Professional Documents
Culture Documents
ht
rig
ull
f
ns
Securing Tru64 Unix
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
A Guide for the GIAC Agency
or
th
Au
2,
00
-2
Bobbi Spitzberg
00
20
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 1 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Overview
Executive Summary
s.
ht
rig
The plan for securing any host begins with determining how the host will
be used. The primary use of the machine described in this paper will be
ull
as the Tru64 Unix host in a Security Laboratory. The purpose of the
Security Lab is to test proof of concept for mitigation strategies for risk
f
management in the infrastructure for the GIAC Agency, Department of
ns
Health
Key and Human
fingerprint Services.
= AF19 FA27 It will
2F94 998D alsoDE3D
FDB5 be used
F8B5as06E4
a workstation
A169 4E46 for
tai
accessing a Major Application as defined by OMB Circular A-130,
Appendix III.
re
or
The operating system used on the backend database servers in the
th
production environment is Tru64 Unix. The version of Tru64 Unix
chosen for the lab machine is 5.1A, the most recent version released.
Au
This paper will serve as a guide for securing the production and
development servers as well as providing secure access to the both these
2,
environments.
00
-2
The security decisions made in this guide are based on general Security
Best Practices as taught in the SANS Institute Track 6 (Securing Unix),
00
Appendix S], specific Agency and Department security policies, and OMB
Circular A-130, Appendix III.
te
tu
Using the HHS system designation process, the Major Application was
sti
Page 1 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
certification. Therefore, emphasis will be given to the specifics for that
operating system.
Hardware
s.
The workstation being secured is a Compaq Alphaserver DS10 with the
ht
following hardware specifications:
rig
physical memory = 256.00 megabytes.
ull
COMPAQ AlphaStation XP900 617 MHz
f
DEC TULIP (10/100) Ethernet interface, hardware address 00-10-64-30-
ns
18-57
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
DEC TULIP (10/100) Ethernet interface, hardware address 00-10-64-30-
18-56
re
2 9 gigabyte internal disk drives
1 12 G/24 G DAT tape drive
or
th
Physical Security Au
2,
The host is located in an office. The access to the office area is restricted
00
The physical security will be increased when the office space has been
sti
Risk Analysis
SA
©
Since this machine has access through the application firewall to the
production servers, a successful compromise of this machine gains
Page 2 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
access to the production machines through the firewall. To reduce the
risk of a compromise, the machine will be shutdown at the end of the
day. Changing the root password or other compromises will be
minimized because of the protection offered by securing the SRM
console. Remote access will be severally limited by TCP wrappers. No
s.
remote root access will be allowed.
ht
rig
Because of its gateway function, this host needs to be very secure. We
are planning on installing a hardware firewall in front of this machine
ull
similar to those protecting the production servers.
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 3 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
OS Installation – Preparation
s.
Securing the SRM console
ht
rig
Before beginning the full installation, the host name and IP address
were registered with the local DNS server. [Fictitious network addresses
ull
and domains will be used in this paper.] The hostname is
f
sansproj.giac.dhhs.gov. The IP address is 172.29.126.142. The subnet
ns
mask
Key is 255.255.254.0
fingerprint = AF19 FA27and
2F94the gateway
998D is 172.29.126.1.
FDB5 DE3D An4E46
F8B5 06E4 A169 Ethernet
tai
cable was connected to tu0, but not connected to the Internet. The
machine is not to be connected to the Internet until it was hardened
re
sufficiently to risk that exposure.
or
The next step is to secure the SRM console. As described in the Security
th
Best Practices Evaluated Configuration paper cited in the References,
Au
there are two modes for the console – secure and user mode. User mode
allows access to all SRM commands. Secure mode only allows access to
2,
the following commands – start, continue, boot (only for the stored
00
parameters), and login. In secure mode, you cannot change the boot
-2
default device or boot from the CD-ROM without first successfully logging
in.
00
>>> login
In
>>> show devices (If the password has not been yet been entered,
Console is secure. Please login.
Key
>>> fingerprint
login = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Please enter the password:
>>> show devices
dka0.0.0.14.0 DKA0 (first internal disk)
Page 4 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
dkb100.1.0.14.0 DKB100 (second internal disk)
…
dqb0.0.1.13.0 DQB0 the CD-ROM
…
s.
ht
Firmware installation
rig
Place the firmware CD that was distributed with the Operating System
ull
CDs in the CD-ROM. A new version of firmware is always distributed
f
with an OS release. The firmware should be upgraded before the OS is
ns
installed or upgraded.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
>>> boot dqb0
re
The firmware update utility automatically determines the system type
or
and model. The instructions on the screen should be followed. The
th
firmware update should not be interrupted under any circumstances.
Au
Once it has completed the server is reset automatically. We are now
ready to begin the installation of the OS.
2,
00
>>> set auto_action halt [To return the machine to console prompt
after a system crash or power failure during installation. For a
sti
The installation for 5.x makes it easier to separate out /var from /usr, so
we will select that option during the installation process. It is also a Best
Practice to separate /tmp from the root domain and /var/tmp from /var.
By placing these mount points in a separate domain, we are reducing the
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
probability of host downtime because the root partition (if /tmp is left in
/) or /var fills up. If /var fills up, the process that log to /var will stop,
unless they have alternate places to log or other ways of handling this
Page 5 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
full fileset situation. The layout (sizes approximate) for the 2 9G disks
will be:
s.
swap 512MB /dev/disk/dsk0b swap (2 times
ht
RAM)
rig
/usr 2G /dev/disk/dsk0g usr_domain#usr
/var 2G /dev/disk/dsk0h var_domain#var
ull
/usr/local 2G /dev/disk/dsk0e
local_domain#local
f
ns
/tmp 1G /dev/disk/dsk0f tmp_domain#tmp
Key fingerprint
/home = AF19
2GFA27 2F94 998D FDB5 DE3D
/dev/disk/dsk1eF8B5 06E4 A169 4E46
tai
home_domain#home
re
/var/tmp 1G /dev/disk/dsk1f
vartmp_domain#vartmp
or
/var/log 1G /dev/disk/dsk1h
th
varlog_domain#varlog
Au
The flexibility of AdvFS allows us to easily add or remove space to the file
2,
domains if needed. We have left sufficient space on the second disk drive
00
(255.255.254.0,172.29.126.1) configured.
te
A full installation will be done. The network interfaces have already been
configured. We will select system subsets in addition to the mandatory
subsets. These include C2 security support (OSFC2SEC520 and
OSFXC2SEC520), OSFDCMTEXTxxx – to enable password triviality
checks, OSFINCLUDE520 – system header files needed for the
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
installation of security tools. These will be selectively installed after the
installation of the mandatory subsets. Please see Appendix A for a list of
the subsets installed. The mandatory subsets are in bold italics. Since
we will be doing some development on this machine as part of the lab,
Page 6 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
more subsets will be installed than there would be on a production
server.
s.
from the same device that was used for booting the firmware disk. (Login
ht
to the SRM console if you have not already done so.) The boot process
rig
can take several minutes. The time required depends on the hardware
complexity of the system.
ull
On systems with graphical displays, a window asking you to choose the
f
ns
language for the remainder of the installation will be displayed once the
Key fingerprint
system = AF19 FA27 2F94
has successfully 998D FDB5
rebooted. DE3D F8B5
The choices are06E4 A169
United 4E46
States
tai
English, Chinese, or Japanese. After the language is selected, the
re
Installation Welcome window is displayed. [See Appendix B]
or
If you prefer not to use the graphical user interface (gui), select the “Quit”
th
option from the file menu. You will then exit from this user interface.
Au
You will be at a root prompt. The command to proceed with the
command line interface is given below:
2,
00
# restart nogui
-2
We will assume that the gui is used for the installation. The process is
the same independent of whether the gui or command line interface is
00
used.
20
The next dialog box is the Host Information Dialog Box. [See Appendix
te
C.]
tu
sti
Proceed to set the time and date. The date is of the form mm dd [cc]yy.
The time is enter as hh mm where hh is entered using the 24-hour-clock
©
format. Use the pull down menus for setting area and location. This is
what sets the time zone.
After clicking on “Next”, you will proceed to the Set Root Password Dialog
Box.fingerprint
Key [Appendix D.] FA27
= AF19 The 2F94
root 998D
password
FDB5 must
DE3D be between
F8B5 6 and
06E4 A169 16
4E46
characters and should contain a combination of upper and lower case
letters. A minimum of one of the first characters must be a number, a
special character, or an upper case letter. This password will be changed
later as part of the Enhanced Security installation.
