to the world, etc.

     + Includes an expert system that checks to see if a given user
       (usually ``root'') can be compromised, given that certain rules
       are true.

     + Checks for changes in the setuid status of programs on the
       system.

The COPS package is available from the comp.sources.unix archive on
ftp.uu.net, and also from the repository on wsmr-simtel20.army.mil.

4.4 SUN C2 SECURITY FEATURES

With the release of SunOS 4.0, Sun has included security features that
allow the system to operate at a higher level of security, patterned
after the C2* classification. These features can be installed as one of
the options when installing the system from the distribution tapes.
The security features added by this option include

     + Audit trails that record all login and logout times, the
       execution of administrative commands, and the execution of
       privileged (setuid) operations.

     + A more secure password file mechanism (``shadow password file'')
       that prevents crackers from obtaining a list of the encrypted
       passwords.

     + DES encryption capability.

     + A (more) secure NFS implementation that uses public-key
       encryption to authenticate the users of the system and the hosts
       on the network, to be sure they really are who they claim to be.

These security features are described in detail in [Sun88c].

_________________________
* C2 is one of several security classifications defined by the National
  Computer Security Center, and is described in [NCSC85], the ``orange
  book.''

4.5 KERBEROS

Kerberos [Stei88] is an authentication system developed by the Athena
Project at the Massachusetts Institute of Technology. Kerberos is a
third-party authentication service, which is trusted by other network
services. When a user logs in, Kerberos authenticates that user (using
a password), and provides the user with a way to prove her identity to
other servers and hosts scattered around the network.
This authentication is then used by programs such as rlogin [Sun88a,
418-419] to allow the user to log in to other hosts without a password
(in place of the .rhosts file). The authentication is also used by the
mail system in order to guarantee that mail is delivered to the correct
person, as well as to guarantee that the sender is who he claims to be.
NFS has also been modified by M.I.T. to work with Kerberos, thereby
making the system much more secure.

The overall effect of installing Kerberos and the numerous other
programs that go with it is to virtually eliminate the ability of users
to ``spoof'' the system into believing they are someone else.
Unfortunately, installing Kerberos is very intrusive, requiring the
modification or replacement of numerous standard programs. For this
reason, a source license is usually necessary. There are plans to make
Kerberos a part of 4.4BSD, to be released by the University of
California at Berkeley sometime in 1990.

                              * SECTION 5 *

                        KEEPING ABREAST OF THE BUGS

One of the hardest things about keeping a system secure is finding out
about the security holes before a cracker does. To combat this, there
are several sources of information you can and should make use of on a
regular basis.

5.1 THE COMPUTER EMERGENCY RESPONSE TEAM

The Computer Emergency Response Team (CERT) was established in December
1988 by the Defense Advanced Research Projects Agency to address
computer security concerns of research users of the Internet. It is
operated by the Software Engineering Institute at Carnegie-Mellon
University. The CERT serves as a focal point for the reporting of
security violations, and the dissemination of security advisories to
the Internet community. In addition, the team works with vendors of
various systems in order to coordinate the fixes for security problems.

The CERT sends out security advisories to the cert-advisory mailing
list whenever appropriate.
They also operate a 24-hour hotline that can be called to report
security problems (e.g., someone breaking into your system), as well as
to obtain current (and accurate) information about rumored security
problems.

To join the cert-advisory mailing list, send a message to
cert@cert.sei.cmu.edu and ask to be added to the mailing list. Past
advisories are available for anonymous FTP from the host
cert.sei.cmu.edu. The 24-hour hotline number is (412) 268-7090.

5.2 DDN MANAGEMENT BULLETINS

The DDN Management Bulletin is distributed electronically by the Defense
Data Network (DDN) Network Information Center under contract to the
Defense Communications Agency. It is a means of communicating official
policy, procedures, and other information of concern to management
personnel at DDN facilities.

The DDN Security Bulletin is distributed electronically by the DDN SCC
(Security Coordination Center), also under contract to DCA, as a means
of communicating information on network and host security exposures,
fixes, and concerns to security and management personnel at DDN
facilities.

Anyone may join the mailing lists for these two bulletins by sending a
message to nic@nic.ddn.mil and asking to be placed on the mailing lists.

5.3 SECURITY-RELATED MAILING LISTS

There are several other mailing lists operated on the Internet that
pertain directly or indirectly to various security issues. Some of the
more useful ones are described below.

5.3.1 Security

The UNIX Security mailing list exists to notify system administrators of
security problems before they become common knowledge, and to provide
security enhancement information. It is a restricted-access list, open
only to people who can be verified as being principal systems people at
a site. Requests to join the list must be sent by either the site
contact listed in the Network Information Center's WHOIS database, or
from the ``root'' account on one of the major site machines.
You must include the destination address you want on the list, an
indication of whether you want to be on the mail reflector list or
receive weekly digests, the electronic mail address and voice telephone
number of the site contact if it isn't you, and the name, address, and
telephone number of your organization. This information should be sent
to security-request@cpd.com.

5.3.2 RISKS

The RISKS digest is a component of the ACM Committee on Computers and
Public Policy, moderated by Peter G. Neumann. It is a discussion forum
on risks to the public in computers and related systems, and along with
discussing computer security and privacy issues, has discussed such
subjects as the Stark incident, the shooting down of the Iranian
airliner in the Persian Gulf (as it relates to the computerized weapons
systems), problems in air and railroad traffic control systems,
software engineering, and so on. To join the mailing list, send a
message to risks-request@csl.sri.com. This list is also available in
the USENET newsgroup comp.risks.

5.3.3 TCP-IP

The TCP-IP list is intended to act as a discussion forum for developers
and maintainers of implementations of the TCP/IP protocol suite. It
also discusses network-related security problems when they involve
programs providing network services, such as sendmail. To join the
TCP-IP list, send a message to tcp-ip-request@nic.ddn.mil. This list is
also available in the USENET newsgroup comp.protocols.tcp-ip.

5.3.4 SUN-SPOTS, SUN-NETS, SUN-MANAGERS

The SUN-SPOTS, SUN-NETS, and SUN-MANAGERS lists are all discussion
groups for users and administrators of systems supplied by Sun
Microsystems. SUN-SPOTS is a fairly general list, discussing everything
from hardware configurations to simple UNIX questions. To subscribe,
send a message to sun-spots-request@rice.edu. This list is also
available in the USENET newsgroup comp.sys.sun.

SUN-NETS is a discussion list for items pertaining to networking on Sun
systems.
Much of the discussion is related to NFS, Yellow Pages, and name
servers. To subscribe, send a message to
sun-nets-request@umiacs.umd.edu.

SUN-MANAGERS is a discussion list for Sun system administrators and
covers all aspects of Sun system administration. To subscribe, send a
message to sun-managers-request@eecs.nwu.edu.

5.3.5 VIRUS-L

The VIRUS-L list is a forum for the discussion of computer virus
experiences, protection software, and related topics. The list is open
to the public, and is implemented as a mail reflector, not a digest.
Most of the information is related to personal computers, although some
of it may be applicable to larger systems. To subscribe, send the line

     SUB VIRUS-L your full name

to the address listserv%lehiibm1.bitnet@mitvma.mit.edu.

                              * SECTION 6 *

                             SUGGESTED READING

This section suggests some alternate sources of information pertaining
to the security and administration of the UNIX operating system.

UNIX System Administration Handbook
Evi Nemeth, Garth Snyder, Scott Seebass
Prentice Hall, 1989, $26.95

     This is perhaps the best general-purpose book on UNIX system
     administration currently on the market. It covers Berkeley UNIX,
     SunOS, and System V. The 26 chapters and 17 appendices cover
     numerous topics, including booting and shutting down the system,
     the file system, configuring the kernel, adding a disk, the line
     printer spooling system, Berkeley networking, sendmail, and uucp.
     Of particular interest are the chapters on running as the
     super-user, backups, and security.

UNIX Operating System Security
F. T. Grampp and R. H. Morris
AT&T Bell Laboratories Technical Journal
October 1984

     This is an excellent discussion of some of the more common
     security problems in UNIX and how to avoid them, written by two of
     Bell Labs' most prominent security experts.
Password Security: A Case History
Robert Morris and Ken Thompson
Communications of the ACM
November 1979

     An excellent discussion on the problem of password security, and
     some interesting information on how easy it is to crack passwords
     and why. This document is usually reprinted in most vendors' UNIX
     documentation.

On the Security of UNIX
Dennis M. Ritchie
May 1975

     A discussion on UNIX security from one of the original creators of
     the system. This document is usually reprinted in most vendors'
     UNIX documentation.

The Cuckoo's Egg
Clifford Stoll
Doubleday, 1989, $19.95

     An excellent story of Stoll's experiences tracking down the German
     crackers who were breaking into his systems and selling the data
     they found to the KGB. Written at a level that nontechnical users
     can easily understand.

System and Network Administration
Sun Microsystems
May, 1988

     Part of the SunOS documentation, this manual covers most aspects
     of Sun system administration, including security issues. A must
     for anyone operating a Sun system, and a pretty good reference for
     other UNIX systems as well.

Security Problems in the TCP/IP Protocol Suite
S. M. Bellovin
ACM Computer Communications Review
April, 1989

     An interesting discussion of some of the security problems with
     the protocols in use on the Internet and elsewhere. Most of these
     problems are far beyond the capabilities of the average cracker,
     but it is still important to be aware of them. This article is
     technical in nature, and assumes familiarity with the protocols.

A Weakness in the 4.2BSD UNIX TCP/IP Software
Robert T. Morris
AT&T Bell Labs Computer Science Technical Report 117
February, 1985

     An interesting article from the author of the Internet worm, which
     describes a method that allows remote hosts to ``spoof'' a host
     into believing they are trusted. Again, this article is technical
     in nature, and assumes familiarity with the protocols.

Computer Viruses and Related Threats: A Management Guide
John P. Wack and Lisa J.
Carnahan
National Institute of Standards and Technology
Special Publication 500-166

     This document provides a good introduction to viruses, worms,
     trojan horses, and so on, and explains how they work and how they
     are used to attack computer systems. Written for the nontechnical
     user, this is a good starting point for learning about these
     security problems. This document can be ordered for $2.50 from
     the U. S. Government Printing Office, document number
     003-003-02955-6.

                              * SECTION 7 *

                                CONCLUSIONS

Computer security is playing an increasingly important role in our
lives as more and more operations become computerized, and as computer
networks become more widespread. In order to protect your systems from
snooping and vandalism by unauthorized crackers, it is necessary to
enable the numerous security features provided by the UNIX system.

In this document, we have covered the major areas that can be made more
secure:

     + Account security

     + Network security

     + File system security.

Additionally, we have discussed how to monitor for security violations,
where to obtain security-related software and bug fixes, and numerous
mailing lists for finding out about security problems that have been
discovered.

Many crackers are not interested in breaking into specific systems, but
rather will break into any system that is vulnerable to the attacks
they know. Eliminating these well-known holes and monitoring the system
for other security problems will usually serve as adequate defense
against all but the most determined crackers. By using the procedures
and sources described in this document, you can make your system more
secure.

                                REFERENCES

[Eich89]  Eichin, Mark W., and Jon A. Rochlis. With Microscope and
          Tweezers: An Analysis of the Internet Virus of November 1988.
          Massachusetts Institute of Technology. February 1989.

[Elme88]  Elmer-DeWitt, Philip. `` `The Kid Put Us Out of Action.' ''
          Time, 132 (20): 76, November 14, 1988.

[Gram84]  Grampp, F. T., and R. H. Morris.
          ``UNIX Operating System Security.'' AT&T Bell Laboratories
          Technical Journal, 63 (8): 1649-1672, October 1984.

[Hind83]  Hinden, R., J. Haverty, and A. Sheltzer. ``The DARPA
          Internet: Interconnecting Heterogeneous Computer Networks
          with Gateways.'' IEEE Computer Magazine, 16 (9): 33-48,
          September 1983.

[McLe87]  McLellan, Vin. ``NASA Hackers: There's More to the Story.''
          Digital Review, November 23, 1987, p. 80.

[Morr78]  Morris, Robert, and Ken Thompson. ``Password Security: A
          Case History.'' Communications of the ACM, 22 (11): 594-597,
          November 1979. Reprinted in UNIX System Manager's Manual,
          4.3 Berkeley Software Distribution. University of
          California, Berkeley. April 1986.

[NCSC85]  National Computer Security Center. Department of Defense
          Trusted Computer System Evaluation Criteria, Department of
          Defense Standard DOD 5200.28-STD, December, 1985.

[Quar86]  Quarterman, J. S., and J. C. Hoskins. ``Notable Computer
          Networks.'' Communications of the ACM, 29 (10): 932-971,
          October 1986.

[Reed84]  Reeds, J. A., and P. J. Weinberger. ``File Security and the
          UNIX System Crypt Command.'' AT&T Bell Laboratories
          Technical Journal, 63 (8): 1673-1683, October 1984.

[Risk87]  Forum on Risks to the Public in Computers and Related
          Systems. ACM Committee on Computers and Public Policy, Peter
          G. Neumann, Moderator. Internet mailing list. Issue 5.73,
          December 13, 1987.

[Risk88]  Forum on Risks to the Public in Computers and Related
          Systems. ACM Committee on Computers and Public Policy, Peter
          G. Neumann, Moderator. Internet mailing list. Issue 7.85,
          December 1, 1988.

[Risk89a] Forum on Risks to the Public in Computers and Related
          Systems. ACM Committee on Computers and Public Policy, Peter
          G. Neumann, Moderator. Internet mailing list. Issue 8.2,
          January 4, 1989.

[Risk89b] Forum on Risks to the Public in Computers and Related
          Systems. ACM Committee on Computers and Public Policy, Peter
          G. Neumann, Moderator. Internet mailing list. Issue 8.9,
          January 17, 1989.
[Risk90]  Forum on Risks to the Public in Computers and Related
          Systems. ACM Committee on Computers and Public Policy, Peter
          G. Neumann, Moderator. Internet mailing list. Issue 9.69,
          February 20, 1990.

[Ritc75]  Ritchie, Dennis M. ``On the Security of UNIX.'' May 1975.
          Reprinted in UNIX System Manager's Manual, 4.3 Berkeley
          Software Distribution. University of California, Berkeley.
          April 1986.

[Schu90]  Schuman, Evan. ``Bid to Unhook Worm.'' UNIX Today!,
          February 5, 1990, p. 1.

[Seel88]  Seeley, Donn. A Tour of the Worm. Department of Computer
          Science, University of Utah. December 1988.

[Spaf88]  Spafford, Eugene H. The Internet Worm Program: An Analysis.
          Technical Report CSD-TR-823. Department of Computer Science,
          Purdue University. November 1988.

[Stee88]  Steele, Guy L. Jr., Donald R. Woods, Raphael A. Finkel, Mark
          R. Crispin, Richard M. Stallman, and Geoffrey S. Goodfellow.
          The Hacker's Dictionary. New York: Harper and Row, 1988.

[Stei88]  Stein, Jennifer G., Clifford Neuman, and Jeffrey L.
          Schiller. ``Kerberos: An Authentication Service for Open
          Network Systems.'' USENIX Conference Proceedings, Dallas,
          Texas, Winter 1988, pp. 203-211.

[Stol88]  Stoll, Clifford. ``Stalking the Wily Hacker.''
          Communications of the ACM, 31 (5): 484-497, May 1988.

[Stol89]  Stoll, Clifford. The Cuckoo's Egg. New York: Doubleday,
          1989.

[Sun88a]  Sun Microsystems. SunOS Reference Manual, Part Number
          800-1751-10, May 1988.

[Sun88b]  Sun Microsystems. System and Network Administration, Part
          Number 800-1733-10, May 1988.

[Sun88c]  Sun Microsystems. Security Features Guide, Part Number
          800-1735-10, May 1988.

[Sun88d]  Sun Microsystems. ``Network File System: Version 2 Protocol
          Specification.'' Network Programming, Part Number
          800-1779-10, May 1988, pp. 165-185.

                      APPENDIX A - SECURITY CHECKLIST

This checklist summarizes the information presented in this paper, and
can be used to verify that you have implemented everything described.
Account Security

     [ ] Password policy developed and distributed to all users
     [ ] All passwords checked against obvious choices
     [ ] Expiration dates on all accounts
     [ ] No ``idle'' guest accounts
     [ ] All accounts have passwords or ``*'' in the password field
     [ ] No group accounts
     [ ] ``+'' lines in passwd and group checked if running Yellow Pages

Network Security

     [ ] hosts.equiv contains only local hosts, and no ``+''
     [ ] No .rhosts files in users' home directories
     [ ] Only local hosts in ``root'' .rhosts file, if any
     [ ] Only ``console'' labeled as ``secure'' in ttytab (servers only)
     [ ] No terminals labeled as ``secure'' in ttytab (clients only)
     [ ] No NFS file systems exported to the world
     [ ] ftpd version later than December, 1988
     [ ] No ``decode'' alias in the aliases file
     [ ] No ``wizard'' password in sendmail.cf
     [ ] No ``debug'' command in sendmail
     [ ] fingerd version later than November 5, 1988
     [ ] Modems and terminal servers handle hangups correctly

File System Security

     [ ] No setuid or setgid shell scripts
     [ ] Check all ``nonstandard'' setuid and setgid programs for security
     [ ] Setuid bit removed from /usr/etc/restore
     [ ] Sticky bits set on world-writable directories
     [ ] Proper umask value on ``root'' account
     [ ] Proper modes on devices in /dev

Backups

     [ ] Level 0 dumps at least monthly
     [ ] Incremental dumps at least bi-weekly
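The script below is an added example, not part of the original paper or of COPS: a few of the Appendix A items (a bare ``+'' in hosts.equiv, .rhosts files, empty password fields, setuid shell scripts, sticky bits on world-writable directories) and the COPS-style check for changes in the setuid status of programs, written as POSIX shell functions. It runs against a constructed sandbox tree so that it is self-contained; every function takes the root directory as its argument, so the same functions can be pointed at / on a real system.

```shell
#!/bin/sh
# Added example (not from the original paper or COPS): checklist checks
# and a setuid baseline/diff. The tree under $ROOT is constructed sample
# data, not a real system.
umask 022
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/home/alice" "$ROOT/home/bob" "$ROOT/tmp" "$ROOT/usr/bin"
printf 'hostA\n+\nhostB\n' > "$ROOT/etc/hosts.equiv"       # bare ``+'' trusts every host
printf 'root:xyz:0:0::/:/bin/sh\nguest::100:100::/home/guest:/bin/sh\n' \
    > "$ROOT/etc/passwd"                                   # guest has an empty password
touch "$ROOT/home/alice/.rhosts"                           # per-user .rhosts file
printf '#!/bin/sh\necho hi\n' > "$ROOT/usr/bin/suid.sh"
chmod 4755 "$ROOT/usr/bin/suid.sh"                         # setuid shell script
chmod 1777 "$ROOT/tmp"                                     # world-writable, sticky: fine
mkdir -m 0777 "$ROOT/home/bob/drop"                        # world-writable, no sticky bit

# hosts.equiv must not contain a bare ``+'' line.
hosts_equiv_has_plus() { grep -qx '+' "$1/etc/hosts.equiv"; }

# Accounts whose password field is empty (neither a hash nor ``*'').
count_empty_passwords() { awk -F: '$2 == "" { n++ } END { print n+0 }' "$1/etc/passwd"; }

# .rhosts files in users' home directories.
count_rhosts() { find "$1/home" -name .rhosts -type f | wc -l | tr -d ' '; }

# Setuid or setgid files that are scripts (begin with ``#!'') rather than binaries.
count_setuid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sh -c 'head -c 2 "$1" | grep -q "^#!"' _ {} \; -print | wc -l | tr -d ' '
}

# World-writable directories that lack the sticky bit.
count_unsticky_dirs() { find "$1" -type d -perm -0002 ! -perm -1000 | wc -l | tr -d ' '; }

# COPS-style setuid check: record the sorted list of setuid/setgid files
# once, then report any file that has gained the bit since that baseline.
setuid_snapshot() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }
setuid_new_since() { setuid_snapshot "$1" | comm -13 "$2" -; }

BASELINE="$ROOT/setuid.baseline"
setuid_snapshot "$ROOT" > "$BASELINE"
printf 'not a script\n' > "$ROOT/usr/bin/later"
chmod 4755 "$ROOT/usr/bin/later"                           # gains setuid after the baseline

echo "hosts.equiv has +:         $(hosts_equiv_has_plus "$ROOT" && echo yes || echo no)"
echo "empty passwords:           $(count_empty_passwords "$ROOT")"
echo ".rhosts files:             $(count_rhosts "$ROOT")"
echo "setuid scripts:            $(count_setuid_scripts "$ROOT")"
echo "unsticky world-writable:   $(count_unsticky_dirs "$ROOT")"
echo "new setuid since baseline: $(setuid_new_since "$ROOT" "$BASELINE")"
```

On a real system, keep the baseline file somewhere the ``root'' account controls and rerun setuid_new_since from cron so that a program which quietly becomes setuid is reported the same day.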