  verified (tested)
• Viewgraphs that define events to be audited are a
  first cut suggestion to meet the minimum
  requirements

3
Technical Security Features

• Technical Security Features now required by
  Chapter 8
• Logon Authentication
• Session Controls
• Access Controls
• Audit
• When technically feasible ??

4
The Questions .
SGI IRIX
?
 
5
Windows 95/98
6
Windows 95/98

• Logon Banner
• Use MS Paint to create a Bitmap Image (.bmp) with
  the DoD Banner. Within paint, select File Set
  as Wallpaper (Centered)
• Windows 95/98 is not capable of implementing any
  other technical security features

7
Windows NT
8
Windows NT
   

• Logon Banner
• Execute the registry editor (regedit)

• Edit the key HKEY_LOCAL_MACHINE\Software\Microsoft
  \WindowsNT\CurrentVersion\Winlogon

 
9
Windows NT
   

• Account Controls
• User Manager for Domains

• Disable the Guest Account

10
Windows NT
   

• Password and Logon Controls
• User Manager for Domains
• Policies Account Policies

 
11
Windows NT
   

• Audit Policies
• User Manager for Domains
• Policies Audit Policies

 
12
Windows NT

• Access Controls NTFS versus FAT
• You must convert to an NTFS file system in order
  to perform auditing of access to files
• Execute the convert utility from the DOS prompt.
• When executed on the system disk, it will perform
  the conversion during the next boot.

13
Windows NT

• Access Controls
• Setting permissions on Files/Directories
• Bring up the File Properties window
• Right click on the File Properties

14
Windows NT

• Access Controls
• Select Permissions Security
• Allow Authenticated Users to - Read Execute,
  List Folder Contents, Read

• Remove Everyone
• Users that have
• not authenticated

15
Windows NT

• Access Controls
• In addition to permissions on files, privileged
  and non-privileged users may be controlled
  through
• Granting or denying access to built-in groups
  with pre-defined privileges Administrators,
  Backup Operators, Poser Users, Server Operators,
  Account Operators, Print Operators.
• Granting or denying access to User Rights through
  the User Rights Policy window in User Manager
  for Domains
• The RunAs service, executed from the DOS prompt
  allows someone with knowledge of an account
  password to execute a program as another user
  (e.g. Administrator)

16
Windows NT

• Specifying Files/Directories to be Audited
• Bring up the File Properties window
• Right click on the File Properties

17
Windows NT

• Specifying Files/Directories to be Audited
• Add
• Select Everyone Add OK

18
Windows NT

• Specifying Files/Directories to be Audited
• Replace Auditing on Sub-Directories - Yes
• Replace Auditing on Existing Files - Yes
• Enable all Fails

19
Windows NT

• Reviewing NT Audit Files
• Event Viewer
• Security Event Log

20
Windows NT

• Reviewing NT Audit Files
• Double click on individual records

21
Windows NT

• Events of Interest
• 517 Audit Log cleared
• 529 Logon Failure Unknown username or bad
  password
• 531 Logon Failure Account disabled
• 532 Logon Failure Account expired
• 533 Logon Failure Not authorized for this
  system
• 535 Logon Failure Password expired
• 537 Logon Failure Catch all for other reasons
• 539 Logon Failure Account Locked Out due to
  failed attempts
• 578 Privileged Object Operation
• 612 Audit Policy Change
• 624 User Account Created
• 627 Password Change by account owner
• 628 Password Change by privileged user

22
Windows NT

• Security Configuration Editor
• Enables you to create a security configuration
  template and apply that template to multiple
  machines
• Available with Windows NT 4.0 Resource Kit

23
Windows 2000
24
Windows 2000
   

• Windows 2000 Security Features are similar to
  Windows NT
• All Security Policy Information is stored within
  Active Directory
• Different User Interface
• Domain Security Policy
• Active Directory Users and Computers

25
Windows 2000
   

• Domain Security Policy

26
Windows 2000
   

• Password Policies

27
Windows 2000
   

• Password Policies

28
Windows 2000
   

• Account Lockout Policies

29
Windows 2000
   

• Account Lockout Policies

• When you set the lockout threshold to 5, the
  lockout duration and lockout reset policies will
  default to 30. You will need to change them to 5.

