topic Re: Security Audit Tools in Operating System - HP-UX

Security Audit Tools

swtw — Sat, 01 Nov 2008 21:49:08 GMT

Hi all,

I would like to find out from the experts, beside Bastille, what other security tools are recommended to be used in auditing a HPUX 11i system?

TIA.

Re: Security Audit Tools

VK2COT — Sun, 02 Nov 2008 23:32:44 GMT

Hello,

Bastille is not much of an auditing tool.
It is more for tightening security.

It seems you are asking about tools to
audit the setup of an HP-UX server.

There are many. For example, you could easily
build a Linux-based server with
literally hundreds of tools:

http://backtrack.unixheads.org/

Boot off this image and all the tools are there.

If you want to learn more about the best
tools just go to:

http://sectools.org/

Regards,

VK2COT

Re: Security Audit Tools

Emil Velez — Mon, 03 Nov 2008 02:51:06 GMT

You can turn on auditing and use the audsys to audit either users, systemcalls.

the audsys command is used to specify what to audit and the auddisp command is used to display audit records.

Auditing on 11.23 does not require conversion to trusted systems if you have Trusted Migration and SMSE security loaded.

Re: Security Audit Tools

swtw — Mon, 03 Nov 2008 08:32:43 GMT

Thanks for the response.

I am actually looking for security tools that can scan UX security-related settings.

I have use Bastille and it does perform a list of test. Does UX has any other tools beside Bastille that can perform a more comprehensive sets of test?

Re: Security Audit Tools

Robert Fritz — Mon, 03 Nov 2008 17:57:54 GMT

Hi there,

Ever since Bastille 3.0, where we added auditing to Bastille, I think Bastille is the most comprehensive tool I've seen for host-based HP-UX security auditing (with respect to hardening policy). Other general engines include cis-cat from CIS and Medusa, though those are less comprehensive, and more error prone. SWA (Software Assistant, configured by Bastille), audits security-patch-level.

Of course there's always off-host tools to check for vulnerabilities (vs. hardening policy) like Nessus, though the false-positive rate on those can be annoying.

If you want real-time monitoring, some others mentioned that there are some included monitoring tools like kernel-level monitoring (audsys, configured by Bastille). Also there's log modes for IPFilter, and you'll also find that HIDS does some decent logging.

Is there a concern with Bastille, or were you just trying to get a sense of the "field?" Note that Bastille's audit and lock-down scope will be significantly expanded in the next release.

Hope that helps,
Robert

Re: Security Audit Tools

VK2COT — Mon, 03 Nov 2008 21:49:59 GMT

Hello,

You got some additional good recommendations
in the responses.

Note that "Security is NOT A PRODUCT BUT
A PROCESS".

If you are looking at a single product to
resolve all your security issues, than you
have lost the battle already.

For some mission-critical customers, I have
asked to install Symantec Enterprise Security Manager. Works fine. Costs money.

I have also used Tripwire Enterprise.
Good product too.

There are many other commercial products.

When you test and audit any server (in this
case HP-UX), you "attack" it from several
places:

Internal networks
DMZ
External (Internet)

As everyone is aware, most of security
breaches happen inside the companies
(unhappy users, revenge, staff working for competitors, weird people who destroy
things for the sake of fun and thrill).
The problem is that no-one likes to talk
about it. And the media likes hacking
from external sources. That sells better
and looks more "powerful"...

Cheers,

VK2COT

Re: Security Audit Tools

Autocross.US — Thu, 06 Nov 2008 17:58:02 GMT

In addition to Bastille, we use the CIS benchmark tool:

http://www.cisecurity.org/bench_hpux.html

and the DISA Security Readiness Review (SRR) Evaluation Scripts:

http://iase.disa.mil/stigs/SRR/unix.html

Both take several hours to run and can be resource intensive (find commands).

Hope this helps,

Re: Security Audit Tools

Olivier Masse — Thu, 06 Nov 2008 18:56:52 GMT

I wrote a tool many years ago to help our internal auditors find setuid and 777 files on a system. It's easier to use than a standard find (in my opinion). As a bonus, it still works. :). Available here:
http://www.mayoxide.com/ncops/

Checking for file permissions is good in an environment where you have many shell users you don't trust, such as a university, but if you just have a few system administrators, it's a pretty annoying security measure.

One thing you can do, that gives a lot of return on your time investiment, is to run nessus against a system. It will find out many remotely exploitable holes.

Good luck