UNCLASSIFIED

UNIX SECURITY CHECKLIST
Version 3, Release 1.1
13 December 2002

DISA FIELD SECURITY OPERATIONS

UNIX Security Checklist V3R1.1, Field Security Operations, 13 December 2002, Defense Information Systems Agency

TABLE OF CONTENTS

1 Introduction ............................................ 1-1
1.1 Organization of the Checklist ........................ 1-1
1.2 General Information .................................. 1-2
1.3 Severity Codes ....................................... 1-2
1.4 Screen Sort Order Codes .............................. 1-2
1.5 Referenced Documents ................................. 1-3
1.6 UNIX Checklist Changelog ............................. 1-4
2 SRR Results Report ..................................... 2-1
3 System Check Procedures ................................ 3-1
Appendix A File Template ................................. A-1
Appendix B ESM Security Policy ........................... B-1
Appendix C SRR Command Scripts ........................... C-1

1 INTRODUCTION

1.1 Organization of the Checklist

The UNIX Security Checklist is composed of three major sections and four appendices. The organizational breakdown proceeds as follows:

Section 1, Introduction. This section contains summary information about the sections and appendices that comprise the UNIX Security Checklist and defines its scope. Supporting documents consulted are listed in this section.

Section 2, SRR Results Report. This section is the matrix that allows the reviewer to document vulnerabilities discovered during the Security Readiness Review (SRR) process. The entries in this table, sorted by Potential Discrepancy Item (PDI), are mapped to procedures referenced by paragraph number in Section 3, System Check Procedures.

Section 3, System Check Procedures. This section documents the procedures that instruct the reviewer on how to perform an SRR. Each procedure maps to a PDI tabulated in Section 2, SRR Results Report.

Appendix A, File Template. This appendix documents the allowed file ownership and permissions.

Appendix B, ESM Security Policy. This appendix documents the security policy used by OmniGuard Enterprise Security Manager (ESM) to perform an SRR.

Appendix C, SRR Command Scripts. This appendix documents the command scripts used to perform an SRR.

1.2 General Information

Security Readiness Review (SRR) personnel are not authorized to make changes to any system other than the changes required to perform an SRR. The changes required to perform an SRR consist of creating files within a named account directory or within the /tmp directory. These files consist of files downloaded from a remote host that contain the automated SRR checks (programs and/or scripts) and the files created by the automated SRR checks. Other files may be created if the reviewer feels it is necessary to gather additional information to corroborate a finding or to analyze finding information.

1.3 Severity Codes

Throughout the UNIX Security Checklist, each Potential Discrepancy Item (PDI) has been given a Severity Code, noted as a Category Code in Sections 2 and 3 of the checklist. Severity codes range between I and IV and are defined below:

a. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, superuser access, or a way to bypass a firewall.
b. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder.
c. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise.
d. Category IV vulnerabilities, when resolved, will prevent the possibility of degraded security.

1.4 Screen Sort Order Codes

Due to the large number of UNIX operating systems, it has become necessary to differentiate between generic checks that are possibly found on a majority or all flavors of UNIX and those checks that are tied to a specific implementation. In addition, a requirement to examine the configuration of applications that can have a significant security impact has been added over time, requiring more codes to identify application-specific checks. Lastly, a method to differentiate between Penetration checks that affect UNIX systems but that are not currently addressed in the UNIX STIG has become necessary. To meet these goals, a number of different identifiers are used in the Screen Sort Order field of the SRR Database:

A, AA, AD (Administrative): This check requires interviewing the SA and/or the ISSO to determine whether documented procedures are being followed or that system documentation is being maintained.

G (General): This check is common to most UNIX variants, though the method used to check the requirement may differ. Information may be collected manually by the reviewer or through the use of automated tools.

L (Linux): This check is common to Linux systems only. Reviews of Linux systems are currently conducted manually.

MQ (MQSeries): This check is common to systems using the MQSeries application. Information may be collected manually by the reviewer or through the use of automated tools.

