One of the biggest cases of security incidents is a result of unpatched systems. The failure to patch vulnerable systems in a timely manner results in major risk to the organization.

The vast majority of security attacks and compromises across the Internet today are only successful because of the number of unpatched systems. This is especially the case with self propagating attacks (for example Worms) which rely on a combination of unpatched systems and poor Anti-Virus control processes to take hold initially and to subsequently propagate. Many of the Worms and Virus infections within organizations are still completed by “old” Malware which has had fixes associated with it for many years.

It is essential to develop patch deployment procedures that establish well defined processes within the organization to identify, test, and deploy patches as they are released. This step makes the patch maintenance process much more cost effective.

The patching of system vulnerabilities has become one of the most expensive and time-consuming recurring administrative tasks in the enterprise. The process is also prone to failure, as Viruses and Worms often use unpatched vulnerabilities as the initial entry point into a protected network, and then use other techniques for propagating once inside. Thus, any of the following factors could invalidate the process:

Unpatched systems can result in other costs to the organization:

Table 17.1 may be used as an example Business Application Patching Matrix for a UNIX system.

When you are developing a patch maintenance process, always ensure that the following points have been taken into account when patching security vulnerabilities:

Every morning the {systems operator} is to notify {Administrator/ Owner} of any new patches that have been released for the following products:

{Example Only – Add Products being monitored}

All URLs to any new patches that are released are to be forwarded through to the following people:

(Insert Contact Person)

Any new Security patches are then to be downloaded to http://intranet.company.com/Support/Patches

(Please note that if no new patches are available an e-mail is to be circulated to all communicating this.)

If a new patch is released, the system owner is to assign the release to a team member by sending an email to a team member designated as responsible for releasing the software to {Insert Group name} stating the following:

A new security patch called [patchname] has been downloaded and is available at http://Intrant.Company.com/Support/Patches{Patch.xxx}. Please install it on all relevant servers.

Note that once the patch is available, it must be released within four (4) hours of initially being downloaded or before noon on Monday if the issue was identified and a patch released over a weekend. Systems engineers should raise an Impact Item for this change (See Procedures for further details), test in QA, mail impacted parties as an informational stating a message similar to that shown in the following example:

All,

The following security patch will be released at [time]. I will be contacting some of you regarding this change to test for any application impact.

Please call me if you have any questions.

Regards [Engineer]

The following are a small selection of vendors that you may need to obtain patches from. It is essential that a complete list of all vendors utilized by the organization included in the UNIX patch procedures.

It is essential to always ensure that servers are hardened (that is, patched and unused services removed) prior to having a system “go live.” The auditor's role is to verify that any new system is configured against the baseline standard. A default install of nearly any Operating Systems leaves a vast number of services running which, at best, are feasible to never be used, or at worst, leave ports open to external break-ins. The first stage in removing unneeded services is to work out which services are running on a host and to decide which are essential services needed for the operation of the system. UNIX is no different. In fact, the primary difference with UNIX is that although it starts with many enabled services, it can be quite simple to turn these off and configure the host as a bastion running only a single service.

In many cases it is also possible to further restrict the individual services on the host. Many services are configurable with access control conditions or lists to further restrict the services needed on a host. A good example of this would be restricting access via SSH to an administrative LAN using the SSH server configuration directives. Client systems and desktops as well as Servers and network devices come installed with excessive services enabled by default which does not aid in securing a system. The removal of unnecessary services is needed. It is important to remember that this not only makes the system more secure but increases a system's efficiency and thus:

In this pursuit, netstat is one of the most effective tools available to the auditor. This tool lists all active connections in addition to the ports where programs are listening for connections. Simply use the command “netstat -p -a –inet” for a listing of this information. Note however that many versions of UNIX did not support the “netstat –p” option. Consequently on the systems it may be necessary to use other tools in order to find process information. Read your system manual for more information.

This process will vary dependant on the version of UNIX or Linux being run. Most settings are contained within configuration files though some UNIX's (such as HP-UX) have a registry system. Always ensure that you have thoroughly investigated the system that you are going to audit before you start the audit.

UNIX uses “portmap” to register Remote Procedure Call (RPC) programs. If an application wishes to connect to an RPC-based application, it will first query the portmapper for information about the application. This is done in order to save on low numbered ports. The portmapper allows multiple ports to be assigned as they are needed. Unfortunately, the portmapper service may be named in a variety of ways. For this reason it is essential that a checklist is created for your specific system. Many of the aforementioned sites such as SANS, CIS and NIST have created comprehensive lists dedicated to a number of operating systems. Portmapper may be designated under UNIX as portmap, rpc.bind, portmapper or several other possibilities.

