Suggestions for making your system secure

The security of any system is ultimately the responsibility of all who have access to it. As the administrator of your system, do the following:

• Restrict physical access to your computer (especially if it is a small one) so that someone does not simply walk off with it.

• Set access permissions to directories and files so they can be accessed only as needed by the owner, group, or others. Publicly writable directories are a security hazard. Allow them only for a good reason.

• Assign passwords to all logins and change them regularly. You can force them to be changed by implementing password aging. Pick nonobvious passwords: six- to eight-character nonsense strings of letters and numbers are recommended over real words. Remove or lock unused logins.

• Do not keep sensitive information on a system with dial-up ports; the security of any system with dial-up ports is difficult to guarantee. For more information on network security and dial-up passwords, see ``Setting passwords for dial-in lines''.

• Record all use of the su(1M) command. See ``Recording su use'' for two methods of doing this.

• Keep in mind that login directories, user profile files, and files in /sbin, /usr/sbin, and /etc that are writable by others are security give-aways.

• Encrypt sensitive data files. The crypt(1) command together with the encryption capabilities of the editors ed and vi protect sensitive information. The Encryption Utilities package (domestic customers only) must be installed before you can run crypt(1).

• Do not leave a logged-in terminal unattended, especially if you are logged in as root or any privileged user as defined in the TFM database.

• Place an appropriate umask command in the system profile (/etc/profile) to set a default security level for file creation.

• Use full pathnames for critical commands (for example, /usr/bin/su instead of su).

• Do not mount a removable medium (such as a floppy disk or cartridge tape), or add packages or programs unless the contents are trusted. These filesystems may contain set-user-ID or Trojan horse programs. These are the most common ways of spreading computer viruses.