Welcome!

Linux Authors: Liz McMillan, Pat Romanski, Carmen Gonzalez, Lori MacVittie, Elizabeth White

Related Topics: Linux

Linux: Article

The Challenges of the Linux Audit

Steps for a secure system

As a decision maker in your IT organization, you're aware that your Linux systems share is growing (if your enterprise follows today's business trend). Linux installations are now available on every major hardware platform. New projects in development include Linux systems in an increasing share, and you're challenged with incorporating these Linux systems seamlessly into your operations and business processing.

These Linux systems must also now be included as part of your IT audit. IT audits are increasingly performed by cross-functional teams rather than by operations, networks, applications, or database management teams. The cross-functional audit teams have the scope and purview to examine each area of operations. Since your skilled operations teams aren't responsible for policing their own house, they can remain focused on their core skill sets.

The audit teams make scheduled passes, with strategic focus on physical security, network security, applications security, systems security, and whatever else is part of your enterprise security plan. The report is digested and parsed by the audit team leader or information security manager, who tactfully disseminates the information to the appropriate team leaders.

The first challenge emerging from this vision of corporate information systems unity is that the operations teams will potentially mistrust, hate, fear, or otherwise loathe the audit teams. This humanistic certainty is based on the perception that someone is trying to find something wrong so that blame can be assigned. Overcoming this challenge, while not a typical strategic audit goal, is important since you want the audit teams to have unfettered access, and you want their work to be supported and adopted by the operations teams. The audit teams' reports must become meaningful input for operations teams, who will review a report and mitigate the threats instead of putting out fires later because important audit information was not heeded.

Using your vision, sensibility, and other executive powers, you've attained respectful buy-in from the teams - you can now move forward to meet other challenges.

The Audit

One problem identified during Linux audits is that too many people know the root password and other elevated-privilege account passwords. These passwords are the electronic keys to the kingdom in Linux, and taking back control of these accounts is a top audit priority. Typically, everyone who has the root password knows why they shouldn't pass it out or overuse it.

There's limited accountability in most native Linux operating systems, including the lack of a cogent audit trail. The native auditability is primarily centered around the syslog and sulog facilities, which cannot describe the interactive actions of the root user with the system at the level required by the HIPPA, Sarbanes-Oxley, and NISPOM Chapter 8 requirements, to mention only a few. For example, Figure 1 shows a sample sulog, revealing a not very detailed snapshot of users using su on a system.

While they're better than nothing, the sample log entries don't describe what actions were taken after the SU command occurred. (For the uninitiated, the + or - tells you if the SU request was successful.)

The syslog example may be roughly equivalent (see Figure 2).

The example in Figure 2 also indicates privilege being elevated, but does not describe (or require) a reason. Additionally, the file(s) produced by the syslog daemon may contain information not germane to your audit, but again, some information is certainly better than nothing. You can significantly improve the auditability in your enterprise by adding third-party software that captures all standard input, output, and errors, including everything the user does with the elevated privilege.

The example below is from a policy created on a Linux system (salmon.mydomain. com), using a Symark product called PowerBroker, (version 3.2.1). It provides a root shell for any user authorized to run the command pbrun GIMMIEROOT. The policy creates an audit file akin to others available in some third-party products to give you more auditability when users gain or use elevated privilege. This particular product will log all standard input, output, and errors, as well as a complete report regarding the secured task:

$ pbrun GIMMIEROOT
Enter your reason for accessing this policy:
I need to edit the /etc/passwd file

Figure 3 shows what the resultant logfile includes. Note that the "who, what, when, where, and why" are evident in the log output.

I truncated the log file, but you can see that your audit team has the ability to see it, and to tell the who, what, when, where, and why for any elevated-privilege or vital-asset access. In addition to third-party products, Linux vendors are working hard to provide this functionality. This functionality significantly improves your teams' ability to take back the root and other elevated-privilege accounts by granting elevated privilege only when the user accesses certain commands or assets (within their normal job descriptions, for example). When access is complete, normal privilege resumes, and the user never knows the elevated password.

So you're familiar with elevated-access audit control; is your audit team is as well? Basic audit tenants include reading the documentation to determine what to audit, but what documentation do you have that describes who can access what, when, where, and why?

Your systems, applications, and networks team can collaborate to create a document like Table 1.

