SECURITY AND COMMUNICATIONS

Excerpts from: DISA WESTHEM SECURITY, Unix Security, Technical Implementation Guide,
Version 1, Release 2, 1 August 1996.

Password Guidelines | Special Privilege Access | Root
Sticky Bit | Firewalls | Unix Security Tools | Network Security

Department of Defense (DOD) Directive 5200.28, Security Requirements for Automated Information Systems (AISs), requires the use of security mechanisms for AISs. The Defense Information Systems Agency Instruction (DISAI) 630-230-19, along with its supplements and enclosures, prescribes policy, assigns responsibilities, and provides procedures for the Defense Information Systems Agency (DISA) Automated Information Systems (AIS) Security Program.

This instruction requires that all processing be performed on platforms accredited to class C2 functionality, as defined in DOD 5200.28-STD, Trusted Computer System Evaluation Criteria (also referred to as the "Orange Book").

The DOD Inspector General (DODIG) has performed several audits of the security mechanisms in place at the DISA WESTHEM (Western Hemisphere) Defense Megacenters (DMCs). Many of these audits have revealed significant exposures in the security environment. As a result of these audits, a task force was enacted, at the request of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (C3I), to address the issues identified in the DODIG audit findings and to ensure that the security processes being used at DMCs are effective.

HP-UX is defined as having Class C2 security

DOD policy requires that each system user be uniquely identified to the operating environment and that access to resources be limited to those needed to accomplish a function. A user can either be a person or a task.

HP-UX uses a domain based protection system for file protection. Each user is associated with one of several domains. The four most common domains are user, group, other and superuser. Programs executed by users run in three domains at one time - user, group, and other. The superuser domain is reserved for root those whom root allows to use it. Each domain has it’s own set of restrictions. The superuser domain is restrictionless.

Every HP-UX file has an owner. The owner has user domain privileges when working with his files. These privileges include read, write and execute as the main three but there are others. These same files and directories have restrictions placed on them by the domains group and other over which the owner can exercise some control such as restricting or granting the read, write, and execute privileges. Owners can also implement ACLs (access control lists) and sticky bits to further protect their files and directories.


PASSWORD GUIDELINES -
The guidelines for password values are not clearly defined in the Class C2 criteria. DOD 5200.28-STD guidelines require that the operating system protect the authentication data (i.e., passwords) from access by an unauthorized user. This protection is accomplished by placing encrypted passwords in the /etc/shadow file, or in the equivalent file on other UNIX systems. This file is owned by the root, and has a permission bit of 700.

Industry analysis has shown that people are more likely to remember their passwords without writing them down if they are allowed to create their own. The most effective means is to allow users to select their own passwords, while enforcing certain guidelines regarding password composition. Users must also change their password on a regularly scheduled basis to prevent the possible threat of someone acquiring and using the account.

The passwd command changes the password or lists password attributes associated with the user’s login name. In addition the root user may use passwd to install or change passwords and attributes associated with any login name. All successful logins and logouts will be logged to an audit file to account for system access by individual accounts.

Apply the following mandatory standards to passwords:
All accounts will have a password assigned.
Passwords will be a minimum of six (6) alphanumeric characters in length. At a minimum, one alphabetic character will be capitalized and one character will be numeric.
Users on unclassified systems will be required to change their password every 90 days.
Passwords cannot be changed more than once every 24 hours without the assistance of the DMC ISSO or an authorized representative.
Passwords will not include any part of the user’s name, telephone number, or userid.
Users will not be permitted to reuse a password assigned within the last ten password changes.
Passwords will not contain consecutively repeating characters.
All automated jobs will require a login userid and password. Accounts for automated jobs will require password changes at least once a year.
All unsuccessful password attempts will be logged to an audit file.
After three unsuccessful password attempts, the userid will be locked out of the system.
The userid will remain locked until the ISSO manually unlocks the userid after a review of the circumstances behind the invalid login attempts.

