Sunday, June 22, 2008

Linux and Unix Software Security Basics - Part 3

Howdy,

Continuing along, following our first three posts (basic Linux and Unix installation security, even more security measures, and user, group and account-based security), we're ready to move on to the next section. Today, we'll be focusing more specifically on locking down and/or removing existing software on your newly-installed system.

Again, I hope this series of posts is able to help out, if just a little bit, and I welcome any suggestions for improvement or expansion to include other OS's :)

See you tomorrow for the wrap-up!

Cheers,

OS Installation Guidelines, Part 3: Existing Software Modifications

1. chmod o-w on /var/adm/utmp, /var/adm/wtmp, /var/adm/wtmpx and /var/adm/utmpx (whichever of them exist) on Solaris. On RedHat, these files should be in /var/log. If only one of the four files exists, you're okay.

2. touch /var/adm/loginlog.

3. Add "/usr/lib/acct/accton /var/adm/pacct" to /etc/init.d/syslog, if possible, considering the caveats in our previous posts. Again, this is only necessary on Solaris. The psacct RPM for RedHat should take care of this for you.

4. chmod 0 /usr/bin/at or /usr/sbin/at.

5. chmod 0 /usr/bin/finger or /usr/sbin/finger.

6. rm /etc/acct/holidays (If this generates errors, just create a file with one line, indicating what year it is).

7. chmod o-rwx /etc/security. On RedHat, or Solaris with PAM enabled, limit access to /etc/pam.d, as well, if possible.

IMPORTANT NOTE: For points 8 through 15, the file locations are general and your particular release of either Solaris or RedHat may place the binaries elsewhere, but you can generally find them in one of the directories we go through in these steps. It should also be noted that removing the packages or RPMs associated with these files should, theoretically, have removed them already, but I don't believe in things working the way they should (a hazard of my profession ;) Obviously, if you're using lp or CUPS, you won't want to delete any of the print commands. For all of these steps, my recommendation is to always ask if you're unsure. If I started a new job and removed all the NIS commands on a box and then found out that's what they used for their directory service... ouch!

8. In /usr/bin, rm if necessary and possible (ask first, if unsure):

cu
disable
enable
tip
uucp
uuencode
uudecode
uuglist
uulog
uuname
uupick
uustat
uuto
uux
cancel
lp
lpget
lpset
lpstat
rsh <--- The remote shell, as opposed to the restricted sh!
rdate
rdist
rcp
remsh
rlogin
rup
ruptime
rusers
rwho
yppasswd
nispasswd


9. In /etc, rm if possible (ask first, if unsure):

-r lp
-r uucp


10. In /usr/lib, rm if possible (ask first, if unsure):

accept
-r lp
print
reject
lpadmin
lpfilter
lpforms
lpsched
lpshut
lpmove
lpsystem
lpusers
-r uucp
-r nfs
-r netsvc
rsh


11. In /usr/sbin, rm if possible (ask first, if unsure):

lpmove
lpadmin
lpfilter
lpforms
lpshut
lpsystem
lpusers
accept
reject
sadmind


12. For /usr/sbin/in.*, remove all except the following files, if possible (ask first, if unsure):

in.ftpd
in.telnetd
in.rarpd


13. In /usr/sbin/static (on Solaris only), rm if possible (ask first, if unsure):

rcp

14. In /usr/ucb (also only on Solaris), rm if possible (ask first, if unsure):

lpc
lpq
lpr
lprm
lptest
rcp
rdate
rdist
rlogin
rsh
ruptime
rusage
rwho


15. In /var, rm if possible (ask first, if unsure):

-r lp
-r uucp
-r spool/lp
-r spool/uucp
-r spool/print


16. Comment out all of /etc/rpc except the rpcbind line. NOTE: If using Solstice Disk Suite (Volume Manager) software, do not comment out the following lines (on Solaris 9 leave all lines uncommented near the bottom of the file, beginning with the line for metad and ending with the last line of the file). As always, be sure not to comment out any services you really need:

rpc.metad
metad
rpc.metamhd
metamhd


17. chmod -R 0, if possible, on /usr/openwin/bin/* on Solaris and /usr/X11R6 on RedHat.

18. chmod -R 0, if possible, on /usr/dt/bin/* on Solaris. On RedHat, the X-Windows binaries might live in many different locations. Check out the man pages for your system and GNOME, KDE, etc., to be sure that you're disabling all access to the GUI.

19. All device files should have good permissions to begin with. Do not change them unless it's really necessary or you're looking to do enhanced network security of the order we went over in an older post on securing all network programs at once using extended ACLs. That goes a bit beyond the scope of this series ;)
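
As an added example (not part of the original post), here is a small POSIX sh dry-run audit for steps 1 and 8 above: it reports which login-accounting files are still world-writable and lists which of the step-8 binaries are actually present in a directory, removing nothing, so you can ask first. The prefix argument is an assumption of this example so the functions can be tried against a scratch tree before being pointed at the live system.

```shell
#!/bin/sh
# Added example: dry-run audit for steps 1 and 8 of the checklist above.
# Each function takes a constructed prefix (e.g. /tmp/scratch) so it can be
# exercised on a scratch tree; pass "" to check the live system.

# Step 1: report login-accounting files that are still world-writable.
# Solaris keeps them under /var/adm, RedHat under /var/log; both are checked.
# Prints "world-writable: <path> <mode>" per offender; returns 1 if any found.
audit_accounting_files() {
    root="${1:-}"
    rc=0
    for f in utmp wtmp utmpx wtmpx; do
        for dir in /var/adm /var/log; do
            p="$root$dir/$f"
            [ -e "$p" ] || continue
            # Portable test: the 9th permission character of ls -l is the
            # "other" write bit (any trailing ACL '+' marker is cut off).
            mode=$(ls -ld "$p" | cut -c1-10)
            case "$mode" in
                ????????w?) echo "world-writable: $p $mode"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Step 8: the binaries the checklist says to consider removing from /usr/bin.
LEGACY_BINARIES="cu disable enable tip uucp uuencode uudecode uuglist uulog
uuname uupick uustat uuto uux cancel lp lpget lpset lpstat rsh rdate rdist rcp
remsh rlogin rup ruptime rusers rwho yppasswd nispasswd"

# List which of them actually exist in DIR so they can be reviewed with their
# owners before any rm is run. Prints one path per line; returns 1 if any found.
list_legacy_binaries() {
    dir="$1"
    found=0
    for b in $LEGACY_BINARIES; do
        if [ -e "$dir/$b" ]; then
            echo "$dir/$b"
            found=1
        fi
    done
    return $found
}

# Usage against the live system (as root; review the output, then decide):
#   audit_accounting_files "" ; list_legacy_binaries /usr/bin
```

Both functions only read the filesystem, so a non-zero exit simply means there is something to review with the owners before running chmod or rm.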

to be continued...

, Mike