Hardening your AIX Security

*****
***
*
I went to AIX security seminar and found it useful if I can summarize the information for my
reference. For further information, please do a search on google or HP/AIX Website.
1. Login Control
a. Modify login process at /etc/security/login.cfg
b. Changing the login screen: We can remove the information system during the
login process
c. Secure unattended terminal: Need to lock terminal always
2. Strengthening User Security
a. Hardening user password
b. Disable direct login: /var/adm/sulog monitors who login as root
c. Enforcing automatic logoff: Can modify in /etc/security/.profile
d. Disable group access permission
e. Hide user name and password. .netrc is containing user ID and password as a
plain text
f. Setting user password options: Can modify in /etc/security/user
g. Remove unnecessary default user accounts: eg: uucp, lpd, guest etc
h. Verify user environment: Can use commands like: grpck, usrck, pwdck, luser,
lsgroup etc..
3. Dealing with Special Situations
a. When setting special permission, this needs to be document
b. When install new software, we might need to create a special privileges, this
needs to be documented.
c. Special password on powering on/off the system
d. Enable system auditing
4. Monitoring Files & Directory
a. Removing obsolete files: Can use skulker command
b. Removing unown files: Can use find / -nouser ls command
c. Managing remote access: Remove the .rhosts file
d. Monitoring executable files: those are own by root
e. Managing cron & at jobs.
5. Managing X11 & CDE concerns
a. Remove the /etc/rc.dt
b. Remote X server: Using xwd or xwud tools
c. Disable access control: Using xhost command
d. Disable user permission to run xhost command
6. Few Basic Commands/Guide Lines

When installing a new system, install AIX from secure base media. Perform the
following procedures at installation time:
1. Do not install desktop software, such as CDE, GNOME, or KDE, on servers
2. Install required security fixes and any recommended maintenance level fixes
a. Use oslevel to determine AIX version
b. Use instfix -I | grep ML to determine ML
3. Back up the system after the initial installation and store the system backup in a
secure location
4. Edit the default login herald in /etc/security/login.cfg and remove references to
the operating system and version
5. Identify files that contain usernames and passwords in plain text and remove them
if possible
find / -name .netrc -ls
6. Identify files that have no owner and remove them if possible
find / -nouser -ls
7. Establish access control lists for restricted files and directories
a. acledit - Edits the access control information of a file
b. aclget - Displays the access control information of a file
c. aclput - Sets the access control information of a file
8. Disable unnecessary user accounts and system accounts, such as daemon, bin,
sys, adm, lp, uucp. Deleting accounts is not recommended because it deletes account
information, such as user IDs and user names, which may still be associated with data
on system backups. If a user is created with a previously deleted user ID and the
system backup is restored on the system, the new user might have unexpected access
to the restored system
9. Verify the user environment
a. grpck - Verifies the correctness of a group definition
b. usrck - Verifies the correctness of a user definition
c. pwck - Verifies the correctness of local authentication information
d. lsuser - Displays user account attributes
e. lsgroup - Displays group attributes
10. Disable group access permissions by setting the default umask to 077
11. Review the /etc/inetd.conf, /etc/inittab, /etc/rc.nfs, and /etc/ rc.tcpip files on a
regular basis and remove all unnecessary daemons and services
12. Verify that the permissions for the following files are set correctly:
-rw-rw-r-- root system /etc/filesystems

-rw-rw-r--rw-------rw-r--r--rw-r--r--rw-rw----

root system /etc/hosts

root system /etc/inittab
root system /etc/vfs
root system /etc/security/failedlogin
root
audit /etc/security/audit/hosts

13. Disable the root account from being able to remotely log in. The root account
should be able to log in only from the system console
14. Enable a login control policy. For more information, see the AIX Installation
Guide and Reference or smitty logins
15. Disable user permissions to run the xhost command Using chmod. For more
information, see the AIX System Management Guide: Operating Systems and
Devices
16. Establish user account controls using smitty chuser
17. Enforce a strict password policy
18. Allow only administrative accounts to use the su command. Monitor the su
command logs in the /var/adm/sulog file
19. Enable screen locking when using X-Windows
20. Restrict access to the cron and at commands to only the accounts that need access
to them in the allow files:
a. cron - /var/adm/cron/allow
b. at -/var/adm/cron/at.allow
21. Alias the ls command to show hidden files and characters in a file name using the
following command inside a local or global profile
alias ls=ls al
22. Alias the rm command to avoid accidentally deleting files from the system using
the following command inside a local or global profile
alias rm=rm i
23. Perform frequent system backups and verify the integrity of backups
24. Subscribe to security-related e-mail distribution lists.