-----BEGIN PGP SIGNED MESSAGE----- ============================================================================== UNIX Computer Security Checklist (Version 1.1) Last Update 19-Dec-1995 ============================================================================== The Australian Computer Emergency Response Team has developed a checklist which assists in removing common and known security vulnerabilities under the UNIX Operating System. It is based around recently discovered security vulnerabilities and other checklists which are readily available (see references in Appendix C). This document can be retrieved via anonymous ftp from: ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist For information about detecting or recovering from an intrusion, see the CERT security information document which can be retrieved via anonymous ftp from: ftp://ftp.auscert.org.au/pub/cert/tech_tips/security_info It is AUSCERT's intention to continue to update this checklist. Any comments should be directed via email to auscert@auscert.org.au. Before using this document, ensure you have the latest version. New versions of this checklist will be placed in the same area on the ftp server and should be checked for periodically. In order to make effective use of this checklist, readers will need to have a good grasp of basic UNIX system administration concepts. Refer to C.9 and C.10 for books on UNIX system administration. If possible, apply this checklist to a system before attaching it to a network. In addition, we recommend that you use the checklist on a regular basis as well as after you install any patches or new versions of the operating system, with consideration given to the appropriateness of each action to your particular situation. Command examples have been supplied for BSD-like and SVR4-like systems (see Appendix F for operating system details and Appendix G for command details). Full directory paths and program options may vary for different flavours of UNIX. If in doubt, consult your vendor documentation. For ease of use, the checklist has been organised into separate, logically cohesive sections. All sections are important. An abbreviated version of this checklist can be found in Appendix D. CHECKLIST INDEX: 1.0 Patches 2.0 Network security 3.0 ftpd and anonymous ftp 4.0 Password and account security 5.0 File system security 6.0 Vendor operating system specific security 7.0 Security and the X Window System APPENDICES: Appendix A Other AUSCERT information sources Appendix B Useful security tools Appendix C References Appendix D Abbreviated Checklist Appendix E Shell Scripts Appendix F Table of operating systems by flavour Appendix G List of commands by flavour Any trademarks which appear in this document are registered to their respective owners. ============================================================================== 1.0 Patches ============================================================================== * Retrieve the latest patch list from your vendor and install any patches not yet installed that are recommended for your system. Some patches may re-enable default configurations. For this reason, it is important to go through this checklist AFTER installing ANY new patches or packages. * Details on obtaining patches may be found in Section 6. * Verify the digital signature of any signed files. Tools like PGP may be used to sign files and to verify those signatures. (Refer to B.15 for PGP access information). * If no digital signature is supplied but an md5(1) checksum is supplied, then verify the checksum information to confirm that you have retrieved a valid copy. (Refer to B.10 for MD5 access information). * If only a generic sum(1) checksum is provided, then check that. Be aware that the sum(1) checksum should not be considered secure. ============================================================================== 2.0 Network security ============================================================================== The following is a list of features that can be used to help prevent attacks from external sources. 2.1 Filtering * ENSURE that ONLY those services which are required from outside your domain are allowed through your router filters. In particular, if the following are not required outside your domain, then filter them out at the router. NAME PORT PROTOCOL NAME PORT PROTOCOL echo 7 TCP/UDP login 513 TCP systat 11 TCP shell 514 TCP netstat 15 TCP printer 515 TCP bootp 67 UDP biff 512 UDP tftp 69 UDP who 513 UDP link 87 TCP syslog 514 UDP supdup 95 TCP uucp 540 TCP sunrpc 111 TCP/UDP route 520 UDP NeWS 144 TCP openwin 2000 TCP snmp 161 UDP NFS 2049 UDP/TCP xdmcp 177 UDP X11 6000 to 6000+n TCP exec 512 TCP (where n is the maximum number of X servers you will have) Note: Any UDP service that replies to an incoming packet may be subject to a denial of service attack. See CERT advisory CA-95.01 (C.8) for more details. Filtering is difficult to implement correctly. For information on packet filtering, please see Firewalls and Internet Security (C.6) and Building Internet Firewalls (C.7). 2.2 "r" commands 2.2.1 If you don't NEED to use the "r" commands... * DO disable all "r" commands (rlogin, rsh etc.) unless specifically required. This may increase your risk of password exposure in network sniffer attacks, but "r" commands have been a regular source of insecurities and attacks. Disabling them is by far the lesser of the two evils (see 2.9.1). 2.2.2 If you must run the "r" commands... * DO use more secure versions of the "r" commands for cases where there is a specific need. Wietse Venema's logdaemon package contains a more secure version of the "r" command daemons. These versions can be configured to consult only /etc/hosts.equiv and not $HOME/.rhosts. There is also an option to disable the use of wildcards ('+'). Refer to B.13 for access information for the logdaemon package * DO filter ports 512,513 and 514 (TCP) at the router if you do use any of the "r" commands. This will stop people outside your domain from exploiting these commands but will not stop people inside your domain. To do this you will need to disable these commands (see 2.2.1). * DO use tcp_wrappers to provide greater access and logging on these network services (see 2.12). 2.3 /etc/hosts.equiv 2.3.1 It is recommended that the following action be taken whether or not the "r" commands are in use on your system. * CHECK if the file /etc/hosts.equiv is required. If you are running "r" commands, this file allows other hosts to be trusted by your system. Programs such as rlogin can then be used to log on to the same account name on your machine from a trusted machine without supplying a password. If you are not running "r" commands or you do not wish to explicitly trust other systems, you should have no use for this file and it should be removed. If it does not exist, it cannot cause you any problems if any of the "r" commands are accidentally re-enabled. 2.3.2 If you must have a /etc/hosts.equiv file * ENSURE that you keep only a small number of TRUSTED hosts listed. * DO use netgroups for easier management if you run NIS (also known as YP) or NIS+. * DO only trust hosts within your domain or under your management. * ENSURE that you use fully qualified hostnames, i.e., hostname.domainname.au * ENSURE that you do NOT have a '+' entry by itself anywhere in the file as this may allow any user access to the system. * ENSURE that you do not use '!' or '#' in this file. There is no comment character for this file. * ENSURE that the first character of the file is not '-'. Refer to the CERT advisory CA-91:12 (C.8). * ENSURE that the permissions are set to 600. * ENSURE that the owner is set to root. * CHECK it again after each patch or operating system installation. 2.4 /etc/netgroup * If you are using NIS (YP) or NIS+, DO define each netgroup to contain only usernames or only hostnames. All utilities parse /etc/netgroup for either hosts or usernames, but never both. Using separate netgroups makes it easier to remember the function of each netgroup. The added time required to administer these extra netgroups is a small cost in ensuring that strange permission combinations have not left your machine in an insecure state. Refer to the manual pages for more information. 2.5 $HOME/.rhosts 2.5.1 It is recommended that the following action be taken whether or not the "r" commands are in use on your system. * ENSURE that no user has a .rhosts file in their home directory. They pose a greater security risk than /etc/hosts.equiv, as one can be created by each user. There are some genuine needs for these files, so hear each one on a case-by-case basis; e.g., running backups over a network unattended. * DO use cron to periodically check for, report the contents of and delete $HOME/.rhosts files. Users should be made aware that you regularly perform this type of audit, as directed by policy. 