Operating Method
Organization of Networks, Carriers and IT Division
Architecture and Security Department
Architecture Prescriptions and Security

Reference: MGS404 S2F0
Master Document

Security parameters for Unix and Linux systems

PSI-RSI: PGS425
Location: Securinoo
Support Service: CNS SI, ZZZ Permanence CNSSI

Summary
This document describes security rules applicable for configuring UNIX systems.

Type: Create
Keywords: Security, rules, UNIX, Linux, HP-UX, AIX, SUN Solaris

Addressees for action: DSSI (Information System Security Delegates), MOAs and MOEs
Addressees for information: Managers of National Departments, Operating Units and Subsidiaries

Validity: Permanent from 6th November 2000

Author: Patrick BREHIN, Xavier GATELLIER & al. (date: 26/4/2004)
Verification: Jean-Paul Guiguen, Mickaël Davila (date: 4/5/2004)

Organization of Networks, Carriers and IT Division
Centre National de Sécurité du Système d'Information de France Télécom (CNS SI)
Bâtiment LC3, 2 avenue Pierre Marzin. Technopole Anticipa. 22307 Lannion CEDEX
Telephone: 02 96 05 06 07 - Fax: 02 96 05 19 00
SA au capital de 4 098 458 244 EUR - RCS Paris B 380 129 866
Configuration of UNIX and Linux Security Parameters

Modifications
Version No. | Version date | Nature of modification
S0F0 | 12.12.03 | Document created from ROSSI-090 V2.0, MGS404 S1F2, MGS405 S1F3, MGS406 S1F2, MGS412 S1F2 and MGS422 S1F0
S0F1 | 16/12/2003 | Convergence of ROSSI and RSSI rules
11 | 23/04/2004 | Re-numbering rules

Domain of attachment
Domain code: GS
Domain name: IS security management

Associated documents
Document code | Document name
BD/99/41, BRHF/99/205, SG/99/27 | Record of Decision BD/BRHF/SG of 22 April 1999: Organisation of France Telecom information system security and associated charter
(no code) | Criminal Code Article 223 et seq.
MGS411 | Configuration of security parameters for http servers
MGS402 S1F0 | Warning to be inserted into title pages
MGS401 S2F3 | Authentifiers, identifiers and passwords
MGS425 S1F0 | OpenSSH configuration
MGS-679 v0.2 | Archiving of logs
GUI-017 | Tcp-wrappers installation and configuration guide
MGS 601 V2.0 | File transfer
MGS 620 S0F1 | Configuring anonymous UNIX FTP servers

MGS404 Version S2F0
Page : 2/33

Contents
1. Objective
2. Scope and general principles
3. Players concerned
4. General security information
5. Overview of Operation
5.1. UNIX system
5.1.1. Data organisation    7
5.1.2. File and directory rights    7
5.1.3. Software packages    8
5.1.4. Task automation    8
5.1.5. X-Window    8
5.1.6. Miscellaneous    8
5.1.6.1. .exrc file    8
5.1.6.2. chroot command    9
5.2. Network services
5.2.1. IP stack    9
5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind    10
5.2.3. Xinetd    10
6. General rules    11
6.1. Software packages and patches    11
6.2. Startup scripts    11
6.3. Miscellaneous    11
7. System security    12
7.1. File system    12
7.2. System stack    12
7.3. File and directory rights    13
7.4. Sensitive files    13
7.5. Automation    14
7.6. Logging configuration    14
7.7. Environment    15
8. Account (access) security    16
8.1. Access control    16
8.2. Remote access right    16
8.3. Account/environment configuration    16
8.4. Administration commands    18
8.5. Trust mechanism    19
8.6. Logging    19
9. Network security    20
9.1. IP stack    20
9.2. Administration flow security    21
9.3. Network service filtering    21
9.3.1. Configuration of Inetd / tcp-wrapper    21
9.3.2. Configuration of Xinetd    22
9.4. Routing    23
9.5. Name resolution    23
9.6. RPC (Remote procedure call) Portmapper (portmap), rpcbind    24
9.7. Network services to ban    24
10. Security of services    25
10.1. General comments    25
10.2. X-Window    25
10.3. File transfer service    25
10.4. Messaging service    25
10.5. Distributed names service    26
10.6. NFS (network file system)    26
10.7. Administration / supervision department    26
10.8. WEB    27
10.9. Domain names service    27
11. Appendix: rights and permissions for important files    28

1. Objective
This document defines the security rules applicable to UNIX and Linux systems.

2. Scope and general principles
The rules and principles are applicable to all UNIX and Linux systems in the France Telecom group information system.
They must be observed when developing applications or working on existing systems.
All rules in this document provide sufficient levels of security without overly restricting the freedom of action of users.
It is however possible, whenever necessary, to increase the level of security by strengthening these rules whilst ensuring system stability (therefore, a rule specifying a umask of 022 is satisfied if the umask is more restrictive, for example 027).

3. Players concerned
- Systems administrators and operators
- Principal Client and Principal Contractor Project Managers
- Application architects

4. General security information
Computer security is necessary because information technology needs to communicate to operate correctly. This involves aspects such as:
- protection of systems and data
- the reliability of software and hardware
- the performance and availability of services
- proper protection of stored and exchanged information
It should be pointed out that:
- A system is never entirely secure.
- The security of a system is a compromise between resources and expected results.
- People outside the company are responsible for 25% of risks:
  - intrusion
  - denial of service
  - spying, document/programme theft (industrial property)
  - data corruption
  - liability (identity falsification followed by criminal action, etc.)
  - ...
- People inside the company are responsible for 75% of risks:
  - data leaks (theft)
  - irresponsible behaviour (brand image)
  - theft of resources (working on the side)
  - dissemination of illegal statements or images (liability of the organisation)
  - ...
Reminders:
- A chain's level of security is that of its weakest link.
- There is no network security.
So: each system connected must be secure.

We will apply the following basic principle: everything that is not explicitly authorised is prohibited.

5. Overview of Operation
5.1. UNIX system

5.1.1. Data organisation
All the data in a UNIX system may be seen as an enormous catalogue of files, referenced in an unambiguous way. It is therefore a complex data structure that must manage the following high-level concepts simultaneously: the filename, its attributes, its type (if that is meaningful for the system), its size, its physical storage, and the operations in progress on the file (concurrent access management, modifications in progress but not yet written to the storage medium, etc.).
The data is organised in a tree structure of files and directories. For easier handling, this structure is generally broken down into several sub-structures called file systems.
File systems cannot be accessed directly. They have to undergo an operation known as mounting. Any mounted file system must be unmounted, or the removable media containing it taken out, before turning off the machine. Otherwise, any unwritten data will be permanently lost.
The Unix file system tree structure is standard and can be broken down as follows:
/etc - Computer configuration files
/bin - Fundamental programmes (shell, etc.) that can be called up by the user
/lib - Libraries (programme bank called up indirectly)
/sbin - System administration programmes
/var - Variable (dynamic) data
/tmp or /var/tmp - Temporary data (limited lifetime)
/root - Administrator work files
/usr - Main system programmes and commands. Subdivided into /usr/bin, /usr/sbin, /usr/lib, etc.
/usr/local - Same as /usr, but for programmes installed locally (not included in the standard system as distributed)
/home (or others as applicable) - User work files. E.g. /home/toto

5.1.2. File and directory rights
In UNIX systems, files may have read (r), write (w) and execute (x) protection. In this way, it is possible to choose whether a file can be read and/or modified and/or executed. This protection is based on the principle of file access rights.
File rights are defined according to these access rights (rwx) and the ownership of the file. Access rights to a file are defined for its owner, for the group to which the file belongs and for other users (those that are neither its owner nor part of the owner's group).
A file or directory may also be given the following other rights:
SetUID, SetGID (s) - Applicable to the owner and/or owner group for executable files. It gives the rights of the owner (or of the owner group, depending on the case) to the user executing the file in question, for the duration of the execution.
StickyBIT (t) - In a directory with the "stickyBit" set, only the owner of a file or directory may delete it.

5.1.3. Software packages
Nowadays, most companies commercialising UNIX systems organise the various software components and supply them in packages. The system is thus installed in homogeneous groups of files, and the elements grouped in a package are generally highly interdependent (in practice they are files for the same application). When a package is installed, the user in fact installs a specific piece of software. However, certain packages are dependent on other packages; for example, packages containing the basic system are obviously used by all other packages. The installation programmes manage this dependency and inter-package conflicts relatively well, so that packages can now be installed without too much difficulty.
In order to organise all these packages, companies often sort them into series. A series is simply a set of packages grouped by functional domain. This means that a given package can easily be found by searching in the series containing all the functionally similar packages. Grouping packages into series in no way means that all packages in the same series need to be installed in order to obtain a given function, but that the programmes within the series more or less concern this function. In fact, redundancy or conflict may exist between two packages in the same series. In this case, the user should select one or the other, according to requirements.

5.1.4. Task automation
In Unix, tasks can be configured to be executed automatically during a given period of time, on given dates or when the system load average is beneath a certain level.
These facilities enable commands/scripts to be executed at a point in the future. The cron system function is administered by the crontab command. The at command is used to submit a job to the system.

5.1.5. X-Window
X Window is not only a video board driver but also an application programming interface (API) enabling applications to be displayed on the screen and to receive input via the keyboard and mouse.
X is also a network server, which means that it can offer services via a network, enabling screen display of an application running on another machine, even if the two architectures are completely different. This is why we use the term X server to designate the graphical sub-system.
The X Window system runs on almost all Unix systems and is even used under Windows and OS/2. Almost all graphical programmes under Unix use X.
The user does not interact directly with X but rather with what are called X clients (as opposed to the X server). You undoubtedly already use clients such as a Window Manager or a Desktop Environment such as CDE, KDE or Gnome. To log on, you probably also use a Display Manager such as KDM, XDM or GDM. The applications are located above these clients.
The X Window system (or X Window or even X) is a registered trademark of the X Consortium. The free X servers distributed with Linux come from the XFree86 project.
Official sites:
http://www.x.org
http://www.xfree86.org

5.1.6. Miscellaneous

5.1.6.1. .exrc file

The ex or vi editors, for example, first look for the .exrc startup file in the current directory, then in your HOME directory. This file is normally used to define abbreviations and key-combination mappings. However, it may also contain shell escapes that enable commands to be executed when the editor is started.

5.1.6.2. chroot command
Chroot is a command that modifies the location of the root of the file system; for example, a decoy can be set up for a programme so that ill-intentioned users cannot get into the real root.

5.2. Network services

5.2.1. IP stack
An IP stack is a group of interdependent protocols, each of them reliant on one or several others, which is why the word stack is used. It is a simplified form of the OSI 7-layer model which has proved robust and adaptable.
The principal components of the TCP/IP stack are as follows:
- IP (Internet Protocol): a level-3 protocol. It transfers TCP/IP packets on the local network and to external networks via routers. The IP protocol works in connectionless mode, i.e. packets issued by level 3 are transferred independently (datagrams) without any guarantee of delivery.
- ARP (Address Resolution Protocol): a protocol that enables the level-3 address (the IP address) to be linked with a level-2 address (the MAC address).
- ICMP (Internet Control Message Protocol): used for tests and diagnostics.
- TCP (Transmission Control Protocol): a level-4 protocol that operates in connection-oriented mode. On a TCP connection between two network machines, messages (packets or TCP segments) are acknowledged and delivered in sequence.
- UDP (User Datagram Protocol): a level-4 protocol in connectionless mode: messages (or UDP packets) are forwarded independently.

OSI layer | TCP/IP
7 Application, 6 Presentation, 5 Session | TELNET, FTP, TFTP, SMTP, RPC, DOMAIN, X11, HTTP, NFS
4 Transport | TCP, UDP
3 Network | IP (Internet Protocol), 
ICMP, ARP
2 Data Link, 1 Physical | Local Network Protocol (Ethernet, Fast Ethernet, FDDI...)

Files affected, by OS:
AIX | /etc/rc.net for versions prior to AIX 5.2; for more recent versions this file is not read on server start-up, see the command n to modify parameters.
Solaris | /etc/init.d/inetinit
HP-UX | /etc/rc.config.d/nddconf
Linux kernel 2.2 | /etc/sysctl.conf

For further information, see the site: http://www.cymru.com/Documents/ip-stack-tuning.html

5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind
The operating principle for remote procedure calls is as follows: each programme wishing to provide RPC services "listens" on a TCP or UDP port for queries. Clients wishing to use these services must send their queries to this port, indicating all the information needed for execution of the query: query number and query parameters. The server executes the query and returns the result. RPC libraries provide the functions needed to transfer the parameters and to make the actual remote calls.
However, in practice, clients do not know on which port the RPC server is expecting their queries. A mechanism has therefore been set up to enable them to retrieve details of this port and then communicate with the server. Each RPC server is identified by a unique programme number and a version number. When they start up, the servers register with the system, specifying the port on which they will be listening for queries. Clients can then query the remote system to ask for the port where they will find a given server, based on the latter's programme and version numbers.
A special RPC service therefore exists, known as the portmapper, which provides clients that request them with the port numbers of the other servers. The portmapper must of course always be contactable, which implies that it must systematically use the same port number. By convention, the portmapper is identified by programme number 100000 and it listens for client queries on port 111 of both the TCP and UDP protocols. It must be started in a particular order in order to make RPC calls (which the NIS/NIS+ client programme does) to servers (for example, an NIS/NIS+ server) on this machine. When an RPC server is started, it informs the portmap daemon of the number of the port on which it is listening and of the numbers of the RPC programmes with which it is ready to work. In principle, standard RPC servers are launched by inetd (inetd(8) manual), so portmap must be launched before inetd. (All these elements are used by NIS/NIS+ and NFS among others; the portmapper administers nfsd, mountd, ypbind/ypserv, pcnfsd and r-services such as ruptime and rusers.)

5.2.3. Xinetd
Xinetd is present on the following platforms at least: Solaris 2.6 (sparc and x86), Linux, BSDi, and IRIX 5.3 and 6.2.
Xinetd offers access control capabilities similar to those offered by tcp_wrapper. However, its possibilities extend far beyond this:
- access control for TCP, UDP and RPC services (not everything functions very well for the latter);
- access control based on time slots;
- powerful logging, for both successful and failed logins;
- efficient prevention of Denial of Service (DoS) attacks, which block a machine by saturating its resources:
  - limitation of the number of servers of the same type that can run at the same time;
  - limitation of the total number of servers;
  - limitation of the size of log files;
- attachment of a service to a specific interface: for example, this enables services to be made accessible to your internal network but not to the outside world;
- may serve as a proxy towards other systems, which is very practical in the event of IP masquerading (or NAT) in order to reach machines located on the internal network.
The main disadvantage concerns RPCs, which are not yet very well supported. However, portmap and xinetd coexist perfectly.

6. General rules

6.1. Software packages and patches
RS-0000
Rule: The system must be as up to date as possible. This means that the latest validated security updates must be installed.
Additional information: All systems must be regularly updated.

RS-0001
Rule: No unnecessary software packages should be installed on the system. All packages considered unnecessary should, therefore, be deleted.
Additional information: In particular, monitor network services and development tools. The fewer the software packages installed on a machine, the greater its security. This also reduces maintenance as well as the number of security patches to be installed.

6.2. Startup scripts
These scripts are initiated when the system is started and are responsible for various tasks such as mounting the read/write file system, activating swap, setting some system parameters and launching the various daemons required by the system.

RS-0100
Rule: The umask value fixed in the start-up scripts must be set to 027.
Additional information: This enables the processes started by these scripts to create files with 640 permissions. Any waiver of this rule must be approved by the security teams.

RS-0101
Rule: Any service not necessary to server functions must be deactivated.
Additional information: Therefore, all unnecessary startup scripts in the default startup directory must be deactivated (often those from unnecessary packages).

6.3. Miscellaneous
RS-0200
Rule: Prohibit restarting via the keyboard (CTRL+ALT+DEL).
Additional information: This rule is valid for all Linux and Solaris systems running on Intel platforms.

RS-0201
Rule: In non-secure environments, prohibit starting of the machine other than via the system disk.
Additional information: On Intel platforms, this means requiring a password for access to the BIOS, to prevent the boot sequence being modified.

RS-0202
Rule: Protect non-standard system booting with a password.
Additional information: I.e. any booting via CD-ROMs or any other disk.

7. System security

7.1. File system
RS-1000
Rule: The /var partition must be mounted on a dedicated file system.
Additional information: The /var partition contains log, patch, print, e-mail files, etc. The disk space taken up by these files therefore varies. This partition must be separate from the root file system. This rule avoids saturation by logs, which would bring the server to a standstill.

RS-1001
Rule: Partitions and removable devices are mounted using the options:
- nodev (except for device partitions like /dev or /devices)
- noexec: for /var and /tmp
- nosuid: for partitions for non-system and non-application users (like /home or /users) and for removable devices.
Additional information: These mount options prevent binaries running, processing of the suid/sgid bits and interpretation of special files. The aim is to manage rights as precisely as possible.

RS-1002
Rule: Automatic mount functions for removable devices must be deleted.
Additional information: These functions can be accessed via the vold, automount or supermount daemons.

RS-1003
Rule: Users must be prohibited from mounting removable devices, to avoid introducing potentially dangerous programmes or files, or leaking data.

7.2. System stack
This is the memory zone of a process (a programme being executed) dedicated to saving the data necessary for calls (the arguments and return addresses are stacked) and returns (arguments and return address are un-stacked).

RS-1100
Rule: The execution stack must be protected against buffer overflows to prevent attacks of this type.

RS-1101
Rule: The size of core dumps must be configured so that the size is zero.
Additional information: Core files contain a memory image of the process which received a certain signal and was terminated. These files take up disk space and may contain sensitive information. Nothing prevents TEMPORARILY changing the core file limit to a suitable value if a core file really has to be analysed.
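Added example, not from MGS404: a POSIX shell check of an fstab-style mount table against the RS-1001 options in 7.1 above. The required-option table is this example's assumption (which mount points count as user partitions or removable devices, and exempting / as well as /dev because /dev is usually a directory on the root file system); the sample table is constructed.

```shell
#!/bin/sh
# Added example (not part of MGS404): check an fstab-style mount table
# against the RS-1001 mount options. Prints one line per missing option
# and nothing when every entry is compliant.

# required_opts MOUNTPOINT -> the options RS-1001 demands for that mount point.
# Assumptions of this example: / is exempt from nodev like /dev, because /dev
# is usually a directory on the root file system; /mnt/* and /media/* stand
# for removable devices; /home and /users are the user partitions.
required_opts() {
    case "$1" in
        /|/dev|/devices)                 echo "" ;;
        /var|/tmp)                       echo "nodev noexec" ;;
        /home|/users|/mnt/*|/media/*)    echo "nodev nosuid" ;;
        *)                               echo "nodev" ;;
    esac
}

# has_opt OPTIONS OPT -> true when OPT is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fstab_violations < FSTAB -> "<mountpoint> missing <option>" per violation.
# Comment lines and swap/proc/sysfs entries are skipped; only the four
# leading fields (device, mount point, type, options) are used.
fstab_violations() {
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$type" in swap|proc|sysfs) continue ;; esac
        for opt in $(required_opts "$mnt"); do
            has_opt "$opts" "$opt" || echo "$mnt missing $opt"
        done
    done
    return 0
}

# Constructed sample table (not from a real system) with three violations:
# /usr lacks nodev, /tmp lacks noexec, the floppy lacks nosuid.
sample_fstab() {
    cat <<'EOF'
# device      mount point  type  options                 dump pass
/dev/sda1     /            ext3  defaults                1    1
/dev/sda2     /usr         ext3  defaults                1    2
/dev/sda3     /var         ext3  defaults,nodev,noexec   1    2
/dev/sda4     /tmp         ext3  defaults,nodev          1    2
/dev/sda5     /home        ext3  defaults,nodev,nosuid   1    2
/dev/fd0      /mnt/floppy  auto  noauto,user,nodev       0    0
/dev/sda6     swap         swap  defaults                0    0
EOF
}

# Dry run on the sample; on a real host use: fstab_violations < /etc/fstab
sample_fstab | fstab_violations
```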

7.3. File and directory rights
RS-1200
Rule: The rights and permissions described for the files and directories listed in the appendix to the present document must be respected.

RS-1201
Rule: No file or directory should be write-authorised for other users. Otherwise, the sticky bit should be set on the directories involved.
Additional information: Files write-authorised for everyone allow hackers to insert malicious code in the files.
Note: With the t-bit set, only the owner of the directory or root has the right to delete the files. This must already be done as standard on the /tmp and /var/tmp directories. This may cause problems for shared directories where one user can create a file and another can delete it.

RS-1202
Rule: The directory containing the kernel must be owned by root, its group must be zero and the permissions must be set to 750 or better. Ditto for its content, but with permissions set to 640 or better.

RS-1203
Rule: The following must not be SUID/SGID:
1) unused binary files
2) user files
3) scripts belonging to root
Additional information: Such files are often used by hackers to create backdoors (buffer overflow-type attacks, overwriting of system files or gaining root privileges).

RS-1204
Rule: So-called special files, and they alone, should be in a specially allocated tree structure (such as /dev or /devices) and only in that tree structure.
Additional information: Prevent the use of uncontrolled special files (type c for character devices and b for block devices) to mount an attack.
Exceptions:
- Some systems have directories and system shell scripts in /dev.
- The device creation executable file MAKEDEV may exist in the /dev directory. Leave it there, but apply the command /usr/bin/chattr +i to protect it against modifications.
- Directories and symbolic links may also exist in the /dev tree structure.
- Socket-type files (type s) may be in the /tmp or /var tree structure.
Special files that do not fit these cases should be deleted or moved.

RS-1205
Rule: Link-type files pointing to absent files should be deleted.
Additional information: Links (symbolic or not) may be considered as normal, except if they are in a directory that can be written by all (particularly /tmp and /var/tmp), where they must be considered as suspect and if possible deleted.

RS-1206
Rule: Any file or directory must be linked to an existing user (UID) and to a group (GID).
Additional information: There should be no orphan files or directories. This makes it easier to manage the user accounts and rights.

7.4. Sensitive files
All operating systems contain files of a sensitive nature, since they are directly or indirectly involved in the security of the system.

RS-1300
Rule: Development and compilation tools should not be present on the machine.
Additional information: If development tools are present on a machine, hackers can compile exploits more easily and replace these tools with other hacked tools.

RS-1301
Rule: No network sniffers must be present on the machine.
Additional information: E.g. snoop, tcpdump, etc.

RS-1302
Rule: No tools that may reveal all or part of the security policy should be present on the machine.
Additional information: For example: nessus, saint, john the ripper, etc.

7.5. Automation
RS-1400
Rule: Cron and at services must be disabled for standard users.
Additional information: The cron.allow and at.allow files must only contain root. All other accounts can be in the cron.deny and at.deny files.

RS-1401
Rule: The root cron must not execute a file that loads other files not owned by root or which are write-accessible for other users.
Additional information: A Trojan horse may be placed in files launched by the root cron.

RS-1402
Rule: Crontab entries executed by the root user and supplied by third-party providers must be deleted.
Additional information: Third-party non-constructor suppliers.

RS-1403
Rule: The cron daemon activity must be logged.

7.6. Logging configuration
The syslog daemon must be configured (via syslog.conf, or the equivalent file according to the system) so that:

RS-1500
Rule: An emergency priority event must be redirected to the console and to a local log file (dedicated and global).
Additional information:
*.emerg <console device (for example: /dev/console)>
*.emerg /var/log/emerg.log

RS-1501
Rule: An info priority event (or higher) for all daemons (except e-mail and authentication) must be redirected to a local log file.
Additional information:
*.info;mail.none;auth.none /var/log/message.log
or
*.info;mail.none;authpriv.none /var/log/message.log

RS-1502
Rule: A kernel facility event must be redirected to the console and to a local log file (dedicated and global).
Additional information:
kern.info <console device (for example: /dev/console)>
kern.info /var/log/kernel.log

RS-1503
Rule: Mail and authentication facility events must be redirected to a local restricted-access log file (600).
Additional information:
auth.info;mail.info /var/log/secure.log
or
authpriv.info;mail.info /var/log/secure.log

RS-1504
Rule: All info priority events (or higher) must be redirected to a remote log file.
Additional information:
*.info @loghost

RS-1505
Rule: Log files must be duplicated on a secure machine designated the loghost (present in /etc/hosts).

RS-1506
Rule: Log files must be centralised in a specific directory (/var/adm or /var/log). They must be protected by setting the rights at 640 or better for the files and 750 or better for the directory containing them.

RS-1507
Rule: RSSI No. 679, Log archiving, must be complied with.
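Added example, not from MGS404, covering the rights described in 5.1.2 and the rules RS-1201, RS-1203, RS-1205 and RS-1206 of 7.3 above: POSIX shell functions that list the offending paths under a tree, plus a constructed sample tree for a dry run. Treating a file whose first two bytes are "#!" as a script is this example's assumption.

```shell
#!/bin/sh
# Added example (not part of MGS404): audit a directory tree against the 7.3
# rules. Each function prints one offending path per line and prints nothing
# when the tree is compliant. ROOT is the tree to scan (use / on a real host).

# RS-1201: a world-writable directory must carry the sticky bit (t) ...
world_writable_dirs_without_sticky() {   # ROOT
    find "$1" -type d -perm -o+w ! -perm -1000 -print
}
# ... and no plain file may be world-writable at all.
world_writable_files() {                 # ROOT
    find "$1" -type f -perm -o+w -print
}

# RS-1203: SUID/SGID bits must not appear on user files or on scripts.
# Assumption of this example: a file whose first two bytes are "#!" is a script.
suid_sgid_files() {                      # ROOT
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}
is_script() {                            # FILE
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}
suid_sgid_scripts() {                    # ROOT
    suid_sgid_files "$1" | while read -r f; do
        is_script "$f" && printf '%s\n' "$f"
    done
    return 0
}

# RS-1205: symbolic links whose target no longer exists.
dangling_links() {                       # ROOT
    find "$1" -type l ! -exec test -e {} \; -print
}

# RS-1206: files or directories whose UID or GID is unknown to the system.
orphan_files() {                         # ROOT
    find "$1" \( -nouser -o -nogroup \) -print
}

# Constructed sample tree for a dry run (not a real system); prints its path.
# Orphan files cannot be produced without root, so RS-1206 is not exercised.
make_sample_tree() {
    d=$(mktemp -d) || exit 1
    mkdir "$d/tmp" "$d/shared" "$d/home"
    chmod 1777 "$d/tmp"                      # world-writable, sticky: compliant
    chmod 777 "$d/shared"                    # world-writable, no sticky: violation
    printf '#!/bin/sh\necho hi\n' > "$d/home/setuid.sh"
    chmod 4755 "$d/home/setuid.sh"           # SUID script: violation
    echo data > "$d/home/notes"
    chmod 666 "$d/home/notes"                # world-writable file: violation
    ln -s "$d/home/missing" "$d/home/broken" # dangling link: violation
    echo "$d"
}
```

On a real host, run each function with / as ROOT and review the listed paths before changing anything.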
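Added example, not from MGS404: the syslog.conf fragment implementing RS-1500 to RS-1504 of 7.6 above (using the authpriv variants and /dev/console as the console device, both of which the rules offer as choices), a check that a given syslog.conf contains each of those lines, and creation of the local log files with the RS-1503/RS-1506 modes. That "loghost" resolves through /etc/hosts (RS-1505) is assumed.

```shell
#!/bin/sh
# Added example (not part of MGS404): the syslog.conf fragment that implements
# RS-1500 to RS-1504, a check that a given syslog.conf contains each of those
# lines, and creation of the local log files with the RS-1503/RS-1506 modes.
# Assumptions: a Linux-style syslogd with the authpriv facility, /dev/console
# as the console device, and "loghost" resolvable through /etc/hosts (RS-1505).

syslog_conf_fragment() {
    cat <<'EOF'
# RS-1500: emergencies to the console and to a dedicated local file
*.emerg                         /dev/console
*.emerg                         /var/log/emerg.log
# RS-1501: info and above for all daemons, except mail and authentication
*.info;mail.none;authpriv.none  /var/log/message.log
# RS-1502: kernel messages to the console and to a dedicated local file
kern.info                       /dev/console
kern.info                       /var/log/kernel.log
# RS-1503: mail and authentication events to a restricted (mode 600) file
authpriv.info;mail.info         /var/log/secure.log
# RS-1504: everything at info and above also goes to the loghost
*.info                          @loghost
EOF
}

# has_rule FILE SELECTOR TARGET -> true if a non-comment line of FILE maps
# SELECTOR to TARGET (first and second whitespace-separated fields).
has_rule() {
    awk -v sel="$2" -v tgt="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == sel && $2 == tgt { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_rules FILE -> "<rule> <selector> <target>" for each required line
# that FILE lacks; prints nothing when the file satisfies RS-1500 to RS-1504.
missing_rules() {
    while read -r rule sel tgt; do
        has_rule "$1" "$sel" "$tgt" || echo "$rule $sel $tgt"
    done <<'EOF'
RS-1500 *.emerg /dev/console
RS-1500 *.emerg /var/log/emerg.log
RS-1501 *.info;mail.none;authpriv.none /var/log/message.log
RS-1502 kern.info /dev/console
RS-1502 kern.info /var/log/kernel.log
RS-1503 authpriv.info;mail.info /var/log/secure.log
RS-1504 *.info @loghost
EOF
    return 0
}

# create_log_files LOGDIR -> the four local files, 640 (600 for secure.log),
# inside a 750 directory, as RS-1503 and RS-1506 require.
create_log_files() {
    mkdir -p "$1" && chmod 750 "$1" || return 1
    for f in emerg.log message.log kernel.log; do
        : >> "$1/$f" && chmod 640 "$1/$f" || return 1
    done
    : >> "$1/secure.log" && chmod 600 "$1/secure.log"
}
```

On a real host: `missing_rules /etc/syslog.conf` reports what is still to be added, and `create_log_files /var/log` sets the file modes before the daemon is restarted.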

7.7. Environment
RS-1600
Rule: Prevent a Trojan horse being run:
- Check that the LD_LIBRARY_PATH variable (or equivalent) does not exist in the user environment (root or other), or, if it exists, only references trusted libraries.
- Check that the files executed at login (/etc/profile, bashrc, etc.) do not set these variables to a dubious value.
Additional information: For Linux, also check /etc/ld.so.conf.

Access control

Remote access right

Rule
Use PAMs
A warning banner should be displayed before the authentication dialogue when logging
in, in compliance with MGS402 S1F0 Warning to be inserted in the title pages

Additional information
This will quickly upgrade your level of security.

RS-2205

RS-2203
RS-2204

RS-2202

RS-2200
RS-2201

Rule
Root access via the network must be impossible.

Rule
Account and password management must comply with MGS 401.
The value of umask must be as restrictive as possible for each user:
for root: at least 077
for other users: at least 027
Files enabling the configuration of the default user environment must be root:root and
644.
The user PATH must first contain system paths BEFORE the user paths
The user PATH must not contain a relative path (starting with a . ) except the current
directory (only one .).
There should be no .netrc, .exrc, .vimrc, .forward type files in the tree structure nor
.<something> type files.

Account/environment configuration

MSG404 Version S2F0

8.3.

RS-2100

Page : 16/33

.forward files can execute commands that are unforeseen or not desirable on mail
reception. Their content should therefore be monitored.

Notes:
.exrc (.vimrc) may be replaced by judicious use of the variable EXINIT
(VIMINIT) (a .exrc file may exist anywhere and therefore be executed
inadvertently from there). The behaviour of a Vim is more secure on this point,
but files should be monitored nevertheless.

This avoids execution of Trojan horses


This avoids execution of Trojan horses

The files are often those present in /etc/skel

Therefore, each file created by the user will automatically carry minimum rights.

Additional information

Additional information
It is better to use a user account then the su command to take the root identity to
log root connections to a system.

All machines must control remote access rights. A machine must define the accounts authorised to log in from a remote terminal.

8.2.

RS-2000
RS-2001

8. Account (access) security

8.1.

In order to improve control of a UNIX machine and increase its security, we recommend the use of PAM (Pluggable Authentication Modules). PAM is a powerful, flexible and extensible authentication framework which enables the system administrator to configure authentication services individually for each PAM-compliant application, without recompiling any application.

Rules RS-2206 to RS-2209:
- Passwords for all users must be stored using a strong hashing algorithm (such as MD5).
- No account defined in /etc/passwd may have an unspecified (empty) shell.
- If the uucp and nuucp accounts exist, their shell may be controlled by a false shell.
- No account may have / as its HOME directory.

Additional information:
- A strong hash is more resistant than the crypt function usually used on UNIX systems.
- Allowed shells: false or nologin, or bash, sh, ksh and csh.
- Files or directories whose name starts with a dot (.<something>) are often used to hide malicious files or directories.

The case of root (rules RS-2210 to RS-2214):
- Only root is the system super-user (UID and GID equal to zero).
- The root HOME directory must be /root, permissions 700, owner root:root.
- All files loaded by root when it logs in must be owned by root:root and must not be group- or world-writable (g-w, o-rwx for what is specific to root and o-w for what is shared). This concerns in particular the following scripts or programs:
  - ~/.login, ~/.profile and any other login initialisation file
  - ~/.exrc and any other program initialisation file (if authorised)
  - ~/.logout and any other end-of-session file
  - crontab and at entries (see the cron and at rules)
  The purpose is in particular to prevent a Trojan horse from being put in place.
- All directories of the root PATH must be owned by root:root with permissions 755.
- All scripts or binaries present in the root PATH must be owned exclusively by root or by a system account and must not be group- or world-writable (g-w, o-w), again to prevent Trojan horses from being set up.
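As an added illustration of the account rules above (example code, not part of MGS404): a small audit of a passwd file and of the root PATH. It assumes a Linux system with GNU stat and POSIX sh/awk; the passwd content is a constructed sample, and the expected owner and group of the PATH directories are parameters so the check can be exercised on a copy as well as on the live system.

```shell
#!/bin/sh
# Added example, not part of MGS404: audit of a passwd file and of the root
# PATH against the account rules. Assumes Linux (GNU stat) and POSIX sh/awk.

# Shells allowed by the document: false or nologin, or bash, sh, ksh, csh
# (the nologin path varies between distributions; both common ones are listed).
ALLOWED_SHELLS='/bin/false /sbin/nologin /usr/sbin/nologin /bin/bash /bin/sh /bin/ksh /bin/csh'

# Constructed sample passwd file (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
backup:x:34:34:backup:/:/bin/sh
toor:x:0:0:alternate root:/home/toor:/bin/bash
guest:x:500:500:guest:/home/guest:'

# Print one "<finding> <account>" line per violation; return 1 if any.
audit_passwd() {                     # $1 = passwd file
    awk -F: -v allowed="$ALLOWED_SHELLS" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $7 == "" { print "EMPTY_SHELL", $1; bad = 1; next }   # unspecified shell
        !($7 in ok) { print "SHELL_NOT_ALLOWED", $1; bad = 1 }
        ($3 == 0 || $4 == 0) && $1 != "root" { print "UID0", $1; bad = 1 }
        $6 == "/" { print "HOME_IS_SLASH", $1; bad = 1 }
        $1 == "root" && $6 != "/root" { print "ROOT_HOME", $6; bad = 1 }
        END { exit bad }' "$1"
}

# Check every directory of a PATH string: owner/group/mode must be exactly
# owner:group 755, and nothing inside may be group- or world-writable.
# Prints one line per finding; returns 1 if any.
check_root_path() {                  # $1 = PATH, $2 = owner (root), $3 = group (root)
    owner=${2:-root}; group=${3:-root}; rc=0
    for d in $(printf '%s\n' "$1" | tr ':' ' '); do
        if [ ! -d "$d" ]; then echo "MISSING $d"; rc=1; continue; fi
        st=$(stat -L -c '%a %U:%G' "$d")
        [ "$st" = "755 $owner:$group" ] || { echo "DIR $d $st"; rc=1; }
        for f in "$d"/*; do
            [ -e "$f" ] || continue
            perm=$(stat -L -c '%a' "$f")
            # 022 = group-write and other-write bits
            [ $(( 0$perm & 022 )) -eq 0 ] || { echo "WRITABLE $f $perm"; rc=1; }
        done
    done
    return $rc
}

# Demonstration on the constructed sample: findings are expected.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp" || echo "audit_passwd: the sample has findings (expected)"
rm -f "$tmp"
check_root_path "/usr/sbin:/usr/bin:/sbin:/bin" || echo "check_root_path: findings listed above"
```

Run as root on the live system the two functions give the findings for /etc/passwd and for root's own PATH; the sample deliberately contains an empty shell, a second UID 0 account and a home directory of /.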

8.4. Administration commands

Certain UNIX commands, called r-commands, enable remote users either to log in (rlogin) or to execute commands (rsh, rcp, rexec) over the network, and therefore to carry out remote operation and administration work.

Rules RS-2300 to RS-2302:
- RS-2300: Use SSH commands instead of telnet and the r-commands (see MGS 425).
- RS-2301: If telnet cannot be replaced by SSH, use it on a dedicated network and secure access to telnet with xinetd, or inetd + TCP-Wrapper.
- RS-2302: If ftp cannot be replaced by SSH, use it on the dedicated network in authenticated mode (the password travels unencrypted over the network). Specialise the server: either authenticated mode or anonymous mode; in the latter case apply MGS 620 S0F1 (Configuring anonymous UNIX FTP servers). In all cases secure FTP access with xinetd, or inetd + TCP-Wrapper, and launch the FTP server in a separate environment (chroot). Do not authorise the upload function if it is not necessary. Prohibit FTP connections by accounts with high privileges.

Additional information:
Limit access to FTP files: /etc/ftpgroup, /etc/ftphosts (allow and deny options), /etc/ftpaccess (noretrieve <directory> options, upload option set to no), and create non-empty .notar files (rights 444) in directories where downloading is prohibited.
Put all users whose UID is less than 100 (500 on a Pl@ton architecture) in /etc/ftpusers, as well as the user "nfsnobody" (if it exists), to deny them FTP access.
Limit the addresses that may access the machine by FTP:
- If xinetd is used, add the option only_from = address1 address2/mask address3/mask in the files /etc/xinetd.d/*FTP and/or /etc/xinetd.conf.
- If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny.
Limit the addresses that may access the machine by telnet:
- If xinetd is used, add the option only_from = address1 address2/mask address3/mask in the files /etc/xinetd.d/*telnet and/or /etc/xinetd.conf.
- If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny.
Note: the noretrieve .notar option may cause problems for Internet Explorer. In this case make sure not to put the option noretrieve .notar in /etc/ftpaccess.

8.5. Trust mechanism

The trusted-host concept relies on the fact that users and applications calling from a trusted host are not required to supply a password (thereby doing away with authentication mechanisms and endangering the quality of system security).

Rules RS-2400 and RS-2401:
- RS-2400: Using the .rhosts function is prohibited (even for root). Consequently, every user's home directory must contain an empty .rhosts DIRECTORY with rights 000 (--- --- ---) owned by root:root.
- RS-2401: Use of the hosts.equiv function is prohibited. Consequently, the machine must have an empty /etc/hosts.equiv DIRECTORY with rights 000 (--- --- ---) owned by root:root.

Additional information:
- If it exists, the .rhosts file authorises access to your account without a password for the local or remote users listed in it. It does away with any access control.
- The /etc/hosts.equiv file defines, at local machine level, the users authorised to log in to the local machine (if their login exists) without supplying a password, and the users not authorised to connect to the local machine. This also does away with any access control.

8.6. Logging

Logging is the recording of application events, via a central daemon, in one or several local and/or remote files.

Rules RS-2500 and RS-2501:
- RS-2500: Use of the su command must be logged (in particular to detect unauthorised privilege changes).
- RS-2501: All login attempts (successful or not) must be logged.

Additional information:
This makes it possible to monitor suspicious activity on a machine (hacking attempts, for example).
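Two helpers for the rules of 8.4 (the /etc/ftpusers list) and 8.5 (the .rhosts and hosts.equiv lock-down entries), added here as example code that is not part of MGS404. They assume Linux (GNU stat) and POSIX sh/awk; the passwd content is a constructed sample, and the expected owner and group are parameters so the check can be exercised on test files.

```shell
#!/bin/sh
# Added example, not part of MGS404: helpers for the FTP access rule (8.4)
# and the .rhosts / hosts.equiv rule (8.5). Assumes Linux (GNU stat), POSIX sh/awk.

# Constructed sample passwd file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
oper:x:120:120:operator:/var/oper:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS user:/var/lib/nfs:/sbin/nologin'

# Build the /etc/ftpusers content: every account whose UID is below the
# threshold (100, or 500 on a Pl@ton architecture) plus nfsnobody if present.
# Sorted, so it can be diffed against the live file.
make_ftpusers() {                    # $1 = passwd file, $2 = UID threshold
    awk -F: -v limit="$2" '$3 < limit || $1 == "nfsnobody" { print $1 }' "$1" | sort -u
}

# Verify one lock-down entry (.rhosts in a home directory, or /etc/hosts.equiv)
# as the rule describes it: an empty DIRECTORY, mode 000, owned by root:root.
# A symbolic link is refused (stat is not asked to follow it). Prints the
# reason and returns 1 on any deviation.
check_trust_entry() {                # $1 = path, $2 = owner (root), $3 = group (root)
    path=$1; owner=${2:-root}; group=${3:-root}
    [ -e "$path" ] || [ -L "$path" ] || { echo "MISSING $path"; return 1; }
    kind=$(stat -c '%F' "$path")
    [ "$kind" = "directory" ] || { echo "NOT_A_DIRECTORY $path ($kind)"; return 1; }
    st=$(stat -c '%a %U:%G' "$path")
    [ "$st" = "0 $owner:$group" ] || { echo "MODE_OR_OWNER $path $st (want 0 $owner:$group)"; return 1; }
    # root can always list the directory; anything inside is a deviation
    [ -z "$(ls -A "$path" 2>/dev/null)" ] || { echo "NOT_EMPTY $path"; return 1; }
    return 0
}

# Audit the .rhosts entry of every home directory in a passwd file, then hosts.equiv.
audit_trust() {                      # $1 = passwd file, $2 = owner, $3 = group, $4 = hosts.equiv path
    rc=0
    for h in $(awk -F: '$6 != "" { print $6 }' "$1" | sort -u); do
        check_trust_entry "$h/.rhosts" "$2" "$3" || rc=1
    done
    check_trust_entry "${4:-/etc/hosts.equiv}" "$2" "$3" || rc=1
    return $rc
}

# Demonstration on the sample: the ftpusers list for both thresholds.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "ftpusers (UID < 100):"; make_ftpusers "$tmp" 100
echo "ftpusers (UID < 500):"; make_ftpusers "$tmp" 500
rm -f "$tmp"
```

On the live system `audit_trust /etc/passwd` (as root, with the default owner and group) walks every home directory listed in /etc/passwd; a .rhosts that is a regular file, a symbolic link, or a directory with any other mode or owner is reported.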
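For the logging rules of 8.6, the useful check is that su use and login attempts actually reach the log, and that the log can be summarised for the suspicious activity the rule mentions. The following is added example code, not part of MGS404; the log lines are constructed, in the formats of the Linux su (shadow-utils), sshd and login messages, and the syslog.conf fragments are likewise constructed.

```shell
#!/bin/sh
# Added example, not part of MGS404: summarises su use and login attempts from
# a syslog-style file, to verify that the events the rules require are being
# recorded. The log lines are constructed; the formats follow the Linux su
# (shadow-utils), sshd and login messages.

SAMPLE_AUTHLOG='Mar  3 10:01:12 srv1 su: (to root) alice on pts/0
Mar  3 10:02:40 srv1 su: FAILED SU (to root) bob on pts/1
Mar  3 10:03:05 srv1 su: (to oper) alice on pts/0
Mar  3 10:05:03 srv1 sshd[2231]: Accepted publickey for alice from 10.1.2.3 port 50122 ssh2
Mar  3 10:05:30 srv1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar  3 10:05:31 srv1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar  3 10:05:33 srv1 sshd[2241]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 10:06:00 srv1 login[2301]: FAILED LOGIN 1 FROM tty1 FOR carol, Authentication failure'

# su attempts per user, as "<user> ok=<n> failed=<n>" lines (sorted).
su_summary() {                       # $1 = log file
    awk '/ su: / || / su\[[0-9]+\]: / {
            failed = ($0 ~ /FAILED SU/)
            if (match($0, /\) [^ ]+ on /)) {          # "(to root) alice on pts/0"
                u = substr($0, RSTART + 2, RLENGTH - 6)
                if (failed) f[u]++; else s[u]++
                seen[u] = 1
            }
        }
        END { for (u in seen) printf "%s ok=%d failed=%d\n", u, s[u], f[u] }' "$1" | sort
}

# Failed logins per source address from sshd lines; print those at or above
# the threshold as "<address> <count>" (sorted).
failed_logins_by_source() {          # $1 = log file, $2 = threshold
    awk -v limit="$2" '/Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
        }
        END { for (a in c) if (c[a] >= limit) printf "%s %d\n", a, c[a] }' "$1" | sort
}

# Count console/tty login failures recorded by login(1).
failed_tty_logins() {                # $1 = log file
    grep -c 'FAILED LOGIN' "$1" || true
}

# Does a syslog.conf route the auth/authpriv facility to a destination?
# (An "authpriv.none" selector alone does not count.)
syslog_routes_auth() {               # $1 = syslog.conf
    grep -Eq '^[^#]*(^|[;[:space:],])auth(priv)?\.(\*|debug|info|notice)' "$1"
}

# Demonstration on the constructed log.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_AUTHLOG" > "$tmp"
echo "su summary:"; su_summary "$tmp"
echo "sources with 3 or more failed logins:"; failed_logins_by_source "$tmp" 3
echo "tty login failures: $(failed_tty_logins "$tmp")"
rm -f "$tmp"
```

The su summary separates successful from failed switches per user, which is what the rule on unauthorised privilege changes needs; the per-source count of failed logins is the simplest form of the "suspicious activity" monitoring mentioned in the additional information, and the syslog.conf check confirms that the auth facility is not silently discarded.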

9. Network security

9.1. IP stack

Rule RS-3000: configuration of the network interfaces
- For all machines, prevent information from being recovered through the network interfaces' "promiscuous" mode (sniffer).
- On a server, to avoid spoofing:
  - use static rather than dynamic addressing (no DHCP);
  - for each machine on the same network that has to communicate with this server, the MAC (Ethernet) address can be pinned with the arp command.

Rules RS-3001 to RS-3007:
- Packets carrying the source routing option must be neither forwarded nor processed.
- The TCP TIME_WAIT parameter must be set to 1 minute (60 seconds).
- The machine must be protected against DoS attacks by ICMP flooding.
- The IP stack must be protected against IP redirection.
- ARP cache entry expiry time must be limited to 1 minute at most, in order to reduce ARP spoofing/hijacking risks.
- TCP sequence number generation must be configured so that sequence numbers cannot be guessed (random generation).
- The socket queue must be protected against SYN flooding.

Additional information:
Means:
- Detect promiscuous mode with a command run cyclically from the crontab (hourly, for example).
- On a server: remove the DHCP client package(s) and configure the network interfaces manually; for each machine whose MAC address is required, enter: arp -s <IP_address> <MAC_address> (these commands may be added at the end of the file /etc/rc.d/rc.local, for example).
Notes:
- A switch to promiscuous mode can only be made with root rights. It may therefore indicate an anomaly (machine already compromised?).
- The use of certain libraries intended for network listening may not be detected.
- In a server hosting environment, it is preferable to have a machine that detects this mode (or even detects intrusions).
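The following is an added example, not part of MGS404, of how the IP-stack rules above translate into checks on a Linux host. The sysctl keys are genuine Linux names; the directory they are read from is a parameter (default /proc/sys) so the check can run against a constructed tree, and the "ip -o link" output used for the promiscuous-mode check is a constructed sample. Other UNIX systems set the equivalents with ndd (Solaris, HP-UX) or no (AIX).

```shell
#!/bin/sh
# Added example, not part of MGS404: checks the Linux kernel settings that
# implement the IP-stack rules and detects interfaces in promiscuous mode.
# Two rules have no key here: Linux randomises TCP sequence numbers by default
# and its TIME_WAIT length is a compiled-in 60 s.

# key  operator  value  rule
SYSCTL_RULES='net/ipv4/conf/all/accept_source_route eq 0 source-routing
net/ipv4/conf/all/accept_redirects eq 0 ip-redirection
net/ipv4/conf/all/send_redirects eq 0 ip-redirection
net/ipv4/conf/all/rp_filter eq 1 anti-spoofing
net/ipv4/icmp_echo_ignore_broadcasts eq 1 icmp-flooding
net/ipv4/tcp_syncookies eq 1 syn-flooding
net/ipv4/neigh/default/gc_stale_time le 60 arp-expiry'

# Compare each key with its expected value; print deviations, return 1 if any.
check_ip_stack() {                   # $1 = sysctl root (default /proc/sys)
    root=${1:-/proc/sys}; rc=0
    while read -r key op want rule; do
        [ -n "$key" ] || continue
        if [ ! -r "$root/$key" ]; then echo "UNKNOWN $key ($rule)"; rc=1; continue; fi
        have=$(cat "$root/$key")
        case $op in
            eq) [ "$have" = "$want" ] ;;
            le) [ "$have" -le "$want" ] ;;
        esac || { echo "DEVIATION $key=$have want $op $want ($rule)"; rc=1; }
    done <<EOF
$SYSCTL_RULES
EOF
    return $rc
}

# Interfaces in promiscuous mode, from "ip -o link" output read on stdin
# (so a captured copy can be checked). Prints their names; returns 1 if none.
# Intended for an hourly cron entry:  ip -o link | promisc_ifaces
promisc_ifaces() {
    awk -F': ' '$3 ~ /<[^>]*PROMISC[^>]*>/ { print $2; found = 1 } END { exit !found }'
}

# Constructed "ip -o link" output: eth0 is in promiscuous mode.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

# Demonstration: the live kernel (if readable) and the constructed sample.
if [ -d /proc/sys/net/ipv4 ]; then
    check_ip_stack || echo "check_ip_stack: deviations listed above"
fi
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces || echo "no interface in promiscuous mode"
```

rp_filter is not named by the rules but is the Linux mechanism behind the anti-spoofing intent of RS-3000, so it is included; an interface reported by promisc_ifaces should be treated as the anomaly the notes describe, since only root can set that flag.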

9.2. Administration flow security

Apply MGS 425 (OpenSSH), which contains the security rules concerning the protection of network flows by means of OpenSSL.

Rules RS-3100 to RS-3102:
- Apply MGS 425 (OpenSSH configuration).
- The machine must be administered through a specific network interface. Methods: an additional network board, or a VPN (Virtual Private Network).
- Administration services other than SSH must be filtered with xinetd or TCP-Wrapper. With xinetd, use the bind and only_from options.

9.3. Network service filtering

Filtering uses the access control components. The role of filtering is not to shape network traffic between two points but to decide whether a packet should or should not be processed. A packet can be rejected, accepted or modified according to rules of varying complexity. In many cases, filtering is used to control and/or secure an internal network from the outside world (the Internet, for example).

Rules RS-3200 to RS-3202:
- All services activated in inetd or xinetd must be approved by the CNSSI security teams (specify the approach).
- As far as possible, do not install a print server.
- Do not use NIS (it depends on RPC services, which are too vulnerable). This service is highly vulnerable; if such a service is necessary, prefer LDAP.

Additional information:
Limit access to network services to the authorised machines only, using xinetd or inetd + TCP-Wrapper.

9.3.1. Configuration of inetd / TCP-Wrapper

All services authorised to be present on machines must apply the following rules (RS-3203 to RS-3209).

Configuration of inetd:
- The inetd daemon must be started in standalone mode (-s) with the option -t.
- All TCP and UDP services open in /etc/inetd.conf must be encapsulated with TCP-Wrapper (using the nowait option).

Configuration of TCP-Wrapper:
- inetd must be associated with TCP-Wrapper: inetd alone does not provide network security (see the rules concerning TCP-Wrapper and xinetd).
- Connection requests must be logged and filtered via inetd/TCP-Wrapper.
- PARANOID mode must be activated: it refuses all connections from a host whose name does not match its IP address (forward and reverse DNS lookups disagree).
- Include one rule in /etc/hosts.deny refusing everything that is not authorised: the file must contain a single ALL:ALL line.
- The last line of the file /etc/hosts.allow must prohibit everything: the file must contain a single ALL:ALL:DENY line, as its last line.

For further information on the installation and configuration of TCP-Wrapper, refer to the guide MGS 499 S1F3, available from Securinoo.

9.3.2. Configuration of xinetd

All services authorised to be present on machines must apply the following rules (RS-3210 to RS-3222):
- Connection requests must be logged via xinetd.
- Connection requests must be filtered per service via xinetd.
- The xinetd.conf default configuration must contain: disable = yes (all services are deactivated by default).
- The xinetd.conf default configuration must contain: no_access = 0.0.0.0/0 (by default no network can connect; the only_from parameter then specifies the networks authorised to connect).
- The xinetd.conf default configuration must contain: log_type = SYSLOG authpriv (sent to syslog as authpriv.info).
- The xinetd.conf default configuration must contain: log_on_failure = HOST, to log the client address (HOST) when a connection fails.
- The xinetd.conf default configuration must contain: log_on_success = HOST DURATION PID EXIT, to log the following on a successful connection: HOST, the client address; DURATION, the duration of the session; PID, the server PID; EXIT, the exit status of the process.
- RS-3218: the services declared in xinetd.conf must carry the parameter per_source m, m being the maximum number of simultaneous connections authorised from the same machine. In general a value lower than or equal to 128 connections per server is more than enough. Prevents denials of service.
- RS-3219 (1): the services declared in xinetd.conf must use the parameter max_load c. The parameter (expressed as a percentage) is the average CPU load over one minute beyond which connections to the service are refused. Prevents denials of service.
- RS-3220 (1): the services declared in xinetd.conf must use the parameter instances n, the maximum number of simultaneous accesses to the service. Prevents denials of service.
- RS-3221 (1): the services declared in xinetd.conf must use the parameter cps x y: x is the threshold of authorised connections per second beyond which the service is deactivated for y seconds. Prevents denials of service.
- RS-3222: the xinetd.conf includedir option must be used.

(1): for rules RS-3219, RS-3220 and RS-3221 the parameters depend entirely on the use of the server and of the services. They must therefore be configured appropriately; the indicative values given in notes a to c may however be used as a basis.
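An added example, not part of MGS404, that audits TCP-Wrapper and xinetd configuration files against the rules of 9.3.1 and 9.3.2. File paths are parameters so copies can be checked; the sample files are constructed, and the numeric xinetd values in them (per_source 10, max_load 0.9, instances 50, cps 3 10) are indicative figures in the spirit of note (1), not mandated ones. One caveat for the max_load line: xinetd.conf(5) defines max_load as a one-minute load average (a floating-point value), so the document's percentage is taken here as 0.9 for a single-processor host.

```shell
#!/bin/sh
# Added example, not part of MGS404: audits TCP-Wrapper and xinetd
# configuration files against the rules of 9.3.1 and 9.3.2. POSIX sh/awk.

# Active configuration lines: comments and blank lines removed, trimmed.
conf_lines() {                       # $1 = file
    awk '{ sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 != "") print }' "$1"
}

# hosts.deny: exactly one active line, ALL: ALL.
check_hosts_deny() {                 # $1 = hosts.deny
    n=$(conf_lines "$1" | wc -l)
    [ "$n" -eq 1 ] || { echo "hosts.deny: $n active lines, expected exactly one"; return 1; }
    conf_lines "$1" | grep -Eq '^ALL[[:space:]]*:[[:space:]]*ALL$' \
        || { echo "hosts.deny: the line is not ALL: ALL"; return 1; }
}

# hosts.allow: the last active line must be ALL: ALL: DENY.
check_hosts_allow() {                # $1 = hosts.allow
    last=$(conf_lines "$1" | tail -n 1)
    printf '%s\n' "$last" | grep -Eq '^ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*:[[:space:]]*DENY$' \
        || { echo "hosts.allow: last active line is '$last', expected ALL: ALL: DENY"; return 1; }
}

# Attributes the xinetd "defaults" block must carry: name, then the exact
# value or "*" when any value is acceptable (site-dependent figures).
XINETD_DEFAULTS='disable yes
no_access 0.0.0.0/0
log_type SYSLOG authpriv
log_on_failure HOST
log_on_success HOST DURATION PID EXIT
per_source *
max_load *
instances *
cps *'

# "name value" pairs of the defaults { ... } block, whitespace normalised.
xinetd_defaults_attrs() {            # $1 = xinetd.conf
    awk '/^[ \t]*defaults/ { inblk = 1; next }
         inblk && /^[ \t]*\{/ { next }
         inblk && /^[ \t]*\}/ { inblk = 0; next }
         inblk { sub(/#.*/, "")
                 if (split($0, kv, "=") == 2) {
                     gsub(/^[ \t]+|[ \t]+$/, "", kv[1]); gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
                     gsub(/[ \t]+/, " ", kv[2]); print kv[1], kv[2] } }' "$1"
}

# Report missing or wrong defaults and a missing includedir; return 1 if any.
check_xinetd_conf() {                # $1 = xinetd.conf
    attrs=$(xinetd_defaults_attrs "$1"); rc=0
    while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$attrs" | awk -v n="$name" '$1 == n { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ -z "$have" ]; then echo "xinetd defaults: $name missing"; rc=1
        elif [ "$want" != "*" ] && [ "$have" != "$want" ]; then
            echo "xinetd defaults: $name = $have, expected $want"; rc=1
        fi
    done <<EOF
$XINETD_DEFAULTS
EOF
    grep -Eq '^[[:space:]]*includedir[[:space:]]' "$1" || { echo "xinetd.conf: includedir missing"; rc=1; }
    return $rc
}

# Constructed sample files that satisfy the rules.
SAMPLE_HOSTS_DENY='# deny everything not explicitly allowed
ALL: ALL'
SAMPLE_HOSTS_ALLOW='sshd: 10.1.2.0/255.255.255.0
ALL: ALL: DENY'
SAMPLE_XINETD_CONF='defaults
{
        log_type        = SYSLOG authpriv
        log_on_success  = HOST DURATION PID EXIT
        log_on_failure  = HOST
        no_access       = 0.0.0.0/0
        disable         = yes
        per_source      = 10
        max_load        = 0.9
        instances       = 50
        cps             = 3 10
}
includedir /etc/xinetd.d'

# Demonstration on the sample files.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_HOSTS_DENY" > "$tmp/hosts.deny"
printf '%s\n' "$SAMPLE_HOSTS_ALLOW" > "$tmp/hosts.allow"
printf '%s\n' "$SAMPLE_XINETD_CONF" > "$tmp/xinetd.conf"
check_hosts_deny "$tmp/hosts.deny" && check_hosts_allow "$tmp/hosts.allow" \
    && check_xinetd_conf "$tmp/xinetd.conf" && echo "sample configuration: compliant"
rm -rf "$tmp"
```

The checks deliberately look only at the defaults block and at the two wrapper files; per-service stanzas in /etc/xinetd.d inherit the defaults, so a deviation there (an only_from that is too wide, for instance) still has to be reviewed service by service.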

Indicative values for note (1):
a. RS-3219: a threshold set between 85% and 95% helps prevent system saturation. For less important services a lower threshold can be set, to leave priority to other services.
b. RS-3220: this option depends heavily on the service; generally the value should be less than 50.
c. RS-3221: in general a maximum of three connections per second is enough. For heavily used services it can be increased to 10 connections per second.

9.4. Routing

Routing is the method of carrying information (packets) to the correct destination across a network. Depending on the type of network, data is sent in packets and the path is chosen each time (adaptive routing), or a path is chosen once and for all (the two can be combined). A machine that handles routing is commonly called a router.

Rule RS-3300:
Routing daemons must be deactivated or removed (e.g. gated, routed).

Additional information:
Routing daemons are only of use on machines connected to several networks and used to route packets.

9.5. Name resolution

Rule RS-3400:
Name resolution must first be carried out locally before any other method (DNS and LDAP).

Additional information:
This requires name resolution to be carried out first via a local file and then via DNS. It makes it possible to avoid DNS spoofing.
9.6. RPC (Remote Procedure Call): portmapper (portmap), rpcbind

Rules RS-3500 and RS-3501:
- RS-3500: All RPC network services started by the portmapper, including the portmapper itself, must be deactivated.
- RS-3501: If RPC network services are necessary, access to them must be secured and logged as strictly as possible.

Additional information:
All services to be started by the portmapper must receive the approval of the security teams.

9.7. Network services to ban

Rule RS-3600:
No network service other than SSH may be activated on the machine.

Additional information:
In particular: daytime, discard, chargen, echo, fingerd, rquotad, rusersd, rwalld, rexd, systat, time, netstat.

10. Security of services

This chapter covers the rules that apply to the principal services (functions) offered by Unix servers.

10.1. General comments

Rule RS-4000:
All sensitive services should be started in a chrooted environment.

10.2. X-Window

Rules RS-4100 to RS-4102:
- If an X server is necessary (X11 or XFree), use the most recent validated version possible.
- X server authentication must be carried out with the xauth mechanism.
- The data exchanged between the client and the X server must be encrypted through an SSH tunnel, in compliance with MGS 425.

Additional information:
Unlike filtering via xhost, which uses authentication based on the client host name, the xauth method uses a shared secret to authenticate both parties. The communication itself nevertheless remains in clear text.

10.3. File transfer service

Rule RS-4200:
Apply MGS 601 V2.0: File transfer.

10.4. Messaging service

Rule RS-4300:
A mail transfer agent is necessary for distributing messages. This agent must not be run as a network service, and its configuration must be modified so that it cannot be used as an uncontrolled mail relay.

Additional information:
In the process of standardisation.

10.5. Distributed name service

Rule RS-4400:
Use the security functions (LDAPS) supplied by LDAP.

10.6. NFS (Network File System)

Rule RS-4500:
The NFS server must not be installed or started.

Additional information:
If the NFS server is necessary, the file /etc/exports must respect the following characteristics:
- it must belong to root:root with permissions 644;
- domain names must be fully qualified where possible;
- exports must be verified using the access option;
- the file system must not be exported to the machine itself (no localhost entry);
- the nosuid and read-only mount options must be preferred.

10.7. Administration / supervision service

Rules RS-4600 to RS-4606:
- The SNMP protocol must not be used if it is not necessary.
- If SNMP is necessary, version 3 must be used. If version 3 is not available, version 2 is tolerated; in any case, ban version 1.
- If SNMP is necessary, there must be no SNMP community string named public or private, nor any of the names supplied as standard by manufacturers (default parameters).
- If SNMP is necessary, all community strings must comply with the password management policy.
- Access to the SNMP server must be restricted to authorised stations only.
- If SNMP is necessary, the sending of SNMP traps must be protected by identifiers in compliance with the password management policy.
- If SNMP is necessary, access to the SNMP service is authorised in read-only mode, never in write mode.

10.8. WEB

Rule RS-4700:
Apply MGS 411.

10.9. Domain name service

Rules RS-4800 and RS-4801:
- RS-4800: Use BIND or LDAP as the domain name service.
- RS-4801: Always use the latest available validated and maintained version of the domain name service.
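For the /etc/exports characteristics listed under 10.6, an added example (not part of MGS404) of a Linux-side audit. The "access option" of the text is the Solaris/HP-UX share syntax; on Linux the equivalent control is the explicit client list in front of each option group, which is what the check looks for. nosuid is a client-side mount option (set in fstab), so it is outside this server-side check. The exports content is a constructed sample and the expected owner:group is a parameter so the check can run on a test copy.

```shell
#!/bin/sh
# Added example, not part of MGS404: audits a Linux /etc/exports file against
# the characteristics of 10.6. Assumes GNU stat and POSIX sh.

# Constructed sample: the first export is compliant, the second is not.
SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/srv/export  nfs1.corp.example(ro,root_squash,sync) 10.1.2.0/24(ro,sync)
/srv/bad     *(rw,no_root_squash) localhost(ro) build01(ro)'

# Print one "<finding> <export> [<client>]" line per deviation; return 1 if any.
check_exports() {                    # $1 = exports file, $2 = expected owner:group (root:root)
    f=$1; want=${2:-root:root}; rc=0
    st=$(stat -c '%a %U:%G' "$f")
    [ "$st" = "644 $want" ] || { echo "OWNER_MODE $st (want 644 $want)"; rc=1; }
    set -f                           # no globbing while the client list is split
    while read -r dir clients; do
        case $dir in ''|\#*) continue ;; esac
        [ -n "$clients" ] || { echo "NO_CLIENT_LIST $dir"; rc=1; continue; }
        for c in $clients; do
            host=${c%%"("*}; opts=${c#*"("}; opts=${opts%")"}
            [ "$opts" != "$c" ] || opts=""          # no option group at all
            case $host in ''|'*') echo "WORLD_EXPORT $dir"; rc=1 ;; esac
            case $host in localhost|127.0.0.1) echo "SELF_EXPORT $dir"; rc=1 ;; esac
            # networks, netgroups (@name) and FQDNs contain a dot or an @; bare names do not
            case $host in *.*|@*) ;; *) echo "UNQUALIFIED $dir $host"; rc=1 ;; esac
            case ",$opts," in *,ro,*) ;; *) echo "NOT_READONLY $dir $host"; rc=1 ;; esac
            case ",$opts," in *,no_root_squash,*) echo "ROOT_NOT_SQUASHED $dir $host"; rc=1 ;; esac
        done
    done < "$f"
    set +f
    return $rc
}

# Demonstration on the constructed sample (deviations are expected).
tmp=$(mktemp); printf '%s\n' "$SAMPLE_EXPORTS" > "$tmp"; chmod 644 "$tmp"
check_exports "$tmp" "$(id -un):$(id -gn)" || echo "check_exports: deviations listed above"
rm -f "$tmp"
```

The no_root_squash test is not in the document's list; it is added because an export that lets a client's root act as root on the server defeats the read-only and nosuid intent of the last bullet.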
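For the SNMP community-string rules of 10.7, an added example (not part of MGS404) that audits a net-snmp snmpd.conf. The directive names (rocommunity, rwcommunity, com2sec, group) are net-snmp's own; the configuration content is a constructed sample, and the minimum community length is an assumed figure standing in for the site's password management policy, which the document does not quantify.

```shell
#!/bin/sh
# Added example, not part of MGS404: audits a net-snmp snmpd.conf against the
# community-string rules of 10.7. POSIX sh/awk.

# Community names that must never appear: public/private and any vendor
# defaults documented for the equipment in use (extend the list as needed).
FORBIDDEN_COMMUNITIES='public private'
MIN_COMMUNITY_LENGTH=12              # assumed stand-in for the password policy

# Constructed sample snmpd.conf.
SAMPLE_SNMPD_CONF='# snmpd.conf (constructed sample)
rocommunity  public
rocommunity  m0nit0r-r0-c0mm  10.1.2.0/24
rwcommunity  private          10.1.2.5
com2sec      nmsnet  10.1.2.0/24  s3cr3t-c0mmun1ty
group        v1grp   v1   nmsnet
group        v2grp   v2c  nmsnet
rouser       nmsadmin priv'

# Print one "<finding> <detail>" line per deviation; return 1 if any.
check_snmpd_conf() {                 # $1 = snmpd.conf
    rc=0
    lines=$(awk '{ sub(/#.*/, ""); if (NF) print }' "$1")
    while read -r directive a b c; do
        community=""; source=""
        case $directive in
            rocommunity|rocommunity6) community=$a; source=$b ;;
            rwcommunity|rwcommunity6) community=$a; source=$b
                echo "WRITE_COMMUNITY $a"; rc=1 ;;          # read-only access only
            com2sec|com2sec6)         community=$c; source=$b ;;
            group) [ "$b" != "v1" ] || { echo "V1_ENABLED $a"; rc=1; } ;;
            *) continue ;;
        esac
        [ -n "$community" ] || continue
        for bad in $FORBIDDEN_COMMUNITIES; do
            [ "$community" != "$bad" ] || { echo "DEFAULT_COMMUNITY $community"; rc=1; }
        done
        # no source, or the "default" source, means reachable from any station
        case ${source:-default} in default) echo "UNRESTRICTED_SOURCE $community"; rc=1 ;; esac
        [ ${#community} -ge "$MIN_COMMUNITY_LENGTH" ] || { echo "SHORT_COMMUNITY $community"; rc=1; }
    done <<EOF
$lines
EOF
    return $rc
}

# Demonstration on the constructed sample (deviations are expected).
tmp=$(mktemp); printf '%s\n' "$SAMPLE_SNMPD_CONF" > "$tmp"
check_snmpd_conf "$tmp" || echo "check_snmpd_conf: deviations listed above"
rm -f "$tmp"
```

An SNMPv3 user line (rouser) is left alone by the check: the rules' concern is the community strings of versions 1 and 2, and the group/v1 test flags the explicit v1 mapping that the document bans.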

11. Appendix: rights and permissions for important files

The table below presents a non-exhaustive list of files for which ownership and user rights should be monitored with vigilance.

The rights shown are the maximum admissible for a well-secured installation. These rights can nevertheless be further restricted.

When rights have to be modified, use the form shown in the table as the parameter of the /bin/chmod command.

The group named ROOT corresponds to the group whose GID is 0 (zero); the name of this group may differ from one system to another.

The keyword ALL shows the rights for all systems other than those that are the subject of a specific line in the rights table (for the same file/directory).

A sealing tool (TripWire, for example; a study is available at Securinoo) would be an additional advantage for ensuring that critical files have not been modified, particularly on servers.

Files/Directories                   Owner       Group             Rights  Systems
/                                   root        ROOT              0755    ALL
/bin                                root        ROOT, bin         0755    ALL
/bin/bash                           root        ROOT, bin         0755    Linux
/bin/login                          root        ROOT, bin         4555    ALL
/bin/mount                          root        root              0550    Linux
/bin/netstat                        root        root              0550    Linux
/bin/su                             root        ROOT, bin         4755    ALL
/boot                               root        root              0750    Linux
/boot/*                             root        root              0640    Linux
/boot/grub/grub.conf                root        root              0600    Linux
/crash                              root        ROOT              0750    Solaris
/dev                                root, bin   ROOT, sys, bin    0755    ALL
/dev/console                        root        ROOT, sys         0633    ALL
/dev/full                           root        root              0666    Linux
/dev/kmem                           root        ROOT              0640    AIX
/dev/kmem                           bin         sys               0640    HP-UX
/dev/kmem                           root        kmem              0640    Linux
/dev/kmem                           root        sys               0640    Solaris

Files/Directories                   Owner       Group             Rights  Systems
/dev/MAKEDEV                        root        root              0700    Linux
/dev/mem                            root        ROOT              0640    AIX
/dev/mem                            bin         sys               0640    HP-UX
/dev/mem                            root        kmem              0640    Linux
/dev/mem                            root        sys               0640    Solaris
/dev/null                           root, bin   ROOT, sys, bin    0666    ALL
/dev/random                         root        root              0644    Linux
/dev/tty                            root, bin   ROOT, tty, bin    0666    ALL
/dev/urandom                        root        root              0644    Linux
/dev/zero                           root        ROOT, sys         0666    Solaris, Linux, AIX
/etc                                root        ROOT, sys, bin    0755    ALL
/etc/aliases                        root        ROOT, bin         0600    Solaris, Linux, AIX
/etc/aliases.db                     root        root              0600    Linux
/etc/anacrontab                     root        root              0600    Linux
/etc/at.allow                       root        root              0600    Linux
/etc/at.deny                        root        root              0600    Linux
/etc/cron.allow                     root        root              0600    Linux
/etc/cron.d/at.allow                root        root              0600    Solaris
/etc/cron.d                         root        sys               0750    Solaris
/etc/cron.d/at.deny                 root        root              0600    Solaris
/etc/cron.d/cron.allow              root        sys               0600    Solaris
/etc/cron.d/cron.deny               root        sys               0600    Solaris
/etc/cron.deny                      root        root              0600    Linux
/etc/default/useradd                root        bin               0640    HP-UX
/etc/default                        root        root, sys         0750    Linux, Solaris, HP-UX
/etc/default/init                   root        sys               0644    Solaris
/etc/default/login                  root        sys               0644    Solaris
/etc/default/passwd                 root        sys               0644    Solaris
/etc/default/su                     root        sys               0644    Solaris
/etc/defaultrouter                  root        root              0644    Solaris
/etc/environment                    root        ROOT              0644    AIX
/etc/exclude.rootvg                 root        ROOT              0644    AIX
/etc/exports                        root        root              0600    ALL

Files/Directories                   Owner       Group             Rights  Systems
/etc/fstab                          root        sys               0640    HP-UX
/etc/fstab                          root        root              0600    Linux
/etc/ftpaccess                      root        root              0400    Linux
/etc/ftpconversions                 root        root              0400    Linux
/etc/ftpgroups                      root        root              0400    Linux
/etc/ftphosts                       root        root              0400    Linux
/etc/ftpusers                       root        root              0400    Solaris, Linux
/etc/group                          root        ROOT              0644    ALL
/etc/hosts                          root        ROOT              0644    ALL
/etc/hosts.allow                    root        ROOT              0640    ALL
/etc/hosts.deny                     root        ROOT              0640    ALL
/etc/hosts.equiv                    root        ROOT              0000    ALL
/etc/hosts.lpd                      root        ROOT              0600    AIX
/etc/inet/hosts                     root        root              0444    Solaris
/etc/inet/inetd.conf                root        root              0644    Solaris
/etc/inet/services                  root        root              0644    Solaris
/etc/inetd.conf                     root        ROOT              0644    ALL
/etc/init.d                         root        root              0750    Solaris, Linux
/etc/init.d/*                       root        root              0750    Solaris, Linux
/etc/inittab                        root        ROOT              0644    ALL
/etc/issue*                         root        root              0644    Solaris, Linux, HP-UX
/etc/lilo.conf                      root        root              0600    Linux
/etc/login.defs                     root        root              0600    Linux
/etc/mail                           root        root              0755    Solaris, Linux, HP-UX
/etc/mail/*                         root        root              0644    Solaris, Linux, HP-UX
/etc/motd                           root        ROOT              0644    Solaris, Linux, AIX
/etc/mtab                           root        root              0644    Linux
/etc/netgroup                       root        root              0644    HP-UX
/etc/notrouter                      root        root              0644    Solaris
/etc/passwd                         root        ROOT              0644    ALL
/etc/printcap                       root        root              0644    Linux
/etc/profile                        root        ROOT              0644    ALL
/etc/rc.*                           root        ROOT              0750    AIX, Linux

Files/Directories                   Owner       Group             Rights  Systems
/etc/rc.config.d                    bin         bin               0755    HP-UX
/etc/rc.config.d/*                  bin         bin               0644    HP-UX
/etc/rc.d/*/*                       root        ROOT              0700    AIX, Linux
/etc/rc.d/rc?.d                     root        ROOT              0755    AIX, Linux
/etc/rc.d/rc?.d/*                   root        ROOT              0744    AIX, Linux
/etc/rc?.d                          root        root              0755    Solaris
/etc/rc?.d/*                        root        root              0744    Solaris
/etc/resolv.conf                    root        ROOT              0644    ALL
/etc/rpc                            root        ROOT, sys, bin    0644    ALL
/etc/securetty                      root        root              0600    Linux
/etc/security                       root        root              0755    AIX
/etc/security/group                 root        security          0640    AIX
/etc/security/passwd                root        security          0600    AIX
/etc/security/user                  root        security          0640    AIX
/etc/sendmail.cf                    root        root              0644    Linux, AIX
/etc/services                       root        ROOT              0644    ALL
/etc/shadow                         root        root, sys         0600    Solaris, Linux
/etc/skel                           root        root              0755    Solaris, Linux, HP-UX
/etc/skel/*                         root        root              0644    Solaris, Linux, HP-UX
/etc/snmp/conf/snmpd.conf           root        root              0644    Solaris
/etc/SnmpAgent.d/snmpd.conf         root        root              0644    HP-UX
/etc/snmpd.conf                     root        ROOT              0644    AIX
/etc/ssh                            root        ROOT              0755    Linux, AIX
/etc/ssh/* (other files)            root        ROOT              0644    Linux, AIX
/etc/ssh/*_key                      root        ROOT              0600    Linux, AIX
/etc/ssh/sshd_config                root        ROOT              0600    Linux, AIX
/etc/syslog.conf                    root        ROOT              0644    ALL
/etc/system                         root        root              0644    Solaris
/etc/xinetd.conf                    root        ROOT              0640    ALL
/etc/xinetd.d                       root        ROOT              0750    ALL
/etc/xinetd.d/*                     root        ROOT              0640    ALL
/root/*                             root        ROOT              0700    ALL
/root/.rhosts                       root        ROOT              0000    ALL

Files/Directories                   Owner       Group             Rights  Systems
/sbin                               root        ROOT, bin         0755    ALL
/sbin/arp                           root        ROOT              0755    Linux
/sbin/init.d                        root        root              0750    HP-UX
/sbin/init.d/*                      root        root              0744    HP-UX
/sbin/mount                         root        root              0550    HP-UX
/sbin/rc?.d                         root        root              0755    HP-UX
/sbin/rc?.d/*                       root        root              0744    HP-UX
/sbin/route                         root        root              0550    Linux
/system                             root        ROOT              0755    AIX, Linux, HP-UX
/system/products                    root        root              0555    Linux
/system/products/sudo/log/sudo.log  root        root              0644    Linux
/tmp                                root        ROOT              1777    ALL
/users                              root        ROOT              0555    ALL
/usr/bin                            root        ROOT, bin         0755    ALL
/usr/bin/at                         root        ROOT              4555    ALL
/usr/bin/finger                     root        root              0550    ALL
/usr/bin/netstat                    root        root              0550    Solaris, AIX, HP-UX
/usr/bin/passwd                     root        ROOT, bin         4555    ALL
/usr/bin/rdate                      root        root              0550    Solaris
/usr/bin/rdist                      root        root              0550    Solaris, AIX, HP-UX
/usr/bin/rpcinfo                    root        root              0550    Solaris, AIX, HP-UX
/usr/bin/rusers                     root        root              0550    Solaris, AIX, HP-UX
/usr/bin/rwho                       root        root              0550    Solaris, AIX, HP-UX
/usr/bin/talk                       root        root              0550    Solaris, AIX, HP-UX
/usr/bin/wall                       root        tty               2555    Linux
/usr/bin/write                      root        tty, bin          2555    ALL
/usr/games                          root        root              0755    Linux
/usr/lib                            root        ROOT, bin         0755    ALL
/usr/sbin/arp                       root        ROOT              0755    Solaris, AIX, HP-UX
/usr/sbin/chroot                    root        root              0550    ALL
/usr/sbin/mount                     root        root              0550    Solaris, AIX
/usr/sbin/route                     root        root              0550    Solaris, AIX, HP-UX
/usr/sbin/rpcinfo                   root        root              0550    Linux

Files/Directories                   Owner       Group             Rights  Systems
/usr/sbin/wall                      root        tty, bin          2555    AIX, Solaris, HP-UX
/var/adm/cron                       root        ROOT, cron        0755    AIX, HP-UX
/var/adm/cron/at.allow              root        ROOT, cron        0640    AIX, HP-UX
/var/adm/cron/at.deny               root        ROOT, cron        0640    AIX, HP-UX
/var/adm/cron/cron.allow            root        ROOT, cron        0640    AIX, HP-UX
/var/adm/cron/cron.deny             root        ROOT, cron        0640    AIX, HP-UX
/var/adm/cron/log                   root        ROOT              0644    AIX, HP-UX
/var/adm/messages                   root        ROOT              0644    ALL
/var/adm/syslog/*                   root        root              0644    HP-UX, Solaris
/var/cron/log                       root        root              0644    Solaris
/var/log/*                          root        root              0640    Solaris, Linux
/var/log/wtmp                       root        utmp              0600    Linux
/var/run/syslogd.pid                root        root              0640    Solaris, Linux, HP-UX
/var/run/utmp                       root        utmp              0644    Linux
/var/spool                          ROOT, bin   ROOT, bin         0755    ALL
/var/spool/at                       daemon      daemon            0700    Linux
/var/spool/cron                     root        root              0700    ALL
/var/tmp                            root        root              1777    ALL
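Since the appendix gives maximum admissible rights rather than exact ones, a compliance check has to compare permission bits, not mode strings. The following is an added example, not part of MGS404, that does this for a constructed subset of the table's Linux rows: a file complies when its mode grants no bit beyond the table's mode and its owner and group are among those listed; ROOT is resolved to the GID-0 group name read from a group file. It assumes GNU stat; the root prefix is a parameter so the check can run against a test tree.

```shell
#!/bin/sh
# Added example, not part of MGS404: checks files against the "maximum
# admissible" rights of the appendix table. Assumes GNU stat and POSIX sh/awk.

# path|owners|groups|max-mode   (constructed subset of the table's Linux rows)
RIGHTS_TABLE='/etc/passwd|root|ROOT|0644
/etc/shadow|root|root,sys|0600
/etc/hosts.equiv|root|ROOT|0000
/etc/xinetd.conf|root|ROOT|0640
/bin/su|root|ROOT,bin|4755
/tmp|root|ROOT,bin|1777'

# Name of the group with GID 0 (ROOT in the table).
gid0_name() {                        # $1 = group file (default /etc/group)
    awk -F: '$3 == 0 { print $1; exit }' "${1:-/etc/group}"
}

# True if octal mode $1 grants a bit that octal maximum $2 does not.
mode_exceeds() { [ $(( 0$1 & ~0$2 )) -ne 0 ]; }

# Audit the table under a root prefix (empty for the live system). Prints one
# line per problem; absent files are reported but are not violations.
check_rights() {                     # $1 = prefix, $2 = group file
    prefix=$1; gid0=$(gid0_name "$2"); rc=0
    while IFS='|' read -r path owners groups max; do
        [ -n "$path" ] || continue
        f="$prefix$path"
        [ -e "$f" ] || { echo "ABSENT $path"; continue; }
        st=$(stat -c '%a %U %G' "$f")
        mode=${st%% *}; rest=${st#* }; owner=${rest%% *}; grp=${rest#* }
        groups=$(printf '%s' "$groups" | sed "s/ROOT/$gid0/")
        ! mode_exceeds "$mode" "$max" || { echo "MODE $path $mode exceeds $max"; rc=1; }
        case ",$owners," in *",$owner,"*) ;; *) echo "OWNER $path $owner not in $owners"; rc=1 ;; esac
        case ",$groups," in *",$grp,"*) ;; *) echo "GROUP $path $grp not in $groups"; rc=1 ;; esac
    done <<EOF
$RIGHTS_TABLE
EOF
    return $rc
}

# Demonstration on the live system (read access to /etc/group is enough).
check_rights "" /etc/group || echo "check_rights: deviations listed above"
```

Because the comparison is bitwise, /etc/passwd at 0600 passes against a table maximum of 0644, while a setuid bit on a file whose maximum is 0755 is caught even though the other nine bits match; extending RIGHTS_TABLE with the remaining rows of the appendix (one per system) turns this into the vigilance check the appendix asks for, and a sealing tool such as the TripWire mentioned above covers the content of the same files.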