IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.21 Preventing unauthorised acquisition of
administrator rights
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
With the su command, any user can obtain superuser privileges if he knows
the relevant password. Since there is no upper limit on the number of
unsuccessful attempts at log-on in the case of su, there is an increased risk that
the password may be discovered by systematic try-out with the help of
suitable programs. Therefore, su should be available only to the superuser.
Alternatively, a modified su can be installed under which the number of
unsuccessful attempts is restricted, the delay before su can be invoked again is
longer, and, after a certain number of unsuccessful attempts, it is not possible
to executability of su and/or the terminal as a whole is blocked. All use of the
su command should be logged.
Where permitted by the given system, a log-in name other than root may be
selected for the superuser. However, only Administrator log-ins should be
created as additional superuser log-ins (see S 2.33 Division of Administrator
roles under UNIX)
To prevent discovery of the Administrator's password through line tapping, he
should only be allowed to work from the console. Under Solaris, for instance,
this can be achieved by appropriately configuring the /etc/default/login file.
Under BSD UNIX, root can only log on at terminals designated as secure in
the /etc/ttytab file. If this option is removed from all terminals, an
Administrator can only log on at a terminal with the command su as root.
Consideration should be given to setting up a user group to which execution of
the command su is limited.
If under BSD UNIX, the console is designated as secure in the /etc/ttytab file,
no password is requested during start-up in the single-user mode. It is
therefore essential that this entry is removed.
The file /etc/ftpusers contains the log-in names which are not allowed to log
on via ftp. With ftp, passwords are transmitted over an unprotected plain text
connection. Therefore administrative accesses (root, bin, daemon, sys, adm,
lp, smtp, uucp, nuucp, etc.) should be entered in this file. Under some standard
installations, root is not contained in this file.
If a user or a user program executes a superuser file (files with the owner root
and with s bit set), this user or program will, during execution, obtain
superuser rights. This is required for certain applications, but can in instances
also be abused. Therefore, care must be taken to ensure that only essential
program files are superuser files and that no extra superuser files can be added
by third persons.
Automatic mounting of devices for exchangeable data media
With s bit programs in the mounted drive, an ordinary user can acquire
superuser rights. Therefore, automatic mounting (automounting) must be
restricted. Some versions of UNIX offer a variant of the mount command
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Restrict access to su
Administrative tasks
should only be
performed at the console
Do not designate
console as secure
Block ftp for
administrative accesses
Avoid s bit
Avoid automatic
mounting