LCZ-GUS 1.4 16 May 2009 This document specifies generic technical security policy. 1.4 16 May 2009 FOD Revised for re-release 1.3 01 June 2004 LCZ Corrected control errors 1.2 04 April 2003 LCZ Many new controls added 1.1 19 March 2003 LCZ Updated sections 1.0 21 January 2003 LCZ Initial Draft for public release 2001200220032009 Frank O'Dwyer To specify generic security standards applicable to all IT platforms. Controls specified in this document apply to all IT platforms. All of the organisation's information systems will be subject to the policies specified within this generic security standard. The policies will be applied to new and existing installations. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from the Information Security team consultancy function. This is a generic standard. Controls specific to particular technologies are not defined here but will be the subject of additional standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, off the shelf software, hardware, media, data item, data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous. The default passwords of the following accounts must be changed following installation; open, uucp, toor, mount, guest, manager, ingres, mail, help, visitor, system, bin, demo, telnet, lp, who, finger, games Have the default passwords of the default accounts open, uucp, toor, mount, guest, manager, ingres, mail, help, visitor, system, bin, demo, telnet, lp, who, finger, games For all accounts above the following accounts should have their passwords changed; open, uucp, toor, mount, guest, manager, ingres, uucp, mail, help, visitor, system, bin, demo, telnet , lp, who, finger, games Unuathorised access may be obtained Unauthorised access may be used for fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The synch account must not be disabled or password protected Is the synch account disabled or password protected? Ensure the synch account is enabled Ensure the synch account has no password Emergency shutdown can be performed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The nobody account should own no files on any of the systems filesystems Is it ensured that the nobody account owns no files on any of the systems filesystems? Scan the filesystems for objects owned by nobody Reassign the ownership of any objects identified belonging to nobody Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Access to the device file /dev/kmem must be restricted Is access to /dev/kmem restricted? Ensure that access to the device file /dev/kmem has the most restrictive access permissions Users may be able to change their UID to root Root access may lead to complete compromise of the system Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Do not rely on access control lists on NFS file systems Is reliance placed on access control lists on NFS file systems Be aware that access control lists often do not work on NFS file systems Do not therefore rely on access control lists to mediate access to objects on NFS file systems Access to objects may not be restricted as expected Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Avoid changing permissions on objects with access control lists using a numeric chmod Is it ensured that changing permissions on objects with access control lists is avoided? Be aware that numeric chmod commands may disable the ACL Use the symbolic chmod command to modify the permissions of files with ACLs Access to objects may not be restricted as expected Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Any filenames beginning with a period . must not be everyone or group writable/readable. Is it ensured that any filenames beginning with a period . everyone or group writable/readable Identify all files beginning with a period . Check for each file whether it has everyone or group read/write Remove these permissions wherever possible Access to objects may not be restricted as expected Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. If a tape drive is used for backup ensure this device is not everyone readable Are tape drives used for backups everyone readable? Identify the backup tape drives Check the permissions for this device Remove world read access where this permission has been enabled Access to data may not be restricted as expected Unauthorised access to data may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. at access should be restricted using at.allow Is at access restricted using at.allow? Edit the at.allow file Add the users names who need to be able to submit at jobs Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. User UIDs must be greater than 20 Are all user UIDs greater than 20? List each user account entry in the /etc/passwd file Check the UID value of each and highlight those that are not greater than 20 Change the UID values to greater than 20 if possible Ensure that any new user accounts are set up with UIDs greater than 20 Unauthorised privileged access may be obtained Unauthorised access may be used for fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Suid shell scripts should not be used Are suid shell scripts in use on the system? Identify all suid shell scripts on the system Replace these scripts with a different language such as perl Unauthorised privileged access may be obtained Unauthorised access may lead to malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The use of the su command should always be used with the hyphen (-) qualifier Is the hyphen qualifier always used with the su command? Educate all users to ensure that the(-) hyphen qualifier is used with su. Check scripts or executables running on the system that call su also use hyphen Account login script controls may be bypassed Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misue Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The mail aliases