Many articles and books have been written on how to install a secure Operating system. But once the system has been installed to meet security requirements, only half the battle is won. The second half involves ensuring that the system continues to meet its security requirements throughout its lifetime (and that you can prove it). This means that periodic system auditing is required to make sure that nothing goes wrong.
System audit requirements
The security requirements that you verify during routine system auditing should be the same requirements and security principles that guide the system installation. The three-part developerWorks series "Securing Linux" gives you an introduction on how to install a reasonably secure Linux system. Regular system auditing will also help refine the security policy used for new machine installations as it helps close the feedback loop on what subsystems are actually in use.
The first tools for meeting these requirements are system auditing and host-based intrusion detection. Host-based intrusion detection systems such as tripwire, AIDE, and Samhain detect when changes have been made to the file system and are therefore critical tools for ensuring that the system retains its known state. The Linux Gazette has an interesting article, "Constructive Paranoia," on using these tools.
The practical aspects of periodic system auditing based on real-world requirements need to seriously considered in every deployment. From network administrator's to business intranets to home users who want to prevent their home machine from becoming a zombie in the bot army. The administrator's system is required to undergo periodic, random system audits, during which routine audit activities (such as showing that the audit and system logs are regularly reviewed, and checking for user accounts that have lapsed), In addition, the administrator also has to address the following:
- Justification for suid/sgid executables that are on the system and why they are suid/sgid
- Proof that no file system with a world writable directory (/tmp and /var/tmp) has any suid/sgid files
- Open ports and the impact of firewalling off of those ports.Email email@example.com for more information.