Tuesday, January 19, 2010

13 security practices for SysAdmins

This information has been compiled to help system administrators certify that good security practices are being used BEFORE a computer is connected to the network.

Installing System Patches

It is recommended that based on the requirement, you install every patch recommended for your computer which isn’t
yet installed. Since some patches restore default configurations, it’s important that patches are put in place before any further security precautions are taken.

Before Recording System Defaults

Before starting to record system defaults, a directory should be created to store them. For example;

mkdir /usr/adm/checksIf an unauthorized user does gain access to root privileges on the computer and changes the accounting system, the
administrator will still have an original copy of it for comparison. For safety, the system administrator should check the files against the original about once a month.

Recording SUID and SGID Programs

Before any software is added to the basic operating system release, the system administrator should check for SUID and SGID programs. If unauthorized access occurs, frequently the intruder will leave a program that enables privileged
re-entry. The list of SUID and SGID programs should be stored both on and off the computer. The version on the computer will be used by a daily cron job to check for changes, while the version stored off of the computer will ensure that even if root access is acquired, a record of the system’s original state is available.

The command to list SUID and SGID files is:

find / -type f \( -perm -002000 -o -perm -004000 \)-type f: looks only at regular files-perm: checks for permissions-002000: checks for SGID programs-004000: checks for SUID programsCheck and Record Permissions on all Device Files

By changing the permissions on device files, an unauthorized user can gain access to devices, using this access to change files, impersonate another user, or listen in on conversations. Record the permissions on the device files on and off the computer using:

ls -al /dev/* sort > /usr/adm/checks/devicesPasswords and Shells on System Accounts

Check the system password file to ensure that all accounts have passwords. Many vendors ship their computers with no passwords on the system accounts. System accounts such as bin, lp, and sync should have a ‘*’ for the password field. No account should be left without a password.

Also, the system administrator should check to see if the computer comes with any passwords already assigned. Some
vendors give default passwords to system accounts. Since anyone who has the same type of system knows what the default passwords are, passwords should be changed immediately.

Every account needs to have a shell assigned to it. Most administrative accounts should have /bin/nologin as the shell, which
would disallow crackers from gaining shell access using obscure system holes.

Expire Inactive Accounts

Computers with large numbers of users tend to have accounts that become inactive. The beginning of a new fiscal year often
brings changes in who is using the computer, as users’ funding sources change. The system administrator needs to be sensitive to those accounts that become inactive, and disable them by replacing the password field in the /etc/password file with an ‘*’. If the user has left important data on the computer, eventually they will contact the system administrator to make arrangements to retrieve the data. Once this data is retrieved, the account should be removed.

Restrict Root Login to the Console

The ability to login to the root account should be restricted to the console. Anyone not at the console should have to use ’su’ to
become root. Tries to ’su’ are recorded in a file in /usr/adm such as /usr/adm/sulog, for accounting purposes

Check for Duplicate Groups

Replace any duplicated group with a group of its own. This will remove ambiguity and make membership in a group clearer.

Do Not Establish Guest Accounts

Do not establish accounts for guest usage. These accounts, often appearing as an account with login guest and password
account, are common holes exploited by unauthorized users. Every user of the computer should undergo the same security procedures, receive the same security briefing, and be held accountable to the same standards. When users are finished using the computer, their accounts should be removed from the password file.

‘remote’ Commands

Commands preceded by the letter ‘r’, such as ‘rlogin‘ or ‘rsh‘, should be disabled. They are a source of many attacks on sites
across the Internet. If you must use ‘r’ commands, make sure you filter the TCP ports (512,513,514) at the router; it is important to note this will only stop outsiders from abusing the commands.

Double Check the System Before Long Weekends

Double check the computer before long weekends to ensure there are no security problems with it. A backup just
before a long weekend is advisable.

Do a Monthly System Check

Run the cron script against the cron stored on the removable media in case the unauthorized user gained root access and altered the system without being noticed.

System Security Diary

Keep a diary of the security checks done on the computer and what their results are. Also, document what actions are taken if holes are found or problems occur. If there is a problem, others will want to know what the system administrator has been doing to secure the computer.


Home | About | Link | Link
Simple Proff Blogger Template Created By Herro | Inspiring By Busy Bee Woo Themes