Remove What Is Not Needed


As a general rule, if you are not using it, take it off the system. This applies to programs, data, accounts, files, everything. Removing these things will not only make it more difficult for the hacker to probe and compromise your system, it will also free up resources, disk space, and processor cycles, which in turn will allow you to back up your system more quickly and on fewer removable media, saving you both time and money.

Information gathering and reporting tools should be restricted so that only the superuser can run them. If reports are left on the system, they should be encrypted. This may slow down the speed at which a hacker can infiltrate your system. Security auditing tools should be removed from the system. Keeping them on a removable disk, mounting them on the machine you are monitoring, and removing them when you are not using them, can make a convenient and secure process for the security administrator. This will also force the hacker to bring his own tools.

Remove Unused Accounts

Unused accounts are a vulnerability because hackers will use them as a place to hide. They are viewed as safe since there is no one using them, and therefore no one to notice their being used. Compromising one of these accounts can give a hacker access to a system that may go undetected for a long time.

Unused accounts should be removed from the system. An unused account can be defined as an account that neither owns files nor runs processes. The following commands determine whether any files are owned by the specified user or group; if there are none, the account or group can be removed.

 find / -user username -exec ls -ls {} \;
 userdel username
 find / -group groupname -exec ls -ls {} \;
 groupdel groupname

On HP-UX, default users can include: uucp, lp, nuucp, hpdb, www, and daemon; and default groups can include: lp, nuucp, and daemon. Red Hat Linux can include the default users of: bin, daemon, adm, operator, and rpc; and groups of: root, bin, daemon, sys, adm, tty, disk, mem, and wheel. However, the exact list is dependent on the software installed on the system.

Remove Unneeded Set-ID Programs

Many of the methods used to compromise UNIX systems utilize set-ID programs. So it is somewhat surprising to see the number of set-ID files which are installed by default, especially when most of these programs do not actually need the privilege. Administrative commands, which are expected to be executed by privileged users, have no need to be set-ID. Some commands which have privileges to enable regular users to use some of their features may be deemed unnecessary in a secure environment, particularly on a server where no one other than administrators is expected to be logged in.

The security of the system can be improved by removing programs with set-ID privileges, or by removing the set-ID privilege. To obtain a list of all files with either the set-uid or set-gid bit set on the system, execute this command:

 find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ld {} \; 

On HP-UX, removing the set-uid bit from the following software distributor and logical volume manager commands will greatly reduce the number of files with set-ID privileges, because of the number of links each file has.

 chmod u-s /usr/sbin/swinstall
 chmod u-s /usr/sbin/vgcreate
 chmod u-s /sbin/vgcreate

Some of the set-ID commands will function fine without the privilege using default or commonly used options. However, some of the functionality may be lost for non-privileged users. This may well be acceptable for most server installations.

One strategy is to remove the set-ID bits from all files, then selectively add them back to just the few programs that need to be run by non-root users. The following commands remove the set-uid and set-gid bits from all files, then add the set-uid bit back to su and to the shared-library PAM version of the passwd command:

 find / -perm -4000 -type f -exec chmod u-s {} \;
 find / -perm -2000 -type f -exec chmod g-s {} \;
 chmod u+s /usr/bin/su
 chmod u+s /usr/bin/passwd

If the system does not expect to have any login access, except for administrators, then the su command may be the only set-uid program needed.
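The strip-then-restore strategy above, as an added example that is not from the book: it snapshots the set-ID files under a tree, clears the bits from every regular file, and restores set-uid only on the paths in an allowlist file (the allowlist file and the demo tree are constructed here; in real use the root is / and the script runs as root).

```sh
#!/bin/sh
# Added example (not from the book): snapshot the set-ID files under a tree,
# then strip the bits from everything except an allowlist, as the text
# suggests. ROOT is / in real use; the demo tree lets it run unprivileged.

# Print every regular file under $1 carrying set-uid or set-gid, with its
# mode and owner, so the list can be kept off the box and diffed later.
list_setid() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ld {} \;
}

# Count set-ID regular files under $1 (a number the checks below rely on).
count_setid() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f | wc -l | tr -d ' '
}

# Clear set-uid and set-gid on all regular files under $1, then put set-uid
# back on the paths listed one per line in the allowlist file $2 (e.g.
# /usr/bin/su and /usr/bin/passwd). Set-gid is never restored automatically.
strip_setid_except() {
    root=$1; allow=$2
    find "$root" -perm -4000 -type f -exec chmod u-s {} \;
    find "$root" -perm -2000 -type f -exec chmod g-s {} \;
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -f "$path" ]; then
            chmod u+s "$path"
        else
            echo "allowlist entry missing, skipped: $path" >&2
        fi
    done < "$allow"
}

# Constructed demo tree: three stand-in binaries with set-ID bits, allowlist keeps su and passwd.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/sbin"
    for f in usr/bin/su usr/bin/passwd usr/sbin/swinstall; do
        printf '#!/bin/sh\n' > "$d/$f" && chmod 755 "$d/$f"
    done
    chmod u+s "$d/usr/bin/su" "$d/usr/bin/passwd"
    chmod g+s "$d/usr/sbin/swinstall"
    printf '%s\n' "$d/usr/bin/su" "$d/usr/bin/passwd" > "$d/allow.txt"
    echo "$d"
}

demo=$(make_demo_tree)
echo "before:"; list_setid "$demo"
strip_setid_except "$demo" "$demo/allow.txt"
echo "after:";  list_setid "$demo"; rm -rf "$demo"
```

Keep the "before" listing off the machine; re-running list_setid later and diffing against it shows any set-ID file that has appeared since the baseline.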



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
