13044559 Hardening Aix

892019 13044559 Hardening Aix

httpslidepdfcomreaderfull13044559-hardening-aix 113

Hardening AIX

(rough outline draft 2

I started this in Nov2001 but the project was abandoned)

NOTE This is an early working draft and as such is not very easy to read I apologise for this but the idea

is to produce an outline which then can be improved up and refined

By Se Aacute n Boran

This document presents a step-by-step approach to securely installing AIX 43 (TBD exact version) for use in

a sensitive environment All steps have been tested on Pilot Globe systems

The focus here is on preparing the Operating System to securely run services rather than the setup of the

services themselves An accompanying tool will be developed to allow corresponding automated hardening

The process of hardening involves installing patches disabling unneeded services configuring accounts

correctly restricting file permissions limiting SIDSGID files configuring OS security features andmonitoring the system for unusual behaviour

Table of contents

1 Preparation

2 Initial OS installation3 Minimize network services

o Principles

o Minimise Inetd

o Minimize etcrctcpipo Minimize etcrcnfs

o Minimize inittab

o Minimize other services

4 Kernel Tuning

5 Logging6 File Directory Access Control

7 System Authentication Access Control

8 User Accounts and Environment9 Hardening specific services (optional for later or refer to other documents) snmp smtp http dns

time sync amp ntp AIXwindowsCDE

10 Install additional security tools11 Create Tripwire image backup test12 Maintenance monitoring | Software patches

13 References

1 Preparation



bull Keep things simple it is expected that only one or two services will run on a host Use several

machines rather than one superserver that does everything Its easier to isolate applications hardenand troubleshoot Be minimalist only run what is absolutely necessary

bull Hardware Consider installation via the serial port console get rid of the keyboard screen and

framebuffer ie avoid using X11 and get to know the command line Have an isolated trusted

network available for testingTBD can AIX do this

bull Know exactly what the system is supposed to do what its hardware configuration will be etchardening is generic and may break certain functions eg AIXwindowsCDE may need RPC to run but you really dont want RPC running on a sensitive host

bull Its important to understand how the applications work (how they use ports devices files) to judge

what hardening is possible and to assess the risk posed

2 Initial OS installation

TBD

bull boot via serial console

bull installation example

bull additional OS packages

bull partitioning

bull patch bundle

Minimize network services

Principles

Network services present a significant risk to security

bull Only enable the strict minimum of services needed The number system processes listed by ps ndashef

or equivalent should be less than 10

bull Use encrypted tools (like SSH) rather than clear-text network logins (eg telnet 3270 ftp rlogin

rcmd)

bull Keeping up to date with security patches on network daemons is particularly important

bull Daemons should run as non-root users

bull Daemons should chroot to a dedicated directory

bull

Use encryption where possible to prevent snooping or replay attacksbull Services must use minimal umask file permissions etc

bull Strong authentication (with token or lists) should be considered for critical services

bull Applications should package structure

Minimise Inetd network Services

Inetd a process which automatically starts certain daemons such as telnet ftp if connections are made



Inetd services can be enabled or disabled with the command chsubserver on AIX Likewise after changes to

inetd configuration the daemon needs to be send a hang-up signal - refresh -s inetd For example

[server1] chsubserver -d -v daytime -p udp[server1] chsubserver -d -v daytime -p tcp

[server1] grep daytime etcinetdconf

daytime stream tcp nowait root internal

daytime dgram udp wait root internal

It is recommended that ALL services except the following be disabled

TBD list

The can be achieved with the following commands

chsubserver -d -v daytime -p udpchsubserver -d -v daytime -p tcp

TBD list

securetcpip

Special services which may be needed (discuss what measures to take for each one)

