home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker's Arsenal - The Cutting Edge of Hacking
/
Hacker's Arsenal - The Cutting Edge of Hacking.iso
/
texts
/
unixseccheck.txt
< prev
next >
Wrap
Text File
|
2001-07-11
|
19KB
|
357 lines
-----BEGIN PGP SIGNED MESSAGE-----
==============================================================================
UNIX Computer Security Checklist (Version 1.1) Last Update 19-Dec-1995
==============================================================================
The Australian Computer Emergency Response Team has developed a checklist which
assists in removing common and known security vulnerabilities under the UNIX
Operating System. It is based around recently discovered security
vulnerabilities and other checklists which are readily available (see
references in Appendix C).
This document can be retrieved via anonymous ftp from:
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
For information about detecting or recovering from an intrusion, see the
CERT security information document which can be retrieved via anonymous ftp
from:
ftp://ftp.auscert.org.au/pub/cert/tech_tips/security_info
It is AUSCERT's intention to continue to update this checklist. Any
comments should be directed via email to auscert@auscert.org.au. Before
using this document, ensure you have the latest version. New versions of this
checklist will be placed in the same area on the ftp server and should be
checked for periodically.
In order to make effective use of this checklist, readers will need to have
a good grasp of basic UNIX system administration concepts. Refer to C.9 and
C.10 for books on UNIX system administration.
If possible, apply this checklist to a system before attaching it to a network.
In addition, we recommend that you use the checklist on a regular basis as well
as after you install any patches or new versions of the operating system, with
consideration given to the appropriateness of each action to your particular
situation.
Command examples have been supplied for BSD-like and SVR4-like systems (see
Appendix F for operating system details and Appendix G for command details).
Full directory paths and program options may vary for different flavours of
UNIX. If in doubt, consult your vendor documentation.
For ease of use, the checklist has been organised into separate, logically
cohesive sections. All sections are important. An abbreviated version of
this checklist can be found in Appendix D.
CHECKLIST INDEX: 1.0 Patches
2.0 Network security
3.0 ftpd and anonymous ftp
4.0 Password and account security
5.0 File system security
6.0 Vendor operating system specific security
7.0 Security and the X Window System
APPENDICES: Appendix A Other AUSCERT information sources
Appendix B Useful security tools
Appendix C References
Appendix D Abbreviated Checklist
Appendix E Shell Scripts
Appendix F Table of operating systems by flavour
Appendix G List of commands by flavour
Any trademarks which appear in this document are registered to their
respective owners.
==============================================================================
1.0 Patches
==============================================================================
* Retrieve the latest patch list from your vendor and install any
patches not yet installed that are recommended for your system.
Some patches may re-enable default configurations. For this
reason, it is important to go through this checklist AFTER
installing ANY new patches or packages.
* Details on obtaining patches may be found in Section 6.
* Verify the digital signature of any signed files. Tools like PGP may
be used to sign files and to verify those signatures.
(Refer to B.15 for PGP access information).
* If no digital signature is supplied but an md5(1) checksum is supplied,
then verify the checksum information to confirm that you have retrieved
a valid copy.
(Refer to B.10 for MD5 access information).
* If only a generic sum(1) checksum is provided, then check that. Be
aware that the sum(1) checksum should not be considered secure.
==============================================================================
2.0 Network security
==============================================================================
The following is a list of features that can be used to help
prevent attacks from external sources.
2.1 Filtering
* ENSURE that ONLY those services which are required from outside your
domain are allowed through your router filters.
In particular, if the following are not required outside your
domain, then filter them out at the router.
NAME PORT PROTOCOL NAME PORT PROTOCOL
echo 7 TCP/UDP login 513 TCP
systat 11 TCP shell 514 TCP
netstat 15 TCP printer 515 TCP
bootp 67 UDP biff 512 UDP
tftp 69 UDP who 513 UDP
link 87 TCP syslog 514 UDP
supdup 95 TCP uucp 540 TCP
sunrpc 111 TCP/UDP route 520 UDP
NeWS 144 TCP openwin 2000 TCP
snmp 161 UDP NFS 2049 UDP/TCP
xdmcp 177 UDP X11 6000 to 6000+n TCP
exec 512 TCP (where n is the maximum number
of X servers you will have)
Note: Any UDP service that replies to an incoming packet may be
subject to a denial of service attack.
See CERT advisory CA-95.01 (C.8) for more details.
Filtering is difficult to implement correctly. For information on
packet filtering, please see Firewalls and Internet Security (C.6)
and Building Internet Firewalls (C.7).
2.2 "r" commands
2.2.1 If you don't NEED to use the "r" commands...
* DO disable all "r" commands (rlogin, rsh etc.) unless specifically
required.
