26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

xmlgraphic
Search
apllogo

A.P.Lawrence
InformationandResourcesforUnixandLinuxSystems
Home
Articles
MostPopular
NewestArticles
Linux
Mac
Books
Humor
BrowseallTopics...
Tests
Linux
MacOSX
SCOUnix
Perl
Resources
SiteForum
Writeforthissite
Moreaboutthissite
FindaConsultant
ContactInfo
RSSFeeds
OlderSurveyComments
Disclaimer
Rates

Originallyfrom:http://aplawrence.com/MDesrosiers/aixhardening.html
PrinterFriendlyVersion

AIXOperatingSystemHardeningProcedures&SecurityGuide
ByMichaelDesrosiers
ITSecureInc.
Email:mdesrosiers@itsecureinc.com
WebSite:http://secureitconsulting.com

1.TheAIX5Lserversecurityprocess
1.1Preamble
IBMhaspositionedAIX5Lversion5.1,asthenewstandardinUnixoperatingsystems.ItisbuiltuponAIX
4.3.3andprovidesimprovementsincriticalareassuchasreliability,availability,performanceandsecurity.The
recommendedwaytohardentheAIXOperatingSystemistousetheprincipleofleastprivilege.Iftheuser
doesnotneedtheservice,theyarenotallowedtoaccessthatservice.Alsoiftheserveristobeanapplication
server,onlyallowthosespecificserviceslikeports80443and8080totheserver.Thereisasecurityprinciple
thatsaysyoushouldconfigurecomputerstoprovideonlyselectednetworkservices.Thebasicideaisthis,
everynetworkserviceyouofferisanopportunityforthebadguys(alternativelyarisktoyoursystem).That's
nottosaythatyoushouldn'tofferanyservicesawebapplicationserverthatdoesn'tofferwebservicesisn't
veryuseful.Instead,theprinciplesaysyoushouldhaveagoodunderstandingofnetworkservicesandyou
shouldnotofferanyserviceunlessthereareverygoodreasonsfordoingso.Thispaperoffersreasonstoharden
bothserverandnetworkservicesforAIX5.1anapplicationofthesecurityprinciple.
http://www.owlriver.com/issa/aixhardening.html

1/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

Somesecuritypackagesaddresstheproblembystrippingall(ornearlyall)networkservicesandtheninstruct
youtobecarefulaboutwhatyouaddtothesystem.That'sagreatapproachbutrequiresthatyou"getyour
handson"thesystembeforeanyonelayersanythingontoitandyouunderstandwhatyou'readdingtothe
systemwhenyouadditbackin.Thesearetwoconditionsthatdonotapplyatmanysites.Theapproachhereis
different.WewillconsiderservicesofferedbytheAIX5.1operatingsystem,trytoexplainwhateachdoes,
notetherisksinvolvedwitheachandmakerecommendationsaboutwhatoneoughttodotomitigatetherisk.

1.1.1SecurityPlanningandFramework
PlanningThisisthepartoftheplanwhereyoumustdefinetheoverallsecuritypoliciesandgoals.InmanyOrganizations,thisinitial
stepisperformedatthecorporatelevel,andislikelytohavealreadybeencompleted.
Howmuchsecurityisneeded?
Howmuchsecuritycanyourbusinessafford?
Whatisthe"crownjewel"thatyouareprotecting?
ArchitectureThisiswherethedesignofyourenvironmentisdefinedtomeettherequirementsoftheplanningphase.
Whataretheweakestpointsinyourenvironment?
Whatwouldbethenatureoftheattemptedattacks?
Wherewouldtheexploitscomefrom?Internal?External?
Whereisyourcompanyfocused?Border?Perimeter?
ImplementationThisiswheretheinfrastructureisbuiltfromthearchitecturaldesign.
Startwithsecuringtheserversandworkingouttowardstheperimeter.
Startwithonesecuritypackageandrollouttotheotherservers.
Startfromthetopdown,inotherwords,physicallayer,networklayer,etc.
MonitoringOncetheinfrastructureisbuilt,youwillneedtocontinuouslymonitoritforvulnerabilitiesandsuspectedattacks.Abetter
approachmightbetoscheduleweeklyaudits,soasnottochokethenetworkwithuselesssnmptraffic.Problemsthatarefoundhere
shouldthenbeaddressedthroughthepreviousphasesinordertofindthebestresolutionpossible.
Applicationlogs
Systemlogs(syslog,sulog,wtmp,lastlogin,failedlogin,etc.)
Auditlogs
Systemerrors(errlog)
Systemperformance(vmstat,iostat,ptx,sar,wlmstat,etc.)
Networkperformance(no,netstat,netpmon,etc.)
Filesystemsandpermissionstructures
FileIntegrity(tripwire,AIDE,md5,etc.)
IncidentResponseThisisthephasethatyoumustaddressyourworsefears.Theworsttimetobeginworkingonthisphaseisafteran
attackorbreachthathasalreadyoccurred.Thetimespentinthebeginningconsideringhowyoushouldrespondtoarealattackwillpay
foritselfmanytimesoverifyouareeverinthissituation.Youmustthinkofthis"Preemptive"thinking.
Identifytheseverityofthebreach.
Startanoutlineorworkingdocumentforevidencegathering.
Workmethodicallyfromtheinsidetotheoutsideofyourenvironment.
Startatphysicallayerandworkyourwhythrough.
Haveachecklisttoworkoffofbeforetheeventtakesplace.
Documenteverythingyoudoandvalidateit.
Ifadditionalhelpisneededhaveavendorcontractinplace.