file should be reviewed to ensure that all entries for mail redirection are valid users and not a program or a script for execution Has the mail aliases file been reviewed to ensure that all entries for mail redirection are valid users and not a program or a script for execution? Review the aliases file Identify all redirection target accounts Check each of these targets is a user and not a script or program Investigate any entries that are inconsistent with this Delete inconsistent entries Unauthorised program execution may occur Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. root should only be logged into using su Is root access only available via su? Set all terminals to restricted to force root login via su Direct compromise of the root password will still result in no access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Where it is available use the wheel group If the wheel group is available is it in use? Create the wheel group Add all users who are permitted to su root to the group Exclude all others Unauthorised privileged access may be obtained Unauthorised access may be used for malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Every user must have a unique UID. Do all users on the system have unique UIDs? List all users sorted by UID. Identify all those with shared UIDs. Modify the users such that they have a unique UID. Ensure the files and directories these users own are appropriately owned. Ensure the files and directories these users own remain accessible. Unauthorised access to data and software objects Unauthorised access may lead to fraudulent or malicious misuse Loss of accountability Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that any foreign file systems are mounted NODEV Are all foreign filesystems mounted NODEV? Locate all instances where a foreign filesystem is mounted. For each instance ensure that the mount is qualified with NODEV Malicious device files can be used to subvert system controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The write program should be set to SGID tty and not SUID root Is the write program set to SGID tty and not SUID root? Locate the write program Check its permissions If the permissions are SUID root set them to SGID tty Unauthorised privileged commands may be executed Unauthorised privileged access may be obtained Unauthorised access may result in malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. cron access should be restricted using cron.allow Is cron access restricted using cron.allow? Edit the cron.allow file Add the users names who need to be able to submit cron jobs Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Implement a login failure retry interval of 3 seconds where possible Has a login failure retry interval of 3 seconds been implemented? If the variant of Unix supports a login failure retry interval set this interval to 3 seconds Automated password guessing routines will be hampered Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Autologout of idle users should be set after 1 hour Has autologout been set to 1 hour for idle users? set autologout in .cshrc script to 1 hour Unauthorised access may be obtained Unauthorised access may result in fradulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The use of control characters should be prevented from being used within user passwords. Has the use of control characters in user passwords been prevented? Use filtering software that rejects passwords containing control characters. Control characters within passwords can interpreted and lead to a breach Unauthorised privileged access may be obtained Unauthorised privileged commands may be executed Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Hidden files should be sought out and investigated. Certain control characters in file names can make it difficult to see or access such files. Are hidden files or files with control characters in their names identified and investigated on a regular basis? Use the ls -q command to list files with control characters in their name. For each file identified review its contents for any malicious code or commands. Remove any files which are clearly intended to breach the security of the system. Malicious scripts and programs may be used to gain unauthorised access Unauthorised access may be used for malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Reports should be produced and reviewed for access outside of normal hours Are reports produced and reviewed for access outside of normal hours? Log times of user logins Determine the normal access times for the system Report on logons that fall outside of those access times Reconcile the use with the account owner to ensure legitimacy Misuse may go unnoticed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. syslog.conf must be monitored for alterations Is syslog.conf monitored for any changes? Establish a baseline syslog.conf Identify any changes to the file from the baseline Reconcile the changes to ensure they are legitimate Misuse may go unnoticed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. All new su programs should be identified and validated to ensure that they are legitimate. Are new SU programs identified and validated? Instigate a means of identifying the addition of new su programs to the system. Investigate the new su programs to ensure they are valid. Investigate any that are not and remove them from the system. Privileged unauthorised access may be obtained Unauthorised access may result in malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. grpck should be run regularly to check for inconsistencies in the /etc/groups file Is grpck run regularly on the system? Run grpck to check for any inconsistencies in the groups file Any inconsistencies reported should be investigated and rectified Incorrect group membership