Page 7 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
We will now be choosing the Operating System Subsets to be installed.
[Appendix E contains the Software Selection Window.] It is important
not to install more subsets than is needed. The number one
vulnerability on the SANS Top Twenty list is the default installation of
s.
operating systems and applications. We do not want unnecessary
ht
services and ports available on the system for exploitation.
rig
There are two possible approaches at this point. We could proceed with
ull
a custom installation. If the Customize option is selected, be sure to
click on “Edit List” or you will get the Mandatory subsets without having
f
ns
the opportunity to select any optional subsets. Optional subsets
Key fingerprint
included = AF19
at this FA27
point 2F94be
would 998D FDB5
Perl, DE3DLSM,
AdvFS, F8B5 and
06E4the
A169 4E46
Kernel
tai
Debugging Tools. Some of the X demos are quite useful. We have used
re
cpuinfo in the past to very nicely show CPU utilization.
or
An alternate approach would be to do the mandatory installation and
th
manually add and delete subsets after the installation of the mandatory
Au
subsets completes. Instructions for doing this will be presented later is
this paper.
2,
00
The next selection is to choose the options that are to be built into the
kernel. Choose customize. [See Appendix G] These options will be
-2
The next step is to select the file system layout. [See Appendix H.] A
te
recommendation for laying out the disks has already been discussed.
tu
Choose “Customize File System Layout.” This gives you the opportunity
sti
to configure the disks and files systems as you choose. Since we will
In
need to relabel the disks, select “Edit Partitions from the “Custom File
System Layout” dialog box. [Appendix I.] It is best if an experienced
NS
the disk using the disklabel command. If this method is used then it is
not necessary to edit the disk partitions. This is the recommended
©
Separate
Key /var
fingerprint from FA27
= AF19 /usr 2F94
and 998D
selectFDB5
dsk0DE3D
and F8B5
the h06E4
partition for /var.
A169 4E46
Select dsk0 and the g partition for /usr. Root is always on the a
partition and we want it to be on dsk0. The file system type is AdvFS for
all. After the Operating System has been installed, we will separate /tmp
Page 8 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
from /, /var/tmp from /var, /var/log from /var, /usr/local from /usr
and create a home domain for user home directories.
s.
Click Next when the custom configuration is complete.
ht
rig
We now have the opportunity to check the choices we have made. When
satisfied that the Summary Box reflects your choices accurately, select
ull
Finish. You may choose to redo any previous settings by selecting it on
the Summary Box. [See Appendix J.]
f
ns
Key
Clickfingerprint
OK in the= AF19 FA27
Ready to2F94 998D
Begin FDB5 DE3D
Installation F8B5[See
Box. 06E4Appendix
A169 4E46K.] The
tai
full installation procedure will then begin. File systems are created first.
re
The software subsets will be loaded, followed by a reboot and the
software configuration phase. This will take about a half hour for the
or
system we are using.
th
Au
Since we elected to customize kernel components, the kernel build will
not proceed automatically as it would if the mandatory or full installation
2,
options had been selected. We have chosen to customize the kernel
00
build in order not to install code beyond what is essential for this
machine. A kernel option menu will appear after the system reboots.
-2
--------------------------------------------------------------
20
1 System V Devices
2 NTP V3 Kernel Phase Lock Loop (NTP_TIME)
te
5 IP-in-IP-Tunneling (IPTUNNEL)
In
6 IP Version 6 (IPv6)
7 Point-to-Point Protocol (PPP)
NS
10 X/Open
11 DVDFS
12 CDFS
13 Audit
14
Key fingerprintACL Subsystems
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
15 None of the above
16 Help
17 Display all options again
Page 9 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
--------------------------------------------------------------
s.
ht
rig
After the kernel is rebuilt, the system automatically reboots. When we
login as root, the System Setup Window will appear. We will exit from it
ull
at this time in order to do some preliminary housekeeping.
f
ns
Key
Postfingerprint = AF19customizations
Installation FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
Separating out /tmp, /var/tmp, /var/log, /usr/local, and user home
directories
or
th
As discussed previously, we will place /tmp, /var/tmp, /var/log, /home,
Au
and /usr/local in their own domains (virtual volumes). Compaq
recommends that /tmp and /var/tmp be separated from / and /usr. We
2,
will carry that recommendation further by separating them out into their
00
own domains.
-2
# cp –p /etc/fstab /etc/fstab.orig
# vi /etc/fstab
[insert the following lines in the file after var_domain#var /var advfs
rw 0 2]
Key fingerprint = AF19/tmp
tmp_domain#tmp FA27 2F94 998D
advfs rwFDB5
0 2 DE3D F8B5 06E4 A169 4E46
vartmp_domain#vartmp /var/tmp advfs rw 0 2
local_domain#local /usr/local advfs rw 0 2
home_domain#home /home advfs rw 0 2
Page 10 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
varlog_domain#varlog /var/log advfs rw 0 2
Miscellaneous preparations
s.
ht
#mkdir /etc/save.orig
rig
Copy the listed files into that directory preserving permissions. For
ull
example,
f
# cp –p /etc/ftpusers /etc/save.orig
ns
Key
The fingerprint
files and=directories
AF19 FA27 we
2F94will
998D FDB5
save are:DE3D F8B5 06E4 ftpusers,
audit_events, A169 4E46 motd,
tai
rc3.d,
re
auth.system.default, ftpusers, passwd, securettys,
auth.system.devassign, group, profile, /etc/shells, cron.deny,
or
inetd.conf, rc2.d, and skel.login.
th
Au
Before taking the system down to single user mode, verify that we will
prompted for root’s password before we are actually allowed to be in
2,
single mode. This is a new security feature with 5.x.
00
YES]
# YES
00
20
# YES
sti
# shutdown now
In
Enter root password at prompt. Verify that the new domains were
NS
mounted correctly.
# mount –a
SA
# mount
©
We will now manually install the subsets needed for enhanced security
and to build the tools we will be adding later. Place the Operating
Systems Volume 1 in the CD-ROM.
# mount
Key –r /dev/disk/cdrom0
fingerprint /mnt
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
# cd ALPHA/BASE
# setld –l . OSFC2SEC520 OSXC2SEC520 OSFCDMTEXT520
OSFINCLUDE520
Page 11 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
[Enhanced security, support for triviality checking, and standard headers
for tools compilation]
Select all subsets.
We could elect to install other subsets at this time as well if we chose the
s.
mandatory subsets with the intent of manually installing subsets at this
ht
time. When the subsets have been installed, we reboot the system.
rig
Customizing the setup
ull
f
When the system reboots, select Custom setup from the System Setup
ns
window. The Custom Setup will then be displayed. [Appendix M.]
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
License Installation
re
or
Select License Manager. Delete the default USR license. Select “Edit”
and “add”. Fill in the fields from the PAK on the license template
th
displayed. We will enter the OSF-BASE, OSF-USR, OSF-SVR, ADVFS-
Au
UTILITIES and LSM licenses. Many of the features of both AdvFS and
LSM that formerly required licenses have been incorporated in the base
2,
We will setup the network even though we are still not connected to the
network.
20
te
Both tu0 and tu1 are displayed when we start the network setup.
tu
no rwho. Do not restart the network at this time. We have not yet
In
We will now configure the DNS client. We will be using the local
SA
Page 12 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
associated with having accurate timestamps on system logs, particularly
for coordinating log information from multiple systems.
Select NTP on the Custom Setup box. We will configure the machine as
an NTP client. Select “add servers and peers V3.” Enter the NTP from
s.
the Network Related Information table. Select yes on the next screen.
ht
Since we are not currently on the network, don’t start the daemon now.
rig
Since we are setting up the network, this might be a good time to open
ull
up another terminal window and tune the kernel with the recommended
setting for avoiding SYN attacks. This recommendation comes from
f
ns
CERT® Advisory CA-2000-21 Denial-of-Service Vulnerabilities in TCP/IP
Key fingerprint
Stacks. = AF19the
To lessen FA27 2F94 998Dof
probability FDB5 DE3D F8B5SYN-ACK
a successful 06E4 A169attack
4E46 you
tai
essentially increase the size of the queue resources Tru64 UNIX will need
re
for all connections, and since many of the SYN-ACK attacks don't form a
complete connection, they get timed out and deleted. Setting the value of
or
the parameters sominconn and somaxconn to 65535 will harden Tru64
th
UNIX against the SYN attacks. This change can be made using the
following command: Au
# /sbin/sysconfig -r socket sominconn=65535
2,
# /sbin/sysconfig -r socket somaxconn-65535
00
disabled. Because of the way the page table is shared for shared
In
A new root password must now be set. The enhanced security will take
©
Account management
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Hardening user accounts
Page 13 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Edit /usr/skel/.login, /etc/profile, /and /usr/skel/ .cshrc to make sure
that the umask is 027. Add /usr/bin/Rsh (restricted shell) and
/usr/bin/false to /etc/shells.