1.1.2PolicyConsiderations
Yourorganization'ssecuritypolicyfornetworkedsystemsshouldrequirethatadetailedcomputerdeploymentplanbedeveloped,
implemented,andmaintainedwhenevercomputersarebeingdeployed.Accesstoyourdeploymentplanshouldonlybegiventothose
whorequiretheinformationtoperformtheirjobs.Allnewandupdatedserversbeinstalled,configured,andtestedinastandalonemode
orwithintestnetworks(i.e.,notconnectedtooperationalnetworks).Youmustpresentapolicythatdefinesindetailappropriate
behaviorwithinit'sI/Tinfrastructure.Allserverspresentawarningbannertoallusersindicatingthattheyarelegallyaccountablefor
theiractionsand,byusingtheservers,theyareconsentingtohavingtheiractionslogged.

2.Requirements
2.1PoliciesandProcedures
http://www.owlriver.com/issa/aixhardening.html

2/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

Youmustdevelopaserverdeploymentplanthatincludessecurityissues.Mostdeploymentplansaddressthecostofthecomputers,schedules
tominimizeworkdisruption,installationofapplicationssoftware,andusertraining.Inaddition,youneedtoincludeadiscussionofsecurity
issues.Youcaneliminatemanynetworkedsystemsvulnerabilitiesandpreventmanysecurityproblemsifyousecurelyconfigurecomputers
andnetworksbeforeyoudeploythem.Vendorstypicallysetcomputerdefaultstomaximizeavailablefunctions,soyouusuallyneedto
changedefaultstomeetyourorganization'ssecurityrequirements.Youaremorelikelytomakedecisionsaboutconfiguringcomputers
appropriatelyandconsistentlywhenyouuseadetailed,welldesigneddeploymentplan.Developingsuchaplanwillsupportyouinmaking
someofthehardtradeoffdecisionsbetweenfunctionalityandsecurity.Consistencyisakeyfactorinsecurity,becauseitfosterspredictable
behavior.Thiswillmakeiteasierforyoutomaintainsecureconfigurationsandhelpyoutoidentifysecurityproblems(whichoftenmanifest
themselvesasdeviationsfromcommon,expectedbehavior).RefertothebetterpracticethatkeepingtheAIXoperatingsystemand
applicationssoftwareuptodate,isanessentialpartofthisstrategy.

2.1.1ServicesIdentification
Identifythepurposeofeachcomputer.Documenthowthecomputerwillbeused.Considerthefollowing:
Whatcategoriesofinformationwillbestoredonthecomputer?
Whatkindofinformationwillbeprocessedonthecomputer?
Whatarethesecurityrequirementsforthatinformation?
Whatnetworkservice(s)willbeprovidedbythecomputer?
Whatarethesecurityrequirementsforthoseservices?
Identifythenetworkservicesthatwillbeprovidedontheserver.Serversasageneralruleshouldbededicatedtoasingleservice.This
usuallysimplifiestheconfiguration,whichreducesthelikelihoodofconfigurationerrors.Inthecaseoftheservers,theapplication
servershouldbelimitedtowwworhttpsservices.Thedb2servershouldbeports50000(db2idb2inst1)and50001(db2idb2inst1).It
alsocaneliminateunexpectedandunsafeinteractionsamongtheservicesthatpresentopportunitiesforintruders.Insomecases,itmay
beappropriatetooffermorethanoneserviceonasinglehostcomputer.Forexample,theserversoftwarefrommanyvendorscombines
thefiletransferprotocol(FTP)andthehypertexttransferprotocol(HTTP)servicesinasinglepackage.Itmaybeappropriatetoprovide
accesstopublicinformationviabothprotocolsfromthesameserverhostbutwedonotrecommendthisasitisalesssecure
configuration.
Determinehowtheserverswillbeconnectedtoyournetwork.Thereareconcernsrelatingtonetworkconnectionsthatcanaffectthe
configurationanduseofanyonecomputer.ManyorganizationsuseabroadcasttechnologysuchasEthernetfortheirlocalarea
networks.Inthesecases,informationtraversinganetworksegmentcanbeseenbyanycomputeronthatsegment.Thissuggeststhatyou
shouldonlyplace"trusted"computersonthesamenetworksegment,orelseencryptsinformationbeforetransmittingit.Theseservers
shouldbeinthereownprivatesubnet.

2.1.2AIXInstallationProcedures
Developandfollowadocumentedprocedureforinstallinganoperatingsystem.Ihavecompiledaseparatedocumentthatpertainsto
thisbullet.Inthisdocument,thestepstoimplementandinstallabaseAIX5.1imagearedetailedanddescribedwithalltheparameters
thataresetduringinstallation.Makeallyourparameterchoicesexplicit,eveniftheymatchthedefaultsettings.(Thismayseemtobe
unnecessary,butitcanpreventsecurityproblemsifyousubsequentlyreuseyourscriptsorconfigurationfilestoconfigureservers).Your
explicitchoiceswillstillbeusedevenifthedefaultshavechangedwithnewAIXreleases.Yourinstallationprocedureshouldalso
specifythesecurityrelatedupdatesorpatchesthataretobeappliedtotheoperatingsystem.Ifpossible,haveasinglepersonperform
theinstallationprocedureforeachcomputerandcaptureeachinstallationstepinadocumentedmanner(suchasthroughusinga
checklist).

