S 3.102 Servers under Unix
Description
Unix servers are computers that run the Unix operating system and offer services that can be requested by other IT systems in the network. The first Unix system was developed at the beginning of the 1970s. Since then, numerous operating systems have come to be counted as members of the Unix family. In this connection, a distinction must be made between
- classic Unix systems or Unix derivatives,
- certified UNIX systems (UNIX is a trademark of The Open Group and may only be applied to certified systems meeting the corresponding specification), and
- functional Unix systems or Unix-style systems.
Examples of classic Unix systems include the BSD series (FreeBSD, OpenBSD, and NetBSD), Solaris, and AIX. Linux is not a classic Unix system (its kernel is not based on the original source code from which the different Unix derivatives descend), but a functional Unix system. This module considers all operating systems of the Unix family, i.e. also Linux as a functional Unix system.
This module only describes those threats and safeguards that apply specifically to Unix servers, which is why the threats and safeguards for general servers in module S 3.101 must be taken into account additionally.
Threat scenario
The following typical threats to the IT-Grundschutz of a Unix server are assumed to exist:
Organisational Shortcomings
T 2.15 | Loss of confidentiality of sensitive data in the UNIX system |
Human Error
T 3.10 | Incorrect export of file systems under UNIX |
T 3.11 | Improper configuration of sendmail |
Technical Failure
T 4.11 | Lack of authentication possibilities between NIS server and NIS client |
T 4.12 | Lack of authentication possibilities between X server and X client |
Deliberate Acts
T 5.41 | Misuse of a UNIX system with the help of UUCP |
T 5.89 | Hijacking of network connections |
Method recommendation
To secure the information system examined, other modules must be implemented in addition to this module, with these modules being selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards must be implemented to set up a server running Unix successfully, starting with the design and purchasing and continuing through operation of the server. The steps to take to accomplish this as well as the safeguards to implement in each phase are listed in the following.
Planning and design
The following safeguards relate to the secure configuration and operation of a Unix server that offers services to the clients in the network. The general plan of the network architecture is specified in module S 3.101 General server, with the plan specifying in particular the general network architecture and all rules and policies applying to the entire network. The requirements for servers resulting from this plan must be taken into account. It is recommended to install the server in a separate server room. The safeguards to be implemented are described in module S 2.4 Server room. If there is no server room available, a server cabinet should be used (see also module S 2.7 Protective cabinets for more information on this subject).
A procedure for assigning user IDs must be specified that guarantees that privileged and unprivileged user IDs are clearly separated. Furthermore, it must be ensured that it is impossible to gain uncontrolled access to the single-user mode, because otherwise it is possible to bypass all security safeguards specified for the runtime environment of the system.
Purchasing
The number of servers in the network as well as how they will be used by the clients is also specified in module S 3.101 General server, as well as the requirements for the products to be purchased.
Implementation
Some of the safeguards described in the following relate to the configurations of individual servers, while other measures must be implemented on all servers and clients in order to be effective. The safeguards described in the corresponding modules must be implemented on the clients connected to the server.
When configuring a Unix server, the first safeguard to be implemented after installation is S 4.105 Initial measures after a Unix standard installation. Depending on the operational scenario (see also S 3.101 General server), the basic settings must be specified so that only the services actually needed are enabled, the precautions described there have been taken, and system logging is enabled.
Furthermore, the access rights to user and system files and directories must be assigned according to an overall plan so that only those users and processes actually requiring access are granted this access, with special attention to be paid to the rights obtained using setuid and setgid (see also safeguard S 4.19 Restrictive allocation of attributes for Unix system files and directories).
Operation
To reliably maintain the level of security of a server running Unix during live operation, it is absolutely necessary to regularly check if any security gaps have been opened and to close any gaps found as quickly as possible. The logs created by the system must also be examined for any irregularities when performing these regular checks.
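The restrictive allocation of setuid and setgid attributes described under Implementation (S 4.19) and the regular security checks during operation (S 4.26) both call for a repeatable inventory of privileged files. The following POSIX shell script is an added example and not part of the IT-Grundschutz module: it lists setuid/setgid files and world-writable directories lacking the sticky bit below a given root, and reports entries that are absent from a baseline recorded from a known-good state (the function names, the baseline file and the demo tree are assumptions of this example).

```shell
#!/bin/sh
# Added example (not from the IT-Grundschutz catalogue): inventory the file
# attributes that matter most for privilege separation on a Unix system and
# diff that inventory against a baseline taken from a known-good installation.

# audit_special_perms ROOT
# Prints one finding per line:
#   "setid <path>"  for files carrying the setuid (4000) or setgid (2000) bit
#   "wwdir <path>"  for world-writable directories without the sticky bit
# -xdev keeps the scan on one file system so mounted network or pseudo
# file systems are not walked by accident; only POSIX find primaries are used.
audit_special_perms() {
    root="$1"
    # A flaw in any setuid/setgid program runs with the owner's or group's
    # privileges, so every entry here must be justified (S 4.19).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'setid %s\n' {} +
    # A world-writable directory without the sticky bit lets any user delete
    # or replace files that other users placed there.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec printf 'wwdir %s\n' {} +
}

# new_findings BASELINE ROOT
# Prints the findings under ROOT that are not listed in BASELINE. Empty output
# means the current state still matches the recorded one; anything printed is
# something the regular security check (S 4.26) has to explain.
new_findings() {
    baseline="$1"
    root="$2"
    current=$(mktemp)
    audit_special_perms "$root" | sort > "$current"
    # comm(1) needs sorted input; -13 keeps only lines unique to the current scan.
    sort "$baseline" | comm -13 - "$current"
    rm -f "$current"
}

# Demonstration on a constructed tree (not a real system path).
demo=$(mktemp -d)
: > "$demo/setuid-tool"; chmod 4755 "$demo/setuid-tool"
mkdir "$demo/dropbox";   chmod 0777 "$demo/dropbox"
: > "$demo/baseline"     # empty baseline: every finding is reported as new
echo "Findings not in the baseline:"
new_findings "$demo/baseline" "$demo"
rm -rf "$demo"
# Typical use (paths are placeholders): record the baseline once after
# S 4.105 has been applied, then run the comparison from the regular check.
#   audit_special_perms / | sort > /var/lib/secaudit/special-perms.baseline
#   new_findings /var/lib/secaudit/special-perms.baseline /
```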
Contingency Planning
Due to the complexity of Unix systems, a successful attack often compromises the system in ways that are hard to trace. For this reason, it is important to define rules in advance that specify the procedure to follow in case of a real or suspected loss of system integrity.
The bundle of safeguards for servers running the Unix operating system is presented in the following.
Planning and design
S 2.33 | (Z) | Division of administrator roles under Unix |
S 4.13 | (A) | Careful allocation of identifiers |
S 4.18 | (A) | Administrative and technical means to control access to the system-monitor and single-user mode |
S 5.16 | (B) | Survey of network services |
S 5.34 | (Z) | Use of one-time passwords |
S 5.64 | (Z) | Secure Shell |
S 5.83 | (Z) | Secure connection of an external network with Linux FreeS/WAN |
Implementation
S 4.9 | (A) | Use of the security mechanisms of X Windows |
S 4.14 | (A) | Mandatory password protection under Unix |
S 4.19 | (A) | Restrictive allocation of attributes for Unix system files and directories |
S 4.20 | (B) | Restrictive allocation of attributes for Unix user files and directories |
S 4.21 | (A) | Preventing unauthorised acquisition of administrator rights |
S 4.22 | (Z) | Prevention of loss of confidentiality of sensitive data in the Unix system |
S 4.23 | (B) | Secure invocation of executable files |
S 4.105 | (A) | Initial measures after a Unix standard installation |
S 4.106 | (A) | Activation of system logging |
S 5.17 | (A) | Use of the NFS security mechanisms |
S 5.18 | (A) | Use of the NIS security mechanisms |
S 5.19 | (A) | Use of the sendmail security mechanisms |
S 5.20 | (A) | Use of the security mechanisms of rlogin, rsh, and rcp |
S 5.21 | (A) | Secure use of telnet, ftp, tftp, and rexec |
S 5.35 | (A) | Use of the security mechanisms of UUCP |
S 5.72 | (A) | Deactivation of unnecessary network services |
Operation
S 4.25 | (A) | Use of logging in Unix systems |
S 4.26 | (C) | Regular security checks of Unix systems |
Contingency Planning
S 6.31 | (A) | Procedural patterns following a loss of system integrity |