
the name of Sun Security Bulletins.
The last aspect of the work of CERT is to make available suitable
security tools (taken from the Public Domain Shareware area) on
CERT's own FTP server.
Forum of Incident Response Teams (FIRST)
FIRST is an association of the response teams (RTs) of which CERT is
the most important example. Assignments are described here. FIRST
serves as the central clearing house for problems that appear only in a
limited area, and serves as the information broker to resolve the
problems.
Local RTs are concerned about the information flow within their own
country, and pass the information in English on to all other FIRST
organizations. This provides an opportunity to get even regional
problems (such as an implementation of ISDN) to a manufacturer.
Evaluating Security Levels 5-7
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService August 1996
5
Module Checklist
Having completed this module, you should be able to:
Identify three organizations supporting the standardization of
security for operating systems like the Solaris environment and
what each is mainly responsible for.
Briefly describe the classification system defined in the Orange
Book for evaluating the security of a system.
What is the organization that serves as a clearinghouse for worms,
viruses, and critical system failures?
Auditing 6
Objectives
Upon completion of this module, you will be able to:
Successfully activate the system daemon process responsible for
supporting the auditing functionality.
Customize auditing files to satisfy local requirements.
Describe the major functional components of the Solaris BSM
architecture.
Configure the necessary administrative files to implement device
allocation functionality.
List the ways in which accounting assists system administrators.
List the commands used to generate raw data and the files these
commands create.
List the commands used to generate reports from the raw data
collected.
Describe the steps needed to start accounting.
Philosophy
Level of Importance
One of the most valuable tools available to a security administrator
using the Solaris 2.x system is the ability to monitor and record all
system activities. This ability is particularly valuable when you
consider potential legal action that may be taken by anyone who has
experienced a computer break-in.
One of the most difficult types of cases to prosecute in the court
systems today is that involving computer breaches or system
intrusions. Prosecution is made difficult by the fact that computer
technology, and its possible exploitation, is far ahead of the laws
governing society today.
The lines are not drawn so clearly in the area of computer intrusions.
Many states and countries take different positions on what constitutes
a crime in the electronic community.
Even if there were definitive criteria that could be universally applied,
there would still be the difficult task of proving with evidence that a
crime was committed.
As more statistical data is made available to the public regarding the
frequency and number of attacks, the more it becomes obvious that
absolute protection is virtually impossible.
When you understand this reality you will appreciate the level of
importance that should be attributed to the consistent application of
system auditing.
Capabilities
Features
The Solaris implementation of auditing is based on user login
identification and authentication.
Once a user has been identified and authenticated through the login
process, a unique audit ID will be associated with the user's process.
All processes spawned from that terminal group will inherit that same
audit ID. It will continue to be associated with that user even if the su
command is executed. All actions performed by the user on the system
will be tracked by this audit ID.
The benefits of implementing auditing are:
Detection of suspicious or unauthorized system activity
Monitoring security-related events
Recording security-related events in an audit trail
Security administrators have flexibility in selecting which activities
will be monitored. They also can define how detailed the selection can
be.
Once the auditing information has been generated and processed, it
can be viewed by using audit reduction and interpretation utilities.
The built-in robustness of the product enables audit records to be
examined based on the following criteria:
An individual user or group of users
A specific event on a specific day or period of days
A set of events on a specific day or period of days
Architecture
Major Components
The Solaris SHIELD™ Basic Security Module (BSM) provides the
security features defined as C2 in the Trusted Computer System
Evaluation Criteria (TCSEC).
The Basic Security Module can be viewed as having two logical
subsystems. The first subsystem covered in this module is referred to
as security auditing. The second is device-allocation.
The addition of these features will automatically increase the level of
security offered by the Solaris operating system.
The security auditing feature is best understood when examined from
a component level. The main component of this subsystem is a
daemon process known as auditd. It exists as the executable
/usr/sbin/auditd.
The major functions performed by the auditd daemon are:
Open and close audit log files in directories specified by the
security administrator.
Extrapolate audit data from the kernel and record in an audit log.
Communicate administrative or operational failures to the
responsible administrator.
A command-line interface is provided for administrative controls.
Once the initial environment is set up, this daemon can be started and
stopped by using the same techniques employed with other Solaris 2.x
system services.
Architecture
Major Components (Continued)
Events
Any system action that is capable of being audited is defined as an
audit event within BSM. Most often these events are initiated by the
logged-in user and may have security relevance. All events being
audited are defined as single line entries inside the file
/etc/security/audit_event.
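The following is an added example, not code from the Sun course: a small parser for the single-line entries of /etc/security/audit_event, in the documented number:name:description:flags layout, with a helper that reports which events a given set of audit classes would record. The sample file contents are constructed for the example (the event names and class letters follow the BSM conventions, but the exact numbers are not taken from this page), and the kernel/user number boundary is an assumption drawn from the audit_event(4) manual page rather than from the course text.

```python
from dataclasses import dataclass

# Constructed sample of /etc/security/audit_event contents (not copied from the page).
# Each non-comment line is number:name:description:flags, where flags is a
# comma-separated list of audit classes (lo = login/logout, ps = process start,
# ex = exec, pc = process control, no = not audited).
SAMPLE_AUDIT_EVENT = """\
# Constructed sample; format is number:name:description:flags
0:AUE_NULL:indir system call:no
2:AUE_FORK:fork(2):pc
6:AUE_EXECVE:execve(2):ps,ex
6152:AUE_login:login - local:lo
6159:AUE_su:su(1M):lo
"""

# Assumption (from audit_event(4), not from the page): numbers below this
# value are kernel events; higher numbers are user-level (TCB program) events.
KERNEL_EVENT_LIMIT = 2048


@dataclass(frozen=True)
class AuditEvent:
    number: int
    name: str
    description: str
    classes: frozenset


def parse_audit_event(text):
    """Parse audit_event-style text into AuditEvent records.

    Comments (# ...) and blank lines are skipped. A line with the wrong
    number of fields, a non-numeric event number, or a duplicated number
    raises ValueError, since a malformed file would leave auditd unable to
    map kernel records to event names.
    """
    events = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields, got {len(fields)}")
        number_text, name, description, flags = (f.strip() for f in fields)
        if not number_text.isdigit():
            raise ValueError(f"line {lineno}: event number {number_text!r} is not numeric")
        number = int(number_text)
        if number in seen:
            raise ValueError(f"line {lineno}: duplicate event number {number}")
        seen.add(number)
        classes = frozenset(c.strip() for c in flags.split(",") if c.strip())
        events.append(AuditEvent(number, name, description, classes))
    return events


def is_kernel_event(event):
    """True for events in the kernel number range (assumed boundary above)."""
    return event.number < KERNEL_EVENT_LIMIT


def events_in_classes(events, selected_classes):
    """Names of the events that would be recorded if the given classes are audited.

    An event is selected when any of its classes is in the selection; events
    marked only 'no' are never selected.
    """
    selected = set(selected_classes) - {"no"}
    return [e.name for e in events if e.classes & selected]


if __name__ == "__main__":
    parsed = parse_audit_event(SAMPLE_AUDIT_EVENT)
    for ev in parsed:
        kind = "kernel" if is_kernel_event(ev) else "user-level"
        print(f"{ev.number:>5} {ev.name:<12} {kind:<10} {','.join(sorted(ev.classes))}")
    print("login class records:", events_in_classes(parsed, ["lo"]))
```

Running the block prints one row per event with its kernel/user-level category and class list, then the events the lo class alone would capture; pointing parse_audit_event at the real file on a Solaris host shows the same breakdown for the installed event table.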
These audit events are further categorized as follows:
Kernel events