Technical Requirements - PowerPoint PPT Presentation

1 / 104
About This Presentation
Title:

Technical Requirements

Description:

Within paint, select File = Set as Wallpaper (Centered) ... Common Desktop Environment (CDE) A GUI interface used by many of the UNIX O/Ss. ... – PowerPoint PPT presentation

Number of Views:465
Avg rating:3.0/5.0
Slides: 105
Provided by: sandyp8
Category:

less

Transcript and Presenter's Notes

Title: Technical Requirements


1
FAISSR
  • Technical Requirements
  • What is feasible?
  • How do I Configure Security Features?

This presentation was produced for the Florida
Association of IS Security Representatives
(FAISSR). Any reference to products are for
example only and are not an endorsement by
FAISSR. CAUTION - Not all of the information in
this presentation has been tested.
Implementation of the suggestions contained in
this presentation must be validated by the ISSM
and approved by the CSA.
3-Apr-2001
2
Before we Start .
DISCLAIMER
  • This presentation is intended as a Starting Point
    only
  • Not everything in this presentation has been
    verified (tested)
  • Viewgraphs that define events to be audited are a
    first cut suggestion to meet the minimum
    requirements

3
Technical Security Features
  • Technical Security Features now required by
    Chapter 8
  • Logon Authentication
  • Session Controls
  • Access Controls
  • Audit
  • When technically feasible ??

4
The Questions .
SGI IRIX
?
 
5
Windows 95/98
6
Windows 95/98
  • Logon Banner
  • Use MS Paint to create a Bitmap Image (.bmp) with
    the DoD Banner. Within paint, select File Set
    as Wallpaper (Centered)
  • Windows 95/98 is not capable of implementing any
    other technical security features

7
Windows NT
8
Windows NT
   
  • Logon Banner
  • Execute the registry editor (regedit)
  • Edit the key HKEY_LOCAL_MACHINE\Software\Microsoft
    \WindowsNT\CurrentVersion\Winlogon

 
9
Windows NT
   
  • Account Controls
  • User Manager for Domains
  • Disable the Guest Account

10
Windows NT
   
  • Password and Logon Controls
  • User Manager for Domains
  • Policies Account Policies

 
11
Windows NT
   
  • Audit Policies
  • User Manager for Domains
  • Policies Audit Policies

 
12
Windows NT
  • Access Controls NTFS versus FAT
  • You must convert to an NTFS file system in order
    to perform auditing of access to files
  • Execute the convert utility from the DOS prompt.
  • When executed on the system disk, it will perform
    the conversion during the next boot.

13
Windows NT
  • Access Controls
  • Setting permissions on Files/Directories
  • Bring up the File Properties window
  • Right click on the File Properties

14
Windows NT
  • Access Controls
  • Select Permissions Security
  • Allow Authenticated Users to - Read Execute,
    List Folder Contents, Read
  • Remove Everyone
  • Users that have
  • not authenticated

15
Windows NT
  • Access Controls
  • In addition to permissions on files, privileged
    and non-privileged users may be controlled
    through
  • Granting or denying access to built-in groups
    with pre-defined privileges Administrators,
    Backup Operators, Poser Users, Server Operators,
    Account Operators, Print Operators.
  • Granting or denying access to User Rights through
    the User Rights Policy window in User Manager
    for Domains
  • The RunAs service, executed from the DOS prompt
    allows someone with knowledge of an account
    password to execute a program as another user
    (e.g. Administrator)

16
Windows NT
  • Specifying Files/Directories to be Audited
  • Bring up the File Properties window
  • Right click on the File Properties

17
Windows NT
  • Specifying Files/Directories to be Audited
  • Add
  • Select Everyone Add OK

18
Windows NT
  • Specifying Files/Directories to be Audited
  • Replace Auditing on Sub-Directories - Yes
  • Replace Auditing on Existing Files - Yes
  • Enable all Fails

