安徽省商品住宅銷售Title

1、Building Your IT Security ChecklistSample checklist/audit plans for Unix, NT and Windows 2000 Active Directory1What have we just done?uThe Top 20 threats meet our risk criteria:Have a high probability of occurringResult in the loss of a critical serviceBe extremely expensive to fix laterResult in he

2、avy, negative publicity2Applying TBS to the real world!nTBS = Time Based SecuritynTop Ten Vulnerabilities, the vulnerabilities responsible for most hacksnApply TBS as an approach to an effective understandable security policynBasicsnPerimeternUnixnNTnWindows 20003The TBS Audit LayersnA complete IT a

3、udit/security checklist is a set of component audits/checklists. You should be able to measure E, D and R times for each layer of the security architecture.nComponentsnProcedural: E = D+RnPerimeter(Firewall): E = D+RnUNIX: E = D+RnNT/Windows 2000: E =D+R4CIS Rulers5CIS Rulers: A Security and Audit C

4、hecklistnLevel 1 nMandatory Actions required regardless of the hosts location or function.nLevel 2nDependent on your network topologynDifferent for switched nets vs. shared nets vs. wireless nets, etc.6CIS Rulers: Security Checklist & Audit PlanFTP WWW DB MailSwitched Wireless Non SwitchedLEVEL

5、1Level 3Level 27CIS Rulers: ProceduralnGeneral Administration PoliciesnKey security tool installednUser Accounts and environmentnSystem LogsnNetwork File sharingnGeneral Email IssuesnThis review is done during the Audit Planning Phase of the audit process8CIS Ruler: ProceduralnGeneral Administration

6、 PoliciesnAcceptable Use PolicynBackup PolicynSecurity Administrator dutiesnWhois Contact Information (Tech/Admin)nSystem changelogs (Source Revision Control)nIncident ResponsenMinimum software requirementsnUser, temp, system account policiesnPatches9CIS Ruler Example: Backups Does a backup policy e

7、xist? Do backup logs exist? What data is backed up How often data is backed up Type of backup (full, differential, etc.) How the backups are scheduled and verified How the backup media is handled and labeled How the backup media is stored How long the backup media is retained How backup media is rot

8、ated and expired How backup data is recovered 10CIS Ruler: ProceduralnKey security tools installednNetwork routers implement minimum filtering requirementsnVerify network routers are properly configured and monitored for in/out trafficnAre all firewalls properly configured and monitored for in/out t

9、rafficnThe above rules prevent DDOS attacks from affecting other nets.11CIS Ruler: ProceduralnUser Accounts and EnvironmentnRemove obsolete user entries from systemnSystem LogsnHow long are they kept? Are they secured?nNetwork file sharingnReview what filesystems this system can accessnReview what f

10、ilesystems this system exportsnEmail PolicynAbuse Policy?12CIS Ruler: Written Documentation, PoliciesuWhere is it?uIs it available to anyone that needs it?uIs it up to date?uIs anything major missing (SGI policies, but no HP policies)?13CIS Ruler Example: Security PolicynPurpose - the reason for the

11、 policy.nRelated documents lists any documents (or other policy) that affect the contents of this policy.nCancellation - identifies any existing policy that is cancelled when this policy becomes effective.nBackground - provides amplifying information on the need for the policy.14CIS Ruler:nScope - s

12、tates the range of coverage for the policy (to whom or what does the policy apply?).nPolicy statement - identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be

13、prudent, expedient, and/or advantageous to the organization.nAction - specifies what actions are necessary and when they are to be accomplished.nResponsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be r

14、eviewed and updated.15Procedural: Incident Response Plan nAre the six Incident Response steps covered?nPreparationnIdentificationnContainmentnEradicationnRecoverynLessons Learned (if there are no lessons learned documents either the plan isnt followed or no incidents have occurred).16Procedural: Tra

15、ining & EducationnDo technical people have the training to do their job competently?nAre there standards their skills can be measured against?nAre there standards of compliance that ensure they are using their training in accordance with policy?17Procedural: Physical SecuritynConsoles in physica

16、lly secure areas?nFire suppression?nBackups? Offsite backups?nNetwork components secured?nPhone wiring secured?18Procedural: Windows 2000nThese are based on the SANS “Securing Windows 2000” booklet.nLeast Privilege PrinciplenAvoid granting unnecessary Admin privs.nLimit Domain Trust.nRestrict modems

17、 in workstations and servers.nLimit access to sniffer software (Network Monitor).19Procedural: Windows 2000nKeep system software updated.nUpdate and Practice a Recovery Plan.nRequire strong passwords.nRequire password protected screen savers.nEstablish Auditing and Review Policies.nRequire Administr

