UNIX System Hardening Checklist
Æleen Frisch
26 August 2002

The following checklist summarizes the major activities which are required in order to harden a UNIX system. For full information about any of the topics listed here, consult a system administration reference such as Essential System Administration, 3rd Edition (O'Reilly & Associates, 2002).
Preliminary Planning
- Understand the functions the system will be used to perform. Determine what software will be needed to provide them.
- Plan the disk partition and file system layout with security in mind.
- Plan the system's user account and group structure.
- Gather all required software:
  - Operating system installation media.
  - Patches to the operating system since the media was made.
  - Additional software packages you will need, including any patches that they require.
- Document the hardening process as you go.
Physical System Security
- Select a location which minimizes risk from accidental
damage (e.g., no overhead sprinklers).
- If appropriate, secure the physical system location with
locks and other security devices.
- Secure the cabling to network and other devices.
- Install an uninterruptible power supply (UPS) on key
servers.
- Assign a BIOS/RAM/EEPROM password to prevent unauthorized users from modifying setup settings or performing unauthorized boots.
- Attach any equipment identification tags/stickers used by your organization to the computer and its components.
Operating System Installation
- Set up disk partitioning (or logical volumes) taking
into account any security considerations.
- After the initial operating system installation, apply
any operating system patches that have been released since the
installation media was created.
- Enable the high security/trusted operating system
version if appropriate.
- Build a custom kernel which supports only the features you need, and remove support for ones you don't need. For example, for systems which are not operating as routers, you should remove the IP forwarding capabilities. Intruders can't exploit features that aren't there.
- Configure automatic booting so that administrator
intervention is not allowed (if appropriate).
- Secure the boot loader program (e.g., lilo or GRUB) with a password.
- Enable the single user mode password if necessary (e.g.,
Red Hat Linux).
Securing Local File Systems
- Look for inappropriate file and directory permissions, correcting any problems that are found. The most important of these are:
  - Group and/or world writable system executables and directories.
  - Group and/or world writable user home directories.
  - SetUID and SetGID commands.
- Select mount options for local file systems that take
advantage of any security features provided by the operating system (e.g.,
nosuid).
- On some systems under some conditions, if /usr is a separate file system, it can be
mounted read only.
- Encrypt sensitive data present on the system.
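The permission audit described in the first item of this section, written out as a small POSIX shell script. This is an added example, not part of the checklist; it assumes only a POSIX find that accepts octal -perm masks, and the function and directory names are the example's own.

```shell
#!/bin/sh
# Added example (not from the checklist): audit a directory tree for the
# permission problems listed above. Assumes only POSIX find and octal -perm.

# Files and directories under $1 writable by group or others.
# "-perm -0002" matches when the other-write bit is set, whatever else is set.
find_group_world_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print
}

# Regular files under $1 with the SetUID (4000) or SetGID (2000) bit set.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Run both checks on $1; print a report and return 1 if anything was found,
# so the function can drive a cron job or an install-time gate.
audit_permissions() {
    writable="$(find_group_world_writable "$1")"
    setid="$(find_setid_files "$1")"
    status=0
    if [ -n "$writable" ]; then
        echo "group/world writable:"; printf '%s\n' "$writable"; status=1
    fi
    if [ -n "$setid" ]; then
        echo "setuid/setgid:"; printf '%s\n' "$setid"; status=1
    fi
    return $status
}

# Typical use on a real system (output reviewed by hand):
#   audit_permissions /usr
#   audit_permissions /home
```

A vendor system legitimately ships a handful of setuid programs (su, passwd and the like), so the setuid list is something to review against the vendor's expected set and then record as a baseline, whereas a group- or world-writable system directory is almost always a defect to correct on the spot.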
Configuring and Disabling Services
- Remove or disable all unneeded services. Keep in mind that services are started in several different ways: within /etc/inittab, from system boot scripts, or by inetd. When possible, the software for an unneeded service should be removed from the system completely.
- Use secure versions of daemons when they are available.
- If at all possible, run server processes as a special user created for that purpose and not as root.
- When appropriate, run servers in an isolated directory tree via the chroot facility.
- Specify a maximum number of instances for servers which let you.
- Specify access control and logging for all services.
Install TCP Wrappers if necessary. Allow only the minimum access
necessary. Include an entry in /etc/hosts.deny that denies access to everyone (so
only access allowed in /etc/hosts.allow will be permitted).
- Use any per-service user level access control that is provided. For example, the cron and at subsystems allow you to restrict which users can use them at all. Some people recommend limiting at and cron to administrators.
- Secure all services, whether they seem security-related
or not (e.g., printing).
Securing the root Account
- Select a secure root password, and plan a schedule for
changing it regularly.
- If possible, restrict the use of the su command to a single group.
- Use sudo or system roles to grant other ordinary users limited root privilege when needed.
- Prevent direct root logins except on the system console.
User Authentication and User Account Attributes
- Set up the shadow password file (if necessary).
- Configure PAM as appropriate for the relevant commands.
- Define user account password selection and aging
settings.
- Set up other default user account restrictions as
appropriate (e.g., resource limits).
- Plan the system's group structure if necessary, as well as other similar items like projects.
- Set up default user initialization files, in /etc/skel or elsewhere, as well as the system-wide initialization files.
- Ensure that administrative and other accounts to which
no one should ever log in have a disabled password and /bin/false or another non-login shell.
- Remove unneeded predefined accounts.
Securing Remote Authentication
- Disable /etc/hosts.equiv and .rhosts passwordless authentication.
- Use ssh and its related commands for all remote user access. Disable rlogin, rsh, telnet, ftp, rcp and so on.
- Configure PAM as appropriate for the relevant commands. Be sure that direct root access is not allowed.
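The checks in this section, as an added example that is not part of the checklist: read the effective value of an sshd_config keyword, confirm that direct root logins over ssh are refused, and look for leftover .rhosts and hosts.equiv trust files. It assumes an OpenSSH-style sshd_config, where the first occurrence of a keyword is the one the daemon uses, and a find that accepts -maxdepth; the function names and sample paths are the example's own.

```shell
#!/bin/sh
# Added example, not part of the checklist: checks for the remote-authentication
# items. Assumes an OpenSSH sshd_config (the first occurrence of a keyword is the
# one sshd uses) and home directories under the path you pass in.

# Print the effective value of an sshd_config keyword (case-insensitive),
# or "unset" if the file never sets it.
sshd_option() {
    # $1: sshd_config path, $2: keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Return 0 if direct root logins over ssh are refused, 1 otherwise.
root_ssh_login_disabled() {
    [ "$(sshd_option "$1" PermitRootLogin)" = "no" ]
}

# Print any .rhosts files directly under the home directories below $1, and
# the hosts.equiv path $2 if that file exists and is non-empty. Both are
# passwordless-trust mechanisms the checklist says to disable.
find_rhosts_trust() {
    find "$1" -maxdepth 2 -name .rhosts -type f -print 2>/dev/null
    [ -s "$2" ] && echo "$2"
    return 0
}

# Typical use on a real system:
#   root_ssh_login_disabled /etc/ssh/sshd_config || echo "root ssh login still permitted"
#   find_rhosts_trust /home /etc/hosts.equiv
```

Because sshd honours the first occurrence of a keyword, a hardened "PermitRootLogin no" appended at the end of a file that already says "yes" higher up has no effect; reading the value the way the daemon does, rather than grepping for the line you added, catches that mistake.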
Set Up Ongoing System Monitoring
- Configure the syslog facility. Send/copy syslog messages to a central syslog server for redundancy.
- Enable process accounting.
- Install Tripwire, configure it, and record system
baseline data. Write the data to removable media and then remove it from
the system. Finally, configure Tripwire to run on a daily basis.
- Design and implement a plan for monitoring log
information for security-related events. The Swatch facility can be very
useful in this respect.
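The Tripwire step above rests on a simple idea: record a cryptographic digest of every file while the system is known-good, keep that record off the machine, and compare against it later. The script below is an added example of that idea in shell, not Tripwire's own code and not part of the checklist; it assumes sha256sum (or shasum) is available, records only the content hash and path, and uses names of its own choosing.

```shell
#!/bin/sh
# Added example, not part of the checklist and not Tripwire's own code: a minimal
# file-integrity baseline in the spirit of the Tripwire step. Assumes sha256sum
# (coreutils) or shasum is available; stores one "hash  path" line per file.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Write a manifest of every regular file under $1, sorted so that two
# manifests of the same tree are byte-for-byte comparable.
make_baseline() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        hash_file "$f"
    done
}

# Compare the tree under $2 against the manifest $1. Prints the lines that
# differ and returns 0 only when the tree still matches the baseline.
check_baseline() {
    current="$(make_baseline "$2")"
    baseline="$(cat "$1")"
    [ "$current" = "$baseline" ] && return 0
    tmp="$(mktemp -d)"
    printf '%s\n' "$baseline" | sort > "$tmp/baseline"
    printf '%s\n' "$current"  | sort > "$tmp/current"
    # A modified file appears once in each list (old hash and new hash).
    echo "in baseline only (removed or changed):"; comm -23 "$tmp/baseline" "$tmp/current"
    echo "in current only (added or changed):";    comm -13 "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
    return 1
}

# Typical use on a real system:
#   make_baseline /usr/sbin > /mnt/removable/usr-sbin.baseline   # then unmount and store it
#   check_baseline /mnt/removable/usr-sbin.baseline /usr/sbin    # from cron, daily
```

The baseline is only trustworthy if an intruder cannot rewrite it, which is why the checklist says to write it to removable media and take that media off the system; Tripwire additionally records ownership, permissions and inode data and signs its database, which this illustration does not.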
Backups
- Perform a full system backup and verify the backup media.
- Creating two copies of the media is a good idea.
- Plan and implement a system backup schedule.
Miscellaneous Activities
- Remove any remaining source code for the kernel or
additional software packages from the system.
- Add the new host to the security configuration on other
systems, in router access control lists, and so on, as appropriate for
your site.
- Sign up for security mailing lists if you have not
already done so.
- Get in the habit of checking vendor security web pages
on a regular basis.
Copyright © 2002, O'Reilly & Associates and Exponential Consulting, LLC. All rights reserved.