IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.22 Prevention of loss of confidentiality of
sensitive data in the UNIX system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
With UNIX commands such as ps, finger, who and last, information can be
obtained about a user (e.g. his work behaviour). Many UNIX derivatives
contain additional commands which achieve the same effect under Solaris,
e.g. listusers. Consideration should be given as to whether or not every user
should be allowed to execute these commands (data privacy, unauthorised
disclosure of log-in names, and the like). In case of doubt, access to these
commands should be restricted.
When commands are invoked, no sensitive information, e.g. a password,
should be entered along with them as a parameter, as other users could view
this entry via ps.
If possible, log files such as wtmp, utmp, wtmpx, utmpx, should be protected
against unauthorised reading through appropriate access rights, as a large
amount of information about the users is contained in these files.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Restrict access to
commands
Do not enter passwords
as command parameters