NSWC PHD Engineering Directorate ADP Unix Operations and Security


Status

THIS IS AN INTERNAL DOCUMENT VIEWABLE ONLY FROM PHD_NSWC NET


This is a work in progress. It is the result of several years of work and is in practice by personnel of Code 4A05C and the co-administrators within Codes 1000, 4000 and 5000 at NSWC PHD, and on co-administered sites running Sun and other Unix at neighbor activities.

This work attempts to document the practices and procedures which have evolved with the counsel of other government activities, agencies and their consultants, as well as from the practical experiences of others in similar fields.

Please mail comments to sman@suned1.nswses.navy.mil


Unix Security Considerations

- 4A05 Unix Admin Personnel

-- The following personnel, in order of experience, are responsible for the daily operation and maintenance of SunOS (Unix) OpenWindows:

  • Ev Batey
  • Carol Simpson
  • Lloyd Vancil

-- The following personnel, in order of experience, are responsible for maintenance of Personal Computer DOS/Microsoft Windows Networking Software (PCNFS WFWG NETBIOS):

  • Lloyd Vancil
  • Ev Batey
  • Carol Simpson

-- 4A05 personnel are responsible for host and client operation of UNIX and PCNFS/NETBIOS on the following unclassified networks:

    137.24.x.x, 199.122.8 - 199.122.15.

-- 4A05 personnel share responsibility for host and client operation of UNIX and PCNFS/NETBIOS on the following unclassified networks:

  • NFESC
  • CBC
  • CESO
- Responsibilities

    All 4000 administered and 4000 co-administered Unix hosts, and hosts outside 4000 but within NSWC Divisions and in other DON and DOD activities as requested. 4A05 personnel are responsible for operating, maintaining, administering, upgrading and maintaining backups of:

  • Security: COPS, CRACK, WRAPPERS
  • Mail
  • Usenet News
  • User accounts
  • User Applications
  • Use Accounting Files

- Delegation of authority

    Personnel outside of 4A05 who are judged:

  • to be of responsible nature,
  • to possess sufficient knowledge, and
  • to have a continuing need

    shall be given user authority over certain, normally root-privileged, commands via such devices as Sudo and FSU. This authority may be revoked at any time by any of the 4A05 personnel for cause, or by direction of station security or station management.

ADP Security

- Advisors

    The following groups, in order of trust, shall be used by 4A05 personnel for resolution and evaluation of ADP security related issues:

  • NAVSECGRU
  • NAVCIRT
  • DISA ASSIST
  • ADP-SEC Community peers
  • vendors

- Items covered

  • Passwords, user accounts
  • Privileged commands (SUID, root)
  • Log files and history of logins
  • Security search and report files
  • TCP and Portmap Wrappers, wrapper hit logs
  • /etc/hosts, /etc/hosts.allow, /etc/hosts.deny, /etc/hosts.equiv
  • hosts default routes

- Processes

    All the "items covered" will be edited in keeping with mission needs by the above Admin Security Personnel. None of these files (data or executables) will be changed except by, or under the direction of, the Admin Security Personnel.

- Current procedures

  • All hosts run WRAPPERS (tcp and portmap / rpc.bind where compilable) or are off net.
  • On all hosts, /etc/hosts.equiv exists and is zero length.
  • On all hosts, /etc/hosts.{allow,deny} are maintained by Admin Security Personnel.
  • On all hosts, /etc/inetd.conf contains at least the basic lines common on all servers.
  • Only suned1, slced1 and engsun, the most highly wrapped and monitored hosts, will be fully open to the internet, except for brief periods supervised by root-privileged individuals during working hours and with notice to Admin Security Personnel.
  • Passwords are maintained according to guidance from NAVCIRT, CERT and NAVSECGRU, such that they are not cracked or crackable by existing technology. Guidance is found in the highest numbered menu script in /usr/local/scr on all hosts, under the for password command.
  • All security patches, once added, will be left unmolested until obsoleted. Security patches will be added as prioritized, as time permits and where appropriate to the known risks.
  • All use logs will be retired and deleted by the Admin Security Personnel when obsoleted. Crontab jobs affecting logging, accounting and their retirement will be managed by the same personnel.
  • ALL users are to be afforded timely resolution processes and resolutions for problems relating to the above procedures, and their input is needed to ensure effective use of all systems.
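The file-level checks in the procedures above (hosts.equiv present and zero length, hosts.allow and hosts.deny present, inetd.conf carrying the basic service lines run through the wrapper) can be audited by a script instead of by hand. The following is an added example written for this page; it is not a script from 4A05 or from the document. It assumes, hypothetically, that the "basic lines common on all servers" are the ftp and telnet entries invoking tcpd, and it builds a constructed sample /etc tree so the check can be exercised away from a live host.

```shell
#!/bin/sh
# Added example (not from the NSWC PHD document): audit a host's wrapper and
# inetd configuration files against the "Current procedures" above.
# ROOT is the filesystem root to inspect; pass / for the live host or a
# constructed tree (see make_sample_tree) for an offline run.

# Hypothetical list standing in for "the basic lines common on all servers".
REQUIRED_INETD_SERVICES="ftp telnet"

# check_hosts_policy ROOT -> returns 0 if every check passes, 1 otherwise,
# printing one ok/FAIL/WARN line per finding.
check_hosts_policy() {
    root=$1
    rc=0
    equiv="$root/etc/hosts.equiv"
    # Procedure: hosts.equiv must exist and be zero length (no host trust granted).
    if [ ! -f "$equiv" ]; then
        echo "FAIL: $equiv missing"; rc=1
    elif [ -s "$equiv" ]; then
        echo "FAIL: $equiv is not zero length (trust granted to listed hosts)"; rc=1
    else
        echo "ok: $equiv exists and is empty"
    fi
    # Procedure: hosts.allow and hosts.deny (the wrapper policy files) must be present.
    for f in hosts.allow hosts.deny; do
        if [ ! -f "$root/etc/$f" ]; then
            echo "FAIL: $root/etc/$f missing"; rc=1
        else
            echo "ok: $root/etc/$f present"
        fi
    done
    # A hosts.deny without a default "ALL: ALL" leaves unlisted services reachable.
    if [ -f "$root/etc/hosts.deny" ] && ! grep -q '^ALL:[[:space:]]*ALL' "$root/etc/hosts.deny"; then
        echo "WARN: $root/etc/hosts.deny has no 'ALL: ALL' default deny"
    fi
    # Procedure: inetd.conf carries the basic service lines, each started via
    # tcpd (the wrapper) rather than the daemon directly.
    conf="$root/etc/inetd.conf"
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf missing"; rc=1
    else
        for svc in $REQUIRED_INETD_SERVICES; do
            line=$(grep "^$svc[[:space:]]" "$conf" | head -n 1)
            if [ -z "$line" ]; then
                echo "FAIL: $conf has no $svc line"; rc=1
            elif ! echo "$line" | grep -q 'tcpd'; then
                echo "FAIL: $svc in $conf is not wrapped by tcpd"; rc=1
            else
                echo "ok: $svc wrapped by tcpd in $conf"
            fi
        done
    fi
    return $rc
}

# make_sample_tree DIR yes|no -> builds a constructed /etc tree (not a real
# host's files) that is compliant ("yes") or carries three deviations ("no").
make_sample_tree() {
    dir=$1
    compliant=$2
    mkdir -p "$dir/etc"
    : > "$dir/etc/hosts.equiv"
    printf 'ALL: LOCAL\n' > "$dir/etc/hosts.allow"
    printf 'ALL: ALL\n' > "$dir/etc/hosts.deny"
    # Constructed SunOS-style inetd.conf lines, both run through tcpd.
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/etc/tcpd\tin.ftpd\n' > "$dir/etc/inetd.conf"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/etc/tcpd\tin.telnetd\n' >> "$dir/etc/inetd.conf"
    if [ "$compliant" = no ]; then
        # Deviations: trust granted in hosts.equiv, hosts.deny absent,
        # ftp line gone and telnet started without the wrapper.
        printf 'trustedhost\n' > "$dir/etc/hosts.equiv"
        rm -f "$dir/etc/hosts.deny"
        printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/etc/in.telnetd\tin.telnetd\n' > "$dir/etc/inetd.conf"
    fi
}

# Usage on a live host: sh check_hosts_policy.sh /
if [ $# -gt 0 ]; then
    check_hosts_policy "$1"
fi
```

Run with `/` as the argument to audit the host the script is on; the exit status makes it usable from cron alongside the log-retirement jobs the procedures mention, with the FAIL lines mailed to the Admin Security Personnel.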
- Users

    A user's Bill of Rights and Responsibilities

    1. The user is a respected and vital member of our team. If we had no users we would not exist.
    2. The user has the right to expect courteous service in a timely manner, and the responsibility to treat system administration personnel with the same courtesy.
    3. The user is entitled to accurate and timely advice, and has the responsibility to be patient in a world of limited budgets and increased workload. Within the limits imposed upon us by the physical world and forces that we cannot control, the user has a right to a properly functioning system.
    4. The user has the right to expect that their data is as secure from outside intrusion and manipulation as current technology and budgets allow.
    5. As a vital member of the team, the user has the responsibility to maintain a proper and secure password so that their data's security can be maintained.
    6. As a vital member of the team, the user has the responsibility to maintain only data that pertains to their Government employment on the system. Disk space is limited and expensive.