2.5.2 If you must have such a file * ENSURE the first character of the file is not '-'. Refer to the CERT advisory CA-91:12 (C.8). * ENSURE that the permissions are set to 600. * ENSURE that the owner of the file is the account's owner. * ENSURE that the file does NOT contain the symbol "+" on any line as this may allow any user access to this account. * ENSURE that usage of netgroups within .rhosts does not allow unintended access to this account. * ENSURE that you do not use '!' or '#' in this file. There is no comment character for this file. * REMEMBER that you can also use logdaemon to restrict the use of $HOME/.rhosts (see 2.2.2). 2.6 NFS When using NFS, you implicitly trust the security of the NFS server to maintain the integrity of the mounted files. * DO filter NFS traffic at the router. Filter TCP/UDP on port 111 TCP/UDP on port 2049 This will prevent machines not on your subnet from accessing file systems exported by your machines. * DO apply all available patches. NFS has had a number of security vulnerabilities. * DO disable NFS if you do not need it. See your vendor supplied documentation for detailed instructions. * DO enable NFS port monitoring. Calls to mount a file system will then be accepted from ports < 1024 only. This will provide added security in some circumstances. See your vendor's documentation to determine whether this is an option for your version of UNIX (see also 6.1.8 and 6.2.4). * DO use /etc/exports or /etc/dfs/dfstab to export ONLY the file systems you need to export. If you aren't certain that a file system needs to be exported, then it probably shouldn't be exported. * DO NOT self-reference an NFS server in its own exports file. i.e., The exports file should not export the NFS server to itself in part or in total. In particular, ensure the NFS server is not contained in any netgroups listed in its exports file. * DO NOT allow the exports file to contain a 'localhost' entry. * DO export to fully qualified hostnames only. i.e., Use the full machine address 'machinename.domainname.au' and do not abbreviate it to 'machinename'. * ENSURE that export lists do not exceed 256 characters. If you have access lists of hosts within /etc/exports, the list should not exceed 256 characters AFTER any host name aliases have been expanded. Refer to the CERT Advisory CA-94:02 (C.8). * DO run fsirand for all your file systems and rerun it periodically. Firstly, ensure that you have installed any patches for fsirand. Then ensure the file system is unmounted and run fsirand. Predictable file handles assist crackers in abusing NFS. * ENSURE that you never export file systems unintentionally to the world. Use a -access=host.domainname.au option or equivalent in /etc/exports. See the manual page for "exports" or "dfstab" for further examples. * DO export file systems read-only (-ro) whenever possible. See the manual page for "exports" or "dfstab" for more information. * If NIS is required in your situation, then DO use the secure option in the exports file and mount requests (if the secure option is available). * DO use showmount -e to see what you currently have exported. * ENSURE that the permissions of /etc/exports are set to 644. * ENSURE that /etc/exports is owned by root. * ENSURE that you run a portmapper or rpcbind that does not forward mount requests from clients. A malicious NFS client can ask the server's portmapper daemon to forward requests to the mount daemon. The mount daemon processes the request as if it came directly from the portmapper. If the file system is self-mounted this gives the client unauthorised permissions to the file system. Refer to section B.14 for how to obtain an alternate portmapper or rpcbind that disallow proxy access. Refer to the CERT Advisory 94:15 (C.8). * REMEMBER that changes in /etc/exports will take effect only after you run /usr/etc/exportfs or equivalent. Note: A "web of trust" is created between hosts connected to each other via NFS. That is, you are trusting the security of any NFS server you use. 2.7 /etc/hosts.lpd * ENSURE that the first character of the file is not '-'. (Refer to the CERT advisory CA-91:12 (see C.8)). * ENSURE that the permissions on this file are set to 600. * ENSURE that the owner is set to root. * ENSURE that you do not use '!' or '#' in this file. There is no comment character for this file. 2.8 Secure terminals * This file may be called /etc/ttys, /etc/default/login or /etc/security. See the manual pages for file format and usage information. * ENSURE that the secure option is removed from all entries that don't need root login capabilities. The secure option should be removed from console if you do not want users to be able to reboot in single user mode. Note: This does not affect usability of the su(1) command. * ENSURE that this file is owned by root. * ENSURE that the permissions on this file are 644. 2.9 Network services 2.9.1 /etc/inetd.conf * ENSURE that the permissions on this file are set to 600. * ENSURE that the owner is root. * DO disable any services which you do not require. - To do this we suggest that you comment out ALL services by placing a "#" at the beginning of each line. Then enable the ones you NEED by removing the "#" from the beginning of the line. In particular, it is best to avoid "r" commands and tftp, as they have been major sources of insecurities. - For changes to take effect, you need to restart the inetd process. Do this by issuing the commands in G.1. For some systems (including AIX), these commands are not sufficient. Refer to vendor documentation for more information. 2.9.2 Portmapper * DO disable any non-required services that are started up in the system startup procedures and register with the portmapper. See G.2 for a command to help check for registered services. 2.10 Trivial ftp (tftp) * If tftp is not needed, comment it out from the file /etc/inetd.conf and restart the inetd process (as above). * If required, read the AUSCERT Advisory SA-93:05 (see A.1) and follow the recommendations. 2.11 /etc/services * ENSURE that the permissions on this file are set to 644. * ENSURE that the owner is root. 2.12 tcp_wrapper (also known as log_tcp) * ENSURE that you are using this package. - Customise and install it for your system. - Enable PARANOID mode - Consider running with the RFC931 option - Deny all hosts by putting "all:all" in /etc/hosts.deny and explicitly list trusted hosts who are allowed access to your machine in /etc/hosts.allow. - See the documentation supplied with this package for details about how to do the above. * DO wrap all TCP services that you have enabled in /etc/inetd.conf * DO consider wrapping any udp services you have enabled. If you wrap them, then you will have to use the nowait option in the /etc/inetd.conf file. * See section B.4 for instructions to obtain tcp_wrapper. 2.13 /etc/aliases * Comment out the "decode" alias by placing a "#" at the beginning of the line. For this change to take effect you will need to run /usr/bin/newaliases. If you run NIS (YP), you will then need to rebuild your maps (see G.3). * ENSURE that all programs executable by an alias are owned by root, have permissions 755 and are stored in a systems directory e.g., /usr/local/bin. If smrsh is in use, program execution may be further restricted. Refer to the smrsh documentation for more details (see B.9). 2.14 Sendmail * DO use the latest version of Eric Allman's sendmail 8.x (currently 8.7.3), as it currently contains no KNOWN vulnerabilities. The latest version is available via anonymous FTP from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu /ucb/sendmail NOTE: If you don't already run Eric Allman's sendmail.8.7.*, then it may take you some time to build, install, and configure the system to your needs. Other sendmail(8) configuration files may not be compatible with sendmail(8) 8.7.x. There is some help available for converting from SUN's sendmail: bundled with the distribution of sendmail(8) v8.7.x is a document on converting standard SUN configuration files to sendmail(8) v8.*. This is located in the distribution, in the file: contrib/converting.sun.configs * If you use a vendor version of sendmail, ENSURE that you have installed the latest patches as sendmail(8) has been a source of a number of security vulnerabilities. Refer to AUSCERT Advisories SA-93:10, AA-95.08 and AA-95.09b (A.1) and CERT Advisories CA-94:12, CA-95:05 and CA-95:08 (C.8). * If you require progmailer functionality then DO use smrsh (see B.9). * If you do not require progmailer functionality then DO disable mail to programs by setting this field to /bin/false in the sendmail configuration file. * ENSURE that your version of sendmail does not have the wizard password enabled (see G.4). ENSURE that if you have a line starting with "OW" in /etc/sendmail.cf, it only has a "*" next to it. * DO increase sendmail(8) logging to a minimum log level of 9. This will help detect attempted exploitation of the sendmail(8) vulnerabilities. See G.5 for example commands. * DO increase the level of logging provided by syslog. Enable a minimum level of "info" for mail messages to be logged to the console and/or the syslog file. See G.6 for example code and instructions. * REMEMBER that you will need to restart sendmail for any changes to take effect. If you are running a frozen configuration file (sendmail.fc), you will need to rebuild it before restarting sendmail(8) (see G.7). 