The GIAC agency security policy requires that password expire after 6
s.
months. It also requires users to select strong passwords. Federal
ht
government security policy mandates further password controls such as
rig
limiting the number of unsuccessful attempts and protecting the secrecy
of passwords. The SANS Institute lists poor or non-existent passwords
ull
as the second of the Top
Twenty vulnerabilities.
f
ns
Key fingerprint
We will = AF19 FA27
use edauth 2F94
to edit the998D FDB5
trusted DE3D F8B5
database 06E4
files -- A169 4E46
tai
/etc/auth/system/default – the system default database and the two
re
terminal control databases -- /etc/auth/system/ttys.db and
/etc/auth/system/devassign.
or
th
To edit the system default database, enter the following command:
# edauth -dd default. Au
2,
We will be changing the following values in this file.
00
months. We will also set a password lifetime of 9 months. This will give
the user 3 months to reset the expired password after it has expired.
00
After a total of 9 months, the user account expires. The depth of the
20
• u_life=23328000
tu
• u_pwdepth#9
sti
In
• u_minlen#8
• u_maxlen#20
©
Page 14 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Locking accounts. Accounts will be locked when they are initialing set
up by the system administrator. The account will be unlocked when the
system administrator has contacted the user and the user has been
given the initial password for the account. Initial passwords are pre-
expired. An account will be locked after 5 consecutive unsuccessful
s.
tries. Terminals will be locked after 10 consecutive unsuccessful
ht
attempts. The delay between unsuccessful login attempts will be set to 2
rig
seconds as a defense against password cracking tools.
If successful authentication is not completed within the login timeout
ull
interval, the login is aborted.
• u_maxtries#5
f
ns
• u_lock [new accounts locked]
Key•fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
t_maxtries#10
tai
• t_logdelay#2
re
• t_login_timeout#300
or
th
Limiting Root Access
Au
Other changes we will be making to the trusted databases include
2,
logins. Only root and the user bobbi will be allowed to login at the
-2
console.
# edauth –dv console
00
console:\
:v_devs=/dev/console:v_type=terminal:v_users=root,bobbi:chkent:
20
te
# edauth -dv :0
tu
\:0|\:0.0:\
:v_devs=\:0,\:0.0:v_type=xdisplay:v_users= root,bobbi:chkent:
sti
In
console, from the X-display, and from tty00. We will, therefore, not
SA
Page 15 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Internet we need to remove unnecessary services from /etc/inetd.conf
and prevent unneeded services from starting at boot.
All services except for cfgmgr and suitjd can be removed from
/etc/inetd.conf. We will edit /etc/inetd.conf to prevent services from
s.
starting from inetd. To do this, edit inetd’s configuration file by place a
ht
number sign (#) as the first character in the line for everything except
rig
cfgmgr (configuration management server) and suitjd which are used by
the OS. Examples of configuration management requests are requests to
ull
configure, reconfigure, query, or unconfigure a subsystem. SysMan, the
tool for managing the system, uses suitjd. Since we are not yet
f
ns
connected to the Internet, we do not have to HUP inetd.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
We also need to prevent unnecessary services from starting from the
re
start scripts in /sbin/rc?.d.
or
Disable all startup files for services that are not needed from /sbin/rc2.d
th
and /sbin/rc3.d. The list below is partially drawn from the Tru64
Au
Security Guide at geocities. We will prevent services from starting by
changing the capital 'S' in the name of the script to a lowercase 's'. The
2,
following startup files should not be disabled:
00
In /sbin/rc2.d
-2
In /sbin/rc3.d
S00inet S00.50ip6host S21audit S59lsm
te
The machine is now secure enough that we can risk connection to the
Internet to download any patches to the OS. Connect the Network
Interface
Key Card
fingerprint to the
= AF19 Internet
FA27 port.FDB5 DE3D F8B5 06E4 A169 4E46
2F94 998D
# shutdown –r now
Page 16 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
When the machine reboots, verify that we are successfully online by
doing a nslookup, netstat –nr, netstat –a, date, etc. commands.
# mkdir /usr/local/patch
# cd /usr/local/patch
s.
ht
Any patches for the version of the OS we are installing will be found at
rig
ftp1.support.compaq.com. The only patch currently available for Tru64
Unix is rpc.ttdserverd, a buffer overflow security patch. Even though we
ull
do not plan to run rpc services, we will still download and install this
patch. A jumbo patch kit is expected to be released in January.
f
ns
Key fingerprint
Change to the= AF19 FA27directory
following 2F94 998Dpublic/unix/v5.1a.
FDB5 DE3D F8B5 06E4 A169 4E46
tai
mget t64v51assb*. This will download the patch, readme file and tarball.
re
Verify that checksum.
# more CHECKSUM
or
t64v51assb-c0000800-11707-er-20010928.tar 49656 1670
th
# sum t64v51assb-c0000800-11707-er-20010928.tar
Au
49656 1670 t64v51assb-c0000800-11707-er-20010928.tar
2,
The checksum validates the tarball was downloaded successfully.
00
# shutdown now
00
# mount –a
te
# cd /usr/local/patch/patch_kit
tu
# ./dupatch
sti
In
Page 17 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Using the editor set up for root, insert u_lock into the entry for daemon,
save the file and exit the editor. Repeat the process for the other
accounts we will lock.
s.
/usr/shells and inserting them in that file. We will then use dxaccounts
ht
through the System Setup Checklist to change the shells for uucp and
rig
adm to /usr/bin/Rsh (the restricted shell).
ull
Adding user accounts
f
ns
Previous to version 5.x, Compaq did not recommend using useradd,
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
usermod, and userdel for managing user accounts with Enhanced
Security. Only dxaccounts could be used. That is no longer true. We
re
can now use dxaccounts or the 3 user commands or sysman account
management to add the desired accounts on this host.
or
th
We will first add several groups for our users. We will be setting up 3
functional classes of users: Au
• System administrator – will have the ability to obtain root privilege
2,
through su initially and Compaq’s Division of Privileges (dop). We
00
exceed 8 characters.
tu
admins 2000
In
testers 12000
restrict 20000
NS
SA
Before adding users via the GUI interface, let’s add the groups we need
from the above table.
©
Page 18 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
# usermod -D -g testers -d /home -s /usr/bin/ksh [set defaults]
# usermod –D [display defaults]
Minimum User ID = 12
Next User ID = 1200
s.
Maximum User ID = 4294967293
ht
Duplicate User ID =0
rig
Use Hashed Database = 0
Max Groups Per User = 32
ull
Base Home Directory = /home
Administrative Lock =1
f
ns
Primary Group = testers
Key fingerprint =
Skeleton DirectoryAF19 FA27 2F94
= 998D FDB5 DE3D F8B5 06E4 A169 4E46
/usr/skel
tai
Shell = /usr/bin/ksh
re
Inactive Days =0
Expire Date = Never
or
th
Au
We will add the following accounts initially. Other accounts will be
added later as needed.
2,
00
…..
In
#
NS
These commands will add the users and create the home directories.
The default shell and the home directory structure have been established
SA
Even though we are not going to run the ftp daemon, we will set up the
ftpd security file to reject remote logins to local user accounts. The
Page 19 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
commands below can be combined into a script to run through root’s
crontab to keep this file current. The frequency needed to update the
file depends on how often users are added.
# cp –p /etc/ftpusers /etc/save.orig/ftpusers
s.
# rm /etc/ftpusers
ht
# cat /etc/passwd | cut –f1 –d: > /etc/ftpusers
rig
# chmod 600 /etc/ftpusers
ull
Monitoring suid and sgid programs, hidden files
f
ns
Key fingerprint
Set up = AF19inFA27
a directory 2F94 998D
/usr/local FDB5
that willDE3D F8B5
house 06E4 A169
baseline 4E46
information for
tai
comparison.
re
# mkdir /usr/local/secsave
or
th
Create a baseline of setuid and setgid programs.