This may increase your risk of password exposure in network
sniffer attacks, but "r" commands have been a regular source of
insecurities and attacks. Disabling them is by far the lesser of
the two evils (see 2.9.1).
2.2.2 If you must run the "r" commands...
* DO use more secure versions of the "r" commands for cases where
there is a specific need.
Wietse Venema's logdaemon package contains a more secure version
of the "r" command daemons. These versions can be configured to
consult only /etc/hosts.equiv and not $HOME/.rhosts. There is
also an option to disable the use of wildcards ('+').
Refer to B.13 for access information for the logdaemon package
* DO filter ports 512,513 and 514 (TCP) at the router if you do use any
of the "r" commands.
This will stop people outside your domain from exploiting these
commands but will not stop people inside your domain.
To do this you will need to disable these commands (see 2.2.1).
* DO use tcp_wrappers to provide greater access and logging on these
network services (see 2.12).
2.3 /etc/hosts.equiv
2.3.1 It is recommended that the following action be taken whether or not
the "r" commands are in use on your system.
* CHECK if the file /etc/hosts.equiv is required.
If you are running "r" commands, this file allows other hosts to
be trusted by your system. Programs such as rlogin can then be
used to log on to the same account name on your machine from a
trusted machine without supplying a password.
If you are not running "r" commands or you do not wish to
explicitly trust other systems, you should have no use for
this file and it should be removed. If it does not exist, it
cannot cause you any problems if any of the "r" commands are
accidentally re-enabled.
2.3.2 If you must have a /etc/hosts.equiv file
* ENSURE that you keep only a small number of TRUSTED hosts listed.
* DO use netgroups for easier management if you run NIS (also known
as YP) or NIS+.
* DO only trust hosts within your domain or under your management.
* ENSURE that you use fully qualified hostnames,
i.e., hostname.domainname.au
* ENSURE that you do NOT have a '+' entry by itself anywhere in the
file as this may allow any user access to the system.
* ENSURE that you do not use '!' or '#' in this file.
There is no comment character for this file.
* ENSURE that the first character of the file is not '-'.
Refer to the CERT advisory CA-91:12 (C.8).
* ENSURE that the permissions are set to 600.
* ENSURE that the owner is set to root.
* CHECK it again after each patch or operating system installation.
2.4 /etc/netgroup
* If you are using NIS (YP) or NIS+, DO define each netgroup to contain
only usernames or only hostnames.
All utilities parse /etc/netgroup for either hosts or
usernames, but never both. Using separate netgroups makes it
easier to remember the function of each netgroup. The added
time required to administer these extra netgroups is a small
cost in ensuring that strange permission combinations have not
left your machine in an insecure state.
Refer to the manual pages for more information.
2.5 $HOME/.rhosts
2.5.1 It is recommended that the following action be taken whether or not
the "r" commands are in use on your system.
* ENSURE that no user has a .rhosts file in their home directory.
They pose a greater security risk than /etc/hosts.equiv, as one
can be created by each user. There are some genuine needs for
these files, so hear each one on a case-by-case basis; e.g.,
running backups over a network unattended.
* DO use cron to periodically check for, report the contents of
and delete $HOME/.rhosts files. Users should be made aware that
you regularly perform this type of audit, as directed by policy.
2.5.2 If you must have such a file
* ENSURE the first character of the file is not '-'.
Refer to the CERT advisory CA-91:12 (C.8).
* ENSURE that the permissions are set to 600.
* ENSURE that the owner of the file is the account's owner.
* ENSURE that the file does NOT contain the symbol "+" on any line as
this may allow any user access to this account.
* ENSURE that usage of netgroups within .rhosts does not allow
unintended access to this account.
* ENSURE that you do not use '!' or '#' in this file.
There is no comment character for this file.
* REMEMBER that you can also use logdaemon to restrict the use of
$HOME/.rhosts (see 2.2.2).
2.6 NFS
When using NFS, you implicitly trust the security of the NFS server
to maintain the integrity of the mounted files.
* DO filter NFS traffic at the router.
Filter TCP/UDP on port 111
TCP/UDP on port 2049
This will prevent machines not on your subnet from accessing
file systems exported by your machines.
* DO apply all available patches.
NFS has had a number of security vulnerabilities.
* DO disable NFS if you do not need it.
See your vendor supplied documentation for detailed instructions.
* DO enable NFS port monitoring.
Calls to mount a file system will then be accepted from ports < 1024
only. This will provide added security in some circumstances.
See your vendor's documentation to determine whether this is an
option for your version of UNIX (see also 6.1.8 and 6.2.4).
* DO use /etc/exports or /etc/dfs/dfstab to export ONLY the file systems
you need to export.
If you aren't certain that a file system needs to be exported,
then it probably shouldn't be exported.
