INF526: Secure Systems Administration
Configuration Management
Prof. Clifford Neuman
Lecture 11
29 March 2017
OHE100C

Class Presentation Schedule
3/29 Mariam Fahad Bubeshait - Configuration Management
4/5 Mohammed Alsubaie - SIEM and Intrusion Detection
4/12 Vishnu Vadlamani - Network Monitoring/Attack Forensics
4/19 Andrew Gronski - Accreditation and acceptance testing
Configuration Management
A process for consistently establishing and maintaining the characteristics of the components of a system relevant for the proper functioning of that system.
– Proper functioning includes:
• Security
• Updates and security patches
• Detection and prevention of unauthorized changes
– Components include all system assets:
• Hardware
• Software
• Credentials
• Licenses
– Characteristics include:
• Accounts
• Settings
• Policies
Purpose of CM
• To maintain consistency of a system and its attributes with a technical baseline over the system's life.
• CM is part of a system's security assurance cycle.
• Reduce the management workload for a collection of systems.
• Reduce the attack surface of a collection of systems by reducing the differences between individual systems within the collection.
Configuration Management: Example Attack Scenarios for Misconfigured Systems
• An app server admin console was automatically installed and was not removed. An attacker discovered the standard admin pages and succeeded in logging in with default passwords.
• Directory listing is not disabled on a server. An attacker discovered she can simply list directories to find any file.
• An app server ships with sample applications that have well-known security flaws, which attackers can use to compromise the server.
Slide by Fumiko Uehara, INF526 Students Summer 2016
Any more? Out of date? Vulnerable apps?
It Starts with an Inventory
• Catalog of systems
– What is approved for connection
• Prevent access by uncatalogued systems
– For each system:
• Serial number, tag, MACs, IPs
• Location, owner, admin
• Make/model, hardware features
• Include routers, hubs, printers, other network-attached items
• Purpose
• Software (OS, patches, applications, etc.)
It Starts with an Inventory
• Catalog of software
– What is approved for use
• Detect unauthorized installs
– For each system:
• Name, version, patch level
• Checksum
• License information
• System requirements
• Security considerations/implications
• Anything else
Aspects of Configuration Management
• Organizational and process
– Change management
– Admission policy
• Technical
– Dependency management
– Patch management (also organizational)
• Live evaluation and detection
– Admission control
– Whitelists
– Change detection
Organization aspects of CM
• Identify configuration items to be controlled
– Document user requirements, system design and development, software version, interface control, data flows and network diagrams, test plans and procedures, etc.
– Use a schema or comply with organizational policy to provide unique identifiers for each item.
• Identify the level of CM to be controlled, and determine the hierarchy of each level
– Nature of the system, configuration items, components, etc.
• Identify all baselines to be managed
– User requirements, system requirements, design, development, experimentation, sustainment, etc.
Slide by Fumiko Uehara, INF526 Students Summer 2016
Configuration Control
• Develop a process to track all configuration item changes and intrusions against the appropriate baseline.
• Build or provide specifications to build work products from the software configuration management system, or physical products from the hardware configuration management system.
• Purchase or develop tools for version control of source code, providing version control tracking down to the line-of-code level. Implement an engineering release system to provide hardware version control.
Slide by Fumiko Uehara, INF526 Students Summer 2016
Configuration Status Accounting
• Publish periodic reports describing the current configuration of each configuration item.
• Applies to all installed hardware, software, and other controlled assets during the entire life of the system.
• The reports should include software version and details of hardware in the system and testing.
Slide by Fumiko Uehara, INF526 Students Summer 2016
Configuration Audits
• Perform periodic verifications of operational baselines for completeness.
• Assure that both functional and physical configuration meet the requirements.
• Tools, scripts or logs can be used when a change has occurred in a configuration.
Slide by Fumiko Uehara, INF526 Students Summer 2016
Technical Aspects of CM
• Dependency managers
– Linux package managers
• Patch management
– Software update options
– Software update center (Linux)
– Windows updates
– App stores
• Special tools
– Secunia, others (later)
• New attack vectors
– When to update
Tools: CM, evaluation and detection
• Live evaluation and detection
– Admission control
– Whitelists
– Change detection
Automated Tools: Ansible
• Free software developed by Red Hat
• Written in Python, can run on multiple platforms
• Uses playbooks written in YAML to perform tasks
• Uses SSH to communicate from the management machine
• Target servers do not need to install agent files
Slide by Fumiko Uehara, INF526 Students Summer 2016
Automated Tools: Ansible
• Example of tasks and handlers
– Install the WordPress configuration file, and restart httpd

  tasks:
  - name: install WordPress configuration file
    template: src=wordpress.conf dest=/etc/httpd/conf.d/wordpress.conf
    notify:
    - restart httpd

  handlers:
  - name: restart httpd
    service: name=httpd state=restarted

Slide by Fumiko Uehara, INF526 Students Summer 2016
Some other Tools
• Chef
– Written in Ruby, can be easily customized.
– Can run on multiple platforms.
• Puppet
– Written in Ruby.
– Can run on multiple platforms.
– For large-scale systems.
• CFEngine
– Can run on multiple platforms.
– Describe the final state in which one wants to end up. The agent then ensures that the necessary steps are taken to reach that state.
• Microsoft PowerShell DSC
– Standard since PowerShell 5.0 (Windows 8.1), Desired State Configuration
Slide by Fumiko Uehara, INF526 Students Summer 2016
Automated Tools, Detection: Tripwire
• Open source and enterprise versions developed by Tripwire, Inc.
– Two versions; the open source version is not maintained or upgraded
• Detects changes to file system objects
• When first initialized, scans the file system and stores information in a database. Later, the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user by email.
Slide by Fumiko Uehara, INF526 Students Summer 2016
File Integrity Monitoring
• The act of validating the integrity of operating system and application software files
• Calculate file signatures (hash values) and compare them to a baseline
• Should be performed periodically
Slide by Fumiko Uehara, INF526 Students Summer 2016
Tripwire Enterprise
Slide by Fumiko Uehara, INF526 Students Summer 2016
(Architecture diagram; labels only: Management Console with GUI, CUI and API access via web browser or command line; Network Monitoring Software; monitored targets Servers, Network Devices, Database Servers, Virtualized Environments; modules File Integrity Management, Network Devices Monitoring, Configuration Management on Database, Virtualized Endpoint Monitoring; Configuration Management Database holding Network Management Tools and Software information.)
Open Source Integrity Tools
• Tripwire (some versions)
– Runs on Linux
• AFICK
– Another File Integrity ChecKer
– Perl based; deployment on Windows, Linux, Unix, Solaris
• AIDE
– Advanced Intrusion Detection Environment
– Runs on Linux
Slide by Fumiko Uehara, INF526 Students Summer 2016
Hash Algorithms for File Signatures
Slide by Fumiko Uehara, INF526 Students Summer 2016

Tool      md5  sha1  sha256  sha512  md160  tiger  whirlpool  gost  crc32  haval
Tripwire  ✔    ✔                                                     ✔      ✔
AFICK     ✔    ✔     ✔       ✔
AIDE      ✔    ✔     ✔       ✔       ✔      ✔      ✔          ✔     ✔      ✔
File Signature Bypass Issues
• The default MD5 signature can be bypassed by tools.
• Having a wide variety of simultaneous cryptographic generation algorithms can help to detect evasion through signature weaknesses.
Slide by Fumiko Uehara, INF526 Students Summer 2016
How was the detected change caused?
• Tripwire, AFICK and AIDE note that something has happened
– Modified? Executed?
• Need correlation with other logs
※ The Enterprise version does this
Slide by Fumiko Uehara, INF526 Students Summer 2016
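The idea behind the last three slides (a multi-digest baseline, a later rescan, and a report that at least tells modified-content apart from a metadata-only change or a new file), as an added example in Python; this is not code from the lecture or from Tripwire, AFICK or AIDE, and the sample tree it scans is constructed in a temporary directory.

```python
"""Minimal file-integrity monitor in the spirit of Tripwire, AFICK and AIDE.
Added example, not code from the lecture or from any of those tools."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Several simultaneous digests: a collision crafted for one weak algorithm
# (e.g. MD5) still changes the others, so the evasion is detected.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def fingerprint(path):
    """Signature record stored in the baseline for one regular file."""
    st = os.stat(path)
    hashes = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    rec = {alg: h.hexdigest() for alg, h in hashes.items()}
    rec.update(size=st.st_size, mode=st.st_mode & 0o7777, mtime=st.st_mtime_ns)
    return rec


def build_baseline(root):
    """Fingerprint every regular file below root (the 'init' step)."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(root, baseline):
    """Rescan and compare: return {relative path: list of changed fields}."""
    current = build_baseline(root)
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            report[rel] = ["removed"]
        elif rel not in baseline:
            report[rel] = ["added"]
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                report[rel] = changed
    return report


def demo():
    """Constructed sample tree (POSIX): edit one file, chmod another, add a third."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "httpd.conf").write_text("Listen 80\n")
        (root / "wp-config.php").write_text("<?php\n")
        baseline = build_baseline(root)
        (root / "httpd.conf").write_text("Listen 80\nListen 8080\n")  # content change
        os.chmod(root / "wp-config.php", 0o755)                       # metadata only
        (root / "unexpected.php").write_text("<?php\n")               # new file
        return check(root, baseline)
    finally:
        shutil.rmtree(root)
```

The report alone still cannot say who or what made the change, which is the correlation gap the slide above points out.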
Protecting the Tools
• Tripwire
– Requires two passphrases longer than eight characters
• AFICK
– Calculates an MD5 signature of itself right after the first installation
– Can boot from CD-ROM
• AIDE
– Signed and stored in the Ubuntu repository, automatically verified during download and installation
Slide by Fumiko Uehara, INF526 Students Summer 2016
Placement of CM Functions
• Central to the enterprise
• On each system
• In the network
• On storage or other servers
• Relationship to SIEM
Minimization in CM
• Create a few standard configurations
– Fewer different systems to configure and possibly get wrong.
• Automate the configuration of machines within groups.
– So that you don't leave one out of the update cycle
Push vs Pull
• Most end user systems pull updates
– Windows updates
– Linux software updater
• Much server infrastructure changes based on a push model.
– Ansible (Red Hat)
Configuration Management
Mariam Bubshait

Resources: Secure Provisioning
Provision: to set up or supply credentials or other access to resources
Systems, users and controls should be properly provisioned before they are allowed to connect to your system
It is important that you:
Configure the resources on your network to support a specific function
Establish a known secure baseline for your devices/systems per your security policies
Make sure that systems are up to the specific level of security required before allowing them to connect to your systems
Test the systems to verify that they consistently function properly, and make sure that your security controls are working to keep out unauthorized individuals
Monitor for unauthorized changes on your network or specific systems
If change is needed, follow a structured approach using configuration management (CM)
Configuration Management (CM)
Definition: CM refers to the process of systematically handling changes to a system in a way that it maintains integrity over time.
Configuration Management can mean:
how your network devices are configured
what version of application you are running
what was the last patch installed on your device/system
baseline hardware and applications that run on your devices/systems
Why configuration management?
Mass deployment and fast provisioning: CM tools automate deployment efficiently and quickly
Faster recovery from critical events: a CM tool should roll the application back automatically to a stable version in case of failure.
Elimination of snowflake servers: by using a configuration management tool, the procedure necessary for bringing up a new server or updating an existing one is fully documented in the provisioning scripts
Replicated environments
Basic Configuration Management
Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
A Configuration Management Plan (CM Plan) is a comprehensive description of the roles, responsibilities, policies, and procedures that apply when managing the configuration of products and systems.
Security Configuration Management (SCM)
The configuration of an information system and its components has a direct impact on the security posture of the system
Changes to the configuration of an information system are often needed to stay up to date with changing business functions and services, and information security needs
These changes can adversely impact the previously established security posture
Security-Focused Configuration Management (SCM) is the management and control of secure configurations for an information system to enable security and facilitate the management of risk.
SCM builds on the general concepts, processes, and activities of configuration management by focusing attention on the implementation and maintenance of the established security requirements of the organization and its information systems.
Security Configuration Management (SCM) Roles
identification and recording of configurations that impact the security posture of the information system and the organization
the consideration of security risks in approving the initial configuration
the analysis of security implications of changes to the information system configuration
documentation of the approved/implemented changes.
As changes to information systems are made, baseline configurations are updated, specific configuration settings confirmed, and configuration items tracked, verified, and reported
Configuration Change Management
It is the documented process for managing and controlling changes to the configuration of an information system or its constituent CIs.
It involves:
systematic proposal
Justification
Implementation
test/evaluation
Review
disposition of changes to the system, including upgrades and modifications.
Configuration change control is applied to include changes to components of the information system, changes to the configuration settings for information technology products, emergency/unscheduled changes, and changes to remediate flaws.
Changes are controlled from the time the change is proposed to the implementation and testing of the change
The emphasis here is put on the management of change to maintain the secure, approved baseline of the information system
Tools: SaltStack
SaltStack is a Python-based open-source configuration management software and remote execution engine
It supports Linux and Windows platforms
Its configuration management system is called Salt States
Salt functions on a master/minion topology. A master server acts as a central control bus for the clients, which are called minions. The minions connect back to the master. It can also run in a standalone mode
Provides configuration management functions by automating the packaging and provisioning of code into an organization's operational IT environment
SaltStack is written in Python, so it can use scripts written directly in Python, or can render other scripts, such as those written in YAML or JSON, through the use of the PyDSL Salt renderer
Salt is capable of storing configuration directives, and then instructing other machines to follow those directives by doing things like installing software, making configuration changes to the software, and then reporting back on the progress and success or failure of the installation.
SaltStack CM scenario: installing a LAMP stack on Red Hat
SaltStack formulas and states can be used for tasks such as installing a package, configuring and starting a service, setting up users or permissions, and many other common tasks.
Goal: set up an Apache web server, and a MySQL database server for the web application to use.
Define the database server first:

  # /srv/salt/mysql.sls
  mysql:
    pkg.installed:
      - name: mysql-server
    service.running:
      - enable: True
      - require:
        - pkg: mysql-server

Because this example does not include any files other than the declaration, we can store it simply as /srv/salt/mysql.sls
SaltStack CM scenario: installing a LAMP stack on Red Hat
The Apache installation is more complex, because it includes a configuration file. It is copied up to the web server using the file.managed function, which supports enhanced functionality such as templating. To accommodate this, we create an apache/ directory inside of /srv/salt/ and put the state file and httpd.conf there:

  # /srv/salt/apache/init.sls
  httpd:
    pkg.installed:
      - name: httpd
    service.running:
      - enable: True
      - require:
        - pkg: httpd
        - file: httpd
    file.managed:
      - name: /etc/httpd/conf/httpd.conf
      - source: salt://apache/httpd.conf
      - require:
        - pkg: httpd
SaltStack CM scenario: installing a LAMP stack on Red Hat

  # /srv/salt/top.sls
  base:
    'web*':
      - apache
    'db*':
      - mysql

This definition will ensure that any servers whose names start with "web" (such as web01 or even web01.example.com) will have the Apache state applied to them, and any servers whose names start with "db" (such as db01 or db01.example.com) will have the MySQL state applied to them.
To apply these states to all servers:

  salt '*' state.highstate

A highstate is the combination of state data (packages, services, files, etc.) that will be applied to the target system
SaltStack: Addressing configuration drift
If the httpd.conf file gets changed on the server, SaltStack will set it right back to where it needs to be, and report to the user what changes were made to enforce the correct state.
But what about package versions?
When a pkg.installed state is declared, SaltStack will check with the underlying package manager to see if that package is already installed.
If it is, then the state has been achieved, and no further action is performed.
If it is not installed, it will tell the package manager to install that package, which will normally search for the latest available version of that package and install that.
SaltStack: Addressing configuration drift
Problem: this can result in a number of servers containing different versions of a package, which can result in issues that are difficult to troubleshoot.
Solution: declare the pkg.latest state instead, to make sure that all servers are always running the latest version of a package:

  httpd:
    pkg.latest:
      - name: httpd

New problem: as soon as a new version is made available, all of the servers will try to download and install it, even if you are not expecting a new version or have not had time to perform your own internal testing.
Solution: lock packages down to a specific version:

  httpd:
    pkg.installed:
      - name: httpd
      - version: 2.2.15

This ensures that packages will not be upgraded until the state declaration has been explicitly updated to do so.
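The three package-state variants from these slides (plain pkg.installed, pkg.latest, and a pinned version) together with the top.sls glob targeting, modelled in Python as an added example. This is not Salt's own code; it reproduces only the decision rules the slides describe, and the repository contents, minion ids and "day 1 / day 2" snapshots are constructed.

```python
"""Model of how Salt resolves pkg.installed, pkg.latest and a pinned version
against a package repository, plus top.sls glob targeting of minion ids.
Added example, not Salt's own code; all repository and state data is constructed."""
from fnmatch import fnmatch

# Constructed data: versions the yum repository offers on two different days.
REPO_DAY1 = {"httpd": ["2.2.15", "2.2.27"], "mysql-server": ["5.1.73"]}
REPO_DAY2 = {"httpd": ["2.2.15", "2.2.27", "2.4.6"], "mysql-server": ["5.1.73"]}

# Constructed top.sls (minion-id glob -> state files) and the pkg states from
# the slides as (package, state function, options).
TOP = {"web*": ["apache"], "db*": ["mysql"]}
STATES = {
    "apache": [("httpd", "pkg.installed", {})],
    "mysql": [("mysql-server", "pkg.installed", {})],
}


def newest(versions):
    """Highest version, comparing dotted numeric components."""
    return max(versions, key=lambda v: tuple(int(x) for x in v.split(".")))


def states_for(minion_id, top=TOP):
    """Resolve the highstate: every state under a glob the minion id matches."""
    return [s for pattern, names in top.items() if fnmatch(minion_id, pattern) for s in names]


def apply_pkg(installed, pkg, func, opts, repo):
    """Decide one pkg state: return (resulting version, action taken)."""
    have = installed.get(pkg)
    if func == "pkg.installed" and "version" in opts:
        # Pinned: exactly this version, whatever the repo offers today.
        want = opts["version"]
        return (have, "unchanged") if have == want else (want, "install " + want)
    if func == "pkg.installed":
        # Any installed version satisfies the state; otherwise the package manager
        # picks the newest version available *today*, which is where drift comes from.
        if have:
            return have, "unchanged"
        want = newest(repo[pkg])
        return want, "install " + want
    if func == "pkg.latest":
        # Always chase the newest version in the repo.
        want = newest(repo[pkg])
        if have == want:
            return have, "unchanged"
        return want, ("upgrade to " if have else "install ") + want
    raise ValueError("unknown state function " + func)


def highstate(minion_id, installed, repo, states=STATES):
    """Apply every pkg state the minion is targeted with; return (packages, actions)."""
    installed = dict(installed)
    actions = {}
    for state in states_for(minion_id):
        for pkg, func, opts in states[state]:
            installed[pkg], actions[pkg] = apply_pkg(installed, pkg, func, opts, repo)
    return installed, actions


def drift_demo():
    """web01 provisioned on day 1 and web02 on day 2, both with plain
    pkg.installed, end up on different httpd versions."""
    web01, _ = highstate("web01", {}, REPO_DAY1)
    web02, _ = highstate("web02.example.com", {}, REPO_DAY2)
    return web01["httpd"], web02["httpd"]
```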
Tools: Secunia CSI
Secunia CSI is a Windows-based vulnerability and patch management software solution that completes and targets the patch management process.
It combines vulnerability intelligence, vulnerability scanning, and patch creation with patch deployment tool integration
It collects specific metadata, primarily from .EXE, .DLL, and .OCX files on the system being scanned.
This data is collected and then sent to Secunia's Secure Data Processing Cloud, where it is processed and parsed.
The data is then matched against Secunia File Signatures, which map the metadata to an actual product installation.
This matching process results in an exact version extracted from the metadata
The inventory of software is then compared against the unique Secunia Advisory and Vulnerability Database
Tools: Secunia CSI
The result is a precise inventory of products, their versions, the security state of each, and a detailing of vulnerabilities and their criticality and impact.
Assess the scanning result and patch using WSUS and SCCM
Thank you. Questions?
Presentations of Project 1
• It is time to wrap up the exercise - each group has to prepare a report describing:
– User documentation for their application (high level)
– Their network and server architecture (what servers are on what VMs and how they are interconnected)
– A risk assessment/vulnerability analysis enumerating the risks, explaining the mitigation of those risks, and listing those threats that are not defended against (i.e. where you accept the risks).
– A description of the steps taken for pen testing of your system.
• We will use 40 minutes of this week's lecture to demonstrate the operation of your systems.
– Once I have seen the normal operation of the systems, I will plan a session in a future week in which we will try additional pen-testing.
Second Exercise - Criminal Enterprises
• Chosen because of differences in the high level principles.
– Not because I expect you to implement these kinds of systems in your future endeavors.
– But you may be called upon to break some of these systems if later employed by government organizations.
• Your organization must:
– Accept Bitcoin as payment (not really, but it must accept something that stands in for bitcoin)
– Manage an inventory of stolen account identifiers with passwords
– Control access to such information
– Prevent collection of evidence or intelligence by third parties.
– Note, do not deal in any illegal goods, but use dummy information to stand in for such goods. Also, do not use terms associated with such illegal goods or information in communications; make up new names for this dummy information.
Initial Homework Assignment (due before 3/29 class)
• Submit as email to [email protected]
• System Structure for Criminal Enterprise Case Study
• Consider the description of the system to be used for the second exercise, as discussed in the previous slide.
– Enumerate the classes of data
– Enumerate the classes of users
– Identify the protection domains
– Enumerate the systems (hardware)
– Enumerate the systems (software components)
• This write-up is expected to be about 3 pages in length (could be more or less)
– It will be shared later with your group members to begin discussion for the group architecture.
Teams for Second Exercise
• Group A
– Enrolled: Srivastav, Binkulaib, Dmytrisin, Alsubaie, Bubshait, Gronski
– Advisors: haiboz, jaskaran, rajattan
• Group B
– Enrolled: Guerrerobognoli, Li, Wright-Walker, Jackoski, Vadlamani, Zhang
– Advisors: sajmani, slakkadi, tosirisu, wang907