1 ftp2 telnet

3 other

4 tftp - for diskless booting etctftpaccessctl

Minimize etcrctcpip network services

A description of what services are started in etcrctcpip and how they can be changed with chrctcp

usrsbinno -o clean_partial_conns=1

usrsbinno -o bcastping=0

usrsbinno -o directed_broadcast=0usrsbinno -o ipignoreredirects=1

usrsbinno -o ipsendredirects=0

usrsbinno -o ipsrcroutesend=0usrsbinno -o ipsrcrouterecv=0

usrsbinno -o ipsrcrouteforward=0

usrsbinno -o ip6srcrouteforward=0

usrsbinno -o icmpaddressmask=0usrsbinno -o nonlocsrcroute=0

usrsbinno -o tcp_pmtu_discover=0

usrsbinno -o udp_pmtu_discover=0usrsbinno -o ipforwarding=0



Minimize etcrcnfs network services

A description of etcrcnfs

etcexports

secure nfs usrsecretdata -secure

Minimize inittab services

A description of what services are started in etcinittab and how they can be changed with mkitab and

rmitab

Minimize other services

bull Restrict AIXwindowsCDE login to console

o The xss command uses the enhanced MIT screen saver extensions

o xauth xhost

bull Disable anonymous ftp

bull Disable anonymous ftp writes

bull Disable ftp to system accounts

bull Lock down root access

The default configuration allows telnet and rlogin access to the root account This can be configured

in the etcsecurityuser file -- set the rlogin option to false for all system accounts System

managers should login to their account and then su so we have an audit trail

bull disable SNMP readWrite communities

The default SNMP configuration includes these readWrite communities

[server1] grep readWrite etcsnmpdconf

readOnly writeOnly readWrite The default permission is readOnly

community private 127001 255255255255 readWritecommunity system 127001 255255255255 readWrite 1172

bull routing

bull

nis nis+bull

Kernel Tuning

bull If possible configure the system option to reduce stack overflow attacks limit core file size

bull Configure the OS for strong TCP sequencing resistance to syn flooding and similar DOS attacks

bull TBD broadcasts amp multicasts



Logging

The default syslogd(8) configuration does nothing -- you wont get any important messages logged unless

you configure the file etcsyslogconf

Only programs that are writing into audit logs should have write access to these log files

Consider splitting logs by applications and priority Consider centralised logging analysis of usage statistics

and reporting of exceptions Consider logging more that the UNIX defaults

bull log rotate archiving

bull Enable SU logging to console in etcdefaultsu

bull Enable logging of failed attempts to login touch varlogloginlog chmod 600 varlogloginlog

chgrp sys varlogloginlog

TBD

bull errpt| more

File Directory Access Control

51 Root directory

52 Application and System files and directories

53 System directories

54 Login Shell scripts

55 Home Directories

56 SUID and SGID programs

57 Dangerous files

58 Filesystem mounting

etcfilesystems

To reduce the risk of trojan horses and unauthorised modifications in etcvfstab mount with options

remountnosuid var with nosuid tmp with size=100mnosuid (allow tmp to only use 100MB of

swap space and disallow execution of SUID programs)

Virus scanning



Use the command virscan on filesystems that may contain files that are transferred to from PCs

ACLs

ACL commands aclget Gets the ACL for a file aclput Sets the ACL for a file acledit Combines aclget andaclput

System Authentication Access Control

Batch Utilities atcron

Users are not allowed to use cron or at access to these tools to be restricted accordingly System accounts

should be explicitly given access if needed Enable logging of cron activity Ensure that all command scripts

that are to be executed with root privilege by cron at or batch are owned by root and set to mode 755 or more restrictive

Devices disks tty

Consider setting restrictive permissions on raw disk devices used by databases

Ports In etcsecuritylogincfgor via smit login_port we could set

Port NAME devttyp0Allowed LOGIN TIMES []

Login RETRY DELAY [0]

Number of FAILED LOGINS before port is locked [0]INTERVAL for counting failed logins [0]

REENABLE DELAY for locked port [0]