30
Windows 2000
   

• Audit Policies

31
Windows 2000
   

• Audit Policies

32
Windows 2000
   

• Audit Policies

• Also
• Process Tracking Disable
• Privilege Use Audit both Success and Failure

33
Windows 2000
   

• Local Policies Set Logon Banner

34
Windows 2000
   

• Active Directory Users and Computers
• Disable the Guest Account

35
Windows 2000
   

• Access Controls
• Same as Windows NT - File permissions, assignment
  of users to privileged groups (new groups Cert
  publishers, Enterprise Admins, and Schema Admins)
  , and assignment of user rights. The RunAs
  services now has a GUI interface and is called
  the Secondary Logon Service (SLS)
• Configuring files to be audited
• Same as Windows NT
• Security Configuration Editor
• Built into Windows 2000
• Snap-in to Management Console
• Comes with pre-defined security templates that
  may be customized

36
Windows 2000

• Reviewing Windows 2000 Audit Files
• Event Viewer
• Pretend this is a screen shot from Windows 2000,
  essentially the same as Windows NT

37
UNIX - General
38
UNIX - General

• There are multiple flavors of UNIX, but all of
  them have some features in common.
• These section discusses the common features
  within all UNIX operating systems.

39
UNIX - General

• Logon Banner
• Command Line Login - Edit the file /etc/issue and
  place the DoD banner in this file. This will
  display a banner for command-line logins (e.g.
  telnet).
• Common Desktop Environment (CDE) A GUI
  interface used by many of the UNIX O/Ss. To add
  the DoD login banner to the CDE login
• Copy the file Xresources from /usr/dt/config to
  /etc/dt/config
• Update the Xresources resource in
  /etc/dt/config/Xconfig to point to the new
  location (/etc/dt/config/Xresources)
• Edit the DtlogingreetinglabelString within the
  Xresources file. Place the banner here.

40
UNIX - General

• Account Controls
• All UNIX O/Ss have some account information in
  the /etc/passwd file.
• Some UNIX implementations store the encrypted
  passwords and other information in a shadow
  password file.
• Most (not all) UNIX O/Ss prompt you to specify
  the password for the privileged root account
  during installation.
• There are several accounts within UNIX that
  should be disabled from login access. Examples
  include bin, sys, adm, nobody, and lp (if the
  system is not a print server).

41
UNIX - General

• Password Controls
• By default UNIX passwords are required to contain
  at least 2 alphabetic characters and 1 numeric or
  special character. Passwords must also differ by
  the previous password by at least 3 characters.
• Refer to individual UNIX implementations for
  imposing other password restrictions.

42
UNIX - General

• Access Controls
• All UNIX O/Ss provide basic file permissions of
  read, write, and execute, for owner, group, and
  all others (world). Most come configured with
  reasonable permissions already set, refer to your
  documentation.
• Some UNIX O/Ss provide the ability to set Access
  Control Lists (ACLs) that provide the ability to
  control access on a per user basis.
• Some UNIX O/Ss provide additional capabilities to
  delegate root type privileges to normal users.

43
UNIX - General

• System Audit Logs
• Syslog
• General purpose log for recording of system
  events. Includes messages generated by many of
  the UNIX system processes. Some of these events
  may be security relevant. For example, some
  record login and su attempts. Note Most
  information in this log will not be security
  relevant.
• Each UNIX O/S may differ as to where messages
  generated by syslog are recorded. The
  configuration for what the syslog facility is to
  record and where it is to record the messages is
  always found in /etc/syslog.conf.