2.15 majordomo * ENSURE that your version is greater than 1.91. See AUSCERT Advisory SA-94.03 (see A.1) for more details. 2.16 fingerd * If your version of fingerd is older than than 5 November 1988, DO replace it with a newer version. * Finger can provide a would-be intruder with a lot of information about your host. CONSIDER the finger information you provide and think about reducing the content by disabling finger or by replacing it with a version that only offers restricted information. NOTE: other services such as rusers and netstat may give out similar information. * DO NOT use GNU finger v1.37 as it may allow intruders to read any file. 2.17 UUCP * DO disable the uucp account, including the shell that it executes for logging in, if it is not used at your site. uucp may be shipped in a dangerous state. * REMOVE any .rhosts file at the uucp home directory. * ENSURE that the file L.cmds is owned by root. * ENSURE that no uucp owned files or directories are world writable. * ENSURE that you have assigned a different uucp login for each site that needs uucp access to your machine. * ENSURE that you have limited the number of commands that each uucp login can execute to a bare minimum. * DO consider deleting the whole uucp subsystem if it is not required. * ENSURE there are no vendor-supplied uucp or root crontab entries. 2.18 REXD * DO disable this service. Comment this out in the inetd.conf file. See section 2.9.1 for details on how to do this. rexd servers have little or no security in their design or implementation. Intruders can exploit this service to execute commands as any user. 2.19 World Wide Web (WWW) - httpd * ENSURE that you are using the most recent version of the http daemon of your choice. * DO run the server daemon httpd as a specially created nonprivileged user such as 'httpd'. This way, if an intruder finds a vulnerability in the server they will only have access privileges for this unprivileged user. * DO NOT run the server daemon as root. * DO NOT run the client processes as root. * DO run httpd in a chroot(1) environment. This sets up an alternate root directory that severely limits access of http clients to the rest of the disk. * For systems which do not have a chroot(1) command, use of chrootuid (see B.16) may be of assistance. * DO carefully go through the configuration options for your server. * DO use the configuration options to give extra protection to sensitive directories by turning off the 'include files' feature. This will disallow files from these directories from being included in HTML documents. * DO use CGIWRAP. (See B.17) * DO NOT run CGI (Common Gateway Interface) scripts if they are not required. * DO be very careful in constructing CGI programs. These programs compute information to be returned to clients and are often driven by input from the remote user who may be hostile. If these programs are not carefully constructed, it may be possible for remote users to subvert them to execute arbitrary commands on the server system. Almost all vulnerabilities arise from these issues. * DO provide CGIs as statically linked binaries rather than as interpreted scripts. This will remove the need for a command interpreter to be available inside the chrooted environment. * ENSURE that the contents, permissions and ownership of files in the cgi-bin directory are what you expect them to be (see your site security policy document for more details). * AVOID passing user input directly to command interpreters such as Perl, AWK, UNIX shells or programs that allow commands to be embedded in outgoing messages such as /usr/ucb/mail * FILTER user input for potentially dangerous characters before it is passed to any command interpreters. Possibly dangerous characters include \n \r (.,/;~!)>|^&$`< . (Refer to the CERT Advisory CA-95:04 (see C.8)). ============================================================================== 3.0 ftpd and anonymous ftp ============================================================================== 3.1 Versions * ENSURE that you are using the most recent version of the ftp daemon of your choice. * DO consider installing the Washington University ftpd if you don't already have it (see B.19). * For BSDI systems, patch 005 should be applied to version 1.1 of the BSD/386 software (see B.20). 3.2 Configuration * CHECK all default configuration options on your ftp server. * ENSURE that your ftp server does not have the SITE EXEC command (see G.8 for command details). * ENSURE that you have set up a file /etc/ftpusers which specifies those users that are NOT allowed to connect to your ftpd. This should include, as a MINIMUM, the entries: root, bin, uucp, ingres, daemon, news, nobody and ALL vendor supplied accounts. 3.3 Anonymous ftp only * To ascertain whether you are running anonymous ftp, try to connect to the localhost using anonymous ftp. Be sure to give an RFC822 compliant username as the password (see G.9). * To disable anonymous ftp, move or delete all files in ~ftp/ and then remove the user ftp from your password file. * If you are running distributed passwords (e.g., NIS, NIS+) then you will need to check the password entries served to your machine as well as those in your local password file. 3.3.1 Configuration of your ftp server * CHECK all default configuration options on your ftp server. Not all versions of ftp are configurable. If you have a configurable version of ftp (e.g., wu-ftp) then make sure that all delete, overwrite, rename, chmod and umask options (there may be others) are NOT allowed for guests and anonymous users. In general, anonymous users should not have any unnecessary privileges. * ENSURE that you DO NOT include a command interpreter (such as a shell or tools like perl) in ~ftp/bin, ~ftp/usr/bin, ~ftp/sbin or similar directory configurations that can be executed by SITE EXEC (Refer to AUSCERT advisory SA-94.01 (see A.1)). * DO NOT keep system commands in ~ftp/bin, ~ftp/usr/bin, ~ftp/sbin or similar directory configurations that can be executed by SITE EXEC. It may be necessary to keep some commands, such as uncompress, in these locations. Consider the inclusion of each command on a case by case basis and be aware that the presence of such commands may make it possible for local users to gain unauthorised access. Be wary of including commands that can execute arbitrary commands. For example, some versions of tar may allow you to execute an arbitrary file. (Refer to AUSCERT advisory SA-94.01 (see A.1)). * ENSURE that you use an invalid password and user shell for the ftp entry in the system password file and the shadow password file (if you have one). It should look something like: ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/false where /home/ftp is the anonymous ftp area. * ENSURE that the permissions of the ftp home directory (~ftp/) are set to 555 (read nowrite execute), owner set to root (NOT ftp). * ENSURE that you DO NOT have a copy of your real /etc/passwd file as ~ftp/etc/passwd. Create one from scratch with permissions 444, owned by root. It should not contain the names of any accounts in your real password file. It should contain only root and ftp. These should be dummy entries with disabled passwords eg: root:*:0:0:Ftp maintainer:: ftp:*:400:400:Anonymous ftp:: The password file is used only to provide uid to username mapping for ls(1) listings. * ENSURE that you DO NOT have a copy of your real /etc/group file as ~ftp/etc/group. Create one from scratch with permissions 444, owned by root. * ENSURE the files ~ftp/.rhosts and ~ftp/.forward do not exist. * DO set the login shell of the ftp account to a non-functional shell such as /bin/false. 3.3.2 Permissions * ENSURE NO files or directories are owned by the ftp account or have the same group as the ftp account. If they are, it may be possible for an intruder to replace them with a trojan version. * ENSURE that the anonymous ftp user cannot create files or directories in ANY directory unless required (see Section 3.3.3). * ENSURE that the anonymous ftp user can only read information in public areas. * ENSURE that the permissions of the ftp home directory (~ftp/) are set to 555 (read nowrite execute), owner set to root (NOT ftp). * ENSURE that the system subdirectories ~ftp/etc and ~ftp/bin have the permissions 111 only, owner set to root. * ENSURE that the permissions of files in ~ftp/bin/* have the permissions 111 only, owner set to root. * ENSURE that the permissions of files in ~ftp/etc/* are set to 444, owner set to root. * ENSURE that there is a mail alias for ftp to avoid mail bounces. * ENSURE /usr/spool/mail/ftp is owned by root with permissions 400. 