Unix Security Checklist

Unix Tools
unix tutorials, unix security, unix help

Unix Security Checklist

This document shows system administrators how to secure their systems better. There are no guarantees of its completeness. In addition, the author takes no responsibility if a person misuses this information. There are many versions of Unix. This paper gives examples for HP-UX.

For a longer version, please see UNIX Computer Security

Physical Security

Console security
1. Locked room (with limited number of keys)
2. No alternate way into room (raised floors/ceilings)
Data Security
1. Backups stored in safe place & offsite data recovery scheme in place
2. Computers on a UPS to guarantee stable power
3. Secure network cables from exposure
4. Lock cabinets with sensitive information
5. Destroy sensitive printouts/tapes
Users practice secure measures
1. Lock screen (or logout) when away from desk
2. No written passwds/passwd hints on desk
3. Careful use of xauth/xhost so others can not read screen
NO welcome banner on site (Only authorized access allowed)

Network Security

Filtering
1. Do not enable services you are not using (inetd.conf)
2. Create access control lists /var/adm/inetd.sec to say what hosts can connect
3. Filter out unnecessary services at router - only allow services you want
4. TCP wrappers for logging as needed
5. If you are on the Internet, build a firewall
Prevent spoofing
1. Router Mods
  1. Turn off source routing
  2. Apply a filter that guarantees that packets coming in from the outside network do not have a source IP address that matches the inside network
2. Qualified hostnames only in any system file (NFS, hosts.equiv ....)
3. No hosts.equiv or .rhosts if possible (cron job remove non-agreed upon ones)
4. .rhost and .netrc files (if allowed), permissions must be 600
Telnet Security
1. Use ssh instead.
2. Limit telnet to specific IPs (if you MUST use it)
3. Turn off permissions for root to login directly (except console).
FTP Security
1. Make sure you have /etc/ftpusers w/ all system accounts (uucp, bin. root ..)
2. Minimal permissions/minimal accounts
3. Always use FTP logging and look at logs
4. Make directories unwriteable if possible
Modem Security
1. All modems should have additional dial-up passwd
  1. make sure /etc/d_passwd passwds are non-guessable using CRACK
  2. One passwd per user; disable when user no longer needs access
2. All dial-up modems should log users out upon disconnect (hupcl in /etc/gettydefs)
SATAN will find many of these problems
SNORT will monitor to see if you are being attacked (freeware IDS)

Account Security

Password Security
1. All accounts MUST have passwd field filled
2. Only root should have UID 0
3. Password not guessable (crack on regular basis)
4. Password not written down
5. No pictures on desk that are password
6. Password aging
7. One-time use passwords
8. HP can use trusted system package (via SAM) - if NOT using NIS or NIS+
9. No .netrc files
10. Accounts should be disabled when there are several bad logins in a row
Root Accounts
1. Root can only log into console (/etc/securetty)
2. Check root dot files; NEVER have "." in path
3. Limited number of users
4. Use strong passwd
5. ALWAYS logout of root shells; never leave root shells unattended
6. Change root passwd every 3 months & whenever someone leaves company
7. Login as normal user & use "su"
8. Sensible umasks (077 if possible) [though many times it is more practical to have it be 022]
9. Always use full path when not at console
10. Never allow non-root write access to ANY directories in root's path
11. No tmp files in publically writable directories (if possible)
Guest Accounts
1. Limited time, only when needed
2. Use non-standard names - not guest
3. Use strong passwd
4. Use a restricted shell
5. Sensible umasks (077 if possible)
User Accounts
1. Remove accounts upon termination
2. Accounts should NOT be shared
3. Disable login for well known accounts (bin,sys,uucp)
4. Sensible umasks (077 if possible)
5. Use a restricted shell when possible

File System Security

NFS Security
1. Only run NFS as needed, apply latest patches
2. Careful use of /etc/exports (or /etc/dfs/dfstab for SUN)
3. Read-only if possible
4. No suid if possible
5. Fully qualified hostnames
Device Security
1. Device files /dev/null, /dev/tty & /dev/console should be world writeable but NEVER executable
2. Most other device files should be unreadable and unwriteable by regular users
Script Security
1. Never write setuid/setgid shell scripts (can break out); write C programs instead
2. Scripts should ALWAYS have full pathnames
Minimal writable filesystems (esp. system files/directories!)
Use setuid/setgid only where necessary
Make sure that important files are only accessible by authorized personnel
COPS will find many of these problems

Security Testing

Always have latest security OS patches installed
Subscribe to security mailing lists/newsgroups
If you do NOT use NIS or NIS+, make your system a HP-UX trusted system for easier system security
Test w/ SATAN (network security)
Test w/ COPS (Various system checks)
Test w/ TIGER (ways for root to be compromised)
Test w/ CRACK (passwd checker)
Tripwire (detects changes to files)
Check btmp, wtmp, syslog, sulog etc. regularly
Set up automatic email or paging to warn system administrators of any suspicious behavior.

Security Books

UNIX

Unix Tools

Site Map

Unix Tutorials


◦	Perl, CGI, C, C++ tutorials

◦	What is CGI?

◦	Perl Basics

◦	PHP Introduction

◦	Basic HTML Tutorials

◦	HTML Codes and Basics

◦	HTML Codes 2

◦	Basic Intro to Javascript

◦	Java tutorials

◦	SQL Tutorials

Unix Primer

UNIX HELP

Unix Help


◦	AIX Unix

◦	IRIX

◦	DG/UX

◦	Digital

◦	HP-UX - HP Unix

◦	Sun Server

◦	Unix for PCs

◦	SUSE Linux Enterprise 10

◦	SUSE Linux Enterprise 9

◦	Linux Runlevels

SECURITY

Unix Security


◦	Unix Network Security

◦	Unix Account Security

◦	Unix File System Security

◦	Unix Security Testing

◦	Unix Security Websites

◦	Unix Security Checklist

About Us

How to Build a Website, Step by Step

Deal of the Day

Other