auditing | Eikonal Blog

2011.07.08

Auditing Unix Security

Filed under: infosec, passwords, security hardening, security testing, unix, VA (Vulnerability Assessment) — Tags: auditing, auditing unix, seccheck, unix security — sandokan65 @ 12:50

Lynis – http://www.rootkit.nl/
CIS Scoring tools – http://www.cisecurity.org/
OpenSCAP – http://www.open-scap.org/

Misc

“UNIX/Linux local audit tool” by Seán Boran (author of “IT Security Cookbook” – http://www.boran.com/security/index.html) – http://www.boran.com/security/sp/solaris/audit_tool.html – scripts made for Solaris
Several unix auditing scrips by Marc Heuse (circa 2001) – http://web.archive.org/web/20050426143820/http://www.suse.de/~marc/audit/: audit_aix.sh, audit_hpux10.sh, audit_hpux11.sh, audit_nokia.sh, audit_oracle.sql, audit_solaris.sh, audit_suse.sh
- expire_users.sh – a script to run as a cron job to disable user accounts which are unused for a specified time – http://web.archive.org/web/20050426075316/http://www.suse.de/~marc/expire_users.sh
- checkneverlogin.sh – A script which checks if some user accounts on the system were never used. (Note that is an updated version which skips some stuff if you are not root, the old one is now part of the seccheck package on SuSE.) – http://web.archive.org/web/20050426075316/http://www.suse.de/~marc/checkneverlogin.sh
- aix2shadow.pl – This script converts the AIX /etc/security/passwd format to a “regular” /etc/shadow format – so you can use an unshadow software and then crack passwords. – http://web.archive.org/web/20050426075316/http://www.suse.de/~marc/aix2shadow.pl
seccheck – http://freshmeat.net/projects/seccheck/ – Seccheck is a feature rich, modular, host-level security checker for Solaris 10. Easily expandable with customised modules, Seccheck produces highly detailed reports based around known and published security best-practices and guidelines. It also produces recommendations on how to fix flagged security issues.

Comments (1)

2011.01.05

Auditing MS Windows

Filed under: compliance, infosec, windows — Tags: Active Directory, AD, audit, auditing, cmdlets, Commandlets, continuous audit, cygwin, dumpevt, dumpsec, foundstone, fport, MBSA, mkgroup, mkpasswd, nessus, NetCheck, netstat, powershell, ScriptCenter, Scriptomatic, security, security audits, Shavlik, somarsoft, sysinternals, windows assessment, windows audit, WMI, WMI Diagnosis Utility — sandokan65 @ 15:48

Articles

“Using PowerShell to Continuously Audit Security of Active Directory” by Derek Melber (WindowsSecurity.com; 2010.12.15+20) – http://www.windowsecurity.com/articles/Using-PowerShell-Continuously-Audit-Security-Active-Directory.html
- Get-AD by Niklas Goude (2010.01.04) – http://gallery.technet.microsoft.com/scriptcenter/en-us/81865fd8-6bdf-44d6-844b-01f262dc853e
- “Checklist: Top 5 Windows domain settings to audit” by Derek Melber (SearchWindowsServer.com; 2005.12.08) – http://searchwindowsserver.techtarget.com/feature/Checklist-Top-5-Windows-domain-settings-to-audit
  - 1) Domain Account Policy: Password Policy, Account Lockout Policy and Kerberos Policy. Password complexity, minimal length of the passwords, password expiration, password reuse.
  - 2) Local user rights on domain member servers.
  - 3) Anonymous Connections: Computer Configuration > Windows Settings > Security Settings > Local Policies >Security Options
  - 4) Authentication Protocols
  - 5) Administrator Account
- “Windows 2000 Auditing” – http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
- “Windows & Active Directory Auditing” by Derek Melber (WindowsSecurity.com; 2005.11.22) – http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html
- “Auditing user accounts ” by Derek Melber (WindowsSecurity.com; 2005.08.04)- http://www.windowsecurity.com/articles/auditing-user-accounts.html
- “Auditing Users and Groups with the Windows Security Log” by Randall F. Smith (WindowsSecurity.com; 2004.09.02) – http://www.windowsecurity.com/articles/auditing-users-groups-windows-security-log.html
- SANS Institute: Automated Auditing in a Windows 2000 Environment – http://www.sans.org/security-resources/auto_audit.php

