Protos Reference Information
Unix Security Review
(1999)

This is a checklist any Unix administrator can use as a guideline to help increase their system security. It is not a case-by-case set of rules: pick and choose from it to suit each server environment.

Different areas are only applicable to the type of security you need to be concerned with. In general you have two primary issues when it comes to security: accessibility and users. For each of these you need to decide whether it is classifiable as trusted or public. A publicly accessible server is one which resides on the Internet, or on an open intranet where untrusted nodes on the network can gain full connectivity to the server. A server with trusted accessibility resides on a secured private network; access to it is usually made through a highly restrictive firewall, or all nodes on the network are fully trusted. Users are the second factor. If there is a possibility of untrusted users, then you have a public user base. If all users are trusted, i.e. the root password could be provided to all of them (but isn't), then it is a trusted user base.

Make note: While I try to follow this same list on every system I administer, there are often a few items on the list which are inapplicable or inappropriate for the system.

General terms:

System Account
Any account with UID zero (should have the username "root"; it is unknown whether any system varies from this username).
System Group
Any group with GID zero (can have the group name "wheel", "system" or "root". There may be other variant names).
Privileged Account
Any vendor-default account, usually under UID 10 or possibly under UID 100. These commonly include the usernames: root, daemon, operator, bin, man, uucp, sys, adm, lp. In addition the following accounts may exist but do not likely require additional privileges: nobody, xten, games, news.
Privileged Group
Any vendor-default group, usually under GID 10 or possibly under GID 100. These commonly include the group names: wheel, daemon, kmem, sys, tty, operator, mail, bin, news, man, games, staff, uucp, xten, dialer, network, other, adm, lp, users.

Policies

It is important to have formal standards and procedures defined. These should not only include usage and behaviour policies, but should also define rules to ensure monitoring and policy enforcement occur.

Monitoring/Logging

Automated monitoring mechanisms exist, watching for anything from the following list and reporting by an appropriate means.

Privileged Account/Group Issues

General Account Issues

Account Creation Issues

Account Removal Issues

Passwords

  • Password file is shadowed
  • All accounts with login access have passwords
  • Passwords expire on a regular schedule for all accounts
  • Privileged accounts have a regular unannounced password change (at least every 60 days)
  • All vendor supplied account passwords (or lack thereof) should be changed immediately upon installation or upgrade
  • A password checking program is run on a regular basis (such as every 30 days) to verify that users do not have easily guessable passwords, or a mechanism exists to disallow such passwords from being set
  • Passwords are all complex, unique and not easily guessed
  • Passwords are not stored in command files or shell scripts
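The password-file checks above, and the System Account definition earlier on the page, can be audited mechanically. The following is an added example, not part of the original checklist: POSIX shell and awk over a constructed passwd/shadow pair (the sample entries, hashes and the `mktemp` location are assumptions; the checks assume Linux/BSD-style field layouts).

```sh
#!/bin/sh
# Constructed sample passwd and shadow files (not from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/:/sbin/nologin
guest:x:1001:100:guest:/home/guest:/bin/sh
legacy:abc123hash:1002:100:legacy user:/home/legacy:/bin/sh
svc:x:1003:100:service:/home/svc:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$salt$hash:10957:0:60:7:::
toor:$6$salt$hash:10957:0:99999:7:::
daemon:*:10957:0:99999:7:::
guest::10957:0:99999:7:::
legacy:$6$salt$hash:10957:0:90:7:::
svc:!:10957:0:99999:7:::
EOF

# UID-0 accounts other than "root" (the page's System Account definition).
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Accounts whose passwd entry still carries a hash: the file is not fully shadowed.
unshadowed() { awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"; }

# Accounts with a login shell in passwd ($1) but an empty password field in shadow ($2).
empty_passwords() {
  awk -F: 'NR == FNR { if ($7 !~ /nologin|false/) login[$1] = 1; next }
           ($1 in login) && $2 == "" { print $1 }' "$1" "$2"
}

# Unlocked accounts whose maximum password age is unset or 99999 (never expires).
never_expire() {
  awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

echo "Extra UID 0:";      extra_uid0      "$SAMPLE_DIR/passwd"
echo "Unshadowed:";       unshadowed      "$SAMPLE_DIR/passwd"
echo "Empty passwords:";  empty_passwords "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
echo "Never expire:";     never_expire    "$SAMPLE_DIR/shadow"
```

Point the functions at the real /etc/passwd and /etc/shadow (as root) to run the same checks on a live system.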

File/Directory Permissions

Shell Access

  • Network access is only available via an encrypted shell session (ssh/secure shell or ssl telnet)
  • Network access is available via ssh and telnet
  • Network access is limited to known hosts--public access is through a blackbox proxy server
  • Full shell access is available via a modem
  • Restricted shell access is available via modem
  • Modem phone numbers are confidential and only distributed to a limited group of people
  • Additional measures exist to secure modem access (such as key cards or dial-back service)

Network Services

  • TCP Wrappers are installed to limit access to services
  • IP services use standard IETF-defined ports
  • Non-privileged port services (greater than 1023) are approved
  • RPC services have been reviewed and limited to the necessary set
  • All Internet services which are not needed are discontinued, specifically: echo, discard, daytime, chargen, finger
  • Less secure services are disabled, including: shell (remsh), login (rsh), tftp
  • Additional service configurations have been reviewed for potential security issues, specifically: ftp, imap, pop
  • ftp access is limited to authorized users, or, if all user logins are denied, only anonymous access is allowed
  • Anonymous ftp access is limited to file creation only (no directory creation, nor deletion of any kind)
  • Download of the password and group files via ftp is disallowed
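The inetd review above (unneeded services, the less secure r-services and tftp, and TCP Wrappers coverage) can be scripted against inetd.conf. This is an added example, not from the original page: it runs over a constructed inetd.conf sample (service names and paths are assumptions in the classic seven-field inetd format).

```sh
#!/bin/sh
# Constructed inetd.conf sample (not from a real host).
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# service type proto wait user server args
ftp     stream tcp nowait root   /usr/sbin/tcpd        in.ftpd -l
telnet  stream tcp nowait root   /usr/sbin/tcpd        in.telnetd
#shell  stream tcp nowait root   /usr/sbin/tcpd        in.rshd
login   stream tcp nowait root   /usr/sbin/in.rlogind  in.rlogind
finger  stream tcp nowait nobody /usr/sbin/tcpd        in.fingerd
chargen stream tcp nowait root   internal
tftp    dgram  udp wait   root   /usr/sbin/in.tftpd    in.tftpd /tftpboot
pop3    stream tcp nowait root   /usr/sbin/tcpd        ipop3d
EOF

# Service lists straight from the checklist.
UNNEEDED="echo discard daytime chargen finger"
INSECURE="shell login tftp"

# Print uncommented services from $1 whose name is in the list $2.
active_in_list() {
  awk -v list="$2" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^[[:space:]]*#/ || NF == 0 { next }
    ($1 in want) { print $1 }' "$1"
}

# Active services not started through tcpd (TCP Wrappers) and not inetd-internal.
unwrapped() {
  awk '/^[[:space:]]*#/ || NF == 0 { next }
       $6 != "internal" && $6 !~ /tcpd$/ { print $1 }' "$1"
}

echo "Unneeded but active:"; active_in_list "$SAMPLE_INETD" "$UNNEEDED"
echo "Insecure but active:"; active_in_list "$SAMPLE_INETD" "$INSECURE"
echo "Not wrapped:";         unwrapped "$SAMPLE_INETD"
```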

Common Network Services in more detail

SMTP (Mail)

  • VRFY and EXPN commands are disabled
  • Relaying is limited to local approved hosts only
  • MAIL FROM must be a valid DNS address

NIS (Network Information Services)

  • Only valid, authorized and known hosts are listed in the NIS hosts file
  • Only hosts on the local network are listed within the NIS hosts file
  • The root user is not included in the NIS password file
  • Users listed in the NIS password database are limited to those who require domain wide access
  • All user identification codes defined in the NIS password file have a password (following same password rules set above)

NFS

  • All exported mount points specify the nosuid option (effectively removing suid bits from any suid programs, and disallowing creation of them)
  • Read-only NFS is used for any filesystem where write access is not a requirement, specifically including any filesystem holding system files such as shared libraries and configuration files (e.g. /usr).
  • The root filesystem is never exported
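The three NFS items above (nosuid on every export, read-only where possible, never export /) can be checked against the exports file. This is an added example, not from the original page; it assumes Linux-style /etc/exports syntax (`path client(opts) ...`), and the sample entries are constructed.

```sh
#!/bin/sh
# Constructed /etc/exports sample (Linux syntax; other vendors differ).
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# path          client(options) ...
/usr            client1(ro,nosuid) client2(ro,nosuid)
/home           client1(rw,nosuid)
/export/data    client1(rw) client2(rw,nosuid)
/               client1(ro)
EOF

# Export entries (path + client spec) that do not set nosuid.
missing_nosuid() {
  awk '/^[[:space:]]*#/ || NF == 0 { next }
       { for (i = 2; i <= NF; i++) if ($i !~ /nosuid/) print $1, $i }' "$1"
}

# Export entries that grant write access; each needs a justification.
writable() {
  awk '/^[[:space:]]*#/ || NF == 0 { next }
       { for (i = 2; i <= NF; i++) if ($i ~ /[(,]rw[,)]/) print $1, $i }' "$1"
}

# Exit status 0 if the root filesystem is exported, 1 otherwise.
root_exported() {
  awk '/^[[:space:]]*#/ || NF == 0 { next }
       $1 == "/" { found = 1 }
       END { exit !found }' "$1"
}

echo "Missing nosuid:"; missing_nosuid "$SAMPLE_EXPORTS"
echo "Writable:";       writable "$SAMPLE_EXPORTS"
root_exported "$SAMPLE_EXPORTS" && echo "WARNING: / is exported"
```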

Copyright © 2004, Protos LLC