This chapter covers several methods for auditing Unix hosts and their variants. The most important things to take away are the concepts: because there are so many variants, it is impossible to list every configuration you will run across, so apply the intent of each step to the system in front of you. Here is a list of the items we reviewed in this chapter:
Checklist for Auditing Account Management and Password Controls
1. Review and evaluate procedures for creating Unix or Linux user accounts and ensure that accounts are created only when there is a legitimate business need. Also review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.
2. Ensure that all UIDs in the password file(s) are unique.
3. Ensure that passwords are shadowed and use strong hashes where possible.
4. Evaluate the file permissions for the password and shadow password files.
5. Review and evaluate the strength of system passwords.
6. Evaluate the use of password controls such as aging.
7. Review the process used by the system administrator(s) for setting initial passwords for new users and communicating those passwords.
8. Ensure that each account is associated with and can be traced easily to a specific employee.
9. Ensure that invalid (non-login) shells have been placed on all disabled accounts.
10. Review and evaluate superuser (root-level) access.
11. Review and evaluate the use of groups, and determine the restrictiveness of their use.
12. Evaluate the use of passwords at the group level.
13. Review and evaluate the security of directories in the default path used by the system administrator when adding new users. Evaluate the use of the "current directory" in the path.
14. Review and evaluate the security of directories in root's path. Evaluate the use of the "current directory" in the path.
15. Review and evaluate the security of user home directories and configuration files. They generally should be writable only by the owner.
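Most of the account checks in this list can be scripted. The following is an added example written for this page, not code from the chapter: it runs against constructed copies of the passwd and shadow files (the user names, UIDs and hashes are made up) and assumes Linux-style field layouts and glibc hash prefixes, which differ on other Unix variants. On a live host, point the functions at the real files as root.

```shell
#!/bin/sh
# Added example, not from the chapter: account and password-control checks.
# It runs against constructed copies of /etc/passwd and /etc/shadow so that it
# works offline; on a live Linux host point the functions at the real files as
# root. Field layouts and hash prefixes follow Linux/glibc conventions (an
# assumption: other Unix variants store this differently, e.g. AIX keeps the
# hashes in /etc/security/passwd).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data; the hashes are placeholders, not real ones.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
operator:x:0:0:ops helper:/root:/bin/sh
olduser:x:1000:1000:left company:/home/olduser:/bin/bash
svc:$6$salt$hashinpasswd:1002:1002:service:/srv/svc:/bin/sh
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
bob:$1$salt$md5hash:19000:0:99999:7:::
operator:$6$salt$hash:19000:0:99999:7:::
olduser:!:19000:0:99999:7:::
svc::19000:0:99999:7:::
EOF
chmod 644 "$WORK/passwd"
chmod 640 "$WORK/shadow"
cp "$WORK/shadow" "$WORK/shadow-backup"; chmod 644 "$WORK/shadow-backup"  # a careless backup copy
mkdir -p "$WORK/home/alice" "$WORK/home/bob"
chmod 755 "$WORK/home/alice"; chmod 775 "$WORK/home/bob"
: > "$WORK/home/alice/.bashrc"; chmod 664 "$WORK/home/alice/.bashrc"

# Every UID should belong to exactly one account.
duplicate_uids() {
  awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Any UID 0 account other than root is a second root.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# A hash in the passwd file itself means that account is not shadowed.
unshadowed() { awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"; }

# Empty hashes, and anything other than SHA-256/512, bcrypt, scrypt or
# yescrypt ($5$, $6$, $2x$, $7$, $y$), i.e. DES or MD5. "*" and "!" are locked.
weak_hashes() {
  awk -F: '$2 == ""     { print $1 ":EMPTY"; next }
           $2 ~ /^[!*]/ { next }
           $2 !~ /^[$](5|6|7|y|2[abxy]?)[$]/ { print $1 ":" substr($2, 1, 3) }' "$1"
}

# Disabled accounts (locked hash) must also have a non-login shell.
locked_with_shell() {
  awk -F: 'NR == FNR { if ($2 ~ /^[!*]/) locked[$1] = 1; next }
           ($1 in locked) && $7 !~ /(nologin|false)$/ { print $1 }' "$2" "$1"
}

# find -perm -MODE is true when all of the given bits are set.
group_or_world_writable() { find "$@" -prune \( -perm -020 -o -perm -002 \); }
world_readable()          { find "$@" -prune -perm -004; }

# "." or an empty element (leading, trailing or doubled colon) puts the current
# directory in the search path, so a planted "ls" in /tmp runs as whoever cd's there.
path_has_cwd() {
  printf '%s\n' "$1" | tr ':' '\n' |
    awk '$0 == "." || $0 == "" { bad = 1 } END { print (bad ? "unsafe" : "ok") }'
}

# Home directories and the dot files in them should be writable only by the owner.
writable_home_items() {
  for d in "$1"/*; do
    [ -d "$d" ] || continue
    find "$d" -prune \( -perm -020 -o -perm -002 \)
    find "$d" -name '.*' \( -perm -020 -o -perm -002 \)
  done
}

echo "duplicate UIDs:          $(duplicate_uids "$WORK/passwd" | tr '\n' ' ')"
echo "extra UID 0 accounts:    $(extra_uid0 "$WORK/passwd")"
echo "not shadowed:            $(unshadowed "$WORK/passwd")"
echo "weak or empty hashes:    $(weak_hashes "$WORK/shadow" | tr '\n' ' ')"
echo "locked but login shell:  $(locked_with_shell "$WORK/passwd" "$WORK/shadow")"
echo "world-readable shadow:   $(world_readable "$WORK/shadow" "$WORK/shadow-backup")"
echo "group/world-writable:    $(group_or_world_writable "$WORK/passwd" "$WORK/shadow")"
echo "root PATH with cwd:      $(path_has_cwd '/usr/local/sbin:/usr/sbin:/sbin:')"
echo "writable home items:     $(writable_home_items "$WORK/home" | tr '\n' ' ')"
```

Two findings in the sample are easy to miss by eye: the trailing colon in the PATH is an implicit current directory, and the world-readable copy of shadow is as good as the original to a password cracker, so the permission check has to cover backups and not just the canonical file.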
Checklist for Auditing File Security and Controls
16. Evaluate the file permissions for a judgmental sample of critical files and their related directories.
17. Look for open directories (directories with permissions set to drwxrwxrwx) on the system, and determine whether they should have the sticky bit set.
18. Evaluate the security of all SUID files on the system, especially those that are SUID to "root."
19. Review and evaluate security over the kernel.
20. Ensure that all files have a legal owner in the /etc/passwd file.
21. Ensure that the chown command cannot be used by unprivileged users to give away ownership of their files and thereby compromise other users' accounts.
22. Obtain and evaluate the default umask value for the server.
23. Examine the system's crontabs, especially root's, for unusual or suspicious entries.
24. Review the security of the files referenced within crontab entries, particularly root's. Ensure that the entries refer to files that are owned by and writable only by the owner of the crontab. Also ensure that no cron jobs are being run from open directories (permissions set to drwxrwxrwx).
25. Examine the system's scheduled at jobs for unusual or suspicious entries.
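The open-directory, SUID, ownership, umask and crontab steps above come down to a handful of find expressions and a crontab parser. The following is an added example written for this page, not code from the chapter: it builds a small constructed directory tree and a made-up root crontab so it can run offline, and assumes GNU or BSD find (for -nouser, -nogroup and -perm -1000) and a POSIX shell whose arithmetic reads a leading 0 as octal. On a live host the same expressions are run from / with -xdev, against the real crontabs.

```shell
#!/bin/sh
# Added example, not from the chapter: file-security checks run against a
# constructed directory tree so that they work offline. On a live host run the
# same find expressions from / with -xdev (one file system at a time), and
# substitute the real crontabs (crontab -l -u root, /etc/cron.d). Every path
# and crontab entry below is made up for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin" "$WORK/opendir" "$WORK/sticky"
chmod 0755 "$WORK/bin"
chmod 0777 "$WORK/opendir"   # world writable without the sticky bit: anyone can replace others' files
chmod 1777 "$WORK/sticky"    # world writable with the sticky bit, like /tmp
printf '#!/bin/sh\necho backup\n'  > "$WORK/bin/backup.sh";      chmod 0775 "$WORK/bin/backup.sh"      # group writable
printf '#!/bin/sh\necho cleanup\n' > "$WORK/opendir/cleanup.sh"; chmod 0755 "$WORK/opendir/cleanup.sh"
printf '#!/bin/sh\n'               > "$WORK/bin/helper";         chmod 4755 "$WORK/bin/helper"         # SUID
cat > "$WORK/root.crontab" <<EOF
# constructed sample of root's crontab
SHELL=/bin/sh
MAILTO=root
0 3 * * * $WORK/bin/backup.sh >/dev/null 2>&1
*/5 * * * * $WORK/opendir/cleanup.sh
@reboot $WORK/bin/missing.sh
30 2 * * 0 find /tmp -type f -mtime +7 -delete
EOF

# Open directories: world writable and no sticky bit (-perm -1000), so any
# user can delete or replace any other user's files there.
open_dirs() { find "$1" -type d -perm -002 ! -perm -1000; }

# SUID and SGID files; on a live host add "-user root" to isolate the root ones.
suid_sgid_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \); }

# Files whose owner or group is missing from /etc/passwd or /etc/group.
orphan_files() { find "$1" \( -nouser -o -nogroup \); }

# A umask is adequate when it clears both write bits for group and other
# (022 or stricter); the leading 0 makes shell arithmetic read it as octal.
umask_ok() { if [ $(( 0$1 & 022 )) -eq 18 ]; then echo ok; else echo weak; fi; }

# The executable each crontab entry runs: skip comments and VAR=value lines,
# take field 6 after a five-field schedule or field 2 after @reboot and friends.
cron_commands() {
  awk '/^[[:space:]]*(#|$)/ { next }
       /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
       $1 ~ /^@/ { print $2; next }
       { print $6 }' "$1"
}

# Each command should be an absolute path to an existing file that is owned by
# the crontab owner, writable only by that owner, and not in an open directory.
# A relative command depends on cron's PATH, a weaker form of the same risk.
cron_findings() {
  crontab=$1; owner=$2
  cron_commands "$crontab" | while IFS= read -r cmd; do
    flags=""
    case $cmd in
      /*) ;;
      *)  echo "$cmd RELATIVE_PATH"; continue ;;
    esac
    if [ ! -e "$cmd" ]; then echo "$cmd MISSING"; continue; fi
    if [ -n "$(find "$cmd" -prune ! -user "$owner")" ]; then flags="$flags NOT_OWNED_BY_$owner"; fi
    if [ -n "$(find "$cmd" -prune \( -perm -020 -o -perm -002 \))" ]; then flags="$flags WRITABLE"; fi
    if [ -n "$(find "$(dirname "$cmd")" -prune -perm -002 ! -perm -1000)" ]; then flags="$flags OPEN_DIR"; fi
    if [ -n "$flags" ]; then echo "$cmd$flags"; fi
  done
}

echo "open directories:  $(open_dirs "$WORK" | tr '\n' ' ')"
echo "SUID/SGID files:   $(suid_sgid_files "$WORK" | tr '\n' ' ')"
echo "orphaned files:    $(orphan_files "$WORK" | tr '\n' ' ')"
echo "umask 022: $(umask_ok 022)   umask 027: $(umask_ok 027)   umask 002: $(umask_ok 002)"
echo "root crontab findings (assuming root should own every target):"
cron_findings "$WORK/root.crontab" root | sed 's/^/  /'
```

The crontab check is the one most often done superficially: a script that is itself 0755 but sits in a 0777 directory can be swapped out by any user, and a missing target or a bare command name such as find means whatever lands first in the directory or in cron's PATH runs as root.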
Checklist for Auditing Network Security and Controls
26. Determine what network services are enabled on the system, and validate their necessity with the system administrator. For necessary services, review and evaluate procedures for assessing vulnerabilities associated with those services and keeping them patched.
27. Execute a network vulnerability-scanning tool in order to check for current vulnerabilities in the environment.
28. Review and evaluate the use of trusted access via the /etc/hosts.equiv file and user .rhosts files. Ensure that trusted access is not used or, if deemed to be absolutely necessary, is restricted to the extent possible.
29. If anonymous FTP is enabled and genuinely needed, ensure that it is locked down properly.
30. If NFS is enabled and genuinely needed, ensure that it is secured properly.
31. Review the use of secure protocols (such as SSH and SFTP in place of clear-text telnet, rsh, and FTP).
32. Review and evaluate the use of .netrc files.
33. Ensure that a legal warning banner is displayed when connecting to the system.
34. Review and evaluate the use of modems on the server.
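The file-based parts of the network checklist (inetd services, hosts.equiv and .rhosts trust, NFS exports and .netrc files) can be reviewed with the script below. It is an added example written for this page, not code from the chapter: it runs on constructed copies of the configuration files (the host names, paths and credentials are made up) and assumes classic inetd.conf and Linux /etc/exports syntax. Enumerating the live listening services themselves is done on the host with ss -tulpn (Linux) or netstat -an, and from outside with a port scanner.

```shell
#!/bin/sh
# Added example, not from the chapter: checks for enabled inetd services,
# trusted-host access, NFS exports and .netrc files, run against constructed
# copies of the configuration files so that it works offline. On a live host
# substitute /etc/inetd.conf, /etc/hosts.equiv, /etc/exports and each home
# directory's .rhosts and .netrc. All names and paths below are made up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/home/alice"

cat > "$WORK/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root   /usr/sbin/tcpd   in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd   in.telnetd
shell   stream tcp nowait root   /usr/sbin/tcpd   in.rshd
ident   stream tcp wait   identd /usr/sbin/identd identd
EOF
cat > "$WORK/hosts.equiv" <<'EOF'
build01.example.internal
+ +
EOF
printf '+\n' > "$WORK/home/alice/.rhosts"
cat > "$WORK/exports" <<'EOF'
# constructed sample
/srv/share    10.0.0.0/24(rw,sync,root_squash)
/export/pub   *(ro,sync)
/export/home  (rw,no_root_squash)
/export/data  10.0.0.5(rw,insecure)
EOF
printf 'machine ftp.example.internal login alice password placeholder\n' > "$WORK/home/alice/.netrc"
chmod 644 "$WORK/home/alice/.netrc"

# Services still enabled in inetd.conf. rsh, rlogin and rexec appear under
# their service names shell, login and exec; the flagged ones send credentials
# in clear text or rely on host trust instead of authentication.
inetd_findings() {
  awk '/^[[:space:]]*(#|$)/ { next }
       { risk = ($1 ~ /^(telnet|ftp|shell|login|exec|tftp|finger)$/) ? " CLEARTEXT_OR_TRUST" : ""
         print $1 risk }' "$1"
}

# hosts.equiv and .rhosts entries. A "+" in the host or user field trusts every
# host or every user; "+ +" trusts everyone, and on root's account that is remote root.
trusted_hosts_findings() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    awk -v f="$f" '/^[[:space:]]*(#|$)/ { next }
      { wild = ($1 == "+" || $2 == "+") ? " WILDCARD" : ""; print f ": " $0 wild }' "$f"
  done
}

# /etc/exports. An empty or "*" host list exports to everyone; note that
# "/path (rw)" with a space before the parenthesis exports to the world with
# those options, a classic mistake. no_root_squash lets client root act as
# root on the server, and insecure accepts requests from unprivileged ports.
exports_findings() {
  awk '/^[[:space:]]*(#|$)/ { next }
    {
      path = $1; flags = ""
      if (NF < 2) flags = " WORLD"
      for (i = 2; i <= NF; i++) {
        host = $i; opts = ""
        if (match(host, /\(.*\)/)) { opts = substr(host, RSTART + 1, RLENGTH - 2); host = substr(host, 1, RSTART - 1) }
        if (host == "" || host == "*") flags = flags " WORLD"
        if (opts ~ /(^|,)no_root_squash(,|$)/) flags = flags " NO_ROOT_SQUASH"
        if (opts ~ /(^|,)insecure(,|$)/) flags = flags " INSECURE"
      }
      if (flags != "") print path flags
    }' "$1"
}

# .netrc files hold clear-text credentials; report ones that contain a password
# and ones readable by group or others. Only the mode is reported, not the content.
netrc_findings() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    note=""
    if grep -qi 'password' "$f"; then note=" CLEARTEXT_PASSWORD"; fi
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then note="$note READABLE_BY_OTHERS"; fi
    echo "$f$note"
  done
}

echo "inetd services:";  inetd_findings "$WORK/inetd.conf" | sed 's/^/  /'
echo "trusted hosts:";   trusted_hosts_findings "$WORK/hosts.equiv" "$WORK/home/alice/.rhosts" | sed 's/^/  /'
echo "NFS exports:";     exports_findings "$WORK/exports" | sed 's/^/  /'
echo ".netrc files:";    netrc_findings "$WORK/home/alice/.netrc" | sed 's/^/  /'
```

On a real host the .rhosts and .netrc loops are fed from every home directory listed in the passwd file (and root's), not just /home, since service accounts with unusual home directories are where stale trust files tend to survive.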
Checklist for Auditing Audit Logs
35. Review controls for preventing direct "root" logins.
36. Review the su and sudo command logs to ensure that when these commands are used, they are logged with the date, time, and the user who typed the command.
37. Evaluate the syslog configuration in order to ensure that adequate information is being captured.
38. Evaluate the security and retention of the wtmp log, sulog, syslog, and any other relevant audit logs.
39. Evaluate security over the utmp file.
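The following is an added example written for this page, not code from the chapter, covering the root-login, su/sudo logging and log-permission steps above. It runs on a constructed sshd_config, a made-up auth log and a sandbox log directory so it works offline, and assumes Linux conventions: sshd_config keyword semantics, and the sudo and su message formats written to syslog by the usual Linux tools (sulog on Solaris and AIX and the BSD formats differ).

```shell
#!/bin/sh
# Added example, not from the chapter: checks for direct root logins, su/sudo
# logging and log-file protection, run against constructed copies of
# sshd_config, an auth log and a log directory. Message formats follow
# Linux syslog/sudo/su conventions (an assumption); every file, host, user
# and address below is made up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/log"

cat > "$WORK/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# hardening appended later by an administrator
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF

cat > "$WORK/log/auth.log" <<'EOF'
Mar  3 02:14:07 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Mar  3 02:15:11 host su[2312]: Successful su for root by bob
Mar  3 02:15:11 host su[2312]: + /dev/pts/1 bob:root
Mar  3 02:16:40 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 02:20:02 host sshd[2400]: Accepted publickey for root from 10.0.0.9 port 51234 ssh2
EOF
chmod 640 "$WORK/log/auth.log"
: > "$WORK/log/wtmp"; chmod 664 "$WORK/log/wtmp"   # group may append, others may not
: > "$WORK/log/utmp"; chmod 666 "$WORK/log/utmp"   # constructed misconfiguration: world writable

# sshd uses the FIRST value given for a keyword, so a "PermitRootLogin no"
# appended after an earlier "yes" changes nothing. Match blocks are
# conditional, so the scan stops there. Values: yes, prohibit-password
# (formerly without-password), forced-commands-only, no.
sshd_effective() {
  awk -v key="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Direct root logins that sshd actually accepted, regardless of what the config says.
direct_root_logins() {
  awk '$5 ~ /^sshd/ && $6 == "Accepted" && $9 == "root" {
         print $1, $2, $3, "root from", $11, "(" $7 ")" }' "$1"
}

# Reconstruct who escalated to whom, when, and what they ran, from the sudo
# and su records. Denied sudo attempts are worth as much as the granted ones.
privilege_escalations() {
  awk '$5 == "sudo:" {
         cmd = $0; sub(/.*COMMAND=/, "", cmd)
         target = "?"; if (match($0, /USER=[^ ;]+/)) target = substr($0, RSTART + 5, RLENGTH - 5)
         if ($0 ~ /NOT in sudoers/) print $1, $2, $3, $6, "DENIED by sudo:", cmd
         else print $1, $2, $3, $6, "->", target, "via sudo:", cmd
         next
       }
       $5 ~ /^su(\[|:)/ && $6 == "Successful" { print $1, $2, $3, $11, "->", $9, "via su" }' "$1"
}

# Log files and the utmp/wtmp accounting files must not be writable by
# ordinary users, or login history can be forged or erased.
writable_logs() { find "$1" -type f -perm -002; }

echo "effective PermitRootLogin: $(sshd_effective "$WORK/sshd_config" PermitRootLogin)"
echo "accepted root logins:";    direct_root_logins "$WORK/log/auth.log" | sed 's/^/  /'
echo "privilege escalations:";   privilege_escalations "$WORK/log/auth.log" | sed 's/^/  /'
echo "world-writable logs:";     writable_logs "$WORK/log" | sed 's/^/  /'
```

The sshd check illustrates why configuration files are read with the daemon's rules rather than by eye: the file above looks hardened at the bottom, but sshd honours the first PermitRootLogin line and the accepted root login in the log confirms it. Retention is not checkable this way; review the rotation configuration (logrotate or the platform equivalent) and how long wtmp and the sulog/syslog files are kept.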
Checklist for Auditing Security Monitoring and Other Controls
40. Review and evaluate system administrator procedures for monitoring the state of security on the system.
41. If you are auditing a larger Unix/Linux environment (as opposed to one or two isolated systems), determine whether there is a standard build for new systems and whether that baseline has adequate security settings. Consider auditing a system freshly created from the baseline.
42. Perform steps from Chapter 4 as they pertain to the system you are auditing.