Tru64 Security Guide

This document provides a list of configuration changes which enhance the security of a Compaq Tru64 (Digital Unix V4.X) system.


Auditing

  1. The types of events to log are listed in the /etc/sec/audit_events file. Back up the original audit_events file for future reference:
    cp -p /etc/sec/audit_events /etc/sec/audit_events.orig
    
    Audit log files can consume large amounts of disk space, so you may want to prune the types of events to be logged. The following types are suggested:
    !  Audited system calls:
    mknod                 succeed  fail
    mount                 succeed  fail
    unmount               succeed  fail
    setuid                succeed  fail
    setlogin              succeed  fail
    reboot                succeed  fail
    revoke                succeed  fail
    chroot                succeed  fail
    sethostname           succeed  fail
    settimeofday          succeed  fail
    setreuid              succeed  fail
    setregid              succeed  fail
    setgid                succeed  fail
    shutdown              succeed  fail
    adjtime               succeed  fail
    sethostid             succeed  fail
    setsid                succeed  fail
    setdomainname         succeed  fail
    execve                succeed  fail
    exportfs              succeed  fail
    alternate setsid      succeed  fail
    swapon                succeed  fail
    utc_adjtime           succeed  fail
    security              succeed  fail
    uadmin                succeed  fail
    audcntl               succeed  fail
    setsysinfo            succeed  fail
    rename                succeed  fail
    truncate              succeed  fail
    ftruncate             succeed  fail
    
    !  Audited trusted events:
    audit_start           succeed  fail
    audit_stop            succeed  fail
    audit_setup           succeed  fail
    audit_suspend         succeed  fail
    audit_log_change      succeed  fail
    audit_log_creat       succeed  fail
    audit_xmit_fail       succeed  fail
    audit_reboot          succeed  fail
    audit_log_overwrite   succeed  fail
    audit_daemon_exit     succeed  fail
    login                 succeed  fail
    logout                succeed  fail
    auth_event            succeed  fail
    audgen8               succeed  fail
    

  2. Enable the Audit Subsystem:
    /usr/sbin/audit_setup

    You will be prompted for information as the script runs. The default options should be sufficient for most configurations.

  3. Create /etc/sec/newauditlog.sh, which closes the current audit log, starts a new one and removes logs older than AUDIT_EXPIRE days (make it owned by root and executable only by root):
    #!/sbin/sh
    #
    # newauditlog.sh - Start a new audit file and expire the old logs
    #
    AUDIT_EXPIRE=30                 # days of audit logs to keep
    AUDIT_DIR="/var/audit"

    # Ask auditd to switch to a new auditlog file
    /usr/sbin/auditd -x

    # Work relative to the audit directory in case it is a symbolic link
    cd $AUDIT_DIR || exit 1
    /usr/bin/find . -type f -name 'auditlog.*' -mtime +$AUDIT_EXPIRE \
        -exec rm -f {} \; > /dev/null 2>&1
    

  4. Run the script nightly from cron:
    /usr/bin/crontab -e root
    0 0 * * * /etc/sec/newauditlog.sh
    
  5. The audit files generated are not human readable. The audit_tool(8) command can be used to output selected records in ASCII format.

Boot files

  1. Disable all startup files for services that are not needed from /sbin/rc2.d and /sbin/rc3.d. Services may be disabled by changing the capital 'S' in the name of the script to a lowercase 's': the rc scripts only run entries matching S*, so a renamed script is skipped at boot but stays in place and can be reinstated with a single rename. The following startup files should not be disabled:

    /sbin/rc2.d:
    S00savecore    S05paging      S10recpasswd   S35streams
    S01libmsetup   S06mfsmount    S25enlogin

    /sbin/rc3.d:
    S00inet        S21audit       S30rmtmpfiles  S59lsm         S85vectored_x
    S08startlmf    S25preserve    S45xntpd       S60motd        S90ws
    S09syslog      S26security    S55inetd       S63write
    S10binlog      S27sia         S57cron        S80crashdc
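
The renaming described in step 1, as an added shell example that is not part of the original guide: every S* script in an rc directory whose name is not on a keep list is renamed to start with a lowercase 's', and a second function lists what will still run at boot. The rc3.d keep list is the one printed above; the directory paths in the usage comment are assumptions to be checked against your own system before running it as root.

```sh
#!/bin/sh
# Added example (not from the original guide): apply a keep list to an rc
# directory. Scripts not on the list are renamed S... -> s..., which is the
# manual change the guide describes; nothing is deleted, so a service can
# be restored with a single mv.

# disable_unlisted DIR NAME...  - rename every S* entry in DIR whose
# basename is not one of NAME...; prints each script it disables.
disable_unlisted() {
    dir=$1
    shift
    keep=" $* "                            # padded so " S55inetd " matches whole names
    for f in "$dir"/S*; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=`basename "$f"`
        case "$keep" in
            *" $name "*) continue ;;       # wanted at boot, leave alone
        esac
        mv "$f" "$dir/s${name#S}" && echo "disabled $name"
    done
}

# enabled_scripts DIR - list the scripts that will still run at boot
enabled_scripts() {
    for f in "$1"/S*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# The /sbin/rc3.d keep list from step 1, as a space-separated string
RC3_KEEP="S00inet S08startlmf S09syslog S10binlog S21audit S25preserve \
S26security S27sia S30rmtmpfiles S45xntpd S55inetd S57cron S59lsm \
S60motd S63write S80crashdc S85vectored_x S90ws"

# Usage on a real system (as root, after backing up /sbin/rc3.d; assumed paths):
#   disable_unlisted /sbin/rc3.d $RC3_KEEP
#   enabled_scripts  /sbin/rc3.d
```

Run enabled_scripts first and review the output before disabling anything: the keep list above is the guide's minimum, and a site that depends on, say, NFS or sendmail will need their start scripts added to it.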
    
  2. In order to ensure that all of the startup scripts run with the proper umask, execute the following script. The link is deliberately named with a .sh suffix: the rc scripts source entries ending in .sh in the current shell rather than running them as separate processes, so the umask persists for every script that follows.

    umask 022  # make sure umask.sh gets created with the proper mode
    echo "umask 022" > /sbin/init.d/umask.sh
    for d in /sbin/rc?.d
    do
       ln /sbin/init.d/umask.sh $d/S00umask.sh   # hard link; both live on the root filesystem
    done
    
  3. In order to log as much information as possible, add the following lines to your /etc/syslog.conf:

    mail.debug              /var/log/syslog
    *.info;mail.none        /var/adm/messages


    Note: Tabs must be used to separate the selector from the action field.

    This will log mail entries to /var/log/syslog and everything else at priority info or above to /var/adm/messages. Create both files before restarting syslogd if they do not already exist (syslogd will not create them), then send syslogd a HUP signal so that it re-reads its configuration.

  4. Set the permissions on the log files as follows:

    chmod 600 /var/adm/messages /var/log/syslog
    
  5. Create /sbin/rc3.d/S79tmpfix so that at every boot /tmp is reset to mode 1777 (world-writable with the sticky bit set, so users can remove only their own files):
    #!/bin/sh
    #ident  "@(#)tmpfix 1.0    95/09/14"

    # Reset the mode and ownership of /tmp at boot
    if [ -d /tmp ]
    then
        /usr/bin/chmod 1777 /tmp
        /usr/bin/chgrp sys /tmp
        /usr/bin/chown sys /tmp
    fi

    [Source: Titan psfix module]

Network Services

    1. Deny services started by inetd(8) the ability to create core files, so that a crashing network daemon cannot leave an image of its memory (which may include credentials) on disk. Add "ulimit -c 0" to the 'start' case of /sbin/rc3.d/S55inetd before inetd is started; the limit is inherited by inetd and by every service it spawns:

      'start')
              if [ "X$Pid" = "X" ]
              then
                      ulimit -c 0      # added: no core files for inetd or its children
                      if /usr/sbin/inetd; then
                              echo "Internet services provided."

    2. Comment out or remove all unnecessary services in the /etc/inetd.conf file, including the following, then send inetd a HUP signal so that it re-reads the file:

      shell        login        exec
      uucp         finger       tftp
      comsat       talk         ntalk
      bootps       time         daytime
      echo         discard      chargen
      kdebug       cfgmgr       rquotad
      rusersd      sprayd       walld
      rpc.cmsd     rpc.ttdbserverd
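
The edit in step 2, as an added shell example that is not part of the original guide: a function comments out every active line of an inetd.conf-style file whose service name is on a list, keeping a copy of the original, and a second function prints the services that remain enabled. The file format assumed is the usual one (service name is the first field of each non-comment line; RPC entries may carry a "/version" suffix such as rquotad/1, which is ignored when matching). The sample configuration is constructed for the demonstration and the exact spelling of names such as rpc.cmsd should be checked against how they appear in your own file.

```sh
#!/bin/sh
# Added example (not from the original guide): disable inetd services by
# name and report what is still active.

# disable_inetd_services CONF NAME... - prefix matching active lines with
# '#'. The original is kept as CONF.orig; CONF is rewritten in place.
disable_inetd_services() {
    conf=$1
    shift
    cp -p "$conf" "$conf.orig" || return 1
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }     # already a comment, or blank
        {
            name = $1
            sub(/\/.*/, "", name)                   # strip an RPC version suffix
            if (name in off) print "#" $0; else print
        }
    ' "$conf.orig" > "$conf"
}

# enabled_inetd_services CONF - print the service names still active
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# make_sample_inetd_conf FILE - write a constructed sample (not copied
# from any real system) so the functions can be tried safely
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Internet server configuration database (constructed sample)
ftp       stream  tcp      nowait  root  /usr/sbin/ftpd         ftpd
telnet    stream  tcp      nowait  root  /usr/sbin/telnetd      telnetd
shell     stream  tcp      nowait  root  /usr/sbin/rshd         rshd
login     stream  tcp      nowait  root  /usr/sbin/rlogind      rlogind
finger    stream  tcp      nowait  root  /usr/sbin/fingerd      fingerd
tftp      dgram   udp      wait    root  /usr/sbin/tftpd        tftpd /tmp
rquotad/1 dgram   rpc/udp  wait    root  /usr/sbin/rpc.rquotad  rquotad
EOF
}

# Usage on a real system (assumed path), then signal inetd to re-read the
# file with kill -HUP <pid of inetd>:
#   disable_inetd_services /etc/inetd.conf shell login exec finger tftp rquotad
#   enabled_inetd_services /etc/inetd.conf
```

Review the enabled_inetd_services output after the change: anything still listed is reachable from the network, and ftp and telnet in particular should only survive until ssh is in place.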
      

Access Controls

    1. Disable network root logins by editing the /etc/securettys file, which lists the terminals from which root may log in directly. The file should contain only the following two entries (the console and the local X display):

      /dev/console
      local:0
      

    2. Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp", and "listen". The cleanest way to shut them down is to put "*Nologin" in the password field of the /etc/passwd file, which can never match an entered password.

    3. Only add accounts for users who require access to the system. If using NIS, remove the trailing "+" entry at the end of the /etc/passwd file (it admits every NIS user) and add an explicit line for each permitted user, substituting the user name and home directory:

      +nis_user:::::/home_dir:/bin/sh
      

    4. Create an /etc/issue file to display the following warning banner:

      WARNING: To protect the system from unauthorized use and to ensure that the
      system is functioning properly, activities on this system are monitored and
      recorded and subject to audit. Use of this system is expressed consent to such
      monitoring and recording. Any unauthorized access or use of this Automated
      Information System is prohibited and could be subject to criminal and civil
      penalties.
      
      Source: CIAC-2317 Windows NT Network Security: A Manager's Guide

      Add the banner to the /etc/motd file:
      cp /etc/motd /etc/motd.orig
      cat /etc/issue /etc/motd.orig > /etc/motd
      

    5. Create a master list of the setuid/setgid programs on your system, keep it where the system's own root cannot quietly alter it (off the machine or on read-only media), and check periodically that the list remains static over time: a new or changed entry is a common sign of an intrusion.

      /bin/find / -type f \( -perm -4000 -o -perm -2000 \) \
                  -exec ls -ldb {} \;
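
The baseline-and-compare check from step 5, as an added shell example that is not part of the original guide. It wraps the find command above so the listing is sorted and reduced to the fields that matter (mode, owner, group, size, path), records it as a baseline, and later reports entries that have appeared, disappeared or changed. The file locations in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): setuid/setgid inventory
# baseline and comparison.

# setuid_list ROOT - one line per setuid/setgid regular file under ROOT:
#   mode owner group size path
# sorted by path so that diffs are stable (paths containing spaces are
# not handled).
setuid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ print $1, $3, $4, $5, $NF }' | sort -k 5
}

# setuid_baseline ROOT FILE - record the current inventory in FILE
setuid_baseline() {
    setuid_list "$1" > "$2"
}

# setuid_check ROOT FILE - compare the current inventory with FILE.
# Returns 0 if unchanged; otherwise prints the differences and returns 1.
# A changed mode, owner or size shows up as one "removed" and one "added".
setuid_check() {
    current=/tmp/setuid_check.$$
    setuid_list "$1" > "$current"
    if diff "$2" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "setuid/setgid inventory under $1 has changed:"
    diff "$2" "$current" | grep '^[<>]' |
        sed -e 's/^</  removed: /' -e 's/^>/  added:   /'
    rm -f "$current"
    return 1
}

# Usage on a real system (assumed paths):
#   setuid_baseline / /var/adm/setuid.baseline   # once, on a known-good system
#   setuid_check    / /var/adm/setuid.baseline   # periodically, e.g. from cron
```

The non-zero return from setuid_check makes it easy to mail the report only when something changed; the baseline file itself should be compared against the off-system copy from time to time, since an intruder with root can edit both the binaries and the list.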
      

    6. Execution of the su(1) command can be restricted by adding and configuring a wheel group such as that found on most BSD derived systems. Keep the commands in this order: changing the group of a set-user-ID file can clear the setuid bit, so the chmod must come last.
      /usr/sbin/groupadd -g 22 wheel
      /usr/bin/chgrp wheel /usr/bin/su
      /usr/bin/chmod 4550 /usr/bin/su


      The GID for the wheel group does not need to be 22, any valid GID can be used. You will need to edit the /etc/group file to add users to the wheel group; anyone not in it can no longer run su at all, whether or not they know the root password.

    7. Create an /etc/ftpusers file listing every account, so that ftpd refuses them all:
      cut -d: -f1 /etc/passwd > /etc/ftpusers
      chown root /etc/ftpusers
      chmod 600 /etc/ftpusers

      Remove any users that require ftp access from the /etc/ftpusers file; root and the system accounts should stay listed.

    8. Set the default umask so that it does not include world access. Add "umask 027" to the following files:
      /.new...cshrc       /.new...profile     /.proto...cshrc    /.proto...profile
      /.new...login       /.proto...login     /etc/csh.login     /etc/profile
      
    9. The files in /usr/lib/cron control which users can use the cron(8) and at(1) facilities. If an allow file exists, only the users listed in it are permitted and the corresponding deny file is ignored; the deny files are created as well so that the restriction survives if an allow file is ever removed.

      Create an /usr/lib/cron/cron.allow file:
      echo "root" > /usr/lib/cron/cron.allow
      chown root /usr/lib/cron/cron.allow
      chmod 600 /usr/lib/cron/cron.allow

      Create an /usr/lib/cron/at.allow file:
      cp -p /usr/lib/cron/cron.allow /usr/lib/cron/at.allow

      Create an /usr/lib/cron/cron.deny file:
      cut -d: -f1 /etc/passwd | grep -v '^root$' > /usr/lib/cron/cron.deny
      /usr/bin/chown root /usr/lib/cron/cron.deny
      /usr/bin/chmod 600 /usr/lib/cron/cron.deny

      Create an /usr/lib/cron/at.deny file:
      /usr/bin/cp -p /usr/lib/cron/cron.deny /usr/lib/cron/at.deny
      
    10. If CDE is installed, replace the default CDE "Welcome" greeting. If the /etc/dt/config/C directory does not exist, create the directory structure and copy the default configuration file:

      mkdir -p /etc/dt/config/C
      chmod -R a+rX /etc/dt/config
      cp -p /usr/dt/config/C/Xresources /etc/dt/config/C
      
      Add the following lines to /etc/dt/config/C/Xresources:
      Dtlogin*greeting.labelString:       %LocalHost%
      Dtlogin*greeting.persLabelString:   login: %s
      
    11. If CDE is installed, disable XDMCP connection access by creating or replacing the /etc/dt/config/Xaccess file. A leading "!" negates a pattern, so the single entry "!*" refuses every host:

      #
      # Xaccess - disable all XDMCP connections
      #
      !*

      Set the permissions on /etc/dt/config/Xaccess to 444:
      chmod 444 /etc/dt/config/Xaccess

      Xaccess only controls which hosts dtlogin answers. To stop dtlogin listening for XDMCP requests altogether, set "Dtlogin.requestPort: 0" in /etc/dt/config/Xconfig (copy /usr/dt/config/Xconfig there first if it does not exist).
      

Time Synchronization

Add the following lines to the /etc/ntp.conf file, substituting a server you are entitled to use; the list referenced below contains public servers, and where possible configure several so that one wrong clock can be detected. Accurate time matters here because the audit and syslog records configured above can only be correlated with other systems if their timestamps agree.
    #
    # Public NTP Server list: http://www.eecis.udel.edu/~mills/ntp/clock1.htm
    #
    server clock.llnl.gov


Recommended Tools

Sudo

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

TCP Wrappers

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services started by inetd.

Secure Shell (ssh)

Ssh is a program to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and encrypted communications over untrusted networks. It is intended as a replacement for rlogin, rsh, and rcp, which send passwords and session data in the clear.

Logcheck

Logcheck is a script, run from cron, that scans system logs for unusual activity and reports it by mail.


Resources

Tru64 Patches

Tru64 Documentation


jrr