UNIX Operating System Security Review

The following was contributed to AuditNet LLC by Rey LeClerc.

Objectives:

(1) Perform a limited review of the UNIX-based operating system to assess the adequacy of control.

(2) Determine the potential impact of identified concerns on the system of internal control.

A. On-Line Security

General Information

UNIX access is based on two levels: system access and file access. System level access is concerned with authorized access to the UNIX operating system and is mediated through a login/logout scheme. File level access involves access to data under the control of the UNIX operating system and is mediated through a file access permission scheme.

UNIX implements system level access through the login procedure. The essential components of the login process are the user's identification code, password, and profile. During login, before granting access, UNIX verifies the submitted user-id/password combination against the list of authorized users in the /etc/passwd file. The user's access may also be modified by the user's profile.

Audit Program

Objective: To ensure that file and system access is adequately secured.
1. Identify the users and user groups defined to the system by listing the contents of the /etc/passwd and /etc/group files.

The /etc/passwd file contains seven colon-separated fields:

* login name
* password (encrypted) and password aging qualifiers
* user id (UID; numbers below 100 are reserved by the system, and 0 is the superuser UID)
* group id
* account name
* home directory (i.e., the directory where the user is placed after logging in)
* program (i.e., the program invoked after the user logs in; the default is /bin/sh, but special shells such as the restricted shell, /bin/rsh, can be used)

The /etc/group file has four fields: group name, password (which should not be used), group id, and the login names associated with the group id.

For each user account in the /etc/passwd file:

a. Ensure a password is required and that it is adequately aged. The password field consists of two entries: the encrypted password and the aging qualifiers. The aging entry has the format Mmww, where M is the maximum duration in weeks and m is the minimum duration in weeks between changes; the week of the last password change is recorded in ww. The character codes for the M and m fields are:

   Code   Number of weeks
   .      0
   /      1
   0-9    2-11
   A-Z    12-37
   a-z    38-63

b. Review the home directory. Ensure that the user's directory does not permit access to sensitive aspects of the operating system, for example the root and /etc directories.

For each group in the /etc/group file:

a. Review the members of user groups to ensure that the access permitted to group members is authorized.

2. Evaluate the use of passwords for special administrative and system logins.

a. Determine if special administrative logins exist to execute specific commands; if so, these logins should be password protected. Common commands/logins are listed below:

   br           Invokes the backup and restore menus.
   setup        Sets up the computer.
   sysadm       Allows access to many useful utilities that do not require a user to log in as root.
   powerdown    Powers the computer down.
   checkfsys    Initiates a check of the file system on the specified removable media.
   makefsys     Makes a new file system on removable media.
   mountfsys    Mounts a file system on removable media for use.
   umountfsys   Unmounts a specified mounted file system.

b. System logins should also be password protected. System logins include: root, bin, adm, uucp, and nuucp.
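The following shell script is an added example (it is not part of the original audit program) that applies the step 1 and step 2 checks to /etc/passwd- and /etc/group-format input: it flags empty password fields, accounts other than root with UID 0, missing aging qualifiers, restricted shells and group passwords, and decodes the Mmww aging codes with the table above. The sample entries are constructed; on a real system feed it the actual files.

```sh
#!/bin/sh
# Added example: audit /etc/passwd and /etc/group entries (steps 1 and 2).
# The sample data below is constructed; on a live system run:
#   audit_passwd < /etc/passwd ; audit_group < /etc/group

# Prints one finding per line for each passwd entry: NO PASSWORD,
# UID 0 NOT ROOT, NO AGING, RESTRICTED SHELL, or the decoded aging
# qualifiers (Mmww: maximum/minimum weeks between password changes).
audit_passwd() {
  awk -F: '
  # Aging code table: . / 0-9 A-Z a-z map to 0 1 2-11 12-37 38-63 weeks.
  function weeks(c) {
    return index("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", c) - 1
  }
  NF != 7 { printf "%s: MALFORMED ENTRY (%d fields)\n", $1, NF; next }
  {
    name = $1; pw = $2; uid = $3 + 0; shell = $7
    if (pw == "") printf "%s: NO PASSWORD\n", name
    if (uid == 0 && name != "root") printf "%s: UID 0 NOT ROOT\n", name
    if (shell == "/bin/rsh") printf "%s: RESTRICTED SHELL\n", name
    if (pw != "") {
      n = split(pw, p, ",")          # "hash,Mmww": p[1] = hash, p[2] = aging
      if (n < 2 || length(p[2]) < 2)
        printf "%s: NO AGING\n", name
      else
        printf "%s: aging max=%d min=%d weeks\n", name,
               weeks(substr(p[2], 1, 1)), weeks(substr(p[2], 2, 1))
    }
  }'
}

# Prints groups that carry a password (should not be used) and the
# membership of gid 0, whose members share the root group's access.
audit_group() {
  awk -F: '
  NF != 4 { printf "%s: MALFORMED ENTRY (%d fields)\n", $1, NF; next }
  $2 != "" { printf "%s: GROUP PASSWORD SET\n", $1 }
  $3 == 0  { printf "%s: gid 0 members: %s\n", $1, ($4 == "" ? "(none)" : $4) }'
}

# Constructed sample entries (the hashes are random text, not real).
SAMPLE_PASSWD='root:Xk3mQ9r1LpwzE,A.01:0:0:Superuser:/:/bin/sh
bin:Lq2Wr8ZaP0mxD:2:2:System binaries:/bin:/bin/sh
adm:MV7nB2cXqf0Hs,//01:4:4:Administration:/usr/adm:/bin/sh
uucp::5:5:UUCP:/usr/lib/uucp:/usr/lib/uucp/uucico
ops:H8sd2fLm9Qwx1,C/02:0:1:Operator:/usr/ops:/bin/sh
guest::201:100:Guest account:/usr/guest:/bin/rsh'
SAMPLE_GROUP='root::0:root,ops
sys:Zp1Lq7Xa:3:root,bin,adm
users::100:guest'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
printf '%s\n' "$SAMPLE_GROUP" | audit_group
```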
Beyond the logins listed in step 2, review whether additional system logins exist that should be restricted.

3. Review access capabilities to operating system directories and files to determine if the allowed access is appropriate. First, request a listing of all directories containing operating system files. Second, identify the users, the users within the group, and the other users allowed access to the operating system files and directories. Some of the operating system directories are as follows:

   /        Root.
   /bin     Contains executable programs and UNIX utilities.
   /dev     Contains special files which represent devices.
   /etc     Contains miscellaneous administration utilities and data files for system administration.
   /lib     Contains libraries for programs and languages.
   /stand   Contains stand-alone programs, including a copy of the operating system kernel loaded by the disk-based boot loader.
   /tmp     Contains temporary files that can be created by any user.
   /usr     Contains user directories and files.
   /unix    The UNIX kernel image.

You must use a login id which has execute access to these directories; ask the system administrator for an id with these capabilities (the system administration id would suffice). While logged on, change the current directory to each of the directories listed above using the cd command (similar to the cd command in MS-DOS) and, while in the directory, issue at the $ prompt:

   ls -l

This command displays the access permissions for each of the files within the directory. Repeat this step for subdirectories as well.

4. Evaluate the effective user-id and group-id flags set on operating system files. While in the root directory, issue the command:

   find / -user root -perm -4100 -exec ls -l {} \;

This command lists all set-UID programs owned by root (the test -perm -4100 matches files that have both the set-UID bit and owner execute permission set). Review the resulting listing and evaluate the group names listed to see if they are authorized group names.

5. Review the table in the /etc/inittab file, which contains the instructions for the init utility. The init utility executes at system startup and calls the getty utility for each terminal. The getty utility displays a login prompt and accepts the user name. Next, getty calls the login utility, which validates the user name and password and starts the shell to accept commands from the user. Determine if the getty and login utilities have been replaced by other utilities/programs called by the init utility. If so, evaluate those utilities/programs to determine if on-line access is authorized.

6. Determine which login program is used by the UNIX operating system. Four versions of the login program can be linked to /bin/login. The most secure version, login.secure, requires a password for the superuser account (root) and restricts the superuser account to logging in only at the operator console.

7. User system access can be further modified by user profiles and restricted shells. Profiles are files executed by the login process and can modify parameters system-wide (/etc/profile) or for specific user accounts (.profile, located in the user's home directory). Restricted shells are default programs, specified in the /etc/passwd record, which prohibit a user from changing directories, changing values in their $PATH statement, issuing commands containing /, and redirecting output. Restricted shells are often used to limit users to very specific and restrictive environments. They are enforced after the .profile has been executed.

a. List the contents of selected users' .profile files. This file determines which directories are accessed through the specification of the path variables. Determine if the directories accessed are appropriate given the user's job duties. Also review the use of the umask command in either the system or the user's profile; this command modifies the default permissions assigned to newly created files.

b. Evaluate the need and use of restricted shells.
c. Ensure that write access to system and user profiles, and to any restricted shells, is appropriately restricted. This is achieved by reviewing the file access permissions of /etc/profile, the users' .profile files, and the restricted shell program.

B. Network Security

General Information

The Basic Networking Utilities permit computers to communicate with each other and with remote terminals. The Basic Networking Utilities consist of user programs, administrative programs, daemons (see the definition below), and supporting data bases. The primary user programs are resident in /usr/bin; these are used to create connections and to transfer files between computers. Some utilities include: cu, ct, uucp, uuto, uux. Most administrative Basic Networking Utilities are resident in the /usr/lib/uucp directory and are of little interest from an audit perspective. However, uulog, which contains a record of each use of the Basic Networking Utilities for transferring files or executing commands on a remote computer (i.e., uucp, uuto, uux), is in the /usr/bin directory. Daemons are background processes which perform system-wide functions such as file transfers and command executions. The supporting data bases are in /usr/lib/uucp. Files of interest include:

* Systems, which contains the information required to establish a connection with a remote computer (i.e., telephone number, login id, and password);
* Permissions, which defines the level of access granted to remote computers; and
* Sysfiles, which can be used to define multiple files to be used by the Basic Networking Utilities (i.e., cu and uucico) that establish connections between computers.

RFS is a component of the operating system which permits selective sharing of resources (i.e., directories, files, devices) across a network. RFS is networking software which facilitates networking by permitting the creation of "domains". Domains are logical groupings of nodes (i.e., hosts) which are administered centrally with defined host accesses and sharable resources. RFS is initiated by rfstart, and init 3 (run state 3) is required.

Audit Program

Objective: To ensure that system parameters provide a secure network environment.

1. Evaluate the Systems file (i.e., /usr/lib/uucp/Systems) to ensure that only secure and legitimate communication links are established with network nodes. Each entry in the Systems file (when used in conjunction with remote.unknown) defines nodes for establishing inbound and outbound connections.

a. Determine that access to the Systems file, and to the System Administration Menu subcommand (i.e., systemmgmt) which supports the file, is restricted.

b. Determine that the default permissions for remote.unknown have not been changed to prohibit execution (i.e., chmod 000 remote.unknown). This program executes when any machine not defined in Systems attempts a conversation; it logs the request and fails to make the connection. If this file is inactivated, any/all conversation requests will be accepted.

c. Evaluate Systems file entries. Each entry has the following format:

   system-name  Time  Type  Class  Phone  Login

Points to consider include:

* A given system-name can have multiple entries; however, each entry represents a separate circuit.
* Use Time field entries to restrict connections to specific days of the week or time periods. Other subfields or qualifiers include NEVER (places the local node in a passive mode so that only inbound connections are established, a good control for master/slave relationships) and retry (establishes the interval before failed attempts can be retried; the default is 60 minutes).
* The Login field is of the format expect [-send-expect] send, where expect is the string received (usually a system-name) from the remote node and send is the string sent to the remote node when the expected string is received. To promote security, the expect string should uniquely identify the remote node (it should never be null), and the "-send" qualifier should always be used to ensure the send string is transmitted only for valid requests.

2. Evaluate the Permissions file (/usr/lib/uucp/Permissions) to ensure that a remote node's ability to log in, access files, and execute commands is adequately restricted. Permissions file entries can be of two types, LOGNAME and MACHINE. LOGNAME entries define the permissions in effect when a remote node logs onto the local computer. MACHINE entries define the permissions in effect when the local computer logs onto the remote node. Both entry types have options which impact network security. Points to consider include:

a. Each remote login id used for UUCP communications should appear in only one LOGNAME entry.
b. The REQUEST option defines whether a remote node's request for a file transfer is granted. The option can be used with both LOGNAME and MACHINE entries. The default value is NO. REQUEST options with YES values should be investigated.

c. The SENDFILES option defines whether work completed by the local node and queued for the remote node will be transmitted to the remote node. This option is only valid with LOGNAME entries. Possible values are YES (transmit) and CALL (transmit only if the local node initiated the connection). The default is CALL. Investigate all YES options.

d. The READ and WRITE options define where the uucico utility (i.e., the daemon used to establish network connections) can read from or write to. The options can be used with both LOGNAME and MACHINE entries. The default value is the path /usr/spool/uucppublic. Any legitimate path is an acceptable value. The NOREAD and NOWRITE options define exceptions to the READ and WRITE options. Any entries without the default values should be reviewed.

e. Review the use of the CALLBACK option. It is used with LOGNAME entries to require a callback of the remote system initiating the connection. The default value is NO.

f. The COMMANDS option defines the commands a remote node can execute on the local machine. The default is set with a string such as COMMANDS=rmail. COMMANDS options on a MACHINE entry override the default value and should be investigated. The ALL value permits the remote node to execute any command; this value should not be allowed. Whenever significant commands are permitted remote execution, the use of the VALIDATE option should be reviewed. This option associates login ids (remote node system names) with the specific commands these ids are allowed to execute.

g. Determine if multiple copies of the Systems file exist (i.e., review /usr/lib/uucp/Sysfiles). If so, evaluate the impact on network security.
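The following shell script is an added example, not part of the original audit program: it parses Permissions file entries (OPTION=value pairs, one logical line per entry, with backslash continuation and # comments) and prints the conditions that points a to f above say to investigate. The sample file, host names and login ids are constructed; on a live system feed it /usr/lib/uucp/Permissions.

```sh
# Added example (not from the original audit program): audit the entries of
# /usr/lib/uucp/Permissions per step 2. Each entry is one logical line of
# OPTION=value pairs; a trailing backslash continues it, '#' starts a comment.
audit_permissions() {
  awk '
  /^[ \t]*#/ || /^[ \t]*$/ { next }
  { line = line $0; if (sub(/\\$/, "", line)) next; entry(line); line = "" }
  END { if (line != "") entry(line) }
  function entry(l,   n, t, i, j, m, opt, id, names, keys, cmds) {
    n = split(l, t, /[ \t]+/)
    for (i = 1; i <= n; i++) {
      j = index(t[i], "=")
      if (j > 0) opt[toupper(substr(t[i], 1, j - 1))] = substr(t[i], j + 1)
    }
    if ("LOGNAME" in opt) id = "LOGNAME=" opt["LOGNAME"]; else id = "MACHINE=" opt["MACHINE"]
    # (a) each remote login id should appear in only one LOGNAME entry
    m = 0; if ("LOGNAME" in opt) m = split(opt["LOGNAME"], names, ":")
    for (j = 1; j <= m; j++)
      if (++seen[names[j]] > 1) printf "%s: login %s in more than one LOGNAME entry\n", id, names[j]
    # (b), (c) transfer options whose defaults are no and call
    if (tolower(opt["REQUEST"]) == "yes") printf "%s: REQUEST=yes, remote may request transfers\n", id
    if (tolower(opt["SENDFILES"]) == "yes") printf "%s: SENDFILES=yes, queued work sent on remote calls\n", id
    # (d) paths other than the /usr/spool/uucppublic default
    split("READ WRITE NOREAD NOWRITE", keys, " ")
    for (j = 1; j <= 4; j++)
      if ((keys[j] in opt) && opt[keys[j]] != "/usr/spool/uucppublic")
        printf "%s: %s=%s, non-default path\n", id, keys[j], opt[keys[j]]
    # (e) callback setting reported for review
    if ("CALLBACK" in opt) printf "%s: CALLBACK=%s\n", id, opt["CALLBACK"]
    # (f) ALL is never acceptable; anything beyond rmail should carry VALIDATE
    if ("COMMANDS" in opt) {
      cmds = opt["COMMANDS"]
      if (toupper(cmds) == "ALL") printf "%s: COMMANDS=ALL, any command allowed\n", id
      else if (cmds != "rmail") printf "%s: COMMANDS=%s, non-default command list\n", id, cmds
      if (cmds != "rmail" && !("VALIDATE" in opt)) printf "%s: commands granted without VALIDATE\n", id
    }
  }'
}

# Constructed sample Permissions file (host names and logins are made up).
SAMPLE_PERMISSIONS='# constructed sample
LOGNAME=nuucp REQUEST=no SENDFILES=call \
  READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic
MACHINE=vendorhost REQUEST=yes COMMANDS=ALL
LOGNAME=uvendor MACHINE=vendorhost SENDFILES=yes CALLBACK=no \
  COMMANDS=rmail:uucp VALIDATE=vendorhost
LOGNAME=nuucp:branch1 WRITE=/usr/branch NOWRITE=/usr/branch/secret'

printf '%s\n' "$SAMPLE_PERMISSIONS" | audit_permissions
```

The first sample entry keeps every default and produces no finding, which is the baseline an auditor should expect for a well-configured login.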
3. Determine if the RFS facility is in use.

a. Before RFS can be used, the network must be configured. Many of the configuration files are contained in the /usr/nserve directory. Review the contents of this directory to determine if the RFS facility is used.

4. If the RFS facility has been configured, RFS security should be evaluated. RFS security can be applied on three levels: connect, mount, and user/group. The connect level specifies whether all or only specific remote hosts can establish a connection. Mount level security defines whether "advertised" resources can be mounted by all or only by specific remote nodes which have established connections. User/group level security maps remote users to specific access permissions. Based on the configuration of the RFS network, evaluate the adequacy of the RFS security.

C. System Logging and Reporting

General Information

Audit Program

Objective: To ensure that system use is subject to adequate monitoring and review.

1. Determine that the following system logs are being reviewed:

a. /etc/wtmp - contains a history of system logins.

b. /usr/adm/sulog - review the contents of this file, which logs the use of the su command. The su (super user) command can compromise security by accessing files belonging to other users without their knowledge; the user must know the password of the file owner. Use of this command will evidence the use of a password by other users.

c. /usr/lib/cron/log - contains a history of actions taken by /etc/cron.

d. /usr/bin/uulog - contains a history of each use of uucp, uuto, and uux.

2. Check each log for adequate size and restricted access.

3. Review the reports used to monitor system performance.

D. System Backup

General Information

Audit Program

Objective: Ensure that data, application, and operating system files are adequately backed up.

1. Determine if the sync utility is periodically executed to copy disk buffers to disk so that the loss of data is kept to a minimum in the event of system failure. This can be verified by reviewing the contents of the table stored in the /etc/crontab file, which lists the programs executed periodically. These programs are executed by the cron utility as background processes. The /etc/crontab file is typically maintained by the system administrator.

2. Determine if the "br" command is password protected. A password can be assigned by the system administrator via the admpasswd command. To invoke backup and restore, a user who is not logged in as root types "br" and should be prompted for a password. The "br" command changes directory to /backups and runs the backup and restore facility as the user br, which has root permissions. If the user is logged in as root, "br" can be entered via the sysadm program.

3. Observe the execution of the utility to determine if the system is in single user mode (i.e., run level s). If the system is not in single user mode, file systems may be active and backups can be invalidated. When "br" is executed it detects which level the system is running at and displays messages on the console.

4. Ensure that backup and restore procedures are logged to the log files /backups/files/logincr or /backups/files/logfull. Logging of backups provides an audit trail of backup procedures. This provides a means to determine if an unattended backup procedure did not execute properly. Also review the contents of these files and determine if all vital file systems are included in the procedure. Next, compare this information with the contents of the file /backups/files/diskinfo, a text file that contains the list of file systems and partitions which are backed up during a full backup. This file provides the backup_restore command with a description of the file systems in order to execute a proper backup and restore.

5. Ensure that write verify passes are made to enhance the reliability of the new archive. Write verify passes occur by default unless they are disabled. Write verify is an option of the backup_restore command.