may permit unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Reports should be produced and reviewed for multiple login failures from a single source Are reports produced and reviewed for multiple login failures from a single source? Record login failures against user accounts Extract the source address/terminal id for each failure Report on login failures based upon source address Investigate any source terminal with a login failure against more than one target user account. Misuse may go unnoticed Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. pwck should be run regularly to identify inconsistencies in the password file. Is pwck run regularly to check for inconsistencies in the password file? Run pwck on a regular basis to identify any inconsistencies in the passwd file. Any inconsistencies identified should be investigated and rectified. Unauthorised access may be obtained Unauthorised access may lead to malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Security monitoring software, for example Tripwire, Cops, Tiger, TCPWrapper etc should be installed and used for monitor for security critical changes, to harden the operating system and to provide security reporting. Are security tools installed and in use on the system? Identify security monitoring products appropriate to your environment. Install these tools. Use them to protect and monitor your system Security significant changes may go unnoticed Attempts to breach security may go unnoticed Unauthorised access may be obtained Unauthorised access may result in malicious or fraduluent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Reports should be produced and reviewed for multiple login failures Are reports produced and reviewed for multiple login failures? Record login failures against user accounts Produce a daily report of login failures for user accounts Reconcile the login failures with the owners of the accounts. Misuse may go unnoticed Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Aliases should be created for all non-user accounts to redirect inbound mail to an administrator account where it will be read Are aliases in place for all non-user accounts? Identify all non-user accounts Identify an administrator to receive mail for these accounts Set up a mail alias to direct inbound mail to these accounts to the administrator Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The ftp home directory should be owned by root Is the ftp home directory owned by root? Set the ownership of the ftp home directory to root Unauthorised write access may be obtained Business information and data may be maliciously or accidentally altered Business information and applications may be unavailable. PPP must not be installed on the system Is it ensured that PPP is not installed on the system? Remove the PPP executable from the system Remove any reference to PPP from network configuration files Remote unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. .rhosts files must not be used as they can provide arbitrary remote access to local users accounts and are subject to spoofing. Are .rhosts files in use on users accounts on the system? Search users home directories for the presence of .rhosts files For those identified replace the access with another more secure method. Delete the .rhosts file .rhosts file entries can permit successful spoofing Unauthorised access may be obtained Fraudulent misuse may occur Malicious misuse may occur Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The systat service should be commented out of the inetd.conf file as this provides very useful information to attackers Has the systat service been commented out of the inetd.conf file? Edit the inetd.conf file Identify the entry that initiates the systat daemon Comment out the entry so identified Unnecessary intelligence may be given to system attackers Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. SLIP must not be installed on the system Is it ensured that SLIP is not installed on the system? Remove the SLIP executable from the system Remove any reference to SLIP from network configuration files Remote unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The ftp entry in the password file should contain an invalid password and refer to a non-existent shell Does the ftp entry in the password file contain an invalid password and refer to a non-existent shell? Edit the password file and set an invalid password value and a non existent shell Unauthorised access may be obtained Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable. Disable anonymous ftp if possible If anonymous ftp is not required is it disabled? Edit the configuration and/or services file and comment out anonymous ftp service Restart the inet daemon and other appropriate system services/daemons to make the change take effect Unauthorised non-privileged remote access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. root must be used to run all crontab scripts as user UUCP. The scripts must be owned by root. Does root run all UUCP crontab scripts as user UUCP and own all of the scripts? Identify all crontab scripts required to be run by UUCP. Take ownership of these scripts by root. Ensure that when they are run they are executed by root as crontab. Protects crontab scripts from malicious alteration or substitution Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The /etc/inetd.conf should be owned by root. Is the /etc/inetd.conf owned by root? View the ownership of the inetd.conf file If this is not owned by root set it to be owned by root Unauthorised changes to the file may be made Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The rexecd daemon should be disabled by commenting out the rexec entry in inetd.conf. Has the rexecd daemon been commented out in the inetd.conf? Edit inetd.conf and locate the