Anything which is left on the system at this point should be restricted as much as possible to allow appropriate use and deny inappropriate use. Use of host-based firewalls is suggested to limit the services at a low level. Services which can in themselves restrict access should employ this application-level security.

Restrict syslogd

The system logger, syslog, records kernel, system, and application log messages. It also will accept messages from other systems on the network. This network feature should be disabled so that other systems cannot utilize local resources.
Restrict the Privileged Group

Hackers can change the ownership of files to misdirect investigations or to let another user pay for resources which are not his in a bill-back environment. Non-privileged users really don't need to be able to change the ownership of files to other users. Linux allows only the superuser to change the owner of a file. HP-UX restricts access to changing ownership through the privileged group mechanism. By default the "CHOWN" privilege is a global privilege and applies to all groups. To disable this privilege, the file /etc/privgroup should be created with permissions set to 400 and containing "-n". This will disable any privileged group.

Privileged groups are a mechanism in HP-UX by which certain privileges can be delegated to specific groups of users. Manipulation of these privileged groups is controlled with the getprivgrp and setprivgrp commands. Table 21-1 lists the system capabilities which can be granted to groups.

Table 21-1. HP-UX Privileged Group
The default setting for privileged groups is to allow the "CHOWN" privilege to all groups. To change the default setting, the configuration file, /etc/privgroup, must be created and contain lines indicating which privilege is assigned to which group.

Convert to a Trusted System

HP-UX provides a facility called Trusted Systems, which implements "C2" level security. This includes password shadowing (the process of removing the password hash from the /etc/passwd file), enhanced user access restrictions, and system auditing.

    /usr/lbin/tsconvert
    passwd root

Passwords on existing accounts will expire as a result of the conversion, which is why the password for root has to be changed after converting to a trusted system.

Restrict the Root User

On UNIX systems, the root user is all powerful. The root user, or any user with UID=0, bypasses all of the security policies which are enforced by the kernel and the file system. However, there are some things which can be done to help limit the root user and help track his activities.
Restrict File Permissions

File permissions should be as restrictive as possible while still allowing the system to operate properly. This minimizes the scope of the damage which an unprivileged user or program can cause. Generally, this means that there should not be any files which are world-writable, except a very few temporary files. A freshly installed system will contain a number of files which are world-writable. These files can be listed with the following command:

    find / -perm -002 ! -type l -exec ls -ld {} \;

Symbolic links are excluded from the search since their permission bits are not used. One approach is to remove the world-write bit from all files, then selectively add it back to those files and directories where it is necessary. The following can be executed to remove the world-write bit from all files with it set:

    find / -perm -002 ! -type l -exec chmod o-w {} \;

Now we open up the permissions of files that need to be writable by the world:

    chmod 1777 /tmp /var/tmp /var/preserve
    chmod 666 /dev/null

The sticky bit should be set in publicly writable directories to prevent unprivileged users from removing or renaming files in the directory that they do not own.

The umask command sets the default permission bits to be used when creating a file. For system start-up processes, the umask has to be set in a start-up script. The default umask for users has to be set in the user's session start-up scripts. One side-effect of converting to a trusted system is that the default umask of 0 is changed to 07077, so nothing needs to be performed to tighten up the mask.

Security Network Tuning

Network tunable parameters can have a significant effect on the security of a system. Default parameters are generally set to optimize performance or to increase functionality, usually without concern for security. On Linux, /proc is a pseudo-file system which is used as an interface to kernel data structures, rather than reading and interpreting /dev/kmem.
Most of it is read-only, but some files allow kernel variables to be changed, for example with sysctl:

    # Defend against SYN attacks
    /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=1280
    /sbin/sysctl -w net.ipv4.tcp_syncookies=1
    # Don't send or accept IP redirects
    /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
    /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
    # No source routing, no forwarding
    /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
    /sbin/sysctl -w net.ipv4.conf.all.forwarding=0
    /sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
    # Set the TIME_WAIT timeout (this entry exists only on kernels with the IP Virtual Server code)
    /sbin/sysctl -w net.ipv4.vs.timeout_timewait=60
    # Defend against SMURF attacks
    /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

HP-UX 11 introduces the ndd command to perform network tuning. Start-up scripts read /etc/rc.config.d/nddconf and set initial values for the network parameters. ndd -h produces help text for each supported and unsupported tunable parameter that can be changed. This output should be examined to determine what is best for your environment. The following is an example /etc/rc.config.d/nddconf file.
    # Defend against SMURF attacks
    # Don't forward directed broadcasts
    TRANSPORT_NAME[0]=ip
    NDD_NAME[0]=ip_forward_directed_broadcasts
    NDD_VALUE[0]=0
    # Don't respond to ICMP echo request broadcasts
    TRANSPORT_NAME[1]=ip
    NDD_NAME[1]=ip_respond_to_echo_broadcast
    NDD_VALUE[1]=0
    # Don't respond to ICMP address mask request broadcasts
    TRANSPORT_NAME[2]=ip
    NDD_NAME[2]=ip_respond_to_address_mask_broadcast
    NDD_VALUE[2]=0
    # Don't respond to ICMP timestamp request broadcasts
    TRANSPORT_NAME[3]=ip
    NDD_NAME[3]=ip_respond_to_timestamp_broadcast
    NDD_VALUE[3]=0
    # Don't respond to other broadcasts
    # Don't forward packets with source route options
    TRANSPORT_NAME[4]=ip
    NDD_NAME[4]=ip_forward_src_routed
    NDD_VALUE[4]=0
    # Don't forward or redirect packets
    # Disable IP forwarding
    TRANSPORT_NAME[5]=ip
    NDD_NAME[5]=ip_forwarding
    NDD_VALUE[5]=0
    # Don't send IP redirects
    TRANSPORT_NAME[6]=ip
    NDD_NAME[6]=ip_send_redirects
    NDD_VALUE[6]=0
    # Defend against SYN attacks
    # Increase TCP listen queue maximum
    TRANSPORT_NAME[7]=tcp
    NDD_NAME[7]=tcp_conn_request_max
    NDD_VALUE[7]=500
    TRANSPORT_NAME[8]=tcp
    NDD_NAME[8]=tcp_syn_rcvd_max
    NDD_VALUE[8]=1024
    # Shorten the TIME_WAIT state timeout
    TRANSPORT_NAME[9]=tcp
    NDD_NAME[9]=tcp_time_wait_interval
    NDD_VALUE[9]=60000
    # Don't send text messages in TCP RST segments
    TRANSPORT_NAME[10]=tcp
    NDD_NAME[10]=tcp_text_in_resets
    NDD_VALUE[10]=0
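A configuration file like the one above is only as good as its last edit, so an audit that compares it against the intended baseline is worth keeping beside it. The following Python script is an added example, not code from the book or from HP-UX: it parses the TRANSPORT_NAME/NDD_NAME/NDD_VALUE triples, flags index gaps and incomplete entries, and reports every parameter that differs from or is missing relative to the hardened values listed on this page. The SAMPLE file is constructed for illustration; the same comparison applies to the Linux sysctl list in the previous section.

```python
import re
# Hardened baseline taken from the nddconf example on this page: (transport, parameter) -> value
BASELINE = {
    ("ip", "ip_forward_directed_broadcasts"): "0", ("ip", "ip_respond_to_echo_broadcast"): "0",
    ("ip", "ip_respond_to_address_mask_broadcast"): "0", ("ip", "ip_respond_to_timestamp_broadcast"): "0",
    ("ip", "ip_forward_src_routed"): "0", ("ip", "ip_forwarding"): "0", ("ip", "ip_send_redirects"): "0",
    ("tcp", "tcp_conn_request_max"): "500", ("tcp", "tcp_syn_rcvd_max"): "1024",
    ("tcp", "tcp_time_wait_interval"): "60000", ("tcp", "tcp_text_in_resets"): "0",
}
ENTRY_RE = re.compile(r"^(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)\[(\d+)\]=(\S+)$")
# Constructed sample file: IP forwarding left enabled, index 1 skipped, most baseline entries absent
SAMPLE = """# Don't forward directed broadcasts
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_forward_directed_broadcasts
NDD_VALUE[0]=0
TRANSPORT_NAME[2]=ip
NDD_NAME[2]=ip_forwarding
NDD_VALUE[2]=1
"""

def parse_nddconf(text):
    """Group TRANSPORT_NAME/NDD_NAME/NDD_VALUE lines by index -> {idx: {var: value}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and blank lines carry no setting
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsable nddconf line: %r" % raw)
        var, idx, val = m.groups()
        entries.setdefault(int(idx), {})[var] = val
    return entries

def audit_nddconf(text):
    """Report index gaps, incomplete triples, values differing from BASELINE, and absent parameters."""
    entries, findings, seen = parse_nddconf(text), [], set()
    if sorted(entries) != list(range(len(entries))):  # the page's file numbers entries 0..10 with no gaps
        findings.append("indices not contiguous from 0: %s" % sorted(entries))
    for idx, e in sorted(entries.items()):
        if set(e) != {"TRANSPORT_NAME", "NDD_NAME", "NDD_VALUE"}:
            findings.append("entry %d incomplete: %s" % (idx, sorted(e)))
            continue
        key = (e["TRANSPORT_NAME"], e["NDD_NAME"])
        seen.add(key)
        if key in BASELINE and e["NDD_VALUE"] != BASELINE[key]:
            findings.append("%s/%s is %s, baseline %s" % (key + (e["NDD_VALUE"], BASELINE[key])))
    findings += ["%s/%s missing (baseline %s)" % (k + (BASELINE[k],)) for k in sorted(BASELINE) if k not in seen]
    return findings
```

Running audit_nddconf over the file shown on this page returns an empty list; run it over the SAMPLE and it reports the index gap, the enabled forwarding, and the nine parameters that were never set.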