Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For UNIX

Transcription

1 Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For UNIX

2 Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement Copyright Notice Portions Copyright 2004 Visa U.S.A Inc. All Rights reserved. All information that is made available by Visa is the copyrighted work of Visa U.S.A Inc. and is owned and reprinted with permission, and is provided AS-IS with NO WARRANTY. Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit cisp for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa. Copyright 2004 Symantec Corporation. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, Stevens Creek Blvd., Cupertino, CA Trademarks Symantec, the Symantec logo, and LiveUpdate, are U.S. registered trademarks of Symantec Corporation. Symantec Enterprise Security Manager and Symantec Security Response are trademarks of Symantec Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Visa is a registered trademark of Visa in the United States and other countries. AIX is a registered trademark of IBM Corporation. HP-UX is a registered trademark of Hewlett-Packard Development Company, L.P. Red Hat is a trademark of Red Hat, Inc. Solaris is a registered trademark of Sun Microsystems, Inc. SuSE is a registered trademark of SuSE Linux AG, a Novell business. Linux is a registered trademark of Linus Torvalds. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America.

3 3 Technical support Licensing and registration Contacting Technical Support As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. The Technical Support group s primary role is to respond to specific questions on product feature/ function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works in collaboration with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include: A range of support options that gives you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support Please visit our Web site for current information on Support Programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using. If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at Alternatively, you may go to select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link. Customers with a current support agreement may contact the Technical Support group by phone or online at Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/.

4 4 When contacting the Technical Support group, please have the following: Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes Customer Service To contact Enterprise Customer Service online, go to select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts Information on Symantec Value License Program Advice on Symantec's technical support options Nontechnical presales questions Missing or defective CD-ROMs or manuals

5 Symantec Software License Agreement Symantec Enterprise Security Manager SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ( SYMANTEC ) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS YOU OR YOUR ) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE I DO NOT AGREE OR NO BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE. 1. License: The software and documentation that accompanies this license (collectively the Software ) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a License Module ) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows. You may: A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module. Permission to use the software to assess Desktop, Server or Network machines does not constitute permission to make additional copies of the Software. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software you are authorized to use on a single machine. B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes; C. use the Software to assess no more than the number of Desktop machines set forth under a License Module. Desktop means a desktop central processing unit for a single end user; D. use the Software to assess no more than the number of Server machines set forth under a License Module. Server means a central processing unit that acts as a server for other central processing units; E. use the Software to assess no more than the number of Network machines set forth under a License Module. Network means a system comprised of multiple machines, each of which can be assessed over the same network; F. use the Software in accordance with any written agreement between You and Symantec; and G. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license. You may not: A. copy the printed documentation which accompanies the Software; B. use the Software to assess a Desktop, Server or Network machine for which You have not been granted permission under a License Module; C. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; D. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement; E. continue to use a previously issued license key if You have received a new license key for such license, such as with a disk replacement set or an upgraded version of the Software, or in any other instance; F. continue to use a previous version or copy of the Software after You have installed a disk replacement set, an upgraded version, or other authorized replacement. Upon such replacement, all copies of the prior version must be destroyed; G. use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; H. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor I. use the Software in any manner not authorized by this license. 2. Content Updates: Certain Software utilize content that is updated from time to time (including but not limited to the following

6 Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as Content Updates ). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates. 3. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY. 4. Disclaimer of Damages: SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software. 5. U.S. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are Commercial Items, as that term is defined in 48 C.F.R. section 2.101, consisting of Commercial Computer Software and Commercial Computer Software Documentation, as such terms are defined in 48 C.F.R. section (a)(5) and 48 C.F.R. section (a)(1), and used in 48 C.F.R. section and 48 C.F.R. section , as applicable. Consistent with 48 C.F.R. section , 48 C.F.R. section , 48 C.F.R. section through , 48 C.F.R. section , and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, Stevens Creek Blvd., Cupertino, CA 95014, United States of America. 6. Export Regulation: Export or re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of the Software to any entity not authorized by, or that is specified by, the United States Federal Government is strictly prohibited. 7. General: If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the

7 laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Authorized Service Center, Postbus 1029, 3600 BA Maarssen, The Netherlands, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

