UNIX
The following sets of configuration guidelines are broad enough to address basic elements of System V- and BSD-based UNIX systems. In-depth configuration guidelines can also be found on the Australian CERT web site, http://www.auscert.org.au/render.html?cid=7. Specific guidance for your vendor and version should be obtained through your reseller or the vendor directly.
Versions and Patches for UNIX
- Verify that the OS is running the most current and stable kernel.
- Obtain OS and the default application patches from the vendor's web site.
- Verify the integrity of all patches by validating MD5 checksums with md5sum (and PGP signatures or other mechanisms where the vendor provides them).
- Apply missing or needed patches.
- Periodically apply new security patches as they become available. Join security mailing lists (see the Appendix for links) for security vulnerability information updates. It is very important to keep apprised of the latest alerts, warnings, and trends.
Account Security for UNIX
- Ensure that a password has been set for all accounts.
- Ensure that passwords are not easily guessed and do not violate corporate password policies.
- Enable password aging.
- Consider using OPUS or a similar complexity requirement tool.
- Consider using one-time passwords, or another two-factor authentication package such as RSA SecurID.
System Services for UNIX
- Disable all or unnecessary ICMP requests on external and host-based firewalls.
- Identify running services via netstat -anp.
- Disable unneeded services as identified by PID in appropriate inetd.conf file or xinetd.d directory.
- Disable unneeded services running from a startup script by the following methods:
- If the system is System V (SysV), this can be done by removing the execute bit from scripts in /etc/init.d (or /etc/rc.d/init.d) or by changing the first character of the script name from an uppercase K or S to a lowercase k or s for all corresponding run levels (for example, /etc/rc.d/rc3.d).
- If the system is BSD, /etc/rc and /etc/rc.boot generally control startup, and the configuration file /etc/rc.conf would be used to control service startup.
- Consider disabling Loadable Kernel Modules (if supported by your operating system) to prevent LKM rootkits.
- Disable source routing. Apply a filter at network boundaries ensuring that packets coming from external sources do not contain the IP addresses of internal hosts.
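As an added example (not part of the original checklist), POSIX sh functions that list the services started at a SysV run level and disable one by lowercasing its S link, as described above. The /etc/rc.d/rcN.d layout of S##name and K##name links is assumed, and demo_dir() builds a constructed directory so the functions can be tried without touching the live system.

```shell
#!/bin/sh
# List services enabled in a run-level directory: every entry whose name
# starts with an uppercase S is started when init enters that run level.
list_enabled_services() {
    dir=$1
    for f in "$dir"/S[0-9][0-9]*; do
        [ -e "$f" ] || continue          # no matches: the glob stays literal
        name=$(basename "$f")
        printf '%s\n' "${name#S[0-9][0-9]}"   # strip the S and sequence number
    done
}

# Disable a service at one run level by lowercasing the leading S, as the
# checklist describes; init ignores names that do not start with S or K.
# Returns 1 when no enabled link for the service exists in that directory.
disable_service() {
    dir=$1; svc=$2
    for f in "$dir"/S[0-9][0-9]"$svc"; do
        [ -e "$f" ] || { echo "no enabled $svc in $dir" >&2; return 1; }
        name=$(basename "$f")
        mv "$f" "$dir/s${name#S}"
    done
}

# Constructed demo tree standing in for /etc/rc.d/rc3.d (assumed layout);
# a real audit would point the functions at the live directory instead.
demo_dir() {
    d=$(mktemp -d)
    touch "$d/S55sshd" "$d/S60nfs" "$d/S80sendmail" "$d/K20portmap"
    echo "$d"
}
```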
User Accounts for UNIX
- Ensure that only one superuser account (UID 0) exists.
- Ensure that accounts are disabled after several bad login attempts.
- Ensure that root can only log in at the console (/etc/security).
- Never log in directly as root. Instead use "su" to log into root and "sudo" for program executions.
- Enable timeouts on inactive accounts.
- Periodically check that there are no stale accounts for users who no longer need access.
- Ensure that user accounts aren't shared.
File System Permissions for UNIX
- Remove unneeded .exrc files where possible.
- Verify that environment paths call on system directories first.
- Limit a user's file system volume.
- Verify that the umask for programs is 022.
- External file systems should be mounted read only with NO SUID set when possible.
- Logging and messaging directories should be set to 644.
- Limit users from reading rc scripts and authentication files.
- Review need of SUID and SGID settings.
- Review any world writable files.
- Review the /dev entries to be sure they are legitimate.
- Review all bin owned files that are not SUID or SGID, and transfer ownership as appropriate to root.
- Review the kernel and system directories for proper root ownership.
- Ensure that the user umask value setting is 027 or 077 to prevent unnecessary disclosure.
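The SUID/SGID, world-writable, ownership and umask checks from the list above as POSIX sh functions (an added example, not from the original checklist). Run them against / on a real host; demo_tree() builds a constructed directory so they can be tried safely first.

```shell
#!/bin/sh
# SUID or SGID regular files under a root: every hit should be a known,
# needed binary; anything else is a candidate for removing the bit.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable regular files. Directories without the sticky bit would be
# a separate pass: find ROOT -type d -perm -0002 ! -perm -1000.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Files owned by a given user that carry neither SUID nor SGID; the checklist
# suggests moving such bin-owned files to root (run with USER=bin on a host).
find_owned_without_setid() {
    find "$1" -type f -user "$2" ! -perm -4000 ! -perm -2000 2>/dev/null
}

# Returns 0 if the current umask is one of the recommended user values
# (027 or 077); shells print it as 027, 0027, 077 or 0077.
umask_is_restrictive() {
    case $(umask) in *027|*077) return 0 ;; esac
    return 1
}

# Constructed tree: one SUID file, one SGID file, one world-writable file
# and one plain file, so each check above has something to find.
demo_tree() {
    d=$(mktemp -d)
    touch "$d/setuid_tool" "$d/setgid_tool" "$d/scratch" "$d/plain"
    chmod 4755 "$d/setuid_tool"
    chmod 2755 "$d/setgid_tool"
    chmod 666 "$d/scratch"
    chmod 644 "$d/plain"
    echo "$d"
}
```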
Logging for UNIX
- Ensure that a logging server is configured.
- Log successful and failed logins.
- Implement account inactivity timeouts for failed logins.
- Enable process logging when possible.
- Monitor failed su attempts.
- Upgrade logging daemon or use tools that can aid in logging, such as TCP Wrappers.
Integrity Checking for UNIX
- Obtain a snapshot of the "golden system" before deploying with a tool such as Tripwire.
- Monitor the system binaries with Tripwire.
- Consider using automated tools to periodically review file ownership.
- Monitor all root or administrator activity and changes.
Network Services for UNIX
- If possible, disable any banners that disclose version information.
- TCP Wrappers should be used, and filtering should be configured. Two configuration files are used to control filtering. TCP Wrapper is available at ftp://ftp.porcupine.org/pub/security/:
- The file /etc/hosts.allow should contain a list of hosts and services that are allowed to connect to the system. It should also contain the line "all:all:deny" at the end of the file to explicitly deny traffic.
- The file /etc/hosts.deny should contain a list of hosts and services that are denied access to the system. The line "all:all" should be present in this file to deny all hosts and services.
- Enable a host-based firewall such as iptables, bpf, pf, or ipchains, and restrict access to only required services if possible.
- The r commands (such as rsh, rexec, rlogin, etc.) should be disabled when possible:
- If r commands are required, the use of $HOME/.rhosts should be disabled and the /etc/hosts.equiv file should only contain a few trusted hosts. Please consult your system documentation for more information.
- NFS should be disabled if possible:
- If NFS is required, only export the file systems that are required and disallow write permission when possible. The exports file (typically /etc/exports) should contain only fully qualified host names and should not contain localhost. The command showmount -e can be used to see what is currently exported.
- NFSBug (available at ftp://ftp.cs.vu.nl/pub/leendert/nfsbug.shar) can test NFS security.
- Ensure that ACLs have been correctly set to disable access to your X Window System server. The xhost command can be used to view, add, and remove access to X.
- NIS should be disabled if not needed or NIS+ used instead and access restricted properly; pluggable authentication modules (PAM) are also available.