Generic Unix Security Standard

Generic Unix Security Standard LCZ-GUS 1.4 16 May 2009 This document specifies generic technical security policy. This standard contains 110 baseline controls, and 2 above baseline controls, for a total of 112 controls. 1.4 16 May 2009 FOD Revised for re-release 1.3 01 June 2004 LCZ Corrected control errors 1.2 04 April 2003 LCZ Many new controls added 1.1 19 March 2003 LCZ Updated sections 1.0 21 January 2003 LCZ Initial Draft for public release 2001200220032009 Frank O'Dwyer All of these Security Standards and Security Policies are copyrighted. THEY ARE NOT IN THE PUBLIC DOMAIN. They are however distributed under a liberal open-source license, see Publishing these Security Standards and Policies.Frank O'Dwyer Introduction

ObjectivesThe objectives of this document are: To specify generic security standards applicable to all IT platforms.

Scope Controls specified in this document apply to all IT platforms. All of the organisation's information systems will be subject to the policies specified within this generic security standard. The policies will be applied to new and existing installations.

Not In Scope Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from the Information Security team consultancy function. This is a generic standard. Controls specific to particular technologies are not defined here but will be the subject of additional standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt.

Giving FeedbackYour feedback to improve this document is welcome. Please let me know of your experiences in applying the controls and guidance in this standard. Are the controls effective, easy to implement, too onerous, clear, unclear, something missing? Does an exceptional case need to be covered? Let me know. Please send your comments to frankodwyer AT netscape.net. Your comments will be used to produce better free security standards for the IT community.I also request that you give feedback where you think the controls and guidance is correct. This will let us gauge whether or not specific controls are controversial or broadly acceptable to the community, and will help us to resolve cases where we have conflicting feedback on particular content.

Publishing these Security Standards and PoliciesThis document may be reproduced and distributed in whole or in part, free of charge, subject to the following conditions:All copyright and trademark notices, and this permission notice must be preserved complete on all complete or partial copies.Any translation or derivative work of this document must be approved by Frank O'Dwyer in writing before distribution.If you distribute this guide in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given.Neither Frank O'Dwyer's name nor the names of any contributors may be used to endorse or promote products derived from this document without specific prior written permission.THIS DOCUMENT IS PROVIDED BY FRANK O'DWYER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FRANK O'DWYER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I would like to be informed of any plans to publish or distribute these documents, just so I know how they're being used and where they are becoming available. If you are publishing or distributing or planning to publish or distribute any of these documents, please send mail to frankodwyer AT netscape.net

Related DocumentsThis document should be read and applied in conjunction with the technology specific security standards that are available from the frankodwyer.com web site. Please note that some of the documents below are currently under development and as such may not as yet be available. Check back frequently for updates to this document and those documents listed below.

Generic Security StandardsGeneric Security Standardshttp://www.frankodwyer.com/standards/index.html#genericData Protection European Union Security Standardhttp://www.frankodwyer.com/standards/index.html#genericApplication Service Provider Security Standardshttp://www.frankodwyer.com/standards/index.html#generic

Operating System Security StandardsGeneric Unix Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Generic Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Workstation Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Server Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Domain Security Standardshttp://www.frankodwyer.com/standards/index.html#os

Database Security StandardsOracle Security Standardshttp://www.frankodwyer.com/standards/index.html#db

Definitions An Information Asset equates to any computerised information system or component thereof and thus includes an application, off the shelf software, hardware, media, data item, data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous.

User Configuration

Default Accounts

Change default account passwordsIDVersionLevelEnforcementGUS-USER-021.0baselinemandatory

StandardThe default passwords of the following accounts must be changed following installation; open, uucp, toor, mount, guest, manager, ingres, mail, help, visitor, system, bin, demo, telnet, lp, who, finger, games

Detailed Steps For all accounts above the following accounts should have their passwords changed; open, uucp, toor, mount, guest, manager, ingres, uucp, mail, help, visitor, system, bin, demo, telnet , lp, who, finger, games

Risks AddressedWhere this control is not applied, the following residual risks exist: Unuathorised access may be obtained Unauthorised access may be used for fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The synch account must not be disabled or password protected IDVersionLevelEnforcementGUS-DA-21.0baselinemandatory

StandardThe synch account must not be disabled or password protected

Detailed Steps Ensure the synch account is enabled Ensure the synch account has no password

Risks AddressedWhere this control is not applied, the following residual risks exist: Emergency shutdown can be performed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The nobody account should own no files on any of the systems filesystemsIDVersionLevelEnforcementGUS-DA-11.0baselinerecommended

StandardThe nobody account should own no files on any of the systems filesystems

Detailed Steps Scan the filesystems for objects owned by nobody Reassign the ownership of any objects identified belonging to nobody

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Roles, Views, and Access Control

Access to /dev/kmem must be restrictedIDVersionLevelEnforcementGUS-ACCESS-11.0baselinemandatory

StandardAccess to the device file /dev/kmem must be restricted

Detailed Steps Ensure that access to the device file /dev/kmem has the most restrictive access permissions

Risks AddressedWhere this control is not applied, the following residual risks exist: Users may be able to change their UID to root Root access may lead to complete compromise of the system Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Do not rely on access control lists on NFS file systemsIDVersionLevelEnforcementGUS-ACCESS-21.0baselinerecommended

StandardDo not rely on access control lists on NFS file systems

Detailed Steps Be aware that access control lists often do not work on NFS file systems Do not therefore rely on access control lists to mediate access to objects on NFS file systems

Risks AddressedWhere this control is not applied, the following residual risks exist: Access to objects may not be restricted as expected Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Avoid changing permissions on objects with access control lists using a numeric chmodIDVersionLevelEnforcementGUS-ACCESS-31.0baselinerecommended

StandardAvoid changing permissions on objects with access control lists using a numeric chmod

Detailed Steps Be aware that numeric chmod commands may disable the ACL Use the symbolic chmod command to modify the permissions of files with ACLs

Any filenames beginning with a period . must not be everyone or group writable/readable.IDVersionLevelEnforcementGUS-ACCESS-41.0baselinerecommended

StandardAny filenames beginning with a period . must not be everyone or group writable/readable.

