Security Top Ten List:

General UNIX

This list of security standards provides UNIX® system and network administrators at the University of Michigan with some of the most important actions that they can take to create and maintain a secure network environment. While it is recognized that the unique characteristics of some system configurations may make it impossible to implement all these standards, system and network administrators are encouraged to put into practice as many of these actions as possible.

For standards specific to SunOS™ and Solaris™ UNIX system administration, see Security Top Ten List: SunOS, Solaris, Reference R1410. For more information or to offer feedback about these security standards, send electronic mail to security-issues@umich.edu. For more information about the U-M Security Database, send electronic mail to UM-Security-DB@umich.edu.

1. Disable, set, or change passwords for all vendor-supplied accounts, especially root.

Make sure that the passwords you choose are secure. Do not use any word that appears in a dictionary, and avoid proper names. (In fact, it’s better to think of a "password" as a "pass phrase.")

2. Install all vendor-supplied security patches for your operating system and version.

These patches are available to U-M system administrators in the U-M Security Database. Make sure you update your operating system regularly—by the time the vendor knows about a hole, so do hackers.

3. Examine the available security-enhanced versions of passwd and login, as well as other programs, and consider installing them.

U-M maintains security-enhanced replacements for existing programs in the U-M Security Database.

4. Consider setting up a shadow password file for your machine (if it doesn’t already have one).

5. Disable all network services; then activate the ones your users need in /etc/inetd.conf and the /etc rc files. Make sure those services that you do provide are secure.

Services such as sendmail, ftp, NIS, and the r-commands all pose some degree of security risk. If you do not need them, do not make them available. If you are going to run these services, read the vendor-supplied manual for security tips. If there is a version of the service that works with the Kerberos authentication system, consider using it.

6. Control access to your machine over the network by installing both tcp_wrapper and Wietse Venema’s version of portmap.

These utilities cover different groups of network services, so you need both of them. Also consider running Ident, which will provide information to other machines in the event of an intrusion from yours. (They are all available in the U-M Security Database.)

7. Run syslog, and save the output. Save the sulog output.

Consider installing and running swatch, which will notify you when specified events happen. Even if you decide not to run swatch, syslog output can be very useful in tracing an incident once it happens.

8. Do not NFS export any file system to the world; do not export any file system with root privileges anywhere. Mount NFS file systems with set-UID disabled (the nosuid mount option). Do not export your root file system.

If you are dealing with a partition that contains software for use in the local environment, you may need to leave SUID enabled so the software will work correctly.
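The following audit script is an added example, not part of the original U-M list. It reads an exports file in the "/path client(options) ..." syntax used by Linux and the BSDs (SunOS and Solaris use a different format, so adapt the parsing there) and flags the three mistakes item 8 warns about: exporting to the world, exporting with root privileges (no_root_squash), and exporting the root file system. The sample exports file is constructed for the demonstration.

```shell
# Audit an /etc/exports-style file for the item 8 mistakes. Assumes the
# Linux/BSD "/path client(options) client(options)" syntax (an assumption;
# not the SunOS /etc/exports or Solaris share(1M) format).
audit_exports() {
    set -f                      # no globbing: a client spec may be "*"
    file=$1
    while read -r line; do
        line=${line%%#*}        # drop comments
        set -- $line            # split into path and client specs
        [ $# -gt 0 ] || continue
        path=$1; shift
        [ "$path" = "/" ] && echo "WARN: root file system exported: $line"
        # a path with no client list at all is exported to everyone
        [ $# -eq 0 ] && echo "WARN: $path exported to the world (no client list)"
        for spec in "$@"; do
            client=${spec%%\(*}
            case $spec in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      opts="" ;;
            esac
            # "(rw)" preceded by a space, and "*", both mean every host
            case $client in
                ""|"*") echo "WARN: $path exported to the world ($spec)" ;;
            esac
            # no_root_squash lets a remote root act as root on this export
            case ",$opts," in
                *,no_root_squash,*) echo "WARN: $path grants root privileges to $client" ;;
            esac
        done
    done < "$file"
    set +f
    return 0
}

# Constructed sample exports file (not any real host's configuration).
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample
/               trusted.example.edu(ro)
/home           (rw,sync)
/usr/local      lab1.example.edu(rw,no_root_squash) lab2.example.edu(ro)
/export/scratch *(rw)
/var/spool/mail mail.example.edu(rw,root_squash)
EOF

# Number of findings for a file; the sample above produces 4.
count_findings() { audit_exports "$1" | wc -l | tr -d ' '; }
```

Run it against a copy of your own exports file; the "/home (rw,sync)" line shows the classic typo that turns a single-host export into a world export.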

9. Do not have a .rhosts file for root without good reason.

10. Make frequent backups.

Store backups in a secure environment. Do complete system, not just incremental, backups on a regular schedule.

Sun and Solaris are trademarks of Sun Microsystems, Inc., in the United States and other countries.

UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.

Copyright © 1996 by The Regents of the University of Michigan

R1408, 6/96