Building Your IT Security Checklist
Sample checklist/audit plans for Unix, NT and Windows 2000 Active Directory
Copyright 2001 Marchany

What have we just done?
The Top 20 threats meet our risk criteria:
- Have a high probability of occurring
- Result in the loss of a critical service
- Be extremely expensive to fix later
- Result in heavy, negative publicity

Applying TBS to the real world!
TBS = Time Based Security
- Top Ten Vulnerabilities, the vulnerabilities responsible for most hacks
- Apply TBS as an approach to an effective, understandable security policy
- Basics
- Perimeter
- Unix
- NT
- Windows 2000

The TBS Audit Layers
A complete IT audit/security checklist is a set of component audits/checklists. You should be able to measure E, D and R times for each layer of the security architecture.
Components:
- Procedural: E = D + R
- Perimeter (Firewall): E = D + R
- UNIX: E = D + R
- NT/Windows 2000: E = D + R

CIS Rulers
Rulers list a set of minimal actions that need to be done on a host system.
This is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Caterpillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Edu Testing Services and others).
Can't develop your own set? Use these!

CIS Rulers: A Security and Audit Checklist
- Level 1: Mandatory. Actions required regardless of the host's location or function.
- Level 2: Dependent on your network topology. Different for switched nets vs. shared nets vs. wireless nets, etc.

CIS Rulers: Security Checklist & Audit Plan
- Level 3: Application specific (WWW, FTP, DB, Auth).
- Procedural: Examines the policies in place. This is the policy review checklist.
(Diagram: Level 1 at the base; Level 2 split by Switched / Wireless / Non Switched; Level 3 split by FTP / WWW / DB / Mail.)

CIS Rulers: Procedural
- General Administration Policies
- Key security tool installed
- User Accounts and environment
- System Logs
- Network File sharing
- General Email Issues
This review is done during the Audit Planning Phase of the audit process.

CIS Ruler: Procedural
General Administration Policies:
- Acceptable Use Policy
- Backup Policy
- Security Administrator duties
- Whois Contact Information (Tech/Admin)
- System changelogs (Source Revision Control)
- Incident Response
- Minimum software requirements
- User, temp, system account policies
- Patches

CIS Ruler Example: Backups
- Does a backup policy exist?
- Do backup logs exist?
- What data is backed up
- How often data is backed up
- Type of backup (full, differential, etc.)
- How the backups are scheduled and verified
- How the backup media is handled and labeled
- How the backup media is stored
- How long the backup media is retained
- How backup media is rotated and expired
- How backup data is recovered

CIS Ruler: Procedural
Key security tools installed:
- Network routers implement minimum filtering requirements
- Verify network routers are properly configured and monitored for in/out traffic
- Are all firewalls properly configured and monitored for in/out traffic?
The above rules prevent DDOS attacks from affecting other nets.

CIS Ruler: Procedural
- User Accounts and Environment: Remove obsolete user entries from the system.
- System Logs: How long are they kept? Are they secured?
- Network file sharing: Review what filesystems this system can access. Review what filesystems this system exports.
- Email Policy: Abuse Policy?

CIS Ruler: Written Documentation, Policies
- Where is it?
- Is it available to anyone that needs it?
- Is it up to date?
- Is anything major missing (SGI policies, but no HP policies)?

CIS Ruler Example: Security Policy
- Purpose - the reason for the policy.
- Related documents - lists any documents (or other policy) that affect the contents of this policy.
- Cancellation - identifies any existing policy that is cancelled when this policy becomes effective.
- Background - provides amplifying information on the need for the policy.
- Scope - states the range of coverage for the policy (to whom or what does the policy apply?).
- Policy statement - identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization.
- Action - specifies what actions are necessary and when they are to be accomplished.
- Responsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated.

Procedural: Incident Response Plan
Are the six Incident Response steps covered?
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned (if there are no lessons learned documents, either the plan isn't followed or no incidents have occurred).

Procedural: Training & Education
- Do technical people have the training to do their job competently?
- Are there standards their skills can be measured against?
- Are there standards of compliance that ensure they are using their training in accordance with policy?

Procedural: Physical Security
- Consoles in physically secure areas?
- Fire suppression?
- Backups? Offsite backups?
- Network components secured?
- Phone wiring secured?

Procedural: Windows 2000
These are based on the SANS "Securing Windows 2000" booklet.
- Least Privilege Principle: avoid granting unnecessary Admin privs.
- Limit Domain Trust.
- Restrict modems in workstations and servers.
- Limit access to sniffer software (Network Monitor).
- Keep system software updated.
- Update and practice a Recovery Plan.
- Require strong passwords.
- Require password protected screen savers.
- Establish Auditing and Review Policies.
- Require Administrators to have a User and an Administrator account.
- Require antivirus software.
- Install host based IDS.
- Perform periodic low-level security audits.

CIS Procedural Ruler Review
- Procedural rulers give you a starting point for determining your site's policy pie.
- These policies include acceptable use, privacy, incident response, accountability, backup and any other appropriate action.
- The CIS procedural ruler is a consensus list of practices done at the charter members' sites.

CIS Rulers for Solaris and Linux
- This section explains the items listed in the CIS Security Benchmarks for Solaris and Linux.
- The commands are very similar and the strategy is the same for both OS.
- We'll be hardening the Solaris system in the lab portion of this course.

CIS Level 1 Ruler: Unix
- Patches
- Key Security Tools Installed
- System Access, authentication, authorization
- User Accounts and Environment
- Kernel Level TCP/IP tuning
- Kernel Tuning
- Batch Utilities: at/cron
- UMASK issues
- File/Directory Permissions/Access
- System Logging
- SSH
- Minimize network services
- Minimize RPC network services
- Minimize standalone network services
- General Email Issues
- X11/CDE
- General Administration Policies
- Specific Servers: www, ftp, DB, Mail, NFS, Directory, Print, Syslog

CIS Level 1 Unix Ruler: Patches
- Define a regular procedure for checking, assessing, testing and applying the latest vendor recommended and security patches.
- Keep 3rd party application patches updated.
Why? The first line of defense is proper patch/Service Pack installation. Patches are living and need to be updated regularly.

CIS Level 1 Unix Ruler: Security Tools
These tools help decrease your detection time, D.
- Install the latest version of TCP Wrappers on appropriate network services
- SSH for login, file copy and X11 encryption
- Install a cryptographic file signature function to monitor changes in critical system binaries and config files (tripwire)
- Install Portsentry or similar personal FW software
- Run NTP or some other time sync tool
- Run "logcheck" or similar syslog analysis or monitoring tool
- Install the latest version of sudo

CIS Level 1 Unix Ruler: Access, Authorization
- No trusted hosts features: .rhosts, .shosts or /etc/hosts.equiv
- Create appropriate banner for any network interactive service
- Restrict direct root login to system console
- Verify shadow password file format is used
- Verify PAM configuration

CIS Level 1 Unix Ruler: Kernel TCP/IP Tuning
- System handling of ICMP packets is secured
- System handling of source routed packets secured
- System handling of broadcast packets secured
- Use strong TCP Initial Sequence Numbers
- Harden against TCP SYN Flood attacks

CIS Level 1 Unix Ruler: Kernel, Batch Utilities
- Enable kernel level auditing
- Enable stack protection
- Ensure ulimits are defined in /etc/profile and /etc/.login
- Restrict batch file access to authorized users
- Ensure cron files only readable by root or cron user

CIS Level 1 Unix Ruler: UMASK, File Perms, Access
- Set daemon umask to 022 or stricter
- Set user default umask (022 or 027)
- Console EEPROM password enabled?
- Check /dev entries for sane ownership and permissions
- Mount all filesystems RO or NOSUID
- All filesystems except / mounted NODEV

CIS Level 1 Unix Ruler: File Perms and Access
- Verify passwd, group, shadow file perms
- Verify SUID, SGID system binaries
- Disable SUID, SGID on binaries only used by root
- No world-writable dirs in root's search path
- Sticky bit set on all temp directories
- No NIS/NIS+ features in passwd or group files if NIS/NIS+ is disabled

See what we can find
  /usr/bin/find / -local -type f -name .rhosts -exec ls -al {} \; -exec cat {} \; 2>/dev/null   (.rhosts)
  /usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal {} \; 2>/dev/null   (SUID files)
  /usr/bin/find / -local -type f -user root -perm -2000 -exec ls -dal {} \; 2>/dev/null   (SGID files)
  find / \( -local -o -prune \) -perm -0002 -print   (world-writable)
  find / -name .netrc -print
  find / -perm -1000   (sticky bit)

Audit Report Example
Audit Method: ls -la (list files) against critical files to determine their permissions.
Finding: Several system configuration files in /etc are writable.
Risk Level: High
Security Implication: The /etc directory is critical for establishing the operating configuration of many system services including startup and shutdown. If an attacker is able to modify these files, it may be possible to subvert privileged operating system commands.
Recommendation: Change permissions of all files in /etc to be writable by root or bin only.

/dev Permissions Exhibit
  # ls -l /dev
  total 72
  -rwxr-xr-x   1 root     root      26450 Sep 24  1999 MAKEDEV
  crw-------   1 root     sys       14,  4 Apr 17  1999 audio
  crw-------   1 root     sys       14, 20 Apr 17  1999 audio1
  brw-rw----   1 root     disk      32,  0 May  5  1998 cm206cd
  crw--w--w-   1 root     root       5,  1 May 26 15:17 console
  brw-------   1 root     floppy     2,  1 May  5  1998 fd1
  brw-rw----   1 root     disk      16,  0 May  5  1998 gscd
  brw-rw----   1 root     disk       3,  0 May  5  1998 hda
  brw-rw----   1 root     disk       3,  1 May  5  1998 hda1
  brw-rw----   1 root     disk       3, 10 May  5  1998 hda10
  brw-rw----   1 root     disk       3, 11 May  5  1998 hda11
  brw-rw----   1 root     disk       3, 12 May  5  1998 hda12
  brw-rw----   1 root     disk       3, 13 May  5  1998 hda13
  brw-rw----   1 root     disk       3, 14 May  5  1998 hda14
  brw-rw----   1 root     disk       3, 15 May  5  1998 hda15
  brw-rw----   1 root     disk       3, 16 May  5  1998 hda16

World-Writable and SUID/SGID Files
Audit Method: Find commands were executed on the servers to locate all files with world-writable permissions and SUID/SGID permissions. The output was redirected to appropriate files for later analysis.
Finding: A large number of world-writable and SUID/SGID files were found on the server XYZ. Further, a number of files in the /usr, /opt and /var directories allow all users to have write permission.
Security Implication: World-writable files allow any user or an intruder to change the contents of a file, affecting information integrity. Also, for executable files, an intruder may replace the file with a trojan horse that can damage the system and its integrity. SUID/SGID files execute with the privilege of the owner/group. These can be subverted by an unauthorized user or intruder to escalate their privilege to those of the owner/group of the SUID/SGID file.
Risk Level: High
Recommendation: Review all world-writable and SUID/SGID files on the system. Using freeware tools like fix-modes or YASSP can facilitate identifying and correcting the permissions on files.
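The find-based audit above can be turned into a repeatable check that records a reviewed baseline of SUID/SGID and world-writable files and reports anything that later appears or disappears. This is an added example, not code from the slides; the directory to scan and the baseline file path are whatever the caller passes.

```shell
#!/bin/sh
# Added example (not from the slides). scan_tree lists SUID, SGID and
# world-writable regular files under a directory; make_baseline records the
# reviewed "approved" list; check_baseline reports drift against it.

# scan_tree DIR -> sorted "<mode> <path>" lines for regular files that are
# SUID (4000), SGID (2000) or world-writable (0002). Directories are skipped;
# the sticky bit on temp directories is a separate check. Paths are assumed
# not to contain spaces (ls output is split on whitespace).
scan_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        -exec ls -ld {} + 2>/dev/null | awk '{ print $1, $NF }' | sort
}

# make_baseline DIR BASELINE -> writes the approved list. Review the output
# by hand before trusting it: this only records what is there right now.
make_baseline() {
    scan_tree "$1" > "$2"
}

# check_baseline DIR BASELINE -> prints "+ <mode> <path>" for entries not in
# the baseline and "- <mode> <path>" for approved entries that are gone or
# changed mode. Returns 0 when the tree matches the baseline, 1 otherwise.
check_baseline() {
    cur="${TMPDIR:-/tmp}/scan.$$"
    scan_tree "$1" > "$cur"
    # comm needs both inputs sorted; scan_tree already sorts.
    diffs=$( { comm -13 "$2" "$cur" | sed 's/^/+ /'
               comm -23 "$2" "$cur" | sed 's/^/- /'; } )
    rm -f "$cur"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}
```

Store the baseline file somewhere the audited host cannot modify, and run check_baseline from cron so a new SUID binary or newly world-writable file shows up as a "+" line.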
After the review, create a list of all the remaining "approved" world-writable and SUID/SGID files on the system and store it in a secure place. Periodically, check the system against this list to identify changes and ensure that such changes are approved. NFS shared files, especially files in /usr, /opt and /var, should be exported read-only to specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like /tmp, /dev and /) should be mounted with the nosuid option to prevent the inadvertent granting of SUID privilege on NFS mounted files.

CIS Level 1 Unix Ruler: System Logging and SSH
- Capture messages sent to syslog AUTH facility (enable system logging)
- Copy syslogs to central syslog server
- Audit failed logins and SU attempts
- Enable system accounting
- Logins allowed via SSH only (no rsh, rlogin, ftp or telnet)

CIS Level 1 Unix Ruler: Reduce /etc/inetd.conf
- Disable name (UDP)
- Disable exec/rexec (TCP)
- Disable login/rlogin (TCP)
- Disable uucp (TCP)
- Disable systat (TCP)
- Disable netstat (TCP)
- Disable time (TCP/UDP)
- Disable echo (TCP)
- Disable discard (TCP/UDP)
- Disable daytime (TCP/UDP)
- Disable chargen (TCP/UDP)
- Disable rusersd (RPC)
- Disable sprayd (RPC)
- Disable rwall (RPC)
- Disable rstatd (RPC)
- Disable rexd (RPC)
- Use TCP Wrappers for all enabled network services (TCP/UDP)

Sample /etc/inetd.conf
  # Shell, login, exec, comsat and talk are BSD protocols.
  #shell   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rshd
  login    stream  tcp     nowait  root        /usr/sbin/tcpd  in.rlogind
  #exec    stream  tcp     nowait  root        /usr/sbin/tcpd  in.rexecd
  #comsat  dgram   udp     wait    root        /usr/sbin/tcpd  in.comsat
  talk     dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
  ntalk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
This is a fragment of /etc/inetd.conf where shell, login, talk, and ntalk probably should be commented out. Note the /usr/sbin/tcpd, so this system is probably running TCP Wrappers. More of the file is in the notes pages.

CIS Level 1 Unix Ruler: Restrict RPC
- Restrict NFS client requests to originate from privileged ports
- No filesystem should be exported with root access
- Export list restricted to specific range of addresses
- Export RO if possible
- Export NOSUID if possible
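One way to check an inetd.conf against the "Reduce /etc/inetd.conf" list above, as an added example that is not from the slides: it reports every enabled service, flags those on the Level 1 disable list, and shows whether each one runs through tcpd. It assumes the Solaris/Linux line layout (field 1 is the service, field 6 is the server program); the inetd.conf fragment inside it is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): audit an inetd.conf against the CIS
# Level 1 "Reduce /etc/inetd.conf" list and report TCP Wrappers coverage.

# Services the Level 1 ruler says to disable.
CIS_DISABLE="name exec login uucp systat netstat time echo discard daytime chargen rusersd sprayd rwall rstatd rexd"

# audit_inetd FILE -> one line per enabled (uncommented) service:
#   <service> <protocol> <DISABLE|ok> <wrapped|internal|UNWRAPPED>
audit_inetd() {
    awk -v list="$CIS_DISABLE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # commented out or blank: disabled
    NF >= 6 {
        svc = $1; sub(/\/.*/, "", svc)         # rusersd/2-3 -> rusersd (Solaris RPC)
        verdict = (svc in bad) ? "DISABLE" : "ok"
        if ($6 ~ /tcpd$/)          wrap = "wrapped"
        else if ($6 == "internal") wrap = "internal"   # inetd built-in, cannot be wrapped
        else                       wrap = "UNWRAPPED"
        print svc, $3, verdict, wrap
    }' "$1"
}

# count_findings FILE -> how many enabled services are on the disable list.
count_findings() {
    audit_inetd "$1" | awk '$3 == "DISABLE" { n++ } END { print n + 0 }'
}

# sample_inetd_conf -> constructed inetd.conf fragment (not a real host's file).
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample for the audit check
ftp         stream  tcp   nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet      stream  tcp   nowait  root  /usr/sbin/tcpd  in.telnetd
#shell      stream  tcp   nowait  root  /usr/sbin/tcpd  in.rshd
login       stream  tcp   nowait  root  /usr/sbin/tcpd  in.rlogind
echo        stream  tcp   nowait  root  internal
chargen     dgram   udp   wait    root  internal
rusersd/2-3 tli     rpc/datagram_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
EOF
}
```

On the sample, login, echo, chargen and rusersd come back DISABLE, and the two internal services plus rusersd are reported as not going through tcpd.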
CIS Level 1 Unix Ruler: Email, X11/CDE
- Use Sendmail v8.9.3 or later. (v8.11.6 is current 6/01/02)
- Restrict sendmail prog mailer
- Verify privileges and checksums for mail programs
- Ensure X server is started with Xauth
- Use SSH to access X programs on remote hosts

CIS Level 1 Unix Ruler: User Accts, Environment
- Enforce strong passwords
- No null passwords
- Remove root equivalent users (UID=0)
- No "." in root PATH
- No .files world or group writable
- Remove .netrc, .exrc, .dbxrc files
- User $HOME dirs should be
.5135: udp 21:07:16.66 .5135 .26617: udp 69
5135 is SGI Object Server with a known vulnerability

CIS Level 1 Ruler Review
- The previous action items should be done on any Unix system on your network regardless of its function.
- A similar checklist is being developed for Windows 2000.
- The Level 1 rulers impose a minimum security standard on all Unix and Windows 2000 systems.

CIS Level 2 Rulers
- Once Level 1 rulers have been applied, you pick the appropriate Level 2 ruler.
- This is very organization specific. What works at my site might not apply at yours.
- Additional services may be disabled if they aren't needed.
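The export rules from the Level 1 "Restrict RPC" ruler above (no root access, a specific host list, read-only and nosuid where possible) can be checked mechanically. This is an added example, not from the slides; it parses the Solaris /etc/dfs/dfstab "share" line format and the sample dfstab inside it is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): audit Solaris dfstab share lines
# against the Level 1 NFS export rules. Findings per share:
#   world-rw / world-ro  rw= or ro= with no host list (or no -o at all)
#   root-access          a root= option is present
#   writable             exported rw rather than ro
#   suid-allowed         nosuid is not set

# audit_dfstab FILE -> "<path> ok" or "<path> <finding> [<finding>...]"
audit_dfstab() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "share" {
        path = $NF; opts = ""
        for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        split("", seen)                         # clear the option table
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) {
            split(o[i], kv, "=")
            seen[kv[1]] = (kv[2] == "") ? "*" : kv[2]   # bare rw/ro means everyone
        }
        f = ""
        if (!("ro" in seen) && !("rw" in seen)) f = f " world-rw"   # default is rw to all
        if (("rw" in seen) && seen["rw"] == "*") f = f " world-rw"
        if (("ro" in seen) && seen["ro"] == "*") f = f " world-ro"
        if ("root" in seen)      f = f " root-access"
        if ("rw" in seen)        f = f " writable"
        if (!("nosuid" in seen)) f = f " suid-allowed"
        print path ((f == "") ? " ok" : f)
    }' "$1"
}

# count_clean FILE -> number of shares with no findings
count_clean() {
    audit_dfstab "$1" | awk '$2 == "ok" { n++ } END { print n + 0 }'
}

# sample_dfstab -> constructed /etc/dfs/dfstab (not a real host's file)
sample_dfstab() {
    cat <<'EOF'
# constructed sample for the audit check
share -F nfs -o ro=client1:client2,nosuid -d "read-only docs" /export/docs
share -F nfs -o rw=fileserver2,nosuid /export/home
share -F nfs -o rw,root=buildhost /export/build
share -F nfs /export/pub
EOF
}
```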
CIS Level 2 Ruler: Unix
- Kernel-level TCP/IP tuning
- Physical Console Security
- SSH
- Minimize network services
- Minimize RPC network services
- General email issues
- X11/CDE

CIS Level 2 Ruler: Unix
- Kernel Tuning: Network options for non-router machines. Disable multicast.
- Physical Console Security: Enable EEPROM password. Who knows it?
- SSH: Restrictively configure it.

CIS Level 2 Ruler: Unix
Minimize Network Services:
- Disable inetd entirely
- Disable FTP
- Disable Telnet
- Disable rsh/rlogin
- Disable comsat
- Disable talk
- Disable tftp
- Disable finger
- Disable sadmind
- Disable rquotad
- Disable CDE Tooltalk server (ttdbserverd)
- Disable RPC/UDP/TCP ufs
- Disable kcms_server
- Disable fontserver
- Disable cachefs service
- Disable Kerberos server
- Disable printer server
- Disable gssd
- Disable CDE dtspc
- Disable rpc.cmsd calendar server
- If FTP service is enabled, see additional Level 3 requirements for FTP servers
- If tftp is enabled, use the security option
- If sadmind is enabled, use the security option

CIS Level 2 Ruler: Unix
Minimize RPC network services:
- Disable NFS server
- Disable Automounter
- Disable NFS client services
- Add ports 2049, 4045 to privileged port list
- Disable NIS
- Disable NIS+
- Replace rpcbind with more secure version

CIS Level 2 Ruler: Unix
General Email Issues:
- Don't run sendmail on machines that don't receive mail
- Remove mail aliases which send data to programs (Vacation)
X11/CDE:
- Disable CDE if not needed
- Use the SECURITY extension for X-Server to restrict access

CIS Level 2 Ruler Review
Level 2 rulers are site specific. They a