Restrict the Rest


Anything which is left on the system at this point should be restricted as much as possible, so that appropriate use is allowed and inappropriate use is denied. Host-based firewalls are suggested for limiting access to services at a low level. Services which can themselves restrict access should also employ this application-level security.

Restrict syslogd

The system logger, syslog, records kernel, system, and application log messages. It will also accept messages from other systems on the network. This network feature should be disabled so that other systems cannot consume local resources.

  • Linux (Red Hat 6) does not accept remote syslog messages by default. To enable this feature, edit /etc/rc.d/init.d/syslog and add the "-r" option so that the system logging daemon is started as:

     daemon syslogd -r 
  • HP-UX accepts remote syslog messages by default. To disable this feature, add the "-N" option in /sbin/init.d/syslogd so that the line which starts the system logging daemon is:

     /usr/sbin/syslogd -DN 

    Earlier versions of HP-UX require patch PHCO_21023, which adds this option to the system logging daemon.

Restrict the Privileged Group

Hackers can change the ownership of files to misdirect investigations or to let another user pay for resources which are not his in a bill-back environment. Non-privileged users really don't need to be able to change the ownership of files to other users.

Linux allows only the superuser to change the owner of a file.

HP-UX restricts access to changing ownership through the privileged group mechanism. By default the "CHOWN" privilege is a global privilege and applies to all groups. To disable this privilege, create the file /etc/privgroup with permissions set to 400 and containing the single line "-n". This disables every privileged group.

Privileged groups are an HP-UX mechanism by which certain privileges can be delegated to specific groups of users. These privileged groups are managed with the getprivgrp and setprivgrp commands. Table 21-1 lists the system capabilities which can be granted to groups.

Table 21-1. HP-UX Privileged Group

  Privilege    Capability
  ----------   -----------------------------------------------------------------
  CHOWN        Can use chown to change file ownerships.
  LOCKRDONLY   Can use lockf to set locks on files that are open for reading only.
  MLOCK        Can use plock to lock process text and data into memory, and the shmctl function to lock shared memory segments.
  RTPRIO       Can use rtprio to set real-time priorities.
  RTSCHED      Can use sched_setparam and sched_setscheduler to set real-time priorities.
  SERIALIZE    Can use serialize to force the target process to run serially with other processes that are also marked by this system call.
  SETRUGID     Can use setuid and setgid to change, respectively, the real user ID and real group ID of a process.

The default setting for privileged groups is to allow the "CHOWN" privilege to all groups. To change the default setting, the configuration file, /etc/privgroup , must be created and contain lines indicating which privilege is assigned to which group.

Convert to a Trusted System

HP-UX provides a facility called Trusted Systems, which implements "C2" level security. This includes password shadowing (removing the password hashes from the /etc/passwd file), enhanced user access restrictions, and system auditing. The conversion is performed with tsconvert, after which the root password is reset:

 /usr/lbin/tsconvert
 passwd root

Passwords on existing accounts will expire as a result of the conversion, which is why the password for root has to be changed after converting to a trusted system.

Restrict the Root User

On UNIX systems, the root user is all-powerful. The root user, or any user with UID=0, bypasses all of the security policies which are enforced by the kernel and the file system. However, there are some things which can be done to help limit the root user and to track his activities.

  • Restrict root login to the console. By using the secure terminal facility, securetty, login access for the root user can be restricted to a specific list of terminals. If root can log in only at the console, then physical security measures can be employed to provide more protection. Administrators who know the root password can still su to root to perform their administrative functions, and this provides a log of who is actually performing these privileged activities. Put the following entry in /etc/securetty:

     console 

    and set the permissions:

     chown bin:bin /etc/securetty
     chmod 400 /etc/securetty
  • Change the root home directory to /root. Moving root's home directory out of / helps eliminate unintentional security problems caused by files being accidentally placed in the root directory, /. It also allows the permissions of the root user's home directory to be set more restrictively. This is accomplished by editing the password file entry to:

     root:*:0:3::/root:/sbin/sh 

    Then build the directory:

     mkdir /root
     chown root:root /root
     chmod 700 /root
     mv /.profile /root
     pwconv

Restrict File Permissions

File permissions should be as restrictive as possible while still allowing the system to operate properly. This minimizes the scope of the damage which an unprivileged user or program can cause. Generally, this means that there should not be any world-writable files, except for a very few temporary files and directories. A freshly installed system will contain a number of files which are world-writable. These files can be listed with the following command:

 find / -perm -002 ! -type l -exec ls -ld {} \; 

Symbolic links are excluded from the search since their permission bits are not used.

One approach is to remove the world-write bit from all files, then selectively add it back to those files and directories where it is necessary. The following can be executed to remove the world-write bit from all files with it set:

 find / -perm -002 ! -type l -exec chmod o-w {} \; 

Now we open up the permissions of files that need to be writable by the world:

 chmod 1777 /tmp /var/tmp /var/preserve
 chmod 666 /dev/null

The sticky bit should be set in publicly writable directories to prevent unprivileged users from removing or renaming files in the directory that they do not own.
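As an added example that is not from the book, the following shell function performs the world-writable audit described above and additionally flags world-writable directories that lack the sticky bit; the function names and the output format are my own.

```shell
#!/bin/sh
# Added example (not from the book): audit a tree for world-writable entries.
# Lists regular files and directories with the world-write bit set, skipping
# symbolic links (the kernel ignores their mode bits), and flags every
# world-writable directory that has no sticky bit.
#
# Output, one line per finding:
#   FILE <path>          world-writable file (candidate for chmod o-w)
#   DIR-STICKY <path>    world-writable directory with sticky bit (e.g. /tmp)
#   DIR-NOSTICKY <path>  world-writable directory without sticky bit
audit_world_writable() {
    root=${1:-/}
    # -perm -002: world-write bit set; ! -type l: ignore symbolic links.
    find "$root" -perm -002 ! -type l \( -type f -o -type d \) -print 2>/dev/null |
    while IFS= read -r path; do
        if [ -d "$path" ]; then
            if [ -k "$path" ]; then
                printf 'DIR-STICKY %s\n' "$path"
            else
                printf 'DIR-NOSTICKY %s\n' "$path"
            fi
        else
            printf 'FILE %s\n' "$path"
        fi
    done
}

# count_findings ROOT KIND: number of findings of KIND (FILE, DIR-STICKY,
# DIR-NOSTICKY) under ROOT, handy for a pass/fail check in a hardening script.
count_findings() {
    audit_world_writable "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}
```

Running `audit_world_writable /` on a freshly installed system produces the list the text describes; anything reported as DIR-NOSTICKY should either lose its world-write bit or receive the sticky bit as in the chmod 1777 step above.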

The umask command sets the default permission bits to be used when creating a file. For system start-up processes, the umask has to be set in a start-up script. The default umask for users has to be set in the users' session start-up scripts. One side-effect of converting to a trusted system is that the default mask of 0 is changed to 07077, so nothing further needs to be done to tighten up the mask.

Security Network Tuning

Network tunable parameters can have a significant effect on the security of a system. Default parameters are generally set to optimize performance or to increase functionality, usually without concern for security.

On Linux, /proc is a pseudo-file system which is used as an interface to kernel data structures rather than reading and interpreting /dev/kmem . Most of it is read-only, but some files allow kernel variables to be changed.

 # Defend against SYN attacks
 /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
 /sbin/sysctl -w net.ipv4.tcp_syncookies=1
 # Don't send or accept IP redirects
 /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
 /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
 # No source routing, no forwarding
 /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
 /sbin/sysctl -w net.ipv4.conf.all.forwarding=0
 /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
 # Set the TIME_WAIT timeout (IPVS/LVS parameter, present only when that module is loaded)
 /sbin/sysctl -w net.ipv4.vs.timeout_timewait=60
 # Defend against SMURF attacks
 /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
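As an added example that is not part of the book, this shell function compares the standard Linux parameters from the list above with the values the running kernel exposes under /proc/sys and reports any drift. The function name and the optional root-directory parameter are my own, so that the same check can be run against a constructed tree; the IPVS and mc_forwarding entries are left out because not every kernel provides them.

```shell
#!/bin/sh
# Added example (not from the book): report drift between the Linux hardening
# values listed above and what the running kernel exposes under /proc/sys.
# A sysctl key maps to the file /proc/sys/<key with dots replaced by slashes>.
DESIRED='
net.ipv4.tcp_max_syn_backlog 1280
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.forwarding 0
net.ipv4.icmp_echo_ignore_broadcasts 1
'

# check_sysctl_drift [ROOT]
# ROOT defaults to /proc/sys; another directory lets the check run against a
# constructed tree. Prints one line per key: "OK key", "DRIFT key current->desired"
# or "MISSING key" (parameter not present in this kernel). Returns non-zero if
# any key drifted or is missing, so it can gate a hardening script.
check_sysctl_drift() {
    root=${1:-/proc/sys}
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        file="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$file" ]; then
            printf 'MISSING %s\n' "$key"
            rc=1
            continue
        fi
        read -r have < "$file"
        if [ "$have" = "$want" ]; then
            printf 'OK %s\n' "$key"
        else
            printf 'DRIFT %s %s->%s\n' "$key" "$have" "$want"
            rc=1
        fi
    done <<EOF
$DESIRED
EOF
    return "$rc"
}
```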

HP-UX 11 introduces the ndd command to perform network tuning. Start-up scripts read /etc/rc.config.d/nddconf and set initial values for the network parameters. ndd -h produces help text for each supported and unsupported tunable parameter that can be changed. This output should be examined to determine what is best for your environment. The following is an example /etc/rc.config.d/nddconf file.

 # Defend against SMURF attacks
 # Don't forward directed broadcasts
 TRANSPORT_NAME[0]=ip
 NDD_NAME[0]=ip_forward_directed_broadcasts
 NDD_VALUE[0]=0
 # Don't respond to ICMP echo request broadcasts
 TRANSPORT_NAME[1]=ip
 NDD_NAME[1]=ip_respond_to_echo_broadcast
 NDD_VALUE[1]=0
 # Don't respond to ICMP address mask request broadcasts
 TRANSPORT_NAME[2]=ip
 NDD_NAME[2]=ip_respond_to_address_mask_broadcast
 NDD_VALUE[2]=0
 # Don't respond to ICMP timestamp request broadcasts
 TRANSPORT_NAME[3]=ip
 NDD_NAME[3]=ip_respond_to_timestamp_broadcast
 NDD_VALUE[3]=0
 # Don't forward packets with source route options
 TRANSPORT_NAME[4]=ip
 NDD_NAME[4]=ip_forward_src_routed
 NDD_VALUE[4]=0
 # Don't forward or redirect packets
 # Disable IP forwarding
 TRANSPORT_NAME[5]=ip
 NDD_NAME[5]=ip_forwarding
 NDD_VALUE[5]=0
 # Don't send IP redirects
 TRANSPORT_NAME[6]=ip
 NDD_NAME[6]=ip_send_redirects
 NDD_VALUE[6]=0
 # Defend against SYN attacks
 # Increase TCP listen queue maximum
 TRANSPORT_NAME[7]=tcp
 NDD_NAME[7]=tcp_conn_request_max
 NDD_VALUE[7]=500
 TRANSPORT_NAME[8]=tcp
 NDD_NAME[8]=tcp_syn_rcvd_max
 NDD_VALUE[8]=1024
 # Shorten the TIME_WAIT state timeout
 TRANSPORT_NAME[9]=tcp
 NDD_NAME[9]=tcp_time_wait_interval
 NDD_VALUE[9]=60000
 # Don't send text messages in TCP RST segments
 TRANSPORT_NAME[10]=tcp
 NDD_NAME[10]=tcp_text_in_resets
 NDD_VALUE[10]=0

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210