NS (Name Server): This check is common to systems being used for Domain Name Service (DNS). Information may be collected manually by the reviewer or through the use of automated tools.

S (SCO): This check is common to SCO UNIX systems only. Information may be collected manually by the reviewer or through the use of automated tools.

SG (Silicon Graphics): This check is common to IRIX UNIX systems only. Reviews of IRIX systems are currently conducted manually.

SO (Solaris): This check is common to Solaris systems only. Information may be collected manually by the reviewer or through the use of automated tools.

SyHP (Hewlett-Packard UNIX): This check is common to HP-UX systems only. Information may be collected manually by the reviewer or through the use of automated tools.

SysAIX (AIX): This check is common to AIX UNIX systems only. Reviews of AIX systems are currently conducted manually.

T (Tivoli): This check is common to systems using the Tivoli application. Information may be collected manually by the reviewer or through the use of automated tools.

V (Variable): This check is a general UNIX check and is also performed by ISS during the Penetration testing of the network. The results from the system SRR and the Penetration Test can be combined to validate the status of the check.

W (Web Browser): This check is common to systems that have a web browser installed. Information may be collected manually by the reviewer or through the use of automated tools.

Z (Zulu): This check is performed by ISS during the Penetration Test and may apply to a UNIX system. If this vulnerability is found during a Penetration Test, it must be reviewed manually to validate the status of the check.

1.5 Referenced Documents

The following table enumerates the document consulted:

DATE            DOCUMENT DESCRIPTION
5 January 2001  UNIX Security Technical Implementation Guide V3R1.1, Field Security Operations (FSO), Defense Information Systems Agency (DISA)

1.6 UNIX Checklist Changelog

26 Jul 01
- Added G505: iPlanet web servers expose sensitive data via buffer overflow. New IAVA check.

20 Aug 01
- Added G507: The telnet daemon telrcv function is vulnerable to a buffer overflow. New IAVA check.
- Added SO029: The Solaris line printer daemon (in.lpd) is vulnerable to a buffer overflow. New IAVA check specific to Solaris.
- Added additional information for check G501.
- Changed heading in Section 3.9, Linux, to forbid the use of Linux with DISA per the Enclave STIG.

27 Sep 01
- Updated patches for SO029.

26 Oct 01
- Updated patches for V2345, G345, G365, and SO025.
- Added new IAVA reference to G345.
- Added language to G345 and G507: "If a patch is not currently available, the service MUST be disabled by renaming the binary or removing it from the system." Language added due to wording of applicable IAVA(s).
- Added language to make G031 Not Applicable.
- Corrected language in G087 to make the check read correctly.
- Added language to find the audit output files in Solaris.

04 Dec 01
- Modified G031 to read "There is no host based intrusion detection tool." The check was modified to make it application independent instead of referring to ITA only.
- Removed G091: ESM is available and not being used weekly. This check was redundant.
- Added information to some checks to make them easier to implement.
- Added list of tools that provide file system integrity, password strength, and host based intrusion detection capabilities.
- Added information regarding the AIX operating system to all checks that required it.

21 Dec 01
- Added G511: The password integrity check discovered easily guessable passwords. Check was added with the inclusion of CRACK into the scripts to check password integrity.
- Added G513: SSH Version 1 is vulnerable to a remote integer overflow. New IAVA check.
- Added G515: Gauntlet Firewall WebShield CSMAP and smap/smapd have a buffer overflow vulnerability. New IAVA check.
- Added G517: The OpenSSH UseLogin feature has multiple vulnerabilities. New IAVA check.
- Added G519: The Common Desktop Environment (CDE) Subprocess Control Service has a buffer overflow vulnerability. New IAVA check.
- Added G521: There are multiple vulnerabilities in the BSD line printer daemon. New IAVA check.
- Updated patches for G507.

