Practical audit advice you can use today.
ESXi and vSphere: Basic Security Audit Questions and Answers
Published: 2013-10-19 (Length: 34:39)
Virtualization is here to stay. That's not to say it's a bad thing, but among the things that we spend some time talking about in the SANS Audit 507 course are the most common and most serious security misconfigurations and hazards that we find in virtualized environments. Also in the course we spend time demystifying the VMware Best Practices guide and give super clear reasons why some of what it recommends is just plain old bad advice!
This video, however, gives you a brief 34-minute look at one of the lab exercises in that audit/security course. The lab will give you broad-brush familiarity with the vSphere management client, discuss common issues in ESXi configurations, and demonstrate how to get specific data related to some of the more common problem areas in these systems. For a more detailed discussion of this topic and many others you might consider this class: http://www.sans.org/course/auditing-networks-perimeters-systems
Baselining Startup Processes!
Published: 2013-10-14 (Length: 13:47)
UNIX systems, at least up to a point, tend to be deterministic systems. This is quite different from Windows hosts which are completely non-deterministic.
What this means for the System Administrator and the Auditor is that it is not only possible to accurately baseline which processes should be running on the system but also to tie those processes to specific process ID numbers! Especially when faced with detecting compromise and the possible installation of malware, this becomes an incredibly valuable detection technique. If malware is installed by an attacker it will typically be installed in such a way that it will automatically restart the next time that the system is booted. Since we now have a baseline of which processes should be running and also know precisely which process IDs they should have, even if the malware is hidden we can see that it has displaced the process IDs!
Determining and Identifying UNIX Services
Published: 2013-10-14 (Length: 10:46)
It's pretty important that any system baseline include a list of all network services that are running on the system. Additionally, the baseline should include information on which binary, possibly even which process, is using each port. This information allows system administrators to detect possible compromises automatically, and it gives auditors a very simple way to detect undocumented changes to systems.
In this webcast we'll take a fast look at netstat, the /etc/services file and lsof to see how we can quickly and easily extract the network service information that is particularly relevant for a baseline.
File Integrity Testing
Published: 2013-10-14 (Length: 20:27)
The installation of a file integrity testing tool should be a part of the standard install of any server class system in your environment. Not only does it allow for simple continuous monitoring and detection of unauthorized configuration changes, but it also allows for rapid damage assessment in the face of a compromise.
This episode will take a fast look at the open source version of Tripwire. We'll examine common configuration errors in addition to discussing how to automate reporting for an auditor effectively without having to give the auditor or security officer root access to the system.
AWK, Backticks and Friends!
Published: 2013-10-14 (Length: 14:53)
In this short webcast we take a look at how to create a very basic shell script that will identify the initial run level of any Linux-based system.
Linux systems today have two primary mechanisms that are used to start services during startup: the more traditional system (using inittab) and the more modern Upstart system. This screencast demonstrates logical testing for files, extracting output from a command and assigning it to an environment variable, and basic AWK usage.
© 2011, David Hoelzer & EnclaveForensics