Detailed Steps Identify all files beginning with a period . Check for each file whether it has everyone or group read/write Remove these permissions wherever possible

Risks AddressedWhere this control is not applied, the following residual risks exist: Access to objects may not be restricted as expected Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

If a tape drive is used for backup ensure this device is not everyone readableIDVersionLevelEnforcementGUS-ACCESS-51.0baselinerecommended

StandardIf a tape drive is used for backup ensure this device is not everyone readable

Detailed Steps Identify the backup tape drives Check the permissions for this device Remove world read access where this permission has been enabled

Risks AddressedWhere this control is not applied, the following residual risks exist: Access to data may not be restricted as expected Unauthorised access to data may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Privileges

at access should be restricted using at.allowIDVersionLevelEnforcementGUS-PRIV-21.0baselinerecommended

Standardat access should be restricted using at.allow

Detailed Steps Edit the at.allow file Add the users names who need to be able to submit at jobs

User UIDs must be greater than 20IDVersionLevelEnforcementGUS-USER-011.0baselinemandatory

StandardUser UIDs must be greater than 20

Detailed Steps List each user account entry in the /etc/passwd file Check the UID value of each and highlight those that are not greater than 20 Change the UID values to greater than 20 if possible Ensure that any new user accounts are set up with UIDs greater than 20

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained Unauthorised access may be used for fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Suid shell scripts should not be usedIDVersionLevelEnforcementGUS-PRIV-021.0baselinerecommended

StandardSuid shell scripts should not be used

Detailed Steps Identify all suid shell scripts on the system Replace these scripts with a different language such as perl

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained Unauthorised access may lead to malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The use of the su command should be with the hyphen (-) qualifierIDVersionLevelEnforcementGUS-PRIV-011.0baselinerecommended

StandardThe use of the su command should always be used with the hyphen (-) qualifier

Detailed Steps Educate all users to ensure that the(-) hyphen qualifier is used with su. Check scripts or executables running on the system that call su also use hyphen

Risks AddressedWhere this control is not applied, the following residual risks exist: Account login script controls may be bypassed Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misue Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The alias file should be reviewed to ensure all redirection entries are usersIDVersionLevelEnforcementGUS-MAIL-031.0baselinerecommended

StandardThe mail aliases file should be reviewed to ensure that all entries for mail redirection are valid users and not a program or a script for execution

Detailed Steps Review the aliases file Identify all redirection target accounts Check each of these targets is a user and not a script or program Investigate any entries that are inconsistent with this Delete inconsistent entries

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised program execution may occur Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

root should only be logged into using suIDVersionLevelEnforcementGUS-PRIV-051.0above baselinerecommended

Standardroot should only be logged into using su

Detailed Steps Set all terminals to restricted to force root login via su

Risks AddressedWhere this control is not applied, the following residual risks exist: Direct compromise of the root password will still result in no access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Use the wheel group if possibleIDVersionLevelEnforcementGUS-PRIV-061.0baselinemandatory

StandardWhere it is available use the wheel group

Detailed Steps Create the wheel group Add all users who are permitted to su root to the group Exclude all others

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained Unauthorised access may be used for malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Users must have indvidual UIDsIDVersionLevelEnforcementGUS-USER-031.0baselinemandatory

StandardEvery user must have a unique UID.

Detailed Steps List all users sorted by UID. Identify all those with shared UIDs. Modify the users such that they have a unique UID. Ensure the files and directories these users own are appropriately owned. Ensure the files and directories these users own remain accessible.

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access to data and software objects Unauthorised access may lead to fraudulent or malicious misuse Loss of accountability Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Mount any foreign filesystems as NODEVIDVersionLevelEnforcementGUS-PRIV-041.0baselinemandatory

StandardEnsure that any foreign file systems are mounted NODEV

Detailed Steps Locate all instances where a foreign filesystem is mounted. For each instance ensure that the mount is qualified with NODEV

Risks AddressedWhere this control is not applied, the following residual risks exist: Malicious device files can be used to subvert system controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The write program should be set to SGID tty and not SUID rootIDVersionLevelEnforcementGUS-PRIV-031.0above baselinerecommended

StandardThe write program should be set to SGID tty and not SUID root

Detailed Steps Locate the write program Check its permissions If the permissions are SUID root set them to SGID tty

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged commands may be executed Unauthorised privileged access may be obtained Unauthorised access may result in malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

cron access should be restricted using cron.allowIDVersionLevelEnforcementGUS-PRIV-11.0baselinerecommended

Standardcron access should be restricted using cron.allow

Detailed Steps Edit the cron.allow file Add the users names who need to be able to submit cron jobs

Authentication/Password Configuration

Implement a login failure retry interval of 3 seconds where possibleIDVersionLevelEnforcementGUS-AUTH-031.0baselinerecommended

StandardImplement a login failure retry interval of 3 seconds where possible

Detailed Steps If the variant of Unix supports a login failure retry interval set this interval to 3 seconds

Risks AddressedWhere this control is not applied, the following residual risks exist: Automated password guessing routines will be hampered Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Autologout of idle users should occur after 1 hourIDVersionLevelEnforcementGUS-AUTH-021.0baselinerecommended

StandardAutologout of idle users should be set after 1 hour

Detailed Steps set autologout in .cshrc script to 1 hour

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access may be obtained Unauthorised access may result in fradulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Do not permit the use of control characters in passwordsIDVersionLevelEnforcementGUS-AUTH-011.0baselinerecommended

StandardThe use of control characters should be prevented from being used within user passwords.

Detailed Steps Use filtering software that rejects passwords containing control characters.

Risks AddressedWhere this control is not applied, the following residual risks exist: Control characters within passwords can interpreted and lead to a breach Unauthorised privileged access may be obtained Unauthorised privileged commands may be executed Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Security Compliance

Security Compliance Checking

Hidden files should be sought out and investigatedIDVersionLevelEnforcementGUS-MON-051.0baselinerecommended

StandardHidden files should be sought out and investigated. Certain control characters in file names can make it difficult to see or access such files.

Detailed Steps Use the ls -q command to list files with control characters in their name. For each file identified review its contents for any malicious code or commands. Remove any files which are clearly intended to breach the security of the system.

Risks AddressedWhere this control is not applied, the following residual risks exist: Malicious scripts and programs may be used to gain unauthorised access Unauthorised access may be used for malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Reports should be produced and reviewed for access outside of normal hoursIDVersionLevelEnforcementGUS-AUD-021.0baselinerecommended

StandardReports should be produced and reviewed for access outside of normal hours

Detailed Steps Log times of user logins Determine the normal access times for the system Report on logons that fall outside of those access times Reconcile the use with the account owner to ensure legitimacy

Risks AddressedWhere this control is not applied, the following residual risks exist: Misuse may go unnoticed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

syslog.conf must be monitored for all alterationsIDVersionLevelEnforcementGUS-AUD-011.0baselinemandatory

Standardsyslog.conf must be monitored for alterations

Detailed Steps Establish a baseline syslog.conf Identify any changes to the file from the baseline Reconcile the changes to ensure they are legitimate

All new su programs should be identified and validatedIDVersionLevelEnforcementGUS-MON-011.0baselinerecommended

StandardAll new su programs should be identified and validated to ensure that they are legitimate.

Detailed Steps Instigate a means of identifying the addition of new su programs to the system. Investigate the new su programs to ensure they are valid. Investigate any that are not and remove them from the system.

