8/10/2019 Security Parameters for Unix and Linux Systems
1/33
Operating Method
Organization of Networks, Carriers and IT Division
Architecture and Security Department
Architecture Prescriptions and Security
Centre National de Sécurité du Système d'Information de France Télécom (CNS SI)
Bâtiment LC3, 2 avenue Pierre Marzin. Technopole Anticipa. 22307 Lannion CEDEX
Telephone: 02 96 05 06 07 - Fax: 02 96 05 19 00
SA with a share capital of 4 098 458 244 EUR - RCS Paris B 380 129 866
Reference: MGS404 S2F0
Title: Security parameters for Unix and Linux systems
Master Document: PSI-RSI : PGS425
Location: Securinoo
Summary: This document describes the security rules applicable for configuring UNIX systems.
Support Service: CNS SI, Permanence CNSSI
Keywords: Security, rules, UNIX, Linux, HP-UX, AIX, SUN Solaris
Type: [x] Create  [ ] Cancels and replaces:
Addressees for action: DSSI (Information System Security Delegates), MOAs and MOEs
Addressees for information: Managers of National Departments, Operating Units and Subsidiaries
Validity: [x] Permanent from 6th November 2000  [ ] Temporary from ... to ...
Author: Patrick BREHIN, Xavier GATELLIER & al. Date: 26/4/2004
Verification: Jean-Paul Guiguen, Mickaël Davila. Date: 4/5/2004
Approved by: (name, date and signature not filled in)
Configuration of UNIX and Linux Security Parameters
MGS404 Version S2F0 Page : 2/33
Modifications
Version N | Version date | Nature of modification
S0F0 | 12.12.03 | Document created from ROSSI-090 V2.0, MGS404 S1F2, MGS405 S1F3, MGS406 S1F2, MGS412 S1F2 and MGS422 S1F0
S0F1 11 | 16/12/2003, 23/04/2004 | Convergence of ROSSI and RSSI rules; re-numbering of rules
Domain of attachment
Domain code: GS. Domain name: IS security management
Associated documents
Document code | Document name
BD/99/41, BRHF/99/205, SG/99/27 | Record of Decision BD/BRHF/SG of 22 April 1999: Organisation of France Telecom information system security and associated charter
Criminal Code | Article 223 et seq.
MGS411 | Configuration of security parameters for http servers
MGS402 S1F0 | Warning to be inserted into title pages
MGS401 S2F3 | Authentifiers, identifiers and passwords
MGS425 S1F0 | OpenSSH configuration
MGS-679 v0.2 | Archiving of logs
GUI-017 | Tcp-wrappers installation and configuration guide
MGS 601 V2.0 | File transfer
MGS 620 S0F1 | Configuring anonymous UNIX FTP servers
Contents
1. Objective 5
2. Scope and general principles 5
3. Players concerned 5
4. General security information 6
5. Overview of Operation 7
5.1. UNIX system 7
5.1.1. Data organisation 7
5.1.2. File and directory rights 7
5.1.3. Software packages 8
5.1.4. Task automation 8
5.1.5. X-Window 8
5.1.6. Miscellaneous 8
5.1.6.1. .exrc file 8
5.1.6.2. chroot command 9
5.2. Network services 9
5.2.1. IP stack 9
5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind 10
5.2.3. Xinetd 10
6. General rules 11
6.1. Software packages and patches 11
6.2. Startup scripts 11
6.3. Miscellaneous 11
7. System security 12
7.1. File system 12
7.2. System stack 12
7.3. File and directory rights 13
7.4. Sensitive files 13
7.5. Automation 14
7.6. Logging configuration 14
7.7. Environment 15
8. Account (access) security 16
8.1. Access control 16
8.2. Remote access right 16
8.3. Account/environment configuration 16
8.4. Administration commands 18
8.5. Trust mechanism 19
8.6. Logging 19
9. Network security 20
9.1. IP stack 20
9.2. Administration flow security 21
9.3. Network service filtering 21
9.3.1. Configuration of Inetd / tcp-wrapper 21
9.3.2. Configuration of Xinetd 22
9.4. Routing 23
9.5. Name resolution 23
9.6. RPC (Remote procedure call) Portmapper (portmap), rpcbind 24
9.7. Network services to ban 24
10. Security of services 25
10.1.General comments 25
10.2.X-Window 25
10.3.File transfer service 25
10.4.Messaging service 25
10.5.Distributed names service 26
10.6.NFS (network file system) 26
10.7.Administration / supervision department 26
10.8.WEB 27
10.9.Domain names service 27
11. Appendix: rights and permissions for important files 28
1. Objective
This document defines the security rules applicable to UNIX and Linux systems.
2. Scope and general principles
The rules and principles are applicable to all UNIX and Linux systems in the France Telecom group information system.
They must be observed when developing applications or working on existing systems.
All rules in this document provide sufficient levels of security without overly restricting the freedom of action of users.
It would however be possible, whenever necessary, to increase the level of security by strengthening these rules whilst ensuring system stability (therefore, a rule specifying a umask of 022 is satisfied if the umask is more restrictive, for example 027).
3. Players concerned
- Systems administrators and operators
- Principal Client and Principal Contractor Project Managers
- Application architects
4. General security information
Computer security is necessary because information technology needs to communicate to operate correctly. This involves aspects such as:
- protection of systems and data
- the reliability of software and hardware
- the performance and availability of services
- proper protection of stored and exchanged information
It should be pointed out that:
- A system is never entirely secure.
- The security of a system is a compromise between resources and expected results.
- People outside the company are responsible for 25% of risks:
  - intrusion
  - denial of service
  - spying, document/programme theft (industrial property)
  - data corruption
  - liability (identity falsification followed by criminal action, etc.)
  - ...
- People inside the company are responsible for 75% of risks:
  - data leaks (theft)
  - irresponsible behaviour (brand image)
  - theft of resources (working on the side)
  - dissemination of illegal statements or images (liability of the organisation)
Reminders:
- A chain's level of security is that of its weakest link.
- There is no network security. So: each system connected must be secure.
We will apply the following basic principle:
Everything that is not explicitly authorised is prohibited.
5. Overview of Operation
5.1. UNIX system
5.1.1. Data organisation
All the data in a UNIX system may be seen as an enormous catalogue of files, referenced in an unambiguous way. It is therefore a complex data structure that must be able to manage the following high-level concepts simultaneously: the filename, its attributes, its type (if that is meaningful for the system), its size, its physical storage, and the operations in process on the file (concurrent access management, modifications in process but not yet written to the storage medium, etc.).
The data is organised in a tree structure of files and directories. For easier handling, this structure is generally broken down into several sub-structures called file systems.
File systems cannot be accessed directly. They have to undergo an operation known as mounting. Any mounted file system must be unmounted, or the removable media containing it must be taken out, before turning off the machine. Otherwise, any unwritten data will be permanently lost.
The Unix file system tree structure is standard and can be broken down as follows:
/etc: computer configuration files
/bin: fundamental programmes (shell, etc.) that can be called up by the user
/lib: libraries (programme bank called up indirectly)
/sbin: system administration programmes
/var: variable (dynamic) data
/tmp or /var/tmp: temporary data (limited lifetime)
/root: administrator work files
/usr: main system programmes and commands, subdivided into /usr/bin, /usr/sbin, /usr/lib, etc.
/usr/local: same as /usr, but for programmes installed locally (not included in the standard system distributed)
/home (or others as applicable): user work files, e.g. /home/toto
5.1.2. File and directory rights
In UNIX systems, files may have read (r), write (w) and execute (x) protection. In this way, it is possible to choose whether a file can be read and/or modified and/or executed. This protection is based on the principle of file access rights.
File rights are defined according to these access rights (rwx) and ownership of the file.
Access rights to a file are defined for its owner, the group to which the file belongs and other users (those that are neither its owner nor part of the owner's group).
A file or directory may also be given the following other rights:
SetUID / SetGID (s): applicable to the owner and/or owner group for executable files. During execution, it gives the user executing the file in question the rights of the file's owner (or of the owner group, depending on the case).
StickyBit (t): in a directory with the "stickyBit" set, only the owner of a file or directory may delete it.
5.1.3. Software packages
Nowadays, most companies commercialising UNIX systems organise the various software
components and supply them in packages. The system is thus installed in homogeneous groups of
files and the elements grouped in a package are generally highly interdependent (in practice they are
files for the same application). When a package is installed, the user in fact installs specific
software. However, certain packages are dependent on other packages; for example, packages
containing the basic system are obviously used by all other packages. The installation programmes manage this dependency and inter-package conflicts relatively well, so that they can now be installed without too much difficulty.
In order to organise all these packages, companies often sort them into series. A series is simply a
set of packages grouped by functional domain. This means that a given package can easily be found
by searching in the series containing all the functionally similar packages. Grouping of packages
into series in no way means that all packages in the same series need to be installed in order to
obtain a given function but that the programmes within the series more or less concern this function.
In fact, redundancy or conflict may exist between two packages in the same series. In this case, the
user should select one or the other, according to the requirements.
5.1.4. Task automation
In Unix, tasks can be configured to be executed automatically during a given period of time, on given dates or when the system load average is beneath a certain level.
The cron and at facilities enable commands/scripts to be executed at a point in the future. The system function cron is administered by the crontab command. The command at is used to submit a job to the system.
5.1.5. X-Window
X Window is not only a video board driver but also an application programming interface (API) enabling applications to be displayed on the screen and to receive input via the keyboard and mouse.
X is also a network server, which means that it can also offer services via a network, enabling
screen display of an application running on another machine, even if the two architectures are
completely different. This is why we use the term X server to designate the graphical sub-system.
The X Window system runs on almost all Unix systems and is even used under Windows and OS/2.
Almost all graphical programmes under Unix use X.
The user does not interact directly with X but rather with what are called X clients (as opposed to the X server). You undoubtedly already use clients such as a Window Manager or a Desktop Environment such as CDE, KDE or Gnome. To log on, you probably also use a Display Manager such as KDM, XDM or GDM. The applications are located above these clients.
The X Window system (or X Window or even X) is a registered trademark of the X Consortium.
The free X servers distributed with Linux come from the XFree86 project.
Official sites:
http://www.x.org
http://www.xfree86.org
5.1.6. Miscellaneous
5.1.6.1. .exrc file
The ex or vi editors, for example, first look for the .exrc startup file in the current directory, then in your HOME directory. This file is normally used to define abbreviations and key-combination mappings. However, it may also contain shell escapes that enable commands to be executed when the editor is started.
5.1.6.2. chroot command
chroot is a command that modifies the location of the root of the file system; for example, a decoy root can be set up for a programme so that ill-intentioned users cannot get into the real root.
5.2. Network services
5.2.1. IP stack
An IP stack is a group of interdependent protocols, each of them reliant on one or several others,
which is why the word stack is used. It is a simplified form of the OSI 7-layer model which has
proved robust and adaptable.
The principal components of the TCP/IP stack are as follows:
- IP (Internet Protocol): a level-3 protocol. It transfers TCP/IP packets on the local network and to external networks via routers. The IP protocol works in connectionless mode, i.e. packets issued by level 3 are transferred independently (datagrams) without any guarantee of delivery.
- ARP (Address Resolution Protocol): a protocol that enables the level-3 address (the IP address) to be linked with a level-2 address (the MAC address).
- ICMP (Internet Control Message Protocol): used for tests and diagnostics.
- TCP (Transmission Control Protocol): a level-4 protocol that operates in connection-oriented mode. On a TCP connection between two network machines, messages (packets or TCP segments) are acknowledged and delivered in sequence.
- UDP (User Datagram Protocol): a level-4 protocol in connectionless mode: messages (or UDP packets) are forwarded independently.
OSI layer | TCP/IP (TCP side) | TCP/IP (UDP side)
7 Application | TELNET, FTP | TFTP
6 Presentation | SMTP, RPC | DOMAIN
5 Session | X11, HTTP | NFS
4 Transport | TCP | UDP
3 Network | IP (Internet Protocol), ICMP, ARP
2 Data Link | Local Network Protocol
1 Physical | (Ethernet, Fast Ethernet, FDDI...)
Files affected, by OS:
- AIX: /etc/rc.net for versions prior to AIX 5.2; for more recent versions this file is not read on server start-up, see the no command to modify parameters.
- Solaris: /etc/init.d/inetinit
- HP-UX: /etc/rc.config.d/nddconf
- Linux kernel 2.2: /etc/sysctl.conf
For further information, see the site: http://www.cymru.com/Documents/ip-stack-tuning.html
5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind
The operating principle for remote procedure calls is as follows: Each programme wishing to
provide RPC services "listens" on a TCP or UDP port for queries. Clients wishing to use these
services must send their queries to this port, indicating all the information needed for execution of
this query: query number and query parameters. The server executes the query and returns the result.
RPC libraries provide the functions needed to transfer the parameters and the actual remote calls.
However, in practice, clients do not know on which port the RPC server is expecting their queries. A mechanism has therefore been set up to enable them to retrieve details of this port and then communicate with the server. Each RPC server is identified by a unique programme number and a version number. When they start up, the servers register with the system, specifying the port on which they will be listening for queries. Clients can then query the remote system to ask for the port where they will find a given server, based on the latter's programme and version numbers.
A special RPC service therefore exists, known as the portmapper, which provides clients that request them with the port numbers of the other servers. The portmapper must of course always be contactable, which implies that it must systematically use the same port number. By convention, the portmapper is identified by programme number 100000 and it listens for client queries on port 111 of both the TCP and UDP protocols. It must be started in a particular order in order to make RPC calls (which the NIS/NIS+ client programme does) to servers (for example an NIS/NIS+ server) on this machine. When an RPC server is started, it informs the portmap daemon of the number of the port on which it is listening and the numbers of the RPC programmes with which it is ready to work. In principle, standard RPC servers are launched by inetd (see the inetd(8) manual), so portmap must be launched before inetd. (All these elements are used by NIS/NIS+ and NFS among others; the portmapper administers nfsd, mountd, ypbind/ypserv, pcnfsd and r-services such as ruptime and rusers.)
5.2.3. Xinetd
Xinetd is present on the following platforms at least: Solaris 2.6 (sparc and x86), Linux, BSDi, and
IRIX 5.3 and 6.2.
Xinetd offers access control capacities similar to those offered by tcp_wrapper. However, its possibilities extend far beyond this:
- access control for TCP, UDP and RPC services (not everything functions very well for the latter);
- access control based on time slots;
- powerful logging, for both successful and failed logins;
- efficient prevention of Denial of Service (DoS) attacks which block a machine by saturating its resources:
  - limitation of the number of servers of the same type that can run at the same time;
  - limitation of the total number of servers;
  - limitation of the size of log files;
- attachment of a service to a specific interface: for example, this enables services to be made accessible to your internal network but not to the outside world;
- may serve as a proxy towards other systems, which is very practical in the event of IP masquerading (or NAT) in order to reach machines located on the internal network.
The main disadvantage concerns RPCs, which are not yet very well supported. However, portmap and xinetd coexist perfectly.
6. General rules
6.1. Software packages and patches
RS-0000
Rule: No unnecessary software packages should be installed on the system. All packages considered unnecessary should, therefore, be deleted. In particular, monitor network services and development tools.
Additional information: The fewer the software packages installed on a machine, the greater its security. This also reduces maintenance as well as the security patches to be installed.
RS-0001
Rule: The system must be as up to date as possible. This means that the latest validated security updates must be installed.
Additional information: All systems must be regularly updated.
6.2. Startup scripts
These scripts are initiated when the system is started and are responsible for various tasks such as mounting the read/write file system, activating swap, setting some system parameters and launching the various daemons required by the system.
RS-0100
Rule: The umask value fixed in the start-up scripts must be positioned at 027.
Additional information: This enables the start-up scripts to create files with 640 permissions. Any waiving of this rule must be approved by the security teams.
RS-0101
Rule: Any service not necessary to server functions must be deactivated.
Additional information: Therefore, all unnecessary startup scripts in the default startup directory must be deactivated (often those from unnecessary packages).
6.3. Miscellaneous
RS-0200
Rule: Prohibit restarting via the keyboard (CTRL+ALT+DEL).
Additional information: This rule is valid for all Linux and Solaris systems running on Intel platforms.
RS-0201
Rule: In non-secure environments, prohibit starting of the machine otherwise than via the system disk.
Additional information: On Intel platforms, this means requesting a password for access to the BIOS, to prevent the boot sequence being modified.
RS-0202
Rule: Protect non-standard system booting with a password.
Additional information: I.e. any booting via CD-ROM or any other disk.
7. System security
7.1. File system
RS-1000
Rule: The partition /var must be mounted on a dedicated file system.
Additional information: The /var partition contains log, patch, print, e-mail files, etc. The disk space taken up by these files therefore varies. This partition must be separate from the root file system. This rule avoids saturation by logs, which would bring the server to a standstill.
RS-1001
Rule: Partitions and removable devices are mounted using the options:
- nodev (except for device partitions like /dev or /devices)
- noexec: for /var and /tmp
- nosuid: for partitions for non-system and non-application users (like /home or /users) and removable devices.
Additional information: These mount options prevent binaries running, processing of the suid/sgid bits and interpretation of the special files. The aim is to manage rights as precisely as possible.
RS-1002
Rule: Automatic mount functions for removable devices must be deleted.
Additional information: These functions can be accessed via the vold, automount or supermount daemons.
RS-1003
Rule: Users must be prohibited from mounting removable devices, to avoid introducing potentially dangerous programmes or files or leaking data.
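An audit of mount options against RS-1001, added here as an example (it is not part of MGS404): it reads fstab-style lines and reports each mount point missing a required option. The mapping of mount points to required options, the exemption of the root file system (which normally carries /dev itself) and the sample table are assumptions made for the example.

```shell
#!/bin/sh
# Audit fstab-style lines against RS-1001 (added example, not from MGS404).
# Reads "device mountpoint fstype options ..." lines from stdin and prints one
# "mountpoint missing-option" line per violation.

# Constructed sample table (not a real host's /etc/fstab).
SAMPLE_FSTAB='/dev/sda1 / ext3 defaults 1 1
/dev/sda2 /var ext3 defaults 1 2
/dev/sda3 /tmp ext3 nodev,noexec 1 2
/dev/sda4 /home ext3 nodev,nosuid 1 2
/dev/cdrom /mnt/cdrom iso9660 noauto,ro,user 0 0'

# Options RS-1001 requires for a mount point:
#   nodev  everywhere except device partitions (/dev, /devices)
#   noexec on /var and /tmp
#   nosuid on user partitions (/home, /users) and removable devices
# The removable-media mount points (/mnt, /media) are an assumption.
required_options() {
    mp=$1
    req=""
    case "$mp" in
        /dev|/devices) ;;
        *) req="nodev" ;;
    esac
    case "$mp" in
        /var|/tmp) req="$req noexec" ;;
    esac
    case "$mp" in
        /home|/users|/mnt/*|/media/*) req="$req nosuid" ;;
    esac
    echo "$req"
}

# Return 0 if the comma-separated option list $1 contains option $2.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit stdin; return 1 if any required option is missing.
audit_fstab() {
    rc=0
    while read -r dev mp fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        # The root file system is exempt: it normally holds /dev itself
        # (assumption for this example).
        [ "$mp" = "/" ] && continue
        for need in $(required_options "$mp"); do
            if ! has_option "$opts" "$need"; then
                echo "$mp $need"
                rc=1
            fi
        done
    done
    return $rc
}

if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
    echo "all mount points carry the options RS-1001 requires"
else
    echo "violations listed above"
fi
```

On a live host the same audit runs as `audit_fstab < /etc/fstab`.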
7.2. System stack
This is the memory zone of a process (a programme being executed) dedicated to saving the data necessary for calls (the arguments and return addresses are stacked) and returns (the arguments and return address are un-stacked).
RS-1100
Rule: The execution stack must be protected against buffer overflows, to prevent attacks of this type.
RS-1101
Rule: The size of core dumps must be configured so that the size is zero.
Additional information: Core files contain a memory image of the process which received a certain signal and is terminated. These files take up disk space and may contain sensitive information. Nothing prevents TEMPORARILY changing the core file limit to an adapted value if a core file really has to be analysed.
7.7. Environment
RS-1600
Rule: Prevent a Trojan Horse being run: check that the LD_LIBRARY_PATH variable (or equivalent) does not exist in the user environment (root or other) or, if it exists, only references sure libraries.
Additional information: Check that the files executed at login (/etc/profile, bashrc, etc.) do not set these variables to a dubious value. For Linux, also check /etc/ld.so.conf.
8. Account (access) security
8.1. Access control
In order to improve control of a UNIX machine and increase its security, we recommend the use of PAMs (Pluggable Authentication Modules). PAM is a powerful, flexible, extensible authentication tool which enables the system administrator to configure authentication services individually for each PAM-compliant application, without recompiling any applications.
RS-2000
Rule: Use PAMs.
Additional information: This will quickly upgrade your level of security.
RS-2001
Rule: A warning banner should be displayed before the authentication dialogue when logging in, in compliance with MGS402 S1F0 Warning to be inserted in the title pages.
8.2. Remote access right
All machines must control remote access rights. A machine must define the accounts authorised to log in from a remote terminal.
RS-2100
Rule: Root access via the network must be impossible.
Additional information: It is better to use a user account and then the su command to take the root identity, so that root connections to a system are logged.
8.3. Account/environment configuration
RS-2200
Rule: Account and password management must comply with MGS401.
RS-2201
Rule: The value of umask must be as restrictive as possible for each user:
- for root: at least 077
- for other users: at least 027
Additional information: Therefore, each file created by the user will automatically carry minimum rights.
RS-2202
Rule: Files enabling the configuration of the default user environment must be root:root and 644.
Additional information: The files are often those present in /etc/skel.
RS-2203
Rule: The user PATH must contain the system paths BEFORE the user paths.
Additional information: This avoids execution of Trojan horses.
RS-2204
Rule: The user PATH must not contain a relative path (starting with a .) except the current directory (only one .).
Additional information: This avoids execution of Trojan horses.
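An audit of a login environment against RS-1600, RS-2201, RS-2203 and RS-2204, added here as an example and not part of the document: the umask test applies the bitwise reading of section 2 (a stricter mask satisfies the requirement), and the PATH and LD_LIBRARY_PATH checks report each entry that breaks a rule. The lists of system and trusted library directories and the sample values are assumptions.

```shell
#!/bin/sh
# Login environment audit for RS-1600 (LD_LIBRARY_PATH), RS-2201 (umask),
# RS-2203 and RS-2204 (PATH). Added example, not part of MGS404. Values are
# passed as strings so the checks can run against constructed input.

# RS-2201: an actual umask meets a required one when every permission bit the
# required mask clears is also cleared by the actual mask (section 2 of the
# document: a stricter mask such as 027 satisfies a rule asking for 022).
# Both arguments are octal strings, e.g. 027.
umask_at_least() {
    actual=$(( 0$1 ))
    required=$(( 0$2 ))
    [ $(( actual & required )) -eq "$required" ]
}

# Directories treated as "system paths" for RS-2203 (assumption for this example).
SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin"

is_system_dir() {
    for d in $SYSTEM_DIRS; do [ "$1" = "$d" ] && return 0; done
    return 1
}

# RS-2203/RS-2204: print one line per problem in the PATH value $1; return 1 if any.
audit_path() {
    rc=0
    seen_user=0          # becomes 1 once a non-system directory has been seen
    dot_count=0
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    for entry in "$@"; do
        case "$entry" in
            ''|.) dot_count=$((dot_count + 1)) ;;   # an empty entry also means "."
            /*)   if is_system_dir "$entry"; then
                      [ $seen_user -eq 1 ] && { echo "system dir $entry after user dirs (RS-2203)"; rc=1; }
                  else
                      seen_user=1
                  fi ;;
            *)    echo "relative entry $entry (RS-2204)"; rc=1 ;;
        esac
    done
    [ $dot_count -gt 1 ] && { echo "current directory appears $dot_count times (RS-2204)"; rc=1; }
    return $rc
}

# RS-1600: LD_LIBRARY_PATH should be absent; if set, every entry must be a
# trusted library directory (the list is an assumption for this example).
TRUSTED_LIB_DIRS="/lib /usr/lib /usr/local/lib"

audit_ld_library_path() {
    [ -z "$1" ] && return 0
    rc=0
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    for entry in "$@"; do
        trusted=0
        for d in $TRUSTED_LIB_DIRS; do [ "$entry" = "$d" ] && trusted=1; done
        [ $trusted -eq 0 ] && { echo "untrusted library dir '$entry' (RS-1600)"; rc=1; }
    done
    return $rc
}

# Constructed sample values for a non-root account (not taken from a real host).
SAMPLE_PATH="/usr/local/bin:/usr/bin:/bin:.:./tools"
SAMPLE_LDPATH="/usr/lib:/tmp/lib"

umask_at_least 027 027 || echo "umask does not meet RS-2201"
audit_path "$SAMPLE_PATH" || echo "PATH does not meet RS-2203/RS-2204"
audit_ld_library_path "$SAMPLE_LDPATH" || echo "LD_LIBRARY_PATH does not meet RS-1600"
```

For a live session, call `audit_path "$PATH"`, `audit_ld_library_path "$LD_LIBRARY_PATH"` and `umask_at_least "$(umask)" 027` (077 for root).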
RS-2205
Rule: There should be no .netrc, .exrc, .vimrc or .forward type files in the tree structure, nor "."-type files.
Notes:
- .exrc (.vimrc) may be replaced by judicious use of the variable EXINIT (VIMINIT) (a .exrc file may exist anywhere and therefore be executed inadvertently from there). The behaviour of Vim is more secure on this point, but files should be monitored nevertheless.
- .forward files can execute commands that are unforeseen or not desirable on mail reception. Their content should therefore be monitored.
- "."-type files are often used to mask malicious files or directories.
RS-2206
Rule: Passwords for all users must be stored using a strong hashing algorithm (like MD5).
Additional information: This algorithm is more resistant than the crypt function usually used on UNIX systems.
RS-2207
Rule: No account should have a HOME DIRECTORY at /.
RS-2208
Rule: If uucp and nuucp exist, the shell may be controlled by a false shell.
Additional information: false, nologin OR bash, sh, ksh and csh are allowed.
RS-2209
Rule: No account defined in /etc/passwd should have a non-specified shell.
The case of root:
RS-2210
Rule: Only root is the system superuser (UID and GID equal to zero).
RS-2211
Rule: The root HOME DIRECTORY must be /root, perm 700, root:root.
RS-2212
Rule: All files loaded by root when it connects must be root:root and not be group or world writable (g-w, o-rwx for what is specific to root and o-w for what is common).
Additional information: The following scripts or programmes in particular:
- ~/.login, ~/.profile and any other login initialisation files
- ~/.exrc and any other programme initialisation files (if authorised)
- ~/.logout and any other end-of-session files
- crontab and at entries (see cron and at rules)
RS-2213
Rule: All root PATH directories must be root:root and 755.
Additional information: In particular to avoid a Trojan horse being put in place.
RS-2214
Rule: All scripts or binaries present in the root PATH must be exclusively owned by root or a system account and must not be world or group-writable (g-w, o-w).
Additional information: In particular to avoid Trojan horses being set up.
8.4. Administration commands
Certain UNIX commands, called r-commands, enable remote users either to log in (rlogin) or to execute commands (rsh, rcp, rexec) via the network, and therefore to carry out remote operation/administration work.
RS-2300
Rule: Use SSH commands instead of telnet and the r-commands (see MGS425).
RS-2301
Rule: If telnet cannot be replaced by SSH, use it on a dedicated network and secure access to telnet by xinetd or inetd + TCP-Wrapper.
Additional information: Limit the addresses that have to access the machine by telnet protocols:
- If xinetd is used, add the option only_from = address1 address2/mask address3/mask in the files /etc/xinetd.d/*telnet and/or /etc/xinetd.conf to limit access.
- If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny.
RS-2302
Rule: If ftp cannot be replaced by SSH, use it on the dedicated network in authenticated mode (unencrypted password on the network). Specialise the server (either in authenticated mode or in anonymous mode; in the latter case, apply MGS620 S0F1: Configuring anonymous UNIX FTP servers). In all cases, secure FTP access with xinetd or inetd + TCP-Wrapper and launch the FTP server in a separate environment (chroot). Do not authorise the upload function if it is not necessary. Prohibit connection to the FTP with too high rights.
Additional information: Limit the addresses that have to access the machine by FTP protocols:
- If xinetd is used, add the option only_from = address1 address2/mask address3/mask in the files /etc/xinetd.d/*FTP and/or /etc/xinetd.conf to limit access.
- If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny.
Put all users whose UID is less than 100 (500 if Pl@ton architecture) in /etc/ftpusers, as well as the user "nfsnobody" (if it exists), to prevent FTP access for these users.
Limit access with the FTP files /etc/ftpgroup, /etc/ftphosts (allow and deny options) and /etc/ftpaccess (noretrieve options, upload option set to no), and create non-empty .notar files (444 rights) in directories where downloading is prohibited.
Note: The noretrieve .notar option may cause problems for Internet Explorer. In this case, ensure not to put the option noretrieve .notar in /etc/ftpaccess.
8.5. Trust mechanism
The trusted host concept is based on the fact that users and applications calling from a trusted host are not obliged to supply a password (thereby doing away with authentication mechanisms and endangering the quality of system security).
RS-2400
Rule: Using the .rhosts function is prohibited (even for root). As a result, all user default directories must contain an empty .rhosts DIRECTORY with 000 rights (---------) and root:root as properties.
Additional information: If it exists, this file authorises access to your account without a password for the local or remote users listed in it. It does away with any access control system.
RS-2401
Rule: Use of the hosts.equiv function is prohibited. Therefore, the machine must have an empty /etc/hosts.equiv DIRECTORY with 000 rights (---------) and root:root as properties.
Additional information: The /etc/hosts.equiv file enables the following to be defined at local machine level:
- users authorised to log in to the local machine (if their login exists) without supplying passwords;
- users not authorised to connect to the local machine.
This also does away with any access control system.
8.6. Logging
Logging is the recording of application events via a central daemon in one or several local and/or remote files.
RS-2500
Rule: Use of the su command must be logged (in particular to detect unauthorised changes of privileges).
RS-2501
Rule: All login attempts (successful or otherwise) must be logged.
Additional information: This enables suspicious activity on a machine to be monitored (attempts at hacking, for example).
9. Network security
9.1. IP stack
RS-3000
Rule: Configuration of the network interfaces. For all machines, prevent information being recovered via the network interfaces' "promiscuous" mode (sniffer). On a server, to avoid spoofing:
- use static rather than dynamic addressing (no DHCP);
- for each machine on the same network that has to dialogue with this server, recording of the MAC address (Ethernet address) can be forced with the arp command.
Additional information: Means:
- Detect promiscuous mode with a command put in the crontab and run cyclically (hourly, for example).
- On a server: remove the DHCP client package(s) and configure the network interfaces manually. For each machine for which the MAC address is required, enter: arp -s (these commands may be added at the end of the file /etc/rc.d/rc.local, for example).
Notes:
- A switch to promiscuous mode can only occur with root rights. It may therefore indicate an anomaly (machine already compromised?).
- The use of certain libraries intended for network listening may not be detected.
- In a server hosting environment, it is preferable to have a machine that detects this mode (or even detects intrusions).
RS-3001
Rule: The sockets queue must be protected from SYN flooding.
RS-3002
Rule: Packets with the source routing option must not be retransmitted or processed.
RS-3003
Rule: The TIME_WAIT parameter for TCP must be set to 1 min (60 secs).
RS-3004
Rule: The machine must be protected against DoS attacks by ICMP flooding.
RS-3005
Rule: The IP stack must be protected in order to prevent redirection of an IP.
RS-3006
Rule: ARP query expiry time must be limited to 1 minute maximum in order to reduce ARP spoofing/hijacking risks.
RS-3007
Rule: Generation of TCP sequence numbers must be configured to prevent them from being guessed (random management).
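For Linux, where section 5.2.1 names /etc/sysctl.conf as the file concerned, an audit of current kernel settings against targets for RS-3001, RS-3002, RS-3004, RS-3005 and RS-3006, added as an example and not part of MGS404: the sysctl keys chosen and the sample values are assumptions, and RS-3003 and RS-3007 are left out because they have no direct sysctl equivalent on Linux.

```shell
#!/bin/sh
# Compare Linux kernel settings with targets for RS-3001 (SYN flooding),
# RS-3002 (source routing), RS-3004 (ICMP flooding), RS-3005 (IP redirection)
# and RS-3006 (ARP expiry). Added example, not from MGS404; the choice of
# sysctl keys is an assumption (the document only names /etc/sysctl.conf).
# Input is "key = value" text as printed by `sysctl -a`, passed as a string.

# Target values, one "key = value" per line. For RS-3006 the nearest Linux
# knob is the neighbour cache stale time in seconds (assumption).
EXPECTED='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.neigh.default.gc_stale_time = 60'

# Constructed sample of a host's current values (not a real capture).
CURRENT='net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.neigh.default.gc_stale_time = 120'

# Print the value of key $1 found in text $2; return 1 if the key is absent.
lookup() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $3; found = 1 } END { exit !found }'
}

# Print one line per key in $1 whose value in $2 differs or is missing; return 1 if any.
audit_sysctl() {
    rc=0
    while read -r key eq want; do
        [ -z "$key" ] && continue
        if have=$(lookup "$key" "$2"); then
            [ "$have" = "$want" ] || { echo "$key: is $have, expected $want"; rc=1; }
        else
            echo "$key: not present"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

if audit_sysctl "$EXPECTED" "$CURRENT"; then
    echo "IP stack settings meet the RS-3001..RS-3006 targets"
fi
```

Against a live host, call `audit_sysctl "$EXPECTED" "$(sysctl -a 2>/dev/null)"`.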
9.2. Administration flow security

Apply MGS425 OpenSSH, which contains the security rules concerning the protection of network flows by means of the Open-SSL protocol.

RS-3100  Apply MGS425 (OpenSSH configuration).

RS-3101  The machine must be administered through a specific network interface.
  Methods: additional network board or VPN (Virtual Private Network).

RS-3102  Administration services other than SSH must be filtered with xinetd or TCP Wrapper.
  If xinetd: use the bind and only_from options.
9.3. Network service filtering

Filtering uses the access control components. The role of filtering is not to format network traffic between two points but to decide whether a packet should or should not be processed. It can be rejected, accepted or modified, according to rules of varying complexity. In many cases, filtering is used to control and/or secure an internal network from the outside world (the Internet, for example).

RS-3200  All services activated in inetd or xinetd must be approved by the CNSSI security teams.
  Specify the approach.

RS-3201  As far as possible, do not install a printer server.
  This service is highly vulnerable.

RS-3202  Do not use NIS (it depends on RPCs, services that are too vulnerable).
  If such a service is necessary, prefer LDAP.

RS-3203  Limit access to network services to the only machines authorised, using xinetd or inetd + TCP Wrapper.
9.3.1. Configuration of inetd/tcp-wrapper

All services authorised to be present on machines should apply the following rules.

Configuration of inetd:

RS-3204  inetd must be associated with TCP Wrapper.

RS-3205  Connection requests must be recorded and filtered via inetd/TCP Wrapper.
  inetd alone does not provide network security (see the rules concerning TCP Wrapper and xinetd).

RS-3206  The inetd daemon must be started in standalone mode (-s) with the option -t.

RS-3207  All TCP and UDP services open in /etc/inetd.conf must be encapsulated with TCP Wrapper (using the nowait option).

Configuration of tcp wrapper:

RS-3208  PARANOID mode must be activated.
  For refusing all connections from a system whose name does not match its IP address.

RS-3209  Include one rule in /etc/hosts.deny refusing whatever is not authorised.
  The file must contain a single ALL: ALL line.
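As an added example (not part of MGS404), the shell functions below check the three testable rules of this section and of RS-3102 on copies of the configuration files: hosts.deny consists of a single ALL: ALL line (RS-3209), every active inetd.conf service is launched through tcpd (RS-3207), and an xinetd service definition carries both bind and only_from (RS-3102). It assumes the classic seven-field inetd.conf layout and a tcpd binary whose path ends in /tcpd; the sample files are constructed, and the 10.0.0.x addresses and /usr/local/sbin/admin-svc are placeholders.

```shell
#!/bin/sh
# Added example, not part of MGS404: checks for RS-3102, RS-3207 and RS-3209
# on constructed copies of hosts.deny, inetd.conf and an xinetd service file.

# check_hosts_deny FILE: RS-3209; apart from comments and blank lines the file
# must consist of exactly one "ALL: ALL" line (whitespace is normalised).
check_hosts_deny() {
    rules=$(sed -e 's/#.*//' \
                -e 's/[[:space:]]*:[[:space:]]*/: /g' \
                -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                -e '/^$/d' "$1")
    [ "$rules" = "ALL: ALL" ]
}

# check_inetd_wrapped FILE: RS-3207; in "service type proto wait user server
# args" lines the server (field 6) must be tcpd. Prints the unwrapped
# services; prints nothing when every active service is wrapped.
check_inetd_wrapped() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# check_xinetd_service FILE: RS-3102; the definition must bind the service to
# the administration interface (bind, or its synonym interface) and restrict
# the clients with only_from. Prints what is missing and returns 1 if any.
check_xinetd_service() {
    rc=0
    for attr in 'bind|interface' only_from; do
        grep -Eq "^[[:space:]]*($attr)[[:space:]]*=" "$1" ||
            { echo "$1: missing $attr"; rc=1; }
    done
    return $rc
}

# write_samples DIR: constructed configuration excerpts (placeholders, not a
# real site) so that the checks can be exercised offline.
write_samples() {
    cat > "$1/hosts.deny" <<'EOF'
# /etc/hosts.deny: deny by default, allow selectively in /etc/hosts.allow
ALL: ALL
EOF
    cat > "$1/hosts.deny.bad" <<'EOF'
ALL: ALL
in.ftpd: 10.1.2.0/255.255.255.0
EOF
    cat > "$1/inetd.conf" <<'EOF'
# service  type    proto  wait    user  server             args
telnet     stream  tcp    nowait  root  /usr/sbin/tcpd     in.telnetd
ftp        stream  tcp    nowait  root  /usr/sbin/in.ftpd  in.ftpd -l
EOF
    cat > "$1/admin-svc" <<'EOF'
service admin-svc
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/local/sbin/admin-svc
    bind        = 10.0.0.2
    only_from   = 10.0.0.0/24
}
EOF
    cat > "$1/admin-svc.bad" <<'EOF'
service admin-svc
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/local/sbin/admin-svc
}
EOF
}

# Stand-alone demonstration on the constructed samples.
d=$(mktemp -d)
write_samples "$d"
check_hosts_deny "$d/hosts.deny" && echo "hosts.deny: single ALL: ALL line, ok"
check_hosts_deny "$d/hosts.deny.bad" || echo "hosts.deny.bad: not a single ALL: ALL line"
check_inetd_wrapped "$d/inetd.conf"
check_xinetd_service "$d/admin-svc.bad" || true
rm -rf "$d"
```

Run against the real files (/etc/hosts.deny, /etc/inetd.conf, /etc/xinetd.d/<service>), the inetd check prints the services that bypass tcpd and thus escape both the PARANOID check of RS-3208 and the connection logging of RS-3205.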
a. RS-3219: a threshold fixed at between 85% and 95% helps prevent any possible system saturation. For less important services, a lower threshold can be fixed to leave priority to other services.
b. RS-3220: this option depends heavily on the service; generally, the value should be less than 50.
c. RS-3221: in general, a maximum of three connections per second is necessary. For heavily demanded services, it is possible to increase to 10 connections per second.
9.4. Routing

Routing is the method of carrying information (or packets) to the correct destination via a network. According to the type of network, data is sent by packets and its path chosen each time (adaptive routing), or a path is chosen once and for all (the two can be combined). A machine that handles routing is commonly called a router.

RS-3300  Routing daemons must be deactivated or deleted (e.g. gated, routed).
  Routing daemons are only used on machines connected to several networks and used to route packets.
9.5. Name resolution

RS-3400  Name resolution must firstly be carried out locally before any other method (DNS and LDAP).
  This requires name resolution to be first of all carried out via a local file, then via a DNS. This enables DNS spoofing to be avoided.
9.6. RPC (Remote procedure call): portmapper (portmap), rpcbind

RS-3500  All RPC network services started by the portmapper, including the portmapper itself, must be deactivated.
  All services to be started by the portmapper must receive the approval of the security teams.

RS-3501  If RPC network services are necessary, access must be secured and logged to the maximum.
9.7. Network services to ban

RS-3600  No network service other than SSH must be activated on the machine.
  Particularly daytime, discard, chargen, echo, fingerd, rquotad, rusersd, rwalld, rexd, systat, time, netstat.
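As an added example (not part of MGS404) covering sections 9.4 to 9.7, the script below reads "ps -eo comm" output for routing daemons (RS-3300), checks that the hosts line of nsswitch.conf puts files before any remote source (RS-3400), and lists listening sockets other than SSH from "ss -tuln" output (RS-3500, RS-3600). The ps and ss excerpts are constructed; on a live host the real commands are piped into the same functions.

```shell
#!/bin/sh
# Added example, not part of MGS404: checks for RS-3300, RS-3400, RS-3500 and
# RS-3600. Assumes `ps -eo comm` and `ss -tuln` (iproute2) for live use;
# the samples below are constructed.

# running_routing_daemons: RS-3300; reads `ps -eo comm` on stdin and prints
# any routing daemon found (gated and routed from the rule, plus the usual
# names of other routing daemons).
running_routing_daemons() {
    grep -Ex 'gated|routed|in\.routed|zebra|ospfd|ripd|bgpd|bird' || true
}

# check_hosts_order FILE: RS-3400; on the "hosts:" line of nsswitch.conf,
# "files" must come before any remote source (dns, ldap, nis). Returns 1
# when the order is wrong or the line is absent.
check_hosts_order() {
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "files" && !f) f = i
                 if ($i ~ /^(dns|ldap|nis|nisplus)$/ && !r) r = i
             }
         }
         END { if (f && (!r || f < r)) exit 0; exit 1 }' "$1"
}

# unexpected_listeners [PORT...]: RS-3500/RS-3600; reads `ss -tuln` output on
# stdin and prints "proto port" for every listening socket whose port is not
# in the allowed list (default: only 22, for SSH). The portmapper shows up
# here as port 111.
unexpected_listeners() {
    allowed=" ${*:-22} "
    awk -v allowed="$allowed" '
        NR > 1 {
            n = split($5, a, ":"); port = a[n]    # last field after ":" (works for [::]:22)
            if (index(allowed, " " port " ") == 0) print $1, port
        }'
}

# Constructed `ps -eo comm` excerpt: a routing daemon is running.
SAMPLE_PS='COMMAND
init
sshd
routed
syslogd'

# Constructed `ss -tuln` excerpt: SSH, the portmapper and a local MTA listen.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PS" | running_routing_daemons
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
tmp=$(mktemp)
printf 'hosts: dns [NOTFOUND=return] files\n' > "$tmp"
check_hosts_order "$tmp" || echo "nsswitch.conf: files must precede dns (RS-3400)"
rm -f "$tmp"
```

Services approved under RS-3200 are passed to unexpected_listeners as extra port arguments, so the report only ever lists sockets that nobody has justified.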
10. Security of services

This chapter covers the rules that apply to the principal services (functions) offered by Unix servers.

10.1. General comments

RS-4000  All sensitive services should be started in a chrooted environment.

10.2. X-Window

RS-4100  If an X server is necessary (X11 or XFree), use the most up-to-date valid version possible.

RS-4101  X server authentication must be carried out by the xauth function.
  Unlike filtering via xhost, which uses authentication based on the client host name, the xauth method uses a shared secret in order to guarantee authentication of the two parties. But the communication itself remains in the clear.

RS-4102  The data exchanged between the client and the X server must be encrypted via an SSH tunnel, in compliance with MGS425.

10.3. File transfer service

RS-4200  Apply MGS601 V2.0: File transfer.
  In the process of standardisation.

10.4. Messaging service

RS-4300  A mail transfer agent is necessary for distributing messages.
  This agent must not be run as a network service. In addition, its configuration should be modified so that it is not used as an uncontrolled mail relay.
10.5. Distributed names service

RS-4400  Use the security functions (LDAPS) supplied by LDAP.

10.6. NFS (network file system)

RS-4500  The NFS server must not be installed or started up.
  If the NFS server is necessary, the file /etc/exports must respect the following characteristics:
    - it must belong to root:root and have permissions 644;
    - domain names must be fully qualified if possible;
    - exports must be verified using the access option;
    - the file must not export to the server itself (localhost entry);
    - the nosuid and read-only mounting options must be preferred.
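As an added example (not part of MGS404), the following function checks an exports file against the RS-4500 characteristics using the Linux exports(5) syntax, "directory client(options) client(options)". The "access option" of the rule is read here as: every export names its clients explicitly (no bare directory, no wildcard client); nosuid is a client-side mount option and is therefore not checked on the server. The sample file is constructed, and the client names and addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of MGS404: checks of /etc/exports for RS-4500.
# Assumes Linux exports(5) syntax and, for the ownership check, GNU stat.

# check_exports FILE: prints one line per finding and returns 1 if any.
check_exports() {
    awk '
        function flag(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /^[[:space:]]*(#|$)/ { next }
        {
            if (NF < 2) flag($1 " has no client list (exported to everyone)")
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {          # split "host(opts)"
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client ~ /[*?]/) {
                    flag($1 " exported to wildcard client \"" $i "\"")
                } else if (client == "localhost" || client ~ /^127\./) {
                    flag($1 " exported to the server itself (" client ")")
                } else if (client !~ /^[0-9.\/]+$/ && client !~ /\./) {
                    flag($1 " client " client " is not fully qualified")
                }
                if (index("," opts ",", ",ro,") == 0)
                    flag($1 " is not read-only for \"" $i "\"")
            }
        }
        END { exit bad }' "$1"
}

# check_exports_file FILE: the file itself must be root:root with mode 644.
check_exports_file() {
    [ "$(stat -c '%U:%G %a' "$1")" = "root:root 644" ]
}

# write_sample_exports FILE: constructed exports file (placeholder hosts)
# with one compliant export and three non-compliant ones.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
/srv/public  *(ro)
/srv/data    nfsclient.example.com(ro,sync) nfsclient(rw)
/srv/local   localhost(rw)
/srv/good    10.0.0.0/24(ro) client2.example.com(ro,sync)
EOF
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
write_sample_exports "$tmp"
if check_exports "$tmp"; then echo "exports: compliant"; else echo "exports: non-compliant"; fi
rm -f "$tmp"
```

The findings name the export and the client, so a non-qualified host name or a read-write export is located without reading the whole file; the ownership check is kept separate because it is only meaningful on the real /etc/exports.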
10.7. Administration/supervision service

RS-4600  The SNMP protocol must not be used if not necessary.

RS-4601  If the SNMP protocol is necessary, version 3 must be used.
  If version 3 is not available, version 2 is tolerated. In any case, ban version 1.

RS-4602  If the SNMP protocol is necessary, there must be no SNMP community strings named public or private, nor the names supplied as standard by manufacturers (default parameters).

RS-4603  If the SNMP protocol is necessary, all community strings must comply with the password management policy.

RS-4604  Access to the SNMP server must be restricted to authorised stations only.

RS-4605  If the SNMP protocol is necessary, the sending of SNMP traps must be protected by identifiers in compliance with the password management policy.

RS-4606  If the SNMP protocol is necessary, access to the SNMP service is read-authorised only and not write-authorised.
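As an added example (not part of MGS404), the function below reads a net-snmp snmpd.conf and reports the lines that breach RS-4601 to RS-4606: SNMPv1 groups, the manufacturer defaults public and private, community strings without a source restriction, write access (rwcommunity, rwuser) and trap communities. MIN_COMMUNITY_LEN stands in for the site password policy of RS-4603; it is an assumed placeholder, not a value from the document. The sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of MGS404: check of a net-snmp snmpd.conf against
# RS-4601..RS-4606. Assumes the net-snmp directive syntax (rocommunity,
# rwcommunity, com2sec, group, rouser, rwuser, trapcommunity).
MIN_COMMUNITY_LEN=8     # assumed placeholder for the site password policy (RS-4603)

# check_snmpd_conf FILE: prints one finding per line and returns 1 if any.
check_snmpd_conf() {
    awk -v minlen="$MIN_COMMUNITY_LEN" '
        function flag(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        function community(c) {
            if (c == "public" || c == "private")
                flag("manufacturer default community \"" c "\" (RS-4602)")
            if (length(c) < minlen)
                flag("community \"" c "\" shorter than " minlen " characters (RS-4603)")
        }
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^r[ow]community6?$/ {             # r[ow]community COMMUNITY [SOURCE ...]
            if ($1 ~ /^rw/) flag($1 " grants write access (RS-4606)")
            if ($3 == "" || $3 == "default") flag($1 " has no source restriction (RS-4604)")
            community($2)
        }
        $1 == "com2sec" {                        # com2sec NAME SOURCE COMMUNITY
            if ($3 == "default") flag("com2sec " $2 " has no source restriction (RS-4604)")
            community($4)
        }
        $1 == "group" && $3 == "v1" { flag("group " $2 " uses SNMPv1 (RS-4601)") }
        $1 == "rwuser" { flag("rwuser " $2 " grants write access (RS-4606)") }
        $1 == "trapcommunity" { community($2) }  # RS-4605: trap identifiers follow the policy too
        END { exit bad }' "$1"
}

# write_sample_snmpd_conf FILE: constructed configuration (placeholder
# addresses and strings) mixing compliant and non-compliant lines.
write_sample_snmpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
rocommunity public
rwcommunity s3cretRW 10.0.0.0/24
rocommunity Mon1tor!ng 10.0.0.5
com2sec local 127.0.0.1 private
group MyROGroup v1 local
rouser monitor auth
rwuser admin priv
trapcommunity public
EOF
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
write_sample_snmpd_conf "$tmp"
if check_snmpd_conf "$tmp"; then echo "snmpd.conf: compliant"; else echo "snmpd.conf: non-compliant"; fi
rm -f "$tmp"
```

A configuration that satisfies all six rules contains only SNMPv3 users (rouser with auth or priv) and no community directive at all, which is exactly the case in which the function prints nothing.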
10.8. Web

RS-4700  Apply MGS411.

10.9. Domain names service

RS-4800  Use Bind or LDAP as the domain names service.

RS-4801  Always use the latest available validated and maintained version of the domain name service.
11. Appendix: rights and permissions for important files

The table below presents a non-exhaustive list of files for which ownership and user rights should be monitored with vigilance. The rights shown are the maximum admissible for a well-secured installation; they can nevertheless be further restricted.

When rights have to be modified, use the form given as parameter of the command /bin/chmod.

The group named ROOT corresponds to the group whose GID is 0 (zero); the name of this group may differ from one system to another.

The keyword ALL shows the rights for all systems other than those that are the subject of a specific line in the rights table (for the same file/directory).

A sealing tool (TripWire, for example; a study is available at Securinoo) would be an additional advantage for ensuring that critical files have not been modified, particularly on servers.
Files/Directories                   Owner      Group          Rights  Systems
/                                   root       ROOT           0755    ALL
/bin                                root       ROOT,bin       0755    ALL
/bin/bash                           root       ROOT,bin       0755    Linux
/bin/login                          root       ROOT,bin       4555    ALL
/bin/mount                          root       root           0550    Linux
/bin/netstat                        root       root           0550    Linux
/bin/su                             root       ROOT,bin       4755    ALL
/boot                               root       root           0750    Linux
/boot/*                             root       root           0640    Linux
/boot/grub/grub.conf                root       root           0600    Linux
/crash                              root       ROOT           0750    Solaris
/dev                                root,bin   ROOT,sys,bin   0755    ALL
/dev/console                        root       ROOT,sys       0633    ALL
/dev/full                           root       root           0666    Linux
/dev/kmem                           root       ROOT           0640    AIX
/dev/kmem                           bin        sys            0640    HP-UX
/dev/kmem                           root       kmem           0640    Linux
/dev/kmem                           root       sys            0640    Solaris
/dev/MAKEDEV                        root       root           0700    Linux
/dev/mem                            root       ROOT           0640    AIX
/dev/mem                            bin        sys            0640    HP-UX
/dev/mem                            root       kmem           0640    Linux
/dev/mem                            root       sys            0640    Solaris
/dev/null                           root,bin   ROOT,sys,bin   0666    ALL
/dev/random                         root       root           0644    Linux
/dev/tty                            root,bin   ROOT,tty,bin   0666    ALL
/dev/urandom                        root       root           0644    Linux
/dev/zero                           root       ROOT,sys       0666    Solaris,Linux,AIX
/etc                                root       ROOT,sys,bin   0755    ALL
/etc/aliases                        root       ROOT,bin       0600    Solaris,Linux,AIX
/etc/aliases.db                     root       root           0600    Linux
/etc/anacrontab                     root       root           0600    Linux
/etc/at.allow                       root       root           0600    Linux
/etc/at.deny                        root       root           0600    Linux
/etc/cron.allow                     root       root           0600    Linux
/etc/cron.d/at.allow                root       root           0600    Solaris
/etc/cron.d                         root       sys            0750    Solaris
/etc/cron.d/at.deny                 root       root           0600    Solaris
/etc/cron.d/cron.allow              root       sys            0600    Solaris
/etc/cron.d/cron.deny               root       sys            0600    Solaris
/etc/cron.deny                      root       root           0600    Linux
/etc/default/useradd                root       bin            0640    HP-UX
/etc/default                        root       root,sys       0750    Linux,Solaris,HP-UX
/etc/default/init                   root       sys            0644    Solaris
/etc/default/login                  root       sys            0644    Solaris
/etc/default/passwd                 root       sys            0644    Solaris
/etc/default/su                     root       sys            0644    Solaris
/etc/defaultrouter                  root       root           0644    Solaris
/etc/environment                    root       ROOT           0644    AIX
/etc/exclude.rootvg                 root       ROOT           0644    AIX
/etc/exports                        root       root           0600    ALL
/etc/fstab                          root       sys            0640    HP-UX
/etc/fstab                          root       root           0600    Linux
/etc/ftpaccess                      root       root           0400    Linux
/etc/ftpconversions                 root       root           0400    Linux
/etc/ftpgroups                      root       root           0400    Linux
/etc/ftphosts                       root       root           0400    Linux
/etc/ftpusers                       root       root           0400    Solaris,Linux
/etc/group                          root       ROOT           0644    ALL
/etc/hosts                          root       ROOT           0644    ALL
/etc/hosts.allow                    root       ROOT           0640    ALL
/etc/hosts.deny                     root       ROOT           0640    ALL
/etc/hosts.equiv                    root       ROOT           0000    ALL
/etc/hosts.lpd                      root       ROOT           0600    AIX
/etc/inet/hosts                     root       root           0444    Solaris
/etc/inet/inetd.conf                root       root           0644    Solaris
/etc/inet/services                  root       root           0644    Solaris
/etc/inetd.conf                     root       ROOT           0644    ALL
/etc/init.d                         root       root           0750    Solaris,Linux
/etc/init.d/*                       root       root           0750    Solaris,Linux
/etc/inittab                        root       ROOT           0644    ALL
/etc/issue*                         root       root           0644    Solaris,Linux,HP-UX
/etc/lilo.conf                      root       root           0600    Linux
/etc/login.defs                     root       root           0600    Linux
/etc/mail                           root       root           0755    Solaris,Linux,HP-UX
/etc/mail/*                         root       root           0644    Solaris,Linux,HP-UX
/etc/motd                           root       ROOT           0644    Solaris,Linux,AIX
/etc/mtab                           root       root           0644    Linux
/etc/netgroup                       root       ROOT           0644    HP-UX
/etc/notrouter                      root       root           0644    Solaris
/etc/passwd                         root       ROOT           0644    ALL
/etc/printcap                       root       root           0644    Linux
/etc/profile                        root       ROOT           0644    ALL
/etc/rc.*                           root       ROOT           0750    AIX,Linux
/etc/rc.config.d                    bin        bin            0755    HP-UX
/etc/rc.config.d/*                  bin        bin            0644    HP-UX
/etc/rc.d/*/*                       root       ROOT           0700    AIX,Linux
/etc/rc.d/rc?.d                     root       ROOT           0755    AIX,Linux
/etc/rc.d/rc?.d/*                   root       ROOT           0744    AIX,Linux
/etc/rc?.d                          root       root           0755    Solaris
/etc/rc?.d/*                        root       root           0744    Solaris
/etc/resolv.conf                    root       ROOT           0644    ALL
/etc/rpc                            root       ROOT,sys,bin   0644    ALL
/etc/securetty                      root       root           0600    Linux
/etc/security                       root       root           0755    AIX
/etc/security/group                 root       security       0640    AIX
/etc/security/passwd                root       security       0600    AIX
/etc/security/user                  root       security       0640    AIX
/etc/sendmail.cf                    root       root           0644    Linux,AIX
/etc/services                       root       ROOT           0644    ALL
/etc/shadow                         root       root,sys       0600    Solaris,Linux
/etc/skel                           root       root           0755    Solaris,Linux,HP-UX
/etc/skel/*                         root       root           0644    Solaris,Linux,HP-UX
/etc/snmp/conf/snmpd.conf           root       root           0644    Solaris
/etc/SnmpAgent.d/snmpd.conf         root       root           0644    HP-UX
/etc/snmpd.conf                     root       ROOT           0644    AIX
/etc/ssh                            root       ROOT           0755    Linux,AIX
/etc/ssh/* (all other files)        root       ROOT           0644    Linux,AIX
/etc/ssh/*_key                      root       ROOT           0600    Linux,AIX
/etc/ssh/sshd_config                root       ROOT           0600    Linux,AIX
/etc/syslog.conf                    root       ROOT           0644    ALL
/etc/system                         root       root           0644    Solaris
/etc/xinetd.conf                    root       ROOT           0640    ALL
/etc/xinetd.d                       root       ROOT           0750    ALL
/etc/xinetd.d/*                     root       ROOT           0640    ALL
/root/*                             root       ROOT           0700    ALL
/root/.rhosts                       root       ROOT           0000    ALL
/sbin                               root       ROOT,bin       0755    ALL
/sbin/arp                           root       ROOT           0755    Linux
/sbin/init.d                        root       root           0750    HP-UX
/sbin/init.d/*                      root       root           0744    HP-UX
/sbin/mount                         root       root           0550    HP-UX
/sbin/rc?.d                         root       root           0755    HP-UX
/sbin/rc?.d/*                       root       root           0744    HP-UX
/sbin/route                         root       root           0550    Linux
/system                             root       ROOT           0755    AIX,Linux,HP-UX
/system/products                    root       root           0555    Linux
/system/products/sudo/log/sudo.log  root       root           0644    Linux
/tmp                                root       ROOT           1777    ALL
/users                              root       ROOT           0555    ALL
/usr/bin                            root       ROOT,bin       0755    ALL
/usr/bin/at                         root       ROOT           4555    ALL
/usr/bin/finger                     root       root           0550    ALL
/usr/bin/netstat                    root       root           0550    Solaris,AIX,HP-UX
/usr/bin/passwd                     root       ROOT,bin       4555    ALL
/usr/bin/rdate                      root       root           0550    Solaris
/usr/bin/rdist                      root       root           0550    Solaris,AIX,HP-UX
/usr/bin/rpcinfo                    root       root           0550    Solaris,AIX,HP-UX
/usr/bin/rusers                     root       root           0550    Solaris,AIX,HP-UX
/usr/bin/rwho                       root       root           0550    Solaris,AIX,HP-UX
/usr/bin/talk                       root       root           0550    Solaris,AIX,HP-UX
/usr/bin/wall                       root       tty            2555    Linux
/usr/bin/write                      root       tty,bin        2555    ALL
/usr/games                          root       root           0755    Linux
/usr/lib                            root       ROOT,bin       0755    ALL
/usr/sbin/arp                       root       ROOT           0755    Solaris,AIX,HP-UX
/usr/sbin/chroot                    root       root           0550    ALL
/usr/sbin/mount                     root       root           0550    Solaris,AIX
/usr/sbin/route                     root       root           0550    Solaris,AIX,HP-UX
/usr/sbin/rpcinfo                   root       root           0550    Linux
/usr/sbin/wall                      root       tty,bin        2555    AIX,Solaris,HP-UX
/var/adm/cron                       root       ROOT,cron      0755    AIX,HP-UX
/var/adm/cron/at.allow              root       ROOT,cron      0640    AIX,HP-UX
/var/adm/cron/at.deny               root       ROOT,cron      0640    AIX,HP-UX
/var/adm/cron/cron.allow            root       ROOT,cron      0640    AIX,HP-UX
/var/adm/cron/cron.deny             root       ROOT,cron      0640    AIX,HP-UX
/var/adm/cron/log                   root       ROOT           0644    AIX,HP-UX
/var/adm/messages                   root       ROOT           0644    ALL
/var/adm/syslog/*                   root       root           0644    HP-UX,Solaris
/var/cron/log                       root       root           0644    Solaris
/var/log/*                          root       root           0640    Solaris,Linux
/var/log/wtmp                       root       utmp           0600    Linux
/var/run/syslogd.pid                root       root           0640    Solaris,Linux,HP-UX
/var/run/utmp                       root       utmp           0644    Linux
/var/spool                          root,bin   ROOT,bin       0755    ALL
/var/spool/at                       daemon     daemon         0700    Linux
/var/spool/cron                     root       root           0700    ALL
/var/tmp                            root       root           1777    ALL
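As an added example (not part of MGS404), the script below audits a system against rows of the table above. It applies the two conventions stated in the introduction of this appendix: the rights are maxima, so a file may carry fewer permission bits than the table but never more, and ROOT denotes the group whose GID is 0, whatever it is called locally. It assumes GNU coreutils stat (the -c format) and getent; rows whose path does not exist on the audited system (entries for another Unix variant) are skipped. The demonstration rows at the end are taken from the table; the test data is created in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of MGS404: audit of ownership and mode against rows
# of the appendix table. Assumes GNU coreutils stat and getent.

# ROOT in the table means the group whose GID is 0, whose name varies.
ROOT_GROUP=$(getent group 0 2>/dev/null | cut -d: -f1)
ROOT_GROUP=${ROOT_GROUP:-root}

# in_list NAME LIST: true if NAME is one of the comma-separated LIST entries
# (ROOT in LIST is replaced by the real name of GID 0).
in_list() {
    list=$(printf '%s' "$2" | sed "s/ROOT/$ROOT_GROUP/g")
    case ",$list," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# check_entry PATH OWNERS GROUPS MAXMODE: prints one line per violation and
# returns 1 if any. Absent paths (rows for other systems) are skipped.
check_entry() {
    path=$1; owners=$2; groups=$3; max=$4
    [ -e "$path" ] || return 0
    set -- $(stat -c '%U %G %a' "$path")     # owner, group, octal mode
    rc=0
    in_list "$1" "$owners" || { echo "$path: owner $1, expected $owners"; rc=1; }
    in_list "$2" "$groups" || { echo "$path: group $2, expected $groups"; rc=1; }
    # bits set on the file but clear in the maximum are the only mode violation
    if [ $(( 0$3 & ~0$max )) -ne 0 ]; then
        printf '%s: mode %04o exceeds maximum %04o\n' "$path" "0$3" "0$max"
        rc=1
    fi
    return $rc
}

# audit_rights TABLE: TABLE holds "path owners groups maxmode" rows, i.e. the
# table columns without Systems; globs such as /boot/* are expanded.
audit_rights() {
    bad=0
    while read -r pattern owners groups max; do
        case $pattern in ''|'#'*) continue ;; esac
        for path in $pattern; do
            check_entry "$path" "$owners" "$groups" "$max" || bad=1
        done
    done < "$1"
    return $bad
}

# Stand-alone run over rows of the table that apply to all systems.
rows=$(mktemp)
cat > "$rows" <<'EOF'
# path          owners  groups  maximum rights
/etc/passwd     root    ROOT    0644
/etc/group      root    ROOT    0644
/etc/exports    root    root    0600
/tmp            root    ROOT    1777
EOF
audit_rights "$rows" && echo "all rows compliant"
rm -f "$rows"
```

Because the comparison is bitwise, a file tightened to 0600 where the table allows 0644 passes, while 0644 where the table allows 0600 is reported; a sealing tool such as the TripWire mentioned above then covers what this check cannot, namely changes to the contents of the files.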