IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.33 Division of Administrator roles under UNIX
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
In most UNIX systems, there is only one Administrator role (the superuser,
who is known as root and has the user ID (UID) 0). Persons with access to this
role have full control over the system. In particular, they can read, modify and
delete any file, irrespective of access rights.
The superuser password must only be known to the Administrators.
Disclosure of that password must be restricted to the cases defined in the
pertinent procedures, and must be documented. The superuser log-in root can
additionally be protected by applying the two-person rule, e.g. through
organisational measures such as a split password. In that case, the password
must have an extended minimum length (12 characters or more). Steps must
be taken to ensure that the password, in its full minimum length, is checked by
the system.
For a number of UNIX systems, division of responsibilities can be achieved
by making use of existing Administrator roles. In such cases, those roles must
be assumed by different persons.
A number of administration activities can also be carried out without access to
the root log- in. Where Administrators with such special functions exist, use
should be made of this option. Especially in those cases where, for large
systems, administration functions have to be assigned to several persons, the
risks involved can be reduced through appropriate division of responsibilities.
This can be done in two ways:
- Introduction of administrative log-ins. While these have the UID 0, only
one program will be started during log-in, with which the administrative
function can be executed and which ends with a log-out. Examples:
designation of new users, mounting of a drive. In UNIX V.4, for example,
the administrative log-in names setup, sysadm, powerdown, checkfsys,
mountfsys and umountfsys may be configured with programs of identical
names.
- Use of log-ins without the UID 0: These log-in names (sys, bin, adm, uucp,
nuucp, daemon and lp) are owners of files and programs which are crucial
for the functionality of the system and thus are afforded particular
protection. In most UNIX systems, they have been preconfigured for
administration of the relevant services.
To determine which log-ins have Administrator rights, auxiliary programs
such as USEIT, cops, tiger should be used regularly to search for log-ins
which contain UID 0 in the password file.
Additional controls:
- Who knows the superuser password?
- Have Administrator roles been split up?
- Which log-ins have the UID 0?
- Are there any log-ins with UID 0 and shell access?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000