Services - Security Audits

Overview

A software bug, an error in a dynamic web page, an unpatched server, or weak passwords can lead to a compromised server. Unfortunately, unwanted intrusions can go undetected. When activated, the Security Audit performs a daily integrity check and notifies you of any irregularities.

Requirements

  • The Web Services software module must be running, with the firewall open for it

Activation

  • Log in to your account
  • Click on Systems in the top navigation bar
  • Select the target system from the list of active systems in your account
  • Click on Security Audits in the menu

Configuration

To enable the Security Audits service, select On and click the Update button.

Status Reports

You will receive an e-mail when the security audit detects a change on your system. If no system changes are detected, you will not receive any reports.

How It Works

The goal of the security audit is to pick up clues that typically result from a server being compromised. This can be determined by:

  • Detecting changes in critical files and directories
  • Checking for a change in the number of hidden files and directories
  • Monitoring the inventory of setuid/setgid files
  • Detecting a change in the number of superuser accounts
  • Auditing the number of accounts without passwords

On a daily basis, the security audit will

  • Connect to your system
  • Make sure the audit tools have not been tampered with
  • Signal the system to run the audit
  • Wait for the audit to complete
  • Save a simple hash of the results in our database

The system will send an e-mail alert if any irregularities occur during this process.

Detecting File Changes with Aide

The Security Audit uses Aide (a Tripwire replacement) to create a snapshot of important system files. The database contains file permissions, modification times, file size, etc. You can take a look at this database on your machine (usually in /usr/local/suva/suvlets/net/pointclark/SecurityAudit/db/aide.db).

We do not need to store the entire file offline; all we do is compute a hash (a fingerprint that identifies the file's contents) of the file and send this result back to our database. On the next system check, the hash is recomputed and compared against the stored value to make sure nothing has tampered with the Aide database.

The Aide software (which is also checked for tampering) can then run its normal audit knowing that the database is intact. Other system checks use the same model.
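To make that model concrete, here is an added Python sketch (not ClarkConnect's or AIDE's own code) of the same flow: take a baseline of file attributes, keep only a hash of the baseline "off the box", refuse to audit if the baseline no longer matches that hash, and otherwise report which attributes changed. The demo uses a constructed temporary file as a stand-in for /usr/bin/last and bumps its mtime the way `touch` would.

```python
import hashlib
import json
import os
import tempfile

def snapshot(paths):
    """Record the attributes AIDE compares: mode, size, mtime and a content hash."""
    db = {}
    for p in paths:
        st = os.lstat(p)
        with open(p, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        db[p] = {"mode": st.st_mode, "size": st.st_size,
                 "mtime_ns": st.st_mtime_ns, "sha256": digest}
    return db

def db_fingerprint(db):
    """Hash of the whole baseline: the only value that needs to be kept off the box."""
    blob = json.dumps(db, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def audit(db, stored_fingerprint):
    """Verify the baseline against the off-box hash first, then report per-file changes."""
    if db_fingerprint(db) != stored_fingerprint:
        raise RuntimeError("baseline does not match stored hash; refusing to audit")
    findings = {}
    for p, old in db.items():
        if not os.path.lexists(p):
            findings[p] = ["missing"]
            continue
        new = snapshot([p])[p]
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            findings[p] = changed
    return findings

def demo():
    """Constructed sample: a stand-in for /usr/bin/last is touched after the baseline."""
    target = os.path.join(tempfile.mkdtemp(), "last")
    with open(target, "wb") as fh:
        fh.write(b"\x7fELF stand-in binary")
    db = snapshot([target])
    fp = db_fingerprint(db)
    clean = audit(db, fp)                       # nothing changed yet -> {}
    st = os.lstat(target)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns + 60 * 10**9))  # like `touch`
    touched = audit(db, fp)                     # -> {target: ["mtime_ns"]}
    return clean, touched, db, fp
```

Editing the baseline itself (adding or removing an entry) changes its fingerprint, so `audit` raises instead of trusting the modified database.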


Give It a Test: wait at least 24 hours for the security audit to run at least once. You can then "tamper" with one of your system files. For instance, run the touch command on /usr/bin/last (this command simply changes the timestamp on the file). You will receive an alert on the next audit.

Retrieved from "http://www.clarkconnect.com/docs/Services_-_Security_Audits"

This page was last modified 00:20, 4 November 2005.