7/12/12
does, note the risks involved with each and make recommendations about what one ought to do to mitigate the risk.
www.owlriver.com/issa/aixhardening.html
3. Tools and Checklists

3.1 Tools

3.1.1 AIX 5.1 server tools
Here are the tools that are used in I/T environments today. These tools are freeware, but have been validated by their reliability over the last 5 - 10 years.

Tool              Purpose                                                        Extent of usage          Comments
md5               Validate integrity of file contents                            Daily (automated)        freeware
tripwire or AIDE  Verify integrity of directories and files on the server        Daily (automated)        freeware
tcp_wrapper       Log unauthorized connections to servers                        Daily (viewing of logs)  freeware
syslog            Collect log information for unauthorized entry on the server   Daily (automated)        Part of Operating System
swatch            Log parsing tool that makes log reading more bearable          Daily (automated)        freeware
lsof              Monitors service/port connections to server                    Daily (automated)        freeware
ssh               To encrypt connections to servers                              Daily (automated)        freeware
tcpdump           Analyze packets on the server's interface                      Daily (automated)        freeware
ethereal          Packet capturing tool                                          Daily (automated)        freeware
openssl           Encapsulation/tunneling of communication paths                                          freeware
nmap              Network exploration tool and security scanner                  Weekly (automated)       freeware
nessus            Network scanner and vulnerability assessment tool              Weekly (automated)       freeware
3.2 Checklist

3.2.1 AIX Security Checklist

3.2.1.1 AIX Environment Procedures
The best way to approach this portion of the checklist is to do a comprehensive physical inventory of the servers. Serial numbers and physical location would be sufficient.

____ Record server serial numbers
____ Physical location of the servers

Next we want to gather a rather comprehensive list of both the AIX and pSeries inventories. By running these next 4 scripts we can gather the information for analysis. Run these 4 scripts: sysinfo, tcpchk, nfschk and nethwchk. (See Appendix A for the scripts.)

____ sysinfo:
____ Determine active logical volume groups on the servers: lsvg -o
____ List physical volumes in each volume group: lsvg -p "vgname"
____ List logical volumes for each volume group: lsvg -l "vgname"
____ List physical volume information for each hard disk
____ lspv hdiskx
____ lspv -p hdiskx
____ lspv -l hdiskx
____ List server software inventory: lslpp -L
____ List server software history: lslpp -h
____ List all hardware attached to the server: lsdev -C | sort -d
____ List system name, nodename, LAN network number, AIX release, AIX version and machine ID: uname -x
____ List all system resources on the server: lssrc -a
____ List inetd services: lssrc -t 'service name' -p 'process id'
____ List all host entries on the servers: hostent -S
____ Name all nameservers the servers have access to: namerslv -Is
____ Show status of all configured interfaces on the server: netstat -i
____ Show network addresses and routing tables: netstat -nr
____ Show interface settings: ifconfig
____ Check user and group system variables
____ Check users: usrck -t ALL
____ Check groups: grpck -t ALL
____ Run tcbck to verify if it is enabled: tcbck
____ Examine the AIX failed logins: who -s /etc/security/failedlogin
____ Examine the AIX user log: who /var/adm/wtmp
____ Examine the processes from users logged into the servers: who -p /var/adm/wtmp
____ List all user attributes: lsuser ALL | sort -d
____ List all group attributes: lsgroup ALL

____ tcpchk:
____ Confirm the tcp subsystem is installed: lslpp -l | grep bos.net
____ Determine if it is running: lssrc -g tcpip
____ Search for .rhosts and .netrc files: find / -name .rhosts -print ; find / -name .netrc -print
____ Check for rsh functionality on the host: cat /etc/hosts.equiv
____ Check for remote printing capability: cat /etc/hosts.lpd | grep -v '#'

____ nfschk:
____ Verify NFS is installed: lslpp -L | /bin/grep nfs
____ Check NFS/NIS status: lssrc -g nfs | /bin/grep active
____ Check to see if it is an NFS server and what directories are exported: cat /etc/xtab
____ Show hosts that have the exported NFS directories mounted: showmount
____ Show what directories are exported: showmount -e

____ nethwchk:
____ Show network interfaces that are connected: lsdev -Cc if
____ Display the interfaces that are brought up at boot: odmget -q value=up CuAt | grep name | cut -c10-12
____ Show all interface status: ifconfig ALL
____ Limit users who can su to another UID: lsuser -f ALL
____ Audit the sulog: cat /var/adm/sulog
____ Verify /etc/profile does not include the current directory
____ Lock down cron access
____ To allow root only: rm -i /var/adm/cron/cron.deny and rm -i /var/adm/cron/cron.allow
____ To allow all users: touch cron.allow (if the file does not already exist)
____ To allow a user access: touch /var/adm/cron/cron.allow then echo "UID" >> /var/adm/cron/cron.allow
____ To deny a user access: touch /var/adm/cron/cron.deny then echo "UID" >> /var/adm/cron/cron.deny
____ Disable direct herald root access: add rlogin=false to root in the /etc/security/user file or through smit
____ Limit the $PATH variable in /etc/environment. Use the user's .profile instead.

3.2.1.3 Authorization/authentication administration

____ Report all password inconsistencies without fixing them: pwdck -n ALL
____ Report all password inconsistencies and fix them: pwdck -y ALL
____ Report all group inconsistencies without fixing them: grpck -n ALL
____ Report all group inconsistencies and fix them: grpck -y ALL
____ Browse the /etc/shadow, /etc/passwd and /etc/group files weekly

3.2.1.4 SUID/SGID

____ Review all SUID/SGID programs owned by root, daemon, and bin.
____ Review all SETUID programs: find / -perm -4000 -print
____ Review all SETGID programs: find / -perm -2000 -print
____ Review all sticky bit programs: find / -perm -1000 -print
____ Set user .profile in /etc/security/.profile

3.2.1.5 Permissions structures

____ System directories should have 755 permissions at a minimum
____ Root system directories should be owned by root
____ Use the sticky bit on the /tmp and /usr/tmp directories.
____ Run checksum (md5) against all /bin, /usr/bin, /dev and /usr/sbin files.
____ Check device file permissions:
____ disk, storage, tape, network (should be 600) owned by root.
____ tty devices (should be 622) owned by root.
____ /dev/null should be 777.
____ List all hidden files in their directories (the .files).
____ List all writable directories (use the find command).
____ $HOME directories should be 710
____ $HOME .profile or .login files should be 600 or 640.
____ Look for un-owned files on the server: find / -nouser -print. Note: Do not remove any /dev files.
____ Do not use r-type commands (rsh, rlogin, rcp and tftp) or .netrc or .rhosts files.
____ Change /etc/hosts file permissions to 660 and review its contents weekly.
____ Check for both tcp/udp failed connections to the servers: netstat -p tcp; netstat -p udp.
____ Verify contents of /etc/exports (NFS export file).
____ If using ftp, make this change to the /etc/inetd.conf file to enable logging:
     ftp stream tcp6 nowait root /usr/sbin/ftpd ftpd -l
____ Set NFS mounts to -ro (read only) and only to the hosts that need them.
____ Consider using extended ACLs (please review the tcb man page).
____ Before making a network connection, collect a full system file listing and store it off-line: ls -Ra -la > /tmp/allfiles.system
____ Make use of the strings command to check on files: strings /etc/hosts | grep Kashmir
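The cron items in the list above describe a policy in terms of two files. The script below is an added example, not part of the original checklist: it reports the effective cron access policy for a cron directory, following the allow/deny rules exactly as the checklist states them (neither file: root only; cron.allow present: only the users listed; otherwise cron.deny present: everyone except the users listed). The directory is a parameter (/var/adm/cron on AIX) so the check can also be run against a copied tree; the function names and the constructed sample directory are mine.

```shell
#!/bin/sh
# Added example, not part of the original checklist: report the effective
# cron access policy implied by cron.allow / cron.deny, following the rules
# the checklist gives. The directory is a parameter (on AIX: /var/adm/cron)
# so the check can be run against a scratch copy, as the demo below does.

# Collapse a user list file to one space-separated line, skipping blank lines.
_cron_users() {
    awk 'NF { printf "%s%s", (n++ ? " " : ""), $1 }' "$1"
}

# Print one line describing who may use cron in the given cron directory.
cron_policy() {
    dir="$1"
    if [ -f "$dir/cron.allow" ]; then
        echo "allow-only: $(_cron_users "$dir/cron.allow")"
    elif [ -f "$dir/cron.deny" ]; then
        echo "deny-listed: $(_cron_users "$dir/cron.deny")"
    else
        echo "root-only"
    fi
}

# Exit 0 when the policy is the checklist's preferred root-only state.
cron_is_root_only() {
    [ "$(cron_policy "$1")" = "root-only" ]
}

# Walk a constructed cron directory through the three states and print the
# policy after each step, joined with '|' (sample data, not a real host).
demo_cron_policy() {
    tmp=$(mktemp -d)
    a=$(cron_policy "$tmp")                  # neither file: root-only
    printf 'oracle\nbackup\n' > "$tmp/cron.deny"
    b=$(cron_policy "$tmp")                  # deny-listed: oracle backup
    printf 'root\n' > "$tmp/cron.allow"      # cron.allow takes precedence
    c=$(cron_policy "$tmp")                  # allow-only: root
    rm -rf "$tmp"
    echo "$a|$b|$c"
}

case "${1:-}" in demo) demo_cron_policy ;; esac
```

Run it with the argument demo to see the three states, or call cron_policy /var/adm/cron from a checklist script; cron_is_root_only gives a yes/no answer suitable for an automated daily check.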
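The md5 checksum item above and the SUID/SGID review in 3.2.1.4 can be done as one repeatable baseline job. The following is an added example and not code from the original page: it records the MD5 and the setuid/setgid bits of every regular file under the given directories, reports added, removed and changed files against an earlier run, and lists the files carrying setuid or setgid. The function names, the baseline line format and the constructed sample tree in the demo are assumptions of the example; on a real server the directories would be the /bin, /usr/bin, /dev and /usr/sbin the checklist names, with the baseline stored off-line as the checklist recommends for the file listing.

```shell
#!/bin/sh
# Added example (not part of the original checklist): a checksum and
# special-permission baseline for a set of directories, combining the
# "md5 against /bin, /usr/bin, /dev, /usr/sbin" item with the setuid/setgid
# review. Directories are parameters so it can be tested on a scratch tree.

# Pick an MD5 implementation: md5sum (GNU/Linux) or openssl (AIX and others).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.* //'
    fi
}

# One line per regular file: <md5> <setuid|setgid|setuid,setgid|none> <path>.
# test -u / test -g are POSIX, unlike stat, so the bits come from them.
baseline() {
    find "$@" -type f | LC_ALL=C sort | while IFS= read -r f; do
        bits=""
        [ -u "$f" ] && bits="setuid"
        [ -g "$f" ] && bits="${bits:+$bits,}setgid"
        echo "$(md5_of "$f") ${bits:-none} $f"
    done
}

# Compare two baseline files and print ADDED / CHANGED / REMOVED <path>.
# The path is everything after the second field, so spaces in names survive.
compare_baselines() {
    old="$1"; new="$2"
    awk '
        { path = $0; sub(/^[^ ]+ [^ ]+ /, "", path); sig = $1 " " $2 }
        FILENAME == ARGV[1] { old[path] = sig; next }
        { seen[path] = 1
          if (!(path in old)) print "ADDED " path
          else if (old[path] != sig) print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$old" "$new" | LC_ALL=C sort
}

# The 3.2.1.4 review from a baseline: files carrying setuid or setgid.
special_bits() {
    awk '$2 != "none" { path = $0; sub(/^[^ ]+ [^ ]+ /, "", path); print $2, path }' "$1"
}

# Demonstration on a constructed tree (sample data, not a real AIX host):
# a modified binary that gained setuid, a new file, and a removed file.
demo_baseline() {
    root=$(mktemp -d)
    mkdir "$root/bin"
    printf 'original\n' > "$root/bin/ls"
    printf 'helper\n'   > "$root/bin/su"
    chmod 4755 "$root/bin/su"               # setuid, as su is on a real system
    baseline "$root/bin" > "$root/base1"
    printf 'replaced\n' > "$root/bin/ls"    # content changed ...
    chmod 4755 "$root/bin/ls"               # ... and setuid added
    printf 'new\n' > "$root/bin/extra"
    rm "$root/bin/su"
    baseline "$root/bin" > "$root/base2"
    compare_baselines "$root/base1" "$root/base2" | sed "s#$root##g"
    rm -rf "$root"
}

case "${1:-}" in demo) demo_baseline ;; esac
```

The baseline is plain text, so yesterday's copy can be kept on read-only media and compared with compare_baselines in the daily automated run; special_bits on the current baseline replaces the three separate find invocations for the periodic SUID/SGID review.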
# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running"

# Start up Portmapper
start /usr/sbin/portmap "$src_running"

# Start up socket-based daemons
start /usr/sbin/inetd "$src_running"
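The excerpt above is from /etc/rc.tcpip, where AIX starts its network daemons at boot; reviewing which start lines are live is how unneeded services are found before they listen. The following is an added example, not code from the original page: it parses an rc.tcpip-style file, lists the daemons whose start lines are enabled or commented out, and flags enabled daemons outside an expected set. The function names, the expected set used in the demo (syslogd and inetd) and the constructed sample file are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): list which daemons an
# /etc/rc.tcpip-style file will start and which start lines are commented
# out, then flag enabled daemons that are not on an expected list.

# Print "enabled <daemon>" for each live start line and "disabled <daemon>"
# for each commented-out one. The daemon is the basename of the started path.
rc_tcpip_daemons() {
    awk '
        /^[ \t]*start[ \t]+\// {
            n = split($2, p, "/"); print "enabled", p[n]; next }
        /^[ \t]*#[ \t]*start[ \t]+\// {
            sub(/^[ \t]*#[ \t]*/, "")
            n = split($2, p, "/"); print "disabled", p[n] }
    ' "$1"
}

# Print enabled daemons not in the expected list given as further arguments.
rc_tcpip_unexpected() {
    file="$1"; shift
    rc_tcpip_daemons "$file" | awk -v ok=" $* " '
        $1 == "enabled" && index(ok, " " $2 " ") == 0 { print $2 }'
}

# Constructed sample rc.tcpip content (not copied from a real host).
sample_rc_tcpip() {
    cat > "$1" <<'EOF'
# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running"

# Start up Portmapper
start /usr/sbin/portmap "$src_running"

# Start up socket-based daemons
start /usr/sbin/inetd "$src_running"

# Start up the Sendmail daemon (left commented out in this sample)
#start /usr/lib/sendmail "$src_running" "-bd -q${qpi}"
EOF
}

# Show the parsed view of the sample and the daemons outside the expected set.
demo_rc_tcpip() {
    f=$(mktemp)
    sample_rc_tcpip "$f"
    rc_tcpip_daemons "$f" | tr '\n' ';'
    echo
    echo "unexpected: $(rc_tcpip_unexpected "$f" syslogd inetd | tr '\n' ' ')"
    rm -f "$f"
}

case "${1:-}" in demo) demo_rc_tcpip ;; esac
```

Against the sample, portmap is reported as unexpected because it is live but not in the expected set, while sendmail is listed as disabled; on a real server the call would be rc_tcpip_unexpected /etc/rc.tcpip followed by the daemons the host is meant to run.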
This also helps to better understand what processes are running on the server.
Defaults logfile=/var/log/sudo.log
For more details, please see the XYZ Company Insurance Work Report that I compiled, or visit these URLs: http://www.courtesan.com/sudo/ and http://aplawrence.com/Basics/sudo.html.
logintimeout = 15 - sets the time to 15 seconds from when a login is presented and you type in your password.
4.8 What to monitor and audit in AIX

4.8.1 Monitor error logs and alogs on servers
errpt -a | more
alog -o -f /var/adm/ras/bootlog (boot log)
who /var/adm/sulog
who /var/adm/wtmp
monitor wlmstat
Appendix A

sysinfo:

#!/bin/ksh
#
# This script is one of the system management tools used
# to determine a particular AIX system configuration
#
# list all of the users registered on the system
#
/usr/sbin/lsuser -c -a id home ALL | sed '/^#.*/d' | tr ':' '\011'
#
# display the mounted filesystems
#
echo "******************************"
echo
echo LIST OF MOUNTED FILESYSTEMS
echo
echo "******************************"
/usr/bin/df
echo "******************************"
echo
echo
echo "******************************"
echo
echo VOLUME GROUP INFORMATION
echo
echo "******************************"
#
# list out the volume group information
# such as phyvol, logical vol info
#
/usr/sbin/lsvg '-p' rootvg
/usr/sbin/lsvg '-l' rootvg
/usr/sbin/lspv hdisk0
/usr/sbin/lspv '-p' hdisk0
/usr/sbin/lspv '-l' hdisk0
/usr/sbin/lspv hdisk1
/usr/sbin/lspv '-p' hdisk1
/usr/sbin/lspv '-l' hdisk1
#
# list out all of the defined user groups
#
echo "******************************"
echo
echo
echo "******************************"
echo
echo DEFINED USER GROUPS
echo
echo "******************************"
echo
/usr/sbin/lsgroup '-c' ALL
#
# list out the TCP net info
#
echo "******************************"
echo
echo
echo "******************************"
echo
echo TCP/IP NETWORK INFORMATION
echo
echo "******************************"
/usr/bin/netstat '-nr'
/usr/bin/namerslv '-s' '-I'
/usr/bin/hostent '-S'
/usr/bin/inetserv '-s' '-S' '-X'
#
# display what software is installed on the system
#
echo "******************************"
echo
echo
echo "******************************"
echo
echo SOFTWARE INVENTORY
echo
echo "******************************"
echo
/usr/bin/uname '-x'
/usr/bin/lslpp '-l'
/usr/sbin/lsdev '-C' | sort '-d' '-f'
/usr/bin/lssrc '-g' 'nfs'
/usr/bin/pwdck '-n' 'ALL'
/usr/bin/usrck '-n' 'ALL'
/usr/sbin/grpck '-n' 'ALL'
#
# display the failed login log
#
echo "******************************"
echo
echo FAILED LOGINS ON THIS SYSTEM
echo
echo "******************************"
/usr/bin/who '-s' '/etc/security/failedlogin'
#
# display the userid in each defined group
#
echo "******************************"
echo
echo USER INFORMATION
echo
echo "******************************"
/usr/sbin/lsgroup '-f' '-a' 'id' 'users' 'ALL'
# and some other user info
/usr/sbin/lsuser '-f' '-a' 'id' 'groups' 'home' 'auditclasses' 'login' \
    'su' 'rlogin' 'telnet' 'ttys' 'ALL'

tcpchk:

#!/bin/sh
#
# this file checks for tcp related files to see if it is
# installed on the machine
#
echo "The following network products are installed on this system:"
echo ""
lslpp -l | grep bos.net
echo ""
installtest=`lslpp -l | /bin/grep 'bos.net.tcp'`
if [ "x$installtest" = "x" ] ; then
  echo "TCP/IP not installed"
else
  echo "The following TCP/IP services are configured on this machine"
  echo ""
  lssrc -g tcpip
  echo ""
  echo "**** WARNING *****"
  echo ".rhosts and .netrc are a security risk"
  echo ".rhosts files and .netrc files are in:"
  echo ""
  find / -name '.rhosts' -print
  echo ""
  echo ".netrc files are in:"
  echo ""
  find / -name '.netrc' -print
  echo ""
  if [ -x /usr/sbin/inetd -a -f /etc/hosts.equiv ] ; then
    echo "the following hosts are allowed to rsh, rcp, rlogin"
    echo
    cat /etc/hosts.equiv | grep -v "#"
    echo ""
  fi
  if [ -x /usr/sbin/inetd -a -f /etc/hosts.lpd ] ; then
    echo "the following hosts are allowed to submit remote print jobs"
    echo "ONLY"
    cat /etc/hosts.lpd | grep -v "#"
    echo ""
  fi
  if [ -x /usr/sbin/inetd -a -f /etc/resolv.conf ] ; then
    echo "this machine is on a nameserver network"
    echo ""
    cat /etc/resolv.conf | grep -v "#"
  fi
fi
exit 0
nfschk:

#!/bin/sh
#
# this script reviews the NFS configuration for a machine
#
echo "NFS Configuration"
echo "-----------------"
echo ""
installtest=`lslpp -l | /bin/grep nfs`
if [ "x$installtest" = "x" ] ; then
  echo "NFS not installed on this system"
  echo ""
else
  echo "NFS is installed on this system"
  echo ""
  nfstest=`lssrc -g nfs | /bin/grep active`
  if [ "x$nfstest" = "x" ] ; then
    echo "NFS is not active at this time"
    echo ""
  else
    echo "NFS is active"
    echo ""
    if [ -x /usr/etc/nfsd -a -f /etc/exports ] ; then
      echo "This machine is an NFS server"
      echo "The following directories may be exported:"
      echo ""
      cat /etc/exports
      echo ""
      echo "The following directories are currently exported:"
      echo ""
      cat /etc/xtab
      echo ""
      echo "The following hosts have exported directories mounted"
      echo "at this time"
      echo ""
      /usr/bin/showmount
      echo ""
    else
      echo "this machine is an NFS client"
      echo ""
    fi
    echo ""
    echo "NIS Configuration"
    echo "-----------------"
    yipstest=`domainname | /bin/grep "^[a-zA-Z-]"`
    if [ "x$yipstest" = "x" ] ; then
      echo "NIS is not configured at this time"
      echo ""
    else
      echo "NIS is configured on this system"
      echo ""
    fi
  fi
fi
exit 0
nethwchk:

Sample output of nethwchk:

The following network interfaces are available on this system:

en0 Available 10-68 Standard Ethernet Network Interface
en1 Defined   10-70 Standard Ethernet Network Interface
en2 Defined   10-80 Standard Ethernet Network Interface
et0 Defined   10-68 IEEE 802.3 Ethernet Network Interface
et1 Defined   10-70 IEEE 802.3 Ethernet Network Interface
et2 Defined   10-80 IEEE 802.3 Ethernet Network Interface
lo0 Available       Loopback Network Interface

The following communication interfaces are brought up at boot

Loopback interfaces are not used for communication

en0
The current interface is:

en0: flags=4e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG>
        inet 192.168.1.13 netmask 0xffffffe0 broadcast 192.168.1.31

The script:

#!/bin/sh
#
# check the network interface hardware
#
echo "The following network interfaces are available on this system:"
echo ""
lsdev -C -c if
echo ""
echo "The following communication interfaces are brought up at boot"
echo ""
echo "Loopback interfaces are not used for communication"
echo ""
odmget -q"value='up'" CuAt | grep name | cut -c10-12
echo ""
ifets=`odmget -q"value='up'" CuAt | grep name | cut -c10-12`
echo "The current interface is:"
echo ""
for i in $ifets
do
  if [ -n "$i" ] ; then
    ifconfig $i
    echo ""
  fi
done
exit 0