Title: A UNIX Security Checklist

Abstract: This session is a discussion of a UNIX Security Checklist. Administrators use this on new and existing Sun Solaris and IBM AIX UNIX systems to evaluate and document the security on the system.  It is based on a number of open-source security materials and contains the following sections: Contact information:  (402) 963-8447 - work phone
                                   ron_woerner@csgsystems.com  - work e-mail

Thank you,

Ron Woerner,
Sr. Security Administrator
CSG Systems, Inc


UNIX Security Checklist




This document is for the evaluation of security on both new and existing UNIX (Sun Solaris & IBM AIX) systems.  Some items only apply to new systems and only need to be evaluated for that system once.  Most items may need to be evaluated multiple times over the course of time as that systems changes.  This is an evolving document that will be updated as new security items are identified.  CSG Systems, Inc. takes no responsibility for the use of this document. It is intented to help UNIX systems administrators in securing their system. Also, be sure to backup your system before making any changes. 



When evaluating a system, "check-off" each completed item and use area following each major section to list comments and justifications of requirements.  When complete, print it out, forward a copy to the security administrator and store a copy in the system's logbook.



System Name:

Contents:
Access and Authorization
Network
Permissions
Auditing and logging
O.S. & application patches
System backups




Access



     Root
Disable network root logins. Privileged users (those with the authority to use the root/superuser account) should always login as themselves and then su to root or the root equivalent account.
Solaris: Enable the "CONSOLE" line in /etc/default/login. To disable use of ftp by root, add "root" to /etc/ftpusers.
AIX: Use either smit user or edit the /etc/security/user file. Modify the root account so rlogin (remote login) is false and the su flag is true.
Root should be the only user with user id (uid) 0. If root-equivalent accounts are required, they should be documented with account owners and reason for being.
Root's login files (e.g. the .profile, .cshrc, .kshrc, etc) should not run any other files not owned by root or which are group or world writable.  Any exceptions should be documented by the system administer and forwarded to the security administrator.
Root password must be set using the rules in your organization's password policy.
The local directory "." should not be in root's search path. Ensure root's PATH does not contain ".".  Also, review root's PATH and remove any extraneous colons ":".
Install and Enable SUDO (superuser do).  SUDO should be used by those needing root access for a limited set of commands.
See the SUDO documents page "http://www.courtesan.com/sudo/" for information.

     General User
Remove, lock, or comment out unnecessary accounts.
Solaris: Possible accounts: sys, uucp, nuucp, listen. Put "NP" in the password field of the /etc/shadow file or use the noshell program to log attempts to use secured accounts.
AIX: Possible accounts: sys, uucp, nuucp, guest. Using smit user, modify the account.
Set password limitations as stated in your organization's password policy (length, aging, etc.).
Solaris: Only the expiration times needs to be set.  The rest is set by default of the O.S. Edit /etc/default/passwd so it contains the following lines:
          MAXWEEKS=9
          MINWEEKS=1
          PASSLENGTH=6
          WARNWEEKS=1
AIX:  Edit  /etc/security/user. The default should look like:
          histexpire = 0
          histsize = 3
          minage = 0
          maxage = 9
          maxexpired = 0
          minalpha = 2
          minother = 1
          minlen = 6
          mindiff = 3
          maxrepeats = 3
          dictionlist =
          pwdchecks =
      Warning:  These changes are affective immediately.
Ensure the passwd file and the shadow password file(s) match.
Solaris: Run logins p. It displays users who have no password (or who need to change their password). This command uses the local /etc/passwd file and the NIS or NIS+ password databases to obtain a users login status. NOTE: You can also use the logins commands to display a users login status (see the logins man page).
AIX: Run usrck n ALL. It verifys the many parameters of a userid definition.  The command pwdck n ALL checks authentication standards.
Disable system accounts from using ftp. Create/edit the /etc/ftpusers file. The following accounts should be listed (one account per line):
      root smtp daemon bin sys adm uucp nuucp listen lp lpd guest nobody noaccess
Other accounts you may want to include are:
      servdir sync shutdown halt mail news operator games gopher mysql ftp anonymous

