UNIX SECURITY CHECKLIST

Mandatory actions must be completed as soon as practical. Non-mandatory actions should be completed unless there is an operational need to maintain a non-standard configuration. If not completed, a justification should be referred to in the "Complete" column.

Ref. Action Yes No

1.0 Quarterly, review the Web pages for the latest OS patches

2.0 Network Security

2.1 Remove the hosts.equiv file. If needed, configure as per reference 2.1 of the SA Handbook

2.2 Remove the $HOME/.rhosts files. If needed, configure as per reference 2.2 of the SA Handbook

2.3 Disable NFS

2.4 Remove /etc/hosts.lpd. If needed, configure as per reference 2.4 of the SA Handbook

2.5 Configure /etc/ttys, /etc/ttytab, /etc/default/login, and /etc/security as per reference 2.5 of the SA Handbook

2.6 Configure /etc/inetd.conf as per reference 2.6 of the SA Handbook

2.7 Configure /etc/services as per reference 2.7 of the SA Handbook

2.8 In TCP Wrappers, configure hosts.allow with the IP addresses of the machines allowed access to your machine. Do this for every applicable service. Confirm that hosts.deny denies all.

2.9 Configure /etc/aliases as per reference 2.9 of the SA Handbook

2.10 Quarterly, web sites for the latest version of sendmail.

2.11 Quarterly, web sites for the latest version of the http daemon.

3.0 FTP and Anonymous FTP

3.1 Quarterly, review web sites to obtain the latest version of the ftp daemon

3.2 Disable anonymous ftp

4.0 Password and Account Security

4.1 Configure the following non-default password/account parameters: Logintimeout = 60; maxage = 12; maxrepeat = 2; maxexpired = 4; histexpire = 52; histsize = 8; pwdwarntime = 5; minalpha = 3; minother = 1; minlen = 6; mindiff = 3

4.2 Configure the user account to be disabled after 3 unsuccessful attempts. Refer to 4.2 of the SA Handbook for instructions.

4.3 Disable NIS.

4.4 Check the /etc/passwd file. All files should be marked with a "*" or a "+". The "guest" account and vendor accounts should be removed or disabled.

4.5 Disable the shared id at the console and over the network.

4.6 Use the "env" command to show the root PATH. It should not include a ".". If it does, remove it.

4.7 Remove the ".netrc" file.

5.0 File System Security

5.1 Remove the ".exrc" and ".forward" files

5.2 Quarterly, check web sites for the latest version of the /usr/lib/expreserve

5.3 Disable NFS

5.4 Ensure that only approved devices are present on the system. The only /dev files that a user can read or write to are /dev/null, /dev/tty, and /dev/console.

5.5 Ensure that file permissions are set as per reference 5.5 of the SA Handbook

5.6 Set the sticky bit on /tmp and /var/tmp

5.7 Any file or directory that is world writeable must be authorized

5.8 Set suid or sgid bits on appropriate files

5.9 If a file is run by root, it must be owned by root and NOT group or world writeable

6.0 Security and X Windows

6.1 Quarterly, check web sites for the latest version of the xdm

6.2 Ensure that the system-wide xsession file, user xsession files, and other programs and scripts that use the X windows system do NOT contain the "xhost +" command

7.0 Administrative Actions

7.1 Check the audit logs (/var/adm/messages) for the following events:
- Successful/unsuccessful login attempts
- Actions by root users

7.2 Review Audit logs daily for:
- Unauthorized su attempts (/var/adm/sulog)
- Repeated login failures (/var/adm/messages)

7.3 Keep OS audit logs for 6 months

7.4 Disable dormant user accounts after 3 months; remove after 6 months

7.5 Enable resource restrictions for users

7.6 System Administrators must use absolute path names when root

7.7 Ensure the system displays an Agency approved Warning Banner at login

Ref. JUSTIFICATION FOR DEVIATIONS

SYSTEM ADMINISTRATOR DATE:

Signature:_________ ____

Ref.	Action	Yes	No
1.0	Quarterly, review the Web pages for the latest OS patches
2.0	Network Security
2.1	Remove the hosts.equiv file. If needed, configure as per reference 2.1 of the SA Handbook
2.2	Remove the $HOME/.rhosts files. If needed, configure as per reference 2.2 of the SA Handbook
2.3	Disable NFS
2.4	Remove /etc/hosts.lpd. If needed, configure as per reference 2.4 of the SA Handbook
2.5	Configure /etc/ttys, /etc/ttytab, /etc/default/login, and /etc/security as per reference 2.5 of the SA Handbook
2.6	Configure /etc/inetd.conf as per reference 2.6 of the SA Handbook
2.7	Configure /etc/services as per reference 2.7 of the SA Handbook
2.8	In TCP Wrappers, configure hosts.allow with the IP addresses of the machines allowed access to your machine. Do this for every applicable service. Confirm that hosts.deny denies all.
2.9	Configure /etc/aliases as per reference 2.9 of the SA Handbook
2.10	Quarterly, web sites for the latest version of sendmail.
2.11	Quarterly, web sites for the latest version of the http daemon.
3.0	FTP and Anonymous FTP
3.1	Quarterly, review web sites to obtain the latest version of the ftp daemon
3.2	Disable anonymous ftp
4.0	Password and Account Security
4.1	Configure the following non-default password/account parameters: Logintimeout = 60; maxage = 12; maxrepeat = 2; maxexpired = 4; histexpire = 52; histsize = 8; pwdwarntime = 5; minalpha = 3; minother = 1; minlen = 6; mindiff = 3
4.2	Configure the user account to be disabled after 3 unsuccessful attempts. Refer to 4.2 of the SA Handbook for instructions.
4.3	Disable NIS.
4.4	Check the /etc/passwd file. All files should be marked with a "*" or a "+". The "guest" account and vendor accounts should be removed or disabled.
4.5	Disable the shared id at the console and over the network.
4.6	Use the "env" command to show the root PATH. It should not include a ".". If it does, remove it.
4.7	Remove the ".netrc" file.
5.0	File System Security
5.1	Remove the ".exrc" and ".forward" files
5.2	Quarterly, check web sites for the latest version of the /usr/lib/expreserve
5.3	Disable NFS
5.4	Ensure that only approved devices are present on the system. The only /dev files that a user can read or write to are /dev/null, /dev/tty, and /dev/console.
5.5	Ensure that file permissions are set as per reference 5.5 of the SA Handbook
5.6	Set the sticky bit on /tmp and /var/tmp
5.7	Any file or directory that is world writeable must be authorized
5.8	Set suid or sgid bits on appropriate files
5.9	If a file is run by root, it must be owned by root and NOT group or world writeable
6.0	Security and X Windows
6.1	Quarterly, check web sites for the latest version of the xdm
6.2	Ensure that the system-wide xsession file, user xsession files, and other programs and scripts that use the X windows system do NOT contain the "xhost +" command
7.0	Administrative Actions
7.1	Check the audit logs (/var/adm/messages) for the following events: - Successful/unsuccessful login attempts - Actions by root users
7.2	Review Audit logs daily for: - Unauthorized su attempts (/var/adm/sulog) - Repeated login failures (/var/adm/messages)
7.3	Keep OS audit logs for 6 months
7.4	Disable dormant user accounts after 3 months; remove after 6 months
7.5	Enable resource restrictions for users
7.6	System Administrators must use absolute path names when root
7.7	Ensure the system displays an Agency approved Warning Banner at login
Ref.	JUSTIFICATION FOR DEVIATIONS








SYSTEM ADMINISTRATOR			DATE:
Signature:_________			____