8 8

9 Contents Symantec ESM Policy Manual for Visa CISP for UNIX Introducing the policy About the policy About Visa CISP Installing the policy Before you install Installing the policy LiveUpdate installatio n...14 Manual installatio n Account Integrity Shells tem p late files...20 File Access File Attributes File Atrib utes tem p late files...22 File Find File Watch File Watch tem p late files...25 Login Parameters Network Integrity Object Integrity OS Patches Patch tem p late files...31 Password Strength Startup Files Servic es tem p late files...36 System Auditing Eventauditing and Sy stem call m apping tem p late files...37 System Mail System Queues User Files... 39

10 10 Contents

11 Symantec ESM Policy Manual for Visa CISP for UNIX This document includes the following topics: Introducing the policy Installing the policy Note: Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa.

12 12 Symantec ESM Policy Manual for Visa CISP for UNIX Introducing the policy Introducing the policy About the policy About Visa CISP Visa announced the launch of its Cardholder Information Security Program (CISP) in April CISP defines a standard of due care for securing Visa cardholder data. CISP compliance is required of all entities that store, process, or transmit Visa cardholder data. The Symantec ESM policy for Visa CISP assesses compliance with technical requirements and also provides information needed to assess compliance with many of the manual requirements of the Visa CISP Security Audit Procedures and Reporting guidelines. This Symantec ESM policy for Visa CISP assesses compliance with many of the standard s compliance requirements. This policy can be installed on Symantec ESM 5.5. and 6.0 managers running Security Update 18 or later on the following operating systems: IBM AIX 4.x and 5.x Hewlett-Packard HP-UX versions 10.x and 11.x Red Hat Linux Enterprise Server versions 2.1 and 3 Sun Solaris versions 8 and 9 SUSE Linux Standard Server version 8 Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa. In April 2000, Visa announced the launch of its Cardholder Information Security Program (CISP). Because the payment industry places a high priority on maintaining the confidentiality and integrity of account and personal data, CISP was developed to ensure that merchants and service providers adequately protect Visa cardholder data. Mandated in June 2001, CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data. Intended to protect Visa cardholder data, this program establishes requirements

13 Symantec ESM Policy Manual for Visa CISP for UNIX Introducing the policy 13 for safeguarding personally identifiable information with a list of 12 security requirements and detailed sub-requirements. The CISP Requirements 1. Install and maintain a working firewall to protect data 2. Keep security patches up-to-date 3. Protect stored data 4. Encrypt data sent across public networks 5. Use and regularly update anti-virus software 6. Restrict access by need to know 7. Assign unique ID to each person with computer access 8. Don t use vendor-supplied defaults for passwords and security parameters 9. Track all access to data by unique ID 10. Regularly test security systems and processes 11. Implement and maintain an information security policy 12. Restrict physical access to data Note: The full text of these references is available on the VISA Web site,

14 14 Symantec ESM Policy Manual for Visa CISP for UNIX Installing the policy Installing the policy Before you install Installing the policy Decide which Symantec ESM managers require the policy. Policies run on managers. They do not need to be installed on agents. The policy runs on only Symantec ESM 5.5 or later, with Security Update 18 or later. Update any managers that do not meet these requirements. The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. Another method is to use files from a CD or the Internet to install the policy manually. LiveUpdate installation Install the policy by using the LiveUpdate feature in the Symantec ESM console. To install the policy 1 Connect the Symantec ESM Enterprise Console to managers where you want to install the policy. 2 Click the LiveUpdate icon to start the LiveUpdate Wizard. 3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next. 4 In the Welcome to LiveUpdate dialog box, click Next. 5 Do one of the following: 6 Click Next. To install all checked products and components, click Next. To omit a product from the update, uncheck it, and then click Next. To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next. 7 Click Finish. 8 Ensure that all the managers that you want to update are checked. 9 Click Next. 10 Click OK. 11 Click Finish.