44
UNIX - General

• System Audit Logs
• wtmp
• Binary file containing all logins, logouts, and
  system reboots.
• The last command is used to display the contents
  of the wtmp file.
• utmp
• Binary file containing information on who is
  currently logged into the system.
• The who command is used to display the contents
  of the utmp file.

45
UNIX - General

• System Audit Logs
• Failed logins log
• A file containing records of failed login events.
  
• Each UNIX O/S differs in its implementation.
• Su Log
• File containing both successful and failed
  attempts to use the su (switch user) command.
• Each UNIX O/S differs in its implementation.

46
UNIX - General

• Example output of last command

Account Logged in from Date/Time
Duration
(dayshoursmin)
47
UNIX - General

• What to look for with the last command
• Unauthorized users/accounts
• Activity in accounts when there should not be
  (I.e person on vacation)
• Activity at unusual times (3 AM, when the person
  works first shift)
• Logins from unauthorized or unknown hosts/systems
• Accounts left logged in for days
• Direct logins to root when you have multiple
  administrators with root access They should
  login to the non-privileged account, then su to
  root.

48
UNIX - General

• Example output of su log

49
UNIX - General

• What to look for in the su log
• Failures may indicate unauthorized attempts to
  access an account.
• Persons accessing an account they are not
  authorized to access. For example an su to the
  root account from a non-privileged user.
• Be aware, that this does not always indicate a
  problem. A privileged administrator may be
  assisting a user with a problem, and needed to
  access the root account while sitting at that
  persons workstation/terminal. Question your
  admins, before jumping to conclusions.

50
UNIX - General

• Example log of Failed logins

• What to look for?
• Multiple failed logins

51
SUN - Solaris
52
Sun - Solaris

• Account Password Controls
• By default Solaris uses both the /etc/passwd file
  and the /etc/shadow file. Encrypted passwords are
  stored in the shadow file.
• To disable an account use the passwd command with
  the l option (lock account).
• Example passwd l username
• To force a password change at initial login
• passwd f username

53
Sun - Solaris

• Accounts Password Controls
• By default passwords are required to contain at
  least 2 alphabetic characters and 1 numeric or
  special character
• Edit the file /etc/default/passwd to establish
  password length and lifetime constraints
• MAXWEEKS52
• MINWEEKS 0
• WARNWEEKS2
• PASSLENGTH8
• By default, failed login attempts are set to 5 in
  the file /etc/default/login

Note If you are running NIS, Password expiration
of 1 year (52 weeks) is not enforceable
54
Sun - Solaris

• Access Controls
• Solaris offers basic UNIX permissions
• Solaris also offers ACLs to grant more granular
  access to specific users
• Membership in the sysadmin group (14) permits
  access to certain administration tools

55
Sun - Solaris

• System Audit Logs
• System log By default the syslog records
  messages to /var/adm/messages
• Logins logouts By default all logins are
  recorded to /var/adm/wtmpx and may be read with
  the last command.
• Su log By default, as specified in
  /etc/default/su, all attempts (successful
  failed) to su are written to the ascii file
  /var/adm/sulog.

56
Sun - Solaris

• System Audit Logs
• Failed logins Recording of failed logins must
  be enabled
• touch /var/adm/loginlog
• chown root /var/adm/loginlog
• chgrp sys /var/adm/loginlog
• chmod 600 /var/ad/loginlog
• Once the loginlog has been created, failed logins
  will be recorded to this ascii file.

57
Sun - Solaris

• The Basic Security Module (BSM) must be enabled
  to obtain detailed auditing of file accesses. To
  do this
• /etc/security/bsmconv
• Edit the /etc/security/audit_control file
• flagslo,ad,-fr,-fw,-fc,-fd,-cl
• lo all logins and logouts
• ad All administrative events
• -fr Failed read attempts
• -fw Failed write attempts
• -fc Failed creation attempts
• -fd Failed deletion attempts
• -cl Failed close attempts
• Reboot the system ( /usr/sbin/reboot)