2.1.3AuthenticationandAuthorization
Themostcommonapproachistheuseofpasswordsbutothermechanismscanbeused,suchaskeys,tokens,andbiometricdevices
(devicesthatrecognizeapersonbasedonbiologicalcharacteristicssuchasfingerprintsorpatternsoftheretinalbloodvessels).Because
authenticationmechanismslikepasswordsrequireinformationtobeaccessibletotheauthenticationsoftware,carefullydocumenthow
thatinformationwillbeprotected.Authenticationdataiscriticalsecurityinformationthatrequiresahighlevelofprotection.Youshould
followthesecuritygroup'sguidelinesforadministrativeaccessintoyoursensitivedataenvironment.Inotherwords,passwordlengthof
8characterswithatleast2alphacharacters,etc.Wewillbediscussingthisinmoredetailintherecommendationssectionofthis
document.
Determinehowappropriateaccesstoinformationresourceswillbeenforced.Formanyresources,suchasprogramanddatafiles,the
accesscontrolsprovidedbyAIXarethemostobviousmeanstoenforceaccessprivileges.Also,considerusingencryptiontechnologies
toprotecttheconfidentialityofsensitiveinformation.Insomecases,protectionmechanismswillneedtobeaugmentedbypoliciesthat
guideuser'sbehaviorrelatedtotheirworkstations.Identifytheusersorcategoriesofusersofthecomputer.Thecategoriesarebasedon
userrolesthatreflecttheirauthorizedactivity.Therolesareoftenbasedonsimilarworkassignmentsandsimilarneedsforaccessto
particularinformationresourcessystemadministrators,softwaredevelopers,dataentrypersonnel,etc.Ifappropriate,includegroupsof
remoteusersandtemporaryorguestusers.Documentthecategoriesofusersthatwillbeallowedaccesstotheprovidedservices.You
mayneedtocategorizeusersbytheirorganizationaldepartment,physicallocation,orjobresponsibilities.Youalsoneedacategoryof
administrativeuserswhowillneedaccesstoadministertheserversandpossiblyanothercategoryforbackupoperators.
http://www.owlriver.com/issa/aixhardening.html

3/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

AccesstoAIXserversshouldberestrictedtoonlythoseadministratorsresponsibleforoperatingandmaintainingtheserver.Thiswill
ensurethattheserver'susersarerestrictedtothosewhoareauthorizedtoaccesstheprovidedserviceandresponsibleforserver
administration.Determinetheprivilegesthateachcategoryofuserwillhaveontheservers.Todocumentprivileges,createamatrixthat
showstheusersorusercategories(definedinthepreviousstep)crosslistedwiththeprivilegestheywillpossess.Theprivilegesare
customarilyplacedingroupsthatdefinewhatsystemresourcesorservicesausercanread,write,change,execute,create,delete,install,
remove,turnon,orturnoff.Decidehowuserswillbeauthenticatedandhowauthenticationdatawillbeprotected.Thereareusuallytwo
kindsofauthentication:(1)thekindprovidedwiththeoperatingsystem,commonlyusedforauthenticatingadministrativeusersand(2)
thekindprovidedbythenetworkservicesoftware,commonlyusedforauthenticatingusersoftheservice.Aparticularsoftware
implementationofanetworkservicemayusetheprovidedauthenticationcapability,andthusitmaybenecessaryforusersofthat
servicetohavealocalidentity(usuallyalocalaccount)ontheserver.

2.1.4BackupandRecovery
Documentproceduresforbackupandrecoveryofinformationresourcesstoredonthecomputer.Possessingrecent,securebackupcopies
ofinformationresourcesmakesitpossibleforyoutoquicklyrestoretheintegrityandavailabilityofinformationresources.Successful
restorationdependsonconfiguringtheoperatingsystem,installingappropriatetools,andfollowingdefinedoperatingprocedures.You
needtodocumentbackupproceduresincludingroles,responsibilities,andhowthephysicalmediathatstorethebackupdataare
handled,stored,andmanaged.Considerusingencryptiontechnologieslikesshtoprotectbackups.Yourbackupproceduresneedto
accountforthepossibilitythatbackupfilesmayhavebeencompromisedbyanundetectedintrusion.Verifytheintegrityofallbackup
filespriortousingthemtorecoversystems.

3.ToolsandChecklists
3.1Tools
3.1.1AIX5.1servertools
HerearethetoolsthatareusedinI/Tenvironmentstoday.Thesetoolsarefreeware,buthavebeenvalidatedbytherereliabilityoverthe
last510years.
Tool

Purpose

Extentofusage

Comments

md5

Validateintegrityoffilecontents

Daily(automated)

freeware

tripwireorAIDE

Verifyintegrityofdirectoriesandfilesontheserver

Daily(automated)

freeware

tcp_wrapper

Logunauthorizedconnectionstoservers

Daily(Viewingoflogs)

freeware

syslog

Collectloginformationforunauthorizedentryontheserver

Daily(Automated)

PartofOperatingSystem

swatch

Logparsingtool,thatmakeslogreadermorebearable

Daily(Automated)

freeware

lsof

Monitorsservice/portconnectionstoserver

Daily(Automated)

freeware

ssh

Toencryptconnectionstoservers

Daily(Automated)

freeware

tcpdump

Analyzepacketsontheserversinterface

Daily(Automated)

freeware

ethereal

Packetcapturingtool

Daily(Automated)

freeware

openssl

Encapsulation/tunnelingof

Communicationpaths

freeware

nmap

Networkexplorationtoolandsecurityscanner

Weekly(Automated)

freeware

nessus

Networkscannerandvulnerabilityassessmenttool

Weekly(Automated)

freeware

3.2Checklist
3.2.1AIXSecurityChecklist
3.2.1.1AIXEnvironmentProcedures
Thebestwaytoapproachthisportionofthechecklististodoacomprehensivephysicalinventoryoftheservers.Serialnumbersand
http://www.owlriver.com/issa/aixhardening.html