18、ators to have a User and Administrator account.nRequire antivirus software.nInstall host based IDS.nPerform periodical low-level security audits.20CIS Procedural Ruler ReviewnProcedural rulers give you a starting point for determining your sites policy pienThese policies include acceptable use, priv

19、acy, incident response, accountability, backup and any other appropriate actionnThe CIS procedural ruler is a consensus list of practices done at the charter members sites.21CIS Rulers for Solaris and LinuxnThis section explains the items listed in the CIS Security Benchmarks for Solaris and Linux.n

20、The commands are very similar and the strategy is the same for both OS.nWell be hardening the Solaris system in the lab portion of this course.22CIS Level 1 Ruler: UnixnPatchesnKey Security Tools InstallednSystem Access, authentication, authorizationnUser Accounts and EnvironmentnKernel Level TCP/IP

21、 tuningnKernel Tuning23CIS Level 1 Ruler: UnixnBatch Utilities: at/cronnUMASK issuesnFile/Directory Permissions/AccessnSystem LoggingnSSHnMinimize network services24CIS Level 1 Ruler: Unix25CIS Level 1 Unix Ruler - PatchesnDefine a regular procedure for checking, assessing, testing and applying the

22、latest vendor recommended and security patches.nKeep 3rd party application patches updated.nWhy?nThe first line of defense is proper patch/Service Pack installation.nPatches are living and need to be updated regularly26CIS Level 1 Unix Ruler: Security ToolsnThese tools help decrease your detection t

23、ime, DnInstall the latest version of TCP Wrappers on appropriate network servicesnSSH for login, file copy and X11 encryptionnInstall crypto file signature function to monitor changes in critical system binaries and config files (tripwire)27CIS Level 1 Unix Ruler: Security ToolsnInstall Portsentry o

24、r similar personal FW softwarenRun NTP or some other time sync toolnRun “l(fā)ogcheck” or similar syslog analysis or monitoring toolnInstall the latest version of sudo28CIS Level 1 Unix Ruler: Access, AuthorizationnNo trusted hosts features: .rhosts, .shosts or /etc/hosts.equivnCreate appropriate banner

25、 for any network interactive servicenRestrict direct root login to system consolenVerify shadow password file format is usednVerify PAM configuration29CIS Level 1 Unix Ruler: Kernel TCP/IP TuningnSystem handling of ICMP packets is securednSystem handling of source routed packets securednSystem handl

26、ing of broadcast packets securednUse strong TCP Initial Sequence NumbersnHarden against TCP SYN Flood attacks30CIS Level 1 Unix Ruler: Kernel , Batch UtilitiesnEnable kernel level auditingnEnable stack protectionnEnsure ulimits are defined in /etc/profile and /etc/.loginnRestrict batch file access t

27、o authorized usersnEnsure cron files only readable by root or cron user31CIS Level 1 Unix Ruler: UMASK, File Perms, AccessnSet daemon umask to 022 or stricternSet user default umask (022 or 027)nConsole EEPROM password enabled?nCheck /dev entries for sane ownership and permissionsnMount all filesyst

28、ems RO or NOSUIDnAll filesystems except / mounted NODEV32CIS Level 1 Unix Ruler: File Perms and AccessnVerify passwd, group, shadow file permsnVerify SUID, SGID system binariesnDisable SUID, SGID on binaries only used by rootnNo World-write dirs in roots search pathnSticky bit set on all temp direct

29、oriesnNo NIS/NIS+ features in passwd or group files if NIS/NIS+ is disabled33See what we can find /usr/bin/find / -local -type f -name .rhosts -exec ls -al ; -exec cat ; 2 (.rhosts) /usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal ; 2 (SUID files) /usr/bin/find / -local -type f -u

30、ser root -perm -2000 -exec ls -dal ; 2 (SGID files) find /(-local o prune) -perm 000002 print find /name .netrc -print find / -perm 1000 34Audit Report ExampleAudit MethodLs la (list files) against critical files to determine their permissionsFindingSeveral system configuration files in /etc are wri

31、tableRisk Level: HighSecurity Implication The /etc directory is critical for establishing the operating configuration of many system services including startup and shutdown. If an attacker is able to modify these files, it may be possible to subvert privileged operating system commands.Recommendatio

32、n Change permissions of all files in /etc to be writable by root or bin only.35/dev Permissions Exhibit# ls l /devtotal 72-rwxr-xr-x 1 root root 26450 Sep 24 1999 MAKEDEVcrw- 1 root sys 14, 4 Apr 17 1999 audiocrw- 1 root sys 14, 20 Apr 17 1999 audio1brw-rw- 1 root disk 32, 0 May 5 1998 cm206cdcrw-w-