entry for rexecd Comment out the entry that initiates this daemon. Remote execution can be used to attempt to subvert system controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. NFS Filesystems should be exported nosuid Are NFS Filesystems exported nosuid? Exam the contents of the NFS exports file Ensure that the file systems are exported nosuid Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Anonymous ftp should be configured to prevent overwrite by guests or anonymous users Is anonymous ftp configured to prevent overwrite by guests or anonymous users? Configure the ftp daemon to prevent overwrite by anonymous or guest users Unauthorised data deletions may take place Unauthorised data alteration may take place Business information and applications may be unavailable. Entries in an NFS exports file must be comprised of fully qualified hostnames Are the entries in the NFS exports file comprised of fully qualified hostnames? Exam the contents of the NFS exports file Ensure that the entries are fully qualified hostnames Data may be exported to incorrect hosts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The ftp home directory should have permissions of 555 Does the ftp home directory have permissions of 555? Set the file permissions of the ftp home directory to 555 Unauthorised write access may be obtained Business information and data may be maliciously or accidentally altered Business information and applications may be unavailable. The fingerd daemon should be disabled by commenting out the finger entry in inetd.conf. Has the fingerd daemon been commented out of the inetd.conf file? Edit the inetd.conf file in order to delete the fingerd daemon entry. The unnecessary provision of intelligence to attackers Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The permissions on the /etc/inetd.conf should be 644 Are the permissions on the /etc/inetd.conf set to 644? View the permissions on the inetd.conf file If this is not set to 644 set the permissions to 644 Unauthorised changes to the file may be made Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The /etc/hosts.equiv should contain the fewest number of trusted hosts Does the /etc/hosts.equiv file contain the fewest number of trusted hosts? View the contents of the /etc/hosts.equiv file and validate all entries Remove all of the entries that are not required Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure /etc/ftpusers contains default vendor and system accounts that should not require ftp access Is it ensured that /etc/ftpusers contains default vendor and system accounts that should not require ftp access? Edit the /etc/ftpusers account Add the following accounts to the list where they are not already included, news, nobody, lp, uucp, bin, guest. Add all other default vendor accounts that have no ftp requirement Add all other default system accounts that have no ftp requirement Unauthorised non-privileged remote access may be obtained Unauthorised privileged remote access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Reverse lookup should be used for anonymous ftp connections Is reverse lookup used for anonymous ftp connections Configure the ftp daemon to use reverse lookup of anonymous ftp connections IP address spoofing can be prevented Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable. The /etc/hosts.equiv should be removed unless required Has the /etc/hosts.equiv been removed where it is not required? View the contents of the /etc/hosts.equiv file and validate any entries Where the file is empty delete the file altogether Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. There should be a mail alias to redirect mail from the UUCP account using the aliases file. The .forward file should not be used to achieve this. Does the UUCP account have a mail alias in the aliases file and no entries in the .forward file? Add an entry in the aliases file forwarding mail to an alternate account Ensure that there are no entries in the UUCP account's .forward file. Business information may be disclosed. Anonymous ftp should be configured to prevent rename by guests or anonymous users Is anonymous ftp configured to prevent rename by guests or anonymous users? Configure the ftp daemon to prevent rename by anonymous or guest users Unauthorised object renames may take place Business information and data may be maliciously or accidentally altered Business information and applications may be unavailable. Inetd.conf must be monitored for alterations Is inetd.conf monitored for any changes? Establish a baseline inetd.conf Identify any changes to the file from the baseline Reconcile the changes to ensure they are legitimate inetd.conf changes may result in the execution of unauthorised services Privileged unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The tftp home directory should not permit write access Does the tftp home directory permit write access? Check the permissions on the tftp home directory Set the permissions on the directory to exclude write access Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. Ensure that the ftp daemon is the most recent Is the ftp daemon the most recent? Determine the currently installed ftp daemon Determine the most current ftp daemon If they differ install the most current ftp daemon Unauthorised privileged access may be obtained Unauthorised non-privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Where the UUCP subsystem is required all SUID and SGID bits should be removed from its component programs If the UUCP subsystem is required have the SGID/SUID bits been stripped from the UUCP? Determine if the UUCP subsystem is required. If it is required, identify all of the components with SGID and SUID bits set. For all components so identified strip these bits. Unauthorised privileged access may be obtained remotely Access may lead to to fradulent or malcious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The rcp daemon should be disabled unless required Has the rcp daemon been commented out of the inetd.conf? Edit inetd.conf and locate the entry for rcpd Comment out the entry that initiates this daemon. