Annex to the Implementation Regulation for UNIX Systems at ....
Annex A: AIX Configuration
Table 1: Device files
Table 2: Memory device files
Table 3: Tools that access the memory device files
Table 4: Log files
Table 5: Group file
Table 6: Network files
Table 7: Crash dump files
Table 8: File system table
Table 9: Terminal initialisation data
Table 10: Terminal capability database
Table 11: Scheduled administrative commands
Table 12: System startup command procedures
Table 13: Protection of the user account files
Table 14: Further files in the directories /etc and /usr/sbin
Table 15: Further system files
Table 16: "wall" command
Table 17: "uudecode" command
Table 18: "chroot" command
Table 19: System directories
Table 20: Temporary system directories
Table 21: Recommendations for file protection of user environments
Table 22: User mail files
Table 23: Mail alias file
Table 24: ftp directories
Table 25: ftp files
Table 26: Protection of the audit files
Table 27: Protection of the batch processing files
Table 1: Device files
File/Directory | Owner | Group | Mode | Description
/dev | root | system | 755 | Directory of the device files
/dev/console | root | system | 620 | Separate device file for the console
/usr/sbin/mkdev | root | system | 2550 | Command procedure for installing device files
/dev/[disk]* | root | system | 600 | Buffered disk devices
/dev/r[disk]* | root | system | 600 | Unbuffered disk devices
/dev/rmt/[tape]* | root | system | 666 | Magnetic tape devices.
/dev/tty# | root | tty | 620 | Open terminal device files.
/usr/sbin/mknod | root | system | 744 | Creates device files
Table 2: Memory device files
File/Directory | Owner | Group | Mode | Description
/dev/ipcdevice | root | system | 640 | Points to the paging device
/dev/kmem | root | system | 640 | Image of the kernel in virtual memory
/dev/mvram | root | system | 640 | Non-volatile memory
/dev/mem | root | system | 640 | Image of physical memory
Table 3: Tools that access the memory device files
File/Directory | Owner | Group | Mode
/usr/bin/ps | bin | bin | 755
/usr/bin/iostat | root | bin | 2755
/usr/bin/ipcs | root | bin | 2755
/usr/bin/mail | bin | mail | 6711
/usr/sbin/nfsstat | root | system | 555
/usr/sbin/pstat | bin | bin | 555
/usr/bin/netstat | root | bin | 2755
/usr/bin/uptime | bin | bin | 2755
/usr/bin/vmstat | root | bin | 2755
/usr/bin/w | bin | bin | 2755
Table 4: Log files
File/Directory | Owner | Group | Mode | Description (original)
/etc/syslog.conf | root | system | 644 | Configuration file used to direct syslog(8) messages of various priorities to files, devices, and users.
/etc/utmp | root | system | 644 | Information about logged-in users.
/var/adm/acct | adm | adm | 644 | Raw system accounting data, including user commands executed.
/usr/adm/ras/errlog | root | system | 644 | Error log file.
/etc/security/lastlog | root | security | 644 | User login times.
/usr/adm/pacct | root | system | 644 |
/var/adm/sulog | root | system | 600 | Successful and unsuccessful attempts to gain superuser status using the su command.
/usr/adm/wtmp | root | system | 644 | Successful logins, logouts, shutdowns, and reboots.
/usr/lib/sa | adm | adm | 755 | Prints process accounting statistics.
/etc/security/failedlogin | root | system | 600 | Contains records of failed logins.
/etc/security/audit | root | audit | 750 | Audit directory.
/etc/security/audit/events | root | audit | 640 | Audit events file.
/etc/security/audit/objects | root | audit | 640 | Description of audited objects.
/etc/security/audit/config | root | audit | 640 | Audit configuration file.
/etc/security/audit/bincmds | root | audit | 640 | Command file for processing bin data.
/etc/security/audit/streamcmds | root | audit | 640 | Command file for processing stream data.
Table 6: Network files
File/Directory | Owner | Group | Mode | Description (original)
/etc/exports | root | system | 644 | Local file systems and directories available for NFS support.
/etc/hosts | root | system | 644 | Information about known hosts on the .. Internet.
/etc/hosts.equiv | root | system | 600 | Grants remote user access to local system without password.
/etc/inetd | root | system | 554 | Internet daemon.
/etc/inetd.conf | root | system | 644 | Internet daemon configuration database.
/usr/lib/remote-file | root | system | 644 | Modem information for tip.
/usr/sbin/rexecd | root | system | 554 | Remote execution daemon.
/etc/services | root | system | 644 | List of Internet services.
/etc/X*.hosts | root | system | 644 | Contains server access control list for the workstation's display.
/etc/netgroup | root | system | 644 | Network groups database.
/usr/sbin/ftpd | root | system | 2554 | Ftp daemon.
/usr/bin/rcp | root | system | 2555 | Remote copy program; copies files between machines.
/usr/bin/rdist | root | bin | 2555 | Remote file distribution program; maintains identical copies of files on multiple hosts.
/usr/bin/rlogin | root | system | 2555 | Connects the terminal to a remote
/usr/bin/rsh | bin | bin | 2555 | Shell for executing commands on remote hosts.
/etc/tftpd | root | system | 555 | TFTP daemon.
Table 7: Crash dump files
File/Directory | Owner | Group | Mode | Description (original)
/usr/lib/boot | root | system | 700 | generic dump file information
Table 8: File system table
File/Directory | Owner | Group | Mode | Description
/etc/filesystems | root | system | 644 | File system configuration
Table 9: Terminal initialisation data
File/Directory | Owner | Group | Mode | Description
/etc/security/user | root | system | 644 | Terminal port initialization database.
Terminal capability database
The file /usr/lib/libtermcap/termcap.src describes the capabilities of the different terminal types together with the corresponding requirements and initialisations.
Table 10: Terminal capability database
File/Directory | Owner | Group | Mode | Description
/usr/lib/libtermcap/termcap.src | root | system | 644 | Terminal capability database
Table 11: Scheduled administrative commands
File/Directory | Owner | Group | Mode | Description (original)
/var/spool/cron/crontabs/[user] | [user] | cron | 644 | Scheduled system administrative commands executed by the cron command. Link to /usr/bin/crontab.
/usr/adm/cron/at.allow and /usr/adm/cron/at.deny | bin | cron | 640 | Respectively control who may or may not use the cron facility for batch jobs.
Table 12: System startup command procedures
File/Directory | Owner | Group | Mode | Description (original)
/etc/inittab | root | system | 600 | System init control file.
/etc/rc | root | system | 600 | Generic startup command script.
/etc/rc.* | bin | bin | 550 | Site and application specific startup files.
Table 13: Protection of the user account files
File/Directory | Owner | Group | Mode | Description
/etc/passwd | root | system | 644 | Basic user-account information used in conjunction with the authorization database (/etc/security/passwd).
/etc/passwd.dir | root | system | 644 | Directory for password database.
/etc/passwd.pag | root | system | 644 | Data for password database.
/etc/security/.ids | root | system | 210 | Sequence number file for mkuser.
/etc/security/login.cfg | root | security | 660 | Password rules, terminal controls, allowed shells and herald.
/etc/security/group | root | security | 640 | Additional group information.
/etc/security/passwd | root | security | 600 | Contains encrypted passwords plus timestamps and other information.
/etc/security/user | root | security | 640 | Contains extended user attributes, ttys, login, rlogin, su limitations, etc.
/etc/security/environ | root | security | 640 | Exceptions to default environment information specified in /etc/environment.
/etc/environment | root | security | 664 | Specifies basic environment for all processes.
/etc/security/limits | root | security | 640 | Contains resource information for users.
/etc/security/mkuser.default | root | security | 640 | Defaults for generating a new user.
/etc/security/failedlogin | root | security | 644 | Failed login file.
/etc/profile | bin | bin | 555 | System wide login profile for all users.
/etc/tftpaccess.ctl | root | system | 644 | Access to this system via tftp rules file.
Table 14: Further files in the directories /etc and /usr/sbin
File/Directory | Owner | Group | Mode
/etc/services | root | system | 644
/etc/xtab | root | system | 660
/usr/sbin/htable | bin | bin | 755
/usr/sbin/init | root | system | 755
/usr/sbin/install | root | system | 700
/usr/sbin/mklost+found | bin | bin | 755
/usr/sbin/ncheck | bin | bin | 555
/usr/sbin/netgroup | root | system | 644
/usr/sbin/pac | root | printq | 754
/usr/sbin/portmap | root | system | 555
/usr/sbin/sendmail.cf | root | system | 600
/usr/sbin/snmpd.conf | root | system | 600
All directories in /usr/sbin must be protected as follows:
Owner: | root
Group: | system
Mode: | 755
All other files in the directories /etc and /usr/sbin that are not listed above must be given at least the following protection:
Owner: | root
Group: | system
Mode: | 644
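The owner/group/mode triples in these tables, together with the "at least the following protection" rule for unlisted files, can be checked mechanically on a running host. The following Python script is an added example and not part of the annex: BASELINE is a constructed excerpt of the tables, every listed mode is treated as the loosest permitted setting (the annex states this only for the unlisted-file default; applying it to all entries is this example's assumption), and check_constructed_file exercises the same logic on a temporary file so that it runs anywhere.

```python
import grp
import os
import pwd
import tempfile

# Constructed excerpt of the annex's tables as (owner, group, octal mode).
BASELINE = {
    "/etc/security/passwd": ("root", "security", "600"),  # Table 13
    "/usr/bin/passwd": ("root", "security", "2555"),      # Table 15
    "/tmp": ("root", "system", "1777"),                   # Table 20
}
DEFAULT_ENTRY = ("root", "system", "644")  # floor for unlisted /etc, /usr/sbin files (Table 14)

def name_of(lookup, ident, field):
    try:
        return getattr(lookup(ident), field)  # uid/gid -> name via pwd/grp
    except KeyError:
        return str(ident)  # unknown id: report the number

def check_entry(path, expected, st):
    """Findings for one file (its os.stat result) against an (owner, group, mode) entry.
    The table mode is treated as a ceiling: tighter is fine, any extra bit is a finding."""
    ceiling, actual_mode = int(expected[2], 8), st.st_mode & 0o7777
    have = {"owner": name_of(pwd.getpwuid, st.st_uid, "pw_name"),
            "group": name_of(grp.getgrgid, st.st_gid, "gr_name")}
    findings = [f"{path}: {what} {have[what]}, baseline {want}"
                for what, want in (("owner", expected[0]), ("group", expected[1]))
                if have[what] != want]
    extra = actual_mode & ~ceiling  # includes the setuid, setgid and sticky bits
    if extra:
        findings.append(f"{path}: mode {actual_mode:04o} exceeds {ceiling:04o} "
                        f"(extra bits {extra:04o})")
    return findings

def audit(baseline=BASELINE, extra_paths=(), default=DEFAULT_ENTRY):
    """Check listed paths plus extra_paths (Table 14 floor); files absent on this host are skipped."""
    report = []
    for path, expected in list(baseline.items()) + [(p, default) for p in extra_paths]:
        try:
            st = os.stat(path)  # follow symlinks: the target's bits are what matter
        except FileNotFoundError:
            continue
        report.extend(check_entry(path, expected, st))
    return report

def check_constructed_file(mode):
    """Constructed case: a temp file of ours set to `mode`, checked against a 600 ceiling."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        st = os.stat(path)
        me = (name_of(pwd.getpwuid, st.st_uid, "pw_name"), name_of(grp.getgrgid, st.st_gid, "gr_name"))
        return check_entry(path, me + ("600",), st)
    finally:
        os.unlink(path)
```

Calling audit() on an AIX host returns one line per deviation; an empty list means every listed file is at or below its table entry.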
Table 15: Further system files
File/Directory | Owner | Group | Mode | Description (original)
/usr/bin/passwd | root | security | 2555 | Change password command.
/usr/lbin/expreserve | bin | bin | 555 | Preserves vi backup files.
/usr/lbin/exrecover | bin | bin | 555 | Recovers vi backup files.
/usr/sbin/sendmail | root | system | 6511 | Network mailer program.
/usr/lprm | bin | bin | 555 | Removes jobs from a printer queue.
/usr/lib/boot/unix | root | system | 555 | AIX operating system boot file image. Write protection of this file is critical.
/etc/security/sysck.cfg | root | security | 640 | File definitions for tcb
Table 16: "wall" command
File/Directory | Owner | Group | Mode | Description
/usr/sbin/wall | bin | bin | 550 | Screen messages to all logged-in users.
Table 17: "uudecode" command
File/Directory | Owner | Group | Mode | Description
/usr/bin/uudecode | uucp | uucp | 111 | Decodes files that were encoded with /usr/bin/uuencode
Table 18: "chroot" command
File/Directory | Owner | Group | Mode | Description
/usr/bin/chroot | bin | bin | 500 | Changes the root directory for a command
Table 19: System directories
File/Directory | Owner | Group | Mode | Description (original)
/ | root | system | 755 | Root of all file systems and home directory of the superuser.
/bin | root | system | 755 | Single user commands.
/etc | root | system | 755 | System management commands.
/etc/security | root | security | 750 | Audit subsystem files.
/usr | root | system | 755 | A file system hierarchy.
/usr/adm or /var/adm | root | system | 755 | Administrative information.
/usr/sbin | bin | bin | 755 | System utilities and files used to boot the machine and mount the /usr file system.
/usr/mbin | bin | bin | 755 | Multi-byte versions of utilities and commands in /usr/bin.
/export | root | system | 775 | File tree for binaries and data for diskless clients.
/usr/bin | bin | bin | 755 | Additional user commands.
/usr/etc | root | system | 755 | More system management commands.
/usr/kits/usr/var/kits | root | system | 755 | Directories for user installed product commands.
/usr/lib | bin | bin | 755 | Many system executables, such as the compiler and system libraries.
/usr/local | root | system | 755 | Commands with a local origin.
/usr/ucb | bin | bin | 775 | Certain Berkeley extension commands.
/usr/share | bin | bin | 755 | Shareable text files.
Table 20: Temporary system directories
File/Directory | Owner | Group | Mode | Description
/tmp | root | system | 1777 | Writable directory for temporary files
/var/tmp | root | system | 1777 | Writable directory for temporary files
/usr/tmp | root | system | 1777 | Writable directory for temporary files
Table 21: Recommendations for file protection of user environments
File/Directory | Owner | Group | Mode | Description (original)
.cshrc | user's name | user's group | 640 | Environment file for C shell.
.forward | user's name | user's group | 640 | Mail forwarding address. Use for temporary forwarding only. Write access allows an attacker to redirect mail or specify that a malicious /tmp program be run upon receipt of mail.
.kshrc | user's name | user's group | 640 | Environment file for KornShell.
.login | user's name | user's group | 640 | Environment file for csh shell.
.logout | user's name | user's group | 640 | Environment file for csh shell.
.mailrc | user's name | user's group | 640 | Environment file for mail.
.netrc | user's name | user's group | 600 | Information used for ftp auto-login.
.plan | user's name | user's group | 644 | Message displayed by the finger command.
.profile | user's name | user's group | 640 | Environment file for the sh, sh5, ksh shells.
.project | user's name | user's group | 644 | Message text displayed by the finger command. See related guideline in Section 2.2.3.4.
.Xdefaults | user's name | user's group | 640 | Xwindows file.
.mwmrc | user's name | user's group | 640 |
.Xinitrc | user's name | user's group | 750 | X11 session initialization.
.hushlogin | user's name | user's group | 640 | No messages at login time.
Owner: | user (except accounts for special purposes)
Group: | system
Mode: | 751
Table 22: User mail files
File/Directory | Owner | Group | Mode | Description
/var/spool/mail/[username] | [user] | mail | 600 | The user's mail file
/var/spool/mail | root | mail | 755 | Directory of the mail files
Table 23: Mail alias file
File/Directory | Owner | Group | Mode | Description (original)
/etc/aliases | root | system | 640 | Mail aliases file.
/etc/aliasesDB/DB.dir | root | system | 640 | Lookaside files.
/etc/aliasesDB/DB.pag | root | system | 660 | Lookaside files.
/etc/aliasesDB | root | system | 770 | Lookaside files directory.
The following audit classes are defined:
Class name | Event name | Audited event
Processes | PROC_RealUID | setuidx()
| PROC_AuditID | setuidx()
| PROC_RealGID | setuidx()
| ? PROC_SetPri | setpri()
| ? PROC_Privilege | setpriv()
Files | ? FILE_Privilege | chpriv()
Commands | USER_Login | tsm
| ? SYSCK_Check | syschk
| ? SYSCHK_Update | syschk
| ? SYSCHK_Install | syschk
| USER_Logout | logout
| USER_Change | chuser
| USER_Remove | rmuser
| USER_Create | mkuser
| USER_SetGroups | setgroups
| USER_SetEnv | setsenv
| USER_SU | su
| GROUP_User | grpchk
| GROUP_Adms | grpchk
| GROUP_Change | chgroup
| GROUP_Create | mkgroup
| GROUP_Remove | rmgroup
| PASSWORD_Change | passwd
| PASSWORD_Flags | pwdadm
| PASSWORD_Check | pwdck
| USER_Shell | shell
Objects | S_ENVIRON_WRITE | /etc/security/environ
| S_GROUP_WRITE | /etc/group
| S_LIMITS_WRITE | /etc/security/limits
| S_LOGIN_WRITE | /etc/security/login.cfg
| S_PASSWD_READ | /etc/security/passwd
| S_PASSWD_WRITE | /etc/security/passwd
| S_USER_WRITE | /etc/security/user
| AUD_CONFIG_WR | /etc/security/audit/config
Auditing of the following users, with the list of audit classes:
Username | Audit class
root | ?????
system |
adm |
????? |
List of audited objects:
Audited object | Associated file
S_ENVIRON_WRITE | /etc/security/environ
S_GROUP_WRITE | /etc/group
S_LIMITS_WRITE | /etc/security/limits
S_LOGIN_WRITE | /etc/security/login.cfg
S_PASSWD_READ | /etc/security/passwd
S_PASSWD_WRITE | /etc/security/passwd
S_USER_WRITE | /etc/security/user
AUD_CONFIG_WR | /etc/security/audit/config
Table 26: Protection of the audit files
File/Directory | Owner | Group | Mode | Description (original)
/etc/security/audit/config | root | system | 640 | Contains auditing system configuration information
/etc/security/audit/events | root | system | 640 | Contains auditable events on the system
/etc/security/audit/objects | root | system | 640 | Contains auditable system objects
/etc/security/audit/bincmds | root | system | 640 | Contains the backend commands which process bin data
/etc/security/audit/streamcmds | root | system | 640 | Contains commands to process stream data
RAW audit data files | root | system | 640 | Files which contain raw audit information collected by the audit subsystem. These must NOT be world/other accessible.
Table 27: Protection of the batch processing files
File/Directory | Owner | Group | Mode | Description (original)
/usr/adm/cron/at.allow | bin | cron | 640 | Users allowed to use batch commands.
/usr/adm/cron/at.deny | bin | cron | 640 | Users denied use of batch commands.
Last updated: 05.03.1998