The portmapper application is actually an RPC program as well. The distinction is that it always listens on ports 111 TCP and UDP. On certain operating systems such as Solaris, portmapper may also listen on some other high numbered ports. The role the portmapper service is to provide a directory services. These permit applications to register their versions and the port numbers such that applications that may query the portmapper to discover if the service is active and which port number it is associated with. This then allows the application to connect to that port.

The tool “rpcinfo” is a standard tool available on practically all varieties of UNIX. The primary commands that the auditor will need to know include:

Network services on UNIX start in a variety of different ways. A common method used by many applications is the “Super Daemon”. A daemon on a UNIX system is a process or service that is initiated and which subsequently continues to run without further interaction. It may initiate further actions from time to time or may wait for a network connection before taking any other action. SMTP (the mail daemon) is an example of such a service. The mail forwarder will bind socket (generally to TCP port 25) and wait for a connection from another mail server before it does anything.

The two super daemons are inetd and xinetd. inetd has no access control built into itself by default. It was the original version of the software. Although both versions may be found on most UNIX systems, the added functionality and increased security of xinetd makes it the better choice. The configuration of xinetd is not the same as that for inetd. Instead of a separate consideration file (as is used by inetd), xinetd relies on a particular directory (usually “/etc/xinetd.d”). This directory generally contains an individual confederation file for each of the services that are available and which are set to run at boot on the system. The auditor needs to note that services may be run even without a valid configurations file and in some instances services may not be running where there is a valid configurations file. In some instances services may have a configurations file that is marked “disable = yes”!

The primary reason for choosing xinetd over inetd is that xinetd integrates TCPWrappers into xinetd in order to allow access controls for the individual services. This means that access control through ACLs is offered by the “Super Daemon” without a requirement to call tcpd for each of the services as they are launched.

And the majority of systems (unless specially configured), inetd services will not have particularly strong authentication methods associated with them. Further, inetd –based services do not generally log individual accesses to syslog. TCPwrappers adds the capability to screen access based on the client's IP address creating a simple host-based firewall. This also has the capability to log both successful attempts to access the service and also failed attempts. These logs will contain the IP address of the system that has accessed or attempted to access the service. Configuring the access control lists (ACLs) used by TCPwrappers does potentially take some time and a fair bit of planning. The upside however is that once this file is in place and running the system will be far more secure. One of the key principles of defense in depth is to not rely on single points of failure. Your site may have firewalls at different points on the network, but the addition of access control lists on the system increase the security further for very little cost.

Connect-session statistics allow an organization to bill, track or charge access based on the tangible connect time. Connect-session accounting data, associated with user login and logout, is composed by the init and login commands. When a user logs into the UNIX system, the login program makes an entry in the “wtmp” file. This file will contain the following user information:

This data can be utilized in the production of reports containing information valuable to both the auditor and system administrator. Some of the information that can be extracted includes:

It is also possible to gather statistics about individual processes using system accounting. Some areas that may be collected include:

Many UNIX systems maintain statistical information in a “pacct” or process account database or accounting file. This database is commonly found in the “/var/adm/pacct” file, but like many UNIX log files, this will vary from system to system. The accounting file is used by many of the system and process accounting commands. When a process terminates, the kernel writes information explicit to the particular process into the “pacct” file. This file consists of the following information:

When system accounting is installed and running on a UNIX system, commands to display, report, and summarize process information will be available. Commands such as “ckpacct” can be used by the administrator or auditor to ensure that the process accounting file (“pacct”) remains under a set size and thus is stopped from either growing too large or possibly impacting system performance in other ways.

System accounting provides the ability for the auditor to receive information concerning the disk utilization of the users. As it is possible to restrict users to a specified disk usage limit, the auditor may need to validate usage through a disk quota system. This may be monitored and tested to ensure users are adhering to limits. This allows an unwary client to be charged fees that are correctly associated with another account. Disk usage commands perform three basic functions:

Note: it is necessary to be aware that users can avoid charges and quota restrictions for disk usage by changing the ownership of their files to that of another user. The “chown” command provides a simple method for users to change ownership of files. Coupled with the ability to set access permissions (such as through the use of the “chmod” command), a user could create a file owned by another party that they could still access.

Printer usage data is stored in the “qacct” file (this is commonly located in “/var/adm/qacct” on many systems though this varies). The “qacct” file is created using an ASCII format. The qdaemon writes ASCII data to the “qacct” file following the completion of a print job. This file records printer queue data from each print session and should at a minimum contain the following fields:

To accumulate accounting data, the UNIX system needs to have a number of command entries installed into the ““crontab” file (e.g. the “/var/spool/cron/crontabs/adm” file on many UNIX'es but this will change from system to system). The cron file of the adm user is configured to own the whole of the accounting files and processes. These commands have been designed to be run using cron in a batch mode. It is still possible to execute these commands manually from a command line or script.