Au
# /bin/find / -type f \( -perm -4000 -o -perm -2000 \) \
-exec ls -ldb {} \; > /usr/local/secsave/setuid.list
2,
00
# mkdir /.rhosts
NS
# touch /.rhosts/x
# chmod 0 /.rhosts/x
SA
# chmod 0 /.rhosts
©
Repeat the above for /.netrc and /etc/hosts.equiv and verify results.
# ls -ld /.rhosts
d--------- 2 root system 8192 Dec 17 22:05 /.rhosts
Key fingerprint
# ls -l /.rhosts = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
total 0
---------- 1 root system 0 Dec 17 22:05 x
# ls -ld /.netrc
Page 20 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
d--------- 2 root system 8192 Dec 17 22:08 /.netrc
# ls -l /.netrc
total 0
---------- 1 root system 0 Dec 17 22:08 x
s.
ht
Secure libraries and message file
rig
Libraries can be used as an attack. Compaq recommends disabling
ull
segment sharing, which we have already done when we configured
f
Enhanced Security. Compaq and Securing Unix Track 6 notes also
ns
recommend verifying the ownership and permissions for libraries.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
# ls -lL /usr/shlib/*.so
re
# chown –h root /usr/shlib/*.so
or
# chmod 600 /var/adm/messages
th
Secure terminal ports Au
2,
Terminal ports should only be readable by the owner. Modify the remote
00
login shell file by using the code suggested by the Tru64 Unix Security
manual.
-2
case "$TERM" in
none) ;;
20
*) /usr/bin/setacl -b ‘/usr/bin/tty‘ ;;
te
esac
tu
if ($?TERM) then
In
endif
endif
SA
©
Page 21 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
# chown root /usr/lib/cron/cron.allow [Suggested in the paper, but not
necessary for the system we are setting up since this are the permissions
already.]
# chmod 600 /usr/lib/cron/cron.allow
# cp –p /usr/lib/cron/cron.allow /usr/lib/cron/at.allow
s.
ht
To create the deny files
rig
# cat /etc/passwd | cut –f1 –d: |grep –v root |grep –v bobbi \
>/usr/lib/cron/cron.deny
ull
# chown root /usr/lib/cron/cron.deny
# chmod 600 /usr/lib/cron/cron.deny
f
ns
# cp –p /usr/lib/cron/cron.deny /usr/lib/cron/at.deny
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
File access controls
or
As recommended by Hal Pomeranz in the Securing Unix Track, we will
th
modify the way /usr is mounted. We do not want any files in the /usr
Au
partition comprised. We will change the way /usr is mounted to ro. This
will require a reboot to take effect.
2,
00
Edit /etc/fstab and change the entries for /usr and /home to the
following:
-2
Warning Banners
20
te
# cp –p /etc/motd /etc/motd.orig
Create a /etc/motd.new with a welcome message of your choosing.
©
Auditing
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 22 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
We will set up the Basic Audit Configuration. As we become more
familiar with the auditing subsystem and managing the disk space that it
uses, we will augment this initial setup.
s.
• Defining the configuration
ht
• Determining what is audited
rig
• Generating audit reports
• Manage the disk space used by the audit logs
ull
• Archiving the audit logs
f
ns
The following table maps system commands (root privileges required) to
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
tasks. The information in the table has been obtained from the man
pages for the commands as well as the Tru64 Unix Security manual.
re
or
auditconfig Defines the configuration used for auditing
auditmask Gets and sets audit masks
th
audgen Generates an audit record and places it in the audit log
auditd
Au
Audit daemon. Will display information about the auditing
configuration. Also administers audit subsystem data
2,
format.
00
system. We will setup auditing from the command line without using a
te
GUI tool.
tu
# sysman auditconfig
sti
…
In
PLEASE NOTE:
- This utility erases previous audit subsystem configurations.
©
Page 23 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Select [OK]
s.
ht
There are 5 possible actions if the audit logs fill up -- suspend auditing
rig
until space becomes available, change audit data location according to
'/etc/sec/auditd_loc' , overwrite the current log, terminate auditing, or
ull
halt the system.
f
ns
Select changing the audit data local by using the arrow keys and
Key fingerprint
pressing the =enter
AF19key
FA27 2F94 that
when 998Dchoice
FDB5 DE3D F8B5 06E4 A169
is highlighted. 4E46
Tab to [Next] and
tai
then enter.
re
We are then given a choice on how long to keep the audit logs. We will
or
be monitoring their growth and write our own scripts to back them up
th
and remove old logs as our experience grows. We therefore select
Au
“forever” as the amount of time to keep them. Tab to [Next] and hit
enter.
2,
00
The remaining choices for part one of the setup involve choosing where
audit information will be logged. We again select the default – syslog and
-2
select to audit trusted events. Tab to [Next] and hit enter. A list of the
sti
events to be audited for the profile we selected then appear. This seems
In
like a good list for us to use initially. We therefore proceed to the next
selection which lists the files to be audited. We proceed to the next
NS
if the audit log space fills up. We set up this secondary location in
/var/log since this is in a separate domain.
# mkdir /var/log/audit
# chmod
Key 700=/var/log/audit
fingerprint AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
# ls -ld /var/log/audit
drwx------ 2 root system 8192 Dec 23 18:35 /var/log/audit
Page 24 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Edit /etc/sec/auditd_loc to include this path.
s.
Audit data and msgs:
ht
-l) audit data destination = /var/audit/auditlog.sansproj.001
rig
-c) audit console messages = syslog
ull
Network:
-s) network audit server status (toggle) = off
f
ns
-t) connection timeout value (sec) =4
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Overflow control:
re
-f) % free space before overflow condition = 10
-o) action to take on overflow = change to next auditlog location
or
th
We will run our initial reports on login data. As our experience with the
Au
auditing subsystem grows, we can add and/or delete the events audited
and the files audited. We might also elect to set up /var/audit in its own
2,
fileset with a soft and/or hard limit set or in its own domain to protect
00
We plan to compress audit logs regularly and copy the compressed logs
to tape. After determining that the tape backups of the audit logs are
te
indeed valid, the backed up logs will be removed from the system. These
tu
# crontab –e
SA
Sendmail
Key fingerprint
Sendmail = AF19 FA27
historically has2F94
had998D FDB5
a large DE3D F8B5
number 06E4 A169 4E46Version
of vulnerabilities.
8.9.3 and above are more secure and more stable. However, since this
machine is not a mail relay, there is no need for it to run sendmail as a
Page 25 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
daemon (-bd) We will only run sendmail periodically to empty the mail
queue.
s.
# echo \$Z | /usr/sbin/sendmail -bt -d0
ht
Version 8.9.3
rig
….
ull
Although this version is usable from a security perspective, we will
rebuild sendmail from more recent source. Sendmail can be found at
f
ns
ftp.sendmail.org. It is located in the directory /pub/sendmail.
Key fingerprint
Download = AF19 FA27 2F94 998D
sendmail.8.11.6.gz. FDB5
After youDE3D
haveF8B5
built06E4 A169 4E46
sendmail, change the
tai
configuration so that you can run it as a null client. The OSTYPE will be
re
osf1 and the FEATURE (`nullclient’, mailhub’). Since we have disabled
sendmail from running automatically, we will need to set up a job in
or
crontab to run to empty the mail queue periodically. We will empty the
th
queue every hour at 15 past the hour. The crontab entry would therefore
be: Au
2,
15 * * * * /usr/lib/sendmail –q.
00
download these tools. Compaq provides compiled code for both ssh and
tu
TCP wrappers
NS
SA
Until the lab obtains a small firewall, TCP wrappers will be the means for
denying access from other than these 2 hosts.
Page 26 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Edit the Makefile to have the correct location for the standard system
daemons (REAL_DAEMON_DIR=/usr/sbin) and to log to the auth log
rather than mail log (FACILITY= LOG_AUTH).
