Auditing UNIX/Linux Systems

The UNIX operating system has been around since the 1970s and is used for everything from web and database servers to desktop workstations. It is still the most widely used operating system on the Internet, due to its wide adoption as a web server platform.

In recent years, the UNIX community has been enhanced by the arrival of open source software such as GNU/Linux, providing an operating system based on the principles of UNIX, but free from any manufacturer dependency or restrictive usage rights. UNIX has for many years had a reputation for being difficult to administer and to secure, partly because of the wide range of versions covered by the generic name ‘UNIX’. In practice, a UNIX system can be administered and secured as easily as any other operating system, provided that the administrator knows where the critical control information is stored and how to maintain it.

In this intensive two-day course from our popular ‘Need to Know’ series, you will learn about the internals of UNIX, how its different versions provide security and control of users, groups and files, and how to extract sufficient audit data from a UNIX system to carry out an audit review. You will learn where the key UNIX control files are stored, how different manufacturers such as Sun, IBM and HP have modified the structure of UNIX to their own requirements, and why they have done so. You will perform a UNIX audit using the built-in commands supplied with UNIX, building a set of audit automation scripts as you do so, guided by our comprehensive UNIX audit program.

At the end of the event, you will have all the essential knowledge required to plan and conduct a successful UNIX or Linux audit. A hands-on version of the course is available, to give you practical experience of a UNIX audit.

Suggested duration: 2 days, but can be customised to your requirements.

Agenda

Introduction – Principles of UNIX

UNIX versions – why they are different
Standard UNIX & Linux
AIX variations
Solaris variations

Operating system processes and software
How to list system and user processes
Interpreting the process commands
Listing installed software and packages

System Start-up files
The UNIX boot process
Run levels and what they mean
Security issues of UNIX start-up files
Run level control files and how to audit them
New service controls – the svcadm command in Solaris

The UNIX file system
Disks and file systems
The UNIX file system standard
The main directories and their locations
UNIX standard file and directory permissions
UNIX extended access control lists and their uses
How Solaris, Linux and AIX handle access control lists

UNIX Logon controls
Default login settings
‘Per user’ login controls
User login files
How Solaris, Linux and AIX user login controls work
Controlling high-privilege users – su and sudo
Password history and account lockout
Pluggable Authentication Modules (PAM) and what they do

User and Group Management
Group definition files
Group membership and how it affects security

The UNIX auditing system and how it works
AIX auditing
Solaris auditing

UNIX Networking
UNIX and TCP/IP
Network configuration files
Remote commands – rsh, rcp, rlogin
Telnet and its security issues
Secure remote UNIX administration via SSH
The network service control files
How to list UNIX network services

UNIX graphical interfaces
X-Window security
The XDM display manager and how it is secured

Practical steps to the audit of a UNIX system
Where to start
Listing users and groups
Using built-in UNIX administration commands
The Trusted Computing Base in AIX and Solaris
System integrity checking commands
Shell scripting for auditors
Key files and directories to inspect