58
Sun - Solaris

• Viewing BSM audit records
• By default all audit records are stored in the
  path /var/audit
• auditreduce is used to merge together and filter
  audit records from one or more audit files and
  select specific types of records (e.g. events,
  users, date/time)
• praudit converts the binary files to human
  readable ascii output
• Examples
• auditreduce o file/etc/security praudit
• auditreduce u pattons c ad d 20010401 praudit
  
• Note Refer to the man pages for auditreduce
  praudit

59
Sun - Solaris

• Example output of BSM auditing

explorer auditreduce -u sandy praudit file,Thu
29 Mar 2001 015227 PM EST, 0 msec,
header,102,2,open(2) - read,,Thu 29 Mar 2001
015227 PM EST, 172114000 msec
path,/usr/dt/lib/nls/msg/en_US.ISO8859-1
subject,sandy,root,root,root,root,791,791,0 0
explorerreturn,failure No such file or
directory,-1 header,81,2,login - local,,Thu 29
Mar 2001 015227 PM EST, 262111000 msec
subject,sandy,sandy,staff,sandy,staff,791,791,0 0
explorer text,successful login return,success,0

60
HP HP-UX
61
HP-UX

• Account Password Controls
• In order to enable certain account password
  policies you must convert to Trusted Mode.
• After conversion to Trusted Mode, encrypted
  password and other security relevant information
  for each account will be in a separate file for
  each account in the path
• /tcb/files/auth/X/account name where X is
  the beginning letter of the account name
• To disable an account use the passwd command with
  the l option (lock account).
• Example passwd l username

62
HP-UX

• Account Password Controls
• Converting to Trusted Mode
• Invoke SAM (System Administration Manager)

Note NIS and HP Trusted mode are not compatible
63
HP-UX

• Account Password Controls
• Converting to Trusted Mode
• From within SAM, select Auditing Security
• A message will display informing you that the
  system will be converted to Trusted Mode

64
HP-UX

• Account Password Controls
• Select Auditing and Security
• Select System Security Policies

65
HP-UX

• Account Password Controls
• Select Password Format Policies

66
HP-UX

• Account Password Controls
• Select Password Aging Policies
• Set Password expiration to 365 days

67
HP-UX

• Account Password Controls
• Select Terminal Security Policies
• Set Unsuccessful login tries to 5

68
Sun - Solaris

• Access Controls
• HP-UX offers basic UNIX permissions
• HP-UX also offers ACLs to grant more granular
  access to specific users
• The System Administration Manager (SAM) may be
  configured to allow normal users to access
  specific areas in SAM. Refer to documentation on
  Restricted SAM

69
HP-UX

• System Audit Logs
• System log By default the syslog records
  messages to /var/adm/syslog/syslog.log
• Logins logouts By default all logins are
  recorded to /var/adm/wtmp and may be read with
  the last command.
• Su log By default all attempts (successful
  failed) to su are written to the ascii file
  /var/adm/sulog
• Failed logins By default failed logins are
  written to /var/adm/btmp and may be read with the
  lastb command

70
HP-UX

• Trusted Mode auditing must be configured to
  obtain detailed audit records of file accesses.
• In SAM Select Auditing Security
• Select Audited System Calls

71
HP-UX

• From the Actions pull-down menu, select Turn
  Auditing On
• Highlight a System Call, then from the Actions
  menu select Audit choice (success, failure, or
  both)

Note This is the Audit Event screen
72
HP-UX

• Audit the following System Calls
• audctl Success Fail
• audswitch Success fail
• setevent Success Fail
• close Failed only
• creat Failed only
• rmdir Failed only
• mkdir Failed only
• mknod Failed only
• login Success Failed
• unlink Failed only
• open Failed only

Note Auditing can be selected based upon events
(a group of system calls) or individual system
calls. Auditing by system call will reduce the
volumes of audit records.
73
HP-UX

• Reviewing Trusted Mode Audit Records
• From the Actions menu, select View Audit Log

