Auditing Unix and Linux operating systems is the process of evaluating and assessing the security of these systems to ensure they are configured and maintained in a secure manner. The audit checks the systems against established security policies, best practices, and industry standards.
The purpose of auditing is to identify potential security risks and vulnerabilities and make recommendations for improving the security posture of the systems. The audit can cover various aspects of the system, including the configuration of the operating system, file permissions, network security, software patches and updates, user management, and data backup and recovery procedures.
Scope of a Unix/Linux OS audit:
The scope of auditing Unix and Linux operating systems can vary depending on the specific needs of an organization, but typically includes the following areas:
- Operating system configuration: Evaluating the security configuration of the Unix/Linux OS, including file permissions, system accounts, and network settings.
- User management: Reviewing the management of user accounts, passwords, and access control measures to ensure they are secure.
- Network security: Assessing the security of the network, including firewalls, routing, and remote access.
- Data backup and recovery: Evaluating the procedures in place for backing up and recovering data, including data integrity and confidentiality.
- Software patches and updates: Checking for and installing the latest software patches and updates to address known vulnerabilities.
- Physical security: Evaluating the physical security of the systems, including access controls, environmental controls, and backup power.
- Logs and event management: Reviewing the logs and events generated by the systems to identify potential security incidents.
Tools and Technology
- Nessus
- NMAP
- Chkrootkit
- Crack and John the Ripper
- Tiger and TARA
- Shell/Awk/etc
Steps of Auditing Unix and Linux operating systems
Technically, the audit steps are divided into five sections:
- Account management and password controls
- File security and controls
- Network security and controls
- Audit logs
- Security monitoring and general controls
The operations involved in auditing Unix and Linux operating systems typically include the following steps:
- Preparation: Gathering information about the systems to be audited, including network diagrams, inventory of software and hardware, and documentation of policies and procedures.
- Scanning: Conducting initial scans to identify open ports, installed software, and other details about the systems.
- Assessment: Evaluating the systems against established security policies and best practices, including analyzing system configuration files, user accounts, and permissions, network security, and data backup and recovery procedures.
- Testing: Verifying the findings of the assessment by conducting penetration testing, vulnerability scans, or other methods to simulate real-world attacks and identify any security weaknesses.
- Reporting: Documenting the findings of the audit and providing recommendations for improving the security posture of the systems.
- Remediation: Implementing the recommendations made during the audit to improve the security of the systems.
- Follow-up: Performing follow-up assessments to verify that the remediation efforts have been successful and that the systems remain secure.
Checklist for Auditing Account Management and Password Controls
- Review and evaluate procedures for creating Unix or Linux user accounts and ensure that accounts are created only when there’s a legitimate business need. Also, review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.
- Ensure that all UIDs in the password file(s) are unique.
- Ensure that passwords are shadowed and use strong hashes where possible.
- Evaluate the file permissions for the password and shadow password files.
- Review and evaluate the strength of system passwords.
- Evaluate the use of password controls such as aging.
- Review the process used by the system administrator(s) for setting initial passwords for new users and communicating those passwords.
- Ensure that each account is associated with and can be traced easily to a specific employee.
- Ensure that invalid shells have been placed on all disabled accounts.
- Review and evaluate access to superuser (“root”-level) accounts and other administrative accounts.
- Review and evaluate the use of groups, and determine the restrictiveness of their use.
- Evaluate the use of passwords at the group level.
- Review and evaluate the security of directories in the default path used by the system administrator when adding new users. Evaluate the use of the “current directory” in the path.
- Review and evaluate the security of directories in the root’s path. Evaluate the use of the “current directory” in the path.
- Review and evaluate the security of user home directories and config files. They generally should be writable only by the owner.
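The following shell script is an added example, not code from the original checklist. It turns the account-management items above (unique UIDs, shadowed and strongly hashed passwords, permissions on the password files, invalid shells on disabled accounts, and extra root-level accounts) into checks that run over a constructed passwd/shadow fixture written to a temporary directory, so it works offline. All account names, UIDs and hash strings in the fixture are made up; to review a real host, point the same functions at /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit helpers for the
# account-management items above, run against a constructed passwd/shadow
# fixture so the script works offline. To review a real host, point the
# functions at /etc/passwd and /etc/shadow (reading shadow needs root).
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

# Constructed fixture: a duplicate UID (1001), a second UID-0 account,
# a hash stored directly in passwd, and two disabled users with live shells.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
backup:x:0:0:legacy backup:/root:/bin/sh
oldguy:x:1003:1003:left company:/home/oldguy:/bin/bash
legacy:$1$saltsalt$notshadowedhash:1004:1004::/home/legacy:/bin/sh
EOF

# Constructed fixture: bob still has an MD5-crypt ($1$) hash; backup and
# oldguy are locked with "!"/"!!"; daemon is locked with "*".
cat > "$SHADOW" <<'EOF'
root:$6$rounds$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$rounds$fakehash:19000:0:99999:7:::
bob:$1$salt$fakehash:19000:0:99999:7:::
carol:$6$rounds$fakehash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
oldguy:!!:19000:0:99999:7:::
EOF
chmod 644 "$PASSWD"
chmod 644 "$SHADOW"   # deliberately too open so the permission check fires

# UIDs that occur more than once in the passwd file.
duplicate_uids() { cut -d: -f3 "$1" | LC_ALL=C sort | uniq -d; }

# Accounts other than root that carry UID 0 (extra superusers).
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Accounts whose passwd entry holds a hash instead of the "x" shadow marker.
unshadowed_accounts() { awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"; }

# Usable shadow hashes that are not SHA-512 ($6$), SHA-256 ($5$),
# yescrypt ($y$) or bcrypt ($2...$); locked and empty fields are skipped.
weak_hash_accounts() {
  awk -F: '{
    h = $2
    if (h == "" || h == "*" || h == "!" || h == "!!") next
    p3 = substr(h, 1, 3)
    if (p3 == "$6$" || p3 == "$5$" || p3 == "$y$" || substr(h, 1, 2) == "$2") next
    print $1
  }' "$1"
}

# Locked accounts (shadow field starting with ! or *) that still have a
# login shell; the checklist wants an invalid shell on every disabled account.
locked_with_login_shell() {
  awk -F: 'NR == FNR { if ($2 ~ /^[!*]/) locked[$1] = 1; next }
           ($1 in locked) && $7 !~ /(nologin|false)$/ { print $1 }' "$2" "$1"
}

# Prints each named file whose mode grants read access to "other".
world_readable() { find "$@" -maxdepth 0 -perm -004; }

# Human-readable summary when the script is run directly.
report() {
  echo "duplicate UIDs:            $(duplicate_uids "$PASSWD" | tr '\n' ' ')"
  echo "extra UID-0 accounts:      $(extra_uid0_accounts "$PASSWD" | tr '\n' ' ')"
  echo "unshadowed hashes:         $(unshadowed_accounts "$PASSWD" | tr '\n' ' ')"
  echo "weak hash algorithms:      $(weak_hash_accounts "$SHADOW" | tr '\n' ' ')"
  echo "locked but shell enabled:  $(locked_with_login_shell "$PASSWD" "$SHADOW" | tr '\n' ' ')"
  echo "world-readable files:      $(world_readable "$PASSWD" "$SHADOW" | tr '\n' ' ')"
}
report
```

Each function prints one finding per line, so the output can be pasted straight into the audit workpapers; an empty result for a check means that item passed on the fixture. The hash-algorithm check treats anything other than the four modern crypt formats as a finding, which is deliberately strict: an environment that still relies on DES or MD5-crypt hashes should appear in the report.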
Checklist for Auditing File Security and Controls
- Evaluate the file permissions for a judgmental sample of critical files and their related directories.
- Look for open directories (directories with permission set to drwxrwxrwx) on the system, and determine whether they should have the sticky bit set.
- Evaluate the security of all SUID files on the system, especially those that are SUID to “root.”
- Review and evaluate security over the kernel.
- Ensure that all files have a legal owner in the /etc/passwd file.
- Ensure that the chown command cannot be used by users to compromise user accounts.
- Obtain and evaluate the default umask value for the server.
- Examine the system’s crontabs, especially the “root” crontab, for unusual or suspicious entries.
- Review the security of the files referenced within crontab entries, particularly the root crontab. Ensure that the entries refer to files that are owned by and writable only by the owner of the crontab and that those files are located in directories that are owned by and writable only by the owner of the crontab.
- Examine the system’s scheduled at jobs for unusual or suspicious entries.
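As an added example (not code from the original checklist), the script below implements three of the file-security items above: finding world-writable directories that lack the sticky bit, inventorying SUID files, and checking that the files referenced from a crontab, and their parent directories, are not writable by anyone but the owner. It builds a small constructed directory tree and crontab in a temporary location so it runs offline without root; on a real system the same functions would be called with / and with the root crontab.

```shell
#!/bin/sh
# Added example (not from the original checklist): checks for the
# file-security items above, run over a constructed directory tree so it
# works offline. On a real host, call the functions with / and with the
# crontab files under /etc/cron* or saved "crontab -l" output.
set -u

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Constructed fixture tree: a proper sticky tmp, a world-writable share
# without the sticky bit, two SUID binaries, and a world-writable cron target.
mkdir -p "$ROOT/tmp" "$ROOT/shared" "$ROOT/opt" "$ROOT/usr/bin" "$ROOT/usr/local/bin"
chmod 1777 "$ROOT/tmp"
chmod 777  "$ROOT/shared"
chmod 755  "$ROOT/opt" "$ROOT/usr/bin" "$ROOT/usr/local/bin"
for f in usr/bin/passwd opt/tool opt/backup.sh usr/local/bin/rotate.sh; do
  printf '#!/bin/sh\nexit 0\n' > "$ROOT/$f"
done
chmod 4755 "$ROOT/usr/bin/passwd" "$ROOT/opt/tool"
chmod 777  "$ROOT/opt/backup.sh"
chmod 755  "$ROOT/usr/local/bin/rotate.sh"

# Constructed root crontab referencing the files above.
CRON="$ROOT/root.crontab"
cat > "$CRON" <<EOF
# constructed root crontab
SHELL=/bin/sh
0 2 * * * $ROOT/opt/backup.sh --full
30 4 * * 0 $ROOT/usr/local/bin/rotate.sh
@reboot $ROOT/opt/tool --daemon
EOF

# World-writable directories that lack the sticky bit (mode drwxrwxrwx).
open_dirs_without_sticky() { find "$1" -type d -perm -002 ! -perm -1000; }

# Every SUID file under the given root; compare against the package baseline.
suid_files() { find "$1" -type f -perm -4000; }

# Absolute command paths referenced by a crontab, including @reboot-style lines.
crontab_targets() {
  awk 'NF > 0 && $1 !~ /^#/ {
    cmd = ($1 ~ /^@/) ? $2 : $6
    if (cmd ~ /^\//) print cmd
  }' "$1"
}

# Cron targets, or their parent directories, writable by group or other.
writable_crontab_targets() {
  crontab_targets "$1" | while read -r f; do
    [ -e "$f" ] || continue
    for p in "$f" "$(dirname "$f")"; do
      find "$p" -maxdepth 0 \( -perm -020 -o -perm -002 \)
    done
  done
}

report() {
  echo "open dirs w/o sticky bit: $(open_dirs_without_sticky "$ROOT" | tr '\n' ' ')"
  echo "SUID files:               $(suid_files "$ROOT" | LC_ALL=C sort | tr '\n' ' ')"
  echo "writable cron targets:    $(writable_crontab_targets "$CRON" | tr '\n' ' ')"
  echo "default umask:            $(umask)"
}
report
```

The crontab check only examines the first token of each command, which is enough for the common case of a job that runs a script by absolute path; jobs that chain several commands or rely on PATH lookups need a manual read of the entry, which is exactly what the checklist item asks for anyway.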
Checklist for Auditing Network Security and Controls
- Determine what network services are enabled on the system, and validate their necessity with the system administrator. For necessary services, review and evaluate procedures for assessing vulnerabilities associated with those services and keeping them patched.
- Execute a network vulnerability scanning tool to check for current vulnerabilities in the environment.
- Review and evaluate the use of trusted access via the /etc/hosts.equiv file and user .rhosts files. Ensure that trusted access is not used or, if deemed to be absolutely necessary, is restricted to the extent possible.
- Review and evaluate the usage of trusted access via SSH keys.
- If anonymous FTP is enabled and genuinely needed, ensure that it is locked down properly.
- If NFS is enabled and genuinely needed, ensure that it is secured properly.
- Review for the use of secure protocols.
- Review and evaluate the use of .netrc files.
- Ensure that a legal warning banner is displayed when a user connects to the system.
- Review and evaluate the use of modems on the server.
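The script below is an added example and not part of the original checklist. It covers the trusted-access items above: it locates hosts.equiv, .rhosts and .netrc files, flags r-command trust files that use the "+" wildcard (trust for any host or any user), finds .netrc files that store a password, and lists authorized_keys entries that carry no from= source restriction. Everything runs over a constructed tree in a temporary directory (the key material and the .netrc credential are placeholders); on a real host the functions would be run against / and each user's ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example (not from the original checklist): locates and reviews the
# trusted-access files named above (hosts.equiv, .rhosts, .netrc) and the
# restrictions on SSH authorized_keys entries. It runs over a constructed
# tree so it works offline; on a real host call the functions with / and
# with each user's ~/.ssh/authorized_keys.
set -u

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/home/alice/.ssh" "$ROOT/home/bob"

# Constructed fixture: a wildcard hosts.equiv, a host-specific .rhosts,
# a .netrc with a stored password, and three keys of which only one is restricted.
printf '+ +\n' > "$ROOT/etc/hosts.equiv"
printf 'build01 deploy\n' > "$ROOT/home/bob/.rhosts"
printf 'machine ftp.example.test login bob password not-a-real-secret\n' > "$ROOT/home/bob/.netrc"
cat > "$ROOT/home/alice/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3FAKEKEYDATA1 alice@laptop
from="10.0.0.0/24",command="/usr/local/bin/backup-only" ssh-ed25519 AAAAC3FAKEKEYDATA2 backup@host
# old key kept for reference
ssh-rsa AAAAB3FAKEKEYDATA3 old-contractor
EOF

# All r-command and .netrc trust files under the given root, sorted.
trust_files() {
  find "$1" -type f \( -name hosts.equiv -o -name shosts.equiv \
       -o -name .rhosts -o -name .shosts -o -name .netrc \) | LC_ALL=C sort
}

# hosts.equiv/.rhosts files containing a "+" wildcard for host or user,
# i.e. trust granted to any host or any user.
wildcard_trust() {
  trust_files "$1" | while read -r f; do
    case "$f" in */.netrc) continue ;; esac
    awk 'NF > 0 && $1 !~ /^#/ && ($1 == "+" || $2 == "+") { print FILENAME; exit }' "$f"
  done
}

# .netrc files that store a password in clear text.
netrc_with_passwords() {
  find "$1" -type f -name .netrc | while read -r f; do
    awk '/(^|[[:space:]])password[[:space:]]/ { print FILENAME; exit }' "$f"
  done
}

# authorized_keys entries with no from= source restriction; prints the key comment.
unrestricted_keys() {
  awk 'NF > 0 && $1 !~ /^#/ && $0 !~ /(^|[ ,])from=/ { print $NF }' "$1"
}

report() {
  echo "trust files:        $(trust_files "$ROOT" | tr '\n' ' ')"
  echo "wildcard trust:     $(wildcard_trust "$ROOT" | tr '\n' ' ')"
  echo "netrc passwords:    $(netrc_with_passwords "$ROOT" | tr '\n' ' ')"
  echo "unrestricted keys:  $(unrestricted_keys "$ROOT/home/alice/.ssh/authorized_keys" | tr '\n' ' ')"
}
report
```

A key without from= is not automatically a finding, but each one should be traceable to a current person or system, which is why the function prints the key comment: an entry such as "old-contractor" is the kind of stale trust the checklist is looking for.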
Checklist for Auditing Audit Logs
- Review controls for preventing direct “root” logins.
- Review the su and sudo command logs to ensure that when these commands are used, they are logged with the date, time, and user who typed the command.
- Evaluate the syslog to ensure that adequate information is being captured.
- Evaluate the security and retention of the wtmp log, sulog, syslog, and any other relevant audit logs.
- Evaluate security over the utmp file.
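As an added example, not code from the original checklist, the script below works through the audit-log items above on a constructed sample: it extracts the date, time, invoking user and command from sudo log lines, pulls out failed su and sudo attempts, reports successful direct root logins over SSH, and reads the effective PermitRootLogin setting from an sshd_config excerpt. The log lines, host name and sshd_config contents are all made up; on a real host the functions would be pointed at /var/log/auth.log or /var/log/secure and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original checklist): reviews the audit-log items
# above against constructed syslog lines and a constructed sshd_config excerpt,
# so it runs offline. On a real host, point the functions at /var/log/auth.log
# (or /var/log/secure) and /etc/ssh/sshd_config.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/auth.log"
SSHD="$WORK/sshd_config"

# Constructed log sample in the usual syslog layout for sudo, su and sshd.
cat > "$LOG" <<'EOF'
Mar  3 10:15:22 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd
Mar  3 10:16:01 host1 su[1234]: (to root) bob on pts/1
Mar  3 10:20:45 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:22:10 host1 sshd[999]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Mar  3 10:25:00 host1 su[1300]: FAILED SU (to root) carol on pts/2
Mar  3 10:30:00 host1 sshd[1010]: Accepted password for root from 10.0.0.9 port 51000 ssh2
EOF

# Constructed sshd_config: the commented default is overridden by an explicit "yes".
cat > "$SSHD" <<'EOF'
# constructed excerpt
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF

# One line per sudo invocation: syslog timestamp, invoking user, command.
# This is the date/time/user/command record the checklist asks for.
sudo_commands() {
  awk '/ sudo(\[[0-9]+])?: / && /COMMAND=/ {
    ts = $1 " " $2 " " $3
    rest = $0; sub(/^.* sudo(\[[0-9]+])?: +/, "", rest)
    user = rest; sub(/ :.*$/, "", user)
    cmd = rest; sub(/^.*COMMAND=/, "", cmd)
    print ts "\t" user "\t" cmd
  }' "$1"
}

# Failed privilege escalations through sudo or su.
failed_escalations() { awk '/incorrect password attempts/ || /FAILED SU/' "$1"; }

# Successful direct root logins over SSH, which the controls should prevent.
direct_root_logins() { awk '/sshd/ && /Accepted [a-z]+ for root /' "$1"; }

# Effective PermitRootLogin: sshd keeps the first value it reads, so the
# first uncommented occurrence wins. Prints "unset" when it never appears.
permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
       END { if (!found) print "unset" }' "$1"
}

report() {
  echo "sudo commands:"; sudo_commands "$LOG"
  echo "failed escalations:"; failed_escalations "$LOG"
  echo "direct root logins:"; direct_root_logins "$LOG"
  echo "PermitRootLogin: $(permit_root_login "$SSHD")"
}
report
```

Two points worth keeping in mind when using this on real logs: the syslog timestamp carries no year, so retention reviews need the file's rotation dates as well, and sudo records a failed attempt together with the command that was refused, so the sudo_commands output intentionally includes the refused entry rather than hiding it.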
Checklist for Auditing Security Monitoring and General Controls
- Review and evaluate system administrator procedures for monitoring the state of security on the system.
- If you are auditing a larger Unix/Linux environment (as opposed to one or two isolated systems), determine whether a standard build exists for new systems and whether that baseline has adequate security settings. Consider auditing a system freshly created from the baseline.
- Perform steps from Chapter 4 as they pertain to the system you are auditing.
Conclusion:
The Unix/Linux OS was thoroughly evaluated and found to be in compliance with established security policies and best practices. Recommendations were made to further improve the system’s security posture, including patches for known vulnerabilities, strengthening of user permissions and access control measures, and review of data backup and recovery procedures. Overall, the audit highlights the importance of maintaining the security of Unix/Linux systems and provides practical steps to enhance their security posture.