Security Audit Checklist

Here are some typical steps to take during a security audit of an enterprise system with gateways to the internet. Not all of these may apply to your system.

Priority  Description
--------  -----------
High      Scan UNIX boxes using nmap.
High      Install OpenSSH.
High      Comment out all services in /etc/inet/inetd.conf.
High      Disable all startup files for services that are not needed from /etc/rc2.d and
          /etc/rc3.d. A service is disabled by changing the capital 'S' at the start of its
          script name to a lowercase 's'.
High      Install the latest recommended Sun patches.
High      Install the latest recommended Apache patches.
High      Install the latest recommended Red Hat patches.
Low       Install Snort.
Low       Use LogSentry, or configure Logcheck, to monitor system logs.
Low       Audit the system using Nessus.
Low       Run ncheck -s to find setuid binary files.
Low       The Automated Security Enhancement Tool (ASET) checks the settings and contents of
          system files. Many of the setuid and setgid programs on Solaris are used only by
          root, or by the user or group id to which they are set. Run aset at the highest
          security level and review the report files generated in /usr/aset/reports:

              /usr/aset/aset -l high

Low       Go to Sun Blueprints and download FixModes.
Low       Configure Tripwire.
Low       Configure log files to be rotated daily, archiving old versions for 30 days, in
          /etc/logadm.conf (Solaris >= 9).
Low       Disable network root logins by enabling the "CONSOLE" line in /etc/default/login.
Low       Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp",
          and "listen". The cleanest way to shut them down is to put "NP" in the password
          field of the /etc/shadow file.
Low       Create a master list of the remaining setuid/setgid programs and check that the
          list remains static over time:

              /bin/find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;

Low       Use HostSentry to perform Login Anomaly Detection (LAD).
Low       Verify the integrity of binaries.
Low       To prevent NICs from being put into promiscuous mode, tighten security on ifconfig.
Low       Turn off NFS (rpcbind).
Low       Once a week, check for Trojans.
Low       Monitor network traffic.
Low       Once a month, check for weak passwords by running John the Ripper.
Low       Configure sudo so that admins can give certain users (or groups of users) the
          ability to run some (or all) commands as root while logging all commands and
          arguments.
Low       Start the Apache server as a non-root user.
Low       Ensure that all of the startup scripts run with the proper umask by running umask.sh.
Low       Control execution of the su(1M) command by adding and configuring a wheel group.
Low       Because the /usr/lib/sendmail daemon is no longer running (see the process list
          below), add the following line to root's crontab so that queued mail is still
          delivered:

              0 * * * * /usr/lib/sendmail -q

Low       Create a syslog box.
Low       Set the default umask so that it does not include world access. Add "umask 027" to
          the following files:

              /etc/.login
              /etc/profile
              /etc/skel/local.cshrc
              /etc/skel/local.login
              /etc/skel/local.profile

          Enable the "UMASK" line in /etc/default/login and set the value to 027.
Low       Tighten /etc/cron.d.
Low       Edit /etc/inet/ntp.conf so that one server gets its time from the internet and
          all other servers synchronise against that server.
Low       Encrypt and authenticate the password page.
Low       Remove gcc and X Windows.
Low       Harden Linux boxes using Bastille?
Low       Configure PentaSafe?


Processes to permanently disable

Process                                    Action
-----------------------------------------  --------------------------------------------------
/usr/sbin/rpcbind                          Turn off on a test machine first; test performance
                                           and functionality.
/usr/lib/autofs/automountd                 Turn off on a test machine first; test performance
                                           and functionality.
/usr/lib/nfs/statd                         Turn off.
/usr/lib/nfs/lockd                         Turn off.
/usr/sbin/inetd -s                         Turn on only if telnet or ftp is in use; otherwise
                                           turn off.
/usr/sbin/vold                             Turn off.
/usr/lib/lpsched                           Turn off.
/usr/dt/bin/dtlogin -daemon                Turn off.
/usr/lib/snmp/snmpdx -y -c /etc/snmp/conf  Turn off.
/usr/lib/dmi/snmpXdmid -s hostname         Turn off.
/usr/lib/dmi/dmispd                        Turn off on a test machine first; test performance
                                           and functionality.
mibiisa -r -p 32794                        Turn off.
/usr/lib/sendmail -bd -q15m                Turn off.
in.telnetd                                 Turn off.