UNIX and Linux Technical Control SA Build Guideline (12192011)
Common Technical Controls

Platforms: AIX / SUSE Linux / Solaris / HP-UX. Columns in the source sheet: Source, Control ID (AIX / SUSE / Solaris), Section or Category, Control Statement, Base Build (yes/no). Control IDs carried in this block, in extraction order (row alignment was not preserved): AIX 1921 / SUSE 1281 / Solaris 2389; AIX 1938 / SUSE 1288 / Solaris 2400; AIX 1939 / SUSE 1290 / Solaris 2395; AIX 1920 / SUSE 1276 / Solaris 2381.

- Brabeion. Auditing, Logging and Monitoring: Files should not be writeable by users other than their owner (i.e., world writeable) unless such permission is required for system functionality. Base build: yes.
- Brabeion. Permission to modify environmental control files in user home directories should be restricted to the owner of the file. Base build: yes.
- Brabeion. Unless required for specific operational reasons, NFS file systems should be exported using the "read only" parameter. Base build: yes.
- Brabeion. Auditing, Logging and Monitoring: File system activities, such as the creation of exported file systems and remote file system mounting, should be audited and reviewed. Base build: no.
- Brabeion. Auditing, Logging and Monitoring: Set user ID (setUID) and set group ID (setGID) files should only exist if they are needed for the proper functioning of the system, and they should only be writeable by the owner of the file. Base build: no.
- Brabeion. All users should have a "umask" value, which defines the permissions of newly created files, of 022 or 027. Base build: no.
- Brabeion. System Configuration: The account lockout feature, which disables an account after a number of failed login attempts, should be enabled, and the related parameters should be set in accordance with corporate security standards and guidelines. Base build: not recorded.
- Brabeion. User Accounts: Any account that has not logged into the system for an extended period of time should be disabled. Base build: no.
- Brabeion. Auditing, Logging and Monitoring: All su (switch user) commands, which allow a user to gain access to the root account, should be monitored and reviewed in accordance with corporate standards. All successful and unsuccessful su attempts must be logged. Regular reviews must be conducted on (statement cut off in the source). Base build: no.
- Brabeion. User Management: (statement missing from the source). Base build: yes.
- Brabeion. Password Management: Complex passwords should be enforced through the system configuration and password policy. Base build: yes.
- Brabeion. System Configuration: Network File Systems (NFS) should not be exported with the "root=" option.
- Brabeion (AIX 1966 / SUSE 1336). System Configuration: Anonymous FTP should be disabled. If anonymous FTP is required, the host should be restricted to anonymous FTP traffic and should not host other services. Base build: disabled.

Confidential. 4/10/2012
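The world-writable, setUID/setGID and umask controls above are the ones a build check can verify mechanically. The script below is an added example, not part of the guideline: it uses only POSIX find(1) primaries so the same file runs on AIX, HP-UX, Solaris and Linux, and it takes the 022/027 umask policy and the "only writeable by the owner" rule from the control statements; the function names and the per-directory report format are assumptions.

```shell
#!/bin/sh
# audit_perms.sh: added example for the world-writable, setUID/setGID and
# umask controls above; it is not part of the guideline. The 022/027 policy
# and the "only writeable by the owner" rule come from the control
# statements, everything else is assumed. Only POSIX find(1) primaries are
# used so it runs unchanged on AIX, HP-UX, Solaris and Linux.

# Count regular files under DIR that are world-writable. -xdev keeps the scan
# on one file system so NFS mounts are not walked; symlinks are not matched
# because find(1) reports the link's own mode, not the target's.
count_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# List setUID/setGID regular files under DIR, one path per line: the
# inventory to compare against the approved list.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Count setUID/setGID files that are also group- or world-writable. These
# violate "only writeable by the owner of the file": anyone who can write
# them can plant code that runs with the elevated ID.
count_setid_nonowner_writable() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when the umask string is one of the two permitted values, 1
# otherwise. Accepts umask(1) output with or without the leading zero.
umask_compliant() {
    case "$1" in
        022|0022|027|0027) return 0 ;;
        *) return 1 ;;
    esac
}

# Command-line use: audit_perms.sh /usr /opt ...
if [ $# -gt 0 ]; then
    umask_compliant "$(umask)" || echo "WARN: umask $(umask) is not 022 or 027"
    for d in "$@"; do
        echo "== $d: $(count_world_writable "$d") world-writable file(s)"
        echo "== $d: $(count_setid_nonowner_writable "$d") setUID/setGID file(s) writable by non-owner"
        echo "== $d: setUID/setGID inventory"
        list_setid "$d"
    done
fi
```

The umask check only sees the calling shell; the control is about the value every user inherits, which lives in the system-wide profile (and in /etc/security/user on AIX), so run the script under a fresh login shell or check those files directly. The setUID inventory is meant to be diffed against the previous run, which is how "unauthorized programs removed" becomes a detectable event rather than a one-off cleanup.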
Platforms: AIX / SUSE Linux / Solaris / HP-UX (one row applies to SUSE Linux / Solaris / HP-UX only, one to AIX / Solaris / HP-UX only). Control IDs in extraction order: AIX 1918 / SUSE 1273 / Solaris 2380; SUSE 1322 / Solaris 2437; AIX 1928 / Solaris 2421; AIX 1978 / Solaris 2418; AIX 1974 / Solaris 2425; AIX 1979 / SUSE 1309 / Solaris 2426; AIX 1982 / SUSE 1310 / Solaris 2428; AIX 1984 / SUSE 1318 / Solaris 2434; AIX 1962 / Solaris 2420; AIX 1963 / Solaris 2430; AIX 1965 / SUSE 1307 / Solaris 2424; AIX 1969 / Solaris 2427; AIX 1970 / SUSE 1297 / Solaris 2433; 1977; SUSE 1331; AIX 1940. Source for every row is Brabeion unless noted.

- Auditing, Logging and Monitoring: Available disk or file system capacity should be monitored. Base build: yes.
- System Configuration: The automount daemon should not be running unless there is a documented operational or business need.
- Auditing, Logging and Monitoring: The Berkeley r-services (e.g., rexec, rlogin, rsh) should be disabled unless there is a documented business or operational need for their use.
- System Configuration: The "rexd" daemon should be disabled.
- System Configuration: The "rstatd" service should be disabled.
- System Configuration: The "netstat" service should be disabled.
- System Configuration: The "rwall" service should be disabled.
- System Configuration: The "rusers" service should be disabled.
- System Configuration: The "systat" service should be disabled.
- System Configuration: The "uucp" service should be disabled.
- System Configuration: If Sendmail is not necessary for business purposes it should be disabled. If it is necessary, the latest version should be installed and it should be configured with the minimum amount of functionality. Base build: disabled.
- (ID 1977) System Configuration: If required, Network File Systems (NFS) should be exported to specific, authorized hosts.
- (SUSE 1331) System Configuration: The SNMP server should be disabled if it is not being used for remote management. If SNMP is used, the default PUBLIC community name should be changed.
- Brabeion / IBM / Novell / TRMIS (AIX 1940). File System Access and Management: The standard job scheduling programs "cron" and "at" should be available only to specifically authorized users. Base build: yes.

Base build values recorded for the service rows of this block (row alignment not preserved): no, yes, yes, yes, yes.
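Three NFS export controls appear so far (export read-only, never with the root= option, and only to specific authorized hosts), and a later row adds that hosts must be fully qualified. The checker below is an added example rather than anything from the guideline. It parses Linux/SUSE exports(5) syntax, where the equivalent of the root= option is no_root_squash; AIX /etc/exports (-ro, -root=) and Solaris share(1M) (-o ro,root=) use different syntax and would need their own parser. The sample exports file is constructed, and the findings wording is mine.

```shell
#!/bin/sh
# check_exports.sh: added example for the NFS export controls (read-only,
# no root= option, specific authorized hosts, fully qualified hostnames).
# Not part of the guideline. Parses Linux/SUSE exports(5) syntax only; the
# root= equivalent there is the no_root_squash option. Sample is constructed.

# Read exports(5)-style lines on stdin and print one finding per line;
# compliant entries produce no output.
check_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    {
        path = $1
        if (NF == 1) {                      # "/srv/x" alone: every host
            print path ": no client list, exported to every host"
            next
        }
        for (i = 2; i <= NF; i++) {
            spec = $i; host = spec; opts = ""
            if (match(spec, /\(.*\)$/)) {   # split the host(opt,opt) form
                host = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            if (host == "" || host ~ /[*?]/)
                print path ": " spec ": wildcard client, export to specific hosts"
            else if (host !~ /\./ && host !~ /^[0-9]/ && host !~ /^@/)
                print path ": " spec ": unqualified hostname"
            n = split(opts, o, ",")         # default (no rw) is read-only
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")
                    print path ": " spec ": read-write export, use ro unless required"
                if (o[j] == "no_root_squash")
                    print path ": " spec ": no_root_squash gives remote root (root= equivalent)"
            }
        }
    }'
}

# Number of findings, so a build check can fail on a non-zero result.
count_export_findings() {
    check_exports | wc -l | tr -d ' '
}

# Constructed sample, not a real exports file.
SAMPLE_EXPORTS='# constructed sample
/srv/ro     nfs1.example.com(ro,sync)
/srv/rw     *(rw,no_root_squash)
/srv/short  nfs2(ro)
/srv/all
'

# With no argument check the sample, otherwise the given file (e.g. /etc/exports).
if [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_EXPORTS" | check_exports
else
    check_exports < "$1"
fi
```

Run against the sample it reports five findings: the wildcard, rw and no_root_squash on /srv/rw, the unqualified name nfs2, and the empty client list on /srv/all. The "unqualified hostname" test is deliberately loose (anything with a dot, an IP/CIDR prefix, or a @netgroup passes); tighten it to your domain suffix once you know it.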
Platforms: AIX / SUSE Linux / Solaris / HP-UX (one row AIX / Solaris / HP-UX only). Base build values are attached in extraction order.

- Brabeion / TRMIS (AIX 1944). All SUID and SGID programs should be inventoried and unauthorized programs removed. Base build: no.
- CIS/NSA. System Configuration: Enable stack protection. Base build: no.
- CIS/NSA. System Configuration: In order to make remote session hijacking attacks more difficult, a stronger (unpredictable) TCP initial sequence number generation scheme should be used. Base build: no.
- CIS/NSA. Password Management: (statement missing from the source). Base build: no.
- IBM. System Configuration: Desktop software, such as CDE, GNOME, or KDE, should not be installed on servers. Base build: yes.
- IBM. User Accounts: UNIX System Administrators must switch user (su) to root from their own user ID when superuser privileges are required. Base build: yes.
- IBM. Password Management: Anonymous root login must be allowed only from the system console, for emergency purposes.
- IBM. Password Management: The maximum password age should be set in accordance with corporate security standards and guidelines.
- IBM/TRMIS (SUSE 1333). Password Management: The minimum password age should be set in accordance with corporate standards. Base build: yes.
- TRMIS. File System Access and Management: Ensure all files in the /dev or /devices directory are special files. Base build: yes.
- TRMIS. File System Access and Management: Ensure that there are no unexpected special files outside /dev or /devices. Base build: yes.
- TRMIS. File System Access and Management: Remove, or restrict to read-only access, the root account's .exrc and/or .vimrc file. Base build: yes.
- TRMIS. User Accounts: An authorized-use message must be displayed at login. Non-essential system information, such as the O/S and/or patch level, must not be displayed pre-login. Base build: yes.
- TRMIS. User Accounts / Password Management: Only one account with superuser privilege is permitted per TDBFG system. No UID 0 accounts other than root may exist. Base build: yes.
- TRMIS. Additional Applications and Services: Install the eTrust Access Control for UNIX agent and enable the agent service. Base build: no.

Control IDs carried at the foot of this page, in extraction order (row alignment not preserved): SUSE 1303 / Solaris 2409; AIX 1922 / SUSE 1280 / Solaris 2386; AIX 1926 / SUSE 1279 / Solaris 2383; AIX 1919 / SUSE 1275 / Solaris 2384; AIX 1923 / Solaris 2387; AIX 1995 / SUSE 1325 / Solaris 2443; AIX 1956 / SUSE 1302 / Solaris 1408; AIX 1991 / SUSE 1312 / Solaris 2439; AIX 1976 / SUSE 1296 / Solaris 2429; AIX 1950 / SUSE 1304 / Solaris 2410; AIX 1929 / SUSE 1283 / Solaris 2391; AIX 1951 / SUSE 1320 / Solaris 2411; AIX 1931 / SUSE 1274. Platforms: AIX / SUSE Linux / Solaris / HP-UX (two rows SUSE Linux / Solaris / HP-UX only).
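The "only one UID 0 account" control is a one-line check over passwd(5), and the same file answers two related questions: whether any account has an empty password field (the later "all user accounts should have passwords" row) and whether two names share a UID, which makes audit trails ambiguous. The script below is an added example, not part of the guideline; the passwd/shadow field layout is standard and the sample records are constructed.

```shell
#!/bin/sh
# audit_accounts.sh: added example for the "no UID 0 accounts other than
# root" control above; also covers "all user accounts should have passwords"
# and flags shared UIDs. Not part of the guideline; the passwd(5)/shadow(5)
# layout is standard, the sample records are constructed.

# Print UID 0 accounts whose name is not root (passwd on stdin).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print "uid: name name" for every UID shared by more than one account.
duplicate_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }'
}

# Print accounts whose password field is empty, i.e. login with no password
# at all (passwd or shadow on stdin). "x" means the hash is in shadow and
# "!" or "*" means locked; neither is reported.
empty_password() {
    awk -F: '$2 == "" { print $1 }'
}

# Constructed sample, not from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob::1002:100:Bob:/home/bob:/bin/sh
carol:x:1001:100:Carol:/home/carol:/bin/sh
'

# With no argument audit the sample; otherwise audit the given passwd file
# (run empty_password over /etc/shadow too where hashes live there).
f=${1:-}
run() { if [ -n "$f" ]; then "$1" < "$f"; else printf '%s' "$SAMPLE_PASSWD" | "$1"; fi; }
echo "UID 0 accounts other than root:"; run extra_uid0
echo "Shared UIDs:";                    run duplicate_uids
echo "Accounts with empty password:";   run empty_password
```

On the sample this reports toor as a second UID 0 account, bob as having no password, and two shared UIDs (0 and 1001). On AIX the hash field is in /etc/security/passwd rather than shadow, so the empty-password check there needs that file's stanza format instead.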
Source for the rows in this block is Brabeion, with TRMIS recorded against some rows (the extraction does not preserve which). Platforms: AIX / SUSE Linux / Solaris / HP-UX (one row SUSE Linux / Solaris / HP-UX only).

- Auditing, Logging and Monitoring: All audit files should be archived and purged in accordance with corporate standards. Base build: yes.
- Auditing, Logging and Monitoring: Trust relationships should be evaluated regularly. Any relationships that do not serve a business or operational purpose should be removed.
- Auditing, Logging and Monitoring: The server should only run software that supports documented business or operational needs.
- Auditing, Logging and Monitoring: An audit data reduction tool should be used to facilitate log review.
- User Management: Only users who require domain-wide access should be listed in the NIS/NIS+ password file.
- Password Management: Default passwords supplied with software packages should be changed upon installation. In addition, these passwords should be complex and conform to corporate security standards and guidelines.
- User Accounts: User accounts should not be shared among multiple users.
- System Configuration: If it is necessary to run NIS as opposed to NIS+, NIS clients should be configured to use server-list mode.
- Password Management: The root user should not be included in the NIS or NIS+ password file.
- Auditing, Logging and Monitoring: System activities should be adequately logged and reviewed in accordance with corporate standards.
- Password Management: The password for the root account maintained on each server should be unique and changed in accordance with corporate standards.
- Password Management: The password file should not be distributed using NIS unless there is a documented operational or business need.
- Auditing, Logging and Monitoring: User access to data and executables should be audited in accordance with corporate policy.
- File System Access and Management: Write access to terminals should be restricted.
- System Configuration: The latest security patches and any recommended maintenance must be applied according to corporate standards. Patches and maintenance must be verified and tested before being applied.
- Additional Applications and Services: Symantec Enterprise Security Manager (ESM) should be installed. The ESM agent service should be enabled on all PROD servers.
- User Accounts: To ensure a controlled environment with auditing and management capabilities for the creation, modification and deletion of UNIX system logon IDs, UNIX access requests must be submitted by the Divisional Signature Authority (DIVSIG1) using the UNIX Access Request Form.
- User Accounts: To ensure each group can be uniquely identified, GIDs must be requested through security operations. This unique GID is to be used on all required UNIX servers.
- The NIS domain name should not be easily guessable.
- Auditing, Logging and Monitoring: Repeated login failures (5 or more) over 15 minutes must generate an alert in real time to the 7/24 Operations monitoring team for action or page-out to the Technology Response Management team. Regular reviews of the logs must be conducted to monitor for abnormal activity.
- User Accounts: Unnecessary default groups should be disabled or removed.
- System Configuration: File systems should only be exported to fully qualified hostnames.
- User Management: Vendor accounts should be disabled after each specific instance of service.
- Auditing, Logging and Monitoring: Security configuration file changes should be monitored in accordance with corporate standards. Unauthorized changes to security configuration files should be investigated.
- File System Access and Management: Public directories, such as /tmp/, should have restrictions to protect files located within them from deletion by users other than their owners.
- File System Access and Management: Access to application data and programs should be restricted based on the user's business requirements. Role-based access control should be used, granting access based on the principle of least privilege.
- File System Access and Management: Sensitive operating system files and directories should be secured against unauthorized access.
- System Configuration: A legal notice and warning should be implemented in order to provide adequate protection and awareness of legal issues.
- Password Management: All user accounts should have passwords.
- Auditing, Logging and Monitoring: Authorized password "cracking" programs should be periodically run to validate adherence to corporate password policy.
- System Configuration: Access to the File Transfer Protocol (FTP) server should be restricted by user.
- Password Management: NIS+ servers should operate at security level 2 (as opposed to running in NIS compatibility mode).
- System Configuration: If the UNIX system is being used as a DNS server, only a recent version of the DNS software (BIND) should be used. UNIX DNS servers should be single-purpose and should have other services disabled.
- File systems should not be exported outside the administrative scope of the system. Base build: yes.

Base build values and qualifiers recorded in this block, in extraction order (row alignment not preserved): yes; yes; yes; no; no; -; yes; yes; yes; yes; yes; no; no; no; yes *; yes only if ssh key auth is not used; yes *; yes (when FTP enabled); yes (No NIS in AIX); yes *; yes. Control IDs: AIX 1955 / SUSE 1300 / Solaris 2406; AIX 1925 / SUSE 1278 / Solaris 2382; AIX 1994; AIX 1992; AIX 1967 / SUSE 1294 / Solaris 2417; SUSE 1317 / Solaris 2444; AIX 1924 / SUSE 1272 / Solaris 2388; AIX 1935 / SUSE 1287 / Solaris 2396; AIX 1937 / SUSE 1271 / Solaris 2397; AIX 1945 / SUSE 1291 / Solaris 2401; AIX 1972 / SUSE 1311 / Solaris 2431; AIX 1954 / Solaris 2404; AIX 1917 / SUSE 1282 / Solaris 2390; AIX 1980 / SUSE 1339 / Solaris 2413; AIX 1959 / SUSE 1321 / Solaris 2405; AIX 1971 / Solaris 2414; AIX 1936 / SUSE 1289 / Solaris 2398.
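The login-failure row above states a concrete detection rule: five or more failures for one account inside a 15-minute window must raise a real-time alert. The script below is an added example of that rule, not part of the guideline. It reads syslog-style OpenSSH "Failed password for ..." lines, keeps a sliding window per user and alerts once per user when the threshold is crossed. The sample lines are constructed; the timestamp arithmetic assumes all lines come from one day, which is enough for a 15-minute window but would need a date-aware parser for a multi-day log.

```shell
#!/bin/sh
# alert_login_failures.sh: added example for the "repeated login failures
# (5 or more) over 15 minutes must generate a real-time alert" control. Not
# part of the guideline. Reads OpenSSH "Failed password for" syslog lines;
# the sample is constructed and all lines are assumed to be from one day.

# Usage: alert_login_failures [THRESHOLD] [WINDOW_SECONDS] < logfile
# Prints "ALERT user=<u> failures=<n> at=<time>" the first time a user
# accumulates THRESHOLD failures within WINDOW_SECONDS (defaults 5, 900).
alert_login_failures() {
    awk -v threshold="${1:-5}" -v window="${2:-900}" '
    # seconds since midnight from the HH:MM:SS in field 3
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /Failed password for/ {
        # "... for alice from ..." or "... for invalid user bob from ..."
        user = ""
        for (i = 1; i <= NF; i++)
            if ($i == "for") { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1); break }
        if (user == "") next
        now = secs($3)
        n[user]++; ts[user, n[user]] = now
        c = 0                                 # failures still inside the window
        for (k = 1; k <= n[user]; k++) if (now - ts[user, k] <= window) c++
        if (c >= threshold && !(user in alerted)) {
            alerted[user] = 1
            print "ALERT user=" user " failures=" c " at=" $3
        }
    }'
}

# Constructed sample: alice fails five times in under five minutes, carol
# fails five times but twenty minutes apart (never five in one window).
SAMPLE_LOG='Apr 10 09:00:05 srv1 sshd[2201]: Failed password for alice from 10.1.2.3 port 51000 ssh2
Apr 10 09:01:10 srv1 sshd[2202]: Failed password for alice from 10.1.2.3 port 51001 ssh2
Apr 10 09:02:15 srv1 sshd[2203]: Failed password for alice from 10.1.2.3 port 51002 ssh2
Apr 10 09:03:20 srv1 sshd[2204]: Failed password for alice from 10.1.2.3 port 51003 ssh2
Apr 10 09:03:30 srv1 sshd[2205]: Accepted password for alice from 10.1.2.3 port 51004 ssh2
Apr 10 09:04:25 srv1 sshd[2206]: Failed password for alice from 10.1.2.3 port 51005 ssh2
Apr 10 10:00:00 srv1 sshd[2301]: Failed password for invalid user carol from 10.9.9.9 port 40000 ssh2
Apr 10 10:20:00 srv1 sshd[2302]: Failed password for invalid user carol from 10.9.9.9 port 40001 ssh2
Apr 10 10:40:00 srv1 sshd[2303]: Failed password for invalid user carol from 10.9.9.9 port 40002 ssh2
Apr 10 11:00:00 srv1 sshd[2304]: Failed password for invalid user carol from 10.9.9.9 port 40003 ssh2
Apr 10 11:20:00 srv1 sshd[2305]: Failed password for invalid user carol from 10.9.9.9 port 40004 ssh2
'

# With no file argument run over the sample; otherwise over the given log.
if [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_LOG" | alert_login_failures
else
    alert_login_failures 5 900 < "$1"
fi
```

Against the sample the only alert is for alice at 09:04:25; carol's slow attempts never put five failures into one 15-minute window, which is exactly the case a naive per-hour count would miss or over-report. Feeding the script with `tail -f` on the auth log gives the real-time behaviour the control asks for; the alert line is what you hand to the paging integration.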
AIX Specific Controls

Platform: AIX. Columns: Source, Control ID, Section or Category, Control Statement, Base Build, Reason for control not in baseline build, Semi Harden, Fully Harden.

Brabeion rows (IDs 1934, 1949, 1960, 1961, 1987; 1988 is Brabeion / TRMIS):
- Auditing, Logging and Monitoring: If the system administrator relies exclusively on the auditing functionality of AIX, then the /etc/security/audit/config file should contain a list of the users being audited as well as the level of auditing associated with each user. Base build: no.
- NFS v4 may be enabled on AIX 5.3 systems to increase NFS security. Base build: no.
- Security Configuration Controls: Enable sedmgr on AIX 5.3 to prevent execution of code on the stack. Base build: no.
- System Configuration: Telnet banners should not reveal system information.
- User Accounts: Temporary accounts should be disabled if not in use.
Reasons recorded for the rows not in the baseline build (row alignment not preserved): "We have not looked at this option"; "On hardening the NFS function is disabled, but there is no" (cut off in the source).

IBM rows (Source IBM; the Network Security rows are IBM/TRMIS). Values are Base Build / Semi Harden / Fully Harden.
- User Accounts: To ensure each end user can be uniquely identified, assign each end user the same UID consistently on all required UNIX servers. Refer to the Access Request Portal for the Unix Access Request Form (UARF). yes / yes / yes.
- System Configuration: New installations should be backed up and stored in a secure location. TSM or NIM backed up (all three columns).
- System Configuration: The "discard" service should be disabled. yes / yes / yes.
- System Configuration: The "dtspc" service should be disabled. yes / yes / yes.
- System Configuration: The "bootps" service should be disabled. no / yes / yes.
- System Configuration: The "comsat" service should be disabled. yes / yes / yes.
- System Configuration: The "ftp" service should be disabled. yes / yes / yes.
- System Configuration: The "i4ls" service should be disabled, for production machines only. yes / yes / yes.
- System Configuration: The "uprintfd" service should be disabled. no / no / no.
- System Configuration: The "writesrv" service should be disabled. yes / yes / yes.
- System Configuration: Use an alias for the "ls" command to show hidden files and characters in a file name. no / no / no.
- System Configuration: Use an alias for the "rm" command to avoid accidentally deleting files from the system. no / no / no.
- Network Security: "bcastping" should be disabled. yes / yes / yes.
- Network Security: "clean_partial_conns" should be enabled. no / no / no.
- Network Security: "directed_broadcast" should be disabled. yes / yes / y es.
- Network Security: "icmpaddressmask" should be disabled. yes / yes / yes.
- Network Security: "ipforwarding" should be disabled. yes / yes / yes.
- Network Security: "ipignoreredirects" should be enabled. no / no / no.
- Network Security: "ipsendredirects" should be disabled. no / no / no.
- Network Security: "ip6srcrouteforward" should be disabled. no / no / no.
- Network Security: "ipsrcrouteforward" should be disabled. no / no / no.
- Network Security: "ipsrcrouterecv" should be disabled. yes / yes / yes.
- Network Security: "ipsrcroutesend" should be disabled. no / no / no.
- Network Security: "nonlocsroute" should be disabled. yes / yes / yes.
- Network Security: "tcp_pmtu_discover" should be disabled. no / no / no.
- Network Security: "udp_pmtu_discover" should be disabled. no / no / no.
One further set of values (yes / no / no) appears in the source without a statement.
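The fourteen Network Security rows are all AIX network tunables read and set with no(1). The script below is an added example, not part of the guideline: it compares a captured "no -a" listing (fed on stdin) against the values the table calls for, so the check can run offline against a file collected from the server, and prints one line per deviation or missing tunable. The sample listing is constructed. The remediation named in the usage note, "no -p -o name=value", is the AIX command that applies a value now and records it for the next boot; treat it as an assumption to confirm against your AIX level.

```shell
#!/bin/sh
# check_no_tunables.sh: added example for the AIX Network Security rows in
# the table above. Not part of the guideline. Compares "no -a" output on
# stdin with the values the table requires; the sample output is constructed.

# Required values, taken from the table: 1 = enabled, 0 = disabled.
EXPECTED_NO='bcastping=0
clean_partial_conns=1
directed_broadcast=0
icmpaddressmask=0
ipforwarding=0
ipignoreredirects=1
ipsendredirects=0
ip6srcrouteforward=0
ipsrcrouteforward=0
ipsrcrouterecv=0
ipsrcroutesend=0
nonlocsroute=0
tcp_pmtu_discover=0
udp_pmtu_discover=0'

# Read "no -a" output ("   name = value" per line) on stdin. Print
# "name current expected" for each deviation and "name missing expected"
# for a tunable absent from the listing.
check_no_tunables() {
    awk -v expected="$EXPECTED_NO" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, "="); want[kv[1]] = kv[2] }
    }
    /=/ { gsub(/[ \t]/, ""); split($0, kv, "="); have[kv[1]] = kv[2] }
    END {
        for (name in want) {
            if (!(name in have)) print name " missing " want[name]
            else if (have[name] != want[name]) print name " " have[name] " " want[name]
        }
    }'
}

# Number of deviations, for a pass/fail build check.
count_no_deviations() {
    check_no_tunables | wc -l | tr -d ' '
}

# Constructed sample of "no -a" output with three non-compliant values.
SAMPLE_NO='           bcastping = 0
 clean_partial_conns = 0
  directed_broadcast = 0
     icmpaddressmask = 0
        ipforwarding = 1
   ipignoreredirects = 1
     ipsendredirects = 0
  ip6srcrouteforward = 0
   ipsrcrouteforward = 0
      ipsrcrouterecv = 0
      ipsrcroutesend = 0
        nonlocsroute = 0
   tcp_pmtu_discover = 1
   udp_pmtu_discover = 0
'

# With no argument check the sample; otherwise a captured file
# (on the server itself: no -a | check_no_tunables).
if [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_NO" | check_no_tunables
else
    check_no_tunables < "$1"
fi
```

On the sample it reports clean_partial_conns, ipforwarding and tcp_pmtu_discover. Each deviation line is in the shape a remediation loop can consume: `no -p -o ipforwarding=0` for the second field, with the third field as the target value. Note that the table's Base Build column says "no" for several of these rows, so a deviation report against the full list is the Fully Harden target, not the baseline.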
SUSE Linux Specific Controls

Platform: SUSE Linux. Columns: Source, Control ID, Section or Category, Control Statement, Base Build, Reason for control not in baseline build, Semi Harden, Fully Harden.

Brabeion rows (IDs in extraction order: 1341, 1344, 1345, 1334, 1340, 1323):
- File System Access and Management: Anonymous and unauthenticated access should not be enabled for Samba file shares.
- Password and Account Management: LDAP should be configured to use encryption to protect system authentication information from unauthorized access.
- Password and Account Management: The LDAP bind passwords should be protected from unauthorized access.
- Server Configuration: The DES encryption algorithm should not be used for system password hashing.
- Server Configuration: Credentials (usernames and passwords) for Windows file shares should not be stored in /etc/fstab for automounting Samba/Windows shares.
- System Configuration: X Windows servers should not be running on SuSE servers unless there is a documented business or operational need. If graphical user interfaces are required, X Windows should be tunnelled through SSH.
Base Build / Semi Harden / Fully Harden values for these rows, as extracted (alignment not preserved): no no; no no; no no no no; yes yes; yes yes; yes yes yes yes; yes yes yes yes.

Novell rows (IDs 1337, 1338):
- User Management: The sudo command should be used to restrict access to root privileges. Base build: yes.
- User Management: The ability to su to root should be limited to users who are authorized to have root access. Base build: yes.
- System Configuration: The "IMAP" service should be disabled. Base build: yes.
- System Configuration: The "POP" service should be disabled. Base build: yes.
- System Configuration: GUI login should be disabled. Users should log in via SSH or a normal text-based console. Base build: yes.
- System Configuration: NFS server and client processes should be disabled. Base build: unless there is a business requirement.
- System Configuration: NIS server and client processes should be disabled. Base build: unless there is a business requirement.
Semi Harden and Fully Harden: yes for every Novell row where recorded.
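Two of the SUSE rows above can be checked from files alone: whether any account still carries a DES password hash, and whether /etc/fstab embeds Samba credentials in mount options. The script below is an added example, not from the guideline. The hash-format conventions are those of crypt(3) (no "$id$" prefix and 13 characters means traditional DES; $1$ is MD5, $5$ SHA-256, $6$ SHA-512, $2..$ bcrypt), and the credentials= option that points at a root-only file is named in the usage note as the assumed replacement for inline username=/password=. Both sample files are constructed.

```shell
#!/bin/sh
# audit_suse_creds.sh: added example for the SUSE "no DES password hashing"
# and "no Samba credentials in /etc/fstab" controls. Not part of the
# guideline; hash prefixes follow crypt(3), samples are constructed.

# Read shadow(5) records on stdin and print "user scheme" for each.
shadow_hash_schemes() {
    awk -F: '{
        h = $2; s = "other"
        if (h == "")                                   s = "empty"
        else if (substr(h, 1, 1) == "!" || substr(h, 1, 1) == "*") s = "locked"
        else if (substr(h, 1, 3) == "$6$")             s = "sha512"
        else if (substr(h, 1, 3) == "$5$")             s = "sha256"
        else if (substr(h, 1, 3) == "$1$")             s = "md5"
        else if (substr(h, 1, 2) == "$2")              s = "bcrypt"
        else if (length(h) == 13 && h ~ /^[A-Za-z0-9.\/]+$/) s = "des"
        print $1 " " s
    }'
}

# Users whose hash is traditional DES (the control forbids it).
des_users() {
    shadow_hash_schemes | awk '$2 == "des" { print $1 }'
}

# Read fstab(5) on stdin; print "device mountpoint" for cifs/smbfs entries
# whose options carry an inline username=/password= (readable by anyone who
# can read /etc/fstab). Commented lines are ignored.
fstab_inline_credentials() {
    awk '/^[ \t]*#/ { next }
         ($3 == "cifs" || $3 == "smbfs") && $4 ~ /(^|,)(username|password|pass|user)=/ { print $1 " " $2 }'
}

# Constructed samples, not from a real system.
SAMPLE_SHADOW='root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef:15000:0:99999:7:::
legacy:ab7rBq7Dkv9yA:15000:0:99999:7:::
svc:$1$abcdefgh$ijklmnopqrstuvwxyz012:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
guest::15000:0:99999:7:::
'
SAMPLE_FSTAB='/dev/sda1    /           ext3  defaults                                 1 1
//fs1/share  /mnt/share  cifs  username=svc,password=Secret1,uid=1000   0 0
//fs1/data   /mnt/data   cifs  credentials=/etc/samba/cred.fs1,uid=1000 0 0
# //fs2/old  /mnt/old    cifs  username=x,password=y                    0 0
'

echo "Password hash schemes:";       printf '%s' "$SAMPLE_SHADOW" | shadow_hash_schemes
echo "DES users:";                   printf '%s' "$SAMPLE_SHADOW" | des_users
echo "fstab inline credentials:";    printf '%s' "$SAMPLE_FSTAB"  | fstab_inline_credentials
```

On the live system run `shadow_hash_schemes < /etc/shadow` and `fstab_inline_credentials < /etc/fstab` as root. A DES finding is fixed by setting the hash scheme in the PAM/login configuration and forcing a password change, since existing hashes cannot be converted; an fstab finding is fixed by moving the username and password into a mode 600 file referenced with credentials=.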
Solaris Specific Controls

Platform: Solaris. Sources: Brabeion (IDs 2423, 2432) and CIS/NSA. Two sets of columns are recorded: Current State (Base Build, Reason for control not in baseline build, Semi Harden, Fully Harden) and Future State (Base Build, Reason for control not in baseline build, Fully Harden). Categories are attached in extraction order.

- Brabeion (2423). System Configuration: An EEPROM password should be used on the server. Current base build: no. Reason: sending this password poses a huge operational risk. Semi / Fully Harden: no / no.
- Brabeion (2432). System Configuration: The verify and expn commands within sendmail should be disabled. Current base build: yes. Note recorded: the sendmail daemon is not allowed. Semi / Fully Harden: yes / yes.
- CIS/NSA. Auditing, Logging and Monitoring: System accounting should be enabled. Current base build: no. Reason: it is a huge performance and log management issue. Semi / Fully Harden: no / no.
- CIS/NSA. A default locking screensaver timeout should be set. Reason recorded: "are we using Solaris as a desktop". Semi / Fully Harden: no / no.
- CIS/NSA. File System Access and Management: Disable "nobody" access for secure RPC.
- CIS/NSA. File System Access and Management: Restrict NFS client requests to privileged ports.
- CIS/NSA. System Configuration: Set EEPROM security-mode and log failed access.
- CIS/NSA. System Configuration: The "printer" service should be disabled.
- The "rquotad" service should be disabled. Current base build / Semi / Fully: yes / yes / yes.
- OpenWindows servers should not be running unless there is a documented business or operational need. Current base build / Semi / Fully: yes / no / no.

Current base build values recorded for the four rows from "nobody" access to "printer" (in order, alignment not preserved): yes, yes, yes, no. Future State values as extracted: yes, yes, yes, no, no, N/A, N/A, yes, yes, yes, yes, yes, no, yes / no, yes / no.
HP-UX Specific Controls

Platform: HP-UX. Columns: Source, Control ID, Section or Category, Control Statement, Base Build, Reason for control not in baseline build, Fully Harden.

- System Configuration: The "printer" service should be disabled. Base build: yes. Reason for control not in baseline build: could be a business requirement for printer services. Fully Harden: no.
- Password Management: Passwords should not include standard UNIX words.
- System Configuration: Desktop software, such as CDE, GNOME, or KDE, should not be installed on servers. yes / yes.
- Password Management: The minimum password age should be set in accordance with corporate standards. yes / yes.
- System Configuration: The "rquotad" service should be disabled.
- The "auth" service should be disabled.
- The "shell" service should be disabled.
- The "ncpmd" service should be disabled.
- The "dtspcd" service should be disabled.
- Enable inetd logging by adding "export INETD_ARGS=-l" to /etc/rc.config.d/netdaemons.
- Disable syslogd from listening on the network by modifying /etc/rc.config.d/syslogd.
- Remove or lock unneeded pseudo accounts (nuucp, mysql, uucp, hpdb, lp, www, daemon).
- Tighten global privileges on chown.
- Configure nsswitch.conf to not be DNS resolver (chmod 444 /etc/nsswitch.conf).
- Disable the rpcbind daemon.
- Disable pwgrd (the password and group caching daemon).
- The "bootps" service should be disabled.
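Most of the "service X should be disabled" rows in this document (the Berkeley r-services, rexd, rstatd, rwall, rusers, systat and uucp in the common section, discard, dtspc, bootps, comsat, ftp, uprintfd and writesrv on AIX, auth, shell, ncpmd, dtspcd and bootps on HP-UX, IMAP and POP on SUSE) are inetd services, so one audit of inetd.conf covers them. The script below is an added example, not part of the guideline: it reads an inetd.conf(4)-style file, reports the banned services that are still active, and emits a copy with those lines commented out for review. The banned list is built from the control statements with the inetd names the r-services use (exec, login, shell) and both RPC spellings for rwall/rusers; the sample configuration is constructed. Reload commands named in the usage note (refresh -s inetd on AIX, inetd -c on HP-UX) are from memory and should be confirmed against the platform manual.

```shell
#!/bin/sh
# audit_inetd.sh: added example for the inetd service-disable rows in the
# common, AIX, SUSE and HP-UX sections. Not part of the guideline. Reads an
# inetd.conf(4)-style file on stdin; the banned list is derived from the
# control statements and the sample file is constructed.

# Service names from the controls. rexec/rlogin/rsh appear in inetd.conf as
# exec/login/shell; rwall and rusers are RPC services spelled rwalld/walld
# and rusersd depending on platform; POP is usually pop3.
BANNED_SERVICES='exec login shell rexd rstatd netstat rwalld walld rusersd
systat uucp discard dtspc dtspcd bootps comsat ftp uprintfd writesrv auth
ncpmd imap pop3 printer rquotad'

# Print "service handler" for each active (uncommented, well-formed) line
# whose service name, minus any Solaris "/version" suffix, is banned.
active_banned_services() {
    awk -v banned="$BANNED_SERVICES" '
    BEGIN { n = split(banned, b, /[ \t\n]+/); for (i = 1; i <= n; i++) ban[b[i]] = 1 }
    /^[ \t]*#/ || NF < 6 { next }
    { svc = $1; sub(/\/.*$/, "", svc); if (svc in ban) print svc " " $6 }'
}

# Copy inetd.conf from stdin to stdout with banned active lines commented
# out, so the change can be diffed before it is installed.
disable_banned() {
    awk -v banned="$BANNED_SERVICES" '
    BEGIN { n = split(banned, b, /[ \t\n]+/); for (i = 1; i <= n; i++) ban[b[i]] = 1 }
    /^[ \t]*#/ || NF < 6 { print; next }
    { svc = $1; sub(/\/.*$/, "", svc); if (svc in ban) print "#" $0; else print }'
}

# Constructed sample mixing BSD-style and Solaris RPC-style entries.
SAMPLE_INETD='# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/sbin/ftpd    ftpd
telnet  stream tcp nowait root /usr/sbin/telnetd telnetd
#shell  stream tcp nowait root /usr/sbin/rshd    rshd
login   stream tcp nowait root /usr/sbin/rlogind rlogind
exec    stream tcp nowait root /usr/sbin/rexecd  rexecd
discard stream tcp nowait root internal
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
sshd    stream tcp nowait root /usr/sbin/sshd    sshd -i
'

# With no argument audit the sample; otherwise the given inetd.conf.
if [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_INETD" | active_banned_services
else
    active_banned_services < "$1"
fi
```

On the sample the audit lists ftp, login, exec, discard and rstatd; the commented-out shell entry and the non-banned telnet and sshd lines are left alone. A typical change is `disable_banned < /etc/inetd.conf > /tmp/inetd.conf.new`, a diff against the original, then installing the file and signalling inetd (refresh -s inetd on AIX, inetd -c on HP-UX). The HP-UX row that adds INETD_ARGS=-l is complementary: with logging on, any connection to a service you forgot to remove shows up in syslog.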