33、w- 1 root root 5, 1 May 26 15:17 consolebrw- 1 root floppy 2, 1 May 5 1998 fd1brw-rw- 1 root disk 16, 0 May 5 1998 gscdbrw-rw- 1 root disk 3, 0 May 5 1998 hdabrw-rw- 1 root disk 3, 1 May 5 1998 hda1brw-rw- 1 root disk 3, 10 May 5 1998 hda10brw-rw- 1 root disk 3, 11 May 5 1998 hda11brw-rw- 1 root dis

34、k 3, 12 May 5 1998 hda12brw-rw- 1 root disk 3, 13 May 5 1998 hda13brw-rw- 1 root disk 3, 14 May 5 1998 hda14brw-rw- 1 root disk 3, 15 May 5 1998 hda15brw-rw- 1 root disk 3, 16 May 5 1998 hda1636World-Writeable and SUID/SGID FilesAudit MethodFind commands were executed on the servers to locate all fi

35、les with world-writeable permissions and SUID/SGID permissions. The output was redirected to appropriate files for later analysis. FindingA large number of world-writeable and SUID/SGID files were found on the server XYZ. Further, a number of files in the /usr, /opt and /var directories allow all us

36、ers to have write permission. Security Implication World-writeable files allow any user or an intruder to change the contents of a file, effecting information integrity. Also, for executable files, an intruder may replace the file with a trojan horse that can damage the system and its integrity. SUI

37、D/SGID files execute with the privilege of the owner/group. These can be subverted by an unauthorized user or intruder to escalate their privilege to those of the owner/group of the SUID/SGID file. Risk Level: High Recommendation Review all world-writeable and SUID/SGID files on the system. Using fr

38、eeware tools like fix-modes or YASSP can facilitate identifying and correcting the permissions on files. After the review, create a list of all the remaining “approved” World-writeable and SUID/SGID files on the system and store in a secure place. Periodically, check the system against this list to

39、identify changes and ensure that such changes are approved. NFS shared files, especially files in /usr, /opt and /var should be exported read-only to specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like /tmp, /dev and /) should be mounted with the nosuid

40、 option to prevent the inadvertent granting of SUID privilege on NFS mounted files.37CIS Level 1 Unix Ruler: System Logging and SSHnCapture messages sent to syslog AUTH facility (enable system logging)nCopy syslogs to central syslog servernAudit failed logins and SU attemptsnEnable system accounting

41、nLogins allowed via SSH only (no rsh, rlogin, ftp or telnet)38CIS Level 1 Unix Ruler: Reduce /etc/inetd.confnDisable name (UDP)nDisable exec/rexec (TCP)nDisable login/rlogin (TCP)nDisable uucp (TCP)nDisable systat (TCP)nDisable netstat (TCP)nDisable time (TCP/UDP)39CIS Level 1 Unix Ruler: Reduce /et

42、c/inetd.confnDisable echo (TCP)nDisable discard (TCP/UDP)nDisable daytime (TCP/UDP)nDisable chargen (TCP/UDP)nDisable rusersd (RPC)nDisable sprayd (RPC)nDisable rwall (RPC)40CIS Level 1 Ruler: Reduce /etc/inetd.confnDisable rstatd (RPC)nDisable rexd (RPC)nUse TCP Wrappers for all enabled network ser

43、vices (TCP/UDP)41Sample /etc/inetd.conf# Shell, login, exec, comsat and talk are BSD protocols.#shell stream tcp nowait root /usr/sbin/tcpd in.rshdlogin stream tcp nowait root /usr/sbin/tcpd in.rlogind#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd#comsat dgram udp wait root /usr/sbin/tcpd sat

44、talk dgram udp wait nobody.tty /usr/sbin/tcpd in.talkdntalk dgram udp wait nobody.tty /usr/sbin/tcpd in.ntalkdThis is a fragment of /etc/inetd.conf where shell, login, talk, and ntalk probably should be commented out. Note the /usr/sbin/tcpd so this system is probably running tcpwrappers. More of th

45、e file is in the notes pages.42CIS Level 1 Unix Ruler: Restrict RPCnRestrict NFS client request to originate from privileged portsnNo filesystem should be exported with root accessnExport list restricted to specific range of addressesnExport RO if possiblenExport NOSUID if possible43CIS Level 1 Unix