Password requirements are enforced by UNIX password default configuration. The passwd default configuration is in the /etc/default directory. If the native UNIX operating system does not allow configuration to meet the required standards, the npasswd program or the passwd+ program can be downloaded from FTP.ASSIST.MIL (Automated Systems Security Incident Support Team). Test the program to ensure proper operations before placing the program on an operational platform.


SPECIAL PRIVILEGE ACCESS -
UNIX systems provide special privileges which, when assigned to a userid, allow the user to modify the security environment, to perform auditing tasks, and to perform functions that circumvent the security parameters. No account will be given privileged access unless authorized by the ISSO.


ROOT -
The root or superuser account is used by the UNIX operating system to accomplish basic functions. The root also has wide-ranging functional capabilities over the entire operating system. The root can access and execute essential system programs. Because of this, the root has almost no security restraints invoked for programs run by the root. The root will never be accessed directly. When root access is required, authorized users will log into the system under their normal userid and then invoke the su -command to access root.

Use the following standards to minimize any effects on the operating system:

Root access will be given only to personnel authorized by the ISSO.
Users allowed to perform security administration for application-related data will be limited to only change properties for which the user is responsible.
A UID of 0 will not be assigned to any user except the root. Some system processes or daemons, such as SMTP, require a UID of 0 for proper operation. If a system requires duplicate UIDs of 0 for processes or daemons, this requirement will be documented in the system Standard Operating Procedures (SOP).
Direct root login will be limited to only system consoles (i.e., directly connected devices).
Successful and unsuccessful root access and exits will always be logged to the audit file.
Any default password assigned by the vendor will be changed.
The duties of both the System Administrator (SA) and the ISSO will be performed according to the guidance provided in the DISA WESTHEM Security Handbook.


STICKY BIT -
Originally, the sticky bit setting on a program told the operating system to make the program 'stick' in memory to enhance performance. Now, it is used on directories. When it is set only the owner of a file within that directory, the owner of the directory, or root may delete that file. Users are prevented from deleting other users files when the sticky bit is set.

According to DOD, the following directories (including public directories), or their equivalents, will have the sticky bit set and be owned by either root/bin or bin/bin:

/etc and all its sub-directories
/dev and all its sub-directories
/nis and all its sub-directories
/var/mail
/var/spool/uucppublic
/vol/rmt
/vol/dsk
/vol/rdsk
/usr/tmp (where this is not a symbolic link)
/var/tmp (where this is not a symbolic link)
/tmp
All public directories will have the sticky bit set.

To set the sticky bit you must be root (to remove it you must be either the files owner or root) and type the following:

chmod 1444 [filename/directory name] - this sets file permissions to -r--r--r-t.

The sticky bit shows up as a "T" or "t" as the last character in the permissions area of a file list (-rwxrwxrwT or -r-xr-xr-t). It is a "T" if 'other' has execute permissions. It is a "t" if they do not. Any other chmod of the file removes the sticky bit. Copying the file removes the sticky bit.


FIREWALLS -

The Choke | The Gate

Firewalls are designed to make it difficult for attackers to jump from one network to another. The correct installation of a firewall can assist in reducing intrusions. A firewall consists of two parts, the gate and the choke. The gate passes data between two networks. The choke blocks all packets from an outside network destined for an inside network unless the packets are destined for the gate. The choke also blocks all packets from the inside network to the outside network unless the packets are originated from the gate. Both the choke and the gate can be either the same computer or a different computer. The gate can be either one computer or a different computer for each protocol.


The Choke -
The choke acts as a filtering device that allows only the gate machine to talk to the outside world. All packets from an outside network directed to an internal machine other than the gate are rejected. Internal machines that attempt to contact sites outside the network are also rejected. Apply the following standards to the choke machine:

Unauthorized protocols will be rejected.
The following protocols are unauthorized and will be rejected:
        tftp
        sunrpc
        printer
        rlogin
        rexec
        finger
Remote login of the choke machine will not be allowed.


