Be extremely careful about installing new software.
Never install binaries obtained from untrustworthy sources.
When installing new software, do not unpack or compile it as root. Consider building it in a chroot environment. Install it first on a noncritical system on which you can test it and observe any misbehavior or bugs.
Run integrity checks on your system on a regular basis (see Chapter 20).
Don't include nonstandard directories in your execution path.
Don't leave any bin or library directories writable by untrustworthy accounts.
Set permissions on commands to prevent unauthorized alteration.
Scan your system for any user home directories or dot files that are world-writable or group-writable.
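The scan for group- or world-writable home directories and dot files, written out as an added example (this is not code from the book). The same function, pointed at a bin or library directory, also covers the item above about writable bin and library directories. The function names are hypothetical, the sample tree is constructed in a temporary directory, and -mindepth/-maxdepth assume GNU or BSD find.

```shell
#!/bin/sh
# Added example, not from the book: find home directories and dot files that
# group or others can write to. Anything writable there can be turned into a
# Trojan startup file; the same scan, pointed at a bin or library directory,
# covers the "writable bin or library directories" item as well.
# Function names are hypothetical; -mindepth/-maxdepth need GNU or BSD find.

# Every file or directory below ROOT with the group or other write bit set.
# Directories carrying the sticky bit (shared scratch space) are reported
# too: decide per case whether that is acceptable.
loose_perms() {
    find "$1" \( -type d -o -type f \) \( -perm -g+w -o -perm -o+w \) -print
}

# Narrower scan for the checklist item: top-level home directories under
# ROOT, plus dot files (and dot directories) directly inside each of them.
home_dotfile_check() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -g+w -o -perm -o+w \) -print
    find "$1" -mindepth 2 -maxdepth 2 -name '.*' \( -perm -g+w -o -perm -o+w \) -print
}

# Constructed sample tree standing in for /home; prints its path.
build_demo_home() {
    _d=$(mktemp -d)
    mkdir -p "$_d/alice/.ssh" "$_d/bob"
    : > "$_d/alice/.profile"; chmod 0666 "$_d/alice/.profile"   # world-writable dot file
    : > "$_d/alice/.bashrc";  chmod 0644 "$_d/alice/.bashrc"    # fine
    chmod 0700 "$_d/alice/.ssh"
    chmod 0755 "$_d/alice"
    : > "$_d/bob/.bashrc";    chmod 0644 "$_d/bob/.bashrc"
    chmod 0777 "$_d/bob"                                          # world-writable home directory
    echo "$_d"
}

demo=$(build_demo_home)
echo "group/world-writable home directories and dot files under $demo:"
home_dotfile_check "$demo"
rm -rf "$demo"
```

On a real system, run home_dotfile_check against the parent of the home directories (typically /home) and loose_perms against each bin and library directory; a world-writable home directory is reported even when every file inside it is locked down, because the owner of the directory can still replace those files.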
Don't leave untrusted floppies in the floppy drive.
If you suspect a network-based worm attack or a virus in widely circulated software, call a FIRST response team or the vendor to confirm the instance before sounding any alarm.
If you are attacked by a network-based worm, sever your network connections immediately.
Never write or use SUID or SGID shell scripts unless you are a hoary Unix wizard.
Disable terminal answer-back, if possible.
Never have "." (the current directory) in your search path. Never have writable directories in your search path.
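A search-path audit covering the two items above and the earlier one about nonstandard directories, as an added example rather than code from the book. It reports "." and empty entries (both mean the current directory), relative entries, and directories that group or others can write to. audit_path is a hypothetical helper name, and the directories in the usage line are placeholders, not real system paths.

```shell
#!/bin/sh
# Added example, not from the book: audit a PATH-style string for entries
# that would let someone plant a command an administrator might run.
# Reported: "." or an empty entry (both mean the current directory), any
# relative entry, and any directory that group or others can write to.
# audit_path is a hypothetical helper name. Returns 0 only when clean.

audit_path() {
    _rest="$1:"          # trailing ":" so the last entry is read too
    _findings=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            ""|.)
                echo "current directory in PATH (entry '$_entry')"
                _findings=$((_findings + 1))
                continue ;;
            /*) ;;
            *)
                echo "relative entry in PATH: $_entry"
                _findings=$((_findings + 1))
                continue ;;
        esac
        # -prune stops find from descending; -perm -g+w / -o+w matches
        # when the group or other write bit is set on the directory itself.
        if [ -d "$_entry" ] &&
           [ -n "$(find "$_entry" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]; then
            echo "group/world-writable directory in PATH: $_entry"
            _findings=$((_findings + 1))
        fi
    done
    [ "$_findings" -eq 0 ]
}

# Usage with a constructed value (placeholder directories, not real system
# paths); on a live system run: audit_path "$PATH"
audit_path "/example/bin:.:/example/sbin:relbin" || echo "PATH needs attention"
```

Note that a leading or trailing colon, or "::" in the middle, is an empty entry and is treated by the shell exactly like ".", which is why the function reports it rather than skipping it. Run the audit for the superuser's PATH in particular, since that is the account for which a planted command does the most damage.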
When running as the superuser, get in the habit of typing full pathnames for commands.
Check the behavior of your xargs and find commands. Review the use of these commands (and the shell) in all scripts executed by cron.
Watch for unauthorized modification to initialization files in any user or system account, including editor startup files, .forward files, etc.
Periodically review all system startup and configuration files for additions and changes.
Periodically review mailer alias files for unauthorized changes.
Periodically review configuration files for server programs (e.g., inetd.conf).
Check the security of your at program, and disable the program if necessary.
Verify that any files run from the cron command files cannot be altered or replaced by unauthorized users.
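The cron check above, as an added example that is not code from the book: it reads crontab text, extracts the program each job runs, and reports programs that are writable by group or others, programs kept in a directory that is writable (whoever can write the directory can replace the file), and jobs that name a relative command, which is resolved through cron's PATH. The function names, the sample crontab and the temporary job tree are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: check that every program named in a
# crontab is neither writable by group/others nor kept in a directory that
# is (whoever can write the directory can replace the file). Reads crontab
# text on stdin and prints one finding per line; returns 0 only when clean.
# Function names and the sample paths below are constructed for this demo.

check_cron_commands() {
    _findings=0
    # Fields 1-5 are the schedule; the command starts at field 6.
    while read -r _min _hr _dom _mon _dow _cmd; do
        case "$_min" in
            ""|'#'*|*=*) continue ;;                    # blank, comment, VAR=value
            @*) _cmd="$_hr $_dom $_mon $_dow $_cmd" ;;  # @daily etc.: command starts at field 2
        esac
        set -f; set -- $_cmd; set +f                     # split the command, no globbing
        _prog=$1
        case "$_prog" in
            /*) ;;
            *) echo "relative command (resolved via PATH): $_prog"
               _findings=$((_findings + 1)); continue ;;
        esac
        if [ ! -e "$_prog" ]; then
            echo "missing program: $_prog"
            _findings=$((_findings + 1)); continue
        fi
        # Check the program and its parent directory for group/other write bits.
        for _p in "$_prog" "$(dirname "$_prog")"; do
            if [ -n "$(find "$_p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
                echo "group/world-writable: $_p (used by $_prog)"
                _findings=$((_findings + 1))
            fi
        done
    done
    [ "$_findings" -eq 0 ]
}

# Constructed tree of cron jobs in a temporary directory; prints its root.
build_cron_demo() {
    _d=$(mktemp -d)
    mkdir -p "$_d/sbin" "$_d/scratch"
    for _s in sbin/backup.sh sbin/report.sh scratch/rotate.sh; do
        printf '#!/bin/sh\nexit 0\n' > "$_d/$_s"; chmod 0755 "$_d/$_s"
    done
    chmod 0755 "$_d/sbin"
    chmod 0775 "$_d/sbin/report.sh"   # group-writable script
    chmod 0777 "$_d/scratch"          # world-writable directory holding a job
    echo "$_d"
}

# Constructed crontab referring to the demo tree rooted at $1.
demo_crontab() {
    cat <<EOF
# nightly jobs (constructed sample)
MAILTO=root
0 2 * * * $1/sbin/backup.sh -q
30 2 * * * $1/scratch/rotate.sh
@weekly $1/sbin/report.sh
15 4 * * * cleanup-tmp
EOF
}

root=$(build_cron_demo)
if demo_crontab "$root" | check_cron_commands; then
    echo "cron commands: clean"
else
    echo "cron commands: findings above"
fi
rm -rf "$root"
```

On a live system feed it the output of crontab -l for each account and the contents of the system crontab files; a job whose script is clean but sits in a writable directory is reported as a finding because the script can be swapped out without touching its permissions at all.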
Don't use the vi or ex editors in a directory without first checking for a Trojan .exrc file. Disable the automatic command execution feature in GNU Emacs.
Make sure that the devices used for backups are not world-readable.
Make sure that any shared libraries are properly protected and that protections cannot be overridden.