Risks AddressedWhere this control is not applied, the following residual risks exist: Privileged unauthorised access may be obtained Unauthorised access may result in malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

grpck should be run regularlyIDVersionLevelEnforcementGUS-MON-031.0baselinerecommended

Standardgrpck should be run regularly to check for inconsistencies in the /etc/groups file

Detailed Steps Run grpck to check for any inconsistencies in the groups file Any inconsistencies reported should be investigated and rectified

Risks AddressedWhere this control is not applied, the following residual risks exist: Incorrect group membership may permit unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Reports should be produced and reviewed for multiple login failures from a single sourceIDVersionLevelEnforcementGUS-AUD-071.0baselinerecommended

StandardReports should be produced and reviewed for multiple login failures from a single source

Detailed Steps Record login failures against user accounts Extract the source address/terminal id for each failure Report on login failures based upon source address Investigate any source terminal with a login failure against more than one target user account.

Risks AddressedWhere this control is not applied, the following residual risks exist: Misuse may go unnoticed Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

pwck should be run regularlyIDVersionLevelEnforcementGUS-MON-021.0baselinerecommended

Standardpwck should be run regularly to identify inconsistencies in the password file.

Detailed Steps Run pwck on a regular basis to identify any inconsistencies in the passwd file. Any inconsistencies identified should be investigated and rectified.

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access may be obtained Unauthorised access may lead to malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Security monitoring software should be installed and usedIDVersionLevelEnforcementGUS-MON-041.0baselinerecommended

StandardSecurity monitoring software, for example Tripwire, Cops, Tiger, TCPWrapper etc should be installed and used for monitor for security critical changes, to harden the operating system and to provide security reporting.

Detailed Steps Identify security monitoring products appropriate to your environment. Install these tools. Use them to protect and monitor your system

Risks AddressedWhere this control is not applied, the following residual risks exist: Security significant changes may go unnoticed Attempts to breach security may go unnoticed Unauthorised access may be obtained Unauthorised access may result in malicious or fraduluent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Reports should be produced and reviewed for multiple login failuresIDVersionLevelEnforcementGUS-AUD-061.0baselinerecommended

StandardReports should be produced and reviewed for multiple login failures

Detailed Steps Record login failures against user accounts Produce a daily report of login failures for user accounts Reconcile the login failures with the owners of the accounts.

Security Management

Aliases should be created for all non-user accounts to redirect to the adminIDVersionLevelEnforcementGUS-MAIL-021.0baselinerecommended

StandardAliases should be created for all non-user accounts to redirect inbound mail to an administrator account where it will be read

Detailed Steps Identify all non-user accounts Identify an administrator to receive mail for these accounts Set up a mail alias to direct inbound mail to these accounts to the administrator

Network Security Configuration

Network Interface Considerations

The ftp home directory should be owned by rootIDVersionLevelEnforcementGUS-NET-541.0baselinerecommended

StandardThe ftp home directory should be owned by root

Detailed Steps Set the ownership of the ftp home directory to root

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised write access may be obtained Business information and data may be maliciously or accidentally altered Business information and applications may be unavailable.

PPP must not be installed on the systemIDVersionLevelEnforcementGUS-NET-291.0baselinemandatory

StandardPPP must not be installed on the system

Detailed Steps Remove the PPP executable from the system Remove any reference to PPP from network configuration files

Risks AddressedWhere this control is not applied, the following residual risks exist: Remote unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

.rosts files must not be usedIDVersionLevelEnforcementGUS-NET-161.0baselinemandatory

Standard.rhosts files must not be used as they can provide arbitrary remote access to local users accounts and are subject to spoofing.

Detailed Steps Search users home directories for the presence of .rhosts files For those identified replace the access with another more secure method. Delete the .rhosts file

Risks AddressedWhere this control is not applied, the following residual risks exist: .rhosts file entries can permit successful spoofing Unauthorised access may be obtained Fraudulent misuse may occur Malicious misuse may occur Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The systat service should be commented out of the inetd.conf fileIDVersionLevelEnforcementGUS-NET-151.0baselinerecommended

StandardThe systat service should be commented out of the inetd.conf file as this provides very useful information to attackers

Detailed Steps Edit the inetd.conf file Identify the entry that initiates the systat daemon Comment out the entry so identified

Risks AddressedWhere this control is not applied, the following residual risks exist: Unnecessary intelligence may be given to system attackers Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

SLIP must not be installed on the systemIDVersionLevelEnforcementGUS-NET-281.0baselinemandatory

StandardSLIP must not be installed on the system

Detailed Steps Remove the SLIP executable from the system Remove any reference to SLIP from network configuration files

The ftp entry in the password file should contain an invalid password and refer to a non-existent shellIDVersionLevelEnforcementGUS-NET-531.0baselinerecommended

StandardThe ftp entry in the password file should contain an invalid password and refer to a non-existent shell

Detailed Steps Edit the password file and set an invalid password value and a non existent shell

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access may be obtained Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable.

Disable anonymous ftp if possibleIDVersionLevelEnforcementGUS-NET-451.0baselinerecommended

StandardDisable anonymous ftp if possible

Detailed Steps Edit the configuration and/or services file and comment out anonymous ftp service Restart the inet daemon and other appropriate system services/daemons to make the change take effect

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised non-privileged remote access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

root must be used to run all crontab scripts as user UUCP. The scripts must be owned by root. IDVersionLevelEnforcementGUS-NET-111.0baselinemandatory

Standardroot must be used to run all crontab scripts as user UUCP. The scripts must be owned by root.

Detailed Steps Identify all crontab scripts required to be run by UUCP. Take ownership of these scripts by root. Ensure that when they are run they are executed by root as crontab.

Risks AddressedWhere this control is not applied, the following residual risks exist: Protects crontab scripts from malicious alteration or substitution Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The /etc/inetd.conf should be owned by root.IDVersionLevelEnforcementGUS-NET-261.0baselinerecommended

StandardThe /etc/inetd.conf should be owned by root.

Detailed Steps View the ownership of the inetd.conf file If this is not owned by root set it to be owned by root

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised changes to the file may be made Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

rexecd daemon should be disabledIDVersionLevelEnforcementGUS-NET-141.0baselinerecommended

StandardThe rexecd daemon should be disabled by commenting out the rexec entry in inetd.conf.

Detailed Steps Edit inetd.conf and locate the entry for rexecd Comment out the entry that initiates this daemon.