74
HP-UX

• Sample output Audit Record

• All users are selected.
• All events are selected.
• All ttys are selected.
• Selecting successful failed events.
• TIME PID E EVENT PPID AID
  RUID RGID EUID EGID TTY
•  
• 
  
• 971007 134234 7869 S 5 602 528
  20 20 20 20 ?????
• Eventopen Userpattons Real Grpuser
  Eff.Grpuser
•  
• RETURN_VALUE 1 5
• PARAM 1 (file path) 1 (cnode)
• 0x40000003 (dev)
• 391 (inode)
• (path) /etc/utmp
• PARAM 2 (int) 258
• PARAM 3 (int) 420
• 
  

75
HP-UX

• More on HP-UX auditing
• The location of the audit files is /etc/security
• Auditing may also be configured and controlled
  from the command line
• audsys Starts/stops auditing sets and displays
  audit files
• audevent Changes or displays events and system
  calls to be audited
• audisp Displays audit records
• Note Refer to man pages for info on these
  commands

76
SGI - IRIX
77
SGI - IRIX

• Account Password Controls
• By default IRIX uses the /etc/passwd file, the
  /etc/shadow file is optional (via pwconv command)
• The default IRIX installation has NO PASSWORDS on
  the following accounts. You should immediately
  set a password or lock the account.
• rootSuperuser
• lpPrint Spooler Owner
• nuucpRemote UUCP User
• EZsetupSystem Setup
• demosDemonstration User
• OutOfBoxOut of Box Experience
• guestGuest Account
• 4Dgifts4Dgifts Account

78
SGI - IRIX

• Account Password Controls
• To disable an account use the passwd command with
  the l option (lock account).
• Example passwd l sys
• To set a password expiration date on an account,
  use the passwd command with the x option
  (expire).
• Example passwd x 365 spatton

Note If you are running NIS, Password expiration
of 1 year (365 days) is not enforceable
79
SGI - IRIX

• Account Password Controls
• To enable the login restrictions described below,
  the visual login process must be disabled with
  the chkconfig command
• To configure login restrictions and auditing edit
  the following parameters in the file
  /etc/default/login
• MAXTRYS5 (failed login attempts)
• DISABLETIME300 (disable for 5 minutes)
• SYSLOGALL (log both success failed logins)
• PASSREQ (require a password to be set)

80
SGI - IRIX

• Access Controls
• IRIX offers basic UNIX permissions
• IRIX offers ACLs to grant more granular access to
  specific users
• IRIX also offers a Least Privilege Capabilities
  function
• Configured via the /etc/capability file
• Allows definition of default and maximum
  privileged capabilities

81
SGI - IRIX

• System Audit Logs
• System log By default the syslog records
  messages to /var/adm/syslog
• Logins logouts
• By default all tty sessions are recorded to
  /var/adm/wtmpx and may be read with the last
  command (excludes users only running X
  applications from their desktop).
• By default, all logins are also recorded to
  /var/adm/syslog.

82
SGI IRIX

• System Audit Logs
• Su log All attempts (successful failed) to su
  are written to the file specified in
  /etc/default/su (default is /var/adm/sulog).
• Failed logins By default, all failed logins
  are recorded to /var/adm/syslog

83
SGI - IRIX

• To enable detailed auditing of file accesses you
  must install the IRIX audit sub system
• Use Inst to install the eoe.we.audit software
  package from the distribution media
• To enable auditing chkconfig audit on
• IRIX provides a default auditing environment in
  /etc/config/sat_select.options
• Events to audit may be changed with the satconfig
  utility (GUI interface) or with the sat_select
  command
• The location of audit files is configurable with
  the command satd f path

84
SGI - IRIX

• Audit the following
• sat_access_denied
• sat_open (failed only)
• sat_open_ro (failed only)
• sat_file_crt_del (failed only)
• sat_file_crt_del2 (failed only)
• sat_sysacct
• sat_close (failed only)
• sat_check_priv
• sat_control
• sat_ae_identity

