Contents

• Most needed defenses
• System Security Checklist
• Other resources

Unix System Security Checklist

It is not sufficient to just go through this list once, as many of these things will change over time. You should periodically "audit" your network, or install tools that will automatically monitor some aspects of system security and notify you of anything that is discovered. Even then, there is still the potential for successful attacks (through modems or any network or terminal connections). You should never consider your systems 99.999% safe unless there is no way to get in besides the keyboard at the console (to be 100% safe, you must also remove the power supply!)

• Account Security
  • Inform users of "good" password selection criteria, and use either a pro-active password checker or a password cracking program to verify that passwords are secure (e.g., ftp://sable.ox.ac.uk/pub/comp/security/software/crackers/)
  • If desired, and your system supports it, implement a password generator which generates "good" passwords (avoid being too clear about how the program works, since this simplifies writing attack programs)
  • If desired, and your system supports it, implement password aging
  • If your system supports it, implement a shadow password file (e.g., Shadow from ftp://ftp.cs.widener.edu/pub/src/adm/)
  • Place expiration dates on, and periodically "expire", all accounts to eliminate unused accounts
  • Carefully restrict guest accounts, using restricted shells if possible
  • Do not leave "idle" (i.e. unused) guest accounts enabled
  • Password protect all well-known accounts that must be on the system; delete well-known accounts that are not needed
  • Make sure all accounts have passwords or "*" in the password field
  • Eliminate group and shared accounts, replacing them with groups instead
  • Avoid placing the current directory (".") in your (especially root's) search path
  • Make sure default file protections for newly created files do not allow group/world read/write access by using a "umask" value of 022, 027, or 077, especially on the root account
  • Codify rules and policies for operating as the "super user"; use "su -" instead of logging in as root to monitor use of the root account--then monitor the log files to see when this account is used
  • Write-protect the "root" account's startup files and home directory
  • Disable message permission using the mesg command if you are using a terminal with block-mode transmission features or remotely programmable function keys
  • Minimize the number of accounts on servers and "critical" hosts
  • Minimize the number of users with "super user" privileges
  • Check account security with a tool like COPS or Tiger

• Network Security
  • Check the CERT archives for advisories regarding known problems with your version of Unix
  • sendmail
    • Check your version of sendmail to ensure it is secure
    • Ensure the "decode" alias in the aliases file is disabled
    • Ensure that there is no "wizard" password in the sendmail.cf file
    • Ensure that there is no "debug" command
    • Ensure your versions of /bin/mail and /bin/rmail are secure
  • Ensure a properly secure and configured ftpd daemon is used (see http://www.cert.org/tech_tips/anonymous_ftp_config.html for information on configuration; a secure replacement is the Washington University ftpd)
  • Check that your version of TFTP is secure or disabled
  • Check that your version of fingerd is secure
  • Remove unnecessary services from the /etc/inetd.conf file and run the remaining services with as few privileges as possible (e.g., run fingerd as user "nobody", or some other regular user rather than "root")
  • If supported, enable logging of all (i.e., both successful and failed connections) for network services, or--better yet--use the TCP wrapper or xinetd program to both log connections and use access control lists to limit access to network services to as few hosts as possible
  • Replace portmap with one which can restrict access ala TCP wrappers
  • To prevent DNS hostname spoofing:
    • Put trusted hostnames in /etc/hosts
    • Search /etc/hosts in preference to DNS
  • When using NFS:
    • Ensure that no file systems are exported to the world or to untrusted hosts
    • Use the "-access" option on all file systems in the exports (or dfstab) file
    • Do not allow untrusted workstations to mount file systems with "root" access enabled (this still allows untrusted "root" users to "fake" other users, however)
    • Minimize the number of exported file systems
    • Make sure NFS servers require that clients use privileged ports
    • Understand that root on a client can always become any non-root NFS user
    • Understand any OS-Version-Specific NFS bugs on your system (send email to help@cac.washington.edu for assistance from NDC)
    • Use the mountd options which cross-check PTR and ADDR hostname lookups (and do DNS spoofing prevention steps)
  • When using NIS:
    • Replace portmap as explained above
    • Avoid using NIS if possible; if you do use it, choose a "hard to guess" NIS-domain name
    • Use "+:" instead of "+::0:0:::" in the password file
    • Be sure the NIS maps are writable only by "root"
    • Check "+" lines in passwd and group files
    • Realize that NIS passwords (and other maps) are visible on the network, so take extra care that users choose "good" passwords and change them frequently
  • When using the X Window System:
    • Make use of any access control mechanisms provided by the operating system and window system to prevent theft of workstation display contents or keystrokes
    • Inform users to not use the 'xhost +' command and/or disable it
    • Check for xsessions files with 'xhost +' enabled and stop doing this
    • Disable broadcast and/or indirect XDM requests for any X terminals that you don't explicitly want to support (the default from MIT is for XDM to accept a broadcast or indirect request from any X terminal)
    • See also: Safely Using the X Window System and "Securing X Windows" by John Fisher of CIAC
  • When possible, disable any packet monitoring (a.k.a., "promiscuous mode") capabilities of the kernel and/or network interface and do not provide the ability to rebuild the kernel or otherwise re-enable this feature on the system
  • Monitor security of systems on your network with tools like ISS and SATAN; Watch for people using ISS and/or SATAN on your systems with tools like Courtney and TCP wrapper
  • Ensure hosts.equiv contains only local hosts and no "+"
  • Do not allow .rhosts files in users' home directories; only use local hosts in "root" .rhosts file, if any
  • Do not allow .netrc files in users' home directories
  • Terminals/modems/terminal servers:
    • If you system provides the capability, designate public terminals as "insecure" in the ttys or ttytab file; If desired (especially on public workstations), designate "console" as "insecure" as well (ensure that "root" has some way to log in, however)
    • Ensure modems and terminal servers handle hang-ups correctly (i.e. terminate login sessions)
    • Consider the use of dial-back modems or dial-back software
    • If supported, enable passwords on terminal servers
  • Know who is sharing your subnet and make sure you trust them (or protect your self from them)