15 Symantec ESM Policy Manual for Visa CISP for UNIX Installing the policy 15 Manual installation If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a CD or the Internet. To obtain policy files 1 Connect the Symantec ESM Enterprise Console to managers that you want to update. 2 From the Security Response Web site ( download the executable files for the following operating systems: AIX 4.x.x through 5.x.x Solaris 2.6 through 2.9 Red Hat Linux 2.1 and 3 HP-UX 10.x and 11.x SuSE Linux Standard Server 8 Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually Program Files/Symantec/LiveUpdate. To install the policy on a Symantec ESM manager 1 On a computer running Windows NT/2000/XP/Server 2003 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site. 2 Click Next to close the Welcome dialog box. 3 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes. 4 Click Yes to continue installation of the best practice policy. 5 Type the requested manager information. 6 Click Next. If the manager s modules have not been upgraded to Security Update 18 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 18 or later, then rerun the install program. 7 Click Finish.

16 16 Symantec ESM Policy Manual for Visa CISP for UNIX Account Integrity The VISA CISP policy includes the following modules to manage compliance with many of the technical and some administrative aspects. The enabled checks of each module are listed with the standards that they address and a brief rationale for enabling the check. Associated name lists and templates are also listed. Because the standard does not require specific values, default values and templates have been provided. The policy is read-only but can be copied or renamed according to the needs of your corporate security policy. See the current Symantec Enterprise Security Manager Security Update User s Guide for Windows for check and message information. The Account Integrity module creates and maintains user and group snapshot files on each agent where the module runs. The module reports new, changed, and deleted users and groups between snapshot updates as well as account privileges and other information. Illegal login shells Configure system security parameters to prevent The presence of unauthorized login shells could indicate compromised access controls. Setuid login shells Configure system security parameters to prevent Setuid login shells could allow inadvertent access to unauthorized users. Setgid login shells Configure system security parameters to prevent Setgid login shells could allow inadvertent access to unauthorized users. Login shell owners Configure system security parameters to prevent Login shells that are not owned by system accounts (root or bin) can be replaced with Trojan versions that are capable of unauthorized activity. Login shell permissions Configure system security parameters to prevent Login shells that are writeable by group or world can be replaced with Trojan versions that are capable of unauthorized activity.

17 Symantec ESM Policy Manual for Visa CISP for UNIX 17 Home directories Configure system security parameters to prevent Immediately revoke accesses of terminated users. Inconsistent home directory configurations could indicate incomplete account termination and could result in unauthorized access. Group IDs Configure system security parameters to prevent Undefined groups could result in inadvertent inheritance of unauthorized access privileges. Home directory permissions Configure system security parameters to prevent Home directories can contain cardholder data and control files that could lead to unauthorized access to cardholder data. This policy ships with a default setting of 750, but should be changed to reflect your corporate policy. New accounts Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Review all changes that were made to the /etc/ password and /etc/group files after the last snapshot update to ensure that unauthorized access has not been granted. Deleted accounts Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects. Immediately revoke accesses of terminated users. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Review all changes that were made to the /etc/ password and /etc/group files after the last snapshot update to ensure that authorized access has not been removed.

18 18 Symantec ESM Policy Manual for Visa CISP for UNIX Changed accounts Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Review all changes that were made to the /etc/ password and /etc/group files after the last snapshot update to ensure that unauthorized access has not been granted. New groups Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Review all changes that were made to the /etc/ password and /etc/group files after the last snapshot update to ensure that unauthorized access has not been granted. Deleted groups Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Review all changes that were made to the /etc/ password and /etc/group files after the last snapshot update to ensure that authorized access has not been removed. Changed groups Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Review all changes that were made to the /etc/ password and /etc/group files after the last snapshot update to ensure that unauthorized access has not been granted. Duplicate IDs 7.1 Uniquely identify all users before allowing them access to system resources or cardholder information. Each user must have a unique id.

19 Symantec ESM Policy Manual for Visa CISP for UNIX 19 Reserved UID/GID Configure system security parameters to prevent Privileged access to system files could lead to unauthorized access. UIDs and GIDs between 0 and 100 should be reviewed for appropriateness. Accounts should be disabled 8.1 Always change the vendor-supplied defaults before installing a system on the network. Allowing logins on these accounts could lead to unauthorized access. Remote-only accounts Password in /etc/ passwd (Best Practices) Configure system security parameters to prevent Configure the networking subsystems to protect against known attacks. These accounts could provide a channel for unauthorized network access to the host. Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. A common password guessing attack involves trying strings found in the /etc/passwd file. User shell compliance Configure system security parameters to prevent The presence of unauthorized login shells could indicate compromised access controls. Local disks only N/A This option is required for systems that use NFS to serve home directories. Local accounts only N/A This option is required for systems that use NIS to manage the password and group files.

