ULTRIX Security Guide for Users

This document, the "ULTRIX Security Guide for Users" (June 1990, for ULTRIX Version 4.0 or higher), aims to educate users with basic ULTRIX experience on how to create and maintain a secure computing environment.

The guide outlines the fundamental aspects of computer security—secrecy, integrity, availability, and accountability—and describes common threats like masquerade and Trojan horse programs. It emphasizes the shared responsibility between users and security administrators in maintaining system security.

Key areas of user responsibility and system features covered include:

1. Protecting Your Account:

   • Understanding how the system verifies user identity (UID/GID).
   • Using a "trusted path" (Secure Attention Key) during login to prevent password theft.
   • Monitoring login messages and auditing logs (last command) for unauthorized access.
   • Adhering to strong password practices: choosing complex, hard-to-guess passwords (e.g., passphrases, mixed characters, minimum length), keeping them secret, changing them regularly, and using different passwords for multiple accounts.
   • Securing the terminal by locking sessions or logging out properly when leaving.

2. Protecting Your Files and Directories:

   • Understanding file types (ordinary, directory, special), ownership, and permissions (read, write, execute using octal and symbolic values).
   • Setting restrictive default file permissions with umask and modifying existing permissions with chmod.
   • Using groups (chgrp) and organizing files into separate directories for better access control.
   • Employing the find command to identify suspicious or poorly protected files.
   • Understanding how file manipulation commands (cp, mv, ln, tar, cpio) affect file permissions and ownership.
   • Using the crypt command to encrypt sensitive information.

3. Processes and Shells:

   • Differentiating between real and effective User IDs (UIDs) and Group IDs (GIDs), which determine a process's access rights.
   • Recognizing the security risks of SUID (Set User ID) and SGID (Set Group ID) programs, especially those owned by root, and advising caution in their creation and use.
   • Creating secure shell startup files (e.g., .profile, .cshrc) by using absolute pathnames in the PATH variable and setting restrictive permissions on these files.
   • Noting that shell scripts are inherently less secure than compiled programs and should not be made SUID.

4. Connecting to Other Systems (Network Security):

   • Addressing security concerns related to various networking protocols (TCP/IP, LAT, UUCP, DECnet) and their associated commands (e.g., rlogin, ftp, uucp, tip, dcp).
   • Emphasizing careful control of network access files like /etc/hosts.equiv and .rhosts to prevent unauthorized, passwordless access.
   • Providing guidelines for secure remote sessions, such as avoiding automatic logins and ensuring terminals are not left unattended.

5. Workstation and Windowing Environments (DECwindows):

   • Explaining how to control access to a workstation display through system-wide (/etc/X*.hosts) and personal (.Xdefaults) access control lists.
   • Highlighting features like "secure keyboard mode" to protect sensitive input (e.g., passwords) from being captured remotely.
   • Discussing the importance of physical security for workstations in less protected environments and protecting removable media.

In summary, the "ULTRIX Security Guide for Users" provides comprehensive guidance and best practices for ULTRIX users to enhance the security of their accounts, files, processes, network interactions, and workstations, stressing the user's active role in maintaining a secure computing environment.