# make alpha
s.
ht
After wrappers has been built successfully, move the binaries to
rig
/usr/local/etc.
ull
# mv tcpd tcpdchk tcpdmatch try-from safe-finger moduli /usr/local/etc
f
ns
We will wrap ftp and telnet in /etc/inetd.conf for the moment. After ssh
Key
has fingerprint = AF19 we
been installed, FA27 2F94
will 998D FDB5
comment outDE3D
theseF8B5 06E4 A169 4E46
lines.
tai
ftp stream tcp nowait root /usr/local/etc/tcpd ftpd
re
telnet stream tcp nowait root /usr/local/etc/tcpd telnetd
or
To complete the TCP wrappers set up, we need to configure
th
/etc/hosts.allow and /etc/hosts.deny. The rules in /etc/hosts.allow are
Au
checked first and if no match is found there then /etc/hosts.deny is
checked. The first rule that matches causes an exit. If the match is in
2,
/etc/hosts.allow, the connection is allowed. If the match is in
00
for this host is very simple, we will deny all access except for ssh from
two specific hosts. To test our setup we will allow ALL services from the
00
two trusted IP addresses. After ssh has been installed, we will change
20
/etc/hosts.deny
tu
ALL: ALL
sti
In
/etc/hosts.allow
ALL: 192.168.231.95, 192.168.127.186
NS
Make sure that permissions for these files are set appropriately.
SA
# ls -l /etc/hosts.*
-rw-r----- 1 root system 161 Dec 17 23:26 /etc/hosts.allow
-rw-r----- 1 root system 107 Dec 24 21:03 /etc/hosts.deny
The fingerprint
Key TCP wrappers
= AF19logs
FA27all connections
2F94 998D FDB5to the log
DE3D F8B5facility that4E46
06E4 A169 is specified
in the Makefile. Both successful and unsuccessful connections are
logged.
Page 27 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
[The following is from auth.log]
s.
Dec 24 21:05:02 sansproj sshd[1108]: Accepted password for bobbi \
ht
from 192.168.127.186 port 3547 ssh2
rig
In order to make sure that tcpd.h and libwrap.a will be found during the
ull
installation of ssh, we will copy them to /usr/local/lib.
f
ns
cp –p tcpd.h /usr/local/lib
Key fingerprint
cp –p libwrap.a= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
/usr/local/lib
tai
re
Secure Shell – ssh
or
th
As described by SSH Communications Security Corporation, ssh is a
Au
mechanism for secure remote access over the inherently insecure
Internet. Ssh provides security with strong authentication of both the
2,
client and the server. It uses public key cryptography with strong
00
There is really very little similarity between version 1 and 2. Ssh version
20
Compaq does have a free version of ssh available for download for Tru64
sti
Unix. We have chosen not to use this so we can configure ssh with tcp
In
wrappers.
NS
This table gives the information we need to obtain the necessary tools.
©
Build zlib.
Page 28 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
# gunzip zlib-1.1.3.tar.gz | tar –xvf -
# cd zlib-1.1.3
s.
# ./configure
ht
# make test
rig
# make install
ull
Build OpenSSL.
f
ns
# gunzip openssl-0.9.6b.tar.gz | tar –xvf –
Key
# cdfingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
openssl-0.9.6b
tai
re
Read the README and Makefile files.
or
# ./configure
th
# make
# make test Au
# make install
2,
00
We are now ready to install ssh itself. We will select 3 options to be used
with the configure script. We will be compiling ssh with TCP wrappers
-2
support
(--with-tcp-wrappers). We want to prevent the ssh from using rsh if a
00
Build ssh.
tu
sti
# cd openssh-3.0.2p1
NS
Page 29 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
sshd default user PATH:
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Random number collection: Builtin (timeout 200)
Manpage format: man
PAM support: no
s.
KerberosIV support: no
ht
Smartcard support: no
rig
AFS support: no
S/KEY support: no
ull
TCP Wrappers support: yes
MD5 password support: no
f
ns
IP address in $DISPLAY hack: no
Key fingerprint
Use IPv4 =by AF19 FA27hack:
default 2F94 998D
no FDB5 DE3D F8B5 06E4 A169 4E46
tai
Translate v4 in v6 hack: no
re
Host: alphaev67-dec-osf5.1
or
Compiler: cc
th
Compiler flags: -g
Preprocessor flags: -I/usr/local/ssl/include Au
Linker flags: -L/usr/local/ssl/lib
2,
Libraries: -lwrap -lz -lsecurity -ldb -lm -laud -lcrypto
00
WARNING: you are using the built-in random number collection service.
-2
that the CDs used to install the OS clearly state the version to be 5.1A.
tu
sti
The only settings we change from the original configuration file for the
In
11d10
< ListenAddress 172.29.126.142
©
32,33c31
< #PermitRootLogin yes
< PermitRootLogin no
---
> PermitRootLogin
Key fingerprint = AF19yes
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
71c69
Page 30 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
We are not going to use X11 forwarding at the present time. There are
no changes that need to be made to the client configuration file at this
time.
Let’s make sure that all the files we need to run ssh are in /usr/local/etc
s.
with the correct permissions.
ht
rig
# ls -l /usr/local/etc
total 365
ull
-rwxr-x--- 1 root system 29312 Dec 16 09:02 safe_finger
-rw-r----- 1 root system 1088 Dec 16 10:48 ssh_config
f
ns
-rw-r----- 1 root system 1050 Apr 3 2001 ssh_config.orig
Key fingerprint
-rw------- 1 root= AF19 FA27 2F94
system 998D
668FDB5
DecDE3D F8B5 ssh_host_dsa_key
16 11:33 06E4 A169 4E46
tai
-rw-r----- 1 root system 618 Dec 16 11:33 ssh_host_dsa_key.pub
re
-rw------- 1 root system 543 Dec 16 11:33 ssh_host_key
-rw-r----- 1 root system 347 Dec 16 11:33 ssh_host_key.pub
or
-rw------- 1 root system 883 Dec 16 11:33 ssh_host_rsa_key
th
-rw-r----- 1 root system 238 Dec 16 11:33 ssh_host_rsa_key.pub
-rw-r----- 1 root system Au
2256 Dec 16 10:01 ssh_prng_cmds
-rw-r----- 1 root system 2039 Dec 16 10:36 sshd_config
2,
-rw-r----- 1 root system 1988 Sep 20 19:15 sshd_config.orig
00
# make host-key
sti
…..
In
a5:bd:08:44:b3:0c:44:05:09:e4:6a:01:f0:09:2a:27
root@sansproj.giac.dhhs.gov
©
Page 31 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
0c:ee:6d:d7:47:d8:60:73:c4:f7:c4:7b:25:df:80:bf
root@sansproj.giac.dhss.gov
s.
ht
One last task to complete the installation of ssh. We need a start/stop
rig
script in /sbin/init.d. The following is an adaptation of the sample script
from the course notes on Securing Unix – SANS Institute Track 6.5 –
ull
Solaris Practicum by Hal Pomeranz.
f
ns
#!/bin/sh
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
# SSH2 start/stop script
re
case $1 in
or
start)
th
# Start the daemon
echo "Starting ssh service" Au
if [ -x /usr/local/sbin/sshd -a -f /usr/local/etc/sshd_config
2,
]; then
00
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config
fi
-2
;;
00
stop)
20
PID=`cat /var/run/sshd.pid`
tu
if [ -z "$PID"]
sti
then
In
;;
*)
©
Set the
Key permissions
fingerprint appropriately
= AF19 FA27 2F94 998D and
FDB5set up F8B5
DE3D the link
06E4inA169
/sbin/rc3.d.
4E46
Page 32 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
# ln –s /sbin/init.d/sshd /rc0.d/K15ssh
s.
ht
Division of Privileges
rig
Tru64 Unix, as discussed in the Tru64 Unix Security manual, has a
ull
proprietary feature for distributing superuser administrative privileges
f
among multiple users. The concept behind the dop utility is that
ns
particular
Key classes
fingerprint = AF19ofFA27
administrative tasks
2F94 998D FDB5 can F8B5
DE3D be assigned to 4E46
06E4 A169 specific
tai
users or classes of users. This leads to access limitations to the root
account itself in a similar way to the freeware tool sudo. The goal is to
re
limit access to root’s password while providing a secure mechanism for
or
the sharing of administrative tasks that require superuser privileges.
th
Related administrative tasks have been organized into logical groupings.
Au
Appendix O is a table listing the various roles for the division of
privileges.