Risks AddressedWhere this control is not applied, the following residual risks exist: Remote execution can be used to attempt to subvert system controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

NFS Filesystems should be exported nosuidIDVersionLevelEnforcementGUS-NET-361.0baselinerecommended

StandardNFS Filesystems should be exported nosuid

Detailed Steps Exam the contents of the NFS exports file Ensure that the file systems are exported nosuid

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

Anonymous ftp should prevent overwrite by guests or anonymous usersIDVersionLevelEnforcementGUS-NET-471.0baselinerecommended

StandardAnonymous ftp should be configured to prevent overwrite by guests or anonymous users

Detailed Steps Configure the ftp daemon to prevent overwrite by anonymous or guest users

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised data deletions may take place Unauthorised data alteration may take place Business information and applications may be unavailable.

Entries in an NFS exports file must be comprised of fully qualified hostnamesIDVersionLevelEnforcementGUS-NET-331.0baselinemandatory

StandardEntries in an NFS exports file must be comprised of fully qualified hostnames

Detailed Steps Exam the contents of the NFS exports file Ensure that the entries are fully qualified hostnames

Risks AddressedWhere this control is not applied, the following residual risks exist: Data may be exported to incorrect hosts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The ftp home directory should have permissions of 555IDVersionLevelEnforcementGUS-NET-551.0baselinerecommended

StandardThe ftp home directory should have permissions of 555

Detailed Steps Set the file permissions of the ftp home directory to 555

The fingerd daemon should be disabled by commenting out the finger entry in inetd.conf.IDVersionLevelEnforcementGUS-NET-131.0baselinerecommended

StandardThe fingerd daemon should be disabled by commenting out the finger entry in inetd.conf.

Detailed Steps Edit the inetd.conf file in order to delete the fingerd daemon entry.

Risks AddressedWhere this control is not applied, the following residual risks exist: The unnecessary provision of intelligence to attackers Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The permissions on the /etc/inetd.conf should be 644IDVersionLevelEnforcementGUS-NET-271.0baselinerecommended

StandardThe permissions on the /etc/inetd.conf should be 644

Detailed Steps View the permissions on the inetd.conf file If this is not set to 644 set the permissions to 644

The /etc/hosts.equiv should contain the fewest number of trusted hostsIDVersionLevelEnforcementGUS-NET-211.0baselinerecommended

StandardThe /etc/hosts.equiv should contain the fewest number of trusted hosts

Detailed Steps View the contents of the /etc/hosts.equiv file and validate all entries Remove all of the entries that are not required

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Ensure /etc/ftpusers contains default vendor and system accounts that should not require ftp accessIDVersionLevelEnforcementGUS-NET-441.0baselinerecommended

StandardEnsure /etc/ftpusers contains default vendor and system accounts that should not require ftp access

Detailed Steps Edit the /etc/ftpusers account Add the following accounts to the list where they are not already included, news, nobody, lp, uucp, bin, guest. Add all other default vendor accounts that have no ftp requirement Add all other default system accounts that have no ftp requirement

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised non-privileged remote access may be obtained Unauthorised privileged remote access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

Reverse lookup should be used for anonymous ftp connectionsIDVersionLevelEnforcementGUS-NET-511.0baselinerecommended

StandardReverse lookup should be used for anonymous ftp connections

Detailed Steps Configure the ftp daemon to use reverse lookup of anonymous ftp connections

Risks AddressedWhere this control is not applied, the following residual risks exist: IP address spoofing can be prevented Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable.

The /etc/hosts.equiv should be removed unless requiredIDVersionLevelEnforcementGUS-NET-201.0baselinerecommended

StandardThe /etc/hosts.equiv should be removed unless required

Detailed Steps View the contents of the /etc/hosts.equiv file and validate any entries Where the file is empty delete the file altogether

There should be a mail alias to redirect mail from the UUCP account using the aliases fileIDVersionLevelEnforcementGUS-MAIL-041.0baselinemandatory

StandardThere should be a mail alias to redirect mail from the UUCP account using the aliases file. The .forward file should not be used to achieve this.

Detailed Steps Add an entry in the aliases file forwarding mail to an alternate account Ensure that there are no entries in the UUCP account's .forward file.

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be disclosed.

Anonymous ftp should prevent rename by guests or anonymous usersIDVersionLevelEnforcementGUS-NET-481.0baselinerecommended

StandardAnonymous ftp should be configured to prevent rename by guests or anonymous users

Detailed Steps Configure the ftp daemon to prevent rename by anonymous or guest users

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised object renames may take place Business information and data may be maliciously or accidentally altered Business information and applications may be unavailable.

Inetd.conf must be monitored for all alterationsIDVersionLevelEnforcementGUS-NET-031.0baselinemandatory

StandardInetd.conf must be monitored for alterations

Detailed Steps Establish a baseline inetd.conf Identify any changes to the file from the baseline Reconcile the changes to ensure they are legitimate

Risks AddressedWhere this control is not applied, the following residual risks exist: inetd.conf changes may result in the execution of unauthorised services Privileged unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The tftp home directory should not permit write accessIDVersionLevelEnforcementGUS-NET-621.0baselinerecommended

StandardThe tftp home directory should not permit write access

Detailed Steps Check the permissions on the tftp home directory Set the permissions on the directory to exclude write access

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable.

Ensure that the ftp daemon is the most recentIDVersionLevelEnforcementGUS-NET-401.0baselinerecommended

StandardEnsure that the ftp daemon is the most recent

Detailed Steps Determine the currently installed ftp daemon Determine the most current ftp daemon If they differ install the most current ftp daemon

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained Unauthorised non-privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

No SUID/SGID bits should be set on UUCP component programs.IDVersionLevelEnforcementGUS-NET-051.0baselinerecommended

StandardWhere the UUCP subsystem is required all SUID and SGID bits should be removed from its component programs

Detailed Steps Determine if the UUCP subsystem is required. If it is required, identify all of the components with SGID and SUID bits set. For all components so identified strip these bits.

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained remotely Access may lead to to fradulent or malcious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The rcp daemon should be disabled unless requiredIDVersionLevelEnforcementGUS-NET-191.0baselinerecommended

StandardThe rcp daemon should be disabled unless required

Detailed Steps Edit inetd.conf and locate the entry for rcpd Comment out the entry that initiates this daemon.

Ensure /etc/ftpusers is in place to deny users ftp access that do not require itIDVersionLevelEnforcementGUS-NET-431.0baselinerecommended

StandardEnsure /etc/ftpusers is in place to deny users ftp access that do not require it

Detailed Steps Create an /etc/ftpusers file Populate the file with theusers who should not have ftp access Ensure that the list is single entry per line

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised remote access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

The ~ftp/etc/passwd file should be owned by rootIDVersionLevelEnforcementGUS-NET-591.0baselinerecommended

StandardThe ~ftp/etc/passwd file should be owned by root

Detailed Steps Check the file ownership of ~ftp/etc/passwd Where the owner is not root set the ownership to be root

UUCP if required should be configured to only allow remote file retrieval from particular directoriesIDVersionLevelEnforcementGUS-NET-071.0baselinerecommended

StandardUUCP if required should be configured to only allow remote file retrieval from particular directories.