 

     Warning Banner
Set the warning banner in /etc/motd. (NOTE:Below is an example.)
Warning: This system is restricted to your company/organization authorized users for business purposes only. Unauthorized access or use is a violation of company policy and the law. This system may be monitored for administrative and security reasons. By proceeding, you acknowledge that (1) you have read and understand this notice and (2) you consent to the system monitoring. (Note: substitute your organization's policy statement here.)
Solaris: Put the banner in the /etc/issue file as well.

     Comments & Justifications:


     Completed by:            Date:

 

Network



Ensure that only those services that are required from outside your domain are allowed through your router filters. If it is not required, routing should also be turned off on the UNIX system.
Solaris: This is controlled by /etc/init.d/inetinit. To turn off routing on a Solaris 2.5 machine, touch /etc/notrouter.
AIX: To dynamically turn off routing, use no o ipforwarding=0. To turn it off at system boot add that line to the /etc/rc.net file.
Comment out or remove all unnecessary services. Look at removing: rusersd, rstatd, rwalld, shell, comsat, tftp, netstat, login, talk, finger, time, exec, uucp, sysstat, echo, name, discard, daytime, chargen, sprayd, and bootps.  These services can be used to gain valuable information about the system and its users.  "r" commands may also increase your risk of password exposure in network sniffer attacks andhave been a regular source of insecurities and attacks.  To disable a service, edit the appropriate file (below) and put a comment (#) in front of the line for that particular service.
Solaris: /etc/inet/inetd.conf.
AIX: /etc/inetd.conf
Disable the sendmail daemon if it is not required (if there is no reason to receive e-mail on the system). To disable it immediately, find the sendmail process and kill it. To stop sendmail from starting on system boot:
Solaris: Go to the /etc/rc2.d directory (# cd /etc/rc2.d). Rename the S88sendmail file (# mv S88sendmail s88sendmail).
AIX: Edit the /etc/rc.tcpip file. Put a comment in front of the sendmail line (start /usr/lib/sendmail "$src_running" "-bd -q${qpi}").
Check if trusted hosts and/or users are required (/etc/hosts.equiv and .rhost).
Remove the file /etc/hosts.equiv unless it is required. If it is required:
  • Ensure that you keep only a small number of trusted hosts listed.
  • DO only trust hosts within your domain or under your management.
  • Ensure the trusted host is listed in the /etc/hosts file.
  • Ensure that you do not have a '+' entry by itself anywhere in the file as this may allow any user access to the system.
  • Ensure that you do not use '!' or '#'. There is no comment character for this file.
  • Ensure that the first character of the file is not '-'.
  • Ensure that the permissions are set to 400.
  • Ensure that the owner is set to root.
  • No user should have a .rhosts file in their home directory.  If it is required,
  • Ensure that the permissions are set to 600.
  • Ensure the first character of the file is not '-'.
  • Ensure that the owner of the file is the account's owner.
  • Ensure that the file does not contain the symbol "+" on any line as this may allow any user access to this account. 
  • Ensure that usage of netgroups within .rhosts does not allow unintended access to this account.
  • Ensure that you do not use '!' or '#'. There is no comment character for this file.
  • Remote filesystem mounting, NFS, should be monitored. Disable NFS if it is not required. If it is required, Exported filesystems should be listed in:
    Solaris: /etc/dfs/dfstab
    AIX: /etc/exports
    Install and Enable TCP Wrappers
    Go to ftp://ftp.porcupine.org/pub/security/index.html to download the latest version.   See the SunWorld document "Securing your network: An introduction to TCP wrappers - http://www.sunworld.com/sunworldonline/swol-06-2000/swol-06-tcp_p.html " for help on installing and enabling TCP wrappers.

