August 04, 2010, 2:29 PM — Even in the wild frontiers of today's Internet, good basic Unix system security provides extremely valuable protection against security breaches. In today's column, I'm going to rant about some basic security rules of thumb that every Unix sysadmin ought to consider.
The first basic security rule is to keep your consoles safe. Lock them up, eliminate them by replacing them with console servers (recovering rack space at the same time), and make sure that only a very select group of people have access to them. What's more, access to your data centers should be limited to just those who need to lay hands on the servers. If anyone can walk in and out, you're asking for a headache.
Data centers should be equipped with UPS or, better still, a generator to keep them up through significant power outages. Wait, you ask, is power to the data center security? You bet it is! Anything that threatens the productivity of your staff and the smooth running of your business is a security concern. UPS systems can often be configured to send low battery signals to systems and initiate auto-shutdown options, further preventing hardware loss. Check your UPS systems and make use of this feature if it's supported. If your AC is not also on the UPS or generator, auto-shutdown of systems might prevent them from being damaged through overheating.
Use locked cabinets for those things that are especially sensitive or that you just don't want walking off. I can't tell you how easily tools seem to leave data centers. Maybe you should have one set that isn't left out for just anyone to use. Consider adding binders with instructions on configuring critical applications to the locked cabinet. You might need them during an emergency and you might want to be sure that no one who doesn't (legitimately) need them walks off with them.
Your backup media should have very limited exposure. If encryption is an option (keep in mind that you will have to store and save your keys), make use of it. Backups are best stored offsite. Sending duplicate copies to two different locations is even better.
Good user security remains a prime component of any Unix security scheme. Train your users to use good passwords, committed only to secure storage (tools like KeePass) and never written to slips of paper that remain in clear view. Explain why locking their screens and reporting suspicious events are so important to overall security.
We still should not be running any services we don't need on our systems. It's simply a matter of statistics. The fewer services you run, the fewer exploits you'll be vulnerable to. You'll also have more bandwidth for those services you really do need to support if you don't waste cycles on services no one needs.
Set up your user groups sensibly. If you support distinct projects, maybe you need to configure groups of related users. Other (world) permission, on the other hand, may not be needed at all.
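One way to check a shared project tree against that advice, as an added example that is not part of the original column: it reports entries that still grant "other" permissions or sit outside the project group, and can tighten them. The function names and the directory and group arguments are hypothetical, and the setgid inheritance noted in the comments is the Linux behavior.

```shell
#!/bin/sh
# Added example: audit and tighten a shared project tree.
# The directory and group passed in are the caller's own (hypothetical here).

# List entries under DIR ($1) that grant any permission to "other" (world).
# Symlinks are skipped: their own mode bits are not used for access checks.
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# List entries under DIR ($1) that do not belong to GROUP ($2); the group
# permission bits on those entries do nothing for the project's members.
wrong_group() {
    find "$1" ! -type l ! -group "$2" -print
}

# Remove every "other" permission under DIR ($1), then set the setgid bit on
# directories so files created later inherit the directory's group.
tighten() {
    find "$1" ! -type l -exec chmod o-rwx {} +
    find "$1" -type d -exec chmod g+s {} +
}

# Report-only entry point: prints findings and returns non-zero if any exist.
audit() {
    audit_dir=$1
    audit_group=$2
    bad_perm=$(world_accessible "$audit_dir")
    bad_group=$(wrong_group "$audit_dir" "$audit_group")
    [ -n "$bad_perm" ]  && printf 'world-accessible:\n%s\n' "$bad_perm"
    [ -n "$bad_group" ] && printf 'not in group %s:\n%s\n' "$audit_group" "$bad_group"
    [ -z "$bad_perm" ] && [ -z "$bad_group" ]
}
```

Run `audit` first and read the report before calling `tighten`, since web roots and similar trees may need world-read access on purpose.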