The following system accounting commands may be run on either from the command line or in an automated startup script:

Manually executed commands are designed to be run from the command line. These commands provide various functions, as described in the following list:

The UNIX file system commonly distinguishes three classifications of users:

The previous section on access controls showed us how UNIX privileges and the access to files may be granted with access control lists (ACLs). The simplicity of the UNIX privilege system can make it extremely difficult to configure privileges in UNIX. Conversely it also makes them relatively simple to audit. The UNIX directory command, “ls –al” supplies the means to list all files and their attributes. The biggest advantage for an auditor is the capability to use scripting to capture the same information without having to actually visit the host. A baseline audit process may be created using tailored scripts that the audit team can save to a CD or DVD with statically linked binaries. Each time there is a requirement for an audit, the same process can be run. The benefits of this method are twofold. First, subsequent audits require less effort. Next, results of the audit can be compared over time. The initial order can be construed as a baseline and the results compared to future audits to both verify the integrity of the system and to monitor improvements. A further benefit of this method is that a comparison may be run from the tools on the system against the results derived from the tools on the disk.

Generally, it would be expected that no variation would result from the execution of either version of the tools. In the event that a Trojan or root kit found its way onto the server, the addition of a simple “diff” command would be invaluable. In the event that the diff command returned no output, it would be likely that no Trojan was on the system (excepting kernel and lower level software). If on the other hand there was a variation in the results, one would instantly know that something was wrong with the system.

The primary benefit of any audit control that may be scripted is that it also may be automated. The creation of such a script and the association for a predetermined configuration file for the script economizes the auditors of valuable time allowing them to cover a wider range of systems and provide a more effective service. The selection of what to audit for on a file system will vary from site to site. There are a number of common configuration files associated with each version of UNIX and also a number of files and directories common to any organization. The integration of best practice tools such as those provided (see the Appendixes for further details) by the Centre for Internet Security, SANS, NIST and the US Department of Defense provide a suitable baseline for the creation of an individual system audit checklist.

TCPwrappers works in conjunction with the “/etc/hosts.allow” and “/etc/hosts.deny” files in order to restrict access to specific network services. The configuration of these services is provided through separate allow or deny statements. Together, this allows for an extremely granular set of access control lists. As an example, the subsequent configurations file denies access to everyone (in “/etc/hosts.deny”) creating in effect a default deny rule. In the succeeding “/etc/hosts.allow” configuration file, access to chosen trusted hosts is selectively allowed.

Several other UNIX network applications and services have the ability to restrict access. The Apache web server can use the “access.conf” to restrict access at the directory-level to hosts and domains. Further, SSH incorporates the ability to restrict access to selective hosts and address ranges in the server configuration file.

Secure Shell (ssh) is a “program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels”. (Fsecure)

Ssh should always be used to replace all the first-generation tools such as telnet, rexec, rlogin and rcp. This is even more critical in insecure environments such as when used across the Internet as it is possible that an attacker could be eavesdropping on the network with packet sniffers. Older style protocols such as Telnet send authentication information and subsequent communications in clear text. Not only is there a problem with packet sniffing, but an attacker could also hijack the session.

Ssh provides the capability to offer public key encrypted tunnels that provide protection against packet sniffing and hijacked connections. These tunnels may be used to encapsulate other protocols allowing for the provision of secure X11 sessions and the capability to redirect TCP/IP ports. As such, other TCP/IP traffic may be encrypted through the introduction of an Ssh –based tunnel. There are both open source and commercial Ssh clients and server software for UNIX. In addition, Windows and Macintosh clients also exist in both the commercial and open source realms.

It is essential to identify network services running on a UNIX host as a part of any audit. To do this, the auditor needs to understand the relationship between active network services, local services running on the host and be able to identify network behavior that occurs as a result of this interaction. There are a number of tools available for any UNIX system that the auditor needs to be familiar with.

The tool provided within Solaris UNIX for tuning kernel parameters is the command “ndd”. This is far more limited with respect to kernel tuning as Solaris “ndd” only supports the TCP/IP kernel drivers. This tool is valuable to the auditor as it can be used not only to set the values of parameters for these drivers, but also to display the current configuration.

The tar command is short for tape archiving, the storing of entire file systems onto magnetic tape, which was the origin of the command. However, the command has become a tool to simply combine a few files into a single file allowing for straightforward storage and distribution of backups, archives and even applications.

The process used to combine multiple files (and remember, directories are also files in UNIX) into a single file is supplied by the command:

The “f” parameter lets “tar” know that you want to create a tape archive and not to just concatenate a number of files. The “v” parameter places “tar” into verbose mode which reports all files as they are added.