4/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

physicallocationwouldbesufficient.
____Recordserverserialnumbers
____Physicallocationoftheservers
NextwewanttogatherarathercomprehensivelistofboththeAIXandpseriesinventories.Byrunningthesenext4scriptswecan
gathertheinformationforanalyze.
Runthese4scripts:sysinfo,tcpchk,nfsckandnethwchk.(SeeAppendixAforscripts)
____sysinfo:
____Determineactivelogicalvolumegroupsontheservers:lsvgo
____Listphysicalvolumesineachvolumegroup:lsvgp"vgname"
____Listlogicalvolumesforeachvolumegroup:lsvgl"vgname"
____Listphysicalvolumesinformationforeachharddisk
____lspvhdiskx
____lspvphdiskx
____lspvlhdiskx
____Listserversoftwareinventory:lslppL
____Listserversoftwarehistory:lslpph
____Listallhardwareattachedtotheserver:lsdevC|sortd
____Listsystemname,nodename,LANnetworknumber,AIXrelease,AIXversionandmachineID:unamex
____Listallsystemresourcesontheserver:lssrca
____Listinetdservices:lssrct'servicename'p'processid'
____Listallhostentriesontheservers:hostentS
____Nameallnameserverstheservershaveaccessto:namerslvIs
____Showstatusofallconfiguredinterfacesontheserver:netstati
____Shownetworkaddressesandroutingtables:netstatnr
____Showinterfacesettings:ifconfig
____Checkuserandgroupsystemvariables
____Checkusers:usrcktALL
____Checkgroups:grpcktALL
____Runtcbcktoverifyifitisenabled:tcbck
____ExaminetheAIXfailedlogins:whos/etc/security/failedlogin
____ExaminetheAIXuserlog:who/var/adm/wtmp
____Examinetheprocessesfromusersloggedintotheservers:whop/var/adm/wtmp
____Listalluserattributes:lsuserALL|sortd
____Listallgroupattributes:lsgroupALL
http://www.owlriver.com/issa/aixhardening.html

5/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

____tcpchk:
____Confirmthetcpsubsysteminstalled:lslppl|grepbos.net
____Determineifitisrunning:lssrcgtcpip
____Searchfor.rhostsand.netrcfiles:find/name.rhostsprintfind/name.netrcprint
____Checksforrshfunctionalityonhost:cat/etc/hosts.equiv
____Checksforremoteprintingcapability:cat/etc/hosts.lpd|grepv#
____nfschk:
____VerifyNFSisinstalled:lslppL|bin/grepnfs
____CheckNFS/NISstatus:lssrcgnfs|bin/grepactive
____CheckstoseeifitisanNFSserverandwhatdirectoriesareexported:cat/etc/xtab
____ShowhoststhatexportNFSdirectories:showmount
____Showwhatdirectoriesareexported:showmounte
____nethwchk
____Shownetworkinterfacesthatareconnected:lsdevCcif
____Displayactiveconnectiononboot:odmgetqvalue=upCuAt|grepname|cutc1012
____Showallinterfacestatus:ifconfigALL

3.2.1.2Rootlevelaccess
____LimituserswhocansutoanotherUID:lsuserfALL
____Auditthesulog:cat/var/adm/sulog
____Verify/etc/profiledoesnotincludecurrentdirectory
____Lockdowncronaccess
____Toallowrootonly:rmi/var/adm/cron/cron.denyandrmI/var/adm/cron/cron.allow
____Toallowallusers:touchcron.allow(iffiledoesnotalreadyexist)
____Toallowauseraccess:touch/var/adm/cron/cron.allowthenecho"UID">/var/adm/cron/cron.allow
____Todenyauseraccess:touch/var/adm/cron/cron.denythenecho"UID">/var/adm/cron/cron.deny
____Disabledirectheraldrootaccess:addrlogin=falsetorootin/etc/security/userfileorthroughsmit
____Limitthe$PATHvariablein/etc/environment.Usetheusers.profileinstead.3.2.1.3Authorization/authentication
administration
____Reportallpasswordinconsistenciesandnotfixthem:pwdcknALL
____Reportallpasswordinconsistenciesandfixthem:pwdckyALL
____Reportallgroupinconsistenciesandnotfixthem:grpcknALL
____Reportallgroupinconsistenciesandfixthem:grpckyALL
http://www.owlriver.com/issa/aixhardening.html