20 20 Symantec ESM Policy Manual for Visa CISP for UNIX Shells template files Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer. You can edit the template files by copying them into another directory and renaming them. The Account Integrity module uses the Shell template files shown below for specific operating systems. OS File name Template name AIX aix45shc.shc Shells -all HP-UX hp1011shc.shc Shells - all Red Hat lnxes2-3.shc Shells - all Solaris sol26shc.shc Shells - all SUSE Linux lnxsuse8.shc Shells - all File Access The File Access module checks read, write, and execute permissions on specified files, and reports user accounts that are allowed to access the files. It also examines access control lists (ACLs) on AIX. Write permission Configure system security parameters to prevent Granting write permissions to accounts other than root for the listed files could allow unauthorized access.

21 Symantec ESM Policy Manual for Visa CISP for UNIX 21 File Attributes The File Attributes module reports changes to file creation and modification times, file sizes, and CRC/MD5 checksum signatures. It also reports violations of file permissions that are specified in template files. User ownership Group ownership Permissions Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Improper file ownership controls could result in unauthorized access. Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Improper group ownership controls could result in unauthorized access. Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Improper file permissions could result in unauthorized access. Changed file (creation time) Changed file (modification time) Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files could indicate unauthorized access. Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files could indicate unauthorized access. Changed file (size) Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files could indicate unauthorized access.

22 22 Symantec ESM Policy Manual for Visa CISP for UNIX Changed file (signature) Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files could indicate unauthorized access. Local disks only N/A This check is required for systems that use NFS to serve home directories. Ignore symbolic links N/A Examining symbolic links could produce false positive alerts. File Attributes template files Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer. You can edit the template files by copying them into another directory and renaming them. File and directory permissions are compared with settings in New File templates. The module uses the following File Attributes template files for specific operating systems: OS File name Template name AIX 4, 5 fileatt.aix New File - AIX HP-UX fileatt.hpx New File - HPUX Red Hat Linux fileatt.li New File - Linux Solaris fileatt.sol New File - Solaris 2.6 SUSE Linux fileatt.sl New File - SuSE Linux File Find The File Find module reports weaknesses in file permissions and configuration files. Setuid files Configure system security parameters to prevent Setuid files should be carefully examined to ensure that they are not used for unauthorized access.

23 Symantec ESM Policy Manual for Visa CISP for UNIX 23 Setgid files Configure system security parameters to prevent Setgid files should be carefully examined to ensure that they are not used for unauthorized access. New setuid files New setgid files Configure system security parameters to prevent Perform critical file comparisons at least daily (or more frequently if the process can be automated). Setuid files should be carefully examined to ensure that they are not used for unauthorized access. Configure system security parameters to prevent Perform critical file comparisons at least daily (or more frequently if the process can be automated). Setgid files should be carefully examined to ensure that they are not used for unauthorized access. World writeable directories without sticky bit Device files not in /dev World writeable files Uneven file permissions Unowned directories/files Configure system security parameters to prevent World writeable directories without the sticky bit allows any user to delete files in the directory Configure system security parameters to prevent Misplaced device files could indicate system compromise and could be used to gain unauthorized access to other system resources Configure system security parameters to prevent World writeable files could be used to gain unauthorized access Configure system security parameters to prevent Uneven permissions could result in unauthorized access Configure system security parameters to prevent Access to unowned directories and files could be inadvertently inherited by newly created accounts and groups. Local disks only N/A This option is required for systems that use NFS to serve home directories.

24 24 Symantec ESM Policy Manual for Visa CISP for UNIX File Watch The File Watch module creates and maintains a snapshot file for each agent where you run the module that stores file information. The File Watch template specifies the files or directories to be checked, the depth of directory traversal, and the types of changes to be evaluated. Malicious File Watch templates identify known attack signatures for malicious files checks. Changed files (ownership) Changed files (permissions) Changed files (signature) Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical files comparisons at least daily, or more frequently if the process can be automated. Changes to ownership could indicate unauthorized access. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical files comparisons at least daily, or more frequently if the process can be automated. Changes to file permissions could indicate unauthorized access. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical files comparisons at least daily, or more frequently if the process can be automated. Changes to the listed files could indicate unauthorized access. New files Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical files comparisons at least ddaily, or more frequently if the process can be automated. Files that are added to the watch directories could indicate unauthorized access.

