Unix System Review
(C) John Sechrest 1989
Modified by Trent Fisher, 1993-5

The goal of the system review is to evaluate the status of a Unix system,
with respect to usability, security, and how well it is maintained.  For
the purposes of this review, you may consider a "system" to be a single
standalone machine, a class of "cloned" machines where all are identical,
or a server with its diskless (or dataless) clients.

Since there are many different kinds of hardware and software, and many
different uses for systems, this document should be considered as a guide
through the review process, and not as the final word on the way things
should be done.

To perform the review, fill in answers after each question/entry and
precede that line with a ">" to more clearly denote your answers.  Feel
free to answer "NA" or "don't know" to items, as appropriate.  It is
important to at least put some mark next to each item to indicate (to
yourself) that you have checked that item on the system being reviewed.
Feel free to add items which you feel have been left off of the form, and
to make note of questions or comments you wish to discuss later.

The review is divided into categories, and many items within the
categories may overlap with items in other sections.  The categories are
intended to indicate "systems" or "services" provided by the overall
computer system and its software, and to reflect the kind of information
and tasks necessary to configure, install and maintain it.

System Name:

Statement of the system's intended use:

HARDWARE
--------
CPU(s) (number and type):
RAM:
Non-disk peripherals and cards:
Disk configuration (type, size, controllers, other info):
Serial lines:
Modems:
Graphics (list screens, colors, resolution, mice, keyboards, etc.):

PHYSICAL ENVIRONMENT
--------------------
Is the temperature controlled?
Dust and/or dirt?  If not, how often is hardware cleaned?
Is the hardware out of harm's way (vibration, kicking, vandalism, liquid &
solid spills)?
Is the hardware locked to prevent theft?
Noise -- Is the hardware obnoxious to work around?  Is there other noise
in the room which will bother users of this system?
Ergonomics -- Is the console comfortably usable?  Is there enough space
for papers or manuals one might wish to use at the console?
Who has access to the system console?  I.e., who might be able to get a
single-user (root) shell?

SYSTEM USAGE
------------
Total number of users:
Typical maximum number of active users:
Type of usage:
    programming (light -- academic, or heavy -- research, large programs)?
    text formatting, typesetting (light or heavy)?
    compute-bound, long-running jobs?
    reading news & mail?
    graphics/windowing users?
    other?

DISK USAGE
----------
Amounts each of (estimate if necessary):
    total user space:
    active user space (<= 3 months old):
    total system (non-source) space:
    total system sources (incl. local additions):
    space for proprietary options (languages, dbms', etc.):
    swap space (interleaved over how many disks & controllers):
List the partitions & where they're mounted:
How long does it take to do a full file-system check at boot time?
NFS:
    What partitions are shared among clients & servers in the system?
    Are partitions explicitly exported (not "world" exported)?
Cleanup & space monitoring issues:
    Are log files rotated (news, uucp, syslog, messages, acct, lastlog,
    wtmp, sulog, others)?
    Spool areas (news expires, enough space for mailboxes, uucp queues
    expired, mail queues)?
    Likely overflow areas -- identify them, and discuss what will be the
    impact when they fill up (e.g. /usr/tmp, /usr/spool/mail, news spool,
    uucp spool, etc.)?
    Is space usage monitored?  (manually? automatically?)
    Are junk files cleaned up (core, editor backup, mh deletes, a.out's)?

CRASH RECOVERY
--------------
Alternate boot device(s) (disk, tape, network)?
If there's only one boot device (root disk), how hard is it to restore the
system after that device crashes?  Write down the procedure.
List partitions which are backed up (or not backed up), how often they are
backed up, and in what form (dump, tar, cpio, other; local or remote
device):
When was something last retrieved from backup (i.e. how often are the
backups tested)?
Are the backup media clearly labelled?  Where are they stored?
In the event of hardware failure what contingency plans are there
(maintenance contract, spares, &c.)?

SECURITY
--------
Are checks for setuid files made periodically?
PATH for users & root "safe" ("." last or not present)?
All directories in PATH protected against world writability?
Is there a list somewhere of what the permissions should be on all
(non-user) directories on the system?  How about an automated check and
report of changes?  Is that list stored offline?
User mailbox directory and files protected against loss or invasion of
privacy?
Who knows the root password (or other sorts of root access)?  Do they need
it?
When was the root password last changed?  When was YOUR password last
changed?  Are these passwords easy to guess or decrypt?
Is the password file (and directory) protected?  How about the root
directory and filesystem?
Is there a "shadow" password file on the system?
Are the include files protected?  Home directories?
Are there any daemons which are run as root when they don't need to be?
Ttys -- Some systems can disallow root logins.  Is this set up?  Is modem
control enabled (i.e. if CD or DTR drops, does the session die)?
Do you read a security mailing list?  Do you (try to) understand it?
If tftp is on the system, is it properly restricted?
Do any of your users have stupid (easily guessable) passwords?  Do you
check regularly?
Is the default umask set properly?
Do you have the distribution media archived (copied, then stored)?

PRINTING
--------
What types of printing are possible from the system?  Local line printer?
Remote line printer?  Laser printer?

MAIL SYSTEM
-----------
Is there a "postmaster" alias?  root alias?  Do you read them?
Does it handle UUCP ("!") and domain ("@") addresses?
Does it forward mail to a smart gateway if necessary?

TCP/IP NETWORKING
-----------------
How is host name translation done (/etc/hosts, DNS, NIS)?  Does it work
properly for all network apps?
Are the net address, subnet mask, and broadcast address set properly?
Write down what they should be:
Is the system a gateway (i.e. more than one net interface)?
Does the system run a routing protocol?  Which one?  Does it really need
to be running it?
Is the default route set properly at boot time?
Are /etc/hosts.equiv and /.rhosts reasonable?  I.e. does EVERYTHING in
them NEED to be there?  How about your personal .rhosts?
Does the system generate useless or obnoxious network traffic?
    Bad (wrong) broadcasts?
    Act as a gateway when it isn't one (try to forward packets)?
    Run rwhod?
    Generate routing updates (if not a gateway)?
Can your system successfully connect with ftp, telnet and other network
programs to remote and distant hosts?  Do you check regularly?

CONTINUOUS MAINTENANCE TASKS
----------------------------
The following are things which may need hourly, daily, or weekly
attention.  Some can be automated, some may need to be done manually
(mark how and when they are done on the system (or if they are not done)).
As a starting point, you should look in the crontab to see what gets done
automatically.  Follow through the scripts that cron calls, to see exactly
which tasks are performed.

Mail System:
    Enough spool space (queued traffic, log files)?
    Log files and old queued notes get cleaned up?
    Persistent and/or serious errors checked and corrected?

News System:
    Enough spool space (articles and batch files go here)?
    Enough "lib" space (sys, active, history, & log files go here)?
    Old articles being expired?
    Bad (empty) articles & other "droppings" cleaned up?
    History file rebuilt occasionally (monthly)?
    Logs and errlogs trimmed?
    Control messages handled (newgroup, rmgroup, checkgroups)?
    Are there a lot of articles ending up in "junk"?  If so, then probably
    you need to run the next checkgroups posting which comes in.
    Do you scan the news.admin, news.groups, news.software, etc. groups?
    Are outgoing and incoming feeds flowing regularly?

UUCP System:
    Enough spool space (queued traffic and log files go here)?
    Log files trimmed?
    Old queued traffic expired (via uuclean)?
    Traffic flowing OK?
    Do all connections have their own login id & password?
    Do failure messages to those id's get forwarded to postmaster?
    List the procedure for adding a new uucp connection:

Log files & miscellaneous cleanup:
    Do log files get trimmed (e.g. wtmp, lastlog, acct, sulog, messages,
    syslog, logfiles for various daemons, etc.)?
    /usr/crash core dumps cleaned up?  Causes examined?
    /tmp & /usr/tmp cleaned up?
    Disk usage monitored (heavy users, old unaccessed files)?

Keeping host table(s) and/or DNS up to date and in sync.
Keeping termcap files up to date and in sync.
Does the system make regular traffic, resource usage, and error summaries?

Local Additions
---------------
Where do binaries for local applications go?
Where do binaries for local sysadmin tools go?
Where do local man pages go?
Where do local online documents go?
Where do local libraries go?
Where do local administrative tools go?
Where do log files go?
Where do local config files go?
Where are the new user init files and templates?
Is there a system wide login init file?  Where is it?  What environment
variables does it set?  Do the new user dotfiles use it?
What other system wide init files are there?  Where are they?  What do
they do?  Do they do it right?  emacs?  Mail?  X-windows?  MH?  others?
List all locally installed software.  Decide if it needs to be there (is
it used) and if it needs to be updated.
Package     Version   Origin           Version         Origin
            (local)   (local source)   (most recent    (remote source)
                                       available)
____________________________________________________________________________
(eg) emacs  18.51     ulysses.cs       18.52           prep.ai.mit.edu
____________________________________________________________________________

CONFIGURATION
-------------
Do your users have healthy dotfiles (including root)?
(.login, .cshrc, .logout, .mailrc, .newsrc, .mh_profile)
Have you reviewed and studied the system configuration files to see if
they are reasonable:
    passwd
    group
    termcap/terminfo
    printcap
    crontab
    fstab
    gettytab
    ttys
    ttytype
    rc files
    exports
    aliases
    resolv.conf
    hosts
    hosts.lpd
    syslog.conf
    inetd.conf
    sendmail.cf
    hosts.equiv
    .rhosts
Paths:
    Is the path that whereis uses correct?
    Is a MANPATH supported?
Have you recompiled and optimized the kernel?  (buffer sizes, options,
devices)

ADMINISTRATION and POLICIES
---------------------------
What modes of communication with users do you have set up (motd,
newsgroups, mail aliases, bulletin boards, &c.)?  Do you use it?
Do you have clear articulated Policy statements?
Do you have a Use policy for the machine?
Do you have an Account policy and procedure?  What is it?  How long does
it take to get an account?
Do you have a procedure to know which accounts to delete?  What is it?
Do you have a written Backup policy (what gets backed up, how often)?
Have you got written and documented procedures for:
    Backup
    Recovery
    Cleaning
    Accounts
    New programs
    Plans
Are changes announced ahead of time?  (at least a week)
Are system changes marked with name and date and mail address of the
person making the change?
Do you have a designated administrator for the system?
Is there a System book which is in a known place that provides the focal
point for the system and documents the system and its plans?
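Several items in the SECURITY section (a "safe" PATH, world-writable PATH directories, periodic setuid checks, a stored permission list with an automated report of changes) and the TCP/IP NETWORKING item on /etc/hosts.equiv and /.rhosts can be answered mechanically.  The POSIX sh helper below is an added example, not part of the original review form; it assumes the classic find, ls, awk and diff tools and that the paths it lists contain no whitespace.

```shell
#!/bin/sh
# Added review helper (not part of the original form) for the SECURITY and
# TCP/IP NETWORKING items.  path_issues, drift and trust_wildcards print
# nothing when the item checks out, so their output can be pasted after
# the ">" on the answer line.  Assumes POSIX sh, find, ls, awk and diff;
# paths must not contain whitespace (ls -ld output is split on it).

# "PATH for users & root safe?  All directories in PATH protected against
# world writability?"  $1 = a PATH string, e.g. "$PATH" or root's.
path_issues() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            ''|.) echo "current-dir:${dir:-<empty>}"; continue ;;
        esac
        [ -d "$dir" ] || { echo "missing:$dir"; continue; }
        # -H follows a symlinked entry; -prune keeps find from descending
        [ -z "$(find -H "$dir" -prune -perm -0002 2>/dev/null)" ] ||
            echo "world-writable:$dir"
    done
}

# "Is there a list of what the permissions should be ... an automated
# check and report of changes?"  snapshot lists every directory plus every
# setuid/setgid file as "mode owner group path"; keep one copy offline as
# the baseline and let drift diff a fresh snapshot against it.  The setuid
# lines also cover "Are checks for setuid files made periodically?"
snapshot() {   # $@ = directories to cover, e.g. /bin /usr /etc
    find "$@" -xdev \( -type d -o -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null | awk '{ print $1, $3, $4, $NF }' | sort
}
drift() {      # $1 = saved baseline, $2.. = the same directories
    base=$1; shift
    snapshot "$@" | diff "$base" -
}

# "Are /etc/hosts.equiv and /.rhosts reasonable?"  A bare "+" in the host
# or user field trusts every host or every user; print each such line.
trust_wildcards() {   # $@ = hosts.equiv / .rhosts files
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '$1 == "+" || $2 == "+" { print f ":" NR ": " $0 }' "$f"
    done
}
```

Run `snapshot /bin /usr /etc > baseline` once and keep that file with the offline copy of the permission list; `drift baseline /bin /usr /etc` from cron then reports exactly the changed modes, owners and new setuid files.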