IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
- For every IT system which needs to log into the local IT system via UUCP,
a separate user ID and password must be entered in /etc/passwd. The uucp
user's UID must not be selected for this; instead, each remote IT system
must have its own, individual UID.
- UUCP passwords are transferred in the uncoded form during
communication requests, and stored uncoded in the corresponding UUCP
configuration file for requests to remote computers. Depending on the
application and environment (particularly in the case of long-distance
networks), appropriate safeguards must be taken, e.g. use of one-time
passwords.
Various configuration files must be set up to allow the use of UUCP. All
settings must be documented, and deviations from the settings recommended
in the following must be explained to allow an understanding of these
modifications at a later stage.
The following files must be administered very carefully as they contain
critical information for security. The files are located in the /usr/lib/uucp and
/etc/uucp directories. Only the uucp user must have write access to these
directories.
- Systems: This file contains information required for establishing
connections with remote IT systems. The time periods over which UUCP
transmission is allowed can be specified here for every IT system. These
time periods must be as short as possible. This file also contains the
telephone numbers and log-in sequences for the IT systems with which
UUCP connections can be established. Only the uucp owner must have
read access to Systems, as passwords for remote IT systems are also
entered here.
- Permissions: Access rights for remote systems are specified here. No IT
systems are listed in Permissions on its delivery, i.e. no access is possible
via UUCP. For every computer that can call and log-in, and for every
computer that can be called, settings must be made to specify the
respective access rights and other conditions. The access rights for IT
systems called by the local one are specified in the entries listed under
MACHINE, and under LOGNAME for the calling IT system. Security can
be increased considerably through the use of these configuration
possibilities.
The uucheck -v command should be regularly used to check the options set
in the Permissions file. These options should be set as follows:
REQUEST
This option should be set to NO (default setting) to prevent
remote systems from reading local data.
COMMANDS
On no account should ALL be entered here; only required
commands like rnews or rmail should be allowed. The
commands should be stated with the full path name.
WRITE/READ
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000