Login Banners

Edit etcsecuritylogincfg or try

chsec -f etcsecuritylogincfg -s default -a herald= NOTICE TO USERSrnrnUse of this machine waivesall rights to your privacyrnr and is consent to be monitoredrnrUnauthorized use

prohibitedrnrnrnlogin

Consoles amp boot security

bull Should we set the power-on password

o The power-on password protection is effective against reset as well as power-on and means

the system cant be booted from CD to bypass password controls

o Alternatively leave only hard disk in the boot device sequence and set the privileged-access

password The system will boot only from hard disk

o If the machine is already in a physically secure room this may create more trouble than its

worth (convenience) It is recommended that at least Unattended start mode be enabled

bull Cover lock key



bull Privileged-access password for firmware access If you set both power-on and privileged-access

passwords only privileged-access password is required to start SMS

s2TCB Auditing

TCB is a good tool to detect penetrations and configuration changes It is not installed by default You have

the option to install TCB during the initial installation It cannot be added without reinstalling AIX

etcsecurityauditconfig

TCB monitors over 600 files plus the devices (dev) by default It stores these files in an ASCII fileetcsecuritysysckcfg Make a backup of this file to a floppy disk and write protect it immediately

We should be able to use this as an alternative to tripwire

The installp command automatically updates the TCB when you install PTFs ie patches) However E-

Fixes naturally do not update TCB So if you apply an E-Fix to your system you will need to manually

update TCB

Store TCB read-only on floppy with backup config

User Accounts and Environment

General policy

bull Ensure that encrypted passwords are only stored in etcsecuritypasswd and not etcpasswd

bull Define standard UIDGID ranges

bull Groups

o Define standard groups add to system install

o Define standard members of security (auditors) and system (sysadmins) groups

User account policy

bull TBD edit etcenvironment etcprofile etcsecurityenviron etcsecurityprofile

usrlibsecuritymkusersys set default user environmentMANPATH TMOUT=3600 TIMEOUT=3600 PS1 umask) in etcprofile etclogin and profile

bull

We can set several security relevant account details for example via smit mkuser or editingetcsecurityuser

TBD define standardsexamples and test (especially with SSH) - Ive started adding some examplesettings in green

1 User NAME []3 ADMINISTRATIVE USER false

4 Primary GROUP []

6 ADMINISTRATIVE GROUPS []7 ROLES []



8 Another user can SU TO USER true

9 SU GROUPS [ALL]

11 Initial PROGRAM []

13 EXPIRATION date (MMDDhhmmyy) [0]14 Is this user ACCOUNT LOCKED false

15 User can LOGIN true16 User can LOGIN REMOTELY true17 Allowed LOGIN TIMES [] 0600-2000

18 Number of FAILED LOGINS before [0] user account is locked 5

19 Login AUTHENTICATION GRAMMAR [compat]20 Valid TTYs [ALL] []

21 Days to WARN USER before password expires [0]

22 Password CHECK METHODS []

23 Password DICTIONARY FILES [] usrsharedictwords (and add others from John the ripper)

24 NUMBER OF PASSWORDS before reuse [0]

Password History size - histsize 825 WEEKS before password reuse [0]

Password reuse min - histexpire 26

26 Weeks between password EXPIRATION and LOCKOUTPassword maxexpired 4

27 Password MAX AGE 12 or 24

28 Password MIN AGE 029 Password MIN LENGTH 6

30 Password MIN ALPHA characters 4

31 Password MIN OTHER characters 1

32 Password MAX REPEATED characters 3

33 Password MIN DIFFERENT characters 334 Password REGISTRY

loginretries 20

following setting limit how much system resources can be used

some high limits could be set35 Soft FILE size

36 Soft CPU time

37 Soft DATA segment38 Soft STACK size

39 Soft CORE file size [2097151] 0

40 Hard FILE size []41 Hard CPU time []42 Hard DATA segment []

43 Hard STACK size []

44 Hard CORE file size [] 0

45 File creation UMASK [022] 027

46 AUDIT classes []47 TRUSTED PATH nosak



48 PRIMARY authentication method [SYSTEM]

49 SECONDARY authentication method [NONE]

bull Set user defaults for above

bull usrlibsecuritymkuserdefault

bull etcsecurityuser bull etcsecuritylimits

bull etcsecuritylogincfg

bull usrlibsecuritymkusersysbull User restricted shell

Temporary accounts

TBD

bull Ensure expiry date set

Temporary access to existing accounts

TBD

Applicationdaemon account policy

bull Ensure that the password is blocked and shell is set to devnull for all system accounts except root

and sysadmin users

bull A system default of umask 027 or tighter is required

AdministratorPrivileged access account policy

bull Set PATH (no system directories first) and other variables (eg TERM IFS LIBRARY PATH

