Security Audit Checklist
Here are some typical steps to take during a security audit of an enterprise system with gateways to the internet. Not all of them will apply to every system.
Priority  Description
--------  -----------
High      Scan UNIX boxes using nmap.
High      Install OpenSSH.
High      Comment out all services in /etc/inet/inetd.conf.
High      Disable all startup files for services that are not needed from
          /etc/rc2.d and /etc/rc3.d. Services may be disabled by changing
          the capital 'S' at the start of the script name to a lowercase 's'.
High      Install the latest recommended Sun patches.
High      Install the latest recommended Apache patches.
High      Install the latest recommended Red Hat patches.
Low       Install Snort.
Low       Use LogSentry or configure Logcheck to monitor system logs.
Low       Audit the system using Nessus.
Low       Run ncheck -s to find setuid binary files.
Low       The Automated Security Enhancement Tool (ASET) checks the settings
          and contents of system files. Many of the setuid and setgid
          programs on Solaris are used only by root, or by the user or
          group ID to which they are set. Run aset at the highest security
          level and review the report files it generates in
          /usr/aset/reports:
              /usr/aset/aset -l high
Low       Go to Sun Blueprints and download FixModes.
Low       Configure Tripwire.
Low       Configure log files to be rotated daily, archiving old versions
          for 30 days, in /etc/logadm.conf (Solaris >= 9):
Low       Disable network root logins by enabling the "CONSOLE" line in
          /etc/default/login.
Low       Remove, lock, or comment out unnecessary accounts, including
          "sys", "uucp", "nuucp", and "listen". The cleanest way to shut
          them down is to put "NP" in the password field of /etc/shadow.
Low       Create a master list of the remaining setuid/setgid programs and
          check that the list remains static over time:
              /bin/find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;
Low       Use HostSentry to perform Login Anomaly Detection (LAD).
Low       Verify the integrity of binaries.
Low       To prevent NICs from being put into promiscuous mode, tighten
          security on ifconfig.
Low       Turn off NFS (rpcbind).
Low       Once a week, check for Trojans.
Low       Monitor network traffic.
Low       Once a month, check for weak passwords by running John the Ripper.
Low       Configure sudo to allow admins to give certain users (or groups of
          users) the ability to run some (or all) commands as root while
          logging all commands and arguments.
Low       Start the Apache server as a non-root user.
Low       Ensure that all of the startup scripts run with the proper umask by
          running umask.sh.
Low       Control execution of the su(1M) command by adding and configuring
          a wheel group.
Low       Because the /usr/lib/sendmail daemon is not running, add the
          following line to root's crontab file:
              0 * * * * /usr/lib/sendmail -q
Low       Create a syslog box.
Low       Set the default umask so that it does not include world access.
          Add "umask 027" to the following files:
              /etc/.login
              /etc/profile
              /etc/skel/local.cshrc
              /etc/skel/local.login
              /etc/skel/local.profile
          Enable the "UMASK" line in /etc/default/login and set the value
          to 027.
Low       Tighten /etc/cron.d.
Low       Edit /etc/inet/ntp.conf. Have one server get its time from the
          internet and all other servers sync against that server.
Low       Encrypt and authenticate the password page.
Low       Remove gcc and X Windows.
Low       Harden Linux boxes using Bastille?
Low       Configure PentaSafe?
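The checklist's find command lists the setuid/setgid programs but leaves the "check that the list remains static over time" part to the reader. The script below is an added example, not part of the original checklist: it records a baseline of mode, owner, group and path (deliberately not size or mtime, which change legitimately with patches) and reports drift on later runs. The function names, the ROOT parameter and the suggested baseline path under /var/adm are my own assumptions.

```shell
#!/bin/sh
# Added example, not the checklist author's code: keep a baseline of the
# setuid/setgid programs on a host and report drift against it. Each
# record is "mode owner group path" rather than the full ls -l line, so
# legitimate changes in size or mtime do not show up as drift.
# ROOT (directory to scan) and FILE (baseline path) are assumed parameters.
# Paths containing spaces or newlines would break the awk field split.

# setuid_inventory ROOT: one sorted record per setuid/setgid regular file
setuid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# setuid_baseline ROOT FILE: record the current inventory as the baseline
setuid_baseline() {
    setuid_inventory "$1" > "$2"
}

# setuid_check ROOT FILE: compare the current inventory with the baseline.
# Prints "+ record" for files that are new (or whose mode/owner changed)
# and "- record" for records no longer present. Returns 0 when identical,
# 1 when anything drifted, so a cron job can alert on a non-zero exit.
setuid_check() {
    current=$(mktemp)
    setuid_inventory "$1" > "$current"
    added=$(LC_ALL=C comm -13 "$2" "$current")
    removed=$(LC_ALL=C comm -23 "$2" "$current")
    rm -f "$current"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# Usage (as root): run "setuid_baseline / /var/adm/setuid.baseline" once
# after hardening, then "setuid_check / /var/adm/setuid.baseline" daily
# from cron; any "+" line is a new privileged binary to explain.
```

Because comm needs sorted input, both the baseline and the live inventory are sorted with LC_ALL=C so the comparison is locale-independent; a baseline written on one box can be used to audit an identically built one.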
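The umask item above touches five rc files plus /etc/default/login, and the edits must not be duplicated on a second run. The following shell functions are an added example, not part of the original checklist: they rewrite an existing umask line or append one, enable the UMASK line in /etc/default/login as 027, and audit a tree for files that still deviate. ROOT is an assumed prefix parameter so the functions can be tried on a scratch copy; pass "" for the live files.

```shell
#!/bin/sh
# Added example, not the checklist author's code: apply and audit the
# checklist's umask setting in the five login rc files it lists and in
# /etc/default/login. ROOT is an assumed prefix so the functions can be
# exercised on a scratch tree; pass "" to operate on the live files.

RC_FILES="etc/.login etc/profile etc/skel/local.cshrc etc/skel/local.login etc/skel/local.profile"

# umask_of FILE: print the value from the last "umask NNN" line, if any
umask_of() {
    [ -r "$1" ] || return 0
    awk '$1 == "umask" { v = $2 } END { if (v != "") print v }' "$1"
}

# set_rc_umask FILE: leave FILE with exactly one "umask 027": an existing
# umask line is rewritten, otherwise one is appended. The result is
# written back with cat so the file keeps its owner and mode (sed -i is
# neither POSIX nor present on old Solaris).
set_rc_umask() {
    rcfile=$1
    if [ ! -e "$rcfile" ]; then
        echo "set_rc_umask: $rcfile missing, skipped" >&2
        return 0
    fi
    tmpf=$(mktemp)
    if grep -q '^umask ' "$rcfile"; then
        sed 's/^umask .*/umask 027/' "$rcfile" > "$tmpf"
    else
        cat "$rcfile" > "$tmpf"
        printf 'umask 027\n' >> "$tmpf"
    fi
    cat "$tmpf" > "$rcfile"
    rm -f "$tmpf"
}

# set_login_umask FILE: enable the UMASK line in /etc/default/login
# (a commented "#UMASK=..." line is uncommented) and set it to 027
set_login_umask() {
    loginfile=$1
    if [ ! -e "$loginfile" ]; then
        echo "set_login_umask: $loginfile missing, skipped" >&2
        return 0
    fi
    tmpf=$(mktemp)
    if grep -q '^#*UMASK=' "$loginfile"; then
        sed 's/^#*UMASK=.*/UMASK=027/' "$loginfile" > "$tmpf"
    else
        cat "$loginfile" > "$tmpf"
        printf 'UMASK=027\n' >> "$tmpf"
    fi
    cat "$tmpf" > "$loginfile"
    rm -f "$tmpf"
}

# harden_umask ROOT: apply both settings under ROOT (idempotent)
harden_umask() {
    for rel in $RC_FILES; do
        set_rc_umask "$1/$rel"
    done
    set_login_umask "$1/etc/default/login"
}

# audit_umask ROOT: report files whose umask is not 027; returns 1 if any
audit_umask() {
    bad=0
    for rel in $RC_FILES; do
        if [ "$(umask_of "$1/$rel")" != "027" ]; then
            echo "$1/$rel: umask not set to 027"
            bad=1
        fi
    done
    if ! grep -q '^UMASK=027$' "$1/etc/default/login" 2>/dev/null; then
        echo "$1/etc/default/login: UMASK line not enabled as 027"
        bad=1
    fi
    return $bad
}

# Usage (as root): harden_umask "" to apply, audit_umask "" to verify.
```

audit_umask is the check to keep in a periodic job: it reads the last umask line of each file, so a later "umask 022" appended by someone else is caught even though the 027 line is still present.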
Processes to permanently disable
Process                                       Action
-------                                       ------
/usr/sbin/rpcbind                             Turn off on a test machine first; test performance and functionality.
/usr/lib/autofs/automountd                    Turn off on a test machine first; test performance and functionality.
/usr/lib/nfs/statd                            Turn off.
/usr/lib/nfs/lockd                            Turn off.
/usr/sbin/inetd -s                            Turn on if running telnet or ftp, otherwise off.
/usr/sbin/vold                                Turn off.
/usr/lib/lpsched                              Turn off.
/usr/dt/bin/dtlogin -daemon                   Turn off.
/usr/lib/snmp/snmpdx -y -c /etc/snmp/conf     Turn off.
/usr/lib/dmi/snmpXdmid -s hostname            Turn off.
/usr/lib/dmi/dmispd                           Turn off on a test machine first; test performance and functionality.
mibiisa -r -p 32794                           Turn off.
/usr/lib/sendmail -bd -q15m                   Turn off.
in.telnetd                                    Turn off.
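The High-priority checklist item on /etc/rc2.d and /etc/rc3.d and the process table above both come down to the same mechanical step: rename the S<nn>name start script to s<nn>name so init skips it. The script below is an added example, not the checklist author's code, that does this for a list of services across both run-level directories, distinguishes "renamed" from "already disabled" from "no such script", and lists what is still enabled afterwards. RC_BASE (the directory holding rc2.d and rc3.d) is an assumed parameter so it can be exercised on a scratch copy before touching /etc.

```shell
#!/bin/sh
# Added example, not the checklist author's code: disable SysV start
# scripts by renaming S<nn><name> to s<nn><name>, which is how the
# checklist says a service is told not to start at boot. RC_BASE is an
# assumed parameter (the directory containing rc2.d and rc3.d) so the
# functions can be tried on a scratch copy before being run against /etc.

# list_start_scripts RCDIR: print the names of the still-enabled S* scripts
list_start_scripts() {
    rcdir=$1
    for script in "$rcdir"/S*; do
        [ -e "$script" ] || continue
        basename "$script"
    done
}

# disable_rc_service RCDIR NAME: rename S<nn>NAME to s<nn>NAME.
# Returns 0 when a script was renamed, 2 if it was already disabled,
# 1 if no script of that name exists in RCDIR.
disable_rc_service() {
    rcdir=$1
    svcname=$2
    renamed=0
    for script in "$rcdir"/S[0-9][0-9]"$svcname"; do
        [ -e "$script" ] || continue
        scriptbase=$(basename "$script")
        mv "$script" "$rcdir/s${scriptbase#S}"
        renamed=1
    done
    [ "$renamed" -eq 1 ] && return 0
    for script in "$rcdir"/s[0-9][0-9]"$svcname"; do
        [ -e "$script" ] && return 2
    done
    return 1
}

# disable_unneeded RC_BASE NAME...: disable each NAME in both rc2.d and
# rc3.d and report what happened; a service with no script in one of the
# two directories is not an error
disable_unneeded() {
    rcbase=$1
    shift
    for svc in "$@"; do
        for level in rc2.d rc3.d; do
            status=0
            disable_rc_service "$rcbase/$level" "$svc" || status=$?
            case $status in
                0) echo "$level: disabled $svc" ;;
                2) echo "$level: $svc already disabled" ;;
                *) ;;
            esac
        done
    done
}

# Usage against the live system (as root), with constructed example
# service names that match the Solaris S<nn>name convention:
#   disable_unneeded /etc nfs.client nfs.server dtlogin
#   list_start_scripts /etc/rc2.d     # review what is still enabled
```

Renaming rather than deleting keeps the script available for the "test performance and functionality" step in the table: if something breaks, renaming s back to S re-enables the service without reinstalling anything.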