Professional Documents
Culture Documents
Basics
Perimeter
Unix
NT
Windows 2000
Giri
Procedural: E = D+R
Perimeter(Firewall): E = D+R
UNIX: E = D+R
NT/Windows 2000: E = D+R
CIS Rulers
Rulers list a set of minimal actions that need to be
Fire suppression?
Backups? Offsite backups?
2000 booklet.
Least Privilege Principle
Avoid granting unnecessary Admin privs.
Limit Domain Trust.
Restrict modems in workstations and servers.
Limit access to sniffer software (Network Monitor).
authorization
User Accounts and Environment
Kernel Level TCP/IP tuning
Kernel Tuning
UMASK issues
File/Directory Permissions/Access
System Logging
SSH
Minimize network services
X11/CDE
General Administration Policies
Specific Servers
www, ftp, DB, Mail, NFS, Directory, Print, Syslog
time, D
Install the latest version of TCP Wrappers on appropriate network services
SSH for login, file copy and X11 encryption
Install crypto file signature function to monitor changes in critical system binaries and config files (tripwire)
software
Run NTP or some other time sync tool
Run logcheck or similar syslog analysis or monitoring tool
Install the latest version of sudo
/etc/hosts.equiv
Create appropriate banner for any network interactive service
Restrict direct root login to system console
Verify shadow password file format is used
Verify PAM configuration
secured
System handling of source routed packets secured
System handling of broadcast packets secured
Use strong TCP Initial Sequence Numbers
Harden against TCP SYN Flood attacks
and /etc/.login
Restrict batch file access to authorized users
Ensure cron files only readable by root or cron user
permissions
Mount all filesystems RO or NOSUID
All filesystems except / mounted NODEV
by root
No World-write dirs in roots search path
Sticky bit set on all temp directories
No NIS/NIS+ features in passwd or group files if NIS/NIS+ is disabled
/usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal {} \; 2>/dev/null   (SUID files)
/usr/bin/find / -local -type f -user root -perm -2000 -exec ls -dal {} \; 2>/dev/null   (SGID files)
find / \( -local -o -prune \) -perm -0002 -print   (world-writable files)
find / -name .netrc -print   (.netrc files)
find / -perm -1000 -print   (sticky bit set)
Sample ls -l output from /dev (the file mode column was lost in extraction):
1 root root    26450 Sep 24  1999 MAKEDEV
1 root sys    14,  4 Apr 17  1999 audio
1 root sys    14, 20 Apr 17  1999 audio1
1 root disk   32,  0 May  5  1998 cm206cd
1 root root    5,  1 May 26 15:17 console
1 root floppy  2,  1 May  5  1998 fd1
1 root disk   16,  0 May  5  1998 gscd
1 root disk    3,  0 May  5  1998 hda
1 root disk    3,  1 May  5  1998 hda1
1 root disk    3, 10 May  5  1998 hda10
1 root disk    3, 11 May  5  1998 hda11
1 root disk    3, 12 May  5  1998 hda12
1 root disk    3, 13 May  5  1998 hda13
1 root disk    3, 14 May  5  1998 hda14
1 root disk    3, 15 May  5  1998 hda15
1 root disk    3, 16 May  5  1998 hda16
Review all world-writable and SUID/SGID files on the system. Freeware tools such as
fix-modes or YASSP can help identify and correct file permissions. After the review, create a
list of all the remaining approved world-writable and SUID/SGID files on the system and store it
in a secure place. Periodically check the system against this list to identify changes and
ensure that any changes are approved.
NFS shared files, especially files in /usr, /opt and /var, should be exported read-only to
specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like
/tmp, /dev and /) should be mounted with the nosuid option to prevent the inadvertent granting of
SUID privilege on NFS mounted files.
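The periodic check described above, combined with the find commands from the earlier slide, as an added example (not from the original course material): scan a tree for SUID, SGID and world-writable regular files and report anything missing from an approved baseline. The sample tree and baseline are constructed inside the script so it runs offline; -xdev is assumed as the GNU/BSD equivalent of the Solaris -local shown on the slides.

```shell
#!/bin/sh
# Added example, not from the original slides. On a real host, point
# scan_tree at / (once per mounted filesystem) and keep the baseline file
# somewhere the audited host cannot modify.
LC_ALL=C; export LC_ALL

# List SUID, SGID and world-writable regular files under $1 as paths
# relative to $1, one per line, sorted. -xdev stays on one filesystem,
# standing in for the Solaris-only -local used on the slides.
scan_tree() {
    tree=$1
    find "$tree" -xdev -type f \
        \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print \
        | sed "s|^$tree||" | sort
}

# Print files present in the scan of $1 that are not in baseline file $2
# (one path per line). Empty output means the host still matches the list.
unapproved_files() {
    tree=$1; baseline=$2
    sorted=$(mktemp)
    sort "$baseline" > "$sorted"
    scan_tree "$tree" | comm -23 - "$sorted"
    rm -f "$sorted"
}

# Constructed sample tree (not a real system): two approved files, one
# unapproved SUID binary and one world-writable file. Writes the approved
# list next to the tree and prints the tree's path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/tmp"
    : > "$dir/usr/bin/passwd"; chmod 4755 "$dir/usr/bin/passwd"   # approved SUID
    : > "$dir/usr/bin/wall";   chmod 2755 "$dir/usr/bin/wall"     # approved SGID
    : > "$dir/usr/bin/rogue";  chmod 4755 "$dir/usr/bin/rogue"    # not approved
    : > "$dir/tmp/scratch";    chmod 0666 "$dir/tmp/scratch"      # world-writable
    printf '%s\n' /usr/bin/wall /usr/bin/passwd > "$dir.baseline"
    echo "$dir"
}

# Usage: scan the constructed tree against its baseline, then clean up.
sample=$(make_sample_tree)
unapproved_files "$sample" "$sample.baseline"
rm -rf "$sample" "$sample.baseline"
```

Run it against a real filesystem only after generating the baseline from a reviewed host; the two lines it prints for the sample tree (/tmp/scratch and /usr/bin/rogue) are the files an auditor would have to approve or fix.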
services (TCP/UDP)
Sample /etc/inetd.conf
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root        /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root        /usr/sbin/tcpd  in.comsat
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
Output Example: fingerd running
Audit Method: telnet localhost 79 to connect to the local system's finger daemon
Finding: fingerd is active
current 6/15/01)
Restrict sendmail prog mailer
Verify privileges and checksums for mail programs
Ensure X server is started with Xauth
Use SSH to access X programs on remote hosts
No null passwords
Remove root equivalent users (UID=0)
No . in root PATH
No .files world or group writable
Remove .netrc, .exrc, .dbxrc files
User $HOME dirs should be mode 755 or stricter
IDS returns:
21:07:16.63 badguy.com.26617 > goodnhacked.com.5135: udp
21:07:16.66 goodnhacked.com.5135 > badguy.com.26617: udp 69
to the Internet
Wide variety of opinions
Every site has a Firewall (FW) of some sort. It may be a packet filtering router or a fancy stateful FW.
What about wireless nets?
should include:
A properly configured border router.
A virus detection solution.
An authentication system for trust management.
Properly configured operating systems and Internet applications.
Personal FW software installed on all hosts.
An Intrusion Detection System
Firewalls require monitoring and change control management.
(Diagram: INTERNET, ISP, Front End, Firewall, DNS, Email)
security policy
The notes contain a minimal Perimeter audit plan!
Top Ten recommendations are shown in notes pages. There are examples
of implementations based on this security policy at:
http://www.sans.org/giactc/gcfw.htm (practicals 30-35)
Section Review
Establishing and testing perimeter defenses