Operating System - HP-UX

Need advise from person who have experience with security auditing.

Printaporn_1
Esteemed Contributor


Hi,

I need to go through a security audit with an external auditor.
Any advice in terms of documents we should have, checklists, logs, etc.?
Not technical things; we already have a lot of those in this forum.
Thanks in advance,


enjoy any little thing in my life
13 REPLIES
Ravi_8
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Hi,

In our recent audit we were asked to show the users created on each machine and the procedure to create them (not the command).

We had a checklist for each machine of the users created on it, approved by my manager, stating the reason.

A checklist for applying patches (how often, and proof).

We should have the system logs for at least the last 3 months for each machine.
never give up
John Dvorchak
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Let me take a wild shot at a couple of questions I would want answers to if I were auditing your system(s).

1. Password strength and how often is password change forced. Password strength meaning to enforce non-dictionary words, upper and lower case letters, punctuation etc.

2. Any modems attached and is there a getty on those ports.

3. Do you have monitoring scripts that run out of cron.

4. Does /etc/securetty exist with only "console".

5. Are you using tcp wrappers.

6. Are all unused ports disabled in /etc/inetd.conf?

7. Are root and other system accounts in /etc/ftpusers?

8. Do you have a script to search for the presence of a + in everyone's .rhosts file?

9. Do you have a system recovery policy and is it tested? i.e. Ignite, fbackup etc.

10. Are all users in /etc/passwd current employees?

11. Only allow login with specific user account names, not application accounts like dba, oracle etc. Users must first login then su to that account.

Hope this short list gets you a step up on the auditor.

Good Luck
If it has wheels or a skirt, you can't afford it.
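The host-level items in this checklist (4, 6, 7 and 8) can be scripted so the same checks run before the auditor arrives. This is an added example, not code from the original post; each check takes a root directory as its argument ("/" on a live box) and make_sample builds a constructed sample tree so it can be run offline:

```shell
#!/bin/sh
# Added example: script the host-level items from the checklist above
# (securetty, ftpusers, wildcard .rhosts, enabled inetd services) against a
# root directory, so the same checks run on a live box (root dir "/") or on
# the constructed sample tree built by make_sample. Return 0 = check passed.

# 4. /etc/securetty exists and names only "console"
check_securetty() {
    f="$1/etc/securetty"
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    ttys=$(grep -v '^#' "$f" | grep -v '^[[:space:]]*$')
    [ "$ttys" = "console" ] && { echo "PASS: root tty login limited to console"; return 0; }
    echo "FAIL: $f permits root login on: $ttys"; return 1
}

# 7. root and the other system accounts are denied ftp via /etc/ftpusers
check_ftpusers() {
    f="$1/etc/ftpusers"; missing=""
    for u in root daemon bin sys adm uucp lp; do
        grep -qx "$u" "$f" 2>/dev/null || missing="$missing $u"
    done
    [ -z "$missing" ] && { echo "PASS: system accounts listed in ftpusers"; return 0; }
    echo "FAIL: missing from $f:$missing"; return 1
}

# 8. no .rhosts on the root filesystem with a leading "+" (trust-any-host) entry
check_rhosts() {
    bad=$(find "$1" -xdev -name .rhosts -exec grep -l '^[[:space:]]*+' {} \; 2>/dev/null)
    [ -z "$bad" ] && { echo "PASS: no wildcard .rhosts entries"; return 0; }
    echo "FAIL: wildcard trust in: $bad"; return 1
}

# 6. services still enabled in inetd.conf (every line not commented out)
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1/etc/inetd.conf" | awk 'NF { print $1 }'
}

# Constructed sample tree for offline demonstration (not a real system)
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice" "$d/home/bob"
    echo console > "$d/etc/securetty"
    printf 'root\ndaemon\nbin\nsys\nadm\nuucp\nlp\n' > "$d/etc/ftpusers"
    printf '#telnet stream tcp nowait root /usr/lbin/telnetd telnetd\n' > "$d/etc/inetd.conf"
    printf 'ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l\n' >> "$d/etc/inetd.conf"
    printf 'trusted.example.com alice\n' > "$d/home/alice/.rhosts"
    printf '+\n' > "$d/home/bob/.rhosts"    # the finding the audit should catch
    echo "$d"
}
```

On the sample tree the securetty and ftpusers checks pass, the .rhosts check reports bob's wildcard entry, and ftp is listed as the only enabled inetd service.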
U.SivaKumar_2
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Hi,

Hope I am eligible to answer.

1) List of security patches of the OS involved at the customer site.

2) Documents of known vulnerabilities and bugs in the OS involved from www.sans.org, www.cert.org etc. These documents can be used to reinforce your security recommendations after the audit.

3) Documents authorizing you for security auditing. Very much needed :-)

4) Documents on setup details and, if possible, configuration of your customer's servers and applications.

Other recommendations: always consult the software people on the site before enforcing or changing any file or directory permissions.

If the site is connected to the Internet, then follow a very stringent security audit and put across strong recommendations.

Create a final report of vulnerabilities, classifying them according to severity, and list the recommendations to follow against every vulnerability.

regards,

U.SivaKumar



Innovations are made when conventions are broken
Sergejs Svitnevs
Honored Contributor

Re: Need advise from person who have experience with security auditing.

I have found a good "HP-UX security guide" at:

http://sabernet.home.attbi.com/papers/hp-ux10.html#1.3

Regards,
Sergejs

Volker Borowski
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Hi,

Written-down disaster recovery procedures, stored onsite and as a backup in a safe-deposit box at a bank some 10 km away from the onsite location.

Regular check-out and check-in of backup media to offsite locations. Access control for this offsite media. Validation procedure for offsite media.

Checklists to be run against any component involved in dial-in of any type (routers, modems, ISDN cards). This includes checking for security patches and signing a checklist once a month, as well as e-mail notifications for critical patches.

And of course the regular stuff you find all across this forum or the Internet.
I have to highlight my favorite here -> default users and passwords.

And another important one:
A checklist of what to do if either
a) a management person
b) a sysadmin person
c) any other person
leaves the company in
1) the normal way
2) an abnormal way (i.e. has to clean his/her desk under observation)
You will not believe how important this one could be....

Good luck for your audit
Volker
Sridhar Bhaskarla
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Hi,

There is no end to securing a system. Below are some guidelines.

1. Trusted system and password controls like expiry, bad attempts etc.,
2. Regular password checking by using "crack".
3. Limiting shared accounts and their direct logins. Minimizing the number of accounts.
4. Disabling ftps
5. Using encrypted data transmission by secure shells
6. Disabling unnecessary services including ndd's parameters.
7. Restricting the allowed services using inetd.sec or tcp_wrappers
8. File and directory permissions
9. Accounting
10. Regular Scans both network and system.
11. Standard System layouts
12. Security Patches and maintenance of documentation
13. Minimizing the people knowing root passwords


-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Steven E. Protter
Exalted Contributor

Re: Need advise from person who have experience with security auditing.

Here is a list of products you might want to have installed and working prior to the audit. That list in the last post was top drawer, but a lot of the things in it were touched on in my year 2000 security audit.

Here is the list:

Bastille Security hardening
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Perl which the above needs.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Security Patch Check
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

IDS/9000 (Intrusion Detection System)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

Get all these products working and you'll be quite secure.

Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA


I'm attaching Chris Vale's doc on exchanging public keys for the secure shell product. If you have this stuff running and can talk about it intelligently with the auditors, they'll have some nice things to say in their report.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Michael Tully
Honored Contributor

Re: Need advise from person who have experience with security auditing.

There are quite a number of items that have been mentioned already:

I guess I can add to the list:

Check some file permissions on OS filesystems
find / /opt /usr -xdev -type f -perm 666
find / /opt /usr -xdev -type f -perm 777
find / /opt /usr -xdev -type d -perm 777
The man and cat directories should be ok.
Make sure all mountpoint directories do not have permissions any greater than 755

Check root's umask; it should be 022

You should have 'nosuid' for most, if not all mountpoints (excl. /usr and /opt)
Sticky bit setting for /tmp and /var/tmp

Check where the root home directory is. It should NOT be in /
It is suggested that /root is a good place, as it is not in / and it is in the / filesystem.

Anyone for a Mutiny ?
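The permission checks in this post can be run as one script rather than typed one at a time. This is an added example, not code from the original post; every check takes a root directory ("/" on a live box), the nosuid check reads an fstab, and make_sample builds a constructed tree with deliberately wrong modes so it runs offline:

```shell
#!/bin/sh
# Added example: the permission checks above (world-writable objects, sticky
# bit on temp dirs, mountpoints without nosuid, umask) scripted against a root
# directory: "/" on a live box, or the constructed tree from make_sample.
# Tully's three find commands merged: world-writable files, plus world-writable
# directories that lack the sticky bit (so a correct 1777 /tmp is not flagged)
world_writable() {
    find "$1" -xdev \( -type f -perm -002 -o -type d -perm -002 ! -perm -1000 \) 2>/dev/null
}

# sticky bit shows as t/T in the last permission column of ls -ld; 0 = present
sticky_ok() {
    case "$(ls -ld "$1/$2" 2>/dev/null)" in
        d????????[tT]*) return 0 ;;
        *) echo "FAIL: $1/$2 is missing the sticky bit"; return 1 ;;
    esac
}

# mountpoints in an fstab whose options lack nosuid, skipping swap entries and
# the post's own exclusions: /, /usr and /opt
mounts_missing_nosuid() {
    awk '$1 !~ /^#/ && NF >= 4 && $3 != "swap" && $2 != "/" && $2 != "/usr" && $2 != "/opt" {
        n = split($4, o, ","); ok = 0
        for (i = 1; i <= n; i++) if (o[i] == "nosuid") ok = 1
        if (!ok) print $2
    }' "$1"
}

# umask of the current shell; run it from a root shell (su -) to audit root's own
umask_is_022() {
    [ "$(umask | sed 's/^0*//')" = "22" ]
}

# Constructed sample tree (not a real system); the subshell body keeps the
# fixed umask from leaking into the caller
make_sample() (
    umask 022; d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/var/tmp" "$d/data"
    chmod 1777 "$d/tmp"; chmod 777 "$d/var/tmp" "$d/data"   # var/tmp lacks sticky
    touch "$d/data/report.txt"; chmod 666 "$d/data/report.txt"
    cat > "$d/etc/fstab" <<EOF
/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol2 ... swap pri=0 0 0
/dev/vg00/lvol4 /tmp vxfs delaylog,nosuid 0 2
/dev/vg00/lvol5 /home vxfs delaylog 0 2
/dev/vg00/lvol7 /usr vxfs delaylog 0 2
/dev/vg00/lvol8 /var vxfs delaylog 0 2
EOF
    echo "$d"
)
```

On the sample tree world_writable lists data, data/report.txt and var/tmp but not the sticky tmp, and mounts_missing_nosuid reports /home and /var while skipping /, /usr and the swap entry.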
John Poff
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Hi,

We went through a security audit last year. They will be asking you a lot of questions about your day to day procedures. How you handle regular activities such as password changes, new user requests, etc. They will ask about your change control procedures. If you are about to go into an audit, there probably isn't time to change much of your standard operating procedure. Probably it is better just to head into it and see what recommendations they come up with. Some may be a bit funny, but they might come up with some good stuff also. We survived ours without any real problems.

Good luck!

JP
Rainer von Bongartz
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Everything said before applied to the audits we had over the last years.

One point not mentioned yet:

Security officers might be interested in the protection of your data centre (people's access, fire and water protection, power supply etc.).


Regards
Rainer


He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Andrew Cowan
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Hi,

I specialise in IT security for a large European bank, and work closely with the auditors. I would be very surprised if they are in any way technical, so I wouldn't worry too much about the latest patch or security setting.
Their questions are more likely to be along the lines of:
How do you know who has access to what, and what do you do when a person leaves?
What measures do you take to ensure that the machines have not been compromised etc.
If a security breach occurred, what logging (evidence) is available, etc...

The points that they tend to be most keen on are:
Your security policy is legally enforceable and conforms to the general standard for your industry/sector.
Your policy accurately reflects how people actually behave, and it is generally enforced.
You have procedures that people actually use and understand.


I hope this helps.
G. Vrijhoeven
Honored Contributor

Re: Need advise from person who have experience with security auditing.

Hi,

I think you can find some useful links at:

http://www.ict-audit.com/

Gideon.

My personal experience is that the management focuses on easy wins, and "forgets" about the bigger picture.