Security Parameters for Unix and Linux Systems

Upload: radu-bucos

Post on 02-Jun-2018


8/10/2019 Security Parameters for Unix and Linux Systems 1/33

Operating Method

Organization of Networks, Carriers and IT Division
Architecture and Security Department
Architecture Prescriptions and Security

Centre National de Sécurité du Système d'Information de France Télécom (CNS SI)
Bâtiment LC3, 2 avenue Pierre Marzin, Technopole Anticipa, 22307 Lannion CEDEX
Telephone: 02 96 05 06 07 - Fax: 02 96 05 19 00
SA au capital de 4 098 458 244 EUR - RCS Paris B 380 129 866

Reference: MGS404 S2F0
Title: Security parameters for Unix and Linux systems
Master Document: PSI-RSI : PGS425
Location: Securinoo
Summary: This document describes the security rules applicable for configuring UNIX systems.
Support Service: CNS SI, Permanence CNSSI
Keywords: Security, rules, UNIX, Linux, HP-UX, AIX, SUN Solaris
Type: Create (the "Cancels and replaces" field is blank)
Addressees for action: DSSI (Information System Security Delegates), MOAs and MOEs
Addressees for information: Managers of National Departments, Operating Units and Subsidiaries
Validity: Permanent from 6th November 2000 (the "Temporary from ... to ..." field is blank)

Author: Patrick BREHIN, Xavier GATELLIER & al.; date 26/4/2004; signature
Verification: Jean-Paul Guiguen, Mickaël Davila; date 4/5/2004; signature
Approved by: name, date and signature left blank


Modifications

Version S0F0, 12.12.03: Document created from ROSSI-090 V2.0, MGS404 S1F2, MGS405 S1F3, MGS406 S1F2, MGS412 S1F2 and MGS422 S1F0.
Version S0F1, 16/12/2003: Convergence of ROSSI and RSSI rules.
Version "11" (as printed in the transcript), 23/04/2004: Re-numbering rules.

Domain of attachment

Domain code: GS. Domain name: IS security management.

Associated documents

BD/99/41, BRHF/99/205, SG/99/27: Record of Decision BD/BRHF/SG of 22 April 1999, Organisation of France Telecom information system security and associated charter.
Criminal Code Article 223 et seq.
MGS411: Configuration of security parameters for http servers
MGS402 S1F0: Warning to be inserted into title pages
MGS401 S2F3: Authentifiers, identifiers and passwords
MGS425 S1F0: OpenSSH configuration
MGS-679 v0.2: Archiving of logs
GUI-017: Tcp-wrappers installation and configuration guide
MGS 601 V2.0: File transfer
MGS 620 S0F1: Configuring anonymous UNIX FTP servers


Contents

1. Objective 5
2. Scope and general principles 5
3. Players concerned 5
4. General security information 6
5. Overview of Operation 7
  5.1. UNIX system 7
    5.1.1. Data organisation 7
    5.1.2. File and directory rights 7
    5.1.3. Software packages 8
    5.1.4. Task automation 8
    5.1.5. X-Window 8
    5.1.6. Miscellaneous 8
      5.1.6.1. .exrc file 8
      5.1.6.2. chroot command 9
  5.2. Network services 9
    5.2.1. IP stack 9
    5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind 10
    5.2.3. Xinetd 10
6. General rules 11
  6.1. Software packages and patches 11
  6.2. Startup scripts 11
  6.3. Miscellaneous 11
7. System security 12
  7.1. File system 12
  7.2. System stack 12
  7.3. File and directory rights 13
  7.4. Sensitive files 13
  7.5. Automation 14
  7.6. Logging configuration 14
  7.7. Environment 15
8. Account (access) security 16
  8.1. Access control 16
  8.2. Remote access right 16
  8.3. Account/environment configuration 16
  8.4. Administration commands 18
  8.5. Trust mechanism 19
  8.6. Logging 19


9. Network security 20
  9.1. IP stack 20
  9.2. Administration flow security 21
  9.3. Network service filtering 21
    9.3.1. Configuration of Inetd / tcp-wrapper 21
    9.3.2. Configuration of Xinetd 22
  9.4. Routing 23
  9.5. Name resolution 23
  9.6. RPC (Remote procedure call) Portmapper (portmap), rpcbind 24
  9.7. Network services to ban 24
10. Security of services 25
  10.1. General comments 25
  10.2. X-Window 25
  10.3. File transfer service 25
  10.4. Messaging service 25
  10.5. Distributed names service 26
  10.6. NFS (network file system) 26
  10.7. Administration / supervision department 26
  10.8. WEB 27
  10.9. Domain names service 27
11. Appendix: rights and permissions for important files 28


1. Objective

This document defines the security rules applicable to UNIX and Linux systems.

2. Scope and general principles

The rules and principles are applicable to all UNIX and Linux systems in the France Telecom group information system. They must be observed when developing applications or working on existing systems.

All rules in this document provide sufficient levels of security without overly restricting the freedom of action of users. It would however be possible, whenever necessary, to increase the level of security by strengthening these rules whilst ensuring system stability (for example, a rule specifying a umask of 022 is still satisfied if the umask is more restrictive, such as 027).

3. Players concerned

- Systems administrators and operators
- Principal Client and Principal Contractor Project Managers
- Application architects


4. General security information

Computer security is necessary because information technology needs to communicate to operate correctly. This involves aspects such as:

- protection of systems and data
- the reliability of software and hardware
- the performance and availability of services
- proper protection of stored and exchanged information

It should be pointed out that:

- A system is never entirely secure.
- The security of a system is a compromise between resources and expected results.
- People outside the company are responsible for 25% of risks:
  - intrusion
  - service denial
  - spying, document/programme theft (industrial property)
  - data corruption
  - liability (identity falsification followed by criminal action, etc.)
  - etc.
- People inside the company are responsible for 75% of risks:
  - data leaks (theft)
  - irresponsible behaviour (brand image)
  - theft of resources (working on the side)
  - dissemination of illegal statements or images (liability of the organisation)

Reminders:

- A chain's level of security is that of its weakest link.
- There is no network security. So: each system connected must be secure.

We will apply the following basic principle:

Everything that is not explicitly authorised is prohibited.


5. Overview of Operation

5.1. UNIX system

5.1.1. Data organisation

All the data in a UNIX system may be seen as an enormous catalogue of files, referenced in an unambiguous way. It is therefore a complex structure of data that must be able to manage the following high-level concepts simultaneously: filename, its attributes, its type (if that is meaningful for the system), its size, its physical storage, operations in process on the file (concurrent access management, modifications in process but not written onto the storage medium, etc.).

The data is organised in a tree structure of files and directories. For easier handling, this structure is generally broken down into several sub-structures called file systems.

File systems cannot be accessed directly. They have to undergo an operation known as mounting. Any mounted file system must be unmounted or the removable media containing it must be taken out before turning off the machine. Otherwise, any unwritten data will be permanently lost.

The Unix file system tree structure is standard and can be broken down as follows:

/etc               Computer configuration files
/bin               Fundamental programmes (shell, etc.) that can be called up by the user
/lib               Libraries (programme bank called up indirectly)
/sbin              System administration programmes
/var               Variable (dynamic) data
/tmp or /var/tmp   Temporary data (limited lifetime)
/root              Administrator work file
/usr               Main system programmes and commands. Subdivided into /usr/bin, /usr/sbin, /usr/lib, etc.
/usr/local         Same as /usr, but for programmes installed locally (not included in the standard system distributed)
/home (or others as applicable)   User work files. E.g. /home/toto

5.1.2. File and directory rights

In UNIX systems, files may have read (r), write (w) and execute (x) protection. In this way, it is possible to choose whether a file can be read and/or modified and/or executed. This protection is based on the principle of file access rights.

File rights are defined according to these access rights (rwx) and ownership of the file. Access rights to a file are defined for its owner, the group to which the file belongs and other users (those that are neither its owner nor part of the owner's group).

A file or directory may also be given the following other rights:

SetUID / SetGID (s)   Applicable to the owner and/or owner group for executable files. It gives owner rights to the file during execution (or owner group rights, depending on the case) to the user executing the file in question.
StickyBit (t)         In a directory with the sticky bit set, only the owner of a file or directory may delete it.


5.1.3. Software packages

Nowadays, most companies commercialising UNIX systems organise the various software components and supply them in packages. The system is thus installed in homogeneous groups of files and the elements grouped in a package are generally highly interdependent (in practice they are files for the same application). When a package is installed, the user in fact installs specific software. However, certain packages are dependent on other packages; for example, packages containing the basic system are obviously used by all other packages. The installation programmes manage this dependency and inter-package conflicts relatively well, so that they can now be installed without too much difficulty.

In order to organise all these packages, companies often sort them into series. A series is simply a set of packages grouped by functional domain. This means that a given package can easily be found by searching in the series containing all the functionally similar packages. Grouping of packages into series in no way means that all packages in the same series need to be installed in order to obtain a given function but that the programmes within the series more or less concern this function. In fact, redundancy or conflict may exist between two packages in the same series. In this case, the user should select one or the other, according to the requirements.

5.1.4. Task automation

In Unix, tasks can be configured to be executed automatically during a given period of time, on given dates or when the system load average is beneath a certain level. These commands enable commands/scripts to be executed at a point in the future. The system function cron is administered by the crontab command. The command "at" is used to submit a job to the system.

5.1.5. X-Window

X Window is not only a video board driver but also an application interface (API) enabling applications to be displayed on the screen and to receive input via the keyboard and mouse.

X is also a network server, which means that it can also offer services via a network, enabling screen display of an application running on another machine, even if the two architectures are completely different. This is why we use the term X server to designate the graphical sub-system. The X Window system runs on almost all Unix systems and is even used under Windows and OS/2. Almost all graphical programmes under Unix use X.

The user does not interact directly with X but rather with what are called X clients (as opposed to the X server). You undoubtedly already use clients such as a Window Manager or a Desktop Environment such as CDE, KDE or Gnome. To log on, you probably also use a Display Manager such as KDM, XDM or GDM. The applications are located above these clients.

The X Window system (or X Window or even X) is a registered trademark of the X Consortium. The free X servers distributed with Linux come from the XFree86 project.

Official sites:

http://www.x.org
http://www.xfree86.org

5.1.6. Miscellaneous

5.1.6.1. .exrc file


The ex or vi editors, for example, first look for the .exrc startup file in the current directory, then in your HOME directory. This file is normally used to define abbreviations and key-combination correspondence. However, it may also contain shell escapes that enable commands to be executed when the editor is started.

5.1.6.2. chroot command

Chroot is a command that modifies the location of the root of the file system; for example, a decoy can be set up for the programme so that ill-intentioned users cannot get into the real root.

5.2. Network services

5.2.1. IP stack

An IP stack is a group of interdependent protocols, each of them reliant on one or several others, which is why the word stack is used. It is a simplified form of the OSI 7-layer model which has proved robust and adaptable.

The principal components of the TCP/IP stack are as follows:

- IP (Internet Protocol): This is a level-3 protocol. It transfers TCP/IP packets on the local network and with external networks via routers. The IP protocol works in connectionless mode, i.e. packets issued by level 3 are transferred independently (datagrams) without any guarantee of delivery.
- ARP (Address Resolution Protocol): A protocol that enables the level-3 address (the IP address) to be linked with a level-2 address (the MAC address).
- ICMP (Internet Control Message Protocol): Used for tests and diagnostics.
- TCP (Transmission Control Protocol): A level-4 protocol that operates in connection-oriented mode. On a TCP connection between two network machines, messages (packets or TCP segments) are acknowledged and delivered in sequence.
- UDP (User Datagram Protocol): A level-4 protocol in connectionless mode: messages (or UDP packets) are forwarded independently.

OSI layer         TCP/IP (over TCP)                  (over UDP)
7 Application     TELNET, FTP                        TFTP
6 Presentation    SMTP, RPC                          DOMAIN
5 Session         X11, HTTP                          NFS
4 Transport       TCP                                UDP
3 Network         IP (Internet Protocol), ICMP, ARP
2 Data Link       Local network protocol
1 Physical        (Ethernet, Fast Ethernet, FDDI...)

Files affected by OS:

AIX: /etc/rc.net for versions prior to AIX 5.2; for more recent versions see the command n to modify parameters, as this file is not read on server start-up.
Solaris: /etc/init.d/inetinit
HP-UX: /etc/rc.config.d/nddconf
Linux kernel 2.2: /etc/sysctl.conf

For further information, see the site: http://www.cymru.com/Documents/ip-stack-tuning.html


5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind

The operating principle for remote procedure calls is as follows: each programme wishing to provide RPC services "listens" on a TCP or UDP port for queries. Clients wishing to use these services must send their queries to this port, indicating all the information needed for execution of this query: query number and query parameters. The server executes the query and returns the result. RPC libraries provide the functions needed to transfer the parameters and the actual remote calls.

However, in practice, clients do not know on which port the RPC server is expecting their queries. A mechanism has therefore been set up to enable them to retrieve details of this port and then communicate with the server. Each RPC server is identified by a unique programme number and a version number. When they start up, the servers register with the system, specifying the port on which they will be listening for queries. Clients can then query the remote system to ask for the port where they will find a given server, based on the latter's programme and version numbers.

A special RPC service therefore exists, known as the portmapper, which provides clients that request them with the port numbers of other servers. The portmapper must of course always be contactable, which implies that it must systematically use the same port number. By convention, the portmapper is identified by programme number 100000 and it listens for client queries on port 111 of the TCP and UDP protocols. It must be started in a particular order in order to make RPC calls (which the NIS/NIS+ client programme does) to servers (as, for example, an NIS/NIS+ server) on this machine. When the RPC server is started, it will inform the portmap daemon of the number of the port which it is scanning and the numbers of the RPC programmes with which it is ready to work. In principle, standard RPC servers are launched by inetd (inetd(8) manual), so portmap must be launched before inetd. (All these elements are used by NIS/NIS+ and NFS among others; the portmapper administers nfsd, mountd, ypbind/ypserv, pcnfsd and r-services such as ruptime and rusers.)

5.2.3. Xinetd

Xinetd is present on the following platforms at least: Solaris 2.6 (sparc and x86), Linux, BSDi, and IRIX 5.3 and 6.2.

Xinetd offers access control capacities similar to those offered by tcp_wrapper. However, its possibilities extend far beyond this:

- access control for TCP, UDP and RPC services (not everything functions very well for the latter);
- access control based on time slots;
- powerful logging, for both successful and failed logins;
- efficient prevention of Denial of Service (DoS) attacks which block a machine by saturating its resources:
  - limitation of the number of servers of the same type that can run at the same time;
  - limitation of the total number of servers;
  - limitation of the size of log files;
- attachment of a service to a specific interface: for example, this enables services to be made accessible to your internal network but not to the outside world;
- may serve as a proxy towards other systems, which is very practical in the event of IP masquerading (or NAT) in order to reach machines located on the internal network.

The main disadvantage concerns RPCs which are not yet very well supported. However, portmap and xinetd coexist perfectly.


6. General rules

6.1. Software packages and patches

RS-0000: No unnecessary software packages should be installed on the system. All packages considered unnecessary should, therefore, be deleted. In particular, monitor network services and development tools.
Additional information: The fewer the software packages installed on a machine, the greater its security. This also reduces maintenance as well as the security patches to be installed.

RS-0001: The system must be as up to date as possible. This means that the latest validated security updates must be installed.
Additional information: All systems must be regularly updated.

6.2. Startup scripts

These scripts are initiated when the system is started and are responsible for various tasks such as mounting the read/write file system, activating swap, setting some system parameters and launching various daemons required by the system.

RS-0100: The umask value fixed in the start-up scripts must be positioned at 027.
Additional information: To enable the latter to create files with 640 permissions. Any waiving of this rule must be approved by security teams.

RS-0101: Any service not necessary to server functions must be deactivated. Therefore, all unnecessary startup scripts in the default startup directory must be deactivated (often those from unnecessary packages).

6.3. Miscellaneous

RS-0200: Prohibit restarting via the keyboard (CTRL+ALT+DEL).
Additional information: This rule is valid for all Linux and Solaris systems running on Intel platforms.

RS-0201: In non-secure environments, prohibit starting of the machine otherwise than via the system disk.
Additional information: On Intel platforms, this means requesting a password for access to the BIOS to prevent the boot sequence being modified.

RS-0202: Protect the non-standard system booting with a password.
Additional information: I.e. any booting via CD-ROMs or any other disk.


7. System security

7.1. File system

RS-1000: The partition /var must be mounted on a dedicated file system.
Additional information: The /var partition contains log, patch, print, e-mail files, etc. The disk space taken up by these files therefore varies. This partition must be separate from the root file system. This rule avoids saturation of logs which would bring the server to a standstill.

RS-1001: Partitions and removable devices are mounted using the options:
- nodev (except for device partitions like /dev or /devices)
- noexec: for /var and /tmp
- nosuid: for partitions for non-system and non-application users (like /home or /users) and removable devices.
Additional information: These mount options prevent binaries running, processing of the suid/sgid bits and interpretation of the special files. The aim is to manage rights as precisely as possible.

RS-1002: Automatic mount functions for removable devices must be deleted.
Additional information: These functions can be accessed via the vold, automount or supermount daemons.

RS-1003: Users must be prohibited from mounting removable devices to avoid introducing potentially dangerous programmes or files or leaking data.
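A way to check RS-1001 against an fstab, as an added example that is not part of MGS404: the script parses fstab-format text and reports each mount point lacking the option the rule requires. The exemption of / (assumed to hold /dev on systems of this generation) and the paths treated as removable media (/mnt/*, /media/*) are assumptions to adapt to the site's layout.

```shell
#!/bin/sh
# Audit fstab-style mount entries against RS-1001: nodev everywhere except
# device partitions, noexec on /var and /tmp, nosuid on user partitions and
# removable media. Prints "<mount point> missing <option>" per violation.

# Constructed sample in /etc/fstab format (not taken from the document).
SAMPLE_FSTAB='# device    mount point  type     options                dump pass
/dev/sda1   /            ext3     defaults               1 1
/dev/sda2   /var         ext3     defaults,nodev         1 2
/dev/sda3   /tmp         ext3     defaults,nodev,noexec  1 2
/dev/sda4   /home        ext3     defaults,nodev,nosuid  1 2
/dev/cdrom  /mnt/cdrom   iso9660  noauto,ro,nodev        0 0
devpts      /dev/pts     devpts   gid=5,mode=620         0 0'

# has_opt OPTS NAME: true when NAME appears in the comma-separated OPTS list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# check_fstab TEXT: one line per missing option; no output when compliant.
check_fstab() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        # skip blank lines and comments
        case "$dev" in ""|"#"*) continue ;; esac
        case "$mnt" in
            # assumption: /dev lives on the root file system, so / and the
            # device partitions named in RS-1001 are exempt from nodev
            /|/dev|/dev/*|/devices|/devices/*) ;;
            *) has_opt "$opts" nodev || echo "$mnt missing nodev" ;;
        esac
        case "$mnt" in
            /var|/tmp) has_opt "$opts" noexec || echo "$mnt missing noexec" ;;
        esac
        case "$mnt" in
            # user partitions named in the rule plus assumed removable-media paths
            /home|/users|/mnt/*|/media/*)
                has_opt "$opts" nosuid || echo "$mnt missing nosuid" ;;
        esac
    done
}

check_fstab "$SAMPLE_FSTAB"
# On a live system: check_fstab "$(cat /etc/fstab)"
```

The sample deliberately leaves /var without noexec and the CD-ROM without nosuid, so the script reports exactly those two entries.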

7.2. System stack

This is the memory zone of a process (a programme being executed) dedicated to saving the data necessary for calls (the arguments and return addresses are stacked) and returns (arguments and return addresses are un-stacked).

RS-1100: The execution stack must be protected against buffer overflows to prevent attacks of this type.

RS-1101: The size of core dumps must be configured so that the size is zero.
Additional information: Core files contain a memory image of the process which received a certain signal and is terminated. These files take up disk space and may contain sensitive information. Nothing prevents TEMPORARILY changing the core file limit to an adapted value if a core file really has to be analysed.

(Pages 13/33 and 14/33 of the original, sections 7.3 to 7.6, are not included in this transcript.)

7.7. Environment

RS-1600: Prevent a Trojan Horse being run: check that the LD_LIBRARY_PATH variable (or equivalent) does not exist in the user environment (root or other), or, if it exists, only references sure libraries. Check that the files executed at login (/etc/profile, .bashrc, etc.) do not set these variables to a dubious value.
Additional information: For Linux, also check /etc/ld.so.conf.
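The checks RS-1600 asks for, written as an added example that is not from the document: one function inspects a colon-separated library path entry by entry, another lists the lines of login files that assign LD_LIBRARY_PATH or LD_PRELOAD for review, and a third applies the same directory tests to ld.so.conf-style text. The login file names passed at the bottom are assumptions.

```shell
#!/bin/sh
# RS-1600 helpers. An empty or "." entry in LD_LIBRARY_PATH means "search the
# current directory", which is why both are reported.

# dir_writable_by_others DIR: true when DIR is group- or world-writable
# (columns 6 and 9 of the ls -ld mode string).
dir_writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_lib_path VALUE: one line per dubious entry of a colon-separated path.
check_lib_path() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    for d in "$@"; do
        if [ -z "$d" ] || [ "$d" = "." ]; then
            echo "current directory in library path"
            continue
        fi
        case "$d" in
            /*) ;;
            *) echo "$d: relative entry"; continue ;;
        esac
        if [ ! -d "$d" ]; then
            echo "$d: does not exist"
            continue
        fi
        if dir_writable_by_others "$d"; then
            echo "$d: writable by group or others"
        fi
    done
    return 0
}

# find_ld_settings FILE...: print FILE:LINE:TEXT for each assignment of
# LD_LIBRARY_PATH or LD_PRELOAD found in the login files that exist.
find_ld_settings() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -n -e 'LD_LIBRARY_PATH=' -e 'LD_PRELOAD=' "$f" | sed "s|^|$f:|"
    done
    return 0
}

# check_ld_so_conf TEXT: apply the directory tests to each listed directory
# (comments and "include" lines are skipped, not followed).
check_ld_so_conf() {
    printf '%s\n' "$1" | while read -r line; do
        case "$line" in ""|"#"*|include*) continue ;; esac
        if [ ! -d "$line" ]; then
            echo "$line: does not exist"
            continue
        fi
        if dir_writable_by_others "$line"; then
            echo "$line: writable by group or others"
        fi
    done
}

# Run on the caller's own environment; no output is the compliant result.
check_lib_path "${LD_LIBRARY_PATH:-}"
find_ld_settings /etc/profile "$HOME/.profile" "$HOME/.bashrc"
```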


8. Account (access) security

8.1. Access control

In order to improve control of a UNIX machine and increase its security, we recommend the use of PAMs (Pluggable Authentication Modules). PAM is a powerful, flexible, extensible authentication tool which enables the system administrator to configure authentication services individually for each PAM-compliant application, without recompiling any applications.

RS-2000: Use PAMs.
Additional information: This will quickly upgrade your level of security.

RS-2001: A warning banner should be displayed before the authentication dialogue when logging in, in compliance with MGS402 S1F0 Warning to be inserted in the title pages.

8.2. Remote access right

All machines must control remote access rights. A machine must define the accounts authorised to log in from a remote terminal.

RS-2100: Root access via the network must be impossible.
Additional information: It is better to use a user account and then the su command to take the root identity, so that root connections to a system are logged.

8.3. Account/environment configuration

RS-2200: Account and password management must comply with MGS401.

RS-2201: The value of umask must be as restrictive as possible for each user:
- for root: at least 077
- for other users: at least 027
Additional information: Therefore, each file created by the user will automatically carry minimum rights.

RS-2202: Files enabling the configuration of the default user environment must be root:root and 644.
Additional information: The files are often those present in /etc/skel.

RS-2203: The user PATH must first contain system paths BEFORE the user paths.
Additional information: This avoids execution of Trojan horses.

RS-2204: The user PATH must not contain a relative path (starting with a .) except the current directory (only one .).
Additional information: This avoids execution of Trojan horses.

RS-2205: There should be no .netrc, .exrc, .vimrc, .forward type files in the tree structure nor "."-type files.
Additional information: Notes:
- .exrc (.vimrc) may be replaced by judicious use of the variable EXINIT (VIMINIT) (a .exrc file may exist anywhere and therefore be executed inadvertently from there). The behaviour of Vim is more secure on this point, but files should be monitored nevertheless.
- .forward files can execute commands that are unforeseen or not desirable on mail reception. Their content should therefore be monitored.


- "."-type files are often used to mask malicious files or directories.

RS-2206: Passwords for all users must be stored using a strong hashing algorithm (like MD5).
Additional information: This algorithm is more resistant than the crypt function usually used on UNIX systems.

RS-2207: No account should have a HOME-DIRECTORY at /.

RS-2208: If uucp and nuucp exist, the shell may be controlled by a false shell.
Additional information: false, nologin OR bash, sh, ksh and csh are allowed.

RS-2209: No account defined in /etc/passwd should have a non-specified shell.

The case of root:

RS-2210: Only root is the system superuser (UID and GID equal to zero).

RS-2211: The root HOME DIRECTORY must be /root, perm 700, root:root.

RS-2212: All files loaded by root when it connects must be root:root and not be group or world writable (g-w, o-rwx for what is specific to root and o-w for what is common). The following scripts or programmes in particular:
- ~/.login, ~/.profile and any other login initialisation files
- ~/.exrc and any other programme initialisation files (if authorised)
- ~/.logout and any other end-of-session files
- crontab and at entries (see cron and at rules)

RS-2213: All root PATH directories must be root:root and 755.
Additional information: In particular to avoid a Trojan horse being put in place.

RS-2214: All scripts or binaries present in the root PATH must be exclusively owned by root or a system account and must not be world and group-writable (g-w, o-w).
Additional information: In particular to avoid Trojan horses being set up.
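An added example, not from MGS404, that audits the account rules of section 8.3: audit_passwd applies RS-2207 to RS-2210 to passwd-format text, and audit_path applies RS-2204 and, given the expected owner, RS-2213 and RS-2214 to a PATH value. The sample accounts are constructed; the shells accepted for uucp/nuucp are the ones listed in RS-2208.

```shell
#!/bin/sh
# Both functions print one line per violation and nothing when the input is clean.

# Constructed sample in /etc/passwd format (not taken from the document).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/usr/bin/perl
backup:x:0:0:backup operator:/:/bin/sh
toto:x:500:500:Toto:/home/toto:
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin'

# audit_passwd TEXT: "<account>: <problem> (<rule>)" per violation.
#   RS-2210  no account other than root with UID 0 or GID 0
#   RS-2207  no home directory at /
#   RS-2209  no empty shell field
#   RS-2208  uucp/nuucp limited to false, nologin, bash, sh, ksh or csh
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "" { next }
        ($3 == 0 || $4 == 0) && $1 != "root" { print $1 ": UID or GID 0 but not root (RS-2210)" }
        $6 == "/" { print $1 ": home directory is / (RS-2207)" }
        $7 == ""  { print $1 ": no shell specified (RS-2209)" }
        ($1 == "uucp" || $1 == "nuucp") && $7 !~ /\/(false|nologin|bash|sh|ksh|csh)$/ {
            print $1 ": shell " $7 " not in the allowed list (RS-2208)" }
    '
    return 0
}

# audit_path VALUE OWNER: "<entry>: <problem>" per violation.
#   RS-2204  no relative entry; "." (or an empty entry, which also means the
#            current directory) at most once
#   RS-2213  every directory owned by OWNER (root for the root PATH)
#   RS-2214  no directory writable by group or others
audit_path() {
    want_owner=$2
    dot_seen=0
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    for d in "$@"; do
        if [ -z "$d" ] || [ "$d" = "." ]; then
            if [ "$dot_seen" -eq 1 ]; then echo ".: listed more than once"; fi
            dot_seen=1
            continue
        fi
        case "$d" in
            /*) ;;
            *) echo "$d: relative entry"; continue ;;
        esac
        if [ ! -d "$d" ]; then
            echo "$d: not a directory"
            continue
        fi
        # ls -ld: type and mode in columns 1-10, owner in field 3
        mode=$(ls -ld "$d" | cut -c1-10)
        owner=$(ls -ld "$d" | awk '{ print $3 }')
        if [ "$owner" != "$want_owner" ]; then
            echo "$d: owned by $owner, expected $want_owner"
        fi
        case "$mode" in ?????w????) echo "$d: group-writable" ;; esac
        case "$mode" in ????????w?) echo "$d: world-writable" ;; esac
    done
    return 0
}

audit_passwd "$SAMPLE_PASSWD"
# On a live system, as root: audit_passwd "$(cat /etc/passwd)"; audit_path "$PATH" root
```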


8.4. Administration commands

Certain UNIX commands, called r-commands, enable remote users either to log in (rlogin) or to execute commands (rsh, rcp, rexec) via the network and therefore to carry out remote operation/administration work.

RS-2300: Use SSH commands instead of telnet and r-commands (see MGS425).

RS-2301: If telnet cannot be replaced by SSH, use it on a dedicated network and secure access to telnet by xinetd or inetd + TCP-Wrapper.
Additional information: Limit the addresses that have to access the machine by telnet protocols:
- If xinetd is used, add the option only_from = address1 address2/mask address3/mask in the files /etc/xinetd.d/*telnet and/or /etc/xinetd.conf to limit access.
- If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny.

RS-2302: If ftp cannot be replaced by SSH, use it on the dedicated network in authenticated mode (unencrypted password on the network). Specialise the server (either in authenticated mode or anonymous mode; in this case, apply MGS620 S0F1: Configuring anonymous UNIX FTP servers). In all cases, secure FTP access with xinetd or inetd + TCP-Wrapper, and launch the FTP server in a separate environment (chroot). Do not authorise the upload function if it is not necessary. Prohibit connection to the FTP with too high rights.
Additional information: Limit the addresses that have to access the machine by FTP protocols:
- If xinetd is used, add the option only_from = address1 address2/mask address3/mask in the files /etc/xinetd.d/*FTP and/or /etc/xinetd.conf to limit access.
- If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny.
- Put all users whose UID is less than 100 (500 if Pl@ton architecture) in /etc/ftpusers, as well as the user "nfsnobody" (if it exists), to prevent FTP access to these users.
- Limit access to FTP files /etc/ftpgroup, /etc/ftphosts (allow and deny options), /etc/ftpaccess (noretrieve options, upload option to no option), create non-empty .notar files (444 rights) in directories where downloading is prohibited.
Note: The noretrieve .notar option may cause problems for Internet Explorer. Ensure in this case not to put the option noretrieve .notar in /etc/ftpaccess.


    8.5. Trust mechanism

    The trusted host concept is based on the fact that users and applications calling from a trusted host machine are not obliged to supply a password (thereby doing away with the authentication mechanisms and endangering the quality of system security).

    RS-2400
    Rule: Using the .rhosts function is prohibited (even for root). As a result, all user home directories must contain an empty .rhosts DIRECTORY with 000 rights (---------) and root:root ownership.
    Additional information: If it exists, this file authorises access to your account without a password for the local or remote users listed in it. It does away with any access control system.

    RS-2401
    Rule: Use of the hosts.equiv function is prohibited. Therefore, the machine must have an empty /etc/hosts.equiv DIRECTORY with 000 rights (---------) and root:root ownership.
    Additional information: The /etc/hosts.equiv file enables the following to be defined at local machine level:
    - users authorised to log in to the local machine (if their login exists) without supplying a password;
    - users not authorised to connect to the local machine.
    This also does away with any access control system.

    8.6. Logging

    Logging is the recording of application events via a central daemon in one or several local and/or remote files.

    RS-2500
    Rule: Use of the command su must be logged (in particular to detect unauthorised changes of privilege).

    RS-2501
    Rule: All login attempts (successful or otherwise) must be logged.
    Additional information: This enables suspicious activity on a machine to be monitored (hacking attempts, for example).


    9. Network security

    9.1. IP stack

    RS-3000
    Rule: Configuration of the network interfaces.
    For all machines, prevent information from being recovered through the network interfaces' "promiscuous" mode (sniffer).
    On a server, to avoid spoofing:
    - use static rather than dynamic addressing (no DHCP);
    - for each machine on the same network that is called to dialogue with this server, recording of the MAC (Ethernet) address can be forced with the command arp.
    Additional information: Means:
    - Detect promiscuous mode with a command put in the crontab and run cyclically (hourly, for example).
    - On a server: remove the DHCP client package(s) and configure the network interfaces manually.
    - For each machine for which the MAC address is required, enter: arp -s with the machine's host name and MAC address as arguments (these commands may be added at the end of the file /etc/rc.d/rc.local, for example).
    Notes:
    - A switch to promiscuous mode can only occur with root rights. It may therefore indicate an anomaly (machine already compromised?).
    - The use of certain libraries intended for network listening may not be detected.
    - In a server hosting environment, it is preferable to have a machine that detects this mode (or even detects intrusions).

    RS-3001
    Rule: The sockets queue must be protected from SYN flooding.

    RS-3002
    Rule: Packets with the source routing option must not be retransmitted or processed.

    RS-3003
    Rule: The TIME_WAIT parameter for TCP must be set to 1 min (60 secs).

    RS-3004
    Rule: The machine must be protected against DoS attacks by ICMP flooding.

    RS-3005
    Rule: The IP stack must be protected in order to prevent redirection of an IP.

    RS-3006
    Rule: ARP query expiry time must be limited to 1 minute maximum in order to reduce ARP spoofing/hijacking risks.

    RS-3007
    Rule: Generation of TCP sequence numbers must be configured so that they cannot be guessed (random management).
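    As an added example (not part of MGS404), the following shell script checks rules RS-3000 to RS-3007 on a Linux host: it compares a "sysctl -a" dump with the expected Linux sysctl values (the key names are an assumption for Linux; HP-UX and Solaris use ndd and AIX uses no instead) and scans "ip -o link" output for interfaces in promiscuous mode. The sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of MGS404: check the Linux IP-stack settings behind
# RS-3000 to RS-3007 from a "sysctl -a" dump, and detect interfaces left in
# promiscuous mode (RS-3000) from "ip -o link" output. The sysctl names are
# Linux-specific (assumption). On Linux, RS-3003 (TIME_WAIT = 60 s) and
# RS-3007 (unpredictable TCP sequence numbers) need no setting: both are
# built into the kernel.

# Expected settings, one key=value per line (sysctl.conf form).
expected_ipstack_settings() {
    sed '/^#/d' <<'EOF'
# RS-3000 (anti-spoofing) and RS-3001 (SYN flooding)
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
# RS-3002: drop source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
# RS-3004: ignore broadcast pings (ICMP flooding / smurf)
net.ipv4.icmp_echo_ignore_broadcasts=1
# RS-3005: neither accept nor send ICMP redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
# RS-3006: ARP entries go stale after 60 s at most
net.ipv4.neigh.default.gc_stale_time=60
EOF
}

# Compare a "sysctl -a" dump read from stdin ("key = value" lines) with the
# expected settings. Prints one line per deviation; the return code is the
# number of deviations (0 = compliant).   Usage: sysctl -a | audit_ipstack
audit_ipstack() {
    dump=$(cat)
    bad=0
    for kv in $(expected_ipstack_settings); do
        key=${kv%%=*}
        want=${kv#*=}
        pattern=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal
        got=$(printf '%s\n' "$dump" | sed -n "s/^$pattern *= *//p" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "DEVIATION $key = $got (want $want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# List interfaces whose flags contain PROMISC in "ip -o link" output read from
# stdin; returns 1 if any is found, 0 otherwise. For RS-3000, run it hourly
# from cron:  ip -o link | promisc_interfaces
promisc_interfaces() {
    found=$(awk '$3 ~ /PROMISC/ { sub(/:$/, "", $2); print $2 }')
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample inputs (not taken from a real host).
sample_sysctl_dump() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.ip_forward = 0
EOF
}
sample_ip_link() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
EOF
}

if [ "${1:-}" = "--demo" ]; then   # ./ipstack_audit.sh --demo
    sample_sysctl_dump | audit_ipstack; echo "ipstack deviations: $?"
    sample_ip_link | promisc_interfaces; echo "promiscuous interfaces found: $?"
fi
```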


    9.2. Administration flow security

    Apply MGS425 OpenSSH, which contains the security rules concerning the protection of network flows by means of the Open-SSL protocol.

    RS-3100
    Rule: Apply MGS425 (OpenSSH configuration).

    RS-3101
    Rule: The machine must be administered through a specific network interface.
    Additional information: Methods: additional network board or VPN (Virtual Private Network).

    RS-3102
    Rule: Administration services other than SSH must be filtered with xinetd or TCP-Wrapper.
    Additional information: If xinetd: use the bind and only_from options.

    9.3. Network service filtering

    Filtering uses the access control components. The role of filtering is not to format network traffic between two points but to decide whether a packet should or should not be processed. A packet can be rejected, accepted or modified, according to rules of varying complexity. In many cases, filtering is used to control and/or secure an internal network from the outside world (the Internet, for example).

    RS-3200
    Rule: All services activated in inetd or xinetd must be approved by the CNSSI security teams.
    Additional information: Specify the approach.

    RS-3201
    Rule: As far as possible, do not install a printer server.
    Additional information: This service is highly vulnerable.

    RS-3202
    Rule: Do not use NIS (it depends on RPC services, which are too vulnerable).
    Additional information: If such a service is necessary, prefer LDAP.

    RS-3203
    Rule: Limit access to network services to the authorised machines only, using xinetd or inetd + TCP Wrapper.

    9.3.1. Configuration of inetd/tcp-wrapper

    All services authorised to be present on machines should apply the following rules.

    Configuration of inetd:

    RS-3204
    Rule: inetd must be associated with TCP-Wrapper.

    RS-3205
    Rule: Connection requests must be recorded and filtered via inetd/TCP-Wrapper.
    Additional information: inetd alone does not provide network security (see the rules concerning TCP-Wrapper and xinetd).

    RS-3206
    Rule: The inetd daemon must be started in standalone mode (-s) with the option t.

    RS-3207
    Rule: All TCP and UDP services open in /etc/inetd.conf must be encapsulated with TCP-Wrapper (using the nowait option).

    Configuration of tcp wrapper:

    RS-3208
    Rule: PARANOID mode must be activated.
    Additional information: To refuse all connections from a system whose name does not resolve to the same IP address.

    RS-3209
    Rule: Include one rule in /etc/hosts.deny refusing whatever is not authorised.
    Additional information: The file must contain a single ALL: ALL line.


    a. RS-3219: a threshold fixed at between 85% and 95% helps prevent any possible system saturation. For less important services, a lower threshold can be fixed to leave priority to other services.
    b. RS-3220: this option depends heavily on the service; generally, the value should be less than 50.
    c. RS-3221: in general, a maximum of three connections per second is necessary. For heavily demanded services, it is possible to increase to 10 connections per second.

    9.4. Routing

    Routing is the method of carrying information (or packets) to the correct destination via a network. According to the type of network, data is sent in packets and its path is chosen each time (adaptive routing), or a path is chosen once and for all (the two can be combined). A machine that handles routing is commonly called a router.

    RS-3300
    Rule: Routing daemons must be deactivated or deleted (e.g. gated, routed).
    Additional information: Routing daemons are only used on machines connected to several networks and used to route packets.

    9.5. Name resolution

    RS-3400
    Rule: Name resolution must first be carried out locally before any other method (DNS and LDAP).
    Additional information: This requires name resolution to be carried out first via a local file, then via a DNS. This enables DNS spoofing to be avoided.


    9.6. RPC (Remote procedure call), Portmapper (portmap), rpcbind

    RS-3500
    Rule: All RPC network services started by the portmapper, including the portmapper itself, must be deactivated.
    Additional information: All services to be started by the portmapper must receive the approval of the security teams.

    RS-3501
    Rule: If RPC network services are necessary, access must be secured and logged to the maximum.

    9.7. Network services to ban

    RS-3600
    Rule: No network service other than SSH must be activated on the machine.
    Additional information: Particularly daytime, discard, chargen, echo, fingerd, rquotad, rusersd, rwalld, rexd, systat, time, netstat.


    10. Security of services

    This chapter covers the rules that apply to the principal services (functions) offered by Unix servers.

    10.1. General comments

    RS-4000
    Rule: All sensitive services should be started in a chrooted environment.

    10.2. X-Window

    RS-4100
    Rule: If an X server is necessary (X11 or XFree), use the most up-to-date valid version possible.

    RS-4101
    Rule: X server authentication must be carried out by the xauth function.
    Additional information: Unlike filtering via xhost, which uses authentication based on the client host name, the xauth method uses a shared secret in order to guarantee authentication of the two parties. But the communication remains in clear text.

    RS-4102
    Rule: The data exchanged between the client and the X server must be encrypted via an SSH tunnel, in compliance with MGS425.

    10.3. File transfer service

    RS-4200
    Rule: Apply MGS601 V2.0: File transfer.
    Additional information: In the process of standardisation.

    10.4. Messaging service

    RS-4300
    Rule: A mail transfer agent is necessary for distributing messages. This agent must not be run as a network service. In addition, its configuration should be modified so that it is not used as an uncontrolled mail relay.


    10.5. Distributed names service

    RS-4400
    Rule: Use the security functions (LDAPS) supplied by LDAP.

    10.6. NFS (network file system)

    RS-4500
    Rule: The NFS server must not be installed or started up.
    Additional information: If the NFS server is necessary, the file /etc/exports must respect the following characteristics:
    - it must belong to root:root with permissions 644;
    - domain names must be fully qualified if possible;
    - exports must be verified using the access option;
    - the file system must not be exported to itself (localhost entry);
    - the nosuid and read-only mounting options must be preferred.
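    The following shell function is an added example (not part of MGS404) that checks an /etc/exports file against the RS-4500 characteristics, written for the Linux exports(5) syntax; the HP-UX access= option is not modelled, nosuid is a client-side mount option on Linux, and the host names in the sample file are constructed.

```shell
#!/bin/sh
# Added example, not part of MGS404: check an /etc/exports file written in the
# Linux exports(5) syntax ("/path client(options) client(options)") against the
# RS-4500 characteristics. Reads the file from stdin, prints one finding per
# line and returns the number of findings (0 = compliant).
# Assumptions: the HP-UX "access=" option is not modelled (on Linux the client
# list plays that role), and nosuid is a client-side mount option there, so
# the check looks for "ro" and for the absence of "no_root_squash".
# Usage: audit_exports < /etc/exports
audit_exports() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }           # comments and blank lines
    {
        path = $1
        if (NF < 2) { print "WORLD " path " (no client list)"; bad++; next }
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match(host, /\(.*\)$/)) {          # split "client(opt,opt)"
                opts = substr(host, RSTART + 1, RLENGTH - 2)
                host = substr(host, 1, RSTART - 1)
            }
            if (host == "localhost" || host ~ /^127\./) {
                print "LOCALHOST " path " " host; bad++       # exported to itself
            } else if (host == "" || host == "*") {
                print "WORLD " path " " host; bad++           # every host allowed
            } else if (host !~ /\./ && host !~ /^@/) {
                print "UNQUALIFIED " path " " host; bad++     # not FQDN, address or @netgroup
            }
            if (opts !~ /(^|,)ro(,|$)/) { print "NOT-READONLY " path " " host; bad++ }
            if (opts ~ /(^|,)no_root_squash(,|$)/) { print "NO_ROOT_SQUASH " path " " host; bad++ }
        }
    }
    END { exit bad }'
}

# Constructed sample (documentation host names, not a real configuration).
sample_exports() {
    cat <<'EOF'
# /etc/exports -- constructed sample
/export/www    www1.example.net(ro,root_squash) www2.example.net(ro)
/export/data   fileserver(rw,no_root_squash)
/export/home   localhost(rw)
/export/pub    *(ro)
EOF
}

if [ "${1:-}" = "--demo" ]; then   # ./exports_audit.sh --demo
    sample_exports | audit_exports; echo "findings: $?"
fi
```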

    10.7. Administration/supervision department

    RS-4600
    Rule: The SNMP protocol must not be used if not necessary.

    RS-4601
    Rule: If the SNMP protocol is necessary, version 3 must be used.
    Additional information: If version 3 is not available, version 2 is tolerated. In any case, ban version 1.

    RS-4602
    Rule: If the SNMP protocol is necessary, there must be no SNMP community strings named public or private, nor the names supplied as standard by manufacturers (default parameters).

    RS-4603
    Rule: If the SNMP protocol is necessary, all community strings must comply with the password management policy.

    RS-4604
    Rule: Access to the SNMP server must be restricted to authorised stations only.

    RS-4605
    Rule: If the SNMP protocol is necessary, the sending of SNMP traps must be protected by identifiers in compliance with the password management policy.

    RS-4606
    Rule: If the SNMP protocol is necessary, access to the SNMP service is read-authorised only and not write-authorised.


    10.8. WEB

    RS-4700
    Rule: Apply MGS411.

    10.9. Domain names service

    RS-4800
    Rule: Use Bind or LDAP as the domain names service.

    RS-4801
    Rule: Always use the latest available validated and maintained version of the domain name service.


    11. Appendix: rights and permissions for important files

    The table below presents a non-exhaustive list of files for which ownership and user rights should be monitored with vigilance. The rights shown are the maximum admissible for a well-secured installation; these rights can nevertheless be further restricted. When rights have to be modified, use the form given as the parameter of the command /bin/chmod.

    The group named ROOT corresponds to the group whose GID is 0 (zero); the name of this group may differ from one system to another. The keyword ALL shows the rights for all systems other than those that are the subject of a specific line in the rights table (for the same file/directory).

    A sealing tool (TripWire for example; study available at Securinoo) would be an additional advantage for ensuring that critical files have not been modified, particularly on servers.

    Files/Directories                  Owner     Group         Rights Systems
    /                                  root      ROOT          0755   ALL
    /bin                               root      ROOT,bin      0755   ALL
    /bin/bash                          root      ROOT,bin      0755   Linux
    /bin/login                         root      ROOT,bin      4555   ALL
    /bin/mount                         root      root          0550   Linux
    /bin/netstat                       root      root          0550   Linux
    /bin/su                            root      ROOT,bin      4755   ALL
    /boot                              root      root          0750   Linux
    /boot/*                            root      root          0640   Linux
    /boot/grub/grub.conf               root      root          0600   Linux
    /crash                             root      ROOT          0750   Solaris
    /dev                               root,bin  ROOT,sys,bin  0755   ALL
    /dev/console                       root      ROOT,sys      0633   ALL
    /dev/full                          root      root          0666   Linux
    /dev/kmem                          root      ROOT          0640   AIX
    /dev/kmem                          bin       sys           0640   HP-UX
    /dev/kmem                          root      kmem          0640   Linux
    /dev/kmem                          root      sys           0640   Solaris
    /dev/MAKEDEV                       root      root          0700   Linux
    /dev/mem                           root      ROOT          0640   AIX
    /dev/mem                           bin       sys           0640   HP-UX
    /dev/mem                           root      kmem          0640   Linux
    /dev/mem                           root      sys           0640   Solaris
    /dev/null                          root,bin  ROOT,sys,bin  0666   ALL
    /dev/random                        root      root          0644   Linux
    /dev/tty                           root,bin  ROOT,tty,bin  0666   ALL
    /dev/urandom                       root      root          0644   Linux
    /dev/zero                          root      ROOT,sys      0666   Solaris,Linux,AIX
    /etc                               root      ROOT,sys,bin  0755   ALL
    /etc/aliases                       root      ROOT,bin      0600   Solaris,Linux,AIX
    /etc/aliases.db                    root      root          0600   Linux
    /etc/anacrontab                    root      root          0600   Linux
    /etc/at.allow                      root      root          0600   Linux
    /etc/at.deny                       root      root          0600   Linux
    /etc/cron.allow                    root      root          0600   Linux
    /etc/cron.d/at.allow               root      root          0600   Solaris
    /etc/cron.d                        root      sys           0750   Solaris
    /etc/cron.d/at.deny                root      root          0600   Solaris
    /etc/cron.d/cron.allow             root      sys           0600   Solaris
    /etc/cron.d/cron.deny              root      sys           0600   Solaris
    /etc/cron.deny                     root      root          0600   Linux
    /etc/default/useradd               root      bin           0640   HP-UX
    /etc/default                       root      root,sys      0750   Linux,Solaris,HP-UX
    /etc/default/init                  root      sys           0644   Solaris
    /etc/default/login                 root      sys           0644   Solaris
    /etc/default/passwd                root      sys           0644   Solaris
    /etc/default/su                    root      sys           0644   Solaris
    /etc/defaultrouter                 root      root          0644   Solaris
    /etc/environment                   root      ROOT          0644   AIX
    /etc/exclude.rootvg                root      ROOT          0644   AIX
    /etc/exports                       root      root          0600   ALL
    /etc/fstab                         root      sys           0640   HP-UX
    /etc/fstab                         root      root          0600   Linux
    /etc/ftpaccess                     root      root          0400   Linux
    /etc/ftpconversions                root      root          0400   Linux
    /etc/ftpgroups                     root      root          0400   Linux
    /etc/ftphosts                      root      root          0400   Linux
    /etc/ftpusers                      root      root          0400   Solaris,Linux
    /etc/group                         root      ROOT          0644   ALL
    /etc/hosts                         root      ROOT          0644   ALL
    /etc/hosts.allow                   root      ROOT          0640   ALL
    /etc/hosts.deny                    root      ROOT          0640   ALL
    /etc/hosts.equiv                   root      ROOT          0000   ALL
    /etc/hosts.lpd                     root      ROOT          0600   AIX
    /etc/inet/hosts                    root      root          0444   Solaris
    /etc/inet/inetd.conf               root      root          0644   Solaris
    /etc/inet/services                 root      root          0644   Solaris
    /etc/inetd.conf                    root      ROOT          0644   ALL
    /etc/init.d                        root      root          0750   Solaris,Linux
    /etc/init.d/*                      root      root          0750   Solaris,Linux
    /etc/inittab                       root      ROOT          0644   ALL
    /etc/issue*                        root      root          0644   Solaris,Linux,HP-UX
    /etc/lilo.conf                     root      root          0600   Linux
    /etc/login.defs                    root      root          0600   Linux
    /etc/mail                          root      root          0755   Solaris,Linux,HP-UX
    /etc/mail/*                        root      root          0644   Solaris,Linux,HP-UX
    /etc/motd                          root      ROOT          0644   Solaris,Linux,AIX
    /etc/mtab                          root      root          0644   Linux
    /etc/netgroup                      root      Root          0644   HP-UX
    /etc/notrouter                     root      root          0644   Solaris
    /etc/passwd                        root      ROOT          0644   ALL
    /etc/printcap                      root      root          0644   Linux
    /etc/profile                       root      ROOT          0644   ALL
    /etc/rc.*                          root      ROOT          0750   AIX,Linux
    /etc/rc.config.d                   bin       bin           0755   HP-UX
    /etc/rc.config.d/*                 bin       bin           0644   HP-UX
    /etc/rc.d/*/*                      root      ROOT          0700   AIX,Linux
    /etc/rc.d/rc?.d                    root      ROOT          0755   AIX,Linux
    /etc/rc.d/rc?.d/*                  root      ROOT          0744   AIX,Linux
    /etc/rc?.d                         root      root          0755   Solaris
    /etc/rc?.d/*                       root      root          0744   Solaris
    /etc/resolv.conf                   root      ROOT          0644   ALL
    /etc/rpc                           root      ROOT,sys,bin  0644   ALL
    /etc/securetty                     root      root          0600   Linux
    /etc/security                      root      root          0755   AIX
    /etc/security/group                root      security      0640   AIX
    /etc/security/passwd               root      security      0600   AIX
    /etc/security/user                 root      security      0640   AIX
    /etc/sendmail.cf                   root      root          0644   Linux,AIX
    /etc/services                      root      ROOT          0644   ALL
    /etc/shadow                        root      root,sys      0600   Solaris,Linux
    /etc/skel                          root      root          0755   Solaris,Linux,HP-UX
    /etc/skel/*                        root      root          0644   Solaris,Linux,HP-UX
    /etc/snmp/conf/snmpd.conf          root      root          0644   Solaris
    /etc/SnmpAgent.d/snmpd.conf        root      root          0644   HP-UX
    /etc/snmpd.conf                    root      ROOT          0644   AIX
    /etc/ssh                           root      ROOT          0755   Linux,AIX
    /etc/ssh/* (other than above)      root      ROOT          0644   Linux,AIX
    /etc/ssh/*_key                     root      ROOT          0600   Linux,AIX
    /etc/ssh/sshd_config               root      ROOT          0600   Linux,AIX
    /etc/syslog.conf                   root      ROOT          0644   ALL
    /etc/system                        root      root          0644   Solaris
    /etc/xinetd.conf                   root      ROOT          0640   ALL
    /etc/xinetd.d                      root      ROOT          0750   ALL
    /etc/xinetd.d/*                    root      ROOT          0640   ALL
    /root/*                            root      ROOT          0700   ALL
    /root/.rhosts                      root      ROOT          0000   ALL
    /sbin                              root      ROOT,bin      0755   ALL
    /sbin/arp                          root      ROOT          0755   Linux
    /sbin/init.d                       root      root          0750   HP-UX
    /sbin/init.d/*                     root      root          0744   HP-UX
    /sbin/mount                        root      root          0550   HP-UX
    /sbin/rc?.d                        root      root          0755   HP-UX
    /sbin/rc?.d/*                      root      root          0744   HP-UX
    /sbin/route                        root      root          0550   Linux
    /system                            root      ROOT          0755   AIX,Linux,HP-UX
    /system/products                   root      root          0555   Linux
    /system/products/sudo/log/sudo.log root      root          0644   Linux
    /tmp                               root      ROOT          1777   ALL
    /users                             root      ROOT          0555   ALL
    /usr/bin                           root      ROOT,bin      0755   ALL
    /usr/bin/at                        root      ROOT          4555   ALL
    /usr/bin/finger                    root      root          0550   ALL
    /usr/bin/netstat                   root      root          0550   Solaris,AIX,HP-UX
    /usr/bin/passwd                    root      ROOT,bin      4555   ALL
    /usr/bin/rdate                     root      root          0550   Solaris
    /usr/bin/rdist                     root      root          0550   Solaris,AIX,HP-UX
    /usr/bin/rpcinfo                   root      root          0550   Solaris,AIX,HP-UX
    /usr/bin/rusers                    root      root          0550   Solaris,AIX,HP-UX
    /usr/bin/rwho                      root      root          0550   Solaris,AIX,HP-UX
    /usr/bin/talk                      root      root          0550   Solaris,AIX,HP-UX
    /usr/bin/wall                      root      tty           2555   Linux
    /usr/bin/write                     root      tty,bin       2555   ALL
    /usr/games                         root      root          0755   Linux
    /usr/lib                           root      ROOT,bin      0755   ALL
    /usr/sbin/arp                      root      ROOT          0755   Solaris,AIX,HP-UX
    /usr/sbin/chroot                   root      root          0550   ALL
    /usr/sbin/mount                    root      root          0550   Solaris,AIX
    /usr/sbin/route                    root      root          0550   Solaris,AIX,HP-UX
    /usr/sbin/rpcinfo                  root      root          0550   Linux
    /usr/sbin/wall                     root      tty,bin       2555   AIX,Solaris,HP-UX
    /var/adm/cron                      root      ROOT,cron     0755   AIX,HP-UX
    /var/adm/cron/at.allow             root      ROOT,cron     0640   AIX,HP-UX
    /var/adm/cron/at.deny              root      ROOT,cron     0640   AIX,HP-UX
    /var/adm/cron/cron.allow           root      ROOT,cron     0640   AIX,HP-UX
    /var/adm/cron/cron.deny            root      ROOT,cron     0640   AIX,HP-UX
    /var/adm/cron/log                  root      ROOT          0644   AIX,HP-UX
    /var/adm/messages                  root      ROOT          0644   ALL
    /var/adm/syslog/*                  root      root          0644   HP-UX,Solaris
    /var/cron/log                      root      root          0644   Solaris
    /var/log/*                         root      root          0640   Solaris,Linux
    /var/log/wtmp                      root      utmp          0600   Linux
    /var/run/syslogd.pid               root      root          0640   Solaris,Linux,HP-UX
    /var/run/utmp                      root      utmp          0644   Linux
    /var/spool                         ROOT,bin  ROOT,bin      0755   ALL
    /var/spool/at                      daemon    daemon        0700   Linux
    /var/spool/cron                    root      root          0700   ALL
    /var/tmp                           root      root          1777   ALL
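    The following shell script is an added example (not part of MGS404) that audits a system against a rights table written in the form of the appendix, treating each mode as the maximum admissible as the text above states. It assumes GNU (or busybox) stat and a table in which ROOT has been replaced by the local name of the GID 0 group; the sample table lines are taken from the appendix's Linux entries and the test data are constructed.

```shell
#!/bin/sh
# Added example, not part of MGS404: audit ownership and permissions against a
# rights table written in the form of the appendix, one entry per line:
#   <path or glob>  <owner[,owner]>  <group[,group]>  <maximum rights, octal>
# As the appendix states, the rights are a MAXIMUM: a stricter mode passes and
# any extra bit (group/world write, setuid, ...) is reported. Where the appendix
# says ROOT, write the local name of the GID 0 group (root on Linux).
# Assumes GNU/busybox stat (-c '%U %G %a'); a trailing Systems column is ignored.

# True if $2 is one of the comma-separated names in $1 (e.g. "root,bin").
name_allowed() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Bits of the octal mode $1 (e.g. 666 or 4755) not allowed by the octal maximum
# $2. Prints the excess bits in octal; prints nothing when $1 is within $2.
excess_bits() {
    x=$(( (0$1) & ~(0$2) ))        # leading 0 forces octal in $(( ))
    if [ "$x" -ne 0 ]; then printf '%o\n' "$x"; fi
    return 0
}

# Check every entry of the table file $1 against the live file system.
# Prints one line per OWNER, GROUP or RIGHTS deviation (ABSENT lines are
# informative only: the appendix is per-system) and returns the deviation count.
audit_rights() {
    table=$1
    bad=0
    while read -r pat owners groups max; do
        case "$pat" in ''|'#'*) continue ;; esac
        max=${max%% *}                      # drop an optional Systems column
        for f in $pat; do                   # unquoted on purpose: expands /etc/rc?.d/*
            if [ ! -e "$f" ]; then echo "ABSENT $f"; continue; fi
            set -- $(stat -c '%U %G %a' "$f")   # owner, group, octal mode
            name_allowed "$owners" "$1" || { echo "OWNER $f is $1 (want $owners)"; bad=$((bad + 1)); }
            name_allowed "$groups" "$2" || { echo "GROUP $f is $2 (want $groups)"; bad=$((bad + 1)); }
            x=$(excess_bits "$3" "$max")
            [ -z "$x" ] || { echo "RIGHTS $f is $3 (max $max, excess $x)"; bad=$((bad + 1)); }
        done
    done < "$table"
    if [ "$bad" -gt 255 ]; then bad=255; fi  # exit codes stop at 255
    return $bad
}

# A few Linux lines of the appendix in table form, for a live run as root:
#   sample_rights_table > /tmp/rights.tbl && audit_rights /tmp/rights.tbl
sample_rights_table() {
    cat <<'EOF'
/etc/passwd        root  root      0644
/etc/shadow        root  root,sys  0600
/etc/hosts.equiv   root  root      0000
/root/.rhosts      root  root      0000
/bin/su            root  root,bin  4755
/etc/ssh/*_key     root  root      0600
/tmp               root  root      1777
EOF
}
```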