In this lesson, I'll talk about auditing. Auditing is an independent review of something. So this could be, you know, if you're here in the U.S., the auditing of your taxes, for example; it's an independent review of something that you are putting forward. So let's say that in an organization I accessed a certain folder; the system is going to say I accessed that folder. Auditing is important to understand because we need that independent analysis for systems. We need auditing to make sure that what we say we're doing actually happens, and we can do that in a number of different ways. We're going to look at Windows, we're going to look at Linux, and then we'll look at an independent review as well.

So auditing within an operating system is pretty easy to look at. We can ship all these logs back off to Splunk, and we'll look at that briefly here in a second. However, let's look at some logs here, so Windows logs. We have Application, Security, Setup, System, and Forwarded Events as our logging information, so this could be an audit. Each one of these is saying what happened to the system at a certain time. So let's look at Security. Notice that especially with Security, we have information here. Audit Success means that we're saying that this computer logged off at a certain time; an account was logged off. So this says it was probably the actual computer itself that was logging off; it was trying to log in to something. So the Security log looks at audit successes and audit failures to understand what the system is doing as far as security. This is a giant file, and you'll notice that Windows only stores 128 megabytes by default for logging. So you'll notice that even on the server that I only use for testing, you know, that's not very much data; it looks like 3/27 was the last time that I logged on to the server, but the first entry the log has in here is going to be 3/5. So this says boot configuration data loaded, okay.
Process creation, a new process has been created. This is information that is telling us what our system is doing, okay. Putting logging on other things within Windows is extremely easy. So let's say that we want to audit our Secured Documents folder to see what happens with it. So we're going to right-click on Secured Documents, go down to Properties, go to the Security tab, then Advanced, and then we have a few things here that we can edit. Notice, if you watched one of the other courses in the Windows specialization, we configured these permissions for this server. However, we never configured auditing. So if you come over here to Auditing, we'll Add, and let's add the Stooges principal. Now a principal within Windows is actually a computer or a user or something that indicates some object that is logged in, okay. So we're going to do an audit on Success. We can do Fail. Actually, let's do All. This applies to this folder, subfolders, and files. So we want to make sure that if we have full control over this, it's going to audit all those conditions on that folder. So if somebody puts some document in there or somebody logs into that folder, it's going to tell us. So I'm going to cancel out of this.

Let's switch over to Linux. Okay, so here's my Linux system, and I'm going to go to [inaudible] in my log folder, so /var/log. Let's go in to see what we have for login here. Linux is really good about logging. We have a lot of messages that tell us what this system is doing, and each one of these is configurable. Starting in Red Hat version 6, auditing on the system was done automatically. So let's go into the audit folder real quick, and let's just look at the last few audit logs that there are. What this is saying is Netfilter. So Netfilter is basically one of the firewall kernel modules that is built into Linux. So this is telling us information on the firewall, okay. So that's it in the audit log; so type SYSCALL.
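Before going further with Linux, here is the Windows folder-auditing procedure from above (Properties > Security > Advanced > Auditing, add the principal, All, this folder, subfolders and files) done in PowerShell instead of the dialog. This is an added example, not code from the lesson; the folder path and the CORP\Stooges group are assumed names, and it adds two checks the dialog does not surface: the File System audit subcategory must be enabled for the audit entry to produce any events, and the Security log's default size is easily overrun once object access is audited.

```powershell
# Added example (not from the lesson): audit the Secured Documents folder from PowerShell.
# Assumed values: the folder path and the CORP\Stooges group are placeholders for this
# environment. Run from an elevated prompt; reading and writing a SACL needs SeSecurityPrivilege.
$Path      = 'D:\Secured Documents'   # assumed location of the "secured documents" folder
$Principal = 'CORP\Stooges'           # assumed domain group used as the lesson's principal

# 1. A folder audit entry only produces events if the "File System" object-access
#    subcategory is enabled in the audit policy; without this the SACL stays silent.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build the audit rule: Full Control, Success and Failure, and inheritance flags
#    equivalent to the dialog's "This folder, subfolders and files" scope.
$rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                      -ArgumentList $Principal, $rights, $inherit, $prop, $flags

# 3. Read the existing SACL (-Audit is required, otherwise Get-Acl drops it),
#    add the rule and write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Verify: this is what the Auditing tab of the Advanced Security dialog shows.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 5. Object-access auditing is chatty and the Security log's default maximum size
#    is small; check it and raise it (here to 512 MB) before relying on the trail.
$log = Get-WinEvent -ListLog Security
"Security log max size: {0} MB" -f ($log.MaximumSizeInBytes / 1MB)
wevtutil set-log Security /maxsize:536870912

# 6. Read the resulting events: 4663 is "An attempt was made to access an object".
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Step 6 only returns results after someone has touched the folder, so create or open a file in it as a member of the audited group and run that query again.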
Here's another piece of information that Linux is auditing on a system. Okay, so type SERVICE_START, SERVICE_STOP; notice these as well. This auditing tells us what we need to know about a system, what it's doing. To configure this inside of Linux, we'll go to /etc/audit/auditd.conf. Okay, so this just gives us a brief summary of what we can audit. This gives us a brief summary of the overall general settings that we can set up for the audit folder.

Let's say that we're in a high-audit environment. We don't necessarily trust our systems to tell us everything, because they are systems. So if we configure something that is correct to the system, it may not report that. For example, several years ago we started to look at Windows Updates, and Windows Updates had always reported incorrect information on the systems that were actually not receiving updates or were receiving updates. So we decided to audit the systems just to make sure. Well, it turns out that we had accidentally turned off a setting inside of Windows that didn't allow three updates to come through, and those were critical updates. So even though our auditing process on the Windows side said everything was fine, an independent audit by another piece of software said that it was not fine.

So let's look at an external auditing type of system. The tool that I'm going to use in order to audit the system is called Nessus. I'm using the Home version here. I do have a professional license, but I'm just using Home, which is free up to 16 IP addresses. So let's look at this real quick. So admin and my password. I don't want it to remember the password. Let's create a new scan. So Nessus allows us to technically audit a system. Okay, here's Audit Cloud Infrastructure, Credentialed Patch Audit. There are scans that we can do. There is an Offline Config Audit, and Policy Compliance Auditing. So we can use this system to understand what is going on.
We can use software to understand what is going on with our systems. Let's run a scan real quick. I'm just going to use an Advanced Scan here, and I'm going to say "test" and I'm going to select... I'm going to use a system that has many vulnerabilities in it at the moment. So Assessment, okay, looks like everything is enabled here, so I'm not going to set anything. Let's just run this real quick and see what it does. Okay, so right away it's scanning the information; it's scanning the system. So the scan is still going on, but let's look at... you can see it keeps on increasing the number of vulnerabilities that we have here, okay. So auditing allows us, if we're doing technical auditing, to see what is going on with the system. It looks like I have many high and critical vulnerabilities here. So if I configured something wrong and my system doesn't report that it's incorrect or misconfigured, something like Nessus, or having somebody manually audit the system, allows us to see this kind of information. If we go into one of these, let's look at this here: we can see Debian OpenSSH/OpenSSL Package Random Number Generator Weakness. So this was a bug several years ago that made a very, very small number of keys to get into a system. So essentially the vulnerability is that if we're able to use all the keys, which is very simple to do with this vulnerability, then we can get into a system very easily.

In conclusion, auditing allows us to look at systems from another point of view, not just the user point of view. We could have a technical audit or we could have a human looking at the information, but auditing is important in your organization to make sure that what you think is true is actually true, or what is happening is actually happening. Auditing allows us to make sure things are the way we need them to be.