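/*
 * Security policy definitions.
 *
 * Each "type" declares the policies that may be applied to an entry of that
 * type; each "category" lists the concrete entries (setuid binaries, inetd
 * services) that a policy is applied to, with a default policy and advice.
 *
 * "hapiness" is the policy ranking keyword (0 = least restrictive).  Its
 * spelling is kept unchanged here because it is presumably what the parser
 * reads -- confirm against the parser before renaming it.
 *
 * NOTE(review): "$" inside a forfile / linebeginning string presumably stands
 * for the entry's file path or service name -- verify against the tool that
 * consumes this file.
 */

type suid {
    name "Setuid Binary Category";
    description "Setuid binaries change the identity of the user running the binary to the owner of the binary so that the user can perform privileged operations. Bugs or improper configuration may result in security holes, so it is often advisable to disable setuid binaries that will not be used.";

    policy suid-everyone {
        name "Everyone can execute";
        hapiness 0;
        description "Any user can execute this binary and the setuid flag will allow them to execute the operation as the owner of the file. This may be required for proper functionality of the binary, but may also pose a security risk.";
        details {
            /* "a+x" re-grants execute to every user, so selecting this */
            /* policy after suid-operator undoes that policy's "o-rwx". */
            forfile "chmod a+x $; chmod u+s $";
        }
    }

    policy suid-operator {
        hapiness 1;
        name "Operator group can execute";
        description "Only users in the Operator group may execute this binary. This limits the risk of a setuid binary, as now only members of a trusted group may use the binary.";
        details {
            /* This may not work to restore binaries to */
            /* functionality that are sgid + suid */
            /* Only the "other" bits are removed; the group execute bit is */
            /* not added here, so it must already be set on the file.     */
            forfile "chgrp operator $ ; chmod o-rwx $";
        }
    }

    policy suid-disable {
        hapiness 2;
        name "Setuid disabled";
        description "If setuid is disabled, only root or the owner of the binary may be able to perform the operation. While this is most secure, it may impair functionality of the system. Also, it requires root access for operations that might otherwise have not required it, so may increase exposure of the root account to risk.";
        details {
            /* Clears only the setuid bit; a binary that is also setgid */
            /* keeps its setgid bit under this policy.                  */
            forfile "chmod u-s $";
        }
    }
}

type sgid {
    name "Setgid Binary Category";
    description "Setgid binaries allow the executor of a binary to acquire membership of the group of the binary for the course of execution of that binary. This can allow unprivileged users to examine process information or network statistics that would otherwise require access to privileged files. Bugs or improper configuration may result in security holes, so it is often advisable to disable setgid binaries that will not be used.";

    policy sgid-everyone {
        name "Everyone can execute";
        hapiness 0;
        description "Any user can execute this binary and the setgid flag will allow them to execute the operation with the group of the file. This may be required for proper functionality of the binary, but may also pose a security risk.";
        details {
            forfile "chmod a+x $; chmod g+s $";
        }
    }

    policy sgid-disable {
        name "Setgid disabled";
        hapiness 2;
        description "If setgid is disabled, only root or members of the group of the binary may be able to perform the operation. While this is most secure, it may impair functionality of the system. Also, it requires root access or group membership where otherwise it would not have been required, so may increase exposure of the root account or the group to risk.";
        details {
            /* Clears only the setgid bit; a binary that is also setuid */
            /* keeps its setuid bit under this policy.                  */
            forfile "chmod g-s $";
        }
    }
}

type inetddaemon {
    name "Inetd Daemon";
    description "Inetd daemons are network service daemons run automatically by the inetd daemon when an incoming connection on their port is discovered. A fair number of these daemons are not useful in all environments, and can be disabled to improve security by reducing risk.";

    /* Both policies below used a capitalised "Name" keyword while every */
    /* other block uses "name"; they are spelled "name" here so they     */
    /* parse the same way as the rest of the file.                       */
    policy inetddaemon-enable {
        name "Inetd Daemon enabled";
        hapiness 0;
        description "If the daemon is enabled, it will be able to offer services. However, some services increase risk by allowing remote login or leaking account information. If a service is not intended for use, it should be disabled to improve security.";
        details {
            uncomment {
                file "/etc/inetd.conf";
                /* Matches a commented-out inetd.conf line that starts */
                /* with the service name (presumably substituted for $). */
                linebeginning "#$\s";
            }
        }
    }

    policy inetddaemon-disable {
        name "Inetd Daemon disabled";
        hapiness 2;
        description "If a daemon is disabled, it reduces the risk associated with making that service available on the network. However, disabling the service may reduce the functionality of the system, and the effects of disabling a daemon should be carefully considered before removing it.";
        details {
            comment {
                file "/etc/inetd.conf";
                linebeginning "$\s";
            }
        }
    }
}

category suid-binaries {
    name "Setuid Binary Policy";
    description suid.description;

    entry cu {
        name "cu - terminal program";
        oftype suid;
        default suid-everyone;
        advice "Enable only if you need to dial out";
        details {
            file "/usr/bin/cu";
        }
    }

    entry man {
        name "man - manual pages";
        oftype suid;
        default suid-everyone;
        advice "Leave enabled";
        details {
            file "/usr/bin/man";
        }
    }

    entry uucp {
        name "uucp - Unix to Unix Copy";
        oftype suid;
        default suid-everyone;
        advice "Enable only if you use UUCP";
        details {
            file "/usr/bin/uucp";
            file "/usr/bin/uuname";
            file "/usr/bin/uustat";
            file "/usr/bin/uux";
            file "/usr/libexec/uucp/uucico";
            file "/usr/libexec/uucp/uuxqt";
        }
    }

    entry suidperl {
        name "suidperl - perl scripts can be set suid";
        oftype suid;
        default suid-everyone;
        advice "Enable only if you use setuid perl scripts";
        details {
            file "/usr/bin/suidperl";
            file "/usr/bin/sperl4.036";
        }
    }

    entry at {
        name "at - aperiodic scheduling of processes";
        oftype suid;
        default suid-everyone;
        advice "Enable only if you use at";
        details {
            file "/usr/bin/at";
            file "/usr/bin/atq";
            file "/usr/bin/atrm";
            file "/usr/bin/batch";
        }
    }

    entry passwd {
        name "passwd - utilities to let users change their fields in /etc/passwd";
        oftype suid;
        default suid-everyone;
        advice "Leave enabled or users will not be able to change their passwords";
        details {
            file "/usr/bin/chpass";
            file "/usr/bin/chfn";
            file "/usr/bin/chsh";
            file "/usr/bin/ypchpass";
            file "/usr/bin/ypchfn";
            file "/usr/bin/ypchsh";
            file "/usr/bin/lock";
            file "/usr/bin/passwd";
            file "/usr/bin/yppasswd";
        }
    }

    entry skey {
        name "skey - one-time password support";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you use skey";
        details {
            file "/usr/bin/keyinfo";
            file "/usr/bin/keyinit";
        }
    }

    entry login {
        name "login - log in as a different user from the shell prompt";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you routinely type login at a shell prompt";
        details {
            file "/usr/bin/login";
        }
    }

    entry quota {
        name "quota - display disk quota";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you use quotas and want users to be able to see their own";
        details {
            file "/usr/bin/quota";
        }
    }

    entry rsh {
        name "rsh - remote shell commands";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you use outgoing rsh connections";
        details {
            file "/usr/bin/rlogin";
            file "/usr/bin/rsh";
            file "/bin/rcp";
        }
    }

    entry crontab {
        name "crontab - periodic process scheduling";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you want users to be able to schedule their own cron events";
        details {
            file "/usr/bin/crontab";
        }
    }

    entry su {
        name "su - switch user";
        oftype suid;
        default suid-everyone;
        advice "Limit to users in Operator group unless you want users to be able to switch to accounts of other users";
        details {
            file "/usr/bin/su";
        }
    }

    entry lpr {
        name "lpr - line printer support";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you use printers on the system";
        details {
            file "/usr/bin/lpq";
            file "/usr/bin/lpr";
            file "/usr/bin/lprm";
        }
    }

    entry mail {
        name "mail - mail delivery from local users";
        oftype suid;
        default suid-everyone;
        advice "Enable unless local users always send mail via SMTP directly from programs";
        details {
            file "/usr/bin/newaliases";
            file "/usr/bin/mailq";
            file "/usr/bin/hoststat";
            file "/usr/libexec/mail.local";
            file "/usr/sbin/sendmail";
            file "/usr/sbin/purgestat";
        }
    }

    entry kerberos {
        name "kerberos - allow users to register their own kerberos principals";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you use kerberosIV and allow users to register their own principals";
        details {
            file "/usr/bin/register";
        }
    }

    entry multicast {
        name "multicast - multicast debugging tools";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you use multicast and users need to be able to debug connections";
        details {
            file "/usr/sbin/mrinfo";
            file "/usr/sbin/mtrace";
        }
    }

    entry pppslip {
        name "pppslip - PPP and Slip dialup support";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you allow incoming or outgoing ppp/slip from non-root users";
        details {
            file "/usr/sbin/ppp";
            file "/usr/sbin/pppd";
            file "/usr/sbin/sliplogin";
        }
    }

    entry timedc {
        name "timedc - time daemon control program";
        oftype suid;
        default suid-everyone;
        advice "Disable unless you allow non-root users to control your time daemon";
        details {
            file "/usr/sbin/timedc";
        }
    }

    entry ping {
        name "ping - network debugging utilities";
        oftype suid;
        default suid-everyone;
        advice "Enable unless you don't mind restricting use of ping or traceroute";
        details {
            file "/usr/sbin/traceroute";
            file "/sbin/ping";
        }
    }

    entry route {
        name "route - route manipulation tool";
        oftype suid;
        default suid-everyone;
        /* The original was missing the ";" after this advice string, */
        /* unlike every other entry in the file.                      */
        advice "Why the heck is this suid!?";
        details {
            file "/sbin/route";
        }
    }

    entry shutdown {
        name "shutdown - allow operators to shut down the system";
        oftype suid;
        default suid-operator;
        advice "Disable unless non-root should be able to shutdown/reboot the system";
        details {
            file "/sbin/shutdown";
        }
    }
}

category inetd-daemons {
    name "Inetd Daemon Policy";
    description inetddaemon.description;

    entry ftp {
        name "ftp - ftp daemon";
        oftype inetddaemon;
        default inetddaemon-enable;
        advice "Disable this service unless you plan to use incoming ftp";
        details {
            name "ftp";
        }
    }

    entry telnet {
        name "telnet - telnet daemon";
        oftype inetddaemon;
        default inetddaemon-enable;
        advice "Disable this service unless you plan to use incoming telnet";
        details {
            name "telnet";
        }
    }

    entry shell {
        name "shell - rsh remote shell";
        oftype inetddaemon;
        default inetddaemon-enable;
        advice "Disable this service unless you plan to use incoming rsh";
        details {
            name "shell";
        }
    }

    /* NOTE(review): the entry name "login" is also used in the */
    /* suid-binaries category; entry names are presumably scoped */
    /* per category -- confirm with the parser.                  */
    entry login {
        name "login - rlogin remote login";
        oftype inetddaemon;
        default inetddaemon-enable;
        advice "Disable this service unless you plan to use incoming rlogin";
        details {
            name "login";
        }
    }

    entry finger {
        name "finger - fingerd remote finger";
        oftype inetddaemon;
        default inetddaemon-enable;
        advice "Disable this service unless you plan to allow incoming finger requests";
        details {
            name "finger";
        }
    }

    entry exec {
        name "exec - rexec remote execution";
        oftype inetddaemon;
        default inetddaemon-enable;
        advice "Disable this service unless you plan to allow incoming rexec requests";
        details {
            name "exec";
        }
    }
}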