Date posted: 16-Dec-2015

SYSTEM AUDITING Presenter Name George Bailey, MS, CISSP, GCIH – Security / Technical Operations Manager @ Purdue Healthcare Advisors Josh Gillam – IT Auditor @ Purdue University / Internal Audit FOR THE SYSTEMS ADMINISTRATORS
Transcript
Page 1: SYSTEM AUDITING Presenter Name George Bailey, MS, CISSP, GCIH – Security / Technical Operations Manager @ Purdue Healthcare Advisors Josh Gillam – IT Auditor.

SYSTEM AUDITING

Presenter Name

George Bailey, MS, CISSP, GCIH – Security / Technical Operations Manager @ Purdue Healthcare Advisors

Josh Gillam – IT Auditor @ Purdue University / Internal Audit

FOR THE SYSTEMS ADMINISTRATORS

Page 2

SYSTEM AUDITING

Confirmation that a certain process or system requirement is being fulfilled

Generally performed by a variety of tasks

Manual testing of a setting or control

Automated testing / probing for configuration settings

Monitoring of process, application, or user behaviors

Reviewing system / application logs, configuration files, etc.

Page 3

Purdue Research Foundation 2012

TOPICS

Auditing Hosts & Networks with NMAP

OS benchmarking / auditing with CIS-CAT

Validating configuration / vulnerability status with Metasploit Framework

Page 4

NMAP

What is it? Why use it? Where to get it? How to use it?

Page 5

NETWORK MAPPER "NMAP"

Port scanner

OS fingerprinter

Scans a particular target for all / select open ports

Identifies service type and version listening

Very invasive and very powerful

NSE (the Nmap Scripting Engine) and Lua extend nmap's capabilities

Page 6

TRINITY USES NMAP, SHOULDN’T YOU?

Network exploration tool and port scanner

• Security audits

• Network inventory

• Upgrade schedules

• Monitoring host/service uptime

Reduce the number of hosts on a network to be audited or investigated

Specify how each host is to be identified as interesting

Firewall considerations

Page 7

NMAP IS OPEN & FREE

http://www.insecure.org/

Open source tool available by default in many Linux distributions. Source and install packages available for mainstream OSes.

• Command line and GUI versions: http://nmap.org/download.html or http://www.insecure.org/

• Backtrack and other live environments

• Very active forum and community: http://seclists.org/ for mail lists and archives

Page 8

HOW NMAP WORKS

Nmap uses many port scanning mechanisms:

• Both TCP & UDP

• OS detection, version detection

• Ping sweeps

• TCP full connect

• Stealth scan

• XMAS scan

• Half-open scan

Page 9

NMAP EXAMPLES

# nmap scanme.nmap.org

• Default scan

# nmap -A scanme.nmap.org

• Performs OS & version detection, traceroute info

# nmap -sV scanme.nmap.org

• Performs service version detection

# nmap -sS -sV 128.46.4.0/24 -P0

• Performs a stealth (SYN) scan of a class C network while determining service versions without pinging the hosts

# nmap -sS -sV 128.46.4.0/24 -p80

• Performs a stealth (SYN) scan of a class C network while performing service detection and scanning only port 80

Zenmap is available for those preferring a GUI interface http://nmap.org/zenmap/

Page 10

NMAP OUTPUT

nmap scanme.nmap.org

Starting Nmap 5.51 ( http://nmap.org ) at 2012-10-01 13:08 Eastern Daylight Time
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.083s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds

Scanning multiple systems can produce massive and cumbersome amounts of data to analyze

• Learn Perl, grep & awk

• Ndiff: used to compare nmap output files

• Google: Nmap parsing tools… lots of options! PBNJ is my favorite.

Page 11

NMAP OUTPUT FORMATS

Normal (stdout) – Produces a text output

• Use the -oN filename flag

Grepable format – Produces a text output that

• Use the -oG filename flag

XML format – Produces an XML formatted file

• Use the -oX filename flag
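The "Ndiff" and "learn grep & awk" advice above is easiest to see in code. The following is an added example, not part of the slides: a small Python parser for nmap's grepable (-oG) format plus an Ndiff-style comparison of two scans of the same subnet. The two scan results embedded below are constructed sample data; the host names and addresses in them are invented.

```python
from typing import Dict, Set, Tuple

# Constructed sample -oG ("grepable") output for two scans of the same subnet.
# Each "Ports:" entry is port/state/proto/owner/service/rpcinfo/version/ and
# nmap rewrites any "/" inside a field as "|", so splitting on "/" is safe.
BASELINE_GNMAP = """# Nmap 5.51 scan initiated Mon Oct  1 13:08:00 2012 as: nmap -sS -sV -oG base.gnmap 128.46.4.0/24
Host: 128.46.4.10 (web01.example.edu)\tStatus: Up
Host: 128.46.4.10 (web01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 80/open/tcp//http//Apache httpd 2.2.14/\tIgnored State: closed (998)
Host: 128.46.4.11 (db01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 1433/filtered/tcp//ms-sql-s///, 5900/open/tcp//vnc//VNC (protocol 3.8)/\tIgnored State: closed (997)
# Nmap done at Mon Oct  1 13:13:00 2012 -- 256 IP addresses (2 hosts up) scanned in 291.07 seconds
"""
CURRENT_GNMAP = """Host: 128.46.4.10 (web01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, 80/open/tcp//http//Apache httpd 2.2.14/, 8080/open/tcp//http-proxy//Apache Tomcat|Coyote JSP engine 1.1/\tIgnored State: closed (997)
Host: 128.46.4.11 (db01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2008/\tIgnored State: closed (998)
"""

# host ip -> (port, proto) -> (state, service, version)
HostPorts = Dict[str, Dict[Tuple[int, str], Tuple[str, str, str]]]

def parse_gnmap(text: str) -> HostPorts:
    """Parse nmap -oG output; banner and trailer comment lines are skipped."""
    hosts: HostPorts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # tab-separated "Key: value" fields: Host, Status/Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = hosts.setdefault(ip, {})
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            ports[(int(port), proto)] = (state, service, version)
    return hosts

def open_ports(hosts: HostPorts) -> Set[Tuple[str, int, str]]:
    """Flatten a parsed scan to the set of (ip, port, proto) reported open."""
    return {(ip, port, proto) for ip, ports in hosts.items()
            for (port, proto), (state, _svc, _ver) in ports.items() if state == "open"}

def diff_scans(baseline: str, current: str) -> dict:
    """Ndiff-style audit: services that opened, closed, or changed version."""
    old, new = parse_gnmap(baseline), parse_gnmap(current)
    old_open, new_open = open_ports(old), open_ports(new)
    changed = sorted(
        (ip, port, proto, old[ip][(port, proto)][2], new[ip][(port, proto)][2])
        for (ip, port, proto) in old_open & new_open
        if old[ip][(port, proto)][2] != new[ip][(port, proto)][2])
    return {"opened": sorted(new_open - old_open),
            "closed": sorted(old_open - new_open),
            "version_changed": changed}
```

Calling diff_scans(BASELINE_GNMAP, CURRENT_GNMAP) on the sample data reports the newly exposed 8080/tcp and 1433/tcp, the VNC listener that went away, and the sshd version change on web01, which is exactly the kind of delta an audit wants to flag between scheduled scans.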

Page 12

CIS-CAT

What is it? Why use it? Where to get it? How to use it?

Page 13

CONFIGURATION ASSESSMENT TOOL

CIS-CAT BY CENTER FOR INTERNET SECURITY

CIS-CAT is an automated assessment tool that supports a wide variety of operating systems and applications

Checks to see which security features of the assessed system are enabled

Commercial product with lots of community and back-end support

Free to Purdue system admins through the University's membership

Page 14

WHY USE CIS-CAT?

CIS-CAT is created by security-minded folks to assess the built-in security features of an operating system or supported applications

Provides recommendations and manual testing criteria

Updated regularly (at least quarterly)

Supports both GUI and CLI environments

Can be automated via GPO

Issue: Requires Java JRE 1.5 or newer.

Sampling of Supported Systems / Applications

• Apache Tomcat
• Apple OSX 10.5
• Apple OSX 10.6
• Debian Linux
• HP-UX 11i
• IBM AIX 4.3-5.1
• Microsoft Windows 2003
• Microsoft Windows 2008
• Microsoft Windows XP
• Microsoft Windows 7
• Mozilla Firefox
• Oracle Database 11g
• Oracle Database 9i-10g
• RedHat Enterprise Linux 4
• RedHat Enterprise Linux 5
• Slackware Linux 10.2
• Solaris 10
• Solaris 2.5.1-9
• SUSE Linux Enterprise Server 10
• SUSE Linux Enterprise Server 9
• VMware ESX 3.5
• VMware ESX 4

Page 15

WHERE DO I GET CIS-CAT?

http://www.cisecurity.org/

Can be downloaded from the Center for Internet Security's web page: https://community.cisecurity.org/

• Request an account from the login page (takes a day or so to get approved)

• $300.00 annual membership if you are not a Purdue employee.

• ~36MB footprint, includes the CIS-CAT Jar file, documentation, and all centrally maintained benchmarks.

• For NIST provided benchmarks: http://web.nvd.nist.gov/view/ncp/repository?tier=4&product=&category=&authority=&keyword=

Page 16

HOW TO USE CIS-CAT

Interactively by:

• Executing ciscat.jar with or without flags

• Executing a canned script: Cis-cat.bat (Windows), Cis-cat.sh (Unix), Cis-cat-jump.bat (jump drive)

Remotely via command line:

• Via GPO and a centralized share

• Via cron and a centralized mount

• Via CLI with remote web services

Page 17

HOW TO USE CIS-CAT FROM THE CLI

CLI OPTIONS (i.e., ciscat.jar --help)

This is CIS-CAT version 2.2.19
usage: Options Tip
-a,--accept-terms                 Accepts terms of use
-ap,--aggregation-period <arg>    The width of a dashboard aggregation, ex. 1M, 13W, 20D
-ar,--aggregate-reports <arg>     Create a CIS-CAT Dashboard by aggregating all the XML reports in the specified directory
-b,--benchmark <arg>              Path to benchmark to run
-c,--reset                        Reset preferences
-csv,--report-csv                 Creates a CSV report
-d,--benchmark-dir <arg>          Override default location for benchmarks. Used with --list and --find
-f,--find                         Interactively select a benchmark
-h,--help                         Prints help for this application
-l,--list                         List all benchmarks in default benchmark location
-n,--report-no-html               No HTML report will be created, by default an HTML report is created
-p,--profile <arg>                Title of benchmark profile to evaluate
-r,--results-dir <arg>            Directory to save results in
-rn,--report-name <arg>           The base name of the report, no extension
-s,--status                       Status information is displayed
-t,--report-txt                   Creates a text report
-u,--report-upload <arg>          Sends a HTTP POST with the XML report to the specified URL. POST parameter name is ciscat-report
-ui,--ignore-certificate-errors   Ignores any SSL certificate errors during report upload
-v,--version                      Display CIS-CAT version and JRE information
-vs,--verify-signature            Verify that the XML benchmarks have valid signatures
-x,--report-xml                   Creates an XML report
-y,--report-all-tests             Causes the HTML and text reports to show all tests. Only applicable tests are displayed by default

Page 18

CIS-CAT OUTPUT

Multiple output files are supported

• HTML – Great for clients or end users

• CSV – Great when assessing multiple systems at one time, less space required

• TXT – Just the facts, ma'am

• XML – Used when importing to other auditing systems / frameworks

Output is named after the host being assessed

Dashboards can be generated by processing a series of CIS-CAT reports: CIS-CAT -> File menu -> Create Dashboard

Page 19

SAMPLE CIS-CAT REPORT

HTML REPORT

Page 20

OTHER NOTEWORTHY TOOLS

http://sectools.org/

Metasploit Community Edition http://www.rapid7.com/products/metasploit-community.jsp

Microsoft Baseline Security Analyzer (MBSA) http://www.microsoft.com/en-us/download/details.aspx?id=7558

Nexpose VA Scanner [Community Edition] http://www.rapid7.com/products/nexpose-community-edition.jsp

WMIC interface http://technet.microsoft.com/en-us/library/bb742610.aspx

Nikto – Web Application Scanner http://www.cirt.net/nikto2

BackTrack – Linux Auditing OS Distro http://www.backtrack-linux.org/

Page 21

CONTACT INFORMATION

George Bailey

[email protected]

Office: 49-47538

Josh Gillam

[email protected]

