Chinaunix首页 | 论坛 | 博客
  • 博客访问: 2021795
  • 博文数量: 593
  • 博客积分: 20034
  • 博客等级: 上将
  • 技术积分: 6779
  • 用 户 组: 普通用户
  • 注册时间: 2006-02-06 14:07
文章分类

全部博文(593)

文章存档

2016年(1)

2011年(101)

2010年(80)

2009年(10)

2008年(102)

2007年(16)

2006年(283)

我的朋友

分类:

2006-05-28 14:54:57

System Security Guidelines

The following guidelines are for system administrators who need to implement and maintain system security.

Introduction

Attention: Any operating environment may have unique security requirements that are not addressed in these guidelines. To ensure a secure system, system administrators may need to implement additional security measures not discussed here.

This information does not provide security guidelines for all operational environments. It is impossible to create a single set of guidelines for all security requirements. These guidelines are not intended to represent the only requirements for achieving a secure system.

It is helpful to plan and implement your security policies before you begin using the system. Security policies are very time consuming to change later, so a little planning now can save a lot of time later.

The security guidelines by category are:

Basic Security

Every system should maintain the level of security represented by these basic security policies.

User Accounts

Many attributes can be set for each user account, including password and login attributes. (For a list of configurable attributes, see the table in AIX Version 4.3 System Management Guide: Operating System and Devices. .) The following are recommended:

  • Each user should have a user ID that is not shared with any other user. All of the security safeguards and accountability tools only work if each user has a unique ID.
  • Give user names that are meaningful to the users on the system. Actual names are best, since most electronic mail systems use the user ID to label incoming mail.
  • Add, change, and delete users using the Web-based System Manager or SMIT interface. Although you can perform all these tasks from the command line, these interfaces help reduce small errors.
  • Do not give a user account an initial password until the user is ready to log on to the system. If the password field is defined as an * (asterisk) in the /etc/passwd file, account information is kept, but no one can log in to that account.
  • Do not change the system-defined user IDs that are needed by the system to function properly. The system-defined user IDs are listed in the /etc/passwd file.
  • In general, do not set the admin parameter to true for any user IDs. Only the root user can change attributes for users with admin=true set in the /etc/security/user file.

File Ownership and User Groups

When a file is created, the operating system assigns the user ID of the new file the effective user ID of the process that created it. The group ID of the file is either the effective group ID of the process or the group ID of the directory that contains the file, based on the set group ID (SUID) bit of that directory.

File ownership can be changed with the command.

The command shows your user ID (UID), group ID (GID), and the names of all groups you belong to.

In file listings (such as the listings shown by the or command), the three groups of users are always represented in the following order: user, group, and others. If you need to find out your group name, the command shows all the groups for a user ID.

The "File Ownership and User Groups" in AIX Version 4.3 System User's Guide: Operating System and Devices contains more information about file and directory access modes.

Groups

Groups are collections of users who can share access permissions for protected resources. Plan your system groups before you begin creating them. Groups can make administration easier, but once you start using the system, it is harder to change your group organization. There are three types of groups: user, system administrator, and system-defined.

User Groups

In general, create as few user groups as possible.

Groups should be made for people who need to share files on the system, such as people who work in the same department, or people who are working on the same project.

For example, consider a small engineering office with three sets of people in the office: office support personnel, system administrators, and engineers. Only two user groups, one for each function in the office, are needed: OFFICE (for the office management staff), and ENGINEER (for the engineers). Later, for example, if a small group of engineers begins work on a special project, a new group called PROJECT can be created and those engineer user IDs can be added to the PROJECT group. Though users can be in more than one group at a time, as in this case, they can only have one primary group at a time. Users can change their primary group with the command.

It is also recommended for simple systems that you do not set the admin characteristic when creating groups. If a group has admin=true set in the /etc/security/group file, only the root user can administer that group.

System Administrator Groups

System administrators should be members of the SYSTEM group. SYSTEM group membership allows an administrator to perform some system maintenance tasks without having to operate with root authority.

System-Defined Groups

There are several system-defined groups. The STAFF group is the default group for all nonadministrative users created in the system. You can change the default group by using the chsec command to edit the /usr/lib/security/mkuser.default file.

The SECURITY group is a system-defined group having limited privileges for performing security administration. SECURITY group members have access to programs and files in /etc/security directory. SECURITY group members can change most attributes for nonadministrative users and groups, such as the user's login shell or the membership of a nonadministrative group.

Most systems do not need to use this group; only multiuser systems with many users should consider using this group. Otherwise, system administrators can perform the same tasks as SECURITY group members by using the command to gain root privilege.

The other system-defined groups are used to control certain subsystems. Consult the subsystem information to see if certain users should be defined as a member of those groups. The system-defined groups and users appear in the /etc/group file.