Tools

Windows Inventory – Windows PC Auditing Software – http://winventory.sourceforge.net/ – superseded by Open-AudIT [OR NOT since that project still does not have available Windows script]
Open-AudIT – http://www.open-audit.org/ – the replacement for Windows Inventory
Script Repository (Microsoft TechNet) – http://gallery.technet.microsoft.com/ScriptCenter/
WMI tools:
- Scriptomatic 2.0 (Microsoft) – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12028 – Utility that helps you write WMI scripts for system administration.
- Windows PowerShell Scriptomatic – http://www.microsoft.com/download/en/details.aspx?id=24121
- WMI Administrative Tools – http://www.microsoft.com/download/en/details.aspx?id=24045
- The WMI Diagnosis Utility – http://www.microsoft.com/download/en/details.aspx?id=7684
- WMI Code Creator v1.0 – http://www.microsoft.com/download/en/details.aspx?id=8572
MBSA – http://technet.microsoft.com/en-us/security/cc184924.aspx [FREE}
Shavlik’s NetCheck – http://www.shavlik.com/products.aspx [COMMERCIAL]
Oval Interpreter – http://oval.mitre.org
Nessus Local Plug-ins
Use of Powershell in Nessus scripts:
- “Compliance Auditing with PowerShell” by Paul Asadoorian (Tenable blog; 2012.04.26) – http://blog.tenablesecurity.com/2012/04/compliance-auditing-with-microsoft-powershell.html
- “File Integrity Auditing with Nessus” by Paul Asadoorian (Tenable blog; 2012.05.18) – http://blog.tenablesecurity.com/2012/05/file-integrity-auditing-with-nessus.html
Sysinternals suite – http://technet.microsoft.com/sysinternals [FREE}

What to audit

1) List of domain users. Their user groups (who belongs to what groups).
2) Logging parameters: number of unsuccessful retries before account lock-out, number of minutes the account is temporary disabled (due to sequence of failed logon attempts), …
3) Password parameters: minimal password length, used character sets, password complexity requirement (is it enforced or not), password expiration, …
4) Auditing parameters: are all account logon attempts being logged? Are changes in account privileges (e.g. adding users to different groups) being logged? Are additions, removals or renaming of accounts being logged? Are privilege violations being logged (e.g. user trying to access resources [files, applications, shares] that they do not have right to access)? Are changes to security policies being logged? Are changes to user passwords being logged? Are changes in account status (e.g. disabling and enabling accounts) logged? etc
5) Inspect the content of system logs.
- Manual inspection
- use dumpevt by SomarSoft (http://www.systemtools.com/somarsoft/?somarsoft.com)
6) List of services
7) Look at the open network connections.
- netstat -a
- netstat -a -b -o -v
- FPort by FoundStone – http://www.mcafee.com/us/downloads/free-tools/index.aspx
- APorts – http://download.cnet.com/1770-20_4-0.html?query=Active+Ports&searchtype=downloads
\8) Registry checkup
- DumpReg (dump registry) by SomarSoft – http://www.systemtools.com/somarsoft/?somarsoft.com

Tools

DumpSec

SomarSoft’s DumpSec/DumpAcl – http://www.systemtools.com/somarsoft/?somarsoft.com

DumpEvt

DumpEvt is a command line tool by SomarSoft – http://www.systemtools.com/somarsoft/?somarsoft.com

Syntax:

c:>dumpevt
2011.01.06 13:23:28
Somarsoft DumpEvt V1.7.6, Copyright ▒ 1995-2007 by Somarsoft, Inc.
Copy 07353, registered to (this program is now free of charge)
==>Missing /logfile parameter
Dump eventlog in format suitable for importing into database
Messages written to stdout
Dump output written to file specified by /outfile or /outdir
Parameters:
  /logfile=type      eventlog to dump; can be app, sec, sys, dns, dir, or rpl
  /logfile=type=path backed up eventlog file to dump
  /outfile=path      create new file or append to end of existing file
  /outdir=path       create new .tmp file in specified directory
  /all               dump all recs (default is recs added since last dump
  /computer=name     dump eventlog for specified computer (default is local)
  /reg=local_machine use HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER
  /clear             clear event log after successful dump
Specify formatting parameters in DUMPEVT.INI file
See dumpevt.hlp for complete documentation
Visit http://www.somarsoft.com for latest version

Example:

c>dumpevt /logfile=sec /outfile=20100106-system7-seclog.txt
2011.01.06 13:31:36
Somarsoft DumpEvt V1.7.6, Copyright ▒ 1995-2007 by Somarsoft, Inc.
Copy 07353, registered to (this program is now free of charge)
LogType=Security
Computer=(local)
SystemRoot=C:\WINDOWS
Outfile=20100106-system7-seclog.txt
Use HKEY_CURRENT_USER for saving record number
Format=yes
DateFormat=(locale dependent)
TimeFormat=HH':'mm':'ss
FieldSeparator=,
ReplaceFieldSeparator=  (blank)
ReplaceCR=^
ReplaceLF=`
StringSeparator=;
MaxMessageLen=32000
MaxFragmentLen=32000
DumpData=none
SplitDateTime=yes
UseGmtTime=no
DumpRecnum=no
==>LastProcessed (0) < Oldest (1), log records lost
process event log records starting with 1
last event log record processed = 1018
Elapsed time= 0.594 seconds, NumRecs=1018