6/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

____Browsethe/etc/shadow,etc/passwordand/etc/groupfileweekly3.2.1.4SUID/SGID
____ReviewallSUID/SGIDprogramsownedbyroot,daemon,andbin.
____ReviewallSETUIDprograms:find/perm1000print
____ReviewallSETGIDprograms:find/perm2000print
____Reviewallstickybitprograms:find/perm3000print
____Setuser.profilein/etc/security/.profile3.2.1.5Permissionsstructures
____Systemdirectoriesshouldhave755permissionsataminimum
____Rootsystemdirectoriesshouldbeownedbyroot
____Usethestickybitonthe/tmpand/usr/tmpdirectories.
____Runchecksum(md5)againstall/bin,/usr/bin,/devand/usr/sbinfiles.
____Checkdevicefilepermissions:
____disk,storage,tape,network(shouldbe600)ownedbyroot.
____ttydevices(shouldbe622)ownedbyroot.
____/dev/nullshouldbe777.
____Listallhiddenfilesintheredirectories(the.files).
____Listallwritabledirectories(usethefindcommand).
____$HOMEdirectoriesshouldbe710
____$HOME.profileor.loginfilesshouldbe600or640.
____Lookforunownedfilesontheserver:find/nouserprint.Note:Donotremoveany/devfiles.
____Donotusertypecommands:rsh,rlogin,rcpandtftpor.netrcor.rhostsfiles.
____Change/etc/hostfilepermissionsto660andreviewitscontentsweekly.
____Checkforbothtcp/udpfailedconnectionstotheservers:netstatptcpnetstatpudp.
____Verifycontentsof/etc/exports(NFSexportfile).
____Ifusingftp,makethischangetothe/etc/inetd.conffiletoenablelogging.ftpstreamtcp6nowaitroot/usr/sbin/ftpdftpdl
____SetNFSmountstoro(readonly)andonlytothehoststhattheyareneeded.
____ConsiderusingextendedACL's(pleasereviewthetcbmanpage).
____Beforemakingnetworkconnectioncollectafullsystemfilelistingandstoreitoffline:lsRala>/tmp/allfiles.system
____Makeuseofthestringscommandtocheckonfiles:strings/etc/hosts|grepKashmir

4.Recommendations
4.1Removeunnecessaryservices
BydefaulttheUnixoperatingsystemgivesus1024servicestoconnectto,wewanttoparsethisdowntoamoremanageablevalue.
Thereare2filesinparticularthatwewanttoparse.Thefirst,isthe/etc/servicesfileitself.Agoodstartingpointistoeliminateall
unneededservicesandaddservicesasyouneedthem.Belowisascreenshotofanexistingntpserveretc/servicesfileononeofmylab
http://www.owlriver.com/issa/aixhardening.html

7/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

servers.
#
#Networkservices,Internetstyle
#
ssh22/udp
ssh22/tcpmail
auth113/tcpauthentication
sftp115/tcp
ntp123/tcp#NetworkTimeProtocol
ntp123/udp#NetworkTimeProtocol
#
#UNIXspecificservices
#
login513/tcp
shell514/tcpcmd#nopasswordsused

4.2Parse/etc/rc.tcpipfile
Thisfilestartsthedaemonsthatwewillbeusingforthetcp/ipstackonAIXservers.Bydefaultthefilewillstartthesendmail,snmp
andotherdaemons.Wewanttoparsethistoreflectwhatfunctionalityweneedthisserverfor.Hereistheexampleformyntpserver.
#Startupthedaemons
#
echo"Startingtcpipdaemons:"
trap'echo"Finishedstartingtcpipdaemons."'0
#Startupsyslogdaemon(forerrorandeventlogging)
start/usr/sbin/syslogd"$src_running"
#StartupPortmapper
start/usr/sbin/portmap"$src_running"
#Startupsocketbaseddaemons
start/usr/sbin/inetd"$src_running"
#StartupNetworkTimeProtocol(NTP)daemon
start/usr/sbin/xntpd"$src_running"

Thishelpsalsotobetterunderstandwhatprocessesarerunningontheserver.

4.3Removeunauthorized/etc/inittabentries
Beawareofwhatisinthe/etc/inittabfileontheAIXservers.ThisfileworksliketheregistryinaMicrosoftenvironment.Ifanintruder
wantstohideaautomatedscript,hewouldwantitlaunchedhereorinthecronfile.Monitorthisfileclosely.

4.4Parse/etc/inetd.conffile
ThisistheAIXsystemfilethatstartssystemservices,liketelnet,ftp,etc.Wealsowanttocloselywatchthisfiletoseeifthereareany
servicesthathavebeenenabledwithoutauthorization.Ifyouareusingsshforexamplethisiswhattheinetd.conffileshouldlooklike.
Becauseweareusingotherinternetconnections,thisfileisnotusedinmyenvironmentandshouldnotbeofusetoyou.Thisiswhyssh
shouldbeusedforalladministrativeconnectionsintotheenvironment.Itprovidesanencryptedtunnelsoconnectiontrafficissecure.In
thecaseoftelnet,itisverytrivialtosnifftheUIDandpassword.
##protocol."tcp"and"udp"areinterpretedasIPv4.
##
##servicesocketprotocolwait/userserverserverprogram
##nametypenowaitprogramarguments
##

4.5Edit/etc/rc.net
ThisisnetworkconfigurationfileusedbyAIX.Thisisthefileyouusetosetyourdefaultnetworkroutealongyourno(fornetwork
options)attributes.Becausetheserverswillnotbeusedasrouterstoforwardtrafficandwedonotwanttouseloosesourceroutingat
You,wewillbemakingafewchangesinthisfile.AlotofthemaretoprotectfromDOSandDDOSattacksfromtheinternet.Also
protectsfromACKandSYNattacksontheinternalnetwork.
##################################################################
##################################################################

http://www.owlriver.com/issa/aixhardening.html

8/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

#Changesmadeon06/07/02totightenupsocketstatesonthis
#server.
##################################################################
if[f/usr/sbin/no];then
/usr/sbin/nooudp_pmtu_discover=0#stopsautodiscoveryofMTU
/usr/sbin/nootcp_pmtu_discover=0#onthenetworkinterface
/usr/sbin/nooclean_partial_conns=1#clearsincomplete3wayconn.
/usr/sbin/noobcastping=0#protectsagainstsmurficmpattacks
/usr/sbin/noodirected_broadcast=0#stopspacketstobroadcastadd.
/usr/sbin/nooipignoreredirects=1#preventsloose
/usr/sbin/nooipsendredirects=0#sourcerouting
/usr/sbin/nooipsrcrouterecv=0#attackson
/usr/sbin/nooipsrcrouteforward=0#ournetwork
/usr/sbin/nooip6srcrouteforward=0#fromusingindirect
/usr/sbin/nooicmpaddressmask=0#dynamicroutes
/usr/sbin/noononlocsrcroute=0#toattackusfrom
/usr/sbin/nooipforwarding=0#Stopsserverfromactinglikearouter
fi

