Maybe this will help some of you...

From: Theresa Sarver (IFMC.tsarver@SDPS.ORG)
Date: Thu Sep 19 2002 - 12:26:49 EDT


Hi All -

As I was contacted offline about the recent security audit [nightmare] I just went through, I thought I'd send this to everyone - hopefully it will provide someone some help.

Thanks;
Theresa

AUDIT REQUIREMENTS:
_____________________

Startup/Login:
System files and directories should be owned by root/sys(tem) w/out world write/execute permission.
User startup files should be owned by that individual and should not allow world access.
Unless absolutely necessary, there should be no: '.rlogin', '.netrc', 'hosts.lpd', or 'hosts.equiv' files on the system.
Ensure that no files on the system begin with ".." and "..." - which could contain trojan commands.

Services and Ports:
All unnecessary services should be disabled (through /etc/inetd.conf), in addition these ports should be blocked at the perimeter router or firewall:
  rexd, rquotad, talk, sadmind, kcmsd, rstatd, fs, exec, daytime, walld, fingerd, systat, ruserd, sprayd, uucpd,
  chargen, time, echo, display, tftp, comstat, and discard
If any of these services are required then they should be running on reserved ports.

System Trust:
Prohibit root from logging in directly to a remote system.
Ensure that all users/administrators "su" to shared accounts.

Network Communication:
If remote services are not required (telnet, ftp, "r commands") they should be disabled; if they are required, then use ssh.

Network Configurations:
Ensure that network configuration files (/etc/hosts, /etc/resolv.conf, /etc/netsvc.conf, etc...) are owned by root and have a permission of 644.

Patches:
Ensure that recommended security patches are installed and are up to date.

User Accounts:
Remove outdated user accounts and home directories.
Set permissions for home directories to 750 (<-- I personally felt this was a bit excessive as the users can no longer perform a 'pwd' to find out where they are...nor can they 'cd' back to their home directory once they've left it, forcing them to log out and log back in...so I left my permission at 755.)
Ensure users have a strong password:
   8 characters: comprised of a MIN of 3 alpha, 2 numeric, and 1 other chars
   No more than 2 repeated chars/password
   New password can't use more than 3 chars from old password
   System remembers 3 old passwords
   Passwords must be changed every 90 days

Permissions:
Look for and disable setuid/setgid files/programs if not needed
Remove world writable access (if not needed)
World writable directories - such as tmp - should have the sticky bit set (1777)
(Most) user umasks should be 022 at login

Cron/At jobs:
Ensure cron/at.allow/deny files exist
Permissions on cron/at.allow/deny should be 644
Crontab files should be owned by associated user and permissions should be 600
Ensure all cron/at jobs use absolute paths
Ensure no world write/executable files/programs are being executed from a user's crontab

Core Dumps:
Remove core files from system via regularly scheduled cron job (skulker)
Configure the system so core files are of a 0-byte size when created

Network Services:
Disable all network services if not needed (through /etc/rc.tcpip)
NIS, NIS+, NFS, DNS, Sendmail, SNMP

Logs:
Syslog should be enabled
Auditing should be enabled - and checking on the following categories:
  general=USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
  system=USER_Change,GROUP_Change,USER_Create,GROUP_Create
  init=USER_Login,USER_Logout

X-Window Environments:
Disable if not using
Otherwise, use '.Xauthority', 'X.*hosts', or 'Xaccess' files to control X windows connections

__________________________

DISCLAIMER:
The above is merely informational, in no way do I accept responsibility for the changes *you* make based off the information provided. - Yep, that's what the auditor told me right before he [mistakenly] had me change root's shell (on my 24x7 production server) from '/bin/ksh' to '/sbin/sh' :> (FYI...there is no /sbin directory on an AIX box)
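A few of the file-system items on Theresa's list (world-writable files, setuid/setgid programs, ".." names, trust files, 644 config files), as an added POSIX sh example that is not part of her post. It assumes only POSIX find/chmod/mktemp; the `.rhosts` name, the `su` and `alice` names in the demo tree, and the demo tree itself are constructed for this example.

```shell
#!/bin/sh
# Constructed example: spot checks for items on the audit list above. Each
# check takes the tree to scan as $1, so it can run against a demo tree too.
# Permissions: world-writable entries; sticky-bit directories (1777) are ok.
world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) -print 2>/dev/null
}
# Permissions: setuid/setgid programs that need justification.
setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}
# Startup/Login: names starting with ".." or "...", easy to miss in "ls -a".
dotdot_names() {
    find "$1" -name '..?*' -print 2>/dev/null
}
# Startup/Login: trust files (the post's list plus .rhosts, the file the
# r-commands actually read) that should not exist without a reason.
trust_files() {
    find "$1" \( -name .rlogin -o -name .rhosts -o -name .netrc \
        -o -name hosts.equiv -o -name hosts.lpd \) -print 2>/dev/null
}
# Network Configurations: files meant to be 644 that are group/world-writable.
config_writable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune \( -perm -0020 -o -perm -0002 \) -print
    done
}
# Run all checks over a tree; prints findings, returns 1 if there were any.
run_audit() {
    n=0
    for chk in world_writable setuid_setgid dotdot_names trust_files; do
        out=$("$chk" "$1")
        if [ -n "$out" ]; then printf '%s:\n%s\n' "$chk" "$out"; n=$((n + 1)); fi
    done
    out=$(config_writable "$1/etc/hosts" "$1/etc/resolv.conf" "$1/etc/netsvc.conf")
    if [ -n "$out" ]; then printf 'config_writable:\n%s\n' "$out"; n=$((n + 1)); fi
    [ "$n" -eq 0 ]
}
# Constructed demo tree with one finding per check; prints its path.
make_demo_tree() {
    umask 022; d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp" "$d/home/alice" "$d/etc"
    chmod 755 "$d/home" "$d/home/alice" "$d/etc"; chmod 1777 "$d/tmp"
    touch "$d/home/alice/.netrc" "$d/home/alice/...cache"    # trust file, dot-dot name
    touch "$d/home/alice/notes" "$d/su" "$d/etc/hosts" "$d/etc/resolv.conf"
    chmod 666 "$d/home/alice/notes"; chmod 4755 "$d/su"       # world writable, setuid
    chmod 664 "$d/etc/hosts"; chmod 644 "$d/etc/resolv.conf"  # group writable, compliant
    echo "$d"
}
```

Source the file and run `run_audit /` as root to scan a live box (ownership is not checked, only mode bits); `run_audit "$(make_demo_tree)"` shows one finding per check on the constructed tree.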



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:12 EDT