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure /etc/ftpusers is in place to deny users ftp access that do not require it Are users who do not require ftp access denied it's use? Create an /etc/ftpusers file Populate the file with theusers who should not have ftp access Ensure that the list is single entry per line Unauthorised remote access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. The ~ftp/etc/passwd file should be owned by root Is the ~ftp/etc/passwd file owned by root? Check the file ownership of ~ftp/etc/passwd Where the owner is not root set the ownership to be root Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. UUCP if required should be configured to only allow remote file retrieval from particular directories. Has UUCP been set up to permit file retrieval from only certain pre-defined directories? Configure UUCP access to permit access to specifically required directories. Unauthorised access to data objects may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. tftp should be disabled unless the system serves X-terminals Is tftp disabled where it is not required? Determine if tftp is required Where it is not required comment the tftp entry out of the inetd.conf file Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. Anonymous ftp should be configured to prevent setting of umask by guests or anonymous users Is anonymous ftp configured to prevent setting of umask by guests or anonymous users? Configure the ftp daemon to prevent setting of umask by anonymous or guest users Unauthorised object access permissioning may take place Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable. UUCP callback should be enabled to reduce the risk of simple spoofing attacks Is UUCP callback enabled? If UUCP is required set up UUCP callback to deny simple spoofing attacks. Simple spoofing attacks Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The /etc/hosts.equiv should contain no hyphens or plus signs Has it been ensured that the /etc/hosts.equiv contains no hyphens or plus signs? View the contents of the /etc/hosts.equiv file and identify any (-) or (+) Remove all entries containing a - or a + symbol Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The /usr/lib/uucp/L.sys file must not allow group or everyone read access Does the /usr/lib/uucp/L.sys file allow group or everyone read access? Check the permissions on the /usr/lib/uucp/L.sys file Remove group or everyone read access where it is granted A password may be disclosed Unauthorised access to data objects may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. rdist should be used as a more secure means of performing file transfers and should be used in preference to ftp. Is rdist used for secure file transfer? Use rdist for file transfers in preference to ftp Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Disable sendmail if it is not required Is sendmail disabled where it is not required? Remove it as a service Unauthorised privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. The /etc/hosts.equiv should be owned by root Is the /etc/hosts.equiv owned by root? Check the ownership of the /etc/hosts.equiv file Where it is not owned by root change the ownership to root Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Where the UUCP account is present it should be password protected. Is the UUCP account password protected where present? If the UUCP account is present ensure that it is password protected. Unauthorised remote access may be obtained Unauthorised access may be used for fraudulent misuse Unauthorised access may be used for malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. If NFS is used, all available patches should be applied. IHave all available NFS been applied? Ensure that the release of software updates are monitored. Ensure that the patches identified are applied. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The ~ftp/etc/passwd file permissions should be set to 444 Are the ~ftp/etc/passwd file permissions set to 444? Check the file permissions of ~ftp/etc/passwd Where the permissions are not set to 444 set the permissions to 444 Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. The UUCP subsystem must be removed unless it is required. Has the UUCP subsystem been removed? If not, is it reqyured? Check to see whether the UUCP subsystem is actually required. If it is not required, remove it. UUCP can be a source of multiple security vulnerabilities Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The /etc/hosts.equiv should contain no trusted users Has it been ensured that the /etc/hosts.equiv contains no trusted users View the contents of the /etc/hosts.equiv file and identify any specific users Remove all entries relating to specific users Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The home directory of the ftp user account must not contain a .forward file Does the home directory of the ftp user account contain a .forward file? Delete any .forward file from the ftp user home directory Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. Ensure that the ftp daemon is started up with the -l qualifier to log connections Is it ensured that the ftp daemon is started up with the -l qualifier to log connections? Edit the configuration or services file referenced during the startup of the ftp daemon Modify the entry for the ftp daemon to include the -l qualifier Unauthorised use may go unrecorded Unauthorised use may go undetected Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. The home directory of the ftp user account must not contain a .rhosts file Does the home directory of the ftp user account contain a .rhosts file? Delete any .rhosts file from the ~ftp directory Unauthorised remote access may be obtained Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. The ~ftp/etc/passwd file must not contain the entries from the real password file Does the ~ftp/etc/passwd file contain entries from the real password file? Do not copy the real passwd file Do not copy entries from the real passwd file Create a new passwd file for the ~ftp/etc/passwd Unauthorised access to the system may be obtained Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. The rsh daemon should be disabled unless required Has the rsh daemon been commented out of the inetd.conf? Edit inetd.conf and locate the entry for rshd Comment out the entry that initiates this daemon. