Security Configuration and Policy
under construction

Intro
Prevention
Detection
CERT Intruder Detection Checklist
CERT Sniffer Detection Checklist
Policy


Intro
 
 

Prevention

1.  Make frequent backups.  These are needed to compare against your running system to determine unauthorized changes.  In the worst case, a system might need to be completely restored from a known safe backup.  I recommend backing up workstations at least once a month, and servers with numerous users at least weekly.

2. Keep system log files for at least a month.  Sometimes you'll find out that some unauthorized use of your system went on recently and may even have continued up to the present time.  SGIs come with cron jobs that rotate the system log, /var/adm/SYSLOG.  This means that after a period of time, usually a week or so, the file with a record of most access to your system is renamed to /var/adm/OLDsyslog and the previous /var/adm/OLDsyslog is removed.  Below is a program from Marty Dellwo that renames SYSLOG, auth.log, mail.log, local0.log and potentially other files with a number suffix, allowing you to keep as many weeks of these files as you'd like.  (auth.log, mail.log and local0.log are from TCP Wrappers.)
 
 

To add log rotation perform the following steps:

1. Add the following lines to a script file, /var/adm/logroll.sh, and make the file executable: "chmod u+rwx /var/adm/logroll.sh".



#! /bin/sh
#
#  This script rolls over all the logs specified on a weekly
# basis, and also compresses them if they are quite large, using
# gzip.  Any rotated log older than 50 days (-mtime +50, about
# seven weeks) will be deleted.
#
# This is run by an entry in /var/spool/cron/crontabs/root
#

logdir=/var/adm
if [ ! -d $logdir ] ; then exit ; fi

gz=/usr/sbin/gzip
umask 077                       # rotated copies are readable by root only
cd $logdir
for log in SYSLOG auth.log mail.log local0.log ; do
        # Rotate only if the log exists and is at least 10 KB
        # (IRIX "stat -qs" prints the file size in bytes)
        if [ -f $log ] && [ "`/sbin/stat -qs $log`" -ge 10240 ]
        then
                # Shift every generation up by one, compressed or not,
                # oldest first so nothing is overwritten
                [ -f $log.6.gz ] && /sbin/mv $log.6.gz $log.7.gz
                [ -f $log.6 ] && /sbin/mv $log.6 $log.7
                [ -f $log.5.gz ] && /sbin/mv $log.5.gz $log.6.gz
                [ -f $log.5 ] && /sbin/mv $log.5 $log.6
                [ -f $log.4.gz ] && /sbin/mv $log.4.gz $log.5.gz
                [ -f $log.4 ] && /sbin/mv $log.4 $log.5
                [ -f $log.3.gz ] && /sbin/mv $log.3.gz $log.4.gz
                [ -f $log.3 ] && /sbin/mv $log.3 $log.4
                [ -f $log.2.gz ] && /sbin/mv $log.2.gz $log.3.gz
                [ -f $log.2 ] && /sbin/mv $log.2 $log.3
                [ -f $log.1.gz ] && /sbin/mv $log.1.gz $log.2.gz
                [ -f $log.1 ] && /sbin/mv $log.1 $log.2
                /sbin/mv $log $log.1 ; touch $log
                # Compress the newest generation if it is 1 MB or larger
                if [ "`/sbin/stat -qs $log.1`" -ge 1048576 ]
                then
                        [ -x $gz ] && $gz -v $log.1
                fi
        fi
        # Delete generations older than 50 days; -local keeps find off NFS mounts
        find . -local -type f -name "${log}.*" -mtime +50 -exec /sbin/rm -rf {} \;
done

# Make syslogd reopen the freshly created SYSLOG (IRIX killall takes the signal first)
killall 1 syslogd



2.  Add the line below to root's crontab file:
        1. Become root: "su -".
        2. "cd; crontab -l > /crontab.out".
        3. Edit /crontab.out to add the line below.
        4. "crontab /crontab.out".



1       1       *       *       0       if test -x /var/adm/logroll.sh; then /var/adm/logroll.sh; fi


3.
 
 
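The chain of mv lines in logroll.sh is the rotation written out by hand for seven generations.  As an added example (not Marty Dellwo's script and not part of this page), the function below does the same shift for any number of generations, taking the log path, the generations to keep, the rotate threshold and the compress threshold as arguments; it uses mv, gzip and wc from PATH instead of the IRIX /sbin paths so it runs on any POSIX sh, and it drops the oldest generation directly rather than relying on find -mtime.  The function name and argument order are assumptions.

```shell
#!/bin/sh
# rotate_log: shift a log through N numbered generations, the general form
# of the hand-written mv chain in logroll.sh.  (Hypothetical helper written
# for this page; not part of the original script.)
#   $1  live log file, e.g. /var/adm/SYSLOG
#   $2  number of generations to keep (log.1 ... log.N)
#   $3  rotate only if the live log is at least this many bytes
#   $4  gzip the newest generation if it is at least this many bytes
rotate_log() {
    log=$1; keep=$2; minsize=$3; gzsize=$4
    [ -f "$log" ] || return 0
    size=$(wc -c < "$log" | tr -d ' ')
    [ "$size" -ge "$minsize" ] || return 0
    # The oldest generation falls off the end, compressed or not.
    rm -f "$log.$keep" "$log.$keep.gz"
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        # Move both the plain and the .gz form so the two never collide.
        [ -f "$log.$prev.gz" ] && mv "$log.$prev.gz" "$log.$i.gz"
        [ -f "$log.$prev" ] && mv "$log.$prev" "$log.$i"
        i=$prev
    done
    mv "$log" "$log.1"
    # Recreate an empty live log.  The daemon still writes to the old inode
    # until told to reopen (killall 1 syslogd on IRIX, kill -HUP elsewhere).
    : > "$log"
    if [ "$(wc -c < "$log.1" | tr -d ' ')" -ge "$gzsize" ] \
        && command -v gzip >/dev/null 2>&1; then
        gzip "$log.1"
    fi
    return 0
}
```

Call it once per log from the weekly cron job, for example "rotate_log /var/adm/SYSLOG 7 10240 1048576", and send syslogd its reopen signal afterwards as logroll.sh does.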

Detection

Here are some quick tips for detecting unauthorized use:
- Examine the /var/adm/SYSLOG file.
- Enter "last" to see logins.
 
 

CERT Intruder Detection Checklist

CERT Sniffer Detection Checklist

To

Policy

To
 
 




last updated 990318 by Martin McCormick, martinm@sas.upenn.edu