3.3.3 Writable directories * ENSURE that you don't have any writable directories. It is safest not to have any writable directories. If you do have any, we recommend that you limit the number to one. * ENSURE that writable directories are not also readable. Directories that are both writable and readable may be used in an unauthorised manner. * ENSURE that any writable directories are owned by root and have permissions 1733. * DO put writable directories on a separate partition if possible. This will help to prevent denial of service attacks. * DO read Anonymous FTP Configuration Guidelines (see B.21). 3.3.4 Disk mounting * NEVER mount disks from other machines to the ~ftp hierarchy unless they are set read-only in the mount command. ============================================================================== 4.0 Password and account security ============================================================================== This section of the checklist can be incorporated as part of a password and account usage policy. 4.1 Policy * ENSURE that you have a password policy for your site. See the AUSCERT Advisory SA-93.04 (see A.1). * ENSURE you have a User Registration Form for each user on each system. Make sure that this form includes a section that the intending applicant signs, stating that they have read your account usage policy and what the consequences are if they misuse their account. 4.2 Proactive Checking * DO use anlpasswd to proactively screen passwords as they are entered. This program runs a series of checks on passwords when they are set, which assists in avoiding poor passwords. It works with normal, shadow and NIS (or yp) password systems. (Refer to section B.3 for how to obtain it). * DO check passwords periodically with Crack. (Refer to section B.1 for how to obtain Crack). * DO apply password ageing (if possible). 4.3 NIS, NIS+ and /etc/passwd entries * DO NOT run NIS or NIS+ if you don't really need it. * If NIS functionality is required, DO use NIS+ if possible. * ENSURE that the only machines that have a '+' entry in the /etc/passwd files are NIS (YP) clients; i.e., NOT the NIS master server! There appears to be conflicting documentation and implementations regarding the '+' entry format and so a generic solution is not available here. It would be best to consult your vendor's documentation. Some of the available documentation suggests placing a '*' in the password field, which is NOT consistent across all implementations of NIS. We recommend testing your systems on a case-by-case basis to see if they correctly implement the '*' in the password field. See G.10 for instructions. * ENSURE that /etc/rc.local or the equivalent startup procedure is set up to start ypbind with the -s option. This may not be applicable on all systems. Check your documentation. * DO use secure RPC. 4.4 Password shadowing * DO enable vendor supplied password shadowing or a third party product. Password shadowing restricts access to users' encrypted passwords. * DO periodically audit your password and shadow password files for unauthorised additions or inconsistencies. 4.5 Administration * ENSURE that you regularly audit your system for dormant accounts and disable any that have not been used for a specified period, say 3 months. Send out account renewal notices by post and delete any accounts of users that do not reply. [NOTE: Do not email renewal notices because any accounts being used illegitimately will reply as expected and hence will not be discovered] * ENSURE that all accounts have passwords. Check shadow or NIS passwords too, if you have them. i.e., the password field is not empty. * ENSURE that any user area is adequately backed up and archived. * DO regularly monitor logs for successful and unsuccessful su(1) attempts. * DO regularly check for repeated login failures. * DO regularly check for LOGIN REFUSED messages. * Consider quotas on user accounts if you do not have them. * Consider requiring that users physically identify themselves before granting any requests regarding accounts (e.g., before creating a user account). 4.6 Special accounts * ENSURE that there are no shared accounts other than root in accordance with site security policy. i.e., more than one person should not know the password to an account. * Disable guest accounts. Better yet, do not create guest accounts! [NOTE: Some systems come preconfigured with guest accounts] * DO use special groups (such as the "wheel" group under SunOS) to restrict which users can use su to become root. * DISABLE ALL default vendor accounts shipped with the Operating System. This should be checked after each upgrade or installation. * DO Disable accounts that have no password which execute a command, for example "sync". Delete or change ownership of any files owned by these accounts. Ensure that these accounts do not have any cron or at jobs. It is best to remove these accounts entirely. * DO assign non-functional shells (such as /bin/false) to system accounts such as bin and daemon and to the sync account if it is not needed. * DO put system accounts in the /etc/ftpusers file so they cannot use ftp. This should include, as a MINIMUM, the entries: root, bin, uucp, ingres, daemon, news, nobody and ALL vendor supplied accounts. 4.7 Root account * DO restrict the number of people who know the root password. These should be the same users registered with groupid 0 (e.g., wheel group on SunOS). Typically this is limited to at most 3 or 4 people. * DO NOT log in as root over the network, in accordance with site security policy. * DO su from user accounts rather than logging in as root. This provides greater accountability. * ENSURE root does not have a ~/.rhosts file. * ENSURE "." is not in root's search path. * ENSURE root's login files do not source any other files not owned by root or which are group or world writable. * ENSURE root cron job files do not source any other files not owned by root or which are group or world writable. * DO use absolute path names when root. e.g., /bin/su, /bin/find, /bin/passwd. This is to stop the possibility of root accidentally executing a trojan horse. To execute commands in the current directory, root should prefix the command with "./", e.g., ./command. 4.8 .netrc files * DO NOT use .netrc files unless it is absolutely necessary. * If .netrc files must be used, DO NOT store password information in them. 4.9 GCOS field * DO include information in the GCOS field of the password file which can be used to identify your site if the password file is stolen. e.g., joe:*:10:10:Joe Bloggs, Organisation X:/home/joe:/bin/sh ============================================================================== 5.0 File system security ============================================================================== 5.1 General * ENSURE that there are no .exrc files on your system that have no legitimate purpose. * DO consider using the EXINIT environment variable to disable .exrc file functionality. These files may inadvertently perform commands that may compromise the security of your system if you happen to start either vi(1) or ex(1) in a directory which contains such a file. See G.11 for example commands to find .exrc files. * ENSURE that any .forward files in user home directories do not execute an unauthorised command or program. The mailer may be fooled into allowing a normal user privileged access. Authorised programs may be restricted through use of smrsh (see B.9). See G.12 for example commands to find .forward files. (Refer to AUSCERT Advisory SA-93.10 (see A.1)). 5.2 Startup and shutdown scripts * ENSURE startup and shutdown scripts do not chmod 666 motd. This allows users to change system message for the day. * ENSURE that the line "rm -f /tmp/t1" (or similar) exists in a startup script to clean up the temporary file used to create /etc/motd. This should occur BEFORE the code to startup the local daemons. 5.3 /usr/lib/expreserve * DO replace versions of /usr/lib/expreserve prior to July 1993 with a recommended patch from your vendor. If this is not possible, then remove execute permission on /usr/lib/expreserve (see G.13). This will mean that users who edit their files with either vi(1) or ex(1) and have their sessions interrupted, will not be able to recover their lost work. If you implement the above workaround, please advise your users to regularly save their editing sessions. (Refer to the CERT advisory CA-93:09 for advice on fixing this problem for the SunOS and Solaris environments). 