----------------------------------------------------------------------------
IMPROVING THE SECURITY OF YOUR UNIX SYSTEM
SunFLASH Vol 21 #4
September 1990
----------------------------------------------------------------------------

In April of this year SRI International published an excellent paper on
UNIX security. Much of this paper is very applicable to SunOS system
administration.

This document is available using anonymous ftp from the site
spam.itstd.sri.com. There are two versions of the document:

    pub/security-doc.tar.Z
    pub/security-doc.txt

The security-doc.txt version is plain text. The tar file includes a
PostScript file and an 'roff-able version (i.e. text formatter input).

I have included the table of contents for this paper (from the plain text
version). As these files are pretty large (275Kb for the PostScript and
160Kb for the plain text) I have been talked out of sending them to
SunFlash! However, if you really want a copy and you can't get a copy from
the above ftp site, then send a request to me at:

    sunflash-request@sunvice.East.Sun.COM

Please state if you want the plain text (fine for reading on line) or the
PostScript version (only useful if you have OpenWindows 2.0 or a PostScript
compatible printer). I may have to send this document in several pieces
because some mailer programs place a size limit on mail messages.

I have enclosed the table of contents from the paper in this message.

-flash

--------------------------------------------------------------------------------

IMPROVING THE SECURITY OF YOUR UNIX SYSTEM

David A. Curry, Systems Programmer
Information and Telecommunications Sciences and Technology Division

ITSTD-721-FR-90-21

Approved:

Paul K. Hyder, Manager
Computer Facility

Boyd C. Fair, General Manager
Division Operations Section

Michael S. Frankel, Vice President
Information and Telecommunications Sciences and Technology Division

SRI International
333 Ravenswood Avenue + Menlo Park, CA 94025 + (415) 326-6200
FAX: (415) 326-5512 + Telex: 334486

CONTENTS

1         INTRODUCTION
1.1       UNIX Security
1.2       The Internet Worm
1.3       Spies and Espionage
1.4       Other Break-Ins
1.5       Security is Important

2         IMPROVING SECURITY
2.1       Account Security
2.1.1     Passwords
2.1.1.1   Selecting Passwords
2.1.1.2   Password Policies
2.1.1.3   Checking Password Security
2.1.2     Expiration Dates
2.1.3     Guest Accounts
2.1.4     Accounts Without Passwords
2.1.5     Group Accounts and Groups
2.1.6     Yellow Pages
2.2       Network Security
2.2.1     Trusted Hosts
2.2.1.1   The hosts.equiv File
2.2.1.2   The .rhosts File
2.2.2     Secure Terminals
2.2.3     The Network File System
2.2.3.1   The exports File
2.2.3.2   The netgroup File
2.2.3.3   Restricting Super-User Access
2.2.4     FTP
2.2.4.1   Trivial FTP
2.2.5     Mail
2.2.6     Finger
2.2.7     Modems and Terminal Servers
2.2.8     Firewalls
2.3       File System Security
2.3.1     Setuid Shell Scripts
2.3.2     The Sticky Bit on Directories
2.3.3     The Setgid Bit on Directories
2.3.4     The umask Value
2.3.5     Encrypting Files
2.3.6     Devices
2.4       Security Is Your Responsibility

3         MONITORING SECURITY
3.1       Account Security
3.1.1     The lastlog File
3.1.2     The utmp and wtmp Files
3.1.3     The acct File
3.2       Network Security
3.2.1     The syslog Facility
3.2.2     The showmount Command
3.3       File System Security
3.3.1     The find Command
3.3.1.1   Finding Setuid and Setgid Files
3.3.1.2   Finding World-Writable Files
3.3.1.3   Finding Unowned Files
3.3.1.4   Finding .rhosts Files
3.3.2     Checklists
3.3.3     Backups
3.4       Know Your System
3.4.1     The ps Command
3.4.2     The who and w Commands
3.4.3     The ls Command
3.5       Keep Your Eyes Open

4         SOFTWARE FOR IMPROVING SECURITY
4.1       Obtaining Fixes and New Versions
4.1.1     Sun Fixes on UUNET
4.1.2     Berkeley Fixes
4.1.3     Simtel-20 and UUNET
4.1.4     Vendors
4.2       The npasswd Command
4.3       The COPS Package
4.4       Sun C2 Security Features
4.5       Kerberos

5         KEEPING ABREAST OF THE BUGS
5.1       The Computer Emergency Response Team
5.2       DDN Management Bulletins
5.3       Security-Related Mailing Lists
5.3.1     Security
5.3.2     RISKS
5.3.3     TCP-IP
5.3.4     SUN-SPOTS, SUN-NETS, SUN-MANAGERS
5.3.5     VIRUS-L

6         SUGGESTED READING

7         CONCLUSIONS

          REFERENCES

          APPENDIX A - SECURITY CHECKLIST

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Sunflash is an electronic mail news service from Sun Microsystems,
Ft. Lauderdale, Florida, USA. It is targeted at Sun Users and Customers.
For additional information about SunFlash send mail to
info-sunflash@sunvice.East.Sun.COM

SunFlash is distributed via a hierarchy of aliases. Try to address change
requests to the owner of the alias that you belong to. If you want to be
added to the SunFlash alias, please contact the systems engineers at your
local Sun office and/or send mail to sunflash-request@sunvice.East.Sun.COM.

Address comments to the SunFlash editor (John McLaughlin) at
sun!sunvice!flash or flash@sunvice.East.Sun.COM. (305) 776-7770.