Unix network protection with HackerTracker CST
Or "How to protect your network for less than $5"
v1.0
ABOUT THE README
================
This README provides a quick overall summary on how you can provide fairly robust security protection of your network(s) using freely available software tools, including several tools available from HackerTracker.
WHAT IS CST?
============
CST follows a simple philosophy: provide a series of useful utilities that help provide sound security coverage for Unix-based systems and networks.
CST works on the governing philosophy that security systems should be centrally controlled and managed. This provides better economy of scale, and allows a centralized system to be responsible for the "inventory" of the network (the database of record for what is deployed); finding out which newly deployed systems have not been properly covered is extremely important in managing an infrastructure of any size.
Another governing philosophy of CST is to use security tools that are already available. CST isn't attempting to recreate existing toolsets; we strongly believe in and support open source initiatives, and believe that the only way to encourage such efforts is to support useful tools so they become more useful. CST utilizes several such toolsets (Nessus, Titan, Snort, etc.) to be successful.
One last governing philosophy of CST is to be modular, such that any toolset can easily be replaced or added to CST to provide a protective layer. This requires a normalization layer (taking abstract data sets from diverse tools and presenting that data in one common format), currently handled by HackerTracker's APE (Anomaly Policy Engine), but even that tool could be replaced with any robust intrusion detection policy engine.
This README provides a summary of what steps are necessary to install these tools into a centralized managed system. Incremental releases of CST will include automated installation guides.
WHY USE IT?
===========
CST is intended to drive usefulness in the development of HackerTracker released toolsets (APE, HostControl, ConfigCheck, Logmon, Restrict-Menu, etc) and to refine the security deployment architecture that drives CST.
CST is intended to give you a quickstart method of being able to deploy a fairly mature and very robust security infrastructure; while still giving you the opportunity to plug-and-play new infrastructure solutions to evolve or grow the maturity of your own security infrastructure.
We have a lot of work and refinement left to do with CST, but it's being released with the goal of allowing the community to assist in that development and help guide CST's direction.
WHERE CAN I OBTAIN CST TOOLS?
=============================
CST tool suites can be obtained from HackerTracker at http://www.hackertracker.org/cst.
MAILING LIST/SUPPORT
====================
Comments, issues, questions, and suggestions can be sent to "cst@hackertracker.org".
RIGHT TO USE & DISCLAIMER
=========================
CST is copyright(c) 2001, 2002 Dale Drew (ddrew@hackertracker.org). You may use and redistribute it under the terms of the GNU General Public License.
THE USE OF CST AND CST TOOLSETS IS SOLELY AT THE USER'S DISCRETION. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.
INSTALLATION AND USE
====================
Consider this a quickstart guide for now. I'll add more data and details as time goes on.
- Collector - (Buy a Linux machine)
We recommend that you run CST from a Linux box, but all of the toolsets work on Solaris or Linux. This box will be used as the centralized security system: it performs intrusion detection analysis, acts as the FTP server from which tool updates are pushed, and performs configuration assessments.
- Install APE
APE and HostControl represent the "core" of the CST toolsets that provide for a centralization approach. APE runs on the collector and takes data from all of the security tools so they can be presented in one manner.
APE is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/ape.tar
- Install HostControl
HostControl is the tool that makes client-based security infrastructure successful. HostControl has two parts, a client and a server. The server is installed on all of the machines in your network, and the client is installed on the Collector; the client is used to inventory your network and to run commands on the clients in your network.
HostControl is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/hostcntl.tar
- Install Config Checker
ConfigCheck is a utility that runs assessments on config-based elements (Juniper, Cisco, TNT, etc.). Your config-based elements need to copy their configurations to the collector; ConfigCheck does not perform assessments on the boxes themselves.
ConfigCheck is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/configcheck.tar
- Install Restrict-Menu
Restrict Menu is used to manage the tools on the Collector.
Restrict-Menu is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/restrict-menu.tar
- Install nmap
NMAP is used by the toolsets for inventorying purposes.
NMAP can be obtained at http://www.insecure.org/nmap
- Install RADIUS server and PAM module
This allows your collector to be a centralized authentication system for your Unix network; it also supports SSH.
PamRadius is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/pam-radius.tar
- Install Titan
Titan is a Host Assessment system for Unix based systems. Install Titan in the /opt/titan directory.
Titan can be obtained from http://www.fish.com/titan/
- On Clients
- Install Titan
Titan is a Host Assessment system for Unix based systems. Install Titan in the /opt/titan directory.
Titan can be obtained from http://www.fish.com/titan/
- Install Logmon
LOGMON is used to spool specific pieces of data from log files to the collector, where it will be analyzed by APE.
Logmon is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/logmon.tar
- Install HostControl
HostControl is the tool that makes client-based security infrastructure successful. HostControl has two parts, a client and a server. The server is installed on all of the machines in your network, and the client is installed on the Collector; the client is used to inventory your network and to run commands on the clients in your network.
HostControl is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/hostcntl.tar
- Install NCFTP
NCFTP is used by HostControl for the clients to obtain tool updates from your collector.
You can obtain NCFTP from http://www.ncftpd.com/
- Install SSH
SSH can be obtained from http://www.openssh.org/. Ensure you enable PAM support.
- Install SSH PAM Module
This allows your clients to authenticate via a centralized server.
PamRadius is a CST tool and can be downloaded from http://www.hackertracker.org/cst/current/pam-radius.tar
- Create tool-inventory file
Once all of your tools are installed on the clients, create a tool-inventory file (see the HostControl README for details). This will be used by the collector to inventory your network to ensure boxes are properly configured with the right security toolsets.
- Config based elements
- Send your configurations to the collector so they can be audited by ConfigCheck. Typically this means setting up a TFTP server on the collector.
- "Special Elements"
Several elements within your network may have special functions. These functions may include: exposure analysis scanners, network intrusion detection systems, firewalls, etc.
- Nessus Scanner
HostControl supports Nessus via the "nessusscan" and "nessusreport" commands.
You can obtain nessus from http://www.nessus.org
- SNORT
HostControl supports Snort via the "updatesnort" command.
You can obtain snort from http://www.snort.org
- Firewall (ipchains or iptables)
HostControl supports ipchains or iptables rule sets via the "updatefw" command.
- Schedule Titan Assessments
On the collector, set up a cron job to run TITAN assessments on your network.
- In the hostcontrol directory, create a file called "target.networks" and populate that file with a list of your network targets (see the hostcontrol README file for details).
- Set up a cron job to run on a regular basis (e.g. once a day). The report file is written with -f and then mailed and removed, so the same path is used in all three steps:
59 23 * * * cd /opt/hostcntl ; /opt/hostcntl/client -c titanrun -o -f ./data/titanassessment ; mailx -s 'TitanRun' youremail@test.com < ./data/titanassessment ; rm ./data/titanassessment
When you have the bulk of the exposures corrected, I would suggest that you send the results to APE, so that APE can be your single interface to receive exposures:
59 23 * * * cd /opt/hostcntl ; /opt/hostcntl/client -c titanrun -o -f ./data/titanassessment ; /opt/hostcntl/cmds/titanreport -s
- Schedule Config Checker Assessments
On the collector, set up a cron job to run ConfigChecker assessments.
I would suggest that you email yourself the reports at first because, presumably, the number of anomalies to deal with will be significant.
0 22 * * * cd /opt/ConfigCheck ; /opt/ConfigCheck/ConfigCheck cisco ; mailx -s 'ConfigCheck - Cisco' youremail@test.com < cisco.log ; rm cisco.log
30 22 * * * cd /opt/ConfigCheck ; /opt/ConfigCheck/ConfigCheck juniper ; mailx -s 'ConfigCheck - Juniper' youremail@test.com < juniper.log ; rm juniper.log
When you have the bulk of the exposures corrected, then I would suggest that you send the results to APE, so that APE can be your single interface to receive exposures.
To do this, you would set up your cron jobs as follows:
0 22 * * * cd /opt/ConfigCheck ; /opt/ConfigCheck/ConfigCheck cisco
30 22 * * * cd /opt/ConfigCheck ; /opt/ConfigCheck/ConfigCheck juniper
You would then set up LOGMON to monitor the cisco.log and juniper.log files. See the LOGMON documentation for details, but the configuration entries (in logmon.conf) would be as follows.
(Let's say the logmon REGION is "MYNET".)
The logmon.conf file would have the following entry:
MYNET:^ConfigCheck:\s:NP:syslog|local0.info
The REGION file would have the following entry:
Region:MYNET
HomeDir:/opt/logmon
Files:/opt/ConfigCheck/log/cisco.log /opt/ConfigCheck/log/juniper.log
APE already has a rule to read ConfigCheck results.
- Schedule Tool-Checker assessments
ToolChecker inventories your network to identify which systems do not have security tools properly installed. See the hostcontrol README for details.
On the collector, set up a cron job to run ToolChecker scans.
I would suggest that you email yourself the reports at first because, presumably, the number of anomalies to deal with will be significant. The report file written with -f is the one that is mailed and removed, so the same path is used in all three steps:
0 20 * * * cd /opt/hostcntl ; /opt/hostcntl/client -c checksectools -o -f ./data/toolcheckscan ; mailx -s 'ToolCheck Scan' youremail@test.com < ./data/toolcheckscan ; rm ./data/toolcheckscan
When you have the bulk of the exposures corrected, I would suggest that you send the results to APE, so that APE can be your single interface to receive exposures.
To do this, you would set up your cron jobs as follows:
0 20 * * * cd /opt/hostcntl ; /opt/hostcntl/client -c sectoolcheck -o -f /var/log/toolcheckscan
You would then set up LOGMON to monitor the log file. See the LOGMON documentation for details, but the configuration entries (in logmon.conf) would be as follows.
(Let's say the logmon REGION is "MYNET".)
The logmon.conf file would have the following entry:
MYNET:^Toolcheck:\s:NP:syslog|local0.info
The REGION file would have the following entry:
Region:MYNET
HomeDir:/opt/logmon
Files:/var/log/toolcheckscan
APE already has a rule to read ToolCheck results.
- Schedule network scanning assessments
Nessus scans your network to identify remotely accessible exposures.
On the collector, set up a cron job to run Nessus scans. This assumes that:
- You have Nessus installed on a server that you want to perform scans from (this doesn't have to be the collector)
- The nessus client is installed on the collector
- That you create a nessus username of scanme with a password of scanme (this can be modified in the /opt/hostcntl/cmds/nessusscan file)
- That you manually connect with the nessus client to the nessus server to establish the nessus key relationship
- A file called nessus.targets exists in /opt/nessus that has a list of the IPs and/or networks that you want nessus to scan
I would suggest that you email yourself the reports at first because, presumably, the amount of anomalies to deal with will be significant.
0 20 * * * cd /opt/hostcntl/cmds ; ./nessusscan ; mailx -s 'Nessus Scan' youremail@test.com < /var/log/nessusscan ; rm /var/log/nessusscan
When you have the bulk of the exposures corrected, I would suggest that you send the results to APE, so that APE can be your single interface to receive exposures.
To do this, you would set up your cron jobs as follows:
0 20 * * * cd /opt/hostcntl/cmds ; ./nessusscan ; ./nessusreport -s
You would then set up LOGMON to monitor the log file. See the LOGMON documentation for details, but the configuration entries (in logmon.conf) would be as follows.
(Let's say the logmon REGION is "MYNET".)
The logmon.conf file would have the following entry:
MYNET:^Nessus-scan:\s:NP:syslog|local0.info
The REGION file would have the following entry:
Region:MYNET
HomeDir:/opt/logmon
Files:/var/log/nessusscan
APE already has a rule to read Nessus results.
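The Titan, ConfigCheck, ToolCheck and Nessus sections above all follow the same two-stage pattern: mail the raw report to yourself while the backlog is large, then stop mailing and let LOGMON feed the lines into syslog (local0.info) for APE. The wrapper below is an added example, not part of CST or HostControl, that puts both stages behind one cron entry. Everything in it is assumed: the function names (run_and_report, finding_count), the REPORT_DIR variable, the mail/syslog/file modes, and the two assessment stand-ins (fake_assessment, empty_assessment), which write constructed findings instead of running a real tool. On a collector, the assessment command would be one of the real ones above, e.g. a shell wrapper around "/opt/hostcntl/client -c titanrun -o -f <report>".

```shell
#!/bin/sh
# Added example (not CST code): one cron wrapper for the "mail it first,
# then hand it to APE" pattern. The report is written to a dated file
# (no shared "titanassessment" path to rm between runs) and, only if it is
# non-empty, either mailed or forwarded line by line to syslog local0.info,
# which is the target the logmon.conf entries above name.

REPORT_DIR=${REPORT_DIR:-$(mktemp -d)}   # assumed location for reports

# Constructed stand-in for an assessment: writes three findings to the file in $1.
fake_assessment() {
    cat > "$1" <<'EOF'
ConfigCheck:router1:no service password-encryption
ConfigCheck:router1:telnet enabled on vty 0 4
ConfigCheck:router2:snmp community public
EOF
}

# Constructed stand-in for a clean run: produces an empty report.
empty_assessment() {
    : > "$1"
}

# run_and_report TAG MODE ASSESS_CMD [MAILTO]
#   TAG        prefix that the logmon/APE rule matches on (e.g. ConfigCheck)
#   MODE       mail | syslog | file   (file = leave the report on disk only)
#   ASSESS_CMD command taking the report path as its only argument
run_and_report() {
    tag=$1; mode=$2; assess=$3; mailto=${4:-}
    report="$REPORT_DIR/$tag.$(date +%Y%m%d).log"

    "$assess" "$report" || { echo "$tag: assessment failed" >&2; return 1; }

    # Nothing found: do not send an empty mail or an empty syslog burst.
    [ -s "$report" ] || { echo "$tag: no findings" >&2; return 0; }

    case $mode in
        mail)
            mailx -s "$tag report" "$mailto" < "$report" ;;
        syslog)
            # One syslog line per finding, tagged so a ^ConfigCheck style rule matches.
            while IFS= read -r line; do
                logger -p local0.info -t "$tag" -- "$line"
            done < "$report" ;;
        file)
            : ;;
        *)
            echo "$tag: unknown mode '$mode'" >&2; return 2 ;;
    esac
}

# Number of findings in today's report for TAG (what the cron mail would carry).
finding_count() {
    wc -l < "$REPORT_DIR/$1.$(date +%Y%m%d).log" | tr -d ' '
}

# Local demonstration using the constructed stand-in; a crontab line would be
#   0 22 * * * /opt/local/bin/run_and_report ConfigCheck syslog /opt/local/bin/configcheck-cisco
run_and_report ConfigCheck file fake_assessment && echo "report in $REPORT_DIR"
```

Switching from the mail stage to the APE stage is then a one-word change in the crontab (mail to syslog) rather than a rewrite of the command line, and a failed or empty assessment no longer produces a misleading empty mail.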
- Set up exception reports
The Nessusreport and Titanreport programs provide the ability to process exceptions (assessment findings that you don't want reported). You can modify the "/opt/hostcntl/cmds/assessment-exceptions" file to add your exceptions. The format is:
tool:host:results
For example:
Titan:10.10.10.1:cronlog-redhat.sh:/etc/cron.daily/logrotate LIMIT
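The example line shows a detail worth getting right when handling this format: the "results" field itself contains colons, so an exceptions file can only be applied by matching the whole tool:host:results line, or by splitting on the first two colons only. The script below is an added example that is not part of CST or the Nessusreport/Titanreport programs; it filters a findings file against an exceptions file in the format above. The findings and exception lines are constructed for the demonstration, and the function names (apply_exceptions, count_for_tool, finding_host, finding_results) are assumptions.

```shell
#!/bin/sh
# Added example (not CST code): apply an assessment-exceptions file in the
# tool:host:results format to a findings file in the same format.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FINDINGS="$WORK/findings.txt"
EXCEPTIONS="$WORK/assessment-exceptions"

# Constructed findings (Titan and Nessus style lines, not real tool output).
cat > "$FINDINGS" <<'EOF'
Titan:10.10.10.1:cronlog-redhat.sh:/etc/cron.daily/logrotate LIMIT
Titan:10.10.10.1:hosts-equiv.sh:/etc/hosts.equiv FAIL
Titan:10.10.10.2:cronlog-redhat.sh:/etc/cron.daily/logrotate LIMIT
Nessus:10.10.10.3:rlogin service open
EOF

# Constructed exceptions: the single line from the README example.
cat > "$EXCEPTIONS" <<'EOF'
Titan:10.10.10.1:cronlog-redhat.sh:/etc/cron.daily/logrotate LIMIT
EOF

# apply_exceptions FINDINGS EXCEPTIONS
# Prints the findings that are NOT listed verbatim in the exceptions file.
# -F: fixed strings (no regex surprises from '.' or '/'), -x: whole line,
# -v: invert, -f: patterns from file. An empty exceptions file suppresses nothing.
apply_exceptions() {
    findings=$1; exceptions=$2
    if [ -s "$exceptions" ]; then
        grep -F -x -v -f "$exceptions" "$findings" || true
    else
        cat "$findings"
    fi
}

# count_for_tool FINDINGS EXCEPTIONS TOOL
# Remaining findings for one tool, e.g. Titan, after exceptions are applied.
count_for_tool() {
    apply_exceptions "$1" "$2" | grep -c "^$3:" || true
}

# Field accessors: split on the first two colons only, so a results text that
# contains ':' (script name followed by a path, as in the Titan example) stays whole.
finding_tool()    { printf '%s\n' "$1" | cut -d: -f1; }
finding_host()    { printf '%s\n' "$1" | cut -d: -f2; }
finding_results() { printf '%s\n' "$1" | cut -d: -f3-; }

# Demonstration: the excepted Titan line is dropped, three findings remain.
apply_exceptions "$FINDINGS" "$EXCEPTIONS"
```

Because matching is on the whole line, an exception silences exactly one finding on exactly one host; a finding that reappears on a second host, or with a different result text, is still reported, which is the behaviour you want from an exceptions list.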
Things left to do
=================
MySQL interface to APE
Web page interface (reports and restrict menu)
Windows
HFNETCHECK
Eventmon
Virus scanning