Detailed Steps Configure UUCP access to permit access to specifically required directories.

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access to data objects may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

tftp should be disabled unless the system serves X-terminalsIDVersionLevelEnforcementGUS-NET-611.0baselinerecommended

Standardtftp should be disabled unless the system serves X-terminals

Detailed Steps Determine if tftp is required Where it is not required comment the tftp entry out of the inetd.conf file

Anonymous ftp should prevent setting of umask by guests or anonymous usersIDVersionLevelEnforcementGUS-NET-501.0baselinerecommended

StandardAnonymous ftp should be configured to prevent setting of umask by guests or anonymous users

Detailed Steps Configure the ftp daemon to prevent setting of umask by anonymous or guest users

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised object access permissioning may take place Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable.

UUCP Callback should be enabledIDVersionLevelEnforcementGUS-NET-081.0baselinerecommended

StandardUUCP callback should be enabled to reduce the risk of simple spoofing attacks

Detailed Steps If UUCP is required set up UUCP callback to deny simple spoofing attacks.

Risks AddressedWhere this control is not applied, the following residual risks exist: Simple spoofing attacks Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The /etc/hosts.equiv should contain no hyphens or plus signsIDVersionLevelEnforcementGUS-NET-221.0baselinerecommended

StandardThe /etc/hosts.equiv should contain no hyphens or plus signs

Detailed Steps View the contents of the /etc/hosts.equiv file and identify any (-) or (+) Remove all entries containing a - or a + symbol

The /usr/lib/uucp/L.sys file must not allow group or everyone read accessIDVersionLevelEnforcementGUS-NET-661.0baselinemandatory

StandardThe /usr/lib/uucp/L.sys file must not allow group or everyone read access

Detailed Steps Check the permissions on the /usr/lib/uucp/L.sys file Remove group or everyone read access where it is granted

Risks AddressedWhere this control is not applied, the following residual risks exist: A password may be disclosed Unauthorised access to data objects may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

rdist should be used as a more secure means of performing file transfersIDVersionLevelEnforcementGUS-NET-011.0baselinemandatory

Standardrdist should be used as a more secure means of performing file transfers and should be used in preference to ftp.

Detailed Steps Use rdist for file transfers in preference to ftp

Disable sendmail if it is not requiredIDVersionLevelEnforcementGUS-NET-381.0baselinerecommended

StandardDisable sendmail if it is not required

Detailed Steps Remove it as a service

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

The /etc/hosts.equiv should be owned by root IDVersionLevelEnforcementGUS-NET-231.0baselinerecommended

StandardThe /etc/hosts.equiv should be owned by root

Detailed Steps Check the ownership of the /etc/hosts.equiv file Where it is not owned by root change the ownership to root

UUCP account should be password protected if presentIDVersionLevelEnforcementGUS-NET-061.0baselinerecommended

StandardWhere the UUCP account is present it should be password protected.

Detailed Steps If the UUCP account is present ensure that it is password protected.

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised remote access may be obtained Unauthorised access may be used for fraudulent misuse Unauthorised access may be used for malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

If NFS is used, all available patches should be applied.IDVersionLevelEnforcementGUS-NET-311.0baselinerecommended

StandardIf NFS is used, all available patches should be applied.

Detailed Steps Ensure that the release of software updates are monitored. Ensure that the patches identified are applied.

The ~ftp/etc/passwd file permissions should be set to 444IDVersionLevelEnforcementGUS-NET-601.0baselinerecommended

StandardThe ~ftp/etc/passwd file permissions should be set to 444

Detailed Steps Check the file permissions of ~ftp/etc/passwd Where the permissions are not set to 444 set the permissions to 444

The UUCP subsystem should be removed unless it is requiredIDVersionLevelEnforcementGUS-NET-041.0baselinemandatory

StandardThe UUCP subsystem must be removed unless it is required.

Detailed Steps Check to see whether the UUCP subsystem is actually required. If it is not required, remove it.

Risks AddressedWhere this control is not applied, the following residual risks exist: UUCP can be a source of multiple security vulnerabilities Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The /etc/hosts.equiv should contain no trusted usersIDVersionLevelEnforcementGUS-NET-251.0baselinerecommended

StandardThe /etc/hosts.equiv should contain no trusted users

Detailed Steps View the contents of the /etc/hosts.equiv file and identify any specific users Remove all entries relating to specific users

The home directory of the ftp user account must not contain a .forward fileIDVersionLevelEnforcementGUS-NET-581.0baselinemandatory

StandardThe home directory of the ftp user account must not contain a .forward file

Detailed Steps Delete any .forward file from the ftp user home directory

Ensure that the ftp daemon is started up with the -l qualifierIDVersionLevelEnforcementGUS-NET-411.0baselinerecommended

StandardEnsure that the ftp daemon is started up with the -l qualifier to log connections

Detailed Steps Edit the configuration or services file referenced during the startup of the ftp daemon Modify the entry for the ftp daemon to include the -l qualifier

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised use may go unrecorded Unauthorised use may go undetected Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

The home directory of the ftp user account must not contain a .rhosts fileIDVersionLevelEnforcementGUS-NET-571.0baselinemandatory

StandardThe home directory of the ftp user account must not contain a .rhosts file

Detailed Steps Delete any .rhosts file from the ~ftp directory

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised remote access may be obtained Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable.

The ~ftp/etc/passwd file must not contain the entries from the real password fileIDVersionLevelEnforcementGUS-NET-561.0baselinemandatory

StandardThe ~ftp/etc/passwd file must not contain the entries from the real password file

Detailed Steps Do not copy the real passwd file Do not copy entries from the real passwd file Create a new passwd file for the ~ftp/etc/passwd

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access to the system may be obtained Business information and data may be maliciously or accidentally altered Business information and data may be maliciously or accidentally disclosed Business information and applications may be unavailable.

The rsh daemon should be disabled unless requiredIDVersionLevelEnforcementGUS-NET-181.0baselinerecommended

StandardThe rsh daemon should be disabled unless required

Detailed Steps Edit inetd.conf and locate the entry for rshd Comment out the entry that initiates this daemon.