Fport

Example:

c>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
508                  ->  135   TCP
4     System         ->  139   TCP
4     System         ->  445   TCP
1644  dirmngr        ->  1059  TCP   C:\Program Files\GNU\GnuPG\dirmngr.exe
4084                 ->  1080  TCP
3856                 ->  1192  TCP
2428  ccApp          ->  1202  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
0     System         ->  1212  TCP
3652  firefox        ->  2036  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  2037  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  2044  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  2045  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
4     System         ->  6846  TCP
3652  firefox        ->  6896  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3856                 ->  6938  TCP
3856                 ->  6939  TCP
0     System         ->  6945  TCP
4456526               ->  123   UDP
4     System         ->  123   UDP
5177412               ->  137   UDP
4     System         ->  137   UDP
6029362               ->  138   UDP
4     System         ->  138   UDP
3652  firefox        ->  138   UDP   C:\Program Files\Mozilla Firefox\firefox.exe
508                  ->  445   UDP
4     System         ->  500   UDP
3652  firefox        ->  1069  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  1103  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  1357  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  1520  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
4     System         ->  2576  UDP
3856                 ->  62514 UDP

netstat

On Windows XP:

c>netstat -a
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    server7:epmap      interesting.website.org:0      LISTENING
  TCP    server7:microsoft-ds  interesting.website.org:0      LISTENING
  TCP    server7:5556       interesting.website.org:0      LISTENING
  TCP    server7:1059       interesting.website.org:0      LISTENING
  TCP    server7:1080       interesting.website.org:0      LISTENING
  TCP    server7:1202       interesting.website.org:0      LISTENING
  TCP    server7:2036       localhost:2037         ESTABLISHED
  TCP    server7:2037       localhost:2036         ESTABLISHED
  TCP    server7:2044       localhost:2045         ESTABLISHED
  TCP    server7:2045       localhost:2044         ESTABLISHED
  TCP    server7:62514      interesting.website.org:0      LISTENING
  TCP    server7:netbios-ssn  interesting.website.org:0      LISTENING
  TCP    server7:1192       strangemachine:netbios-ssn  ESTABLISHED
  TCP    server7:6846       alphaomega.com:microsoft-ds  ESTABLISHED
  TCP    server7:7061       server2:8585       ESTABLISHED
  TCP    server7:7062       server2:8585       ESTABLISHED
  TCP    server7:netbios-ssn  interesting.website.org:0      LISTENING
  TCP    server7:7067       strangemachine:netbios-ssn  SYN_SENT
  TCP    server7:netbios-ssn  interesting.website.org:0      LISTENING
  TCP    server7:7068       strangemachine:netbios-ssn  SYN_SENT
  UDP    server7:microsoft-ds  *:*
  UDP    server7:isakmp     *:*
  UDP    server7:4500       *:*
  UDP    server7:52311      *:*
  UDP    server7:ntp        *:*
  UDP    server7:1025       *:*
  UDP    server7:1069       *:*
  UDP    server7:1103       *:*
  UDP    server7:1357       *:*
  UDP    server7:1520       *:*
  UDP    server7:1900       *:*
  UDP    server7:2576       *:*
  UDP    server7:62514      *:*
  UDP    server7:ntp        *:*
  UDP    server7:netbios-ns  *:*
  UDP    server7:netbios-dgm  *:*
  UDP    server7:1900       *:*
  UDP    server7:ntp        *:*
  UDP    server7:netbios-ns  *:*
  UDP    server7:netbios-dgm  *:*
  UDP    server7:1900       *:*
  UDP    server7:ntp        *:*
  UDP    server7:netbios-ns  *:*
  UDP    server7:netbios-dgm  *:*
  UDP    server7:1900       *:*

Getting list of users and groups

Inside Cygwin, there are commands mkpasswd and mkgroup. These can build the Cygwin’s /etc/passwd and /etc/group from either local system or from the domain the system is on.

mkpasswd -l > local-users.txt
mkpasswd -d -l > domain-users.txt
mkgroup -l > local-groups.txt
mkgroup -d -l > domain-groups.txt

Comments (2)

Eikonal Blog

2011.07.08

Auditing Unix Security

Misc

2011.01.05

Auditing MS Windows

Articles

Tools

What to audit

Tools

DumpSec

DumpEvt

Fport

netstat

Getting list of users and groups

Categories

Archives

Email Subscription

Recent Posts

art and fun

Blogroll

free thinkers

health

infosec & privacy

it

knowledge management

life

mathematics & physics & astro, oh my!

mind & brain

past

science

skils & hacks

society & technology

unix