46、 Ruler: Email, X11/CDEnUse Sendmail v8.9.3 or later. (v8.11.6 is current 6/01/02)nRestrict sendmail prog mailernVerify privileged and checksums for mail programsnEnsure X server is started with XauthnUse SSH to access X programs on remote hosts44CIS Level 1 Unix Ruler: User Accts, EnvironmentnEnforc

47、e strong passwordsnNo null passwordsnRemove root equivalent users (UID=0)nNo “.” in root PATHnNo .files world or group writablenRemove .netrc, .exrc, .dbxrc filesnUser $HOME dirs should be .5135: udp 21:07:16.66 .5135 .26617: udp 695135 is SGI Object Server with a known vulnerability46CIS Level 1 Ru

48、ler ReviewnThe previous action items should be done on any Unix system on your network regardless of its functionnA similar checklist is being developed for Windows 2000.nThe Level 1 rulers impose a minimum security standard on all Unix and Windows 2000 systems.47CIS Level 2 RulersnOnce Level 1 rule

49、rs have been applied, you pick the appropriate Level 2 ruler.nThis is very organization specific. What works at my site might not apply at yours.nAdditional service may be disabled if they arent needed.48CIS Level 2 Ruler: UnixnKernel-level TCP/IP tuningnPhysical Console SecuritynSSHnMinimize networ

50、k servicesnMinimize RPC network servicesnGeneral email issuesnX11/CDE49CIS Level 2 Ruler: UnixnKernel TuningnNetwork options for non-router machinesnDisable multicastnPhysical Console SecuritynEnable EEPROM password. Who knows it?nSSHnRestrictively configure it50CIS Level 2 Ruler: UnixnMinimize Netw

51、ork ServicesnDisable inetd entirelynDisable FTPnDisable TelnetnDisable rsh/rloginnDisable comsatnDisable talknDisable tftp51CIS Level 2 Ruler: UnixnMinimize network servicesnDisable tftpnDisable fingernDisable sadminnDisable rquotadnDisable CDE Tooltalk server (ttdbserverd)nDisable RPC/UDP/TCP ufsnD

52、isable kcms_server52CIS Level 2 Ruler: UnixnDisable fontservernDisable cachefs servicenDisable Kerberos servernDisable printer servernDisable gssdnDisable CDE dtspcnDisable rpc.cmsd calendar server53CIS Level 2 Ruler: UnixnMinimize Network ServicesnIf FTP service is enabled, see additional level 3 r

53、equirements for FTP serversnIf tftp is enabled, use the security optionnIf sadmind is enabled, use the security option54CIS Level 2 Ruler: UnixnMinimize RPC network servicesnDisable NFS servernDisable AutomounternDisable NFS client servicesnAdd ports 2049, 4045 to privileged port listnDisable NISnDi

54、sable NIS+nReplace rpcbind with more secure version55CIS Level 2 Ruler: UnixnGeneral Email IssuesnDont run sendmail on machines that dont receive mailnRemove mail aliases which send data to programs (Vacation)nX11/CDEnDisable CDE if not needednUse the SECURITY extension for X-Server to restrict acce

55、ss56CIS Level 2 Ruler ReviewnLevel 2 rulers are site specific.nThey are more sensitive to vendor software requirements. For example, a vendor product may require that you enable the dreaded r-commands. You have no choice so you keep an eye on that vulnerability.nThey may impose stricter standards.57

56、CIS Unix Ruler ReviewnCIS Rulers are a good starting point for developing a Unix audit plan. Solaris, Linux, HP-UX available, AIX under review, CISCO router under reviewnLevel 1 ruler defines minimum security standards for all Unix systemsnLevel 2-3 rulers are more network and function specificnProc

57、edural rulers address policy issues58SummarynThe CIS benchmark document and scanning tool is an excellent resource you should use immediately to strengthen the security of your Solaris and Linux systems.nThe scanning tool provides you with a simple score that you can use to present to management.59L

58、ab ExercisenLets apply the steps in the CIS benchmark to the demonstration system.nWell run the scanning tool to get a baseline, make our mods and rerun the scanning tool to measure our progress.60Appendix 1Audit Checklists forWindowsThe SANS Institute61W2K CIS RulersnCIS Rulers have been developed

59、for Windows 2000 and NT systemsnFormat is similar to the Unix rulers (levels 1-3)nLevel 2, IIS benchmarks are in test at present.nTheyre free!62Sample Windows 2000 Level 2 Ruler63Sample VT Level 2 Ruler: Active Directory ROEnThe Child domain must have at least 1 fulltime peer BDC for the child domai

60、nnThe child domain controllers must meet Microsofts minimum computer hardware requirementsnNo 3rd party of Microsoft add-on software are allowed on child domain controllersnIIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services64Sample VT Level 2 Ruler: A