NFS exports file must not contain an entry for localhostsIDVersionLevelEnforcementGUS-NET-321.0baselinerecommended

StandardThe NFS exports file must not contain an entry for localhosts

Detailed Steps Exam the contents of the NFS exports file Ensure that no entries exist for localhosts

Users $HOME directories must not contain any .netrc filesIDVersionLevelEnforcementGUS-NET-651.0baselinemandatory

StandardUsers $HOME directories must not contain any .netrc files

Detailed Steps List all users $HOME directories and identify those with .netrc files Delete all .netrc files found

Risks AddressedWhere this control is not applied, the following residual risks exist: Passwords may be disclosed Unauthorised access to data objects may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The ~ftp/usr/bin directory and its equivalents should not contain CLIs or other system commandsIDVersionLevelEnforcementGUS-NET-521.0baselinerecommended

StandardThe ~ftp/usr/bin directory and its equivalents should not contain CLIs or other system commands

Detailed Steps Ensure that the contents of the ~ftp/usr/bin directory contains no unnecessary system commands or CLIs

Risks AddressedWhere this control is not applied, the following residual risks exist: Unintended commands may be executed Business information and data may be maliciously or accidentally altered Business information and data may be accidentally or maliciously disclosed Business information and applications may be unavailable.

Telnet should be disabled unless requiredIDVersionLevelEnforcementGUS-NET-301.0baselinerecommended

StandardTelnet should be disabled unless required

Detailed Steps Comment the telnet daemon out of the inetd.conf file

The rlogin daemon should be disabled unless requiredIDVersionLevelEnforcementGUS-NET-171.0baselinerecommended

StandardThe rlogin daemon should be disabled unless required

Detailed Steps Edit inetd.conf and locate the entry for rlogind Comment out the entry that initiates this daemon.

Ensure that the ftp server does not permit the execution of the site exec commandIDVersionLevelEnforcementGUS-NET-421.0baselinerecommended

StandardEnsure that the ftp server does not permit the execution of the site exec command

Detailed Steps Check the ftp daemon default configuration Test the ftp server to see if the site exec command is accepted

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

Do not export a system owned file systemIDVersionLevelEnforcementGUS-NET-371.0baselinemandatory

StandardDo not export a system owned file system

Detailed Steps Examine the contents of the NFS exports file Ensure that no system owned file systems are exported.

No UUCP files or directories should permit everyone write accessIDVersionLevelEnforcementGUS-NET-641.0baselinerecommended

StandardNo UUCP files or directories should permit everyone write access

Detailed Steps Check the permissions on the UUCP files and directories Set the permissions to exclude everyone write access where it is currently permitted.

Ensure that all patches available for sendmail have been appliedIDVersionLevelEnforcementGUS-NET-391.0baselinerecommended

StandardEnsure that all patches available for sendmail have been applied

Detailed Steps Maintain notification for sendmail patch release Apply these patches as they become available.

Anonymous ftp should prevent deletion by guests or anonymous usersIDVersionLevelEnforcementGUS-NET-461.0baselinerecommended

StandardAnonymous ftp should be configured to prevent deletions by guests or anonymous users

Detailed Steps Configure the ftp daemon to prevent deletion by anonymous or guest users

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised object deletions may take place Business information and applications may be unavailable.

The /etc/exports file should be owned by rootIDVersionLevelEnforcementGUS-NET-351.0baselinerecommended

StandardThe /etc/exports file should be owned by root

Detailed Steps Exam the ownershiip of the NFS exports file Set the ownership to root

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

Anonymous ftp should prevent chmod by guests or anonymous usersIDVersionLevelEnforcementGUS-NET-491.0baselinerecommended

StandardAnonymous ftp should be configured to prevent chmod by guests or anonymous users

Detailed Steps Configure the ftp daemon to prevent chmod by anonymous or guest users

The tftp daemon should be started up with the -s qualifierIDVersionLevelEnforcementGUS-NET-631.0baselinerecommended

StandardThe tftp daemon should be started up with the -s qualifier

Detailed Steps Edit the inetd.conf file Add the -s qualifier to the tftp daemon entry in the file

The ftp daemon must deny access to user accounts whose shell is not found as a valid shell in /etc/shellsIDVersionLevelEnforcementGUS-NET-021.0baselinemandatory

Standardthe ftp daemon should deny access to user accounts whose shell is not found as a valid shell in /etc/shells

Detailed Steps Ensure that /etc/shells includes only those shells valid for your system

Risks AddressedWhere this control is not applied, the following residual risks exist: The execution of illict user shells by ftp may provide unauthorised access Unauthorised access may be used for malicious or fraudulent misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Export NFS filesystems read only wherever possibleIDVersionLevelEnforcementGUS-NET-341.0baselinerecommended

StandardExport NFS filesystems read only wherever possible

Detailed Steps Exam the contents of the NFS exports file Ensure that the file systems are exported read only where possible

Configuration

Files and File Permissions

.plan and .project files in users $HOME directory should be kept emptyIDVersionLevelEnforcementGUS-USER-041.0baselinerecommended

StandardThe files .plan and .project held in user $HOME directories should be kept empty so that if the account is fingered no unnecessary information is released about the individual.

Detailed Steps The .plan and .project files held in the users $HOME should be identified. Each of these files should be checked for any contents. For any with content these should be cleared out.

Risks AddressedWhere this control is not applied, the following residual risks exist: Unnecessary intelligence may be provided to system attackers Unauthorised access may be obtained Unauthorised access may result in fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The wall command should be denied from non-administrative usersIDVersionLevelEnforcementGUS-FP-11.0baselinerecommended

StandardThe wall command should be denied from non-administrative users

Detailed Steps Set permissions on the wall command to prevent execution by non-administrative users

Risks AddressedWhere this control is not applied, the following residual risks exist: Unwanted broadcast messages may be generated Business information may be disclosed. Business information and applications may be unavailable.

The permissions on the /etc/hosts.equiv should be 755IDVersionLevelEnforcementGUS-NET-241.0baselinerecommended

StandardThe permissions on the /etc/hosts.equiv should be 755

Detailed Steps Check the permissions of the /etc/hosts.equiv file Where the permissions are greater than 755 set the permissions to 755

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access to the file may be obtained Entries may be added to the file to provide unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Installation

Setup Choices

Fsirand should be run once following commissioning IDVersionLevelEnforcementGUS-SETUP-11.0baselinerecommended

StandardFsirand should be run once following commissioning to generate random inode numbers for the files on the system

Detailed Steps Following commissioning of the system run fsirand

Do not install Unix as "Dual Universe"IDVersionLevelEnforcementGUS-INST-011.0baselinemandatory

StandardDo not install Unix in dual universe form as this can introduce significant security vulnerabilities.

Detailed Steps During installation install either Berkeley or System V.