2,
00
- Accounts [accounts]
| Manage local users [users]
20
DESCRIPTION
NS
SA
Page 33 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
easily divided to match specific administrative roles. In our environment,
each system administrator performs a wide variety of administrative
tasks; so full root privileges are needed for all administrative roles.
s.
configuration. The example below is for a password change for user
ht
testusr3 done by user bobbi, our system administrator. We will use
rig
sysman dopconfig to give bobbi AccountManagement privileges.
ull
$ dop accounts
f
ns
No password is needed for dop. The command above takes you to the
Key fingerprint
sysman menu = AF19 FA27 2F94 998D FDB5 DE3D
for AccountManagement. F8B5 testusr3
The user 06E4 A169was
4E46selected
tai
and given a new password.
re
Here is the audit information for the password change using this
or
mechanism.
th
AUID:RUID:EUID PID RES/(ERR) Au
EVENT
-------------- --- --------- -----
2,
5497:0:0 1873 0x0 auth_event ( Local Protected
00
Notice the reference to dxaccounts even though the interface used was
NS
We will evaluate the dop facility. Once the user has been set up, no
password is needed. There is flexibility in the commands that the user
©
Page 34 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Ongoing maintenance
Backups
s.
The third SANS Top Twenty Vulnerabilities is “non-existent or incomplete
ht
backups.” Appendix S contains a simple backup script that will be used
rig
regularly to backup all files on the system. The capability of the DAT
(12G/24G) tapes is sufficient to back up all file systems on our 2 9-
ull
gigabyte disks.
f
A good backup strategy is essential in any security plan. Backups
ns
provide
Key a means
fingerprint to FA27
= AF19 restore a compromised
2F94 system
998D FDB5 DE3D whether
F8B5 06E4 A169the system
4E46
tai
was compromised by a hardware failure, a natural disaster or a security
breach.
re
or
Backups alone are not sufficient, however. They must be tested regularly
by doing restores to ensure their integrity. No backup policy is complete
th
without incorporating regular restore testing.
Au
2,
The backup script will be run weekly and after any major modification to
00
the system.
-2
Integrity checks
te
tu
run regularly.
In
The following, from the Security manual, explains the role of fverify in
integrity checking.
Page 35 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Fverify – The fverify program reads subset inventory records from
standard input and verifies that the attributes for the files on the system
match the attributes listed in the corresponding records. Missing files
and inconsistencies in file size, checksum, user ID, group ID,
s.
permissions, and file type are reported.
ht
rig
ull
Patches
f
ns
It is important to be aware of all patches to the system as they become
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
available, particularly security patches. The best way to do this is to
subscribe to the mailing lists for both security patches and for the OS in
re
general. To do this, use the Compaq web site patch mailing lists and
or
follow the directions for subscribing to security and Tru64 Unix patches.
The URL is: http://www.support.compaq.com/patches/mailing-
th
list.shtml.
Au
2,
Logs
00
-2
We also want to investigate how the Event Manager can be used to help
notice us of security related problems.
20
te
The auditing script sends us mail when it is run, but we still have to
tu
scrutinize it manually.
sti
In
Password customizations
©
• Test that new accounts are initially locked and have pre-expired
passwords
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
o Set up a new account – testusr4
o Login as testusr4
Page 36 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
o The following is the verification that the account is locked
initially. The information was obtained by running the script
to look at the audit log.
s.
denies account access locked_out_acct_es reason(s) for lockout are
ht
Account has explicit administrative lock. )
rig
o Use edauth to remove the administrative lock
§ # edauth testusr4 – remove administrative lock by
ull
changing the ulock entry to be u_lock@
f
§ # edauth –g testusr4
ns
testusr4:u_name=testusr4:u_id#22222:u_pwd=Lcr5fZd
Key fingerprint = AF19LLX2wo.S5LJ7EXq2o:u_succhg#1009463823:\
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
:u_unsucchg#1009463831:u_pwdict=mYzQ0CfNidNYQ
re
:u_oldcrypt#0:u_suclog#1009463823:\
:u_suctty=pts/3:u_unsuctty=INET#capu-dsl-128-
or
231-150-
th
95.net.nih.gov:u_unsuclog#1009463361:u_lock@:\
:chkent: Au
§ attempt to login again
2,
00
from capu-dsl-128-231-150-95.net.nih.gov
There have been 1 access failures for your account.
00
20
Old password:
tu
Last successful password change for testusr4: Thu Dec 27 09:28:36 EST
sti
2001
In
Select
Key ONE item
fingerprint by FA27
= AF19 number:
2F94 1
998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 37 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Generating random pronounceable password for testusr4.
The password, along with a hyphenated version, is shown.
(Password generation will be a bit slow.)
s.
Hit <RETURN> or <ENTER> until you like the choice.
ht
When you have chosen the password you want, type it in.
rig
Note: type your interrupt character or `quit' to abort at any time.
ull
Password: bludfomcuhehekta Hyphenation: blud-fom-cu-he-hek-ta
Enter password:
f
ns
Password: vequefvihegnircebaf Hyphenation: ve-quef-vi-heg-nirc-eb-af
Key fingerprint
Enter password:= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Password: manhajoidwuwatejsi Hyphenation: man-haj-oid-wu-wat-ej-si
re
Enter password:
Password: lenuvpotil Hyphenation: len-uv-pot-il
or
th
• Au
One of our policies established that new passwords couldn’t be
changed for 24 hours.
2,
sansproj.giac.dhhs.gov> whoami
00
testusr4
sansproj.giac.dhhs.gov> passwd
-2
Password not changed: minimum time between changes has not elapsed.
• Minimum password length – attempt to enter a password less than
00
8 characters
20
sansproj.giac.dhhs.gov> passwd
te
Old password:
Last successful password change for bobbi: Mon Dec 24 12:06:05 EST
tu
2001
sti
Last unsuccessful password change for bobbi: Thu Dec 27 09:49:15 EST
In
2001
NS
Key fingerprint
Select ONE item= AF19
by FA27 2F94 4
number: 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 38 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Password must be from 8 to 80 characters long.
s.
• Triviality checks – verify that existing group names and user
ht
names cannot be used and that dictionary words cannot be used
rig
sansproj.giac.dhhs.gov> passwd
Old password:
ull
Last successful password change for bobbi: Mon Dec 24 12:06:05
f
EST 2001
ns
Last unsuccessful password change for bobbi: NEVER
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
Do you want (choose one option only):
or
1 Pronounceable passwords generated for you
th
2 A string of characters generated for you
3 Au
A string of letters generated for you
4 To pick your password
2,
00
New password:
`restrict' is (or looks too much like) a group name to be a password.
te
tu
New password:
In
Connectivity checks
• Can we get to our host from the allowed hosts?
Dec 25 21:25:32 sansproj sshd[1374]: Accepted password for bobbi
Key fingerprint = AF19 FA27 2F94
from 172.29.150.95 998D
port FDB5
4420 DE3D F8B5 06E4 A169 4E46
ssh2
Page 39 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
prd1.giac.dhhs.gov
s.
Dec 27 10:28:57 sansproj sshd[4272]: Failed password for root
ht
from 172.29.150.95 port 1383 ssh2
rig
ull
Interesting attempts logged
f
ns
While
Key checking
fingerprint the FA27
= AF19 logs we discovered
2F94 998D FDB5some
DE3Dbreak-in
F8B5 06E4attempts.
A169 4E46
tai
-1:0:0 972 (err 2) auth_event ( ftp Anonymous ftp
account missing ftpd )
re
-1:0:0 15424 (err 2) auth_event ( (unknown) argv[0]=-ca-
or
ol-angers-17-86.abo.wanadoo.fr: Invalid account )
-1:0:0 15426 (err 2) auth_event ( (unknown) argv[0]=-
th
AMarseille-101-1-2-214.abo.wanadoo Invalid account )
-1:0:0 15438 (err 2)
Au
auth_event ( anonymous Anonymous
ftp account missing ftpd )
2,
# mount
sti
…
Now, we attempt to create a file.
SA
# touch /usr/bin/TESTIT
©
The Future
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
We plan on installing host-based intrusion detection software and
working with ACLs. We also want to run password cracking software
regularly.
Page 40 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
We also will install a firewall to better protect the lab host. This host will
be used to test out log checking scripts. Logs will be checked manually
until the suite of automated tools are in place.
s.
against attack. We will continue to test out mechanism to identify and
ht
mitigate the most serious risks.
