The audit of OS security involves several phases, from logging into the system and inspecting its configuration values to running a few commands or tools that report those values. In this blog article, we will look at how to go about an audit of OS security.
The IS auditor should draw up audit checklists based on internal and external benchmarks. Some of these benchmarks are discussed below:
A. Information Security Policy and Procedures
All organisations have a security policy and administration for their information systems. During the OS audit, the IS auditor has to verify whether the security features have been enabled and whether the parameters have been set to values consistent with the organisation's security policy. The IS auditor uses the IS policy as the internal benchmark.
B. Center for Internet Security benchmarks
One of the external information security benchmarking organisations is CIS (Center for Internet Security). The CIS provides security benchmarks for OSs. A benchmark helps to improve the overall security of the OS by providing a list of steps to improve system security, and these steps can be carried out without shutting down any of the running applications. CIS also provides an automated testing tool with a simple scoring system, which gives organisations an objective metric to compare the relative levels of security in their systems. If an organisation follows the steps in the benchmark, its systems become substantially more secure and reliable than a default install of the given OS. For further information, readers may visit http://www.cisecurity.org/bench.html
Major Audit Review Areas
The important areas to be taken up for an audit review of OS are:
1. Physical Security
Physical security covers the measures that prevent or deter unauthorised persons from accessing the system or the information stored on physical media. Large organisations will have multiple data centres, server rooms and operating systems. Physical access must be limited and secure, and the organisation should keep a time log of those accessing the OS and the systems.
2. Logical Security
a. User / Account Management
User IDs, also known as logins, user names, logons or accounts, are unique personal identifiers. Authentication is the process by which the OS confirms the identity of a user and allows access. The confirmation of identities is essential to the concept of access control, since access is granted only to authorised people.
Access rights and authority levels are the rights or powers granted to users to create, change, delete or view data and files. Only the system administrator or the superuser has the privilege to grant or deny these rights. In Unix, the superuser is also called root and has all access rights in the system, including changing the ownership of files. In Windows 2000 and XP, the superuser is known as the Administrator. The IS auditor should ascertain whether the access privileges granted are in tune with the organisational policies.
Another type of user is the Guest account, or anonymous login. This is a shared account: several users can log in to it at the same time. It has very limited access and is often only allowed to view public data and files.
Administrator and Guest accounts should be renamed and protected with passwords as mentioned in the organization’s security policy.
The list of user IDs in the system should be mapped to the actual users. This helps determine which permissions and privileges to the different resources and data have been allowed to each user.
b. Password Management
A password may be created by the user or assigned to them. The user is normally permitted to change the password to something of his or her choice, subject to some limitations. Usual limitations on password creation include a minimum length, a requirement for a number, an uppercase letter or a special character, and not being able to reuse the past four or five passwords associated with the user name. In addition, the system may force a user to change the password after a period of time, say once every 30 days or so; this is called compulsory aging.
The IS auditor should evaluate the most common security parameters, such as password rules, minimum password length, password history, whether a password is required, compulsory password aging, lock-out on unsuccessful logins, and login station and time restrictions. An important area to look at is whether unsuccessful login attempts are being monitored and whether this feature has been enabled. The superuser password must be held by the authorised person only. Unused logins should be disabled.
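The user-management checks above (mapping logins to authorised users, extra superuser accounts, a password being required) and the password-management checks (compulsory aging, system-wide defaults) can be scripted against the account files of a Unix system. The following is an added example and not code from the original article; the /etc/passwd, /etc/shadow and /etc/login.defs content, the authorised-user list and the policy values are all constructed for illustration.

```python
# Added example, not from the original article: checklist items run over
# constructed passwd/shadow/login.defs content (hashes are placeholders).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
tempuser:x:1002:1002::/home/tempuser:/bin/bash
backup:x:0:0:Backup:/root:/bin/bash
guest::1003:1003:Guest:/home/guest:/bin/bash
"""
# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """root:$6$PLACEHOLDER:19700:1:30:7:::
alice:$6$PLACEHOLDER:19700:1:30:7:::
bob:$6$PLACEHOLDER:19100:1:90:7:::
tempuser:!$6$PLACEHOLDER:19000:0:99999:7:::
backup:$6$PLACEHOLDER:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
LOGIN_DEFS = "PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\nPASS_WARN_AGE 7\n"
AUTHORISED = {"root", "alice", "bob"}  # assumed: from the access-request register
MAX_AGE_POLICY = 30                    # assumed policy value: compulsory aging, days
MIN_LEN_POLICY = 8                     # assumed policy value: minimum password length

def audit_accounts(passwd=PASSWD, shadow=SHADOW, authorised=AUTHORISED):
    findings = []  # list of (account, finding) pairs for the working papers
    shadow_rows = {r.split(":")[0]: r.split(":") for r in shadow.splitlines() if r}
    for row in passwd.splitlines():
        name, pw, uid, _gid, _gecos, _home, shell = row.split(":")
        s = shadow_rows.get(name, [name, "*"] + [""] * 7)  # missing row: treat as disabled
        if uid == "0" and name != "root":
            findings.append((name, "extra superuser (UID 0) account"))
        if shell.endswith(("nologin", "/false")) or s[1].startswith(("!", "*")):
            continue  # system or locked account: login checks not applicable
        if name not in authorised:
            findings.append((name, "login not mapped to an authorised user"))
        if pw == "" or s[1] == "":
            findings.append((name, "no password set"))
        if s[4] and int(s[4]) > MAX_AGE_POLICY:
            findings.append((name, f"password max age {s[4]} exceeds {MAX_AGE_POLICY} days"))
    return findings

def audit_login_defs(text=LOGIN_DEFS):
    vals = dict(l.split(None, 1) for l in text.splitlines() if l and not l.startswith("#"))
    findings = []  # system-wide defaults that apply to newly created accounts
    if int(vals.get("PASS_MAX_DAYS", "99999")) > MAX_AGE_POLICY:
        findings.append(("PASS_MAX_DAYS", "default aging exceeds policy"))
    if int(vals.get("PASS_MIN_LEN", "0")) < MIN_LEN_POLICY:
        findings.append(("PASS_MIN_LEN", "default minimum length below policy"))
    return findings
```

On a real host the same functions can be fed the contents of the three files, with the authorised list taken from the organisation's access-request records.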
3. Other Security Settings
The IS auditor should check whether logs such as audit logs, system logs and security logs have been enabled. Log sizes should also be reviewed, keeping in mind that there should be a proper balance between good security and efficient system performance. The IS auditor should also check whether unnecessary services have been disabled.
4. Patch Management
The IS auditor has to check whether the most current patches for the OS software are installed. Many of these patches fix security vulnerabilities that are well known to intruders. In general there are two types of patches, viz. Service Packs and Hotfixes. Installing them in the right order is important: Service Packs must be installed before Hotfixes.
Service packs are used to patch a wide range of vulnerabilities and bugs. The latest service pack that has been tested to work in one's environment should always be applied after installing the operating system. Service packs are cumulative, so only the latest Service Pack needs to be installed.
Hotfixes are released more frequently than service packs and are meant to patch a more specific problem. Not all hotfixes may be needed for a particular system. Before installing these fixes on critical systems, or rolling them out to a large number of devices, hotfixes should be tested to ensure that they do not conflict with third-party drivers.
Patch management may be done manually or through a centralised patch management system. Under either method it should be ensured that the patches have been adequately tested against the applications running in the organisation before being deployed to the desktops.
One other important aspect to be looked at is whether the OS is properly licensed software.
Audit review of the operating system is a vital element of a comprehensive IS audit of any organisation. Vulnerabilities in the OS may nullify the security controls built into the applications. Hence, organisations should include in their audit plans a regular review of the OS for all critical applications and for the servers that hold critical and vital information. The IS auditor should also be meticulous in planning audit reviews so as to include the critical audit areas mentioned above.