5.4 External file systems/devices * DO mount file systems non-setuid and read-only where practical. (Refer to section 2.6) 5.5 File Permissions * ENSURE that the permissions of /etc/utmp are set to 644. * ENSURE that the permissions of /etc/sm and /etc/sm.bak are set to 2755. * ENSURE that the permissions of /etc/state are set to 644. * ENSURE that the permissions of /etc/motd and /etc/mtab are set to 644. * ENSURE that the permissions of /etc/syslog.pid are set to 644. [NOTE: this may be reset each time you restart syslog.] * DO consider removing read access to files that users do not need to access. * ENSURE that the kernel (e.g., /vmunix) is owned by root, has group set to 0 (wheel on SunOS) and permissions set to 644. * ENSURE that /etc, /usr/etc, /bin, /usr/bin, /sbin, /usr/sbin, /tmp and /var/tmp are owned by root and that the sticky-bit is set on /tmp and on /var/tmp (see G.14). Refer to the AUSCERT Advisory AA-95:05 (see A.1). * ENSURE that there are no unexpected world writable files or directories on your system. See G.15 for example commands to find group and world writable files and directories. * CHECK that files which have the SUID or SGID bit enabled, should have it enabled (see G.16). * ENSURE the umask value for each user is set to something sensible like 027 or 077. (Refer to section E.1 for a shell script to check this). * ENSURE all files in /dev are special files. Special files are identified with a letter in the first position of the permissions bits. See G.17 for a command to find files in /dev which are not special files or directories. Note: Some systems have directories and a shell script in /dev which may be legitimate. Please check the manual pages for more information. * ENSURE that there are no unexpected special files outside /dev. See G.18 for a command to find any block special or character special files. 5.6 Files run by root AUSCERT recommends that anything run by root should be owned by root, should not be world or group writable and should be located in a directory where every directory in the path is owned by root and is not group or world writable. * CHECK the contents of the following files for the root account. Any programs or scripts referenced in these files should meet the above requirements: - ~/.login, ~/.profile and similar login initialisation files - ~/.exrc and similar program initialisation files - ~/.logout and similar session cleanup files - crontab and at entries - files on NFS partitions - /etc/rc* and similar system startup and shutdown files * If any programs or scripts referenced in these files source further programs or scripts they also need to be verified. 5.7 Bin ownership Many systems ship files and directories owned by bin (or sys). This varies from system to system and may have serious security implications. * CHANGE all non-setuid files and all non-setgid files and directories that are world readable but not world or group writable and that are owned by bin to ownership of root, with group id 0 (wheel group under SunOS 4.1.x). - Please note that under Solaris 2.x changing ownership of system files can cause warning messages during installation of patches and system packages. - Anything else should be verified with the vendor. 5.8 Tiger/COPS * Do run one or both of these. Many of the checks in this section can be automated by using these programs. * To obtain these programs, see B.2. 5.9 Tripwire * DO run statically linked binary * DO store the binary, the database and the configuration file on hardware write-protected media. * To obtain this program, see B.5. ============================================================================== 6.0 Vendor operating system specific security ============================================================================== The following is a list of security issues that relate to specific UNIX operating systems. This is not necessarily a complete list of available UNIX types or of problems for those that are listed. 6.1 SunOS 4.1.x 6.1.1 Patches * DO regularly ask your vendor for a complete list of patches. Sun regularly updates a list of recommended and security patches, which is available from: ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/* or ftp://sunsolve1.sun.com/pub/patches/* 6.1.2 IP forwarding and source routing This is particularly relevant if you are using your SUN box as a bastion host or duel homed system. * ENSURE IP forwarding is disabled. You will need the following line in the kernel configuration file: options "IPFORWARDING=-1" For information on how to customise a kernel, see the file: /usr/sys/`arch`/conf/README * DO also consider disabling source routing. Leaving source routing enabled may allow unauthorised traffic through. Unfortunately there is no official method or patch for turning source routing off. There is however an unsupported patch. It is available via anonymous ftp from ftp://ftp.auscert.org.au/pub/mirrors/ftp.greatcircle.com/v03.n153.Z 6.1.3 Framebuffers /dev/fb If somebody can log in to your Sun workstation from a remote source, they can read the contents of your Framebuffer, which is /dev/fb. Sun provides a mechanism which allows the user logging in on the console to have exclusive access to the Framebuffer, by using the file /etc/fbtab. A sample /etc/fbtab file: # # File: /etc/fbtab # Purpose: Specifies that upon login to /dev/console, the # owner, group and permissions of all supported # devices, including the framebuffer, will be set to # the user's username, the user's group and 0600. # Comments: SunOS specific. # Note: You cannot use \ to continue a line. # # Format: # Device Permission Colon separated device list. # /dev/console 0600 /dev/fb /dev/console 0600 /dev/bwone0:/dev/bwtwo0 /dev/console 0600 /dev/cgone0:/dev/cgtwo0:/dev/cgthree0 /dev/console 0600 /dev/cgfour0:/dev/cgsix0:/dev/cgeight0 /dev/console 0600 /dev/cgnine0:/dev/cgtwelve0 # /dev/console 0600 /dev/kb:/dev/mouse /dev/console 0600 /dev/fd0c:/dev/rfd0c After the above file has been created, reboot your machine, or log out fully, then log back in again. Read the man page for fbtab(5) for more information. * The login replacement from Wietse Venema's logdaemon package supports a similar feature. (Refer to B.13 for information on how to retrieve the logdaemon package) 6.1.4 /usr/kvm/sys/* * ENSURE all files and directories under /usr/kvm/sys/ are not writable by group. In SunOS 4.1.4 the default mode is 2775 with group staff, allowing users in group staff to trojan the kernel. 6.1.5 /usr/kvm/crash * REMOVE setgid privileges on /usr/kvm/crash with the command: # /bin/chmod g-s /usr/kvm/crash A group of kmem allows users to read the virtual memory of a running system. 6.1.6 /dev/nit (Network Interface Tap) * DO run the CERT tool cpm to check if your system is running in promiscuous mode. For access details for cpm see B.6. * DO disable the /dev/nit interface if you do not need to run in promiscuous mode. - For SunOS 4.x and Solbourne systems, the promiscuous interface to the network can be eliminated by removing the /dev/nit capability from the kernel. Once the procedure is complete, you may remove the device file /dev/nit since it is no longer functional. - Apply "method 1" as outlined in the System and Network Administration manual, in the section, "Sun System Administration Procedures," Chapter 9, "Reconfiguring the System Kernel." Excerpts from the method are reproduced below: # cd /usr/kvm/sys/sun[3,3x,4,4c]/conf # cp CONFIG_FILE SYS_NAME [NOTE: that at this step, you should replace the CONFIG_FILE with your system specific configuration file if one exists.] # chmod +w SYS_NAME # vi SYS_NAME # # The following are for streams NIT support. NIT is used by # etherfind, traffic, rarpd, and ndbootd. As a rule of thumb, # NIT is almost always needed on a server and almost never # needed on a diskless client. # pseudo-device snit # streams NIT pseudo-device pf # packet filter pseudo-device nbuf # NIT buffering module [Comment out the 3 "pseudo-device" lines; save and exit the editor before proceeding.] # config SYS_NAME # cd ../SYS_NAME # make # mv /vmunix /vmunix.old # cp vmunix /vmunix # /etc/halt > b [This step will reboot the system with the new kernel.] [NOTE: that even after the new kernel is installed, you need to take care to ensure that the previous vmunix.old , or other kernel, is not used to reboot the system.] See CERT Advisory CA_94.01 (see C.8) 6.1.7 Loadable drivers option * DO remove the option for loadable modules from the kernel. This will mean that a rebuild of the kernel and a reboot will be necessary in order to load any additional kernel modules and intruders will be prevented from being able to load extra kernel modules dynamically. To remove this option, comment out the line options VDDRV # loadable modules from the kernel configuration file and re-compile the kernel. NOTE: Some software may expect to be able to load additional modules such as device drivers. NOTE: Even after the new kernel is installed, you need to take care to ensure that the previous vmunix.old , or other kernel, is not used to reboot the system. 