         Comments & Justifications:


         Completed by:            Date:

     

    Permissions



    Set umask to 027 or 077. This should be set for all users in /etc/profile (ksh) and /etc/.login (C shell).
    AIX: This can also be set in /etc/security/user.
    No file in /etc should be group/world writeable.
    Solaris: /etc/utmp can be set to mode 644 without disrupting service.
    Review programs with the setuid and/or setgid bit set. Many of the setuid and setgid programs are used only by root, or by the user or group-id to which they are set. They can have setuid and setgid removed without diminishing users abilities to get their work done.
    To find setuid/setgid files:
    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;
    Solaris:  The following executable programs are known security risks and should have the setuid bit removed:
               /usr/vmsys/bin/chkperm
               /usr/openwin/bin/ff.core
    Ensure that there are no .exrc files on your system that have no legitimate purpose.
    Set permissions on log files (in the /var/adm and /var/syslog directories) so none are world-readable:
               chmod 640 /var/adm/* /var/syslog/*

          Comments & Justifications:


         Completed by:            Date:

     

     

    Auditing & Logging



    Make sure the following is being logged: su (successful and failed "substitute/switch user"), failed login and ftp attempts, sudo, cron. Log files should keep a continual 30 day history. Also, they should be backed-up for history. For su and failed logins, either syslog can be used or "other" files.
    Log failed login attempts using syslog. Edit the /etc/syslog.conf file to enable logging to the localhost and the loghost. Add the following to the bottom of the file:

    Solaris:
            user.info @loghost
            auth.info @loghost
    AIX: 
            user.info @loghost
            auth.info @loghost
    Log failed login attempts using other files:
    Solaris: Create the loginlog file in the /var/adm directory.
                        # touch /var/adm/loginlog
                  Set the ownership and the read/write permissions on the file.
                        # chmod 600 /var/adm/loginlog
              # chown root:sys /var/adm/loglog

                  All failed logins for the system are put into this text file.
    AIX: To view failed login attempts, run the command:
                       # who a /etc/security/failedlogin
    Log all su attempts.
    Solaris: Edit the /etc/default/su file and uncomment the line SULOG=/var/adm/sulog.
    AIX: Su loging (/var/adm/sulog) is automatically started.
    Use a tool such as SWATCH to assist in monitoring and auditing log files. More information on Swatch is found at http://www.stanford.edu/~atkins/swatch/.

         Comments & Justifications:


         Completed by:            Date:

     

     

    Operating System patches



    Retrieve the latest patch list from the vendor and install any patches not yet installed that are recommended for your system. (NOTE: Some patches may re-enable default configurations. For this reason, it is important to go through this checklist AFTER installing ANY new patches or packages. For example, a patch may change root suid programs on the system.)
    Solaris: Use showrev p to list patches installed on the system. Check Suns patch list (http://sunsolve.sun.com or http://your-local-sunsolve-server/security) for current security-related patches. Download and install all pertinent security patches.
    AIX: Use lslpp L to list OS software versions. Check IBMs RS/6000 Security patch list (http://techsupport.services.ibm.com/support/rs6000/) for current security-related patches.

         Comments & Justifications:


         Completed by:            Date:

     

    System backups



    All systems must have a backup of current system critical files at the minimum.  Other information or data should also be backed-up.  This backup should be on some type of removable media (ie., 4mm or 8mm tape) and stored in a secure location separate from the system.  Automated programs like Legato Networker or IBM ADSM may be used. 
    To use system commands to backup data to a tape: 
    Solaris: Use the ufsdump command to "dump" filesystems to tape.
                   # /usr/sbin/ufsdump 0uf /dev/rmt/0n files
    AIX: Use smitty mksysb to put the system image to tape or use the command
                   # /usr/bin/mksysb -i /dev/rmt0

         Comments & Justifications:


         Completed by:            Date:

     


     

    Forward any questions or changes to Ron Woerner, Security Administrator, CSG Systems, Inc.

    This document was last updated/reviewed 09/20/00 .
    Copyright 2000 CSG Systems, Inc. All rights reserved.