Technical Requirements - PowerPoint PPT Presentation

Provided by: SandyP1


1
FAISSR
  • Technical Requirements
  • What is feasible?
  • How do I Configure Security Features?

This presentation was produced for the Florida
Association of IS Security Representatives
(FAISSR). Any references to products are for
example only and are not an endorsement by
FAISSR. CAUTION - Not all of the information in
this presentation has been tested.
Implementation of the suggestions contained in
this presentation must be validated by the ISSM
and approved by the CSA.
3-Apr-2001
2
Before we Start ...
DISCLAIMER
  • This presentation is intended as a Starting Point
    only
  • Not everything in this presentation has been
    verified (tested)
  • Viewgraphs that define events to be audited are a
    first cut suggestion to meet the minimum
    requirements

3
Technical Security Features
  • Technical Security Features now required by
    Chapter 8
  • Logon Authentication
  • Session Controls
  • Access Controls
  • Audit
  • When technically feasible ??

4
The Questions ...
SGI IRIX ?
5
UNIX - General
6
UNIX - General
  • There are multiple flavors of UNIX, but all of
    them have some features in common.
  • This section discusses the common features
    within all UNIX operating systems.

7
UNIX - General
  • Logon Banner
  • Command Line Login - Edit the file /etc/issue and
    place the DoD banner in this file. This will
    display a banner for command-line logins (e.g.
    telnet).
  • Common Desktop Environment (CDE) - A GUI
    interface used by many of the UNIX O/Ss. To add
    the DoD login banner to the CDE login:
  • Copy the file Xresources from /usr/dt/config to
    /etc/dt/config
  • Update the Xresources resource in
    /etc/dt/config/Xconfig to point to the new
    location (/etc/dt/config/Xresources)
  • Edit the Dtlogin*greeting.labelString resource
    within the Xresources file. Place the banner here.

8
UNIX - General
  • Account Controls
  • All UNIX O/Ss have some account information in
    the /etc/passwd file.
  • Some UNIX implementations store the encrypted
    passwords and other information in a shadow
    password file.
  • Most (not all) UNIX O/Ss prompt you to specify
    the password for the privileged root account
    during installation.
  • There are several accounts within UNIX that
    should be disabled from login access. Examples
    include bin, sys, adm, nobody, and lp (if the
    system is not a print server).

9
UNIX - General
  • Password Controls
  • By default UNIX passwords are required to contain
    at least 2 alphabetic characters and 1 numeric or
    special character. Passwords must also differ from
    the previous password by at least 3 characters.
  • Refer to individual UNIX implementations for
    imposing other password restrictions.

10
UNIX - General
  • Access Controls
  • All UNIX O/Ss provide basic file permissions of
    read, write, and execute, for owner, group, and
    all others (world). Most come configured with
    reasonable permissions already set, refer to your
    documentation.
  • Some UNIX O/Ss provide the ability to set Access
    Control Lists (ACLs) that provide the ability to
    control access on a per user basis.
  • Some UNIX O/Ss provide additional capabilities to
    delegate root type privileges to normal users.

11
UNIX - General
  • System Audit Logs
  • Syslog
  • General-purpose log for recording system
    events. Includes messages generated by many of
    the UNIX system processes. Some of these events
    may be security relevant; for example, some
    record login and su attempts. Note: Most
    information in this log will not be security
    relevant.
  • Each UNIX O/S may differ as to where messages
    generated by syslog are recorded. The
    configuration for what the syslog facility is to
    record and where it is to record the messages is
    always found in /etc/syslog.conf.

12
UNIX - General
  • System Audit Logs
  • wtmp
  • Binary file containing all logins, logouts, and
    system reboots.
  • The last command is used to display the contents
    of the wtmp file.
  • utmp
  • Binary file containing information on who is
    currently logged into the system.
  • The who command is used to display the contents
    of the utmp file.

13
UNIX - General
  • System Audit Logs
  • Failed logins log
  • A file containing records of failed login events.
  • Each UNIX O/S differs in its implementation.
  • Su Log
  • File containing both successful and failed
    attempts to use the su (switch user) command.
  • Each UNIX O/S differs in its implementation.

14
UNIX - General
  • Example output of last command

Columns: Account, Logged in from, Date/Time, Duration (days+hours:min)
15
UNIX - General
  • What to look for with the last command
  • Unauthorized users/accounts
  • Activity in accounts when there should not be
    any (i.e. the person is on vacation)
  • Activity at unusual times (3 AM, when the person
    works first shift)
  • Logins from unauthorized or unknown hosts/systems
  • Accounts left logged in for days
  • Direct logins to root when you have multiple
    administrators with root access. They should
    login to their non-privileged account, then su to
    root.
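The checklist above, turned into a script as an added example (not part of the presentation): it applies each check to last-style output and returns the findings. The sample session lines, the authorized-account and known-host lists, the 06:00-19:00 shift window and the review time are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout `last` prints: account, tty, originating
# host (blank for the console), day/date, start - end, duration.
SAMPLE_LAST = """\
sandy     pts/2    ws-sandy.lab     Mon Apr  2 08:15 - 17:02  (08:47)
root      console                   Mon Apr  2 03:12 - 03:40  (00:28)
pattons   pts/4    203.0.113.9      Sun Apr  1 22:40 - 23:05  (00:25)
jones     pts/1    ws-jones.lab     Thu Mar 29 09:00   still logged in
sandy     pts/3    ws-sandy.lab     Wed Mar 28 09:30 - 10:10  (00:40)
reboot    system boot               Wed Mar 28 07:55
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S*?)\s*"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<dom>\d{1,2})\s+"
    r"(?P<hh>\d\d):(?P<mm>\d\d)(?P<rest>.*)$"
)


def review_last(text, authorized, known_hosts, on_leave, now, year,
                shift=(6, 19), max_open_days=3):
    """Apply the slide's checklist to `last` output; returns (account, reason) pairs.
    `year` is passed in because `last` omits it; `now` is the review time."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") in ("reboot", "shutdown"):
            continue  # skip the system-boot pseudo entries
        user, host = m.group("user"), m.group("host")
        start = datetime.strptime(
            "%s %s %d %s:%s" % (m.group("mon"), m.group("dom"), year,
                                m.group("hh"), m.group("mm")), "%b %d %Y %H:%M")
        if user not in authorized:
            findings.append((user, "unauthorized or unknown account"))
        if user in on_leave:
            findings.append((user, "activity while account holder is away"))
        if not shift[0] <= start.hour < shift[1]:
            findings.append((user, "login at %02d:%02d, outside normal shift"
                             % (start.hour, start.minute)))
        if host and host not in known_hosts:
            findings.append((user, "login from unknown host %s" % host))
        if "still logged in" in m.group("rest") and (now - start).days >= max_open_days:
            findings.append((user, "session open for %d days" % (now - start).days))
        if user == "root":
            findings.append((user, "direct root login instead of su from own account"))
    return findings


def review_sample():
    """Run the checklist over SAMPLE_LAST with a constructed site policy."""
    return review_last(SAMPLE_LAST,
                       authorized={"sandy", "jones", "root"},
                       known_hosts={"ws-sandy.lab", "ws-jones.lab"},
                       on_leave={"jones"},
                       now=datetime(2001, 4, 3, 9, 0), year=2001)


if __name__ == "__main__":
    for account, reason in review_sample():
        print("%-8s %s" % (account, reason))
```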

16
UNIX - General
  • Example output of su log

17
UNIX - General
  • What to look for in the su log
  • Failures may indicate unauthorized attempts to
    access an account.
  • Persons accessing an account they are not
    authorized to access. For example an su to the
    root account from a non-privileged user.
  • Be aware that this does not always indicate a
    problem. A privileged administrator may be
    assisting a user with a problem, and needed to
    access the root account while sitting at that
    person's workstation/terminal. Question your
    admins before jumping to conclusions.

18
UNIX - General
  • Example log of Failed logins
  • What to look for?
  • Multiple failed logins

19
SUN - Solaris
20
Sun - Solaris
  • Account Password Controls
  • By default Solaris uses both the /etc/passwd file
    and the /etc/shadow file. Encrypted passwords are
    stored in the shadow file.
  • To disable an account use the passwd command with
    the -l option (lock account).
  • Example: passwd -l username
  • To force a password change at initial login:
  • passwd -f username

21
Sun - Solaris
  • Account Password Controls
  • By default passwords are required to contain at
    least 2 alphabetic characters and 1 numeric or
    special character
  • Edit the file /etc/default/passwd to establish
    password length and lifetime constraints:
  • MAXWEEKS=52
  • MINWEEKS=0
  • WARNWEEKS=2
  • PASSLENGTH=8
  • By default, failed login attempts are set to 5 in
    the file /etc/default/login

Note: If you are running NIS, password expiration
of 1 year (52 weeks) is not enforceable
22
Sun - Solaris
  • Access Controls
  • Solaris offers basic UNIX permissions
  • Solaris also offers ACLs to grant more granular
    access to specific users
  • Membership in the sysadmin group (14) permits
    access to certain administration tools

23
Sun - Solaris
  • System Audit Logs
  • System log - By default the syslog records
    messages to /var/adm/messages
  • Logins & logouts - By default all logins are
    recorded to /var/adm/wtmpx and may be read with
    the last command.
  • Su log - By default, as specified in
    /etc/default/su, all attempts (successful &
    failed) to su are written to the ascii file
    /var/adm/sulog.

24
Sun - Solaris
  • System Audit Logs
  • Failed logins - Recording of failed logins must
    be enabled:
  • touch /var/adm/loginlog
  • chown root /var/adm/loginlog
  • chgrp sys /var/adm/loginlog
  • chmod 600 /var/adm/loginlog
  • Once the loginlog has been created, failed logins
    will be recorded to this ascii file.

25
Sun - Solaris
  • The Basic Security Module (BSM) must be enabled
    to obtain detailed auditing of file accesses. To
    do this:
  • /etc/security/bsmconv
  • Edit the /etc/security/audit_control file:
  • flags:lo,ad,-fr,-fw,-fc,-fd,-cl
  • lo - all logins and logouts
  • ad - all administrative events
  • -fr - failed read attempts
  • -fw - failed write attempts
  • -fc - failed creation attempts
  • -fd - failed deletion attempts
  • -cl - failed close attempts
  • Reboot the system (/usr/sbin/reboot)
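As an added example, not from the presentation: a Python check that reads the flags: line of an audit_control file, applies the BSM prefix rules (no prefix, +, -, ^) and reports which of the classes and outcomes required above are not covered. The two audit_control contents are constructed; the required list is the flags line from this slide.

```python
# Required coverage from the slide: class -> outcomes that must be audited.
REQUIRED = {"lo": {"success", "failure"}, "ad": {"success", "failure"},
            "fr": {"failure"}, "fw": {"failure"}, "fc": {"failure"},
            "fd": {"failure"}, "cl": {"failure"}}

# Constructed audit_control files: thin coverage, and the slide's flags line.
WEAK_AUDIT_CONTROL = "dir:/var/audit\nflags:lo,-fw\nminfree:20\nnaflags:lo\n"
HARDENED_AUDIT_CONTROL = ("dir:/var/audit\nflags:lo,ad,-fr,-fw,-fc,-fd,-cl\n"
                          "minfree:20\nnaflags:lo\n")


def parse_flags(spec):
    """Expand a BSM flags list into {class: set of audited outcomes}.

    Prefix rules from audit_control(4): no prefix = success and failure,
    '+' = success only, '-' = failure only, and a leading '^' removes the
    outcomes the rest of the item names, so later items can narrow earlier ones."""
    cover = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith("^")
        if remove:
            item = item[1:]
        if item.startswith("+"):
            outcomes, cls = {"success"}, item[1:]
        elif item.startswith("-"):
            outcomes, cls = {"failure"}, item[1:]
        else:
            outcomes, cls = {"success", "failure"}, item
        current = cover.setdefault(cls, set())
        if remove:
            current -= outcomes
        else:
            current |= outcomes
    return cover


def flags_line(audit_control_text):
    """Return the value of the flags: line, ignoring comments; '' if absent."""
    for line in audit_control_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("flags:"):
            return line[len("flags:"):]
    return ""


def missing_coverage(audit_control_text, required=REQUIRED):
    """List (class, outcome) pairs the policy requires but the file does not audit."""
    cover = parse_flags(flags_line(audit_control_text))
    return [(cls, outcome) for cls, outcomes in required.items()
            for outcome in sorted(outcomes) if outcome not in cover.get(cls, set())]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_AUDIT_CONTROL), ("hardened", HARDENED_AUDIT_CONTROL)):
        print(name, missing_coverage(text) or "OK")
```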

26
Sun - Solaris
  • Viewing BSM audit records
  • By default all audit records are stored in the
    path /var/audit
  • auditreduce is used to merge together and filter
    audit records from one or more audit files and
    select specific types of records (e.g. events,
    users, date/time)
  • praudit converts the binary files to human
    readable ascii output
  • Examples:
  • auditreduce -o file=/etc/security | praudit
  • auditreduce -u pattons -c ad -d 20010401 | praudit
  • Note: Refer to the man pages for auditreduce and
    praudit

27
Sun - Solaris
  • Example output of BSM auditing

  explorer# auditreduce -u sandy | praudit
  file,Thu 29 Mar 2001 01:52:27 PM EST, 0 msec,
  header,102,2,open(2) - read,,Thu 29 Mar 2001 01:52:27 PM EST, 172114000 msec
  path,/usr/dt/lib/nls/msg/en_US.ISO8859-1
  subject,sandy,root,root,root,root,791,791,0 0 explorer
  return,failure: No such file or directory,-1
  header,81,2,login - local,,Thu 29 Mar 2001 01:52:27 PM EST, 262111000 msec
  subject,sandy,sandy,staff,sandy,staff,791,791,0 0 explorer
  text,successful login
  return,success,0
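An added example, not from the presentation, of processing the praudit output shown on this slide: a small Python parser that groups the comma-delimited tokens into records (one per header token, as the auditreduce | praudit pipeline on the previous slide emits them) and picks out failed file accesses by audit-ID. The input is this slide's sample with the lost separators restored; the subject field positions follow the praudit comma-delimited layout.

```python
# The slide's praudit sample with separators restored; treated as constructed input.
SAMPLE_PRAUDIT = """\
file,Thu 29 Mar 2001 01:52:27 PM EST, 0 msec,
header,102,2,open(2) - read,,Thu 29 Mar 2001 01:52:27 PM EST, 172114000 msec
path,/usr/dt/lib/nls/msg/en_US.ISO8859-1
subject,sandy,root,root,root,root,791,791,0 0 explorer
return,failure: No such file or directory,-1
header,81,2,login - local,,Thu 29 Mar 2001 01:52:27 PM EST, 262111000 msec
subject,sandy,sandy,staff,sandy,staff,791,791,0 0 explorer
text,successful login
return,success,0
"""


def parse_praudit(text):
    """Group praudit tokens into records; each record starts at a header token.

    subject fields: audit-ID, uid, gid, ruid, rgid, pid, session-ID, terminal-ID.
    The audit-ID is fixed at login and survives su, which is why the open(2)
    record below runs as root but is still attributed to the account sandy."""
    records, rec = [], None
    for line in text.splitlines():
        f = line.split(",")
        if f[0] == "header":
            rec = {"event": f[3], "time": f[5].strip(), "paths": [],
                   "outcome": "", "errval": "", "text": ""}
            records.append(rec)
        elif rec is None:
            continue  # the leading 'file' token precedes the first record
        elif f[0] == "path":
            rec["paths"].append(f[1])
        elif f[0] == "subject":
            rec["audit_id"], rec["uid"] = f[1], f[2]
            rec["ruid"], rec["pid"] = f[4], f[6]
        elif f[0] == "text":
            rec["text"] = f[1]
        elif f[0] == "return":
            rec["outcome"], rec["errval"] = f[1], f[2]
    return records


def failed_file_events(records):
    """Records that name a path and did not succeed (the -fr/-fw/-fc/-fd/-cl classes)."""
    return [r for r in records if r["paths"] and r["outcome"] != "success"]


def failures_by_audit_id(records):
    """Count failed file events per audit-ID, i.e. per account that originally logged in."""
    counts = {}
    for r in failed_file_events(records):
        counts[r["audit_id"]] = counts.get(r["audit_id"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in failed_file_events(parse_praudit(SAMPLE_PRAUDIT)):
        print(r["time"], r["audit_id"], "as uid", r["uid"], r["event"], r["paths"], r["outcome"])
```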

28
HP HP-UX
29
HP-UX
  • Account Password Controls
  • In order to enable certain account password
    policies you must convert to Trusted Mode.
  • After conversion to Trusted Mode, encrypted
    password and other security relevant information
    for each account will be in a separate file for
    each account in the path
  • /tcb/files/auth/X/<account name>, where X is
    the first letter of the account name
  • To disable an account use the passwd command with
    the -l option (lock account).
  • Example: passwd -l username

30
HP-UX
  • Account Password Controls
  • Converting to Trusted Mode
  • Invoke SAM (System Administration Manager)

Note: NIS and HP Trusted Mode are not compatible
31
HP-UX
  • Account Password Controls
  • Converting to Trusted Mode
  • From within SAM, select Auditing & Security
  • A message will display informing you that the
    system will be converted to Trusted Mode

32
HP-UX
  • Account Password Controls
  • Select Auditing and Security
  • Select System Security Policies

33
HP-UX
  • Account Password Controls
  • Select Password Format Policies

34
HP-UX
  • Account Password Controls
  • Select Password Aging Policies
  • Set Password expiration to 365 days

35
HP-UX
  • Account Password Controls
  • Select Terminal Security Policies
  • Set Unsuccessful login tries to 5

36
HP-UX
  • Access Controls
  • HP-UX offers basic UNIX permissions
  • HP-UX also offers ACLs to grant more granular
    access to specific users
  • The System Administration Manager (SAM) may be
    configured to allow normal users to access
    specific areas in SAM. Refer to documentation on
    Restricted SAM

37
HP-UX
  • System Audit Logs
  • System log - By default the syslog records
    messages to /var/adm/syslog/syslog.log
  • Logins & logouts - By default all logins are
    recorded to /var/adm/wtmp and may be read with
    the last command.
  • Su log - By default all attempts (successful &
    failed) to su are written to the ascii file
    /var/adm/sulog
  • Failed logins - By default failed logins are
    written to /var/adm/btmp and may be read with the
    lastb command

38
HP-UX
  • Trusted Mode auditing must be configured to
    obtain detailed audit records of file accesses.
  • In SAM, select Auditing & Security
  • Select Audited System Calls

39
HP-UX
  • From the Actions pull-down menu, select Turn
    Auditing On
  • Highlight a System Call, then from the Actions
    menu select Audit choice (success, failure, or
    both)

Note: This is the Audit Event screen
40
HP-UX
  • Audit the following System Calls:
  • audctl - Success & Fail
  • audswitch - Success & Fail
  • setevent - Success & Fail
  • close - Failed only
  • creat - Failed only
  • rmdir - Failed only
  • mkdir - Failed only
  • mknod - Failed only
  • login - Success & Failed
  • unlink - Failed only
  • open - Failed only

Note: Auditing can be selected based upon events
(a group of system calls) or individual system
calls. Auditing by system call will reduce the
volume of audit records.
41
HP-UX
  • Reviewing Trusted Mode Audit Records
  • From the Actions menu, select View Audit Log

42
HP-UX
  • Sample output Audit Record
  • All users are selected.
  • All events are selected.
  • All ttys are selected.
  • Selecting successful & failed events.

    TIME             PID   E  EVENT  PPID  AID  RUID  RGID  EUID  EGID  TTY
    971007 13:42:34  7869  S  5      602   528  20    20    20    20    ?????
      [ Event=open; User=pattons; Real Grp=user; Eff.Grp=user; ]
      RETURN_VALUE 1 = 5;
      PARAM #1 (file path) = 1 (cnode);
                             0x40000003 (dev);
                             391 (inode);
                             (path) = /etc/utmp
      PARAM #2 (int) = 258
      PARAM #3 (int) = 420


43
HP-UX
  • More on HP-UX auditing
  • The location of the audit files is /etc/security
  • Auditing may also be configured and controlled
    from the command line
  • audsys - Starts/stops auditing; sets and displays
    audit files
  • audevent - Changes or displays events and system
    calls to be audited
  • audisp - Displays audit records
  • Note: Refer to man pages for info on these
    commands

44
SGI - IRIX
45
SGI - IRIX
  • Account Password Controls
  • By default IRIX uses the /etc/passwd file, the
    /etc/shadow file is optional (via pwconv command)
  • The default IRIX installation has NO PASSWORDS on
    the following accounts. You should immediately
    set a password or lock the account.
  • root - Superuser
  • lp - Print Spooler Owner
  • nuucp - Remote UUCP User
  • EZsetup - System Setup
  • demos - Demonstration User
  • OutOfBox - Out of Box Experience
  • guest - Guest Account
  • 4Dgifts - 4Dgifts Account

46
SGI - IRIX
  • Account Password Controls
  • To disable an account use the passwd command with
    the -l option (lock account).
  • Example: passwd -l sys
  • To set a password expiration date on an account,
    use the passwd command with the -x option
    (expire).
  • Example: passwd -x 365 spatton

Note: If you are running NIS, password expiration
of 1 year (365 days) is not enforceable
47
SGI - IRIX
  • Account Password Controls
  • To enable the login restrictions described below,
    the visual login process must be disabled with
    the chkconfig command
  • To configure login restrictions and auditing edit
    the following parameters in the file
    /etc/default/login
  • MAXTRYS=5 (failed login attempts)
  • DISABLETIME=300 (disable for 5 minutes)
  • SYSLOG=ALL (log both successful & failed logins)
  • PASSREQ (require a password to be set)

48
SGI - IRIX
  • Access Controls
  • IRIX offers basic UNIX permissions
  • IRIX offers ACLs to grant more granular access to
    specific users
  • IRIX also offers a Least Privilege Capabilities
    function
  • Configured via the /etc/capability file
  • Allows definition of default and maximum
    privileged capabilities

49
SGI - IRIX
  • System Audit Logs
  • System log - By default the syslog records
    messages to /var/adm/syslog
  • Logins & logouts:
  • By default all tty sessions are recorded to
    /var/adm/wtmpx and may be read with the last
    command (excludes users only running X
    applications from their desktop).
  • By default, all logins are also recorded to
    /var/adm/syslog.

50
SGI IRIX
  • System Audit Logs
  • Su log - All attempts (successful & failed) to su
    are written to the file specified in
    /etc/default/su (default is /var/adm/sulog).
  • Failed logins - By default, all failed logins
    are recorded to /var/adm/syslog

51
SGI - IRIX
  • To enable detailed auditing of file accesses you
    must install the IRIX audit subsystem
  • Use Inst to install the eoe.we.audit software
    package from the distribution media
  • To enable auditing: chkconfig audit on
  • IRIX provides a default auditing environment in
    /etc/config/sat_select.options
  • Events to audit may be changed with the satconfig
    utility (GUI interface) or with the sat_select
    command
  • The location of audit files is configurable with
    the command satd -f path

52
SGI - IRIX
  • Audit the following
  • sat_access_denied
  • sat_open (failed only)
  • sat_open_ro (failed only)
  • sat_file_crt_del (failed only)
  • sat_file_crt_del2 (failed only)
  • sat_sysacct
  • sat_close (failed only)
  • sat_check_priv
  • sat_control
  • sat_ae_identity

Note: Unable to determine how to audit only
failed attempts
53
SGI - IRIX
  • Viewing IRIX audit records
  • sat_reduce is used to filter audit records
  • -P flag to sat_reduce filters for attempted
    violations
  • -e flag to sat_reduce filters for specific events
  • -u flag to sat_reduce filters for a specific user
  • sat_interpret converts the binary files to human
    readable ascii output
  • sat_summarize provides a short listing of what
    types of records are in the audit trail and how
    many there are of each type
  • Examples:
  • sat_reduce -P satfile | sat_summarize -u
    username
  • sat_reduce -e sat_access_denied satfile |
    sat_summarize
  • Note: Refer to the man pages for the above
    commands

54
SGI - IRIX
  • Sample Audit record from IRIX audit subsystem
  • Event type = sat_ae_identity
  • Outcome = Failure
  • Sequence number = 5
  • Time of event = Mon Mar 11 12:46:13.33 PST 1991
  • System call = syssgi,SGI_SATWRITE
  • Error status = 0 (No error)
  • SAT ID = anamaria
  • Identity event = LOGIN-/dev/ttyq4|anamaria|That
    user gave an invalid label.

55
IBM - AIX
56
IBM - AIX
  • Account Password Controls
  • By default AIX uses the /etc/passwd file, the
    shadow file /etc/security/password is optional.
    Accounts are administered through the Security
    Management Interface Tool (SMIT)
  • Password restrictions may be set by editing the
    default stanza in the file /etc/security/user
  • maxage=52
  • minalpha=1
  • minother=1
  • minlen=8
  • Failed login attempts are configurable in
    /etc/security/login.config for Failed
    Logins, Retry Delay, Interval, and Reenable Delay
  • The login banner may also be customized in
    /etc/security/login.config in the herald
    parameters stanza

Note: If you are running NIS, password expiration
of 1 year (52 weeks) is not enforceable
57
IBM - AIX
  • Access Controls
  • AIX offers basic UNIX permissions
  • AIX offers ACLs to grant more granular access to
    specific users

58
IBM-AIX
  • System Audit Logs
  • System log - By default the syslog records
    messages to /var/log/messages
  • Logins & logouts - By default all logins are
    recorded to /var/adm/wtmp and may be read with
    the last command.
  • Su log - By default all attempts (successful &
    failed) to su are written to the ascii file
    /var/adm/sulog
  • Failed logins - By default failed logins are
    written to /etc/security/failedlogin and may be
    read with who /etc/security/failedlogin

59
IBM -AIX
  • AIX has a configurable audit subsystem
  • The primary audit configuration parameters are
    maintained in the /etc/security/audit/config file
  • Events to be audited are maintained in
    /etc/security/events
  • Objects (files) to be audited are maintained in
    /etc/security/objects (Good news!)
  • Starting and stopping the audit subsystem:
  • audit start (start auditing)
  • audit shutdown (stop auditing)
  • audit off (temporarily suspend)
  • audit on (resume)
  • audit query (show status)

60
IBM - AIX
  • Events to audit
  • PROC_Privilege
  • FILE_Open
  • FILE_Write
  • FILE_Close
  • FILE_Unlink
  • FS_Rmdir
  • FS_Mkdir
  • USER_Login
  • USER_Logout
  • USER_Su
  • USER_Create
  • USER_Mod
  • USER_Remove
  • PASSWORD_Change

61
IBM-AIX
  • The default audit trail (bin mode) is written to
    /audit/trail
  • The auditselect and auditpr commands are used to
    select (filter) and display audit records. Refer
    to the man pages.

62
One more slide ...
  • What I haven't told you ...
  • How to control the size and maintenance of audit
    files. Make sure you research this and plan for
    plenty of disk space!
  • Be aware that these audit systems can be
    configured to shut down auditing if a disk fills
    up ... or shut down the system
  • The impact on performance from auditing.
  • A strategy to archive all of the audit files so
    they can be kept for the required time periods