
SYSTEM AUDITING Presenter Name George Bailey, MS, CISSP, GCIH – Security / Technical Operations Purdue Healthcare Advisors Josh Gillam – IT Auditor.


1 SYSTEM AUDITING FOR THE SYSTEMS ADMINISTRATORS
George Bailey, MS, CISSP, GCIH – Security / Technical Operations, Purdue Healthcare Advisors
Josh Gillam – IT Auditor, Purdue University / Internal Audit

2 SYSTEM AUDITING
- Confirmation that a certain process or system requirement is being fulfilled
- Generally performed through a variety of tasks:
  - Manual testing of a setting or control
  - Automated testing / probing for configuration settings
  - Monitoring of process, application, or user behaviors
  - Reviewing system / application logs, configuration files, etc.

3 TOPICS
- Auditing hosts & networks with NMAP
- OS benchmarking / auditing with CIS-CAT
- Validating configuration / vulnerability status with Metasploit Framework
Purdue Research Foundation 2012

4 NMAP
- What is it?
- Why use it?
- Where to get it?
- How to use it?

5 NETWORK MAPPER "NMAP"
- Port scanner and OS fingerprinter
- Scans a particular target for all or selected open ports
  - Identifies the service type and version listening
- Very invasive and very powerful
  - NSE (the Nmap Scripting Engine) and Lua extend nmap's capabilities

6 TRINITY USES NMAP, SHOULDN'T YOU?
- Network exploration tool and port scanner
- Security audits
- Network inventory
- Upgrade schedules
- Monitoring host/service uptime
- Reduce the number of hosts on a network to be audited or investigated
- Specify how each host is to be identified as interesting
- Firewall considerations

7 NMAP IS OPEN & FREE
- Open source tool, available by default in many Linux distributions
- Source and install packages available for mainstream OSes
- Command line and GUI versions; included on BackTrack and other live environments
- Very active forum and community (mailing lists and archives)

8 HOW NMAP WORKS
Nmap uses many port scanning mechanisms, both TCP & UDP:
- Ping sweeps
- TCP full connect
- Stealth scan (SYN, also called the half-open scan: the handshake is never completed)
- XMAS scan
- OS detection, version detection
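How a connect scan arrives at the open / closed / filtered states that nmap reports, as an added example (Python, written for this page; it is not the slides' or nmap's code). A full connect scan (nmap -sT) lets the OS complete the three-way handshake, so it needs no root privileges, unlike the raw-packet SYN scan. The demo scans a listener it opens itself on 127.0.0.1, so it runs without touching a real network; the port numbers are whatever the kernel hands out.

```python
"""Minimal TCP connect scan: the mechanism behind nmap -sT.

Added example, not nmap's code. Standard library only.
"""
import errno
import socket
from typing import Dict, Iterable


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect scan does.

    open     - the handshake completed, a listener accepted our SYN
    closed   - the host answered with RST (connection refused)
    filtered - no answer within the timeout (firewall drop, or host down)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        # An unreachable host/network also means no RST came back.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan a list of ports sequentially; nmap parallelises this, we keep it simple."""
    return {port: probe_port(host, port, timeout) for port in ports}


def local_demo() -> Dict[str, str]:
    """Scan a listener we control plus a port we know is unused.

    The kernel completes the handshake for a listening socket even before
    accept() is called, so no extra thread is needed for the 'open' case.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: kernel picks a free one
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Grab a second free port and release it: nothing listens there now.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"listening": result[open_port], "unused": result[closed_port]}


if __name__ == "__main__":
    print(local_demo())
```

The "filtered" branch cannot be shown on loopback, since nothing drops packets there; against a firewalled host it is the state you see for the msrpc and ms-sql ports in the sample output later in this deck.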

9 NMAP EXAMPLES
# nmap scanme.nmap.org
  Default scan
# nmap -A scanme.nmap.org
  Aggressive scan: OS detection, version detection, script scanning and traceroute
# nmap -sV scanme.nmap.org
  Performs service version detection
# nmap -sS -sV /24 -P0
  Performs a stealth (SYN) scan of a class C network while determining service versions, without pinging the hosts first (-P0 is the old spelling; current nmap calls it -Pn)
# nmap -sS -sV /24 -p80
  Performs a stealth (SYN) scan of a class C network, port 80 only, with service detection
Zenmap is available for those preferring a GUI interface

10 NMAP OUTPUT
nmap scanme.nmap.org
Starting Nmap 5.51 ( ) at :08 Eastern Daylight Time
Nmap scan report for scanme.nmap.org ( )
Host is up (0.083s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds
- Scanning multiple systems can produce massive and cumbersome amounts of data to analyze
- Learn Perl, grep & awk
- Ndiff: compares two nmap XML output files and reports what changed between runs
- Google: Nmap parsing tools…lots of options! PBNJ is my favorite.

11 NMAP OUTPUT FORMATS
- Normal (stdout) – produces the text output shown above; use the -oN filename flag
- Grepable format – produces a text output with one line per host, meant for grep/awk; use the -oG filename flag
- XML format – produces an XML formatted file (what Ndiff and most importers consume); use the -oX filename flag
- -oA basename writes all three at once
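The parsing and comparison the two slides above ask for, as an added example (Python, written for this page; it is neither nmap's nor Ndiff's code): a parser for the -oG grepable format and a diff of two runs that reports hosts and open ports that appeared or vanished. Ndiff does this for XML output; this shows the same idea on the grepable format, whose Ports field is a comma-separated list of port/state/protocol/owner/service/rpcinfo/version/ entries. The two scan runs embedded below are constructed (RFC 5737 addresses), not real results.

```python
"""Parse nmap grepable output (-oG) and diff two runs of the same scan.

Added example, not nmap's or Ndiff's code. Sample runs are constructed.
"""
import re
from typing import Dict, Set, Tuple

PortKey = Tuple[int, str]                        # (port, protocol)
PortInfo = Tuple[str, str, str]                  # (state, service, version)
ScanResult = Dict[str, Dict[PortKey, PortInfo]]  # ip -> ports seen on it

# Constructed sample: one tab-separated "Host:" line per host, as -oG writes it.
BASELINE_RUN = """\
# Nmap 5.51 scan initiated Tue May  1 10:00:00 2012 as: nmap -sS -sV -oG baseline.gnmap 192.0.2.0/28
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done at Tue May  1 10:01:00 2012 -- 16 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

FOLLOWUP_RUN = """\
# Nmap 5.51 scan initiated Tue May  8 10:00:00 2012 as: nmap -sS -sV -oG followup.gnmap 192.0.2.0/28
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1/, 80/open/tcp//http//Apache httpd 2.2.15/, 3306/open/tcp//mysql//MySQL 5.1.73/\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 microsoft-ds/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.0.2.12 ()\tStatus: Up
# Nmap done at Tue May  8 10:01:00 2012 -- 16 IP addresses (3 hosts up) scanned in 60.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")


def parse_gnmap(text: str) -> ScanResult:
    """Return {ip: {(port, proto): (state, service, version)}} for every Host: line."""
    hosts: ScanResult = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment and "Nmap done" lines
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if match is None:
            continue
        # A "Status: Up" line registers the host even when no Ports field follows.
        ports = hosts.setdefault(match.group(1), {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                entry = entry.strip()
                if not entry:
                    continue
                # port/state/protocol/owner/service/rpcinfo/version/ : split into 7 pieces
                port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                ports[(int(port), proto)] = (state, service, version.rstrip("/"))
    return hosts


def open_ports(scan: ScanResult) -> Set[Tuple[str, int, str]]:
    """The (ip, port, proto) triples in state 'open'; filtered/closed are ignored."""
    return {(ip, port, proto)
            for ip, ports in scan.items()
            for (port, proto), (state, _svc, _ver) in ports.items()
            if state == "open"}


def diff_scans(old: ScanResult, new: ScanResult) -> Dict[str, Set[str]]:
    """What changed between two runs: hosts and open ports that appeared or vanished."""
    def fmt(ip: str, port: int, proto: str) -> str:
        return f"{ip}:{port}/{proto}"
    return {
        "new_hosts": set(new) - set(old),
        "gone_hosts": set(old) - set(new),
        "newly_open": {fmt(*k) for k in open_ports(new) - open_ports(old)},
        "no_longer_open": {fmt(*k) for k in open_ports(old) - open_ports(new)},
    }


if __name__ == "__main__":
    changes = diff_scans(parse_gnmap(BASELINE_RUN), parse_gnmap(FOLLOWUP_RUN))
    for key, value in changes.items():
        print(f"{key}: {sorted(value)}")
```

Run it against two real files with `diff_scans(parse_gnmap(open("baseline.gnmap").read()), parse_gnmap(open("followup.gnmap").read()))`; the "newly_open" set is the list an auditor takes to the system owners.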

12 CIS-CAT
- What is it?
- Why use it?
- Where to get it?
- How to use it?

13 CONFIGURATION ASSESSMENT TOOL: CIS-CAT BY THE CENTER FOR INTERNET SECURITY
- CIS-CAT is an automated assessment tool that supports a wide variety of operating systems and applications
- Checks which security features of the assessed system are enabled, against a CIS benchmark
- Commercial product with lots of community and back-end support
- Free to Purdue system admins through the University's membership

14 WHY USE CIS-CAT?
- CIS-CAT is created by security-minded folks to assess the built-in security features of an operating system or supported application
- Provides recommendations and manual testing criteria
- Updated regularly (at least quarterly)
- Supports both GUI and CLI environments
- Can be automated via GPO
- Issue: requires Java JRE 1.5 or newer
Sampling of supported systems / applications:
- Apache Tomcat
- Apple OSX 10.5
- Apple OSX 10.6
- Debian Linux
- HP-UX 11i
- IBM AIX
- Microsoft Windows 2003
- Microsoft Windows 2008
- Microsoft Windows XP
- Microsoft Windows 7
- Mozilla Firefox
- Oracle Database 11g
- Oracle Database 9i-10g
- RedHat Enterprise Linux 4
- RedHat Enterprise Linux 5
- Slackware Linux 10.2
- Solaris 10
- Solaris
- SUSE Linux Enterprise Server 10
- SUSE Linux Enterprise Server 9
- VMware ESX 3.5
- VMware ESX 4

15 WHERE DO I GET CIS-CAT?
- Can be downloaded from the Center for Internet Security's web page: https://community.cisecurity.org/
- Request an account from the login page (takes a day or so to get approved)
- $ annual membership if you are not a Purdue employee
- ~36MB footprint; includes the CIS-CAT jar file, documentation, and all centrally maintained benchmarks
- Benchmark catalog: ry?tier=4&product=&category=&authority=&keyword=
- For NIST provided benchmarks: ry?tier=4&product=&category=&authority=&keyword

16 HOW TO USE CIS-CAT
- Interactively by:
  - Executing ciscat.jar with or without flags
  - Executing a canned script:
    - cis-cat.bat (Windows)
    - cis-cat.sh (Unix)
    - cis-cat-jump.bat (jump drive)
- Remotely via command line:
  - Via GPO and a centralized share
  - Via cron and a centralized mount
  - Via CLI with remote web services

17 HOW TO USE CIS-CAT FROM THE CLI
CLI options (i.e., ciscat.jar --help)
This is CIS-CAT version
usage: Options Tip
 -a,--accept-terms                 Accepts terms of use
 -ap,--aggregation-period          The width of a dashboard aggregation, ex. 1M, 13W, 20D
 -ar,--aggregate-reports           Create a CIS-CAT Dashboard by aggregating all the XML reports in the specified directory
 -b,--benchmark                    Path to benchmark to run
 -c,--reset                        Reset preferences
 -csv,--report-csv                 Creates a CSV report
 -d,--benchmark-dir                Override default location for benchmarks. Used with --list and --find
 -f,--find                         Interactively select a benchmark
 -h,--help                         Prints help for this application
 -l,--list                         List all benchmarks in default benchmark location
 -n,--report-no-html               No HTML report will be created; by default an HTML report is created
 -p,--profile                      Title of benchmark profile to evaluate
 -r,--results-dir                  Directory to save results in
 -rn,--report-name                 The base name of the report, no extension
 -s,--status                       Status information is displayed
 -t,--report-txt                   Creates a text report
 -u,--report-upload                Sends an HTTP POST with the XML report to the specified URL. POST parameter name is ciscat-report
 -ui,--ignore-certificate-errors   Ignores any SSL certificate errors during report upload
 -v,--version                      Display CIS-CAT version and JRE information
 -vs,--verify-signature            Verify that the XML benchmarks have valid signatures
 -x,--report-xml                   Creates an XML report
 -y,--report-all-tests             Causes the HTML and text reports to show all tests. Only applicable tests are displayed by default

18 CIS-CAT OUTPUT
- Multiple output formats are supported:
  - HTML – great for clients or end users
  - CSV – great when assessing multiple systems at one time; less space required
  - TXT – just the facts, ma'am
  - XML – used when importing into other auditing systems / frameworks
- Output is named after the host being assessed
- Dashboards can be generated by processing a series of CIS-CAT reports
  - CIS-CAT -> File menu -> Create Dashboard
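The unattended run described on slides 16 and 17 and the report processing described on slide 18, as one added example (Python, written for this page; it is not part of CIS-CAT and not from the slides). It builds the command line from the short flags in the help listing above, then summarizes an XML report and rolls several reports up per host, which is the data a dashboard is built from. Assumptions, all labelled in the code: the jar name, benchmark path, profile title and results directory are placeholders; the XML report is treated as an XCCDF results document (a TestResult with rule-result/result children and a score element), which is how CIS-CAT describes its XML output, so check the element names against a real report before relying on the counts; the sample report embedded below is constructed.

```python
"""Run CIS-CAT unattended and summarize its XML report.

Added example; not CIS-CAT's code. Flags come from `ciscat.jar --help`;
paths, profile and the sample report are constructed placeholders, and
the XML layout assumed is XCCDF results (TestResult / rule-result / score).
"""
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Any, Dict, List


def ciscat_command(benchmark: str, profile: str, results_dir: str, report_name: str,
                   jar: str = "ciscat.jar", java: str = "java") -> List[str]:
    """Argument list for a cron/GPO run: no prompts, XML + CSV reports, no HTML."""
    return [java, "-jar", jar,
            "-a",                # --accept-terms: required when nobody can click through
            "-b", benchmark,     # --benchmark: path to the benchmark file
            "-p", profile,       # --profile: title of the profile to evaluate
            "-r", results_dir,   # --results-dir: the central share or mount
            "-rn", report_name,  # --report-name, no extension
            "-x", "-csv", "-n"]  # XML and CSV reports, skip the HTML one


def run_ciscat(**kwargs: str) -> int:
    """Execute CIS-CAT with the arguments above; returns the process exit status."""
    return subprocess.run(ciscat_command(**kwargs), check=False).returncode


def _local(tag: str) -> str:
    """Strip the namespace so XCCDF 1.1 and 1.2 reports are handled alike."""
    return tag.rsplit("}", 1)[-1]


def summarize_xccdf(xml_text: str) -> Dict[str, Any]:
    """Target, default score, per-result counts and failed rule ids for one report."""
    root = ET.fromstring(xml_text)
    summary: Dict[str, Any] = {"target": None, "score": None,
                               "results": Counter(), "failed": []}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "target":
            summary["target"] = (elem.text or "").strip()
        elif name == "score" and (summary["score"] is None or
                                 elem.get("system") == "urn:xccdf:scoring:default"):
            summary["score"] = float(elem.text)      # prefer the default scoring system
        elif name == "rule-result":
            result = next(((c.text or "").strip() for c in elem
                           if _local(c.tag) == "result"), "unknown")
            summary["results"][result] += 1
            if result == "fail":
                summary["failed"].append(elem.get("idref"))
    return summary


def fleet_view(reports: List[str]) -> Dict[str, Dict[str, Any]]:
    """Per-host rollup across many reports: score, pass/fail counts, failed rules."""
    view: Dict[str, Dict[str, Any]] = {}
    for s in map(summarize_xccdf, reports):
        view[s["target"]] = {"score": s["score"], "pass": s["results"]["pass"],
                             "fail": s["results"]["fail"], "failed": s["failed"]}
    return view


# Constructed minimal report in XCCDF 1.2 layout; real reports are far larger.
SAMPLE_REPORT = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2012-05-01T10:00:00">
    <target>host1.example.edu</target>
    <rule-result idref="xccdf_example_rule_1.1.1"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_1.1.2"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_1.1.3"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_1.2.1"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">33.33</score>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    print(" ".join(ciscat_command("benchmarks/rhel5.xml", "Level 1",
                                  "/mnt/ciscat-reports", "host1")))
    print(fleet_view([SAMPLE_REPORT]))
```

For the cron setup on slide 16, call `run_ciscat(...)` from the job and point results_dir at the central mount; because output is named after the host, `fleet_view` over every XML file in that directory gives the same per-host numbers the Create Dashboard menu item produces, without the GUI.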

19 SAMPLE CIS-CAT REPORT (HTML report screenshot)

20 OTHER NOTEWORTHY TOOLS
- Metasploit Community Edition
- Microsoft Baseline Security Analyzer (MBSA)
- Nexpose VA Scanner [Community Edition]
- WMIC interface
- Nikto – web application scanner
- BackTrack – Linux auditing OS distro

21 CONTACT INFORMATION
George Bailey – Office:
Josh Gillam