19
Windows NT
  • Reviewing NT Audit Files
  • Event Viewer
  • Security Event Log

20
Windows NT
  • Reviewing NT Audit Files
  • Double click on individual records

21
Windows NT
  • Events of Interest
  • 517 Audit Log cleared
  • 529 Logon Failure Unknown username or bad
    password
  • 531 Logon Failure Account disabled
  • 532 Logon Failure Account expired
  • 533 Logon Failure Not authorized for this
    system
  • 535 Logon Failure Password expired
  • 537 Logon Failure Catch all for other reasons
  • 539 Logon Failure Account Locked Out due to
    failed attempts
  • 578 Privileged Object Operation
  • 612 Audit Policy Change
  • 624 User Account Created
  • 627 Password Change by account owner
  • 628 Password Change by privileged user

22
Windows NT
  • Security Configuration Editor
  • Enables you to create a security configuration
    template and apply that template to multiple
    machines
  • Available with Windows NT 4.0 Resource Kit

23
Windows 2000
24
Windows 2000
   
  • Windows 2000 Security Features are similar to
    Windows NT
  • All Security Policy Information is stored within
    Active Directory
  • Different User Interface
  • Domain Security Policy
  • Active Directory Users and Computers

25
Windows 2000
   
  • Domain Security Policy

26
Windows 2000
   
  • Password Policies

27
Windows 2000
   
  • Password Policies

28
Windows 2000
   
  • Account Lockout Policies

29
Windows 2000
   
  • Account Lockout Policies
  • When you set the lockout threshold to 5, the
    lockout duration and lockout reset policies will
    default to 30. You will need to change them to 5.

30
Windows 2000
   
  • Audit Policies

31
Windows 2000
   
  • Audit Policies

32
Windows 2000
   
  • Audit Policies
  • Also
  • Process Tracking Disable
  • Privilege Use Audit both Success and Failure

33
Windows 2000
   
  • Local Policies Set Logon Banner

34
Windows 2000
   
  • Active Directory Users and Computers
  • Disable the Guest Account

35
Windows 2000
   
  • Access Controls
  • Same as Windows NT - File permissions, assignment
    of users to privileged groups (new groups Cert
    publishers, Enterprise Admins, and Schema Admins)
    , and assignment of user rights. The RunAs
    services now has a GUI interface and is called
    the Secondary Logon Service (SLS)
  • Configuring files to be audited
  • Same as Windows NT
  • Security Configuration Editor
  • Built into Windows 2000
  • Snap-in to Management Console
  • Comes with pre-defined security templates that
    may be customized

36
Windows 2000
  • Reviewing Windows 2000 Audit Files
  • Event Viewer
  • Pretend this is a screen shot from Windows 2000,
    essentially the same as Windows NT

37
UNIX - General
38
UNIX - General
  • There are multiple flavors of UNIX, but all of
    them have some features in common.
  • These section discusses the common features
    within all UNIX operating systems.

39
UNIX - General
  • Logon Banner
  • Command Line Login - Edit the file /etc/issue and
    place the DoD banner in this file. This will
    display a banner for command-line logins (e.g.
    telnet).
  • Common Desktop Environment (CDE) A GUI
    interface used by many of the UNIX O/Ss. To add
    the DoD login banner to the CDE login
  • Copy the file Xresources from /usr/dt/config to
    /etc/dt/config
  • Update the Xresources resource in
    /etc/dt/config/Xconfig to point to the new
    location (/etc/dt/config/Xresources)
  • Edit the DtlogingreetinglabelString within the
    Xresources file. Place the banner here.

40
UNIX - General
  • Account Controls
  • All UNIX O/Ss have some account information in
    the /etc/passwd file.
  • Some UNIX implementations store the encrypted
    passwords and other information in a shadow
    password file.
  • Most (not all) UNIX O/Ss prompt you to specify
    the password for the privileged root account
    during installation.
  • There are several accounts within UNIX that
    should be disabled from login access. Examples
    include bin, sys, adm, nobody, and lp (if the
    system is not a print server).

41
UNIX - General
  • Password Controls
  • By default UNIX passwords are required to contain
    at least 2 alphabetic characters and 1 numeric or
    special character. Passwords must also differ by
    the previous password by at least 3 characters.
  • Refer to individual UNIX implementations for
    imposing other password restrictions.

42
UNIX - General
  • Access Controls
  • All UNIX O/Ss provide basic file permissions of
    read, write, and execute, for owner, group, and
    all others (world). Most come configured with
    reasonable permissions already set, refer to your
    documentation.
  • Some UNIX O/Ss provide the ability to set Access
    Control Lists (ACLs) that provide the ability to
    control access on a per user basis.
  • Some UNIX O/Ss provide additional capabilities to
    delegate root type privileges to normal users.