4.6Securingroot
4.6.1Changethe/etc/motdbanner
ThiscomputersystemistheprivatepropertyofXYZInsurance.It
isforauthorizeduseonly.Allusers(authorizedornonauthorized)
havenoexplicitorimplicitexpectationsofprivacy.
Anyorallusersofthissystemandallthefilesonthissystem
maybeintercepted,monitored,recorded,copied,audited,inspected
anddisclosedtoXYZInsurance'smanagementpersonnel.
Byusingthissystem,theenduserconsentstosuchinterception,
monitoring,recording,copying,auditing,inspectionanddisclosure
atthediscretionofsuchpersonnel.Unauthorizedorimproperuse
ofthissystemmayresultinciviland/orcriminalpenalitiesand
administrativeordisciplinaryaction,asdeemedappropriateby
saidactions.Bycontinuingtousethissystem,theindividual
indicateshis/herawarenessofandconsenttothesetermsand
conditionsofuse.
LOGOFFIMMEDIATELYifyoudonotagreetotheprovisionsstated
inthiswarningbanner.

4.6.2Modify/etc/security/user
root:

loginretries=5failedretriesuntilaccountlocks
rlogin=falseDisablesremoteheraldaccesstoarootshell.NeedtosufromanotherUID.
admgroups=system
minage=0minimumagingisnotimevalue
maxage=4maximumagingissetto30daysor4weeks
umask=22

4.6.3Tightenup/etc/security/limits
Thisisanattributethatshouldbechangedduetoarunawayresourcehog.Thisorphanedprocesscangrowtouseanexorbinateamount
ofdiskspace.Topreventthiswecansettheulimitvaluehere.

default:

#fsize=2097151
fsize=8388604setsthesoftfileblocksizetoamaxof8Gig.

4.6.4Variablechangesin/etc/profile
Setthe$TMOUTvariablein/etc/profile.Thiswillcauseaopenshelltocloseafter15minutesofinactivity.Itworksinconjunctionwith
thescreensaver,topreventanopensessiontobeusedtoeitherdeletetheserverorworsecorruptdataontheserver.
#Automaticlogout,includeinexportlineifuncommented
TMOUT=900

http://www.owlriver.com/issa/aixhardening.html

9/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

4.6.5Sudoisyourfriend
.
Thisisanicepieceofcode,thatthesystemadministratorscanuseinordertoallow"rootlike"functionality.Itallowsannonrootuser
torunsystembinariesorcommands.The/etc/sudoersfileisusedtoconfigureexactlywhattheusercando.Theserviceisconfigured
andrunningonufxcpidev.Thedevelopersarerunningascriptcalledchangepermsinordertotagthere.earfileswiththereown
ownershipattributes.
Firstwesetupsudotoallowrootlikeorsuperuserdoeraccesstosxnair.
#sudoersfile.
#
#ThisfileMUSTbeeditedwiththe'visudo'commandasroot.
#
#Seethesudoersmanpageforthedetailsonhowtowriteasudoersfile.
#
#Hostaliasspecification
#Useraliasspecification
#Cmndaliasspecification
#Userprivilegespecification
rootALL=(ALL)ALL
sxnair,jblade,vnaiduufxcpidev=/bin/chown*/usr/WebSphere/AppServer/installedApps/*
#
#
#Overridethebuiltindefaultsettings
Defaultssyslog=auth
Defaultslogfile=/var/log/sudo.log

Formoredetails,pleaseseetheXYZCompanyInsuranceWorkReportthatIcompiled,orvisitthisURL:
ttp://www.courtesan.com/sudo/andhttp://aplawrence.com/Basics/sudo.html.

4.7Tightenuser/groupattributes
4.7.1Change/etc/security/user
Thesearesomeofthechangestothe/etc/security/userfilethatwillpromoteamoreheightenedconfigurationofdefaultuserattributesat
yourcompany.
default:

umask=077definesumaskvalues22isreadableonlyforthatUID
pwdwarntime=7daysofpasswordexpirationwarnings
loginretries=5failedloginattemptsbeforeaccountislocked
histexpire=52defineshowlongapasswordcannotbereused
histsize=20defineshowmanypreviouspasswordsthesystemremembers
minage=2minimumnumberofweeksapasswordisvalid
maxage=8maximumnumberofweeksapasswordisvalid
maxexpired=4maximumtimeinweeksapasswordcanbechangedafteritexpires
minalpha=2minimumnumberofalphabeticcharactersinapassword
minother=1numberofnonalphabeticcharactersinapassword
minlen=8minimumcharacterlengthofapassword
mindiff=3numberofdifferentcharactersthatmustbeusedinapassword
maxrepeats=2numberoftimesacharactercanappearinapassword

4.7.2Change/etc/security/login.cfg
Setloginattributestobemorerestrictivein/etc/security/login.cfg
default:

sak_enabled=false
logintimes=
logindisable=5
logininterval=0
loginreenable=30
logindelay=10
herald="Unauthorizeduseprohibited.\r\nlogin:"

http://www.owlriver.com/issa/aixhardening.html

10/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

usw:
shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh

maxlogins=16

logintimeout=15setsthetimeto15secondsfromwhenaloginispresentedandyoutypeinyourpassword.

