Auditing a System
- Solaris provides the Basic Security Module (BSM) which is not turned on by default in Solaris. The BSM can be turned on by running the /etc/security/bsmconv script.
- The file /etc/security/audit_control is used to define the audit configuration.
- Complete information on this file can be found in the man pages (man audit_control).
- The command audit -n can be used to close the current audit record file and begin a new file. The command praudit <audit file name> is used to review the audit file contents.
- Extensive logging facility in syslog.
- syslog is a daemon that runs and logs information the way it is configured to do so.
- The syslog configuration is in /etc/syslog.conf file.
- Log files should only be seen by root and no one should modify the log files.
- Most syslog.conf files direct logging messages to /var/log/messages or /var/adm/log/messages. A good syslog.conf will also include the following configuration command (it tells Unix to gather information on login attempts, su attempts, reboots, and other security-related events):
- The command will also allow TCP Wrappers to log information to auth.log and ensure you create /var/log/auth.log to capture this information:
#touch /var/log/auth.log
#chown root /var/log/auth.log
#chmod 600 /var/log/auth.log
- On Solaris, if you create a file called /var/adm/loginlog you can also capture failed login attempts. Create the file as follows:
#touch /var/adm/loginlog
#chmod 600 /var/adm/loginlog
#chown root /var/adm/loginlog
#chgrp sys /var/adm/loginlog
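The touch/chown/chmod sequences above are easy to get wrong on one host out of many, so a check that the log files still have the intended owner and mode is worth keeping alongside them. The script below is an added example, not part of the original notes: it wraps the creation steps in one function and the verification in another, and is demonstrated on a temporary directory standing in for /var/log and /var/adm. It assumes GNU coreutils `stat -c` (Linux); on Solaris the owner and mode would be read with `ls -ln` instead. The chown/chgrp steps are only attempted when running as root, and the owner is compared numerically (root is UID 0).

```shell
#!/bin/sh
# Added example (not from the original notes): create security log files the
# way the notes describe and verify their owner and mode afterwards.
# Assumes GNU `stat -c` (Linux); adjust for Solaris.

# check_log_file PATH UID MODE -> 0 if PATH is a regular file owned by the
# numeric UID with exactly the octal mode MODE, 1 otherwise (reason on stderr)
check_log_file() {
    path=$1; want_uid=$2; want_mode=$3
    if [ ! -f "$path" ]; then
        echo "$path: missing" >&2; return 1
    fi
    have_uid=$(stat -c '%u' "$path")
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$path: owned by uid $have_uid, expected $want_uid" >&2; return 1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "$path: mode $have_mode, expected $want_mode" >&2; return 1
    fi
    return 0
}

# create_log_file PATH OWNER GROUP MODE -> the notes' touch/chown/chmod
# sequence; ownership changes are only attempted when running as root
create_log_file() {
    path=$1; owner=$2; group=$3; mode=$4
    touch "$path" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$path" || return 1
        chgrp "$group" "$path" 2>/dev/null || echo "warning: group $group not set on $path" >&2
    fi
    chmod "$mode" "$path"
}

# Demonstration on a temporary directory (stand-in for /var/log and /var/adm)
demo_dir=$(mktemp -d)
create_log_file "$demo_dir/auth.log" root root 600
create_log_file "$demo_dir/loginlog" root sys 600
me=$(id -u)     # the files are owned by whoever runs this demo
check_log_file "$demo_dir/auth.log" "$me" 600 && echo "auth.log: OK"
chmod 644 "$demo_dir/loginlog"          # simulate drift: log became world-readable
check_log_file "$demo_dir/loginlog" "$me" 600 || echo "loginlog: permissions drifted"
rm -rf "$demo_dir"
```

In production the second argument to `check_log_file` would be `0` (root) and the paths the real /var/log/auth.log and /var/adm/loginlog; the function returns non-zero so it can drive a cron job or a configuration-management check.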
- Ensure that /var has sufficient disk space to capture the log files.
- If /var is on the same partition with /, the root file system may get filled up if the logs get too big.
- Any file whose name begins with a dot (.) does not show up in a standard ls listing.
- If ls -a is used, all hidden files will be shown.
- Naming a directory "..." may allow it to go unnoticed.
- Adding a space after the third dot (in other words "... ") makes the directory hard to examine unless you know about the space.
- To find all of the hidden directories and files on your system, use the following command:
#find / -name '.*' -ls
SUID and SGID Files
- Files that have Set UID (SUID) or Set Group ID (SGID) permissions are allowed to change their effective user or group ID during execution.
- To find all the SUID and SGID files, issue the following commands:
#find / -type f -perm -04000 -ls
#find / -type f -perm -02000 -ls
- If SUID or SGID files are world-writable, an attacker may be able to grant himself excess privileges. To find all the world-writable files, issue the following command:
#find / -perm -2 -type f -ls
Looking for Suspicious Signs
- If the command ifconfig -a is issued while an interface is in promiscuous mode, the interface should be reported as being in the PROMISC state.
- Shows what network connections are listening on a Unix system.
- The command to use is netstat -an.
- The “n” argument tells netstat not to resolve IP addresses.
- netstat does not tell you which process is holding the port open, and without lsof, finding which process is linked to a particular port can become an arduous task.
- lsof shows a list of all the open ports and which process is holding each port open.
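Reviewing netstat -an output by eye on a busy host is error-prone, so the listening sockets are usually filtered out first and compared against the ports the host is supposed to serve. The script below is an added example, not part of the original notes: it extracts the TCP sockets in the LISTEN state from netstat -an style output and flags any listener whose port is not on an allow-list. The netstat lines are constructed sample output in the Linux column layout; Solaris prints a different layout, so the awk field numbers would need adjusting there. Mapping a flagged port back to its process is the step the notes assign to lsof and is not repeated here.

```shell
#!/bin/sh
# Added example (not from the original notes): filter `netstat -an` output
# down to TCP listeners and report any port not on an expected list.

# listening_ports -> reads netstat -an output on stdin and prints
# "proto local_address" for every TCP socket in the LISTEN state
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }'
}

# unexpected_listeners "PORT PORT ..." -> reads listening_ports output on
# stdin and prints the listeners whose port is not in the allow-list
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $2
            sub(/.*:/, "", port)        # strip everything up to the last colon
            if (!(port in ok)) print
        }'
}

# Constructed sample of `netstat -an` output (Linux layout); the 8888 listener
# stands in for a service nobody expected to find on the host
sample_netstat='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0     52 10.0.0.5:22             10.0.0.9:50214          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*'

expected_ports="22 25 80"

echo "listening TCP sockets:"
printf '%s\n' "$sample_netstat" | listening_ports
echo "listeners not in the expected set ($expected_ports):"
printf '%s\n' "$sample_netstat" | listening_ports | unexpected_listeners "$expected_ports"
```

On a live system replace the sample with `netstat -an | listening_ports | unexpected_listeners "$expected_ports"`; a non-empty result is the cue to run lsof against that port.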
- Show all of the active processes on a system.
- The best way to determine if a file has been replaced is to use a cryptographic checksum.
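A checksum is only useful for detecting a replaced file if a baseline was recorded while the system was known-good and is kept somewhere the system cannot alter it. The script below is an added example, not part of the original notes: it records a SHA-256 baseline of every regular file under a directory and later verifies the tree against it, reporting modified, missing and newly added files, and is demonstrated on a constructed scratch tree with a file that gets replaced. It assumes GNU coreutils `sha256sum` with its `-c` and `--quiet` options (Solaris 11 provides digest(1) instead; the verification logic would need adapting there). The baseline file must live outside the tree being checked.

```shell
#!/bin/sh
# Added example (not from the original notes): sha256 baseline of a directory
# tree and a verification pass that reports modified, missing and added files.
# Assumes GNU coreutils sha256sum.

# make_baseline ROOT BASELINE_FILE -> "hash  ./relative/path" for every
# regular file under ROOT, in a stable order
make_baseline() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# verify_baseline ROOT BASELINE_FILE -> 0 if the tree matches the baseline;
# otherwise prints the discrepancies and returns 1
verify_baseline() {
    root=$1; base=$2; rc=0
    # modified or missing files: --quiet makes sha256sum report only failures
    ( cd "$root" && sha256sum --quiet -c "$base" ) || rc=1
    # added files: present in the tree now but absent from the baseline
    now=$(mktemp); old=$(mktemp)
    ( cd "$root" && find . -type f -print | LC_ALL=C sort ) > "$now"
    cut -c67- "$base" | LC_ALL=C sort > "$old"   # 64 hex chars + 2 spaces
    added=$(comm -13 "$old" "$now")
    rm -f "$now" "$old"
    if [ -n "$added" ]; then
        echo "$added" | sed 's/^/ADDED: /'
        rc=1
    fi
    return $rc
}

# Demonstration on a constructed scratch tree
demo=$(mktemp -d); base=$(mktemp)
mkdir "$demo/bin"
printf 'original login binary\n' > "$demo/bin/login"
printf 'original ls binary\n' > "$demo/bin/ls"
make_baseline "$demo" "$base"
verify_baseline "$demo" "$base" && echo "clean: tree matches baseline"
printf 'replaced login binary\n' > "$demo/bin/login"   # simulate a replaced file
touch "$demo/bin/.extra"                                # simulate a dropped file
verify_baseline "$demo" "$base" || echo "tampering detected"
rm -rf "$demo" "$base"
```

The baseline is sorted so that two baselines of the same tree can also be compared with diff; in practice it is written to read-only media or copied off-host, since a baseline stored on the audited system can be regenerated by whoever replaced the file.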