6.1.8 NFS port monitoring * DO enable NFS port monitoring (see also section 2.6). Add the following commands to /etc/rc.local: /bin/echo "nfs_portmon/W1" | /bin/adb -w /vmunix /dev/kmem > \ /dev/null 2>&1 rpc.mountd 6.2 Solaris 2.x 6.2.1 Patches * DO regularly ask your vendor for a complete list of patches. Sun regularly updates a list of recommended and security patches, which is available from: ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/* or ftp://sunsolve1.sun.com/pub/patches/* 6.2.2 IP forwarding and source routing This is particularly relevant if you are using your SUN box as a bastion host or duel homed system. * DO disable IP forwarding and source routing. To do this you will need to edit the file /etc/rc.2.d/S69.inet and set the options ip_forwarding and ip_ip_forward_src_routed to zero as illustrated below: ndd -set /dev/ip ip_forwarding 0 ndd -set /dev/ip ip_ip_forward_src_routed 0 For the changes to take effect you will then need to reboot. 6.2.3 Framebuffers /dev/fbs * Solaris versions 2.3 and above have a protection facility for framebuffers which is a superset of the functionality provided by /etc/fbtab in SunOS 4.1.x. * Under Solaris, /dev/fbs is a directory that contains links to the framebuffer devices. The /etc/logindevperm file contains information that is used by login(1) and ttymon(1M) to change the owner, group, and permissions of devices upon logging into or out of a console device. By default, this file contains lines for the keyboard, mouse, audio, and frame buffer devices. A sample /etc/logindevperm file: # # File: /etc/logindevperm # Purpose: Specifies that upon login to /dev/console, the # owner, group and permissions of all supported # devices, including the framebuffer, will be set to # the user's username, the user's group and 0600. # Comments: SunOS specific. # Note: You cannot use \ to continue a line. # # Format: # Device Permission Colon separated device list. # /dev/console 0600 /dev/kbd:/dev/mouse /dev/console 0600 /dev/sound/* # audio devices /dev/console 0600 /dev/fbs/* # frame buffers Read the man page for logindevperm(4) for more information. 6.2.4 NFS port monitoring * DO enable NFS port monitoring. To do this add the following lines to /etc/system: set nfs:nfs_portmon = 1 or in Solaris version 2.5 set nfssrv:nfs_portmon = 1 * See also section 2.6. 6.3 IRIX * DO regularly ask your vendor for a complete list of patches. * Some IRIX patches are available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.sgi.com/security/* or ftp://ftp.auscert.org.au/pub/mirrors/sgigate.sgi.com/* * DO read the FAQ on IRIX security. A copy can be obtained via anonymous ftp from ftp://ftp.auscert.org.au/pub/mirrors/ftp.uu.net/sgi/security.Z * For systems which do not have the chroot(1) command, use of chrootuid (see B.16) may be of assistance. * DO use the software tool rscan. It checks for many common IRIX-specific security vulnerabilities and problems. (Refer to B.11 for information on where to get a copy of rscan) 6.4 AIX * DO regularly ask your vendor for a complete list of patches. * Some AIX patches are available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirrors/software.watson.ibm.com /aix-patches 6.5 HP/UX * DO regularly ask your vendor for a complete list of patches. HP has set up an automatic server to allow patches and other security information to be retrieved via email. Email should be sent to the address support@support.mayfield.hp.com. The subject line of the message will be ignored. The body (text) of the message should be of the format send XXXX where XXXX is the identifier for the information you want retrieved. For example, to retrieve the patch PHSS_4834, the message would be send PHSS_4834. To receive the HP SupportLine mail service user's guide send guide.txt To receive the readme file for a patch send doc PHSS_4834 To receive the original HP bulletin send doc HPSBUX9410-018. HP also has a World Wide Web server to browse and retrieve bulletins and patches. The URL is: http://support.mayfield.hp.com/ 6.6 OSF * DO regularly ask your vendor for a complete list of patches. Some patches are available from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.service.digital.com /osf//ssrt* or ftp://ftp.service.digital.com/pub/osf//ssrt* where is the version of the operating system that you run. 6.7 ULTRIX * DO regularly ask your vendor for a complete list of patches. Some patches are available from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.service.digital.com /ultrix/

//ssrt* or ftp://ftp.service.digital.com/pub/ultrix/

//ssrt* where

is either mips or vax; and where is the version of the operating system that you run. ============================================================================== 7.0 Security and the X Window System ============================================================================== Access to your X server may be controlled through either a host- based or user-based method. The former is left to the discretion of the Systems Administrator at your site and is useful as long as all hosts registered in the /etc/Xn.hosts file have users that can be trusted, where "n" represents your X server's number. This may not be possible at every site, so a better method is to educate each and every user about the security implications (see references below). Better still, when setting up a user, give them a set of X security related template files, such as .xserverrc and .xinitrc. These are located in the users home directory. You are strongly advised to read the section on X window system security referred to in the X Window System Administrators Guide (C.4). 7.1 Problems with xdm Note: Release 6 of X11 is now available and solves many problems associated with X security which were present in previous releases. If possible, obtain the source for R6 and compile and install it on your system. See B.18 for how to retrieve the source for X11R6. * xdm bypasses the normal getty and login functions, which means that quotas for the user, ownership of /dev/console and possibly other preventive measures put in place by you may be ignored. * You should consult your vendor and ask about potential security holes in xdm and what fixes are available. * If you are running a version of xdm earlier than October 1995 then you should update to a newer version. (Refer to CERT Vendor-Initiated Bulletin VB-95:08, see C.8) 7.2 X security - General * DO Read the man pages for xauth and Xsecurity. Use this information to set up the security level you require. * ENSURE that the permissions on /tmp are set to 1777 (or drwxrwxrwt). i.e., the sticky bit should be set. The owner MUST always be root and group ownership should be set to group-id 0, which is "wheel" or "system". - If the sticky bit is set, no one other than the owner can delete the file /tmp/.X11-unix/X0, which is a socket for your X server. Once this file is deleted, your X server will no longer be accessible. - See G.14 for example commands to set the correct permissions and ownership for /tmp. * DO use the X magic cookie mechanism MIT-MAGIC-COOKIE-1 or better. With logins under the control of xdm (see 7.1), you can turn on authentication by editing the xdm-config file and setting the DisplayManager*authorize attribute to true. When granting access to the screen from another machine, use the xauth command in preference to the xhost command. * DO not permit access from arbitrary hosts. Remove all instances of the 'xhost +' command from the system-wide Xsession file, from user .xsession files, and from any application programs or shell scripts that use the X window system. ============================================================================== Appendix A: Other AUSCERT information sources A.1 AUSCERT advisories and alerts Past AUSCERT advisories and alerts can be retrieved via anonymous ftp from ftp://ftp.auscert.org.au/pub/auscert/advisory/ A.2 AUSCERT's World Wide Web server AUSCERT maintains a World Wide Web server. Its URL is http://www.auscert.org.au A.3 AUSCERT's ftp server AUSCERT maintains an ftp server with an extensive range of tools and documents. Please browse through it. Its URL is ftp://ftp.auscert.org.au/pub/ ============================================================================== Appendix B: Useful security tools There are many good tools available for checking your system. The list below is not a complete list, and you should NOT rely on these