File System Security

All file system objects (including files, directories, special files, link files, symbolic link files, and pipes) have security mechanisms associated with them. The most commonly used is the access control list (ACL), but the following additional ways of controlling file security can also be used:

Base ACLs Specifies the permissions for the owner, group, and others. These permissions are controlled through the command. For more information, see the section on "File Directory and Access Modes" in the AIX Version 4.3 System User's Guide: Operating System and Devices.
Extended ACLs Provides finer access control than the base ACLs. For more information about the extended ACLs, see the section on "Access Control Lists" in the AIX Version 4.3 System User's Guide: Operating System and Devices.
Status of Extended ACLs The extended ACL must be enabled for a file system object; otherwise, the extended ACL is ignored.
Owner ID This is the user ID of the owner of the file system object. Only this user ID has the permissions granted for the owner of the object.
Group ID This is the ID of the group associated with the object. Only members of this group have the permissions granted for the group associated with the object.
Sticky bit If the sticky bit is set for a directory, only the owner of the directory or the owner of a file can delete or rename a file within that directory, even if others have write permission to the directory. This can be set with the t flag with the command.
TCB bit If the TCB bit is set for a file system object, it identifies that object as part of the Trusted Computing Base (TCB).
umask The umask environment parameter specifies the default permissions for any file or directory created.
Status of the file system A file system can be mounted with read/write or read-only permissions.

Follow these guidelines when dealing with file system objects:

  • In general, do not use extended ACLs. For most systems, base ACLs are sufficient for administration. If you do need the extra security control provided by extended ACLs, use them only when necessary and in an organized manner. Maintaining relevant entries in many extended ACLs can become very time-consuming. Also, do not use extended ACLs at all if you are in a heterogeneous network because they are only recognized by AIX systems.
  • Use the sticky bit on directories where everyone has write permissions.
  • Protect user .profile files with 740 permissions.
  • Do not let users have write access to system directories.
  • Do not change permissions on any files or directories installed as part of the system. Changing those permissions affects system integrity.

Root Access

Attention: The root account should always have a password, and it should never be shared. Only one person, the system administrator, should know the root password. System administrators should only operate as root to perform system administration functions that require root privileges, and then return to a normal user account. Routinely operating as root can result in damage to the system as root overrides many safeguards in the system.

The system administrator should have the root password to gain root authority by using the command. Immediately after the system is installed, the root account should be given a password.

The root account should always be authenticated by means of the local security files.

PATH Environment Variable

The PATH environment variable is an important security control. It specifies the directories to be searched to find a command. The default systemwide PATH value is specified in the /etc/profile file, and each user normally has a PATH value in the user's $HOME/.profile file. The PATH value in the .profile file either overrides the systemwide PATH value or adds extra directories to it.

Unauthorized changes to the PATH environment variable can enable a user on the system to "spoof" other users (including root users). Spoofing programs (also called Trojan Horse programs) replace system commands and then capture information meant for that command, such as user passwords.

For example, suppose a user changes the PATH value so that the system searches the /tmp directory first when a command is executed. Then the user places in the /tmp directory a program called su that asks for the root password just like the command. Then the /tmp/su program mails the root password to the user and calls the real su command before exiting. In this scenario, any root user who used the su command would give away the root password and not even be aware of it. This is just one of many scenarios for gaining confidential information by altering PATH values.

However, following a few simple steps will prevent any problems with the PATH environment variable for system administrators and users:

  • When in doubt, specify full path names. If a full path name is specified, the PATH environment variable is ignored.
  • Never put the current directory (specified by . (period)) in the PATH value specified for the root user. Never allow the current directory to be specified in /etc/profile.
  • The PATH value in the /etc/profile file is used by the root user. Only specify directories that are secure, that is, that only root can write to. It is recommended also that you do not create a .profile file in the / (root) directory. The .profile files should only be in users' $HOME directories.
  • Warn other users not to change their .profile files without consulting the system administrator. Otherwise, an unsuspecting user could make changes that allow unintended access. A user's .profile file should have permissions set to 740.
  • System administrators should not use the su command to gain root privilege from a user session, because the user's PATH value specified in the .profile file is in effect. User's can set their .profile files to whatever they please. System administrators should log on to the user's machine as root, or should use the following command:
    su - root
    This will ensure that root's environment is used during the session. If a system administrator does operate as root in another user's session, then the system administrator should specify full path names throughout the session.
  • Protect the IFS (input field separator) environment variable from being changed in the /etc/profile file. And beware of any user who changes the IFS variable in the .profile file. It too can be used to alter the PATH value.

Advanced Security

These security policies provide a greater level of security, but also require more work to maintain. Consequently, many system administrators use these security features only in a limited way, or not at all.

Accounting

System accounting is not a direct security function, but the information it gathers is important for detecting security problems. You should activate basic accounting on your system, as explained in , although you may want to consider not activating disk accounting and printing accounting as specified in the procedure. Both of these accounting functions produce a large amount of data, and they are not vital to system security.

Auditing

For smaller systems, auditing is generally not necessary. However, on large multiuser systems, it can provide useful information about system activity. For more information, see .

Trusted Computing Base (TCB)

The Trusted Computing Base (TCB) allows administrators to closely monitor trusted programs and enhance the security of the system.

Most systems should use only two parts of the TCB: the command and the default /etc/security/sysck.cfg configuration file. The tcbck command uses information in the /etc/security/sysck.cfg file to compare the security status of key elements of the system against the base data stored in the file. All the administrator must do is protect the sysck.cfg file and run the tcbck command regularly.

阅读(736) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~