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The NFS exports file must not contain an entry for localhosts Does the NFS exports file contain an entry for localhosts Exam the contents of the NFS exports file Ensure that no entries exist for localhosts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Users $HOME directories must not contain any .netrc files Do users $HOME directories contain any .netrc files? List all users $HOME directories and identify those with .netrc files Delete all .netrc files found Passwords may be disclosed Unauthorised access to data objects may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The ~ftp/usr/bin directory and its equivalents should not contain CLIs or other system commands Is it ensured that the ~ftp/usr/bin directory and its equivalents do not contain CLIs or other system commands Ensure that the contents of the ~ftp/usr/bin directory contains no unnecessary system commands or CLIs Unintended commands may be executed Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable. Telnet should be disabled unless required Is Telnet disabled unless required? Comment the telnet daemon out of the inetd.conf file Remote unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The rlogin daemon should be disabled unless required Has the rlogin daemon been commented out of the inetd.conf? Edit inetd.conf and locate the entry for rlogind Comment out the entry that initiates this daemon. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that the ftp server does not permit the execution of the site exec command Is it ensured that the ftp server does not permit the execution of the site exec command? Check the ftp daemon default configuration Test the ftp server to see if the site exec command is accepted Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Do not export a system owned file system Are any system owned file systems exported? Examine the contents of the NFS exports file Ensure that no system owned file systems are exported. Unauthorised privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. No UUCP files or directories should permit everyone write access Do UUCP files or directories permit everyone write access? Check the permissions on the UUCP files and directories Set the permissions to exclude everyone write access where it is currently permitted. Unauthorised access to data objects may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that all patches available for sendmail have been applied Have all patches available for sendmail been applied? Maintain notification for sendmail patch release Apply these patches as they become available. Unauthorised privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Anonymous ftp should be configured to prevent deletions by guests or anonymous users Is anonymous ftp configured to prevent deletions by guests or anonymous users? Configure the ftp daemon to prevent deletion by anonymous or guest users Unauthorised object deletions may take place Business information and applications may be unavailable. The /etc/exports file should be owned by root Is the /etc/exports file owned by root? Exam the ownershiip of the NFS exports file Set the ownership to root Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Anonymous ftp should be configured to prevent chmod by guests or anonymous users Is anonymous ftp configured to prevent chmod by guests or anonymous users? Configure the ftp daemon to prevent chmod by anonymous or guest users Unauthorised object access permissioning may take place Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable. The tftp daemon should be started up with the -s qualifier Is the tftp daemon started up with the -s qualifier? Edit the inetd.conf file Add the -s qualifier to the tftp daemon entry in the file Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable. the ftp daemon should deny access to user accounts whose shell is not found as a valid shell in /etc/shells Does the ftp daemon deny access to user accounts whose shell is not found to be a valid shell in /etc/shells? Ensure that /etc/shells includes only those shells valid for your system The execution of illict user shells by ftp may provide unauthorised access Unauthorised access may be used for malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Export NFS filesystems read only wherever possible Are NFS filesystems exported read only where possible? Exam the contents of the NFS exports file Ensure that the file systems are exported read only where possible Business information may be accidentally or maliciously altered. Business information and applications may be unavailable. The files .plan and .project held in user $HOME directories should be kept empty so that if the account is fingered no unnecessary information is released about the individual. Are the .plan and .project files held in the users $HOME directories kept empty? The .plan and .project files held in the users $HOME should be identified. Each of these