Security Monitoring


Security is a huge subject; entire books are devoted to it alone. It is usually divided into two categories: network security and host-based security. This section focuses on host-based (system) security, so that you can monitor for and detect activity that could compromise the availability of the system, its applications, or its data. Host-based intrusions are usually the most troublesome to deal with. As a system administrator, you should monitor the system for any activity that would keep it from doing what it is intended to do.

Security Overview

The level of security your system needs depends on what you are trying to protect. Both the US government's Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book") and the European Information Technology Security Evaluation Criteria (ITSEC) define sets of security levels. The most common level is C2, the de facto standard for secure UNIX systems. Level B1, which is more stringent than C2, is often required in government, military, and some commercial applications. HP-UX, for example, operates in two modes: standard mode, which provides only conventional UNIX protections (password hashes live in the world-readable /etc/passwd and there is no auditing), and trusted mode, which adds C2-level features such as a protected password database and auditing. Each level of security has different requirements.

Regardless of the level of security you are trying to provide, several categories of system security apply to all levels; the requirements in each category simply become more restrictive as the security level increases. These categories are authentication, authorization, access control, data security, and physical security.

Before describing each category, note that a host-based security plan must cover both policies for preventing intrusions and monitoring for detecting them. A password policy is one of the many policies that should be defined and enforced to prevent intrusions. For detection, the monitoring tools have to be told specifically what to watch for.

After you implement intrusion-prevention policies, you need to put security monitoring and intrusion-detection monitors in place. You want these monitors to tell you when an intrusion has been attempted, is occurring, or has already occurred. The following are the system security categories that apply to all security levels, along with what can be done in each to prevent and detect intrusions:

  • Authentication: Verifies a user's identity before access to a system or resource is granted. Authentication is usually accomplished with a password, which serves as proof that a user is who they claim to be. Minimum length and complexity rules, together with password lifetime (aging) limits, are some of the controls that make getting past authentication harder for unauthorized users. A more secure measure is to keep the hashed ("encrypted") passwords out of the world-readable password file, in a shadow file or, on HP-UX in trusted mode, the protected password database, so that they cannot simply be copied off the system and attacked by guessing.

  • Authorization: The process of granting privileges to individual users. UNIX has two main classes of users. Root (the superuser) is authorized to do almost anything on a system, including administer it, perform backups, and bypass security controls. Regular users have ordinary access to programs and data. Authorization can be narrowed with time-based restrictions, whereby users may log in only during certain hours of the day. Fine-grained authorization divides root's powers so that a user receives only the privileges needed for a specific task (the principle of least privilege), which gives you far more control over system security. HP-UX has a restricted form of SAM that lets you delegate particular SAM areas to authorized non-root users. Monitoring for failed login attempts and superuser logins is important, to see whether anyone is gaining or attempting to gain unauthorized access; on HP-UX the raw material is /var/adm/sulog (every su attempt, successful or not), /var/adm/btmp (failed logins, read with lastb), and /var/adm/wtmp (logins, read with last). HP OpenView IT/Operations (IT/O) is one product that provides this monitoring.

  • Access control policies: Define which users have access to various system resources, including files, programs, and printers. Access control is generally handled through UNIX file permissions, which grant read, write, and execute permission separately to the owner, the group, and everyone else. Access Control Lists (ACLs) extend this by granting access to specific listed users, or by explicitly denying access to listed users. You can check a file's permissions with ls -l and its ACL entries with lsacl (HFS) or getacl (JFS). You may want to monitor these permissions and ACLs for changes that would let other users reach restricted files.

  • Data security: Protects critical data. This includes backups, which guard against accidental data loss, and data encryption, which protects the confidentiality of information.

  • Physical security: Covers the physical protection of system resources against deliberate or accidental threats. This includes guarding against even simple threats, such as someone tripping over an exposed power cord.
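The monitoring called for under Authorization (failed and successful attempts to become root) can be done directly from su's own log. The script below is an added example, not code from the book or from HP; it assumes the /var/adm/sulog record format written by HP-UX su (SU date time +|- tty fromuser-touser, with '+' for success and '-' for failure). The sample records, the authorized-user list, and the failure threshold are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the book): flag suspicious su activity in /var/adm/sulog.
# HP-UX su writes one record per attempt:  SU MM/DD HH:MM +|- tty fromuser-touser
# ('+' = success, '-' = failure). The records below are constructed for this example.

SULOG=${SULOG:-/tmp/sulog.sample.$$}
cat > "$SULOG" <<'EOF'
SU 03/14 08:02 + pts/1 opsadmin-root
SU 03/14 08:15 - pts/2 jdoe-root
SU 03/14 08:16 - pts/2 jdoe-root
SU 03/14 08:17 - pts/2 jdoe-root
SU 03/14 09:40 + pts/3 jdoe-root
SU 03/14 11:05 + pts/4 backup-oper
EOF

# Site policy, assumed for the example: who may become root, and how many
# failed attempts to reach root from one account are worth reporting.
AUTHORIZED_SU="opsadmin"
FAIL_THRESHOLD=3

# Print "user count" for each account whose failed su-to-root attempts
# reach FAIL_THRESHOLD (a likely password-guessing attempt on root).
failed_root_su() {
    awk -v thr="$FAIL_THRESHOLD" '
        $1 == "SU" && $4 == "-" {
            to = $6;   sub(/.*-/, "", to)        # target account (after the last "-")
            from = $6; sub(/-[^-]*$/, "", from)  # originating account
            if (to == "root") fails[from]++
        }
        END { for (u in fails) if (fails[u] >= thr) print u, fails[u] }
    ' "$1"
}

# Print "date time tty user" for every successful su to root by an account
# that is not on the authorized list.
unauthorized_root_su() {
    awk -v ok="$AUTHORIZED_SU" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $1 == "SU" && $4 == "+" {
            to = $6;   sub(/.*-/, "", to)
            from = $6; sub(/-[^-]*$/, "", from)
            if (to == "root" && !(from in allowed)) print $2, $3, $5, from
        }
    ' "$1"
}

echo "Accounts with repeated failed su to root:"
failed_root_su "$SULOG"
echo "Successful su to root by unauthorized accounts:"
unauthorized_root_su "$SULOG"
```

Run it from cron against the real file (SULOG=/var/adm/sulog) and mail the output when it is non-empty. Note the sequence in the sample data: three failures from jdoe followed by a success is exactly the pattern that deserves a phone call, and the two reports together surface it, whereas a count of failures alone would not.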

Security Monitoring Tools

Auditing is a way to log security-related events on a per-user basis. It can be set up to record system calls, activity by specific users, password-policy events, logins, superuser logins, failed login attempts, and so on. Because auditing incurs considerable system overhead and produces a large volume of data, you should limit it to the most critical security-related events. On HP-UX, auditing is available only in trusted mode, and it can be enabled and configured from SAM. Although the system itself provides the library routines and commands for collecting audit records, separate data reduction and analysis tools are useful for extracting the relevant events from the audit logs.

Some of the common tools for looking at audit logs are:

  • OmniGuard/ITA (Axent Technologies): Used to detect intruders and abuse. It feeds data from log files, along with SNMP traps it listens for, into a rules engine that decides when an intrusion is taking place. It can also monitor file-level accesses.

  • Stalker (Haystack Labs): Analyzes and compares audit logs to its database, to detect system misuse, attacks, and known system vulnerabilities. It can collect and store audit logs from multiple UNIX systems at a centralized server.

MEMCO Software's SeOS Access Control provides more granular root capabilities: narrow capabilities can be granted to users to perform specific tasks. This means you don't need to hand a user full root authority, which is dangerous, just so they can perform system backups, for example.

You can also make some simple checks to help protect your system. Check /etc/hosts.equiv and the .rhosts files (root's in /, and those in users' home directories) to ensure that every remote host listed is authorized to access the system without a password, and that neither file contains a "+" wildcard entry, which trusts every host (or, as a second field, every user). The optional file /var/adm/inetd.sec can be used to explicitly allow or deny access to specific inetd services by host or network; a service with no entry there is served to any host, so verify that the file exists and that the services you care about are covered correctly.
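The checks just described, as an added example rather than code from the book or from HP. It assumes the hosts.equiv/.rhosts line format (host, optional user, "+" as a wildcard, a leading "-" for a deny entry) and the inetd.sec line format (service, allow or deny, then hosts or networks). The scratch files, the authorized-host list, and the watched-service list are constructed for the example; pointing ROOT at / runs the same checks on a live system.

```sh
#!/bin/sh
# Added example (not from the book): audit the remote-trust files named above.
# ROOT points at a scratch tree filled with constructed files so the example runs
# offline; set ROOT=/ to check a live HP-UX system.
ROOT=${ROOT:-/tmp/trustcheck.$$}
mkdir -p "$ROOT/etc" "$ROOT/var/adm"

cat > "$ROOT/etc/hosts.equiv" <<'EOF'
# hosts trusted for rlogin/rsh without a password
build01
+
backupsrv oper
EOF

cat > "$ROOT/.rhosts" <<'EOF'
+ +
admin-ws
EOF

cat > "$ROOT/var/adm/inetd.sec" <<'EOF'
# service  allow|deny  hosts...
login   allow  10.3.* admin-ws
shell   allow  *
ftp     deny   *
EOF

# Site policy, assumed for the example: hosts that may appear in trust files,
# and services that must have an explicit inetd.sec rule.
AUTHORIZED_HOSTS="build01 backupsrv admin-ws"
WATCHED_SERVICES="login shell exec ftp telnet"

# Report wildcard ('+' host or user) and unauthorized-host entries in a
# hosts.equiv or .rhosts file. Lines starting with '-' are deny entries and
# are left alone.
check_trust_file() {
    [ -f "$1" ] || return 0
    awk -v ok="$AUTHORIZED_HOSTS" -v name="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^-/ { next }
        $1 == "+" || $2 == "+" { print name ": wildcard entry: " $0; next }
        !($1 in allowed)       { print name ": unauthorized host: " $0 }
    ' "$1"
}

# Report inetd.sec allow rules that admit every host, and watched services
# with no rule at all (inetd serves those to any host).
check_inetd_sec() {
    [ -f "$1" ] || { echo "$1: missing, all services open to all hosts"; return 0; }
    awk -v watched="$WATCHED_SERVICES" -v name="$1" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[[:space:]]*(#|$)/ { next }
        {
            seen[$1] = 1
            if ($2 == "allow")
                for (i = 3; i <= NF; i++)
                    if ($i == "*") print name ": " $1 ": allow rule admits every host"
        }
        END { for (s in want) if (!(s in seen)) print name ": " s ": no rule, open to all hosts" }
    ' "$1"
}

for f in "$ROOT/etc/hosts.equiv" "$ROOT/.rhosts"; do check_trust_file "$f"; done
check_inetd_sec "$ROOT/var/adm/inetd.sec"
```

On a real system, extend the .rhosts loop over every home directory in /etc/passwd, and remove the scratch tree (rm -rf "$ROOT") when you are done with the sample. The two lists are the policy; the script only reports deviations from them, so keep them under the same change control as the files they describe.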



UNIX Fault Management: A Guide for System Administrators
ISBN: 013026525X
Year: 1999
Pages: 90
