Introduction to Linux Audit
Linux Architecture
© 2021 C-DAC, Hyderabad 2
OS Audit In General
• Some common OS Audit topics:
- Manage user accounts
- OS update
- Enable firewall
- Disable guest account
- Monitor logs
- Check file permissions
- Manage services
- Hardening
Manage User Accounts
• User Management becomes a critical consideration when
you want to add multiple users to the system
• If the user management on your system is not effective,
you may have to compromise the security and access of
the private and sensitive information residing on your
system
Manage User Accounts
• Search for Settings in the dashboard and click on it
Manage User Accounts
• Here, we will go to User Accounts
Manage User Accounts
OS Updates
OS Updates
Checking Ubuntu Firewall
Checking Ubuntu Firewall
Checking Password Policies
Audit Password History Policy
Account Lockout Policy
Monitor Logs
Check File Permissions
• Linux is a multi-user operating system, so it has security
to prevent people from accessing each other’s
confidential files
Check File Permissions
• View file permissions: ls -l myfile
Check File Permissions
Check File Permissions
⚫ Define access rights of various users to each file
⚫ View file permissions with the ls -l command:
drwxr-xr-x 2 elvis elvis 4096 Jan 12 18:32 Desktop
-rw-rw-r-- 1 elvis elvis 102 Jan 13 14:37 numbers
⚫ Note: 10 permission bits
- Bit 1 (leftmost): file type
- Bits 2-4 : owner’s permissions (read, write, and execute)
- Bits 5-7 : group’s permissions (read, write, and execute)
- Bits 8-10 : world’s permissions (read, write, and execute)
Check File Permissions
⚫ Use the chmod command:
chmod 777 file rwxrwxrwx
chmod 755 file rwxr-xr-x
chmod 644 file rw-r--r--
chmod 600 file rw-------
chmod 000 file ---------
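The mode column and the chmod table above can be checked mechanically. The script below is an added example, not part of the C-DAC slides: it decodes a 10-character ls -l mode into chmod's octal form, flags world-writable and setuid/setgid entries, and runs over a constructed listing (the file names and owners are made up).

```shell
#!/bin/sh
# Added example, not from the C-DAC slides: decode the 10-character mode
# column of `ls -l` into chmod's octal form and flag the modes an auditor
# checks first (world-writable files, setuid/setgid programs).
# perm_to_octal MODE  ->  "rwxr-xr-x" -> 755, "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777
perm_to_octal() {
    p=$1
    if [ ${#p} -eq 10 ]; then p=${p#?}; fi      # drop the leading file-type character
    octal=""; special=0
    for i in 1 2 3; do                          # owner, group, world triples
        t=$(printf '%s' "$p" | cut -c $((i*3-2))-$((i*3)))
        n=0
        case $t in r??) n=$((n+4));; esac
        case $t in ?w?) n=$((n+2));; esac
        case $t in ??[xst]) n=$((n+1));; esac   # lower-case s/t also imply execute
        case $t in ??[sS]) if [ $i -eq 1 ]; then special=$((special+4)); else special=$((special+2)); fi;; esac
        case $t in ??[tT]) special=$((special+1));; esac   # sticky bit on the world triple
        octal="$octal$n"
    done
    if [ $special -ne 0 ]; then octal="$special$octal"; fi
    printf '%s\n' "$octal"
}
# mode_findings MODE  ->  space-separated findings for a full 10-character mode, empty if none
mode_findings() {
    out=""
    case $1 in ????????w?) out="$out world-writable";; esac   # character 9: world write
    case $1 in ???[sS]??????) out="$out setuid";; esac        # character 4: setuid
    case $1 in ??????[sS]???) out="$out setgid";; esac        # character 7: setgid
    printf '%s\n' "${out# }"
}
# Constructed `ls -l` output (sample data, not a real listing)
SAMPLE='drwxr-xr-x 2 elvis elvis 4096 Jan 12 18:32 Desktop
-rw-rw-rw- 1 elvis elvis  102 Jan 13 14:37 numbers
-rwsr-xr-x 1 root  root  5532 Jan 10 09:00 helper
-rw-r--r-- 1 elvis elvis   58 Jan 14 10:02 notes'
# audit_listing: one line per entry that has a finding, with its octal mode
audit_listing() {
    printf '%s\n' "$SAMPLE" | while read -r mode _links owner _group _size _m _d _t name; do
        f=$(mode_findings "$mode")
        if [ -n "$f" ]; then
            printf '%s %s (%s, owner %s): %s\n' "$name" "$mode" "$(perm_to_octal "$mode")" "$owner" "$f"
        fi
    done
}
audit_listing
```

On a real system, replace SAMPLE with the output of ls -l for the directory under review.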
Checking Auditd Service Status
Managing Services
• Auditd, or the audit daemon, is the userspace component of the Linux Auditing System
• It is responsible for writing audit records to disk
User Database
• Stored in /etc/passwd
• Each line contains the account information for a single
user:
- Username
- UID
- GID
- Home directory
- Default shell
File Structure
• surendra:x:1000:1000:surendra home:/home/surendra:/bin/bash
• User login name
• Password
• UID
• GID
• Comment
• User home directory
• Default Shell
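Parsing those seven fields is the basis of an account audit. The script below is an added example, not part of the C-DAC slides: it reads constructed passwd-format lines (the logins and UIDs are made up) and reports extra UID-0 accounts, empty password fields, hashes left in the world-readable passwd file, and system accounts with a login shell.

```shell
#!/bin/sh
# Added example, not from the C-DAC slides: parse lines in /etc/passwd format
# and report what an account audit looks for. The input is constructed sample
# data embedded below, not the live /etc/passwd, so it runs anywhere.
# Constructed sample (login:password:UID:GID:comment:home:shell)
SAMPLE='root:x:0:0:root:/root:/bin/bash
surendra:x:1000:1000:surendra home:/home/surendra:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:0:1001:service account:/home/svc:/bin/sh
guest::1002:1002:guest:/home/guest:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'
# audit_passwd: one finding per line (TAG login: reason); empty output means clean
audit_passwd() {
    printf '%s\n' "$SAMPLE" | while IFS=: read -r login pw uid gid comment home shell; do
        # Any UID 0 account is a full superuser, whatever its login name
        if [ "$uid" -eq 0 ] && [ "$login" != root ]; then
            printf 'UID0 %s: second superuser account\n' "$login"
        fi
        # Empty password field = login without a password (the slides: never allow this)
        if [ -z "$pw" ]; then
            printf 'NOPASS %s: empty password field\n' "$login"
        else
            # Anything but x/*/! here is a hash sitting in the world-readable passwd file
            case $pw in x|'*'|'!'*) ;; *) printf 'HASH %s: hash in passwd, move to shadow\n' "$login";; esac
        fi
        # System accounts (UID below 1000) normally get a non-login shell
        if [ "$uid" -gt 0 ] && [ "$uid" -lt 1000 ]; then
            case $shell in */nologin|*/false) ;;
                *) printf 'SHELL %s: system account with shell %s\n' "$login" "$shell";; esac
        fi
    done
}
# dup_uids: UIDs shared by more than one account (the classic case is a second UID 0)
dup_uids() {
    printf '%s\n' "$SAMPLE" | cut -d: -f3 | sort -n | uniq -d
}
audit_passwd
dup_uids
```

To audit a real host, replace SAMPLE with the contents of /etc/passwd (readable by any user).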
Securing A Linux Server
• Best Practices:
- Patches
- Accounts
- Audit
- Services
- Firewall
- Malware defense
- Mandatory Access Controls
• Security guides and tools
Linux Patching
• As with Windows, patches for the Linux OS and its
applications and libraries are released often
• Tools:
- Debian (including Ubuntu): apt-get/aptitude
- RHEL, Fedora, CentOS: yum
Accounts
• Delete/disable unnecessary accounts
- Users settings GUI
- useradd/userdel commands
• Never have any account with no/default password
- Change all passwords to good ones
• Account policies:
- /etc/pam.d/common-password – password policies
- chage command - used to view/set the password expiration options of individual users
Logging
• Most log files are text files located in /var/log:
- auth.log - account log in and log out
- lastlog - binary file used by the lastlog program to display the most recent log in of all users
- wtmp - binary file used by the last program to display a listing of the last users logged in
• Certain applications also store their logs in
subdirectories in /var/log:
- Apache, mysql, etc
Reviewing Logs
• Manually inspect log files
- System Log Viewer GUI
• Automated tools:
- Logwatch http://www.logwatch.org
• Logcheck/Logsentry
- http://sourceforge.net/projects/sentrytools/
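Manual inspection of auth.log usually comes down to a few questions: which sources failed to log in and how often, who got in, and who used sudo for what. The script below is an added example, not part of the C-DAC slides; it answers those questions over constructed auth.log lines (host name, users and the documentation-range addresses 203.0.113.5 and 198.51.100.7 are made up).

```shell
#!/bin/sh
# Added example, not from the C-DAC slides: the kind of manual auth.log review
# the slides describe, run over constructed sample lines so it works offline.
# On a real host replace SAMPLE with the output of: sudo cat /var/log/auth.log
# Constructed auth.log excerpt (sample data; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)
SAMPLE='Jan 13 14:37:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 50222 ssh2
Jan 13 14:37:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 50223 ssh2
Jan 13 14:37:09 host sshd[1240]: Accepted publickey for elvis from 198.51.100.7 port 51000 ssh2
Jan 13 14:38:00 host sudo:    elvis : TTY=pts/0 ; PWD=/home/elvis ; USER=root ; COMMAND=/usr/bin/apt update
Jan 13 14:39:00 host sshd[1250]: Failed password for root from 203.0.113.5 port 50224 ssh2
Jan 13 14:40:12 host sshd[1251]: Failed password for elvis from 198.51.100.7 port 51002 ssh2
Jan 13 14:40:20 host sshd[1251]: Accepted password for elvis from 198.51.100.7 port 51002 ssh2'
# failed_by_source: failed SSH password attempts per source address, busiest first
failed_by_source() {
    printf '%s\n' "$SAMPLE" | awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}
# noisy_sources THRESHOLD: addresses with at least THRESHOLD failures, one per line
noisy_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}
# accepted_logins: successful SSH logins as "user method source"
accepted_logins() {
    printf '%s\n' "$SAMPLE" | awk '/sshd\[[0-9]+\]: Accepted / { print $9, $7, $11 }'
}
# sudo_commands: who ran which command as which target user
sudo_commands() {
    printf '%s\n' "$SAMPLE" | awk '/ sudo: / {
        user = $6                                   # invoking user follows "sudo:"
        sub(/.*USER=/, ""); split($0, a, " ; ")     # a[1] is the target user
        sub(/.*COMMAND=/, "")                       # the rest of the line is the command
        printf "%s as %s: %s\n", user, a[1], $0
    }'
}
echo "failed password attempts by source:"; failed_by_source
echo "sources with 3 or more failures:"; noisy_sources 3
echo "accepted logins:"; accepted_logins
echo "sudo use:"; sudo_commands
```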
Services
• Delete/disable unnecessary services and programs
- The services GUI
- Starting/stopping of all services is controlled by scripts in
/etc/rcX.d (where X is a run level 0-6)
- Use invoke-rc.d program to start/stop services immediately
sudo invoke-rc.d apache2 stop
- Use update-rc.d program to enable/disable a service at boot
time
Services
• Secure all necessary services
• Don’t install untrusted software
- Consider the source
- Consider the signature
Host-based Firewall
• Uncomplicated Firewall (ufw) – firewall configuration
utility
- $ sudo ufw allow ssh/tcp
- $ sudo ufw logging on
- $ sudo ufw enable
- $ sudo ufw status
• Rules and configuration stored in /etc/ufw
Host-based Firewall
• Block all unnecessary/unauthorized traffic
• Allow traffic to necessary services
• Other network security options:
- TCP Wrappers - network access control list
- PortSentry - protection against port scans
Malicious Software Defence
⚫ ClamAV (http://www.clamav.net/lang/en/download/packages/packages-linux/)
• Avast! (http://www.avast.com/linux-home-edition)
• AVG (http://free.avg.com/in-en/download.prd-alf)
• Chkrootkit (http://www.chkrootkit.org/)
Mandatory Access Controls
• Users (through file permissions) can define discretionary access controls (DAC) on files
• Mandatory Access Controls (MAC) are rules enforced by the system regardless of the users' DAC
• Several on-going projects:
- Security-Enhanced Linux
- GRSecurity
- Linux Intrusion Detection System
- Rule-Set Based Access Control
SELinux
• Project originally developed by the National Security Agency to implement Mandatory Access Controls within the Linux kernel
• Incorporated into the 2.6 Linux kernel
• The system checks the DAC policy, then the MAC policy, before granting access to a resource
• Ubuntu supports SELinux (but it is not installed by default)
Linux Security Guides
• Many are available
• Ubuntu Community:
https://help.ubuntu.com/community/Security
Thank You