UNIX computer security checklist
5.2 /etc/rc.local

    * CHECK that /etc/rc.local does not chmod 666 /etc/motd. A
      world-writable motd allows any user to change the system message of
      the day.

    * ENSURE that the line "rm -f /tmp/t1" (or similar) exists in
      /etc/rc.local to clean up the temporary file used to create
      /etc/motd. This should occur BEFORE the code that starts the local
      daemons.

5.3 /usr/lib/expreserve

    * DO replace versions of /usr/lib/expreserve prior to July 1993 with a
      recommended patch from your vendor. If this is not possible, then
      remove execute permission on /usr/lib/expreserve:

        # /bin/chmod 400 /usr/lib/expreserve

      This means that users who edit their files with either vi or ex and
      have their sessions interrupted will not be able to recover their
      lost work. If you implement the above workaround, please advise your
      users to save their editing sessions regularly.

      Refer to the CERT advisory CA-93:09 for advice on fixing this
      problem in the SunOS and Solaris environments.

5.4 External file systems/devices

    * DO mount file systems non-setuid (nosuid) and read-only where
      practical. (Refer to section 2.5 NFS)

5.5 File Permissions

    * CHECK that the permissions of /etc/utmp are set to 644.

    * CHECK that the permissions of /etc/sm and /etc/sm.bak are set to
      2755.

    * CHECK that the permissions of /etc/state are set to 644.

    * CHECK that the permissions of /etc/motd and /etc/mtab are set to 644.

    * CHECK that the permissions of /etc/syslog.pid are set to 644.

    * REMOVE setgid privileges on /usr/kvm/crash. Its setgid bit, with
      group kmem, allows any user to read the virtual memory of the
      running system:

        # /bin/chmod g-s /usr/kvm/crash

    * DO consider removing read access to files that users do not need to
      access.

    * ENSURE that the kernel (e.g. /vmunix) is owned by root, has group
      set to 0 (wheel on SunOS) and permissions set to 644.

    * ENSURE that /etc, /bin, /usr/etc, /usr/bin and /tmp are owned by
      root and that the sticky bit is set on /tmp, i.e. the permissions on
      /tmp should be: drwxrwxrwt. You should implement COPS or Tiger to
      check for this. Refer to section B.2 for information on where to
      obtain these.

    * ENSURE that there are no unexpected world-writable files or
      directories on your system. The following commands find
      world-writable files and directories (-perm -2 tests only the
      other-write bit; -perm -22 would also require the group-write bit
      and so miss a file with mode 0646):

        # /bin/find / -type f -perm -2 -exec ls -l {} \;
        # /bin/find / -type d -perm -2 -exec ls -ld {} \;

    * CHECK that every file which has the SUID or SGID bit set actually
      needs it. The following command lists them:

        # /bin/find / -type f \( -perm -004000 -o -perm -002000 \) \
              -exec ls -l {} \;

    * CHECK the umask value for each user and ensure it is set to
      something sensible like 027 or 077. Refer to section E.1 for a
      shell script to check this.

5.6 Files run by root

    AUSCERT recommends that anything run by root should be owned by root,
    should not be world or group writable and should be located in a
    directory where every directory in the path is owned by root and is
    not group or world writable.

    * CHECK the contents of the following files for the root account. Any
      programs or scripts referenced in these files should meet the above
      requirements:

        - ~/.login, ~/.profile and similar login initialisation files
        - ~/.exrc and similar program initialisation files
        - ~/.logout and similar session cleanup files
        - crontab and at entries
        - /etc/rc* and similar system startup files

    * If any programs or scripts referenced in these files source further
      programs or scripts, they also need to be verified.

5.7 Bin ownership

    Many systems ship files and directories owned by bin. This varies from
    system to system and may have serious security implications.

    * CHANGE all non-setuid files and all non-setgid files and directories
      that are world readable but not world or group writable and that
      are owned by bin to ownership of root, with group id 0 (wheel group
      under SunOS). Anything else should be verified with the vendor.

5.8 Tiger/COPS

    * DO run one or both of these. Many of the checks in this section can
      be automated by using these programs. For information on where to
      get these programs see B.2.

------------------------------------------------------------------------------
6.0 SunOS specific security
------------------------------------------------------------------------------

    The following is a list of security issues that relate specifically to
    SunOS 4.1.x. This is not necessarily a complete list.

6.1 IP forwarding

    * CHECK that IP forwarding is disabled. You will need the following
      line in the kernel configuration file:

        options "IPFORWARDING=-1"

      For information on how to customise a kernel, see the file:

        /usr/sys/`arch`/conf/README

6.2 Framebuffers /dev/fb

    Anyone who can log in to your Sun workstation from a remote source can
    read the contents of your framebuffer, /dev/fb, i.e. whatever is
    displayed on the console. Sun provides a mechanism which gives the
    user logging in on the console exclusive access to the framebuffer,
    via the file /etc/fbtab.

    A sample /etc/fbtab file:

        #
        # File:         /etc/fbtab
        # Purpose:      Specifies that upon login to /dev/console, the
        #               owner, group and permissions of all supported
        #               devices, including the framebuffer, will be set to
        #               the user's username, the user's group and 0600.
        # Comments:     SunOS specific.
        # Note:         You cannot use \ to continue a line.
        #
        # Format:
        #       Device          Permission      Colon separated device list.
        #
        /dev/console    0600    /dev/fb
        /dev/console    0600    /dev/bwone0:/dev/bwtwo0
        /dev/console    0600    /dev/cgone0:/dev/cgtwo0:/dev/cgthree0
        /dev/console    0600    /dev/cgfour0:/dev/cgsix0:/dev/cgeight0
        /dev/console    0600    /dev/cgnine0:/dev/cgtwelve0
        #
        /dev/console    0600    /dev/kb:/dev/mouse
        /dev/console    0600    /dev/fd0c:/dev/rfd0c

    After the above file has been created, reboot your machine, or log out
    fully and then log back in again. Read the man page for fbtab(5) for
    more information.

6.3 /usr/kvm/sys/*

    * CHECK that no file or directory under /usr/kvm/sys/ is writable by
      group. In SunOS 4.1.4 the default mode is 2775 with group staff,
      allowing users in group staff to trojan the kernel.
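    The checks in sections 5.5, 5.6 and 6.3 above all come down to the same
    two questions about a path: is it owned by the right account, and are
    any write bits set that should not be. The following POSIX shell
    functions are an added example, not part of the AUSCERT checklist or
    of COPS/Tiger, that answer those questions: check_mode verifies one
    file against an expected mode and owner, check_root_path walks every
    directory component of a program run by root (section 5.6), and the
    three find_* helpers produce the world-writable, setuid/setgid and
    group-writable listings. It assumes GNU coreutils stat (stat -c) with
    the BSD stat -f form as a fallback; the optional TOP argument of
    check_root_path is my addition for auditing a root file system mounted
    somewhere other than /.

```shell
#!/bin/sh
# Added example, not part of the AUSCERT checklist: shell functions that
# perform the ownership and mode checks of sections 5.5, 5.6 and 6.3.
# Assumes GNU coreutils stat (stat -c); the BSD stat -f form is a fallback.

# Octal permission bits of a path, including setuid/setgid/sticky (e.g. 1777).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# Owner name of a path.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Numeric value of an octal mode string; the leading 0 forces octal in $(( )).
oct() { echo $(( 0$1 )); }

# Section 5.5: PATH must have exactly mode MODE and owner OWNER.
# Prints a one-line verdict; returns 0 only when both match.
check_mode() {
    path=$1; want_mode=$2; want_owner=$3
    have_mode=$(file_mode "$path") || { echo "MISSING $path"; return 1; }
    have_owner=$(file_owner "$path")
    if [ "$(oct "$have_mode")" -eq "$(oct "$want_mode")" ] &&
       [ "$have_owner" = "$want_owner" ]; then
        echo "OK   $path $have_mode $have_owner"
        return 0
    fi
    echo "BAD  $path is $have_mode $have_owner, want $want_mode $want_owner"
    return 1
}

# Section 5.6: a program run by root must be owned by OWNER and not group or
# world writable, and so must every directory on the path up to TOP
# (default /; TOP is my addition, for auditing a root file system mounted
# elsewhere). Prints each offending component; returns 0 if there are none.
check_root_path() {
    p=$1; owner=$2; top=${3:-/}; rc=0
    while :; do
        mode=$(file_mode "$p") || { echo "MISSING $p"; return 1; }
        # any group-write (020) or other-write (002) bit, or a foreign owner
        if [ $(( $(oct "$mode") & 022 )) -ne 0 ] ||
           [ "$(file_owner "$p")" != "$owner" ]; then
            echo "BAD  $p $mode $(file_owner "$p")"
            rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# Section 5.5: world-writable files and directories under DIR.
# -perm -2 tests only the other-write bit; the older "-perm -22" also
# required the group-write bit and so missed a file with mode 0646.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -2 -print
}

# Section 5.5: setuid/setgid files under DIR, for manual review.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Section 6.3: nothing under DIR (e.g. /usr/kvm/sys) may be group-writable.
find_group_writable() {
    find "$1" -perm -20 -print
}

# Section 5.5's fixed expectations for SunOS 4.1.x, all owned by root.
# Files a particular system does not have are skipped.
audit_standard_files() {
    rc=0
    while read -r f m; do
        [ -e "$f" ] || continue
        check_mode "$f" "$m" root || rc=1
    done <<EOF
/etc/utmp 644
/etc/sm 2755
/etc/sm.bak 2755
/etc/state 644
/etc/motd 644
/etc/mtab 644
/etc/syslog.pid 644
/vmunix 644
/tmp 1777
EOF
    return $rc
}
```

    On a live system run the find_* helpers on / with -xdev added if you
    want to stay on the root file system; on any system where the
    expected owner is root, a non-zero return from check_root_path on a
    program named in root's crontab or /etc/rc* is exactly the condition
    section 5.6 warns about.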
6.4 /dev/nit (Network Interface Tap)

    * DO run the CERT tool cpm to check whether your system is running in
      promiscuous mode. For access details for cpm see B.6.

    * DO disable the /dev/nit interface if you do not need to run in
      promiscuous mode.

      For SunOS 4.x and Solbourne systems, the promiscuous interface to
      the network can be eliminated by removing the /dev/nit capability
      from the kernel. Once the procedure is complete, you may remove the
      device file /dev/nit since it is no longer functional.

      Apply "method 1" as outlined in the System and Network
      Administration manual, in the section "Sun System Administration
      Procedures," Chapter 9, "Reconfiguring the System Kernel." Excerpts
      from the method are reproduced below:

        # cd /usr/kvm/sys/sun[3,3x,4,4c]/conf
        # cp CONFIG_FILE SYS_NAME

          [Note that at this step, you should replace CONFIG_FILE with
          your system specific configuration file if one exists.]

        # chmod +w SYS_NAME
        # vi SYS_NAME

          #
          # The following are for streams NIT support. NIT is used by
          # etherfind, traffic, rarpd, and ndbootd. As a rule of thumb,
          # NIT is almost always needed on a server and almost never
          # needed on a diskless client.
          #
          pseudo-device   snit            # streams NIT
          pseudo-device   pf              # packet filter
          pseudo-device   nbuf            # NIT buffering module

          [Comment out the 3 "pseudo-device" lines; save and exit the
          editor before proceeding.]

        # config SYS_NAME
        # cd ../SYS_NAME
        # make
        # mv /vmunix /vmunix.old
        # cp vmunix /vmunix
        # /etc/halt
        > b

          [This step will reboot the system with the new kernel.]

          [NOTE that even after the new kernel is installed, you need to
          take care to ensure that the previous vmunix.old, or any other
          kernel, is not used to reboot the system.]

      See CERT Advisory CA-94:01 (see C.7).

6.5 Sun recommended and security patches are available via anonymous ftp
    from:

        ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/*

------------------------------------------------------------------------------
7.0 IRIX specific security
------------------------------------------------------------------------------

    The following is a list of security issues that relate specifically to
    the IRIX operating system. This is not necessarily a complete list.

7.1 /usr/lib/vadmin/serial_ports

    The /usr/lib/vadmin/serial_ports program is used to initialise the
    data files for the serial ports on your system. (This only applies to
    IRIX Version 4 systems, or Version 5 systems that still contain the
    serial_ports program.)

    * DO DISABLE this program

        1) if you are not using the serial ports on your IRIX Version 4
           system;
        2) if you are using serial ports and do not wish to change the
           configuration of those ports;
        3) if you are using Version 5 and the serial_ports program is
           present. This program has been superseded by
           /usr/Cadmin/bin/cports on Version 5 and is therefore no
           longer required.

      /usr/lib/vadmin/serial_ports can be disabled by the command:

        # /bin/chmod 700 /usr/lib/vadmin/serial_ports

    * If you intend to change the serial port configuration, you can still
      disable the serial_ports program as above. To change the serial port
      configuration, run the serial_ports program as root.

      (Refer to AUSCERT Advisory AA-94.05a (see A.1))

7.2 Some IRIX patches are available via anonymous ftp from:

        ftp://ftp.auscert.org.au/pub/mirrors/ftp.sgi.com/security/*
        ftp://ftp.auscert.org.au/pub/mirrors/sgigate.sgi.com/*

------------------------------------------------------------------------------
8.0 X windows security
------------------------------------------------------------------------------

    Access to your X server may be controlled through either a host-based
    or a user-based method. The former is left to the discretion of the
    Systems Administrator at your site and is useful only as long as all
    hosts registered in the /etc/Xn.hosts file have users that can be
    trusted, where "n" represents your X server's number. This may not be
    possible at every site, so a better method is to educate each and
    every user about the security implications (see references below).
    Better still, when setting up a user, give them a set of X security
    related template files, such as .xserverrc and .xinitrc. These are
    located in the user's home directory.

    You are strongly advised to read the section on X windows security
    referred to in C.4 below.

8.1 Problems with xdm

    Note: Release 6 of X11 is now available and solves many problems
    associated with X security which were present in previous releases.
    If possible, obtain the source for R6 and compile and install it on
    your system. Source for R6 is available via anonymous ftp from:

        ftp://munnari.oz.au/X.V11/R6

    xdm bypasses the normal getty and login functions, which means that
    quotas for the user, ownership of /dev/console and possibly other
    preventive measures put in place by you may be ignored. You should
    consult your vendor and ask about potential security holes in xdm and
    what fixes are available.

8.2 X security - General

    * DO read the man pages for xauth and Xsecurity. Use this information
      to set up the security level you require.

    * CHECK that the permissions on /tmp are set to 1777 (or drwxrwxrwt),
      i.e. the sticky bit should be set. The owner MUST always be root and
      group ownership should be set to group-id 0, which is "wheel" or
      "system". If the sticky bit is set on a directory, only the owner of
      a file in it (or root) can delete or rename that file; this protects
      /tmp/.X11-unix/X0, the socket for your X server, which any user
      could otherwise remove. Once this file is deleted, your X server is
      gone for the remainder of the session.

      If the permissions or ownership are not set as above, then type the
      following commands:

        # /bin/chown root.wheel /tmp
        # /bin/chmod 1777 /tmp

      Note: This will NOT recursively set the sticky bit on sub-directories
      below /tmp, such as /tmp/.X11-unix and