System Name:
Contents:
Access and Authorization
Network
Permissions
Auditing and logging
O.S. & application patches
System backups
Access and Authorization
Root
Disable network root logins. Privileged users (those with the authority to use the root/superuser account) should always log in as themselves and then su to root or the root-equivalent account. The local directory "." should not be in root's search path: ensure root's PATH does not contain ".". Also review root's PATH and remove any extraneous colons (":"), since an empty element between two colons, or at either end of PATH, is treated as the current directory.
Solaris: Enable the "CONSOLE" line in /etc/default/login. To disable use of ftp by root, add "root" to /etc/ftpusers.
AIX: Use either smit user or edit the /etc/security/user file. Modify the root account so rlogin (remote login) is false and the su flag is true.
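A small audit of the PATH rules just given, added here as an example script that is not part of the original checklist. It also flags relative entries and world-writable directories, which carry the same planted-command risk as "." does:

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit one PATH value for
# the problems the Root section describes. Beyond "." and empty elements
# (a leading, trailing or doubled ":" also resolves to the current directory),
# it flags relative elements and world-writable directories, which expose
# root to the same planted-command risk. Prints one finding per line and
# returns 1 if anything was found, 0 if the PATH is clean.
check_path() {
    path_value=$1
    bad=0
    # Wrapping in ":" makes leading, trailing and doubled colons all look alike.
    case ":$path_value:" in
        *::*) echo "empty element (bare ':') resolves to the current directory"; bad=1 ;;
    esac
    rest=$path_value
    while [ -n "$rest" ]; do
        dir=${rest%%:*}                    # first element
        case $rest in
            *:*) rest=${rest#*:} ;;        # drop it and its colon
            *)   rest= ;;
        esac
        [ -n "$dir" ] || continue          # empty element already reported
        case $dir in
            .)  echo "element '.' (current directory) present"; bad=1 ;;
            /*) # absolute: others must not be able to write into it
                if [ -n "$(find "$dir" -prune -perm -002 -print 2>/dev/null)" ]; then
                    echo "world-writable directory $dir"; bad=1
                fi ;;
            *)  echo "relative element '$dir' depends on the current directory"; bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone use: sh check_path.sh "$PATH" (run as root to audit root's PATH).
if [ $# -gt 0 ]; then check_path "$1"; fi
```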
Root should be the only user with user id (uid) 0. If root-equivalent accounts are required, they should be documented with account owners and reason for being.
Root's login files (e.g. .profile, .cshrc, .kshrc, etc.) should not execute any other file that is not owned by root or that is group- or world-writable. Any exceptions should be documented by the system administrator and forwarded to the security administrator.
Root password must be set using the rules in your organization's password policy.
Install and Enable SUDO (superuser do). SUDO should be used by those needing root access for a limited set of commands.
See the sudo documentation page at http://www.courtesan.com/sudo/ for information.
General User
Remove, lock, or comment out unnecessary accounts.
Solaris: Possible accounts: sys, uucp, nuucp, listen. Put "NP" in the password field of the /etc/shadow file or use the noshell program to log attempts to use secured accounts.
AIX: Possible accounts: sys, uucp, nuucp, guest. Using smit user, modify the account.
Set password limitations as stated in your organization's password policy (length, aging, etc.).
Solaris: Only the expiration times need to be set; the rest are set by the O.S. defaults. Edit /etc/default/passwd so it contains the following lines:
MAXWEEKS=9
MINWEEKS=1
PASSLENGTH=6
WARNWEEKS=1
AIX: Edit /etc/security/user. The default should look like:
histexpire = 0
histsize = 3
minage = 0
maxage = 9
maxexpired = 0
minalpha = 2
minother = 1
minlen = 6
mindiff = 3
maxrepeats = 3
dictionlist =
pwdchecks =
Warning: These changes are effective immediately.
Ensure the passwd file and the shadow password file(s) match.
Solaris: Run logins -p. It displays users who have no password (or who need to change their password). This command uses the local /etc/passwd file and the NIS or NIS+ password databases to obtain a user's login status. NOTE: You can also use the logins command to display a user's login status (see the logins man page).
AIX: Run usrck -n ALL. It verifies the many parameters of a user ID definition. The command pwdck -n ALL checks authentication standards.
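The passwd/shadow consistency check above, together with the uid-0 rule from the Root section, as an added example script that is not part of the original checklist. It assumes a Solaris-style colon-delimited /etc/shadow; AIX keeps its hashes in the stanza-format /etc/security/passwd, which is why the checklist points at usrck and pwdck there:

```shell
#!/bin/sh
# Added example, not part of the original checklist: cross-check a Solaris-style
# passwd file against its colon-delimited shadow file, as the "Ensure the passwd
# file and the shadow password file(s) match" item asks, and apply the uid-0 rule
# from the Root section at the same time.
# Arguments: passwd file, shadow file. Prints one finding per line and returns
# 1 if anything was found, 0 if the two files are consistent.
check_passwd_shadow() {
    awk -F: -v shadow="$2" '
        # pass 1 (shadow): remember every name, flag empty password fields
        FILENAME == shadow {
            in_shadow[$1] = 1
            if ($2 == "") { print "no password set (empty shadow field): " $1; bad = 1 }
            next
        }
        # pass 2 (passwd): every entry needs a shadow entry and an "x" field
        {
            in_passwd[$1] = 1
            if (!($1 in in_shadow)) { print "in passwd but not in shadow: " $1; bad = 1 }
            if ($2 != "x") { print "passwd field is not \"x\" (hash or blank in passwd): " $1; bad = 1 }
            if ($3 == 0 && $1 != "root") { print "uid 0 account other than root: " $1; bad = 1 }
        }
        END {
            for (u in in_shadow)
                if (!(u in in_passwd)) { print "in shadow but not in passwd: " u; bad = 1 }
            exit bad
        }' "$2" "$1"
}

# Constructed sample files for a stand-alone run (not taken from a real system):
# "oper" has uid 0 and an empty shadow field, "guest" has no shadow entry and
# "listen" has no passwd entry.
demo() {
    p=$(mktemp); s=$(mktemp)
    printf 'root:x:0:0:Super-User:/:/sbin/sh\nsys:x:3:3::/:\noper:x:0:1::/:/sbin/sh\nguest:x:200:1::/home/guest:/bin/sh\n' >"$p"
    printf 'root:abc123hash:11200::::::\nsys:NP:6445::::::\noper::11200::::::\nlisten:*LK*:6445::::::\n' >"$s"
    rc=0
    check_passwd_shadow "$p" "$s" || rc=1
    rm -f "$p" "$s"
    return $rc
}
```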
Disable system accounts from using ftp. Create/edit the /etc/ftpusers file. The following accounts should be listed (one account per line):
root smtp daemon bin sys adm uucp nuucp listen lp lpd guest nobody noaccess
Other accounts you may want to include are:
servdir sync shutdown halt mail news operator games gopher mysql ftp anonymous
Warning Banner
Set the warning banner in /etc/motd. (NOTE: Below is an example.)
Warning: This system is restricted to your company/organization authorized users for business purposes only. Unauthorized access or use is a violation of company policy and the law. This system may be monitored for administrative and security reasons. By proceeding, you acknowledge that (1) you have read and understand this notice and (2) you consent to the system monitoring. (Note: substitute your organization's policy statement here.)
Solaris: Put the banner in the /etc/issue file as well.
Completed by: Date:
Network
Ensure that only those services that are required from outside your domain are allowed through your router filters. If routing is not required, it should also be turned off on the UNIX system.
Solaris: This is controlled by /etc/init.d/inetinit. To turn off routing on a Solaris 2.5 machine, touch /etc/notrouter.
AIX: To dynamically turn off routing, use no -o ipforwarding=0. To turn it off at system boot, add that line to the /etc/rc.net file.
Comment out or remove all unnecessary services. Look at removing: rusersd, rstatd, rwalld, shell, comsat, tftp, netstat, login, talk, finger, time, exec, uucp, sysstat, echo, name, discard, daytime, chargen, sprayd, and bootps. These services can be used to gain valuable information about the system and its users. The "r" commands may also increase your risk of password exposure in network sniffer attacks and have been a regular source of insecurities and attacks. To disable a service, edit the appropriate file (below) and put a comment (#) in front of the line for that particular service.
Solaris: /etc/inet/inetd.conf.
AIX: /etc/inetd.conf
Disable the sendmail daemon if it is not required (if there is no reason to receive e-mail on the system). To disable it immediately, find the sendmail process and kill it. To stop sendmail from starting on system boot:
Solaris: Go to the /etc/rc2.d directory (# cd /etc/rc2.d). Rename the S88sendmail file (# mv S88sendmail s88sendmail).
AIX: Edit the /etc/rc.tcpip file. Put a comment in front of the sendmail line (start /usr/lib/sendmail "$src_running" "-bd -q${qpi}").
Check whether trusted hosts and/or users are required (/etc/hosts.equiv and .rhosts).
Remove the file /etc/hosts.equiv unless it is required. If it is required:
- Keep only a small number of trusted hosts listed.
- Only trust hosts within your domain or under your management.
- Ensure each trusted host is listed in the /etc/hosts file.
- Ensure that there is no '+' entry by itself anywhere in the file, as this may allow any user access to the system.
- Ensure that you do not use '!' or '#'. There is no comment character for this file.
- Ensure that the first character of the file is not '-'.
- Ensure that the permissions are set to 400.
- Ensure that the owner is set to root.
No user should have a .rhosts file in their home directory. If one is required:
- Ensure that the permissions are set to 600.
- Ensure the first character of the file is not '-'.
- Ensure that the owner of the file is the account's owner.
- Ensure that the file does not contain the symbol '+' on any line, as this may allow any user access to this account.
- Ensure that usage of netgroups within .rhosts does not allow unintended access to this account.
- Ensure that you do not use '!' or '#'. There is no comment character for this file.
Remote filesystem mounting (NFS) should be monitored. Disable NFS if it is not required. If it is required:
- Export only the file systems you need to export. If you aren't certain that a file system needs to be exported, then it probably shouldn't be exported.
- Do not allow the exports file to contain a 'localhost' entry.
- Ensure that you never export file systems unintentionally to the world. Use the -access=host.domainname.com option or equivalent for each filesystem exported.
- Export file systems read-only (-ro) whenever possible.
- Ensure the permissions on the export file are 644 and the owner is root.
- Ensure the NFS client maps the file systems as nobody, unless specifically required.
Exported filesystems are listed in:
Solaris: /etc/dfs/dfstab
AIX: /etc/exports
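The hosts.equiv and .rhosts rules above, as an added audit script that is not part of the original checklist. It takes the file, the expected owner and the expected mode, and reports wildcard '+' fields, '!' or '#' characters, a leading '-', and netgroup entries for review:

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit one trust file
# (/etc/hosts.equiv or a user's .rhosts) against the rules above.
# Arguments: file, expected owner, expected mode in the symbolic form ls prints
# (-r-------- for 400 on hosts.equiv, -rw------- for 600 on .rhosts).
# Prints one finding per line and returns 1 if anything was found, 0 otherwise.
check_trust_file() {
    f=$1; want_owner=$2; want_mode=$3
    bad=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    set -- $(ls -ld "$f")                  # fields: mode links owner group ...
    mode=$(printf '%s' "$1" | cut -c1-10)  # drop any ACL/SELinux marker after the mode
    [ "$mode" = "$want_mode" ] || { echo "$f: mode is $mode, want $want_mode"; bad=1; }
    [ "$3" = "$want_owner" ] || { echo "$f: owner is $3, want $want_owner"; bad=1; }
    awk -v f="$f" '
        NR == 1 && substr($0, 1, 1) == "-" { print f ": first character is \"-\""; bad = 1 }
        /[!#]/ { print f " line " NR ": contains \"!\" or \"#\" (there is no comment character)"; bad = 1 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "+") { print f " line " NR ": wildcard \"+\" entry grants access to anyone"; bad = 1 }
                else if ($i ~ /^[+-]@/) print f " line " NR ": netgroup entry " $i " (review its membership)"
            }
        }
        END { exit bad }' "$f" || bad=1
    return $bad
}

# Constructed sample for a stand-alone run (not a real system file): one good
# host, a lone "+", a user wildcard and a stray "#", in a 644 file.
demo() {
    t=$(mktemp)
    printf 'trusted.example.com\n+\nother.example.com +\n-old.example.com bob #retired\n' >"$t"
    chmod 644 "$t"
    rc=0
    check_trust_file "$t" "$(id -un)" -r-------- || rc=1
    rm -f "$t"
    return $rc
}
```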
Install and Enable TCP Wrappers
Go to ftp://ftp.porcupine.org/pub/security/index.html to download the latest version. See the SunWorld document "Securing your network: An introduction to TCP wrappers - http://www.sunworld.com/sunworldonline/swol-06-2000/swol-06-tcp_p.html " for help on installing and enabling TCP wrappers.
Completed by: Date:
Permissions
Set umask to 027 or 077. This should be set for all users in /etc/profile (ksh) and /etc/.login (C shell).
AIX: This can also be set in /etc/security/user.
No file in /etc should be group/world writeable.
Solaris: /etc/utmp can be set to mode 644 without disrupting service.
Review programs with the setuid and/or setgid bit set. Many of the setuid and setgid programs are used only by root, or by the user or group ID to which they are set. They can have setuid and setgid removed without diminishing users' ability to get their work done.
To find setuid/setgid files:
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;
Solaris: The following executable programs are known security risks and should have the setuid bit removed:
/usr/vmsys/bin/chkperm
/usr/openwin/bin/ff.core
Ensure that there are no .exrc files on your system that have no legitimate purpose.
Set permissions on log files (in the /var/adm and /var/syslog directories) so none are world-readable:
chmod 640 /var/adm/* /var/syslog/*
Completed by: Date:
Auditing and logging
Make sure the following is being logged: su (successful and failed "substitute/switch user"), failed login and ftp attempts, sudo, and cron. Log files should keep a continuous 30-day history and should also be backed up for history. For su and failed logins, either syslog or "other" files (below) can be used.
Log failed login attempts using syslog. Edit the /etc/syslog.conf file to enable logging to the localhost and the loghost. Add the following to the bottom of the file (separate the selector from the action with a tab character; classic syslogd does not accept spaces there):
Solaris:
user.info @loghost
auth.info @loghost
AIX:
user.info @loghost
auth.info @loghost
Log failed login attempts using other files:
Solaris: Create the loginlog file in the /var/adm directory.
# touch /var/adm/loginlog
Set the ownership and the read/write permissions on the file.
# chmod 600 /var/adm/loginlog
# chown root:sys /var/adm/loginlog
All failed logins for the system are put into this text file.
AIX: To view failed login attempts, run the command:
# who -a /etc/security/failedlogin
Log all su attempts.
Solaris: Edit the /etc/default/su file and uncomment the line SULOG=/var/adm/sulog.
AIX: su logging (/var/adm/sulog) is enabled automatically.
Use a tool such as SWATCH to assist in monitoring and auditing log files. More information on Swatch is found at http://www.stanford.edu/~atkins/swatch/.
Completed by: Date:
O.S. & application patches
Retrieve the latest patch list from the vendor and install any patches not yet installed that are recommended for your system. (NOTE: Some patches may re-enable default configurations. For this reason, it is important to go through this checklist AFTER installing ANY new patches or packages. For example, a patch may change root suid programs on the system.)
Solaris: Use showrev -p to list patches installed on the system. Check Sun's patch list (http://sunsolve.sun.com or http://your-local-sunsolve-server/security) for current security-related patches. Download and install all pertinent security patches.
AIX: Use lslpp -L to list OS software versions. Check IBM's RS/6000 Security patch list (http://techsupport.services.ibm.com/support/rs6000/) for current security-related patches.
Completed by: Date:
System backups
All systems must have a backup of current system-critical files at a minimum. Other information or data should also be backed up. This backup should be on some type of removable media (i.e., 4mm or 8mm tape) and stored in a secure location separate from the system. Automated programs like Legato Networker or IBM ADSM may be used.
To use system commands to back up data to a tape:
Solaris: Use the ufsdump command to "dump" filesystems to tape.
# /usr/sbin/ufsdump 0uf /dev/rmt/0n files
AIX: Use smitty mksysb to put the system image to tape or use the command
# /usr/bin/mksysb -i /dev/rmt0
Completed by: Date:
Forward any questions or changes to Ron Woerner, Security Administrator, CSG Systems, Inc.
This document was last updated/reviewed 09/20/00 .
Copyright © 2000 CSG Systems, Inc. All rights reserved.