Your teams may have used any visualization method, but the output is a matrix of your systems (vertical axis), and your user community (horizontal axis). Notice that each login/access method is described, as well as which system each user can access, from which system, by which method. Once users are on the systems, executable commands are listed, as well as any elevated privilege required. With this documentation, your audit team now knows which systems to go to, which accounts to scrutinize, which commands should normally be allowed as the user, and which commands require elevated privilege. This documentation is simple but effective in meeting the requirement to report upward and manage outward.

Another important problem that surfaces in a Linux audit is the publication of passwords, which often happens inadvertently via secure applications scripts (Web startup or shutdown, middleware startup or shutdown, database startup or shutdown, etc.).

Information synchronization routines (such as NIS or LDAP v2) also place assets at risk, as they pass account, system, and other enterprise information around the LAN or WAN in clear case. (In the case of passwords specifically, the encrypted value is sent, but agile information bandits know the difference between a crypt, bigcrypt, or MD-5 hash. When the rest of the information is in clear case, encrypting only the password may provide little safety.)

Once passwords are obtained by a nontrusted source (someone leaves a file containing a password world-readable, for example), valuable assets are at risk on numerous fronts, including easy access to critical files/data. When an asset can be accessed by a user in masquerade, the asset is at risk. The insertion of a Trojan program, the destruction of an application, and the alteration of data are all undesirable options. Whether compromised by the pad of paper in the machine room, the e-mail to the group alias with a defunct (but still receptive) recipient, the generic account password used by consultants nationwide when installing the new software on your enterprise server, or some other method, the untrusted source now has the ability to log in to one or more systems as someone other than themselves. No audit could save you at this point, as activity performed under the guise of a trusted user is now suspect.

Fortunately, your systems audit includes the regular checking for ownership, permissions, checksums, and other embedded safety mechanisms to keep data and applications in a known good state. Program files, executables, even operating system and patch levels are being recorded and compared from audit to audit, and maintained at the most current secure levels. The LDAP directory is scrutinized for the dysfunction that occurs between Human Resources and Information Systems, causing transferred or even terminated employees to be removed to systems, but allowed to remain in the LDAP directory. This step eliminates the ability for a transferred or terminated employee to gain access to assets via an LDAP-credentialed application. You have delegated and empowered effectively, your audit team is passing back the appropriate report to the systems managers, and the integrity of the systems and programs is secure.

Conclusion

As a quick summary, your internal teams periodically perform these audits:
  • Physical security
  • Operating system
  • Network security
  • Others as you require
Each team has a specific focus and reports to you for dissemination and mitigation. A periodic review of your documentation will reveal newly emerging systems, network components, or applications requiring audits, and your appropriate team will incorporate them as needed. The process feeds itself, as each successive audit both addresses issues and reveals an emerging strength of operations as a cohesive unit, with assets protected in concentric rings of recurring audits.

Your charter to your auditors is multifold, as they assess each aspect of today's increasingly complex information systems nervous system. The audits should be periodic, focused on a specific aspect of the larger picture, and as unintrusive as possible. They should yield a systematic and repeatable report, which is then passed back into the system for assessment and mitigation. Your audit teams use a documentation tool to determine who, what, and how to audit your assets, and the result is that the external audit becomes a quality checkpoint rather than an item causing worry, fear, or loathing.

More Stories By Richard Williams

Richard Williams is director of education for Symark Software in Agoura Hills, California. With over 20 years of experience in systems administration, architecture, and design, Richard oversees the development and delivery of Symark's University Training Program in providing customer support to global enterprise customers.

Comments (2) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
John Legg 05/13/04 08:26:22 PM EDT

An impressive solution to Linux (as well as Unix) audits is at www.mase.com Many standard policies as well as customized ones can be monitored very quick and painlessly.

Mark Post 04/22/04 04:42:51 PM EDT

The author apparently isn't familiar with SSL/TLS support in OpenLDAP. Nothing has to pass in clear text when using that feature.

