UNIX SECURITY CHECKLIST


Mandatory actions must be completed as soon as practical. Non-mandatory actions should be completed unless there is an operational need to maintain a non-standard configuration. If not completed, a justification should be referred to in the "Complete" column.

| Ref. | Action | Yes | No |
|------|--------|-----|----|
| 1.0 | Quarterly, review the vendor Web pages for the latest OS patches | | |

2.0 Network Security

| Ref. | Action | Yes | No |
|------|--------|-----|----|
| 2.1 | Remove the hosts.equiv file. If needed, configure as per reference 2.1 of the SA Handbook | | |
| 2.2 | Remove the $HOME/.rhosts files. If needed, configure as per reference 2.2 of the SA Handbook | | |
| 2.3 | Disable NFS | | |
| 2.4 | Remove /etc/hosts.lpd. If needed, configure as per reference 2.4 of the SA Handbook | | |
| 2.5 | Configure /etc/ttys, /etc/ttytab, /etc/default/login, and /etc/security as per reference 2.5 of the SA Handbook | | |
| 2.6 | Configure /etc/inetd.conf as per reference 2.6 of the SA Handbook | | |
| 2.7 | Configure /etc/services as per reference 2.7 of the SA Handbook | | |
| 2.8 | In TCP Wrappers, configure hosts.allow with the IP addresses of the machines allowed access to your machine. Do this for every applicable service. Confirm that hosts.deny denies all. | | |
| 2.9 | Configure /etc/aliases as per reference 2.9 of the SA Handbook | | |
| 2.10 | Quarterly, review web sites for the latest version of sendmail | | |
| 2.11 | Quarterly, review web sites for the latest version of the http daemon | | |
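The following shell script is an added example, not part of the checklist or the SA Handbook: it turns items 2.1, 2.2 and 2.8 into repeatable checks. Every function takes the path it inspects as an argument, so the same code runs against the constructed sample tree built here (the `make_sample_tree` function and the addresses in it are invented for the demonstration) or, with `/` and the real `/etc` files, against a live host.

```shell
#!/bin/sh
# Added example, not part of the checklist: shell checks for items 2.1, 2.2
# and 2.8. Every function takes the path it inspects as an argument, so the
# same code runs against the constructed sample tree below or a live /etc.

# 2.8: hosts.deny must close the door by default with a catch-all line.
deny_is_catch_all() {            # $1 = hosts.deny; exit 0 when "ALL: ALL" is present
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|:|$)' "$1"
}

# 2.8: hosts.allow entries should name explicit client addresses. Prints the
# number of uncommented entries whose client field is the ALL wildcard.
wildcard_allow_lines() {         # $1 = hosts.allow
    grep -Eic '^[^#:]*:[[:space:]]*ALL([[:space:]]|:|$)' "$1" || true
}

# 2.1 / 2.2: trust files the checklist says to remove. Prints each one
# found; no output means the host is clean.
trust_files_present() {          # $1 = root of the tree (/ on a live host)
    find "$1/etc" -maxdepth 1 -name hosts.equiv 2>/dev/null
    find "$1/home" -maxdepth 2 -name .rhosts 2>/dev/null
}

# Builds a constructed sample tree with one deliberate finding per check and
# prints its path; the caller removes it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice"
    : > "$d/home/alice/.rhosts"            # leftover per-user trust file (finding)
    cat > "$d/etc/hosts.allow" <<'EOF'
# constructed: one explicit entry (good), one wildcard entry (finding)
sshd: 192.0.2.10 192.0.2.11
in.ftpd: ALL
EOF
    printf 'ALL: ALL\n' > "$d/etc/hosts.deny"
    printf '%s\n' "$d"
}

# Stand-alone run: report on the sample tree.
SAMPLE=$(make_sample_tree)
if deny_is_catch_all "$SAMPLE/etc/hosts.deny"; then
    echo "hosts.deny: catch-all present"
else
    echo "hosts.deny: MISSING catch-all (ALL: ALL)"
fi
echo "hosts.allow: $(wildcard_allow_lines "$SAMPLE/etc/hosts.allow") wildcard entries"
trust_files_present "$SAMPLE" | sed 's/^/trust file to remove: /'
rm -rf "$SAMPLE"
```

On a real host, run the three functions with `/etc/hosts.deny`, `/etc/hosts.allow` and `/`; a missing catch-all, a non-zero wildcard count, or any listed trust file is a "No" for the corresponding row until it is fixed or justified.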
3.0 FTP and Anonymous FTP

| Ref. | Action | Yes | No |
|------|--------|-----|----|
| 3.1 | Quarterly, review web sites to obtain the latest version of the ftp daemon | | |
| 3.2 | Disable anonymous ftp | | |
4.0 Password and Account Security

| Ref. | Action | Yes | No |
|------|--------|-----|----|
| 4.1 | Configure the following non-default password/account parameters: Logintimeout = 60; maxage = 12; maxrepeat = 2; maxexpired = 4; histexpire = 52; histsize = 8; pwdwarntime = 5; minalpha = 3; minother = 1; minlen = 6; mindiff = 3 | | |
| 4.2 | Configure the user account to be disabled after 3 unsuccessful attempts. Refer to 4.2 of the SA Handbook for instructions. | | |
| 4.3 | Disable NIS. | | |
| 4.4 | Check the /etc/passwd file. Every entry's password field should be marked with a "*" or a "+". The "guest" account and vendor accounts should be removed or disabled. | | |
| 4.5 | Disable the shared id at the console and over the network. | | |
| 4.6 | Use the "env" command to show the root PATH. It should not include a ".". If it does, remove it. | | |
| 4.7 | Remove the ".netrc" file. | | |
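An added example (not from the checklist) for items 4.4 and 4.6: a password-file audit and a PATH check. The sample password file and the `ROOT_PATH` value are constructed for the demonstration; on a live host point `empty_password_accounts` at `/etc/passwd` and feed `path_has_cwd` the output of `env` in a root shell, as the checklist says. Note that the check also treats an empty PATH component (a leading, trailing or doubled colon) as "." because the shell searches the current directory for it too.

```shell
#!/bin/sh
# Added example, not part of the checklist: checks for items 4.4 and 4.6.
# The password file path is a parameter so the functions can be pointed at
# the constructed sample below or at the live /etc/passwd.

# 4.4: an empty second field means the account needs no password at all.
# Locked entries carry "*", "+" (NIS marker) or a hash/"x" in that field.
empty_password_accounts() {      # $1 = passwd file; prints one login name per line
    awk -F: '$2 == "" { print $1 }' "$1"
}

# 4.4: report whether a named account (e.g. guest) still exists.
account_exists() {               # $1 = passwd file, $2 = login name; exit 0 if present
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# 4.6: exit 0 when PATH contains "." or an empty component (both mean cwd).
path_has_cwd() {                 # $1 = PATH string
    awk -v p="$1" 'BEGIN { n = split(p, a, ":")
        for (i = 1; i <= n; i++) if (a[i] == "." || a[i] == "") exit 0
        exit 1 }'
}

# 4.6: print PATH with every cwd component removed.
strip_cwd_from_path() {          # $1 = PATH string
    printf '%s\n' "$1" | awk -F: '{ out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "." && $i != "") out = (out == "" ? $i : out ":" $i)
        print out }'
}

make_sample_passwd() {           # constructed passwd file; caller removes it
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:*:2:2:bin:/bin:/sbin/nologin
guest::100:100:Guest account:/home/guest:/bin/sh
vendor:+:200:200:Vendor support:/home/vendor:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    printf '%s\n' "$f"
}

# Stand-alone run against the constructed data.
PW=$(make_sample_passwd)
echo "accounts with no password: $(empty_password_accounts "$PW")"
if account_exists "$PW" guest; then echo "guest account present: remove or disable"; fi
rm -f "$PW"
ROOT_PATH='/usr/sbin:/usr/bin:.'     # constructed; on a live host take it from env as root
if path_has_cwd "$ROOT_PATH"; then
    echo "root PATH includes cwd; cleaned value: $(strip_cwd_from_path "$ROOT_PATH")"
fi
```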
5.0 File System Security

| Ref. | Action | Yes | No |
|------|--------|-----|----|
| 5.1 | Remove the ".exrc" and ".forward" files | | |
| 5.2 | Quarterly, check web sites for the latest version of /usr/lib/expreserve | | |
| 5.3 | Disable NFS | | |
| 5.4 | Ensure that only approved devices are present on the system. The only /dev files that a user can read or write to are /dev/null, /dev/tty, and /dev/console. | | |
| 5.5 | Ensure that file permissions are set as per reference 5.5 of the SA Handbook | | |
| 5.6 | Set the sticky bit on /tmp and /var/tmp | | |
| 5.7 | Any file or directory that is world writable must be authorized | | |
| 5.8 | Set suid or sgid bits only on appropriate files | | |
| 5.9 | If a file is run by root, it must be owned by root and NOT group or world writable | | |
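An added example (not from the checklist) covering items 5.6, 5.7 and 5.9. It builds a small constructed directory tree with one expected finding per check so that it can be tried without root; on a live host the same functions are called with `/tmp`, `/` and the path of any script run from root's crontab or startup files. The `-maxdepth` option is GNU find; everything else is POSIX.

```shell
#!/bin/sh
# Added example, not part of the checklist: checks for items 5.6, 5.7 and 5.9,
# run here against a constructed tree so no root privileges are needed.

# 5.6: shared temp directories need the sticky bit so users cannot delete
# or rename each other's files.
has_sticky_bit() {               # $1 = directory; exit 0 when sticky
    [ -k "$1" ]
}

# 5.7: list world-writable files and directories. Sticky directories such as
# /tmp are the expected, authorized exception and are skipped; symlinks are
# ignored because their mode is meaningless.
world_writable() {               # $1 = tree root; prints one path per line
    find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) 2>/dev/null
}

# 5.9: a file executed by root must be owned by root and writable by nobody
# else. Exit 0 only when both conditions hold.
safe_for_root() {                # $1 = file
    find "$1" -maxdepth 0 -user root ! -perm -0020 ! -perm -0002 2>/dev/null | grep -q .
}

make_sample_tree() {             # constructed tree; caller removes it
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/usr/local/bin"
    chmod 1777 "$d/tmp"                                              # correct sticky temp dir
    : > "$d/tmp/scratch.txt";         chmod 666 "$d/tmp/scratch.txt" # world-writable: 5.7 finding
    : > "$d/etc/motd";                chmod 644 "$d/etc/motd"        # fine
    : > "$d/usr/local/bin/backup.sh"; chmod 775 "$d/usr/local/bin/backup.sh"  # group-writable: 5.9 finding
    printf '%s\n' "$d"
}

# Stand-alone run: report on the sample tree.
S=$(make_sample_tree)
if has_sticky_bit "$S/tmp"; then echo "tmp: sticky bit set"; else echo "tmp: sticky bit MISSING"; fi
echo "world-writable paths (each needs authorization):"
world_writable "$S"
if safe_for_root "$S/usr/local/bin/backup.sh"; then
    echo "backup.sh: safe to run as root"
else
    echo "backup.sh: NOT safe to run as root (owner or mode)"
fi
rm -rf "$S"
```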
6.0 Security and X Windows

| Ref. | Action | Yes | No |
|------|--------|-----|----|
| 6.1 | Quarterly, check web sites for the latest version of xdm | | |
| 6.2 | Ensure that the system-wide xsession file, user xsession files, and other programs and scripts that use the X Windows system do NOT contain the "xhost +" command | | |
7.0 Administrative Actions

| Ref. | Action | Yes | No |
|------|--------|-----|----|
| 7.1 | Check the audit logs (/var/adm/messages) for the following events: successful/unsuccessful login attempts; actions by root users | | |
| 7.2 | Review audit logs daily for: unauthorized su attempts (/var/adm/sulog); repeated login failures (/var/adm/messages) | | |
| 7.3 | Keep OS audit logs for 6 months | | |
| 7.4 | Disable dormant user accounts after 3 months; remove after 6 months | | |
| 7.5 | Enable resource restrictions for users | | |
| 7.6 | System Administrators must use absolute path names when working as root | | |
| 7.7 | Ensure the system displays an Agency approved Warning Banner at login | | |
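An added example (not from the checklist) of the daily review in items 7.1 and 7.2 as awk filters. The log lines are constructed: the sulog records follow the classic "SU date time +|- tty from-to" layout and the messages lines the "FAILED LOGIN n FROM host FOR user" and "LOGIN ON tty BY user" forms written by the login program on systems of this era; the threshold for "repeated" failures is a parameter because the checklist does not fix one.

```shell
#!/bin/sh
# Added example, not part of the checklist: daily review of su attempts and
# login events (items 7.1 and 7.2) over constructed sample log lines.

# 7.1 / 7.2: su attempts with the given outcome ("+" success, "-" failure).
# Prints "from-to tty" for each matching sulog record.
su_attempts() {                  # $1 = sulog file, $2 = "+" or "-"
    awk -v want="$2" '$1 == "SU" && $4 == want { print $6, $5 }' "$1"
}

# 7.2: accounts with at least N failed logins, printed as "user count".
repeated_login_failures() {      # $1 = messages file, $2 = threshold N
    awk -v t="$2" '/FAILED LOGIN/ {
            for (i = 1; i <= NF; i++)
                if ($i == "FOR") { u = $(i + 1); sub(/,$/, "", u); n[u]++ }
        }
        END { for (u in n) if (n[u] >= t) print u, n[u] }' "$1" | sort
}

# 7.1: successful logins as "user tty", the other half of the login review.
successful_logins() {            # $1 = messages file
    awk '/LOGIN ON/ { for (i = 1; i <= NF; i++) if ($i == "BY") print $(i + 1), $(i - 1) }' "$1"
}

make_sample_logs() {             # constructed sulog and messages; prints their directory
    d=$(mktemp -d)
    cat > "$d/sulog" <<'EOF'
SU 03/12 08:40 + pts/0 alice-root
SU 03/12 09:10 - pts/2 bob-root
SU 03/12 09:11 - pts/2 bob-root
EOF
    cat > "$d/messages" <<'EOF'
Mar 12 09:01:02 host login[201]: FAILED LOGIN 1 FROM 192.0.2.7 FOR bob, Authentication failure
Mar 12 09:01:09 host login[201]: FAILED LOGIN 2 FROM 192.0.2.7 FOR bob, Authentication failure
Mar 12 09:01:15 host login[201]: FAILED LOGIN 3 FROM 192.0.2.7 FOR bob, Authentication failure
Mar 12 09:05:00 host login[230]: FAILED LOGIN 1 FROM 192.0.2.9 FOR alice, Authentication failure
Mar 12 09:06:00 host login[231]: LOGIN ON tty1 BY alice
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: the daily report over the sample logs.
L=$(make_sample_logs)
echo "== failed su attempts (from-to tty) =="; su_attempts "$L/sulog" -
echo "== successful su to root =="; su_attempts "$L/sulog" + | grep -- '-root'
echo "== accounts with 3 or more login failures =="; repeated_login_failures "$L/messages" 3
echo "== successful logins =="; successful_logins "$L/messages"
rm -rf "$L"
```

For the live review, replace the sample directory with `/var/adm` and keep the daily output with the retained logs so that item 7.3's six-month history includes the reviewer's findings as well as the raw records.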
| Ref. | JUSTIFICATION FOR DEVIATIONS |
|------|------------------------------|
| | |
| | |
| | |

SYSTEM ADMINISTRATOR                DATE:
Signature: _____________