Welcome to Coffee with Carol
Today's topic is:
www.skyviewpartners.com
Security Drivers
THIS is where compliance lives, since you either ARE or ARE NOT in compliance with your security policy! (regardless of external regulatory requirements)

Compliance Drivers
Password Security (AIX setting | IBM i equivalent)
AIX: /etc/security/user, mindiff | IBM i: system value QPWDPOSDIF
AIX: /etc/security/user, maxage | IBM i: system value QPWDEXPITV
AIX: /etc/security/user, minlen | IBM i: system value QPWDMINLEN
AIX: /etc/security/user, minother | IBM i: system value QPWDRQDDGT
AIX: /etc/security/user, histsize | IBM i: system value QPWDRQDDIF
AIX: /etc/security/login.cfg, pwd_algorithm | IBM i: system value QPWDLVL
Login Security (AIX setting | IBM i equivalent)
AIX: /etc/security/user, loginretries | IBM i: system value QMAXSIGN
Print services (AIX setting | IBM i check)
AIX: /etc/inittab, qdaemon
AIX: /etc/inittab, lpd
AIX: /etc/inittab, piobe
IBM i check (for each of the above): verify various output queue parameters, such as DSPDTA, OPRCTL, AUTCHK, AUT, and *SPLCTL special authority; lock down the STRPRTWTR and WRKWTR commands.
TCP/IP services started from /etc/rc.tcpip (AIX setting | IBM i equivalent)
AIX: /etc/rc.tcpip, sendmail | IBM i: CFGTCP > Configure TCP/IP Applications > Configure SMTP
IBM i check: the CHGSMTPA (Change SMTP Attributes) command can be used to set the AUTOSTART parameter to *NO if not required.
AIX: /etc/rc.tcpip, snmpd | IBM i: CFGTCP > Configure TCP/IP Applications > Configure SNMP Agent
IBM i check: the CFGTCPSNMP (Configure TCP/IP SNMP) command can be used to set the AUTOSTART parameter to *NO if not required.
AIX: /etc/rc.tcpip, numerous other services within /etc/rc.tcpip | IBM i: CFGTCP > Configure TCP/IP Applications
Services started from /etc/inetd.conf (AIX setting and check | IBM i equivalent)
AIX: /etc/inetd.conf, telnet (AIX check: "telnet" /etc/inetd.conf) | IBM i: CFGTCP > Configure TCP/IP Applications > Configure TELNET
IBM i check: for the best security and compliance in most instances (PCI DSS, for example), IBM i TELNET should be implemented using SSL (default port 992).
AIX: /etc/inetd.conf, exec (AIX check: "rexecd" /etc/inetd.conf) | IBM i: CFGTCP > Configure TCP/IP Applications > Change REXEC attributes
IBM i check: the CHGRXCA (Change REXEC Attributes) command can be used to set the AUTOSTART parameter to *NO if not required.
AIX: /etc/inetd.conf, ftp (AIX check: "^#ftp" /etc/inetd.conf) | IBM i: CFGTCP > Configure TCP/IP Applications > Change FTP attributes
IBM i check: the CHGFTPA (Change FTP Attributes) command can be used to set the AUTOSTART parameter to *NO if not required.
AIX: /etc/inetd.conf, numerous other services within /etc/inetd.conf
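An added example, not part of this deck: a POSIX shell script that performs the AIX side of the password, login and inetd rows above against constructed fragments of /etc/security/user and /etc/inetd.conf. The sample values and the PASS/FAIL thresholds are assumptions for illustration, not SkyView or CIS baselines.

```shell
set -e
SAMPLE_USER=$(mktemp); SAMPLE_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_USER" "$SAMPLE_INETD"' EXIT
# Constructed /etc/security/user fragment (not from a real host): maxage=0 means
# passwords never expire; the root stanza overrides the default loginretries.
cat > "$SAMPLE_USER" <<'EOF'
default:
        minlen = 6
        minother = 0
        mindiff = 3
        maxage = 0
        histsize = 4
        loginretries = 0
root:
        loginretries = 3
EOF
# Constructed /etc/inetd.conf fragment: ftp commented out, telnet and exec still active.
cat > "$SAMPLE_INETD" <<'EOF'
#ftp    stream  tcp6  nowait  root  /usr/sbin/ftpd     ftpd
telnet  stream  tcp6  nowait  root  /usr/sbin/telnetd  telnetd -a
exec    stream  tcp6  nowait  root  /usr/sbin/rexecd   rexecd
EOF
# stanza_value FILE STANZA ATTR: print ATTR's value from the "STANZA:" block, "" if unset.
stanza_value() {
    awk -v s="$2:" -v a="$3" '
        $1 == s { in_s = 1; next }
        /^[^[:space:]]/ { in_s = 0 }
        in_s && $1 == a { print $3; exit }' "$1"
}
# check_between FILE STANZA ATTR LOW HIGH: PASS if LOW <= value <= HIGH, else FAIL; UNSET if absent.
check_between() {
    v=$(stanza_value "$1" "$2" "$3")
    [ -z "$v" ] && { echo UNSET; return 0; }
    [ "$v" -ge "$4" ] && [ "$v" -le "$5" ] && echo PASS || echo FAIL
}
# active_inetd FILE SERVICE: "on" if an uncommented inetd.conf line starts with SERVICE, else "off".
active_inetd() {
    grep -q "^$2[[:space:]]" "$1" && echo on || echo off
}
# Report the rows the deck maps to IBM i system values (thresholds are assumed baselines).
for spec in "minlen 8 99" "mindiff 3 99" "minother 1 99" "maxage 1 13" "histsize 4 99"; do
    set -- $spec
    printf '%-13s %s\n' "$1" "$(check_between "$SAMPLE_USER" default "$1" "$2" "$3")"
done
printf '%-13s %s\n' loginretries "$(check_between "$SAMPLE_USER" root loginretries 1 5)"
for svc in telnet exec ftp; do printf 'inetd %-7s %s\n' "$svc" "$(active_inetd "$SAMPLE_INETD" "$svc")"; done
```

On a real AIX host, point SAMPLE_USER and SAMPLE_INETD at the live files and compare the report against the IBM i system values in the same row.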
Kernel tunables (AIX setting)
AIX: /etc/tunables/nextboot, numerous other settings within /etc/tunables/nextboot
Default file creation authority (AIX setting | IBM i equivalent)
AIX: /etc/security/user, default umask | IBM i: system value QCRTAUT
Auditing (AIX setting | IBM i equivalent)
AIX: /audit | IBM i: system values QAUDCTL and QAUDLVL
AIX check: several steps, including verification of the audit filesystem, the configuration in /etc/security/audit/config, the existence of audit classes, and automatic startup.
AIX: various settings | IBM i: various settings
System Logging (AIX setting)
AIX: /etc/syslog.conf, syslog
AIX check: ls
Network access control (AIX setting | IBM i check)
AIX: TCP Wrappers
IBM i check: open IP Policies under Network in i Navigator and verify/review Packet Rules.
Copyright SkyView Partners, Inc, 2011. All rights reserved.
File Access (AIX | IBM i)
proposed changes)
Q&A
http://www.cisecurity.org
http://cisecurity.org/en-us/?route=downloads.benchmarks
http://www.skyviewpartners.com