Operating System Audit Article Index for
Operating System 		Website Links For
Operating System 		 

Information About

Operating System Audit
APPAREL
BABY
BEAUTY
BOOKS
CAR TOYS
CELL PHONES
DVD'S
ELECTRONICS
GOURMET FOOD
GROCERIES
HEALTH & PERSONAL
HOME & GARDEN
JEWELRY
MUSIC
MUSIC INSTRUMENTS
OFFICE PRODUCTS
SOFTWARE
SPORTING GOODS
TOOLS & HARDWARE
TOYS
VIDEO GAMES
SHOPPING HOME
MORE SHOPPING...



As computers became more sophisticated, many manual operations are automated within the operating system (see more about the history of Operating System s).The operating system (OS) is the program that runs all other programs. OS perform the undertaking of coordinating all tasks, such recognizing input from the keyboard and keeping track of files and directories. It also ensures that all the different programs that are running and the users for those systems do not interfere with each other. OS is also in charge of security and guarantees that no unauthorized use occurs.

The operating system provides a software platform on top of which other programs called applications can run. Some examples of popular operating systems include Windows , Unix , and Linux .


WHY IS OS SECURITY RELEVANT?


In today's business climate, there is an increasing use and awareness of many OS used by large organizations. The mechanisms that control the information and the data itself is what is considered valuable. Therefore security of information systems is crucial. It has been recognized that it is good security protocol to either perform internal security audits or hire external firms to audit existing policies, practices, and installations. OS interact with vital business assets such as Payroll , Human Resources , development, and customer information.

The operating system sees “ {Link without Title} data on the disk as streams of bits in the records inside the files and folders. The operating system does not see the data relating to the basic pay of an employee as being significantly more or less sensitive than the employee's telephone number. It is the application software that understands the data from the business perspective; all business rules relating to the way the data can be manipulated are enforced through programs in the application software”.

Good Application Software has controls designed to enforce all the validations and business rules relating to who interacts with which elements of the data and how. As long as the user stays within such an application, the user's actions are well controlled. “However, if a user is able to bypass the application and gain access to the operating system, then all the rules and controls in the application software become irrelevant.” Hence, it is necessary to carry out reviews of the OS and database for all critical applications and the servers that hold sensitive information.


HOW DO YOU PERFORM AN OPERATING SYSTEMS AUDIT?


“The purpose of this page is to focus on the concepts and need for the audit of OS and not to provide detailed guidelines or checklists for doing the same. Such guidelines or checklists are specific in technical detail to different OS. Many professional audit firms develop, through their own research, guidelines and work procedures for such technical audits.”
Typically, operating systems are purchsed from outside vendors. The auditor should obtain and understand the technical descriptions and documentation from their vendors, before beginning an audit.

By their nature, operating systems are heavily relied upon for general operation of computer hardware. Therefore, an operating system audit requires the auditor to deploy further investigation in determining whether:

1) An application program can access main or Data Storage areas or files being used by other applications.

2) Important security and accuracy features (e.g., error handling for invalid data types of formats) are fully used and are not being overridden by application programs.

3) Adequate supervisory procedures are established for the system Programmers (in addition, a security background investigation should be performed).
  • Usually, the system programmers have access to all system software. A primary control is necessary, in order to reduce the programmer’s ability to perform unauthorized or damaging acts that could impair the accuracy and/or reliability of the system.


4) Access to and use of privileged instructions (e.g., input and output instructions that would enable reading or writing of data from another user’s file) is restricted.

5) Scheduling functions are self-processing or require extensive operator intervention.

6) Improvements to the system are routinely implemented. Most of the changes are initiated as maintenance described by the vendors. The organization should control software changes by:
  • Establishing formal procedures that require supervisory authorization before implementation.

  • Ensuring all the changes are thoroughly tested.

  • Removing critical files and application programs from the computer area while the system programmers are making changes.

    • Important areas in an OS audit are the following:

  • Physical Security - protecting the equipment guarantees that physical access to specific systems is only granted to those who need it. This is indispensable for many large organizations because they often have multiple data centers, server rooms, and operating systems. It is important to ensure that physical access is limited and secure

  • Logical Security – controlled access to applications and data.

  • Security Policy and administration – instituting change control policies. Sound change control policies help ensure that systems are kept free of operator errors and other common problems such as changes that are meant to be temporary, but are then never changed back to their original state. This also provides a good baseline review of the organization. On a side note, having a concrete and reliable standard is essential in the event of a disaster or security breach


The following steps aim to cover each of the aforementioned topics.
  • “Evaluating whether the security features have been enabled and parameters have been set to values consistent with the security policy of the organization, and verifying that all users of the system (user IDs) have appropriate privileges to the various resources and data held in the system. Next, the auditor should obtain the list of user IDs in the system and map these with actual users. Then, the auditor has to determine for each user what the permissions and privileges to the different resources/data are in the system. There are different methods, for example, commands for ascertaining this from the system for different OS. Another way is to determine for a given critical piece of data that the users with access are, and whether their access is appropriate.”

  • “Some of the most common security parameters that can be evaluated are password rules, such as minimum password length, password history, password required, compulsory password aging, lock-out on unsuccessful logins, login station and time restrictions. The other areas of scrutiny are whether the logging of certain events, such as unsuccessful login attempts, has been enabled or whether the superuser password is held by the appropriate person. Other OS/version-specific parameters also have to be verified.”

  • “Another point for examination pertains to the network. With all computers intricately connected to the internal and external networks, the network-related vulnerabilities of such systems also need to be covered in reviews, although they are even more specialized.” Through suitable use of tools, the auditor should determine whether the services that are open and running in the server (such as FTP , Telnet , HTTP ) or ports are only those that really are required. “If the review is being done on a system that is hosting a Web Server or a Firewall , the evaluation must be done by an expert.”

  • After an assessment of the control is performed, the auditor must conclude and report their findings and see if any changes need to be made to the initial audit plan. This is also the time when weaknesses are brought to the attention of appropriate parties that need to be informed, such as management. If weaknesses are discovered in the OS audit, and nothing is done it will compromise the following audits of the organization’s ERP ( Enterprise Resource Planning ), SAP , applications, and business components.



EXTERNAL LINKS