IT Audit Preparation
2006-08-21
Presentation Conventions
Names (files, users, daemons) are usually in bold:
/etc/syslog.conf
System dependent or variable items are usually in italics:
/var/sadm/patch/patchnumber/log
File entries and output are in mono-spaced type:
>  root 8036 c Tue Apr 26 23:59:00 2005
<  root 8036 c Tue Apr 26 23:59:59 2005
marks a line wrapped to fit on the slide:
mv Solaris_9_Recommended_Patch_Cluster_log
Solaris_9_Recommended_Patch_Cluster_log.yyyymmdd
marks a horizontal tab (09 hex)
Reference OE (operating environment) is Solaris 9.
Introduction
Suggestions for preparing your system before running the
script from the auditor's office and before the auditor's
port scan.
Based on the script supplied by the schools most recently
audited; the script name is comcol06.
The primary focus is on passing the audit, not on making
your system more secure.
Introduction continued
Comments within the script help explain what the
auditors are looking for, but sometimes you may
have to guess.
References to ‘website’ refer to IIPS page
http://nciips.cc.nc.us/Standards.html section
“Helpful information and scripts for your
next audit”
Solution Methods
Single-shot command, e.g. find … -exec … (usually not
recommended). If you use one, keep a log of what you
have done, since there is no other record of the change.
Ad-hoc custom scripts
Sun applications such as Solaris® Security
Toolkit, or individual Sun scripts from the toolkit
(fixmodes, nddconfig, etc.)
Third-party security applications: YASSP, TITAN
(4.0 for Solaris 9), etc.
Cfengine configuration program.
Script lines 1 – 37: Introduction
Notes on how to execute; the directions still refer to
the previous version of the file (comcol05).
Prints host name, domain name, etc.
Script lines 38 – 48: list /etc/syslog.conf
Presumably looking at the configuration to see whether the
system logs repeated login failures. login(1) sends its
failed-login messages to syslog as auth.notice (see
SYSLOG_FAILED_LOGINS in /etc/default/login), so what matters
is where the auth.notice selector is directed.
*.err;kern.notice;auth.notice	/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
Default /etc/syslog.conf line 12:
*.err;kern.notice;auth.notice	/dev/sysmsg
Note that in the default file auth.notice goes only to /dev/sysmsg
(the console); the *.err selector on the /var/adm/messages line
does not include notice-level messages, so nothing on disk
captures the failed logins unless a line for auth.notice is added.
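As an added example (not part of the original slides or of the comcol06 script), the following POSIX sh functions resolve syslog.conf selectors the way syslogd does, so you can ask "which actions receive auth.notice?" for a given file. The sample file is constructed here in the layout of the Solaris 9 default (the m4 ifdef(`LOGHOST', …) wrapper on the commented-out authlog line is omitted); the functions take the file path as a parameter, so they can be pointed at the real /etc/syslog.conf. Tabs between selector and action are assumed, as syslog.conf(4) requires.

```shell
#!/bin/sh
# Added example: resolve syslog.conf selectors for one facility.level.
# Assumes selector<TAB>action lines; selectors are facility.level pairs
# joined by ';', '*' matches every facility, 'none' drops the facility
# on that line, and the last selector naming a facility wins.

# level_num NAME -> numeric priority (0 = emerg is the most severe)
level_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo 99 ;;   # unknown level: matches no message
    esac
}

# actions_for FILE FACILITY LEVEL -> one action per line whose selectors
# accept messages of that facility and level.  "fac.lvl" accepts the
# message when lvl is the same as or less severe than the message level,
# i.e. its number is >= the message's number.
actions_for() {
    file=$1; want_fac=$2; want=$(level_num "$3")
    tab=$(printf '\t')
    while IFS="$tab" read -r selectors action _rest; do
        case $selectors in ''|\#*) continue ;; esac   # blank or comment
        hit=0
        rest=$selectors
        while [ -n "$rest" ]; do                      # split on ';' without globbing
            sel=${rest%%;*}
            case $rest in *\;*) rest=${rest#*;} ;; *) rest='' ;; esac
            fac=${sel%%.*}; lvl=${sel#*.}
            [ "$fac" = "$want_fac" ] || [ "$fac" = '*' ] || continue
            if [ "$lvl" = none ]; then hit=0
            elif [ "$(level_num "$lvl")" -ge "$want" ]; then hit=1
            else hit=0
            fi
        done
        if [ "$hit" = 1 ]; then printf '%s\n' "$action"; fi
    done < "$file"
}

# write_default_syslog PATH: constructed copy of the Solaris 9 default lines
write_default_syslog() {
    {
        printf '# constructed sample in the layout of the Solaris 9 default syslog.conf\n'
        printf '%s\t%s\n' '*.err;kern.notice;auth.notice' '/dev/sysmsg'
        printf '%s\t%s\n' '*.err;kern.debug;daemon.notice;mail.crit' '/var/adm/messages'
        printf '%s\t%s\n' '*.alert;kern.err;daemon.err' 'operator'
        printf '%s\t%s\n' '*.alert' 'root'
        printf '%s\t%s\n' '*.emerg' '*'
        printf '#%s\t%s\n' 'auth.notice' '/var/log/authlog'
    } > "$1"
}

# add_authlog FILE: append the hardening line that keeps auth.notice (and
# more severe) in a file; the stock file ships it commented out.
add_authlog() {
    printf '%s\t%s\n' 'auth.notice' '/var/log/authlog' >> "$1"
}

# Stand-alone demonstration: default routing, then after the added line.
conf=${TMPDIR:-/tmp}/syslog.conf.example.$$
write_default_syslog "$conf"
echo "auth.notice (default):";  actions_for "$conf" auth notice
add_authlog "$conf"
echo "auth.notice (with authlog line):"; actions_for "$conf" auth notice
rm -f "$conf"
```

On the default file the only action for auth.notice is /dev/sysmsg; after the added line it is /dev/sysmsg and /var/log/authlog, while auth.crit already reaches /var/adm/messages through *.err. On Solaris 9, create /var/log/authlog (owner root:sys, mode 600) before restarting, since syslogd does not create missing files, then send syslogd a HUP (pkill -HUP syslogd) to reread the configuration.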
Patchadd is terminating.
Script lines 71 – 86: list /etc/inetd.conf
Checking to see whether services with known
vulnerabilities have been commented out.
inetd.conf is the configuration file for the inetd
daemon.
inetd is the server process for some Internet
standard services (but not all).
It starts a service only when a request for it arrives,
and only if the service is listed in inetd.conf.
This file will therefore also affect the auditor's port
scan: every uncommented entry is a port inetd listens on.
List /etc/inetd.conf continued
Two types of services are listed in inetd.conf:
Standard socket-based services that use the
well-known port numbers; these match the
service name listed in /etc/services.
Non-standard services that have no well-known port of
their own and are reached by name through the TCP Port
Service Multiplexer (TCPMUX, RFC 1078) on port 1.
TCPMUX services are not RPC services: RPC entries are a
separate kind of line (name/version with an rpc/… protocol
field) and are registered with rpcbind, as described below.
List /etc/inetd.conf continued
For example the inetd.conf entry
shell	stream	tcp	nowait	root	/usr/sbin/in.rshd	in.rshd
corresponds to the /etc/services entry:
shell	514/tcp
A request on TCP port 514 will result in inetd running
the remote shell daemon in.rshd, found in /usr/sbin, as
root. Commenting the line out is what removes the
service (and the open port); inetd only rereads the
file when it is sent a HUP signal.
List /etc/inetd.conf continued
An RPC entry follows the service name with a '/' and
the version number(s), and uses an rpc/… protocol
field. For example the inetd.conf entry
rquotad/1	tli	rpc/datagram_v	wait	root	/usr/lib/nfs/rquotad	rquotad
is the entry for UFS disk quotas for NFS clients.
rpcbind listens on port 111 and maps the program name
(or number) and version to the port inetd registered for
it, so RPC services show up in a port scan on high,
variable ports rather than on fixed well-known ones;
rpcinfo -p lists what is currently registered.
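As an added example (not part of the original slides or of the comcol06 script), the following POSIX sh/awk functions join the enabled standard entries of an inetd.conf with /etc/services to predict the fixed ports the auditor's scan will find, and list the RPC entries separately because their ports are assigned at registration time. Both input files are constructed here as short excerpts in Solaris 9 format; the functions take file paths as parameters so they can be run against the real /etc/inetd.conf and /etc/services.

```shell
#!/bin/sh
# Added example: what the auditor's port scan will see from inetd.conf.
# Assumes inetd.conf fields are whitespace separated (name, type, proto,
# wait, user, program, args) and that '#' starts a comment.

# write_samples INETD SERVICES: constructed excerpts, not the real files
write_samples() {
    cat > "$1" <<'EOF'
# constructed inetd.conf excerpt
ftp      stream  tcp6           nowait  root    /usr/sbin/in.ftpd        in.ftpd -a
telnet   stream  tcp6           nowait  root    /usr/sbin/in.telnetd     in.telnetd
#shell   stream  tcp            nowait  root    /usr/sbin/in.rshd        in.rshd
#login   stream  tcp6           nowait  root    /usr/sbin/in.rlogind     in.rlogind
finger   stream  tcp            nowait  nobody  /usr/sbin/in.fingerd     in.fingerd
#tftp    dgram   udp6           wait    root    /usr/sbin/in.tftpd       in.tftpd -s /tftpboot
rquotad/1  tli   rpc/datagram_v wait    root    /usr/lib/nfs/rquotad     rquotad
rstatd/2-4 tli   rpc/datagram_v wait    root    /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
EOF
    cat > "$2" <<'EOF'
# constructed /etc/services excerpt
ftp      21/tcp
telnet   23/tcp
finger   79/tcp
tftp     69/udp
sunrpc  111/tcp    rpcbind
sunrpc  111/udp    rpcbind
login   513/tcp
shell   514/tcp    cmd
EOF
}

# expected_ports INETD SERVICES -> "name port/proto" for every enabled
# standard (non-RPC) entry; "unknown" when /etc/services has no match
# for that name and protocol (tcp6/udp6 are folded onto tcp/udp).
expected_ports() {
    awk 'FNR == NR {                       # first file: /etc/services
             sub(/#.*/, "")
             if (NF >= 2) { split($2, p, "/"); port[$1 "/" p[2]] = $2 }
             next
         }
         /^[ \t]*(#|$)/ { next }           # commented-out or blank entry
         index($1, "/") > 0 { next }       # RPC entry: no fixed port
         {
             proto = $3; sub(/6$/, "", proto)
             key = $1 "/" proto
             val = (key in port) ? port[key] : "unknown"
             printf "%s %s\n", $1, val
         }' "$2" "$1"
}

# rpc_entries INETD -> "name/version proto" for every enabled RPC entry;
# these register with rpcbind (port 111) and get a port only at that time.
rpc_entries() {
    awk '/^[ \t]*(#|$)/ { next }
         index($1, "/") > 0 { print $1, $3 }' "$1"
}

# Stand-alone demonstration on the constructed excerpts.
dir=${TMPDIR:-/tmp}/inetd.example.$$
mkdir -p "$dir"
write_samples "$dir/inetd.conf" "$dir/services"
echo "fixed ports a scan should find open:"; expected_ports "$dir/inetd.conf" "$dir/services"
echo "RPC services (port assigned via rpcbind):"; rpc_entries "$dir/inetd.conf"
rm -rf "$dir"
```

On the excerpt this reports ftp 21/tcp, telnet 23/tcp and finger 79/tcp as the fixed ports, and rquotad/1 and rstatd/2-4 as RPC services; shell, login and tftp are commented out and so do not appear. After editing the real file on Solaris 9, send inetd a HUP (pkill -HUP inetd) and confirm with rpcinfo -p and a local port scan before the auditor runs theirs.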
Removing Services from inetd.conf
/etc/cron.d/cron.allow:
Usually should contain only root, lp, and sys.
If cron is used to resize Datatel files, either add the datatel
user or run the job from root's crontab with "su - datatel -c".
/etc/cron.d/at.allow: either do not have it, or have
root as the only entry.
/etc/cron.d/cron.deny and /etc/cron.d/at.deny:
should not exist.
The reason: crontab and at consult the allow file first; the deny
file is consulted only when the allow file is absent (and an empty
deny file then admits every user); with neither file present only
root may submit jobs.
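As an added example (not part of the original slides or of the comcol06 script), the following POSIX sh functions implement the crontab(1)/at(1) allow/deny rule and a check for the layout recommended above, run against a constructed directory so the effect of each file can be seen without touching /etc/cron.d. The directory path is a parameter, so the same functions can be pointed at the real /etc/cron.d.

```shell
#!/bin/sh
# Added example: who may use cron, per the crontab(1) rule on Solaris:
#   cron.allow exists      -> only the users listed in it
#   else cron.deny exists  -> every user NOT listed in it
#   else                   -> only root
# at.allow / at.deny follow the same rule for at(1).

# may_use_cron DIR USER -> prints "allow" or "deny"
may_use_cron() {
    dir=$1; user=$2
    if [ -f "$dir/cron.allow" ]; then
        if grep -qx "$user" "$dir/cron.allow"; then echo allow; else echo deny; fi
    elif [ -f "$dir/cron.deny" ]; then
        if grep -qx "$user" "$dir/cron.deny"; then echo deny; else echo allow; fi
    elif [ "$user" = root ]; then
        echo allow
    else
        echo deny
    fi
}

# cron_findings DIR -> one line per deviation from the recommended layout
# (cron.allow present, no deny files, at.allow absent or root-only);
# empty output means the layout matches.
cron_findings() {
    dir=$1
    [ -f "$dir/cron.allow" ] || echo "cron.allow missing"
    for f in cron.deny at.deny; do
        [ -f "$dir/$f" ] && echo "$f exists (remove it)"
    done
    if [ -f "$dir/at.allow" ] && [ -n "$(grep -vx root "$dir/at.allow")" ]; then
        echo "at.allow lists users other than root"
    fi
    return 0
}

# Stand-alone demonstration: the risky case versus the recommended one.
dir=${TMPDIR:-/tmp}/cron.d.example.$$
mkdir -p "$dir"
: > "$dir/cron.deny"                     # empty deny file, no allow file
echo "empty cron.deny only: datatel -> $(may_use_cron "$dir" datatel)"
cron_findings "$dir"
rm "$dir/cron.deny"
printf 'root\nlp\nsys\n' > "$dir/cron.allow"
echo "recommended layout: datatel -> $(may_use_cron "$dir" datatel)"
cron_findings "$dir"
rm -rf "$dir"
```

With only an empty cron.deny present, every user (datatel included) may install a crontab, which is the case the slide's "should not exist" advice prevents; with the recommended cron.allow and no deny file, datatel is refused unless it is added to the file.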
Script lines 268 – 274: list files without a legal owner
These are files whose numeric uid or gid no longer matches
an entry in /etc/passwd or /etc/group, typically left behind
when an account was deleted; reassign them to a current
owner or remove them.
See standard C1 File Ownership Guidelines.
A delete.user script will be put on the website to help.
Script lines 275 – 285: list perms and contents of /var/adm/*log
Make sure /var/adm/loginlog exists:
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
login only records repeated failed attempts in loginlog when the
file already exists with exactly this owner and mode; it is not
created automatically.
Note that the script's command lists every file in /var/adm
whose name ends in 'log'.
Script lines 286 – 295: list perms and contents of /etc/default/login
Make sure the line 'CONSOLE=/dev/console' is uncommented,
so that root can log in only on the console and therefore
not over the network (root must then su from an ordinary
account, which is what sulog records).
Most of the other entries can be set elsewhere or are
defaults.
If you want to log every single failed login attempt,
change SYSLOG_FAILED_LOGINS to 0 (its default of 5 logs
only from the fifth failure on). The slides also suggest
changing RETRIES; note that RETRIES (default 5) is the number
of failed attempts login allows before it exits, so check
login(1) before lowering it.
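As an added example (not part of the original slides or of the comcol06 script), the following POSIX sh functions read the settings discussed above out of a file in /etc/default/login format (KEY=VALUE lines, '#' comments, last assignment wins), report the weak settings, and write a corrected copy with CONSOLE uncommented and SYSLOG_FAILED_LOGINS set to 0. The sample file is constructed here; the file paths are parameters, so the functions can be run against the real /etc/default/login (write the corrected copy elsewhere first and diff it before installing).

```shell
#!/bin/sh
# Added example: check and correct /etc/default/login settings.
# Assumes the stock file format: KEY=VALUE, '#' comment lines, a later
# assignment of the same KEY overriding an earlier one.

# write_sample_login PATH: constructed excerpt with the weak defaults
write_sample_login() {
    cat > "$1" <<'EOF'
# constructed excerpt in /etc/default/login format
TIMEZONE=EST5EDT
# If CONSOLE is set, root can only login on that device.
#CONSOLE=/dev/console
PASSREQ=YES
SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
RETRIES=5
EOF
}

# login_setting FILE KEY -> value of the last uncommented KEY=... line,
# or "unset" when every occurrence is commented out or absent
login_setting() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2; seen = 1 }
        END        { print (seen ? val : "unset") }' "$1"
}

# login_findings FILE -> one line per setting that does not meet the
# recommendation in these slides; empty output means both are fine
login_findings() {
    f=$1
    c=$(login_setting "$f" CONSOLE)
    [ "$c" = /dev/console ] || echo "CONSOLE=$c: root may log in over the network"
    s=$(login_setting "$f" SYSLOG_FAILED_LOGINS)
    [ "$s" = 0 ] || echo "SYSLOG_FAILED_LOGINS=$s: set to 0 to log every failure"
    return 0
}

# fix_login SRC DST: DST is SRC with a commented CONSOLE=/dev/console line
# uncommented and SYSLOG_FAILED_LOGINS forced to 0.  If SRC has no CONSOLE
# line at all, nothing is uncommented and the line must be added by hand.
fix_login() {
    sed -e 's|^#[[:space:]]*\(CONSOLE=/dev/console\)|\1|' \
        -e 's|^\(SYSLOG_FAILED_LOGINS\)=.*|\1=0|' "$1" > "$2"
}

# Stand-alone demonstration: findings before and after the fix.
dir=${TMPDIR:-/tmp}/login.example.$$
mkdir -p "$dir"
write_sample_login "$dir/login"
echo "before:"; login_findings "$dir/login"
fix_login "$dir/login" "$dir/login.fixed"
echo "after:";  login_findings "$dir/login.fixed"
rm -rf "$dir"
```

On the constructed file the check reports both CONSOLE (unset, because the line is commented out) and SYSLOG_FAILED_LOGINS=5; the corrected copy yields no findings. RETRIES is deliberately left alone by fix_login, for the reason given above.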
Script lines 296 – 314: list perms and contents (last 100 lines) of /var/adm/sulog