IT Baseline Protection Manual S 4.21 Preventing unauthorised acquisition of administrator rights

S 4.21 Preventing unauthorised acquisition of administrator rights

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

With the su command, any user who knows the relevant password can obtain superuser privileges. Since su imposes no upper limit on the number of unsuccessful log-on attempts, there is an increased risk that the password will be discovered by systematic trial with the help of suitable programs. Therefore su should be available only to the superuser. Alternatively, a modified su can be installed that restricts the number of unsuccessful attempts, lengthens the delay before su can be invoked again after each unsuccessful attempt and, after a certain number of unsuccessful attempts, refuses to execute and/or blocks the terminal. All use of the su command, successful or not, should be logged.
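The following script is an added example and not part of the BSI text. It checks for the su controls the safeguard asks for, written against the Linux-PAM layout (an /etc/pam.d/su file using pam_wheel.so, pam_faildelay.so and pam_faillock.so) and the log format of the shadow-utils su. The PAM module names are real; the configuration fragment, the file mode values and the log lines are constructed for the demonstration and are assumptions about the local system.

```shell
#!/bin/sh
# Added example, not part of the BSI text: checks for su restriction,
# failure delay/lock-out and the logging of failed su attempts.
# Assumes Linux-PAM (/etc/pam.d/su) and shadow-utils su log lines.

# A hardened /etc/pam.d/su fragment (assumed layout): su only for members
# of group wheel, a delay after each failure, lock-out after 3 failures.
hardened_su_pam() {
    cat <<'EOF'
# only members of group wheel may run su at all
auth       required   pam_wheel.so use_uid
# wait 3 s after a wrong password (value is in microseconds)
auth       optional   pam_faildelay.so delay=3000000
# lock the account for 10 minutes after 3 failures
auth       required   pam_faillock.so preauth silent deny=3 unlock_time=600
auth       include    system-auth
auth       [default=die] pam_faillock.so authfail deny=3 unlock_time=600
EOF
}

# check_su_pam: reads a pam.d/su file on stdin; succeeds only if an active
# (uncommented) line requires pam_wheel.so in the auth stack.
check_su_pam() {
    grep -Ev '^[[:space:]]*#' | grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# check_su_mode OCTAL: the alternative named in the text, an su binary that
# only one group may execute. Succeeds for modes such as 4750 (setuid root,
# no access for "others"), fails for the usual 4755.
check_su_mode() {
    m=$((0$1))
    [ $((m & 04000)) -ne 0 ] && [ $((m & 07)) -eq 0 ]
}

# Constructed log lines in the shadow-utils su format: "FAILED SU" for a
# wrong password, "+ tty user:target" for a successful switch.
sample_su_log() {
    cat <<'EOF'
Jan  5 10:01:02 host su[1201]: FAILED SU (to root) alice on pts/0
Jan  5 10:01:05 host su[1202]: FAILED SU (to root) alice on pts/0
Jan  5 10:01:09 host su[1203]: FAILED SU (to root) alice on pts/0
Jan  5 10:02:30 host su[1210]: FAILED SU (to root) bob on pts/1
Jan  5 10:02:41 host su[1211]: + pts/1 bob:root
EOF
}

# failed_su_by_user THRESHOLD: reads su log lines on stdin and prints
# "user count" for every user with at least THRESHOLD failed attempts,
# the trace a systematic password try-out leaves in the log.
failed_su_by_user() {
    awk -v t="${1:-1}" '
        /FAILED SU \(to [^)]*\) / {
            sub(/.*FAILED SU \(to [^)]*\) /, "")
            n[$1]++
        }
        END { for (u in n) if (n[u] >= t) print u, n[u] }
    ' | sort
}

# stand-alone run: audit the real files if present, then the sample log
[ -r /etc/pam.d/su ] && { check_su_pam < /etc/pam.d/su || echo "su: no pam_wheel restriction"; }
sample_su_log | failed_su_by_user 3
```

In production the log check would read the authentication log (for example /var/log/auth.log) instead of the constructed sample, and the threshold would feed an alert rather than a printout.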

Where the system permits, a log-in name other than root may be chosen for the superuser (a log-in with user ID 0). However, only Administrator log-ins should be created as additional superuser log-ins (see S 2.33 Division of Administrator roles under UNIX).

To prevent the Administrator's password from being discovered by line tapping, the Administrator should only be allowed to work from the console. Under Solaris, for instance, this can be achieved by an appropriate setting of the CONSOLE entry in the /etc/default/login file. Alternatively, security functions which prevent the sniffing of Administrator passwords can be used. Examples of suitable mechanisms are Secure Shell (see safeguard S 5.64 Secure Shell) and one-time passwords (see safeguard S 5.34 Use of one-time passwords).

Under BSD UNIX, root can only log on directly at terminals designated as secure in the /etc/ttytab file (/etc/ttys on other BSD derivatives). If this designation is removed from all terminal entries, an Administrator must first log on under a personal account and then switch to root with the su command, so every acquisition of root rights is tied to a named user. Consideration should be given to setting up a user group to which execution of the su command is limited.

If, under BSD UNIX, the console is designated as secure in the /etc/ttytab file, no root password is requested when the system is started in single-user mode; anyone with physical access to the console could then reboot into a root shell. It is therefore essential that this entry is removed.

The file /etc/ftpusers lists the log-in names which are not allowed to log on via ftp. With ftp, passwords are transmitted over an unprotected plain-text connection. Therefore administrative accounts (root, bin, daemon, sys, adm, lp, smtp, uucp, nuucp, etc.) should be entered in this file. In some standard installations root is not contained in this file and must be added.

If a user or a user program executes a superuser file (a file owned by root with the s bit, i.e. the setuid bit, set), the user or program obtains superuser rights for the duration of that execution. This is required for certain applications, but could also be abused. Therefore, care must be taken to ensure that only essential program files are superuser files and that no additional superuser files can be added by third persons.
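An added example, not part of the BSI text, of how the last requirement can be checked in practice: an inventory of setuid files compared against a baseline, so that a setuid file added by a third person shows up. The find options used are POSIX (-perm -4000 matches files with the setuid bit set); the directory layout and baseline used in the stand-alone run are constructed.

```shell
#!/bin/sh
# Added example, not part of the BSI text: inventory of setuid programs and
# comparison against a baseline list of accepted superuser files.

# list_setuid DIR: every regular file below DIR (not crossing into other
# file systems) with the setuid bit set, one path per line, sorted.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print | sort
}

# list_setuid_root DIR: the subset owned by root, i.e. the "superuser
# files" in the sense of the text.
list_setuid_root() {
    find "$1" -xdev -type f -user root -perm -4000 -print | sort
}

# new_setuid BASELINE_FILE CURRENT_FILE: paths present in the current list
# but absent from the baseline (both files sorted). Anything printed here
# needs an explanation before it is accepted into the next baseline.
new_setuid() {
    comm -13 "$1" "$2"
}

# audit_setuid DIR BASELINE_FILE: lists and compares; returns 1 when new
# setuid files have appeared, so a cron job can alert on non-zero status.
audit_setuid() {
    tmp=$(mktemp) || return 2
    list_setuid "$1" > "$tmp"
    added=$(new_setuid "$2" "$tmp")
    rm -f "$tmp"
    if [ -n "$added" ]; then
        printf 'new setuid files under %s:\n%s\n' "$1" "$added"
        return 1
    fi
    return 0
}

# Stand-alone run against a constructed directory: one accepted setuid
# file in the baseline, one that was added later.
demo_dir=$(mktemp -d)
touch "$demo_dir/plain" "$demo_dir/suid_accepted" "$demo_dir/suid_added"
chmod 4755 "$demo_dir/suid_accepted" "$demo_dir/suid_added"
printf '%s\n' "$demo_dir/suid_accepted" > "$demo_dir/baseline"
audit_setuid "$demo_dir" "$demo_dir/baseline"
rm -rf "$demo_dir"
```

On a real system the baseline is taken once from a freshly installed machine (list_setuid_root /) and stored off the host, since an attacker who has already obtained root rights could otherwise edit it along with the new setuid file.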

Automatic mounting of devices for exchangeable data media

With s bit programs on a mounted medium, an ordinary user can acquire superuser rights: the setuid bit on the medium was set on some other system, where the user had root rights, and is honoured by the local kernel once the medium is mounted. Therefore, restrictions on automatic mounting (automounting) should be put in place. Some versions of UNIX offer a variant of the mount command (typically the nosuid option) under which the s bit is ignored for the relevant file system. When exchangeable data media are used, consideration should be given as to whether to use this option.

When sharing directories which can be mounted by other computers, the restrictions mentioned in S 5.17 Use of NFS security mechanisms must be observed. In particular, no directories should be shared with root rights (root on the client must be mapped to an unprivileged user), and directories with write authority should only be shared when this is necessary.
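An added example, not part of the BSI text, covering both of the preceding points: a check that removable-media and network file systems are mounted with nosuid, and a check of NFS exports for shares that grant root rights or write access to every client. The mount table lines and /etc/exports lines below are constructed; the option names (nosuid, rw, root_squash/no_root_squash) are the standard Linux ones, and the list of "foreign" file system types is an assumption to be adjusted locally.

```shell
#!/bin/sh
# Added example, not part of the BSI text: audit of mount options for
# removable/network file systems and of NFS export entries.

# mounts_without_nosuid: reads /proc/mounts-style lines on stdin
# (device mountpoint fstype options ...) and prints the mount point of
# every removable-media or network file system mounted without nosuid,
# where a setuid program brought in on the medium would still work.
mounts_without_nosuid() {
    awk '
        $3 ~ /^(vfat|exfat|iso9660|udf|nfs|nfs4|cifs)$/ {
            n = split($4, o, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (o[i] == "nosuid") ok = 1
            if (!ok) print $2
        }'
}

# risky_exports: reads /etc/exports lines on stdin ("/path client(opts) ...")
# and flags an export that maps remote root to local root (no_root_squash)
# or that is writable by every client ("*" with rw).
risky_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                f = $i
                sub(/\).*/, "", f)
                split(f, p, "(")
                client = p[1]; opts = p[2]
                n = split(opts, o, ",")
                rw = 0; nosquash = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") nosquash = 1
                }
                if (nosquash) print $1, client, "no_root_squash"
                if (rw && client == "*") print $1, client, "rw-to-all"
            }
        }'
}

# Constructed mount table: the USB stick is fine, the CD-ROM and the NFS
# mount honour setuid bits from the medium/server.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,relatime 0 0
fileserver:/export /mnt/nfs nfs rw,relatime,vers=3 0 0
EOF
}

# Constructed /etc/exports: only the first entry follows the safeguard.
sample_exports() {
    cat <<'EOF'
# constructed /etc/exports
/srv/public   *(ro,root_squash)
/srv/home     10.0.0.0/24(rw,no_root_squash)
/srv/data     *(rw)
EOF
}

# stand-alone run: the live mount table if readable, then the samples
[ -r /proc/mounts ] && mounts_without_nosuid < /proc/mounts
sample_mounts | mounts_without_nosuid
sample_exports | risky_exports
```

The remedy for a flagged mount is the option the text refers to, e.g. mount -o nosuid,nodev /dev/sdb1 /media/usb (or the same options in the automounter map); for a flagged export, root_squash and, unless write access is needed, ro.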

© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: July 2001