Unix Security Checklist

This document shows system administrators how to secure their systems better. There are no guarantees of its completeness.

In addition, the author takes no responsibility if a person misuses this information. There are many versions of Unix. This paper gives examples for HP-UX.

For a longer version, please see UNIX Computer Security

Physical Security

1. Console security 
   1. Locked room (with limited number of keys)
   2. No alternate way into room (raised floors/ceilings)
   
   
2. Data Security 
   1. Backups stored in safe place & offsite data recovery scheme in place
   2. Computers on a UPS to guarantee stable power
   3. Secure network cables from exposure
   4. Lock cabinets with sensitive information
   5. Destroy sensitive printouts/tapes
   
   
3. Users practice secure measures 
   1. Lock screen (or logout) when away from desk
   2. No written passwds/passwd hints on desk
   3. Careful use of xauth/xhost so others can not read screen
   
   
4. NO welcome banner on site (Only authorized access allowed) 

Network Security

1. Filtering 
   1. Do not enable services you are not using (inetd.conf)
   2. Create access control lists /var/adm/inetd.sec to say what hosts can connect
   3. Filter out unnecessary services at router - only allow services you want
   4. TCP wrappers for logging as needed
   5. If you are on the Internet, build a firewall
   
   
2. Prevent spoofing 
   1. Router Mods
      1. Turn off source routing
      2. Apply a filter that guarantees that packets coming in from the outside network do not have a source IP address that matches the inside network
   2. Qualified hostnames only in any system file (NFS, hosts.equiv ....)
   3. No hosts.equiv or .rhosts if possible (cron job remove non-agreed upon ones)
   4. .rhost and .netrc files (if allowed), permissions must be 600
   
   
3. Telnet Security 
   1. Use ssh instead.
   2. Limit telnet to specific IPs (if you MUST use it)
   3. Turn off permissions for root to login directly (except console).
   
   
4. FTP Security 
   1. Make sure you have /etc/ftpusers w/ all system accounts (uucp, bin. root ..)
   2. Minimal permissions/minimal accounts
   3. Always use FTP logging and look at logs
   4. Make directories unwriteable if possible
   
   
5. Modem Security 
   1. All modems should have additional dial-up passwd
      1. make sure /etc/d_passwd passwds are non-guessable using CRACK
      2. One passwd per user; disable when user no longer needs access
   2. All dial-up modems should log users out upon disconnect (hupcl in /etc/gettydefs)
   
   
6. SATAN will find many of these problems
   
7. SNORT will monitor to see if you are being attacked (freeware IDS)

Account Security

1. Password Security 
   1. All accounts MUST have passwd field filled
   2. Only root should have UID 0
   3. Password not guessable (crack on regular basis)
   4. Password not written down
   5. No pictures on desk that are password
   6. Password aging
   7. One-time use passwords
   8. HP can use trusted system package (via SAM) - if NOT using NIS or NIS+
   9. No .netrc files
   10. Accounts should be disabled when there are several bad logins in a row
   
   
2. Root Accounts 
   1. Root can only log into console (/etc/securetty)
   2. Check root dot files; NEVER have "." in path
   3. Limited number of users
   4. Use strong passwd
   5. ALWAYS logout of root shells; never leave root shells unattended
   6. Change root passwd every 3 months & whenever someone leaves company
   7. Login as normal user & use "su"
   8. Sensible umasks (077 if possible) [though many times it is more practical to have it be 022]
   9. Always use full path when not at console
   10. Never allow non-root write access to ANY directories in root's path
   11. No tmp files in publically writable directories (if possible)
   
   
3. Guest Accounts 
   1. Limited time, only when needed
   2. Use non-standard names - not guest
   3. Use strong passwd
   4. Use a restricted shell
   5. Sensible umasks (077 if possible)
   
   
4. User Accounts
   
   1. Remove accounts upon termination
   2. Accounts should NOT be shared
   3. Disable login for well known accounts (bin,sys,uucp)
   4. Sensible umasks (077 if possible)
   5. Use a restricted shell when possible

File System Security

1. NFS Security 
   1. Only run NFS as needed, apply latest patches
   2. Careful use of /etc/exports (or /etc/dfs/dfstab for SUN)
   3. Read-only if possible
   4. No suid if possible
   5. Fully qualified hostnames
   
   
2. Device Security 
   1. Device files /dev/null, /dev/tty & /dev/console should be world writeable but NEVER executable
   2. Most other device files should be unreadable and unwriteable by regular users
   
   
3. Script Security 
   1. Never write setuid/setgid shell scripts (can break out); write C programs instead
   2. Scripts should ALWAYS have full pathnames
4. Minimal writable filesystems (esp. system files/directories!)
5. Use setuid/setgid only where necessary
6. Make sure that important files are only accessible by authorized personnel
7. COPS will find many of these problems

Security Testing

1. Always have latest security OS patches installed
2. Subscribe to security mailing lists/newsgroups
3. If you do NOT use NIS or NIS+, make your system a HP-UX trusted system for easier system security
4. Test w/ SATAN (network security)
5. Test w/ COPS (Various system checks)
6. Test w/ TIGER (ways for root to be compromised)
7. Test w/ CRACK (passwd checker)
8. Tripwire (detects changes to files)
9. Check btmp, wtmp, syslog, sulog etc. regularly
10. Set up automatic email or paging to warn system administrators of any suspicious behavior.

If your web services are handled by a 3rd party then make sure you have a clear understanding of what their security arrangements are. You can also look at this list of best web hosts and ask each of them about their security setup.

Unix Security Books on Amazon

Unix/Linux Security News