Unix Security
- HP-UX V7.0 is C2 level
- OSF will soon use Mach kernel = B2 security
Sushi
- first thing a bad person might try once root:
# cp /bin/sh /own/bad/sushi
# chmod 4755 /own/bad/sushi
- gives untraceable interactive super-user shell access later:
$ cd /own/bad
$ sushi
#
- never let anyone use the root password or login
- no program that is SUID root should be writable
- don't use any SUID shell programs
- check for SUID programs
- do not use SUID on programs with a shell escape
- use chmod 4755, not chmod +s
- restrict chown to root
find / -user root -perm -4000 -exec ls -l {} \; \
  | mail root # setuid
find `echo $PATH | tr ":" " "` -perm -0002 -exec ls -l {} \; \
  | mail root # writable
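An added example, not part of the original notes: a sh script that runs the setuid check above and then applies the three rules of this section to each file it finds (not a copy of a shell, i.e. a "sushi"; not a script; not writable by anyone but the owner). The function names, the output tags and the parameters (root directory to search, expected owner) are my own choices; it assumes a POSIX sh with find, cmp and head available.

```shell
#!/bin/sh
# Added example (not the notes' own code): audit set-user-ID files.
# The root directory and the expected owner are parameters so the
# functions can be run against a test tree instead of the whole system.

# Print every regular file under $1 that is setuid and owned by $2
# (default root), one path per line: the notes' "find / -user root -perm -4000".
list_suid() {
    root=$1; owner=${2:-root}
    find "$root" -user "$owner" -perm -4000 -type f -print 2>/dev/null
}

# Return 0 if $1 is byte-for-byte identical to one of the system shells,
# i.e. a copied shell like the "sushi" in the notes.
is_shell_copy() {
    for shell in /bin/sh /bin/ksh /bin/csh /bin/bash /usr/bin/sh; do
        [ -f "$shell" ] && cmp -s "$1" "$shell" && return 0
    done
    return 1
}

# Return 0 if $1 starts with "#!": an interpreted script, which the notes
# say must never carry the SUID bit.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Return 0 if $1 is writable by its group or by others (mode bits 020 or 002).
# -prune keeps find from descending should $1 ever be a directory.
is_writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print one line per setuid file: "<tags> <path>", where tags is OK or a
# comma-joined subset of SHELL-COPY, SCRIPT, WRITABLE.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_suid() {
    root=$1; owner=${2:-root}; flagged=0
    for f in $(list_suid "$root" "$owner"); do
        tags=
        is_shell_copy "$f" && tags="${tags}SHELL-COPY,"
        is_script "$f" && tags="${tags}SCRIPT,"
        is_writable_by_others "$f" && tags="${tags}WRITABLE,"
        if [ -n "$tags" ]; then
            flagged=1
            printf '%s %s\n' "${tags%,}" "$f"
        else
            printf 'OK %s\n' "$f"
        fi
    done
    return $flagged
}

# Usage when run directly: ./suid-audit.sh --run [root-dir] [owner]
case ${1-} in
    --run) audit_suid "${2:-/}" "${3:-root}" ;;
esac
```

Piping the output to `mail root`, as the notes do, turns this into the nightly report they describe; the exit status lets cron or a wrapper script tell a clean run from one that needs a look.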
Crontab
- /usr/lib/crontab
- /usr/lib/atrun is started by cron every 10 minutes
User Protection
- Home directories should not be writable
find `awk -F: '{print $6}' /etc/passwd` \
  -prune -perm -02 -exec ls -ld {} \;
- Users' .profile, .cshrc, .login, etc. should not be writable
find `awk -F: '{printf "%s/.profile\n", $6}' /etc/passwd` \
  -prune -perm -022 -exec ls -l {} \;
- Users' .rhosts should be neither readable nor writable by others
find `awk -F: '{printf "%s/.rhosts\n", $6}' /etc/passwd` \
  -prune -perm -066 -exec ls -l {} \;
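An added example, not from the original notes: the three home-directory checks above combined into one pass over a passwd file. One caveat it handles differently from the notes' commands: `-perm -022` matches only files writable by both group and others, and `-perm -066` only files both readable and writable by both, so a 664 .profile or a 644 .rhosts would slip past them; the script below flags a file if any one of those bits is set. The passwd file path is a parameter so it can be run against a constructed file; the function names and output tags are my own.

```shell
#!/bin/sh
# Added example (not the notes' own code): audit users' home directories,
# login scripts and .rhosts files from a passwd-format file.

# Print a finding as "<TAG> <path>" and count it.
report() { printf '%s %s\n' "$1" "$2"; count=$((count + 1)); }

# Return 0 if $1 exists and has ANY of the octal permission masks listed in $2
# set (e.g. "020 002" = writable by group or by others).
# -prune stops find from descending when $1 is a directory.
has_bits() {
    [ -e "$1" ] || return 1
    for bits in $2; do
        [ -n "$(find "$1" -prune -perm "-$bits" -print 2>/dev/null)" ] && return 0
    done
    return 1
}

# Walk every account in passwd file $1 (default /etc/passwd) and print one
# line per problem: HOME-WRITABLE, DOTFILE-WRITABLE or RHOSTS-EXPOSED.
# Returns 0 when everything is clean, 1 when anything was reported.
audit_homes() {
    passwd=${1:-/etc/passwd}; count=0
    for home in $(awk -F: '$6 != "" {print $6}' "$passwd"); do
        [ -d "$home" ] || continue
        # notes: home directories should not be writable by others
        has_bits "$home" "002" && report HOME-WRITABLE "$home"
        # notes: .profile, .cshrc, .login, etc. must not be writable by others
        for rc in .profile .cshrc .login .kshrc; do
            has_bits "$home/$rc" "020 002" && report DOTFILE-WRITABLE "$home/$rc"
        done
        # notes: .rhosts must be neither readable nor writable by others
        has_bits "$home/.rhosts" "040 020 004 002" && report RHOSTS-EXPOSED "$home/.rhosts"
    done
    [ "$count" -eq 0 ]
}

# Usage when run directly: ./home-audit.sh --run [passwd-file]
case ${1-} in
    --run) audit_homes "${2:-/etc/passwd}" ;;
esac
```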
Device Files
- Protect memory and swap files: mem, kmem, swap.
- All devices should be in /dev
# find devices outside /dev
find / -path /dev -prune -o \( -type b -o -type c \) -exec ls -l {} \;
# before mounting disks check for SUID files
ncheck -s /dev/dsk/[device name]
# disable SUID files
/etc/mount -o nosuid /dev/dsk/[device name] [mount point]
- Write-protect all disk special files to stop corruption
- Read-protect disk special files to prevent disclosure
- Individual users should never own a device file other than a terminal device
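An added example, not from the original notes: the "all devices in /dev" rule and the "only terminal devices may be user-owned" rule above, as functions that take the filesystem root as a parameter so they can be pointed at a test tree. The function names, output tags and the terminal-name patterns (tty*, pty*, pts/*) are my own assumptions; it assumes a POSIX sh and a find that supports -path.

```shell
#!/bin/sh
# Added example (not the notes' own code): device-file checks.

# Print block or character device nodes that live anywhere under $1
# except in $1/dev. The "-path X -prune -o" idiom skips the /dev tree.
devices_outside_dev() {
    root=${1:-/}
    find "$root" -path "${root%/}/dev" -prune -o \
        \( -type b -o -type c \) -print 2>/dev/null
}

# Print device nodes under $1/dev owned by someone other than root, leaving
# out terminal devices, which the notes allow an individual user to own.
devices_not_owned_by_root() {
    root=${1:-/}
    find "${root%/}/dev" \( -type b -o -type c \) ! -user root \
        ! -name 'tty*' ! -name 'pty*' ! -path '*/pts/*' -print 2>/dev/null
}

# Run both checks and print "OUTSIDE-DEV <path>" or "BAD-OWNER <path>" per
# finding. Returns 0 when clean, 1 otherwise.
audit_devices() {
    root=${1:-/}; found=0
    for f in $(devices_outside_dev "$root"); do
        found=1; printf 'OUTSIDE-DEV %s\n' "$f"
    done
    for f in $(devices_not_owned_by_root "$root"); do
        found=1; printf 'BAD-OWNER %s\n' "$f"
    done
    return $found
}

# Usage when run directly: ./device-audit.sh --run [root-dir]
case ${1-} in
    --run) audit_devices "${2:-/}" ;;
esac
```

On a live system run it as `audit_devices /`; the ownership exception is deliberately narrow, so a device such as a tape or disk special file that a user has acquired ownership of is reported.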
Network Security
204