INF526: Secure Systems Administration


INF526: Secure Systems Administration

Configuration Management
Prof. Clifford Neuman

Lecture 11, 29 March 2017, OHE100C

Class Presentation Schedule

3/29  Mariam Fahad Bubeshait - Configuration Management
4/5   Mohammed Alsubaie - SIEM and Intrusion Detection
4/12  Vishnu Vadlamani - Network Monitoring/Attack Forensics
4/19  Andrew Gronski - Accreditation and acceptance testing

Configuration Management

A process for consistently establishing and maintaining the characteristics of the components of a system relevant for the proper functioning of a system.

– Proper functioning includes:
  • Security
  • Updates and security patches.
  • Detection and prevention of unauthorized changes.
– Components include all system assets:
  • Hardware
  • Software
  • Credentials
  • Licenses
– Characteristics include:
  • Accounts
  • Settings
  • Policies.

Purpose of CM

• To maintain consistency of a system and its attributes with a technical baseline over the system's life.
• CM is part of the system's security assurance cycle.
• Reduce the management workload for a collection of systems.
• Reduce the attack surface of a collection of systems by reducing the differences between individual systems within the collection.

Configuration Management
Example Attack Scenarios for Misconfigured Systems

• An app server admin console was automatically installed and was not removed. An attacker discovered the standard admin pages and succeeded in logging in with default passwords.
• Directory listing is not disabled on a server. An attacker discovered she can simply list directories to find any file.
• An app server with sample applications that have well-known security flaws that attackers can use to compromise the server.

Slide by Fumiko Uehara, INF526 Students Summer 2016

Any More?

Out of Date?
Vulnerable Apps?

It Starts with an Inventory

• Catalog of systems
  – What is approved for connection
• Prevent access by uncatalogued systems
  – For each system:
    • Serial Number, Tag, MACs, IPs
    • Location, Owner, Admin
    • Make/Model, Hardware Features
    • Include routers, hubs, printers, other network attached items.
    • Purpose
    • Software (OS, patches, applications, etc.)

It Starts with an Inventory

• Catalog of software
  – What is approved for use
• Detect unauthorized installs
  – For each system:
    • Name, Version, Patch Level
    • Checksum
    • License information
    • System requirements
    • Security considerations/implications
    • Anything else
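The two inventory slides above describe a catalog of approved systems (keyed by serial, tag, MAC, IP and so on) and a catalog of approved software (name, version, checksum), plus the two checks that the catalogs enable: refusing uncatalogued systems and detecting unauthorized installs. The following is an added example written for this page, not code from the lecture; the catalog entries, the observed hosts and the checksums (strings of repeated letters standing in for real digests) are all constructed sample data, and in practice the observed (mac, ip) pairs would come from a switch MAC table or DHCP leases and the installed-software triples from a host scan.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRecord:
    """One row of the hardware catalog; fields follow the slide's list."""
    serial: str
    tag: str
    mac: str
    ip: str
    location: str
    owner: str
    admin: str
    make_model: str
    purpose: str


@dataclass(frozen=True)
class SoftwareRecord:
    """One row of the software catalog: name, version and the checksum recorded at approval."""
    name: str
    version: str
    checksum: str  # hex digest; the values below are constructed placeholders, not real digests


# Constructed catalog of approved systems, keyed by MAC address (the most stable LAN identifier).
APPROVED_SYSTEMS = {
    s.mac: s for s in (
        SystemRecord("SN-1001", "TAG-01", "00:11:22:33:44:01", "10.0.0.11",
                     "OHE 100C", "ops", "alice", "Dell R740", "web server"),
        SystemRecord("SN-1002", "TAG-02", "00:11:22:33:44:02", "10.0.0.12",
                     "OHE 100C", "ops", "alice", "Dell R740", "database server"),
        SystemRecord("SN-2001", "TAG-03", "00:11:22:33:44:03", "10.0.0.1",
                     "wiring closet", "netops", "bob", "Cisco 2960", "access switch"),
    )
}

# Constructed catalog of approved software, keyed by (name, version).
APPROVED_SOFTWARE = {
    (p.name, p.version): p for p in (
        SoftwareRecord("httpd", "2.4.6", "a" * 64),
        SoftwareRecord("openssh-server", "7.4p1", "b" * 64),
    )
}


def check_systems(observed):
    """observed: iterable of (mac, ip) pairs seen on the network.
    Returns (uncatalogued, mismatched): hosts whose MAC is not in the catalog, and
    catalogued hosts seen at an IP other than the one on record."""
    uncatalogued, mismatched = [], []
    for mac, ip in observed:
        rec = APPROVED_SYSTEMS.get(mac.lower())
        if rec is None:
            uncatalogued.append((mac, ip))
        elif rec.ip != ip:
            mismatched.append((mac, rec.ip, ip))
    return uncatalogued, mismatched


def check_software(installed):
    """installed: iterable of (name, version, checksum) triples from a host scan.
    Returns findings: software not approved at that version, and approved software
    whose on-disk checksum no longer matches the catalog."""
    findings = []
    for name, version, checksum in installed:
        rec = APPROVED_SOFTWARE.get((name, version))
        if rec is None:
            findings.append(("not approved", name, version))
        elif rec.checksum != checksum:
            findings.append(("checksum mismatch", name, version))
    return findings


if __name__ == "__main__":
    # Constructed observations: a known host, a known host at the wrong IP, an unknown device.
    seen = [("00:11:22:33:44:01", "10.0.0.11"),
            ("00:11:22:33:44:02", "10.0.0.99"),
            ("de:ad:be:ef:00:01", "10.0.0.50")]
    print("uncatalogued / mismatched:", check_systems(seen))
    scan = [("httpd", "2.4.6", "a" * 64), ("httpd", "2.4.6", "c" * 64), ("nc", "1.0", "d" * 64)]
    print("software findings:", check_software(scan))
```

Keying the hardware catalog by MAC rather than IP is what lets the second check flag a catalogued device that has moved (or a device impersonating a catalogued IP); the checksum comparison in the software check is what distinguishes "approved package present" from "approved package name, unknown binary".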

Aspects of Configuration Management

• Organizational and Process
  – Change Management
  – Admission Policy
• Technical
  – Dependency Management
  – Patch Management (also organizational)
• Live evaluation and detection
  – Admission Control
  – Whitelists
  – Change detection

Organization aspects of CM

• Identify configuration items to be controlled
  – document user requirements, system design and development, software version, interface control, data flows and network diagrams, test plans and procedures, etc.
  – Use a schema or comply with organizational policy to provide unique identifiers for each item.
• Identify the level of CM to be controlled, and determine the hierarchy of each level
  – nature of the system, configuration items, components, etc.
• Identify all baselines to be managed
  – user requirements, system requirements, design, development, experimentation, sustainment, etc.

Slide by Fumiko Uehara, INF526 Students Summer 2016

Configuration Control

• Develop a process to track all configuration item changes and intrusion in the appropriate baseline.
• Build or provide specifications to build work products from the software configuration management system, or physical products from the hardware configuration management system.
• Purchase or develop tools for version control of source code, providing version control tracking to the line of code level. Implement an engineering release system to provide hardware version control.

Slide by Fumiko Uehara, INF526 Students Summer 2016

Configuration Status Accounting

• Publish periodic reports describing the current configuration of each configuration item.
• Applies to all installed hardware, software, and other controlled assets during the entire life of the system.
• The reports should include software version and details of hardware in the system and testing.

Slide by Fumiko Uehara, INF526 Students Summer 2016

Configuration Audits

• Performing periodic verifications of operational baselines for completeness.
• Assure that both functional and physical configuration meet the requirements.
• Tools, scripts or logs can be used when a change has occurred in a configuration.

Slide by Fumiko Uehara, INF526 Students Summer 2016

Technical Aspects of CM

• Dependency Managers
  – Linux package managers
• Patch Management
  – Software update options
  – Software update center (Linux)
  – Windows updates
  – App Stores
• Special Tools
  – Secunia, others (later)
• New attack vectors
  – When to update

Tools: CM, evaluation and detection

• Live evaluation and detection
  – Admission Control
  – Whitelists
  – Change detection

Automated Tools: Ansible

• Free software developed by Red Hat
• Written in Python, can run on multiple platforms
• Uses playbooks written in YAML to perform tasks
• Uses SSH to communicate from the management machine.
• Target servers do not need to install agent files

Slide by Fumiko Uehara, INF526 Students Summer 2016

Automated Tools: Ansible

• Example of tasks and handlers
  – Install WordPress configuration file, and restart httpd

    tasks:
      - name: install WordPress configuration file
        template: src=wordpress.conf dest=/etc/httpd/conf.d/wordpress.conf
        notify:
          - restart httpd

    handlers:
      - name: restart httpd
        service: name=httpd state=restarted

Slide by Fumiko Uehara, INF526 Students Summer 2016
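The playbook fragment above relies on two Ansible rules that the slide does not spell out: a task only notifies its handler when it reports a change, and a notified handler runs once at the end of the play no matter how many tasks notified it. The simulation below is an added example for this page, not Ansible's code and not from the lecture; it models the slide's template task and handler as plain Python dicts (what a YAML loader would produce), adds a hypothetical yum task that notifies the same handler, and runs them against a simulated host so that the idempotent second run and the re-run after on-host drift can be observed.

```python
def run_play(tasks, handlers, apply_task):
    """Run tasks in order, then the handlers they notified.
    tasks/handlers: lists of dicts with "name", "module", "args" (tasks may carry "notify").
    apply_task(item) -> True if it changed the host, False if already in the desired state.
    Returns (task_results, handlers_run) in execution order."""
    task_results = []
    notified = []  # ordered and de-duplicated: a handler runs once however many tasks notify it
    for task in tasks:
        changed = apply_task(task)
        task_results.append((task["name"], "changed" if changed else "ok"))
        if changed:  # only a task that actually changed something notifies
            for name in task.get("notify", []):
                if name not in notified:
                    notified.append(name)
    by_name = {h["name"]: h for h in handlers}
    handlers_run = []
    for name in notified:
        if name not in by_name:
            raise KeyError(f"handler '{name}' was notified but is not defined")
        apply_task(by_name[name])
        handlers_run.append(name)
    return task_results, handlers_run


# The slide's task and handler as Python structures, preceded by a hypothetical package task
# that notifies the same handler.
TASKS = [
    {"name": "ensure httpd is installed", "module": "yum",
     "args": {"name": "httpd", "state": "present"}, "notify": ["restart httpd"]},
    {"name": "install WordPress configuration file", "module": "template",
     "args": {"src": "wordpress.conf", "dest": "/etc/httpd/conf.d/wordpress.conf"},
     "notify": ["restart httpd"]},
]
HANDLERS = [
    {"name": "restart httpd", "module": "service",
     "args": {"name": "httpd", "state": "restarted"}},
]


def make_host():
    """Return (state, apply_task) for a simulated target host. The state dict records
    managed files, installed packages and how many times the service was restarted."""
    state = {"files": {}, "packages": set(), "restarts": 0}

    def apply_task(item):
        module, args = item["module"], item["args"]
        if module == "template":  # idempotent: rewrite only if the rendered content differs
            desired = "rendered:" + args["src"]
            if state["files"].get(args["dest"]) == desired:
                return False
            state["files"][args["dest"]] = desired
            return True
        if module == "yum":  # idempotent: install only if absent
            if args["name"] in state["packages"]:
                return False
            state["packages"].add(args["name"])
            return True
        if module == "service":  # a restart is always an action
            state["restarts"] += 1
            return True
        raise ValueError(f"unsupported module {module}")

    return state, apply_task


if __name__ == "__main__":
    host, apply = make_host()
    print(run_play(TASKS, HANDLERS, apply), host["restarts"])  # both tasks change, one restart
    print(run_play(TASKS, HANDLERS, apply), host["restarts"])  # nothing changes, no restart
    host["files"]["/etc/httpd/conf.d/wordpress.conf"] = "edited by hand"  # drift on the target
    print(run_play(TASKS, HANDLERS, apply), host["restarts"])  # template re-applied, restart again
```

The third run is the configuration-management point: a hand edit on the target is overwritten by the next play and the service is restarted, and the "changed" result for that task is the signal a change-detection process would want to see in the run log.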

Some other Tools

• Chef
  – Written in Ruby, can be easily customized.
  – Can run on multiple platforms.
• Puppet
  – Written in Ruby.
  – Can run on multiple platforms.
  – For large scale systems
• CFEngine
  – Can run on multiple platforms.
  – Describe the final state in which one wants to end up. The agent then ensures that the necessary steps are taken to end up there.
• Microsoft PowerShell DSC
  – Standard since PowerShell 5.0 (Windows 8.1), Desired State Configuration

Slide by Fumiko Uehara, INF526 Students Summer 2016

Automated Tools Detection: Tripwire

• Open source and enterprise versions developed by Tripwire, Inc.
  – Two versions; the Open Source version is not maintained or upgraded
• Detects changes to file system objects
• When first initialized, scans the file system and stores information in a database. Later, the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user by email.

Slide by Fumiko Uehara, INF526 Students Summer 2016

File Integrity Monitoring

• Act of validating the integrity of operating system and application software files
• Calculate file signatures (hash values) and compare them to a baseline
• Should be performed periodically

Slide by Fumiko Uehara, INF526 Students Summer 2016

Tripwire Enterprise

[Architecture diagram; only its labels survive] Management Console with GUI (web browser), CUI (command line) and API; network monitoring software; monitored targets: servers, network devices, database servers, virtualized environments; functions: file integrity management, network device monitoring, configuration management on database, virtualized endpoint monitoring; a configuration management database; inputs from network management tools and software information.

Slide by Fumiko Uehara, INF526 Students Summer 2016

Open Source Integrity Tools

• Tripwire (some versions)
  – runs on Linux
• AFICK
  – Another File Integrity ChecKer
  – Perl based, deployment on Windows, Linux, Unix, Solaris.
• AIDE
  – Advanced Intrusion Detection Environment
  – runs on Linux

Slide by Fumiko Uehara, INF526 Students Summer 2016

Hash Algorithms for File Signatures

           md5       sha1      sha256    sha512    md160     tiger     whirlpool gost      crc32     haval
Tripwire   ✔         ✔                                                                     ✔         ✔
AFICK      ✔         ✔         ✔         ✔
AIDE       ✔         ✔         ✔         ✔         ✔         ✔         ✔         ✔         ✔         ✔

Slide by Fumiko Uehara, INF526 Students Summer 2016

File Signature Bypass Issues

• Default MD5 signature can be bypassed by tools.
• Having a wide variety of simultaneous cryptographic generation algorithms can help to detect evasion through signature weaknesses.

Slide by Fumiko Uehara, INF526 Students Summer 2016
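The File Integrity Monitoring slide (signatures computed, stored as a baseline, compared later) and the bypass slide above (several algorithms at once so that a weakness in one does not hide a change) describe the core loop of Tripwire, AFICK and AIDE. The program below is an added example written for this page, not the code of any of those tools: it builds a baseline over a constructed temporary directory, computes sha256, sha512 and md5 in a single pass over each file, stores the baseline as JSON, and on re-scan reports added, removed and modified files together with which attributes changed. The `digests_disagree` check is the bypass slide's point in code: a file whose content changed under some digests but not others is exactly the case the extra algorithms exist to catch. The file names and contents in `demo()` are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile

# Several digests computed in one pass; an evasion that preserves one still changes the others.
ALGORITHMS = ("sha256", "sha512", "md5")


def file_record(path):
    """Hash one file with every algorithm in ALGORITHMS and record size and permission bits."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    st = os.lstat(path)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "digests": {name: d.hexdigest() for name, d in digests.items()}}


def build_baseline(root):
    """Walk root and return {relative path: record} for every regular file (symlinks skipped)."""
    records = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = file_record(full)
    return records


def save_baseline(records, path):
    with open(path, "w") as fh:
        json.dump(records, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(root, baseline):
    """Rescan root and report added, removed and modified files relative to baseline.
    For each modified file the list names every attribute that differs."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for rel in sorted(set(current) & set(baseline)):
        old, new = baseline[rel], current[rel]
        diffs = [k for k in ("size", "mode") if old[k] != new[k]]
        diffs += [f"digest:{a}" for a in ALGORITHMS
                  if old["digests"].get(a) != new["digests"].get(a)]
        if diffs:
            report["modified"][rel] = diffs
    return report


def digests_disagree(diffs):
    """True when some digests changed and others did not for the same file: the content
    changed but one algorithm failed to notice, the weakness the extra algorithms guard against."""
    changed = sum(1 for d in diffs if d.startswith("digest:"))
    return 0 < changed < len(ALGORITHMS)


def demo():
    """Baseline a constructed tree, then alter it (edit, delete, add) and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        files = {"bin_app": b"binary v1", "etc/config": b"a=1", "gone.txt": b"old"}
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        fd, baseline_path = tempfile.mkstemp(suffix=".json")  # baseline kept outside the tree
        os.close(fd)
        save_baseline(build_baseline(root), baseline_path)
        with open(os.path.join(root, "etc", "config"), "wb") as fh:
            fh.write(b"a=22")                       # edited
        os.remove(os.path.join(root, "gone.txt"))   # deleted
        with open(os.path.join(root, "new.txt"), "wb") as fh:
            fh.write(b"dropped in")                 # added
        report = compare(root, load_baseline(baseline_path))
        os.remove(baseline_path)
        return report
```

As the next slide notes, a report like this says only that something changed, not how; the baseline file itself is the asset to protect (Tripwire's signed database and AFICK's self-hash on the following slides address exactly that), since an attacker who can rewrite the baseline can hide any change from the comparison.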

How was the detected change caused?

• Tripwire, AFICK and AIDE note that something has happened
  – Modified? Executed?
• Need correlation with other logs
  ※ Enterprise version does

Slide by Fumiko Uehara, INF526 Students Summer 2016

Protecting the Tools

• Tripwire
  – Require two passphrases longer than eight characters
• AFICK
  – Calculate MD5 signature of itself right after the first installation
  – Can boot from CDROM
• AIDE
  – Signed and stored in the Ubuntu repository, automatically verified during the download and installation

Slide by Fumiko Uehara, INF526 Students Summer 2016

Placement of CM Functions

• Central to the Enterprise
• On each system
• In the Network
• On storage or other servers
• Relationship to SIEM

Minimization in CM

• Create a few standard configurations
  – Fewer different systems to configure and possibly get wrong.
• Automate the configuration of machines within groups.
  – So that you don't leave one out of the update cycle

Push vs Pull

• Most end user systems pull updates
  – Windows updates
  – Linux software updater
• Much server infrastructure changes based on a push model.
  – Ansible (Red Hat)

Configuration Management

Mariam Bubshait

Resources: Secure Provisioning

Provision: to set up or supply credentials or other access to resources.

System users and controls should be properly provisioned before they are allowed to connect to your system.

It is important that you:
• Configure your resources on your network to support a specific function
• Establish a known secure baseline for your devices/systems per your security policies
• Make sure that systems are up to a specific level of security required before allowing them to connect to your systems
• Test the system to verify that they consistently function properly and make sure that your security controls are working to keep out unauthorized individuals
• Monitor unauthorized changes on your network or specific systems
• If change is needed, follow a structured approach using configuration management (CM)

Configuration Management (CM)

Definition: CM refers to the process of systematically handling changes to a system in a way that it maintains integrity over time.

Configuration Management can mean:
• how your network devices are configured
• what version of application you are running
• what was the last patch installed on your device/system
• baselines of hardware and applications that run on your devices/systems

Why configuration management

• Mass deployment and fast provisioning: CM tools automate the deployment efficiently and quickly
• Faster recovery from critical events: a CM tool should roll back the application automatically to a stable version in case of failure.
• Elimination of snowflake servers: by using a configuration management tool, the procedure necessary for bringing up a new server or updating an existing one will be all documented in the provisioning scripts
• Replicated environment

Basic Configuration Management

Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes.

A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

A Configuration Management Plan (CM Plan) is a comprehensive description of the roles, responsibilities, policies, and procedures that apply when managing the configuration of products and systems.

Security Configuration Management (SCM)

The configuration of an information system and its components has a direct impact on the security posture of the system.

Changes to the configuration of an information system are often needed to stay up to date with changing business functions and services, and information security needs.

These changes can adversely impact the previously established security posture.

Security-Focused Configuration Management (SCM) is the management and control of secure configurations for an information system to enable security and facilitate the management of risk.

SCM builds on the general concepts, processes, and activities of configuration management by focusing attention on the implementation and maintenance of the established security requirements of the organization and information systems.

Security Configuration Management (SCM) Roles

• identification and recording of configurations that impact the security posture of the information system and the organization
• the consideration of security risks in approving the initial configuration
• the analysis of security implications of changes to the information system configuration
• documentation of the approved/implemented changes.

As changes to information systems are made, baseline configurations are updated, specific configuration settings confirmed, and configuration items tracked, verified, and reported.

Configuration Change Management

It is the documented process for managing and controlling changes to the configuration of an information system or its constituent CIs.

It involves:
• systematic proposal
• justification
• implementation
• test/evaluation
• review
• disposition of changes to the system, including upgrades and modifications.

Configuration change control is applied to include changes to components of the information system, changes to the configuration settings for information technology products, emergency/unscheduled changes, and changes to remediate flaws.

Changes are controlled from the time the change is proposed to the implementation and testing of the change.

The emphasis here is put on the management of change to maintain the secure, approved baseline of the information system.

Tools: SaltStack

• A Python-based open-source configuration management software and remote execution engine
• Supports Linux and Windows platforms
• Configuration management system called Salt States
• Salt functions on a master/minion topology. A master server acts as a central control bus for the clients, which are called minions. The minions connect back to the master. It can also run in a standalone mode.
• Provides configuration management functions by automating the packaging and provisioning of code into an organization's operational IT environment
• SaltStack is written in Python, so it can use scripts written directly in Python, or can render other scripts, such as those written in YAML or JSON, through the use of the PyDSL Salt renderer
• Salt is capable of storing configuration directives, and then instructing other machines to follow those directives by doing things like installing software, making configuration changes to the software, and then reporting back on the progress and success or failures of the installation.

SaltStack CM scenario: installing LAMP stack on Red Hat

SaltStack formulas and states can be used for tasks such as installing a package, configuring and starting a service, setting up users or permissions, and many other common tasks.

Set up an Apache web server, and a MySQL database server for the web application to use. Define the database server first:

    # /srv/salt/mysql.sls
    mysql:
      pkg.installed:
        - name: mysql-server
      service.running:
        - enable: True
        - require:
          - pkg: mysql-server

Because this example does not include any files other than the declaration, we can store it simply as /srv/salt/mysql.sls

SaltStack CM scenario: installing LAMP stack on Red Hat

The Apache installation is more complex, because it includes a configuration file. It is copied up to the web server using the file.managed function, which supports enhanced functionality such as templating. To accommodate this, we create an apache/ directory inside of /srv/salt/

    # /srv/salt/apache/init.sls
    httpd:
      pkg.installed:
        - name: httpd
      service.running:
        - enable: True
        - require:
          - pkg: httpd
          - file: httpd
      file.managed:
        - name: /etc/conf/httpd/httpd.conf
        - source: salt://httpd/httpd.conf
        - require:
          - pkg: httpd

SaltStack CM scenario: installing LAMP stack on Red Hat

    # /srv/salt/top.sls
    base:
      web*:
        - apache
      db*:
        - mysql

This definition will ensure that any servers whose names start with "web" (such as web01 or even web01.example.com) will have the Apache state applied to them, and any servers whose names start with "db" (such as db01 or db01.example.com) will have the MySQL state applied to them.

To apply these states to all servers:

    salt '*' state.highstate

A highstate is the combination of state data (packages, services, files, etc.) that will be applied to the target system.

SaltStack: Addressing configuration drift

If the httpd.conf file gets changed on the server, SaltStack will set it right back where it needs to be, and report to the user what changes were made to enforce the correct state.

But what about package versions?

• When a pkg.installed state is declared, SaltStack will check with the underlying package manager to see if that package is already installed.
• If it is, then the state has been achieved, and no further action is performed.
• If it is not installed, it will tell the package manager to install that package, which will normally search for the latest available version of that package and install that.

SaltStack: Addressing configuration drift

Problem: this can result in a number of servers containing different versions of a package, which can result in issues that can be difficult to troubleshoot.

Solution: set the pkg.latest state instead, to always make sure that all servers are always running the latest version of a package:

    httpd:
      pkg.latest:
        - name: httpd

New problem: as soon as a new version is made available, all of the servers will try to download and install it, whether or not you were expecting a new version or have had time to perform your own internal testing.

Solution: lock down packages to a specific version:

    httpd:
      pkg.installed:
        - name: httpd
        - version: 2.2.15

This ensures that packages will not be upgraded until the state declaration has been explicitly updated to do so.
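The three SaltStack slides above (top-file targeting by glob, the mysql/apache states, and the pkg.installed / pkg.latest / pinned-version drift discussion) together describe a small state engine. The simulation below is an added example for this page, not SaltStack's code: it matches minion ids against the top-file globs with fnmatch, applies pkg.* states against a constructed package repository and file.managed against constructed file-server content, and walks through the slides' scenario so the drift and each fix can be seen in the returned versions. The repository contents, minion names and versions are constructed; `service.running` is deliberately not simulated.

```python
import fnmatch


def vkey(version):
    """Sort key for dotted version strings such as 2.2.15 (constructed versions only)."""
    return tuple(int(x) for x in version.split("."))


class FakeMinion:
    """Simulated minion: id, package database, managed files, and the repository it installs from."""

    def __init__(self, minion_id, repo):
        self.id = minion_id
        self.repo = repo        # shared dict: package name -> versions the repository offers
        self.installed = {}     # package name -> installed version
        self.files = {}         # path -> content

    def latest(self, name):
        return max(self.repo[name], key=vkey)


def pkg_state(minion, fn, name, version=None):
    """Apply one pkg.* state and return (changed, comment), like a Salt state result."""
    cur = minion.installed.get(name)
    if fn == "pkg.installed" and version is None:
        if cur:                                  # present at any version: nothing to do
            return False, f"{name} {cur} is already installed"
        target = minion.latest(name)             # the package manager picks whatever is newest now
    elif fn == "pkg.installed":                  # pinned version: converge up or down to it
        if version not in minion.repo[name]:
            raise ValueError(f"{name} {version} is not available in the repository")
        if cur == version:
            return False, f"{name} {version} is already installed"
        target = version
    elif fn == "pkg.latest":                     # follow the repository as it changes
        target = minion.latest(name)
        if cur == target:
            return False, f"{name} {cur} is the latest"
    else:
        raise ValueError(f"unsupported state {fn}")
    minion.installed[name] = target
    return True, f"{name}: {cur} -> {target}"


def file_state(minion, path, content):
    """file.managed: put the file back to the source content whenever it differs."""
    if minion.files.get(path) == content:
        return False, f"{path} is in the correct state"
    minion.files[path] = content
    return True, f"{path} updated"


def highstate(minion, top, states, sources):
    """Match the minion id against the top-file globs and apply every listed state.
    Returns a list of (state id|function, changed, comment)."""
    results = []
    for globs in top.values():
        for pattern, sls_list in globs.items():
            if not fnmatch.fnmatchcase(minion.id, pattern):
                continue
            for sls in sls_list:
                for sid, funcs in states[sls].items():
                    for fn, args in funcs.items():
                        if fn.startswith("pkg."):
                            changed, comment = pkg_state(minion, fn, args.get("name", sid), args.get("version"))
                        elif fn == "file.managed":
                            changed, comment = file_state(minion, args["name"], sources[args["source"]])
                        else:
                            continue  # service.running and other functions are not simulated
                        results.append((f"{sid}|{fn}", changed, comment))
    return results


TOP = {"base": {"web*": ["apache"], "db*": ["mysql"]}}
SOURCES = {"salt://httpd/httpd.conf": "Listen 80\n"}   # constructed file-server content
MYSQL_STATE = {"mysql": {"pkg.installed": {"name": "mysql-server"}}}


def apache_state(pkg_fn="pkg.installed", version=None):
    """The slide's apache state with the pkg function and optional pinned version swapped in."""
    pkg_args = {"name": "httpd"}
    if version:
        pkg_args["version"] = version
    return {"httpd": {pkg_fn: pkg_args,
                      "file.managed": {"name": "/etc/conf/httpd/httpd.conf",
                                       "source": "salt://httpd/httpd.conf"}}}


def drift_demo():
    """Walk through the slides' three variants and return the httpd versions after each."""
    repo = {"httpd": ["2.2.15"], "mysql-server": ["5.1.73"]}   # constructed repository
    web01, web02, db01 = (FakeMinion(i, repo) for i in ("web01", "web02.example.com", "db01"))
    states = {"apache": apache_state(), "mysql": MYSQL_STATE}
    stages = {}
    highstate(web01, TOP, states, SOURCES)
    highstate(db01, TOP, states, SOURCES)
    repo["httpd"].append("2.4.6")            # a newer httpd appears upstream
    highstate(web02, TOP, states, SOURCES)   # provisioned later: gets the newer version
    highstate(web01, TOP, states, SOURCES)   # pkg.installed sees httpd present, leaves 2.2.15 alone
    stages["installed"] = (web01.installed["httpd"], web02.installed["httpd"], db01.installed.get("httpd"))
    states["apache"] = apache_state("pkg.latest")
    for m in (web01, web02):
        highstate(m, TOP, states, SOURCES)
    stages["latest"] = (web01.installed["httpd"], web02.installed["httpd"])
    states["apache"] = apache_state("pkg.installed", "2.2.15")
    for m in (web01, web02):
        highstate(m, TOP, states, SOURCES)
    stages["pinned"] = (web01.installed["httpd"], web02.installed["httpd"])
    web01.files["/etc/conf/httpd/httpd.conf"] = "Listen 8080\n"   # someone edits the file by hand
    stages["file_drift"] = [r for r in highstate(web01, TOP, states, SOURCES) if r[1]]
    return stages
```

The "installed" stage is the drift the slide warns about (web01 on 2.2.15, web02 on 2.4.6, and a second highstate on web01 does not close the gap); "latest" converges both but at whatever version the repository happened to publish; "pinned" converges both on the reviewed version, downgrading web02, and will stay there until the state file is edited. The final stage shows file.managed reverting a hand edit on the next run, which is the behaviour the previous slide describes for httpd.conf.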

Tools: Secunia CSI

• A Windows-based Vulnerability and Patch Management Software Solution that completes and targets the Patch Management process.
• It combines Vulnerability Intelligence, Vulnerability Scanning, and Patch Creation with Patch Deployment Tool Integration
• Collects specific metadata from primarily .EXE, .DLL, and .OCX files on the system being scanned.
• This data is collected and then sent to Secunia's Secure Data Processing Cloud where it is processed and parsed.
• The data is then matched against Secunia File Signatures, mapping metadata to an actual product installation.
• This matching process results in an exact version extracted from metadata
• The inventory of software is then compared against the unique Secunia Advisory and Vulnerability Database

Tools: Secunia CSI

• The result is a precise inventory of products, their versions, the security state of each, and a detailing of vulnerabilities and their criticality and impact.
• Assess scanning results and patch using WSUS and SCCM

THANK YOU
Questions?

Presentations of Project 1

• It is time to wrap up the exercise - each group has to prepare a report describing:
  – User documentation for their application (high level)
  – Their network and server architecture (what servers are on what VMs and how they are interconnected)
  – A risk assessment/vulnerability analysis enumerating the risks, explaining the mitigation of those risks, and listing those threats that are not defended against (i.e. where you accept the risks).
  – A description of the steps taken for pen testing of your system.
• We will use 40 minutes of this week's lecture to demonstrate the operation of your systems.
  – Once I have seen the normal operation of the systems, I will plan a session in a future week in which we will try additional pen-testing.

Second Exercise - Criminal Enterprises

• Chosen because of differences in the high level principles.
  – Not because I expect you to implement these kinds of systems in your future endeavors.
  – But you may be called upon to break some of these systems if later employed by government organizations.
• Your organization must:
  – Accept Bitcoin as payment (not really, but it must accept something that stands in for bitcoin)
  – Manage an inventory of stolen account identifiers with passwords
  – Control access to such information
  – Prevent collection of evidence or intelligence by third parties.
  – Note, do not deal in any illegal goods, but use dummy information to stand in for such goods. Also, do not use terms associated with such illegal goods or information in communications; make up new names for this dummy information.

Initial Homework Assignment (due before 3/29 class)

• Submit as email to [email protected]
• System Structure for Criminal Enterprise Case Study
• Consider the description of the system to be used for the second exercise, as discussed in the previous slide.
  – Enumerate the classes of data
  – Enumerate the classes of users
  – Identify the protection domains
  – Enumerate the systems (hardware)
  – Enumerate the systems (software components)
• This write-up is expected to be about 3 pages in length (could be more or less)
  – It will be shared later with your group members to begin discussion for the group architecture.

Teams for Second Exercise

• Group A
  – Enrolled: Srivastav, Binkulaib, Dmytrisin, Alsubaie, Bubshait, Gronski
  – Advisors: haiboz, jaskaran, rajattan
• Group B
  – Enrolled: Guerrerobognoli, Li, Wright-Walker, Jackoski, Vadlamani, Zhang
  – Advisors: sajmani, slakkadi, tosirisu, wang907