Auditing

Loading...

Do curso por University of Colorado System

Planning, Auditing and Maintaining Enterprise Systems

21 ratings

University of Colorado System

Planning, Auditing and Maintaining Enterprise Systems

21 ratings

Curso 4 de 4 em Specialization Computer Security and Systems Management

Good system management not only requires managing the systems themselves, but requires careful planning to make systems interact with each other, auditing of the systems once the systems are built, and proactive maintenance of all systems. Organizations also rely on organizational policies, such as Acceptable Use Policies to bolster the technical aspect of system management. This course explores many of the behind the scenes requirements of good system management. The first half of the course covers how to build security into system management process and the organization policies necessary for any enterprise to follow. The latter half of the course focuses on auditing and maintenance of systems once they have been designed, and implemented. By the end of the course you should be able to design and construct organizational policies based on a set of requirements, audit a system based on those requirements, and make sure systems adhere technically to the set of requirements.

Na lição

Auditing systems in the enterprise

Once a system is planned and built, it's now time to continuously monitor and audit the systems.

Strategies for Monitoring7:48

Conheça os instrutores

Greg Williams
Lecturer
Department of Computer Science

In this lesson, I'll talk about auditing.

Auditing is an independent review of something.

So this could be, you know,

if you're here in the U.S.,

it could be the auditing of your taxes.

For example, it's an independent review of something that you are putting forward.

So let's say that in an organization I accessed a certain folder,

the system is going to say I accessed that folder.

Auditing is important to understand

because we need that independent analysis for systems.

We need auditing to make sure that what we are saying we're doing actually happens,

so we can do that in a number of different ways.

We're going to look at Windows;

we're going to look at Linux,

and then we'll look at an independent review as well.

So auditing within an operating system is pretty easy to look at.

So we can ship all these logs back off to Splunk,

and we'll look at that briefly here in a second.

However, let's look at some logs here, so Windows logs.

We have application security set up system

and forwarded events as our logging information,

so this could be an audit.

Each one of these is saying what happened to the system at a certain time.

So let's look at security.

Notice that especially with security,

we have information here.

Audits success means that we're saying that

this computer logged off at a certain time,

an account was logged off.

So this says it was probably the actual computer itself was logging off;

he was trying to log in to something.

So the security log looks at audit successes and

audit failures to understand what the system is doing as far as security.

This is a giant file and you'll notice that.

Well, Windows only stores 128 megabytes default for logging.

So if you'll notice that even on the server that I only use for testing, you know,

that's not very much data;

that looks like 3/27 was the last time that I logged on to the server,

but the first time the log has in here is going to be 3/5.

So this says boot configuration data loaded, okay.

Process creation, new process has being created.

This is information that is telling us what our system is doing, okay.

In order to put logging on other things within Windows it's extremely easy.

So let's say that we want to audit

our secured documents folder to see what happens with that.

So we're going to right-click on that secured documents,

go down to properties,

go to the Security tab,

then advanced, and then we have a few things here that we can edit.

So notice if you watch one of the other courses in Windows specialization,

we configured these permissions for this server.

However, we never configured auditing.

So if you come over here auditing, we'll add,

and let's add the Stooges principal.

Now a principal within Windows is actually a computer or

a user or something to indicate some object logged in, okay.

So we're going to do an audit success.

We can do fail.

Actually, let's do all.

This applies to this folder, subfolders, and files.

So we want to make sure that if we have full control

over this that it's going to audit all those conditions on that folder.

So if somebody puts some document in there or somebody logs into that folder,

it's going to tell us.

So I'm going to cancel out of this.

Let's switch over to Linux.

Okay, so here's my Linux system and I'm going to go to [inaudible] in my log folder, so var/log.

Let's go in to see what we have for login here.

Linux is really good about logging.

We have a lot of messages that tell us what this system is doing,

and each one of these are configurable.

Starting in Red Hat version 6,

auditing on the system was done automatically.

So let's go into the audit folder real quick,

and let's just look at the last few audit logs that there are.

What this is saying, Netfilter.

So Netfilter is basically one of

the firewall kernel modules that is built into Linux.

So this is telling us information on firewall, okay.

So that's it in the audit log, so type Syscall.

Here's another piece of information that Linux is auditing on a system.

Okay, so type service start,

service stop, so notice these as well.

This auditing tells us what we need to know about a system, what it's doing.

To configure this inside of Linux,

we'll go to etc/audit/auditd.conf.

Okay, so this just gives us a brief summary of what we can audit.

This gives us a brief summary of

the overall general settings that we can set up for the audit folder.

Let's say that we're in a high audit environment.

We don't necessarily trust our systems to tell us everything because they are systems.

So if we configure something that is correct to the system,

it may not report that.

So for example, several years ago we started

to look at Windows updates and Windows Updates has always

reported incorrect information in the systems that

were actually not receiving updates or were receiving updates.

So we decided to audit systems just to make sure.

Well, it turns out that we had accidentally turned off

a setting inside of Windows that

didn't allow three updates to come through and those were critical updates.

So even though our auditing process on the Windows side said everything was fine,

an independent audit of another piece of software said that it was not fine.

So let's look at an external auditing type system.

The tool that I'm going to use in order to audit the system is called Nessus.

I'm using the home version here.

I do have a professional license,

but I'm just using the home which is free up to 16 IP addresses.

So let's look at this real quick.

So admin and my password.

I don't want to remember the password.

Let's create a new scan.

So Nessus allows us to technically audit a system.

Okay, here's audit cloud infrastructure, credential patch audit.

There are scannings. There are scans that we can do.

There is an offline configuration audit;

so Policy compliance auditing.

So we can use this system to understand what is going on.

We can use software to understand what is going on with our systems.

Let's run a scan real quick,

and I'm just going to use an advanced scan here,

and I'm going to say test and I'm going to select.

I'm going to use a system that has many vulnerabilities in it at the moment.

So assessment, okay, looks like everything is enabled here,

so I'm not going to I'm going to set anything.

Let's just run this real quick and see what it does.

Okay, so right away

it's scanning the information;

it's scanning the system.

So the scan is still going on,

but let's look at... you can see it

keeps on increasing the amount of vulnerabilities that we have here, okay.

So auditing allows us,

if we're doing technical auditing,

to see what is going on with the system.

So it looks like I have many high end critical vulnerabilities here.

So if I configured something wrong and my system

doesn't report that it's incorrect or misconfigured,

something like Nessus or having somebody

manually audit the system allows us to see this kind of information.

If we go into one of these,

let's look at this here,

we can see Debian

open SSH open SSL package random number generator weakness.

So this was a bug several years ago that made

very very small amount of keys to get into a system.

So essentially the vulnerability is that if we're able to use all the keys,

which is very simple to do on this vulnerability,

then we can get into a system very easily.

In conclusion, auditing allows us to look at systems from another point of view,

just not the user point of view.

We could have a technical audit or we could have a human looking at the information,

but auditing is important in your organization to make sure that what you think

is true is actually true or what is happening is actually happening.

Auditing allows us to make sure things are the way we need them to be.

Explore nosso catálogo

Registre-se gratuitamente e obtenha recomendações, atualizações e ofertas personalizadas.

O Coursera proporciona acesso universal à melhor educação do mundo fazendo parcerias com as melhores universidades e organizações para oferecer cursos on-line.

© 2018 Coursera Inc. Todos os direitos reservados.

Baixar na App Store

Baixar no Google Play