to do ALL of your work for you. They are intended to be only a guide. It is envisaged that you may write some site specific tools to supplement these. It is also envisaged that you may look around on ftp servers for other useful tools. AUSCERT has not formally reviewed, evaluated or endorsed the tools described. The decision to use the tools described is the responsibility of each user or organisation. B.1 Crack Crack is a fast password cracking program designed to assist site administrators in ensuring that users use effective passwords. Available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/cert/tools/crack/* B.2 COPS and Tiger These packages identify common security and configuration problems. They also check for common signs of intrusion. Though there is some overlap between these two packages, they are different enough that it may be useful to run both. Both are available via anonymous ftp. COPS: ftp://ftp.auscert.org.au/pub/cert/tools/cops/1.04 tiger: ftp://ftp.auscert.org.au/pub/mirrors/net.tamu.edu/tiger* B.3 anlpasswd This program is a proactive password checker. It runs a series of checks on passwords at the time users set them and refuses password that fail the tests. It is designed to work with shadow password systems. It is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirror/info.mcs.anl.gov/* B.4 tcp_wrapper This software gives logging and access control to most network services. It is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl /tcp_wrappers_7.2.tar.gz B.5 Tripwire This package maintains a checksum database of important system files. It can serve as an early intrusion detection system. It is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/coast/COAST/Tripwire/* B.6 cpm cpm checks to see if your network interfaces are running in promiscuous mode. If you do not normally run in this state then it may be an indication that an intruder is running a network sniffer on your system. This program was designed to run on SunOS 4.1.x and may also work on many BSD systems. It is available via anonymous ftp from: ftp://ftp.auscert.edu.au/pub/cert/tools/cpm/* B.8 Vendor supplied security auditing packages Sun provides an additional security package called SUNshield. Please direct enquiries about similar products to your vendor. B.9 smrsh The smrsh(8) program is intended as a replacement for /bin/sh in the program mailer definition of sendmail(8). smrsh is a restricted shell utility that provides the ability to specify, through a configuration, an explicit list of executable programs. When used in conjunction with sendmail, smrsh effectively limits sendmail's scope of program execution to only those programs specified in smrsh's configuration. It is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/cert/tools/smrsh Note: smrsh comes bundled with Eric Allman's sendmail 8.7.1 and higher. B.10 MD5 MD5 is a message digest algorithm. An implementation of this is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/cert/tools/md5/* B.11 rscan This tool checks for a number of common IRIX-specific security bugs and problems. It is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.vis.colostate.edu /rscan/* B.12 SATAN SATAN (Security Administrator Tool for Analysing Networks) is a testing and reporting tool that collects information about networked hosts. It can also be run to check for a number of vulnerabilities accessible via the network. It is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/satan* B.13 logdaemon Written by Wietse Venema, this package includes replacements for rsh and rlogin daemons. By default these versions do not accept wild cards in host.equiv or .rhost files. They also have an option to disable user .rhost files. logdaemon is available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon* B.14 portmapper/rpcbind These are portmapper/rpcbind replacements written by Wietse Venema that disallow proxy access to the mount daemon via the portmapper. Choose the one suitable for your system. They are available via anonymous ftp from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl /portmap_3.shar.Z ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl /rpcbind_1.1.tar.Z B.15 PGP Pretty Good Privacy implements encryption and authentication. It is available from: ftp://ftp.ox.ac.uk/pub/pgp/unix/ B.16 chrootuid Allows chroot functionality. The current version is 1.2 (at time of writing). Please check for later versions. It is available from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl /chrooduid1.2 A digital signature is available from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl /chrooduid1.2.asc B.17 CGIWRAP It is available from: ftp://ftp.cc.umr.edu/pub/cgi/cgiwrap B.18 X11R6 It is available from: ftp://archie.au/X11/R6/* ftp://archie.au/X11/contrib/* or ftp://ftp.x.org/pub/R6/* B.19 Washington University ftpd (wu-ftpd) This can log all events and provide users with a login banner and provide writable directory support in a more secure manner. It is available from: ftp://ftp.auscert.org.au/pub/mirrors/wuarchive.wustl.edu /packages/wuarchive-ftpd/* NOTE: Do not install any versions prior to wu-ftp 2.4 as these are extremely insecure and in some cases have been trojaned. Refer to the CERT advisory CA-94:07 (C.8). B.20 Patch 005 for BSD/386 v1.1. It is available from: ftp://ftp.auscert.org.au/pub/mirrors/ftp.bsdi.com /bsdi/patches/README ftp://ftp.auscert.org.au/pub/mirrors/ftp.bsdi.com /bsdi/patches/?U110-005 or ftp://ftp.bsdi.com/bsdi/patches/README ftp://ftp.bsdi.com/bsdi/patches/?U110-005 (where ? is B or S for the Binary or Source version) B.21 Anonymous FTP Configuration Guidelines The CERT document which addresses the many problems associated with writable anonymous ftp directories. It is available from: ftp://ftp.auscert.org.au/pub/cert/tech_tips/anonymous_ftp ============================================================================== Appendix C: References C.1 Practical UNIX Security Simson Garfinkel and Gene Spafford (C) 1991 O'Reilly & Associates, Inc. C.2 UNIX Systems Security Patrick Wood and Stephen Kochan (C) 1986 Hayden Books C.3 UNIX system security: A Guide for Users and System Administrators David A. Curry Addison-Wesley Professional Computing Series May 1992. C.4 X Window System Administrators Guide Chapter 4 (C) 1992 O'Reilly & Associates, Inc. C.5 Information Security Handbook William Caelli, Dennis Longley and Michael Shain (C) 1991 MacMillan Publishers Ltd. C.6 Firewalls and Internet Security William R. Cheswick & Steven M. Bellovin (C) 1994 AT&T Bell Laboratories Addison-Wesley Publishing Company C.7 Building Internet Firewalls Brent Chapman and Elizabeth Zwicky (C) 1995 O'Reilly & Associates, Inc. C.8 CERT advisories are available via anonymous FTP from ftp://ftp.auscert.org.au/pub/cert/cert_advisories/* CERT vendor-initiated bulletins are available via anonymous FTP from ftp://ftp.auscert.org.au/pub/cert/cert_bulletins/* C.9 UNIX System Administration Handbook (second edition) Evi Nemeth, Garth Snyder, Trent R. Hein and Scott Seebas Prentice-Hall, Englewood Cliffs (NJ), 1995 C.10 Essential System Administration Aeleen Frisch O'Reilly & Associates, Inc. C.11 Managing Internet Information Services Cricket Liu, Jerry Peek, Russ Jones, Bryan Buus, Adrian Nye O'Reilly & Associates, Inc. C.12 Managing NFS and NIS Hal Stern, O'Reilly and Associates, Inc., 1991 ============================================================================== Appendix D: Abbreviated Checklist It is intended that this short version of the checklist be used in conjunction with the full checklist as a progress guide (mark off the sections as you go so that you remember what you have done so far). 1.0 Patches [ ] Installed latest patches? 2.0 Network security [ ] Filtering [ ] "r" commands [ ] /etc/hosts.equiv [ ] /etc/netgroup [ ] $HOME/.rhosts [ ] NFS [ ] /etc/hosts.lpd [ ] Secure terminals [ ] Network services [ ] Trivial ftp (tftp) [ ] /etc/services [ ] tcp_wrapper (also known as log_tcp) [ ] /etc/aliases [ ] Sendmail [ ] majordomo [ ] fingerd [ ] UUCP [ ] REXD [ ] World Wide Web (WWW) - httpd 3.0 ftpd and anonymous ftp [ ] Versions [ ] Configuration [ ] Anonymous ftp only [ ] Configuration of your ftp server [ ] Permissions [ ] Writable directories [ ] Disk mounting 4.0 Password and account security [ ] Policy [ ] Proactive Checking [ ] NIS, NIS+ and /etc/passwd entries [ ] Password shadowing [ ] Administration [ ] Special accounts [ ] Root account [ ] .netrc files [ ] GCOS field 5.0 File system security [ ] General [ ] Startup and shutdown scripts [ ] /usr/lib/expreserve [ ] External file systems/devices [ ] File Permissions [ ] Files run by root [ ] Bin ownership [ ] Tiger/COPS [ ] Tripwire 6.0 Vendor operating system specific security [ ] SunOS 4.1.x [ ] Patches [ ] IP forwarding and source routing [ ] Framebuffers /dev/fb [ ] /usr/kvm/sys/* [ ] /usr/kvm/crash [ ] /dev/nit (Network Interface Tap) [ ] Loadable drivers option [ ] Solaris 2.x [ ] Patches [ ] IP forwarding and source routing [ ] Framebuffers /dev/fbs [ ] IRIX [ ] Patches [ ] AIX [ ] Patches [ ] HPUX [ ] Patches [ ] OSF [ ] Patches [ ] ULTRIX [ ] Patches 7.0 Security and the X Window System [ ] Problems with xdm [ ] X security - General ============================================================================== Appendix E: Shell Scripts E.1 Script for printing the umask value for each user. #!