25 Symantec ESM Policy Manual for Visa CISP for UNIX 25 Removed files Malicious files Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical files comparisons at least daily, or more frequently if the process can be automated. Files that are removed from the watch directories could indicate unauthorized access. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical files comparisons at least daily, or more frequently if the process can be automated. The presence of known malware could indicate system compromise. Local disks only N/A This check is required for systems that use NFS to serve home directories. Automatically update snapshots N/A N/A File Watch template files Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer. You can edit the template files by copying them into another directory and renaming them. OS File name Template name All UNIX, Linux unix.fw File Watch - all Red Hat Linux All UNIX, Linux lnxadore_policy.mfw lnxlion_policy.mfw lnxt0rn_policy.mfw unix_policy.mfw unixhide_policy.mfw Malicious File Watch - all Malicious File Watch - all Note: Do not edit Malicious File Watch files. You can add new File templates to a copy of this policy or you can add files to copies of default templates to expand the scope of files that are monitored for changes. To meet your company s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and

26 26 Symantec ESM Policy Manual for Visa CISP for UNIX more information about specific checks and messages, see the current Symantec ESM Security Update User s Guide.

27 Symantec ESM Policy Manual for Visa CISP for UNIX 27 Login Parameters The Login Parameters module reports accounts, resources and settings that are inconsistent with proper authorized usage. Inactive accounts Remove inactive user accounts at least every 90 days. Unused accounts must be terminated. Unused accounts could allow unauthorized access. Login failures Monitor system access attempts. Limit repeated attempts by locking out the user ID after a specific number of failed attempts. Excessive login failures could indicate an attempt to gain unauthorized access. This policy ships with a default setting of 30 days, but should be changed to reflect your corporate policy. Password expired Immediately revoke accesses of terminated users. Remove inactive user accounts at least every 90 days. Expired passwords could indicate an unused account that has not been terminated. Unused accounts could allow unauthorized access. Successful login attempts not logged Unsuccessful login attempts not logged Successful su attempts not logged Unsuccessful su attempts not logged Audit all actions taken by any user with root or administrative privileges. Certain system activities, including logins, must be logged and audited to monitor for abuse of privilege Audit invalid logical access attempts. Unsuccessful logins could indicate an attempt to gain unauthorized access. This activity must be logged and audited Audit all actions taken by any user with root or administrative privileges. Certain system activities, including privilege escalation, must be logged and audited to monitor for abuse of privilege Audit invalid logical access attempts. Unsuccessful privilege escalation could indicate an attempt to gain unauthorized access. This activity must be logged and audited.

28 28 Symantec ESM Policy Manual for Visa CISP for UNIX Remote root logins Audit all actions taken by any user with root or administrative privileges. Remote root login on an untrusted channel could indicate unauthorized access. Locked accounts Monitor system access attempts. Limit repeated attempts by locking out the user ID after a specific number of failed attempts. Accounts are usually locked due to excessive login failures. Locked accounts could indicate attempt to gain unauthorized access. Password changes failed Devices with failed logins Login retries (AIX, HP-UX, Red Hat Linux) Configure the network subsystems to protect against known attacks. Excessive password change failures could indicate an attempt to guess a password Audit invalid logical access attempts. Excessive login failures could indicate an attempt to gain unauthorized access Monitor system access attempts. Limit repeated login attempts by locking out the user ID after a specific number of failed attempts. Allowing excessive login attempts makes an account vulnerable to a password guessing attack. This policy ships with a default setting of five attempts. Local disks only N/A This option is required for systems that use NFS to serve home directories. Local accounts only N/A This option is required for systems that use NFS to serve home directories.