The command to split an archive created by tar into separate files, at the shell prompt is:

The UNIX man pages tell us that “The dump utility is best suited for use in shell scripts, whereas the elfdump(1) command is recommended for more human-readable output.”

This command is an effective means of backing up a UNIX system. See the man pages for the version of UNIX being reviewed for details.

The command “dd” is a widespread UNIX command with the primary purpose of providing low-level (actually bit level) copying and conversion of raw data. “dd” is an abbreviation for “data definition”. This command is used in digital forensics as it can create a “byte-exact” copy of a file, drive sector or even an entire drive (even the deleted files).

Some people have termed “dd” with the name “destroy disk” and “delete data” due to its capability to also write an image back to a drive. This provides the capability to both recover a drive (by restoring an image to another disk) or to “wipe” a disk. The wipe process is accomplished by sending either random data (/dev/random) or zeros (/dev/null) to the drive through “dd”. This is mainly a concern to an auditor in case of forensic audits for investigations or in ensuring that the system administrators are correctly destroying drives that are destined to leave the organization. Many regulations and standards (such as HIPAA and PCI-DSS) require a process to ensure that data has been cleansed. Using “dd” can achieve this.

To use your custom distribution, the first step involves mounting the CD or DVD as a file system. The next stage involves starting a “clean” shell and then setting the application search paths and library load paths. If you don't do this and you forget (or do not use) the complete directory listing when calling an application (for example calling “/bin/sh” against typing “sh” to start a shell), you cannot take reliance as to the security and integrity of the binaries and libraries being called. An example of this process is listed below:

When mounting the CD or DVD also ensure that you have called the device and not just assumed that this is set up correctly. It is possible that a rootkit could intercept mount function calls. Although an attacker could still bypass, this methodology is much more difficult.

Ensuring that the hardware integrity is maintained at an acceptable level requires that the physical environment is adequately secured. This involves controlling access to hardware resources. Theft, damage to resources and unauthorized access to data are all likely occurrences if the hardware has not been protected from physical intrusions.

Local access to any UNIX server will enable an attacker to gain local access to the system with little effort. Consequently, an attacker could gain access to the super user account and potentially install a backdoor rootkit onto the system. Attackers can bypass physical security in a number of ways including:

Additionally, it is good practice to limit access to selected physical locations. If an attacker is able to gain access to these locations, meant escalation to superuser would be easier.

Maintaining the integrity of the UNIX operating system requires frequent patching, inspection of installed programs and security measures such as limiting access to network ports. To ensure that the operating system has not been compromised it is essential that an integrity program such as AIDES or Tripwire is regularly run over the executables stored on the system. It is important to ensure that the integrity database is maintained offline. If an attacker is able to access these files it is possible that they could change them rendering the interior method useless.

Integrity check tools work by maintaining a hash database of the various files. Another way of doing this would be to automate checks using a read-only source that can be mounted periodically and set to send out alerts if any files have changed without authorisation. One of the key controls necessary in maintaining system integrity is the use of secured and trusted time sources.

There are a number of standards that help in providing the concepts necessary for evaluating a site's data integrity requirements. A number of these will be provided in the section at the end of this chapter covering the creation of a checklist for UNIX. It is not possible to cover the level integrity in detail outside an individual organization as a requirement will vary not only from site to site but from server to server and over time. The creation and maintenance of and effective process is necessary to ensure the continued maintenance of a site's data integrity.

In making a checklist investigate the various techniques that may be used to help ensure security of the data residing on a UNIX system.

Effective use of the find command can make any audit engagement much simpler. Some key points to consider when searching for files are detailed below:

CIS provides a large number of Benchmarks for not only UNIX but many other systems (and is consistently mentioned throughout this book). CIS offers both Benchmarks and also a number of tools that may be used to validate a system. The site is www.cisecurity.org

The site has a number of benchmarks and standards for not only generic UNIX'es but also specific types (such as HP-UX, Solaris, and Redhat Linux).

The SANS Institute has a wealth of information available that will aid in the creation of a checklist as well as many documents that detail how to run the various tools.

The SANS reading room (www.sans.org/reading_room/) has a number of papers that have been made freely available:

SANS Score (Security Consensus Operational Readiness Evaluation) is directly associated with CIS.

The US Government (through the NSA, DISA and NIST) has a large number of security configuration guidance papers and Benchmarks.

As shown in Figure 17.5, NIST runs the US “National Vulnerability Database” (see http://nvd.nist.gov/chklst_detail.cfm?config_id=58), which is associated with the UNIX Security Checklist from DISA (http://iase.disa.mil/stigs/checklist).