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 41 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendices
s.
ht
Subset Status Description
rig
------ ------ -----------
ESVFBIN200 installed Modified and New Commands and APIs (Extended
System V Functionality)
ull
ESVFMAN200 installed Man pages for the Modified and New Commands
and APIs(Extended System V Functionality)
f
FSFGZIPSRC520 installed GNU Gzip Source (GNU Source)
FSFINDENTSRC520 installed GNU Indent Source (GNU Source)
ns
FSFM4V14520 installed "m4 Sources" (GNU Source)
Key fingerprint = AF19
FSFPERL520 FA27 2F94 998D
installed FDB5
perl DE3D
SourcesF8B5
(GNU 06E4 A169 4E46
Source)
tai
FSFRCSSRC520 installed GNU Revision Control System Source (GNU
Source)
re
OSFACCT520 installed System Accounting Utilities (System
Administration)
OSFADVFS520 installed AdvFS Commands (System Administration)
or
OSFADVFSBIN520 installed AdvFS Kernel Modules (Kernel Build
Environment)
th
OSFADVFSBINOBJECT520 installed AdvFS Kernel Objects (Kernel Software
Development)
OSFADVFSDAEMON520 installed
Au
AdvFS Daemon (System Administration)
OSFBASE520 installed Base System (- Required -)
OSFBIN520 installed Standard Kernel Modules (Kernel Build
2,
Environment)
00
Development)
OSFC2SEC520 installed Enhanced Security (System Administration)
00
Environment)
OSFCLINET520 installed Basic Networking Services (Network-
tu
Server/Communications)
OSFCMPLRS520 installed Compiler Back End (Software Development)
sti
Processing)
OSFEXER520 installed System Exercisers (System Administration)
NS
Page 42 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
OSFLSMX11520 installed Logical Storage Manager GUI (System
Administration)
OSFMANOP520 installed Ref Pages: Programming (Reference Pages)
OSFMANOS520 installed Ref Pages: Admin/User (Reference Pages)
OSFMITFONT520 installed X Fonts (Windowing Environment)
OSFNETCONF520 installed Basic Networking Configuration
Applications(System Administration)
s.
OSFNETSCAPE520 installed Netscape Communicator V4.76 (Windows
Applications)
ht
OSFNFS520 installed NFS(tm) Utilities (Network-
Server/Communications)
rig
OSFOEMBASE520 installed Tru64 UNIX Base System (- Required -)
OSFPAT00000031520 installed Patch Tools (- Required -)
OSFPATC0000800520 installed Patch: Fixes problem reported in
ull
SSRT0767U.(Common Desktop Environment (CDE) Patches)
OSFPERL520 installed perl 5.6.0 Runtime (General Applications)
f
OSFSER520 installed X Servers Base (Windowing Environment)
OSFSERPC520 installed X Servers for PCbus (Windowing Environment)
ns
OSFSERVICETOOLS520 installed Service Tools (System Administration)
Key fingerprint = AF19
OSFSYSMAN520 FA27 2F94 998D FDB5
installed Base DE3D
System F8B5 06E4Applications
Management A169 4E46 and
tai
Utilities(System Administration)
OSFTCLBASE520 installed Tcl Commands (General Applications)
re
OSFTKBASE520 installed Tk Toolkit Commands (General Applications)
OSFX11520 installed Basic X Environment (Windowing Environment)
or
OSFXADMIN520 installed Graphical System Administration
Utilities(System Administration)
th
OSFXADVFS520 installed AdvFS Graphical User Interface (System
Administration)
OSFXC2SEC520
OSFXDEMOS520
installed
installed
Au
Enhanced Security GUI (System Administration)
Demo X Applications (Windows Applications)
OSFXSYSMAN520 installed Graphical Base System Management Utilities(System Administration)
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 43 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix B – Welcome screen
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 44 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix C – Host Information Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 45 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix D
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 46 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix E - Software Selection Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 47 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix F – Software Selection Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 48 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix G – Kernel Options Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 49 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix H – Select File System Layout Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 50 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix I – Custom File Layout Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 51 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix J – Installation Summary Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 52 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix K – Ready to Begin Installation Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 53 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix L – System Setup Window
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 54 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 55 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix M – Custom Setup Dialog Box
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 56 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix N – Audited events - /etc/sec/audit_events
[events that are not audited have been deleted to save space]
# more /etc/sec/audit_events
! Audited system calls:
mknod succeed fail
mount succeed fail
s.
ht
unmount succeed fail
setuid succeed fail
rig
setlogin succeed fail
reboot succeed fail
ull
revoke succeed fail
f
chroot succeed fail
ns
sethostname
Key fingerprint = AF19 FA27succeed fail
2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
settimeofday succeed fail
setreuid succeed fail
re
setregid succeed fail
or
truncate succeed fail
ftruncate succeed fail
th
setgid succeed fail
shutdown succeed fail Au
adjtime succeed fail
2,
sethostid succeed fail
00
Page 57 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix O - Table of Division of Privileges Roles
s.
Mail Configuration Process Management
ht
Printer Management File Management
rig
Printer Configuration Power Management
Distributive Printing Keyboard Configuration
ull
Advanced Printing Security
Event Management Host Management
f
Event Configuration Account Management
ns
Superuser CDE Configuration CDE
Key fingerprint = AF19 FA27 2F94 998D FDB5 Configuration
DE3D F8B5 06E4 A169 4E46
tai
Cluster Configuration Software Management
Cluster Monitoring SysMan Accounts, including local
re
users, local groups, NIS users, NIS
groups
or
th
Au
Appendix P – Sample script for Tru64 Unix Security manual to extract
login and logout information from the audit logs
2,
00
# more /var/adm/local/login.extract
-2
#!/usr/bin/ksh -ph
# Script to return summary of login/logout activities on the
00
export PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/sbin
# where this script should run
te
Bdir=/var/adm/local
tu
Ofile="${Bdir}/lasttime"
In
Nfile="${Bdir}/newtime"
Afile="${Bdir}/lastdata"
NS
Tfile="${Bdir}/lastmsg"
SA
Events="-e trusted_event"
umask 077
©
s.
done
ht
: > "${Afile}"
rig
for af in $(find "$Adir" -name "auditlog.*" -newer "${Ofile}" \
-print | sort)
ull
do
audit_tool -b -t $(<"${Ofile}") -T $(<"${Nfile}") >> \
f
ns
"${Afile}" -o -Q $Events "${af}" 2>/dev/null
Keysuppressed
# the fingerprint = AF19 FA27
errors are 2F94 998D
for the FDB5 DE3D F8B5messages
{un,}compressed 06E4 A169 4E46
tai
done
re
TZ=:localtime
or
if [ -s "${Afile}" ]
th
then
audit_tool -B -Q "${Afile}" > "${Tfile}" Au
if [ -s "${Tfile}" ]
2,
then
00
fi
mv -f "${Nfile}" "${Ofile}"
00
rm -f "${Afile}"
20
te
tu
Warning Notice!
NS
administrative action.
s.
Exhibit III-A: Matrix of Minimum Security Safeguards
ht
rig
ull
Explanation: This matrix is used to identify a minimum set of safeguards, by security
level, which should be implemented to protect AISs, AIS facilities, and/or
f
ITUs.1
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Justification for non-implementation of these safeguards should be based
re
on the results of a formal risk analysis (and cost-benefit) study.
or
Directions: Scan the Xs and Os beneath each security level designation. An X means
th
that the security safeguard listed to the left is a requirement. An O means
that the security safeguard is optional. Au
2,
00
Level 4 Level 3
-2
High High
Sensitivity/ Sensitivit
00
Criticality, y/
Nat'l Criticality
20
Security
te
1. Ensure that a complete and current set of documentation exists for all operating systems.
tu
X X
sti
2. Require use of current passwords and log-on codes to protect sensitive AIS data from
unauthorized access. X X
In
3. Establish procedures to register and protect secrecy of passwords and log-on codes,
NS
5. Develop means whereby the user's authorization can be determined. (This may include
©
answerback capability.) X X
7. Implement methods, which may include the establishment of encryption, to secure data being
transferred between two points. X X
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
8. Ensure that the operating system contains controls to prevent unauthorized access to the
executive or control software system. X X
1OMB Circular A-130 requires formal risk analyses for sensitive AISs, AIS facilities, and ITUs. Required
security safeguards may change as a result of the risk analysis.
Page 60 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Level 4 Level 3
High High
Sensitivity/ Sensitivit
Criticality, y/
Nat'l Criticality
Security
s.
ht
9. Ensure that the operating system contains controls that separate user and master modes of
operations. X X
rig
10. Record occurrences of nonroutine user or operator activity (such as unauthorized access
ull
attempts and operator overrides) and report to the organizational ISSO. X X
f
11. Ensure that the operating system provides methods to protect operational status and
ns
subsequent restart integrity during and after shutdown. X X
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
12. Install software feature(s) that will automatically lock out the terminal if it is not used for a
predetermined period of lapsed inactive time, for a specified time after normal closing time,
re
or if a password is not entered correctly after a specified number of times. X X
or
13. Ensure that the operating system contains controls to secure the transfer of data between all
configuration devices. X 0
th
14.
controlling the availability and flow of data.
