Session 10: Security Auditing

1. Introduction

A security audit is a systematic process for evaluating and testing the security controls in a system.

Focus: Having covered the basic security concepts, we now turn to how to carry out a comprehensive assessment that identifies vulnerabilities and verifies compliance with security standards. The audit cycle has four stages:
  • Identification: find vulnerabilities
  • Assessment: evaluate controls
  • Compliance: verify standards
  • Improvement: recommend actions

2. Basic Concepts of Security Auditing

Objectives of a Security Audit
Identifying Vulnerabilities

Finding weaknesses in the system

  • Misconfigurations
  • Unpatched software
  • Weak passwords
  • Unnecessary services
Verifying Compliance

Ensuring adherence to policies and regulations

  • Industry standards
  • Company policies
  • Legal requirements
  • Best practices
Risk Assessment

Rating the level of security risk

  • Impact analysis
  • Likelihood assessment
  • Risk prioritization
  • Remediation planning
Improvement Recommendations

Providing recommendations for remediation

  • Actionable items
  • Priority classification
  • Timeline suggestions
  • Follow-up procedures
Types of Security Audit
  • Internal Audit: performed by the organization's own team. Advantages: low cost, internal knowledge. Limitations: potential bias, limited expertise.
  • External Audit: performed by an independent third party. Advantages: objectivity, specialized skills. Limitations: high cost, learning curve.
  • Black Box Testing: the auditor has no prior information about the system. Advantages: real-world simulation, no insider knowledge. Limitations: time-consuming, may miss internal issues.
  • White Box Testing: the auditor has full access to documentation and the system. Advantages: comprehensive, efficient. Limitations: not realistic, may overlook external threats.
  • Grey Box Testing: a combination of black box and white box. Advantages: balanced approach, realistic. Limitations: may not be as thorough as white box.
Well-known Audit Frameworks
  • NIST CSF: Cybersecurity Framework
  • ISO 27001: Information Security
  • CIS Controls: Critical Security Controls
  • OWASP: Web Application Security

3. System Security Audit Tools

Categories of Audit Tools
Vulnerability Scanners

Detect known vulnerabilities

  • Nessus
  • OpenVAS
  • Nexpose
  • Qualys
# Example: basic vulnerability scan with Nmap NSE scripts
nmap --script vuln target_ip
Configuration Auditors

Check system configuration

  • Lynis
  • OpenSCAP
  • CIS-CAT
  • Microsoft BPA
# Example: Lynis audit
lynis audit system
File Integrity Checkers

Monitor changes to system files

  • AIDE
  • Tripwire
  • OSSEC
  • Samhain
# Example: AIDE check
aide --check
Log Analyzers

Analyze logs for suspicious activity

  • Logwatch
  • GoAccess
  • Graylog
  • Splunk
# Example: log analysis
grep "Failed password" /var/log/auth.log
Network Scanners

Map the network and its services

  • Nmap
  • Masscan
  • Zmap
  • Angry IP Scanner
# Example: network discovery (TCP SYN scan)
nmap -sS 192.168.1.0/24
Penetration Testing Tools

Simulate attacks to test defenses

  • Metasploit
  • Burp Suite
  • SQLmap
  • John the Ripper
# Example: password audit (cracking raw MD5 hashes)
john --format=raw-md5 hashes.txt

4. Lynis - Security Auditing Tool

Installing Lynis
Ubuntu/Debian
# Install from the distribution repository
sudo apt update && sudo apt install lynis

# or install manually from the release tarball
wget https://downloads.cisofy.com/lynis/lynis-3.0.8.tar.gz
# verify the download against the checksum/signature CISOfy publishes for the release before extracting
tar xvf lynis-3.0.8.tar.gz
cd lynis-3.0.8
./lynis audit system
CentOS/RHEL
# Enable the EPEL repository
sudo yum install epel-release

# Install Lynis
sudo yum install lynis

# or from source
git clone https://github.com/CISOfy/lynis
cd lynis
./lynis audit system
Basic Lynis Usage
Basic Commands
# Full system audit
sudo lynis audit system

# Quick run (no pauses for user input) and pentest mode (non-privileged scan)
sudo lynis audit system --quick
sudo lynis audit system --pentest

# Audit specific test groups only
sudo lynis audit system --tests-from-group malware
sudo lynis audit system --tests-from-group authentication
Reporting & Output
# Write the report data file to a custom location
sudo lynis audit system --report-file /tmp/lynis-report.txt

# Write the log to a custom location
sudo lynis audit system --logfile /var/log/lynis.log

# Upload the report to a central server (requires Lynis Enterprise)
sudo lynis audit system --upload
Interpreting Lynis Results

  • Hardening Index (e.g. 75%): overall system security score (0-100)
  • Warnings (e.g. 12): security issues that need immediate attention
  • Suggestions (e.g. 28): recommended improvements

Analyzing the Output
Filtering the Important Results
# View the audit log
sudo cat /var/log/lynis.log

# Filter warnings
grep -i warning /var/log/lynis.log

# Filter suggestions
grep -i suggestion /var/log/lynis.log

# Check specific components
grep -i "ssh\|ssl\|firewall" /var/log/lynis.log
Sample Output
[+] Boot and services
- Service manager = systemd
- UEFI boot = Not available

[+] Hardening
- Separated /home partition = Yes
- ASLR = Yes
- Firewall = Active

[!] Security check warnings
- Permissions of log files [WARNING]
- PHP version seems outdated [WARNING]
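Besides the log shown above, Lynis writes a machine-readable summary to /var/log/lynis-report.dat, which is easier to check automatically. The script below is an added example, not part of the slides or of the Lynis project; it builds a small constructed report file (test IDs and texts are made up) and pulls out the hardening index, warnings and suggestions from it.

```shell
#!/bin/sh
# Added example (not from the slides or the Lynis project): read the machine-readable
# report Lynis writes to /var/log/lynis-report.dat instead of grepping the human log.
# The file is key=value; warning[] and suggestion[] values are "TEST-ID|text|details|solution|".
REPORT="${LYNIS_REPORT:-/tmp/lynis-report-sample.dat}"

# Constructed sample report; test IDs and texts are made up for the example
cat > "$REPORT" <<'EOF'
report_version_major=1
hardening_index=75
warning[]=LOGS-0001|Permissions of log files are too open|/var/log|-|
warning[]=PHP-0002|PHP version seems outdated|-|-|
suggestion[]=AUTH-0003|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-0004|Consider hardening SSH configuration|MaxAuthTries (6 --> 3)|-|
EOF

# Hardening index (0-100) of the report in $1
hardening_index() {
  sed -n 's/^hardening_index=//p' "$1"
}

# Number of warning[] or suggestion[] entries; $2 is "warning" or "suggestion"
count_findings() {
  grep -c "^$2\[\]=" "$1"
}

# Findings as "TEST-ID: text" (first two pipe-separated fields)
list_findings() {
  sed -n "s/^$2\[\]=//p" "$1" | awk -F'|' '{ printf "%s: %s\n", $1, $2 }'
}

# PASS/FAIL against a minimum score in $2 (the 75% on the slide is only a sample value)
check_threshold() {
  idx=$(hardening_index "$1")
  if [ "$idx" -ge "$2" ]; then echo "PASS ($idx >= $2)"; else echo "FAIL ($idx < $2)"; fi
}

echo "Hardening index: $(hardening_index "$REPORT")"
echo "Warnings ($(count_findings "$REPORT" warning)):"
list_findings "$REPORT" warning
echo "Suggestions ($(count_findings "$REPORT" suggestion)):"
list_findings "$REPORT" suggestion
check_threshold "$REPORT" 80
```

Point LYNIS_REPORT at the real /var/log/lynis-report.dat (and drop the heredoc) to run it against an actual audit.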

5. Vulnerability Assessment Tools

OpenVAS/GVM (Greenbone Vulnerability Manager)
Installation
# Install OpenVAS
sudo apt install openvas

# Set up and configure (feed sync and initial admin user)
sudo gvm-setup
sudo gvm-start

# Access via web browser
# https://localhost:9392
Basic Usage
# gvm-cli speaks GMP (an XML protocol) to gvmd; the examples below use the local socket.
# TARGET_ID, CONFIG_ID, TASK_ID and REPORT_ID are placeholders for the ids returned by earlier calls;
# add --gmp-username/--gmp-password if the socket requires authentication.

# Create a new target
gvm-cli socket --xml '<create_target><name>LAN</name><hosts>192.168.1.0/24</hosts></create_target>'

# Create a scan task for that target with a scan config (config ids come from <get_configs/>)
gvm-cli socket --xml '<create_task><name>Network Scan</name><config id="CONFIG_ID"/><target id="TARGET_ID"/></create_task>'

# Start the scan
gvm-cli socket --xml '<start_task task_id="TASK_ID"/>'

# Retrieve the report
gvm-cli socket --xml '<get_reports report_id="REPORT_ID"/>'

# Recurring scans: attach a schedule to the task (<create_schedule>, iCalendar format) or use the web UI
Nmap - Network Scanning
Basic Scanning
# Basic network scan
nmap -sS 192.168.1.0/24

# Vulnerability scanning
nmap --script vuln target_ip

# OS detection
nmap -O target_ip

# Service version detection
nmap -sV target_ip
Advanced Usage
# Output to file
nmap -oA scan_results target_ip

# Aggressive scan
nmap -A target_ip

# UDP scan
nmap -sU target_ip

# Script scanning
nmap --script "http-*" target_ip
Nikto - Web Vulnerability Scanner
Installation & Basic Scan
# Install nikto
sudo apt install nikto

# Basic web scan
nikto -h http://target-website.com

# Scan a specific port
nikto -h http://target-website.com -p 8080

# Update database
nikto -update
Advanced Scanning
# Comprehensive scan
nikto -h http://target-website.com -C all -Tuning 9

# Output to file
nikto -h http://target-website.com -o nikto_scan.html -Format htm

# Scan with authentication
nikto -h http://target-website.com -id admin:password

# Evasion techniques
nikto -h http://target-website.com -evasion 1

6. File Integrity Monitoring

AIDE (Advanced Intrusion Detection Environment)
Installation & Setup
# Install AIDE
sudo apt install aide

# Initialize database
sudo aideinit

# Copy new database
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Manual check
sudo aide --check
Maintenance & Updates
# Update the database after legitimate changes (writes aide.db.new.gz; move it into place as after aideinit)
sudo aide --update

# Check the configuration
aide -D

# Custom configuration
vi /etc/aide/aide.conf

# Exclude directories (rules inside aide.conf; a leading ! means "do not monitor")
!/var/log
!/tmp
Automated Monitoring with AIDE
Automated AIDE Checking Script
#!/bin/bash
# automated_aide_check.sh

LOG_FILE="/var/log/aide/check.log"
ALERT_EMAIL="admin@company.com"

mkdir -p "$(dirname "$LOG_FILE")"

# Run the AIDE check; a non-zero exit code means changes (or an error) were detected
AIDE_RESULT=$(aide --check 2>&1)
AIDE_STATUS=$?

if [ "$AIDE_STATUS" -ne 0 ]; then
  echo "AIDE detected changes at $(date) (exit code $AIDE_STATUS)" >> "$LOG_FILE"
  echo "$AIDE_RESULT" >> "$LOG_FILE"

  # Send an email alert with the AIDE output as the body
  echo "$AIDE_RESULT" | mail -s "AIDE Alert: file changes on $(hostname)" "$ALERT_EMAIL"

  # Additional actions
  echo "Changes detected:"
  echo "$AIDE_RESULT"
else
  echo "AIDE check passed at $(date)" >> "$LOG_FILE"
fi
Integration with System Monitoring
Cron Job Setup
# Edit root's crontab (AIDE needs to read the whole filesystem)
sudo crontab -e

# Daily AIDE check at 2 AM
0 2 * * * /usr/bin/aide --check

# Weekly AIDE database update
0 3 * * 0 /usr/bin/aide --update

# With the custom script
0 4 * * * /usr/local/bin/aide_check.sh
Alert Configuration
# Systemd service for AIDE: /etc/systemd/system/aide-check.service
[Unit]
Description=AIDE check

[Service]
Type=oneshot
ExecStart=/usr/bin/aide --check

[Install]
WantedBy=multi-user.target

# Timer for the daily check: /etc/systemd/system/aide-check.timer
# (activates aide-check.service; enable with: systemctl enable --now aide-check.timer)
[Unit]
Description=Daily AIDE check

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

7. Security Compliance Frameworks

CIS Benchmarks
Download & Implementation
# Download the CIS benchmarks
# Available from: https://www.cisecurity.org/cis-benchmarks/

# Manual implementation based on the guidelines
# Example SSH hardening (CIS Benchmark)

# /etc/ssh/sshd_config
# Protocol is deprecated and ignored by modern OpenSSH (only protocol 2 is supported)
Protocol 2
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 300
# OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never disconnect", so use a small positive count
ClientAliveCountMax 3
# replace with the actual list of permitted accounts
AllowUsers specific_users
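A checker for these directives, as an added example that is not from the slides or from CIS: it reads an sshd_config and reports PASS/FAIL for each expected value. It follows sshd's own rule that the first occurrence of a keyword wins, treats commented-out lines as unset, and expects ClientAliveCountMax 3 for the OpenSSH 8.2+ semantics noted above. The sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the slides or CIS): check an sshd_config against the hardening
# values listed above. sshd applies the FIRST occurrence of a keyword, so the checker does too.
# Expected ClientAliveCountMax is 3 because OpenSSH 8.2+ treats 0 as "never disconnect".
CFG="${SSHD_CONFIG:-/tmp/sshd_config.sample}"

# Constructed sample: one compliant, one non-compliant, one duplicated and one commented-out directive
cat > "$CFG" <<'EOF'
# sample sshd_config (constructed for the example)
Port 22
PermitRootLogin yes
MaxAuthTries 3
MaxAuthTries 10
ClientAliveInterval 300
#ClientAliveCountMax 3
EOF

# Effective value of keyword $2 in config $1: first non-comment match, case-insensitive keyword
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# One checklist item: prints PASS/FAIL, returns 1 on FAIL or when the keyword is unset
check_directive() {
  actual=$(effective_value "$1" "$2")
  [ -n "$actual" ] || actual="unset"
  if [ "$actual" = "$3" ]; then
    echo "PASS $2 = $actual"
  else
    echo "FAIL $2 = $actual (expected $3)"
    return 1
  fi
}

# Whole checklist; the last line reports the number of failures
audit_sshd() {
  fails=0
  for pair in PermitRootLogin:no MaxAuthTries:3 ClientAliveInterval:300 ClientAliveCountMax:3; do
    check_directive "$1" "${pair%%:*}" "${pair##*:}" || fails=$((fails + 1))
  done
  echo "failures=$fails"
}

audit_sshd "$CFG"
```

Against a live host, set SSHD_CONFIG=/etc/ssh/sshd_config and remove the heredoc; note that Include directives and Match blocks are not expanded by this simple parser, so compare with `sshd -T` for the fully resolved values.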
Automated Compliance Scanning
# Install OpenSCAP
sudo apt install openscap-scanner scap-security-guide

# Scan system against CIS profile
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
  --results scan_results.xml \
  --report scan_report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml

# Generate HTML report
oscap xccdf generate report scan_results.xml > compliance_report.html
SCAP (Security Content Automation Protocol)
SCAP Components
  • XCCDF - Checklist specification
  • OVAL - Vulnerability assessment
  • CPE - Platform identification
  • CVE - Vulnerability enumeration
  • CVSS - Vulnerability scoring
  • CCE - Configuration enumeration
SCAP Tools
  • OpenSCAP - Open source implementation
  • SCAP Workbench - GUI tool
  • SCAP Security Guide
  • oscap - Command line tool
  • SCAP Compliance Checker
# Check SCAP content
oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml

8. Log Analysis for Security

Important Security Logs
Linux Security Logs
# Authentication attempts
/var/log/auth.log

# System events
/var/log/syslog

# Security events (RHEL/CentOS)
/var/log/secure

# Fail2ban blocking events
/var/log/fail2ban.log

# Apache/Nginx access logs
/var/log/apache2/access.log
/var/log/nginx/access.log
Windows Security Logs
# Event Viewer locations
# Windows Logs -> Security
# Windows Logs -> System
# Applications and Services -> Microsoft -> Windows

# Important Event IDs
4624 - Successful login
4625 - Failed login
4648 - Logon with explicit credentials
4672 - Special privileges assigned
4720 - User account created
4732 - User added to enabled security group
Log Analysis Tools
Command Line Tools
# grep for pattern matching
sudo grep "Failed password" /var/log/auth.log

# awk for more advanced parsing: count failed logins per source IP.
# The IP is the field after "from"; its position shifts when the line says "invalid user", so a fixed $11 is unreliable.
sudo awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' /var/log/auth.log | sort | uniq -c | sort -nr

# tail for real-time monitoring
sudo tail -f /var/log/auth.log | grep -i fail

# journalctl for systemd journal logs
journalctl -u ssh --since "1 hour ago" | grep -i fail
Custom Monitoring Script
#!/bin/bash
# security_log_monitor.sh

LOG_FILE="/var/log/auth.log"
ALERT_FILE="/var/log/security_alerts.log"
THRESHOLD=3

# tail -F keeps following after log rotation; read -r keeps backslashes in the line intact
tail -F "$LOG_FILE" | while read -r line; do
  if echo "$line" | grep -q "Failed password"; then
    # Take the field after "from" rather than a fixed field number (position shifts for "invalid user" lines)
    IP=$(echo "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }')
    echo "$(date): Failed login from $IP" >> "$ALERT_FILE"

    # Count failures for this exact IP (anchored, so 10.0.0.1 does not also count 10.0.0.10)
    FAIL_COUNT=$(grep -c "from ${IP}\$" "$ALERT_FILE")
    if [ "$FAIL_COUNT" -gt "$THRESHOLD" ]; then
      echo "$FAIL_COUNT failed logins from $IP on $(hostname)" | mail -s "Security Alert" admin@company.com
    fi
  fi
done
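The script above alerts line by line as the log grows. Its batch counterpart, as an added example that is not part of the slides, counts failures per source IP over a constructed auth.log sample; it handles both sshd message forms ("for root from IP" and "for invalid user x from IP") by taking the field after "from", and matches IPs exactly when applying the threshold.

```shell
#!/bin/sh
# Added example (not from the slides): failed SSH logins per source IP from auth.log.
# sshd writes either "Failed password for USER from IP ..." or
# "Failed password for invalid user USER from IP ...", so the IP is located by the word "from".
AUTHLOG="${AUTHLOG:-/tmp/auth.log.sample}"

# Constructed sample lines (documentation-range IPs); one IP fails four times, two fail once
cat > "$AUTHLOG" <<'EOF'
Mar  1 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  1 10:00:03 web01 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  1 10:00:05 web01 sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51024 ssh2
Mar  1 10:00:07 web01 sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51025 ssh2
Mar  1 10:01:00 web01 sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Mar  1 10:02:11 web01 sshd[1215]: Failed password for deploy from 198.51.100.7 port 40111 ssh2
Mar  1 10:02:30 web01 sshd[1216]: Failed password for root from 198.51.100.70 port 40112 ssh2
EOF

# Failures per IP in log $1, most frequent first, one "count ip" per line
failed_by_ip() {
  awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# IPs whose failure count is strictly greater than threshold $2 (exact IP match via uniq, not substring)
suspicious_ips() {
  failed_by_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

echo "Failed logins per IP:"
failed_by_ip "$AUTHLOG"
echo "Over threshold (3):"
suspicious_ips "$AUTHLOG" 3
```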

9. Automated Security Monitoring

OSSEC - Host-based Intrusion Detection
Installation & Setup
# Install OSSEC
sudo apt install ossec-hids

# Configuration
sudo vi /var/ossec/etc/ossec.conf

# Start services
sudo /var/ossec/bin/ossec-control start
sudo /var/ossec/bin/ossec-control status

# Log monitoring
sudo tail -f /var/ossec/logs/alerts/alerts.log
OSSEC Configuration
# Example ossec.conf rules
<rule id="1002" level="0">
  <match>^Failed password</match>
  <description>Failed password attempt.</description>
</rule>

<rule id="1003" level="5">
  <if_sid>1002</if_sid>
  <same_source_ip />
  <frequency>5</frequency>
  <description>Multiple failed passwords from same IP.</description>
</rule>
Wazuh - Modern Security Monitoring
Wazuh Agent Installation
# Add the Wazuh repository key and source (signed-by keyring instead of the deprecated apt-key)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

# Install the agent
sudo apt update
sudo apt install wazuh-agent

# Configure the agent (set the manager address under <client><server><address>)
sudo vi /var/ossec/etc/ossec.conf

# Start the agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Wazuh Server Setup
# Install the Wazuh manager (same repository key and source as for the agent)
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import
sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo apt install wazuh-manager

# Start the Wazuh manager
sudo systemctl daemon-reload
sudo systemctl enable wazuh-manager
sudo systemctl start wazuh-manager

# Access the web interface (the Wazuh dashboard, installed separately from the manager)
# https://localhost

10. Security Reporting and Documentation

Components of an Audit Report
  • Executive Summary: summary for management
  • Methodology: the audit methodology used
  • Findings: vulnerabilities and issues discovered
  • Risk Assessment: risk analysis for each finding
  • Recommendations: remediation recommendations
  • Appendices: detailed technical data
Security Report Template
Report Template Structure
# System Security Audit Report
## Date: [Date]
## Auditor: [Name]
## Scope: [Systems Audited]

## Executive Summary
[Summary of the main findings and risks]

## Key Findings
### 1. [High Risk Finding]
- **Risk Level**: High
- **Description**: [Finding details]
- **Recommendation**: [Remediation recommendation]
- **Remediation Timeline**: [Time to fix]

### 2. [Medium Risk Finding]
- **Risk Level**: Medium
- **Description**: [Finding details]
- **Recommendation**: [Remediation recommendation]
- **Remediation Timeline**: [Time to fix]

## Appendix: Technical Details
[Technical data, screenshots, log excerpts]

11. Security Audit Best Practices

Planning and Preparation
Pre-Audit Activities
  • Define a clear scope and objectives
  • Obtain proper authorization
  • Back up systems before testing
  • Schedule during maintenance windows
  • Prepare a communication plan
  • Document the baseline configuration
Execution Guidelines
  • Document all steps and findings
  • Use multiple tools for cross-verification
  • Validate findings before reporting
  • Maintain confidentiality of findings
  • Follow established methodologies
  • Minimize impact on production systems
Post-Audit Activities
  • Review Findings: review the findings with stakeholders
  • Develop Plan: develop a remediation plan
  • Follow-up: schedule follow-up audits

Continuous Improvement: update security policies based on the lessons learned from each audit cycle.

12. Case Study: Comprehensive Security Audit

Scenario:

A mid-size company with 3 servers (Web, Database, File) needs a thorough security audit for ISO 27001 compliance.

Audit Plan:
1. Information Gathering
  • System and network topology documentation
  • Hardware and software inventory
  • User account review
  • Policy documentation collection
2. Vulnerability Assessment
  • Scans with Lynis, OpenVAS, Nmap
  • Web application testing
  • Database security review
  • Network segmentation check
3. Configuration Review
  • Check compliance with CIS Benchmarks
  • OS hardening assessment
  • Application configuration review
  • Access control evaluation
4. Log Analysis & Reporting
  • Review security logs for suspicious activities
  • Incident response capability assessment
  • Backup and recovery testing
  • Compliance gap analysis
Tools Matrix (server type: assessment tools; key focus areas):
  • Web Server: Lynis, Nikto, Nmap, AIDE; web app security, SSL/TLS, access controls
  • Database Server: Lynis, CIS Benchmark, custom queries; database hardening, user permissions, encryption
  • File Server: Lynis, ClamAV, AIDE, chkrootkit; file permissions, malware scanning, backup integrity

Learning Summary

In this session we covered comprehensive security auditing, including the tools, methodology, and best practices for security assessment.

Key Takeaways:
  • Understanding the different types of security audit
  • Using tools such as Lynis, OpenVAS, AIDE
  • Vulnerability assessment methodology
  • Compliance frameworks and reporting
Next Topic Preview:

Next session: System Performance Monitoring - monitoring tools and performance optimization.

CEN3303 - System Administration

Complete learning module for System Administration

© 2025 D3-Teknik Komputer - Politeknik Negeri Padang

Developed by H.A. Mooduto