HP-UX Security Guidelines

1. Account Management

Deletion of Default Accounts (Priority: High)

Delete system default accounts and unused accounts.

Criteria

A. Delete default accounts (lp, uucp, nuucp).
B. Delete accounts for resigned, transferred, on-leave, or contract-terminated employees.

※ Both items A and B must be applied.

Configuration Method

# userdel lp
# userdel uucp	
# userdel nuucp

Detailed Description

Identify and delete default accounts the system does not use, together with any suspicious or unusual accounts. The accounts listed below are not used on most systems and, like any suspicious account, must be deleted. Before deleting a default account, confirm that nothing still depends on it (for example, lp owns the print spooler files on a system that prints; on such a system restrict its login shell instead of deleting it). If an account has to be created for server testing or a specific task, delete it as soon as the work is complete.

System accounts that do not need to log in should be prevented from logging in as described under "Restricting Shell for Non-Login Accounts (Priority: Medium)". Accounts generated by default during OS or package installation often carry default passwords, which can be exploited in password-guessing attacks.

  • Delete accounts of resigned, transferred, on-leave, or contract-terminated employees.
  • Delete lp, uucp, nuucp, suspicious unusual accounts (e.g., guest, test), and unused accounts.
  • Modifying the login shell to /bin/false may still cause security issues, so deletion is recommended.

Root Privilege Management for General Accounts (Priority: High)

Check for general accounts that possess root privileges.

Criteria

A. Set the UID of general accounts (excluding the root account and group) to 100 or higher.

Configuration Method

Run # vi /etc/passwd (or use usermod) and change the UID of any general account that has UID 0 to a value of 100 or higher.
Example: to change the UID of the wiki account to 2002: # usermod -u 2002 wiki

Detailed Description

System administrators should regularly inspect the home directories and files of all suspicious accounts and remove what is not needed. Unnecessary user accounts must be investigated and removed periodically.

  • Check if there are other general accounts with root privileges.
  • If a UID overlaps with root (0), another user can use administrator privileges. Overlapping UIDs between users make audit tracking difficult and cause overlapping user permissions.
  • If the UID of a general account (other than root) is 0, delete the account or assign it an appropriate UID (100 or higher). Move general accounts that belong to the root group into a group with appropriate permissions.
  • System accounts (daemon, bin, adm, uucp, nuucp, lp, hpdb, etc.) are excluded.

<Distinguishing General Accounts and Directories – From /etc/passwd file content> The following is a sample of the /etc/passwd file. The field separator is :, and if the third field is 0, it has superuser privileges. Accounts with a UID other than 0 are considered general accounts, and the sixth field is the home directory of that account.

root:!:0:0::/:/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
lpd:!:9:4294967294::/:

<passwd file fields>

loginID:x:UID:GID:comment:home_directory:login_shell
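The checks in this section (duplicate UID 0, default accounts still present, general accounts with a UID below 100) can be run from one script. The script below is an added example, not part of the guideline; it works on a constructed passwd-format sample so it runs offline, and the system-account list it excludes is an assumption to adjust per host. Point PASSWD at /etc/passwd on a real system.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for the account-management items above.

# uid0_accounts FILE : accounts other than root whose UID (3rd field) is 0
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# default_accounts FILE : default or suspicious account names that still exist
default_accounts() {
    awk -F: 'BEGIN { n = split("lp uucp nuucp guest test", a, " ");
                     for (i = 1; i <= n; i++) bad[a[i]] = 1 }
             ($1 in bad) { print $1 }' "$1"
}

# duplicate_uids FILE : UIDs shared by more than one account, as "uid: name name"
duplicate_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" | sort
}

# low_uid_general FILE : accounts not in the system-account list but with UID < 100
# (the list is an assumption; extend it with the system accounts present on the host)
low_uid_general() {
    awk -F: 'BEGIN { n = split("root daemon bin sys adm uucp nuucp lp hpdb lpd nobody", a, " ");
                     for (i = 1; i <= n; i++) sys[a[i]] = 1 }
             !($1 in sys) && $3 < 100 { print $1 ":" $3 }' "$1"
}

# Constructed sample in the layout of the excerpt above (not a real host's file).
PASSWD=${TMPDIR:-/tmp}/passwd.sample.$$
trap 'rm -f "$PASSWD"' EXIT
cat > "$PASSWD" <<'EOF'
root:!:0:0::/:/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
lp:!:9:7::/var/spool/lp:/bin/sh
uucp:!:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
wiki:!:0:20::/home/wiki:/bin/sh
test:!:2002:20::/home/test:/bin/sh
oper:!:50:20::/home/oper:/bin/sh
EOF

echo "== non-root accounts with UID 0 (fix the UID or delete the account)"; uid0_accounts "$PASSWD"
echo "== default or suspicious accounts still present";                   default_accounts "$PASSWD"
echo "== UIDs shared by several accounts";                                 duplicate_uids "$PASSWD"
echo "== general accounts with a UID below 100";                           low_uid_general "$PASSWD"
```

On the sample, wiki is reported under UID 0 and under the duplicate check (it shares 0 with root), lp, uucp and test are reported as default accounts, and wiki and oper are reported as general accounts below UID 100.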

/etc/passwd File Permission Settings (Priority: High)

Check the permissions of the /etc/passwd file, which contains system user account information.

Criteria

A. Set the permissions of the /etc/passwd file to 644 or lower, owned by root.

Configuration Method

# chmod 644 /etc/passwd
# chown root /etc/passwd
# chmod 400 /tcb/files/auth/[initial]/[username]
# chown root /tcb/files/auth/[initial]/[username]
# chmod 400 /etc/shadow
# chown root /etc/shadow

Detailed Description

The /etc/passwd file contains account information necessary for system user authentication. This diagnosis assesses the risk of security incidents (such as obtaining general user or root privileges) that may arise due to issues like incorrect file permission settings or management errors.

<Standard Mode>

  • Set the permissions of the /etc/passwd file to 644, owned by root.

<Trusted Mode>

  • Set the permissions of the /etc/passwd file to 644, owned by root.
  • For files under /tcb/files/auth/[initial]/[username], set the permissions of loggable accounts (excluding system accounts) to 400, owned by root.

<Shadow Password>

  • For HP-UX 11.11, the shadow file is created by running pwconv after installing the Shadow Password Bundle.
  • For HP-UX 11.23, the Shadow Password product is installed by default.
  • Set the permissions of the /etc/shadow file to 400, owned by root.

※ Reference site: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword&lc=EN_US

/etc/group File Permission Settings (Priority: High)

Check the permissions of the /etc/group file, which contains information about user groups.

Criteria

A. Set the permissions of the /etc/group file to 644 or lower, owned by root (or bin).

Configuration Method

# chmod 644 /etc/group 
# chown root /etc/group

Detailed Description

If a general user accesses and modifies the group file, an unauthorized user can be registered to the root group, enabling them to obtain root privileges. You must check whether modification of the group file is restricted for general users and ensure that write permissions for other users are limited.
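The "644 or lower, owned by root" criterion for /etc/passwd and /etc/group (and 400 for /etc/shadow and the /tcb auth files) means no permission bit may be set outside the allowed mode, not that the mode must be numerically smaller. The script below is an added example, not part of the guideline: it parses ls -ld output, so it needs neither GNU stat nor perl, and runs here against constructed files in a temporary directory, which belong to whoever runs it rather than to root; on a real host pass the real paths and root as the owner.

```sh
#!/bin/sh
# Added example: ownership and maximum-mode check for account files.

# mode_octal FILE : print the permission bits of FILE as three octal digits (setuid/sticky bits ignored)
mode_octal() {
    perms=$(ls -ld "$1" | cut -c2-10)          # e.g. rw-r--r--
    total=0
    for start in 1 4 7; do                     # user, group, other triads
        triad=$(printf '%s\n' "$perms" | cut -c"$start"-"$((start + 2))")
        v=0
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in ??[xst]) v=$((v + 1)) ;; esac   # lower-case s/t: the exec bit is set too
        total=$((total * 8 + v))
    done
    printf '%03o\n' "$total"
}

# perm_within FILE MAX : true if no bit of FILE's mode lies outside MAX (octal, e.g. 644)
perm_within() {
    have=$(mode_octal "$1")
    [ $(( 0$have & ~0$2 & 0777 )) -eq 0 ]      # leading 0 = octal in sh arithmetic
}

# owner_is FILE USER : true if FILE is owned by USER
owner_is() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# check_file FILE MAX OWNER : print a PASS/FAIL line; exit status 0 only on PASS
check_file() {
    if perm_within "$1" "$2" && owner_is "$1" "$3"; then
        printf 'PASS %s mode=%s owner=%s\n' "$1" "$(mode_octal "$1")" "$3"
    else
        printf 'FAIL %s mode=%s (max %s, owner must be %s)\n' "$1" "$(mode_octal "$1")" "$2" "$3"
        return 1
    fi
}

# Constructed files (assumption: stand-ins for /etc/passwd, /etc/shadow, /etc/group).
DIR=${TMPDIR:-/tmp}/permcheck.$$
mkdir -p "$DIR" && trap 'rm -rf "$DIR"' EXIT
: > "$DIR/passwd"; chmod 644 "$DIR/passwd"     # compliant
: > "$DIR/shadow"; chmod 640 "$DIR/shadow"     # too open: group may read the hashes
: > "$DIR/group";  chmod 664 "$DIR/group"      # too open: group may write
OWNER=$(id -un)                                # root on a real host

check_file "$DIR/passwd" 644 "$OWNER"
check_file "$DIR/shadow" 400 "$OWNER" || true
check_file "$DIR/group"  644 "$OWNER" || true
```

The same check_file call serves the later file-permission items on this page (for example check_file /etc/inetd.conf 755 root), since removing the other-write bit is the same as requiring that no bit outside 775 or 755 is set.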


Applying Password Usage Rules (Priority: High)

Prohibit the use of weak passwords when setting passwords for user accounts (both root and general accounts).

Criteria

A. Password Usage Rule Configuration

  • When Identity Management solutions (Control-SA, RedOwl) are running:
    Password rules are managed automatically by the solution.
  • When solutions are NOT running:
    Configure minimum length, maximum/minimum usage period, and account lockout thresholds.

# Edit /etc/default/security and apply the following (period values in days). /etc/login.defs is a Linux file and is not read by HP-UX; the HP-UX attributes are:

MIN_PASSWORD_LENGTH=8
PASSWORD_MAXDAYS=70
PASSWORD_MINDAYS=7

B. Password Settings

  • Combination rules: at least 10 characters using 2 of the 4 character types (uppercase letters, lowercase letters, digits, special characters), or at least 8 characters using 3 or more types.

※ Note: Both items A and B must be applied.

Configuration Method

[Security Application 1] When Identity Management Solutions are running

  • Control-SA: Rules are applied by the solution (currently requiring at least one letter, one digit, and one special character).

→ Check process

$ ps -ef | grep p_ctsc
/bmc/ctsa/control-sa/exe/HP-UX-11/p_ctsce
/bmc/ctsa/control-sa/exe/HP-UX-11/./p_ctscs
/bmc/ctsa/control-sa/exe/HP-UX-11/./p_ctscd
  • RedOwl: Rules are applied.

→ Check process

$ ps -ef|grep cmmd
ngmseos  417792       1   0   Jan 28      -  0:07 /usr/src/cmm/system/cmmd 
ngmseos  847942  417792   0   Jan 28      -  0:02 /usr/src/cmm/system/cmmd 

[Security Application 2] When Identity Management Solutions are NOT running

1. Minimum Password Length
Check that a minimum password length is enforced. If none is set, or it is too short, passwords are easy to guess and password-guessing attacks succeed quickly.

2. Maximum Password Usage Period
Check that passwords expire. Without an expiry limit, an unauthorized user who has obtained a password by any means can keep reconnecting indefinitely.

3. Minimum Password Usage Period
Check that a password cannot be changed again immediately after a change. Without a minimum period, a user can cycle through several passwords in quick succession to exhaust the password history and return to the old one.

4. Remember Previous Passwords
Prohibit the reuse of previously used passwords by remembering them when a password change occurs.

  • Recommended minimum password length: 8 characters or more.
  • Recommended maximum password usage period: 70 days (10 weeks) or less.
  • Recommended minimum password usage period: 7 days (1 week) or more.
  • Recommended password history depth: at least 12 previous passwords.

5. Account Lockout Threshold
If an account lockout threshold is not set, there is a possibility that an attacker can obtain a user’s password without much effort through Brute-Force attacks using automated tools.

  • Allow at most 10 consecutive login failures; the account is locked when the 10th failure occurs.

<Account Lockout Threshold Setting, applicable to HP-UX 11i v3 or higher>

Run # vi /etc/default/security and apply the following settings (Unit: Attempts): AUTH_MAXTRIES=10

<Standard Mode>
1) Run # vi /etc/default/security and apply the following settings:

MIN_PASSWORD_LENGTH=8
PASSWORD_MAXDAYS=70
PASSWORD_MINDAYS=7
PASSWORD_HISTORY_DEPTH=12

2) To unlock a locked account, log in as root and execute the following command:

# userdbset -d -u username auth_failures

<Trusted Mode>
1) Run # /usr/sbin/sam and check the following (Navigate using the Tab key):

(1) Check the following in Auditing and Security → System Security Policies → Password Format Policies:

  • Ensure Allow Null Passwords is unchecked.
  • Ensure Use Restriction Rules is checked.

(2) Check the following in Auditing and Security → System Security Policies → Password Aging Policies:

  • Password Aging : Enable
  • Time Between Password Changes (days) : 7
  • Password Life Time (days) :70

(3) Run # vi /etc/default/security and apply the following settings:

MIN_PASSWORD_LENGTH=8
PASSWORD_HISTORY_DEPTH=12

2) To unlock a locked account, log in as root and execute the following command:

# /usr/lbin/modprpw -k username
(audusr(1M) only selects users for auditing; it does not unlock an account.)

Detailed Description

When setting passwords for user accounts (both root and general accounts), if easily guessable passwords are used, unauthorized users may gain access to the system by obtaining general account or root privileges. If passwords are set differently from the criteria below, they must be changed according to the password policy.

<Password Configuration Criteria>
1. Passwords must be composed of a combination of at least 2 types of the 4 character types listed below with a minimum length of 10 characters, or a combination of at least 3 types with a minimum length of 8 characters.

Character Types:

  1. Uppercase letters (26)
  2. Lowercase letters (26)
  3. Numbers (10)
  4. Special characters (32)

<Design Requirements to Prevent Guessing by Unauthorized Persons>

  1. Prohibit the use of Null passwords.
  2. Prohibit compositions consisting of only letters or only numbers.
  3. Prohibit passwords identical to the User ID.
  4. Prohibit the use of sequential characters or numbers (e.g., 1111, 1234, abcd).
  5. Prohibit the reuse of cyclic passwords.
  6. Prohibit the use of easily guessable information such as phone numbers, birthdays, account names, or hostnames.
  • Use the “John The Ripper” tool to check for weak passwords.
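The composition rule and the design requirements above can be applied to a candidate password before it is set, as a review aid alongside the /etc/default/security settings (which enforce length and aging, but not composition, at login). The script below is an added example, not part of the guideline: it checks the null, letters-only, digits-only, two-types/10-characters, three-types/8-characters, login-name and sequential/repeated-character rules, and the sample passwords and login name are constructed. It assumes the 4-character ascending runs and 4-character repeats listed in the code are the "sequential" patterns meant.

```sh
#!/bin/sh
# Added example: pre-check a proposed password against the rules in this section.

# count_classes PASSWORD : how many of the four character types are present (0-4)
count_classes() {
    n=0
    case $1 in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case $1 in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case $1 in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case $1 in *[![:alnum:]]*) n=$((n + 1)) ;; esac   # anything else counts as special
    echo "$n"
}

# has_weak_run PASSWORD : true if it contains a 4-character ascending run or 4 identical characters
has_weak_run() {
    pw=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    for run in 0123 1234 2345 3456 4567 5678 6789 \
               abcd bcde cdef defg efgh fghi ghij hijk ijkl jklm klmn lmno \
               mnop nopq opqr pqrs qrst rstu stuv tuvw uvwx vwxy wxyz; do
        case $pw in *"$run"*) return 0 ;; esac
    done
    for c in 0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z; do
        case $pw in *"$c$c$c$c"*) return 0 ;; esac
    done
    return 1
}

# check_password LOGIN PASSWORD : print "ok" or the first rule violated; status 0 only for "ok"
check_password() {
    login=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    pw=$2
    lower=$(printf '%s\n' "$pw" | tr '[:upper:]' '[:lower:]')
    if [ -z "$pw" ]; then echo "null password"; return 1; fi
    case $pw in *[[:digit:]]*|*[![:alnum:]]*) ;; *) echo "letters only"; return 1 ;; esac
    case $pw in *[[:alpha:]]*|*[![:alnum:]]*) ;; *) echo "digits only"; return 1 ;; esac
    classes=$(count_classes "$pw")
    if [ "$classes" -lt 2 ]; then echo "only one character type"; return 1; fi
    if [ "$classes" -ge 3 ]; then min=8; else min=10; fi
    if [ ${#pw} -lt "$min" ]; then
        echo "too short: $classes character types need at least $min characters"; return 1
    fi
    case $lower in *"$login"*) echo "contains the login name"; return 1 ;; esac
    if has_weak_run "$pw"; then echo "sequential or repeated characters"; return 1; fi
    echo ok
}

# Constructed candidates for the login name "wiki" (not real credentials).
for candidate in 'Passw0rd' 'passw0rd' 'Wiki#2024ab' 'Ab1234cdef' 'Tr0ub4dor&3'; do
    printf '%-14s %s\n' "$candidate" "$(check_password wiki "$candidate")"
done
```

Passw0rd passes only because it uses three types; the same letters with a lowercase initial (passw0rd) use two types and therefore need ten characters.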

Restricting Shell for Non-Login Accounts (Priority: Medium)

Restricting shell access for system accounts that do not require login privileges.

Criteria

A. Restricting Shell Access for Non-Login Accounts

Configuration Method

Example: Setting the daemon account to prevent login

# vi /etc/passwd 
(Before) daemon:x:1:1::/:/sbin/ksh
(After) daemon:x:1:1::/:/bin/false

Detailed Description

Unauthorized use of the system should be prevented by restricting shell access for users who do not need to log in. System accounts that do not need to log in should have their login shell (e.g., /bin/sh) replaced with a non-functional "nologin" shell such as /bin/false. Note that an empty shell field in /etc/passwd does not prevent login; login falls back to the default shell, so such accounts must be given /bin/false explicitly.

<Target Accounts Not Requiring an Execution Shell>
This includes all accounts with general system account names such as: daemon, bin, sys, adm, listen, nobody, nobody4, noaccess, diag, operator, games, gopher, etc.

The following is a sample of the /etc/passwd file. Fields are delimited by “:”. If the final field is nologin or /bin/false, it indicates that a non-functional shell has been applied to the account.

bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

<Account Configuration When Shell Login is Not Required>

# useradd -c "account finger_info" -d /home/{account} -m -s /bin/false account
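The following added example (not part of the guideline) lists the system accounts in a passwd-format file whose shell still permits a login, treating an empty shell field as loginable, and prints the usermod command for each. The account names and the set of accepted non-login shells are assumptions to adjust per host; the sample file is constructed.

```sh
#!/bin/sh
# Added example: find system accounts that can still log in, and print the remediation.

# Shells accepted as "no login" (assumption; add the site's nologin binary if different).
NOLOGIN_SHELLS='/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin'
# Accounts that must never log in interactively (assumption; extend per host).
SYSTEM_ACCOUNTS='daemon bin sys adm lp uucp nuucp hpdb nobody www listen'

# loginable_system_accounts FILE : prints "name:shell" for each offending account
loginable_system_accounts() {
    awk -F: -v sys="$SYSTEM_ACCOUNTS" -v ok="$NOLOGIN_SHELLS" '
        BEGIN { n = split(sys, a, " "); for (i = 1; i <= n; i++) target[a[i]] = 1
                n = split(ok, b, " ");  for (i = 1; i <= n; i++) safe[b[i]] = 1 }
        ($1 in target) && !($7 in safe) {
            print $1 ":" ($7 == "" ? "(empty: default shell is used)" : $7) }' "$1"
}

# remediation FILE : one usermod command per offending account (printed, not executed)
remediation() {
    loginable_system_accounts "$1" | while IFS=: read -r name shell; do
        echo "usermod -s /bin/false $name"
    done
}

# Constructed sample (not a real host's file).
PASSWD=${TMPDIR:-/tmp}/passwd.shells.$$
trap 'rm -f "$PASSWD"' EXIT
cat > "$PASSWD" <<'EOF'
root:!:0:0::/:/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:/bin/sh
adm:!:4:4::/var/adm:/bin/false
lp:!:9:7::/var/spool/lp:/bin/sh
nobody:!:-2:-2::/:/sbin/nologin
wiki:!:2002:20::/home/wiki:/usr/bin/ksh
EOF

echo "== system accounts that can still log in"; loginable_system_accounts "$PASSWD"
echo "== remediation";                           remediation "$PASSWD"
```

In the sample, daemon (empty shell), bin and lp are reported; adm and nobody already use a non-login shell, and wiki is a general account and therefore not checked.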

Restricting su (Substitute User) Command Usage (Priority: High)

Restricting the su command to prevent unauthorized users from switching to privileged accounts.

Criteria

A. Creation of the Wheel Group and User Configuration

Configuration Method

<Method 1>
1) Specify the group that will use the su command in the /etc/default/security file.

# vi /etc/default/security
SU_ROOT_GROUP=wheel (Specify the group that will use the su command)

<Method 2>
1) Create a group (Request the group to be created; typically wheel is used).

# groupadd wheel

2) Change the group of the /usr/bin/su file to the wheel group.

# chgrp wheel /usr/bin/su

3) Change the permissions of the /usr/bin/su file (4750).

# chmod 4750 /usr/bin/su

4) Add accounts that require the use of the su command to the wheel group.

# usermod -G wheel [username]
(-G replaces the account's supplementary group list; include any groups the account already needs.)

Detailed Description

A general user without administrative rights can still run su and attempt to guess the root password. Therefore the use of su by general users must be restricted (configure the system so that only members of the wheel group can use the su command).

2. File System

User UMASK (User MASK) Configuration (Priority: Low)

Configuring UMASK to apply proper file and directory permissions for files created by users within the system.

Criteria

A. Set the user UMASK to 022 in /etc/profile and as UMASK=022 in /etc/default/security (/etc/bashrc is a Linux file and is not used on HP-UX).

Configuration Method

1) Edit /etc/profile

umask 022 

2) Edit /etc/default/security

UMASK=022

Detailed Description

The permissions applied when a user creates a file or directory within the system depend on the umask value. A low umask value may allow unauthorized persons to access files and directories that should only be accessible by administrators.

To view the umask value set for the current user, execute "umask" at the command prompt. The recommended umask value is "022". A umask of "022" creates files with "rw-r--r--" (644) and directories with "rwxr-xr-x" (755) access permissions.

By adding the command to the account’s Start Profile (/etc/profile, .cshrc, .kshrc, .bashrc, .login, .profile, etc.), the changed umask value will be applied after the user logs in.

SUID (Set User-ID) and SGID (Set Group-ID) Configuration (Priority: Low)

Restriction of SUID and SGID bits on root-owned files vulnerable to security threats.

Criteria

A. Removal of SUID (Set User-ID) and SGID (Set Group-ID)

※ Exception Handling: Files created by applications or files created for operational necessity are exempt.

Configuration Method

Verify the filenames in the table below and remove the SUID/SGID bits.

# chmod -s [Filename]

HP-UX files to review:
/opt/perf/bin/glance
/opt/perf/bin/gpm
/opt/video/lbin/camServer
/usr/bin/at
/usr/bin/lpalt
/usr/bin/mediainit
/usr/bin/newgrp
/usr/bin/rdist
/usr/contrib/bin/traceroute
/usr/dt/bin/dtappgather
/usr/dt/bin/dtprintinfo
/usr/sbin/arp
/usr/sbin/lanadmin
/usr/sbin/landiag
/usr/sbin/lpsched
/usr/sbin/swacl
/usr/sbin/swconfig
/usr/sbin/swinstall
/usr/sbin/swmodify
/usr/sbin/swpackage
/usr/sbin/swreg
/usr/sbin/swremove

Detailed Description

Files with SUID (Set User-ID) and SGID (Set Group-ID) enabled—especially those owned by root—are frequently utilized in Buffer Overflow and local attacks. These files require periodic management as they are critical from a security perspective.

For root-owned setuid files that are vulnerable, attributes should be removed from all such files except for those that are absolutely necessary. Periodic diagnosis and management are required to ensure that misconfigurations do not become security threats.

The list of Setuid and Setgid files to be removed is provided in the configuration method table. Setuid should also be removed if unusual files, such as those created by applications or arbitrarily by users, are discovered outside of this list. When removing Setuid, proceed carefully while verifying the normal operation of services, including the OS and applications.

Example of removal method: # chmod -s file-name

Example of periodic audit method:

# find / -user root -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lg {} \;

If a Setuid file must be used, restrict its use to a specific group only.

Example of restricting use to a specific group: Restrict Setuid use by general users (allow only a designated group).

# /usr/bin/chgrp <Group_Name> <Setuid_File_Name>
# /usr/bin/chmod 4750 <Setuid_File_Name>

If you wish to add an account, such as ‘wiki’, to a designated group to allow Setuid use, configure it as follows:

# usermod -G 100 wiki
-G : replace the account's supplementary group list (include any groups the account already needs).
100 : the numeric ID of the <Group>.
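The periodic audit and the two remediations above (strip the bit, or keep it and restrict the binary to a group with mode 4750) fit together as one script. The one below is an added example, not part of the guideline: it compares the find output against an allow-list of binaries that legitimately need the bit, so that only new or unexpected setid files are reported. It runs here on a constructed tree owned by the invoking user; on a real host the call would be setid_audit / root /etc/setid.allow, where the allow-list path is an assumed name holding one permitted path per line.

```sh
#!/bin/sh
# Added example: setuid/setgid audit against an allow-list, plus remediation.

# setid_audit ROOT OWNER ALLOWFILE : print setid files under ROOT owned by OWNER that are not allow-listed
setid_audit() {
    find "$1" -user "$2" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sort | while read -r f; do
            grep -qxF -- "$f" "$3" || echo "$f"
        done
}

# strip_setid FILE : remove both setuid and setgid bits (what chmod -s does)
strip_setid() { chmod u-s,g-s "$1"; }

# restrict_to_group FILE GROUP : keep the setuid bit but allow execution only by GROUP (mode 4750)
restrict_to_group() { chgrp "$2" "$1" && chmod 4750 "$1"; }

# --- constructed tree (stand-ins for the real paths; not a real host) ---
ROOT=${TMPDIR:-/tmp}/setid.$$
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/usr/bin" "$ROOT/usr/dt/bin" "$ROOT/opt/perf/bin"
for f in usr/bin/su usr/bin/passwd usr/bin/at usr/dt/bin/dtappgather opt/perf/bin/glance; do
    : > "$ROOT/$f"
done
chmod 4755 "$ROOT/usr/bin/su" "$ROOT/usr/bin/passwd" "$ROOT/usr/bin/at" "$ROOT/opt/perf/bin/glance"
chmod 2755 "$ROOT/usr/dt/bin/dtappgather"
ALLOW=$ROOT/setid.allow                       # assumed allow-list file
printf '%s\n' "$ROOT/usr/bin/su" "$ROOT/usr/bin/passwd" > "$ALLOW"
ME=$(id -un)                                  # root on a real host

echo "== unexpected setid files"; setid_audit "$ROOT" "$ME" "$ALLOW"

strip_setid "$ROOT/usr/bin/at"                                # not needed: strip
strip_setid "$ROOT/usr/dt/bin/dtappgather"
restrict_to_group "$ROOT/opt/perf/bin/glance" "$(id -gn)"   # needed: 4750, then allow-list it
echo "$ROOT/opt/perf/bin/glance" >> "$ALLOW"

echo "== after remediation (should be empty)"; setid_audit "$ROOT" "$ME" "$ALLOW"
```

Keeping the allow-list under change control turns the periodic find into a diff: anything new is either a fresh install to be reviewed or a file planted by an attacker.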

/etc/inetd.conf File Permission Settings (Priority: High)

Configuration to remove write permissions for other users on the daemon configuration file (/etc/inetd.conf) owned by root.

Criteria

A. Restrictions on write access for other users to the /etc/inetd.conf file owned by root.

Configuration Method

# chown root /etc/inetd.conf 
# chmod o-w /etc/inetd.conf 

※ If the file is a symbolic link, change the ownership of the original source file.

Detailed Description

This check determines whether access permissions are restricted for inetd.conf, the configuration file for the Internet Super-Daemon service.

The Internet Super-Daemon executes internal program daemons registered in /etc/inetd.conf upon receiving requests from the external network. If the permissions for inetd.conf are misconfigured, an unauthorized attacker could register a malicious program in this file and execute it with root privileges.

History File Permission Settings (Priority: Medium)

Permission management for script files that store the commands executed by all users logged into the system.

Criteria

A. Set permissions for history-related files to 600 or less.

Configuration Method

# chmod 600 [User Home Directory Path]/.history
# chmod 600 [User Home Directory Path]/.sh_history

Detailed Description

History files (.history, .sh_history, etc.) are scripts that record the commands of every user who logs in; therefore, they require strict security management.

If these files are world-readable, sensitive information such as plain-text passwords included in commands, internal directory structures, or administrative activities could be exposed. You must set the permissions for all users’ history files to “600” (read/write for owner only) and ensure the owner is set to the user themselves.

Crontab File Permission Setting and Management (Priority: High)

Inspection of permissions for Crontab-related files and the files scheduled to run with root privileges within Crontab.

Criteria

A. Removal of write permissions for other users on Crontab-related files.

B. Configuration of Crontab file permissions:

  • Set file permissions to 744 and owner to root.
  • Use absolute paths for scheduled files.
  • Ensure all files scheduled in Crontab actually exist
    ※ Both items A and B must be applied.

Configuration Method

1) Remove write permissions for other users on Crontab-related files:

# chmod o-w /var/spool/cron/crontabs/*  

2) Check and change the permissions of each file:

# ls -al [file]
# chmod 744 [file]
# ls -al /backup/OS_backup.sh
  -rwxr--r--   1 root       sys             84 Aug 10 05:01 /backup/OS_backup.sh
# ls -al /opt/sfm/vacuum
  -rwxr--r--   1 root       sys             67 Dec 18 14:47 /opt/sfm/vacuum

3) Change the owner of files displayed as UIDs:

# ls -al [file]
  -rw-r--r--   1 102      other          0 Jun  5 11:00 /tmp/user3
# chown root [file]
# ls -al [file]
  -rw-r--r--   1 root     other          0 Jun  5 11:00 /tmp/user3

※ If a file scheduled in Crontab does not exist in the actual path, delete it from the Crontab list.

Detailed Description

This check determines whether access permissions are restricted to prevent general users from maliciously accessing cron-related files.

Cron is a program that provides job scheduling, automatically performing specific tasks at specific times. If the access permissions for Cron-related files are misconfigured, unauthorized individuals can change the user environment through various methods, leading to security incidents.

A review of execution file permissions for files set to run in Crontab with root privileges is required (administrator review required).

If a script that cron runs as root is owned or writable by a general user, that user can change what runs with root privileges. If relative paths are used, the file may fail to execute. If a file registered in Crontab does not exist at the given path, an attacker can create a file of that name and have it executed.

Additionally, when checking the permissions of files registered in Crontab, a problem may occur where the owner of files created by a deleted user remains as that user’s UID; appropriate ownership must be assigned to such files.

  • Set permissions to 744 and owner to root for execution files set to run in Crontab with root privileges.
  • Modify relative paths to absolute paths for files scheduled in Crontab.
  • If the owner of a file scheduled in Crontab remains as a UID, assign a proper owner (root).
  • Verify the existence of scheduled files in their actual paths.
# crontab -l
1 15 * * * /backup/OS_backup.sh
30 * * * * /opt/sfm/vacuum
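The checks on the scheduled files (five schedule fields present, absolute path, file exists, owner, no group or other write permission) can be run over the output of crontab -l. The script below is an added example, not part of the guideline: it runs on a constructed crontab whose entries point at files in a temporary directory, and the expected owner is passed in (root on a real host).

```sh
#!/bin/sh
# Added example: audit the commands scheduled in a crontab listing.

# audit_crontab CRONTAB OWNER : one line per entry, prefixed OK / MALFORMED / RELATIVE / MISSING / OWNER / WRITABLE
audit_crontab() {
    want=$2
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r m h dom mon dow cmd rest; do
        if [ -z "$cmd" ]; then echo "MALFORMED $m $h $dom $mon $dow"; continue; fi   # fewer than 6 fields
        case $cmd in /*) ;; *) echo "RELATIVE $cmd"; continue ;; esac
        if [ ! -e "$cmd" ]; then echo "MISSING $cmd"; continue; fi
        info=$(ls -ld "$cmd")
        mode=$(printf '%s\n' "$info" | cut -c1-10)            # e.g. -rwxr--r--
        owner=$(printf '%s\n' "$info" | awk '{ print $3 }')
        if [ "$owner" != "$want" ]; then echo "OWNER $cmd ($owner, expected $want)"; continue; fi
        # position 6 = group write bit, position 9 = other write bit
        case $mode in ?????w*|????????w?) echo "WRITABLE $cmd ($mode)"; continue ;; esac
        echo "OK $cmd"
    done
}

# --- constructed crontab and target files (not a real host) ---
DIR=${TMPDIR:-/tmp}/cronaudit.$$
trap 'rm -rf "$DIR"' EXIT
mkdir -p "$DIR/backup" "$DIR/opt/sfm"
: > "$DIR/backup/OS_backup.sh"; chmod 744 "$DIR/backup/OS_backup.sh"   # compliant
: > "$DIR/opt/sfm/vacuum";      chmod 775 "$DIR/opt/sfm/vacuum"        # group-writable
CRON=$DIR/crontab.sample
cat > "$CRON" <<EOF
# constructed sample of crontab -l output
1 15 * * * $DIR/backup/OS_backup.sh
30 * * * * $DIR/opt/sfm/vacuum
0 3 * * 0 $DIR/opt/cleanup.sh
15 4 * * * bin/rotate.sh
1 15 * * $DIR/backup/OS_backup.sh
EOF

audit_crontab "$CRON" "$(id -un)"
```

The last sample entry has only four schedule fields, so its path is read as the day-of-week field and nothing is scheduled; the audit reports it as MALFORMED rather than silently treating the path as the command.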

/etc/profile File Permission Settings (Priority: Medium)

Restricting access permissions for the user configuration file /etc/profile.

Criteria

A. Removal of write permissions for other users on the /etc/profile file owned by root (or bin).

Configuration Method

# chown root /etc/profile 
# chmod o-w /etc/profile

Detailed Description

The /etc/profile file is a login script used to configure the default environment for all users who log in to the system. If the access permissions for the /etc/profile file are incorrectly set, an unauthorized person can change user environments through various methods, potentially leading to a security breach.

For example, an attacker with write access could insert a malicious script into this file, which would then be executed with the privileges of any user (including root) who logs into the system.

/etc/hosts File Permission Settings (Priority: Medium)

Restricting access permissions for /etc/hosts, the hostname registration file.

Criteria

A. Removal of write permissions for other users on the /etc/hosts file owned by root (or bin).

Configuration Method

# chown root /etc/hosts 
# chmod o-w /etc/hosts
※ If the file is a symbolic link, change the ownership and permissions of the original source file.

Detailed Description

The /etc/hosts file is used to map IP addresses to hostnames. If the access permissions for this file are incorrectly configured, an attacker could modify the mappings to redirect traffic to a malicious system.

/etc/issue File Permission Settings (Priority: Medium)

Restricting access permissions for the /etc/issue file related to terminal settings.

Criteria

A. Removal of write permissions for other users on the /etc/issue file owned by root (or bin).

Configuration Method

# chown root /etc/issue 
# chmod o-w /etc/issue

Detailed Description

The /etc/issue file requires security management because it displays a message to users connecting through a terminal, Telnet session, or console.

User Home Directory and File Management (Priority: Medium)

Restricting access permissions for user home directories and environment variable files within home directories.

Criteria

A. Removal of write permissions for other users on user home directories and environment variable files.

Configuration Method

# chmod o-w [Home Directory]
# chmod o-w [Home Directory]/[Filename]
(The second form removes other-write permission from an environment file inside the home directory.)

Detailed Description

This check ensures that general users other than the account owner are restricted from modifying the home directory and environment variable files. If unauthorized users access and tamper with files or configuration files within a user’s home directory, the normal user’s services may be restricted.

If the access permissions for environment variable files are incorrectly configured, an unauthorized person can change the user environment through various methods, potentially leading to a security breach.

Remove write permissions for other users on environment variable files such as “.profile”, “.kshrc”, “.cshrc”, “.bashrc”, “.bash_profile”, “.login”, “.exrc”, “.netrc”, “.dtprofile”, and “.Xdefaults”.

Important Directory and File Permission Settings (Priority: Medium)

Configuration of permissions for important directories and the files contained within them.

Criteria

A. Removal of write permissions for other users on important directories owned by root (or bin).

Configuration Method

# chown root [Directory Name]
# chmod o-w [Directory Name]

Detailed Description

If access permissions for important directories are incorrectly configured, unauthorized persons can change the user environment through various methods, potentially causing security incidents.

Configure the removal of write permissions for other users on the /sbin, /etc/, /bin, /usr/bin, /usr/sbin, and /usr/lbin directories, ensuring they are owned by root (or bin).

# ls -ldb /sbin /etc/ /bin /usr/bin /usr/sbin /usr/lbin
  drwxrwxr-x  13 root       bin           2048 Aug 25 14:53 /sbin
  drwxrwxr-x  16 root       bin           2048 Aug 26 09:27 /etc/
  drwxrwxr-x  18 root       bin           1024 Jun 10  1996 /bin
  drwxrwxr-x   3 root       bin           6144 Aug 25 14:53 /usr/bin
  drwxrwxr-x   7 root       bin           1024 Aug 25 14:53 /usr/sbin
  drwxrwxr-x   5 root       bin           4096 Aug 25 14:53 /usr/lbin

PATH Environment Variable Configuration (Priority: Medium)

Configuration of the PATH environment variable in the root account’s environment variable files.

Criteria

A. Ensure the current directory symbol . is either removed or placed at the end of the PATH variable in the root account’s environment variable configuration files.

Configuration Method

The symbol ., which represents the current directory, must not appear at the beginning or in the middle of the PATH variable. An empty element (a leading or trailing colon, or two consecutive colons) is interpreted as the current directory as well and must be removed. If . is required by an application, place it at the very end of the PATH variable.

Detailed Description

If the PATH environment variable of the root account includes . (referring to the current directory), an authorized root user may unintentionally execute a command located in the current directory.

Specifically, if . is positioned with higher priority than directories where standard commands are located (such as /usr/bin, /bin, or /sbin), a root user executing a command might unintentionally run a file illegally placed by an unauthorized person, leading to unexpected results. Furthermore, unexpected outcomes can occur if not only . but also any directory illegally created by an unauthorized person is given priority in the PATH.

Remove . (representing the current directory) from the PATH environment variable in the root account’s environment configuration files (e.g., .profile, .cshrc) and in /etc/profile.

※ Verify with echo $PATH while logged in as root (this item applies to the root account only).
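Reading echo $PATH by eye misses the empty element case, so the check is worth scripting. The following is an added example, not part of the guideline: audit_path reports every element that resolves to the current directory (a literal . or an empty element) or is not an absolute path, with its position, and fix_path returns the value with those elements removed. The PATH values it is run on are constructed.

```sh
#!/bin/sh
# Added example: find and remove current-directory entries in a PATH value.

# audit_path PATHVALUE : print one finding per unsafe element ("position: reason"); nothing when clean
audit_path() {
    i=0
    rest="$1:"                       # trailing colon so the last element goes through the same loop
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        i=$((i + 1))
        case $elem in
            "")  echo "$i: empty element (means current directory)" ;;
            .)   echo "$i: . (current directory)" ;;
            /*)  ;;
            *)   echo "$i: relative entry $elem" ;;
        esac
    done
}

# fix_path PATHVALUE : print the value without "." and empty elements
fix_path() {
    rest="$1:"; out=
    while [ -n "$rest" ]; do
        elem=${rest%%:*}; rest=${rest#*:}
        case $elem in ""|.) ;; *) out="${out:+$out:}$elem" ;; esac
    done
    echo "$out"
}

# Constructed values (not a real host's PATH).
echo "== . first";          audit_path '.:/usr/bin:/usr/sbin'
echo "== empty elements";   audit_path '/usr/bin::/usr/sbin:'
echo "== clean";            audit_path '/usr/bin:/usr/sbin:/sbin:/usr/contrib/bin'
echo "== fixed";            fix_path   '.:/usr/bin::/usr/sbin:'
```

For the root account, run audit_path "$PATH" after sourcing the profile files this item names; a finding at position 1 is the dangerous case, since . is then searched before /usr/bin.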

FTP (File Transfer Protocol) Access Control File Permission Settings (Priority: High)

Configuration to remove write permissions for other users on FTP access control files owned by root.

Criteria

A. Removal of write permissions for other users on the /etc/ftpusers and /etc/ftpd/ftpusers files owned by root.

Configuration Method

# chown root /etc/ftpusers
# chown root /etc/ftpd/ftpusers
# chmod o-w /etc/ftpusers
# chmod o-w /etc/ftpd/ftpusers

※ When using vsftpd:
If userlist_enable = YES in vsftpd.conf: Check /etc/vsftpd/user_list or /etc/vsftpd.user_list.

# chown root /etc/vsftpd/user_list   or   # chown root /etc/vsftpd.user_list
# chmod o-w /etc/vsftpd/user_list    or   # chmod o-w /etc/vsftpd.user_list

If userlist_enable = NO or the option does not exist in vsftpd.conf: Check /etc/vsftpd/ftpusers.

# chown root /etc/vsftpd/ftpusers
# chmod o-w /etc/vsftpd/ftpusers

Detailed Description

If general users other than the administrator are allowed to access and modify FTP access control configuration files, security incidents may occur, such as unauthorized users being registered to access the server and perform illegal actions. Therefore, it is necessary to check whether restrictions are in place to prevent general users from modifying FTP access control configuration files.

Root Remote Access Control File Permission Settings (Priority: Medium)

Configuration to remove write permissions for other users on the /etc/security directory (or file), which is the root remote access control configuration setting, ensuring it is owned by root.

Criteria

A. Removal of write permissions for other users on the /etc/security path owned by root (or bin).

Configuration Method

# chown root /etc/security
# chmod o-w /etc/security

Detailed Description

If general users other than the administrator can access and modify the root access control configuration, service failures such as root being locked out may occur, or the restriction may be removed. Therefore check that general users are prevented from modifying these files. On HP-UX the file that limits root login to specific terminals is /etc/securetty; apply the same ownership and permission check to it.

NFS (Network File System) Access Control File Permission Settings (Priority: High)

Removal of write permissions for other users on NFS access control files owned by root.

Criteria

A. Removal of write permissions for other users on the /etc/exports file owned by root (or bin).

Configuration Method

# chown root /etc/exports
# chmod o-w /etc/exports

Detailed Description

If general users other than the administrator are allowed to access and modify the NFS (Network File System) access control configuration files, they could register unauthorized users or mount file systems to attempt illegal tampering. Therefore, it is necessary to check whether restrictions are in place to prevent general users from modifying the NFS access control configuration files.

/etc/services File Permission Settings (Priority: Medium)

Removal of write permissions for other users on the service file owned by root.

Criteria

A. Removal of write permissions for other users on the /etc/services file owned by root (or bin).

Configuration Method

# chown root /etc/services
# chmod o-w /etc/services

Detailed Description

If the service file can be accessed and modified by general users instead of the administrator, there is a risk of security incidents, such as restricting normal services or executing unauthorized services through the file.

Boot Script File Permission Settings (Priority: High)

Restricting access permissions for boot script files used within the OS.

Criteria

A. Removal of write permissions for other users from boot script files.

Configuration Method

Remediate files identified as vulnerable among those involved in boot scripts using the following command:

# chmod o-w [Filename or Directory Name] 

Detailed Description

Access permissions for boot script files, which are critical for system operation, must be restricted so that only necessary users can access them. If write permissions are granted to other users, they must be removed.

/etc/rc*.d/*
/etc/inittab, etc.
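The following shell script is an added example, not part of the original guideline: it audits the files named in the permission items above (and any boot script or log file you pass to it) for the other-write bit and for an owner other than root or bin, and strips the bit where found. It parses ls -ld output because HP-UX has no stat(1); the file list in the last line is illustrative, and chown is left to the administrator because the guideline permits bin as the owner of some files.

```shell
#!/bin/sh
# Audit configuration/boot files for other-write permission (o+w) and owner.
# Parses `ls -ld` output (HP-UX has no stat(1)): field 1 is the mode string,
# field 3 the owner, e.g. "-rw-rw-rw- 1 root sys ... /etc/exports".

# other_writable FILE -> 0 if the other-write bit is set, 1 if not, 2 if missing
other_writable() {
    [ -e "$1" ] || return 2
    mode=$(ls -ld "$1" | awk '{print $1}')
    # chars 2-4 user, 5-7 group, 8-10 other; char 9 is "w" when o+w is set
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# owner_ok FILE OWNER... -> 0 if FILE is owned by one of the listed users
owner_ok() {
    f=$1; shift
    owner=$(ls -ld "$f" | awk '{print $3}')
    for want in "$@"; do
        [ "$owner" = "$want" ] && return 0
    done
    return 1
}

# audit_files FILE... -> one line per file; returns the number of findings
audit_files() {
    findings=0
    for f in "$@"; do
        if ! [ -e "$f" ]; then
            echo "MISSING    $f"
            continue
        fi
        if other_writable "$f"; then
            echo "O+W        $f"; findings=$((findings + 1))
        elif ! owner_ok "$f" root bin; then
            echo "BAD-OWNER  $f ($(ls -ld "$f" | awk '{print $3}'))"; findings=$((findings + 1))
        else
            echo "OK         $f"
        fi
    done
    return $findings
}

# remediate FILE: strip the other-write bit (the guideline's "chmod o-w");
# chown root is deliberately not automated because bin may be a valid owner.
remediate() {
    chmod o-w "$1"
}

# Illustrative run over the files this guideline names; on a host that is
# not HP-UX, absent files are simply reported as MISSING.
audit_files /etc/exports /etc/services /etc/inittab /etc/rc.config.d/nfsconf
```

Pass the expansion of /etc/rc*.d/* and the log files from the Log Management chapter to audit_files to cover the other items that use the same check.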

3. Network Services

RPC (Remote Procedure Call) Service Restriction (Priority: Medium)

Removal of security-vulnerable RPC (Remote Procedure Call) services.

Criteria

A. Removal of unused RPC services.

※ Exception Handling: RPC services used for operational necessity are exempt.

Configuration Method

<Example of service removal for inetd>

  • Comment out (add #) the corresponding lines in the /etc/inetd.conf file.
  • Restart the inetd daemon.
  • Completely delete the RPC service from the boot script.
# vi /etc/inetd.conf
(Before) rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
(After) # rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
# ps -ef | grep inetd
root 141 1 0 15:03:22 ? 0:01 /usr/sbin/inetd -s
# inetd -c (Restart/Reload)
# kill -HUP 141

※ If a system restart is not possible, terminate the running rpc.statd process directly. Note that kill -HUP only asks a daemon to reload its configuration; to stop it, send the default signal (SIGTERM):

# ps -ef | grep rpc
  rpc 3136 1 0 Oct11 ? 00:00:01 rpc.statd
# kill 3136

Detailed Description

RPC (Remote Procedure Call) services allow calls to server applications in a distributed environment to request specific tasks. They are widely used because they facilitate development in distributed processing environments and are provided by default in Unix systems. However, RPC services possess numerous remote Buffer Overflow vulnerabilities, posing a very high risk of security incidents.

A Buffer Overflow occurs when more data is input than the designated buffer size, causing the program to behave abnormally. At the moment the buffer overflows, an attacker can execute arbitrary commands to gain root privileges or perform various other attacks.

The following unused RPC services should be removed. If a service must be used, the appropriate security patches must be applied.

Service            Description
rpc.cmsd           Database management program used by Open Windows Calendar Manager and CDE Calendar.
rusersd            Responds to queries from the rusers command.
rstatd             Returns performance statistics obtained from the kernel.
rpc.statd          Supports the lockd program for file recovery in NFS during system failures.
kcms_server        Used to create or manage profiles controlling color performance for desktop digital images.
rpc.ttdbserverd    RPC-based ToolTalk database server program.
rwalld             Used to send messages to other users.
rpc.nisd           NIS server daemon.
rpc.ypupdated      Updates information in Network Information Service (NIS) maps.
cachefsd           Cache file system daemon.
sadmind            Program used for remote system administration.
sprayd             Receives packets sent by the spray command, which reports performance statistics.
rpc.pcnfsd         Handles service requests from PC-NFS (Personal Computer Network File System) clients.
rexd               Executes programs for remote systems.
rpc.rquotad        Returns local machine quotas for file systems mounted via NFS on remote machines.

Remove the following RPC-related services from /etc/inetd.conf: ttdb, cmsd, rstatd, sadmind, rusersd, rexd, rwalld, sprayd, kcms_server, cachefsd, etc.

NFS (Network File System) Restriction (Priority: High)

Removal of NFS (Network File System) services that are not being used for a specific purpose.

Criteria

A. When the service is required:

  • Unmount unauthorized systems.
  • Do not export file systems to "everyone" (unrestricted mount access); restrict mounting to named clients.

B. When the service is not required:

  • Stop the NFS daemons (nfsd, statd, lockd).

Configuration Method

<When using the service>

Identify systems that are remotely mounting NFS and unmount any unauthorized systems.

1. Check exports: run # showmount -e hostname to list the exported file systems and the clients permitted to mount them. An export listed as "(everyone)" can be mounted by any host. (The command fails if the NFS service is stopped.)

# showmount -e hostname

2. Unmount (on the client that is not authorized to hold the mount):

# umount "File_System_Name"

※ When using NFS services, list only essential shared directories in the /etc/exports file. The system must not be mounted to “everyone,” and NFS-related security patches must be applied.

<When not using the service>

1. Stop running services: Terminate the NFS daemon (nfsd) and mountd.

# ps -ef | grep mountd
    root   163     1  0   Sep 27 ?        0:04 /usr/lib/autofs/automountd
# kill –9 163
# ps -ef | grep nfs
  root   146     1  0   Sep 27 ?        0:16 /usr/lib/nfs/nfs
# kill –9 146

2. Disable automatic startup: Remove NFS from the startup list to prevent the NFS Server from starting upon reboot.

# vi /etc/rc.config.d/nfsconf (Change to: NFS_SERVER=0)
# mv /sbin/rc2.d/S900nfs.Server /sbin/rc2.d/_S900nfs.Server

Detailed Description

NFS is designed for sharing file systems over a network and is frequently used by high-capacity sites or service servers that need to share files from a single server. However, it carries a high risk of security incidents.

If not used for a specific purpose, the NFS service and its components (statd, lockd) should be stopped. If the use of NFS is unavoidable, you must ensure that unauthorized systems cannot mount the NFS system, preventing unauthorized access and file tampering.
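As an added example (not from the original guideline), the function below reads an /etc/exports file and reports each export that has no client list, which is what showmount -e displays as "(everyone)". It assumes the HP-UX exports(4) line syntax of a directory followed by comma-separated options, with mount access restricted by -access=client[:client]; the sample file at the end is constructed for the demonstration.

```shell
#!/bin/sh
# audit_exports FILE: print one line per export and return the number of
# exports that any client may mount.
# Assumed line syntax (HP-UX exports(4)):  /dir -access=host1:host2,ro
# An export without an -access= list is mountable by everyone.
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            dir = $1; hosts = ""
            for (i = 2; i <= NF; i++) {              # remaining fields are option groups
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++) {
                    if (opt[j] ~ /^-?access=/) {
                        sub(/^-?access=/, "", opt[j]); hosts = opt[j]
                    }
                }
            }
            if (hosts == "") { print "EVERYONE    " dir; open++ }
            else              { print "RESTRICTED  " dir " -> " hosts }
        }
        END { exit open + 0 }
    ' "$1"
}

# Constructed sample: one export restricted to two clients, one open to all.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/exports (constructed sample, not a real host)
/export/data   -access=client1:client2,ro
/var/spool/prt -ro
EOF
audit_exports "$sample"
echo "exports open to everyone: $?"
rm -f "$sample"
```

Run it against the real /etc/exports on the server; every EVERYONE line needs an -access= list added (or the export removed) before the change is applied.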

Automountd Service Removal (Priority: Low)

Removal of the Automount service when it is not being used for a specific purpose.

Criteria

A. Removal of the Automount service.

Configuration Method

1) Stop the running service:

# ps -ef | grep automount
  root  650  1  0  Mar 30  ? 0:30 /usr/lib/netsvc/fs/automount/automount -f /etc/auto_master
# kill –9 650

2) Prevent automount from starting upon system restart: (The exact file location may vary depending on the OS)

# vi /etc/rc.config.d/nfsconf
(Before) AUTOFS=1
(After) AUTOFS=0

Detailed Description

Autofs enables a client system to automatically mount a remote directory or file system when a user needs it and automatically unmount it when the mount point is no longer in use.

The Autofs daemon, automountd, handles mount and unmount requests from Autofs via RPC. A vulnerability exists in the automountd daemon that allows a local attacker to send RPC requests to the daemon, potentially leading to security issues.

NIS (Network Information Service) Restriction (Priority: High)

Removal of NIS services that are not being used for a specific purpose.

Criteria

A. NIS service stop

※ Exception Handling: NIS services used for operational necessity are exempt.

Configuration Method

1) NIS service stop

# /usr/lib/netsvc/yp/ypstop

2) Removal of boot scripts

# cd /etc/rc*/
# mv S88ypserv _S88ypserv

Detailed Description

NIS (Network Information Service) provides a consistent system environment to administrators and users by sharing important system database files through the network, and NIS+ is a subsequent version with added security and convenience features.

<Service check method> If the processes below are not present, it is normal.

Process/Daemon     Description
ypserv             Runs on master and slave servers and responds to ypbind requests from clients.
ypbind             Runs on all NIS systems and binds and initializes clients and servers.
rpc.yppasswdd      Used by users to change passwords.
ypxfrd             Runs only on the NIS master server and transfers NIS maps at high speed.
rpc.ypupdated      Runs only on the NIS master server and applies updates to NIS maps.

‘r’ commands Service Removal (Priority: High)

Removal of ‘r’ commands services that are not being used for a specific purpose.

Criteria

A. When the service is required:

  • Set the permissions of /etc/hosts.equiv and $HOME/.rhosts files to 400 with root ownership.
  • Use fixed IP settings in /etc/hosts.equiv and $HOME/.rhosts configurations to allow access.

B. When the service is not required:

  • Remove ‘r’ commands services such as rsh, rlogin, and rexec.
  • Set the permissions of /etc/hosts.equiv and $HOME/.rhosts files to 000 with root ownership, or link them to /dev/null.
  • ※ The .rhosts file must be created in the root home directory.

Configuration Method

<When using ‘r’ commands>

Remove any “+” entries from the host and account fields in the /etc/hosts.equiv and $HOME/.rhosts files, and register only the necessary hosts and accounts, one “host account” pair per line, as shown in the example: Example: # vi /etc/hosts.equiv (or $HOME/.rhosts)

 Wiki security
(trusts only the “security” account from the host “Wiki”)

Designate permissions and ownership for files:

# chown root /etc/hosts.equiv 
# chmod 400 /etc/hosts.equiv
# chown root /root/.rhosts
# chmod 400 /root/.rhosts

※ Symbolic Links are recommended; permission changes are not required for them.

Recommended periodic management via cron:

# /bin/touch /.netrc /etc/hosts.equiv
# /bin/chmod 400 /.netrc /etc/hosts.equiv

<When not using ‘r’ commands>

Remove the services and change the permissions of the /etc/hosts.equiv and $HOME/.rhosts files.

Example of service removal: Comment out (add #) the corresponding lines in the /etc/inetd.conf file and restart inetd.

# vi /etc/inetd.conf
(Before)
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd

(After)
# shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
# shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
# login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
# exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
# exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd

# ps -ef | grep inetd
root 141 1 0 15:03:22 ? 0:01 /usr/sbin/inetd -s
# kill -HUP 141

Method 1: Changing file permissions

# chown root /etc/hosts.equiv
# chmod 000 /etc/hosts.equiv
# chown root /root/.rhosts
# chmod 000 /root/.rhosts

Method 2: Linking to /dev/null

# ln -s /dev/null /etc/hosts.equiv (after deleting the existing /etc/hosts.equiv file)
# ln -s /dev/null /root/.rhosts (after deleting the existing /root/.rhosts file)

※ The .rhosts file must be created in the root home directory with 000 permissions or as a link to /dev/null.

Recommended periodic management via cron:

# /bin/touch /root/.netrc /etc/hosts.equiv
# /bin/chmod 0 /root/.netrc /etc/hosts.equiv
# /bin/touch /.netrc /root/.rhosts
# /bin/chmod 0 /.netrc /root/.rhosts

Detailed Description

‘r’ commands such as rsh, rlogin, and rexec allow remote access based on host trust (/etc/hosts.equiv and .rhosts) rather than password authentication. While they are sometimes used for NET Backup or other purposes, the ‘r’ commands are very weak in terms of security; if their service ports are open, there is a risk of security incidents.

If not used for a specific purpose like NET Backup, remove the following services: shell(514), login(513), exec(512)

If the services must be used, access should be allowed only for essential servers, and the permissions of related configuration files must be set appropriately. (Refer to “3.6. Trust Relationship Settings”)

Removal of Berkeley R-Command services from /etc/inetd.conf: Remove rsh, rlogin, and rexec services.

The /etc/hosts.equiv file is used to register TRUSTED systems and enable access without authentication using ‘r’ commands. The .rhosts file performs almost the same function but can be configured per user.

When using ‘r’ commands, register specific servers cautiously. Using “+” (which allows access from all servers) is extremely dangerous and must be configured with caution. When in use, set ownership to root and permissions to 400.

Prohibition of ‘+’ settings in the /etc/hosts.equiv file:

If the file is in use: Owner: root, Permissions: 400.

Setting      Meaning
+ +          Trust all accounts from all hosts.
+ wiki       Trust the ‘wiki’ account from all hosts.
Wiki +       Trust all accounts from the ‘Wiki’ host.
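The script below is an added example, not part of the original guideline. audit_trust_entries lists the host/account pairs in a hosts.equiv or .rhosts file and flags the “+” wildcards from the table above (a “+@netgroup” entry is treated as a wildcard as well, since it trusts a whole netgroup), and check_trust_file accepts the file only in the states the guideline allows: absent, a symbolic link to /dev/null, or owned by root with mode 400 (in use) or 000 (not in use). The sample entries are constructed.

```shell
#!/bin/sh
# Checks for /etc/hosts.equiv and $HOME/.rhosts.
# audit_trust_entries FILE: print each trust entry, flag wildcards, and
# return the number of wildcard entries.  Line syntax: host [user];
# "+" means any; "+@netgroup" trusts a whole netgroup (flagged here too).
audit_trust_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "+" || $2 == "+" || $1 ~ /^\+@/ || $2 ~ /^\+@/ {
            print "WILDCARD  " $0; n++; next
        }
        {
            u = $2; if (u == "") u = "(same login name)"
            print "entry     host=" $1 " user=" u
        }
        END { exit n + 0 }
    ' "$1"
}

# check_trust_file FILE: 0 when the file is absent, a symlink to /dev/null,
# or a root-owned regular file with mode 400 or 000; 1 otherwise.
check_trust_file() {
    f=$1
    if [ -L "$f" ]; then
        target=$(ls -ld "$f" | awk '{print $NF}')
        if [ "$target" = /dev/null ]; then echo "OK   $f -> /dev/null"; return 0; fi
        echo "BAD  $f -> $target"; return 1
    fi
    if [ ! -e "$f" ]; then echo "OK   $f absent"; return 0; fi
    set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner
    case "$1" in
        -r--------|----------) ;;
        *) echo "BAD  $f mode $1 (want 400 or 000)"; return 1 ;;
    esac
    if [ "$3" != root ]; then echo "BAD  $f owner $3 (want root)"; return 1; fi
    echo "OK   $f $1 $3"
    return 0
}

# Demo on a constructed file (not a real host's configuration).
tmp=$(mktemp)
printf '%s\n' 'backup01 backupadm' '+ +' 'Wiki security' > "$tmp"
audit_trust_entries "$tmp"
echo "wildcard entries: $?"
check_trust_file "$tmp"
rm -f "$tmp"
```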

Removal of Unnecessary Services (Priority: High)

Removal of security-vulnerable or unnecessary services.

Criteria

A. Removal of unnecessary services.

Configuration Method

< Example of service removal >

  • Comment out (add #) the corresponding lines in the /etc/inetd.conf file and restart inetd.
  • Completely delete unnecessary services from the boot script.
# vi /etc/inetd.conf
(Before) 100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
(After) # 100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
# inetd -c

If there are services that must be used, strengthen access control primarily through network equipment or firewalls in the short term. In the long term, re-evaluate the validity of providing the service and modify the application (e.g., changing the procedure calls that use the service).

Detailed Description

Unnecessary service ports open on a server can lead to the exposure of major system information and cause Denial of Service (DoS) attacks.

The following unused services should be removed:

Service        Port   Description
echo           7      Simply retransmits messages sent by the client.
discard        9      Discards data received from any user.
daytime        13     Outputs the current time and date in ASCII format in response to client queries.
chargen        19     Service that returns a string of arbitrary length.
time           37     TCP version of the RFC 868 time server used by the rdate daemon.
tftp           69     Protocol for file transfer; used for downloading configuration files or starting installation processes for diskless workstations or network printers.
finger         79     Displays user information.
sftp           115    Simple File Transfer Protocol (RFC 913; not the SSH file transfer subsystem).
uucp-path      117    UUCP path service.
nntp           119    Network News Transfer Protocol; standard service for creating discussion groups on the Internet.
ntp            123    Network Time Protocol; synchronizes time between clients and servers.
netbios_ns     137    NetBIOS name service; used to identify resources on the network.
netbios_dgm    138    NetBIOS datagram service; used for broadcasting to hosts, groups, or the entire network.
netbios_ssn    139    NetBIOS session service; used to transmit and receive actual data using network shares, etc.
bftp           152    Binary File Transfer Protocol.
ldap           389    Service for directory service access.
printer        515    Used for spooling on remote printers.
talk           517    Starts a conversation session with a user logged into another system.
ntalk          518    Enables chatting between different systems.
uucp           540    Copies files between Unix systems and transmits commands to be executed on other systems.
pcserver       600    ECD Integrated PC board server; used in RPC-related attacks.
ldaps          636    LDAP over SSL.
ingreslock     1524   Ingres database lock service.
www-ldap-gw    1760   HTTP to LDAP gateway; used when LDAP transmits database information to a web server.
nfsd           2049   NFS server daemon service (if NFS is not in use).
dtspcd         6112   Desktop subprocess control daemon service.
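As an added example that is not part of the original guideline, the script below audits an inetd.conf for the services listed in the RPC, ‘r’ commands and unnecessary-services items above and comments the offending lines out, after which inetd -c makes inetd reread the file. It assumes the HP-UX line layouts shown in the comments; the deny list (INETD_DENY) and the sample inetd.conf are constructed for the demonstration and should be adjusted to the host's needs.

```shell
#!/bin/sh
# Audit /etc/inetd.conf for services that should be disabled, and comment
# them out.  Assumed HP-UX line formats:
#   <service> stream tcp nowait root /usr/lbin/ftpd ftpd -l
#   rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
# RPC lines are identified by the basename of the server path (field 6);
# all other lines by the service name (field 1).
INETD_DENY="shell login exec echo discard chargen daytime time finger tftp rpc.rstatd rpc.rusersd rpc.sprayd rpc.rwalld rpc.cmsd rpc.ttdbserver rpc.ttdbserverd rpc.rexd"

# enabled_denied FILE: print active lines on the deny list; return their count
enabled_denied() {
    awk -v deny=" $INETD_DENY " '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            svc = $1
            if ($1 == "rpc") { svc = $6; sub(/.*\//, "", svc) }
            if (index(deny, " " svc " ") > 0) { print "ENABLED  " svc "\t" $0; n++ }
        }
        END { exit n + 0 }
    ' "$1"
}

# disable_service FILE NAME: comment out the line(s) for NAME in place.
# On the real file, follow with "inetd -c" so inetd rereads its configuration.
disable_service() {
    tmp="$1.$$"
    awk -v name="$2" '
        /^[ \t]*#/ { print; next }
        {
            svc = $1
            if ($1 == "rpc") { svc = $6; sub(/.*\//, "", svc) }
            if (svc == name) { print "#" $0 } else { print }
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample inetd.conf (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
exec    stream tcp nowait root /usr/lbin/rexecd  rexecd
echo    stream tcp nowait root internal
rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
rpc stream tcp nowait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
#rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
EOF
enabled_denied "$sample"; echo "still enabled: $?"
disable_service "$sample" rpc.rstatd
disable_service "$sample" echo
enabled_denied "$sample"; echo "still enabled: $?"
rm -f "$sample"
```

The demo reports five enabled entries (login, exec, echo, rpc.rstatd, rpc.ttdbserver) and three after the two disable_service calls; services that must stay (for example ftp with the -u 077 umask option from the FTP item) are simply left off the deny list.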

Service Banner Management (Priority: Medium)

Configuration of banners displayed when accessing general services (TELNET, FTP, SMTP, etc.) on the system.

Criteria

A. Prevention of information exposure and display of warning messages in access banners when using Telnet, FTP, SMTP, and DNS services.

Configuration Method

[Telnet Banner]

  • Banner Configuration / Hostname Removal

Add the following to /etc/inetd.conf:

  telnet   stream   tcp6   nowait   root   /usr/lbin/telnetd   telnetd   -b /etc/issue
(/etc/issue is the file containing the banner text)
(-b: Option to use the specified banner file)

Insert banner content into the /etc/issue file.

[FTP Banner]

  • Banner Configuration / Hostname Removal

Add the following to /etc/inetd.conf:

ftp   stream   tcp   nowait   root   /usr/lbin/ftpd   ftpd   -a /etc/ftpd/ftpaccess
(- a : Option to use the specified configuration file)

For wu-ftpd below v2.4:
Add the following to /etc/ftpd/ftpaccess:

  suppresshostname yes (Hides hostname)
suppressversion yes (Hides version information)
banner /etc/ftpd/ftp_banner(File containing the FTP banner)

For wu-ftpd v2.4 or higher:
Add the following to /etc/ftpd/ftpaccess:

greeting    terse (Hides hostname and version information)
※ If /etc/ftpd/ftpaccess does not exist, copy it as follows:
cp /usr/newconfig/etc/ftpd/examples/ftpaccess /etc/ftpd/ftpaccess

[SMTP Banner]

# vi /etc/mail/sendmail.cf
# SMTP initial login message (old $e macro)
(Before) O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
(After) O SmtpGreetingMessage= WARNING:Authorized use only
※ The location of the sendmail.cf file may vary depending on the SMTP configuration.

[DNS Banner]

# vi /etc/named.conf
options {
    version "Contact Another Administrator!";
};

Detailed Description

By managing the banners output when accessing general services (TELNET, FTP, SMTP, etc.), you can prevent the leakage of service versions.

  • Clearly state the scope of authorized server users and indicate that all activities are being monitored.
  • Delete default banners or insert warning messages in each daemon configuration file.
  • Configure banners so that the version of the corresponding process and the system’s hostname are not exposed.

Session Timeout Configuration (Priority: Low)

Configuration of session timeouts for connected sessions that remain idle for a specified period.

Criteria

A. Configuration of session timeout within the /etc/profile file.

Configuration Method

1) For sh (Bourne shell) and ksh (Korn shell): Modify /etc/profile or .profile by inserting TMOUT=300 and export TMOUT. There must be no spaces around the equals sign; otherwise the shell treats TMOUT as a command and the setting is silently ignored.

# vi /etc/profile
(After) TMOUT=300
export TMOUT

2) For csh (C shell): Add set autologout=5 (for 5 minutes) or the relevant timeout variable to the /etc/csh.login file.

Detailed Description

Failure to set a timeout for idle sessions can lead to issues not only in terms of confidentiality but also in terms of availability.

It is necessary to configure the server to disconnect connected sessions if they are not used for a specified amount of time. (Timeout occurs after 300 seconds of inactivity.)

Root Account Telnet and SSH Access Restriction (Priority: High)

Configuration to restrict direct remote access to the root account via telnet and ssh.

Criteria

A. Restriction of root account login during telnet and ssh access.

Configuration Method

[telnet]

# Create the /etc/securetty file and insert "console".
# echo console > /etc/securetty

[ssh]

# Modify the /opt/ssh/etc/sshd_config file and restart the sshd daemon.
(Before) #PermitRootLogin no
(After) PermitRootLogin no

※ When restarting, you must terminate all connected sessions, then execute the /sbin/init.d/secsh stop command followed by start.

Detailed Description

Direct access to the root account is risky in terms of security; therefore, direct remote access to the root account must be restricted. It is necessary for security to configure the options below so that access to the root account is only possible by switching from a general user account.

Firewall Policy Application (Priority: High)

Application of firewall policies to block external attacks.

Criteria

A. Firewall ports can only be opened after the security assessment application is completed.

※ Note: “Any Open” configurations can only be opened after all identified security vulnerabilities have been remediated.

Configuration Method

A. Complete the security assessment application through ISS-D before opening the service.

Detailed Description

When opening a new service, the security assessment application must be completed before the firewall can be opened. In the case of “Any Open” (including Any Open within the internal network or opening a large number of IPs on external networks), the firewall can only be opened after the remediation of vulnerabilities discovered during the security assessment is finalized.

4. Log Management

System Log Configuration (Priority: High)

Configuration of su logs and syslog, along with permission settings for log files and directories.

Criteria

A. su logging records: Configure via /etc/syslog.conf.

B. syslog.conf log levels: Ensure logging for *.notice, *.alert, and *.emerg.

C. Permission settings for log files and directories: Ownership by root (or bin) and removal of write permissions for other users.

※ All items (A, B, and C) must be applied.

Configuration Method

1. su Log Configuration

# Check the /etc/syslog.conf file and add the following if it does not exist:
auth.notice     /var/adm/syslog/syslog.log
or
*.notice        /var/adm/syslog/syslog.log
(Use the TAB key to separate the selector and the file path. Independently of syslog, su itself records each switch in /var/adm/sulog.)

2. syslog Configuration

1) Inspect the /etc/syslog.conf file:

  • *.notice     /var/adm/syslog/syslog.log
  • *.alert      /dev/console
  • *.emerg      *

2) After modifying /etc/syslog.conf, restart the syslogd daemon to apply changes:

# ps –ef | grep syslogd
  root  7524  6970   0   Apr 23      -  0:02 /usr/sbin/syslogd
# kill –HUP 7524

3. Log File Permission Configuration

Set ownership to system users (root, adm, bin, etc.) and remove write permissions for other users for the following files:

Log File        HP-UX 9.x Path                    HP-UX 10.x or higher Path
wtmpx, utmpx    /usr/adm                          /var/adm
wtmp, utmp      /usr/adm                          /var/adm
btmp            /usr/adm                          /var/adm
syslog          /usr/adm/syslog/syslog.log        /var/adm/syslog/syslog.log
sulog           /usr/adm                          /var/adm
pacct           /usr/adm                          /var/adm
messages        /usr/adm                          /var/adm
lastlog         /usr/adm                          /var/adm

# chown root [Log_Filename]
# chmod o-w [Log_Filename]
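The following script is an added example, not from the original guideline. It checks a syslog.conf against the three syslog criteria of this item: that auth.notice (su records) is written somewhere, that *.alert and *.emerg selectors exist, and that selector and action are separated by a TAB. Coverage is evaluated the way syslogd does (a selector logs its level and every more severe level, and fac.none excludes a facility), so *.info satisfies the auth.notice requirement. The sample configuration is constructed.

```shell
#!/bin/sh
# syslog_covers FILE FACILITY LEVEL: exit 0 if some line in FILE logs
# FACILITY at LEVEL.  A selector "fac.lvl" logs lvl and every more severe
# level ("*.info" covers auth.notice); "fac.none" on the same line excludes
# that facility from the line.  Pass "*" as FACILITY to demand a wildcard.
syslog_covers() {
    awk -v fac="$2" -v lvl="$3" '
        BEGIN {
            n = split("emerg alert crit err warning notice info debug", L, " ")
            for (i = 1; i <= n; i++) pri[L[i]] = i       # emerg=1 ... debug=8
            pri["panic"] = pri["emerg"]; pri["error"] = pri["err"]; pri["warn"] = pri["warning"]
            want = pri[lvl]; found = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            hit = 0; excl = 0
            ns = split($1, sel, ";")                       # selectors precede the action
            for (i = 1; i <= ns; i++) {
                split(sel[i], fl, ".")                     # fl[1] facilities, fl[2] level
                nf = split(fl[1], facs, ",")
                for (j = 1; j <= nf; j++) {
                    m = (facs[j] == "*" || facs[j] == fac)
                    if (m && fl[2] == "none") excl = 1
                    else if (m && (fl[2] in pri) && pri[fl[2]] >= want) hit = 1
                }
            }
            if (hit && !excl) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# syslog_space_separated FILE: print active lines whose selector and action
# are separated by spaces only; classic syslogd (HP-UX included) needs a TAB.
syslog_space_separated() {
    awk '!/^[ \t]*#/ && NF > 1 && !/\t/ { print "NO-TAB   " $0; n++ } END { exit n + 0 }' "$1"
}

# audit_syslog FILE: the checks from this item; returns the number of failures
audit_syslog() {
    f=$1; fails=0
    for spec in 'auth:notice' '*:alert' '*:emerg'; do
        fac=${spec%%:*}; lvl=${spec##*:}
        if syslog_covers "$f" "$fac" "$lvl"; then
            echo "OK       $fac.$lvl is logged"
        else
            echo "MISSING  $fac.$lvl is not logged"; fails=$((fails + 1))
        fi
    done
    syslog_space_separated "$f" || fails=$((fails + $?))
    return $fails
}

# Constructed sample: TAB-separated except for the last line.
sample=$(mktemp)
printf 'mail.debug\t/var/adm/syslog/mail.log\n' > "$sample"
printf '*.info;mail.none\t/var/adm/syslog/syslog.log\n' >> "$sample"
printf '*.alert\t/dev/console\n*.alert\troot\n*.emerg\t*\n' >> "$sample"
printf 'auth.notice /var/adm/syslog/syslog.log\n' >> "$sample"
audit_syslog "$sample"; echo "failures: $?"
rm -f "$sample"
```

After correcting the real /etc/syslog.conf, send syslogd SIGHUP as shown in step 2 so it rereads the file.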

Detailed Description

1. su Log Configuration

It is essential to log the use of su (Switch User) to record instances where general users transition to Super User status. Since incidents compromising system availability or integrity typically involve Super User privileges, su logging is critical for auditing. The syslog configuration must be modified to record auth.notice logs in a file.

2. syslog Configuration

This check ensures that syslog.conf is configured to record information and alerts generated during system operation. The syslog daemon is dedicated to monitoring kernel messages and system logs locally or remotely. If improperly configured, critical traces of intruders or system errors may not be recorded, making forensic analysis impossible.

3. Log File Permission Configuration

Since general users do not need access to system logs, security should be strengthened by restricting file ownership and removing read/write permissions for unauthorized users.

Log Retention Period (Priority: High)

Application of the minimum log retention period as specified by law.

Criteria

A. Application of minimum retention periods for log files.
B. Regular review and supervision of log records.
C. Backup of log files to separate storage devices and restriction of write permissions.

Configuration Method

While log retention periods can be adjusted based on the business environment, they must be kept for at least the following periods in accordance with the “Act on Promotion of Information and Communications Network Utilization and Information Protection,” the “Personal Information Protection Act,” and “Company Regulations.”

1) User Access Information Records

  • User Login / Logout / Information Changes: 6 months or longer

2) Access Records of Personal Information Processing Systems by Personal Information Handlers

  • Identification of data subjects/handlers, access date/time, access location info, tasks performed according to granted authority types, etc.: 2 years or longer

3) Authority Change Records for Personal Information Handlers

  • Creation / Change / Deletion of personal information handler permissions: 3 years or longer

The person in charge must regularly check and supervise log records. In cases where errors or fraudulent acts related to user access occur or are expected, immediate reporting and action must be taken.

To prevent log files from being forged or altered, it is desirable to keep them backed up on a separate storage device and restrict write permissions. Even if modification is possible, separate protective measures using information that can verify forgery (such as HMAC values or digital signatures) should be implemented.

Detailed Description

According to the “Act on Promotion of Information and Communications Network Utilization and Information Protection,” the “Personal Information Protection Act,” and “Company Regulations,” log files must be kept for at least 6 months. The person in charge must regularly backup, verify, and supervise the log records.

5. Major Application Configuration

FTP (File Transfer Protocol) Service User Restriction (Priority: High)

Checking whether FTP service is used, and if so, configuring User UMASK and Anonymous FTP settings.

Criteria

A. Restriction of FTP service for root and unnecessary accounts.
B. Setting FTP UMASK to ‘077’.
C. Disabling Anonymous FTP settings.

※ All items (A, B, and C) must be applied.

Configuration Method

  1. Restricting FTP use for root and unnecessary accounts
    Check if FTP use is restricted for root and unnecessary system accounts.
    Configuration Files: /etc/ftpusers, /etc/ftpd/ftpusers
    Add the root account and system accounts to the /etc/ftpusers file to restrict FTP login.
# vi /etc/ftpusers 
root
...
(Example of FTP service restriction)
# echo root >> /etc/ftpd/ftpusers
# vi /etc/ftpd/ftpusers (Insert root)

When using vsftpd:

  • If userlist_enable=YES in vsftpd.conf: Check vsftpd.userlist
  • If userlist_enable=NO (or option missing) in vsftpd.conf: Check vsftpd.ftpusers

2. FTP UMASK Restriction

Modify /etc/inetd.conf as follows:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -u 077 

3. Anonymous FTP Restriction

Check if the ftp account exists in the /etc/passwd file and delete it if present.

# cat /etc/passwd | grep ftp 
# cat /etc/shadow | grep ftp 
# userdel ftp

Detailed Description

<Restricting FTP for root and unnecessary accounts> FTP is a program for exchanging files between computers connected over the internet or internal networks. Due to bugs and risks inherent in FTP servers, its use should be restricted unless absolutely necessary. When FTP service is used, prohibiting high-privileged accounts from logging in reduces the operational risk to the system.

<FTP UMASK Setting> If FTP use is unavoidable, the FTP UMASK must be configured to ensure that the access permissions of transferred files are set appropriately. If the FTP UMASK is incorrectly configured, files created via FTP may be deleted or modified by anyone.

<Anonymous FTP Restriction> Anonymous FTP must be disabled. If enabled, unauthorized persons can acquire system information. Furthermore, if write permissions are set on directories, various attacks can be executed using local exploits. Restricting access to authorized users only is also desirable for system availability.

SNMP (Simple Network Management Protocol) Service Configuration (Priority: Medium)

Verification of SNMP service and security configuration of the Community String.

Criteria

A. When the service is required:

The SNMP Community String must not be set to public or private.
(To prevent SNMP Brute-Force or Dictionary attacks, set a strong password format using at least 8 characters including a mix of numbers and symbols.)

B. When the service is not required:

Stop the service and configure it so that it does not execute upon system restart.

Configuration Method

<When SNMP service is not required>

# ps -ef | grep snmp
  root  9546  6970   0   Dec 05      -  1:11 /usr/sbin/snmpd
# kill -9 9546  or  # /sbin/SnmpAgtStart.d/S560SnmpMaster stop
# mv /sbin/SnmpAgtStart.d/S560SnmpMaster /sbin/SnmpAgtStart.d/_S560SnmpMaster

<When SNMP service is required>

Change the community string in the /etc/snmp/snmpd.conf file to a value that others cannot guess.

  • Change the public part in read-community public to an <arbitrary name> and restart the service.
  • Exercise caution when using the set-community-name: section.
  • (Restrict the use of simple community names such as public, admin, or private.)
Vulnerability Item         Content                                                                                     Countermeasure
Default Community String   If default strings like public or private are not changed, crackers can extract critical system information.   Modify or remove permissions; grant different permissions based on policy for special cases.
Network Interface Info     Remote hosts can obtain a list of network interfaces through SNMP.                          Set community strings that are difficult to guess when using SNMP.
SNMP RPC Service           Default community strings allow remote discovery of system/network equipment info and modification of settings.   Change community strings to values that are difficult to guess.
OS Type Acquisition        Server OS and version information can be identified using SNMP.                            Modify or remove permissions; grant different permissions based on policy for special cases.
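As an added example (not part of the original guideline), the function below reads an snmpd.conf and rates every community string against the criteria in this item: not a default such as public or private, at least 8 characters, and containing both a digit and a symbol. The directive keywords it recognises are an assumption covering the HP-UX agent's get-community-name:/set-community-name: lines and the net-snmp style rocommunity/rwcommunity; the sample file is constructed.

```shell
#!/bin/sh
# audit_snmp_community FILE: check every community-string directive in an
# snmpd.conf and return the number of weak ones.  Recognised keywords are an
# assumption: HP-UX "get-community-name:" / "set-community-name:", plus
# read-community / write-community / rocommunity / rwcommunity / community.
audit_snmp_community() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) ~ /^(get-community-name:|set-community-name:|read-community|write-community|rocommunity|rwcommunity|community)$/ {
            c = $2; why = ""
            if (tolower(c) ~ /^(public|private|admin)$/ || c == "") why = why " default"
            if (length(c) < 8)        why = why " shorter-than-8"
            if (c !~ /[0-9]/)         why = why " no-digit"
            if (c !~ /[^A-Za-z0-9]/)  why = why " no-symbol"
            if (why == "") print "OK    " $1 " (" length(c) " chars, value not shown)"
            else { print "WEAK  " $1 " " c ":" why; n++ }
        }
        END { exit n + 0 }
    ' "$1"
}

# Constructed snmpd.conf sample: one default read string, one strong set string.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed snmpd.conf sample
get-community-name: public
set-community-name: Zq7!vK2p#x
EOF
audit_snmp_community "$sample"; echo "weak community strings: $?"
rm -f "$sample"
```

Strong strings are reported by length only, so the audit output can be filed without copying the secret into a ticket.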

Detailed Description

The SNMP service is a basic service provided by UNIX systems for NMS (Network Management Systems) to monitor system status in real-time. Since the Community String (a type of password required to receive information) is often left at default values like public or private, a vulnerability exists where unauthorized users can exploit these strings to identify key system information and configuration status.

If the SNMP service is not used on the server—for example, if the NMS is not monitoring the server—it is desirable to remove the SNMP service. When using the service, it is necessary to change the community string to a complex value in the /etc/snmp/conf/snmpd.conf or /etc/snmp/snmpd.conf file.

SMTP(Send Mail Transfer Protocol)서비스 설정(중요도 : 중)

SMTP 서비스 사용유무 및 설정

기준

가. 서비스 필요 시

  • Sendmail Abuse 방지 방법 및 일반 사용자 q옵션 사용제한
  • Sendmail 8.14.4 이상의 버전 사용

나. 서비스 불필요 시

  • 서비스 중지 및 시스템 재시작시 서비스가 실행되지 않도록 설정

설정방법

<SMTP 서비스 필요 시 >
1) Sendmail Abuse 방지 방법 및 일반 사용자 q옵션 사용 제한

  • Sendmail의 기본적인 서비스인 VRFY, EXPN을 다음과 같이 설정 하고 q옵션 제한
# vi /etc/mail/sendmail.cf 파일을 아래와 같이 수정
    O PrivacyOptions=authwarnings, noexpn, novrfy, restricqrun

2) 취약한 Senmail 버전 사용 제한
1) Sendmail 서비스가 실행되고 있는지 점검

# ps –ef | grep sendmail

2) Sendmail 버전 점검

# telnet localhost 25

3) Sendmail의 버전을 확인하고, ftp://ftp.sendmail.org/pub/sendmail 에서 보안 패치가 존재하는지 확인
4) O/S에 따라 설정하는 방법이 다를 수 있으므로, 홈페이지(http://www.sendmail.org/) 에서 해당 OS에 관한 정보를 확인 후 업그레이드

<SMTP 서비스 불필요 시>
1) 실행중인 서비스 중지

# ps –ef | grep sendmail
  root  441 1  0 Sep19 ?    00:00:00 sendmail: accepting connections
# kill -9 441

2) 시스템 재 시작시 SMTP Server 가 시작되지 않게 하기 위해서 아래와 같이 수행

# mv  /etc/rc2.d/S88sendmail  /etc/rc2.d/_S88sendmail

Detailed Description

SMTP contains many security vulnerabilities and therefore carries potential risks. Review the purpose for which SMTP is used on the server, and if it is not needed, it is desirable to remove the service.

When operating the SMTP service, to prevent Sendmail abuse, Sendmail's basic VRFY and EXPN services must be blocked, and general users must be prevented from running Sendmail with the q option, which otherwise lets them view the contents of the mail queue and the sendmail configuration or forcibly drop the mail queue.

In addition, most Sendmail vulnerabilities were found in versions 8.13.8 and earlier, so version 8.14.4 or later is recommended. Below are recent Sendmail vulnerabilities; systems running a vulnerable version need to be upgraded.

SSL Certificate NULL Character Spoofing (CVE-2009-4565): versions before 8.14.3
Heap-based buffer overflow (CVE-2009-1490): versions before 8.13.1.2

Remove the SMTP service if it is not used for a specific purpose.

  • Verify that the latest sendmail version and configuration are applied

① Remove the vrfy and expn commands and prevent general users from running sendmail with the q option
② Use sendmail 8.14.4 or later
③ Restrict the mail relay function
④ Apply the patch for the Address Parser vulnerability

※ The location of the sendmail.cf file may differ depending on the SMTP configuration.
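As an added audit example (not part of this guideline), the following script checks a sendmail.cf PrivacyOptions line for the three options required above and compares a Sendmail version string against the 8.14.4 minimum; the sendmail.cf fragments and version numbers are constructed samples, and on a real host the input would be /etc/mail/sendmail.cf and the version shown in the SMTP banner.

```shell
# privacy_missing <sendmail.cf>: prints the required PrivacyOptions that are
# absent from the "O PrivacyOptions=" line; returns 0 when none are missing.
privacy_missing() {
    cf=$1
    # take the option list, drop whitespace, one option per line
    opts=$(sed -n 's/^O[[:space:]]*PrivacyOptions=//p' "$cf" | tr -d ' \t' | tr ',' '\n')
    missing=""
    for need in noexpn novrfy restrictqrun; do
        printf '%s\n' "$opts" | grep -qx "$need" || missing="$missing $need"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# version_ok <installed> <minimum>: returns 0 if installed >= minimum,
# comparing dotted numeric versions component by component (8.14 < 8.14.4)
version_ok() {
    have=$1 min=$2 i=1
    while :; do
        a=$(printf '%s' "$have" | awk -F. -v n="$i" '{print $n}')
        b=$(printf '%s' "$min"  | awk -F. -v n="$i" '{print $n}')
        [ -z "$a" ] && [ -z "$b" ] && return 0   # all components equal
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
}

# Constructed sample: novrfy and restrictqrun are missing
BAD_CF=$(mktemp)
printf 'O PrivacyOptions=authwarnings, noexpn\nO LogLevel=9\n' > "$BAD_CF"
# Constructed sample that satisfies the guideline
GOOD_CF=$(mktemp)
printf 'O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun\n' > "$GOOD_CF"

# Stand-alone report
for cf in "$BAD_CF" "$GOOD_CF"; do
    m=$(privacy_missing "$cf") && echo "$cf: PrivacyOptions OK" || echo "$cf: missing $m"
done
version_ok 8.13.8 8.14.4 || echo "sendmail 8.13.8 is below the 8.14.4 minimum"
```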

DNS (Domain Name Service) Security Configuration (Priority: Medium)

Whether the DNS service is used, and its configuration

Criteria

A. When the service is required

  • Restrict by IP address so that zone transfers are possible only to specific servers
  • Updating to the latest version, BIND 9.9.2-P1 or later, is recommended

B. When the service is not required

  • Stop the service and configure it so that it does not start on system restart

Configuration Method

<When the DNS service is required>

<Example modification of the BIND 8 DNS configuration (/etc/named.conf)>
  options {
              allow-transfer { <IP addresses allowed to receive zone file transfers>; };
  };
<Example modification of the BIND 4.9 DNS configuration (/etc/named.boot)>
  Options
	  xfrnets <IP addresses to allow>

<When the service is not required>
1) Stop the running service

# ps -ef | grep named
  root   279     1  0   Sep 22 ?        1:17 /usr/sbin/in.named
# kill -9 279

2) Prevent the DNS server from starting on system restart

# mv  /etc/rc3.d/S79named  /etc/rc3.d/_S79named

Detailed Description

In general, zone transfers are performed to keep the zone information of the primary and secondary name servers consistent, so it is sufficient to allow zone transfers only to the secondary name server.

If zone transfers are allowed to unauthorized users, an attacker can use the received zone information to learn a great deal, such as host information and the network layout; a DNS server installed with default settings allows any user to perform zone transfers.

If the default configuration is used as-is after initial system installation, the DNS service may be running even though it is not used, so unnecessary DNS services must be removed.
If the DNS service is used, the DNS configuration must be modified so that internal zone files cannot be transferred to arbitrary external servers and so that not just anyone can receive query responses, and security version patches must be applied.

As of now (November 2012), BIND (Berkeley Internet Name Domain) version 9.9.2-P1 has been released, and almost all known vulnerabilities exist in earlier versions.

Since ISC discontinued security and system update support for BIND version 8 on 2007-08-27, upgrading to BIND version 9 is recommended in order to prepare for security vulnerabilities that may arise in the future and to improve system performance. (https://www.isc.org/downloads)

  • Almost all versions of BIND are vulnerable; updating to BIND 9.9.2-P1 or later is required
  • The following are recent BIND vulnerabilities; systems using a vulnerable version need to be upgraded

Denial-of-Service (CVE-2009-4022): versions before 9.6.0

Remove the DNS service if it is not used for a specific purpose.
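As an added check (not part of this guideline), the following script reads the allow-transfer statement from a BIND named.conf and reports whether zone transfers are open to any host or restricted to listed addresses; the three named.conf fragments are constructed samples, and 192.0.2.0/24 is the documentation address range rather than a real name server.

```shell
# zone_transfer_policy <named.conf>: prints "open: ..." and returns 1 when zone
# transfers are unrestricted (no allow-transfer, or allow-transfer { any; }),
# otherwise prints "restricted: <addresses>" and returns 0.
# A zone-level allow-transfer overrides the global one in options {}; this
# check reads the last allow-transfer statement found in the file.
zone_transfer_policy() {
    conf=$1
    # strip // and # comments, join lines, pull the body of allow-transfer { ... }
    acl=$(sed 's://.*$::; s:#.*$::' "$conf" \
          | tr '\n' ' ' \
          | sed -n 's/.*allow-transfer[[:space:]]*{\([^}]*\)}.*/\1/p' \
          | tr -d ' \t')
    case "$acl" in
        "")    echo "open: no allow-transfer statement (BIND default allows any host)"; return 1 ;;
        *any*) echo "open: allow-transfer permits any host"; return 1 ;;
        *)     echo "restricted: $(printf '%s' "$acl" | sed 's/;$//; s/;/ /g')"; return 0 ;;
    esac
}

# Constructed samples
OPEN_CONF=$(mktemp); RESTRICTED_CONF=$(mktemp); NONE_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
options {
    directory "/var/named";      // constructed sample
    allow-transfer { any; };
};
EOF
cat > "$RESTRICTED_CONF" <<'EOF'
options {
    directory "/var/named";
    # allow-transfer { any; };   commented out, must be ignored
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};
EOF
printf 'options { directory "/var/named"; };\n' > "$NONE_CONF"

# Stand-alone run
for c in "$OPEN_CONF" "$RESTRICTED_CONF" "$NONE_CONF"; do
    zone_transfer_policy "$c" || echo "  -> restrict allow-transfer to the secondary name server"
done
```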

SWAT (Samba Web Administration Tool) Security Configuration (Priority: High)

Whether the SWAT service is used, and its configuration

Criteria

A. Remove the SWAT service

※ Exception: when port 901 is filtered using a firewall

Configuration Method

<When the SWAT service is required> If a firewall is in use, contacting the firewall administrator and having port 901 filtered is recommended, so that SWAT access from external networks is blocked

<When the SWAT service is not required>
1) If there is no need to use SWAT, stop it as follows

# vi /etc/inetd.conf and modify the contents as shown below
(before)  swat    stream tcp   nowait.400 root /opt/samba/bin/swat swat
(after)  #swat    stream tcp   nowait.400 root /opt/samba/bin/swat swat

2) Restart inetd

# inetd -c

Detailed Description

SWAT (Samba Web Administration Tool) prints different messages, as shown below, depending on whether the user name or the password was entered incorrectly.

When the user ID is correct and only the password is wrong:
  401 Authorization Required.
  You must be authenticated to use this service.

When both the user ID and the password are wrong:
  401 Bad Authorization
  username/password must be supplied

Because the messages differ, a brute-force attack that systematically tries user IDs and passwords can determine valid user IDs from the message returned.

Samba Version Vulnerability

Check whether the Samba service is used and its version

Criteria

A. When the service is required

  • Upgrade to version 4.0.1

B. When the service is not required

  • Remove the service

Configuration Method

<When the Samba service is required>
When used for a service, upgrade to version 3.6.2

<When the Samba service is not required>
1) If there is no need to use Samba, stop it as follows

# ps -ef | grep smb
  538 ? 00:00:00 smbd
# kill -9 538

2) Remove the boot script

# mv /etc/rc3.d/S90samba /etc/rc3.d/_S90samba

Detailed Description

Numerous vulnerabilities have been found in the Samba server, and using an older version of Samba can make it the target of attacks such as brute-force attacks and buffer overflows.

  • Most Samba vulnerabilities were found in versions 3.4 and earlier, and as of now (November 2012) Samba 4.0.1 is the latest version, so using Samba 4.0.1 or later is recommended.
  • The following are recent Samba vulnerabilities; systems using a vulnerable version need to be upgraded.

Samba Information Disclosure and Denial of Service (CVE-2009-2906): versions before 3.4
※ Patches are provided for vulnerable Samba versions, so applying the patches for these vulnerabilities is recommended (http://www.samba.org/samba/history/security.html)

SSH (Secure Shell) Version Vulnerability (Priority: Medium)

Check the SSH version according to whether SSH is used

Criteria

A. When the service is required

  • Install and operate the latest version of SSH (OpenSSH 6.1, November 2012)

B. When the service is not required

  • Remove the running SSH service

Configuration Method

<When the SSH service is required>
1) Installing and operating the latest version of SSH is recommended
The latest SSH version as of now (2012/11/31) is OpenSSH 6.1, and using OpenSSH 6.1 or later is recommended (OpenSSH can be downloaded from http://www.openssh.org)

<When the service is not required>
1) Stop the running service

# ps -ef | grep sshd
  root    414  0.0  0.7  2672 1692  /usr/sbin/sshd
# kill -9 414

2) Rename the startup script file so that SSH does not start (the startup script location differs by OS)

# ls -al /etc/rc*.d/* | grep sshd   (check the location of the startup script file)
# mv  /etc/rc2.d/S55sshd  /etc/rc2.d/_S55sshd

※ The location of the /opt/ssh/etc/sshd_config file may differ depending on the SSH configuration

Detailed Description

OpenSSH is an open-source implementation of the SSH (Secure Shell) protocol that replaces telnet, ftp, rlogin, rsh and similar tools; by encrypting network traffic it can protect important data from attacks such as packet sniffing.

However, numerous vulnerabilities have been found in older versions of OpenSSH, and through these vulnerabilities a system can become the target of various attacks, such as root privilege acquisition and DoS attacks.

  • The following are OpenSSH vulnerabilities; systems using a vulnerable version need to be upgraded.

Plaintext Recovery Attack Against SSH: versions before 5.1
X11UseLocalhost=no hijacking attack (CVE-2008-1483): OpenSSH versions before 5.0

X-Server Access Restriction Configuration (Priority: High)

Restrict access to the target system's X server from arbitrary hosts

Criteria

A. Remove X-server access settings such as 'xhost +' from all users' startup files

Configuration Method

Remove all commands such as 'xhost +' from all users' startup files (.login, .profile, .cshrc, .xinitrc, .xsession, etc.)

Detailed Description

GUI programs on UNIX systems run on X Window, so on a system that uses X Window, if access to the target system's X server is allowed from arbitrary hosts, an attacker who connects to the target system's X server can then do the following.

  • Read various information typed by the user (e.g., passwords) from the keyboard
  • View all information displayed on the screen
  • Display arbitrary information on the screen
  • Run or stop arbitrary applications
  • Control the user's session
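As an added check (not part of this guideline), the following script scans startup files for the 'xhost +' entries the criterion above says to remove, ignoring commented-out lines and distinguishing the fully open form from 'xhost +hostname'; the two startup files and the host name mgmt01.example.net are constructed samples.

```shell
# xhost_findings <file>...: for each startup file, prints
#   "<file>: open (xhost +)"  for a bare 'xhost +' (every host may connect)
#   "<file>: host <name>"     for 'xhost +name' (one named host)
# Commented-out lines are ignored. Returns 1 if any fully open entry was found.
xhost_findings() {
    open=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk 'BEGIN { FS = "[ \t;&|]+" }
             { sub(/#.*/, "") }                 # strip shell comments
             {
               seen = 0
               for (i = 1; i <= NF; i++) {
                 if ($i ~ /(^|\/)xhost$/) { seen = 1; continue }   # xhost or /path/to/xhost
                 if (!seen) continue
                 if ($i == "+")        { print FILENAME ": open (xhost +)"; bad = 1 }
                 else if ($i ~ /^\+./) { print FILENAME ": host " substr($i, 2) }
               }
             }
             END { exit bad + 0 }' "$f" || open=1
    done
    return $open
}

# Constructed sample startup files (not real user files)
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/.profile" <<'EOF'
PATH=$PATH:/usr/bin/X11; export PATH
xhost +            # constructed: opens the X server to every host
EOF
cat > "$SAMPLE_DIR/.xinitrc" <<'EOF'
# xhost +          constructed: commented out, must not be reported
/usr/bin/X11/xhost +mgmt01.example.net
EOF

# Stand-alone run; on a real system the arguments would be each user's
# .login .profile .cshrc .xinitrc .xsession
xhost_findings "$SAMPLE_DIR/.profile" "$SAMPLE_DIR/.xinitrc" \
    || echo "remove 'xhost +' from the files reported as open"
```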

6. Major Application Configuration

Security Patch Application (Priority: Medium)

Apply security patches periodically to prevent server compromise

Criteria

A. Apply the latest security patches and bug-fix patches

Configuration Method

Install the latest security patches and bug-fix patches

Check the list of patches applied to the server with "swlist -l fileset | grep patch"
Because HP-UX runs on a variety of hardware platforms and OS versions, no general security patch is published; instead, a program (Perl script) called security_patch_check can be installed and run on the server to obtain a list of the security patches the server is missing

security_patch_check is a tool that analyzes the list of currently applied patches; it provides information on applicable patches and patches not yet installed in report form, and automatically checks and reports error information about security patches on the system

To use security_patch_check, a tool called Service Control Manager must be installed on the server; refer to the remarks section for details on using security_patch_check

<Example of patch application>
1) Manual patch application

Patch application by the operator proceeds through the following steps
(1) Connect to http://www11.itrc.hp.com/service/patch/mainPage.do
(2) Select HPUX to move to the corresponding page
(3) Select the applicable H/W and OS
(4) Search by selecting the keyword, Patch-ID, or patch list options
(5) Receive the search results
(6) Select and download the required patches
(7) Decide which patches to apply, taking dependencies between patches into account

2) Patch application using Custom Patch Manager

CPM (Custom Patch Manager) is a tool that lets you select and download the patches suitable for the system. Using CPM, patches can be applied automatically at the interval configured for the environment, and it automatically analyzes dependency and conflict relationships to decide which patches to apply. The steps for using CPM are as follows

(1) Go to the ITRC website (http://itrc.hp.com) and log in
(2) Click the maintenance/support link, then select customized patch bundles
(3) Download and run the cpm_collect.sh script to gather information on the current configuration
(4) Upload the results obtained by running the cpm_collect.sh script on the current configuration to the ITRC page
(5) Click Perform Patch Analysis to obtain the list of candidate patches required
(6) Check that there are no conflicts between the selected patches
(7) Download the selected patches by clicking the Package button, then install them

<Patch application>

<Example of patch application>

# mkdir /var/spool/patch

Create a directory as above to manage the patch files

  • Patch installation sequence

(Example): Applying Patch PHCO_16341: HP AutoRAID Manager cumulative patch

# swlist -l fileset | grep PHCO_16341 (check whether the patch is already installed on the system)
  PHCO_16341.txt
# sh PHCO_16341.txt
# ls
  PHCO_16341.txt   PHCO_16341.depot  PHCO_16341.text
# swinstall -s /var/spool/patch/PHCO_16341.depot
# swlist -l fileset | grep PHCO_16341 (verify the installed patch)

<Installation precautions>
※ A reboot may be required after applying a patch, so read the README-Patch-ID file carefully

Detailed Description

Securing security and system stability through periodic patch application is an important element of system operation; however, for systems in service, applying many patches is very difficult because of the problems that accompany patch application (unexpected stops of applications currently in operation, bugs in the patch itself, etc.) and the difficulty of rebooting, so many factors must be considered when applying patches.

For the security and safety of the system, it is desirable to apply patches periodically, but taking the following into account, patches should be applied under the supervision of an OS vendor engineer, after sufficient review by the OS vendor engineer and only when it is judged that there will be no impact on the services operating on the server.

No.  Considerations and requirements when applying patches
1    Apply the patch only after the OS vendor has reviewed the impact the patch may have on the system itself and found no problems
2    Apply the patch only after the OS vendor and the developers of the service programs (i.e., applications) running on the system have jointly reviewed the impact the patch may have on those programs and found no problems
3    To prepare for an unexpected service outage after applying the patch, establish and test roll-back and emergency recovery procedures before performing the patch work
4    Perform a full backup of the system before and after applying the patch.