Operating Method Organization of Networks, Carriers and IT Division Architecture and Security Department Architecture Prescriptions and Security
Organization of Networks, Carriers and IT Division Centre National de Sécurité du Système d’Information de France Télécom (CNS SI) Bâtiment LC3, 2 avenue Pierre Marzin. Technopole Anticipa. 22307 Lannion CEDEX Telephone: 02 96 05 06 07 - Fax: 02 96 05 19 00 SA au capital de 4 098 458 244 EUR - RCS Paris B 380 129 866
Reference MGS404 S2F0
Security parameters for Unix and Linux systems
Master Document PSI-RSI : PGS425
Location Securinoo
Summary This document describes security rules applicable for configuring UNIX systems.
Support Service
CNS SI ZZZ Permanence CNSSI
Keywords
Security, rules, UNIX, Linux, HP-UX, AIX, SUN Solaris
Type: [x] Create   [ ] Cancels and replaces:
Addressees for action DSSI (Information System Security Delegates), MOAs and MOEs
Addressees for information Managers of National Departments, Operating Units and Subsidiaries
Validity: [x] Permanent from 6th November 2000   [ ] Temporary from ... to ...
Author: Patrick BREHIN, Xavier GATELLIER & al.   Date: 26/4/2004   Signature:
Verification: Jean-Paul Guiguen, Mickaël Davila   Date: 4/5/2004   Signature:
Approved by: (name, date and signature left blank on the cover page)
Configuration of UNIX and Linux Security Parameters
MGS404 Version S2F0 Page : 2/33
Modifications

Version     Version date               Nature of modification
S0F0        12.12.03                   Document created from ROSSI-090 V2.0, MGS404 S1F2, MGS405 S1F3, MGS406 S1F2, MGS412 S1F2 and MGS422 S1F0
S0F1 to 11  16/12/2003 to 23/04/2004   Convergence of ROSSI and RSSI rules; re-numbering of rules
Domain of attachment Domain code: GS Domain name: IS security management
Associated documents

Document code                        Document name
BD/99/41, BRHF/99/205, SG/99/27      Record of Decision BD/BRHF/SG of 22 April 1999 "Organisation of France Telecom information system security" and associated charter
Criminal Code                        Article 223 et seq.
MGS411                               Configuration of security parameters for http servers
MGS402 S1F0                          Warning to be inserted into title pages
MGS401 S2F3                          Authentifiers, identifiers and passwords
MGS425 S1F0                          OpenSSH configuration
MGS-679 v0.2                         Archiving of logs
GUI-017                              Tcp-wrappers installation and configuration guide
MGS 601 V2.0                         File transfer
MGS 620 S0F1                         Configuring anonymous UNIX FTP servers
Contents

1. Objective  5
2. Scope and general principles  5
3. Players concerned  5
4. General security information  6
5. Overview of Operation  7
   5.1. UNIX system  7
      5.1.1. Data organisation  7
      5.1.2. File and directory rights  7
      5.1.3. Software packages  8
      5.1.4. Task automation  8
      5.1.5. X-Window  8
      5.1.6. Miscellaneous  8
         5.1.6.1. .exrc file  8
         5.1.6.2. chroot command  9
   5.2. Network services  9
      5.2.1. IP stack  9
      5.2.2. Rpc (Remote procedure call) Portmapper (portmap), rpcbind  10
      5.2.3. Xinetd  10
6. General rules  11
   6.1. Software packages and patches  11
   6.2. Startup scripts  11
   6.3. Miscellaneous  11
7. System security  12
   7.1. File system  12
   7.2. System stack  12
   7.3. File and directory rights  13
   7.4. Sensitive files  13
   7.5. Automation  14
   7.6. Logging configuration  14
   7.7. Environment  15
8. Account (access) security  16
   8.1. Access control  16
   8.2. Remote access right  16
   8.3. Account/environment configuration  16
   8.4. Administration commands  18
   8.5. Trust mechanism  19
   8.6. Logging  19
9. Network security  20
   9.1. IP stack  20
   9.2. Administration flow security  21
   9.3. Network service filtering  21
      9.3.1. Configuration of Inetd / tcp-wrapper  21
      9.3.2. Configuration of Xinetd  22
   9.4. Routing  23
   9.5. Name resolution  23
   9.6. RPC (Remote procedure call) Portmapper (portmap), rpcbind  24
   9.7. Network services to ban  24
10. Security of services  25
   10.1. General comments  25
   10.2. X-Window  25
   10.3. File transfer service  25
   10.4. Messaging service  25
   10.5. Distributed names service  26
   10.6. NFS (network file system)  26
   10.7. Administration / supervision department  26
   10.8. WEB  27
   10.9. Domain names service  27
11. Appendix: rights and permissions for important files  28
1. Objective

This document defines the security rules applicable to UNIX and Linux systems.

2. Scope and general principles

The rules and principles are applicable to all UNIX and Linux systems in the France Telecom group information system. They must be observed when developing applications or working on existing systems. All rules in this document provide a sufficient level of security without overly restricting the freedom of action of users. It is however possible, whenever necessary, to increase the level of security by strengthening these rules, provided system stability is preserved (for example, a rule requiring a umask of 022 is still satisfied by a more restrictive umask such as 027).

3. Players concerned

- Systems administrators and operators
- Principal Client and Principal Contractor Project Managers
- Application architects
4. General security information

Computer security is necessary because information technology must communicate in order to operate. It covers aspects such as:
- protection of systems and data
- the reliability of software and hardware
- the performance and availability of services
- proper protection of stored and exchanged information

It should be pointed out that:
- A system is never entirely secure.
- The security of a system is a compromise between resources and expected results.
- People outside the company are responsible for 25% of risks: intrusion; denial of service; spying and theft of documents or programmes (industrial property); data corruption; liability (identity falsification followed by criminal action, etc.); and so on.
- People inside the company are responsible for 75% of risks: data leaks (theft); irresponsible behaviour (brand image); theft of resources (working on the side); dissemination of illegal statements or images (liability of the organisation); and so on.

Reminders:
- A chain's level of security is that of its weakest link.
- The network itself provides no security.

Therefore: each connected system must be secure in its own right.

We apply the following basic principle:

Everything that is not explicitly authorised is prohibited.
5. Overview of Operation

5.1. UNIX system

5.1.1. Data organisation

All the data in a UNIX system may be seen as an enormous catalogue of files, each referenced unambiguously. It is therefore a complex data structure which must manage the following high-level concepts simultaneously: the file name, its attributes, its type (where meaningful for the system), its size, its physical storage, and the operations in progress on the file (concurrent access management, modifications in progress but not yet written to the storage medium, etc.). The data is organised as a tree of files and directories. For easier handling, this tree is generally broken down into several sub-trees called file systems. File systems cannot be accessed directly: they first have to undergo an operation known as mounting. Any mounted file system must be unmounted, or the removable medium containing it taken out, before the machine is turned off; otherwise any unwritten data will be permanently lost.

The Unix file system tree is standard and breaks down as follows:
/etc                  Computer configuration files
/bin                  Fundamental programmes (shell, etc.) that can be called by the user
/lib                  Libraries (programme bank called indirectly)
/sbin                 System administration programmes
/var                  Variable (dynamic) data
/tmp or /var/tmp      Temporary data (limited lifetime)
/root                 Administrator work directory
/usr                  Main system programmes and commands, subdivided into /usr/bin, /usr/sbin, /usr/lib, etc.
/usr/local            Same as /usr, but for programmes installed locally (not included in the standard distribution)
/home (or others)     User work directories, e.g. /home/toto

5.1.2. File and directory rights

In UNIX systems, files may be protected for reading (r), writing (w) and execution (x). In this way, it is possible to choose whether a file can be read and/or modified and/or executed. This protection is based on the principle of file access rights: rights are defined according to these three accesses (rwx) and the ownership of the file. Access rights to a file are defined separately for its owner, for the group to which the file belongs, and for other users (those that are neither its owner nor part of the owner group). A file or directory may also carry the following additional bits:
SetUID / SetGID (s)   Applicable to the owner and/or group of an executable file. During execution, the process runs with the rights of the file's owner (or of its group, as the case may be) rather than those of the user who executed it.
Sticky bit (t)        In a directory with the sticky bit set, only the owner of a file (or the owner of the directory, or root) may delete or rename it.
5.1.3. Software packages
Nowadays, most companies commercialising UNIX systems organise the various software components and supply them in packages. The system is thus installed in homogeneous groups of files and the elements grouped in a package are generally highly interdependent (in practice they are files for the same application). When a package is installed, the user in fact installs specific software. However, certain packages are dependent on other packages; for example, packages containing the basic system are obviously used by all other packages. The installation programmes manage this dependency and inter-package conflicts relatively well, so that they can now be installed without too much difficulty.
In order to organise all these packages, companies often sort them into “series”. A series is simply a set of packages grouped by functional domain. This means that a given package can easily be found by searching in the series containing all the functionally similar packages. Grouping of packages into series in no way means that all packages in the same series need to be installed in order to obtain a given function but that the programmes within the series more or less concern this function. In fact, redundancy or conflict may exist between two packages in the same series. In this case, the user should select one or the other, according to the requirements.
5.1.4. Task automation

In Unix, tasks can be configured to run automatically at regular intervals, on given dates, or when the system load average falls below a certain level. These facilities allow commands or scripts to be executed at a point in the future. The cron system function is administered with the crontab command; the at command is used to submit a one-off job to the system.

5.1.5. X-Window

X Window is not only a video board driver but also an application programming interface (API) enabling applications to be displayed on the screen and to receive input from the keyboard and mouse. X is also a network server, which means that it can offer its services over a network, allowing the screen display of an application running on another machine, even if the two architectures are completely different. This is why the term X server is used for the graphical sub-system. The X Window system runs on almost all Unix systems and is even used under Windows and OS/2. Almost all graphical programmes under Unix use X. The user does not interact directly with X but rather with what are called X clients (as opposed to the X server). You undoubtedly already use clients such as a window manager or a desktop environment such as CDE, KDE or Gnome. To log on, you probably also use a display manager such as KDM, XDM or GDM. Applications sit above these clients. The X Window system (or X Window, or simply X) is a registered trademark of the X Consortium. The free X servers distributed with Linux come from the XFree86 project. Official sites: http://www.x.org http://www.xfree86.org
5.1.6. Miscellaneous
5.1.6.1. .exrc file
The ex and vi editors, for example, first look for the .exrc startup file in the current directory, then in your HOME directory. This file is normally used to define abbreviations and key mappings. However, it may also contain shell escapes, which cause commands to be executed when the editor is started; a .exrc planted in a directory from which the editor is launched therefore runs arbitrary commands with the rights of the user.

5.1.6.2. chroot command

chroot is a command that changes the location of the root of the file system as seen by a process. For example, a "decoy" tree can be set up for a programme so that ill-intentioned users who compromise it cannot get into the real root.
5.2. Network services

5.2.1. IP stack

An IP "stack" is a group of interdependent protocols, each relying on one or several others, which is why the word "stack" is used. It is a simplified form of the OSI 7-layer model which has proved robust and adaptable. The principal components of the TCP/IP stack are as follows:
- IP (Internet Protocol): a layer-3 protocol. It transfers TCP/IP packets on the local network and to external networks via routers. IP is connectionless, i.e. the packets issued at layer 3 are transferred independently (datagrams) without any guarantee of delivery.
- ARP (Address Resolution Protocol): a protocol that links a layer-3 address (the IP address) to a layer-2 address (the MAC address).
- ICMP (Internet Control Message Protocol): used for tests, diagnostics and error reporting.
- TCP (Transmission Control Protocol): a layer-4, connection-oriented protocol. On a TCP connection between two network machines, messages (packets or TCP segments) are acknowledged and delivered in sequence.
- UDP (User Datagram Protocol): a layer-4, connectionless protocol: messages (UDP packets) are forwarded independently.

OSI layer          TCP/IP (over TCP)                    TCP/IP (over UDP)
7 Application      TELNET, FTP                          TFTP
6 Presentation     SMTP, RPC                            DOMAIN
5 Session          X11, HTTP                            NFS
4 Transport        TCP                                  UDP
3 Network          IP (Internet Protocol), ICMP, ARP
2 Data link        Local network protocol
1 Physical         (Ethernet, Fast Ethernet, FDDI...)

Files affected, by OS:
- AIX: /etc/rc.net for versions prior to AIX 5.2. On more recent versions this file is no longer read at server start-up; parameters are modified with the no command.
- Solaris: /etc/init.d/inetinit
- HP-UX: /etc/rc.config.d/nddconf
- Linux (kernel 2.2 and later): /etc/sysctl.conf
For further information, see: http://www.cymru.com/Documents/ip-stack-tuning.html
5.2.2. RPC (Remote procedure call), portmapper (portmap), rpcbind

The operating principle of remote procedure calls is as follows. Each programme wishing to provide RPC services "listens" on a TCP or UDP port for requests. Clients wishing to use these services send their requests to this port with all the information needed to execute them: the procedure number and its parameters. The server executes the request and returns the result. RPC libraries provide the functions needed to marshal the parameters and perform the actual remote calls. In practice, however, clients do not know on which port the RPC server is expecting their requests, so a mechanism exists to let them retrieve this port and then communicate with the server. Each RPC server is identified by a unique programme number and a version number. When they start up, servers register with the system, specifying the port on which they will listen for requests. Clients can then ask the remote system for the port of a given server, based on its programme and version numbers. A special RPC service therefore exists, the "portmapper", which gives clients that request it the port numbers of the other servers. The portmapper must of course always be reachable, which implies that it must always use the same port number: by convention, the portmapper is identified by programme number 100000 and listens for client requests on port 111 of both TCP and UDP. It must be started before any programme on the machine that makes RPC calls (such as the NIS/NIS+ client) or that serves them (such as an NIS/NIS+ server). When an RPC server is started, it informs the portmap daemon of the port on which it is listening and of the RPC programme numbers it serves. Since standard RPC servers are launched by inetd (see inetd(8)), portmap must be launched before inetd.

(All these elements are used by NIS/NIS+ and NFS among others; the portmapper administers nfsd, mountd, ypbind/ypserv, pcnfsd and the "r" services such as ruptime and rusers.)
5.2.3. Xinetd

Xinetd is available on at least the following platforms: Solaris 2.6 (sparc and x86), Linux, BSDi, and IRIX 5.3 and 6.2. Xinetd offers access control capabilities similar to those of tcp_wrapper, but its possibilities extend far beyond this:
- access control for TCP, UDP and RPC services (not everything works well for the latter);
- access control based on time slots;
- powerful logging, for both successful and failed connections;
- effective prevention of Denial of Service (DoS) attacks which block a machine by saturating its resources;
- limitation of the number of servers of the same type that can run at the same time;
- limitation of the total number of servers;
- limitation of the size of log files;
- binding of a service to a specific interface: for example, this allows services to be made accessible to your internal network but not to the outside world;
- it may serve as a proxy towards other systems, which is very practical with IP masquerading (NAT) in order to reach machines located on the internal network.

The main disadvantage concerns RPC services, which are not yet very well supported. However, portmap and xinetd coexist perfectly well.
6. General rules

6.1. Software packages and patches

RS-0000. No unnecessary software packages should be installed on the system. All packages considered unnecessary should therefore be deleted. Pay particular attention to network services and development tools.
    Additional information: The fewer the software packages installed on a machine, the greater its security. This also reduces maintenance and the number of security patches to be installed.

RS-0001. The system must be kept as up to date as possible. This means that the latest validated security updates must be installed. All systems must be updated regularly.

6.2. Startup scripts

These scripts are run when the system is started and are responsible for various tasks such as mounting the file systems read/write, activating swap, setting some system parameters and launching the various daemons required by the system.

RS-0100. The umask value set in the start-up scripts must be 027, so that the daemons they launch create files with 640 permissions. Any waiver of this rule must be approved by the security teams.

RS-0101. Any service not necessary to the server's function must be deactivated. Therefore, all unnecessary startup scripts in the default startup directory (often those belonging to unnecessary packages) must be deactivated.

6.3. Miscellaneous

RS-0200. Prohibit restarting via the keyboard (CTRL+ALT+DEL). This rule applies to all Linux and Solaris systems running on Intel platforms.

RS-0201. In non-secure environments, prohibit starting the machine from anything other than the system disk. On Intel platforms, this means requiring a password for access to the BIOS, to prevent the boot sequence from being modified.

RS-0202. Protect non-standard system booting with a password, i.e. any booting from CD-ROM or any other disk.
7. System security

7.1. File system

RS-1000. /var must be mounted on a dedicated file system.
    Additional information: /var contains log, patch, print and e-mail files, etc., so the disk space taken up by these files varies. This partition must be separate from the root file system. The rule prevents log saturation from filling the root file system and bringing the server to a standstill.

RS-1001. Partitions and removable devices are mounted with the following options:
    - nodev (except for device partitions such as /dev or /devices)
    - noexec for /var and /tmp
    - nosuid for partitions holding non-system, non-application users (such as /home or /users) and for removable devices.
    Additional information: These mount options respectively prevent the interpretation of special (device) files, the execution of binaries, and the processing of the suid/sgid bits. The aim is to manage rights as precisely as possible. Note that noexec on /tmp breaks installers and scripts that unpack and run from /tmp; such cases need a documented waiver rather than a silent removal of the option.
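The following shell audit, added here as an example and not part of MGS404, checks an fstab-style listing against the options RS-1001 requires. The listing it runs on is constructed; the treatment of "/" (assumed to carry the /dev tree, hence exempt from nodev) and the choice of /media, /mnt, /cdrom and /floppy as removable-media mount points are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of MGS404): audit an fstab-style listing against
# the mount options required by RS-1001.

# Mount options RS-1001 requires for a given mount point.
required_opts() {
    case "$1" in
        /|/dev|/devices)
            # "/" is assumed to hold the /dev tree on this host and so cannot
            # be mounted nodev (assumption for the example).
            printf '' ;;
        /var|/var/*|/tmp)
            printf 'nodev noexec' ;;
        /home|/home/*|/users|/users/*|/media/*|/mnt/*|/cdrom|/floppy)
            # user areas and removable media (the /media, /mnt, /cdrom and
            # /floppy paths are assumed to be removable media)
            printf 'nodev nosuid' ;;
        *)  printf 'nodev' ;;
    esac
}

# Reads an fstab on stdin; prints "<mountpoint>: missing <option>" for each
# required option absent from the options field. Swap and pseudo file
# systems are skipped. Returns 0 when compliant, 1 otherwise.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$fstype" in swap|proc|sysfs|devpts|devfs) continue ;; esac
        for want in $(required_opts "$mnt"); do
            case ",$opts," in
                *,"$want",*) ;;
                *) printf '%s: missing %s\n' "$mnt" "$want"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: /var and the CD-ROM comply, /tmp and /home do not.
SAMPLE_FSTAB='# device     mount point   type     options                  dump pass
/dev/sda1    /             ext3     defaults                 1 1
/dev/sda5    /var          ext3     nodev,noexec             1 2
/dev/sda6    /tmp          ext3     nodev                    1 2
/dev/sda7    /home         ext3     defaults                 1 2
/dev/sda2    none          swap     sw                       0 0
/dev/cdrom   /media/cdrom  iso9660  ro,noauto,nodev,nosuid   0 0'
```

Source the file and run `printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab` to see the three findings for the sample; on a real host feed it `/etc/fstab` (or the output of `mount`, after reformatting) instead.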
RS-1002. Automatic mount functions for removable devices must be removed.
    Additional information: These functions are provided by the vold, automount or supermount daemons.

RS-1003. Users must be prohibited from mounting removable devices, to avoid the introduction of potentially dangerous programmes or files, or the leakage of data.

7.2. System stack

This is the memory zone of a process (a programme being executed) dedicated to saving the data necessary for calls (the arguments and return addresses are pushed onto the stack) and returns (the arguments and return address are popped off it).

RS-1100. The execution stack must be protected against buffer overflows to prevent attacks of this type (for example by making the stack non-executable where the platform supports it).

RS-1101. The size of core dumps must be configured to zero.
    Additional information: Core files contain a memory image of the process which received a given signal and was terminated. These files take up disk space and may contain sensitive information. Nothing prevents TEMPORARILY raising the core file limit to a suitable value if a core file really has to be analysed.
7.3. File and directory rights

RS-1200. The rights and permissions described for the files and directories listed in the appendix to this document must be respected.

RS-1201. The following must not be SUID/SGID: 1) unused binary files; 2) user files; 3) scripts belonging to root.
    Additional information: Such files are often used by attackers to create backdoors (buffer overflow attacks, overwriting of system files, or obtaining root privileges).

RS-1202. The directory containing the kernel must be owned by root, its group must be 0, and its permissions must be 750 or more restrictive. The same applies to its contents, with permissions of 640 or more restrictive.

RS-1203. No file or directory should be writable by "other" users. Where a directory must be, the sticky bit should be set on it.
    Additional information: Files writable by everyone allow an attacker to insert malicious code into them. Notes:
    - With the t-bit set, only the owner of a file, the owner of the directory or root may delete the file.
    - This is already done as standard on the /tmp and /var/tmp directories.
    - This may cause problems in shared directories where one user creates a file and another is expected to delete it.

RS-1204. Prevent the use of uncontrolled special files (type c for character devices and b for block devices) to mount an attack. Special files, and only special files, should reside in a dedicated tree (such as /dev or /devices), and only there.
    Additional information: Exceptions: some systems keep directories and system shell scripts in /dev.
    - The device-creation executable MAKEDEV may exist in the /dev directory. Leave it there, but apply /usr/bin/chattr +i (immutable attribute, Linux ext2/ext3 file systems) to protect it against modification.
    - Directories and symbolic links may also exist in the /dev tree.
    - Socket-type files (type s) may be present in the /tmp or /var trees.
    Special files that do not fit these cases should be deleted or moved. Links (symbolic or hard) may be considered normal except when they are in a directory writable by all (particularly /tmp and /var/tmp), where they must be considered suspect and, if possible, deleted.

RS-1205. Every file and directory must belong to an existing user (UID) and group (GID). There should be no orphan files or directories.
    Additional information: This makes it easier to manage user accounts and rights.

RS-1206. Links pointing to absent files should be deleted.
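The find(1) checks behind RS-1201, RS-1203, RS-1204 and RS-1206 (and the SUID/SGID and sticky-bit notions of 5.1.2), as an added example that is not part of MGS404. They are exercised on a small constructed directory tree built in a temporary directory; nothing needs root, and since device files cannot be created without privilege the sample tree contains none, so the RS-1204 check is expected to find nothing there.

```shell
#!/bin/sh
# Added example (not part of MGS404): find-based checks for the file and
# directory rights rules, run on a constructed sample tree.

# SUID or SGID regular files (RS-1201 forbids them on user files, unused
# binaries and root-owned scripts).
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Regular files writable by "other" (RS-1203).
find_world_writable_files() {
    find "$1" -type f -perm -002 -print
}

# Directories writable by "other" without the sticky bit (RS-1203).
find_world_writable_dirs_without_sticky() {
    find "$1" -type d -perm -002 ! -perm -1000 -print
}

# Block or character special files outside the dev tree (RS-1204).
find_stray_special_files() {
    find "$1" -path "$1/dev" -prune -o \( -type b -o -type c \) -print
}

# Symbolic links whose target does not exist (RS-1206).
find_dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print
}

# Builds the constructed sample tree and prints its root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/toto" "$root/tmp" "$root/var/tmp" "$root/dev"
    # user-owned SUID script: violates RS-1201
    printf '#!/bin/sh\necho hi\n' > "$root/home/toto/backdoor.sh"
    chmod 4755 "$root/home/toto/backdoor.sh"
    # world-writable file: violates RS-1203
    printf 'data\n' > "$root/var/tmp/notes"
    chmod 666 "$root/var/tmp/notes"
    # /tmp with the sticky bit complies; /var/tmp without it does not
    chmod 1777 "$root/tmp"
    chmod 0777 "$root/var/tmp"
    # dangling link in a world-writable directory: RS-1206 (suspect per RS-1204)
    ln -s /nonexistent/target "$root/tmp/dangling"
    printf '%s\n' "$root"
}
```

Run `root=$(make_sample_tree)` and then each `find_*` function on `$root` to see one hit per planted violation; on a real host run them against `/` (as root, so that no directory is skipped) and compare the SUID/SGID list with the appendix of this document.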
7.4. Sensitive files

All operating systems contain files of a sensitive nature, since they are directly or indirectly involved in the security of the system.
RS-1300. Development and compilation tools should not be present on the machine.
    Additional information: If development tools are present, attackers can compile exploits more easily, and can replace these tools with backdoored versions.

RS-1301. No tools that may reveal all or part of the security policy should be present on the machine.
    Additional information: For example: nessus, saint, john the ripper, etc.

RS-1302. No network sniffers must be present on the machine.
    Additional information: E.g. snoop, tcpdump, etc.

7.5. Automation

RS-1400. The cron and at services must be disabled for standard users.
    Additional information: The cron.allow and at.allow files must contain only root. All other accounts can be listed in the cron.deny and at.deny files.

RS-1401. The root crontab must not execute a file that loads other files not owned by root, or files which are writable by other users.
    Additional information: A Trojan horse may be placed in files launched by the root cron.

RS-1402. Crontab entries executed by the root user that were supplied by third-party providers must be deleted.
    Additional information: Third party here means suppliers other than the system manufacturer.

RS-1403. The cron daemon's activity must be logged.

7.6. Logging configuration

The syslog daemon must be configured (via syslog.conf; the log file locations depend on the system) so that:

RS-1500. RSSI N° 679 "Log archiving" must be complied with.

RS-1501. Log files must be duplicated on a secure machine designated as the loghost (present in /etc/hosts).

RS-1502. "emergency" priority events must be sent to the console and to a local log file (dedicated and global).
    *.emerg    <console device (for example: /dev/console)>
    *.emerg    /var/log/emerg.log

RS-1503. "info" priority events (or higher) from all daemons, except mail and authentication, must be sent to a local log file.
    *.info;mail.none;auth.none    /var/log/message.log
  or
    *.info;mail.none;authpriv.none    /var/log/message.log

RS-1504. Kernel facility events must be sent to the console and to a local log file (dedicated and global).
    kern.info    <console device (for example: /dev/console)>
    kern.info    /var/log/kernel.log

RS-1505. Mail and authentication facility events must be sent to a local log file with restricted access (600).
    auth.info;mail.info    /var/log/secure.log
  or
    authpriv.info;mail.info    /var/log/secure.log

RS-1506. Log files must be centralised in a specific directory (/var/adm or /var/log). They must be protected by setting rights of 640 or more restrictive on the files and 750 or more restrictive on the directory containing them.

RS-1507. All "info" priority events (or higher) must also be sent to the remote loghost.
    *.info    @loghost
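A check that a syslog.conf carries the selectors RS-1502 to RS-1507 prescribe, added here as an example and not part of MGS404. The configuration it runs on is constructed; /dev/console stands in for the "<console device>" placeholder of the rules, and authpriv is accepted wherever the rules offer it as an alternative to auth.

```shell
#!/bin/sh
# Added example (not part of MGS404): verify that a syslog.conf contains
# every selector/action pair required by rules RS-1502 to RS-1507.

# One required "selector action" pair per line, in the rules' own notation.
required_syslog_entries() {
    cat <<'EOF'
*.emerg /dev/console
*.emerg /var/log/emerg.log
*.info;mail.none;auth.none /var/log/message.log
kern.info /dev/console
kern.info /var/log/kernel.log
auth.info;mail.info /var/log/secure.log
*.info @loghost
EOF
}

# Normalises a syslog.conf read on stdin: strips comments and blank lines,
# collapses the whitespace between selector and action to one space, and
# rewrites authpriv to auth so that either spelling matches the list above.
normalise_syslog_conf() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/authpriv/auth/g'
}

# Reads a syslog.conf on stdin and prints "missing: <entry>" for every
# required entry it lacks. Returns 0 when all are present, 1 otherwise.
check_syslog_conf() {
    conf=$(normalise_syslog_conf)
    rc=0
    while read -r entry; do
        if ! printf '%s\n' "$conf" | grep -qxF -- "$entry"; then
            printf 'missing: %s\n' "$entry"
            rc=1
        fi
    done <<EOF
$(required_syslog_entries)
EOF
    return $rc
}

# Constructed syslog.conf that satisfies RS-1502 to RS-1507.
SAMPLE_SYSLOG_CONF='# constructed example: one line per rule of section 7.6
*.emerg                         /dev/console
*.emerg                         /var/log/emerg.log
*.info;mail.none;authpriv.none  /var/log/message.log
kern.info                       /dev/console
kern.info                       /var/log/kernel.log
authpriv.info;mail.info         /var/log/secure.log
*.info                          @loghost'
```

`printf '%s\n' "$SAMPLE_SYSLOG_CONF" | check_syslog_conf` prints nothing and returns 0; drop the `@loghost` line and it reports `missing: *.info @loghost`. Run it as `check_syslog_conf < /etc/syslog.conf` on a host; the file and directory rights of RS-1506 still have to be checked separately.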
7.7. Environment

RS-1600. Prevent a Trojan horse from being run:
    - Check that the LD_LIBRARY_PATH variable (or its equivalent) does not exist in the user environment (root or other), or, if it exists, only references trusted libraries.
    - Check that the files executed at login (/etc/profile, bashrc, etc.) do not set these variables to a dubious value.
    Additional information: On Linux, also check /etc/ld.so.conf.
8. Account (access) security

8.1. Access control

In order to improve control of a UNIX machine and increase its security, we recommend the use of PAM (Pluggable Authentication Modules). PAM is a powerful, flexible and extensible authentication framework which enables the system administrator to configure authentication services individually for each PAM-compliant application, without recompiling any application.

RS-2000. Use PAM.
    Additional information: This will quickly raise your level of security.

RS-2001. A warning banner must be displayed before the authentication dialogue when logging in, in compliance with MGS402 S1F0 "Warning to be inserted in the title pages".

8.2. Remote access rights

All machines must control remote access rights. A machine must define the accounts authorised to log in from a remote terminal.

RS-2100. Root access over the network must be impossible.
    Additional information: Use an ordinary user account and then the su command to take the root identity, so that root connections to a system are logged.

8.3. Account/environment configuration

RS-2200. Account and password management must comply with MGS 401.

RS-2201. The umask value must be as restrictive as possible for each user:
    - for root: at least 077
    - for other users: at least 027
    Additional information: Each file created by the user will then automatically carry minimum rights.

RS-2202. The files configuring the default user environment must be root:root and 644.
    Additional information: These files are typically those in /etc/skel.

RS-2203. The user PATH must list the system paths BEFORE the user paths.
    Additional information: This avoids the execution of Trojan horses.

RS-2204. The user PATH must not contain a relative path (one starting with "."), the only tolerated exception being the current directory (a single "."), placed after the system paths.
    Additional information: This avoids the execution of Trojan horses.

RS-2205. There should be no .netrc, .exrc, .vimrc or .forward type files in the tree structure, nor .<something> type files.
    Additional information:
    - .exrc (.vimrc) may be replaced by judicious use of the EXINIT (VIMINIT) variable (a .exrc file may exist anywhere and therefore be executed inadvertently from there). Vim's behaviour is more secure on this point, but such files should be monitored nevertheless.
    - .forward files can execute unforeseen or undesirable commands on mail reception. Their content should therefore be monitored.
Con
figur
atio
n of
UN
IX a
nd L
inux
Sec
urity
Par
amet
ers
MS
G40
4 V
ersi
on S
2F0
Pag
e : 1
7/33
.<so
met
hing
>-ty
pe fi
les a
re o
ften
used
to m
ask
mal
icio
us fi
les o
r dire
ctor
ies.
RS-
2206
Pa
ssw
ords
for a
ll us
ers m
ust b
e st
ored
usi
ng a
stro
ng h
ashi
ng a
lgor
ithm
(lik
e M
D5)
. Th
is a
lgor
ithm
is m
ore
resi
stan
t tha
n th
e cr
ypt f
unct
ion
usua
lly u
sed
on U
NIX
sy
stem
s.
RS-
2207
N
o ac
coun
t sho
uld
have
a H
OM
E-D
IREC
TOR
Y a
t “/”
.
RS-
2208
If
uuc
p an
d nu
ucp
exis
t, th
e sh
ell m
ay b
e co
ntro
lled
by a
fals
e sh
ell.
fals
e, n
olog
in O
R b
ash,
sh, k
sh a
nd c
sh a
re a
llow
ed.
RS-
2209
N
o ac
coun
t def
ined
in /e
tc/p
assw
d sh
ould
hav
e a
non-
spec
ified
shel
l.
The
case
of r
oot:
N
° R
ule
Add
ition
al in
form
atio
n R
S-22
10
Onl
y ro
ot is
the
syst
em su
per u
ser (
UID
and
GID
equ
al to
zer
o).
R
S-22
11
The
root
HO
ME
DIR
ECTO
RY
mus
t be
/root
, pe
rm 7
00, r
oot:r
oot
R
S-22
12
All
files
load
ed b
y ro
ot w
hen
it co
nnec
ts m
ust b
e ro
ot:ro
ot a
nd n
ot b
e gr
oup
or w
orld
w
ritab
le (g
-w, o
-rw
x fo
r wha
t is s
peci
fic to
root
and
o-w
for w
hat i
s com
mon
). th
e fo
llow
ing
scrip
ts o
r pro
gram
mes
in p
artic
ular
: - ~
/.log
in ,
~/.p
rofil
e an
d an
y ot
her l
ogin
initi
alis
atio
n fil
es
- ~/.e
xrc
and
any
othe
r pro
gram
me
initi
alis
atio
n fil
es (i
f aut
horis
ed )
- ~/.l
ogou
t and
any
oth
er e
nd-o
f-ses
sion
file
s - c
ront
ab a
nd a
t ent
ries (
see
cron
and
at r
ules
) R
S-22
13
All
root
PA
TH d
irect
orie
s mus
t be
root
:root
and
755
. In
par
ticul
ar to
avo
id a
Tro
jan
hors
e be
ing
put i
n pl
ace.
RS-
2214
A
ll sc
ripts
or b
inar
ies p
rese
nt in
the
root
PA
TH m
ust b
e ex
clus
ivel
y ow
ned
by ro
ot o
r a
syst
em a
ccou
nt a
nd m
ust n
ot b
e w
orld
and
gro
up-w
ritab
le (
g-w
, o-w
).
In p
artic
ular
to a
void
Tro
jan
hors
es b
eing
set u
p.
Con
figur
atio
n of
UN
IX a
nd L
inux
Sec
urity
Par
amet
ers
MS
G40
4 V
ersi
on S
2F0
Pag
e : 1
8/33
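As an added example (not from MGS404), the following POSIX shell script audits a PATH value against RS-2203 and RS-2204: it flags empty or relative entries, more than one “.”, and any system directory that appears after a user directory. The set of directories treated as system paths is an assumption of the example, not a list given by the document.

```shell
#!/bin/sh
# Added example (not part of MGS404): audit a PATH value against RS-2203
# (system directories before user directories) and RS-2204 (no relative
# entries other than a single "."). The list of directories treated as
# "system paths" in is_system_dir is an assumption made for this example.

# is_system_dir DIR: true for the directories this example treats as system paths.
is_system_dir() {
    case "$1" in
        /bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin|/usr/local/sbin) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_path PATHVALUE: prints one line per violation; returns 1 if any, else 0.
audit_path() {
    rest="$1:"      # trailing ':' lets the loop consume one field per turn
    rc=0
    seen_user=0     # becomes 1 once a non-system entry has been met
    dots=0          # number of "." entries seen
    pos=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        pos=$((pos + 1))
        case "$entry" in
            "")
                # An empty field means the current directory (RS-2204).
                echo "entry $pos: empty entry (implicit current directory)"
                rc=1 ;;
            .)
                dots=$((dots + 1))
                if [ "$dots" -gt 1 ]; then
                    echo "entry $pos: more than one '.' entry (RS-2204)"
                    rc=1
                fi
                seen_user=1 ;;
            [!/]*)
                # ./bin, .., bin, etc.: relative entries are forbidden (RS-2204).
                echo "entry $pos: relative entry '$entry' (RS-2204)"
                rc=1 ;;
            *)
                if is_system_dir "$entry"; then
                    if [ "$seen_user" -eq 1 ]; then
                        echo "entry $pos: system directory '$entry' after a user entry (RS-2203)"
                        rc=1
                    fi
                else
                    seen_user=1
                fi ;;
        esac
    done
    return $rc
}

# Stand-alone run: check the caller's own PATH.
audit_path "$PATH" && echo "PATH conforms to RS-2203/RS-2204"
```

The function only reads the string it is given, so it can be run from a login script against the user's PATH or from an audit job against the PATH lines found in /etc/profile and /etc/skel files.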
8.4. Administration commands

Certain UNIX commands, called r commands, enable remote users either to log in (rlogin) or to execute commands (rsh, rcp, rexec) via the network and therefore to carry out remote operation/administration work.

N° | Rule | Additional information
RS-2300 | Use SSH commands instead of telnet and r-commands (see MGS 425). |
RS-2301 | If telnet cannot be replaced by SSH, use it on a dedicated network and secure access to telnet by xinetd or inetd + TCP-Wrapper. | Limit the addresses that have to access the machine by telnet protocols: • If xinetd is used, add the option only_from = address1 address2/mask address3/mask … in the files /etc/xinetd.d/*telnet and/or /etc/xinetd.conf to limit access. • If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny.
RS-2302 | If ftp cannot be replaced by SSH, use it on the dedicated network in authenticated mode (unencrypted password on the network). Specialise the server (either in authenticated mode or in anonymous mode; in this case, apply MGS 620 S0F1: Configuring anonymous UNIX FTP servers). In all cases, secure FTP access with xinetd or inetd + TCP-Wrapper and launch the FTP server in a separate environment (chroot). Do not authorise the upload function if it is not necessary. Prohibit connection to the FTP server with too high rights. | Limit the addresses that have to access the machine by FTP protocols: • If xinetd is used, add the option only_from = address1 address2/mask address3/mask … in the files /etc/xinetd.d/*FTP and/or /etc/xinetd.conf to limit access. • If inetd + TCP-Wrapper is used, update the files /etc/hosts.allow and /etc/hosts.deny. Put all users whose UID is less than 100 (500 if Pl@ton architecture) in /etc/ftpusers, as well as the user "nfsnobody" (if it exists), to prevent FTP access to these users. Limit access to FTP files /etc/ftpgroup, /etc/ftphosts (allow and deny options), /etc/ftpaccess (noretrieve <directory> options, upload option to no option), create non-empty .notar files (444 rights) in directories where downloading is prohibited. Note: the noretrieve .notar option may cause problems for Internet Explorer. Ensure in this case not to put the option noretrieve .notar in /etc/ftpaccess.
8.5. Trust mechanism

The trusted host concept is based on the fact that users and applications calling from a trusted host machine are not obliged to supply a password (thereby doing away with authentication mechanisms and endangering the quality of system security).

N° | Rule | Additional information
RS-2400 | Using the .rhosts function is prohibited (even for root). As a result, all user default directories must contain an empty .rhosts DIRECTORY with 000 rights (--- --- ---) and root:root properties. | If it exists, this file authorises access to your account without a password for the local or remote users listed in it. It does away with any access control system.
RS-2401 | Use of the hosts.equiv function is prohibited. Therefore, the machine must have an empty /etc/hosts.equiv DIRECTORY with 000 rights (--- --- ---) and root:root as properties. | The /etc/hosts.equiv file enables the following to be defined at local machine level: • users authorised to log in to the local machine (if their login exists) without supplying passwords • users not authorised to connect to the local machine. This also does away with any access control system.
8.6. Logging

Logging is the recording of application events via a central daemon in one or several local and/or distant files.

N° | Rule | Additional information
RS-2500 | Use of the command su must be logged (in particular to detect unauthorised changes of privileges). |
RS-2501 | All login attempts (successful or otherwise) must be logged. | This enables suspicious activity on a machine to be monitored (attempts at hacking, for example).
9. Network security

9.1. IP stack

N° | Rule | Additional information
RS-3000 | Configuration of the network interfaces. For all machines, prevent information being recovered through the network interfaces' "promiscuous" mode (sniffer). On a server, to avoid spoofing: • use static rather than dynamic addressing (no DHCP); • for each machine on the same network called to dialogue with this server, recording of the MAC address (Ethernet address) can be forced with the command arp. | Means: detect promiscuous mode with a command put in the crontab to run cyclically (hourly for example). On a server: • Remove the DHCP client package(s) and configure the network interfaces manually. • For each machine for which the MAC address is required, enter: arp -s <IP_address> <MAC_address> (these commands may be added at the end of the file /etc/rc.d/rc.local for example). Notes: a switch to promiscuous mode can only occur with root rights. This may therefore indicate an anomaly (machine already compromised?). The use of certain libraries intended for network listening may not be detected. In a server hosting environment, it is preferable to have a machine that detects this mode (or even detects intrusions).
RS-3001 | The sockets queue must be protected from SYN flooding. |
RS-3002 | Packets with the “source routing” option must not be retransmitted or processed. |
RS-3003 | The TIME_WAIT parameter for TCP must be set to 1 min (60 secs). |
RS-3004 | The machine must be protected against DoS attacks by ICMP flooding. |
RS-3005 | The IP stack must be protected in order to prevent redirection of an IP. |
RS-3006 | ARP query expiry time must be limited to 1 minute maximum in order to reduce ARP spoofing/hijacking risks. |
RS-3007 | Generation of TCP sequence numbers must be configured to prevent them from being guessed (random management). |
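As an added example (not part of MGS404), the hourly crontab check that RS-3000 asks for, written for Linux: it reads the interface flag list printed by ip -o link show and reports every interface whose flags include PROMISC. The ip output it parses below is constructed, and the crontab installation path is hypothetical.

```shell
#!/bin/sh
# Added example (not part of MGS404): the periodic promiscuous-mode check that
# RS-3000 asks to put in the crontab, written for Linux using the flag list
# printed by "ip -o link show". The sample output below is constructed; the
# installed path in the crontab line is an assumption.

# promisc_ifaces: reads "ip -o link show" output on stdin and prints the name
# of every interface whose <...> flag list contains PROMISC, one per line.
promisc_ifaces() {
    awk -F': ' '$3 ~ /[<,]PROMISC[,>]/ { print $2 }'
}

# check_promisc: live check; returns 1 (so cron mails the output) if any
# interface is in promiscuous mode, 0 otherwise.
check_promisc() {
    found=$(ip -o link show 2>/dev/null | promisc_ifaces)
    if [ -n "$found" ]; then
        echo "promiscuous mode active on: $found"
        return 1
    fi
    return 0
}

# Constructed "ip -o link show" output: eth0 is in promiscuous mode, eth1 is not.
sample_ip_link='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

printf '%s\n' "$sample_ip_link" | promisc_ifaces     # prints: eth0

# If this script is installed as /usr/local/sbin/check_promisc (hypothetical
# path) with a final line calling check_promisc, the hourly crontab entry is:
#   0 * * * * /usr/local/sbin/check_promisc
```

As the document notes, a listening library that does not set the interface flag will not be caught by this check, which is why it recommends a separate detection machine in hosting environments.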
9.2. Administration flow security

Apply MGS 425 OpenSSH, which contains the security rules concerning the protection of network flows by means of the Open-SSL protocol.

N° | Rule | Additional information
RS-3100 | Apply MGS 425 (OpenSSH configuration). |
RS-3101 | The machine must be administered through a specific network interface. | Methods: additional network board or VPN (Virtual Private Network).
RS-3102 | Administration services other than SSH must be filtered with Xinetd or TCP-Wrapper. | If Xinetd: use the bind and only_from options.
9.3. Network service filtering

Filtering uses the access control components. The role of filtering is not to format network traffic between two points but to decide if a packet should or should not be processed. It can be rejected, accepted or modified, according to rules of varying complexity. In many cases, filtering is used to control and/or secure an internal network from the outside world (the Internet for example).

N° | Rule | Additional information
RS-3200 | All services activated in inetd or xinetd must be approved by the CNSSI security teams. | Specify the approach.
RS-3201 | As far as possible, do not install a printer server. | This service is highly vulnerable.
RS-3202 | Do not use NIS (depends on RPCs, services that are too vulnerable). | If such a service is necessary, prefer LDAP.
RS-3203 | Limit access to network services to the authorised machines only, using Xinetd or inetd+TCP-Wrapper. |
9.3.1. Configuration of Inetd / tcp-wrapper

All services authorised to be present on machines should apply the following rules:

Configuration of inetd:

N° | Rule | Additional information
RS-3204 | Inetd must be associated with TCP-Wrapper. |
RS-3205 | Connection requests must be recorded and filtered via inetd/TCP-wrapper. | Inetd alone does not provide network security (see the rules concerning TCP-Wrapper and xinetd).
RS-3206 | The inetd daemon must be started in standalone mode (-s) with the option -t. |
RS-3207 | All TCP and UDP services open in /etc/inetd.conf must be encapsulated with TCP-Wrapper (using the nowait option). |

Configuration of tcpwrapper:

N° | Rule | Additional information
RS-3208 | PARANOID mode must be activated. | For refusing all connections from a system whose name does not match its IP address.
RS-3209 | Include one rule in /etc/hosts.deny refusing what is not authorised. | The file must contain a single ALL:ALL line.
RS-3210 | The last line of the file /etc/hosts.allow must prohibit everything. | The file must contain a single ALL:ALL:DENY line.

For further information on the installation and configuration of TCP-Wrapper, refer to the guide MGS 499 S1F3 available from Securinoo.
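As an added example (not part of MGS404), a shell checker for RS-3209 and RS-3210 run against constructed copies of hosts.allow and hosts.deny; it normalises the spacing around “:” so that ALL:ALL and ALL : ALL are treated alike, and it also reports an unconditional ALL: ALL in hosts.allow, which would admit every client before the closing DENY line is reached. The client addresses in the sample files are documentation-range values, not real hosts.

```shell
#!/bin/sh
# Added example (not part of MGS404): check /etc/hosts.allow and /etc/hosts.deny
# against RS-3209 (hosts.deny holds a single "ALL: ALL" rule) and RS-3210 (the
# last line of hosts.allow is "ALL: ALL: DENY"). The PARANOID behaviour of
# RS-3208 is a build-time setting of tcp_wrappers and is not visible in these
# files, so it is not checked here. The sample files are constructed.

# wrapper_rules FILE: the significant lines of a tcp_wrappers file, with
# comments and blank lines removed and spacing around ':' normalised, so that
# "ALL:ALL" and "ALL : ALL" compare equal.
wrapper_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]]*:[[:space:]]*/: /g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# audit_tcpwrappers ALLOW_FILE DENY_FILE: prints each violation; returns 1 if any.
audit_tcpwrappers() {
    allow="$1"; deny="$2"; rc=0
    if [ "$(wrapper_rules "$deny")" != "ALL: ALL" ]; then
        echo "$deny: must contain exactly one rule, ALL: ALL (RS-3209)"
        rc=1
    fi
    if [ "$(wrapper_rules "$allow" | tail -n 1)" != "ALL: ALL: DENY" ]; then
        echo "$allow: last rule must be ALL: ALL: DENY (RS-3210)"
        rc=1
    fi
    # An unconditional "ALL: ALL" in hosts.allow admits every client before the
    # closing DENY is ever reached.
    if wrapper_rules "$allow" | grep -q '^ALL: ALL$'; then
        echo "$allow: ALL: ALL admits every client; list authorised clients only"
        rc=1
    fi
    return $rc
}

# make_sample_files DIR: write constructed hosts.allow / hosts.deny into DIR
# (addresses are documentation-range examples, not real hosts).
make_sample_files() {
    cat > "$1/hosts.allow" <<'EOF'
# administration stations and the dedicated telnet network only
sshd: 192.0.2.10 192.0.2.11
in.telnetd: 192.0.2.0/255.255.255.0
ALL: ALL: DENY
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

# Stand-alone run on the constructed files; on a real host pass
# /etc/hosts.allow /etc/hosts.deny instead.
sample=$(mktemp -d)
make_sample_files "$sample"
audit_tcpwrappers "$sample/hosts.allow" "$sample/hosts.deny" && echo "tcp_wrappers files conform"
rm -rf "$sample"
```

The checker reads the files exactly as tcp_wrappers does not: it does no hostname or netgroup evaluation, only the structural rules the two tables state, which is what a nightly configuration audit needs.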
9.3.2. Configuration of Xinetd

All services authorised to be present on machines should apply the following rules:

N° | Rule | Additional information
RS-3211 | Connection requests must be recorded via xinetd. |
RS-3212 | Connection requests must be filtered per service via xinetd. |
RS-3213 | The xinetd.conf default configuration file must contain: disable = yes | All services are deactivated by default.
RS-3214 | The xinetd.conf default configuration file must contain: no_access = 0.0.0.0/0 | By default no network can connect in (the only_from parameter enables the networks authorised to connect in to be specified).
RS-3215 | The xinetd.conf default configuration file must contain: log_type = SYSLOG authpriv | Sent to syslog as authpriv.info.
RS-3216 | The xinetd.conf default configuration file must contain: log_on_failure = HOST | For logging the following information in the event of connection failure: • HOST: client address
RS-3217 | The xinetd.conf default configuration file must contain: log_on_success = HOST DURATION PID EXIT | For logging the following information in the event of successful connection: • HOST: client address • DURATION: the duration of the session • PID: the server PID • EXIT: the exit status of the process
RS-3218 | The services declared in the configuration file xinetd.conf must contain the parameter per_source m, m being the maximum number of simultaneous connections authorised from the same machine. | The parameter determines the maximum number of simultaneous connections authorised from the same machine. In general, a value lower than or equal to 128 connections per server is more than necessary. Enables service denials to be prevented.
RS-3219 | (1) Services declared in the configuration file xinetd.conf must use the parameter max_load c. | The parameter (expressed as a percentage) corresponds to the average CPU load over a minute beyond which connections to this service will be refused. Enables service denials to be avoided.
RS-3220 | (1) Services declared in the configuration file xinetd.conf must use the parameter instances n. | This parameter determines the maximum number of simultaneous accesses to this service. Enables service denials to be avoided.
RS-3221 | (1) Services declared in the configuration file xinetd.conf must use the parameter cps x y. | The parameters correspond to a threshold “x” of authorised connections per second beyond which the service will be deactivated for “y” seconds. Enables service denials to be avoided.
RS-3222 | The xinetd.conf includedir option must be used. |

(1): for rules RS-3219, RS-3220 and RS-3221, the parameters are entirely dependent on the use of the server and the services used. They must therefore be configured appropriately. However, the following values may be used as a basis:
a. RS-3219: a threshold fixed at between 85% and 95% helps prevent any possible system saturation. For less important services, a lower threshold can be fixed to leave priority to other services.
b. RS-3220: this option depends heavily on the service; generally, the value should be less than 50.
c. RS-3221: in general, a maximum of three connections per second is sufficient. For heavily demanded services, it is possible to increase to 10 connections per second.
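As an added example (not part of MGS404), a constructed /etc/xinetd.conf defaults block that meets RS-3213 to RS-3217 and RS-3222 and carries the RS-3218 to RS-3221 limits at the basis values given above, together with a shell checker that reads the values back. The checker, the file layout and the 0.90 value chosen for max_load are this example's assumptions, not the document's.

```shell
#!/bin/sh
# Added example (not part of MGS404): a constructed /etc/xinetd.conf whose
# "defaults" block carries the settings of RS-3213 to RS-3217 and RS-3222, with
# the per-service limits of RS-3218 to RS-3221 at the basis values the text
# gives, and a checker that reads the defaults back. Note that xinetd's
# max_load attribute is a one-minute load-average figure rather than a
# percentage; 0.90 is used here as the 85-95% band read against one CPU
# (an assumption of this example).

# make_sample_xinetd_conf FILE: write the constructed configuration to FILE.
make_sample_xinetd_conf() {
    cat > "$1" <<'EOF'
# /etc/xinetd.conf (constructed example)
defaults
{
    disable        = yes
    no_access      = 0.0.0.0/0
    log_type       = SYSLOG authpriv
    log_on_failure = HOST
    log_on_success = HOST DURATION PID EXIT
    per_source     = 10
    max_load       = 0.90
    instances      = 50
    cps            = 3 30
}

includedir /etc/xinetd.d
EOF
}

# xinetd_defaults_value FILE KEY: print the value of KEY inside "defaults { }"
# (comments stripped, surrounding whitespace trimmed, inner runs collapsed).
xinetd_defaults_value() {
    awk -v key="$2" '
        /^[[:space:]]*defaults/ { indef = 1; next }
        indef && /^[[:space:]]*\{/ { next }
        indef && /^[[:space:]]*\}/ { indef = 0 }
        indef {
            sub(/#.*/, "")
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/[[:space:]]+/, " ", v)
            if (k == key) print v
        }' "$1"
}

# xinetd_expect FILE KEY EXPECTED RULE: report a mismatch; returns 1 on mismatch.
xinetd_expect() {
    got=$(xinetd_defaults_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "$2: expected '$3', found '${got:-<unset>}' ($4)"
    return 1
}

# audit_xinetd_defaults FILE: check the defaults block; returns 1 if any rule fails.
audit_xinetd_defaults() {
    rc=0
    xinetd_expect "$1" disable "yes" RS-3213 || rc=1
    xinetd_expect "$1" no_access "0.0.0.0/0" RS-3214 || rc=1
    xinetd_expect "$1" log_type "SYSLOG authpriv" RS-3215 || rc=1
    xinetd_expect "$1" log_on_failure "HOST" RS-3216 || rc=1
    xinetd_expect "$1" log_on_success "HOST DURATION PID EXIT" RS-3217 || rc=1
    if ! grep -q '^[[:space:]]*includedir[[:space:]]' "$1"; then
        echo "includedir: not set (RS-3222)"
        rc=1
    fi
    return $rc
}

# Stand-alone run on the constructed file; on a real host pass /etc/xinetd.conf.
sample=$(mktemp)
make_sample_xinetd_conf "$sample"
audit_xinetd_defaults "$sample" && echo "xinetd defaults conform"
rm -f "$sample"
```

Per-service files under the includedir directory then only need to override disable and only_from for the services the CNSSI security teams have approved (RS-3200), inheriting the logging and limit settings from the defaults block.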
9.4. Routing

Routing is the method of carrying information (or packets) to the correct destination via a network. According to the type of network, data is sent in packets and its path chosen each time (adaptive routing), or a path is chosen once and for all (the two can be combined). A machine that handles routing is commonly called a router.

N° | Rule | Additional information
RS-3300 | Routing daemons must be deactivated or deleted (e.g.: gated, routed). | Routing daemons are only used on machines connected to several networks and used to route packets.

9.5. Name resolution

N° | Rule | Additional information
RS-3400 | Name resolution must firstly be carried out locally before any other method (DNS and LDAP). | This requires name resolution to be first of all carried out via a local file, then via a DNS. This enables DNS spoofing to be avoided.
9.6. RPC (Remote procedure call)

Portmapper (portmap), rpcbind

N° | Rule | Additional information
RS-3500 | All RPC network services started by the portmapper, including the portmapper, must be deactivated. | All services to be started by the portmapper must receive the approval of the security teams.
RS-3501 | If RPC network services are necessary, access must be secured and logged to the maximum. |
9.7. Network services to ban

N° | Rule | Additional information
RS-3600 | No network service other than SSH must be activated on the machine. | In particular daytime, discard, chargen, echo, fingerd, rquotad, rusersd, rwalld, rexd, systat, time, netstat.
10. Security of services

This chapter covers the rules that apply to the principal services (functions) offered by Unix servers.

10.1. General comments

N° | Rule | Additional information
RS-4000 | All sensitive services should be started in a “ch-rooted” environment. |

10.2. X-Window

N° | Rule | Additional information
RS-4100 | If an X server is necessary (X11 or Xfree), use the most up to date valid version possible. |
RS-4101 | X server authentication must be carried out by the xauth function. | Unlike filtering via xhost, which uses authentication based on the client host name, the xauth method uses a shared secret in order to guarantee authentication of the two parties. But the communication remains in “clear language”.
RS-4102 | The data exchanged between the client and the X server must be encrypted via an SSH tunnel, in compliance with MGS 425. |

10.3. File transfer service

N° | Rule | Additional information
RS-4200 | Apply MGS 601 V2.0: File transfer. | In the process of standardisation.

10.4. Messaging service

N° | Rule | Additional information
RS-4300 | A mail transfer agent is necessary for distributing messages. This agent must not be run as a network service. | In addition, its configuration should be modified so that it is not used as an uncontrolled mail relay.
10.5. Distributed names service

N° | Rule | Additional information
RS-4400 | Use the security functions (LDAPS) supplied by LDAP. |

10.6. NFS (network file system)

N° | Rule | Additional information
RS-4500 | The NFS server must not be installed or started up. | If the NFS server is necessary, the file /etc/exports must respect the following characteristics: • must belong to root:root and permissions be 644 • domain names must be fully qualified if possible • must verify exports using the access option • must not export the file to itself (localhost entry) • must prefer the nosuid and read-only mounting options

10.7. Administration / supervision department

N° | Rule | Additional information
RS-4600 | The SNMP protocol must not be used if not necessary. |
RS-4601 | If the SNMP protocol is necessary, version 3 must be used. | If version 3 is not available, version 2 is tolerated. In any case, ban version 1.
RS-4602 | If the SNMP protocol is necessary, there should be no SNMP community strings named “public” or “private”, nor the names supplied as standard by manufacturers (default parameters). |
RS-4603 | If the SNMP protocol is necessary, all community strings must comply with the password management policy. |
RS-4604 | Access to the SNMP server must be restricted to authorised stations only. |
RS-4605 | If the SNMP protocol is necessary, sending of SNMP traps must be protected by identifiers in compliance with the password management policy. |
RS-4606 | If the SNMP protocol is necessary, access to the SNMP service is only read-authorised and not write-authorised. |
10.8. WEB

N° | Rule | Additional information
RS-4700 | Apply MGS 411. |

10.9. Domain names service

N° | Rule | Additional information
RS-4800 | Use Bind or LDAP as the domain names service. |
RS-4801 | Always use the latest available validated and maintained version of the domain name service. |
11. Appendix: rights and permissions for important files

The table below presents a non-exhaustive list of files for which ownership and user rights should be monitored with vigilance. The rights shown are the maximum admissible for a well-secured installation. These rights can nevertheless be further restricted. When rights have to be modified, use the form given as parameter of the command /bin/chmod.

The group named ROOT corresponds to the group whose GID is 0 (zero); the name of this group may differ from one system to another. The keyword ALL shows the rights for all systems other than those that are the subject of a specific line in the rights table (for the same file/directory).

A sealing tool (TripWire for example; study available at Securinoo) would be an additional advantage for ensuring that critical files have not been modified, particularly on servers.
Files/Directories | Owner | Group | Rights | Systems
/ | root | ROOT | 0755 | ALL
/bin | root | ROOT, bin | 0755 | ALL
/bin/bash | root | ROOT, bin | 0755 | Linux
/bin/login | root | ROOT, bin | 4555 | ALL
/bin/mount | root | root | 0550 | Linux
/bin/netstat | root | root | 0550 | Linux
/bin/su | root | ROOT, bin | 4755 | ALL
/boot | root | root | 0750 | Linux
/boot/* | root | root | 0640 | Linux
/boot/grub/grub.conf | root | root | 0600 | Linux
/crash | root | ROOT | 0750 | Solaris
/dev | root, bin | ROOT, sys, bin | 0755 | ALL
/dev/console | root | ROOT, sys | 0633 | ALL
/dev/full | root | root | 0666 | Linux
/dev/kmem | root | ROOT | 0640 | AIX
/dev/kmem | bin | sys | 0640 | HP-UX
/dev/kmem | root | kmem | 0640 | Linux
/dev/kmem | root | sys | 0640 | Solaris
Files/Directories | Owner | Group | Rights | Systems
/dev/MAKEDEV | root | root | 0700 | Linux
/dev/mem | root | ROOT | 0640 | AIX
/dev/mem | bin | sys | 0640 | HP-UX
/dev/mem | root | kmem | 0640 | Linux
/dev/mem | root | sys | 0640 | Solaris
/dev/null | root, bin | ROOT, sys, bin | 0666 | ALL
/dev/random | root | root | 0644 | Linux
/dev/tty | root, bin | ROOT, tty, bin | 0666 | ALL
/dev/urandom | root | root | 0644 | Linux
/dev/zero | root | ROOT, sys | 0666 | Solaris, Linux, AIX
/etc | root | ROOT, sys, bin | 0755 | ALL
/etc/aliases | root | ROOT, bin | 0600 | Solaris, Linux, AIX
/etc/aliases.db | root | root | 0600 | Linux
/etc/anacrontab | root | root | 0600 | Linux
/etc/at.allow | root | root | 0600 | Linux
/etc/at.deny | root | root | 0600 | Linux
/etc/cron.allow | root | root | 0600 | Linux
/etc/cron.d/at.allow | root | root | 0600 | Solaris
/etc/cron.d | root | sys | 0750 | Solaris
/etc/cron.d/at.deny | root | root | 0600 | Solaris
/etc/cron.d/cron.allow | root | sys | 0600 | Solaris
/etc/cron.d/cron.deny | root | sys | 0600 | Solaris
/etc/cron.deny | root | root | 0600 | Linux
/etc/default/useradd | root | bin | 0640 | HP-UX
/etc/default | root | root, sys | 0750 | Linux, Solaris, HP-UX
/etc/default/init | root | sys | 0644 | Solaris
/etc/default/login | root | sys | 0644 | Solaris
/etc/default/passwd | root | sys | 0644 | Solaris
/etc/default/su | root | sys | 0644 | Solaris
/etc/defaultrouter | root | root | 0644 | Solaris
/etc/environment | root | ROOT | 0644 | AIX
/etc/exclude.rootvg | root | ROOT | 0644 | AIX
/etc/exports | root | root | 0600 | ALL
Files/Directories | Owner | Group | Rights | Systems
/etc/fstab | root | sys | 0640 | HP-UX
/etc/fstab | root | root | 0600 | Linux
/etc/ftpaccess | root | root | 0400 | Linux
/etc/ftpconversions | root | root | 0400 | Linux
/etc/ftpgroups | root | root | 0400 | Linux
/etc/ftphosts | root | root | 0400 | Linux
/etc/ftpusers | root | root | 0400 | Solaris, Linux
/etc/group | root | ROOT | 0644 | ALL
/etc/hosts | root | ROOT | 0644 | ALL
/etc/hosts.allow | root | ROOT | 0640 | ALL
/etc/hosts.deny | root | ROOT | 0640 | ALL
/etc/hosts.equiv | root | ROOT | 0000 | ALL
/etc/hosts.lpd | root | ROOT | 0600 | AIX
/etc/inet/hosts | root | root | 0444 | Solaris
/etc/inet/inetd.conf | root | root | 0644 | Solaris
/etc/inet/services | root | root | 0644 | Solaris
/etc/inetd.conf | root | ROOT | 0644 | ALL
/etc/init.d | root | root | 0750 | Solaris, Linux
/etc/init.d/* | root | root | 0750 | Solaris, Linux
/etc/inittab | root | ROOT | 0644 | ALL
/etc/issue* | root | root | 0644 | Solaris, Linux, HP-UX
/etc/lilo.conf | root | root | 0600 | Linux
/etc/login.defs | root | root | 0600 | Linux
/etc/mail | root | root | 0755 | Solaris, Linux, HP-UX
/etc/mail/* | root | root | 0644 | Solaris, Linux, HP-UX
/etc/motd | root | ROOT | 0644 | Solaris, Linux, AIX
/etc/mtab | root | root | 0644 | Linux
/etc/netgroup | root | ROOT | 0644 | HP-UX
/etc/notrouter | root | root | 0644 | Solaris
/etc/passwd | root | ROOT | 0644 | ALL
/etc/printcap | root | root | 0644 | Linux
/etc/profile | root | ROOT | 0644 | ALL
/etc/rc.* | root | ROOT | 0750 | AIX, Linux
Files/Directories | Owner | Group | Rights | Systems
/etc/rc.config.d | bin | bin | 0755 | HP-UX
/etc/rc.config.d/* | bin | bin | 0644 | HP-UX
/etc/rc.d/*/* | root | ROOT | 0700 | AIX, Linux
/etc/rc.d/rc?.d | root | ROOT | 0755 | AIX, Linux
/etc/rc.d/rc?.d/* | root | ROOT | 0744 | AIX, Linux
/etc/rc?.d | root | root | 0755 | Solaris
/etc/rc?.d/* | root | root | 0744 | Solaris
/etc/resolv.conf | root | ROOT | 0644 | ALL
/etc/rpc | root | ROOT, sys, bin | 0644 | ALL
/etc/securetty | root | root | 0600 | Linux
/etc/security | root | root | 0755 | AIX
/etc/security/group | root | security | 0640 | AIX
/etc/security/passwd | root | security | 0600 | AIX
/etc/security/user | root | security | 0640 | AIX
/etc/sendmail.cf | root | root | 0644 | Linux, AIX
/etc/services | root | ROOT | 0644 | ALL
/etc/shadow | root | root, sys | 0600 | Solaris, Linux
/etc/skel | root | root | 0755 | Solaris, Linux, HP-UX
/etc/skel/* | root | root | 0644 | Solaris, Linux, HP-UX
/etc/snmp/conf/snmpd.conf | root | root | 0644 | Solaris
/etc/SnmpAgent.d/snmpd.conf | root | root | 0644 | HP-UX
/etc/snmpd.conf | root | ROOT | 0644 | AIX
/etc/ssh | root | ROOT | 0755 | Linux, AIX
/etc/ssh/* (other than above) | root | ROOT | 0644 | Linux, AIX
/etc/ssh/*_key | root | ROOT | 0600 | Linux, AIX
/etc/ssh/sshd_config | root | ROOT | 0600 | Linux, AIX
/etc/syslog.conf | root | ROOT | 0644 | ALL
/etc/system | root | root | 0644 | Solaris
/etc/xinetd.conf | root | ROOT | 0640 | ALL
/etc/xinetd.d | root | ROOT | 0750 | ALL
/etc/xinetd.d/* | root | ROOT | 0640 | ALL
/root/* | root | ROOT | 0700 | ALL
/root/.rhosts | root | ROOT | 0000 | ALL
Files/Directories | Owner | Group | Rights | Systems
/sbin | root | ROOT, bin | 0755 | ALL
/sbin/arp | root | ROOT | 0755 | Linux
/sbin/init.d | root | root | 0750 | HP-UX
/sbin/init.d/* | root | root | 0744 | HP-UX
/sbin/mount | root | root | 0550 | HP-UX
/sbin/rc?.d | root | root | 0755 | HP-UX
/sbin/rc?.d/* | root | root | 0744 | HP-UX
/sbin/route | root | root | 0550 | Linux
/system | root | ROOT | 0755 | AIX, Linux, HP-UX
/system/products | root | root | 0555 | Linux
/system/products/sudo/log/sudo.log | root | root | 0644 | Linux
/tmp | root | ROOT | 1777 | ALL
/users | root | ROOT | 0555 | ALL
/usr/bin | root | ROOT, bin | 0755 | ALL
/usr/bin/at | root | ROOT | 4555 | ALL
/usr/bin/finger | root | root | 0550 | ALL
/usr/bin/netstat | root | root | 0550 | Solaris, AIX, HP-UX
/usr/bin/passwd | root | ROOT, bin | 4555 | ALL
/usr/bin/rdate | root | root | 0550 | Solaris
/usr/bin/rdist | root | root | 0550 | Solaris, AIX, HP-UX
/usr/bin/rpcinfo | root | root | 0550 | Solaris, AIX, HP-UX
/usr/bin/rusers | root | root | 0550 | Solaris, AIX, HP-UX
/usr/bin/rwho | root | root | 0550 | Solaris, AIX, HP-UX
/usr/bin/talk | root | root | 0550 | Solaris, AIX, HP-UX
/usr/bin/wall | root | tty | 2555 | Linux
/usr/bin/write | root | tty, bin | 2555 | ALL
/usr/games | root | root | 0755 | Linux
/usr/lib | root | ROOT, bin | 0755 | ALL
/usr/sbin/arp | root | ROOT | 0755 | Solaris, AIX, HP-UX
/usr/sbin/chroot | root | root | 0550 | ALL
/usr/sbin/mount | root | root | 0550 | Solaris, AIX
/usr/sbin/route | root | root | 0550 | Solaris, AIX, HP-UX
/usr/sbin/rpcinfo | root | root | 0550 | Linux
Files/Directories | Owner | Group | Rights | Systems
/usr/sbin/wall | root | tty, bin | 2555 | AIX, Solaris, HP-UX
/var/adm/cron | root | ROOT, cron | 0755 | AIX, HP-UX
/var/adm/cron/at.allow | root | ROOT, cron | 0640 | AIX, HP-UX
/var/adm/cron/at.deny | root | ROOT, cron | 0640 | AIX, HP-UX
/var/adm/cron/cron.allow | root | ROOT, cron | 0640 | AIX, HP-UX
/var/adm/cron/cron.deny | root | ROOT, cron | 0640 | AIX, HP-UX
/var/adm/cron/log | root | ROOT | 0644 | AIX, HP-UX
/var/adm/messages | root | ROOT | 0644 | ALL
/var/adm/syslog/* | root | root | 0644 | HP-UX, Solaris
/var/cron/log | root | root | 0644 | Solaris
/var/log/* | root | root | 0640 | Solaris, Linux
/var/log/wtmp | root | utmp | 0600 | Linux
/var/run/syslogd.pid | root | root | 0640 | Solaris, Linux, HP-UX
/var/run/utmp | root | utmp | 0644 | Linux
/var/spool | ROOT, bin | ROOT, bin | 0755 | ALL
/var/spool/at | daemon | daemon | 0700 | Linux
/var/spool/cron | root | root | 0700 | ALL
/var/tmp | root | root | 1777 | ALL
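As an added example (not part of MGS404), a shell script that checks a file against one line of the table above: the owner must match, the group must be one of those listed (ROOT meaning GID 0, as the appendix defines it), and the permission bits must be no looser than the listed maximum, tighter being allowed. It assumes GNU stat (Linux) and demonstrates on constructed files owned by the current user; on a real host the table lines would name root/ROOT and the real paths.

```shell
#!/bin/sh
# Added example (not part of MGS404): verify files against the appendix table.
# A file conforms when its owner is the listed owner, its group is one of the
# listed groups (ROOT meaning GID 0, as the appendix defines it), and its
# permission bits are a subset of the maximum listed: tighter is allowed,
# looser is reported. GNU stat (Linux) is assumed; the demonstration files are
# constructed.

# check_rights PATH OWNER GROUPS MAXMODE
#   GROUPS is comma-separated, e.g. "ROOT,bin" for the table's "ROOT, bin".
#   Prints each deviation; returns 1 if the file deviates or is missing.
check_rights() {
    f="$1"; want_owner="$2"; want_groups="$3"; max="$4"
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    set -- $(stat -c '%U %G %g %a' "$f")   # owner, group, GID, octal mode
    owner="$1"; group="$2"; gid="$3"; mode="$4"
    crc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owner $owner, expected $want_owner"; crc=1
    fi
    ok=0
    for g in $(printf '%s' "$want_groups" | tr ',' ' '); do
        if [ "$g" = ROOT ] && [ "$gid" -eq 0 ]; then ok=1; fi
        if [ "$g" = "$group" ]; then ok=1; fi
    done
    if [ "$ok" -eq 0 ]; then
        echo "$f: group $group, expected one of $want_groups"; crc=1
    fi
    # Permission bits present on the file but absent from the maximum.
    extra=$(( 0$mode & ~0$max ))
    if [ "$extra" -ne 0 ]; then
        echo "$f: mode $mode exceeds maximum $max"; crc=1
    fi
    return $crc
}

# audit_rights_table: reads lines "path owner groups maxmode" on stdin (the
# "Systems" column of the appendix omitted, '#' lines ignored) and checks each.
audit_rights_table() {
    rc=0
    while read -r path owner groups mode; do
        case "$path" in ''|'#'*) continue ;; esac
        check_rights "$path" "$owner" "$groups" "$mode" || rc=1
    done
    return $rc
}

# Stand-alone demonstration on constructed files owned by the current user
# (on a real host the table lines name root/ROOT and the real paths).
demo=$(mktemp -d)
me=$(id -un); mygroup=$(id -gn)
touch "$demo/hosts.allow" "$demo/passwd" "$demo/shadow"
chmod 0640 "$demo/hosts.allow"; chmod 0644 "$demo/passwd"; chmod 0644 "$demo/shadow"
audit_rights_table <<EOF
# path  owner  groups  maxmode   (shadow is deliberately too open: 0644 exceeds 0600)
$demo/hosts.allow $me $mygroup 0640
$demo/passwd $me $mygroup 0644
$demo/shadow $me $mygroup 0600
EOF
rm -rf "$demo"
```

Run from cron with the table lines for the local system type, the script gives the periodic ownership and rights check the appendix asks for; it complements rather than replaces a sealing tool such as TripWire, which also detects content changes.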