43
UNIX - General
  • System Audit Logs
  • Syslog
  • General purpose log for recording of system
    events. Includes messages generated by many of
    the UNIX system processes. Some of these events
    may be security relevant. For example, some
    record login and su attempts. Note Most
    information in this log will not be security
    relevant.
  • Each UNIX O/S may differ as to where messages
    generated by syslog are recorded. The
    configuration for what the syslog facility is to
    record and where it is to record the messages is
    always found in /etc/syslog.conf.

44
UNIX - General
  • System Audit Logs
  • wtmp
  • Binary file containing all logins, logouts, and
    system reboots.
  • The last command is used to display the contents
    of the wtmp file.
  • utmp
  • Binary file containing information on who is
    currently logged into the system.
  • The who command is used to display the contents
    of the utmp file.

45
UNIX - General
  • System Audit Logs
  • Failed logins log
  • A file containing records of failed login events.
  • Each UNIX O/S differs in its implementation.
  • Su Log
  • File containing both successful and failed
    attempts to use the su (switch user) command.
  • Each UNIX O/S differs in its implementation.

46
UNIX - General
  • Example output of last command

Account Logged in from Date/Time
Duration
(dayshoursmin)
47
UNIX - General
  • What to look for with the last command
  • Unauthorized users/accounts
  • Activity in accounts when there should not be
    (I.e person on vacation)
  • Activity at unusual times (3 AM, when the person
    works first shift)
  • Logins from unauthorized or unknown hosts/systems
  • Accounts left logged in for days
  • Direct logins to root when you have multiple
    administrators with root access They should
    login to the non-privileged account, then su to
    root.

48
UNIX - General
  • Example output of su log

49
UNIX - General
  • What to look for in the su log
  • Failures may indicate unauthorized attempts to
    access an account.
  • Persons accessing an account they are not
    authorized to access. For example an su to the
    root account from a non-privileged user.
  • Be aware, that this does not always indicate a
    problem. A privileged administrator may be
    assisting a user with a problem, and needed to
    access the root account while sitting at that
    persons workstation/terminal. Question your
    admins, before jumping to conclusions.

50
UNIX - General
  • Example log of Failed logins
  • What to look for?
  • Multiple failed logins

51
SUN - Solaris
52
Sun - Solaris
  • Account Password Controls
  • By default Solaris uses both the /etc/passwd file
    and the /etc/shadow file. Encrypted passwords are
    stored in the shadow file.
  • To disable an account use the passwd command with
    the l option (lock account).
  • Example passwd l username
  • To force a password change at initial login
  • passwd f username

53
Sun - Solaris
  • Accounts Password Controls
  • By default passwords are required to contain at
    least 2 alphabetic characters and 1 numeric or
    special character
  • Edit the file /etc/default/passwd to establish
    password length and lifetime constraints
  • MAXWEEKS52
  • MINWEEKS 0
  • WARNWEEKS2
  • PASSLENGTH8
  • By default, failed login attempts are set to 5 in
    the file /etc/default/login

Note If you are running NIS, Password expiration
of 1 year (52 weeks) is not enforceable
54
Sun - Solaris
  • Access Controls
  • Solaris offers basic UNIX permissions
  • Solaris also offers ACLs to grant more granular
    access to specific users
  • Membership in the sysadmin group (14) permits
    access to certain administration tools

55
Sun - Solaris
  • System Audit Logs
  • System log By default the syslog records
    messages to /var/adm/messages
  • Logins logouts By default all logins are
    recorded to /var/adm/wtmpx and may be read with
    the last command.
  • Su log By default, as specified in
    /etc/default/su, all attempts (successful
    failed) to su are written to the ascii file
    /var/adm/sulog.

56
Sun - Solaris
  • System Audit Logs
  • Failed logins Recording of failed logins must
    be enabled
  • touch /var/adm/loginlog
  • chown root /var/adm/loginlog
  • chgrp sys /var/adm/loginlog
  • chmod 600 /var/ad/loginlog
  • Once the loginlog has been created, failed logins
    will be recorded to this ascii file.

