
7/12/12

AIX Operating System Hardening Procedures & Security Guide


Originally from: http://aplawrence.com/MDesrosiers/aixhardening.html



By Michael Desrosiers ITSecure Inc. Email: mdesrosiers@itsecureinc.com Web Site: http://secure-it-consulting.com

1. The AIX 5L server security process


1.1 Preamble
IBM has positioned AIX 5L version 5.1 as its new standard Unix operating system. It is built on AIX 4.3.3 and improves on it in critical areas such as reliability, availability, performance and security. The recommended way to harden AIX is to apply the principle of least privilege: if a user does not need a service, that user is not allowed to reach it, and if the server is an application server, only the ports that application needs (for example 80, 443 and 8080) are reachable. The underlying security principle is that a computer should provide only selected network services. Every network service you offer is an opportunity for an attacker, in other words a risk to your system. That is not to say you should offer no services; a web application server that does not serve web traffic is not very useful. Instead, the principle says you should understand each network service and offer none without a good reason. This paper applies that principle to AIX 5.1, giving reasons to harden both the server and its network services. Some security packages address the problem by stripping all (or nearly all) network services and then telling you to be careful about what you add back. That is a sound approach, but it requires that you get your hands on the system before anyone layers anything onto it, and that you understand each thing you add back. Neither condition holds at many sites. The approach here is different: we consider the services offered by the AIX 5.1 operating system, explain what each does, note the risks involved with each, and recommend what to do to mitigate them.
www.owlriver.com/issa/aixhardening.html 1/14

1.1.1 Security Planning and Framework


Planning - This is where you define the overall security policies and goals. In many organizations this initial step is performed at the corporate level and is likely to have been completed already. How much security is needed? How much security can the business afford? What are the "crown jewels" you are protecting?

Architecture - This is where the design of your environment is defined to meet the requirements of the planning phase. What are the weakest points in your environment? What would the attempted attacks look like? Where would the exploits come from, internal or external? Where is your company focused: the border, the perimeter?

Implementation - This is where the infrastructure is built from the architectural design. Start by securing the servers and work outwards towards the perimeter. Start with one security package and roll it out to the other servers. Work through the stack layer by layer: physical layer, network layer, and so on.

Monitoring - Once the infrastructure is built, you will need to monitor it continuously for vulnerabilities and suspected attacks. Polling everything constantly can choke the network with SNMP traffic, so scheduled (for example weekly) audits may be the better approach. Problems found here are fed back into the previous phases to find the best resolution. Sources to review:
Application logs
System logs (syslog, sulog, wtmp, lastlog, failedlogin, etc.)
Audit logs
System errors (errlog)
System performance (vmstat, iostat, ptx, sar, wlmstat, etc.)
Network performance (no, netstat, netpmon, etc.)
Filesystems and permission structures
File integrity (tripwire, AIDE, md5, etc.)

Incident Response - This is the phase in which you must address your worst fears. The worst time to begin working on it is after an attack or breach has already occurred; the time spent up front deciding how you will respond to a real attack pays for itself many times over if you are ever in that situation. Think of it as pre-emptive thinking. Identify the severity of the breach. Start an outline or working document for evidence gathering. Work methodically from the inside to the outside of your environment, starting at the physical layer and working your way through. Have a checklist to work from before the event takes place. Document everything you do and validate it. If additional help may be needed, have a vendor contract in place.

1.1.2 Policy Considerations


Your organization's security policy for networked systems should require that a detailed computer deployment plan be developed, implemented and maintained whenever computers are deployed. Access to the deployment plan should be given only to those who need it to do their jobs. All new and updated servers should be installed, configured and tested stand-alone or within a test network (that is, not connected to operational networks). The policy must define in detail what behaviour is appropriate within the organization's IT infrastructure. All servers should present a warning banner telling users that they are legally accountable for their actions and that, by using the servers, they consent to having their actions logged.

2. Requirements

2.1 Policies and Procedures


You must develop a server deployment plan that includes security issues. Most deployment plans address the cost of the computers, schedules to minimize work disruption, installation of application software, and user training; you also need to include a discussion of security. You can eliminate many networked-system vulnerabilities and prevent many security problems if you securely configure computers and networks before you deploy them. Vendors typically set defaults to maximize available functions, so you usually need to change them to meet your organization's security requirements. You are more likely to configure computers appropriately and consistently when you use a detailed, well-designed deployment plan, and developing such a plan will support you in making the hard trade-off decisions between functionality and security. Consistency is a key factor in security because it fosters predictable behavior: it makes secure configurations easier to maintain and helps you identify security problems, which often manifest themselves as deviations from common, expected behavior. Keeping the AIX operating system and application software up to date is an essential part of this strategy.

2.1.1 Services Identification


Identify the purpose of each computer and document how it will be used. Consider the following: What categories of information will be stored on the computer? What kind of information will be processed on it? What are the security requirements for that information? What network service(s) will the computer provide? What are the security requirements for those services? Identify the network services that will be provided on the server. As a general rule, servers should be dedicated to a single service. This usually simplifies the configuration, which reduces the likelihood of configuration errors, and it eliminates unexpected and unsafe interactions among services that present opportunities for intruders. In the case of these servers, the application server should be limited to www (http) or https, and the DB2 server to the two db2inst1 service ports, 50000 and 50001. In some cases it may be appropriate to offer more than one service on a single host. For example, the server software from many vendors combines the file transfer protocol (FTP) and the hypertext transfer protocol (HTTP) services in a single package, and it may be appropriate to provide access to public information via both protocols from the same host; we do not recommend this, as it is a less secure configuration. Determine how the servers will be connected to your network. There are concerns relating to network connections that can affect the configuration and use of any one computer. Many organizations use a broadcast technology such as Ethernet for their local area networks; information traversing such a segment can be seen by any computer on that segment. This suggests that you should only place "trusted" computers on the same network segment, or else encrypt information before transmitting it. Switched Ethernet narrows but does not remove the exposure (ARP spoofing and mirror ports still give an attacker the traffic), so treat encryption as the real control. These servers should be on their own private subnet.

2.1.2 AIX Installation Procedures


Develop and follow a documented procedure for installing an operating system. I have compiled a separate document that pertains to this bullet. In this document, the steps to implement and install a base AIX 5.1 image are detailed and described with all the parameters that are set during installation. Make all your parameter choices explicit, even if they match the default settings. (This may seem to be unnecessary, but it can prevent security problems if you subsequently reuse your scripts or configuration files to configure servers). Your explicit choices will still be used even if the defaults have changed with new AIX releases. Your installation procedure should also specify the security-related updates or patches that are to be applied to the operating system. If possible, have a single person perform the installation procedure for each computer and capture each installation step in a documented manner (such as through using a checklist).

2.1.3 Authentication and Authorization


The most common approach is the use of passwords, but other mechanisms can be used, such as keys, tokens, and biometric devices (devices that recognize a person by biological characteristics such as fingerprints or the pattern of retinal blood vessels). Because authentication mechanisms like passwords require information to be accessible to the authentication software, carefully document how that information will be protected. Authentication data is critical security information that requires a high level of protection. Follow the security group's guidelines for administrative access into your sensitive data environment, in other words a password length of 8 characters with at least 2 alphabetic characters, etc.; these are discussed in more detail in the recommendations section of this document. Determine how appropriate access to information resources will be enforced. For many resources, such as program and data files, the access controls provided by AIX are the most obvious means to enforce access privileges. Also consider using encryption to protect the confidentiality of sensitive information. In some cases, protection mechanisms will need to be augmented by policies that guide users' behavior at their workstations. Identify the users or categories of users of the computer. The categories are based on user roles that reflect their authorized activity; the roles are often based on similar work assignments and similar needs for access to particular information resources: system administrators, software developers, data entry personnel, etc. If appropriate, include groups of remote users and temporary or guest users. Document the categories of users that will be allowed access to the provided services. You may need to categorize users by organizational department, physical location, or job responsibilities.

You also need a category of administrative users who will administer the servers, and possibly another category for backup operators. Interactive access to the AIX servers should be restricted to the administrators responsible for operating and maintaining them, so that the server's users are limited to those who are authorized to use the provided service and those responsible for server administration. Determine the privileges that each category of user will have on the servers. To document privileges, create a matrix that cross-lists the users or user categories (defined in the previous step) with the privileges they will possess. The privileges are customarily placed in groups that define what system resources or services a user can read, write, change, execute, create, delete, install, remove, turn on, or turn off. Decide how users will be authenticated and how authentication data will be protected. There are usually two kinds of authentication: (1) the kind provided with the operating system, commonly used for authenticating administrative users, and (2) the kind provided by the network service software, commonly used for authenticating users of the service. A particular implementation of a network service may use the operating system's authentication, in which case users of that service must have a local identity (usually a local account) on the server.

2.1.4 Backup and Recovery


Document procedures for backup and recovery of the information resources stored on the computer. Possessing recent, secure backup copies makes it possible to restore the integrity and availability of information resources quickly. Successful restoration depends on configuring the operating system, installing appropriate tools, and following defined operating procedures. Document the backup procedures, including roles, responsibilities, and how the physical media that store the backup data are handled, stored, and managed. Consider using encryption to protect backups, for example ssh/scp for backups that cross the network. Your backup procedures need to account for the possibility that backup files have been compromised by an undetected intrusion: verify the integrity of all backup files (checksums taken at backup time and kept off-line) before using them to recover systems.


3. Tools and Checklists

3.1 Tools

3.1.1 AIX 5.1 server tools
Here are the tools that are used in IT environments today. These tools are freeware, but have been validated by their reliability over the last 5 - 10 years.

Tool              Purpose                                                        Extent of usage           Comments
md5               Validate integrity of file contents                            Daily (automated)         freeware
tripwire or AIDE  Verify integrity of directories and files on the server        Daily (automated)         freeware
tcp_wrapper       Log unauthorized connections to servers                        Daily (viewing of logs)   freeware
syslog            Collect log information for unauthorized entry on the server   Daily (automated)         part of operating system
swatch            Log parsing tool that makes log reading more bearable          Daily (automated)         freeware
lsof              Monitors service/port connections to the server                Daily (automated)         freeware
ssh               Encrypts connections to servers                                Daily (automated)         freeware
tcpdump           Analyzes packets on the server's interface                     Daily (automated)         freeware
ethereal          Packet capturing tool                                          Daily (automated)         freeware
openssl           Encapsulation/tunneling of communication paths                 -                         freeware
nmap              Network exploration tool and security scanner                  Weekly (automated)        freeware
nessus            Network scanner and vulnerability assessment tool              Weekly (automated)        freeware

3.2 Checklist

3.2.1 AIX Security Checklist

3.2.1.1 AIX Environment Procedures
The best way to approach this portion of the checklist is to do a comprehensive physical inventory of the servers. Serial numbers and physical location are sufficient.
____ Record server serial numbers
____ Physical location of the servers
Next we want to gather a comprehensive inventory of both AIX and the pSeries hardware. Running the next four scripts g
athers the information for analysis: sysinfo, tcpchk, nfschk and nethwchk (see Appendix A for the scripts).
____ sysinfo:
____ Determine active volume groups on the servers: lsvg -o
____ List physical volumes in each volume group: lsvg -p "vgname"
____ List logical volumes for each volume group: lsvg -l "vgname"
____ List physical volume information for each hard disk:
____ lspv hdiskx
____ lspv -p hdiskx
____ lspv -l hdiskx


____ List server software inventory: lslpp -L
____ List server software history: lslpp -h
____ List all hardware attached to the server: lsdev -C | sort -d
____ List system name, nodename, LAN network number, AIX release, AIX version and machine ID: uname -x
____ List all system resources on the server: lssrc -a
____ List inetd subservices: lssrc -ls inetd (or one subserver: lssrc -t 'service name' -p 'process id')
____ List all host entries on the servers: hostent -S
____ Name all nameservers the servers have access to: namerslv -s
____ Show status of all configured interfaces on the server: netstat -i
____ Show network addresses and routing tables: netstat -nr
____ Show interface settings: ifconfig -a
____ Check user and group system variables
____ Check users: usrck -t ALL
____ Check groups: grpck -t ALL

____ Verify the Trusted Computing Base, if it was installed: tcbck -n ALL
____ Examine the AIX failed logins: who -s /etc/security/failedlogin
____ Examine the AIX user log: who /var/adm/wtmp
____ Examine the processes from users logged into the servers: who -p /var/adm/wtmp
____ List all user attributes: lsuser ALL | sort -d
____ List all group attributes: lsgroup ALL
____ tcpchk:
____ Confirm the TCP/IP subsystem is installed: lslpp -l | grep bos.net
____ Determine if it is running: lssrc -g tcpip
____ Search for .rhosts and .netrc files: find / -name .rhosts -print ; find / -name .netrc -print
____ Check for rsh trust on the host: cat /etc/hosts.equiv
____ Check for remote printing trust: grep -v '^#' /etc/hosts.lpd

____ nfschk:
____ Verify NFS is installed: lslpp -L | /bin/grep nfs
____ Check NFS/NIS status: lssrc -g nfs | /bin/grep active
____ Check whether this is an NFS server and which directories are exported: cat /etc/xtab
____ Show clients that have mounted directories from this server: showmount
____ Show which directories are exported: showmount -e

____ nethwchk:

____ Show network interfaces that are connected: lsdev -Cc if
____ Display interfaces configured up at boot: odmget -q value=up CuAt | grep name | cut -c10-12
____ Show all interface status: ifconfig -a

3.2.1.2 Root level access

____ Limit who can su to another UID (the su and sugroups attributes): lsuser -a su sugroups ALL
____ Audit the sulog: cat /var/adm/sulog
____ Verify /etc/profile does not put the current directory (".") in PATH
____ Lock down cron access (if neither cron.allow nor cron.deny exists, only root may use cron):
____ To allow root only: rm -i /var/adm/cron/cron.deny and rm -i /var/adm/cron/cron.allow
____ To allow all users: remove cron.allow and create an empty cron.deny: touch /var/adm/cron/cron.deny
____ To allow a user access: echo "username" >> /var/adm/cron/cron.allow (create the file first if needed; an empty cron.allow admits root only, and ">" would overwrite the existing list)
____ To deny a user access: echo "username" >> /var/adm/cron/cron.deny
____ Disable direct remote root login: set rlogin = false for root in /etc/security/user or through smit. This governs telnet/rlogin only; for sshd set PermitRootLogin no in sshd_config as well.
____ Limit the $PATH variable in /etc/environment. Use the user's .profile instead.

3.2.1.3 Authorization/authentication administration

____ Report all password inconsistencies without fixing them: pwdck -n ALL
____ Report all password inconsistencies and fix them: pwdck -y ALL
____ Report all group inconsistencies without fixing them: grpck -n ALL
____ Report all group inconsistencies and fix them: grpck -y ALL
____ Review /etc/passwd, /etc/security/passwd (AIX keeps the password hashes here; there is no /etc/shadow) and /etc/group weekly

3.2.1.4 SUID/SGID

____ Review all SUID/SGID programs owned by root, daemon and bin.
____ Review all set-UID programs: find / -perm -4000 -type f -print
____ Review all set-GID programs: find / -perm -2000 -type f -print
____ Review all sticky-bit files: find / -perm -1000 -print
____ Set the default user .profile in /etc/security/.profile

3.2.1.5 Permissions structures

____ System directories should be no more permissive than 755
____ Root system directories should be owned by root
____ Use the sticky bit on the /tmp and /usr/tmp directories.
____ Run a checksum (md5) against all files in /bin, /usr/bin and /usr/sbin; /dev holds device nodes, so record their ownership and modes rather than checksums.
____ Check device file permissions:

____ disk, storage, tape and network devices: 600, owned by root.
____ tty devices: 622, owned by root.
____ /dev/null: 666 (world read/write; the execute bits are never needed).

____ List all hidden files (the .files) in their directories.
____ List all world-writable directories (use the find command).
____ $HOME directories should be 710
____ $HOME .profile or .login files should be 600 or 640.
____ Look for un-owned files on the server: find / -nouser -print. Note: do not remove any /dev files.
____ Do not use the r-type commands (rsh, rlogin, rcp) or tftp, and do not keep .netrc or .rhosts files.
____ /etc/hosts must stay world-readable (644); name resolution breaks for non-root processes if it is tightened to 660. Review its contents weekly instead.
____ Check for both tcp and udp failed connections to the servers: netstat -p tcp; netstat -p udp.
____ Verify contents of /etc/exports (NFS export file).
____ If using ftp, make this change to the /etc/inetd.conf file to enable logging: ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -l
____ Export NFS mounts -ro (read-only) and only to the hosts that need them.
____ Consider using extended ACLs (see the aclget and aclput man pages).
____ Before connecting to the network, collect a full system file listing and store it off-line: ls -laR / > /tmp/allfiles.system, then move the file off the server.
____ Use the strings command to check files for unexpected content, for example: strings /etc/hosts | grep Kashmir
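The SUID/SGID and permission checks in 3.2.1.4 and 3.2.1.5 are only useful if each run is compared against a known-good state. The script below is an added example, not from the original page: it builds a baseline of set-UID/set-GID files and reports drift against it. The tree it scans is a constructed sandbox (the su, ping and backdoor names are stand-ins); on AIX run suid_inventory / once at build time, keep the baseline off the server, and run suid_drift / baseline.txt from cron.

```shell
#!/bin/sh
# Baseline and drift check for set-UID / set-GID files.
# Added example, not from the original page. The tree scanned here is a
# constructed sandbox; on an AIX host scan / instead, and keep the baseline
# file off the server (an intruder who can add a set-UID binary can also
# edit a baseline left in /tmp).

# One "mode owner group path" line per set-UID/set-GID regular file.
# -perm -4000 matches set-UID, -perm -2000 matches set-GID. (1000 is the
# sticky bit and 3000 is sticky+set-GID, so neither finds set-UID binaries.)
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k 4
}

# Compare a fresh inventory of $1 against the baseline file $2.
# Prints "+ mode owner group path" for entries absent from the baseline (a new
# privileged file, or one whose mode/owner changed) and "- ..." for baseline
# entries that are gone. Returns 1 when anything differs, so it can gate a
# cron job or raise a syslog alert.
suid_drift() {
    tree=$1; baseline=$2
    current=$(mktemp)
    suid_inventory "$tree" > "$current"
    changes=$( { diff "$baseline" "$current" || true; } |
               awk '/^</ { sub(/^</, "-"); print } /^>/ { sub(/^>/, "+"); print }' )
    rm -f "$current"
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}

# Constructed scenario: two legitimate set-UID binaries are baselined, then an
# intruder drops a set-UID "backdoor" and an admin strips set-UID from ping.
demo_suid_drift() {
    sandbox=$(mktemp -d)
    mkdir -p "$sandbox/usr/bin"
    for f in su ping; do : > "$sandbox/usr/bin/$f"; chmod 4555 "$sandbox/usr/bin/$f"; done
    suid_inventory "$sandbox/usr" > "$sandbox/baseline.txt"
    : > "$sandbox/usr/bin/backdoor"; chmod 4755 "$sandbox/usr/bin/backdoor"
    chmod 0555 "$sandbox/usr/bin/ping"
    if suid_drift "$sandbox/usr" "$sandbox/baseline.txt"; then rc=0; else rc=1; fi
    rm -rf "$sandbox"
    return $rc
}
```

demo_suid_drift prints one "+" line for the backdoor and one "-" line for ping and returns 1; a clean run prints nothing and returns 0, which is what a cron wrapper should test for.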

4. Recommendations

4.1 Remove unnecessary services


A default /etc/services lists hundreds of service names, and an inetd.conf that refers to them will happily start any of them; we want to pare both files down to a manageable set. There are two files in particular to trim. The first is /etc/services itself. A good starting point is to remove every service you do not need and add services back as you need them. Note what this does and does not achieve: inetd looks up the port for each service by name, so a missing entry stops inetd from starting that service, but a stand-alone daemon with a hard-coded port is unaffected. Below is the /etc/services file of an existing NTP server on one of my lab servers. Note that login (513/tcp) and shell (514/tcp), the rlogin and rsh ports, survive in it; they are only name-to-port mappings and harmless while inetd.conf does not reference them, but for consistency with 3.2.1.5 they can be removed as well.
#
# Network services, Internet style
#
ssh             22/udp
ssh             22/tcp
auth            113/tcp         authentication
sftp            115/tcp
ntp             123/tcp                         # Network Time Protocol
ntp             123/udp                         # Network Time Protocol
#
# UNIX specific services
#
login           513/tcp
shell           514/tcp         cmd             # no passwords used

4.2 Parse /etc/rc.tcpip file


This file starts the daemons for the TCP/IP stack on AIX servers. By default it starts sendmail, snmpd and a number of other daemons. We want to pare it down to the functionality this server needs. Here is the example for my ntp server.
# Start up the daemons
#
echo "Starting tcpip daemons:"
trap 'echo "Finished starting tcpip daemons."' 0

# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running"

# Start up Portmapper
start /usr/sbin/portmap "$src_running"

# Start up socket-based daemons
start /usr/sbin/inetd "$src_running"



# Start up Network Time Protocol (NTP) daemon
start /usr/sbin/xntpd "$src_running"

This also helps you understand what processes are running on the server. If the host serves neither NFS nor NIS, portmap can go as well; it exists only to answer RPC port lookups, and an RPC listener on 111 is a favourite reconnaissance target.

4.3 Remove unauthorized /etc/inittab entries


Be aware of what is in the /etc/inittab file on the AIX servers. It plays the role that the run keys of the registry play in a Microsoft environment: if an intruder wants an automated script started for him, this file and the cron tables are where he will put it. Monitor this file closely; lsitab -a lists its entries, and keeping a known-good copy to diff against makes any addition obvious.

4.4 Parse /etc/inetd.conf file


This is the configuration file of inetd, the AIX super-server that starts services such as telnet and ftp on demand. We also want to watch this file closely for services that have been enabled without authorization. If you are using ssh, for example, this is what the inetd.conf file should look like. Because we are using other internet connections, this file is not used in my environment and should not be of use to you. This is why ssh should be used for all administrative connections into the environment: it provides an encrypted tunnel, so the connection traffic is protected. With telnet it is trivial to sniff the UID and password. An inetd with nothing left to serve can be dropped from rc.tcpip altogether by commenting out its start line.
#
# protocol. "tcp" and "udp" are interpreted as IPv4.
#
## service  socket  protocol  wait/   user  server            server program
## name     type              nowait        program           arguments
#
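As an added example that is not part of the original page, the script below lists what an inetd.conf still has enabled and flags any service outside an allow-list, which is the check this section asks for. The inetd.conf it reads is a constructed sample; on AIX point it at /etc/inetd.conf and cross-check with lssrc -ls inetd, since an edit takes effect only after refresh -s inetd.

```shell
#!/bin/sh
# Audit an inetd.conf: list what is still enabled and flag anything that is
# not on the approved list. Added example, not from the original page. The
# inetd.conf below is constructed; on AIX run the functions against
# /etc/inetd.conf and cross-check with `lssrc -ls inetd`, which shows the
# services inetd actually loaded (an edit takes effect after `refresh -s inetd`).

# Services this host may offer through inetd. Empty for an ssh-only server,
# as in the article; extend it per host (e.g. INETD_ALLOWED="ftp").
INETD_ALLOWED=""

# Print "service protocol program" for each active (non-comment) entry of $1.
inetd_enabled() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1, $3, $6 }' "$1"
}

# Print each enabled service that is not in $INETD_ALLOWED; return 1 if any.
inetd_unapproved() {
    inetd_enabled "$1" | awk -v ok=" $INETD_ALLOWED " '
        index(ok, " " $1 " ") == 0 { print; bad = 1 }
        END { exit bad }'
}

# Constructed sample: the build disabled the classic daemons, but rexecd was
# never commented out and someone re-enabled bootpd afterwards.
make_sample_inetd() {
    cat > "$1" <<'EOF'
## service socket protocol wait/ user server server program
## name type nowait program arguments
#ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -l
#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a
#shell stream tcp6 nowait root /usr/sbin/rshd rshd
#login stream tcp6 nowait root /usr/sbin/rlogind rlogind
exec stream tcp6 nowait root /usr/sbin/rexecd rexecd
#ntalk dgram udp wait root /usr/sbin/talkd talkd
bootps dgram udp wait root /usr/sbin/bootpd bootpd /etc/bootptab
EOF
}
```

With the allow-list empty, inetd_unapproved reports both exec and bootps and returns 1; setting INETD_ALLOWED="bootps exec" makes the same file pass, which is how a per-host exception is expressed.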

4.5 Edit /etc/rc.net


This is the network configuration file used by AIX. It is where you set your default route and your no (network options) attributes. Because these servers will not be used as routers to forward traffic, and we do not want loose source routing at your site, we make a few changes in this file. Most of them protect against DoS and DDoS attacks from the internet; they also protect against ACK and SYN attacks on the internal network. On AIX 5.1 values set with no do not survive a reboot on their own, which is why they are applied from rc.net; from AIX 5.2 on, no -p -o option=value records them persistently.
#################################
# Changes made on 06/07/02 to tighten up socket states on this
# server.
#################################
if [ -f /usr/sbin/no ]; then
    /usr/sbin/no -o udp_pmtu_discover=0    # stops autodiscovery of MTU
    /usr/sbin/no -o tcp_pmtu_discover=0    # on the network interface
    /usr/sbin/no -o clean_partial_conns=1  # clears incomplete 3-way conn.
    /usr/sbin/no -o bcastping=0            # protects against smurf icmp attacks
    /usr/sbin/no -o directed_broadcast=0   # stops packets to broadcast add.
    /usr/sbin/no -o ipignoreredirects=1    # prevents loose
    /usr/sbin/no -o ipsendredirects=0      # source routing
    /usr/sbin/no -o ipsrcrouterecv=0       # attacks on
    /usr/sbin/no -o ipsrcrouteforward=0    # our network
    /usr/sbin/no -o ip6srcrouteforward=0   # from using indirect
    /usr/sbin/no -o icmpaddressmask=0      # dynamic routes
    /usr/sbin/no -o nonlocsrcroute=0       # to attack us from
    /usr/sbin/no -o ipforwarding=0         # Stops server from acting like a router
fi
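The rc.net fragment only runs at boot, and anyone with root can change a tunable at run time, so the values should be re-checked periodically. The script below is an added example, not from the original page: it compares no -a output against the values above and prints the no -o commands that would restore them. The no -a output shown is a constructed sample of a loosely configured host, not output from a real machine.

```shell
#!/bin/sh
# Check the kernel's current network options against the values the rc.net
# fragment above sets. Added example, not from the original page. On AIX pipe
# the real output in with `no -a | no_audit`; here the input is a constructed
# sample in the same "name = value" format.

# "option expected" pairs, taken from the rc.net fragment above.
NO_EXPECTED='
udp_pmtu_discover 0
tcp_pmtu_discover 0
clean_partial_conns 1
bcastping 0
directed_broadcast 0
ipignoreredirects 1
ipsendredirects 0
ipsrcrouterecv 0
ipsrcrouteforward 0
ip6srcrouteforward 0
icmpaddressmask 0
nonlocsrcroute 0
ipforwarding 0
'

# Reads `no -a` output on stdin. Prints "option current expected" for every
# option that differs, "option missing expected" for one the kernel did not
# report, and returns 1 if anything was printed.
no_audit() {
    awk -v want="$NO_EXPECTED" '
        BEGIN {
            n = split(want, lines, "\n")
            for (i = 1; i <= n; i++) if (lines[i] != "") { split(lines[i], kv, " "); want_v[kv[1]] = kv[2] }
        }
        $2 == "=" && ($1 in want_v) {
            seen[$1] = 1
            if ($3 != want_v[$1]) { print $1, $3, want_v[$1]; bad = 1 }
        }
        END {
            for (k in want_v) if (!(k in seen)) { print k, "missing", want_v[k]; bad = 1 }
            exit bad
        }'
}

# Turn the audit findings into the `no -o` commands that would correct them
# (options the kernel does not know are skipped rather than guessed at).
no_fix() {
    no_audit | awk '$2 != "missing" { printf "/usr/sbin/no -o %s=%s\n", $1, $3 }'
}

# Constructed sample of `no -a` output from a loosely configured host.
sample_no_output() {
    cat <<'EOF'
                 bcastping = 0
       clean_partial_conns = 0
        directed_broadcast = 1
           icmpaddressmask = 0
        ip6srcrouteforward = 1
              ipforwarding = 1
         ipignoreredirects = 0
           ipsendredirects = 1
         ipsrcrouteforward = 1
            ipsrcrouterecv = 1
            nonlocsrcroute = 1
         tcp_pmtu_discover = 1
         udp_pmtu_discover = 1
                   thewall = 1048576
EOF
}
```

On the sample, sample_no_output | no_audit lists eleven deviations (bcastping and icmpaddressmask already match) and sample_no_output | no_fix prints the eleven corresponding no -o commands; thewall is ignored because it is not in the expected list.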

4.6 Securing root

4.6.1 Change the /etc/motd banner


This computer system is the private property of XYZ Insurance. It is for authorized use only. All users (authorized or non-authorized) have no explicit or implicit expectations of privacy. Any or all users of this system and all the files on this system may be intercepted, monitored, recorded, copied, audited, inspected and disclosed to XYZ Insurance's management personnel. By using this system, the end user consents to such interception, monitoring, recording, copying, auditing, inspection and disclosure at the discretion of such personnel. Unauthorized or improper use of this system may result in civil and/or criminal penalties and administrative or disciplinary action, as deemed appropriate by said actions. By continuing to use this system, the individual indicates his/her awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the provisions stated in this warning banner.


4.6.2 Modify /etc/security/user


root:
        loginretries = 5      - failed retries until the account locks
        rlogin = false        - disables remote (telnet/rlogin) access to a root shell; su from another UID instead
        admgroups = system
        minage = 0            - minimum aging is no time value
        maxage = 4            - maximum aging is set to 4 weeks (28 days)
        umask = 22

4.6.3 Tighten up /etc/security/limits


This attribute should be changed to guard against a runaway resource hog: an orphaned process can grow a file to use an exorbitant amount of disk space. To limit this we set the file-size ulimit here.

default:
        # fsize = 2097151
        fsize = 8388604       - sets the soft file-size limit; the unit is 512-byte blocks, so this is about 4 GB (the stock 2097151 is 1 GB)

4.6.4 Variable changes in /etc/profile


Set the TMOUT variable in /etc/profile. This closes an idle shell after 15 minutes of inactivity. Together with the screensaver it prevents an abandoned session from being used to wipe the server or, worse, corrupt data on it. Export the variable and mark it readonly, otherwise a user can simply unset it in his own .profile; ksh honours TMOUT, and a non-ksh login shell may not.

# Automatic logout, include in export line if uncommented
TMOUT=900

4.6.5 Sudo is your friend


This is a nice piece of code that system administrators can use to grant "root-like" functionality: it allows a non-root user to run specific system binaries or commands, and the /etc/sudoers file configures exactly what each user may do. The service is configured and running on ufxcpidev. The developers are running a script called changeperms in order to tag their .ear files with their own ownership attributes. First we set up sudo ("superuser do") to allow root-like access to sxnair.
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root                ALL=(ALL) ALL
sxnair,jbald,neviu  ufxcpidev=/bin/chown * /usr/WebSphere/AppServer/installedApps/*
#
# Override the built in default settings
Defaults            syslog=auth
Defaults            logfile=/var/log/sudo.log

For more details, please see the XYZ Company Insurance Work Report that I compiled, or visit this URL: http://www.courtesan.com/sudo/ and http://aplawrence.com/Basics/sudo.html. One caution on the chown rule above: in sudoers a * matches any string, spaces included, so the rule also matches "/bin/chown root /etc/passwd /usr/WebSphere/AppServer/installedApps/x", and a path that climbs out with ../ still ends in the permitted prefix. Pin the owner argument to the developers' own user names, or wrap the chown in a small script that validates its arguments and grant sudo on that script instead.

4.7 Tighten user/group attributes

4.7.1 Change /etc/security/user


These are some changes to the /etc/security/user file that tighten the default user attributes at your company.
default:
        umask = 077           - default umask; 077 makes new files readable only by the owning UID
        pwdwarntime = 7       - days of password expiration warnings
        loginretries = 5      - failed login attempts before the account is locked



        histexpire = 52       - defines how long (in weeks) a password cannot be re-used
        histsize = 20         - defines how many previous passwords the system remembers
        minage = 2            - minimum number of weeks a password is valid
        maxage = 8            - maximum number of weeks a password is valid
        maxexpired = 4        - maximum time in weeks a password can be changed after it expires
        minalpha = 2          - minimum number of alphabetic characters in a password
        minother = 1          - number of non-alphabetic characters in a password
        minlen = 8            - minimum character length of a password
        mindiff = 3           - number of different characters that must be used in a password
        maxrepeats = 2        - number of times a character can appear in a password

Note that the traditional crypt hash used by AIX 5.1 only looks at the first eight characters of a password, so raising minlen above 8 adds nothing until a stronger hash is available.
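Because every account inherits the default: stanza and any attribute repeated in a user's own stanza overrides it, a policy that looks right in default: can still be undercut by a single per-user line. The script below is an added example, not part of the original page: it reads an /etc/security/user stanza file, applies the per-user override rule, reports attributes weaker than the values above and emits the chsec commands that would fix them. The stanza file is a constructed sample and the appsvc account is hypothetical.

```shell
#!/bin/sh
# Audit the password-policy attributes in an /etc/security/user stanza file.
# Added example, not from the original page; the stanza file below is a
# constructed sample. On AIX run `user_policy_audit < /etc/security/user`
# and compare with `lssec -f /etc/security/user -s default -a minlen`.

# Floors from 4.7.1: "attribute minimum" pairs.
POLICY_MIN='
minlen 8
minalpha 2
minother 1
mindiff 3
histsize 20
loginretries 5
'
# Ceilings: "attribute maximum" pairs (maxage = 0 means never expires, so
# 0 is treated as a violation for that attribute).
POLICY_MAX='
maxage 8
maxrepeats 2
'

# Every user inherits the default: stanza, and a value in the user's own
# stanza overrides it, so "minlen = 4" added under one account silently
# weakens policy for that account only. Prints "stanza attribute value limit"
# per violation and returns 1 if there were any.
user_policy_audit() {
    awk -v mins="$POLICY_MIN" -v maxs="$POLICY_MAX" '
    BEGIN {
        n = split(mins, l, "\n"); for (i = 1; i <= n; i++) if (l[i] != "") { split(l[i], kv, " "); mn[kv[1]] = kv[2] }
        n = split(maxs, l, "\n"); for (i = 1; i <= n; i++) if (l[i] != "") { split(l[i], kv, " "); mx[kv[1]] = kv[2] }
    }
    /^[^ \t#*].*:[ \t]*$/ { s = $0; sub(/:.*/, "", s); stanzas[++ns] = s; next }   # "name:" header
    /^[ \t]+[a-z]+[ \t]*=/ { val[s, $1] = $3; next }                               # "attr = value"
    END {
        for (i = 1; i <= ns; i++) {
            s = stanzas[i]
            for (a in mn) {
                v = ((s, a) in val) ? val[s, a] : val["default", a]
                if (v == "") { if (s == "default") { print s, a, "unset", ">=" mn[a]; bad = 1 }; continue }
                if (v + 0 < mn[a] + 0) { print s, a, v, ">=" mn[a]; bad = 1 }
            }
            for (a in mx) {
                v = ((s, a) in val) ? val[s, a] : val["default", a]
                if (v == "") { if (s == "default") { print s, a, "unset", "<=" mx[a]; bad = 1 }; continue }
                if ((a == "maxage" && v + 0 == 0) || v + 0 > mx[a] + 0) { print s, a, v, "<=" mx[a]; bad = 1 }
            }
        }
        exit bad
    }'
}

# Emit the chsec commands that would bring each violating value to the limit.
user_policy_fix() {
    user_policy_audit | awk '{ lim = $4; sub(/^[<>]=/, "", lim)
        printf "chsec -f /etc/security/user -s %s -a %s=%s\n", $1, $2, lim }'
}

# Constructed sample: policy set in default:, root tightened, and a
# hypothetical application account quietly weakened.
sample_user_stanzas() {
    cat <<'EOF'
* /etc/security/user (constructed sample)
default:
        admin = false
        login = true
        umask = 077
        pwdwarntime = 7
        loginretries = 5
        histexpire = 52
        histsize = 20
        minage = 2
        maxage = 8
        maxexpired = 4
        minalpha = 2
        minother = 1
        minlen = 8
        mindiff = 3
        maxrepeats = 2

root:
        rlogin = false
        admgroups = system
        minage = 0
        maxage = 4

appsvc:
        minlen = 4
        maxage = 0
        histsize = 0
EOF
}
```

On the sample, the default and root stanzas pass and appsvc is reported three times (minlen, maxage and histsize); user_policy_fix turns those into chsec -f /etc/security/user -s appsvc -a ... commands that can be reviewed before being run.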

4.7.2 Change /etc/security/login.cfg


Set login attributes to be more restrictive in /etc/security/login.cfg
default:
        sak_enabled = false
        logintimes =
        logindisable = 5
        logininterval = 0
        loginreenable = 30
        logindelay = 10
        herald = "Unauthorized use prohibited.\r\nlogin:"
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh
        maxlogins = 16
        logintimeout = 15     - sets the time to 15 seconds from when the login prompt is presented until you must have typed your password

logindisable only counts failures that fall inside a window of logininterval seconds, so give logininterval a real value (300 is common) if you want the port lockout to take effect.

4.8 What to monitor and audit in AIX

4.8.1 Monitor error logs and alogs on servers

errpt -a | more
alog -o -f /var/adm/ras/bootlog     (the boot log; alog -o -t boot reads the same log)
cat /var/adm/sulog                  (su attempts; this file is plain text, so who cannot read it)
who /var/adm/wtmp                   (login history)
who /etc/security/failedlogin       (failed logins)
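As an added example, not part of the original guide, the functions below pull the lines worth alerting on out of /var/adm/sulog: every failed su, every successful su to root, users who exceed a failure threshold, and the set of people who actually reached root (to compare with the list of those allowed to). The sulog layout assumed here is "SU MM/DD HH:MM +|- tty fromuser-touser", and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: triage /var/adm/sulog.
# Assumed AIX sulog layout: "SU MM/DD HH:MM +|- tty fromuser-touser",
# where "+" is a successful su and "-" a failed one. Sample lines are constructed.

# write_sample_sulog FILE: write a constructed sulog to FILE.
write_sample_sulog() {
  cat > "$1" <<'EOF'
SU 07/12 08:01 + pts/0 jdoe-root
SU 07/12 08:03 - pts/1 mallory-root
SU 07/12 08:05 + pts/2 jdoe-oracle
SU 07/12 08:06 - pts/1 mallory-root
SU 07/12 08:07 - pts/1 mallory-root
SU 07/12 08:09 + pts/3 oracle-root
EOF
}

# sulog_alerts FILE: every failed su, plus every successful su to root.
sulog_alerts() {
  awk '$4 == "-" || ($4 == "+" && $6 ~ /-root$/) { print }' "$1"
}

# sulog_failed_by_user FILE THRESHOLD: "user count" for each source user
# with at least THRESHOLD failed su attempts (brute-force indicator).
sulog_failed_by_user() {
  awk -v thr="$2" '
    $4 == "-" { split($6, p, "-"); n[p[1]]++ }
    END { for (u in n) if (n[u] >= thr) print u, n[u] }' "$1"
}

# sulog_root_sources FILE: distinct users who reached root, sorted one per
# line; diff this against the list of people allowed to hold root.
sulog_root_sources() {
  awk '$4 == "+" && $6 ~ /-root$/ { split($6, p, "-"); print p[1] }' "$1" | sort -u
}
```

Because sulog grows forever and is world-readable by default on many installs, rotate it and restrict it to mode 600 owned by root; otherwise an attacker can read the names of everyone who holds root before trying their passwords.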

4.8.2 Configure and use a syslog server


The central loghost is lab_test. Note that AIX syslogd does not create log files: touch each file under /var/log/syslog before restarting the daemon with refresh -s syslogd, or the local copies will silently never be written.

# M. Desrosiers of ITSecure, Inc. added these lines on 06/12/02.
#
# log all warnings (rotate daily)
#
*.warning       /var/log/syslog/warning rotate time 1d
*.warning       @loghost
#
# log mail debug messages (rotate daily)
#
mail.debug      /var/log/syslog/mail rotate time 1d
mail.none       /var/log/syslog/mail
#
# log security messages (rotate daily)
#
auth.debug      /var/log/syslog/security rotate time 1d
auth.notice     @loghost
#
# system problems and events
#
*.emerg;*.alert;*.crit;*.err    @loghost
#
# all other messages not including mail
#

4.8.3 Use bos.perf tools

vmstat
iostat
netpmon
monitor
wlmstat

5. Conclusion

5.1 Summary


Today's computing environments are mostly distributed infrastructures. Your company must develop intrusion detection strategies for the servers. I do not believe that there are any sensors on the internal network. Many of the common intrusion detection methods depend on the existence of various logs that AIX can produce and on the availability of auditing tools that analyze those logs. This will help you with installing the appropriate software tools and configuring these tools and the operating system to collect and manage the necessary information. Keep your computer deployment plan current. Your company must update the computer deployment plan when relevant changes occur. Sources of change may include new technologies, new security threats, updates to your network architecture, the addition of new classes of users or new organizational units, etc. The environment will only work if the process is centralized. I also believe that there is not enough on-site experience and internal infrastructure to administer this project. The issues of 24/7 availability and the underlying issues of security in layers have to be addressed.

Appendix A

sysinfo:

#!/bin/ksh
#
# This script is one of the system management tools used
# to determine a particular AIX system configuration
#
# list all of the users registered on the system
#
/usr/sbin/lsuser -c -a id home ALL | sed '/^#.*/d' | tr ':' '\011'
#
# display the mounted filesystems
#
echo "****************"
echo
echo "LIST OF MOUNTED FILESYSTEMS"
echo
echo "****************"
/usr/bin/df
echo "****************"
echo
echo
echo "****************"
echo
echo "VOLUME GROUP INFORMATION"
echo
echo "****************"
#
# list out the volume group information
# such as physvol, logical vol info
#
/usr/sbin/lsvg -p rootvg
/usr/sbin/lsvg -l rootvg
/usr/sbin/lspv hdisk0
/usr/sbin/lspv -p hdisk0
/usr/sbin/lspv -l hdisk0
/usr/sbin/lspv hdisk1
/usr/sbin/lspv -p hdisk1
/usr/sbin/lspv -l hdisk1
#
# list out all of the defined user groups
#
echo "****************"
echo
echo
echo "****************"
echo
echo "DEFINED USER GROUPS"
echo
echo "****************"
echo
/usr/sbin/lsgroup -c ALL
#
# list out the TCP net info
#
echo "****************"
echo
echo
echo "****************"
echo
echo "TCP/IP NETWORK INFORMATION"
echo
echo "****************"
/usr/bin/netstat -rn
/usr/bin/namerslv -s -I
/usr/bin/hostent -S
/usr/bin/inetserv -s -S -X
#
# display what software is installed on the system
#
echo "****************"
echo
echo
echo "****************"
echo
echo "SOFTWARE INVENTORY"
echo
echo "****************"
echo
/usr/bin/uname -x
/usr/bin/lslpp -l
/usr/sbin/lsdev -C | sort -d -f
/usr/bin/lssrc -g nfs
/usr/bin/pwdck -n ALL
/usr/bin/usrck -n ALL
/usr/sbin/grpck -n ALL
#
# display the failed login log
#
echo "****************"
echo
echo "FAILED LOGINS ON THIS SYSTEM"
echo
echo "****************"
/usr/bin/who -s /etc/security/failedlogin
#
# display the userid in each defined group
#
echo "****************"
echo
echo "USER INFORMATION"
echo
echo "****************"
/usr/sbin/lsgroup -fa id users ALL
# and some other user info
/usr/sbin/lsuser -fa id groups home auditclasses login \
    su rlogin telnet ttys ALL

tcpchk:

#!/bin/sh
#
# this file checks for tcp related files to see if it is
# installed on the machine
#
echo "The following network products are installed on this system:"
echo ""
lslpp -l | grep bos.net
echo ""
installtest=`lslpp -l | /bin/grep 'bos.net.tcp'`
if [ "x$installtest" = "x" ] ; then
    echo "TCP/IP not installed"
else
    echo "The following TCP/IP services are configured on this machine"
    echo ""
    lssrc -g tcpip
    echo ""
    echo "**** WARNING *****"
    echo ".rhosts and .netrc are a security risk"
    echo ".rhosts files and .netrc files are in:"
    echo ""
    find / -name '.rhosts' -print
    echo ""
    echo ".netrc files are in:"
    echo ""
    find / -name '.netrc' -print
    echo ""
    if [ -x /usr/sbin/inetd -a -f /etc/hosts.equiv ] ; then
        echo "the following hosts are allowed to rsh, rcp, rlogin"
        echo


        cat /etc/hosts.equiv | grep -v "#"
        echo ""
    fi
    if [ -x /usr/sbin/inetd -a -f /etc/hosts.lpd ] ; then
        echo "the following hosts are allowed to submit remote print jobs"
        echo "ONLY"
        cat /etc/hosts.lpd | grep -v "#"
        echo ""
    fi
    if [ -x /usr/sbin/inetd -a -f /etc/resolv.conf ] ; then
        echo "this machine is on a nameserver network"
        echo ""
        cat /etc/resolv.conf | grep -v "#"
    fi
fi
exit 0

nfschk:

#!/bin/sh
#
# this script reviews the NFS configuration for a machine
#
echo "NFS Configuration"
echo "-----------------"
echo ""
installtest=`lslpp -l | /bin/grep nfs`
if [ "x$installtest" = "x" ] ; then
    echo "NFS not installed on this system"
    echo ""
else
    echo "NFS is installed on this system"
    echo ""
    nfstest=`lssrc -g nfs | /bin/grep active`
    if [ "x$nfstest" = "x" ] ; then
        echo "NFS is not active at this time"
        echo ""
    else
        echo "NFS is active"
        echo ""
        if [ -x /usr/etc/nfsd -a -f /etc/exports ] ; then
            echo "This machine is an NFS server"
            echo "The following directories may be exported:"
            echo ""
            cat /etc/exports
            echo ""
            echo "The following directories are currently exported:"
            echo ""
            cat /etc/xtab
            echo ""
            echo "The following hosts have exported directories mounted"
            echo "at this time"
            echo ""
            /usr/bin/showmount
            echo ""
        else
            echo "this machine is an NFS client"
            echo ""



            echo "The following directories are mounted from remote systems"
            echo ""
            echo "Node   mounted   mounted over   vfs   date   options"
            mount | grep -v "^ "
            echo ""
        fi
        echo "The following NFS services are configured on this machine:"
        echo ""
        lssrc -g nfs
        echo ""
    fi
    echo ""
    echo "NIS Configuration"
    echo "-----------------"
    yptest=`domainname | /bin/grep "^[a-zA-Z]"`
    if [ "x$yptest" = "x" ] ; then
        echo "NIS is not configured at this time"
        echo ""
    else
        echo "NIS is configured on this system"
        echo ""
    fi
fi
exit 0

nethwchk:

Sample output from the host where the script lives in /usr/local/bin:

The following network interfaces are available on this system:

en0 Available 10-68 Standard Ethernet Network Interface
en1 Defined   10-70 Standard Ethernet Network Interface
en2 Defined   10-80 Standard Ethernet Network Interface
et0 Defined   10-68 IEEE 802.3 Ethernet Network Interface
et1 Defined   10-70 IEEE 802.3 Ethernet Network Interface
et2 Defined   10-80 IEEE 802.3 Ethernet Network Interface
lo0 Available       Loopback Network Interface

The following communication interfaces are brought up at boot

Loopback interfaces are not used for communication

en0

The current interface is:

en0: flags=4e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG>
        inet 192.168.1.13 netmask 0xffffffe0 broadcast 192.168.1.31

The script:

#!/bin/sh
#
# check the network interface hardware
#
echo "The following network interfaces are available on this system:"
echo ""
lsdev -C -c if
echo ""
echo "The following communication interfaces are brought up at boot"
echo ""
echo "Loopback interfaces are not used for communication"
echo ""
odmget -q"value='up'" CuAt | grep name | cut -c10-12
echo ""
iftest=`odmget -q"value='up'" CuAt | grep name | cut -c10-12`
echo "The current interface is:"
echo ""
for i in $iftest
do
    if [ -n "$i" ] ; then
        ifconfig $i
        echo ""
    fi
done
exit 0