* DO NOT self-reference an NFS server in its own exports file.
i.e., The exports file should not export the NFS server to
itself in part or in total. In particular, ensure the NFS server
is not contained in any netgroups listed in its exports file.
* DO NOT allow the exports file to contain a 'localhost' entry.
* DO export to fully qualified hostnames only.
i.e., Use the full machine address 'machinename.domainname.au' and
do not abbreviate it to 'machinename'.
* ENSURE that export lists do not exceed 256 characters.
If you have access lists of hosts within /etc/exports, the list
should not exceed 256 characters AFTER any host name aliases have
been expanded.
Refer to the CERT Advisory CA-94:02 (C.8).
* DO run fsirand for all your file systems and rerun it periodically.
Firstly, ensure that you have installed any patches for fsirand.
Then ensure the file system is unmounted and run fsirand.
Predictable file handles assist crackers in abusing NFS.
* ENSURE that you never export file systems unintentionally to the world.
Use a -access=host.domainname.au option or equivalent in
/etc/exports.
See the manual page for "exports" or "dfstab" for further examples.
* DO export file systems read-only (-ro) whenever possible.
See the manual page for "exports" or "dfstab" for more information.
* If NIS is required in your situation, then DO use the secure option in
the exports file and mount requests (if the secure option is available).
* DO use showmount -e to see what you currently have exported.
* ENSURE that the permissions of /etc/exports are set to 644.
* ENSURE that /etc/exports is owned by root.
* ENSURE that you run a portmapper or rpcbind that does not forward
mount requests from clients.
A malicious NFS client can ask the server's portmapper daemon
to forward requests to the mount daemon. The mount daemon
processes the request as if it came directly from the portmapper.
If the file system is self-mounted this gives the client
unauthorised permissions to the file system.
Refer to section B.14 for how to obtain an alternate portmapper or
rpcbind that disallow proxy access.
Refer to the CERT Advisory 94:15 (C.8).
* REMEMBER that changes in /etc/exports will take effect only after
you run /usr/etc/exportfs or equivalent.
Note: A "web of trust" is created between hosts connected to each other via
NFS. That is, you are trusting the security of any NFS server you use.
2.7 /etc/hosts.lpd
* ENSURE that the first character of the file is not '-'.
(Refer to the CERT advisory CA-91:12 (see C.8)).
* ENSURE that the permissions on this file are set to 600.
* ENSURE that the owner is set to root.
* ENSURE that you do not use '!' or '#' in this file.
There is no comment character for this file.
2.8 Secure terminals
* This file may be called /etc/ttys, /etc/default/login or
/etc/security. See the manual pages for file format and usage
information.
* ENSURE that the secure option is removed from all entries that
don't need root login capabilities.
The secure option should be removed from console if you do not
want users to be able to reboot in single user mode.
Note: This does not affect usability of the su(1) command.
* ENSURE that this file is owned by root.
* ENSURE that the permissions on this file are 644.
2.9 Network services
2.9.1 /etc/inetd.conf
* ENSURE that the permissions on this file are set to 600.
* ENSURE that the owner is root.
* DO disable any services which you do not require.
- To do this we suggest that you comment out ALL services by
placing a "#" at the beginning of each line. Then enable
the ones you NEED by removing the "#" from the beginning
of the line. In particular, it is best to avoid "r" commands
and tftp, as they have been major sources of insecurities.
- For changes to take effect, you need to restart the inetd
process. Do this by issuing the commands in G.1. For some
systems (including AIX), these commands are not sufficient.
Refer to vendor documentation for more information.
2.9.2 Portmapper
* DO disable any non-required services that are started up in the system
startup procedures and register with the portmapper. See G.2 for a
command to help check for registered services.
2.10 Trivial ftp (tftp)
* If tftp is not needed, comment it out from the file
/etc/inetd.conf and restart the inetd process (as above).
* If required, read the AUSCERT Advisory SA-93:05 (see A.1) and follow
the recommendations.
2.11 /etc/services
* ENSURE that the permissions on this file are set to 644.
* ENSURE that the owner is root.
2.12 tcp_wrapper (also known as log_tcp)
* ENSURE that you are using this package.
- Customise and install it for your system.
- Enable PARANOID mode
- Consider running with the RFC931 option
- Deny all hosts by putting "all:all" in /etc/hosts.deny and
explicitly list trusted hosts who are allowed access to your
machine in /etc/hosts.allow.
- See the documentation supplied with this package for details
about how to do the above.
* DO wrap all TCP services that you have enabled in /etc/inetd.conf
* DO consider wrapping any udp services you have enabled. If you
wrap them, then you will have to use the nowait option in the
/etc/inetd.conf file.
* See section B.4 for instructions to obtain tcp_wrapper.
2.13 /etc/aliases
* Comment out the "decode" alias
... texts ...