57
Sun - Solaris
  • The Basic Security Module (BSM) must be enabled
    to obtain detailed auditing of file accesses. To
    do this
  • /etc/security/bsmconv
  • Edit the /etc/security/audit_control file
  • flagslo,ad,-fr,-fw,-fc,-fd,-cl
  • lo all logins and logouts
  • ad All administrative events
  • -fr Failed read attempts
  • -fw Failed write attempts
  • -fc Failed creation attempts
  • -fd Failed deletion attempts
  • -cl Failed close attempts
  • Reboot the system ( /usr/sbin/reboot)

58
Sun - Solaris
  • Viewing BSM audit records
  • By default all audit records are stored in the
    path /var/audit
  • auditreduce is used to merge together and filter
    audit records from one or more audit files and
    select specific types of records (e.g. events,
    users, date/time)
  • praudit converts the binary files to human
    readable ascii output
  • Examples
  • auditreduce o file/etc/security praudit
  • auditreduce u pattons c ad d 20010401 praudit
  • Note Refer to the man pages for auditreduce
    praudit

59
Sun - Solaris
  • Example output of BSM auditing

explorer auditreduce -u sandy praudit file,Thu
29 Mar 2001 015227 PM EST, 0 msec,
header,102,2,open(2) - read,,Thu 29 Mar 2001
015227 PM EST, 172114000 msec
path,/usr/dt/lib/nls/msg/en_US.ISO8859-1
subject,sandy,root,root,root,root,791,791,0 0
explorerreturn,failure No such file or
directory,-1 header,81,2,login - local,,Thu 29
Mar 2001 015227 PM EST, 262111000 msec
subject,sandy,sandy,staff,sandy,staff,791,791,0 0
explorer text,successful login return,success,0

60
HP HP-UX
61
HP-UX
  • Account Password Controls
  • In order to enable certain account password
    policies you must convert to Trusted Mode.
  • After conversion to Trusted Mode, encrypted
    password and other security relevant information
    for each account will be in a separate file for
    each account in the path
  • /tcb/files/auth/X/account name where X is
    the beginning letter of the account name
  • To disable an account use the passwd command with
    the l option (lock account).
  • Example passwd l username

62
HP-UX
  • Account Password Controls
  • Converting to Trusted Mode
  • Invoke SAM (System Administration Manager)

Note NIS and HP Trusted mode are not compatible
63
HP-UX
  • Account Password Controls
  • Converting to Trusted Mode
  • From within SAM, select Auditing Security
  • A message will display informing you that the
    system will be converted to Trusted Mode

64
HP-UX
  • Account Password Controls
  • Select Auditing and Security
  • Select System Security Policies

65
HP-UX
  • Account Password Controls
  • Select Password Format Policies

66
HP-UX
  • Account Password Controls
  • Select Password Aging Policies
  • Set Password expiration to 365 days

67
HP-UX
  • Account Password Controls
  • Select Terminal Security Policies
  • Set Unsuccessful login tries to 5

68
Sun - Solaris
  • Access Controls
  • HP-UX offers basic UNIX permissions
  • HP-UX also offers ACLs to grant more granular
    access to specific users
  • The System Administration Manager (SAM) may be
    configured to allow normal users to access
    specific areas in SAM. Refer to documentation on
    Restricted SAM

69
HP-UX
  • System Audit Logs
  • System log By default the syslog records
    messages to /var/adm/syslog/syslog.log
  • Logins logouts By default all logins are
    recorded to /var/adm/wtmp and may be read with
    the last command.
  • Su log By default all attempts (successful
    failed) to su are written to the ascii file
    /var/adm/sulog
  • Failed logins By default failed logins are
    written to /var/adm/btmp and may be read with the
    lastb command

70
HP-UX
  • Trusted Mode auditing must be configured to
    obtain detailed audit records of file accesses.
  • In SAM Select Auditing Security
  • Select Audited System Calls

71
HP-UX
  • From the Actions pull-down menu, select Turn
    Auditing On
  • Highlight a System Call, then from the Actions
    menu select Audit choice (success, failure, or
    both)

Note This is the Audit Event screen
72
HP-UX
  • Audit the following System Calls
  • audctl Success Fail
  • audswitch Success fail
  • setevent Success Fail
  • close Failed only
  • creat Failed only
  • rmdir Failed only
  • mkdir Failed only
  • mknod Failed only
  • login Success Failed
  • unlink Failed only
  • open Failed only

