Enjeux de la sécurité informatique

Transcription

Sécurité des systèmes d’exploitation
Jean-Marc Robert
Génie logiciel et des TI
Plan de la présentation

Systèmes d’exploitation

Microsoft




XP, Vista, 7, …
Unix/Linux
MAC
Conclusion
Jean-Marc Robert, ETS
Sécurité des systèmes d'exploitation - A11
2
Windows XP – Checklists

Le NIST a publié deux excellents documents afin de sécuriser
un système basé sur Windows XP.


NIST SP-800-68: Guidance for Securing Microsoft Windows XP
Systems for IT Professionals : A NIST Security Configuration Checklist,
Octobre 2005.
NIST SP-800-69 : Guidance for Securing Microsoft Windows XP Home
Edition: A NIST Security Configuration Checklist, Septembre 2006.
3
4
5
Unix/Linux – En quelques mots

La sécurité de Unix est plutôt limitée.
 La sécurité et non la robustesse du système d’exploitation. Des systèmes
basés sur Unix tels que Linux et surtout OpenBSD ont d’excellentes
réputations puisqu’ils sont très robustes contre les vulnérabilités
logicielles.


Beaucoup moins complexe, le système d’exploitation est petit comparé à Windows.
Pour plus de détails sur la sécurité Unix/Linux:
http://www.auscert.org.au/render.html?cid=1937&it=5816
6
UNIX and Linux Security Checklist v3.0 (AusCERT)
A. Determine Appropriate Security
A.1 Computer role
A.2 Assess security needs of each kind of data handled
A.3 Trust relationships
A.4 Uptime requirements and impact if these are not met
A.5 Determine minimal software packages required for
role
A.6 Determine minimal net access required for role
B. Installation
B.1 Install from trusted media
B.2 Install while not connected to the Internet
B.3 Use separate partitions
B.4 Install minimal software
C. Apply all Patches and Updates
C.1 Initially apply patches while offline
C.2 Verify integrity of all patches and updates
C.3 Subscribe to mailing lists to keep up to
date
D. Minimise
D.1 Minimise network services
D.1.1 Locate services and remove or disable
D.1.2 Minimise inetd/xinetd
D.1.3 Minimise portmapper and RPC services
D.1.4 Notes on particular network services
D.2 Disable all unnecessary startup scripts
D.3 Minimise SetUID/SetGID programs
D.4 Other minimisation
7
E. Secure Base OS
E.1 Physical, console and boot security
E.2 User Logons
E.2.1 Account Administration
E.2.2 Special accounts
E.2.3 Root account
E.2.4 PATH advice
E.2.5 User session controls
E.3 Authentication
E.3.1 Password authentication
E.3.2 One-time passwords
E.3.3 PAM Pluggable Authentication Modules
E.3.4 NIS / NIS+
E.3.5 LDAP
E.4 Access Control
E.4.1 File Permissions
E.4.2 Filesystem attributes
E.4.3 Role Based Access Control
E.4.4 sudo
E.4.5 Consider mandatory access control features
E.5 Other
E.5.1 Cron
E.5.2 Mount options
E.5.3 Non-execute memory protection
E.5.4 Umask for startup scripts
E.5.5 .netrc files
8
F. Secure Major Services
F.1 Confinement
F.1.1 Running under an unprivileged account
F.1.2 using chroot jails
F.1.3 Other confinement mechanisms
F.2 tcp_wrappers
F.3 Other general advice for services
F.3.1 Configure services to listen on one interface only.
F.3.2 Adding SSL to existing services
F.4 SSH
F.5 Printing
F.6 RPC/portmapper
F.7 File services NFS/AFS/Samba
F.7.1 NFS
F.7.2 Samba
F.8 Email service
F.8.1 Sendmail
F.8.2 Mail server MTA choices
F.9 The X Window System
F.9.1 Restrict access to the X server
F.9.2 Protect any X traffic
F.9.3 Avoid cross-client X attacks
F.9.4 X display managers
F.10 DNS service
F.10.1 BIND
F.10.2 DNS server choices
F.11 WWW service
F.11.1 General configuration
F.11.2 Web applications
F.11.3 TLS / SSL
F.11.4 Static-only webserver
F.12 Squid proxy
F.13 CVS
F.14 Web browsers
F.15 FTP service
F.15.1 General configuration
F.15.2 Anonymous FTP
F.15.3 Upload directories
9
G. Add Monitoring Capability
G.1 syslog configuration
G.2 Monitoring of logs
G.2.1 Process for log monitoring
G.2.2 Automated log monitoring tools
G.3 Enable trusted audit subsystem if available
G.4 Monitor running processes
G.4.1 Availability of servers
G.4.2 Process accounting
G.4.3 lsof
G.5 Host-based intrusion detection
G.5.1 File integrity checker
G.5.2 Antivirus / malware detection
G.6 Network intrusion detection
G.6.1 Signature matching IDS
H. Connect to Net
H.1 First put in place a host firewall.
H.1.1 Identify host firewall software
H.1.2 Design host firewall
H.1.3 Weak end system
H.2 Position this computer behind a border
firewall.
H.3 Network stack hardening/sysctls
H.4 Connect to network for the first time
10
I. Test Backup/Rebuild Strategy
I.1 Backup/rebuild strategy
I.2 TEST backup and restore
I.3 Allow separate restore of software and data
I.4 Repatch after restoring
I.5 Process for intrusion response
I.5.1 Documented process
I.5.2 Forensic tools
I.5.3 Malware detection tools
J. Maintain
J.1 Mailing lists
J.2 Software inventory
J.3 Rapid patching
J.4 Secure administrative access
J.4.1 Strongly authenticated access only
J.4.2 Administer only from a secure workstation
J.5 Log book for all sysadmin work
J.6 Configuration change control with CVS
J.7 Regular audit
J.7.1 Re-apply this checklist
J.7.2 Check for dormant accounts
J.7.3 Audit weak passwords
J.7.4 Apply network scan/audit tools
11
Conclusion

La sécurité de tout système d’exploitation repose essentiellement
sur deux principes:

Mises-à-jour régulières des logiciels.



Systèmes d’exploitation
Applications
Logiciels de sécurité


Anti-virus / Anti-spyware / Anti-adware
Politiques de sécurité très strictes.



Mots de passe adéquats
Pare-feux limitant au minimum le trafic
Surveillance des activités

Trafic entrant, trafic sortant, utilisation des ressources, …
12

Enjeux de la sécurité informatique

Transcription

Similar documents

Commission scolaire des Samares

for the BEAUTY INDUSTRY

How to prepare succesful projects

vlaamse watermaatschappij

Villefranche-sur-Mer - VINAIGRIER

Anglais voltigeur 2002

Dreyer`s Product Guide

The Crêtes Itinerary

Westney Heights Plaza Ajax - December 10, 2015

Hanil E-hwa

IP Backbone Security > Nicolas FISCHBACH > Sébastien LACOSTE-SERIS