Objectives
Upon completion of this unit, you should be able to:
1) Understand system performance security goals
2) Describe security domains
3) Describe system faults
4) Explain system fault analysis methods
5) Explain benefits of maintaining system state
6) Describe networking resource concerns
7) Describe data storage resource concerns
8) Describe processing resource concerns
9) Describe log file analysis
System Resources as Services
1) Computing infrastructure is comprised of roles
- systems that serve
- systems that request
2) System infrastructure is comprised of roles
- Processes that serve
- processes that request
3) Processing infrastructure is comprised of roles
- accounts that serve
- accounts that request
4) System resources, and their use, must be accounted for as policy of securing the system
Security in Principle
1) Security Domains
- Physical
- Local
- Remote
- Personnel
Security in Practice
1) By design, the system serves available resources
2) By policy, the system preserves available resources
3) Host only services you must, and only to those you must
4) Monitor system resources for vulnerabilities and poor performance
Security Policy: the People
1) Managing human activities
- includes security policy maintenance
2) Who is in charge of what?
3) Who makes final decision about false alarms?
4) When is law-enforcement notified?
Security Policy: the System
1) Managing system activities
2) Regular system monitoring
- Log to an external server in case of compromise
- Monitor logs with logwatch
- Monitor bandwidth usage inbound and outbound
3) Regular backups of system data
Response Strategies
1) Assume suspected system is untrustworthy
- Do not run programs from the suspected system
- Boot from trusted media to verify breach
- Analyze logs of remote logger and “local” logs
- Check file integrity against read-only backup of rpm database
2) Make an image of the machine for further analysis/evidence-gathering
3) Wipe the machine, re-install and restore from backup
System Faults and Breaches
1) Both affect system performance
2) System performance is the security concern
- a system fault yields an infrastructure void
- an infrastructure void yields opportunity for alternative resource access
- an opportunity for alternative resource access yields unaccountable resource access
- an unaccountable resource access is a breach of security policy
Method of Fault Analysis
1) Characterize the problem
2) Reproduce the problem
3) Find further information
Fault Analysis: Hypothesis
1) Form a series of hypotheses
2) Pick a hypothesis to check
3) Test the hypothesis
Method of Fault Analysis, continued
1) Note the result, then reform or test a new hypothesis if needed
2) If the easier hypotheses yield no positive result, further characterize the problem
Fault Analysis: Gathering Data
1) strace command
2) tail -f logfile
3) *.debug in syslog
4) -debug option in application
Benefit of System Monitoring
1) System performance and security may be maintained with regular system monitoring
2) System monitoring includes:
- Network monitoring and analysis
- File system monitoring
- Process monitoring
- Log file analysis
Network Monitoring Utilities
1) Network interface (ip)
- Show what interfaces are available on a system
2) Port scanners (nmap)
- Show what services are available on a system
3) Packets sniffers (tcpdump, wireshark)
- Store and analyze all network traffic visible to the “sniffing” system
Networking, a Local view
1) The ip utility
- Called by initialization scripts
- Greater capability than ifconfig
2) Use netstat -ntaupe for a list of:
- active network servers
- established connections
Networking, a Remote view
1) nmap reports active services on ports open to remote connection attempts
- Advanced scanning options available
- Offers remote OS detection
- Scan on small or large subnets
2) Do not use without written permission of the scanned system’s admin!
3) Graphical front-end available (nmapfe)
File System Analysis
1) Regular file system monitoring can prevent:
- Exhausting system resources
- Security breaches due to poor access controls
2) File system monitoring should include:
- Data integrity scans
- Investigating suspect files
3) Utilities: df, du
Typical Problematic Permissions
1) Files without known owners may indicate unauthorized access:
- Locate files and directories with no matching entry in /etc/passwd or /etc/group: find / \( -nouser -o -nogroup \)
2) Files/Directories with “other” write permission (o+w) may indicate a problem
- Locate other-writable files with: find / -type f -perm -002
- Locate other-writable directories with: find / -type d -perm -2
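The three find commands above, wrapped as functions and run against a constructed directory tree so the scan can be tried offline. This is an added example, not part of the course material; the tree layout (etc/, tmp/, srv/upload/) and the file modes are assumptions chosen to exercise each check. Directories with the sticky bit set (mode 1777, like /tmp) are excluded from the directory check, since o+w is expected there and the sticky bit keeps users from removing each other's files.

```sh
#!/bin/sh
# Added example (not from the unit): scan a tree for the "problematic permissions"
# the unit lists. Everything below is constructed for the demonstration.

# Files and directories whose owner or group has no passwd/group entry.
# Not demonstrated on the sample tree: creating such files needs root (chown to an
# unknown uid), but the check itself runs unprivileged.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null
}

# Regular files writable by "other" (o+w).
find_other_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Directories writable by "other", excluding sticky directories such as /tmp.
find_other_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null
}

# Portable line counter (wc -l pads with spaces on some systems).
count_lines() {
    c=0
    while IFS= read -r _; do c=$((c + 1)); done
    printf '%d\n' "$c"
}

# Build a constructed tree: one sloppy config file (666), one sticky tmp (1777,
# expected) and one world-writable upload directory without sticky bit (777, suspect).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/tmp" "$dir/srv/upload"
    printf 'ok\n'  > "$dir/etc/safe.conf";   chmod 644 "$dir/etc/safe.conf"
    printf 'bad\n' > "$dir/etc/sloppy.conf"; chmod 666 "$dir/etc/sloppy.conf"
    chmod 1777 "$dir/tmp"
    chmod 777  "$dir/srv/upload"
    printf '%s\n' "$dir"
}

# Stand-alone demonstration: build the tree, report, clean up.
sample=$(make_sample_tree)
echo "Unowned files:";            find_unowned "$sample"
echo "Other-writable files:";     find_other_writable_files "$sample"
echo "Other-writable dirs (non-sticky):"; find_other_writable_dirs "$sample"
rm -rf "$sample"
```

On a real host the same functions are pointed at / and the output compared against the previous run; a file that newly appears in either list is the thing to investigate, not the list as a whole.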
Monitoring Processes
1) Monitoring processes to determine:
- Cause of decreased performance
- If suspicious processes are executing
2) Monitoring utilities
- top
- gnome-system-monitor
- sar
Process Monitoring Utilities
1) top
- view processor activity in real-time
- interactively kill or renice processes
- watch system statistics update through time, either in units or cumulatively
2) GUI system monitoring tools
- gnome-system-monitor: GNOME process, CPU, and memory monitor
- kpm: KDE version of top
System Activity Reporting
1) Frequent reports, over time
- cron spawns sa1 and sa2
- sar reads and generates “human friendly” logs
2) Commonly used for performance tuning
- more accurate statistics
- binary “database” collection method
- regular intervals
3) Evidence of pattern establishes “normal” activity
Managing Processes by Account
1) Use PAM to set controls on account resource limits:
- pam_access.so can be used to limit access by account and location
- pam_time.so can be used to limit access by day and time
- pam_limits.so can be used to limit resources available to processes
System Log Files
1) Why monitor log files?
2) Which logs to monitor?
3) Logging services:
- Many daemons send messages to syslogd
- Kernel messages are handled by klogd
Syslogd and klogd Configuration
1) syslogd and klogd are configured in /etc/syslog.conf
2) Syntax: facility.priority log_location
3) Example: mail.info /dev/tty8
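A small checker for the facility.priority log_location syntax, written as an added example (not part of the unit). It validates every selector against the facility and priority names the classic syslogd(8) understands and counts how many rules forward to a remote host (an "@host" action), which is the "log to an external server" recommendation from the System policy slide. The sample /etc/syslog.conf content is constructed here, including one deliberate typo ("mial.info"); the hostname loghost.example.com is a placeholder.

```sh
#!/bin/sh
# Added example (not from the unit): sanity-check a syslog.conf.

# Names recognised by classic syslogd(8).
SYSLOG_FACILITIES="auth authpriv cron daemon kern lpr mail mark news security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7"
SYSLOG_PRIORITIES="debug info notice warning warn err error crit alert emerg panic none"

# Print every selector whose facility or priority is not a known name.
# A rule line is "selector[;selector...] action"; a selector is
# "facility[,facility...].priority" where priority may carry a "=" or "!" prefix.
list_bad_selectors() {
    awk -v facs="$SYSLOG_FACILITIES" -v pris="$SYSLOG_PRIORITIES" '
    BEGIN {
        n = split(facs, f, " "); for (i = 1; i <= n; i++) F[f[i]] = 1
        n = split(pris, p, " "); for (i = 1; i <= n; i++) P[p[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
        n = split($1, sel, ";")
        for (i = 1; i <= n; i++) {
            if (split(sel[i], parts, "[.]") != 2) { print sel[i]; continue }
            pri = parts[2]; sub(/^[!=]+/, "", pri)  # drop "=" / "!" modifiers
            if (pri != "*" && !(pri in P)) { print sel[i]; continue }
            m = split(parts[1], fl, ",")
            for (j = 1; j <= m; j++)
                if (fl[j] != "*" && !(fl[j] in F)) { print sel[i]; break }
        }
    }' "$1"
}

# Count rules whose action is a remote host ("@host").
count_remote_targets() {
    awk '/^[ \t]*(#|$)/ { next } $2 ~ /^@/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample configuration (not a real host's file).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample syslog.conf
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
mail.info                                  /dev/tty8
*.emerg                                    *
mial.info                                  /var/log/typo
*.info                                     @loghost.example.com
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration.
conf=$(make_sample_conf)
echo "Selectors with unknown facility/priority:"; list_bad_selectors "$conf"
echo "Rules forwarding to a remote host: $(count_remote_targets "$conf")"
rm -f "$conf"
```

A count of zero remote targets on a production host means that, after a compromise, the only copy of the logs is the one the intruder can edit.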
Log File Analysis
1) Should be performed on a regular basis
2) logwatch can be installed to run by crond every hour to report possible issues
3) When looking for anomalies, logwatch uses negative lists
- Discard everything normal
- Analyze the rest
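The negative-list idea in shell, as an added example rather than logwatch's own code: a file of regular expressions describes the messages known to be normal, grep -v -f removes every line that matches one, and whatever survives is summarized by stripping timestamps and PIDs and counting repeats. The log lines and the ignore patterns are constructed for the demonstration (hostname "host", user "alice", IP addresses from the documentation ranges).

```sh
#!/bin/sh
# Added example (not from the unit): logwatch-style negative-list filtering.

# Lines that do not match any pattern in the ignore file are the anomalies.
filter_unknown() {
    grep -v -E -f "$2" "$1" || true      # grep exits 1 when nothing survives
}

# Collapse the survivors: drop "Mon DD HH:MM:SS host " and "[pid]", then count.
summarize_unknown() {
    filter_unknown "$1" "$2" \
      | sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //; s/\[[0-9]+\]//' \
      | sort | uniq -c | sort -rn
}

count_lines() {
    c=0
    while IFS= read -r _; do c=$((c + 1)); done
    printf '%d\n' "$c"
}

# Constructed sample of /var/log/secure-style lines.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 06:25:01 host CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 06:25:01 host CRON[1234]: pam_unix(cron:session): session closed for user root
Mar  3 06:26:12 host sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 50012 ssh2
Mar  3 06:27:40 host sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 06:27:44 host sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 06:28:00 host useradd[2300]: new user: name=tmpadmin, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 06:30:00 host syslogd 1.4.1: restart.
EOF
    printf '%s\n' "$f"
}

# Constructed negative list: what this host normally produces. Note that nothing here
# is written to match failures or account changes, so those always surface.
make_ignore_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pam_unix\(cron:session\): session (opened|closed) for user root
sshd\[[0-9]+\]: Accepted publickey for [a-z]+ from 192\.0\.2\.[0-9]+ port
syslogd [0-9.]+: restart\.
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration.
log=$(make_sample_log); ign=$(make_ignore_list)
echo "Unexplained lines:";  filter_unknown "$log" "$ign"
echo "Summary:";            summarize_unknown "$log" "$ign"
rm -f "$log" "$ign"
```

The negative list is the security-relevant artefact: every pattern added to it is a decision that a class of message never needs a human, so it deserves the same review as a firewall rule.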
End of Unit 1
1) Questions and Answers
2) Summary
- Address questions
- Preparation for lab
- Goals
- Sequences
- Deliverables
- Please ask the instructor for assistance when needed