• Hardware (physical) Security
  • If possible, install a version of the PROM monitor that either does not provide (or at least password protects) the commands to examine and change memory contents
  • If possible, ensure that workstations cannot be taken into single-user mode without providing the "root" (or a PROM monitor "hardware") password

• File System Security
  • Set appropriate file permissions on all files
  • Do not allow set-user-id or set-group-id shell scripts on the system
  • Check all "nonstandard" set-user-id and set-group-id programs for security
  • Remove the set-user-id bit from /usr/etc/restore
  • Set the "sticky" bit on any world-writable directories
  • Ensure the appropriate permission modes are set on devices in the /dev directory
  • Implement some form of checklist scheme to check the file system for unauthorized modifications (e.g., using the tripwire and/or Riacs programs)
  • Implement and use a comprehensive backup scheme (e.g., doing Level 0 dumps at least monthly and incremental dumps at least bi-weekly)
  • Check file system security with a tool like COPS or Tiger

• General Security Policies/Procedures
  • Monitor account security regularly
  • Make sure someone receives security bulletins and notes from organizations like CIAC and CERT
  • Learn how to detect attacks and watch your system regularly; a tool to help watch system events is Watcher
  • Monitor system log files, consolidate them on a single, secured system, and/or print security-related messages to a secure line printer; you can automate some of the log file monitoring process with a tool like Swatch (Note: if you have crontab jobs that periodically "roll over" your log files, be sure to restart swatch at the same time)
  • Set policies for users that ensure they know what to/not to do on the system, for example:
    • Not to give out their password, or change it, because someone claims (in email or on the phone) that they are fixing a security problem
    • Not leaving their terminal unattended while logged on
    • Notifying the system administrator immediately if they notice their account has been accessed or strange files are discovered in their account
    The Electronic Frontier Foundation has examples of acceptable use policies; guidelines on procedures, policies, and incident handling can also be found in RFC 2196 - Site Security Handbook
  • MONITOR YOUR SYSTEM LOG FILES (this can't be said too many times)

AUSCERT has a very detailed security checklist you may wish to also read.

Also see the Defense Information Infrastructure (DII) Common Operating Environment (COE) Information Security (INFOSEC) checklist. [Personally, I don't think it includes enough acronyms.]

Internet Security Systems, Inc. maintains a list of security related FAQs

You should also visit the CERT web site. There you will find such gems as:

• UNIX Configuration Guidelines
• Intruder Detection Checklist
• List of Security Tools
• Many other tech tips