Security Parameters For Unix and Linux Systems
Operating Method
Organization of Networks, Carriers and IT Division
Architecture and Security Department
Architecture Prescriptions and Security

Reference: MGS404 S2F0
Master Document: PSI-RSI : PGS425
Location: Securinoo
Summary: security rules applicable for CNS SI
Support Service: ZZZ Permanence CNSSI
Type:
Keywords:
Creation: cancels and replaces:
Validity: temporary, from: to:

Author: Patrick BREHIN, Xavier GATELLIER & al. (date: 26/4/2004, signature)
Verification: Jean-Paul Guiguen, Mickal Davila (date: 4/5/2004, signature)
Approved by: name, date, signature

Modifications
Version N | Version date | Nature of modification
S0F0      | 12.12.03     |
S0F1      | 16/12/2003   |
11        | 23/04/2004   |

Domain of attachment
Domain code: GS

Associated documents
Document code                      | Document name
BD/99/41, BRHF/99/205, SG/99/27    | Record of Decision BD/BRHF/SG of 22 April 1999 Organisation of France Telecom information system security and associated charter.
                                   | Criminal Code Article 223 et seq.
MGS411                             | Configuration of security parameters for http servers
MGS402 S1F0                        | Warning to be inserted into title pages
MGS401 S2F3                        | Authentifiers, identifiers and passwords
MGS425 S1F0                        | OpenSSH configuration
MGS-679 v0.2                       | Archiving of logs
GUI-017                            | Tcp-wrappers installation and configuration guide
MGS 601 V2.0                       | File transfer
MGS 620 S0F1                       | Configuring anonymous UNIX FTP servers
Page : 2/33
Contents
1. Objective
2.
3. Players concerned
4.
5. Overview of Operation
5.1. UNIX system
5.1.1. Data organisation
5.1.2. File and directory rights
5.1.3. Software packages
5.1.4. Task automation
5.1.5. X-Window
5.1.6. Miscellaneous (.exrc file; chroot command)
5.2. Network services
5.2.1. IP stack
5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind
5.2.3. Xinetd
6. General rules
6.3. Miscellaneous
7. System security
7.5. Automation
7.7. Environment
8.
8.6. Logging
9. Network security
9.1. IP stack
9.4. Routing
10. Security of services
10.2. X-Window
10.8. WEB
1. Objective
This document defines the security rules applicable to UNIX and Linux systems.
3. Players concerned
5. Overview of Operation
5.1. UNIX system
5.1.1. Data organisation
All the data in a UNIX system may be seen as an enormous catalogue of files, each referenced in an unambiguous way. It is therefore a complex data structure that must manage the following high-level concepts simultaneously: the file name, its attributes, its type (if that is meaningful for the system), its size, its physical storage, and the operations in progress on the file (concurrent access management, modifications in progress but not yet written to the storage medium, etc.).
The data is organised in a tree structure of files and directories. For easier handling, this structure is generally broken down into several sub-structures called file systems.
File systems cannot be accessed directly: they first have to undergo an operation known as mounting. Any mounted file system must be unmounted, or the removable media containing it must be taken out, before the machine is turned off; otherwise any unwritten data is permanently lost.
The Unix file system tree structure is standard and can be broken down as follows:
- /etc
- /bin
- /lib
- /sbin
- /var
- /tmp or /var/tmp
- /root
- /usr
- /usr/local
- /home (or others as applicable)
5.1.2. File and directory rights
In UNIX systems, files may have read (r), write (w) and execute (x) protection. In this way it is possible to choose whether a file can be read and/or modified and/or executed. This protection is based on the principle of file access rights.
File rights are defined according to these access rights (rwx) and the ownership of the file. Access rights to a file are defined separately for its owner, for the group to which the file belongs and for other users (those that are neither its owner nor part of the owner's group).
A file or directory may also be given the following other rights:
- SetUID
- SetGID
- StickyBIT
5.1.3. Software packages
Nowadays, most companies commercialising UNIX systems organise the various software components and supply them in packages. The system is thus installed in homogeneous groups of files, and the elements grouped in a package are generally highly interdependent (in practice they are files for the same application). When a package is installed, the user in fact installs specific software. However, certain packages depend on other packages; for example, the packages containing the basic system are obviously used by all other packages. The installation programmes manage this dependency and inter-package conflicts relatively well, so that packages can now be installed without too much difficulty.
In order to organise all these packages, companies often sort them into series. A series is simply a set of packages grouped by functional domain. This means that a given package can easily be found by searching in the series containing all the functionally similar packages. Grouping packages into series in no way means that all packages in the same series need to be installed in order to obtain a given function, but that the programmes within the series more or less concern this function. In fact, redundancy or conflict may exist between two packages in the same series. In this case, the user should select one or the other, according to the requirements.
5.1.4. Task automation
In Unix, tasks can be configured to be executed automatically during a given period of time, on given dates, or when the system load average is beneath a certain level.
The cron and at facilities enable commands or scripts to be executed at a point in the future. The cron system function is administered with the crontab command; the at command is used to submit a one-off job to the system.
5.1.5. X-Window
X Window is not only a video board driver but also an application programming interface (API) enabling applications to be displayed on the screen and to receive input via the keyboard and mouse.
X is also a network server, which means that it can offer its services via a network, enabling the screen display of an application running on another machine, even if the two architectures are completely different. This is why the term X server is used to designate the graphical sub-system.
The X Window system runs on almost all Unix systems and is even used under Windows and OS/2. Almost all graphical programmes under Unix use X.
The user does not interact directly with X but rather with what are called X clients (as opposed to the X server). You undoubtedly already use clients such as a Window Manager or a Desktop Environment such as CDE, KDE or Gnome. To log on, you probably also use a Display Manager such as KDM, XDM or GDM. The applications sit above these clients.
The X Window system (or X Window, or even X) is a registered trademark of the X Consortium. The free X servers distributed with Linux come from the XFree86 project.
Official sites:
http://www.x.org
http://www.xfree86.org
5.1.6. Miscellaneous
5.1.6.1. .exrc file
The ex or vi editors, for example, first look for the .exrc startup file in the current directory, then in your HOME directory. This file is normally used to define abbreviations and key-combination mappings. However, it may also contain shell escapes that cause commands to be executed when the editor is started.
5.1.6.2. chroot command
Chroot is a command that changes the location of the root of the file system as seen by a programme; for example, a decoy root can be set up for the programme so that ill-intentioned users cannot get into the real root.
5.2. Network services
5.2.1. IP stack
An IP stack is a group of interdependent protocols, each of them relying on one or several others, which is why the word "stack" is used. It is a simplified form of the OSI 7-layer model which has proved robust and adaptable.
The principal components of the TCP/IP stack are as follows:
- IP (Internet Protocol): a level-3 protocol. It transfers TCP/IP packets on the local network and to external networks via routers. IP works in connectionless mode, i.e. packets issued by level 3 are transferred independently (datagrams) without any guarantee of delivery.
- ARP (Address Resolution Protocol): a protocol that links the level-3 address (the IP address) with a level-2 address (the MAC address).
- ICMP (Internet Control and error Message Protocol): used for tests and diagnostics.
- TCP (Transport Control Protocol): a level-4 protocol that operates in connection-oriented mode. On a TCP connection between two network machines, messages (packets or TCP segments) are acknowledged and delivered in sequence.
- UDP (User Datagram Protocol): a level-4 protocol in connectionless mode; messages (or UDP packets) are forwarded independently.
Correspondence between the OSI layers and the TCP/IP stack:
OSI layer                                | TCP/IP
7 Application, 6 Presentation, 5 Session | TELNET, FTP, TFTP, SMTP, RPC, DOMAIN, X11, HTTP, NFS
4 Transport                              | TCP, UDP
3 Network                                | IP (Internet Protocol), ICMP, ARP
2 Data Link, 1 Physical                  | Local Network Protocol (Ethernet, Fast Ethernet, FDDI...)
IP stack parameters (table): Solaris, HP-UX, Linux kernel 2.2.
5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind
The operating principle of remote procedure calls is as follows. Each programme wishing to provide RPC services "listens" on a TCP or UDP port for queries. Clients wishing to use these services send their queries to this port, supplying all the information needed to execute the query: the query number and the query parameters. The server executes the query and returns the result. RPC libraries provide the functions needed to transfer the parameters and to perform the actual remote calls.
In practice, however, clients do not know on which port the RPC server is expecting their queries. A mechanism has therefore been set up to let them retrieve this port and then communicate with the server. Each RPC server is identified by a unique programme number and a version number. When they start up, the servers register with the system, specifying the port on which they will be listening for queries. Clients can then query the remote system for the port where they will find a given server, based on the latter's programme and version numbers.
A special RPC service therefore exists, known as the portmapper, which provides clients that request them with the port numbers of the other servers. The portmapper must of course always be contactable, which implies that it must always use the same port number. By convention, the portmapper is identified by programme number 100000 and listens for client queries on port 111 of both TCP and UDP. It must be started before any programme that makes RPC calls (as the NIS/NIS+ client does) to servers on this machine (an NIS/NIS+ server, for example). When an RPC server starts, it informs the portmap daemon of the port number on which it is listening and of the RPC programme numbers it is ready to serve. In principle, standard RPC servers are launched by inetd (see the inetd(8) manual page), so portmap must be launched before inetd. (All these elements are used by NIS/NIS+ and NFS among others; the portmapper administers nfsd, mountd, ypbind/ypserv, pcnfsd and r-services such as ruptime and rusers.)
5.2.3. Xinetd
Xinetd is present on at least the following platforms: Solaris 2.6 (sparc and x86), Linux, BSDi, and IRIX 5.3 and 6.2.
Xinetd offers access control capabilities similar to those offered by tcp_wrapper. However, its possibilities extend far beyond this:
- access control for TCP, UDP and RPC services (not everything works very well for the latter);
- access control based on time slots;
- powerful logging, for both successful and failed connections;
- efficient prevention of Denial of Service (DoS) attacks, which block a machine by saturating its resources:
  - limitation of the number of servers of the same type that can run at the same time;
  - limitation of the total number of servers;
  - limitation of the size of log files;
- attachment of a service to a specific interface: for example, this enables services to be made accessible to your internal network but not to the outside world;
- may serve as a proxy towards other systems, which is very practical in the event of IP masquerading (or NAT) in order to reach machines located on the internal network.
The main disadvantage concerns RPCs, which are not yet very well supported. However, portmap and xinetd coexist perfectly.
6. General rules
6.1.
Rule: The system must be as up to date as possible. This means that the latest validated security updates must be installed.
Rule: No unnecessary software packages should be installed on the system. All packages considered unnecessary should therefore be deleted.
Rule identifiers: RS-0000, RS-0001.
6.2. Startup scripts
These scripts are initiated when the system is started and are responsible for various tasks such as mounting the read/write file systems, activating swap, setting some system parameters and launching the various daemons required by the system.
Rule: All unnecessary startup scripts in the default startup directory must be deactivated (often those from unnecessary packages).
Rule: The umask value set in the start-up scripts must be 027.
Additional information: This enables the scripts and the daemons they launch to create files with 640 permissions. Any waiving of this rule must be approved by the security teams.
Rule identifiers: RS-0100, RS-0101.
6.3. Miscellaneous
Rule: Prohibit restarting via the keyboard (CTRL+ALT+DEL).
Rule: In non-secure environments, prohibit starting the machine other than from the system disk, i.e. any booting from CD-ROM or any other disk.
Rule: Protect non-standard system booting with a password.
Additional information: These rules apply to all Linux and Solaris systems running on Intel platforms. On Intel platforms, this means requiring a password for access to the BIOS, to prevent the boot sequence being modified.
Rule identifiers: RS-0200, RS-0201, RS-0202.
7. System security
7.1. File system
Rule: The /var partition must be mounted on a dedicated file system.
Additional information: The /var partition contains log, patch, print and e-mail files, etc. The disk space taken up by these files therefore varies. This partition must be separate from the root file system; this avoids log saturation bringing the server to a standstill.
Additional information: The mount options required by this section prevent binaries from running, processing of the suid/sgid bits and interpretation of special files.
Rule identifiers: RS-1000, RS-1001, RS-1002, RS-1003.
7.2. System stack
The stack is the memory zone of a process (a programme being executed) dedicated to saving the data needed for calls (the arguments and return addresses are pushed) and returns (the arguments and return address are popped).
Rule: The execution stack must be protected against buffer overflows to prevent attacks of this type.
Rule: The size of core dumps must be configured so that the size is zero.
Additional information: Core files contain a memory image of the process which received a certain signal and was terminated. These files take up disk space and may contain sensitive information. Nothing prevents TEMPORARILY changing the core file limit to a suitable value if a core file really has to be analysed.
Rule identifiers: RS-1100, RS-1101.
7.3. Sensitive files
All operating systems contain files of a sensitive nature, since they are directly or indirectly involved in the security of the system.
Rule: The rights and permissions described for the files and directories listed in the appendix to the present document must be respected.
Rule: Any file or directory must be linked to an existing user (UID) and to a group (GID).
Additional information: There should be no orphan files or directories. This makes it easier to manage the user accounts and rights.
Rule: No file or directory should be write-authorised for other users. Otherwise, the sticky bit should be set on the directories involved.
Additional information: Files writable by everyone allow hackers to insert malicious code in the files. Note: with the t-bit set, only the owner of the directory or root has the right to delete the files. This must already be done as standard on the /tmp and /var/tmp directories. This may cause problems for shared directories where one user can create a file and another can delete it.
R
Rule: The directory containing the kernel must be owned by root, its group must be zero and the permissions must be set to 750 or better. Ditto for its content, but with permissions set at 640 or better.
Rule: The following must not be SUID/SGID: 1) unused binary files; 2) user files; 3) scripts belonging to root.
Additional information: Such files are often used by hackers to create backdoors (buffer overflow-type attacks, overwriting of system files or access to root privileges).
Rule: So-called special files, and they alone, should be in a specially allocated file structure (such as /dev or /devices) and only in that tree structure.
Additional information: This prevents the use of uncontrolled special files (c for character devices and b for block devices) to mount an attack.
Exceptions:
- Some systems have directories and system shell scripts in /dev.
- The device creation executable MAKEDEV may exist in the /dev directory. Leave it there, but apply the command /usr/bin/chattr +i to protect it against modifications.
- Directories and symbolic links may also exist in the /dev tree structure.
- Socket-type files (type s) may be in the /tmp or /var tree structure.
Special files that do not fit these cases should be deleted or moved. Links (symbolic or not) may be considered normal except when they are in a directory writable by all (particularly /tmp and /var/tmp), where they must be considered suspect and, if possible, deleted.
Rule identifiers: RS-1200 to RS-1206.
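The file-rights rules of sections 5.1.2 and 7.3 (world-writable files, sticky bit on shared directories, SUID/SGID files, special files outside /dev) can be audited with a short script. The following is an added example and not part of MGS404: it assumes a find(1) that accepts -perm -NNN (GNU and BSD find both do), and it builds a constructed sample tree so that the checks can be run offline.

```shell
#!/bin/sh
# Added example (not from MGS404): audit a directory tree against the file-rights
# rules of sections 5.1.2 and 7.3. One finding per line, prefixed by its kind:
#   WORLD_WRITABLE_FILE  regular file writable by "others" (o+w)
#   NO_STICKY_DIR        world-writable directory without the t-bit
#   SUID_SGID            set-uid or set-gid file, to be justified or removed
#   SPECIAL_OUTSIDE_DEV  block or character device outside /dev and /devices
# Assumes a find(1) that accepts -perm -NNN (GNU and BSD find both do).

audit_tree() {                       # $1 = directory to audit
    root="$1"
    find "$root" -type f -perm -002 -print | sed 's|^|WORLD_WRITABLE_FILE |'
    find "$root" -type d -perm -002 ! -perm -1000 -print | sed 's|^|NO_STICKY_DIR |'
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's|^|SUID_SGID |'
    find "$root" \( -path /dev -o -path /devices \) -prune -o \
         \( -type b -o -type c \) -print | sed 's|^|SPECIAL_OUTSIDE_DEV |'
}

# Orphan files (rule "any file must be linked to an existing UID and GID").
# Kept separate from audit_tree because a minimal container may have no passwd
# entry for the running user, which would flag every file.
orphan_files() {                     # $1 = directory to audit
    find "$1" \( -nouser -o -nogroup \) -print | sed 's|^|ORPHAN |'
}

# Number of findings of one kind, e.g. audit_count /srv NO_STICKY_DIR
audit_count() {                      # $1 = directory, $2 = finding kind
    audit_tree "$1" | grep -c "^$2 " || true
}

# Constructed sample tree: one violation of each of the first three kinds,
# plus a correctly configured /tmp-like directory (1777) and a 640 file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/shared" "$d/tmp"
    chmod 777 "$d/shared"             # world-writable, no sticky bit -> finding
    chmod 1777 "$d/tmp"               # world-writable with t-bit -> compliant
    touch "$d/notes.txt" "$d/safe.txt" "$d/helper"
    chmod 666 "$d/notes.txt"          # world-writable file -> finding
    chmod 640 "$d/safe.txt"           # compliant
    chmod 4755 "$d/helper"            # set-uid -> finding
    echo "$d"
}

# Usage when run as a script: audit the tree named on the command line.
[ "$#" -eq 1 ] && audit_tree "$1"
```

Run against a real tree (for example `audit_tree /usr/local`) the SUID_SGID lines are the list to justify against the "must not be SUID/SGID" rule; the other three kinds are straightforward violations.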
7.4.
Rule: No tools that may reveal all or part of the security policy should be present on the machine.
Rule: No network sniffers must be present on the machine.
Rule identifiers: RS-1300, RS-1301, RS-1302.
7.5. Automation
Rule: Cron and at services must be disabled for standard users.
Additional information: The cron.allow and at.allow files must only contain root. All other accounts can be placed in the cron.deny and at.deny files.
Rule: The root cron must not execute a file that loads other files not owned by root or which are write-accessible for other users.
Additional information: A Trojan horse may be placed in files launched by the root cron.
Rule: Crontab entries executed by the root user and supplied by third-party providers must be deleted.
Rule: The cron daemon activity must be logged.
Rule identifiers: RS-1400 to RS-1403.
7.6. Logging configuration
Rule: Log files must be centralised in a specific directory (/var/adm or /var/log). They must be protected by setting the rights at 640 or better for the files and 750 or better for the directory containing them.
Rule: Log files must be duplicated on a secure machine designated as the loghost (present in /etc/hosts).
Rule: RSSI N 679 (Log archiving) must be complied with.
Rule: The syslog daemon must be configured (via syslog.conf, or the log configuration file appropriate to the system) so that:
- all info priority events (or higher) are redirected to a remote log file: *.info @loghost
- mail and authentication facility events are redirected to a local restricted-access log file (mode 600): auth.info;mail.info /var/log/secure.log, or authpriv.info;mail.info /var/log/secure.log
- info priority events (or higher) for all daemons (except e-mail and authentication) are redirected to a local log file;
- kernel facility events are redirected to the console and to a local log file (dedicated and global);
- emergency priority events are redirected to the console and to a local log file (dedicated and global).
Rule identifiers: RS-1500 to RS-1507.
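The syslog rules of section 7.6 translate into a handful of selector/action lines. The following is an added example, not part of MGS404: a constructed syslog.conf that meets the rules as written above, a deliberately weak one, and a checker that reports which of the rules a given file misses. It assumes the classic syslogd syntax (selector, whitespace, action; "@host" for forwarding) and uses the host name "loghost" from the document.

```shell
#!/bin/sh
# Added example (not from MGS404): a syslog.conf that follows the section 7.6
# rules, and a checker that reports which rules a given syslog.conf misses.
# Assumes classic syslogd syntax: "selector<whitespace>action" per line, with
# "@host" for remote forwarding. "loghost" is the name the document uses.

write_sample_conf() {                # constructed compliant configuration
    f=$(mktemp)
    cat > "$f" <<'EOF'
# everything of priority info or higher goes to the remote loghost
*.info                          @loghost
# authentication and mail events: local, restricted file (chmod 600)
authpriv.info;mail.info         /var/log/secure.log
# all other daemons, info or higher, to a local file
*.info;mail.none;authpriv.none  /var/log/messages
# kernel events: console plus a dedicated local file
kern.*                          /dev/console
kern.*                          /var/log/kern.log
# emergencies: console plus a dedicated local file
*.emerg                         /dev/console
*.emerg                         /var/log/emerg.log
EOF
    echo "$f"
}

write_weak_conf() {                  # constructed non-compliant configuration
    f=$(mktemp)
    cat > "$f" <<'EOF'
*.info                          /var/log/messages
kern.*                          /var/log/kern.log
EOF
    echo "$f"
}

# Print the action(s) configured for an exact selector field, one per line.
syslog_actions() {                   # $1 = conf file, $2 = selector, e.g. '*.info'
    awk -v sel="$2" '!/^[[:space:]]*(#|$)/ && $1 == sel { print $2 }' "$1"
}

# Print one MISSING line per unmet rule; return 0 only when nothing is missing.
check_syslog_conf() {
    conf="$1"; rc=0
    syslog_actions "$conf" '*.info' | grep -q '^@' \
        || { echo "MISSING: *.info not forwarded to a remote loghost (@host)"; rc=1; }
    { syslog_actions "$conf" 'authpriv.info;mail.info'
      syslog_actions "$conf" 'auth.info;mail.info'; } | grep -q '^/' \
        || { echo "MISSING: auth and mail events not written to a local restricted file"; rc=1; }
    syslog_actions "$conf" 'kern.*' | grep -q '^/dev/console$' \
        || { echo "MISSING: kernel events not sent to the console"; rc=1; }
    syslog_actions "$conf" 'kern.*' | grep -v '^/dev/' | grep -q '^/' \
        || { echo "MISSING: kernel events not written to a local log file"; rc=1; }
    syslog_actions "$conf" '*.emerg' | grep -q '^/dev/console$' \
        || { echo "MISSING: emergency events not sent to the console"; rc=1; }
    return $rc
}
```

The checker only looks at routing; the 600 mode on /var/log/secure.log and the 640/750 rights on the log directory are file-permission checks of the kind shown in section 7.3.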
7.7. Environment
Rule: Prevent a Trojan horse being run:
- Check that the LD_LIBRARY_PATH variable (or equivalent) does not exist in the user environment (root or other) or, if it exists, that it only references trusted libraries.
- Check that the files executed at login (/etc/profile, .bashrc, etc.) do not set these variables to a dubious value.
Additional information: For Linux, also check /etc/ld.so.conf.
Rule identifier: RS-1600.
8.
8.1. Access control
In order to improve control of a UNIX machine and increase its security, the use of PAMs (Pluggable Authentication Modules) is recommended. PAM is a powerful, flexible and extensible authentication tool which enables the system administrator to configure authentication services individually for each PAM-compliant application, without recompiling any application.
Rule: Use PAMs.
Additional information: This will quickly upgrade your level of security.
Rule: A warning banner should be displayed before the authentication dialogue when logging in, in compliance with MGS402 S1F0 (Warning to be inserted in the title pages).
Rule identifiers: RS-2000, RS-2001.
8.2.
All machines must control remote access rights. A machine must define the accounts authorised to log in from a remote terminal.
Rule: Root access via the network must be impossible.
Additional information: To keep a record of root connections to a system, it is better to log in with a user account and then use the su command to take the root identity.
Rule identifier: RS-2100.
8.3. Account/environment configuration
Rule: Account and password management must comply with MGS 401.
Rule: Passwords for all users must be stored using a strong hashing algorithm (like MD5).
Rule: Only root is the system super user (UID and GID equal to zero).
Rule: The root HOME DIRECTORY must be /root, with permissions 700 and owner root:root.
Rule: All files loaded by root when it logs in must be root:root and must not be group or world writable (g-w and o-rwx for what is specific to root; o-w for what is common).
Rule: All scripts or binaries present in the root PATH must be exclusively owned by root or a system account and must not be group or world writable (g-w, o-w).
Rule: The value of umask must be as restrictive as possible for each user: at least 077 for root, at least 027 for other users.
Additional information: Each file created by the user will then automatically carry minimum rights.
Rule: Files enabling the configuration of the default user environment must be root:root and 644.
Rule: The user PATH must contain the system paths BEFORE the user paths.
Rule: The user PATH must not contain a relative path (starting with a .) except the current directory (a single .).
Rule: There should be no .netrc, .exrc, .vimrc or .forward type files in the tree structure, nor .<something> type files.
Notes:
- .forward files can execute commands that are unforeseen or undesirable on mail reception. Their content should therefore be monitored.
- .exrc (.vimrc) may be replaced by judicious use of the variable EXINIT (VIMINIT): a .exrc file may exist anywhere and therefore be executed inadvertently from there. The behaviour of Vim is more secure on this point, but the files should be monitored nevertheless.
Additional information: If the uucp and nuucp accounts exist, their shell may be replaced by a false shell.
Rule identifiers: RS-2200 to RS-2214.
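The PATH rules of section 8.3 and the LD_LIBRARY_PATH rule of section 7.7 are mechanical enough to check automatically. The following is an added example, not part of MGS404: the values are passed as arguments rather than read from the live environment so that the checks can be exercised on constructed input, and the lists of "system paths" and "trusted library directories" are assumptions to adapt per platform.

```shell
#!/bin/sh
# Added example (not from MGS404): checks for the PATH and LD_LIBRARY_PATH rules
# of sections 7.7 and 8.3. Values are passed as arguments rather than read from
# the live environment so that the checks can be exercised on constructed input.
# Assumptions: the "system paths" and "trusted library directories" lists below
# are illustrative and would be adapted to the platform.
SYSTEM_PATHS="/bin /sbin /usr/bin /usr/sbin"
TRUSTED_LIB_DIRS="/lib /usr/lib /usr/local/lib"

is_system_path() {                   # exact match against SYSTEM_PATHS
    case " $SYSTEM_PATHS " in *" $1 "*) return 0 ;; esac
    return 1
}

is_trusted_lib_dir() {               # equal to, or below, a trusted directory
    for t in $TRUSTED_LIB_DIRS; do
        case "$1" in "$t"|"$t"/*) return 0 ;; esac
    done
    return 1
}

# Rules: system paths before user paths; no relative entry except a single "."
# (an empty entry such as "::" behaves like "." and is counted as one).
check_path() {                       # $1 = PATH value; prints one line per violation
    rc=0; dots=0; seen_user=0
    old_ifs=$IFS; IFS=:
    for p in $1; do
        case "$p" in
            ""|".")  dots=$((dots + 1)) ;;
            /*)      if is_system_path "$p"; then
                         [ "$seen_user" -eq 0 ] || { echo "SYSTEM_AFTER_USER $p"; rc=1; }
                     else
                         seen_user=1
                     fi ;;
            *)       echo "RELATIVE_PATH $p"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$dots" -le 1 ] || { echo "MULTIPLE_DOT_ENTRIES $dots"; rc=1; }
    return $rc
}

# Rule: LD_LIBRARY_PATH absent, or referencing only trusted library directories.
check_ld_library_path() {            # $1 = LD_LIBRARY_PATH value ("" when unset)
    [ -z "$1" ] && return 0
    rc=0
    for p in $(printf '%s\n' "$1" | tr ':' ' '); do
        is_trusted_lib_dir "$p" || { echo "UNTRUSTED_LIB_DIR $p"; rc=1; }
    done
    return $rc
}

# Rule: login files (/etc/profile, .bashrc, ...) must not set the variable.
find_ld_assignments() {              # $@ = files to inspect; prints file:line:text
    grep -n 'LD_LIBRARY_PATH[[:space:]]*=' "$@" /dev/null
}

make_sample_profile() {              # constructed /etc/profile fragment with one violation
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed /etc/profile fragment
PATH=/usr/bin:/bin:/usr/local/bin
export PATH
LD_LIBRARY_PATH=/tmp/lib
export LD_LIBRARY_PATH
EOF
    echo "$f"
}
```

On a live system the calls would be `check_path "$PATH"`, `check_ld_library_path "${LD_LIBRARY_PATH:-}"` and `find_ld_assignments /etc/profile /etc/bashrc "$HOME"/.profile "$HOME"/.bashrc`, run once per account to review.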
8.4. Administration commands
Certain UNIX commands, called r-commands, enable remote users either to log in (rlogin) or to execute commands (rsh, rcp, rexec) via the network and therefore to carry out remote operation/administration work.
Rule: Use SSH commands instead of telnet and the r-commands (see MGS 425).
Additional information:
- Limit the addresses allowed to access the machine by the telnet protocol: if xinetd is used, add the option only_from = address1 address2/mask address3/mask in the files /etc/xinetd.d/*telnet and/or /etc/xinetd.conf.
- Put all users whose UID is less than 100 (500 on the Pl@ton architecture) in /etc/ftpusers, as well as the user "nfsnobody" (if it exists), to deny FTP access to these users.
- Limit access to FTP files via /etc/ftpgroup, /etc/ftphosts (allow and deny options) and /etc/ftpaccess (noretrieve <directory> option, upload option set to no), and create non-empty .notar files (444 rights) in the directories where downloading is prohibited.
Note: the noretrieve .notar option may cause problems for Internet Explorer. In this case, do not put the noretrieve .notar option in /etc/ftpaccess.
Rule identifiers: RS-2300, RS-2301, RS-2302.
8.5. Trust mechanism
The trusted host concept is based on the fact that users and applications calling from a trusted host are not obliged to supply a password (thereby doing away with the authentication mechanisms and endangering the quality of system security).
Rule: Using the .rhosts function is prohibited (even for root). As a result, all user home directories must contain an empty .rhosts DIRECTORY with 000 rights (--- --- ---) and root:root ownership.
Additional information: If it exists, this file authorises access to your account without a password for the local or remote users listed in it. It does away with any access control system.
Rule: Use of the hosts.equiv function is prohibited. Therefore, the machine must have an empty /etc/hosts.equiv DIRECTORY with 000 rights (--- --- ---) and root:root ownership.
Additional information: The /etc/hosts.equiv file enables the following to be defined at local machine level: the users authorised to log in to the local machine (if their login exists) without supplying a password, and the users not authorised to connect to the local machine. This also does away with any access control system.
Rule identifiers: RS-2400, RS-2401.
8.6. Logging
Logging is the recording of application events, via a central daemon, in one or several local and/or remote files.
Rule: Use of the su command must be logged (in particular to detect unauthorised changes of privilege).
Rule: All login attempts (successful or otherwise) must be logged.
Rule identifiers: RS-2500, RS-2501.
9. Network security
9.1. IP stack
Rule: Configuration of the network interfaces:
- For all machines, prevent information being recovered through the network interfaces' "promiscuous" mode (sniffer).
- On a server, to avoid spoofing: use static rather than dynamic addressing (no DHCP); for each machine on the same network that has to dialogue with this server, the MAC address (Ethernet address) can be fixed with the arp command.
Additional information:
Notes:
- A switch to promiscuous mode can only occur with root rights. It may therefore indicate an anomaly (machine already compromised?).
- The use of certain libraries intended for network listening may not be detected.
- In a server hosting environment, it is preferable to have a machine that detects this mode (or even detects intrusions).
Means:
- Detect promiscuous mode with a command put in the crontab and run cyclically (hourly, for example).
- On a server: remove the DHCP client package(s) and configure the network interfaces manually; for each machine whose MAC address is required, enter arp -s <IP_address> <MAC_address> (these commands may be added at the end of the file /etc/rc.d/rc.local, for example).
Rule identifiers: RS-3000 to RS-3007.
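The "Means" above ask for an hourly crontab check for promiscuous mode and for static ARP entries on servers. The following is an added example, not part of MGS404: on Linux the interface flags are exposed in /sys/class/net/<interface>/flags and IFF_PROMISC is bit 0x100, so the check reads that file; the sysfs directory is a parameter so the function can be run against a constructed tree, and the crontab line and script path are assumptions.

```shell
#!/bin/sh
# Added example (not from MGS404): the hourly check suggested in section 9.1
# ("detect promiscuous mode with a command put in the crontab"). On Linux the
# interface flags are exposed in /sys/class/net/<if>/flags as a hex value and
# IFF_PROMISC is bit 0x100 (from <linux/if.h>). The sysfs directory is a
# parameter so that the function can be run against a constructed tree.
# Example crontab line (assumed script path):
#   0 * * * *  root  /usr/local/sbin/check_promisc.sh
IFF_PROMISC=256                      # 0x100

promisc_ifaces() {                   # $1 = sysfs net directory (default /sys/class/net)
    netdir="${1:-/sys/class/net}"
    for d in "$netdir"/*; do
        [ -r "$d/flags" ] || continue
        flags=$(cat "$d/flags")      # e.g. 0x1103; $(( )) accepts C-style hex
        if [ $(( $flags & IFF_PROMISC )) -ne 0 ]; then
            basename "$d"
        fi
    done
}

# Exit status 1 (and an ALERT line per interface) when sniffing is possible,
# which is what the cron job should mail to the administrators.
report_promisc() {                   # $1 = sysfs net directory
    found=$(promisc_ifaces "$1")
    [ -z "$found" ] && return 0
    for i in $found; do
        echo "ALERT: interface $i is in promiscuous mode on $(uname -n)"
    done
    return 1
}

# Companion to the static ARP rule: turn an "IP MAC" list into the arp -s
# commands that section 9.1 suggests appending to /etc/rc.d/rc.local.
static_arp_commands() {              # $1 = file with "IP MAC" per line
    awk '!/^[[:space:]]*(#|$)/ { printf "arp -s %s %s\n", $1, $2 }' "$1"
}

# Constructed sysfs-like tree: eth1 carries the PROMISC bit, the others do not.
make_sample_sysfs() {
    d=$(mktemp -d)
    mkdir "$d/eth0" "$d/eth1" "$d/lo"
    printf '0x1003\n' > "$d/eth0/flags"   # UP|BROADCAST|MULTICAST
    printf '0x1103\n' > "$d/eth1/flags"   # same flags plus PROMISC (0x100)
    printf '0x9\n'    > "$d/lo/flags"     # UP|LOOPBACK
    echo "$d"
}
```

As the notes above say, a sniffer using certain capture libraries may not set the flag at all, so this check complements rather than replaces a dedicated detection machine.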
9.2.
Apply MGS 425 (OpenSSH), which contains the security rules concerning the protection of network flows by means of the Open-SSL protocol.
Rule: Apply MGS 425 (OpenSSH configuration).
Rule: The machine must be administered through a specific network interface. Methods: an additional network board or a VPN (Virtual Private Network).
Rule: Administration services other than SSH must be filtered with Xinetd or TCP-Wrapper. If Xinetd is used: use the bind and only_from options.
Rule identifiers: RS-3100, RS-3101, RS-3102.
9.3.
Filtering uses the access control components. The role of filtering is not to format network traffic between two points but to decide whether a packet should or should not be processed. It can be rejected, accepted or modified, according to rules of varying complexity. In many cases, filtering is used to control and/or secure an internal network from the outside world (the Internet, for example).
All services authorised to be present on machines should apply the following rules.
Rule: Limit access to network services to the authorised machines only, using Xinetd or inetd+TCPWrapper.
Additional information: Specify the approach.
Rule: All services activated in inetd or xinetd must be approved by the CNSSI security teams.
Rule: As far as possible, do not install a printer server.
Rule: Do not use NIS (it depends on RPCs, services that are too vulnerable).
Additional information: This service is highly vulnerable. If such a service is necessary, prefer LDAP.
Configuration of inetd:
Rule: The inetd daemon must be started in standalone mode (-s) with the -t option.
Rule: All TCP and UDP services open in /etc/inetd.conf must be encapsulated with TCPWrapper (using the nowait option).
Rule: Inetd must be associated with TCP-Wrapper.
Rule: Connection requests must be recorded and filtered via inetd/TCP-wrapper.
Additional information: Inetd alone does not provide network security (see the rules concerning TCPWrapper and xinetd).
Configuration of tcpwrapper:
Rule: PARANOID mode must be activated.
Additional information: This refuses all connections from a system whose name does not resolve to the same IP address.
Rule: Include one rule in /etc/hosts.deny refusing what is not authorised.
Additional information: The file must contain a single ALL:ALL line.
For further information on the installation and configuration of TCP-Wrapper, refer to the guide MGS 499 S1F3 available from Securinoo.
Rule identifiers: RS-3200 to RS-3209.
Configuration of xinetd:
Rule: Connection requests must be recorded via xinetd.
Rule: Connection requests must be filtered per service via xinetd.
Rule: The xinetd.conf default configuration file must contain: disable = yes
Rule: The xinetd.conf default configuration file must contain: no_access = 0.0.0.0/0
Rule: The xinetd.conf default configuration file must contain: log_type = SYSLOG authpriv
Rule: The xinetd.conf default configuration file must contain: log_on_failure = HOST
Rule: The services declared in the configuration file xinetd.conf must contain the parameter per_source m, m being the maximum number of simultaneous connections authorised from the same machine.
Rule (1): Services declared in the configuration file xinetd.conf must use the parameter max_load c.
Rule (1): Services declared in the configuration file xinetd.conf must use the parameter instances n.
Rule (1): Services declared in the configuration file xinetd.conf must use the parameter cps x y.
Rule identifiers: RS-3210 to RS-3222.
(1): for rules RS-3219, RS-3220 and RS-3221, the parameters are entirely dependent on the use of the server and the services used. They must therefore be configured appropriately. However, the following values may be used as a basis:
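The xinetd and tcp_wrappers rules of section 9.3 fix specific values in the xinetd.conf "defaults" section and in /etc/hosts.deny. The following is an added example, not part of MGS404: a constructed xinetd.conf and hosts.deny that follow the rules as stated, a weak xinetd.conf for contrast, and a checker for the required values. The numeric limits are illustrative starting points (note (1) says they must be tuned per server), the max_load value is an assumption, and the telnet stanza is there only to show bind and only_from as called for by the administration-interface rules.

```shell
#!/bin/sh
# Added example (not from MGS404): constructed xinetd.conf "defaults" section and
# tcp_wrappers hosts.deny meeting the section 9.3 rules, with a checker for the
# values the rules require. Numeric limits (instances, per_source, cps) follow
# note (1) as starting points; max_load is an assumed value. Comments sit on
# their own lines because the checker reads whole "name = value" lines.

write_xinetd_conf() {                # constructed compliant configuration
    f=$(mktemp)
    cat > "$f" <<'EOF'
defaults
{
# every service is off unless its own stanza enables it
        disable         = yes
# deny everything by default; each service opens itself with only_from
        no_access       = 0.0.0.0/0
        log_type        = SYSLOG authpriv
        log_on_failure  = HOST
        log_on_success  = HOST PID
# instances below the 50 suggested in note (1); cps = 3 per second, 60 s pause
        instances       = 30
        per_source      = 10
        cps             = 3 60
        max_load        = 2.0
}

service telnet
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
# administration interface and network only (bind / only_from)
        bind            = 192.0.2.10
        only_from       = 192.0.2.0/24
}
EOF
    echo "$f"
}

write_weak_xinetd_conf() {           # constructed: most required values missing
    f=$(mktemp)
    cat > "$f" <<'EOF'
defaults
{
        disable         = no
        log_type        = FILE /var/log/xinetd.log
        instances       = 60
}
EOF
    echo "$f"
}

# Value of one attribute in the "defaults" block ("" when absent).
xinetd_default() {                   # $1 = conf file, $2 = attribute name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*defaults/ { inblk = 1; next }
        inblk && /^[[:space:]]*}/ { inblk = 0 }
        inblk && $1 == key && $2 == "=" { $1 = ""; $2 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

check_xinetd_defaults() {            # prints one line per unmet rule; 0 only when clean
    conf="$1"; rc=0
    [ "$(xinetd_default "$conf" disable)" = "yes" ] \
        || { echo "defaults: disable = yes required"; rc=1; }
    [ "$(xinetd_default "$conf" no_access)" = "0.0.0.0/0" ] \
        || { echo "defaults: no_access = 0.0.0.0/0 required"; rc=1; }
    [ "$(xinetd_default "$conf" log_type)" = "SYSLOG authpriv" ] \
        || { echo "defaults: log_type = SYSLOG authpriv required"; rc=1; }
    case " $(xinetd_default "$conf" log_on_failure) " in
        *" HOST "*) ;;
        *) echo "defaults: log_on_failure must include HOST"; rc=1 ;;
    esac
    for k in per_source max_load instances cps; do
        [ -n "$(xinetd_default "$conf" "$k")" ] || { echo "defaults: $k must be set"; rc=1; }
    done
    return $rc
}

# tcp_wrappers: /etc/hosts.deny must hold exactly one active line, "ALL: ALL",
# so that anything not listed in /etc/hosts.allow is refused. The name/address
# consistency check (PARANOID) is a compile-time default of tcp_wrappers and
# needs no entry in the file.
check_hosts_deny() {                 # $1 = hosts.deny file
    active=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true)
    [ "$(printf '%s\n' "$active" | wc -l | tr -d ' ')" = "1" ] \
        && printf '%s\n' "$active" | grep -q '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}
```

With hosts.deny reduced to ALL: ALL, every permitted client must be named explicitly in /etc/hosts.allow (for example a line such as `sshd: 192.0.2.0/255.255.255.0`), which is the intended effect of the rule.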
a. RS-3219: a threshold fixed at between 85% and 95% helps prevent any possible system saturation. For less important services, a lower threshold can be fixed to leave priority to other services.
b. RS-3220: this option depends heavily on the service; generally, the value should be less than 50.
c. RS-3221: in general, a maximum of three connections per second is necessary. For heavily demanded services, it is possible to increase to 10 connections per second.
9.4. Routing
Routing is the method of carrying information (or packets) to the correct destination via a network. According to the type of network, data is sent by packets and its path chosen each time (adaptive routing), or a path is chosen once and for all (the two can be combined). A machine that handles routing is commonly called a router.
Rule: Routing daemons must be deactivated or deleted (e.g. gated, routed).
Additional information: Routing daemons are only used on machines connected to several networks and used to route packets.
Rule identifier: RS-3400.
9.5. Name resolution
Rule: Name resolution must first be carried out locally before any other method (DNS and LDAP).
Additional information: This requires name resolution to be carried out first via a local file, then via DNS. This helps avoid DNS spoofing.
Rule identifier: RS-3300.
9.6.
RS-3500
Rule
No network service other than SSH must be activated on the machine.
Additional information
Particularly daytime, discard, chargen, echo, fingerd, rquotad, rusersd, rwalld, rexd, systat, time, netstat.
RS-3501
Rule
All sensitive services should be started in a chrooted environment.
9.7.
RS-3600
Rule
All RPC network services started by the portmapper, including the portmapper itself, must be deactivated.
If RPC network services are necessary, access must be secured and logged to the maximum.
Additional information
All services to be started by the portmapper must receive the approval of the security teams.
10. Security of services
This chapter covers the rules that apply to the principal services (functions) offered by Unix servers.
RS-4000
10.2. X-Window
RS-4100, RS-4101, RS-4102
Rule
If an X server is necessary (X11 or XFree), use the most up-to-date validated version possible.
X server authentication must be carried out by the xauth function.
The data exchanged between the client and the X server must be encrypted via an SSH tunnel, in compliance with MGS 425.
Additional information
Unlike filtering via xhost, which uses authentication based on the client host name, the xauth method uses a shared secret in order to guarantee authentication of the two parties. But the communication remains in clear text.
RS-4200
Rule
A mail transfer agent is necessary for distributing messages.
This agent must not be run as a network service. In addition, its configuration must be modified so that it is not used as an uncontrolled mail relay.
Additional information
In the process of standardisation.
RS-4300
Rule
Apply MGS 601 V2.0: File transfer.
RS-4400
Rule
The SNMP protocol must not be used if not necessary.
Additional information
If the SNMP protocol is necessary, version 3 must be used. If version 3 is not available, version 2 is tolerated. In any case, ban version 1.
If the SNMP protocol is necessary, there must be no SNMP community strings named public or private, nor the names supplied as standard by manufacturers (default parameters).
If the SNMP protocol is necessary, all community strings must comply with the password management policy.
Access to the SNMP server must be restricted to authorised stations only.
If the SNMP protocol is necessary, the sending of SNMP traps must be protected by identifiers in compliance with the password management policy.
If the SNMP protocol is necessary, access to the SNMP service is read-only; write access is not authorised.
RS-4500
Rule
Use the security functions (LDAPS) supplied by LDAP.
RS-4600
Rule
The NFS server must not be installed or started up.
RS-4601 to RS-4606
Additional information
If the NFS server is necessary, the file /etc/exports must respect the following characteristics:
- it must belong to root:root with permissions 644;
- domain names must be fully qualified if possible;
- exports must be verified using the access option;
- the file system must not be exported to the machine itself (localhost entry);
- the nosuid and read-only mounting options are preferred.
10.8. WEB
RS-4700
Rule
Apply MGS 411.
RS-4800, RS-4801
Rule
Use Bind or LDAP as the domain name service.
Always use the latest available validated and maintained version of the domain name service.
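The /etc/exports characteristics listed under the NFS rule above, turned into a lint check (an added example, not the standard's own tooling): it reads Linux-style /etc/exports entries and flags exports to the machine itself, clients that are not fully qualified, and exports that are not read-only. The sample file and the function names are this example's own; exports with no client at all are reported as well, since exportfs then exports to every host.

```python
import re
from ipaddress import ip_network

# Constructed sample in Linux /etc/exports syntax, not taken from any real host
SAMPLE_EXPORTS = """\
# path        client(options) ...
/srv/pub      *.example.com(ro,sync) 10.0.0.0/8(ro)
/srv/build    buildhost(rw,no_root_squash)
/srv/backup   localhost(rw) 127.0.0.1(ro)
/srv/open     (ro)
"""

_CLIENT = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")   # host(options) or a bare host

def _is_address(client):
    try:
        ip_network(client, strict=False)
        return True
    except ValueError:
        return False

def lint_exports(text):
    """Findings for entries that contradict the /etc/exports characteristics above."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *rest = line.split(None, 1)
        clients = _CLIENT.findall(rest[0]) if rest else []
        if not clients:                      # no client at all: exported to every host
            findings.append(f"{path}: no client given, exported to everyone")
        for host_a, opts, host_b in clients:
            host = host_a or host_b
            options = {o.strip() for o in opts.split(",") if o.strip()}
            if host in ("", "*"):
                findings.append(f"{path}: exported to every client")
            elif host in ("localhost", "127.0.0.1", "::1"):
                findings.append(f"{path}: exported to the machine itself ({host})")
            elif not (_is_address(host) or host.startswith("@") or "." in host):
                findings.append(f"{path}: client '{host}' is not fully qualified")
            if "ro" not in options:          # the standard prefers read-only exports
                findings.append(f"{path}: client '{host or '*'}' is not read-only")
    return findings
```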
The table below presents a non-exhaustive list of files for which ownership and user rights should be monitored with vigilance.
The rights shown are the maximum admissible for a well-secured installation. These rights can nevertheless be further restricted.
When rights have to be modified, use the form shown in the table as the parameter of the /bin/chmod command.
The group named ROOT corresponds to the group whose GID is 0 (zero); the name of this group may differ from one system to another.
The keyword ALL shows the rights for all systems other than those that are the subject of a specific line in the rights table (for the same file/directory).
A sealing tool (for example TripWire; a study is available at Securinoo) would be an additional advantage for ensuring that critical files have not been modified, particularly on servers.

| Files/Directories | Owner | Group | Rights | Systems |
|---|---|---|---|---|
| / | root | ROOT | 0755 | ALL |
| /bin | root | ROOT, bin | 0755 | ALL |
| /bin/bash | root | ROOT, bin | 0755 | Linux |
| /bin/login | root | ROOT, bin | 4555 | ALL |
| /bin/mount | root | root | 0550 | Linux |
| /bin/netstat | root | root | 0550 | Linux |
| /bin/su | root | ROOT, bin | 4755 | ALL |
| /boot | root | root | 0750 | Linux |
| /boot/* | root | root | 0640 | Linux |
| /boot/grub/grub.conf | root | root | 0600 | Linux |
| /crash | root | ROOT | 0750 | Solaris |
| /dev | root, bin | ROOT, sys, bin | 0755 | ALL |
| /dev/console | root | ROOT, sys | 0633 | ALL |
| /dev/full | root | root | 0666 | Linux |
| /dev/kmem | root | ROOT | 0640 | AIX |
| /dev/kmem | bin | sys | 0640 | HP-UX |
| /dev/kmem | root | kmem | 0640 | Linux |
| /dev/kmem | root | sys | 0640 | Solaris |
| Files/Directories | Owner | Group | Rights | Systems |
|---|---|---|---|---|
| /dev/MAKEDEV | root | root | 0700 | Linux |
| /dev/mem | root | ROOT | 0640 | AIX |
| /dev/mem | bin | sys | 0640 | HP-UX |
| /dev/mem | root | kmem | 0640 | Linux |
| /dev/mem | root | sys | 0640 | Solaris |
| /dev/null | root, bin | ROOT, sys, bin | 0666 | ALL |
| /dev/random | root | root | 0644 | Linux |
| /dev/tty | root, bin | ROOT, tty, bin | 0666 | ALL |
| /dev/urandom | root | root | 0644 | Linux |
| /dev/zero | root | ROOT, sys | 0666 | Solaris, Linux, AIX |
| /etc | root | ROOT, sys, bin | 0755 | ALL |
| /etc/aliases | root | ROOT, bin | 0600 | Solaris, Linux, AIX |
| /etc/aliases.db | root | root | 0600 | Linux |
| /etc/anacrontab | root | root | 0600 | Linux |
| /etc/at.allow | root | root | 0600 | Linux |
| /etc/at.deny | root | root | 0600 | Linux |
| /etc/cron.allow | root | root | 0600 | Linux |
| /etc/cron.d/at.allow | root | root | 0600 | Solaris |
| /etc/cron.d | root | sys | 0750 | Solaris |
| /etc/cron.d/at.deny | root | root | 0600 | Solaris |
| /etc/cron.d/cron.allow | root | sys | 0600 | Solaris |
| /etc/cron.d/cron.deny | root | sys | 0600 | Solaris |
| /etc/cron.deny | root | root | 0600 | Linux |
| /etc/default/useradd | root | bin | 0640 | HP-UX |
| /etc/default | root | root, sys | 0750 | Linux, Solaris, HP-UX |
| /etc/default/init | root | sys | 0644 | Solaris |
| /etc/default/login | root | sys | 0644 | Solaris |
| /etc/default/passwd | root | sys | 0644 | Solaris |
| /etc/default/su | root | sys | 0644 | Solaris |
| /etc/defaultrouter | root | root | 0644 | Solaris |
| /etc/environment | root | ROOT | 0644 | AIX |
| /etc/exclude.rootvg | root | ROOT | 0644 | AIX |
| /etc/exports | root | root | 0600 | ALL |
| Files/Directories | Owner | Group | Rights | Systems |
|---|---|---|---|---|
| /etc/fstab | root | sys | 0640 | HP-UX |
| /etc/fstab | root | root | 0600 | Linux |
| /etc/ftpaccess | root | root | 0400 | Linux |
| /etc/ftpconversions | root | root | 0400 | Linux |
| /etc/ftpgroups | root | root | 0400 | Linux |
| /etc/ftphosts | root | root | 0400 | Linux |
| /etc/ftpusers | root | root | 0400 | Solaris, Linux |
| /etc/group | root | ROOT | 0644 | ALL |
| /etc/hosts | root | ROOT | 0644 | ALL |
| /etc/hosts.allow | root | ROOT | 0640 | ALL |
| /etc/hosts.deny | root | ROOT | 0640 | ALL |
| /etc/hosts.equiv | root | ROOT | 0000 | ALL |
| /etc/hosts.lpd | root | ROOT | 0600 | AIX |
| /etc/inet/hosts | root | root | 0444 | Solaris |
| /etc/inet/inetd.conf | root | root | 0644 | Solaris |
| /etc/inet/services | root | root | 0644 | Solaris |
| /etc/inetd.conf | root | ROOT | 0644 | ALL |
| /etc/init.d | root | root | 0750 | Solaris, Linux |
| /etc/init.d/* | root | root | 0750 | Solaris, Linux |
| /etc/inittab | root | ROOT | 0644 | ALL |
| /etc/issue* | root | root | 0644 | Solaris, Linux, HP-UX |
| /etc/lilo.conf | root | root | 0600 | Linux |
| /etc/login.defs | root | root | 0600 | Linux |
| /etc/mail | root | root | 0755 | Solaris, Linux, HP-UX |
| /etc/mail/* | root | root | 0644 | Solaris, Linux, HP-UX |
| /etc/motd | root | ROOT | 0644 | Solaris, Linux, AIX |
| /etc/mtab | root | root | 0644 | Linux |
| /etc/netgroup | root | root | 0644 | HP-UX |
| /etc/notrouter | root | root | 0644 | Solaris |
| /etc/passwd | root | ROOT | 0644 | ALL |
| /etc/printcap | root | root | 0644 | Linux |
| /etc/profile | root | ROOT | 0644 | ALL |
| /etc/rc.* | root | ROOT | 0750 | AIX, Linux |
| Files/Directories | Owner | Group | Rights | Systems |
|---|---|---|---|---|
| /etc/rc.config.d | bin | bin | 0755 | HP-UX |
| /etc/rc.config.d/* | bin | bin | 0644 | HP-UX |
| /etc/rc.d/*/* | root | ROOT | 0700 | AIX, Linux |
| /etc/rc.d/rc?.d | root | ROOT | 0755 | AIX, Linux |
| /etc/rc.d/rc?.d/* | root | ROOT | 0744 | AIX, Linux |
| /etc/rc?.d | root | root | 0755 | Solaris |
| /etc/rc?.d/* | root | root | 0744 | Solaris |
| /etc/resolv.conf | root | ROOT | 0644 | ALL |
| /etc/rpc | root | ROOT, sys, bin | 0644 | ALL |
| /etc/securetty | root | root | 0600 | Linux |
| /etc/security | root | root | 0755 | AIX |
| /etc/security/group | root | security | 0640 | AIX |
| /etc/security/passwd | root | security | 0600 | AIX |
| /etc/security/user | root | security | 0640 | AIX |
| /etc/sendmail.cf | root | root | 0644 | Linux, AIX |
| /etc/services | root | ROOT | 0644 | ALL |
| /etc/shadow | root | root, sys | 0600 | Solaris, Linux |
| /etc/skel | root | root | 0755 | Solaris, Linux, HP-UX |
| /etc/skel/* | root | root | 0644 | Solaris, Linux, HP-UX |
| /etc/snmp/conf/snmpd.conf | root | root | 0644 | Solaris |
| /etc/SnmpAgent.d/snmpd.conf | root | root | 0644 | HP-UX |
| /etc/snmpd.conf | root | ROOT | 0644 | AIX |
| /etc/ssh | root | ROOT | 0755 | Linux, AIX |
| /etc/ssh/*_key | root | ROOT | 0600 | Linux, AIX |
| /etc/ssh/sshd_config | root | ROOT | 0600 | Linux, AIX |
| /etc/ssh/* (other than above) | root | ROOT | 0644 | Linux, AIX |
| /etc/syslog.conf | root | root | 0644 | ALL |
| /etc/system | root | ROOT | 0644 | Solaris |
| /etc/xinetd.conf | root | ROOT | 0640 | ALL |
| /etc/xinetd.d | root | ROOT | 0750 | ALL |
| /etc/xinetd.d/* | root | ROOT | 0640 | ALL |
| /root/* | root | ROOT | 0700 | ALL |
| /root/.rhosts | root | ROOT | 0000 | ALL |
| Files/Directories | Owner | Group | Rights | Systems |
|---|---|---|---|---|
| /sbin | root | ROOT, bin | 0755 | ALL |
| /sbin/arp | root | ROOT | 0755 | Linux |
| /sbin/init.d | root | root | 0750 | HP-UX |
| /sbin/init.d/* | root | root | 0744 | HP-UX |
| /sbin/mount | root | root | 0550 | HP-UX |
| /sbin/rc?.d | root | root | 0755 | HP-UX |
| /sbin/rc?.d/* | root | root | 0744 | HP-UX |
| /sbin/route | root | root | 0550 | Linux |
| /system | root | ROOT | 0755 | AIX, Linux, HP-UX |
| /system/products | root | root | 0555 | Linux |
| /system/products/sudo/log/sudo.log | root | root | 0644 | Linux |
| /tmp | root | ROOT | 1777 | ALL |
| /users | root | ROOT | 0555 | ALL |
| /usr/bin | root | ROOT, bin | 0755 | ALL |
| /usr/bin/at | root | ROOT | 4555 | ALL |
| /usr/bin/finger | root | root | 0550 | ALL |
| /usr/bin/netstat | root | root | 0550 | Solaris, AIX, HP-UX |
| /usr/bin/passwd | root | ROOT, bin | 4555 | ALL |
| /usr/bin/rdate | root | root | 0550 | Solaris |
| /usr/bin/rdist | root | root | 0550 | Solaris, AIX, HP-UX |
| /usr/bin/rpcinfo | root | root | 0550 | Solaris, AIX, HP-UX |
| /usr/bin/rusers | root | root | 0550 | Solaris, AIX, HP-UX |
| /usr/bin/rwho | root | root | 0550 | Solaris, AIX, HP-UX |
| /usr/bin/talk | root | root | 0550 | Solaris, AIX, HP-UX |
| /usr/bin/wall | root | tty | 2555 | Linux |
| /usr/bin/write | root | tty, bin | 2555 | ALL |
| /usr/games | root | root | 0755 | Linux |
| /usr/lib | root | ROOT, bin | 0755 | ALL |
| /usr/sbin/arp | root | ROOT | 0755 | Solaris, AIX, HP-UX |
| /usr/sbin/chroot | root | root | 0550 | ALL |
| /usr/sbin/mount | root | root | 0550 | Solaris, AIX |
| /usr/sbin/route | root | root | 0550 | Solaris, AIX, HP-UX |
| /usr/sbin/rpcinfo | root | root | 0550 | Linux |
| Files/Directories | Owner | Group | Rights | Systems |
|---|---|---|---|---|
| /usr/sbin/wall | root | tty, bin | 2555 | AIX, Solaris, HP-UX |
| /var/adm/cron | root | ROOT, cron | 0755 | AIX, HP-UX |
| /var/adm/cron/at.allow | root | ROOT, cron | 0640 | AIX, HP-UX |
| /var/adm/cron/at.deny | root | ROOT, cron | 0640 | AIX, HP-UX |
| /var/adm/cron/cron.allow | root | ROOT, cron | 0640 | AIX, HP-UX |
| /var/adm/cron/cron.deny | root | ROOT, cron | 0640 | AIX, HP-UX |
| /var/adm/cron/log | root | ROOT | 0644 | AIX, HP-UX |
| /var/adm/messages | root | ROOT | 0644 | ALL |
| /var/adm/syslog/* | root | root | 0644 | HP-UX, Solaris |
| /var/cron/log | root | root | 0644 | Solaris |
| /var/log/* | root | root | 0640 | Solaris, Linux |
| /var/log/wtmp | root | utmp | 0600 | Linux |
| /var/run/syslogd.pid | root | root | 0640 | Solaris, Linux, HP-UX |
| /var/run/utmp | root | utmp | 0644 | Linux |
| /var/spool | ROOT, bin | ROOT, bin | 0755 | ALL |
| /var/spool/at | daemon | daemon | 0700 | Linux |
| /var/spool/cron | root | root | 0700 | ALL |
| /var/tmp | root | root | 1777 | ALL |
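An added audit script (not part of the standard) that applies the table's semantics: the listed rights are a maximum, so a file complies when it has no permission bit the table does not grant, its owner matches, and its group is one of the accepted names (ROOT resolved to the GID 0 group). The four table rows embedded below are copied from the table above; the RightsEntry type, the helper names and the throw-away files built by demo_audit are this example's own.

```python
import grp, os, pwd, stat, tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class RightsEntry:
    owner: str        # expected owner user name
    groups: tuple     # accepted group names; "ROOT" means whichever group has GID 0
    max_mode: int     # maximum admissible mode, setuid/setgid/sticky bits included

# Rows copied from the standard's table (values for Linux)
RIGHTS_TABLE = {
    "/etc/shadow": RightsEntry("root", ("root", "sys"), 0o600),
    "/etc/xinetd.conf": RightsEntry("root", ("ROOT",), 0o640),
    "/bin/su": RightsEntry("root", ("ROOT", "bin"), 0o4755),
    "/tmp": RightsEntry("root", ("ROOT",), 0o1777),
}

def _name(lookup, ident):
    """Resolve a uid or gid to its name; fall back to the number when unknown."""
    try:
        return lookup(ident)[0]          # pw_name / gr_name is field 0 of both structs
    except KeyError:
        return str(ident)

def audit_path(path, entry):
    """Findings for one path; an empty list means it complies with the entry."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    extra = mode & ~entry.max_mode       # any bit beyond the maximum is a violation
    if extra:
        findings.append(f"{path}: mode {mode:04o} exceeds maximum {entry.max_mode:04o} (extra bits {extra:04o})")
    owner = _name(pwd.getpwuid, st.st_uid)
    if owner != entry.owner:
        findings.append(f"{path}: owner {owner}, expected {entry.owner}")
    accepted = tuple(_name(grp.getgrgid, 0) if g == "ROOT" else g for g in entry.groups)
    group = _name(grp.getgrgid, st.st_gid)
    if group not in accepted:
        findings.append(f"{path}: group {group}, expected one of {accepted}")
    return findings

def demo_audit():
    """Constructed check on throw-away files owned by the current user, so only the mode test can fire."""
    me, my_group = _name(pwd.getpwuid, os.geteuid()), _name(grp.getgrgid, os.getegid())
    d = tempfile.mkdtemp()
    shadow, tmp = os.path.join(d, "shadow"), os.path.join(d, "tmp")
    open(shadow, "w").close(); os.chmod(shadow, 0o644)   # too open for a 0600 maximum
    os.mkdir(tmp); os.chmod(tmp, 0o1777)                 # exactly the /tmp maximum
    return {"shadow": audit_path(shadow, RightsEntry(me, (my_group,), 0o600)),
            "tmp": audit_path(tmp, RightsEntry(me, (my_group,), 0o1777))}
```

Running audit_path over RIGHTS_TABLE on a live host reports each path whose mode, owner or group drifts from the table; a sealing tool such as TripWire complements this by detecting content changes as well.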