Note Auditing can be selected based upon events
(a group of system calls) or individual system
calls. Auditing by system call will reduce the
volumes of audit records.
73
HP-UX
  • Reviewing Trusted Mode Audit Records
  • From the Actions menu, select View Audit Log

74
HP-UX
  • Sample output Audit Record
  • All users are selected.
  • All events are selected.
  • All ttys are selected.
  • Selecting successful failed events.
  • TIME PID E EVENT PPID AID
    RUID RGID EUID EGID TTY
  •  

  • 971007 134234 7869 S 5 602 528
    20 20 20 20 ?????
  • Eventopen Userpattons Real Grpuser
    Eff.Grpuser
  •  
  • RETURN_VALUE 1 5
  • PARAM 1 (file path) 1 (cnode)
  • 0x40000003 (dev)
  • 391 (inode)
  • (path) /etc/utmp
  • PARAM 2 (int) 258
  • PARAM 3 (int) 420


75
HP-UX
  • More on HP-UX auditing
  • The location of the audit files is /etc/security
  • Auditing may also be configured and controlled
    from the command line
  • audsys Starts/stops auditing sets and displays
    audit files
  • audevent Changes or displays events and system
    calls to be audited
  • audisp Displays audit records
  • Note Refer to man pages for info on these
    commands

76
SGI - IRIX
77
SGI - IRIX
  • Account Password Controls
  • By default IRIX uses the /etc/passwd file, the
    /etc/shadow file is optional (via pwconv command)
  • The default IRIX installation has NO PASSWORDS on
    the following accounts. You should immediately
    set a password or lock the account.
  • rootSuperuser
  • lpPrint Spooler Owner
  • nuucpRemote UUCP User
  • EZsetupSystem Setup
  • demosDemonstration User
  • OutOfBoxOut of Box Experience
  • guestGuest Account
  • 4Dgifts4Dgifts Account

78
SGI - IRIX
  • Account Password Controls
  • To disable an account use the passwd command with
    the l option (lock account).
  • Example passwd l sys
  • To set a password expiration date on an account,
    use the passwd command with the x option
    (expire).
  • Example passwd x 365 spatton

Note If you are running NIS, Password expiration
of 1 year (365 days) is not enforceable
79
SGI - IRIX
  • Account Password Controls
  • To enable the login restrictions described below,
    the visual login process must be disabled with
    the chkconfig command
  • To configure login restrictions and auditing edit
    the following parameters in the file
    /etc/default/login
  • MAXTRYS5 (failed login attempts)
  • DISABLETIME300 (disable for 5 minutes)
  • SYSLOGALL (log both success failed logins)
  • PASSREQ (require a password to be set)

80
SGI - IRIX
  • Access Controls
  • IRIX offers basic UNIX permissions
  • IRIX offers ACLs to grant more granular access to
    specific users
  • IRIX also offers a Least Privilege Capabilities
    function
  • Configured via the /etc/capability file
  • Allows definition of default and maximum
    privileged capabilities

81
SGI - IRIX
  • System Audit Logs
  • System log By default the syslog records
    messages to /var/adm/syslog
  • Logins logouts
  • By default all tty sessions are recorded to
    /var/adm/wtmpx and may be read with the last
    command (excludes users only running X
    applications from their desktop).
  • By default, all logins are also recorded to
    /var/adm/syslog.

82
SGI IRIX
  • System Audit Logs
  • Su log All attempts (successful failed) to su
    are written to the file specified in
    /etc/default/su (default is /var/adm/sulog).
  • Failed logins By default, all failed logins
    are recorded to /var/adm/syslog

83
SGI - IRIX
  • To enable detailed auditing of file accesses you
    must install the IRIX audit sub system
  • Use Inst to install the eoe.we.audit software
    package from the distribution media
  • To enable auditing chkconfig audit on
  • IRIX provides a default auditing environment in
    /etc/config/sat_select.options
  • Events to audit may be changed with the satconfig
    utility (GUI interface) or with the sat_select
    command
  • The location of audit files is configurable with
    the command satd f path