Risks AddressedWhere this control is not applied, the following residual risks exist: Multiple weaknesses may ensue from a dual universe installation Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Auditing and Monitoring

Events to be audited

The sulog should record both successful and unsuccessful su attemptsIDVersionLevelEnforcementGUS-EVEN-031.0baselinerecommended

StandardThe sulog should record both successful and unsuccessful su attempts

Detailed Steps Configure auditing to record both successful and unsuccessful su attempts

Risks AddressedWhere this control is not applied, the following residual risks exist: Attempts to breach security can be identified and avoided Unauthorised access may be obtained Unauthorised access may lead to fraudulent or malicious misuse Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Lastlog should be enabled for all usersIDVersionLevelEnforcementGUS-AUD-031.0baselinerecommended

StandardLastlog should be enabled for all users

Detailed Steps Ensure that all users have a lastlog file and that it is written to

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised account usage may go unnoticed Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

Events for logging to syslog should be enabled for auth, daemon and cron messages.IDVersionLevelEnforcementGUS-AUD-041.0baselinerecommended

StandardEvents for logging to syslog should be enabled for auth, daemon and cron messages.

Detailed Steps Configure auditing to log auth, daemon and cron messages to the syslog

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised activity may go unrecorded Business information may be accidentally or maliciously altered. Business information may be accidentally or maliciously disclosed. Business information and applications may be unavailable.

Events logged to the syslog should be wrtten to a physically secure line printer as well.IDVersionLevelEnforcementGUS-AUD-051.0baselinerecommended

StandardEvents logged to the syslog should be wrtten to a physically secure line printer as well.

Detailed Steps Configure auditing to write the syslog events to a physically secure line printer as well.

The sulog contents should be recorded in both the sulog itself and written to a physically secure line printerIDVersionLevelEnforcementGUS-EVEN-041.0baselinerecommended

StandardThe sulog contents should be recorded in both the sulog itself and written to a physically secure line printer

Detailed Steps Configure auditing to write the sulog events to both the sulog and to a line printer

Risks AddressedWhere this control is not applied, the following residual risks exist: Primary audit data is retained in a tamper proof manner allowing the identification of privileged unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Loginlog should be used to identify potential breakin attemptsIDVersionLevelEnforcementGUS-EVEN-021.0baselinerecommended

StandardThe loginlog file should be created and every entry should be considered as a potential breakin attempt and should therefore be regularly reviewed.

Detailed Steps Create the loginlog file Review the loginlog file on a periodic basis and identify new entries Each entry represents 5 login failures which should be investigated Any irreconcilable entries should be treated as a breakin attempt

wtmp file should be regularly archived IDVersionLevelEnforcementGUS-EVEN-011.0baselinerecommended

StandardThe wtmp should be regularly archived to protect its contents from loss

Detailed Steps Ensure that the wtmp file is backed up at intervals which precede its erasure

Risks AddressedWhere this control is not applied, the following residual risks exist: Loss of security significant event information may be lost Loss of accountability may occur Business information and applications may be unavailable.

Other

The file L.cmds should be emptyIDVersionLevelEnforcementGUS-NET-101.0baselinerecommended

StandardThe file L.cmds should be empty thereby making it impossible to remotely execute commands by using UUX.

Detailed Steps Delete any entries from the L.cmds file

All UUCP accounts should be added to the /etc/ftpusers account.IDVersionLevelEnforcementGUS-NET-121.0baselinerecommended

StandardAll UUCP accounts should be added to the /etc/ftpusers account.

Detailed Steps Edit the /etc/ftpusers to include all UUCP accounts.

If NFS is used, it should be ensured that the UUCP configuration, programs and data are never exported IDVersionLevelEnforcementGUS-NET-091.0baselinemandatory

StandardIf NFS is used, it should be ensured that the UUCP configuration, programs and data are never exported as these are owned by UUCP and not root.

Detailed Steps Determine if NFS is in use. Determine if UUCP is in use. If both are in use check that the UUCP configuration, programs and data are not on the export volume.

.procmailrc and .forward should be reviewed for illicit entriesIDVersionLevelEnforcementGUS-MAIL-011.0baselinerecommended

Standard.procmailrc and .forward should be reviewed for illict entries for example, the execution of a script in the /tmp directory.

Detailed Steps list the contents of each file validate the entries in each file remove any illicit entries in each file investigate the source of any illicit entries

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be disclosed. Business information and applications may be unavailable.

Any foreign filesystems should be mounted NOSUIDIDVersionLevelEnforcementGUS-PRIV-071.0baselinerecommended

StandardAny foreign filesystems including floppy disks should be mounted NOSUID

Detailed Steps When mounting a foreign filesystem ensure it is qualified with NOSUID

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised root access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

