IT Audit – Why is it important to system administrators?

What is an IT Audit?

System administrators who work for publicly traded companies registered with government regulators will frequently go through the process of an IT audit. The purpose of these IT audits is to require the CEO/CFO of the company to personally validate the accuracy of all financial records, and also to ensure that there are appropriate procedures in place for the internal control of the financial data.

If you are working with a US-based publicly traded company, you must have heard the term “SOX (Sarbanes-Oxley) audit”. Similar auditing agencies exist in countries like Japan, Germany, France, Italy, Australia, India, South Africa, and Turkey, to monitor the operations happening inside and outside of publicly traded companies. You can find more about SOX audits here.

How does it happen – Internal Audit vs External Audit?

Once an upcoming audit event is announced, there will be a lot of pressure on the teams, and the audit will become the highest-priority task for everyone. For every IT manager these audits are very serious business, where failing is not an option.

In order to avoid failures in the “real audits” from government agencies, companies hire third-party auditing firms to perform an “internal audit” in the same way that the “real audit” happens. These internal auditors use the same techniques and procedures as the real audit; the only difference is that an internal audit is conducted for our own testing of our systems. During the internal audit, the auditors analyze the data and let the teams know where the systems are not compliant. In an internal audit we have an opportunity to go back and fix the issues identified, and once the issues are fixed the auditors perform another scan of the systems to ensure that the issues are corrected.

Once management is satisfied with the internal audit results, the real audit event is announced. During the real audit, the auditors sit with some system administrators (chosen by management) and ask them to run some queries and commands against some randomly selected systems. The auditors then analyze the answers and confirm whether the IT audit is a PASS or not (remember, failure is not an option here).

What exactly do auditors look for?

The scope of IT auditing covers the entire network infrastructure, but our focus here is on the Unix environment alone. Below are some sample areas, related to Unix, that auditors want to scan and analyze.

1. Access Control Policies:

– All accounts must have passwords. Passwords should have an expiry policy and must follow the complex-password rules.

– All user accounts which are not in use must be disabled within a specific duration.

– All system default user accounts should be disabled. Example: uucp.

– Disable all unused network services on each host, like telnet, ssh, http, etc.

– User membership of specific Unix groups must be frequently reviewed for additions and removals.

– Disable direct remote access to the machines using the superuser and privileged application accounts. Instead, a sudo-style mechanism should be set up for users who need additional privileges for their tasks.

– Set up a proper logging mechanism to capture every user action on a production system.
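As an added example (not from the original article), a small shell script that checks a shadow(5)-format file for the first two items above: accounts with no password and unlocked accounts whose password never expires. The file path is an argument so it can be run against a saved copy; the output format and the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a shadow(5)-format
# file for the access-control items above.  The path is passed as $1 so the
# script can be run against a saved copy instead of the live /etc/shadow
# (reading the live file needs root).

# Print one finding per line, "<account>: <problem>", for:
#   - accounts with an empty password field (login without a password), and
#   - unlocked accounts whose maximum password age (field 5) is unset or
#     99999 days, i.e. no expiry policy applied.
# Locked accounts ("!" or "*" in the hash field) are skipped for the expiry
# check, since disabling is exactly what the policy asks for unused accounts.
audit_shadow() {
    awk -F: '
        # Field 2 is the password hash, field 5 the maximum password age.
        $2 == ""                 { print $1 ": no password set" }
        $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) {
            print $1 ": password never expires"
        }
    ' "$1"
}

# Number of findings; 0 means the file passes these two checks.
audit_shadow_count() {
    audit_shadow "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_shadow.sh /path/to/shadow-copy
if [ $# -gt 0 ]; then
    audit_shadow "$1"
fi
```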

2. File and directory level permissions:

– World-writable files: if you want to see how compliant you are, just go to a machine where several NFS mounts are available and run ls -R on any NFS mount. If you notice any file or directory that has write permission for others, then your machine is definitely not compliant with the audit, and management should provide a proper business risk-acceptance certificate for those exceptions.

– Files with SetGID and SetUID permissions must be reviewed.

– System configuration files like /etc/passwd, /etc/shadow, /etc/services, etc. must have appropriate permissions.
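The three file-permission items above, as an added shell example that is not from the article: find(1) does the world-writable and SetUID/SetGID sweeps in one pass instead of reading ls -R output by eye, and an octal check verifies a configuration file's mode against the maximum you allow. Paths and allowed modes are arguments; the 644/600 limits in the usage comment are a typical baseline I assume, not figures from the article.

```shell
#!/bin/sh
# Added example, not part of the original article: permission checks for the
# three items above.  Every path is an argument, so the functions can be
# pointed at an NFS mount for a real sweep or at a constructed tree for a test.

# List files and directories under $1 that are writable by "others".
# Sticky-bit directories such as /tmp are excluded; -xdev keeps find from
# crossing into other mounts, so each mount is swept on its own.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 \
        2>/dev/null
}

# List regular files under $1 with the SetUID or SetGID bit, for review
# against a known-good baseline (any new entry is a finding).
setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Return 0 if file $1 has no permission bit set beyond octal mode $2,
# otherwise 1.  GNU stat prints the octal mode with -c %a; the BSD/macOS
# form is the fallback.  A leading 0 makes the shell read both as octal.
mode_within() {
    actual=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    [ $(( 0$actual & ~0$2 )) -eq 0 ]
}

# Check each "path:maxmode" argument and print one line per violation.
# Usage: check_modes /etc/passwd:644 /etc/services:644 /etc/shadow:600
# (those limits are my assumed baseline, not values from the article).
check_modes() {
    for entry in "$@"; do
        file=${entry%:*}; limit=${entry##*:}
        mode_within "$file" "$limit" || echo "$file: mode too loose (max $limit)"
    done
}
```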

3. System stability and security compliance, in terms of patches and releases:

– All machines must be updated with the latest patches, tested and certified by the internal Unix engineering department.

– Any changes to currently running machines should go through the proper approvals and procedures before implementation.

– All change requests related to current production machines (which directly provide services to the core business applications) must have testing details and back-out procedures attached.

– All systems should be configured with proper monitoring tools, and a proper notification process should be set up in case of any malfunction of the system.

– Redundancy and failover setups for the critical systems.

How do companies ensure that their systems are compliant?

Most organizations that are subject to IT auditing set up a central configuration information server, which collects system configuration information (like software versions, package versions, operating system releases, hardware models, etc.) about each and every system in the network.

This central configuration database server gives management a clear picture of which systems in the network are not compliant with the audit requirements.

What is the system administrator's role in keeping the machines compliant?

Below are some sample tasks that a system admin can look into in terms of auditing. But please remember that it never ends here.

– Ensure that every system you install, configure and manage reports to the central configuration server without failure.

– Make sure the systems in your control are properly monitored, and that an appropriate alert mechanism is set for each host depending on the function of the system.

– Whenever you are asked to implement a change to a production server, make sure proper approvals are added to the change request, the change has been tested earlier, and an appropriate back-out procedure was added to the change request.

– Never set loose permissions on files/directories without proper business justification and appropriate business approvals.

What is your IT auditing experience? Please share with us.


Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later I realized that my learnings might be helpful for other unix admins if I managed my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at - https://www.linkedin.com/in/unixadminschool/

9 Responses

  1. Muneer says:

    FILE-SYSTEM SECURITY
    Weak File system configuration
    Set Null shell for system user accounts
    Login banner is not enabled
    Non essential services are enabled in inetd
    Non essential services are enabled in startup scripts
    FTP and Telnet banners are absent in the system
    FTP users are not restricted
    SNMP Service is not secured
    Executable stacks are not secured
    Weak system umask
    Weak user permissions for CRON and AT
    Critical folders have weak permission
    Intense use of system resources
    EEPROM security functionality is disabled
    SYSTEM ACCESS AND AUTHENTICATION
    Password policy is not enabled in the system
    Remote root login is enabled
    Remote login by unauthenticated users
    XDMCP protocol is enabled for CDE
    AUDITING AND LOGGING
    Failed login attempts are not audited
    User authentication is not audited
    Weak permission on log files
    NETWORK SETTINGS AND SERVICES
    Weak preliminary network settings
    Weak TCP sequence number used

  2. Ramesh says:

    Hi Gurkulindia,

    Please share some knowledge on hadoop .

    Regards
    Ramesh Reddy 

  3. AbheeG says:

    IT Audit is mainly done to check if the systems are in accordance with the company's/system owner's security policy. As long as the security policy maker is technical enough to know what is to be mentioned and what is not, you can have a relatively easier time implementing it and maintaining it. I have seen policies which have been entirely downloaded from the net and given to me to apply. As a system admin we always have the right of denial. Sometimes it's just not practically possible to apply all the policies to a non-critical system. Also, patch management can be a big nightmare if you do not test the patches on a testing server before applying them on a production server.

  4. ramdev says:

    @AbheeG – thanks for sharing your experience.

  5. PiGeePi says:

    Just wanted to point out that the word compliant is misspelled as ‘complaint’ numerous times in the article. There is a big difference in meaning.

    Nevertheless, this was an excellent article.

    I worked for a company in New York, where we implemented PCI compliance. We ran some scripts that checked for a lot of the things mentioned here and in Muneer’s list. If I can ever find this script I will post some additional comments here.