The Gate -
The gate is the security enforcer. The choke forces all communications both inside and outside the network to flow through the gate. The gate then authenticates users, sanitizes data, and forwards data. The gate should have a very stripped down operating system, and will be tightly controlled. The gate will be configured as user-unfriendly. Apply the following standards to the gate:

Regular user accounts will not be allowed. Accounts will be established only for users who require incoming connections, for system accounts for needed services, and for the root.
Imported directories from the Network File System (NFS) or the Remote File Service (RFS) will not be allowed.
The permission bit for all system binaries will be changed to 500.
All system directories will have a permission bit of 711.
Full audit capabilities will be enabled on the gate.
All disks will be mounted as read only.
No trusted hosts will be allowed.
All network services that are not required will be disabled.
The audit files will be checked daily for attempted break-ins.
The /etc/hosts.equiv file will be on all systems. The file will be empty, will be owned by the root, and will have a permission bit of 700.


UNIX SECURITY TOOLS -
This section outlines tools to assist in securing a UNIX platform. These tools should be used in conjunction with standard UNIX security practices. The security tools, their configuration files, and their data bases will be maintained on off-line media. System Administrators will download and use the security tools. The permission bit for security tools will be 700, and will be owned by the root. Not all security tools work for all systems. A combination of security tools is much better than just one security tool. When downloading the security tools, check the MD5 value to ensure that a correct and legitimate copy is being used.


UNIX OS Vulnerability Assessment Tools


COPS | Security Profile Inspector (SPI) | Tiger |Npasswd
Passwd+ | TCP/IP Wrapper Program | Crack | Tripwire | Ifstatus

The following tools are provided by Government agencies to assist the ISSO and the System Administrator in assessing the security posture of the UNIX operating system. Not all tools will work or compile on all systems. Each tool is provided with the required documentation to compile and run the tool. The ISSO will develop Standard Operating Procedures (SOP), and will ensure that at least one of the tools described in the sections below is utilized on each UNIX system:

Apply the following standards to the use of UNIX vulnerability assessment tools:

System Administrators will run a vulnerability tool utility on UNIX platforms on a quarterly basis.
The reports produced by running the vulnerability tool will be maintained for a period of one year by the ISSO.
All security problems noted will be reported to the proper authorities.
All security problems noted will be corrected as soon as possible.
A record of the corrective actions taken on security errors discovered by running the vulnerability tool will be maintained by the ISSO, along with the vulnerability tools security reports.


The following packages are available at the ASSIST.MIL site. Explore the ftp and new areas for these and other security software packages.


Security Profile Inspector (SPI)
SPI is a set of UNIX security inspectors that check file and data integrity.


Npasswd -
The software package, npasswd, is a program suite that allows the ISSO to enforce policies for selecting passwords. This software will be downloaded and used if the native UNIX operating system does not provide password options as described in this document. Test the software before replacing the native passwd program.


Passwd+
The software package, passwd+, is a program suite that allows the ISSO to enforce policies for selecting passwords. This software will be downloaded and used if the native UNIX operating system does not provide password options as described in this document. Test the software before replacing the native passwd program.


TCP/IP Wrapper Program -
The TCP/IP Wrapper program provides additional network logging information. It gives a System Administrator the ability to deny or allow access from certain systems or domains to the host on which the program is installed. Installation of this software does not require any modification to existing network software or to network configuration files. The TCP/IP Wrapper program should be loaded on all UNIX hosts connected to a network.


CRACK -
CRACK is a freely available program designed to identify standard UNIX DES (Data Encryption Standards) encrypted passwords that can be found in widely available dictionaries by standard guessing techniques outlined in the CRACK documentation.

Apply the following standards to the use of the CRACK utility:

CRACK will be run quarterly as a regular system administration procedure.
Users with crackable passwords will be notified to change their passwords.


Tripwire -
Tripwire is a utility that checks both file and directory integrity. It compares a designated set of files and directories to information stored in a previously generated data base. Any differences are flagged and logged, including added or deleted entries. When run against system files on a regular basis, Tripwire enables the detection of changes in critical system files and facilitates immediate damage control measures.
Apply the following standards to the use of the Tripwire utility:

Tripwire will be run initially to obtain a baseline data base on all system and application executable files.
Tripwire will be executed weekly. The results will be compared against the baseline data base.
All discrepancies will be investigated for a possible security problem.
All security problems noted will be reported to the proper authorities.