files should be checked for any contents. For any with content these should be cleared out. Unnecessary intelligence may be provided to system attackers Unauthorised access may be obtained Unauthorised access may result in fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The wall command should be denied from non-administrative users Is the wall command denied from non-administrative users? Set permissions on the wall command to prevent execution by non-administrative users Unwanted broadcast messages may be generated Business information may be disclosed. Business information and applications may be unavailable. The permissions on the /etc/hosts.equiv should be 755 Are the permissions on the /etc/hosts.equiv set to 755 Check the permissions of the /etc/hosts.equiv file Where the permissions are greater than 755 set the permissions to 755 Unauthorised access to the file may be obtained Entries may be added to the file to provide unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Fsirand should be run once following commissioning to generate random inode numbers for the files on the system Is Fsirand run once on the system following commissioning? Following commissioning of the system run fsirand Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Do not install Unix in dual universe form as this can introduce significant security vulnerabilities. Is the installation dual universe i.e. accepts both Berkeley and System V commands. During installation install either Berkeley or System V. Multiple weaknesses may ensue from a dual universe installation Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The sulog should record both successful and unsuccessful su attempts Does the sulog record both successful and unsuccessful su attempts Configure auditing to record both successful and unsuccessful su attempts Attempts to breach security can be identified and avoided Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Lastlog should be enabled for all users Is lastlog enabled for all users? Ensure that all users have a lastlog file and that it is written to Unauthorised account usage may go unnoticed Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Events for logging to syslog should be enabled for auth, daemon and cron messages. Are the following events logged to syslog - auth, daemon and cron messages? Configure auditing to log auth, daemon and cron messages to the syslog Unauthorised activity may go unrecorded Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. Events logged to the syslog should be wrtten to a physically secure line printer as well. Are the events logged to the syslog also wrtten to a physically secure line printer as well? Configure auditing to write the syslog events to a physically secure line printer as well. Unauthorised activity may go unrecorded Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable. The sulog contents should be recorded in both the sulog itself and written to a physically secure line printer Are the sulog contents recorded in both the sulog itself and written to a physically secure line printer? Configure auditing to write the sulog events to both the sulog and to a line printer Primary audit data is retained in a tamper proof manner allowing the identification of privileged unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The loginlog file should be created and every entry should be considered as a potential breakin attempt and should therefore be regularly reviewed. Does the loginlog file exist and are its contents regularly reviewed? Create the loginlog file Review the loginlog file on a periodic basis and identify new entries Each entry represents 5 login failures which should be investigated Any irreconcilable entries should be treated as a breakin attempt Attempts to breach security can be identified and avoided Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The wtmp should be regularly archived to protect its contents from loss Is the wtmp file regularly archived? Ensure that the wtmp file is backed up at intervals which precede its erasure Loss of security significant event information may be lost Loss of accountability may occur Business information and applications may be unavailable. The file L.cmds should be empty thereby making it impossible to remotely execute commands by using UUX. Is the L.cmds file empty? Delete any entries from the L.cmds file Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. All UUCP accounts should be added to the /etc/ftpusers account. Are all UUCP accounts added to the /etc/ftpusers account? Edit the /etc/ftpusers to include all UUCP accounts. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. If NFS is used, it should be ensured that the UUCP configuration, programs and data are never exported as these are owned by UUCP and not root. If NFS is in use has it been ensured that the UUCP configuration, programs and data are never exported? Determine if NFS is in use. Determine if UUCP is in use. If both are in use check that the UUCP configuration, programs and data are not on the export volume. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. .procmailrc and .forward should be reviewed for illict entries for example, the execution of a script in the /tmp directory. Are the .procmailrc and .forward files reviewed for illicit entries? list the contents of each file validate the entries in each file remove any illicit entries in each file investigate the source of any illicit entries Business information may be disclosed. Business information and applications may be unavailable. Any foreign filesystems including floppy disks should be mounted NOSUID Are all foreign filesystems mounted NOSUID? When mounting a foreign filesystem ensure it is qualified with NOSUID Unauthorised root access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.