30 Jan 02
- Made corrections for typographical and spelling errors.
- Updated patches for G345.
- Updated patches for G365.
- Updated Solaris patches for G507.
- Updated patches for G519.
- Updated patches for G521.
- Updated patches for SO024.
- Added G523: There is a login daemon overflow vulnerability. New IAVA check.

26 Feb 02
- Changed IAVA to IAVM per CERT change.
- Updated short description for G507.
- Added G525: SNMP has vulnerable trap handling, GetRequest, and GetnRequest routines. New IAVM check.
- Added G527: The SSH Secure Shell 3.0.0 server (sshd2) has a short password vulnerability. New IAVM check.

29 Mar 02
- Added G529: The Washington University FTP daemon (WU-FTPD) has a remote code execution vulnerability. New IAVM check.

26 Apr 02
- Many minor changes to the document format to shorten the overall length.
- Added information to G006 specifying what must be documented for shared accounts.
- Modified the note for G010 to remove references to version 1 of SSH, which can no longer be used.
- Added note to G031 regarding approved host based intrusion detection software.
- Updated table for G033.
- Added note to G140 regarding the location of the ftpusers file on HP-UX 11.X.
- Added note to G190 regarding approved security tool software.
- Added note to G198 regarding Linux systems.
- Updated patches for G521.
- Made correction for the file to search for in T002.
- Added check V132: The SNMP service is running.

24 May 02
- Added G533: A buffer overflow vulnerability exists in the Sun Solaris cachefsd daemon. New IAVM check.
- Added G535: The Solaris rpc.rwall daemon service has a message format string vulnerability. New IAVM check.

28 Jun 02
- Made corrections for typographical and spelling errors.
- Changed the Severity Code for G004 from a Category III to a Category II.
- Changed the Severity Code for G008 from a Category II to a Category III.
- Changed the Severity Code for G019 from a Category III to a Category II.
- Changed the Severity Code for G030 from a Category III to a Category IV.
- Changed the Severity Code for G047 from a Category II to a Category I.
- Changed the Severity Code for G049 from a Category II to a Category I.
- Changed the Severity Code for G051 from a Category II to a Category IV.
- Changed the Severity Code for G052 from a Category III to a Category IV.
- Changed the Severity Code for G062 from a Category II to a Category I.
- Changed the Severity Code for G072 from a Category II to a Category I.
- Changed flag for Solaris for G104 to monitor successful and failed file modifications.
- Changed flag for Solaris for G106 to monitor successful and failed file modifications.
- Changed the Severity Code for G155 from a Category II to a Category I.
- Removed G156: The uucp user account has not been disabled. This check was redundant.
- Changed the Severity Code for G0164 from a Category III to a Category II.
- Removed G175: NIS object permissions are not checked weekly. This check was redundant.
- Removed the BSD operating system from G507, as the operating system is not vulnerable.
- Updated IAVM reference for G525.
- Added new patches for SO028.
- Updated patches for SO029.
- Added note to V155 to clarify under what situation the check should be performed.

26 July 02
- Updated patches for G535.
- Added G537: There are vulnerabilities in the OpenSSH challenge-response handling. New IAVM check.
- Added G539: ISC BIND has a denial of service vulnerability in 9.X versions prior to 9.2.1. New IAVM check.
- Added G541: There are multiple vulnerabilities in the Common Desktop Environment ToolTalk database server (rpc.ttdbserverd). New IAVM check.
- Added G543: The Apache Web server has a vulnerability in the invalid requests handling routines. New IAVM check.

1 Oct 02
- Added G545: Open Secure Socket Layer (OpenSSL) has multiple vulnerabilities. New IAVM check.
- Added G547: The Hypertext Preprocessor (PHP) versions 4.2.0 and 4.2.1 have multiple vulnerabilities. New IAVM check.
- Added G549: Sun remote procedure call (Sun RPC) derived external data representation (XDR) libraries contain an integer overflow vulnerability. New IAVM check.
- Removed V118: rwho is enabled.