The following packages are available from the CERT Coordination Center. Again, probe around a bit. You'll also find md5, crack, tcp wrappers and tripwire, among others. This site is the System Engineering Institute of Carnegie Mellon University. CERT means Computer Emergency Response Team and is a registered/trademarked name.


Ifstatus -
The ifstatus program can be run on UNIX systems to identify network interfaces that are in either the debug or promiscuous modes. Network interfaces in these modes may be the sign of an intruder performing network monitoring to obtain passwords and other data. The program does not print any output unless -v is specified, or unless it finds interfaces in the debug or promiscuous modes. The ifstatus will be run from cron on a weekly basis. If a system has a modern cron that mails the output of cron jobs to its owner, use the following script to mail the results, put this line in the cron script:

00 * * * * /usr/local/etc/ifstatus

With a version of cron that does not mail the results to the owner, use the run-ifstatus shell script instead (editing it as needed to use the right path to the command):

00 * * * * /usr/local/etc/run-ifstatus


COPS -
The Computer Oracle and Password System (COPS) is a publicly available collection of programs that attempt to identify security problems in a UNIX system. COPS does not attempt to correct any discrepancies found. It simply produces a report of its findings.


The next one - TIGER - can be found at Texas A&M
download tiger-2.2.3.tar.gz. Again, look around you may find something else of interest.


TIGER -
TIGER is a set of Bourne shell and C program files used to perform a security audit of a UNIX host. TIGER has one specific task, which is to report on ways the root UID can be compromised. TIGER does not attempt to correct any discrepancies. It simply produces a report of its findings.

NETWORK SECURITY -

Inetd.sec | Telnet | Trusted Hosts | Rlogin and Rsh
Anonymous File Transfer Protocol | FTP | tftp - Trivial File Transfer Protocol | X Windows

Networks have made dramatic changes in communications between computer systems. Networks allow people and systems to exchange information across a building or across the world. With the proliferation of networks, the number of network security concerns has increased.

The two distinct types of networks are Local Area Networks (LANs) and Wide Area Networks (WANs). Communication then takes the form of either Serial Line Internet protocol (SLIP) or Point-to-Point Protocol (PPP). UNIX offers the following network services:

Remote virtual terminals (e.g., telnet and rlogin) allow a user to log into a host on the network.
Remote file services allow users to access files on a host connected to the network.
Electronic directory services (e.g., finger, whois) allow remote users to query a host for information concerning users assigned to a host.
Date and time services allow a remote computer to automatically synchronize its clock with a host machine.


Inetd.sec -
One fairly effective method of network security is to restrict access to the system in the first place. It is possible to limit the use of telnet, ftp, login and many other "services". A list of "services" which can be performed on HP-UX 10.XX can be found in /etc/services.

Allowing or denying access to any or all of the listed services can be accomplished with the used of inetd.sec. This is a text file and can be changed to meet your needs.

To restrict access to the system by anyone outside your immediate network you would add the following line to the inetd.sec file:

telnet allow 158.15.* - this restricts access to anyone except those whose IP address starts with 158.15. Add chloe.disa.mil after the * and a space, to allow chloe to access the system. You can keep adding individuals and/or networks. The only stipulation is when you add a new line backslash (\) do not put a space after it.
tftp deny - will not let anyone tftp to the system.


Telnet -
Telnet uses the telnet and telnetd programs to provide remote virtual terminal service. Telnet is the client program, and telnetd is the server program. Apply the following standards to telnet services:

The /etc/services file will have the telnet service configured to port 23.
The /etc/inetd.conf file will have a permission bit of 640.
The /etc/inetd.conf file will be owned by the root.
The /etc directory will have the sticky bit set.