4.8WhattomonitorandauditinAIX
4.8.1Monitorerrorlogsandalogsonservers

errpta|more

alogof'/var/adm/ras/bootlog'(bootlog)
who/var/adm/sulog
who/var/adm/wtmp

4.8.2Configureanduseasyslogserver
Thecentralloghostislab_test.
#
#M.DesrosiersofITSecure,Inc.addedtheselineson06/12/02
#
#logallwarnings
#
*.warning/var/log/syslog/warningrotatetime1d#rotatedaily
*.warning@loghost
#
#logmaildebugmessages
#
mail.debug/var/log/syslog/mailrotatetime1d#rotatedaily
mail.none/var/log/syslog/mail
#logsecuritymessages
#
auth.debug/var/log/syslog/securityrotatetime1d#rotatedaily
auth.notice@loghost
#
#systemproblemsandevents
#
*.alert;*.crit*
*.emerge;*.alert;*.crit;*.err@loghost
#
#allothermessagesnotincludingmail
#

4.8.3Usebos.perftools
vmstat
iostat
netpmon
monitor
wlmstat

5.Conclusion
5.1Summary
Today'scomputingenvironmentsaremostlydistributedinfrastructures.Yourcompanymustdevelopintrusiondetectionstrategiesforthe
servers.Idonotbelievethatthereareanysensorsonthenternalnetwork.Manyofthecommonintrusiondetectionmethodsdependonthe
existenceofvariouslogsthatAIXcanproduceandontheavailabilityofauditingtoolsthatanalyzethoselogs.Thiswillhelpyouwith
installingtheappropriatesoftwaretoolsandconfigurethesetoolsandtheoperatingsystemtocollectandmanagethenecessaryinformation.
Keepyourcomputerdeploymentplancurrent.Yourcompanymustupdatethecomputerdeploymentplanwhenrelevantchangesoccur.
Sourcesofchangemayincludenewtechnologies,newsecuritythreats,updatestoyournetworkarchitecture,theadditionofnewclassesof
usersorneworganizationalunits,etc.Theenvironmentwillonlyworkiftheprocessiscentralized.Ialsobelievethatthereisnotenoughon
siteexperienceandinternalinfrastructuretoadministorthisproject.Theissuesof24/7availabilityandtheunderlyingissuesofsecurityin
http://www.owlriver.com/issa/aixhardening.html

11/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

layershavetobeaddressed.

AppendixA
sysinfo:
#!/bin/ksh
#
#Thisscriptisoneofthesystemmanagementtoolsused
#todetermineaparticularAIXsystemconfiguration
#
#listalloftheusersregisteredonthesystem
#
/usr/sbin/lsusercaidhomeALL|sed'/^#.*/d'|tr':''\011'
#
#displaythemountedfilesystems
#
echo"*********************"
echo
echoLISTOFMOUNTEDFILESYSTEMS
echo
echo"*********************"
/usr/bin/df
echo"*********************"
echo
echo
echo"*********************"
echo
echoVOLUMEGROUPINFORMATION
echo
echo"*********************"
#
#listoutthevolumegroupinformation
#suchasphyvol,logicalvolinfo
#
/usr/sbin/lsvg'p'rootvg
/usr/sbin/lsvg'l'rootvg
/usr/sbin/lspvhdisk0
/usr/sbin/lspv'p'hdisk0
/usr/sbin/lspv'l'hdisk0
/usr/sbin/lspvhdisk1
/usr/sbin/lspv'p'hdisk1
/usr/sbin/lspv'l'hdisk1
#
#listoutallofthedefinedusergroups
#
echo"****************"
echo
echo
echo"****************"
echo
echoDEFINEDUSERGROUPS
echo
echo"****************"
echo
/usr/sbin/lsgroup'c'ALL
#
#listouttheTCPnetinfo
#
echo"****************"
echo
echo
echo"****************"
echo
echoTCP/IPNETWORKINFORMATION
echo
echo"****************"
/usr/bin/netstat'nr'
/usr/bin/namerslv's''I'
/usr/bin/hostent'S'
/usr/bin/inetserv's''S''X'
#
#displaywhatsoftwareisinstalledonthesystem
#
echo"****************"
echo

http://www.owlriver.com/issa/aixhardening.html

12/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

echo
echo"****************"
echo
echoSOFTWAREINVENTORY
echo
echo"****************"
echo
/usr/bin/uname'x'
/usr/bin/lslpp'l'
/usr/sbin/lsdev'C'|sort'd''f'
/usr/bin/lssrc'g''nfs'
/usr/bin/pwdck'n''ALL'
/usr/bin/usrck'n''ALL'
/usr/sbin/grpck'n''ALL'
#
#displaythefailedloginlog
#
echo"****************"
echo
echoFAILEDLOGINSONTHISSYSTEM
echo
echo"****************"
/usr/bin/who's''/etc/security/failedlogin'
#
#displaytheuseridineachdefinedgroup
#
echo"****************"
echo
echoUSERINFORMATION
echo
echo"****************"
/usr/sbin/lsgroup'fa''id''users''ALL'
#andsomeotheruserinfo
/usr/sbin/lsuser'fa''id''groups''home''auditclasses''login'\
'su''rlogin''telnet''ttys''ALL'
tcpchk:
#
#thisfilecheckfortcprelatedfilestoseeifitis
#installedonthemachine
#
echo"Thefollowingnetworkproductsareinstalledonthissystem:"
echo""
lslppl|grepbosnet
echo""
installtest=`lslppl|/bin/grep'bos.net.tcp'`
if["x$installtest"="x"];then
echo"TCP/IPnotinstalled"
else
echo"ThefollowingTCP/Ipservicesareconfiguredonthismachine"
echo""
lssrcgtcpip
echo""
echo"********WARNING**********"
echo".rhostsand.netrcareasecurityrisk"
echo".rhostsfilesand.netrcfilesarein:"
echo""
find/name'.rhosts'print
echo""
echo".netrcfilesarein:"
echo""
find/name'.netrc'print
echo""
if[x/usr/sbin/inetdaf/etc/hosts.equiv];then
echo"thefollowinghostsareallowedtorsh,rcp,rlogin"
echo

