unix - secure distribution guidelines
The following are guidelines for a semi-secure unix-based distribution. As can
be expected, following these guidelines does not ensure that a newly installed
system will be secure; rather, it builds some security forethought into the
distribution while minimally impacting the end user. Once this list is complete
(and ordered by category), it will become the subject of a semi-technical
whitepaper.
Please note the difference between the words "must" and "should". The placement
of these words may change during the development of these guidelines.
-
Boot scripts must never drop to a shell unauthenticated. Proper
authentication (i.e. a password) must be satisfied before granting any
privileged access.
-
Network services must be disabled by default, and the user should
explicitly input which services to activate. If any services need to be
activated to satisfy a specified configuration, the user should be alerted
to this fact.
-
Services which can run as a non-root user must always do so, and should
use a specialized account with a unique uid and gid. This account should
have a locked password.
-
uids and gids for services should be out of range of normal uids and gids.
For example, on many systems, uids below 1000, gids below 100, and uids and
gids above 60000 (65535 being the maximum for a 64k field, of course) are
unavailable for normal user accounts. Therefore, these uids and gids would
be good candidates for services.
-
There must be no account on the system allowing login without a password
or with a preset password. System accounts should have a locked password
unless explicitly set by the user. Furthermore, there should be no guest
accounts on the system at all, unless explicitly created by the user.
Anonymous ftp is acceptable only if the user explicitly requests it.
-
Programs which come with an option for chroot()ing should be chroot()ed by
default.
-
Binaries on the system should be writable only to the owner, and should be
owned by either root or a specialized user. If a specialized user is
chosen, this user should not own anything unrelated to binary files on the
system, must not run any services, and must not own any setuid files.
Likewise, any files with a special binary group must not be setgid.
-
System logs should not be world-readable, and should be accessible only by
root or a special user and/or group.
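The binary-permission and log-permission rules above are the kind of thing an installer can audit with a few find invocations. The script below is an added example, not part of these guidelines; it builds a small constructed directory tree under a temp dir (the file names, modes and the "bin", "sbin" and "var/log" paths are illustrative assumptions) and reports the files that break each rule. Owner and group checks are left to the reader because they need a real system and real accounts.

```sh
#!/bin/sh
# Audit of the permission rules above, run against a constructed directory
# tree (a few empty files under a temp dir, not a real system). Checked:
# binaries writable only by their owner, setuid/setgid files listed for review
# of their owner and group, and log files not readable by "other".

# Build the sample tree and print its path. File names are illustrative only.
make_sample_tree() {
    dir=$(mktemp -d) || exit 1
    mkdir -p "$dir/bin" "$dir/sbin" "$dir/var/log"
    : > "$dir/bin/ls";      chmod 0755 "$dir/bin/ls"       # ok: owner-writable only
    : > "$dir/bin/editor";  chmod 0775 "$dir/bin/editor"   # violation: group-writable
    : > "$dir/sbin/sloppy"; chmod 0777 "$dir/sbin/sloppy"  # violation: world-writable
    : > "$dir/bin/passwd";  chmod 4755 "$dir/bin/passwd"   # setuid: owner must be root, never the binary user
    : > "$dir/bin/wall";    chmod 2755 "$dir/bin/wall"     # setgid: its group must not be the binary group
    : > "$dir/var/log/messages"; chmod 0640 "$dir/var/log/messages"  # ok: root and log group only
    : > "$dir/var/log/wtmp";     chmod 0644 "$dir/var/log/wtmp"      # violation: world-readable
    printf '%s\n' "$dir"
}

# Binaries writable by group (020) or other (002). Argument: tree root.
group_or_world_writable() {
    (cd "$1" && find ./bin ./sbin -type f \( -perm -020 -o -perm -002 \) | sort)
}

# Files carrying setuid (4000) or setgid (2000). Each one's owner and group
# must then be compared against the specialized-user rule (ls -l shows both).
setuid_setgid_files() {
    (cd "$1" && find ./bin ./sbin -type f \( -perm -4000 -o -perm -2000 \) | sort)
}

# Log files readable by other (004).
world_readable_logs() {
    (cd "$1" && find ./var/log -type f -perm -004 | sort)
}

tree=$(make_sample_tree)
echo "group/world-writable binaries:";            group_or_world_writable "$tree"
echo "setuid/setgid binaries (check owner/group):"; setuid_setgid_files "$tree"
echo "world-readable logs:";                      world_readable_logs "$tree"
rm -rf "$tree"
```

On a real system the three functions would be pointed at the distribution's actual binary and log directories (e.g. /bin, /sbin, /usr/bin and /var/log) rather than at the constructed tree; the octal -perm tests are the same on GNU and BSD find.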
-
User accounts should be created with their own specialized groups (e.g., a
user with uid 2003 may have gid 2003, which should then be defined as the
group belonging to that individual user). Users may also be members of a
populated group (e.g., 'users' or 'lab'), but their default gids should be
uniquely their own.
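The account rules above (service accounts with locked passwords and uids outside the normal range, no passwordless or preset-password accounts, and a private group per user) can be checked mechanically from the passwd, shadow and group files. The script below is an added example rather than part of these guidelines; it runs over constructed sample entries embedded in the script (no real system is read), and the normal-user uid range of 1000 to 59999 is an assumption taken from the typical boundaries the text mentions.

```sh
#!/bin/sh
# Account audit for the rules above, over constructed sample data. The hashes
# are placeholders, and every account here is made up for the example.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
ftp:x:14:50:FTP user:/var/ftp:/sbin/nologin
www:x:999:999:web server:/var/www:/sbin/nologin
sshd:x:1003:1003:sshd privsep:/var/empty:/sbin/nologin
guest:x:1002:100:guest:/home/guest:/bin/sh
alice:x:2003:2003:Alice:/home/alice:/bin/sh
bob:x:2004:2003:Bob:/home/bob:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$rootHASHplaceholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
ftp:!:19000:0:99999:7:::
www:$6$saltsalt$wwwHASHplaceholder:19000:0:99999:7:::
sshd:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$saltsalt$aliceHASHplaceholder:19000:0:99999:7:::
bob:$6$saltsalt$bobHASHplaceholder:19000:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
daemon:x:1:
users:x:100:
www:x:999:
sshd:x:1003:
alice:x:2003:'

# Assumed normal-user uid range; adjust to the distribution's own policy.
USER_UID_MIN=1000
USER_UID_MAX=59999

# Accounts whose shadow password field is empty: login with no password at all.
passwordless_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# System accounts (uid outside the normal range, other than uid 0) whose password
# is neither locked ("!" or "*" prefix) nor empty, i.e. a usable preset password.
unlocked_system_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v passwd="$SAMPLE_PASSWD" \
        -v min="$USER_UID_MIN" -v max="$USER_UID_MAX" '
        BEGIN {
            n = split(passwd, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); uid[f[1]] = f[3] + 0 }
        }
        ($1 in uid) && uid[$1] != 0 && (uid[$1] < min || uid[$1] > max) &&
        $2 != "" && $2 !~ /^[!*]/ { print $1 }'
}

# Service accounts (non-login shell) whose uid sits inside the normal-user range.
service_accounts_in_user_range() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v min="$USER_UID_MIN" -v max="$USER_UID_MAX" \
        '$7 ~ /(nologin|false)$/ && $3 >= min && $3 <= max { print $1 }'
}

# Login users in the normal range whose primary gid is not a group named after
# them (a default gid in a shared group such as "users", or in another user's group).
users_without_private_group() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v group="$SAMPLE_GROUP" \
        -v min="$USER_UID_MIN" -v max="$USER_UID_MAX" '
        BEGIN {
            n = split(group, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], g, ":"); gname[g[3] + 0] = g[1] }
        }
        $3 >= min && $3 <= max && $7 !~ /(nologin|false)$/ && gname[$4 + 0] != $1 { print $1 }'
}

report() {
    printf 'no password:              %s\n' "$(passwordless_accounts | tr '\n' ' ')"
    printf 'unlocked system accounts: %s\n' "$(unlocked_system_accounts | tr '\n' ' ')"
    printf 'services in user range:   %s\n' "$(service_accounts_in_user_range | tr '\n' ' ')"
    printf 'no private group:         %s\n' "$(users_without_private_group | tr '\n' ' ')"
}
report
```

To run this against an installed system, replace the three SAMPLE_ variables with the contents of /etc/passwd, /etc/shadow and /etc/group (reading shadow requires root), and the same four checks apply unchanged.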
-
If there is a patch or option available that reliably disables an
executable user stack, it should be applied by default. If it is not
applied by default, it must be an option highly recommended to the user.
-
During installation, all network services must be disabled, unless
specifically required for installation (such as services in place to
communicate with nfs-mounted directories). If any services permitting
login are required, the user must specify the password used for any login
account.
-
During installation, at any time the external network is configured,
filtering firewall rules should be in place to ignore any network activity
to ports not required for installation. These filters should be activated
before the external network is configured, and should not be deactivated
until the external network has been deconfigured.
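The ordering in the previous item (filters up before the external network is configured, and down only after it is deconfigured) is easy to get wrong in an installer script. The skeleton below is an added example, not from these guidelines: it expresses the installation window as a fixed sequence of steps using nftables and iproute2 commands. The interface name, the "install" table name and the port list are assumptions; by default it prints the commands instead of running them, and running them for real (DRY_RUN=0) requires root.

```sh
#!/bin/sh
# Installation-window ordering: packet filters before the external interface,
# and the interface down again before the filters are removed.
IFACE=${IFACE:-eth0}     # assumed external interface name
DRY_RUN=${DRY_RUN:-1}    # 1: print the commands instead of executing them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Default-drop input chain: allow loopback, replies to connections we opened,
# and the listed "proto:port" entries the installer needs (e.g. tcp:2049 for NFS).
install_filters_up() {
    run nft add table inet install
    run nft add chain inet install input '{ type filter hook input priority 0; policy drop; }'
    run nft add rule inet install input iif lo accept
    run nft add rule inet install input ct state established,related accept
    for entry in "$@"; do
        run nft add rule inet install input "${entry%%:*}" dport "${entry##*:}" accept
    done
}

install_filters_down() { run nft delete table inet install; }
external_net_up()      { run ip link set "$IFACE" up; }    # address assignment would follow here
external_net_down()    { run ip link set "$IFACE" down; }

# The whole window, in the order the guideline requires.
install_window() {
    install_filters_up "$@"
    external_net_up
    run echo "(installer work happens here)"
    external_net_down
    install_filters_down
}

install_window tcp:2049 udp:2049
```

Because the filter table is created first and deleted last, there is no moment during the window in which the interface is up without the default-drop policy in front of it.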
-
setuid bits...
-
filtering firewalling rules...
-
shadow passwd/group files...
-
documentation regarding security measures...
see also