Trusted Hosts -
Trusted host is a term used to define trust between hosts on a network. If one host trusts another host, then any user who has the same userid on both hosts can log in from one host to the other without a password. When a system is listed in host.equiv, its security must be as good as local security. One insecure system listed in host.equiv compromises the security of the entire system.
To maintain system security, take the following actions to protect the system from rlogin and rsh:

No trusted hosts will be allowed.
The /etc/hosts.equiv file will be on all systems. The file will be empty, will be owned by the root, and will have a permission bit of 700.
All r commands will be disabled in the /etc/inetd.conf file.
No account users will have a .rhosts file in their home directories.


Rlogin and Rsh -
The rlogin and rlogind programs provide remote terminal service similar to telnet. The client program is rlogin, and the server program is rlogind. The two important differences between rlogin and telnet are as follows:

Rlogin does not require that the user type a userid.
If the rlogin connection is coming from a trusted host or a trusted user, no password is required for login.

The rsh program is similar to rlogin. The client program is rsh, and the server program is rshd. The rsh command allows a user to execute a program on a host machine without logging into the host. The rsh command only works from trusted hosts and UNIX systems.

Use the following standards to control system exposures to rlogin and rsh:
All r commands (e.g., rlogin, rsh) in the /etc/inetd.conf file will be disabled. The /etc/inetd.conf file will have a permission bit of 640.


Anonymous File Transfer Protocol
A File Transfer Protocol (FTP) can be configured for anonymous access. This allows network users without a valid account on the host to upload or download files from a specified directory. Anonymous FTP (AFTP) will not be allowed.


FTP -
File Transfer Protocol (FTP) allows the transfer of files between systems. The client program is ftp, and the server program is ftpd. When ftp is used to contact a remote host, the remote host requires the use of a valid userid and password. FTP logins are recorded in the /var/adm/wtmp file. Apply the following standards to the management of ftp connections:

A file named ftpusers will be created and placed in the /etc directory. This file will contain all accounts that are not human users, e.g., root, uucp, news, bin, ingress, nobody, and daemon.
The ftpusers file will be owned by the root and will have a permission bit of 555.
The in.ftpd file will be owned by a privileged user such as bin or root.
The in.ftpd file will have a permission bit of 555.


tftp - Trivial File Transfer Protocol -
A Trivial File Transfer Protocol (TFTP) is a UDP (User Datagram Protocol) based file transfer program that provides no security. tftp security features will be tested for each UNIX host. No site will run tftp unless required for operation (e.g., X-Terminals). The tfpt entry will be commented out in the inetd.conf file. If a site is required to run tftp, the protocol will run in a secure manner. It will be directed to a specific directory with the absolute minimum number of files required.

The protocol will be tested for secure operation in the following manner on each host:

Log in as the root, and enter the following:
        tftp localhost
        tftp> get /etc/passwd > passtest

If the system responds with a message, Error code 1: File not found, or if the system locks up, the host is secure. If the command creates a file named passtest, immediately perform the following tasks:

Disable tftp service in the /etc/inetd.conf file.
If required for operation, reconfigure the tftp in the /etc/inetd.conf file and retest.
If the tftp test fails again, proceed to the next step.
Contact the system vendor and obtain an updated tftp program.
Retest the tftp protocol.
If the test fails again, disable the tftp in the /etc/inetd.conf file.
Contact DISA WESTHEM, WE5, for guidance.


X Windows -
X Windows is a network-based window system that allows many programs to share a single graphics display. X Windows-based programs display their output in windows, which can be either on the same computer or on any computer in the network. Each device that runs X Windows is controlled by a program named X Windows server. Other programs known as X clients connect to the X Windows server through the network. The X Windows system is a major security hazard. Apply the following standards to X Windows usage:

Each user will be given a copy of the X Windows security-related template files (.xserverrc and .xinitrc) in the user’s home directory.
The permission bit on /tmp will be set to 1777. The sticky bit will be set. The owner will be the root, and the group ID will be 0.
The sticky bits will be set on all sub-directories of /tmp.

Prepared by: Everette Smith, Impact Innovations Government Group, Inc.


Back

Home | Index | Startup & Shutdown | SAM | LVM | Devices
| Security | Workbook | Disaster | Information Sources | Glossary
Continue