Auditing Operating System and Databases PDF


Auditing Operating Systems and Databases
Importance, Tools and Techniques

PRASAD GUPTE
PGDEB, CISM, ISO 27000 LA

AUGUST 4, 2012
1
Information technology (IT) auditing is the process
of collecting and evaluating evidence to
determine whether an information system:-
• Safeguards assets
• Maintains data integrity
• Achieves organisational goals effectively and
• Consumes resources efficiently

2
• Review of soundness and adequacy of various operational controls, and promotion of these controls at a reasonable cost in the organisation
• Ascertaining the extent of compliance with the policies, plans and procedures of the organisation
• Ascertaining the extent to which the corporate information systems resources are accounted for and safeguarded against various loss exposures
• Ascertaining the correctness and the completeness of the information processed through the information systems in the organisation
• Recommending various internal controls for maintaining data integrity in the information systems
• Ascertaining the effectiveness and the efficiency of various information and communication technology hardware and software in the organisation

3
The basic elements of security and control are:
• Identification and authentication
• Access control
• System, or file and process integrity
• Recoverability
• Flexibility

4
[Figure: operating system layers: Hardware, Kernel, Shell, Utilities, Applications]

5
• The operating system kernel interacts directly with hardware and provides the basic functions of I/O, scheduling, memory management, security protection, interrupt and error handling, and system accounting.
• The file system provides a hierarchical structure of directories and files with the capability of file-level security.
• The UNIX shell is a command interpreter that interacts with and controls the user and acts as the primary user interface.
• In Linux, the shell will typically be a graphical user interface that gives a Windows-lookalike environment.
• Tools and utilities are standard programs used for common tasks such as printing, copying files, editing text, and developing software, through to graphics and communications support. Utilities in any form are typically very powerful and may prove a significant security threat to standard operating environments if not used appropriately.

6
• Network Information System (NIS) permits multiple computers to share password and other system files over a network. If badly configured, this can lead to potential vulnerabilities.
• Network File System (NFS) allows computers to share files over networks.
• UNIX uses a variety of special programs to support the kernel (the central part of the operating system). These programs, called daemons, stay resident within the memory of the machine and operate in conjunction with the kernel. Given the comprehensive nature of these programs, modification access should be severely restricted to systems administrators. Examples: initd, crond, sendmail, etc.

7
A critical aspect of maintaining computer security is the monitoring of the system. Auditors must ensure that this monitoring is carried out on a regular basis.
• Auditing checks must be made for:
  ◦ Inappropriate access permissions to sensitive files?
  ◦ Login failures?
  ◦ Failed access to sensitive files?
  ◦ Successful logins from unknown hosts?
  ◦ Unexpectedly mounted file systems?
  ◦ Unexpected changes in permissions and ownerships?
  ◦ System reboots and shutdowns?
  ◦ Changes to the system date and/or clock?
  ◦ Existence of a valid password file?

8
  ◦ Owned by root?
  ◦ Read permissions for other?
  ◦ Password field for every account?
  ◦ Only root having the UID of 0?
  ◦ System usage totaled by user?
  ◦ Unusual messages from system daemons?
  ◦ Account and activity?
  ◦ Error messages and the system log files?
  ◦ Unexpected users logged on?
  ◦ Unexpected host's access?
  ◦ Normal users logged on at unexpected times?
  ◦ Unexpected system processes running?
  ◦ Normal system processes not running?
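The password-file items in the checklist above (owned by root, read permissions for other, a password field for every account, only root holding UID 0) can be tested mechanically. The following is an added example, not part of the original slides; the sample entries are constructed, and the `other_read_ok` switch is an assumption made here to cover both a world-readable passwd file and a shadow file that must not be readable by other.

```python
import stat

# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
broken:x:1002
"""

def audit_passwd(text):
    """Return (line_no, account, finding) tuples for the entry-level checks."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((no, fields[0], "malformed entry (expected 7 fields)"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            findings.append((no, name, "empty password field"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((no, name, "UID 0 held by an account other than root"))
    return findings

def audit_file_mode(st_uid, st_mode, other_read_ok):
    """Check owner and permission bits, as returned by os.stat() on the file."""
    findings = []
    if st_uid != 0:
        findings.append("not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    if not other_read_ok and st_mode & stat.S_IROTH:
        findings.append("readable by other")
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    # Assumption: root-owned 0644 is acceptable for passwd, not for a shadow file.
    print(audit_file_mode(0, 0o100644, other_read_ok=True))
    print(audit_file_mode(0, 0o100644, other_read_ok=False))
```

On a live system the two mode arguments come from `os.stat(path).st_uid` and `os.stat(path).st_mode`.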

Audit_Tools_Checklists.xlsx

9
• Windows Server 2008 is a network operating system designed for enterprises, servers, and workstations.
• Networks running Windows Server 2008 are designed to share key information and resources throughout an organization.
• NTFS offers access restrictions by user and by group of users. NTFS is extended to support encrypted files, mounted volumes, linked files, and quotas.
• Active Directory is a set of directory services for locating and accessing resources over the network. Active Directory can be shared across LANs and WANs.
• Like the parameters held within the registry, Active Directory is protected by access control lists (ACLs), which limit access.

10
• Windows Server 2008 has a comprehensive auditing function that enables the administrator to determine which events will be recorded, and then to audit these events at a later date.
• The first stage of the audit is to identify hardware, software, network, people, and administrative issues within the operating environment.
• The second stage is to determine the uses to which the system is put.
• The third stage is to match the users of functionality within the systems against the requirements of their jobs.

11
• From an audit perspective, the auditor must determine that:
  ◦ NTFS is in use in all partitions
  ◦ Simple file sharing is disabled whenever possible
  ◦ Guest user accounts have been disabled
  ◦ Unnecessary user accounts have been eliminated
  ◦ All user accounts use passwords, particularly the Administrator account and any users with Administrator privileges
  ◦ The Administrator user account has been renamed
  ◦ Passwords are not “remembered” by Windows
  ◦ A minimum number of users have been added to the Administrator group
  ◦ Unnecessary services are disabled on startup
  ◦ Service / System accounts use one time configured password
  ◦ Antivirus and anti-spyware software is installed and up-to-date on all workstations
  ◦ Microsoft service packs and hotfixes are kept up-to-date, particularly for security fixes

12
  ◦ An effective password security policy has been implemented by the administrator
  ◦ Last logged in username is not automatically displayed in the login dialog box
  ◦ File shares are not granted to the Everyone group
  ◦ The remote desktop is disabled
  ◦ Appropriate auditing is enabled on all servers and workstations
  ◦ Hidden administrative shares used by the operating system are disabled (preventing the shares on startup is a highly technical control involving the editing of the registry and should not be attempted by inexperienced users)
  ◦ The ability to boot from a floppy, CD-ROM, USB device, or the network is disabled and physically secured systems are used
  ◦ Autorun is disabled on all CD/DVD drives
  ◦ The page file is automatically cleared on system shutdown

13
• There are many auditing tools commercially available. However, the most common, popular and free tool used for Windows auditing is Microsoft Baseline Security Analyzer (MBSA).

Audit_Tools_Checklists.xlsx

14
• Scrutiny of logs for various system activities and tasks is the most important part of an IT audit programme.
• Log files are commonly kept of user access, incidents, file access attempts, and so on. Maintaining these logs is an overhead on the system and is worthless unless they are frequently and regularly scrutinized and the appropriate action is taken based on their contents.

15
• Planning and setting up for an audit
  ◦ Selecting a target
  ◦ Interview key staff (DBA)
  ◦ Software versions and patches
  ◦ Enumerate users and find passwords
  ◦ File system analysis
  ◦ Network analysis
  ◦ Database configuration

16
• Install only what is required
• Lock and expire default user accounts
• Change default user passwords
• Change passwords for administrator accounts
• Enforce password policy:
  ◦ Password must be complex, but simple to remember and difficult to guess
  ◦ A complex password should:
    • Be at least 10 characters in length
    • Contain a mixture of letters and numbers
    • Contain mixed case (supported in Oracle Database 11g)
    • Include symbols (supported in Oracle Database 11g)
    • Have little or no relation to an actual word
• Password must expire after a set period as per policy
• Don't allow the same password to be used repeatedly (minimum last 7 passwords)

17
• Secure batch jobs
• Monitor audit logs
• Follow the principle of least privilege
• Restrict permissions on run-time facilities
• Authenticate clients
• Restrict operating system access
• Secure the listener
• Prevent run-time changes to the listener
• Check network IP address
• Harden the operating system
• Encrypt network traffic
• Apply all security patches

18
• Most business applications use relational database management systems. These include:
  ◦ Oracle
  ◦ MS SQL Server
  ◦ Sybase
  ◦ MySQL
  ◦ PostgreSQL
• Audit and control issues for each type of database are similar, but the auditor needs to understand the specific architecture and technology
• Business logic may also be held in the database
  ◦ Stored procedures

19
• A database environment is essentially a data repository or data store
  ◦ Operational data (e.g. financial data; personnel data)
  ◦ Data warehouse data
  ◦ Security data
• Need to understand security requirements for data in terms of
  ◦ Confidentiality
  ◦ Integrity
  ◦ Availability
• Need to understand compliance and regulatory requirements based on business environment

20
• Database security mechanisms include:
  ◦ Identification and authentication mechanisms
  ◦ Access controls
  ◦ Audit trail mechanisms
• Network security and host operating system security are required in addition to database security
• Database systems are “TCP/IP services” and can be compromised even when the operating system is not “hardened”
  ◦ Database compromise can also result in operating system compromise

21
• Direct interface to database server
  ◦ SQL*PLUS (Oracle)
  ◦ SQL Query Analyzer (SQL Server)
• ODBC interface
  ◦ Allows use of standard software tools
  ◦ Excel; MSQuery; Microsoft Access
• JDBC interface

22
• Need to understand network and application system architecture and design
• Need to identify and understand database connections in relation to the following access paths to the database environment:
  ◦ On-line transaction processing
  ◦ Batch processing (application and database)
  ◦ Business user ad-hoc access
  ◦ Database administration
  ◦ Developer and application support access

23
[Figure: network diagram with labels: Web-Based Clients; Internet Router; Firewall; DMZ – Web Servers; Firewall; Application / Database Servers]

24
• Understand application system and network infrastructure
• Identify database administrators
• Identify database environments and versions
  ◦ Operating system hosts
  ◦ Database configuration files / documentation
  ◦ Database schemas
• Arrange database access
  ◦ Select access to system tables/views
• Run initial SQL queries to obtain database security information

25
[Figure: client and server TCP/IP stacks. Application Layer (DBMS client; server listeners for DBMS, FTP, SMTP, Telnet); Host-to-Host Transport Layer (TCP); Internet Layer (IP); Ethernet. Example connection: 192.168.0.5:1050 to 192.168.0.2:1433]

26
• Oracle
  ◦ TCP 1521
• SQL Server
  ◦ TCP 1433; UDP 1434
• MySQL
  ◦ TCP 3306

27
• Bugs in database software components (e.g. buffer overflows) left un-patched
• Lack of network isolation (external and internal)
• Improper security configuration
• Use of default user accounts and passwords
• Use of null passwords
• Excessive privileges

28
• Use of generic and shared user accounts
• Use of OS authentication
• Application connections to database
• Default / weak passwords
• Hard-coded passwords in application code and scripts
• Lack of password controls
• Control over administrative users
  ◦ dba (technical and application support)
  ◦ developers
• System privileges and authorities
• Object privileges required for production environment
• Public access to production schemas
• Default access provided to PUBLIC

29
• Security Events and Audit Trails
  ◦ System Access
    • Logins – Success / Fail
    • Account / Role / Permissions Changes
  ◦ Data Access
    • SELECT – Success / Fail
  ◦ Data Change
    • INSERT, UPDATE, DELETE
  ◦ Schema / Object Changes
    • CREATE, ALTER, DROP
  ◦ Privileged User Activity
    • All
• Monitoring, Analysis and Follow-up Processes

30
• Configuration Parameters
• Oracle User Accounts and Passwords
• Oracle Roles
• Database System Privileges
• Database Object Privileges
• Oracle Audit Trails
• Network Security

31
• Obtain listing of all Oracle user accounts
  ◦ select * from sys.dba_users
• Identify purpose and use of each Oracle account
  ◦ identify generic accounts
• Review password policies
  ◦ defined in Oracle profiles
• Check for open default accounts and default passwords

32
• Oracle “roles” provide a mechanism to group privileges
• Roles can be granted to users or other roles
• Enabling a role can be password protected
• Need to review the following views:
  ◦ dba_roles (roles defined)
  ◦ dba_role_privs (roles granted)
  ◦ dba_sys_privs (privileges granted)
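Because roles can be granted to other roles, a user's real privileges only appear once the three views are resolved together. The following is an added example, not part of the original slides: it walks nested grants over constructed rows shaped like dba_roles, dba_role_privs (grantee, granted_role) and dba_sys_privs (grantee, privilege); the account and role names are hypothetical.

```python
from collections import defaultdict

# Constructed sample rows (hypothetical accounts and roles).
ROLES = {"DBA", "APP_SUPPORT", "APP_READ"}            # dba_roles
ROLE_PRIVS = [                                        # dba_role_privs
    ("SYSTEM", "DBA"),
    ("APP_SUPPORT", "DBA"),     # a role granted to another role
    ("JSMITH", "APP_SUPPORT"),
    ("BATCH01", "APP_READ"),
]
SYS_PRIVS = [                                         # dba_sys_privs
    ("DBA", "ALTER SYSTEM"),
    ("DBA", "SELECT ANY TABLE"),
    ("APP_READ", "CREATE SESSION"),
    ("JSMITH", "CREATE SESSION"),
]

def effective_privileges(roles, role_privs, sys_privs):
    """Map each non-role grantee to {privilege: chain of roles conferring it}."""
    granted = defaultdict(set)      # grantee -> roles granted directly
    for grantee, role in role_privs:
        granted[grantee].add(role)
    direct = defaultdict(set)       # grantee -> privileges granted directly
    for grantee, priv in sys_privs:
        direct[grantee].add(priv)
    users = (set(granted) | set(direct)) - set(roles)

    def expand(grantee, path, seen, out):
        for priv in direct[grantee]:
            out.setdefault(priv, path)      # keep the first chain found
        for role in sorted(granted[grantee]):
            if role not in seen:            # guard against cyclic input
                expand(role, path + (role,), seen | {role}, out)
        return out

    return {user: expand(user, (), {user}, {}) for user in sorted(users)}

def holders(report, privilege):
    """Users holding a privilege, with the role chain an auditor should question."""
    return {u: p[privilege] for u, p in report.items() if privilege in p}

if __name__ == "__main__":
    report = effective_privileges(ROLES, ROLE_PRIVS, SYS_PRIVS)
    for user, chain in holders(report, "ALTER SYSTEM").items():
        print(user, "via", " -> ".join(chain) or "direct grant")
```

In the sample, JSMITH holds ALTER SYSTEM only through APP_SUPPORT, which a review of direct grants alone would not show.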

33
• Auditing enabled in init.ora
  ◦ audit_trail = NONE | DB | OS
• Audit activities based on:
  ◦ Statement executed
  ◦ Privilege used
  ◦ Object accessed
• Limit audit recording based on user, success or failure
• Use AUDIT statement to start a particular auditing task
  ◦ AUDIT SESSION (all connections)
• Use of queries to view audit trails (SYS.AUD$)

34
• SQL Server Security Configuration
• SQL Server Logins
• Server Roles
• SQL Server Databases
• Security Logs and Audit Trails

35
• Configuration parameters
  ◦ exec sp_configure
• System tables
  ◦ Stored in master database, and
  ◦ Stored in each individual database (including master database)

36
• Generic and group user-ids (OS)
• Membership of OS admin groups
• Trust relationships (domains)
• Password crackers
• Null password for sa account
• Lack of password controls

37
◦ sysadmin - can perform any activity in SQL Server
◦ serveradmin - can set server-wide configuration options, shut down the server
◦ setupadmin - can manage linked servers and startup procedures
◦ securityadmin - can manage logins and CREATE DATABASE permissions, read error logs and change passwords
◦ processadmin - can manage processes running in SQL Server
◦ dbcreator - can create, alter, and drop databases
◦ diskadmin - can manage disk files
◦ bulkadmin - can execute BULK INSERT statements

38
• SQL Server databases comprise:
  ◦ Master database
  ◦ Default install databases - tempdb, msdb, pubs & model
  ◦ Sample databases - e.g. Northwind
  ◦ Application & user databases
• Master database
  ◦ exec sp_helpdb
  ◦ select * from sysdatabases
• Need to identify databases subject to audit
• Should always include Master database

39
• OS Application Event Log - Logins
• SQL Error Log - Logins
• Profiler – Events based on selected criteria
• Snort IDS – specific attacks

40
• MySQL (Version 5.x)
  ◦ OS Configuration
  ◦ File System Permissions
  ◦ Logging
  ◦ MySQL Configuration
  ◦ MySQL Permissions
• PostgreSQL (Version 8.2.x)
  ◦ Local Trust Authentication
  ◦ Brute Force User Accounts
  ◦ Privilege Escalation

41
• Implementing Database Security & Auditing
  ◦ Ron Ben Natan (Elsevier Digital Press)
• The Database Hacker’s Handbook
  ◦ Litchfield, Anley, Heasman, Grindlay (Wiley)
• Oracle Security Handbook (Oracle Press)
• Oracle Database Administration (O’Reilly)
• www.petefinnigan.com
  ◦ Many useful resources and scripts
  ◦ scanner.sql (security and audit test script)
  ◦ Exploiting and Penetrating Oracle whitepaper
• www.sans.org (SCORE section – Oracle Audit Checklist)
• SQL Server Security – Andrews/Litchfield
  ◦ McGraw Hill / Osborne
• SQL Server Audit Checklists and Tools
  ◦ www.sqlsecurity.com
• Center for Internet Security – Benchmarks
  ◦ Cisecurity.org (Oracle, SQL Server, MySQL)

Audit_Tools_Checklists.xlsx

42
• Database security design
• Database hardening
• Security alert monitoring
• Patch management
• Network isolation
  ◦ Not exposed to Internet
  ◦ Not exposed in internal network
• Encryption in transit
• Database encryption
• Secure application coding (e.g. to address SQL injection issues)

43
• Security and control of database environment involves audit of a number of key areas:
  ◦ Network Security
  ◦ Operating System Security
  ◦ Database Security
  ◦ Application System Security
• Key is to understand and evaluate the placement of security and control features

44
Thank You

45