Note Unable to determine how to audit only
failed attempts
85
SGI - IRIX

• Viewing IRIX audit records
• sat_reduce is used to filter audit records
• -P flag to sat_reduce filters for attempted
  violations
• -e flag to sat_reduce filters for specific events
• -u flag to sat_reduce filters for a specific user
• sat_interpret converts the binary files to human
  readable ascii output
• sat_summarize provides a short listing of what
  types of records are in the audit trail and how
  many there are of each type
• Examples
• sat_reduce P satfile sat_summarize u
  username
• sat_reduce e sat_access_denied satfile
  sat_summarize
• Note Refer to the man pages for the above
  commands

86
SGI - IRIX

• Sample Audit record from IRIX audit subsystem
• Event type sat_ae_identity
• Outcome Failure
• Sequence number 5
• Time of event Mon Mar 11 124613.33 PST 1991
• System call syssgi,SGI_SATWRITE
• Error status 0 (No error)
• SAT ID anamaria
• Identity event LOGIN-/dev/ttyq4anamariaThat
  user gave an invalid label.

87
IBM - AIX
88
IBM - AIX

• Account Password Controls
• By default AIX uses the /etc/passwd file, the
  shadow file /etc/security/password is optional.
  Accounts are administered through the Security
  Management Interface Tool (SMIT)
• Password restrictions may be set by editing the
  default stanza in the file /etc/security/user
• maxage52
• minalpha1
• minother1
• minlen8
• Failed login attempts are configurable in
  /etc/security/login.config for Failed
  Logins,Retry Delay,Interval, and Reenable Delay
• The login banner may also be customized in
  /etc/security/login.config in the herald
  parameters stanza

Note If you are running NIS, Password expiration
of 1 year (52 weeks) is not enforceable
89
IBM - AIX

• Access Controls
• AIX offers basic UNIX permissions
• AIX offers ACLs to grant more granular access to
  specific users

90
IBM-AIX

• System Audit Logs
• System log By default the syslog records
  messages to /var/log/messages
• Logins logouts By default all logins are
  recorded to /var/adm/wtmp and may be read with
  the last command.
• Su log By default all attempts (successful
  failed) to su are written to the ascii file
  /var/adm/sulog
• Failed logins By default failed logins are
  written to /etc/security/failedlogin and may be
  read with who /etc/security/failedlogin

91
IBM -AIX

• AIX has a configurable audit subsystem
• The primary audit configuration parameters are
  maintained in the /etc/security/audit/config file
• Events to be audited are maintained in
  /etc/security/events
• Objects (files) to be audited are maintained in
  /etc/security/objects (Good news!)
• Starting and stopping the audit subsystem
• Audit start (start audit)
• Audit shutdown (stop audit)
• Audit off (temporarily suspend)
• Audit on (resume)
• Audit query (show status)

92
IBM - AIX

• Events to audit
• PROC_Privilege
• FILE_Open
• FILE_Write
• FILE_Close
• FILE_Unlink
• FS_Rmdir
• FS_Mkdir
• USER_Login
• USER_Logout
• USER_Su
• USER_Create
• USER_Mod
• USER_Remove
• PASSWORD_Change

93
IBM-AIX

• The default audit trail (bin mode) is written to
  /audit/trail
• The auditselect and auditpr commands are used to
  select (filter) and display audit records. Refer
  to the man pages.

94
OpenVMS
95
OpenVMS

• Account Password Controls
• VMS stores account and password information in
  the SYSSYSTEMSYSUAF.DAT file, and is accessed
  through the Authorize utility.
• On VAXs the default accounts include DEFAULT,
  FIELD, SYSTEM, SYSTEST, and SYSTEST_CLIG. On
  Alpha systems, the default accounts include
  DEFAULT and SYSTEM
• SYSTEM is the all powerful account in VMS. At
  one time the default password for the SYSTEM
  account was Manager.