/bin/sh PATH=/bin:/usr/bin:/usr/etc:/usr/ucb HOMEDIRS=`cat /etc/passwd | awk -F":" 'length($6) > 0 {print $6}' | sort -u` FILES=".cshrc .login .profile" for dir in $HOMEDIRS do for file in $FILES do grep -s umask /dev/null $dir/$file done done ============================================================================== Appendix F: Table of operating systems by flavour Operating System SVR4-like BSD-like Other ------------------------------------------------------------------- | | | SunOS 4.1.x * | | | | Solaris 2.x * | | | | Solaris intel86 x.x * | | | | Irix x.x * | | | | HP/UX x.x * | | | | Ultrix x.x * | | | | OSF x.x * | | | | *BSD* x.x * | | | | Linux x.x * | | | | AIX x.x * | | | | SCO x.x * | | | ------------------------------------------------------------------- ============================================================================== Appendix G: List of commands by flavour Notes: 1. The commands given here are examples only. Please consult the manual pages for your system if you are unsure of the consequence of any command. 2. BSD-style commands are marked as BSD commands, similarly for SVR4. 3. Commands which are not labelled are expected to work for both. 4. Full directory paths and program options may vary for different flavours of UNIX. If in doubt, consult your vendor documentation. G.1 Restart inetd BSD commands # /bin/ps -aux | /bin/grep inetd | /bin/grep -v grep # /bin/kill -HUP SVR4 commands # /bin/ps -ef | /bin/grep inetd | /bin/grep -v grep # /bin/kill -HUP G.2 Ascertain which services are registered with the portmapper # /usr/bin/rpcinfo -p G.3 Rebuild alias maps # /usr/bin/newaliases If you run NIS (YP), you will then need to rebuild your maps to have the change take effect over all clients: # (cd /var/yp; /usr/bin/make aliases) G.4 Test whether sendmail wizard password is enabled % telnet hostname 25 wiz debug kill quit % You should see the response "5nn error return" (e.g., "500 Command unrecognized") after each of the commands 'wiz', 'debug' and 'kill'. Otherwise, your version of sendmail may be vulnerable. If you are unsure whether your version is vulnerable, update it. G.5 Set sendmail log level to 9 Include lines describing the log level (similar to the following two) in the options part of the general configuration information section of the sendmail configuration file: # log level OL9 The log level syntax changed in sendmail 8.7 to: # log level O LogLevel=9 G.6 Set syslog log level for mail messages Include lines describing the logging required (similar to the following two) in the syslog.conf file: mail.info /dev/console mail.info /var/adm/messages For the change to take effect, you must then instruct syslog to reread the configuration file. BSD commands Get the current PID of syslog: # /bin/ps -aux | /bin/grep syslogd | /bin/grep -v grep Then tell syslog to reread its configuration file: # /bin/kill -HUP SVR4 commands: Get the current PID of syslog: # /bin/ps -ef | /bin/grep syslogd | /bin/grep -v grep Then tell syslog to reread its configuration file: # /bin/kill -HUP NOTE: In the logs, look for error messages like: - mail to or from a single pipe ("|") - mail to or from an obviously invalid user (e.g., bounce or blah) G.7 (Rebuilding and) restarting sendmail(8) To rebuild the frozen configuration file, firstly do: # /usr/lib/sendmail -bz NOTE: The above process does not apply to sendmail v8.x which does not support frozen configuration files. To restart sendmail(8), you should kill *all* existing sendmail(8) processes by sending them a TERM signal using kill, then restart sendmail(8). BSD commands Get the pid of every running sendmail process: # /bin/ps -aux | /bin/grep sendmail | /bin/grep -v grep Kill every running sendmail process and restart sendmail: # /bin/kill #pid of every running sendmail process # /usr/lib/sendmail -bd -q1h SVR4 commands Get the pid of every running sendmail process: # /bin/ps -ef | /bin/grep sendmail | /bin/grep -v grep Kill every running sendmail process and restart sendmail: # /bin/kill #pid of every running sendmail process # /usr/lib/sendmail -bd -q1h G.8 Test whether ftpd supports SITE EXEC For normal users: % telnet localhost 21 USER username PASS password SITE EXEC For anonymous users: % telnet localhost 21 USER ftp PASS username@domainname.au SITE EXEC You should see the response "5nn error return" (e.g., "500 'SITE EXEC' command not understood"). If your ftp daemon has SITE EXEC enabled, make sure you have the most recent version of the daemon (e.g., wu-ftp 2.4). Older versions of ftpd allow any user to gain shell access using the SITE EXEC command. Use QUIT to end the telnet session. G.9 Ascertain whether anonymous ftp is enabled % ftp localhost Connected to localhost 220 hostname FTP server ready Name (localhost:username): anonymous 331 Guest login ok, send username as password Password: user@domain.au 230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files. ftp> G.10 Ensure that * in the password field is correctly implemented 1. Try using NIS with the '*' in the password field for example: +:*:0:0::: If NIS users cannot log in to that machine, remove the '*' and try the next test. 2. With the '*' removed, try logging in again. If NIS users can log in AND you can also log in unauthenticated as the user '+', then your implementation is vulnerable. Contact the vendor for more information. If NIS users can log in AND you cannot log in as the user '+', your implementation should not be vulnerable to this problem. G.11 Find .exrc files # /bin/find / -name '.exrc' -exec /bin/cat {} \; -print See also G.19. G.12 Locate and print .forward files # /bin/find / -name '.forward' -exec /bin/cat {} \; -print See also G.19. G.13 Remove execute permission on /usr/lib/expreserve # /bin/chmod 400 /usr/lib/expreserve G.14 Set ownership and permissions for /tmp correctly # /bin/chown root /tmp # /bin/chgrp 0 /tmp # /bin/chmod 1777 /tmp NOTE: This will NOT recursively set the sticky bit on sub-directories below /tmp, such as /tmp/.X11-unix and /tmp/.NeWS-unix; you may have to set these manually or through the system startup files. G.15 Find group and world writable files and directories # /bin/find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; # /bin/find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; See also G.19. G.16 Find files with the SUID or SGID bit enabled # /bin/find / -type f \( -perm -004000 -o -perm -002000 \) \ -exec ls -lg {} \; See also G.19. G.17 Find normal files in /dev # /bin/find /dev -type f -exec ls -l {} \; See also G.19. G.18 Find block or character special files # /bin/find / \( -type b -o -type c \) -print | grep -v '^/dev/' See also G.19. G.19 Avoid NFS mounted file systems when using /bin/find # /bin/find / \( \! -fstype nfs -o -prune \) As an example, could be -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; ============================================================================== The AUSCERT team have made every effort to ensure that the information contained in this checklist is accurate. However, the decision to use the tools and techniques described is the responsibility of each user or organisation. The appropriateness of each item for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. AUSCERT acknowledges technical input and review of this document by CERT Coordination Center and DFN-CERT and comments from users of this document. Permission is granted to copy and distribute this document provided that The University of Queensland copyright is acknowledged. (C) Copyright 1995 The University of Queensland ============================================================================== If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au AUSCERT Hotline: (07) 3365 4417 (International: + 61 7 3365 4417) Facsimile: (07) 3365 4477 AUSCERT personnel answer during business hours (AEST - GMT+10:00), on call after hours for emergencies. Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane, Queensland 4072. Australia -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key iQCVAwUBMNdrTih9+71yA2DNAQH9sQP/aWGDwRG80e4oz6pgeRRkzB25tm0D12ew 8zXBldNrbGC1s0h4U//G/WPNvWeF4Llr7GAAevTxwc8RMeDS9N3Aw5YTpPXaOE+x WSqHDEQfCwRgiOJc4sw3GA9r7/HYcwi81E06gNwmFTDU+IMmAiKCBisw/vNCnHS9 RztMITIV7is= =wZf1 -----END PGP SIGNATURE-----