IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.105 Initial measures after a Unix standard
installation
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
Most Unix systems do not satisfy the system security requirements after a
standard installation. Often too many sensitive services and configurations are
activated by the vendors or else these are provided with access rights which
are not sufficiently restrictive.
This section is intended to show by way of example how to make the system
secure following a standard installation.
- Prior to installation the administrator should be given appropriate training,
especially as regards the security aspects. This should include informing
him of all the potential security weaknesses of the IT system (see also
S 2.35 Obtaining information on security weaknesses of the system).
Subscribing to appropriate mailing lists should also be covered.
- After the installation has been completed, the System Administrator's
account should be assigned a good password (see S 2.11 Provisions
governing the use of passwords).
- A review should be made of which services are running on the IT system.
It is possible to check this e.g. by entering the command netstat -a | grep
listen. Services which are not needed should be disabled or removed (see
S 5.72 Deactivation of unnecessary network services).
- If the system does not function as a mail server, the mail daemon should be
deactivated as a network service. If mail is to be delivered locally on the
system, sendmail can be started with the option -q15 or as a cron process:
1 * * * * /usr/sbin/sendmail -q 2>&1 >/dev/null
The mail queue is emptied at regular intervals and the mail is delivered
locally.
- The latest version of the vendor's sendmail should be installed (see also
S 4.107 Use of vendor resources and S 5.19 Use of the sendmail security
mechanisms). Alternatively, public domain mail programs such as a qmail
can be used. The version number of the installed version of sendmail can
be identified with the command telnet localhost 25.
- After the standard installation, the security patches provided by the vendor
should be installed (see also S 4.107 Use of vendor resources). It is
extremely important then to check that no unnecessary services have been
activated as a result of the patch installation.
- The file systems should be imported or exported only to the necessary
extent. Care must be taken to ensure that file systems are not exported in
such a way that anyone can write to them.
- If there is no alternative to using NIS, then NIS+ should be used as
additional security mechanisms are incorporated into this.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000