MANPATH) in profile and cshrc or login

bull The tsh shell is a good security tool It only allows you to run programs that are in the TCB and have

the TCB mode set We should at least recommend its usagebull Only allow root to be access via su (not console or network login)

smit chuser

Another user can SU TO USER true

User can LOGIN falseUser can LOGIN REMOTELY false

TBD I think we should allow root to login to the consolebull A system default of umask 027 or tighter is required

TBD

bull Extended attributes

bull For sensitive accounts One common method of increasing login security is to require two passwords

to authenticate an account This is called ldquo2 key authenticationrdquo

bull SAK etcsecuritylogincfg to the ldquodefaultrdquo stanza sak_enabled=true



bull roles an alternative method of assigning sysadmin privileges Maybe an alternative to sudo or the

commercial equivalentManageBasicUsers chsec chuser lsuser mkuser

ManageAllUsers chfn chsec chuser mkuser rmuser chrole mkrole lsrole rmrole chsec lssec

pwdadm chgroup chgrpmem chsec mkgroup rmgroup chsec chuser lsuser mkuser ManageBasicPasswords pwdadm

ManageAllPasswords chsec lssec pwdadm

ManageRoles chrole mkrole lsrole rmroleManageBackupRestore backup restoreManageBackup backup

ManageShutdown shutdown

RunDiagnostics diag

The chuser command is used when addingremoving a role to an existing user

See also etcsecurityuserroles and etcsecurityroles and smitsmit chrole To change the attribute values

smit lsrole To display the attributes and their values

smit mkrole To creates an entry for each new role in the etcsecurityroles

smit rmrole To remove a role

top

Install additional security tools

At this stage standard toolsutilities are going to be installed the most important being SSH These tools

should already have been compiled and tested extensively on another machine They are typically transferredas tar files by CD or FTP

bull AIX tools - C2

bullIP Security (IPSec) port filtering permits AIX to filter incoming IP packets

based on combinations of source IP address (more generally a network

and netmask) protocol (TCP or UDP) and port number

(perhaps we dont need TCP wrappers this filtering seems to be just as good if not a littlecomplicated Its like a local IpchainsIPfilter)

bullIP Security (IPSec)encryption

bull DACinet permits arbitrary ports (above 1024) to be designated as

privileged so that they may only be bound to a socket created by the

super-user Examples would include ports used by Web-based SystemManager and X11

bull DACinet also provides a means of restricting the ability of users based on

user identity to establish connections to TCP ports (No similar feature is provided for UDP ports) This feature extends the IPSec address-based notion of port filtering to

permit only trusted users to establish connections to certain services (such as Web-based System

Manager)

bull Install SSH for login access Configure the ssh daemon (etcsshd_config) so that access is restricted

to named hosts with known public keys (etcssh_known_hosts) and rhosts authentication is disabled



Use shosts rather than rhosts if remote admin is needed If telnetdftpd was still enabled disable it

in etcinetdconf once you have tested SSH

bull Security

o tripwire lsof md5 logcheck rdist tcp wrappers

o possibly snort tocsin

o monitoring scripts

o auditing scripts

bull SysAdmino perl gzip top

Create Tripwire image backup test

Test - Do SSH and the standard tools work Check log entries check console messages Does the system

behave as expected

bull When all is working fine freeze usr and if possible opt

Mount usr and opt read-only (in etcvfstab with ro option) This reduces the risk of trojan horses andunauthorised modifications

Mount other partitions nosuid (SUID programs cannot assume other identities)