Au
Establish controls over the handling of sensitive data, including labeling materials and
X X
2,
15. Require that all sensitive material be stored in a secure location when not in use. X X
00
16. Dispose of unneeded sensitive hard copy documents and erase sensitive data from storage
-2
17. Prepare and maintain lists of persons authorized to access facilities and AISs processing
00
sensitive data. X X
20
18. Establish procedures for controlling access to facilities and AISs processing sensitive data.
X X
te
tu
19. Furnish locks and other protective measures on doors and windows to prevent unauthorized
access to computer and support areas. X X
sti
20. Install emergency (panic) hardware on "Emergency Exit Only" doors. Ensure that emergency
In
21. Specify fire-rated walls, ceilings, and doors for construction of new computer facilities or
modifications of existing facilities. X X
SA
22. Install smoke and fire detection systems with alarms in the computer facility. When feasible,
connect all alarms to a control alarm panel within the facility and to a manned guard station X X
©
or fire station.
23. Install fire suppression equipment in the computer facility, which may include area sprinkler
systems with protected control valves and/or fire extinguishers. X X
24. Provide emergency power shutdown controls to shut down AIS equipment and air
Key fingerprint
conditioning = in
systems AF19 FA27
the event of fire 2F94
or other 998D FDB5
emergencies. DE3D
Include F8B5
protective 06E4
covers for A169 4E46
X X
emergency controls to prevent accidental activation.
25. Provide waterproof covers to protect computers and other electronic equipment from water
damage. X X
26. Establish a fire emergency preparedness plan to include training of fire emergency response
teams, development and testing of an evacuation plan, and on-site orientation visits for the
Page 61 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Level 4 Level 3
High High
Sensitivity/ Sensitivit
Criticality, y/
Nat'l Criticality
Security
s.
ht
local fire department. X X
rig
27. Secure communication lines. X X
ull
29. Ensure that all requirements of NSDD-145 (National Security Decision Directive) are met.
f
X 0
ns
30. Key
Establish detailed risk
fingerprint management
= AF19 FA27 program.
2F94 X
998D FDB5 DE3D F8B5 06E4 A169 4E46 X
tai
31. Establish Computer Systems Security Plans for sensitive systems. X X
re
32. Conduct formal risk analyses. X X
or
33. Establish employee security awareness and training programs. X X
th
34. Maintain accurate inventory of all hardware and software. X X
38. Ensure that all personnel positions have been assigned security level designations.
X X
00
40. Ensure that all personnel, including contractors, have received appropriate background
te
investigations. X X
tu
41. Maintain a list of all personnel, including contractors, who have been approved for 6C (High
sti
Risk Public Trust), 5C (Moderate Risk Public Trust), 4C (Top Secret, requiring special security X X
considerations), 3C (Top Secret), and 2C (Secret or Confidential) risk level positions.
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 62 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Appendix S – Backup Script
#!/bin/ksh
# preliminary script to backup system filesets to 4mm tape
s.
# Bobbi Spitzberg
ht
# This script is for v5.1a
rig
VDUMP=/sbin/vdump
ull
VRESTORE=/sbin/vrestore
f
ADMIN="bobbi"
ns
DEV=/dev/ntape/tape0
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
LOG=/usr/local/sys/backup/backup.log
# get date
re
MMDDYY=`date +"% m%d%y"`
FSYSLIST="/ /usr /var /usr/local /home"
or
th
# Check to see if tape is in drive ?
mt -f $DEV rewind Au
status=$?
2,
if [ $status != "0" ]
00
then
echo "$0 : invalid tape"
-2
exit
fi
te
tu
# backups
sti
for fs in $FSYSLIST
do
NS
TIME=`date +"%H:%M"`
$VDUMP -NC0uf $DEV $fs
SA
#rewind tape
mt -f $DEV rewind
Page 63 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
for fs in $FSYSLIST
do
if [ $fs = "/" ]
then
fs="root"
s.
fi
ht
fsr=`echo $fs | tr -d '/'`
rig
echo "listing $fsr"
$VRESTORE -t -f $DEV > $BDIR/$fsr.vdump.$MMDDYY
ull
done
f
ns
# rewind the tape
mt Key fingerprint
-f $DEV rewind= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
#mt -f $DEV unload
re
or
Appendix T – Some Compaq Security Recommendations
th
Au
•Ensure that the /tmp /var/tmp and /var/spool directories are on a
file system other than that of the root (/) and /usr directories.
2,
•The ability to verify the integrity of the trusted computing base (TCB)
00
as follows:
–For user-chosen passwords (u_pickpw field in the
20
(u_maxlen#80 .
tu
Page 64 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
(u_policy
Use the Account Manager (dxaccounts) or the edauth program to change
the default settings.
The libraries on your system can be used in an attack.Secure the libraries
as follows:
s.
•Disable segment sharing by answering yes when prompted by
ht
secconfig
rig
•Verify that the permissions are correct (no write access except
for the owner)and that the ownership is root on shared libraries
ull
(/usr/shlib/*.so ,including any linked target files.Use the ls lL
command for this procedure.
f
ns
Configure user accounts as follows:
Key fingerprint
•Using = AF19 FA27
the provided 2F94templates,create
default 998D FDB5 DE3Daccount
F8B5 06E4 A169 4E46that
templates
tai
reflect your site ’s security policy.
re
•Set the umask in the /usr/skel/.login file.(Compaq recommends
a value of 027.)
or
•Designate a restricted shell (Rsh for users where appropriate.
th
•Verify that each user has a valid entry path (login shell)on the system.
Au
Users can be placed directly into an application by executing the
application from the user ’s /home/.profile or from the entry in the
2,
/etc/passwd file or as a start point for the user with the execution of
00
a startup program.
Before the audit subsystem kernel option can be configured,it needs to be
-2
included for the kernel build. Use the sysman auditconfig utility to
configure the audit subsystem any time after the kernel build.Compaq
00
If you are starting the audit daemon from the command line,use the
following command:
©
# /sbin/init.d/audit start
Because root access must be carefully controlled and monitored,make sure
the following conditions are met:
•That all passwords are changed after a system installation or after
support
Key vendors
fingerprint have
= AF19 had
FA27 access
2F94 998D to your
FDB5 machine.
DE3D F8B5 06E4 A169 4E46
•That the root password is changed before vendor access is granted to
prevent exposure of your password generation methodology.
•That the single-user password feature is enabled.See the sulogin 8)
reference page.
Page 65 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
•That using the su command to become root is logged by audit.
•That the /var/spool/cron/crontabs files are accessible only by root
or the owner.
•That root access is restricted to certain devices for login or that
users must use the su command to access the root account.See the
s.
securettys 4)reference page for more information.
ht
•The logins for the system-supplied UIDs are limited (setting the u_lock
rig
field)where appropriate.The following table provides the restrictions
recommended by Compaq:
ull
UID Recommended login Status
root Restricted
f
ns
daemon Not allowed
Key
bin fingerprint
Not allowed= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
sys Not allowed
re
uucp Restricted
nobody Not allowed
or
adm Restricted
th
lp Not allowed
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 66 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
References
s.
ht
Sil, “Minimizing Denial of Service Attacks”, 13 July, 2001. URL:
rig
http://www.antioffline.com/stoppingdos.html
ull
“CERT® Advisory CA-2000-21 Denial-of-Service Vulnerabilities in TCP/IP
f
Stacks”, 4 December 2000. URL:
ns
http://www.cert.org/advisories/CA-2000-21.html
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Department of Health and Human Services, “Automated Information Systems
re
Security Program Handbook” Release 2.0, May 1994. URL:
http://irm.cit.nih.gov/policy/aissp.html
or
th
“Tru64 Security Guide”.
Au
URL:http://www.geocities.com/sabernet_net/papers/Tru64.html
2,
http://www.tru64unix.compaq.com/docs/best_practices/BP_EVAL/bp_eval.pd
00
2001. URL:
http://www.tru64unix.compaq.com/internet/security/sshdown.html
20
http://www.ssh.com/products/ssh/administrator24/SSH_Secure_Shell.html
tu
sti
http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V51A
_HTML/ARH95DTE/TITLE.HTM
NS
Pomeranz, Hal and Lee Brotzman, Securing Unix Systems, July, 2001, SANS
Institute.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Page 67 of 68
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.