It is advisable to start working on network security items first;
they represent either locking the system down so you can work safely,
or installing the basic tools you need to do anything else comfortably.
| /etc/xinetd.conf | Disable all unneeded services. Interactive access to the system should be restricted to encrypted connections if feasible. |
| standalone daemons | Disable boot-time start-up of all unneeded daemons; depending on the O/S, check out rc.conf, rc.local, /sbin/init.d, /etc/init.d, /etc/rc.d/init.d, /etc/rc.d. |
| hosts.allow | Use tcp_wrappers to restrict access only to hosts within the local network domain wherever possible. Also use it to restrict services (except pidentd), paying special attention to unencrypted services. |
| root logins | Disallow unencrypted root logins over the network; see /etc/securettys, /etc/ttys, or /etc/ttytab depending on the O/S. |
| check processes | Use "ps aux" right after a reboot: is anything running that you don't recognize? |
| check listeners | Use "netstat -a" right after a reboot: are there any connections or listeners that you don't understand? |
| authorized_keys | Check root's .ssh/authorized_keys file. Make sure that you know and understand (and limit!) trust relationships between hosts. |
| /etc/passwd | Make sure that all of the accounts in /etc/passwd are known to you (or are managed by AGEM). Disable logins on system accounts aside from root. |
| /etc/fstab | Mount /usr read-only if you can. |
| root path | root's path should not contain "." or any user-writable directories. |
| root UMASK | Consider using a restrictive UMASK when working as root; in root's .cshrc and .profile, put "umask 077". |
| root .cshrc | To facilitate things for all of us, use a ~root/.cshrc that sources each sysadmin's .cshrc. |
| privs and perms | Any remaining privileged (setuid/setgid) programs should have all read and write permissions removed. |

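One way to check the "root path" item above, as an added example that is not part of the original checklist: it reports empty and relative entries (both are searched as the current directory) and directories that are group- or world-writable or not owned by a trusted uid. The function name audit_path and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a colon-separated search path such as root's PATH.
# audit_path PATH_STRING [TRUSTED_UID]   (TRUSTED_UID defaults to 0, root)
# Prints one finding per line; prints nothing when the path is clean.
audit_path() {
    path_value=$1
    trusted_uid=${2:-0}
    # One entry per line; an empty line is an empty entry ("::" or a
    # leading/trailing ":"), which the shell searches as ".".
    printf '%s\n' "$path_value" | tr ':' '\n' | while IFS= read -r dir; do
        case $dir in
            '') echo "EMPTY entry (searched as the current directory)"
                continue ;;
            /*) ;;
            *)  echo "RELATIVE $dir"
                continue ;;
        esac
        # -L follows symlinks (e.g. /bin -> usr/bin); -n prints numeric owners.
        info=$(ls -ldLn -- "$dir" 2>/dev/null) || continue   # entry is missing
        mode=${info%% *}
        owner=$(printf '%s\n' "$info" | awk '{print $3}')
        # Group write is the 6th mode character, other write the 9th.
        case $mode in
            d????w*|d???????w*) echo "WRITABLE $dir ($mode)" ;;
        esac
        case $mode in
            d*) if [ "$owner" != "$trusted_uid" ]; then
                    echo "OWNER $dir (uid $owner)"
                fi ;;
        esac
    done
    return 0
}

# Audit the calling user's PATH; run as root to check root's.
audit_path "$PATH"
```

The check covers each listed directory only; it does not walk up to parent directories.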
You should set up the following files in /local/pkg/_OS:
| TRANSCRIPT | Documentation of initial O/S installation. |
| OSMODS | Any changes made to the O/S and configuration with respect to the vendor's installation. (Note: there is an OSMODS file with each software package that requires O/S modifications; use the "general" OSMODS file only for modifications not already documented with a software package.) |
| LOCALMODS | Any modifications required outside the O/S (i.e., outside /, /usr, and /var partitions), which are not already documented in a software package's LOCALMODS file. |
| SERVICE_CALLS | Support calls to the vendor, their outcome, and their status. Useful to refer to when problems recur. |
| HISTORY | One-line descriptions of major events in the system's history, such as O/S or hardware upgrades, hardware maintenance, patchkit installations, etc. |
| WHERE_I_CAME_FROM | Provenance of O/S, O/S patches, and additional software packages installed into the O/S (e.g. Compaq's additional products). |
| disks/ | Disk layouts (LAYOUT), partition tables (disklabel.xxN), RAID information, special instructions for nonstandard filesystems, and so on. (If you are generating some of those files automatically, it is OK to just symlink to the autogenerated version.) |
| kernel config file | Copy of /usr/src/linux/.config, or /sys/conf/HOSTNAME, or whatever (i.e., the file used to configure and compile the kernel). |

These will not necessarily live on your system:
| host information data sheet | Fill out and submit a host information sheet for your host and give a copy to Operations. |
| disaster recovery | Make sure that your system's disaster recovery info will be pulled by Eridani.i (See below for required software.) |

| perl | (System package) Required by most of our tools, including publish. |
| publish | (Local software) Needed for all software installations, including perl's! |
| ssh | (System package) Required for working on the system remotely. Note that there are some local hacks to ssh. Always use session encryption (ssh) when becoming root! |
| pidentd | (System package) |
| tcp_wrappers | (System package) |
| remote file integrity checker | (tripwire/remoteMD5 or some equivalent) |
| tcsh | |
| lsof | (System package) |
| fsr | (Local install) |
| **cracklib | (Required by yapasswd.) See this link for possible alternatives. |
| **yapasswd | (Requires cracklib.) See cracklib entry above for possible alternatives. |
| su | Make sure that "su" enforces group zero membership. This is done by modifying /etc/pam.d/su to use the options "use_uid group=root root_only". |

See also the system monitoring and management section for
additional required packages.
| /etc/syslog.conf | Make sure that all events of interest are logged, and use the Unix group's standard filenames. |
| newsyslog | (Local install) Set up and test log file rotation. Can also investigate the possibility of using a system package in its place. |
| authstats | This program summarizes access control log entries from authlog; set it up to run nightly. (Not required on Alcor.) |
| monitor-su | This program summarizes su entries and root logins from authlog; set it up to run nightly. |
| Netbackup | (Local install) |
| tiger | System tool for security auditing and intrusion detection. |
| tmp-cleaners | (Local install) Clean out old files in /tmp. |
| LOCAL.inform | (Local install) Notify sysadmin on boot and shutdown. |
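
A sketch of the kind of nightly summary the monitor-su entry describes, as an added example that is not the site's monitor-su program. It assumes BSD-style su messages and OpenSSH sshd messages in authlog; the function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example: summarize su attempts and root ssh logins from an authlog.
# Assumed message formats: BSD su ("alice to root on /dev/ttyp1",
# "BAD SU bob to root on /dev/ttyp2") and OpenSSH sshd
# ("Accepted|Failed <method> for root from <addr> ...").

# Constructed sample input, not taken from a real system.
sample_authlog() {
    cat <<'EOF'
Mar  3 02:11:07 host1 su: alice to root on /dev/ttyp1
Mar  3 02:15:42 host1 su: BAD SU bob to root on /dev/ttyp2
Mar  3 02:15:50 host1 su: BAD SU bob to root on /dev/ttyp2
Mar  3 03:01:19 host1 sshd[4121]: Accepted publickey for root from 192.0.2.10 port 51515 ssh2
Mar  3 03:40:00 host1 sshd[4188]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 04:00:01 host1 sshd[4200]: Accepted password for carol from 192.0.2.11 port 50000 ssh2
EOF
}

# summarize_su [LOGFILE]: reads LOGFILE (or stdin) and prints
# "<count> <event> <detail>" lines, most frequent first.
summarize_su() {
    awk '
        # Fields: month day time host tag message...
        $5 ~ /^su(\[[0-9]+\])?:$/ {
            if ($6 == "BAD" && $7 == "SU") n["su-failed " $8 "->" $10]++
            else if ($7 == "to")           n["su-ok " $6 "->" $8]++
        }
        $5 ~ /^sshd(\[[0-9]+\])?:$/ && $8 == "for" && $9 == "root" && $10 == "from" {
            if ($6 == "Accepted")    n["root-login-ok " $11]++
            else if ($6 == "Failed") n["root-login-failed " $11]++
        }
        END { for (k in n) print n[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

sample_authlog | summarize_su
```

Non-root logins (carol in the sample) are deliberately left out, since the summary covers only su entries and root logins.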