IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.14 Mandatory password protection under UNIX
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Password protection for each account in a UNIX computer ensures that only
an authorised user can log in with his log-in name, as, after entry of the log-in
name, authentication is effected through entry of the password.
When using passwords for users and groups, the rules described under S 2.11
Provisions governing the use of passwords must be observed. It must be borne
in mind that in some systems only a limited number of characters are
considered during password verification. For implementation of these
measures, appropriate program versions of passwd which ensure compliance
with these rules or administrative measures, e.g. shell scripts and pertinent
cron entries, should be applied.
Another possibility is to replace the UNIX standard command passwd with
other extended functionality password programs. These include the public
domain programs anlpasswd, npasswd and passwd+, which scrutinise new
passwords chosen by users on changing their passwords and reject them if
they are too weak. For example, these programs can be obtained from the FTP
server at ftp://ftp.cert.dfn.de/pub/tools/password/.
Passwords should not be stored in the universally readable /etc/passwd file,
but in a shadow password file that cannot be read by the users. Newer UNIX
systems come with this shadow option, but unfortunately it is not always
activated following initial installation. Thus, for example, under RedHat Linux
when the standard installation is completed, use of the shadow password file is
activated via the command pwconv.
The /etc/passwd file must be regularly checked for user IDs without a
password. If such an ID is found, the user must be suspended. If mandatory
password use has been agreed for groups, the /etc/group file must be reviewed
accordingly. However, assignment of group passwords is not recommended.
Each group entry should contain as few users as possible. This facilitates
changing from one group to another for which a user has been entered, while
unauthorised changes by means of appropriate programs are precluded.
All log-ins, especially ones with UID 0, should be scrutinised regularly to
ensure that there is a password and that it is of an acceptable type (see also
S 2.11 and S 4.26). In addition to the programs described in S 4.26 Regular
security checks of the UNIX system, such log-ins can also be detected, for
example with
awk -F: '{if ($3=="0") print $1}' /etc/passwd
awk -F: '{if ($2=="") print $1}' /etc/passwd
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Use appropriate version
of passwd
Suspend user IDs
without a password