This appendix discusses site security policy issues, and suggests reference books and web sites for further information:
Each Trusted Extensions site is unique and must determine its own security policy. Perform the following tasks when creating and managing a security policy.
Establish a security team. The security team needs to have representation from top-level management, personnel management, computer system management and administrators, and facilities management. The team must review Trusted Extensions administrators' policies and procedures, and recommend general security policies that apply to all system users.
Educate management and administration personnel about the site security policy. All personnel involved in the management and administration of the site must be educated about the security policy. Security policies must not be made available to regular users because this policy information has direct bearing on the security of the computer systems.
Educate users about Trusted Extensions software and the security policy. All users must be familiar with the Trusted Extensions User’s Guide . Because the users are usually the first to know when a system is not functioning normally, the user must become acquainted with the system and report any problems to a system administrator. A secure environment needs the users to notify the system administrators immediately if they notice any of the following:
A discrepancy in the last login time that is reported at the beginning of each session
An unusual change to file data
A lost or stolen human-readable printout
The inability to operate a user function
Enforce the security policy. If the security policy is not followed and enforced, the data contained in the system that is configured with Trusted Extensions is not secure. Procedures must be established to record any problems and the measures that were taken to resolve the incidents.
Periodically review the security policy. The security team must perform a periodic review of the security policy and all incidents that occurred since the last review. Adjustments to the policy can then lead to increased security.
The security administrator must design the Trusted Extensions network based on the site's security policy. The security policy dictates configuration decisions, such as the following:
How much auditing is done for all users and for which classes of events
How much auditing is done for users in roles and for which classes of events
How audit data is managed, archived, and reviewed
Which labels are used in the system and whether the ADMIN_LOW and ADMIN_HIGH labels will viewable by regular users
Which user clearances are assigned to individuals
Which devices (if any) can be allocated by which regular users
Which label ranges are defined for systems, printers, and other devices
Whether Trusted Extensions is used in an evaluated configuration or not
Consider the following list of guidelines when you develop a security policy for your site.
Assign the maximum label of a system that is configured with Trusted Extensions to not be greater than the maximum security level of work being done at the site.
Manually record system reboots, power failures, and shutdowns in a site log.
Document file system damage, and analyze all affected files for potential security policy violations.
Restrict operating manuals and administrator documentation to individuals with a valid need for access to that information.
Report and document unusual or unexpected behavior of any Trusted Extensions software, and determine the cause.
If possible, assign at least two individuals to administer systems that are configured with Trusted Extensions. Assign one person the security administrator authorization for security-related decisions. Assign the other person the system administrator authorization for system management tasks.
Establish a regular backup routine.
Assign authorizations only to users who need them and who can be trusted to use them properly.
Assign privileges to programs only they need the privileges to do their work, and only when the programs have been scrutinized and proven to be trustworthy in their use of privilege. Review the privileges on existing Trusted Extensions programs as a guide to setting privileges on new programs.
Review and analyze audit information regularly. Investigate any irregular events to determine the cause of the event.
Minimize the number of administration IDs.
Minimize the number of setuid and setgid programs. Use authorizations, privileges, and roles to execute the program and to prevent misuse.
Ensure that an administrator regularly verifies that regular users have a valid login shell.
Ensure that an administrator must regularly verifies that regular users have valid user ID values and not system administration ID values.
Consider the following list of guidelines when you develop a security policy for your site.
Restrict access to the systems that are configured with Trusted Extensions. The most secure locations are generally interior rooms that are not on the ground floor.
Monitor and document access to systems that are configured with Trusted Extensions.
Secure computer equipment to large objects such as tables and desks to prevent theft. When equipment is secured to a wooden object, increase the strength of the object by adding metal plates.
Consider removable storage media for sensitive information. Lock up all removable media when the media are not in use.
Store system backups and archives in a secure location that is separate from the location of the systems.
Restrict physical access to the backup and archival media in the same manner as you restrict access to the systems.
Install a high-temperature alarm in the computer facility to indicate when the temperature is outside the range of the manufacturer's specifications. A suggested range is 10°C to 32°C (50°F to 90°F).
Install a water alarm in the computer facility to indicate water on the floor, in the subfloor cavity, and in the ceiling.
Install a smoke alarm to indicate fire, and install a fire-suppression system.
Install a humidity alarm to indicate too much or too little humidity.
Consider TEMPEST shielding if machines do not have it. TEMPEST shielding might be appropriate for facility walls, floors, and ceilings.
Allow only certified technicians to open and close TEMPEST equipment to ensure its ability to shield electromagnetic radiation.
Check for physical gaps that allow entrance to the facility or to the rooms that contain computer equipment. Look for openings under raised floors, in suspended ceilings, in roof ventilation equipment, and in adjoining walls between original and secondary additions.
