Security Guidelines for Users

You may find the following set of guidelines useful for checking whether your login and your resources are secure:

• Choose a good password and protect it from other users. Do not use any strings formed from names or words that other people could guess easily, such as your first name followed by a digit, or any word in an English dictionary Do not tape a piece of paper with your password written on it anywhere near your terminal. Change your password regularly, especially if your system does not force you to do this.

• Encrypt sensitive files with an encryption algorithm providing the appropriate level of security. Encrypt all files that contain information you do not want even your system administrator to read. If your files are not extremely sensitive, but you want to afford them a moderate degree of protection, encrypt them the basic encryption facilities available on your system, for example, by using the crypt command, letting crypt prompt you for your key, or by using your editor with the -x option. Be sure to remember the key you use to encrypt a file, because you will not be able to recover your file otherwise. This makes your files difficult to read, but not totally invulnerable, because a persistent intruder can use a program that performs cryptanalysis to recover your original files. For extremely sensitive files, use a special-purpose encryption program such as PGP (or GPG) or use one of the ccrypt or mcrypt commands. This makes your encrypted files highly resistant to attack. Also, make sure to encrypt files and e-mail messages that you want to keep secure. You can use PGP to do this.

• Protect your files by setting permissions carefully. Set your umask (described in Chapter 3) as conservatively as is appropriate. Reset the permissions on files you copy or move, using cp and mv, respectively, to the permissions you want. Make sure the only directory you have that is writable by users other than those in your group is your rje (remote job entry) directory, which should remain writable by everyone, since it is sometimes used to send you the output of programs you run.

• Protect your .profile. Set the permissions on your .profile so that you are the only user with write permission and so that other users, not in your group, cannot read it. If other users can modify your .profile, they can change it to obtain access to your resources. Users who can read your .profile can find the directories where your commands are by looking at the value of your PATH variable. They could then possibly change these commands.

• Be extremely careful with any suid or sgid program that you own. If you have any suid or sgid programs, make sure they do not include any commands that allow shell escapes. Also, make sure they follow security guidelines for suid and sgid programs.

• Never leave your terminal unattended when you are logged on. Either log out whenever you leave the room, or use a terminal-locking program.

• Impede Trojan horses. Make sure your PATH variable is set so that system directories are searched before current directories.

• Beware of viruses and worms. Avoid viruses and worms by not running programs given to you by others. If you run programs from other users that you trust, make sure they did not get these programs from questionable sources.

• Monitor your last login time. Check the last login time the system displays for you to make sure no one used your account without your knowing it.

• Log out properly. Use either exit or CTRL-D to log out. This prevents another user from continuing your session.