cat/etc/hosts.equiv|grepv"#"
echo""
fi
if[x/usr/sbin/inetdaf/etc/hosts.lpd];then
echo"thefollowinghostsareallowedtosbumitremoteprintjobs"
echo"ONLY"
cat/etc/hosts.lpd|grepv"#"
echo""
fi
http://www.owlriver.com/issa/aixhardening.html

13/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

fi
if[x/usr/sbin/inetdaf/etc/resolv.conf];then
echo"thismachineisonanameservernetwork"
echo""
cat/etc/resolv.conf|grepv"#"
fi
fi
exit0

nfschk:
#!/bin/sh
#
#thisscriptreviewtheNFSconfigurationforamachine
#
echo"NFSConfiguration"
echo""
echo""
installtest=`lslppl|/bin/grepnfs`
if["x$installtest"="x"];then
echo"NFSnotinstalledonthissystem"
echo""
else
echo"NFSisinstalledonthissystem"
echo""
nfstest=`lssrcgnfs|/bin/grepactive`
if["x$nfstest"="x"];then
echo"NFSisnotactiveatthistime"
echo""
else
echo"NFSisactive"
echo""
if[x/usr/etc/nfsdaf/etc/exports];then
echo"ThismachineisanNFSserver"
:q!
kashmir@root/usr/local/bin>catnfschk
#!/bin/sh
#
#thisscriptreviewtheNFSconfigurationforamachine
#
echo"NFSConfiguration"
echo""
echo""
installtest=`lslppl|/bin/grepnfs`
if["x$installtest"="x"];then
echo"NFSnotinstalledonthissystem"
echo""
else
echo"NFSisinstalledonthissystem"
echo""
nfstest=`lssrcgnfs|/bin/grepactive`
if["x$nfstest"="x"];then
echo"NFSisnotactiveatthistime"
echo""
else
echo"NFSisactive"
echo""
if[x/usr/etc/nfsdaf/etc/exports];then
echo"ThismachineisanNFSserver"
echo"Thefollowingdirectoriesmaybeexported:"
echo""
cat/etc/exports
echo""
echo"Thefollowingdirectoriesarecurrentlyexported:"
echo""
cat/etc/xtab
echo""
echo"Thefollowinghostshaveexporteddirectoriesmounted"
echo"atthistime"
echo""
/usr/bin/showmount
echo""
else
echo"thismachineisanNFSclient"
echo""
echo"Thefollowingdirectoriesaremountedfromremotesystems"
echo""
echo"Nodemountedmountedovervfsdateoptions"
mount|grepv"^"

http://www.owlriver.com/issa/aixhardening.html

14/15

26/07/2016

AIXOperatingSystemHardeningProcedures&SecurityGuide

echo""
fi
echo"ThefollowingNFSservicesareconfiguredonthismachine:"
echo""
lssrcgnfs
echo""
fi
echo""
echo"NISConfiguration"
echo""
isypset=`domainname|/bin/grep"^[azAZ]"`
if["x$isypset"="x"];then
echo"NISisnotconfiguredatthistime"
echo""
else
echo"NISisconfiguredonthissystem"
echo""
fi
fi
exit0

nethwchk:
Thefollowingnetworkinterfacesareavailableonthissystem:

en0Available1068StandardEthernetNetworkInterface
en1Defined1070StandardEthernetNetworkInterface
en2Defined1080StandardEthernetNetworkInterface
et0Defined1068IEEE802.3EthernetNetworkInterface
et1Defined1070IEEE802.3EthernetNetworkInterface
et2Defined1080IEEE802.3EthernetNetworkInterface
lo0AvailableLoopbackNetworkInterface

Thefollowingcommunicationinterfacesarebroughtupatboot

Loopbackinterfacesarenotusedforcommunication

en0

Thecurrentinterfaceis:

en0:flags=4e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG>
inet192.168.1.13netmask0xffffffe0broadcast192.168.1.31

kashmir@root/usr/local/bin>morenethwchk
#!/bin/sh
#
#checkthenetworkinterfacehardware
#
echo"Thefollowingnetworkinterfacesareavailableonthissystem:"
echo""
lsdevCcif
echo""
echo"Thefollowingcommunicationinterfacesarebroughtupatboot"
echo""
echo"Loopbackinterfacesarenotusedforcommunication"
echo""
odmgetq"value='up'"CuAt|grepname|cutc1012
echo""
iftest=`odmgetq"value='up'"CuAt|grepname|cutc1012`
echo"Thecurrentinterfaceis:"
echo""
foriin$iftest
do
if[n$i];then
ifconfig$i
echo""
fi
done
exit0

http://www.owlriver.com/issa/aixhardening.html

15/15