29 Symantec ESM Policy Manual for Visa CISP for UNIX 29 Network Integrity The Network Integrity module reports system configuration settings that pertain to authentication and remote access. Trusted hosts/users 6.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. The Berkeley trust mechanism is one of the most common vulnerabilities that is exploited by attackers. The mechanism does not properly authenticate users. Other means, such as SSH, should be used instead. FTP enabled TFTP Listening TCP ports Configure system security parameters to prevent Configure the network subsystems to protect against known attacks. FTP is another frequently exploited vulnerability. Other means, such as SSH, should be used instead. Configure system security parameters to prevent Configure the network subsystems to protect against known attacks. TFTP is one of the most common vulnerabilities that is exploited by attackers. The mechanism does not properly authenticate users. Encrypt non-console administrative access. User technologies such as SSH or VPN. Disable all unnecessary services. Unauthorized listening ports could not be properly protected against common threats. New listening TCP ports Modified listening TCP ports Encrypt non-console administrative access. User technologies such as SSH or VPN. Disable all unnecessary services. Review new listening ports since the last snapshot to ensure that they are authorized. Encrypt non-console administrative access. User technologies such as SSH or VPN. Disable all unnecessary services. Review modified listening ports to ensure they are still in accordance with policy and requirements after the changes.

30 30 Symantec ESM Policy Manual for Visa CISP for UNIX Listening UDP ports Disable all unnecessary services. Unauthorized listening ports could not be properly protected against common threats. New listening UDP ports Modified listening UDP ports Access control (xhost) Disable all unnecessary services. Review new listening ports since the last snapshot to ensure that they are authorized Disable all unnecessary services. Review modified listening ports to ensure that they are still in accordance with policy and requirements after the changes Configure system security parameters to prevent Access to the X console should be explicitly controlled. Object Integrity The UNIX Object Integrity module reports new devices, deleted devices, and any access to disk and memory. The module also creates and maintains the sifdev.dat device snapshot files. Run the module one time to create the baseline snapshot file on each agent, then periodically rerun the module to detect change. Check CISP Section Rationale New devices Changed devices Disk and memory access Limit access to only those whose job requires it, also remove all unnecessary functionality. Limit access to only those whose job requires it, also remove all unnecessary functionality. Limit access to only those whose job requires it, also remove all unnecessary functionality.

31 Symantec ESM Policy Manual for Visa CISP for UNIX 31 OS Patches The OS Patches module reports patches that are defined in the UNIX patch template files for AIX, HP-UX, Solaris, and Linux but are not installed on the agent. OS Patches Make sure all systems and software have the latest vendor-supplied security patches. Keep up with vendor changes and enhancements to security patches. Install new/modified security patches within one month of release. Unpatched systems are the most common cause of technical security exploits. Patching known vulnerabilities constitutes an effective protection against anticipated threats. Superseded N/A N/A Patch template files Symantec uses LiveUpdate every two weeks to overwrite the template files that are loaded on your system. Note: Do not edit, move, or change your Patch template files. The Patch module uses the following template files. OS File name Template name AIX patch.pai Patch - AIX HP-UX patch.ph1 Patch- HP-UX 10/11 Red Hat Linux patch.plx Patch - Linux Solaris patch.ps6 Patch - Solaris 2.6 This template contains patches for Solaris 2.6 through 2.9 SUSE Linux patch.psl Patch - SUSE Linux

32 32 Symantec ESM Policy Manual for Visa CISP for UNIX Password Strength The Password Strength module examines system parameters that control the construction, change, aging, expiration, and storage of passwords. Password = username Password = any username Password within GECOS field Password = wordlist word (Best Practices) (Best Practices) (Best Practices) (Best Practices) Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require the users to change them immediately. Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require the users to change them immediately. Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require the users to change them immediately. Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require the users to change them immediately. Reverse order (Best Practices) Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require the users to change them immediately. Double occurrences (Best Practices) Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require the users to change them immediately.

33 Symantec ESM Policy Manual for Visa CISP for UNIX 33 Plural forms (Best Practices) Uppercase (Best Practices) Lowercase (Best Practices) Guessed password (Best Practices) Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords do not meet the GLBA requirement for adequate authentication and access controls. Login requires password (Best Practices) Ensure proper user authentication and password management for non-consumer users. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Accounts without passwords could allow unauthorized access.