Unix Security

System & Network Security, HP-UX

This document shows system administrators how to better secure their UNIX systems. There are no guarantees of its completeness. In addition, the author takes no responsibility if a person misuses this information. There are many versions of Unix. This paper gives examples for HP-UX.

For a shortened version, please see our security checklist

Physical Security

Often the subject of internal security is overlooked. However, often it is fairly easy for someone to get access to systems they are not supposed to have access by simply walking up to a valid users desk. This can be the cleaning staff or a disgruntled (ex)employee making a visit. This is the easiest type of security to implement and should definitely be included in any security plan.

• Console security
  
  Machines and consoles need to be secure. A person can simply turn off a computer if one has access to it. If they have access to the console, they can often interrupt the boot process to get access to the root prompt. If this doesn't work, they can keep guessing the root password in hopes of compromising the system.
  
  For these reasons (and more), the computers and associated consoles should be kept in a secure room. A limited number of people should have access to this room, of course with a limited number of keys. Some places actually have security guards let people into the computer rooms for guaranteed secure access.
  
  If your data is sensitive, be certain to verify that there are no alternative methods for getting into the room. This includes hidden spare keys in an unsecured place, gaps in the raised floors that go past the locked access point, and space above the ceilings.
  
  
• Data Security
  
  Companies that value their data need a detailed backup recovery scheme. This includes on site backups for least amount of down time, a copy of this data off site in case of computer room disasters, as well as contingency plans in place. Unfortunately, an easy way to get access to a companies data is to gain access to backup tapes and sensitive printouts. Hence, all sensitive information should be stored in locked cabinets. Backup tapes sent off site should be in locked containers. Old sensitive printouts and tapes should be destroyed.
  
  To protect against computer damage from power outages (and spikes), be certain to have your computers on a UPS. This provides consistent power, protects against outages, as well as protects the computer from power spikes. Ideally, there should be a backup generator for production systems. For non-production systems, there should be a automatic way to shutdown the computer if the power has switched to the UPS for more than 1/2 the time the UPS is rated to supply.
  
  To prevent snooping, secure network cables from exposure.
  
  
• Users practice secure measures?
  
  Always have users lock their screen when away from their desk. It is best if they log off of their terminal/workstation at night. There should be no written passwords or password hints on a users desk. If users are using X, verify that they are using xauth/xhost to prevent others from reading their screen.
  
  
• NO welcome banner on site
  
  Court cases have shown that initial banners must NOT say "welcome".?
  
  Your banner should say something like: "Only authorized access allowed; violators will be prosecuted". In addition, change /etc/issue?NOT to include the machine type/OS revision.

• IBAN Validation
  
  The IBAN validation service provides additional security for international bank transactions.
• Unix Network Security
  
  Once you put a computer on a network, you allow many more people potential access to the machine.
• Unix Account Security
  
  If your accounts are not secure, then your other steps won't help much. There is general password security as well as special steps to take for each type of account.
• Unix File System Security
  
  File system security is about making sure your users can only do what you want them to be able to do.
• Unix Security Testing
  
  Unix Security is an ongoing process...
• Unix Security Websites
  
  A list of resources to keep your Unix system secure.
• Unix Security Checklist
  
  This document shows system administrators how to secure their systems better...

Amazon.com security references:

Unix/Lunix Security News from Google & Yahoo

Eight Times More Malicious Email Attachments Spammed Out in Q3 ... - MarketWatch

Eight Times More Malicious Email Attachments Spammed Out in Q3 ... MarketWatch�- Oct 27, 2008 The most widespread attacks seen by Sophos are not designed to run on Unix and Mac OS X. "For Apple Mac and Unix lovers, these major spam attacks just mean ... Security firms report new statistics on spam SC Magazine UK Spam Attacks on the Rise in Q3 Redmond Developer News Sophos sees increase in malicious email attachments SearchSecurity.com SC Magazine US all 62 news articles

Mandriva Linux Security Update Advisory - emacs (MDVSA-2008:216) - Help Net Security

Mandriva Linux Security Update Advisory - emacs (MDVSA-2008:216) Help Net Security,�Croatia�- Oct 27, 2008 Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) ...

Unix News - ComputerWeekly.com

Unix News ComputerWeekly.com,�UK�- 18 hours ago This certification shows DirectControl for SAP to be a secure, compatible, reliable solution for single sign-on and security of the SAP Ne...Blog.

Red Hat and Tresys Partner to Deliver Enhanced Linux Security Services - Business Wire (press release)

Red Hat and Tresys Partner to Deliver Enhanced Linux Security Services Business Wire (press release),�CA�- Oct 7, 2008 Tresys is a recognized leader in Linux security services and a principal open source contributor to the Security-Enhanced Linux (SELinux) kernel. ...

Configuresoft Awarded Red Hat Enterprise Linux Benchmark ... - MarketWatch

Configuresoft Awarded Red Hat Enterprise Linux Benchmark ... MarketWatch�- Oct 23, 2008 ... Enterprise Configuration Manager (ECM) was awarded Red Hat Enterprise Linux Benchmark Certification from the Center for Internet Security (CIS). ...

Workstations News - ComputerWeekly.com

Workstations News ComputerWeekly.com,�UK�- 18 hours ago Laptop or portable Unix workstation? | Tech News on ZDNetTadpole Computer, the manufacturer of a line of Unix-based portable computers, ...

Google Android Flaw Reopens Open Source Security Debate - Redmondmag.com

Google Android Flaw Reopens Open Source Security Debate Redmondmag.com,�CA�- 19 hours ago ... a security researcher for Fortinet. "In general, today's threat-scape hosts threats [that] are mostly targeted toward Windows as opposed to Linux," ...

Server Configuration Manager - Enterprise IT Planet

Server Configuration Manager Enterprise IT Planet,�CT�- 11 hours ago The vendor states that the product collects over 80000 asset, security, and configuration settings from servers and workstations, which are transmitted to ...

Malicious Spam Up Eight Fold In 3Q - Security Pronews

Malicious Spam Up Eight Fold In 3Q Security Pronews,�KY�- Oct 29, 2008 But Cluley also says if you have a Mac or run UNIX, you're not near as at risk. If ever there was a good instance to not be cared about, this would be the ...

Gems and Additions from Datamation's Security Software Roundup - OStatic

Gems and Additions from Datamation's Security Software Roundup OStatic,�CA�- Oct 29, 2008 ClamAV gets a nod from Datamation in the anti-virus category for UNIX and Linux users. For Windows users ClamWin is also a very popular, solid choice. ...