CHAPTER 28 System Security
Account Security
[] Password policy developed and distributed to all users
[] All passwords checked against obvious choices
[] Expiration dates on all accounts
[] No "idle" guest accounts
[] All accounts have passwords or "*" in the password field
[] No group accounts
[] "+" lines in passwd and group checked if running Yellow Pages
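
Two of the items above (empty password fields, and "+" lines in passwd and group) can be checked mechanically. The following is an added example, not part of the original checklist; the function name audit and the sample file contents are assumptions made for illustration. "+" lines are only listed for manual review, since whether one is acceptable depends on the site's Yellow Pages setup.

```python
# Added example: checks for two Account Security items above.
# Sample file contents are constructed, not taken from a real host.

SAMPLE_PASSWD = """\
root:Xq1eW8zP0aB2c:0:0:Operator:/:/bin/csh
daemon:*:1:1::/:
guest::100:100:Guest:/home/guest:/bin/sh
alice:Ab3dE5fG7hI9j:101:20:Alice:/home/alice:/bin/csh
+::0:0:::
bob:Zz9yX7wV5uT3s:102:20
"""

SAMPLE_GROUP = """\
wheel:*:0:root
staff:*:20:alice
+:
"""


def audit(text, nfields, check_password):
    """Scan passwd- or group-format text (hypothetical helper).

    Returns a dict with:
      empty_password: (line number, name) where the password field is empty
      plus_lines:     (line number, line) for Yellow Pages '+' entries,
                      listed for manual review rather than judged
      malformed:      (line number, line) with the wrong field count
    """
    report = {"empty_password": [], "plus_lines": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+"):
            report["plus_lines"].append((lineno, line))
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            report["malformed"].append((lineno, line))
        elif check_password and fields[1] == "":
            report["empty_password"].append((lineno, fields[0]))
    return report


if __name__ == "__main__":
    for name, text, n, pw in (("passwd", SAMPLE_PASSWD, 7, True),
                              ("group", SAMPLE_GROUP, 4, False)):
        print(name, audit(text, n, pw))
```

To check a real system, pass the contents of the passwd file with nfields=7 and the group file with nfields=4.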
Network Security
[] hosts.equiv contains only local hosts, and no "+"
[] No .rhosts files in users' home directories
[] Only local hosts in "root" .rhosts file, if any
[] Only "console" labeled as "secure" in ttytab (servers only)
[] No terminals labeled as "secure" in ttytab (clients only)
[] No NFS file systems exported to the world
[] ftpd version later than December, 1988
[] No "decode" alias in the aliases file
[] No "wizard" password in sendmail.cf
[] No "debug" command in sendmail
[] fingerd version later than November 5, 1988
[] Modems and terminal servers handle hangups correctly
File System Security
[] No setuid or setgid shell scripts
[] Check all "nonstandard" setuid and setgid programs for security
[] Setuid bit removed from /usr/etc/restore
[] Sticky bits set on world-writable directories
[] Proper umask value on "root" account
[] Proper modes on devices in /dev
Backups
[] Level 0 dumps at least monthly
[] Incremental dumps at least bi-weekly