RebootRun the mount command to check that filesystems options are effective

bull If CD-ROMS are not needed for production disable the volume manager (one less daemon one less

security worry) It can always be re-enabled if needed later

mv etcrc2dS92volmgt etcrc2dS92volmgt

bull At this stage install tripwire (or some other filechecker that uses secure hashing algorithms) initialise

its database and run regular checks to monitor for changes If possible keep the tripwire master database on another machine or write-once media Even better copy tripwire amp its database and run

it remotely at regular intervals using SSH This makes it difficult for an attacker to know that tripwireis being used to check the system

bull Backup the system to two tapes one offsite

Maintenance

Monitoring Tasks

921 Intrusion monitoring tasks

9211 File integrity size permissions ownership

nice tcbck -n tree

or tripwire

9212 Network ports visible9213 Network traffic intrusion



922 Log Statistics

923 Log Exception monitoring

924 Availability reliabilityProcesses ping hosts snmp rpc remote check of specific services

925 Example Schedules Daily Weekly Monthly

Software Patches

bull On system installation the latest security recommended patches for the Operating System and

applications be installed

bull As time goes by new weaknesses and corresponding patches will be published and these must be

installed on the system within two months Alternatively a lsquopatch strategyrsquo for the system must be

defined and approved that consists ofa) How is notification of new relevant patches realised

b) How often are patches applied

c) Patch procedure for example test patches on a test System plan downtime prepare rollback in

case of failure apply patches monitor for problems document resultsbull How do you decide whether a weakness is worth patching

a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed

to a hostile environment like the Internet install it fast b) If the weakness concerns a local exploit of a tool not normally used not a daemon and on a host

where only root or administrator accounts exist it may be enough to install the patch together with a

bundle at the scheduled intervalsc) If the weakness concerns a local exploit of a tool on a host where non-administrative users have

accounts with shell access urgent action is advised

d) If the systems runs highly specialised software like databases clusters etc be very wary of installing Kernel IO and driver patches It is advisable to test patches on a separate system first

References

[1] AIX 43 Network Hardening

Information Systems and Technology University of Waterloohttpistuwaterloocasecurityhowto2001-01-15

httpistuwaterloocasecurityhowto2001-01-15aix-network-hardentar

A PDF version has been createdhttpborandyndnsorgaix

[2] AIX - RS6000 Documentation Library (IBM)

bull Frequently Asked Questions about AIX and the IBM RS6000 (Usenix posting) Also a pdf version

for printing

bull AIX 43 Elements of Security Effective and Efficient Implementation (by) Kosuge Arminguad

Chew Horne amp Witteveen 18-Aug-2000 Also a pdf version for printing



bull Additional AIX Security Tools on IBM pSeries IBM RS6000 and SPCluster (by) Farazdel Genty

Kerouanton amp Khor 20-Dec-2000 Also a pdf version for printing

bull Exploiting RS6000 SP Security Keeping It Safe (by) Farazdel DeRobertis Genty Kreuger amp

Wilkop 21-Sep-2000 Also a pdf version for printing

Auditing notes

Several ldquocheckrdquo commands (grpck usrck pwdck and tcbck) and ldquolistrdquocommands (lsuser and lsgroup) are available for use by root or anyone in thesecurity group

The grpck usrck and pwdck commands require a flag to indicate whether the

system should try to fix erroneous attributes

Flags are -n Reports errors but does not fix them eggrpck -n ALL

lsgroup -f ALL gtgt tmpcheck

lsuser -f ALL gtgt tmpcheck



bull Keep things simple it is expected that only one or two services will run on a host Use several

machines rather than one superserver that does everything Its easier to isolate applications hardenand troubleshoot Be minimalist only run what is absolutely necessary

bull Hardware Consider installation via the serial port console get rid of the keyboard screen and

framebuffer ie avoid using X11 and get to know the command line Have an isolated trusted

network available for testingTBD can AIX do this

bull Know exactly what the system is supposed to do what its hardware configuration will be etchardening is generic and may break certain functions eg AIXwindowsCDE may need RPC to run but you really dont want RPC running on a sensitive host

bull Its important to understand how the applications work (how they use ports devices files) to judge