84
SGI - IRIX
  • Audit the following
  • sat_access_denied
  • sat_open (failed only)
  • sat_open_ro (failed only)
  • sat_file_crt_del (failed only)
  • sat_file_crt_del2 (failed only)
  • sat_sysacct
  • sat_close (failed only)
  • sat_check_priv
  • sat_control
  • sat_ae_identity

Note Unable to determine how to audit only
failed attempts
85
SGI - IRIX
  • Viewing IRIX audit records
  • sat_reduce is used to filter audit records
  • -P flag to sat_reduce filters for attempted
    violations
  • -e flag to sat_reduce filters for specific events
  • -u flag to sat_reduce filters for a specific user
  • sat_interpret converts the binary files to human
    readable ascii output
  • sat_summarize provides a short listing of what
    types of records are in the audit trail and how
    many there are of each type
  • Examples
  • sat_reduce P satfile sat_summarize u
    username
  • sat_reduce e sat_access_denied satfile
    sat_summarize
  • Note Refer to the man pages for the above
    commands

86
SGI - IRIX
  • Sample Audit record from IRIX audit subsystem
  • Event type sat_ae_identity
  • Outcome Failure
  • Sequence number 5
  • Time of event Mon Mar 11 124613.33 PST 1991
  • System call syssgi,SGI_SATWRITE
  • Error status 0 (No error)
  • SAT ID anamaria
  • Identity event LOGIN-/dev/ttyq4anamariaThat
    user gave an invalid label.

87
IBM - AIX
88
IBM - AIX
  • Account Password Controls
  • By default AIX uses the /etc/passwd file, the
    shadow file /etc/security/password is optional.
    Accounts are administered through the Security
    Management Interface Tool (SMIT)
  • Password restrictions may be set by editing the
    default stanza in the file /etc/security/user
  • maxage52
  • minalpha1
  • minother1
  • minlen8
  • Failed login attempts are configurable in
    /etc/security/login.config for Failed
    Logins,Retry Delay,Interval, and Reenable Delay
  • The login banner may also be customized in
    /etc/security/login.config in the herald
    parameters stanza

Note If you are running NIS, Password expiration
of 1 year (52 weeks) is not enforceable
89
IBM - AIX
  • Access Controls
  • AIX offers basic UNIX permissions
  • AIX offers ACLs to grant more granular access to
    specific users

90
IBM-AIX
  • System Audit Logs
  • System log By default the syslog records
    messages to /var/log/messages
  • Logins logouts By default all logins are
    recorded to /var/adm/wtmp and may be read with
    the last command.
  • Su log By default all attempts (successful
    failed) to su are written to the ascii file
    /var/adm/sulog
  • Failed logins By default failed logins are
    written to /etc/security/failedlogin and may be
    read with who /etc/security/failedlogin

91
IBM -AIX
  • AIX has a configurable audit subsystem
  • The primary audit configuration parameters are
    maintained in the /etc/security/audit/config file
  • Events to be audited are maintained in
    /etc/security/events
  • Objects (files) to be audited are maintained in
    /etc/security/objects (Good news!)
  • Starting and stopping the audit subsystem
  • Audit start (start audit)
  • Audit shutdown (stop audit)
  • Audit off (temporarily suspend)
  • Audit on (resume)
  • Audit query (show status)

92
IBM - AIX
  • Events to audit
  • PROC_Privilege
  • FILE_Open
  • FILE_Write
  • FILE_Close
  • FILE_Unlink
  • FS_Rmdir
  • FS_Mkdir
  • USER_Login
  • USER_Logout
  • USER_Su
  • USER_Create
  • USER_Mod
  • USER_Remove
  • PASSWORD_Change

93
IBM-AIX
  • The default audit trail (bin mode) is written to
    /audit/trail
  • The auditselect and auditpr commands are used to
    select (filter) and display audit records. Refer
    to the man pages.

94
OpenVMS
95
OpenVMS
  • Account Password Controls
  • VMS stores account and password information in
    the SYSSYSTEMSYSUAF.DAT file, and is accessed
    through the Authorize utility.
  • On VAXs the default accounts include DEFAULT,
    FIELD, SYSTEM, SYSTEST, and SYSTEST_CLIG. On
    Alpha systems, the default accounts include
    DEFAULT and SYSTEM
  • SYSTEM is the all powerful account in VMS. At
    one time the default password for the SYSTEM
    account was Manager.