@ThingsExpo Stories
@ThingsExpo has been named the Top 5 Most Influential Internet of Things Brand by Onalytica in the ‘The Internet of Things Landscape 2015: Top 100 Individuals and Brands.' Onalytica analyzed Twitter conversations around the #IoT debate to uncover the most influential brands and individuals driving the conversation. Onalytica captured data from 56,224 users. The PageRank based methodology they use to extract influencers on a particular topic (tweets mentioning #InternetofThings or #IoT in this case) takes into account the number and quality of contextual references that a user receives.
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS – software, platform, and infrastructure as a service.
Enterprise IoT is an exciting and chaotic space with a lot of potential to transform how the enterprise resources are managed. In his session at @ThingsExpo, Hari Srinivasan, Sr Product Manager at Cisco, will describe the challenges in enabling mass adoption of IoT, and share perspectives and insights on architectures/standards/protocols that are necessary to build a healthy ecosystem and lay the foundation to for a wide variety of exciting IoT use cases in the years to come.
Avnet, Inc. has announced that it ranked No. 4 on the InformationWeek Elite 100 – a list of the top business technology innovators in the U.S. Avnet was recognized for the development of an innovative cloud-based training system that serves as the foundation for Avnet Academy – the company’s education and training organization focused on technical training around top IT vendor technologies. The development of this system allowed Avnet to quickly expand its IT-related training capabilities around the world, while creating a new service that Avnet and its IT solution providers can offer to their...
@ThingsExpo has been named the Top 5 Most Influential M2M Brand by Onalytica in the ‘Machine to Machine: Top 100 Influencers and Brands.' Onalytica analyzed the online debate on M2M by looking at over 85,000 tweets to provide the most influential individuals and brands that drive the discussion. According to Onalytica the "analysis showed a very engaged community with a lot of interactive tweets. The M2M discussion seems to be more fragmented and driven by some of the major brands present in the M2M space. This really allows some room for influential individuals to create more high value inter...
SYS-CON Events announced today that B2Cloud, a provider of enterprise resource planning software, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. B2cloud develops the software you need. They have the ideal tools to help you work with your clients. B2Cloud’s main solutions include AGIS – ERP, CLOHC, AGIS – Invoice, and IZUM
It's time to put the "Thing" back in IoT. Whether it’s drones, robots, self-driving cars, ... There are multiple incredible examples of the power of IoT nowadays that are shadowed by announcements of yet another twist on statistics, databases, .... Sorry, I meant, Big Data(TM), tiered storage(TM), complex systems(TM), smart nations(TM), .... In his session at WebRTC Summit, Dr Alex Gouaillard, CTO and Co-Founder of Temasys, will discuss the concrete, cool, examples of IoT already happening today, and how mixing all those different sources of visual and audio input can make your life happier ...
The WebRTC Summit 2015 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides private all-in-one social intranets allowing workers to securely collaborate from anywhere in the world and from any device. Social, mobile, and easy to use. MangoApps has been named a "Market Leader" by Ovum Research and a "Cool Vendor" by Gartner...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
There is no doubt that Big Data is here and getting bigger every day. Building a Big Data infrastructure today is no easy task. There are an enormous number of choices for database engines and technologies. To make things even more challenging, requirements are getting more sophisticated, and the standard paradigm of supporting historical analytics queries is often just one facet of what is needed. As Big Data growth continues, organizations are demanding real-time access to data, allowing immediate and actionable interpretation of events as they happen. Another aspect concerns how to deliver ...
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
In his session at WebRTC Summit, Peter Dunkley, Technical Director at Acision, will look at creating interactive communications via the web by adding messaging, file transfer, and group communication (group chat and audio/video conferencing) into the web experience. He will also discuss potential applications of this technology in areas including B2B, B2C, P2P, and gaming. Peter Dunkley is Technical Director at Acision. He graduated from The University of Edinburgh in 2000 with a BSc (Hons) in Computer Science. After graduation Peter worked on a PSTN switch developing signalling stacks for SS...
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, and physical persons. In the IoT vision, every new "thing" - sensor, actuator, data source, data con...
What if, during a snow emergency, an on-the-ground sensor could automatically trigger a relevant emergency notification related to snowfall and road impact. And then, after it’s triggered, that notification is delivered intelligently to individuals based on an extensive set of rules designed to alert the most available and capable responders. This “what if” question about “smart highways” is short-sighted. We are already there, and we are only getting started. While mainstream attention is paid to machine-to-machine communications, new technologies are being developed to make these communica...
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover how hardware commoditization, the ubiquitous nature of connectivity, and the emergence of Big Data a...
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
There are lots of challenges in IoT around secure, scalable and business friendly infrastructure for enterprises. For large corporations, IoT implementations are one of the top priorities of the decade. All industries are seeing a competitive need to sustain by investing in IoT initiatives. The value addition comes from improved customer service, innovative product and additional revenue streams. The data from these IP-connected devices can be leveraged for a variety of business applications as well as responsive action controls. The various architectural building blocks of an IoT ...