Prohibit eating, drinking, and smoking in computer facilities or near computer equipment. Establish areas where these activities can occur without threat to the computer equipment.
Protect architectural drawings and diagrams of the computer facility.
Restrict the use of building diagrams, floor maps, and photographs of the computer facility.
Consider the following list of guidelines when you develop a security policy for your site.
Inspect packages, documents, and storage media when they arrive and before they leave a secure site.
Require identification badges on all personnel and visitors at all times.
Use identification badges that are difficult to copy or counterfeit.
Establish areas that are prohibited for visitors, and clearly mark the areas.
Escort visitors at all times.
Because no computer is completely secure, a computer facility is only as secure as the people who use it. Most actions that violate security are easily resolved by careful users or additional equipment. However, the following list gives examples of problems that can occur:
Users give passwords to other individuals who should not have access to the system.
Users write down passwords, and lose or leave the passwords in insecure locations.
Users set their passwords to easily guessed words or easily guessed names.
Users learn passwords by watching other users type a password.
Unauthorized users remove, replace, or physically tamper with hardware.
Users leave their systems unattended without locking the screen.
Users change the permissions on a file to allow other users to read the file.
Users change the labels on a file to allow other users to read the file.
Users discard sensitive hardcopy documents without shredding them, or users leave sensitive hardcopy documents in insecure locations.
Users leave access doors unlocked.
Users lose their keys.
Users do not lock up removable storage media.
Computer screens are visible through exterior windows.
Network cables are tapped.
Electronic eavesdropping captures signals emitted from computer equipment.
Power outages, surges, and spikes destroy data.
Earthquakes, floods, tornadoes, hurricanes, and lightning destroy data.
External electromagnetic radiation interference such as sun-spot activity scrambles files.
Government publications describe in detail the standards, policies, methods, and terminology associated with computer security. Other security publications are useful in gaining a thorough understanding of UNIX security problems and solutions.
The web also provides resources. In particular, the CERT web site alerts companies and users to security holes in the software. The SANS Institute offers training, an extensive glossary of terms, and an updated list of top threats from the Internet.
The U.S. government offers many of its publications on the web. The U.S. Department of Homeland Security publishes security information. Also, the Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology (NIST) publishes articles on computer security. The following are a sample of the publications that can be downloaded from the NIST site.
An Introduction to Computer Security: The NIST Handbook. SP 800-12, October 1995.
Standard Security Label for Information Transfer. FIPS-188, September 1994.
Swanson, Marianne and Barbara Guttman. Generally Accepted Principles and Practices for Securing Information Technology Systems. SP 800-14, September 1996.
Tracy, Miles, Wayne Jensen, and Scott Bisker. Guidelines on Electronic Mail Security. SP 800-45, September 2002. Section E.7 concerns securely configuring LDAP for mail.
Wilson, Mark and Joan Hash. Building an Information Technology Security Awareness and Training Program. SP 800-61, January 2004. Includes a useful glossary.
Grace, Tim, Karen Kent, and Brian Kim. Computer Security Incident Handling Guidelines. SP 800-50, September 2002. Section E.7 concerns securely configuring LDAP for mail.
Scarfone, Karen,Wayne Jansen, and Miles Tracy. Guide to General Server Security SP 800-123, July 2008.
Souppaya, Murugiah, John Wack, and Karen Kent. Security Configuration Checklists Program for IT Products. SP 800-70, May 2005.
Sun Microsystems Security Engineers. Solaris 10 Security Essentials. Prentice Hall, 2009.
Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical UNIX and Internet Security, 3rd Edition. O'Reilly & Associates, Inc, Sebastopol, CA, 2006.
Nemeth, Evi, Garth Snyder, Trent R. Hein, and Ben Whaley. UNIX and Linux System Administration Handbook (4th Edition) Pearson Education, Inc. 2010.
Brunette, Glenn M. Toward Systemically Secure IT Architectures. Archived Oracle Technical Paper, June 2006.
Kaufman, Charlie, Radia Perlman, and Mike Speciner. Network Security: Private Communication in a Public World, 2nd Edition. Prentice-Hall, 2002.
Pfleeger, Charles P. and Shari Lawrence Pfleeger. Security in Computing. Prentice Hall PTR, 2006.
Privacy for Pragmatists: A Privacy Practitioner's Guide to Sustainable Compliance. Sun Microsystems, Inc, August 2005.
Rhodes-Ousley, Mark, Roberta Bragg, and Keith Strassberg. Network Security: The Complete Reference. McGraw-Hill/Osborne, 2004.
McClure, Stuart, Joel Scambray, George Kurtz. Hacking Exposed 7: Network Security Secrets & Solutions, Seventh Edition. McGraw-Hill, 2012.
Stoll, Cliff. The Cuckoo's Egg. Doubleday, 1989.