S 3.204 Unix client
Description
This module examines a Unix system used as a stand-alone system or as a client in a network. Terminals, drives, printers, and other devices may be connected to it. Furthermore, the system may run a graphical user interface such as X-Windows. Accordingly, there may also be X terminals and graphic input devices connected to it. The following is based on the assumption that a Unix system will usually be a multi-user system.
Examples of classic Unix systems include the BSD series (FreeBSD, OpenBSD, and NetBSD), Solaris, and AIX. Even though Linux is not a classical Unix system but a functional one (its kernel is not derived from the original Unix source code from which the various Unix derivatives emerged), Linux is also covered by this module.
Threat scenario
The following typical threats to the IT-Grundschutz of a Unix system are assumed to exist:
Force Majeure
T 1.1 | Loss of personnel
T 1.2 | Failure of the IT system
T 1.8 | Dust, soiling
Organisational Shortcomings
T 2.7 | Unauthorised use of rights
T 2.9 | Poor adjustment to changes in the use of IT
T 2.15 | Loss of confidentiality of sensitive data in the UNIX system
Human Error
T 3.2 | Negligent destruction of equipment or data
T 3.3 | Non-compliance with IT security measures
T 3.6 | Hazards posed by cleaning staff or outside staff
T 3.8 | Improper use of the IT system
T 3.9 | Improper IT system administration
T 3.21 | Improper use of code locks
T 3.23 | Improper administration of a DBMS
Technical Failure
T 4.11 | Lack of authentication possibilities between NIS server and NIS client
T 4.12 | Lack of authentication possibilities between X server and X client
Deliberate Acts
T 5.1 | Manipulation or destruction of equipment or accessories
T 5.2 | Manipulation of information or software
T 5.4 | Theft
T 5.7 | Line tapping
T 5.8 | Manipulation of lines
T 5.9 | Unauthorised use of IT systems
T 5.18 | Systematic trying-out of passwords
T 5.19 | Abuse of user rights
T 5.20 | Misuse of administrator rights
T 5.21 | Trojan horses
T 5.23 | Malicious software
T 5.41 | Misuse of a UNIX system with the help of UUCP
T 5.89 | Hijacking of network connections
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards need to be implemented for Unix clients, starting with planning their use and continuing through the operation phase up to contingency planning. The steps to take, as well as the safeguards to implement in each phase, are listed in the following.
Planning and design
Before a Unix system is used for the first time, regardless of whether it will serve as a client, terminal server, application server, or stand-alone system, a series of requirements must be specified that form the foundation of proper and secure operation of the system. Errors made at this stage are often very difficult to correct in later phases.
A procedure for assigning user IDs must be specified that guarantees clear separation of privileged and unprivileged user IDs. Furthermore, it must be ensured that it is impossible to gain uncontrolled access to the single-user mode, because otherwise it is possible to bypass all security safeguards specified for the runtime environment of the system.
Implementation
When configuring a Unix system, a series of safeguards need to be implemented (see in particular S 4.105 Initial measures after a Unix standard installation) to "harden" the security of this system, i.e. to close the security gaps that are generally present after performing a standard installation. This also includes only activating the network services actually needed (see S 5.72 Deactivation of unnecessary network services) and ensuring that the system logging function is enabled.
Furthermore, the access rights to user and system files and directories must be assigned according to an overall plan so that only those users and processes actually requiring access are granted this access, with special attention to be paid to the rights obtained using setuid and setgid (see also S 4.19 Restrictive allocation of attributes for Unix system files and directories).
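The planning requirement above (a clear separation of privileged and unprivileged user IDs) and the implementation requirement on setuid/setgid rights can both be turned into repeatable checks. The following POSIX shell script is an added example, not part of the IT-Grundschutz catalogue; the passwd entries it scans are constructed sample data, and the directory scanned in the demonstration (/usr/bin) is an assumption.

```sh
# Added example, not part of the IT-Grundschutz module: three audit checks a
# Unix client administrator can run. The passwd content is constructed sample
# data; "backup" is a planted second UID-0 account, "guest" has no password.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/sh'

# Accounts in a passwd-format file ($1) that have UID 0 but are not "root":
# every such entry is a privileged ID that must be documented or removed.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts in $1 whose password field is empty, i.e. that can be used without
# any password (violates mandatory password protection, S 4.14).
find_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# setuid/setgid regular files below directory $1, one path per line and sorted,
# so the output can be diffed against the baseline recorded at installation.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Run the checks on the constructed passwd data and on /usr/bin (assumed path).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    echo "UID 0 accounts other than root:"; find_extra_uid0 "$tmp/passwd"
    echo "Accounts with empty password field:"; find_empty_password "$tmp/passwd"
    echo "setuid/setgid files under /usr/bin:"; find_setid_files /usr/bin
    rm -rf "$tmp"
}

demo
```

On a real system the first two functions would be pointed at /etc/passwd (and the shadow file for the password check), and the setuid/setgid list kept alongside the user-rights documentation so that regular checks can detect additions.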
Operation
In order to gain an overview of the security of a Unix system, it is essential to document the existing user profiles and their rights promptly, to keep these records up-to-date at all times and to verify their accuracy by means of regular checks. The security of the system must be checked regularly, and the logs created by the system must also be examined for any irregularities when performing these regular checks.
Contingency Planning
Due to the complexity of a Unix system, a successful attack often compromises it in ways that are hard to trace. For this reason, it is important to define rules in advance that specify the procedure to follow in case of a real or suspected loss of system integrity.
The bundle of safeguards for Unix clients is presented in the following.
The safeguards outlined in the relevant modules are to be implemented for any computers that may be connected (e.g. clients running Windows).
Furthermore, the following additional safeguards must be implemented:
Planning and design
S 2.33 | (Z) | Division of administrator roles under Unix
S 4.13 | (A) | Careful allocation of identifiers
S 4.18 | (A) | Administrative and technical means to control access to the system-monitor and single-user mode
S 4.41 | (Z) | Use of appropriate security products for IT systems
S 5.34 | (Z) | Use of one-time passwords
S 5.64 | (Z) | Secure Shell
Implementation
S 2.32 | (Z) | Establishment of a restricted user environment
S 4.9 | (A) | Use of the security mechanisms of X Windows
S 4.14 | (A) | Mandatory password protection under Unix
S 4.16 | (C) | Restriction on access to user IDs and/or terminals
S 4.17 | (A) | Blocking and erasure of unneeded accounts and terminals
S 4.19 | (A) | Restrictive allocation of attributes for Unix system files and directories
S 4.20 | (B) | Restrictive allocation of attributes for Unix user files and directories
S 4.21 | (A) | Preventing unauthorised acquisition of administrator rights
S 4.22 | (Z) | Prevention of loss of confidentiality of sensitive data in the Unix system
S 4.23 | (B) | Secure invocation of executable files
S 4.105 | (A) | Initial measures after a Unix standard installation
S 4.106 | (A) | Activation of system logging
S 4.370 | (Z) | Use of Anoubis under Unix
S 5.17 | (A) | Use of the NFS security mechanisms
S 5.18 | (A) | Use of the NIS security mechanisms
S 5.19 | (A) | Use of the sendmail security mechanisms
S 5.20 | (A) | Use of the security mechanisms of rlogin, rsh, and rcp
S 5.21 | (A) | Secure use of telnet, ftp, tftp, and rexec
S 5.35 | (A) | Use of the security mechanisms of UUCP
S 5.72 | (A) | Deactivation of unnecessary network services
Operation
S 4.25 | (A) | Use of logging in Unix systems
S 4.26 | (C) | Regular security checks of Unix systems
Contingency Planning
S 6.31 | (A) | Procedural patterns following a loss of system integrity