
AIX CHECKLIST
By: Frank W. Lyons, President of Entellus Technology Group, Inc.
407-774-8397  EntellusFL@aol.com

I. Preliminary Steps

A. Obtain an organizational chart of the group responsible for the operating environment.
B. Obtain any existing security and control procedures.
C. Obtain a description of the network configuration.
D. Obtain a listing of the various systems (applications) supported by the operating system.
E. Obtain a job description of the System Administrator.

II. Installation Audit Steps

A. Review any design criteria for system security.
B. Determine whether user access is controlled through the operating system, the database management system, or the application front-end menu system.
C. Determine what documentation standards exist and whether they are being followed.
D. Determine who acts as the Security Administrator for the operating environment.
E. Determine the standards for password management and construction.
F. Review any existing security guidelines for users, groups, and functions.

III. Physical Security

A. Review the network configuration to ensure that all network components are physically secured. These include File Servers, Bridges, Routers, Hubs/Concentrators, Gateways, Terminal Servers, and Modems.
B. Determine who is responsible and what documentation is required for configuration changes to the physical network.
   Are these procedures effective? Are the changes to the network documented? Are users and other impacted parties properly notified?
C. Ensure that only the System Administrator or other authorized personnel have physical access to the file server console, as the system can be rebooted from the 'A' drive and a new root password can be supplied.

IV. System Administration

A. Identify all the System Administrators.
   # grep :0: /etc/passwd
   (This pattern matches a 0 in any colon-delimited field, so confirm that each match is in the UID field.)
B. Determine that each administrator requires this level of authority.
C. Determine the change control procedures over changes to users, programs, menus, authorities, user scripts, hardware and system software.
D. Determine that the proper person or group is responsible for monitoring the network that supports the file server.
E. Determine that the proper person or group is responsible for system shutdown and backups.
F. Determine if the System Administrator is supported by a backup or, at a minimum, that their userid/password are kept in a secured location in case of an emergency.
G. Determine who is responsible for maintaining license agreements and if all agreements are being met.

V. System Security

The System Administrator's interface for the AIX system is the System Management Interface Tool (smit). You can invoke smit by keying smit at the operating system prompt.

A. During the initial installation, did the System Administrator create audit checksum files? These files allow the Security Administrator to verify that no changes have been made since the installation of the system. The audit checksum files should contain a single-line entry for each file with the following information (see /etc/security/sysck.cfg):

   field      comments
   acl        contains both base and extended access control list data for the file
   class      a logical group to which this file belongs
   pathname   absolute pathname
   owner      either symbolic or numeric ID
   group      either symbolic or numeric ID
   mode       symbolic representation as displayed by the ls -l command
   size       size of the file in bytes; major and minor numbers are listed for devices
   links      number of hard links to pathname
   version    numeric value, reported by what(1)
   checksum   file contents computed by a checksum algorithm; this field reflects the slightest change to a file, even a single character
   symlinks   indicates whether the file has symbolic or hard links
   program    the associated checking program
   source     the source file for this file
   type       the type of file

   Producing these files should be a simple task. The resulting files should reside in a secured directory. Dynamic security routines should be run on a periodic basis to ensure that these critical files have not been modified without proper approval.

B. Determine if the system is running in a secured (trusted) mode. The password file is /etc/security/passwd.
   A trusted environment moves the encrypted passwords out of the primary password file, /etc/passwd, into the /etc/security/passwd file and replaces the password field in /etc/passwd with an '!'. In addition, it forces all users to use passwords, creates an audit ID number for each user, sets the audit flag on for all existing users, and converts the at, batch, and crontab files to use the submitter's audit ID.
C. Determine if auditing has been enabled. Use the following file to look at the defined audit events: /etc/security/audit/events. Determine if a minimal set of auditable events is being recorded.
   Auditing is enabled by entering: /etc/audit start
   Files used by audit:
   /etc/security/audit/config      configuration information
   /etc/security/audit/events      audit events of the system
   /etc/security/audit/bincmds     backend commands
   /etc/security/audit/streamcmds  commands that process stream data
   /etc/security/audit/objects     information about audited objects
D. Review the audit logs to determine if any unauthorized event has occurred.
E. Review the inittab to ensure that only authorized entries are present and that access is properly restricted.
   # cat /etc/inittab
F. Review all the rc.* scripts to ensure that only valid programs are executed within these scripts.
G. Review the sulog to look for suspicious activity.
H. Ensure that the system backup is done on a regular basis and that the backup files are properly stored.

VI. Account Security

In traditional HP-UX systems you can use the ls -l command to list the permissions for a directory or a file. On a secure (trusted) system you can use the lsacl command to see what permissions are associated with a given file, and the chacl command to change the access control lists of the file. ACLs are attached to files or directories to allow the Security Administrator to assign discrete authority to individuals or groups.

A. Obtain a listing of all user accounts and verify that each user is still an active worker on the system.
   # cat /etc/passwd
   Files associated with the user accounts:
   /etc/security/ids          uid sequence number
   /etc/security/login.cfg    contains rules for password quality
   /etc/group                 group definitions
   /etc/security/group        additional group information and flags
   /etc/passwd                user account file
   /etc/security/passwd       encrypted passwords
   /etc/security/user         contains user extended attributes
   /etc/security/environ      contains environmental attributes for users
   /etc/security/limits       contains file limits
   /etc/security/failedlogin  contains an entry for every time a login fails

   The AIX system also has a file that contains a stanza for each user known to the system. It can be viewed with the following command:
   # cat /etc/security/user
   One other file that restricts the user is the /etc/security/limits file. It contains the following:
   fsize   the largest file a user can create
   core    the largest core file allowed, in units of 512 bytes
   cpu     the maximum number of CPU-seconds a process is allowed before being killed
   data    the largest data segment allowed, in units of 512 bytes
   stack   the maximum stack size a process is allowed
   rss     the maximum real memory size a process can acquire

B. Obtain a listing of all group accounts and verify that each user still needs to participate in the defined group.
   The group file contains some pre-defined groups such as the following: system, staff, bin, adm, uucp, mail, security, cron, printq, audit, ecs, nobody, usr.

A. Review the access control permissions on the critical system directories and files. In addition, review the access control permissions on the application's directories and files.
   Example:
   # ls -l memos
   -rwxrwxrwx 1 frank system 0635 01/12 memos
   The chmod command can still be used to change the permissions for a file and should only be used if the file has any ACLs. If you execute a command such as:
   # aclget    gets the ACL for a file
   # aclput    sets the ACL for a file
   # acledit   combines aclget and aclput
B. Review the users or groups who have write authority into a directory or file.
C. Review the umask value for a 027 setting. This is located in /etc/profile and the user's .profile. The /etc/profile file is executed each time a user logs into the system. The umask variable is only one entry in this file. The PATH variable may also be listed; it should also be reviewed to ensure that the path search order is proper. Another parameter for /etc/profile within AIX is TMOUT/TIMEOUT, which defines the time (in seconds) that a user can be idle before being automatically logged out of the system. TMOUT is used by ksh.
D. Review the system for setuid and setgid programs. Compare the list against a certification list of authorized programs. Use the find command to look for these types of programs, especially root-owned setuid or setgid programs.
   # find / -user root -perm -4000 -exec ls -l {} \;
   This find command will list root-owned setuid programs.
   # find / -user root -perm -2000 -exec ls -l {} \;
   This find command will list root-owned setgid programs.
E. Password Security
   Check to ensure that all users have a password.
   Check to ensure that all users are using the shadow password system.
   Check to ensure that no user IDs are duplicated.
   Review all accounts with a UID of '0'.
   Determine if all users listed in /etc/passwd are still valid.
   Determine if the password aging criteria are adequate. Password aging is enabled by placing the necessary information in the password field.
   Determine if all passwords are at least six characters long.
   Determine if all passwords are run against a 'hacker dictionary' before being accepted initially or when changed.
F. Pseudo-Accounts
   Most UNIX systems have pseudo accounts that are not associated with an individual user and do not need an interactive login shell. Be sure that the password field is properly protected so that nobody can sign on to these accounts. By placing an 'NP' for no password within the password field, these accounts cannot be signed onto. Determine if accounts such as the following have been removed from the /etc/passwd file: date, who, sync, tty. Other entries must remain as pseudo users, such as: bin, daemon, adm, uucp, lp, hpdb, guest, nobody, lpd.

G. Home Directories
   Ensure that the users' home directories and files are not writable by anyone except the owner or root.
   Ensure that the .profile, .cshrc, and .login files are not writable by anyone other than the owner.
   Investigate and, if possible, remove the use of any .rhosts files within the users' home directories.
   Ensure that the .netrc file is not used, as it allows the user to bypass the .login authentication for remote login and even contains the user's unencrypted password. If it is used and is required, it should not be readable or writable by anyone other than its owner.
   Ensure that root's .profile has a proper PATH variable with no 'dot' as the first entry.
   A good PATH:  PATH=/bin:/usr/bin:/etc
   A bad PATH:   PATH=.:/bin:/usr/bin:/etc
H. User Stanza
   The /etc/security/user file contains a stanza for each user known to the system plus a default stanza. The parameters controlled in this file are:
   admin     indicates whether the user is an administrator. If yes/true/always, then only root can change this user's attributes. The default is no.
   daemon    defines whether this user can use the cron and SRC daemons.
   expires   specifies an expiration date for the user. The format is MMDDhhmmYY. The default is 0, indicating that the account will never expire.
   login     controls login from a local terminal. If you specify false here, the userid is locked for all locally attached terminals but might not be locked for remote access.
   rlogin    controls login from a remote terminal or port. It controls whether or not this userid can be accessed remotely via the rlogin command. It does not prevent local logins.
   telnet    defines whether this userid can be remotely logged into with the telnet command. If used in conjunction with login and rlogin, a userid can be secured from anybody logging into it, but it is not secured against the use of the su command.
   su        controls whether other users can switch to this account by using su.
   sugroups  controls which groups can switch to this userid by using su. If an ! precedes the group name, access is denied for that group. The ALL keyword means that all groups have access (the default). A blank indicates the default, i.e. ALL.
   tpath     indicates trusted path characteristics. The trusted path is part of the trusted computing base, which ensures that the user only accesses directories and files that are considered safe.
   ttys      defines the terminals that can be used. The full path name of the terminal(s) must be given.
I. Security Stanza
   The following file contains security stanza parameters that apply to the whole system and provides some control over password quality: /etc/security/login.cfg
   Parameters for this file are as follows:
   maxage/minage  defines the maximum/minimum age (in weeks) of a password
   maxrepeat      defines the number of times one character can be repeated in the password
   mindiff        compares the new password with the old one; mindiff is the minimum number of characters that must be different
   minother       the number of non-alphabetic characters required in the password
   maxlogins      the maximum number of locally logged-in users at a given time. The only valid parameters are 2, 32, and 0. Zero means an unlimited number.
   minalpha       the number of alphabetic characters required in the password
   shells         defines the valid shells a user can access
   herald         parameters for the initial screen display

VII. Network Security

A. Review the /etc/exports file to see which file systems can be mounted by another machine. The /etc/exports file lists entries that consist of the path name of a file system followed by a series of names of computers and names of groups of computers. To identify the groups of computers, list the contents of the /etc/netgroup file. Each one-line entry should have at least two fields. The first is the name of the file system being exported. The second and subsequent fields name the systems to which the file system can be exported. If fewer than two fields are present, the file system can be shipped anywhere in the world.
B. List the /etc/hosts.equiv file to verify the names of other computers that can allow their users to sign on to this host without providing a password. Verify that each of these other hosts does not extend unauthorized privileges to another user or node. Another file associated with the trusted environment is the .rhosts file, which could allow someone to give any other user access to their authorities without a password.
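The VII.A review of /etc/exports, as an added example that is not part of the original checklist. It parses the layout described above (file system name followed by host names or netgroup names), expands netgroup names from /etc/netgroup-style text, and flags any entry with no host list as exported to the world; the host and group names in the sample are constructed.

```sh
#!/bin/sh
# Added example, not part of the original checklist: the VII.A review of
# /etc/exports in the layout the checklist describes (file system name
# followed by host names and netgroup names). Netgroup names are expanded
# from /etc/netgroup-style text; an entry with no host list is flagged WORLD.

exports_review() {
    # $1: contents of the netgroup file; exports lines are read on stdin.
    # Prints "OK path -> host ..." or "WORLD path" for each export entry.
    awk -v ngtext="$1" '
        # Recursively expand netgroup g, appending its host names to out.
        function expand(g, out, depth,   i, n, m, tok, h) {
            if (depth > 8 || !(g in ng)) return out      # unknown name or loop
            n = split(ng[g], m, " ")
            for (i = 1; i <= n; i++) {
                tok = m[i]
                if (tok ~ /^\(/) {                       # (host,user,domain) triple
                    h = tok; sub(/^\(/, "", h); sub(/,.*$/, "", h)
                    if (h != "") out = out " " h
                } else {
                    out = expand(tok, out, depth + 1)    # nested netgroup
                }
            }
            return out
        }
        BEGIN {
            n = split(ngtext, lines, "\n")
            for (j = 1; j <= n; j++) {
                line = lines[j]
                if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
                name = line; sub(/[ \t].*$/, "", name)
                rest = line; sub(/^[^ \t]+[ \t]*/, "", rest)
                ng[name] = rest
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            hosts = ""
            for (i = 2; i <= NF; i++)
                hosts = ($i in ng) ? expand($i, hosts, 0) : hosts " " $i
            if (NF < 2) print "WORLD " $1              # mountable by any machine
            else        print "OK " $1 " ->" hosts
        }'
}

# Constructed sample files; host and group names are made up.
SAMPLE_NETGROUP='audit (host1,,) (host2,,)
finance (fin01,,) audit'
SAMPLE_EXPORTS='/usr/share  host1 host2
/home       finance
/tmp
/export/pub'

exports_review_sample() {
    printf '%s\n' "$SAMPLE_EXPORTS" | exports_review "$SAMPLE_NETGROUP"
}

# On a live system: exports_review "$(cat /etc/netgroup)" < /etc/exports
exports_review_sample
```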

C. Determine if an administrative domain has been set up.
   If so, verify that root is controlled on each local host; otherwise someone can obtain root authorities on any machine within the domain. Verify that consistency is maintained for user name, uid, and gid among the password files in the domain. Verify that consistency is maintained for the group files on all machines within the domain.
D. Verify the permission settings on network control files. The following files should never be writable by the public:
   networks     network names and their addresses
   hosts        network hosts and their addresses
   hosts.equiv  remote hosts allowed access equivalent to the local host
   services     services name database
   exports      list of file systems being exported to NFS clients
   protocols    protocol name database
   inetd.conf   Internet configuration file (TCP/IP services)
   netgroup     list of network-wide groups
   .netrc       allows the processing of rexec and ftp commands without manual password verification (the .netrc file contains unencrypted password information)
E. Review the use of UUCP.
F. Review the use of anonymous ftp.
G. Review the use of tftp.
H. Modem security:
   Use of a smart card or some type of secured dial-back.
   Use of an additional password.
   Keep the access list current.

VIII. Device File Security

A. Check the /dev directory for special devices that do not have the proper permission settings.
B. Ensure that all devices reside only within the /dev directory.
C. Ensure that access to devices such as mem, kmem, and swap is properly protected.
D. Terminal ports on UNIX systems may be writable by anyone, so that users can communicate by using the write or talk programs. Only the owner should have read permission.
E. Ensure that an individual user does not own any device except for their terminal device or local printer.

IX. Batch Jobs Security

A. Scheduled jobs within the UNIX environment are set up in a file called the crontab. This file has a one-line entry for each job to be executed at a given time. This file, especially the one owned by root, should be reviewed to ensure that only valid entries and jobs are run.
B. Other jobs can be run with the at command. Determine if the at command is restricted by reviewing the files called at.allow and at.deny.

X. Log Files

A. Using the last command you can review the last login attempts on the system.
B. Use /etc/wtmp to review connection sessions:
   # fwtmp < /etc/wtmp
C. Review /usr/adm/messages for "BAD" login attempts.
D. Check to see if accounting is turned on. The accton command turns on accounting.
E. Displaying process accounting records: the acctcom command will display records from any file containing process accounting records.

XI. Special Commands or Routines

A. sysck   runs the grpck, usrck, and pwdck commands.
B. grpck   verifies that all users listed as group members are defined as users, that the gid is unique, and that the group name is correctly formed.
C. usrck   verifies many parameters of the userid definition.
D. pwdck   checks the authentication stanzas in /etc/passwd and /etc/security/passwd.

DEFINITIONS:

kernel        the piece of software that controls the computer; often called the operating system.
shell         a command interpreter and a program such as sh, csh, ksh, rsh, and tsh. AIX uses the ksh.
driver        a program that enables the kernel to communicate with a given type of peripheral.
/dev/kmem     a special device file that allows access to the RAM locations occupied by the kernel.
/             the root directory.
/dev          the /dev directory contains the devices attached to UNIX.
/bin          the /bin directory contains a small subset of HP-UX commands.
/etc          the /etc directory contains many files, including the passwd file.
/tmp          the /tmp directory is used for temporary file storage.
/etc/inittab  contains information about system run levels and also has an entry for each terminal.
              Example: 04:2:respawn:/etc/getty tty10
                04 = id, 2 = operating system level, respawn = action, /etc/getty = program to execute

/etc/rc       defines actions taken during startup.
/etc/passwd   determines who can log into your system.
              root:r832uq8io3rt6:0:1:Root System Owner:/:/bin/sh
              AIX uses a shadow passwd file in the /etc/security directory. With this file the primary passwd file would look like the following:
              root:!:0:1:Root System Owner:/:/bin/ksh
/etc/group    identifies the users that form a group.
              audit:*:25:frank,anne,katie,michaella
/etc/ttytype  a database of terminal types.
.exrc         maps terminal characteristics and sets up key definitions.
/etc/motd     contains the message of the day.
/etc/profile  executes automatically during the login process.
.profile      executes each time the user successfully logs in using the Bourne (sh), Korn (ksh), or rsh shell.
.kshrc        Korn shell script that supplements the actions taken by the .profile file.
permissions   Everything in UNIX is treated like a file: a data file is a file, so is a directory, so is a terminal, so is a modem, etc. Each of these is identified by the file type. The file types are:
                d = directory
                - = a data or program file
                c = a character file
                b = a block file
                l = a symbolic link
                p = a pipe or FIFO
              You can obtain this information by running the ls -l command:
              # ls -l memos
              -rwxrwxrwx 1 frank audit 56 Jan 7 12:45 memos
              The first character is the file type. The second through the tenth characters are the permissions:
                rwx  for the owner, which is frank
                rwx  for the group, which is audit
                rwx  for other, which is not shown but represents the authorities of all other users
chmod         command to change the permissions on a file.
chown         command to change the ownership of a file.
umask         default permission levels for all new files created.
crontab       automates job processing. Each entry contains the following information:
                minute  hour  dates  months  days            runstring
                0-59    0-23  1-31   1-12    0-6 (0=Sunday)  specifies the command line or script file to execute
              An entry of '*' means all values for that entry.
smit          System Management Interface Tool.
defaults      default values for the mkuser command and smit: /etc/security/mkuser.default. The default group in AIX is staff.
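The permission string explained under "permissions" above, turned into the checks of VI.A, VI.B and VI.D, as an added example that is not part of the original checklist. It reads ls -l lines, converts the ten-character mode into an octal mode (setuid 4, setgid 2, sticky 1 in the leading digit) and flags world-writable objects and root-owned setuid/setgid programs; the listing it runs on is constructed, except for the memos line from the text.

```sh
#!/bin/sh
# Added example, not part of the original checklist: reads "ls -l" lines,
# converts the ten-character mode string into an octal mode (setuid 4,
# setgid 2, sticky 1 in the leading digit) and flags world-writable
# objects and root-owned setuid/setgid programs. A sticky-bit directory
# such as /tmp is world-writable by design and is not flagged.

ls_review() {
    # Reads ls -l output on stdin; prints "octal owner name [FLAGS]" per entry.
    awk '
        function mode_to_octal(m,   i, c, perm, special) {
            perm = 0; special = 0
            for (i = 2; i <= 10; i++) {                  # nine permission characters
                c = substr(m, i, 1)
                perm = perm * 2 + (c ~ /[rwxst]/ ? 1 : 0)  # s/t imply x; S/T do not
            }
            if (substr(m, 4, 1) ~ /[sS]/) special += 4    # setuid
            if (substr(m, 7, 1) ~ /[sS]/) special += 2    # setgid
            if (substr(m, 10, 1) ~ /[tT]/) special += 1   # sticky
            return sprintf("%d%03o", special, perm)
        }
        $1 !~ /^[-dclbps]/ || NF < 9 { next }            # skip "total" and odd lines
        {
            mode = $1; owner = $3
            name = (mode ~ /^l/) ? $(NF - 2) : $NF       # symlink lines end "name -> target"
            oct = mode_to_octal(mode)
            flags = ""
            if (substr(mode, 9, 1) == "w" && !(mode ~ /^d/ && substr(mode, 10, 1) ~ /[tT]/))
                flags = flags " WORLD_WRITABLE"
            if (owner == "root" && substr(mode, 4, 1) ~ /[sS]/) flags = flags " ROOT_SETUID"
            if (owner == "root" && substr(mode, 7, 1) ~ /[sS]/) flags = flags " ROOT_SETGID"
            print oct " " owner " " name flags
        }'
}

# Constructed sample listing; only the first line comes from the checklist.
SAMPLE_LS='-rwxrwxrwx 1 frank audit 56 Jan 7 12:45 memos
-rwsr-xr-x 1 root system 21568 Mar 3 1996 /usr/bin/passwd
-rwxr-sr-x 1 root printq 1024 Mar 3 1996 /usr/bin/enq
drwxrwxrwt 2 root system 512 Jan 1 10:00 /tmp
crw-rw-rw- 1 root system 2, 1 Jan 1 10:00 /dev/null
-rw-r--r-- 1 root system 100 Jan 1 10:00 /etc/hosts'

ls_review_sample() {
    printf '%s\n' "$SAMPLE_LS" | ls_review
}

# On a live system: ls -l /etc /dev | ls_review
ls_review_sample
```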