96
OpenVMS

• Account Password Controls
• The FIELD and TEST accounts should be disabled
  To disable an account
• RUN SYSSYSTEMAUTHORIZE
• UAF MODIFY account name/FLAGSDISUSER
• To establish password restrictions, use the
  following flags when establishing accounts, or
  modify the default account to have these flags
  set
• /PWDMINIMUM 8
• /PWDLIFETIME365
• /FLAGSGENPWD
• /GENERATE_PASSWORD

97
OpenVMS

• Account Password Controls
• To control failed login attempts
• Run SYSSYSTEMSYSMAN
• SYSMANPARAMETERS SET LGI_BRK_LIM 5
• SYSMANPARAMETERS SET LGI_BRK_TMO 300
• SYSMANPARAMETERS WRITE CURRENT
• Login Banner Edit SYSANNOUNCE in the
  site-specific startup command procedure
  SYSMANAGERSYSTARTUP_VMS.COM.

98
OpenVMS

• Access Controls
• By default VMS has file access protections that
  control access (read, write, execute, control,
  delete) for System, Owner, Group, and World
• Optional Access Control Lists may also be set on
  files to grant access to individual user accounts
• Additional privileges may be added to any account
  with the Authorize utility with the parameters
  /DEFPRIVILEGES and /PRIVILEGES
• DEFPRIVILEGES are available at login. A user may
  use the SET PROCESS/PRIVILEGES command to
  increase their privileges if authorized.

99
OpenVMS

• OpenVMS Auditing
• OpenVMS by default audits the following events
• ACL Access to objects holding a security ACE
• Audit Usage of the SET AUDIT comand
• Authorization Changes to the SYSUAF.DAT file
  and the RIGHTSLIST.DAT file
• Break-In Multiple failed login attempts
• Log Failure All failed logins
• Enable additional auditing with
  SET/AUDIT/ENABLE
• LOGINS(ALL)
• LOGOUTS(ALL)
• PRIVILEGE(SUCCESSSECURITY,FAILURESECURITY)

100
OpenVMS

• OpenVMS Auditing
• To enable auditing on specific files use the
  command SET SECURITY/ACLAUDIT

101
OpenVMS

• By default the audit file is located in
  SYSCOMMONSYSMGR directory and named
  SECURITY.AUDITJOURNAL
• The audit file may be viewed with the
  ANALYZE/AUDIT command
• Example
• ANALYSE/AUDIT/BRIEF SYSMANAGERSECURITY.AUDITJOU
  RNAL
• Date / Time Type Subtype
  Node Username ID Term
• -------------------------------------------------
  -----------------------------
• 1-NOV-1995 160003.37 ACCESS FILE_ACCESS
  HERE SYSTEM 5B600AE4
• 1-NOV-1995 160059.66 LOGIN SUBPROCESS
  GONE ROBINSON 3BA011D4
• 1-NOV-1995 160237.31 LOGIN SUBPROCESS
  GONE MILANT 000000D5
• 1-NOV-1995 160636.40 LOGFAIL LOCAL
  SUPER MBILLS 000000E5 _TTA1
• Note To see more details use ANALIZE/AUDIT/FULL

102
Macintosh
103
Macintosh

• The current MAC operating system (MAC OS 9.0) is
  not capable of implementing technical security
  features.
• The NEW version, OS X, released March 25, 2001 is
  based upon a BSD version of UNIX, named Darwin.
  It will most likely have the typical UNIX
  security features. It is doubtful, that it will
  have an auditing subsystem.

Note With the change to a UNIX O/S, Mac users
should be prepared to start experiencing attacks
from hackers they have never had to deal with!
104
One more slide .

• What I havent told you .
• How to control the size and maintenance of audit
  files. Make sure you research this and plan for
  plenty of disk space!
• Be aware that these audit systems can be
  configured to shut down auditing if a disk fills
  up .. Or shut down the system
• The impact on performance from auditing.
• A strategy to archive all of the audit files so
  they can be kept for the required time periods