what hardening is possible and to assess the risk posed

2 Initial OS installation

TBD

bull boot via serial console

bull installation example

bull additional OS packages

bull partitioning

bull patch bundle

Minimize network services

Principles

Network services present a significant risk to security

bull Only enable the strict minimum of services needed The number system processes listed by ps ndashef

or equivalent should be less than 10

bull Use encrypted tools (like SSH) rather than clear-text network logins (eg telnet 3270 ftp rlogin

rcmd)

bull Keeping up to date with security patches on network daemons is particularly important

bull Daemons should run as non-root users

bull Daemons should chroot to a dedicated directory

bull

Use encryption where possible to prevent snooping or replay attacksbull Services must use minimal umask file permissions etc

bull Strong authentication (with token or lists) should be considered for critical services

bull Applications should package structure

Minimise Inetd network Services

Inetd a process which automatically starts certain daemons such as telnet ftp if connections are made










TBD list



TBD list

securetcpip


1 ftp2 telnet

3 other


















etcexports




rmitab




o xauth xhost













bull routing

bull

nis nis+bull

Kernel Tuning






Logging










TBD

bull errpt| more


51 Root directory




55 Home Directories


57 Dangerous files


etcfilesystems




Virus scanning




ACLs







Devices disks tty







Login Banners












bull Cover lock key





s2TCB Auditing








update TCB



General policy



bull Groups



User account policy



bull




4 Primary GROUP []





9 SU GROUPS [ALL]



















loginretries 20



36 Soft CPU time

















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes
















TBD list



TBD list

securetcpip


1 ftp2 telnet

3 other


















etcexports




rmitab




o xauth xhost













bull routing

bull

nis nis+bull

Kernel Tuning






Logging










TBD

bull errpt| more


51 Root directory




55 Home Directories


57 Dangerous files


etcfilesystems




Virus scanning




ACLs







Devices disks tty







Login Banners












bull Cover lock key





s2TCB Auditing








update TCB



General policy



bull Groups



User account policy



bull




4 Primary GROUP []





9 SU GROUPS [ALL]



















loginretries 20



36 Soft CPU time

















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes











etcexports




rmitab




o xauth xhost













bull routing

bull

nis nis+bull

Kernel Tuning






Logging










TBD

bull errpt| more


51 Root directory




55 Home Directories


57 Dangerous files


etcfilesystems




Virus scanning




ACLs







Devices disks tty







Login Banners












bull Cover lock key





s2TCB Auditing








update TCB



General policy



bull Groups



User account policy



bull




4 Primary GROUP []





9 SU GROUPS [ALL]



















loginretries 20



36 Soft CPU time

















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes









Logging










TBD

bull errpt| more


51 Root directory




55 Home Directories


57 Dangerous files


etcfilesystems




Virus scanning




ACLs







Devices disks tty







Login Banners












bull Cover lock key





s2TCB Auditing








update TCB



General policy



bull Groups



User account policy



bull




4 Primary GROUP []





9 SU GROUPS [ALL]



















loginretries 20



36 Soft CPU time

















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes










ACLs







Devices disks tty







Login Banners












bull Cover lock key





s2TCB Auditing








update TCB



General policy



bull Groups



User account policy



bull




4 Primary GROUP []





9 SU GROUPS [ALL]



















loginretries 20



36 Soft CPU time

















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes











s2TCB Auditing








update TCB



General policy



bull Groups



User account policy



bull




4 Primary GROUP []





9 SU GROUPS [ALL]



















loginretries 20



36 Soft CPU time

















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes










9 SU GROUPS [ALL]



















loginretries 20



36 Soft CPU time

















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes
















Temporary accounts

TBD



TBD



and sysadmin users







smit chuser




TBD














RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes
















RunDiagnostics diag






top




bull AIX tools - C2












Manager)







bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes











bull Security




o auditing scripts




behave as expected












Maintenance

Monitoring Tasks



nice tcbck -n tree

or tripwire




922 Log Statistics




Software Patches















References







for printing









Auditing notes









922 Log Statistics




Software Patches















References







for printing









Auditing notes













Auditing notes







13044559 Hardening Aix

Documents

Transcript of 13044559 Hardening Aix