ChecklistUser ConfigurationDefault AccountsControl IDChecklist QuestionYour AnswerGUS-USER-02Have the default passwords of the default accounts open, uucp, toor, mount, guest, manager, ingres, mail, help, visitor, system, bin, demo, telnet, lp, who, finger, gamesGUS-DA-2Is the synch account disabled or password protected?GUS-DA-1Is it ensured that the nobody account owns no files on any of the systems filesystems?Roles, Views, and Access ControlControl IDChecklist QuestionYour AnswerGUS-ACCESS-1Is access to /dev/kmem restricted?GUS-ACCESS-2Is reliance placed on access control lists on NFS file systemsGUS-ACCESS-3Is it ensured that changing permissions on objects with access control lists is avoided?GUS-ACCESS-4Is it ensured that any filenames beginning with a period . everyone or group writable/readableGUS-ACCESS-5Are tape drives used for backups everyone readable?PrivilegesControl IDChecklist QuestionYour AnswerGUS-PRIV-2Is at access restricted using at.allow?GUS-USER-01Are all user UIDs greater than 20?GUS-PRIV-02Are suid shell scripts in use on the system?GUS-PRIV-01Is the hyphen qualifier always used with the su command?GUS-MAIL-03Has the mail aliases file been reviewed to ensure that all entries for mail redirection are valid users and not a program or a script for execution?GUS-PRIV-05Is root access only available via su?GUS-PRIV-06If the wheel group is available is it in use?GUS-USER-03Do all users on the system have unique UIDs?GUS-PRIV-04Are all foreign filesystems mounted NODEV?GUS-PRIV-03Is the write program set to SGID tty and not SUID root?GUS-PRIV-1Is cron access restricted using cron.allow?Authentication/Password ConfigurationControl IDChecklist QuestionYour AnswerGUS-AUTH-03Has a login failure retry interval of 3 seconds been implemented?GUS-AUTH-02Has autologout been set to 1 hour for idle users?GUS-AUTH-01Has the use of control characters in user passwords been prevented?Security ComplianceSecurity Compliance CheckingControl IDChecklist QuestionYour AnswerGUS-MON-05Are hidden files or files with control characters in their names identified and investigated on a regular basis?GUS-AUD-02Are reports produced and reviewed for access outside of normal hours?GUS-AUD-01Is syslog.conf monitored for any changes?GUS-MON-01Are new SU programs identified and validated?GUS-MON-03Is grpck run regularly on the system?GUS-AUD-07Are reports produced and reviewed for multiple login failures from a single source?GUS-MON-02Is pwck run regularly to check for inconsistencies in the password file?GUS-MON-04Are security tools installed and in use on the system?GUS-AUD-06Are reports produced and reviewed for multiple login failures?Security ManagementControl IDChecklist QuestionYour AnswerGUS-MAIL-02Are aliases in place for all non-user accounts?Network Security ConfigurationNetwork Interface ConsiderationsControl IDChecklist QuestionYour AnswerGUS-NET-54Is the ftp home directory owned by root?GUS-NET-29Is it ensured that PPP is not installed on the system?GUS-NET-16Are .rhosts files in use on users accounts on the system?GUS-NET-15Has the systat service been commented out of the inetd.conf file?GUS-NET-28Is it ensured that SLIP is not installed on the system?GUS-NET-53Does the ftp entry in the password file contain an invalid password and refer to a non-existent shell?GUS-NET-45If anonymous ftp is not required is it disabled?GUS-NET-11Does root run all UUCP crontab scripts as user UUCP and own all of the scripts?GUS-NET-26Is the /etc/inetd.conf owned by root?GUS-NET-14Has the rexecd daemon been commented out in the inetd.conf?GUS-NET-36Are NFS Filesystems exported nosuid?GUS-NET-47Is anonymous ftp configured to prevent overwrite by guests or anonymous users?GUS-NET-33Are the entries in the NFS exports file comprised of fully qualified hostnames?GUS-NET-55Does the ftp home directory have permissions of 555?GUS-NET-13Has the fingerd daemon been commented out of the inetd.conf file?GUS-NET-27Are the permissions on the /etc/inetd.conf set to 644?GUS-NET-21Does the /etc/hosts.equiv file contain the fewest number of trusted hosts?GUS-NET-44Is it ensured that /etc/ftpusers contains default vendor and system accounts that should not require ftp access?GUS-NET-51Is reverse lookup used for anonymous ftp connectionsGUS-NET-20Has the /etc/hosts.equiv been removed where it is not required?GUS-MAIL-04Does the UUCP account have a mail alias in the aliases file and no entries in the .forward file?GUS-NET-48Is anonymous ftp configured to prevent rename by guests or anonymous users?GUS-NET-03Is inetd.conf monitored for any changes?GUS-NET-62Does the tftp home directory permit write access?GUS-NET-40Is the ftp daemon the most recent?GUS-NET-05If the UUCP subsystem is required have the SGID/SUID bits been stripped from the UUCP?GUS-NET-19Has the rcp daemon been commented out of the inetd.conf?GUS-NET-43Are users who do not require ftp access denied it's use?GUS-NET-59Is the ~ftp/etc/passwd file owned by root?GUS-NET-07Has UUCP been set up to permit file retrieval from only certain pre-defined directories?GUS-NET-61Is tftp disabled where it is not required?GUS-NET-50Is anonymous ftp configured to prevent setting of umask by guests or anonymous users?GUS-NET-08Is UUCP callback enabled?GUS-NET-22Has it been ensured that the /etc/hosts.equiv contains no hyphens or plus signs?GUS-NET-66Does the /usr/lib/uucp/L.sys file allow group or everyone read access?GUS-NET-01Is rdist used for secure file transfer?GUS-NET-38Is sendmail disabled where it is not required?GUS-NET-23Is the /etc/hosts.equiv owned by root?GUS-NET-06Is the UUCP account password protected where present?GUS-NET-31IHave all available NFS been applied?GUS-NET-60Are the ~ftp/etc/passwd file permissions set to 444?GUS-NET-04Has the UUCP subsystem been removed? If not, is it reqyured?GUS-NET-25Has it been ensured that the /etc/hosts.equiv contains no trusted usersGUS-NET-58Does the home directory of the ftp user account contain a .forward file?GUS-NET-41Is it ensured that the ftp daemon is started up with the -l qualifier to log connections?GUS-NET-57Does the home directory of the ftp user account contain a .rhosts file?GUS-NET-56Does the ~ftp/etc/passwd file contain entries from the real password file?GUS-NET-18Has the rsh daemon been commented out of the inetd.conf?GUS-NET-32Does the NFS exports file contain an entry for localhostsGUS-NET-65Do users $HOME directories contain any .netrc files?GUS-NET-52Is it ensured that the ~ftp/usr/bin directory and its equivalents do not contain CLIs or other system commandsGUS-NET-30Is Telnet disabled unless required?GUS-NET-17Has the rlogin daemon been commented out of the inetd.conf?GUS-NET-42Is it ensured that the ftp server does not permit the execution of the site exec command?GUS-NET-37Are any system owned file systems exported?GUS-NET-64Do UUCP files or directories permit everyone write access?GUS-NET-39Have all patches available for sendmail been applied?GUS-NET-46Is anonymous ftp configured to prevent deletions by guests or anonymous users?GUS-NET-35Is the /etc/exports file owned by root?GUS-NET-49Is anonymous ftp configured to prevent chmod by guests or anonymous users?GUS-NET-63Is the tftp daemon started up with the -s qualifier?GUS-NET-02Does the ftp daemon deny access to user accounts whose shell is not found to be a valid shell in /etc/shells?GUS-NET-34Are NFS filesystems exported read only where possible?ConfigurationFiles and File PermissionsControl IDChecklist QuestionYour AnswerGUS-USER-04Are the .plan and .project files held in the users $HOME directories kept empty? GUS-FP-1Is the wall command denied from non-administrative users? GUS-NET-24Are the permissions on the /etc/hosts.equiv set to 755InstallationSetup ChoicesControl IDChecklist QuestionYour AnswerGUS-SETUP-1Is Fsirand run once on the system following commissioning?GUS-INST-01Is the installation dual universe i.e. accepts both Berkeley and System V commands.Auditing and MonitoringEvents to be auditedControl IDChecklist QuestionYour AnswerGUS-EVEN-03Does the sulog record both successful and unsuccessful su attemptsGUS-AUD-03Is lastlog enabled for all users?GUS-AUD-04Are the following events logged to syslog - auth, daemon and cron messages?GUS-AUD-05Are the events logged to the syslog also wrtten to a physically secure line printer as well?GUS-EVEN-04Are the sulog contents recorded in both the sulog itself and written to a physically secure line printer?GUS-EVEN-02Does the loginlog file exist and are its contents regularly reviewed?GUS-EVEN-01Is the wtmp file regularly archived?OtherControl IDChecklist QuestionYour AnswerGUS-NET-10Is the L.cmds file empty?GUS-NET-12Are all UUCP accounts added to the /etc/ftpusers account?GUS-NET-09If NFS is in use has it been ensured that the UUCP configuration, programs and data are never exported?GUS-MAIL-01Are the .procmailrc and .forward files reviewed for illicit entries?GUS-PRIV-07Are all foreign filesystems mounted NOSUID?