96
OpenVMS
  • Account Password Controls
  • The FIELD and TEST accounts should be disabled
    To disable an account
  • RUN SYSSYSTEMAUTHORIZE
  • UAF MODIFY account name/FLAGSDISUSER
  • To establish password restrictions, use the
    following flags when establishing accounts, or
    modify the default account to have these flags
    set
  • /PWDMINIMUM 8
  • /PWDLIFETIME365
  • /FLAGSGENPWD
  • /GENERATE_PASSWORD

97
OpenVMS
  • Account Password Controls
  • To control failed login attempts
  • Run SYSSYSTEMSYSMAN
  • SYSMANPARAMETERS SET LGI_BRK_LIM 5
  • SYSMANPARAMETERS SET LGI_BRK_TMO 300
  • SYSMANPARAMETERS WRITE CURRENT
  • Login Banner Edit SYSANNOUNCE in the
    site-specific startup command procedure
    SYSMANAGERSYSTARTUP_VMS.COM.

98
OpenVMS
  • Access Controls
  • By default VMS has file access protections that
    control access (read, write, execute, control,
    delete) for System, Owner, Group, and World
  • Optional Access Control Lists may also be set on
    files to grant access to individual user accounts
  • Additional privileges may be added to any account
    with the Authorize utility with the parameters
    /DEFPRIVILEGES and /PRIVILEGES
  • DEFPRIVILEGES are available at login. A user may
    use the SET PROCESS/PRIVILEGES command to
    increase their privileges if authorized.

99
OpenVMS
  • OpenVMS Auditing
  • OpenVMS by default audits the following events
  • ACL Access to objects holding a security ACE
  • Audit Usage of the SET AUDIT comand
  • Authorization Changes to the SYSUAF.DAT file
    and the RIGHTSLIST.DAT file
  • Break-In Multiple failed login attempts
  • Log Failure All failed logins
  • Enable additional auditing with
    SET/AUDIT/ENABLE
  • LOGINS(ALL)
  • LOGOUTS(ALL)
  • PRIVILEGE(SUCCESSSECURITY,FAILURESECURITY)

100
OpenVMS
  • OpenVMS Auditing
  • To enable auditing on specific files use the
    command SET SECURITY/ACLAUDIT

101
OpenVMS
  • By default the audit file is located in
    SYSCOMMONSYSMGR directory and named
    SECURITY.AUDITJOURNAL
  • The audit file may be viewed with the
    ANALYZE/AUDIT command
  • Example
  • ANALYSE/AUDIT/BRIEF SYSMANAGERSECURITY.AUDITJOU
    RNAL
  • Date / Time Type Subtype
    Node Username ID Term
  • -------------------------------------------------
    -----------------------------
  • 1-NOV-1995 160003.37 ACCESS FILE_ACCESS
    HERE SYSTEM 5B600AE4
  • 1-NOV-1995 160059.66 LOGIN SUBPROCESS
    GONE ROBINSON 3BA011D4
  • 1-NOV-1995 160237.31 LOGIN SUBPROCESS
    GONE MILANT 000000D5
  • 1-NOV-1995 160636.40 LOGFAIL LOCAL
    SUPER MBILLS 000000E5 _TTA1
  • Note To see more details use ANALIZE/AUDIT/FULL

102
Macintosh
103
Macintosh
  • The current MAC operating system (MAC OS 9.0) is
    not capable of implementing technical security
    features.
  • The NEW version, OS X, released March 25, 2001 is
    based upon a BSD version of UNIX, named Darwin.
    It will most likely have the typical UNIX
    security features. It is doubtful, that it will
    have an auditing subsystem.

Note With the change to a UNIX O/S, Mac users
should be prepared to start experiencing attacks
from hackers they have never had to deal with!
104
One more slide .
  • What I havent told you .
  • How to control the size and maintenance of audit
    files. Make sure you research this and plan for
    plenty of disk space!
  • Be aware that these audit systems can be
    configured to shut down auditing if a disk fills
    up .. Or shut down the system
  • The impact on performance from auditing.
  • A strategy to archive all of the audit files so
    they can be kept for the required time periods
Write a Comment
User Comments (0)
About PowerShow.com