13044559 Hardening Aix
8/9/2019 13044559 Hardening Aix
https://slidepdf.com/reader/full/13044559-hardening-aix 1/13
Hardening AIX
(rough outline, draft 2. I started this in Nov 2001 but the project was abandoned.)
NOTE: This is an early working draft and as such is not very easy to read. I apologise for this, but the idea is to produce an outline which can then be improved upon and refined.
By Seán Boran
This document presents a step-by-step approach to securely installing AIX 4.3 (TBD: exact version) for use in a sensitive environment. All steps have been tested on Pilot Globe systems.
The focus here is on preparing the Operating System to securely run services, rather than the setup of the services themselves. An accompanying tool will be developed to allow corresponding automated hardening.
The process of hardening involves installing patches, disabling unneeded services, configuring accounts correctly, restricting file permissions, limiting SUID/SGID files, configuring OS security features and monitoring the system for unusual behaviour.
Table of contents
1. Preparation
2. Initial OS installation
3. Minimize network services
   o Principles
   o Minimise Inetd
   o Minimize /etc/rc.tcpip
   o Minimize /etc/rc.nfs
   o Minimize inittab
   o Minimize other services
4. Kernel Tuning
5. Logging
6. File / Directory Access Control
7. System Authentication / Access Control
8. User Accounts and Environment
9. Hardening specific services (optional, for later, or refer to other documents): snmp, smtp, http, dns, time sync & ntp, AIXwindows/CDE
10. Install additional security tools
11. Create Tripwire image, backup, test
12. Maintenance: monitoring | Software patches
13. References
1. Preparation
• Keep things simple: it is expected that only one or two services will run on a host. Use several machines rather than one superserver that does everything. It's easier to isolate applications, harden and troubleshoot. Be minimalist: only run what is absolutely necessary.
• Hardware: Consider installation via the serial port console; get rid of the keyboard, screen and framebuffer, i.e. avoid using X11 and get to know the command line. Have an isolated, trusted network available for testing. TBD: can AIX do this?
• Know exactly what the system is supposed to do, what its hardware configuration will be, etc. Hardening is generic and may break certain functions, e.g. AIXwindows/CDE may need RPC to run, but you really don't want RPC running on a sensitive host.
• It's important to understand how the applications work (how they use ports, devices, files) to judge what hardening is possible and to assess the risk posed.
2. Initial OS installation
TBD
• boot via serial console
• installation example
• additional OS packages
• partitioning
• patch bundle
3. Minimize network services
Principles
Network services present a significant risk to security.
• Only enable the strict minimum of services needed. The number of system processes listed by ps -ef or equivalent should be less than 10.
• Use encrypted tools (like SSH) rather than clear-text network logins (e.g. telnet, 3270, ftp, rlogin, rcmd).
• Keeping up to date with security patches on network daemons is particularly important.
• Daemons should run as non-root users.
• Daemons should chroot to a dedicated directory.
• Use encryption where possible to prevent snooping or replay attacks.
• Services must use minimal umask, file permissions, etc.
• Strong authentication (with token or lists) should be considered for critical services.
• Applications should package structure
Minimise Inetd network services
Inetd: a process which automatically starts certain daemons, such as telnet or ftp, if connections are made.
Inetd services can be enabled or disabled with the command chsubserver on AIX. Likewise, after changes to the inetd configuration the daemon needs to be sent a hang-up signal: refresh -s inetd. For example:
[server1] chsubserver -d -v daytime -p udp
[server1] chsubserver -d -v daytime -p tcp
[server1] grep daytime /etc/inetd.conf
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
It is recommended that ALL services except the following be disabled:
TBD list
This can be achieved with the following commands:
chsubserver -d -v daytime -p udp
chsubserver -d -v daytime -p tcp
TBD list
securetcpip
Special services which may be needed (discuss what measures to take for each one):
1. ftp
2. telnet
3. other
4. tftp - for diskless booting; /etc/tftpaccess.ctl
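As an added example (not from the draft), the following POSIX shell script audits an inetd.conf the way this section describes: it lists the entries still active, compares them with an allow list, and prints the chsubserver and refresh commands that would switch off the rest. The inetd.conf sample and the allow list (ftp only) are constructed, since the draft's own list is still TBD.

```shell
#!/bin/sh
# Audit an inetd.conf: list the services still enabled, flag the ones not on an
# allow list and emit the chsubserver commands that would switch them off.
# Constructed example, not the draft's own code; the allow list is an assumption.

# inetd_enabled CONF: print "service/protocol" for every active (uncommented) entry.
inetd_enabled() {
    awk '/^[ \t]*#/ || NF == 0 { next } { print $1 "/" $3 }' "$1" | sort -u
}

# inetd_not_allowed CONF ALLOW: active entries absent from ALLOW (one
# service/protocol per line). ALLOW is read first, then CONF.
inetd_not_allowed() {
    awk 'FILENAME == ARGV[1] { allow[$0] = 1; next }
         /^[ \t]*#/ || NF == 0 { next }
         { k = $1 "/" $3; if (!(k in allow)) print k }' "$2" "$1" | sort -u
}

# inetd_disable_cmds CONF ALLOW: the chsubserver invocations the draft uses, one
# per extra service, followed by the refresh inetd needs to reread its
# configuration. The commands are printed for review, not executed.
inetd_disable_cmds() {
    inetd_not_allowed "$1" "$2" |
        awk -F/ '{ print "chsubserver -d -v " $1 " -p " $2 }
                 END { if (NR > 0) print "refresh -s inetd" }'
}

# Constructed sample resembling /etc/inetd.conf on AIX 4.3 (not a real file).
INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
# service  type    proto  wait    user  server             args
ftp        stream  tcp    nowait  root  /usr/sbin/ftpd     ftpd
telnet     stream  tcp    nowait  root  /usr/sbin/telnetd  telnetd -a
#shell     stream  tcp    nowait  root  /usr/sbin/rshd     rshd
#login     stream  tcp    nowait  root  /usr/sbin/rlogind  rlogind
daytime    stream  tcp    nowait  root  internal
daytime    dgram   udp    wait    root  internal
EOF

# Assumed allow list: only ftp over tcp stays enabled (the draft's list is TBD).
ALLOW=$(mktemp)
printf 'ftp/tcp\n' > "$ALLOW"

echo "enabled:";    inetd_enabled "$INETD_CONF"
echo "to disable:"; inetd_disable_cmds "$INETD_CONF" "$ALLOW"
```

Run it against the real /etc/inetd.conf and a reviewed allow list, then paste the printed commands into the session once they have been checked.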
Minimize /etc/rc.tcpip network services
A description of what services are started in /etc/rc.tcpip and how they can be changed with chrctcp.
/usr/sbin/no -o clean_partial_conns=1
/usr/sbin/no -o bcastping=0
/usr/sbin/no -o directed_broadcast=0
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0
/usr/sbin/no -o ipsrcroutesend=0
/usr/sbin/no -o ipsrcrouterecv=0
/usr/sbin/no -o ipsrcrouteforward=0
/usr/sbin/no -o ip6srcrouteforward=0
/usr/sbin/no -o icmpaddressmask=0
/usr/sbin/no -o nonlocsrcroute=0
/usr/sbin/no -o tcp_pmtu_discover=0
/usr/sbin/no -o udp_pmtu_discover=0
/usr/sbin/no -o ipforwarding=0
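An added example, not part of the draft: a shell check that compares the no baseline listed above with captured "no -a" output and prints the tunables that have drifted, plus the /usr/sbin/no -o commands that would restore them. The "no -a" sample is constructed.

```shell
#!/bin/sh
# Compare the "no" network tunables the draft sets against what a running
# system reports with "no -a". Constructed example, not the draft's own code.
# On AIX 4.3 "no" settings are not kept across a reboot, so a check like this
# belongs with the post-boot and periodic monitoring tasks.

# no_drift BASELINE NO_A: BASELINE holds name=value lines (the draft's list),
# NO_A holds captured "no -a" output ("   name = value"). Prints one line per
# tunable whose value differs or which is missing; prints nothing on a match.
no_drift() {
    awk 'FILENAME == ARGV[1] { if ($2 == "=") cur[$1] = $3; next }
         /^[ \t]*#/ || NF == 0 { next }
         { n = index($0, "="); name = substr($0, 1, n - 1); want = substr($0, n + 1)
           have = (name in cur) ? cur[name] : "(unset)"
           if (have != want) print name, "expected=" want, "actual=" have }' "$2" "$1"
}

# no_fix_cmds BASELINE NO_A: the "/usr/sbin/no -o" commands (as in the draft)
# that would restore the drifted tunables. Printed for review, not executed.
no_fix_cmds() {
    no_drift "$1" "$2" |
        awk '{ sub(/^expected=/, "", $2); print "/usr/sbin/no -o " $1 "=" $2 }'
}

# Baseline: the tunables and values listed in the draft.
BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
clean_partial_conns=1
bcastping=0
directed_broadcast=0
ipignoreredirects=1
ipsendredirects=0
ipsrcroutesend=0
ipsrcrouterecv=0
ipsrcrouteforward=0
ip6srcrouteforward=0
icmpaddressmask=0
nonlocsrcroute=0
tcp_pmtu_discover=0
udp_pmtu_discover=0
ipforwarding=0
EOF

# Constructed "no -a" output from a host that has drifted: ipforwarding,
# ipsrcrouteforward and tcp_pmtu_discover are wrong, udp_pmtu_discover is missing.
NO_A_OUTPUT=$(mktemp)
cat > "$NO_A_OUTPUT" <<'EOF'
            bcastping = 0
  clean_partial_conns = 1
   directed_broadcast = 0
      icmpaddressmask = 0
   ip6srcrouteforward = 0
         ipforwarding = 1
    ipignoreredirects = 1
      ipsendredirects = 0
    ipsrcrouteforward = 1
       ipsrcrouterecv = 0
       ipsrcroutesend = 0
       nonlocsrcroute = 0
    tcp_pmtu_discover = 1
        tcp_sendspace = 16384
EOF

echo "drift:";    no_drift "$BASELINE" "$NO_A_OUTPUT"
echo "fix with:"; no_fix_cmds "$BASELINE" "$NO_A_OUTPUT"
```

On a live system, capture the second input with "no -a > /tmp/no.out" and run no_drift against that file.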
Minimize /etc/rc.nfs network services
A description of /etc/rc.nfs.
/etc/exports:
Secure NFS: /usr/secretdata -secure
Minimize inittab services
A description of what services are started in /etc/inittab and how they can be changed with mkitab and rmitab.
Minimize other services
• Restrict AIXwindows/CDE login to console
   o The xss command uses the enhanced MIT screen saver extensions
   o xauth, xhost
• Disable anonymous ftp
• Disable anonymous ftp writes
• Disable ftp to system accounts
• Lock down root access
  The default configuration allows telnet and rlogin access to the root account. This can be configured in the /etc/security/user file -- set the rlogin option to false for all system accounts. System managers should login to their account and then su, so we have an audit trail.
• Disable SNMP readWrite communities
  The default SNMP configuration includes these readWrite communities:
  [server1] grep readWrite /etc/snmpd.conf
  # readOnly, writeOnly, readWrite. The default permission is readOnly.
  community private 127.0.0.1 255.255.255.255 readWrite
  community system 127.0.0.1 255.255.255.255 readWrite 1.17.2
• routing
• nis, nis+
4. Kernel Tuning
• If possible, configure the system option to reduce stack overflow attacks; limit core file size.
• Configure the OS for strong TCP sequencing, resistance to syn flooding and similar DOS attacks.
• TBD: broadcasts & multicasts
5. Logging
The default syslogd(8) configuration does nothing -- you won't get any important messages logged unless you configure the file /etc/syslog.conf.
Only programs that are writing into audit logs should have write access to these log files.
Consider splitting logs by applications and priority. Consider centralised logging, analysis of usage statistics and reporting of exceptions. Consider logging more than the UNIX defaults.
• log rotate / archiving
• Enable SU logging to console in /etc/default/su
• Enable logging of failed attempts to login: touch /var/log/loginlog; chmod 600 /var/log/loginlog; chgrp sys /var/log/loginlog
TBD
• errpt | more
6. File / Directory Access Control
5.1 Root directory
5.2 Application and System files and directories
5.3 System directories
5.4 Login / Shell scripts
5.5 Home Directories
5.6 SUID and SGID programs
5.7 Dangerous files
5.8 Filesystem mounting
/etc/filesystems
To reduce the risk of trojan horses and unauthorised modifications, in /etc/vfstab mount with options remount,nosuid; /var with nosuid; /tmp with size=100m,nosuid (allow /tmp to only use 100MB of swap space and disallow execution of SUID programs).
Virus scanning
Use the command virscan on filesystems that may contain files that are transferred to/from PCs.
ACLs
ACL commands: aclget (gets the ACL for a file), aclput (sets the ACL for a file), acledit (combines aclget and aclput).
7. System Authentication / Access Control
Batch Utilities: at / cron
Users are not allowed to use cron or at; access to these tools is to be restricted accordingly. System accounts should be explicitly given access if needed. Enable logging of cron activity. Ensure that all command scripts that are to be executed with root privilege by cron, at or batch are owned by root and set to mode 755 or more restrictive.
Devices: disks, tty
Consider setting restrictive permissions on raw disk devices used by databases.
Ports: In /etc/security/login.cfg, or via smit login_port, we could set:
  Port NAME                                      /dev/ttyp0
  Allowed LOGIN TIMES                            []
  Login RETRY DELAY                              [0]
  Number of FAILED LOGINS before port is locked  [0]
  INTERVAL for counting failed logins            [0]
  REENABLE DELAY for locked port                 [0]
Login Banners
Edit /etc/security/login.cfg or try:
chsec -f /etc/security/login.cfg -s default -a herald="NOTICE TO USERS\r\n\r\nUse of this machine waives all rights to your privacy\r\n\r and is consent to be monitored\r\n\rUnauthorized use prohibited\r\n\r\n\r\nlogin:"
Consoles & boot security
• Should we set the power-on password?
   o The power-on password protection is effective against reset as well as power-on, and means the system can't be booted from CD to bypass password controls.
   o Alternatively, leave only the hard disk in the boot device sequence and set the privileged-access password. The system will boot only from hard disk.
   o If the machine is already in a physically secure room this may create more trouble than it's worth (convenience). It is recommended that at least "Unattended start mode" be enabled.
• Cover lock key
• Privileged-access password for firmware access. If you set both power-on and privileged-access passwords, only the privileged-access password is required to start SMS.
TCB / Auditing
TCB is a good tool to detect penetrations and configuration changes. It is not installed by default. You have the option to install TCB during the initial installation. It cannot be added without reinstalling AIX.
/etc/security/audit/config
TCB monitors over 600 files plus the devices (/dev) by default. It stores these files in an ASCII file, /etc/security/sysck.cfg. Make a backup of this file to a floppy disk and write-protect it immediately.
We should be able to use this as an alternative to tripwire.
The installp command automatically updates the TCB when you install PTFs (i.e. patches). However, E-Fixes naturally do not update TCB. So if you apply an E-Fix to your system you will need to manually update TCB.
Store TCB read-only on floppy with backup config.
8. User Accounts and Environment
General policy
• Ensure that encrypted passwords are only stored in /etc/security/passwd and not /etc/passwd.
• Define standard UID/GID ranges.
• Groups
   o Define standard groups; add to system install.
   o Define standard members of security (auditors) and system (sysadmins) groups.
User account policy
• TBD: edit /etc/environment, /etc/profile, /etc/security/environ, /etc/security/.profile, /usr/lib/security/mkuser.sys; set default user environment (MANPATH, TMOUT=3600, TIMEOUT=3600, PS1, umask) in /etc/profile, /etc/login and .profile.
• We can set several security relevant account details, for example via smit mkuser or by editing /etc/security/user.
  TBD: define standards/examples and test (especially with SSH) - I've started adding some example settings in green:
   1 User NAME                                     []
   3 ADMINISTRATIVE USER                           false
   4 Primary GROUP                                 []
   6 ADMINISTRATIVE GROUPS                         []
   7 ROLES                                         []
   8 Another user can SU TO USER                   true
   9 SU GROUPS                                     [ALL]
  11 Initial PROGRAM                               []
  13 EXPIRATION date (MMDDhhmmyy)                  [0]
  14 Is this user ACCOUNT LOCKED                   false
  15 User can LOGIN                                true
  16 User can LOGIN REMOTELY                       true
  17 Allowed LOGIN TIMES                           []          0600-2000
  18 Number of FAILED LOGINS before user account is locked  [0]  5
  19 Login AUTHENTICATION GRAMMAR                  [compat]
  20 Valid TTYs                                    [ALL]       []
  21 Days to WARN USER before password expires     [0]
  22 Password CHECK METHODS                        []
  23 Password DICTIONARY FILES                     []          /usr/share/dict/words (and add others from John the Ripper)
  24 NUMBER OF PASSWORDS before reuse              [0]         Password history size - histsize 8
  25 WEEKS before password reuse                   [0]         Password reuse min - histexpire 26
  26 Weeks between password EXPIRATION and LOCKOUT             Password maxexpired 4
  27 Password MAX AGE                                          12 or 24
  28 Password MIN AGE                                          0
  29 Password MIN LENGTH                                       6
  30 Password MIN ALPHA characters                             4
  31 Password MIN OTHER characters                             1
  32 Password MAX REPEATED characters                          3
  33 Password MIN DIFFERENT characters                         3
  34 Password REGISTRY
  loginretries 20
  (The following settings limit how much system resources can be used; some high limits could be set.)
  35 Soft FILE size
  36 Soft CPU time
  37 Soft DATA segment
  38 Soft STACK size
  39 Soft CORE file size                           [2097151]   0
  40 Hard FILE size                                []
  41 Hard CPU time                                 []
  42 Hard DATA segment                             []
  43 Hard STACK size                               []
  44 Hard CORE file size                           []          0
  45 File creation UMASK                           [022]       027
  46 AUDIT classes                                 []
  47 TRUSTED PATH                                  nosak
  48 PRIMARY authentication method                 [SYSTEM]
  49 SECONDARY authentication method               [NONE]
• Set user defaults for the above:
• /usr/lib/security/mkuser.default
• /etc/security/user
• /etc/security/limits
• /etc/security/login.cfg
• /usr/lib/security/mkuser.sys
• User restricted shell
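An added example rather than the draft's own code: a shell check of an /etc/security/user file against the settings pencilled in above (the draft gives loginretries as both 5 and 20; the policy here takes the 5 from field 18). Both stanza files and the policy list are constructed samples.

```shell
#!/bin/sh
# Check an AIX /etc/security/user stanza file against the password and login
# policy the draft pencils in (histsize 8, histexpire 26, maxage 12, minlen 6,
# umask 027, root rlogin false, ...). Constructed example, not the draft's code.
# stanza_get FILE STANZA ATTR: print ATTR's value in STANZA (nothing if absent).
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { cur = substr($1, 1, length($1) - 1); next }
        cur == want && $1 == attr && $2 == "=" { print $3; exit }' "$1"
}

# mask_ok HAVE WANT: succeed when every permission bit WANT clears, HAVE clears
# too (077 satisfies a 027 policy, 022 does not). Octal digits tested bitwise.
mask_ok() {
    awk -v h="$1" -v w="$2" 'BEGIN {
        if (h !~ /^[0-7][0-7]?[0-7]?[0-7]?$/) exit 1
        while (length(h) < 3) h = "0" h; while (length(w) < 3) w = "0" w
        for (i = 0; i < 3; i++) {
            hd = substr(h, length(h) - i, 1) + 0; wd = substr(w, length(w) - i, 1) + 0
            for (b = 4; b >= 1; b /= 2) if (int(wd / b) % 2 && !(int(hd / b) % 2)) exit 1
        }
        exit 0 }'
}

# user_policy_check FILE POLICY: print one line per violated rule (nothing when
# the file complies). POLICY lines read "stanza attribute op value", op one of
# eq, ge, le, mask. An attribute missing from a user stanza falls back to the
# default: stanza, which is how AIX resolves it.
user_policy_check() {
    while read -r stanza attr op want; do
        case $stanza in ''|'#'*) continue ;; esac
        have=$(stanza_get "$1" "$stanza" "$attr")
        [ -n "$have" ] || have=$(stanza_get "$1" default "$attr")
        ok=1
        case $op in
            eq)    [ "$have" = "$want" ] || ok=0 ;;
            ge|le) case $have in
                       ''|*[!0-9-]*) ok=0 ;;
                       *) [ "$have" "-$op" "$want" ] || ok=0 ;;
                   esac ;;
            mask)  mask_ok "$have" "$want" || ok=0 ;;
        esac
        [ $ok -eq 1 ] || echo "$stanza.$attr = ${have:-(unset)}  (policy: $op $want)"
    done < "$2"
}

# Constructed sample: stock AIX 4.3 values; root has no rlogin line, so it
# inherits rlogin = true from default:.
STOCK_USER=$(mktemp)
cat > "$STOCK_USER" <<'EOF'
default:
        rlogin = true
        umask = 022
        loginretries = 0
        histexpire = 0
        histsize = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minlen = 0
        maxrepeats = 8
root:
        admin = true
EOF
# Constructed sample: the same file after applying the draft's settings.
HARDENED_USER=$(mktemp)
cat > "$HARDENED_USER" <<'EOF'
default:
        rlogin = false
        umask = 027
        loginretries = 5
        histexpire = 26
        histsize = 8
        maxage = 12
        maxexpired = 4
        minalpha = 4
        minlen = 6
        maxrepeats = 3
root:
        admin = true
EOF
POLICY=$(mktemp)
cat > "$POLICY" <<'EOF'
default minlen ge 6
default minalpha ge 4
default maxrepeats le 3
default histsize ge 8
default histexpire ge 26
default maxage ge 1
default maxage le 12
default maxexpired eq 4
default loginretries ge 1
default loginretries le 5
default umask mask 027
root rlogin eq false
EOF
echo "stock:";    user_policy_check "$STOCK_USER" "$POLICY"
echo "hardened:"; user_policy_check "$HARDENED_USER" "$POLICY"
```

The same check can be pointed at the live /etc/security/user (readable by the security group) as part of the periodic audit tasks.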
Temporary accounts
TBD
• Ensure expiry date set
Temporary access to existing accounts
TBD
Application/daemon account policy
• Ensure that the password is blocked and the shell is set to /dev/null for all system accounts except root and sysadmin users.
• A system default of umask 027 or tighter is required.
Administrator/Privileged access account policy
• Set PATH (no system directories first) and other variables (e.g. TERM, IFS, LIBRARY PATH, MANPATH) in .profile and .cshrc or .login.
• The tsh shell is a good security tool. It only allows you to run programs that are in the TCB and have the TCB mode set. We should at least recommend its usage.
• Only allow root to be accessed via su (not console or network login):
  smit chuser
  Another user can SU TO USER    true
  User can LOGIN                 false
  User can LOGIN REMOTELY        false
  TBD: I think we should allow root to login to the console.
• A system default of umask 027 or tighter is required.
TBD
• Extended attributes
• For sensitive accounts: One common method of increasing login security is to require two passwords to authenticate an account. This is called "2 key authentication".
• SAK: in /etc/security/login.cfg, add to the "default" stanza: sak_enabled=true
• Roles: an alternative method of assigning sysadmin privileges. Maybe an alternative to sudo or the commercial equivalent.
  ManageBasicUsers: chsec, chuser, lsuser, mkuser
  ManageAllUsers: chfn, chsec, chuser, mkuser, rmuser, chrole, mkrole, lsrole, rmrole, chsec, lssec, pwdadm, chgroup, chgrpmem, chsec, mkgroup, rmgroup, chsec, chuser, lsuser, mkuser
  ManageBasicPasswords: pwdadm
  ManageAllPasswords: chsec, lssec, pwdadm
  ManageRoles: chrole, mkrole, lsrole, rmrole
  ManageBackupRestore: backup, restore
  ManageBackup: backup
  ManageShutdown: shutdown
  RunDiagnostics: diag
  The chuser command is used when adding/removing a role to an existing user.
  See also /etc/security/user.roles and /etc/security/roles, and smit:
  smit chrole  To change the attribute values
  smit lsrole  To display the attributes and their values
  smit mkrole  To create an entry for each new role in /etc/security/roles
  smit rmrole  To remove a role
10. Install additional security tools
At this stage standard tools/utilities are going to be installed, the most important being SSH. These tools should already have been compiled and tested extensively on another machine. They are typically transferred as tar files by CD or FTP.
• AIX tools - C2
• IP Security (IPSec) port filtering permits AIX to filter incoming IP packets based on combinations of source IP address (more generally a network and netmask), protocol (TCP or UDP) and port number. (Perhaps we don't need TCP wrappers; this filtering seems to be just as good, if not a little complicated. It's like a local ipchains/IPfilter.)
• IP Security (IPSec) encryption
• DACinet permits arbitrary ports (above 1024) to be designated as privileged, so that they may only be bound to a socket created by the super-user. Examples would include ports used by Web-based System Manager and X11.
• DACinet also provides a means of restricting the ability of users, based on user identity, to establish connections to TCP ports. (No similar feature is provided for UDP ports.) This feature extends the IPSec address-based notion of port filtering to permit only trusted users to establish connections to certain services (such as Web-based System Manager).
• Install SSH for login access. Configure the ssh daemon (/etc/sshd_config) so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled.
  Use .shosts rather than .rhosts if remote admin is needed. If telnetd/ftpd was still enabled, disable it in /etc/inetd.conf once you have tested SSH.
• Security
   o tripwire, lsof, md5, logcheck, rdist, tcp wrappers
   o possibly snort, tocsin
   o monitoring scripts
   o auditing scripts
• SysAdmin
   o perl, gzip, top
11. Create Tripwire image, backup, test
Test - Do SSH and the standard tools work? Check log entries, check console messages. Does the system behave as expected?
• When all is working fine, freeze /usr and, if possible, /opt.
  Mount /usr and /opt read-only (in /etc/vfstab with the ro option). This reduces the risk of trojan horses and unauthorised modifications.
  Mount other partitions nosuid (SUID programs cannot assume other identities).
  Reboot. Run the mount command to check that filesystem options are effective.
• If CD-ROMs are not needed for production, disable the volume manager (one less daemon, one less security worry). It can always be re-enabled if needed later.
  mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt
• At this stage install tripwire (or some other filechecker that uses secure hashing algorithms), initialise its database and run regular checks to monitor for changes. If possible keep the tripwire master database on another machine or write-once media. Even better, copy tripwire & its database and run it remotely at regular intervals using SSH. This makes it difficult for an attacker to know that tripwire is being used to check the system.
• Backup the system to two tapes, one offsite.
12. Maintenance
Monitoring Tasks
9.2.1 Intrusion monitoring tasks
9.2.1.1 File integrity: size, permissions, ownership
  nice tcbck -n tree
  or tripwire
9.2.1.2 Network ports visible
9.2.1.3 Network traffic / intrusion
9.2.2 Log Statistics
9.2.3 Log Exception monitoring
9.2.4 Availability / reliability: Processes, ping hosts, snmp, rpc, remote check of specific services
9.2.5 Example Schedules: Daily, Weekly, Monthly
Software Patches
• On system installation the latest security/recommended patches for the Operating System and applications are to be installed.
• As time goes by, new weaknesses and corresponding patches will be published and these must be installed on the system within two months. Alternatively a 'patch strategy' for the system must be defined and approved that consists of:
  a) How is notification of new relevant patches realised?
  b) How often are patches applied?
  c) Patch procedure, for example: test patches on a test system, plan downtime, prepare rollback in case of failure, apply patches, monitor for problems, document results.
• How do you decide whether a weakness is worth patching?
  a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed to a hostile environment like the Internet, install it fast.
  b) If the weakness concerns a local exploit of a tool not normally used, not a daemon, and on a host where only root or administrator accounts exist, it may be enough to install the patch together with a bundle at the scheduled intervals.
  c) If the weakness concerns a local exploit of a tool on a host where non-administrative users have accounts with shell access, urgent action is advised.
  d) If the system runs highly specialised software like databases, clusters etc., be very wary of installing Kernel, IO and driver patches. It is advisable to test patches on a separate system first.
13. References
[1] AIX 4.3 Network Hardening, Information Systems and Technology, University of Waterloo. http://ist.uwaterloo.ca/security/howto/2001-01-15 and http://ist.uwaterloo.ca/security/howto/2001-01-15/aix-network-harden.tar. A PDF version has been created: http://boran.dyndns.org/aix
[2] AIX - RS/6000 Documentation Library (IBM)
• Frequently Asked Questions about AIX and the IBM RS/6000 (Usenix posting). Also a pdf version for printing.
• AIX 4.3 Elements of Security: Effective and Efficient Implementation, by Kosuge, Arminguad, Chew, Horne & Witteveen, 18-Aug-2000. Also a pdf version for printing.
• Additional AIX Security Tools on IBM pSeries, IBM RS/6000 and SP/Cluster, by Farazdel, Genty, Kerouanton & Khor, 20-Dec-2000. Also a pdf version for printing.
• Exploiting RS/6000 SP Security: Keeping It Safe, by Farazdel, DeRobertis, Genty, Kreuger & Wilkop, 21-Sep-2000. Also a pdf version for printing.
Auditing notes
Several "check" commands (grpck, usrck, pwdck and tcbck) and "list" commands (lsuser and lsgroup) are available for use by root or anyone in the security group.
The grpck, usrck and pwdck commands require a flag to indicate whether the system should try to fix erroneous attributes.
Flags are: -n Reports errors but does not fix them, e.g. grpck -n ALL
lsgroup -f ALL >> /tmp/check
lsuser -f ALL >> /tmp/check
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 213
bull Keep things simple it is expected that only one or two services will run on a host Use several
machines rather than one superserver that does everything Its easier to isolate applications hardenand troubleshoot Be minimalist only run what is absolutely necessary
bull Hardware Consider installation via the serial port console get rid of the keyboard screen and
framebuffer ie avoid using X11 and get to know the command line Have an isolated trusted
network available for testingTBD can AIX do this
bull Know exactly what the system is supposed to do what its hardware configuration will be etchardening is generic and may break certain functions eg AIXwindowsCDE may need RPC to run but you really dont want RPC running on a sensitive host
bull Its important to understand how the applications work (how they use ports devices files) to judge
what hardening is possible and to assess the risk posed
2 Initial OS installation
TBD
bull boot via serial console
bull installation example
bull additional OS packages
bull partitioning
bull patch bundle
Minimize network services
Principles
Network services present a significant risk to security
bull Only enable the strict minimum of services needed The number system processes listed by ps ndashef
or equivalent should be less than 10
bull Use encrypted tools (like SSH) rather than clear-text network logins (eg telnet 3270 ftp rlogin
rcmd)
bull Keeping up to date with security patches on network daemons is particularly important
bull Daemons should run as non-root users
bull Daemons should chroot to a dedicated directory
bull
Use encryption where possible to prevent snooping or replay attacksbull Services must use minimal umask file permissions etc
bull Strong authentication (with token or lists) should be considered for critical services
bull Applications should package structure
Minimise Inetd network Services
Inetd a process which automatically starts certain daemons such as telnet ftp if connections are made
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 313
Inetd services can be enabled or disabled with the command chsubserver on AIX Likewise after changes to
inetd configuration the daemon needs to be send a hang-up signal - refresh -s inetd For example
[server1] chsubserver -d -v daytime -p udp[server1] chsubserver -d -v daytime -p tcp
[server1] grep daytime etcinetdconf
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
It is recommended that ALL services except the following be disabled
TBD list
The can be achieved with the following commands
chsubserver -d -v daytime -p udpchsubserver -d -v daytime -p tcp
TBD list
securetcpip
Special services which may be needed (discuss what measures to take for each one)
1 ftp2 telnet
3 other
4 tftp - for diskless booting etctftpaccessctl
Minimize etcrctcpip network services
A description of what services are started in etcrctcpip and how they can be changed with chrctcp
usrsbinno -o clean_partial_conns=1
usrsbinno -o bcastping=0
usrsbinno -o directed_broadcast=0usrsbinno -o ipignoreredirects=1
usrsbinno -o ipsendredirects=0
usrsbinno -o ipsrcroutesend=0usrsbinno -o ipsrcrouterecv=0
usrsbinno -o ipsrcrouteforward=0
usrsbinno -o ip6srcrouteforward=0
usrsbinno -o icmpaddressmask=0usrsbinno -o nonlocsrcroute=0
usrsbinno -o tcp_pmtu_discover=0
usrsbinno -o udp_pmtu_discover=0usrsbinno -o ipforwarding=0
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 413
Minimize etcrcnfs network services
A description of etcrcnfs
etcexports
secure nfs usrsecretdata -secure
Minimize inittab services
A description of what services are started in etcinittab and how they can be changed with mkitab and
rmitab
Minimize other services
bull Restrict AIXwindowsCDE login to console
o The xss command uses the enhanced MIT screen saver extensions
o xauth xhost
bull Disable anonymous ftp
bull Disable anonymous ftp writes
bull Disable ftp to system accounts
bull Lock down root access
The default configuration allows telnet and rlogin access to the root account This can be configured
in the etcsecurityuser file -- set the rlogin option to false for all system accounts System
managers should login to their account and then su so we have an audit trail
bull disable SNMP readWrite communities
The default SNMP configuration includes these readWrite communities
[server1] grep readWrite etcsnmpdconf
readOnly writeOnly readWrite The default permission is readOnly
community private 127001 255255255255 readWritecommunity system 127001 255255255255 readWrite 1172
bull routing
bull
nis nis+bull
Kernel Tuning
bull If possible configure the system option to reduce stack overflow attacks limit core file size
bull Configure the OS for strong TCP sequencing resistance to syn flooding and similar DOS attacks
bull TBD broadcasts amp multicasts
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 513
Logging
The default syslogd(8) configuration does nothing -- you wont get any important messages logged unless
you configure the file etcsyslogconf
Only programs that are writing into audit logs should have write access to these log files
Consider splitting logs by applications and priority Consider centralised logging analysis of usage statistics
and reporting of exceptions Consider logging more that the UNIX defaults
bull log rotate archiving
bull Enable SU logging to console in etcdefaultsu
bull Enable logging of failed attempts to login touch varlogloginlog chmod 600 varlogloginlog
chgrp sys varlogloginlog
TBD
bull errpt| more
File Directory Access Control
51 Root directory
52 Application and System files and directories
53 System directories
54 Login Shell scripts
55 Home Directories
56 SUID and SGID programs
57 Dangerous files
58 Filesystem mounting
etcfilesystems
To reduce the risk of trojan horses and unauthorised modifications in etcvfstab mount with options
remountnosuid var with nosuid tmp with size=100mnosuid (allow tmp to only use 100MB of
swap space and disallow execution of SUID programs)
Virus scanning
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 613
Use the command virscan on filesystems that may contain files that are transferred to from PCs
ACLs
ACL commands aclget Gets the ACL for a file aclput Sets the ACL for a file acledit Combines aclget andaclput
System Authentication Access Control
Batch Utilities atcron
Users are not allowed to use cron or at access to these tools to be restricted accordingly System accounts
should be explicitly given access if needed Enable logging of cron activity Ensure that all command scripts
that are to be executed with root privilege by cron at or batch are owned by root and set to mode 755 or more restrictive
Devices disks tty
Consider setting restrictive permissions on raw disk devices used by databases
Ports In etcsecuritylogincfgor via smit login_port we could set
Port NAME devttyp0Allowed LOGIN TIMES []
Login RETRY DELAY [0]
Number of FAILED LOGINS before port is locked [0]INTERVAL for counting failed logins [0]
REENABLE DELAY for locked port [0]
Login Banners
Edit etcsecuritylogincfg or try
chsec -f etcsecuritylogincfg -s default -a herald= NOTICE TO USERSrnrnUse of this machine waivesall rights to your privacyrnr and is consent to be monitoredrnrUnauthorized use
prohibitedrnrnrnlogin
Consoles amp boot security
bull Should we set the power-on password
o The power-on password protection is effective against reset as well as power-on and means
the system cant be booted from CD to bypass password controls
o Alternatively leave only hard disk in the boot device sequence and set the privileged-access
password The system will boot only from hard disk
o If the machine is already in a physically secure room this may create more trouble than its
worth (convenience) It is recommended that at least Unattended start mode be enabled
bull Cover lock key
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 713
bull Privileged-access password for firmware access If you set both power-on and privileged-access
passwords only privileged-access password is required to start SMS
s2TCB Auditing
TCB is a good tool to detect penetrations and configuration changes It is not installed by default You have
the option to install TCB during the initial installation It cannot be added without reinstalling AIX
etcsecurityauditconfig
TCB monitors over 600 files plus the devices (dev) by default It stores these files in an ASCII fileetcsecuritysysckcfg Make a backup of this file to a floppy disk and write protect it immediately
We should be able to use this as an alternative to tripwire
The installp command automatically updates the TCB when you install PTFs ie patches) However E-
Fixes naturally do not update TCB So if you apply an E-Fix to your system you will need to manually
update TCB
Store TCB read-only on floppy with backup config
User Accounts and Environment

General policy

• Ensure that encrypted passwords are only stored in /etc/security/passwd and not in /etc/passwd.
• Define standard UID/GID ranges.
• Groups:
  o Define standard groups; add them to the system install.
  o Define standard members of the security (auditors) and system (sysadmins) groups.

User account policy

• TBD: edit /etc/environment, /etc/profile, /etc/security/environ, /etc/security/.profile and /usr/lib/security/mkuser.sys; set the default user environment (MANPATH, TMOUT=3600, TIMEOUT=3600, PS1, umask) in /etc/profile, /etc/login and .profile.
• We can set several security-relevant account details, for example via smit mkuser or by editing /etc/security/user. TBD: define standards/examples and test them (especially with SSH). I've started adding some example settings in green. (In this plain-text copy the green values appear as "example:" values.)

   1 User NAME                                              []
   3 ADMINISTRATIVE USER                                    false
   4 Primary GROUP                                          []
   6 ADMINISTRATIVE GROUPS                                  []
   7 ROLES                                                  []
   8 Another user can SU TO USER                            true
   9 SU GROUPS                                              [ALL]
  11 Initial PROGRAM                                        []
  13 EXPIRATION date (MMDDhhmmyy)                           [0]
  14 Is this user ACCOUNT LOCKED                            false
  15 User can LOGIN                                         true
  16 User can LOGIN REMOTELY                                true
  17 Allowed LOGIN TIMES                                    []         example: 0600-2000
  18 Number of FAILED LOGINS before user account is locked  [0]        example: 5
  19 Login AUTHENTICATION GRAMMAR                           [compat]
  20 Valid TTYs                                             [ALL]      example: []
  21 Days to WARN USER before password expires              [0]
  22 Password CHECK METHODS                                 []
  23 Password DICTIONARY FILES                              []         example: /usr/share/dict/words (and add others from John the Ripper)
  24 NUMBER OF PASSWORDS before reuse                       [0]        example: 8  (password history size, histsize)
  25 WEEKS before password reuse                            [0]        example: 26 (minimum weeks before reuse, histexpire)
  26 Weeks between password EXPIRATION and LOCKOUT                     example: 4  (maxexpired)
  27 Password MAX AGE                                                  example: 12 or 24
  28 Password MIN AGE                                                  example: 0
  29 Password MIN LENGTH                                               example: 6
  30 Password MIN ALPHA characters                                     example: 4
  31 Password MIN OTHER characters                                     example: 1
  32 Password MAX REPEATED characters                                  example: 3
  33 Password MIN DIFFERENT characters                                 example: 3
  34 Password REGISTRY
     loginretries 20

  The following settings limit how much system resource a user can consume; some high limits could be set:

  35 Soft FILE size
  36 Soft CPU time
  37 Soft DATA segment
  38 Soft STACK size
  39 Soft CORE file size                                    [2097151]  example: 0
  40 Hard FILE size                                         []
  41 Hard CPU time                                          []
  42 Hard DATA segment                                      []
  43 Hard STACK size                                        []
  44 Hard CORE file size                                    []         example: 0
  45 File creation UMASK                                    [022]      example: 027
  46 AUDIT classes                                          []
  47 TRUSTED PATH                                           nosak
  48 PRIMARY authentication method                          [SYSTEM]
  49 SECONDARY authentication method                        [NONE]

• Set user defaults for the above in:
  o /usr/lib/security/mkuser.default
  o /etc/security/user
  o /etc/security/limits
  o /etc/security/login.cfg
  o /usr/lib/security/mkuser.sys
• User restricted shell
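The following is an added example, not code from the draft or from IBM. It turns the example settings above into something checkable: a small sh/awk script that reads the stanza layout used by /etc/security/user (lsuser -f ALL prints the same "stanza:" / "attr=value" layout, so captured output can be checked the same way), reports attributes in a stanza that fall short of the policy, and prints the chsec commands that would apply the values. The thresholds are the example values from the list (minlen 6, histsize 8, maxage 12, umask 027, 5 failed logins, and so on) and are assumed here to be the agreed standard; the sample stanza written by write_sample_file is constructed for the demo, not taken from a real host. Only sh and awk are used, so a copy of the file can be audited off-box.

```shell
#!/bin/sh
# Added example, not part of the original draft: audit a stanza of an
# /etc/security/user style file against the example account policy listed
# above, and print the chsec(1) commands that would apply it. The sample
# stanza written by write_sample_file is constructed, not from a real host.

# Policy: attribute, comparison, threshold, value-to-set. Thresholds are the
# example settings from the list above (assumed here as the agreed standard).
POLICY='minlen ge 6 6
minalpha ge 4 4
minother ge 1 1
maxrepeats le 3 3
mindiff ge 3 3
histsize ge 8 8
histexpire ge 26 26
maxage between 1:12 12
maxexpired between 0:4 4
loginretries between 1:5 5
umask eq 027 027'

stanza_get() {
    # $1 = file, $2 = stanza name, $3 = attribute; prints the value or nothing.
    # Accepts "attr = value" (/etc/security/user) and "attr=value" (lsuser -f)
    # and skips "*" comment lines.
    awk -v s="$2" -v a="$3" '
        /^\*/ { next }
        /^[^ \t].*:[ \t]*$/ { n = $0; sub(/:[ \t]*$/, "", n); in_s = (n == s); next }
        in_s {
            line = $0; sub(/^[ \t]+/, "", line)
            p = index(line, "="); if (p == 0) next
            k = substr(line, 1, p - 1); v = substr(line, p + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == a) { print v; exit }
        }' "$1"
}

check_value() {
    # $1 = configured value, $2 = comparison, $3 = threshold; 0 when compliant.
    case $2 in
        ge)      [ "$1" -ge "$3" ] ;;
        le)      [ "$1" -le "$3" ] ;;
        between) [ "$1" -ge "${3%:*}" ] && [ "$1" -le "${3#*:}" ] ;;
        eq)      [ "$1" = "$3" ] ;;
        *)       return 2 ;;
    esac
}

audit_stanza() {
    # $1 = file, $2 = stanza; prints one line per violation, returns 1 if any.
    # A missing attribute means the AIX default applies, which is weaker than
    # the policy for every attribute listed, so it is reported as well.
    as_rc=0
    while read -r as_attr as_op as_want as_set; do
        [ -n "$as_attr" ] || continue
        as_have=$(stanza_get "$1" "$2" "$as_attr")
        if [ -z "$as_have" ]; then
            echo "$2: $as_attr not set (AIX default applies), want $as_op $as_want"
            as_rc=1
        elif ! check_value "$as_have" "$as_op" "$as_want"; then
            echo "$2: $as_attr = $as_have, want $as_op $as_want"
            as_rc=1
        fi
    done <<EOF
$POLICY
EOF
    return $as_rc
}

policy_commands() {
    # Print the chsec invocations that would apply POLICY to stanza $1.
    while read -r pc_attr pc_op pc_want pc_set; do
        [ -n "$pc_attr" ] || continue
        echo "chsec -f /etc/security/user -s $1 -a $pc_attr=$pc_set"
    done <<EOF
$POLICY
EOF
}

write_sample_file() {
    # Constructed sample in /etc/security/user layout (not a real system file).
    cat > "$1" <<'EOF'
* constructed sample stanza file for the audit demo
default:
        umask = 027
        loginretries = 0
        minlen = 8
        minalpha = 0
        minother = 0
        maxrepeats = 2
        mindiff = 0
        histsize = 0
        histexpire = 0
        maxage = 0
        maxexpired = -1

root:
        rlogin = true
EOF
}

# Stand-alone demo: audit the constructed sample, then show the remediation.
demo_file=$(mktemp) || exit 1
write_sample_file "$demo_file"
audit_stanza "$demo_file" default
echo "--- commands that would apply the policy:"
policy_commands default
rm -f "$demo_file"
```

On a real host the same functions would be pointed at a copy of /etc/security/user, or at a file produced by lsuser -f ALL as in the auditing notes at the end of this document; the printed chsec lines are what an administrator would run (or compare against the SMIT screen above) to bring the default stanza in line.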
Temporary accounts

TBD
• Ensure an expiry date is set.

Temporary access to existing accounts

TBD

Application/daemon account policy

• Ensure that the password is blocked and the shell is set to /dev/null for all system accounts except root and the sysadmin users.
• A system default of umask 027 or tighter is required.

Administrator/Privileged access account policy

• Set PATH (no system directories first) and other variables (e.g. TERM, IFS, LIBRARY PATH, MANPATH) in .profile and .cshrc or .login.
• The tsh shell is a good security tool: it only allows you to run programs that are in the TCB and have the TCB mode set. We should at least recommend its usage.
• Only allow root to be accessed via su (not console or network login):
    smit chuser
      Another user can SU TO USER    true
      User can LOGIN                 false
      User can LOGIN REMOTELY        false
  TBD: I think we should allow root to login to the console.
• A system default of umask 027 or tighter is required.

TBD
• Extended attributes
• For sensitive accounts: one common method of increasing login security is to require two passwords to authenticate an account. This is called "2 key authentication".
• SAK: in /etc/security/login.cfg, add sak_enabled=true to the "default" stanza.
• Roles: an alternative method of assigning sysadmin privileges, maybe an alternative to sudo or the commercial equivalent.
    ManageBasicUsers       chsec chuser lsuser mkuser
    ManageAllUsers         chfn chsec chuser mkuser rmuser chrole mkrole lsrole rmrole chsec lssec pwdadm chgroup chgrpmem chsec mkgroup rmgroup chsec chuser lsuser mkuser
    ManageBasicPasswords   pwdadm
    ManageAllPasswords     chsec lssec pwdadm
    ManageRoles            chrole mkrole lsrole rmrole
    ManageBackupRestore    backup restore
    ManageBackup           backup
    ManageShutdown         shutdown
    RunDiagnostics         diag
  The chuser command is used when adding a role to, or removing a role from, an existing user. See also /etc/security/user.roles and /etc/security/roles, and smit:
    smit chrole   To change the attribute values
    smit lsrole   To display the attributes and their values
    smit mkrole   To create an entry for each new role in /etc/security/roles
    smit rmrole   To remove a role
Install additional security tools

At this stage standard tools/utilities are going to be installed, the most important being SSH. These tools should already have been compiled and tested extensively on another machine. They are typically transferred as tar files by CD or FTP.

• AIX tools - C2
  o IP Security (IPSec) port filtering permits AIX to filter incoming IP packets based on combinations of source IP address (more generally a network and netmask), protocol (TCP or UDP) and port number. (Perhaps we don't need TCP wrappers: this filtering seems to be just as good, if a little complicated. It's like a local ipchains/IPfilter.)
  o IP Security (IPSec) encryption
  o DACinet permits arbitrary ports (above 1024) to be designated as privileged, so that they may only be bound to a socket created by the super-user. Examples would include ports used by Web-based System Manager and X11.
  o DACinet also provides a means of restricting the ability of users, based on user identity, to establish connections to TCP ports. (No similar feature is provided for UDP ports.) This feature extends the IPSec address-based notion of port filtering to permit only trusted users to establish connections to certain services (such as Web-based System Manager).
• Install SSH for login access. Configure the ssh daemon (/etc/sshd_config) so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled. Use .shosts rather than .rhosts if remote admin is needed. If telnetd/ftpd was still enabled, disable it in /etc/inetd.conf once you have tested SSH.
• Security
  o tripwire, lsof, md5, logcheck, rdist, tcp wrappers
  o possibly snort, tocsin
  o monitoring scripts
  o auditing scripts
• SysAdmin
  o perl, gzip, top

Create Tripwire image, backup, test

Test: do SSH and the standard tools work? Check log entries, check console messages. Does the system behave as expected?

• When all is working fine, freeze /usr and if possible /opt:
  Mount /usr and /opt read-only (in /etc/vfstab with the ro option). This reduces the risk of trojan horses and unauthorised modifications.
  Mount other partitions nosuid (SUID programs cannot assume other identities).
  Reboot. Run the mount command to check that the filesystem options are effective.
• If CD-ROMs are not needed for production, disable the volume manager (one less daemon, one less security worry). It can always be re-enabled if needed later:
    mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt
• At this stage install tripwire (or some other file checker that uses secure hashing algorithms), initialise its database and run regular checks to monitor for changes. If possible keep the tripwire master database on another machine or on write-once media. Even better, copy tripwire & its database and run it remotely at regular intervals using SSH; this makes it difficult for an attacker to know that tripwire is being used to check the system.
• Backup the system to two tapes, one offsite.
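To make the tripwire/tcbck step above concrete, here is an added example (not from the draft, and not tripwire's or IBM's code) of the workflow such a checker implements: take a baseline of mode, owner, group, size and a content checksum for every regular file under a tree, store it, and later report files that changed, appeared or disappeared. It uses only find, ls, cksum and awk so it runs anywhere; cksum is a CRC rather than a cryptographic hash, so this illustrates the baseline-and-compare procedure and is not a substitute for the tools the draft recommends. The directory tree in the demo is constructed inside a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original draft: a minimal file-integrity
# baseline in the spirit of the tcbck/tripwire check above. It records mode,
# owner, group, size and a CRC (cksum) for every regular file under a tree and
# reports entries that changed, appeared or disappeared since a stored baseline.
# cksum is a CRC, not a cryptographic hash, so this shows the workflow only;
# in production use tcbck or tripwire as the draft recommends.

baseline() {
    # $1 = directory tree; prints one "path|mode|owner|group|size|crc" line per
    # regular file, sorted so that two baselines can be compared directly.
    find "$1" -type f | LC_ALL=C sort | while read -r fpath; do
        set -- $(ls -ld "$fpath")        # mode links owner group size ...
        printf '%s|%s|%s|%s|%s|%s\n' "$fpath" "$1" "$3" "$4" "$5" \
            "$(cksum < "$fpath" | awk '{print $1}')"
    done
}

compare_baselines() {
    # $1 = stored baseline, $2 = fresh baseline; prints ADDED/CHANGED/REMOVED
    # lines, sorted. (The NR == FNR idiom assumes the stored baseline is not
    # empty; an empty stored baseline would be read as the fresh one.)
    awk -F'|' '
        NR == FNR { old[$1] = $0; next }
        { new[$1] = $0
          if (!($1 in old))       print "ADDED " $1
          else if (old[$1] != $0) print "CHANGED " $1 }
        END { for (p in old) if (!(p in new)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Stand-alone demo on a constructed tree: take a baseline, then alter content,
# permissions and membership of the tree and report the differences.
demo=$(mktemp -d) || exit 1
mkdir -p "$demo/tree/bin"
printf 'original\n' > "$demo/tree/bin/tool"
printf 'config\n'   > "$demo/tree/settings"
baseline "$demo/tree" > "$demo/baseline.txt"     # the stored baseline
printf 'appended\n' >> "$demo/tree/bin/tool"     # content change
chmod 4755 "$demo/tree/bin/tool"                 # SUID bit newly set
rm "$demo/tree/settings"                         # file removed
printf 'x\n' > "$demo/tree/bin/extra"            # file added
baseline "$demo/tree" > "$demo/current.txt"
compare_baselines "$demo/baseline.txt" "$demo/current.txt"
rm -rf "$demo"
```

In practice the stored baseline is the part to protect: keep it on another machine or write-once media, as the draft says for the tripwire database, and run the comparison from there over SSH so that a compromised host cannot simply regenerate it.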
Maintenance

Monitoring Tasks

9.2.1 Intrusion monitoring tasks
9.2.1.1 File integrity: size, permissions, ownership
    nice tcbck -n tree
  or tripwire
9.2.1.2 Network ports visible
9.2.1.3 Network traffic, intrusion
9.2.2 Log Statistics
9.2.3 Log Exception monitoring
9.2.4 Availability, reliability: processes, ping hosts, snmp, rpc, remote check of specific services
9.2.5 Example Schedules: Daily, Weekly, Monthly

Software Patches

• On system installation, the latest security/recommended patches for the Operating System and applications must be installed.
• As time goes by, new weaknesses and corresponding patches will be published, and these must be installed on the system within two months. Alternatively a 'patch strategy' for the system must be defined and approved that consists of:
  a) How is notification of new, relevant patches realised?
  b) How often are patches applied?
  c) Patch procedure: for example, test patches on a test system, plan downtime, prepare rollback in case of failure, apply patches, monitor for problems, document results.
• How do you decide whether a weakness is worth patching?
  a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed to a hostile environment like the Internet, install it fast.
  b) If the weakness concerns a local exploit of a tool not normally used, not a daemon, and on a host where only root or administrator accounts exist, it may be enough to install the patch together with a bundle at the scheduled intervals.
  c) If the weakness concerns a local exploit of a tool on a host where non-administrative users have accounts with shell access, urgent action is advised.
  d) If the system runs highly specialised software like databases, clusters etc., be very wary of installing kernel, I/O and driver patches. It is advisable to test patches on a separate system first.
References

[1] AIX 4.3 Network Hardening, Information Systems and Technology, University of Waterloo.
    http://ist.uwaterloo.ca/security/howto/2001-01-15
    http://ist.uwaterloo.ca/security/howto/2001-01-15/aix-network-harden.tar
    A PDF version has been created: http://boran.dyndns.org/aix
[2] AIX - RS/6000 Documentation Library (IBM)
    • Frequently Asked Questions about AIX and the IBM RS/6000 (Usenix posting). Also a PDF version for printing.
    • AIX 4.3 Elements of Security: Effective and Efficient Implementation, by Kosuge, Arminguad, Chew, Horne & Witteveen, 18-Aug-2000. Also a PDF version for printing.
    • Additional AIX Security Tools on IBM pSeries, IBM RS/6000 and SP/Cluster, by Farazdel, Genty, Kerouanton & Khor, 20-Dec-2000. Also a PDF version for printing.
    • Exploiting RS/6000 SP Security: Keeping It Safe, by Farazdel, DeRobertis, Genty, Kreuger & Wilkop, 21-Sep-2000. Also a PDF version for printing.
Auditing notes

Several "check" commands (grpck, usrck, pwdck and tcbck) and "list" commands (lsuser and lsgroup) are available for use by root or anyone in the security group.

The grpck, usrck and pwdck commands require a flag to indicate whether the system should try to fix erroneous attributes. Flags are: -n reports errors but does not fix them, e.g.
    grpck -n ALL
    lsgroup -f ALL >> /tmp/check
    lsuser -f ALL >> /tmp/check
s2TCB Auditing
TCB is a good tool to detect penetrations and configuration changes It is not installed by default You have
the option to install TCB during the initial installation It cannot be added without reinstalling AIX
etcsecurityauditconfig
TCB monitors over 600 files plus the devices (dev) by default It stores these files in an ASCII fileetcsecuritysysckcfg Make a backup of this file to a floppy disk and write protect it immediately
We should be able to use this as an alternative to tripwire
The installp command automatically updates the TCB when you install PTFs ie patches) However E-
Fixes naturally do not update TCB So if you apply an E-Fix to your system you will need to manually
update TCB
Store TCB read-only on floppy with backup config
User Accounts and Environment
General policy
bull Ensure that encrypted passwords are only stored in etcsecuritypasswd and not etcpasswd
bull Define standard UIDGID ranges
bull Groups
o Define standard groups add to system install
o Define standard members of security (auditors) and system (sysadmins) groups
User account policy
bull TBD edit etcenvironment etcprofile etcsecurityenviron etcsecurityprofile
usrlibsecuritymkusersys set default user environmentMANPATH TMOUT=3600 TIMEOUT=3600 PS1 umask) in etcprofile etclogin and profile
bull
We can set several security relevant account details for example via smit mkuser or editingetcsecurityuser
TBD define standardsexamples and test (especially with SSH) - Ive started adding some examplesettings in green
1 User NAME []3 ADMINISTRATIVE USER false
4 Primary GROUP []
6 ADMINISTRATIVE GROUPS []7 ROLES []
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 813
8 Another user can SU TO USER true
9 SU GROUPS [ALL]
11 Initial PROGRAM []
13 EXPIRATION date (MMDDhhmmyy) [0]14 Is this user ACCOUNT LOCKED false
15 User can LOGIN true16 User can LOGIN REMOTELY true17 Allowed LOGIN TIMES [] 0600-2000
18 Number of FAILED LOGINS before [0] user account is locked 5
19 Login AUTHENTICATION GRAMMAR [compat]20 Valid TTYs [ALL] []
21 Days to WARN USER before password expires [0]
22 Password CHECK METHODS []
23 Password DICTIONARY FILES [] usrsharedictwords (and add others from John the ripper)
24 NUMBER OF PASSWORDS before reuse [0]
Password History size - histsize 825 WEEKS before password reuse [0]
Password reuse min - histexpire 26
26 Weeks between password EXPIRATION and LOCKOUTPassword maxexpired 4
27 Password MAX AGE 12 or 24
28 Password MIN AGE 029 Password MIN LENGTH 6
30 Password MIN ALPHA characters 4
31 Password MIN OTHER characters 1
32 Password MAX REPEATED characters 3
33 Password MIN DIFFERENT characters 334 Password REGISTRY
loginretries 20
following setting limit how much system resources can be used
some high limits could be set35 Soft FILE size
36 Soft CPU time
37 Soft DATA segment38 Soft STACK size
39 Soft CORE file size [2097151] 0
40 Hard FILE size []41 Hard CPU time []42 Hard DATA segment []
43 Hard STACK size []
44 Hard CORE file size [] 0
45 File creation UMASK [022] 027
46 AUDIT classes []47 TRUSTED PATH nosak
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 913
48 PRIMARY authentication method [SYSTEM]
49 SECONDARY authentication method [NONE]
bull Set user defaults for above
bull usrlibsecuritymkuserdefault
bull etcsecurityuser bull etcsecuritylimits
bull etcsecuritylogincfg
bull usrlibsecuritymkusersysbull User restricted shell
Temporary accounts
TBD
bull Ensure expiry date set
Temporary access to existing accounts
TBD
Applicationdaemon account policy
bull Ensure that the password is blocked and shell is set to devnull for all system accounts except root
and sysadmin users
bull A system default of umask 027 or tighter is required
AdministratorPrivileged access account policy
bull Set PATH (no system directories first) and other variables (eg TERM IFS LIBRARY PATH
MANPATH) in profile and cshrc or login
bull The tsh shell is a good security tool It only allows you to run programs that are in the TCB and have
the TCB mode set We should at least recommend its usagebull Only allow root to be access via su (not console or network login)
smit chuser
Another user can SU TO USER true
User can LOGIN falseUser can LOGIN REMOTELY false
TBD I think we should allow root to login to the consolebull A system default of umask 027 or tighter is required
TBD
bull Extended attributes
bull For sensitive accounts One common method of increasing login security is to require two passwords
to authenticate an account This is called ldquo2 key authenticationrdquo
bull SAK etcsecuritylogincfg to the ldquodefaultrdquo stanza sak_enabled=true
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1013
bull roles an alternative method of assigning sysadmin privileges Maybe an alternative to sudo or the
commercial equivalentManageBasicUsers chsec chuser lsuser mkuser
ManageAllUsers chfn chsec chuser mkuser rmuser chrole mkrole lsrole rmrole chsec lssec
pwdadm chgroup chgrpmem chsec mkgroup rmgroup chsec chuser lsuser mkuser ManageBasicPasswords pwdadm
ManageAllPasswords chsec lssec pwdadm
ManageRoles chrole mkrole lsrole rmroleManageBackupRestore backup restoreManageBackup backup
ManageShutdown shutdown
RunDiagnostics diag
The chuser command is used when addingremoving a role to an existing user
See also etcsecurityuserroles and etcsecurityroles and smitsmit chrole To change the attribute values
smit lsrole To display the attributes and their values
smit mkrole To creates an entry for each new role in the etcsecurityroles
smit rmrole To remove a role
top
Install additional security tools
At this stage standard toolsutilities are going to be installed the most important being SSH These tools
should already have been compiled and tested extensively on another machine They are typically transferredas tar files by CD or FTP
bull AIX tools - C2
bullIP Security (IPSec) port filtering permits AIX to filter incoming IP packets
based on combinations of source IP address (more generally a network
and netmask) protocol (TCP or UDP) and port number
(perhaps we dont need TCP wrappers this filtering seems to be just as good if not a littlecomplicated Its like a local IpchainsIPfilter)
bullIP Security (IPSec)encryption
bull DACinet permits arbitrary ports (above 1024) to be designated as
privileged so that they may only be bound to a socket created by the
super-user Examples would include ports used by Web-based SystemManager and X11
bull DACinet also provides a means of restricting the ability of users based on
user identity to establish connections to TCP ports (No similar feature is provided for UDP ports) This feature extends the IPSec address-based notion of port filtering to
permit only trusted users to establish connections to certain services (such as Web-based System
Manager)
bull Install SSH for login access Configure the ssh daemon (etcsshd_config) so that access is restricted
to named hosts with known public keys (etcssh_known_hosts) and rhosts authentication is disabled
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1113
Use shosts rather than rhosts if remote admin is needed If telnetdftpd was still enabled disable it
in etcinetdconf once you have tested SSH
bull Security
o tripwire lsof md5 logcheck rdist tcp wrappers
o possibly snort tocsin
o monitoring scripts
o auditing scripts
bull SysAdmino perl gzip top
Create Tripwire image backup test
Test - Do SSH and the standard tools work Check log entries check console messages Does the system
behave as expected
bull When all is working fine freeze usr and if possible opt
Mount usr and opt read-only (in etcvfstab with ro option) This reduces the risk of trojan horses andunauthorised modifications
Mount other partitions nosuid (SUID programs cannot assume other identities)
RebootRun the mount command to check that filesystems options are effective
bull If CD-ROMS are not needed for production disable the volume manager (one less daemon one less
security worry) It can always be re-enabled if needed later
mv etcrc2dS92volmgt etcrc2dS92volmgt
bull At this stage install tripwire (or some other filechecker that uses secure hashing algorithms) initialise
its database and run regular checks to monitor for changes If possible keep the tripwire master database on another machine or write-once media Even better copy tripwire amp its database and run
it remotely at regular intervals using SSH This makes it difficult for an attacker to know that tripwireis being used to check the system
bull Backup the system to two tapes one offsite
Maintenance
Monitoring Tasks
921 Intrusion monitoring tasks
9211 File integrity size permissions ownership
nice tcbck -n tree
or tripwire
9212 Network ports visible9213 Network traffic intrusion
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1213
922 Log Statistics
923 Log Exception monitoring
924 Availability reliabilityProcesses ping hosts snmp rpc remote check of specific services
925 Example Schedules Daily Weekly Monthly
Software Patches
bull On system installation the latest security recommended patches for the Operating System and
applications be installed
bull As time goes by new weaknesses and corresponding patches will be published and these must be
installed on the system within two months Alternatively a lsquopatch strategyrsquo for the system must be
defined and approved that consists ofa) How is notification of new relevant patches realised
b) How often are patches applied
c) Patch procedure for example test patches on a test System plan downtime prepare rollback in
case of failure apply patches monitor for problems document resultsbull How do you decide whether a weakness is worth patching
a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed
to a hostile environment like the Internet install it fast b) If the weakness concerns a local exploit of a tool not normally used not a daemon and on a host
where only root or administrator accounts exist it may be enough to install the patch together with a
bundle at the scheduled intervalsc) If the weakness concerns a local exploit of a tool on a host where non-administrative users have
accounts with shell access urgent action is advised
d) If the systems runs highly specialised software like databases clusters etc be very wary of installing Kernel IO and driver patches It is advisable to test patches on a separate system first
References
[1] AIX 43 Network Hardening
Information Systems and Technology University of Waterloohttpistuwaterloocasecurityhowto2001-01-15
httpistuwaterloocasecurityhowto2001-01-15aix-network-hardentar
A PDF version has been createdhttpborandyndnsorgaix
[2] AIX - RS6000 Documentation Library (IBM)
bull Frequently Asked Questions about AIX and the IBM RS6000 (Usenix posting) Also a pdf version
for printing
bull AIX 43 Elements of Security Effective and Efficient Implementation (by) Kosuge Arminguad
Chew Horne amp Witteveen 18-Aug-2000 Also a pdf version for printing
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1313
bull Additional AIX Security Tools on IBM pSeries IBM RS6000 and SPCluster (by) Farazdel Genty
Kerouanton amp Khor 20-Dec-2000 Also a pdf version for printing
bull Exploiting RS6000 SP Security Keeping It Safe (by) Farazdel DeRobertis Genty Kreuger amp
Wilkop 21-Sep-2000 Also a pdf version for printing
Auditing notes
Several ldquocheckrdquo commands (grpck usrck pwdck and tcbck) and ldquolistrdquocommands (lsuser and lsgroup) are available for use by root or anyone in thesecurity group
The grpck usrck and pwdck commands require a flag to indicate whether the
system should try to fix erroneous attributes
Flags are -n Reports errors but does not fix them eggrpck -n ALL
lsgroup -f ALL gtgt tmpcheck
lsuser -f ALL gtgt tmpcheck
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 413
Minimize etcrcnfs network services
A description of etcrcnfs
etcexports
secure nfs usrsecretdata -secure
Minimize inittab services
A description of what services are started in etcinittab and how they can be changed with mkitab and
rmitab
Minimize other services
bull Restrict AIXwindowsCDE login to console
o The xss command uses the enhanced MIT screen saver extensions
o xauth xhost
bull Disable anonymous ftp
bull Disable anonymous ftp writes
bull Disable ftp to system accounts
bull Lock down root access
The default configuration allows telnet and rlogin access to the root account This can be configured
in the etcsecurityuser file -- set the rlogin option to false for all system accounts System
managers should login to their account and then su so we have an audit trail
bull disable SNMP readWrite communities
The default SNMP configuration includes these readWrite communities
[server1] grep readWrite etcsnmpdconf
readOnly writeOnly readWrite The default permission is readOnly
community private 127001 255255255255 readWritecommunity system 127001 255255255255 readWrite 1172
bull routing
bull
nis nis+bull
Kernel Tuning
bull If possible configure the system option to reduce stack overflow attacks limit core file size
bull Configure the OS for strong TCP sequencing resistance to syn flooding and similar DOS attacks
bull TBD broadcasts amp multicasts
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 513
Logging
The default syslogd(8) configuration does nothing -- you wont get any important messages logged unless
you configure the file etcsyslogconf
Only programs that are writing into audit logs should have write access to these log files
Consider splitting logs by applications and priority Consider centralised logging analysis of usage statistics
and reporting of exceptions Consider logging more that the UNIX defaults
bull log rotate archiving
bull Enable SU logging to console in etcdefaultsu
bull Enable logging of failed attempts to login touch varlogloginlog chmod 600 varlogloginlog
chgrp sys varlogloginlog
TBD
bull errpt| more
File Directory Access Control
51 Root directory
52 Application and System files and directories
53 System directories
54 Login Shell scripts
55 Home Directories
56 SUID and SGID programs
57 Dangerous files
58 Filesystem mounting
etcfilesystems
To reduce the risk of trojan horses and unauthorised modifications in etcvfstab mount with options
remountnosuid var with nosuid tmp with size=100mnosuid (allow tmp to only use 100MB of
swap space and disallow execution of SUID programs)
Virus scanning
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 613
Use the command virscan on filesystems that may contain files that are transferred to from PCs
ACLs
ACL commands aclget Gets the ACL for a file aclput Sets the ACL for a file acledit Combines aclget andaclput
System Authentication Access Control
Batch Utilities atcron
Users are not allowed to use cron or at access to these tools to be restricted accordingly System accounts
should be explicitly given access if needed Enable logging of cron activity Ensure that all command scripts
that are to be executed with root privilege by cron at or batch are owned by root and set to mode 755 or more restrictive
Devices disks tty
Consider setting restrictive permissions on raw disk devices used by databases
Ports In etcsecuritylogincfgor via smit login_port we could set
Port NAME devttyp0Allowed LOGIN TIMES []
Login RETRY DELAY [0]
Number of FAILED LOGINS before port is locked [0]INTERVAL for counting failed logins [0]
REENABLE DELAY for locked port [0]
Login Banners
Edit etcsecuritylogincfg or try
chsec -f etcsecuritylogincfg -s default -a herald= NOTICE TO USERSrnrnUse of this machine waivesall rights to your privacyrnr and is consent to be monitoredrnrUnauthorized use
prohibitedrnrnrnlogin
Consoles & boot security
• Should we set the power-on password?
o The power-on password protection is effective against reset as well as power-on and means
the system can't be booted from CD to bypass password controls.
o Alternatively, leave only the hard disk in the boot device sequence and set the privileged-access
password. The system will then boot only from hard disk.
o If the machine is already in a physically secure room this may create more trouble than it's
worth (convenience). It is recommended that at least "Unattended start mode" be enabled.
• Cover lock key
• Privileged-access password for firmware access. If you set both power-on and privileged-access
passwords, only the privileged-access password is required to start SMS.
TCB Auditing
TCB is a good tool to detect penetrations and configuration changes. It is not installed by default; you have
the option to install TCB during the initial installation. It cannot be added without reinstalling AIX.
/etc/security/audit/config
TCB monitors over 600 files plus the devices (/dev) by default. It records these files in an ASCII file, /etc/security/sysck.cfg. Make a backup of this file to a floppy disk and write-protect it immediately.
We should be able to use this as an alternative to tripwire.
The installp command automatically updates the TCB when you install PTFs (i.e. patches). However, E-Fixes
naturally do not update the TCB, so if you apply an E-Fix to your system you will need to manually
update the TCB.
Store the TCB read-only on floppy with a backup config.
User Accounts and Environment
General policy
• Ensure that encrypted passwords are only stored in /etc/security/passwd and not in /etc/passwd.
• Define standard UID/GID ranges.
• Groups
o Define standard groups; add to system install.
o Define standard members of the security (auditors) and system (sysadmins) groups.
User account policy
• TBD: edit /etc/environment, /etc/profile, /etc/security/environ, /etc/security/.profile,
/usr/lib/security/mkuser.sys; set the default user environment (MANPATH, TMOUT=3600, TIMEOUT=3600, PS1, umask) in /etc/profile, /etc/.login and .profile.
• We can set several security-relevant account details, for example via smit mkuser or by editing /etc/security/user.
TBD: define standards/examples and test (especially with SSH). I've started adding some example settings in green.
1 User NAME []
3 ADMINISTRATIVE USER false
4 Primary GROUP []
6 ADMINISTRATIVE GROUPS []
7 ROLES []
8 Another user can SU TO USER true
9 SU GROUPS [ALL]
11 Initial PROGRAM []
13 EXPIRATION date (MMDDhhmmyy) [0]
14 Is this user ACCOUNT LOCKED false
15 User can LOGIN true
16 User can LOGIN REMOTELY true
17 Allowed LOGIN TIMES [] (example: 0600-2000)
18 Number of FAILED LOGINS before user account is locked [0] (example: 5)
19 Login AUTHENTICATION GRAMMAR [compat]
20 Valid TTYs [ALL] (example: [])
21 Days to WARN USER before password expires [0]
22 Password CHECK METHODS []
23 Password DICTIONARY FILES [] (example: /usr/share/dict/words, and add others from John the Ripper)
24 NUMBER OF PASSWORDS before reuse [0] (password history size, histsize; example: 8)
25 WEEKS before password reuse [0] (password reuse minimum, histexpire; example: 26)
26 Weeks between password EXPIRATION and LOCKOUT (password maxexpired; example: 4)
27 Password MAX AGE (example: 12 or 24)
28 Password MIN AGE (example: 0)
29 Password MIN LENGTH (example: 6)
30 Password MIN ALPHA characters (example: 4)
31 Password MIN OTHER characters (example: 1)
32 Password MAX REPEATED characters (example: 3)
33 Password MIN DIFFERENT characters (example: 3)
34 Password REGISTRY
loginretries 20
The following settings limit how much system resource can be used; some high limits could be set:
35 Soft FILE size
36 Soft CPU time
37 Soft DATA segment
38 Soft STACK size
39 Soft CORE file size [2097151] (example: 0)
40 Hard FILE size []
41 Hard CPU time []
42 Hard DATA segment []
43 Hard STACK size []
44 Hard CORE file size [] (example: 0)
45 File creation UMASK [022] (example: 027)
46 AUDIT classes []
47 TRUSTED PATH nosak
48 PRIMARY authentication method [SYSTEM]
49 SECONDARY authentication method [NONE]
• Set user defaults for the above in:
• /usr/lib/security/mkuser.default
• /etc/security/user
• /etc/security/limits
• /etc/security/login.cfg
• /usr/lib/security/mkuser.sys
• User restricted shell
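In /etc/security/user the items above appear as the attributes minlen, minalpha, minother, maxrepeats, mindiff, histsize, histexpire, maxage, minage, maxexpired, loginretries, umask, logintimes, login, rlogin and su, and a user stanza inherits anything it does not set from the "default" stanza. As an added example (not part of the original draft), the script below audits a file in that stanza format against the example values from the table; the thresholds are assumptions taken from those example values and the sample file it writes is constructed, not a real system's configuration. The same parser reads the output of lsuser -f ALL, which uses the same "name:" / "attr=value" layout.

```sh
#!/bin/sh
# Added example, not part of the original draft.  Audits /etc/security/user
# (or "lsuser -f ALL" output) against assumed policy thresholds.

# audit_user_policy FILE
# Prints one FAIL line per violation and returns 1 if any were found.
audit_user_policy() {
    awk '
    BEGIN {
        # Attributes that must be at least the given value (assumed policy) ...
        n = split("minlen=6 minalpha=4 minother=1 mindiff=3 histsize=8 histexpire=26", parts, " ")
        for (i = 1; i <= n; i++) { split(parts[i], kv, "="); lo[kv[1]] = kv[2] + 0 }
        # ... and those that must be at most the given value.  For maxage and
        # loginretries a value of 0 disables the control entirely on AIX, so
        # 0 is reported as a violation as well.
        n = split("maxrepeats=3 maxage=12 maxexpired=4 loginretries=5", parts, " ")
        for (i = 1; i <= n; i++) { split(parts[i], kv, "="); hi[kv[1]] = kv[2] + 0 }
        zero_disables["maxage"] = 1; zero_disables["loginretries"] = 1
    }
    # Effective value: the user stanza first, then the default stanza.
    function eff(u, k) {
        if ((u, k) in val) return val[u, k]
        if (("default", k) in val) return val["default", k]
        return ""
    }
    function fail(u, k, why) { printf("FAIL %s %s: %s\n", u, k, why); fails++ }
    /^[ \t]*(\*|#)/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[^ \t:]+:[ \t]*$/ {                           # "name:" opens a stanza
        cur = $0; sub(/:.*$/, "", cur); order[++nst] = cur; next
    }
    cur != "" && index($0, "=") > 0 {               # "attr = value" inside a stanza
        k = $0; sub(/=.*$/, "", k); gsub(/[ \t]/, "", k)
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        val[cur, k] = v; next
    }
    END {
        for (i = 1; i <= nst; i++) {
            u = order[i]
            if (u == "default") continue
            for (k in lo) {
                v = eff(u, k)
                if (v == "") fail(u, k, "not set")
                else if (v + 0 < lo[k]) fail(u, k, v " is below the minimum " lo[k])
            }
            for (k in hi) {
                v = eff(u, k)
                if (v == "") fail(u, k, "not set")
                else if ((k in zero_disables) && v + 0 == 0) fail(u, k, "0 disables the control")
                else if (v + 0 > hi[k]) fail(u, k, v " is above the maximum " hi[k])
            }
            # umask 027 or tighter: group digit must drop write, other digit must be 7.
            um = eff(u, "umask")
            if (um !~ /^0?[0-7][2367]7$/) fail(u, "umask", "\"" um "\" is looser than 027")
            # root: no network logins; access via su (console login is left as per the TBD).
            if (u == "root" && eff(u, "rlogin") != "false") fail(u, "rlogin", "root may log in remotely")
        }
        exit (fails > 0)
    }' "$1"
}

# write_sample_user_file PATH: constructed stanza file (not taken from any
# real system) with one compliant user and two non-compliant ones.
write_sample_user_file() {
    cat > "$1" <<'EOF'
* constructed sample in /etc/security/user layout
default:
        admin = false
        login = true
        su = true
        rlogin = true
        umask = 027
        minlen = 6
        minalpha = 4
        minother = 1
        mindiff = 3
        maxrepeats = 3
        histsize = 8
        histexpire = 26
        maxage = 12
        minage = 0
        maxexpired = 4
        loginretries = 5
        logintimes = 0600-2000

root:
        admin = true
        rlogin = false
        loginretries = 0

alice:
        minlen = 4
        umask = 022
        maxage = 0

bob:
        admin = false
EOF
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_sample_user_file "$f" && audit_user_policy "$f"; rm -f "$f"
fi
```

On the sample, root is flagged for loginretries=0 and alice for minlen, umask and maxage; bob, who inherits everything from the default stanza, passes. Because the check works on effective values, a user who quietly overrides a default is reported just as one whose default was never tightened.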
Temporary accounts
TBD
• Ensure an expiry date is set.
Temporary access to existing accounts
TBD
Application/daemon account policy
• Ensure that the password is blocked and the shell is set to /dev/null for all system accounts except root
and sysadmin users.
• A system default of umask 027 or tighter is required.
Administrator/privileged access account policy
• Set PATH (no system directories first) and other variables (e.g. TERM, IFS, LIBRARY PATH,
MANPATH) in .profile and .cshrc or .login.
• The tsh shell is a good security tool: it only allows you to run programs that are in the TCB and have
the TCB mode set. We should at least recommend its usage.
• Only allow root to be accessed via su (not console or network login):
smit chuser
Another user can SU TO USER true
User can LOGIN false
User can LOGIN REMOTELY false
TBD: I think we should allow root to login to the console.
• A system default of umask 027 or tighter is required.
TBD
• Extended attributes
• For sensitive accounts: one common method of increasing login security is to require two passwords
to authenticate an account. This is called "2 key authentication".
• SAK: in /etc/security/login.cfg, add sak_enabled=true to the "default" stanza.
• Roles: an alternative method of assigning sysadmin privileges. Maybe an alternative to sudo or the
commercial equivalent.
ManageBasicUsers: chsec chuser lsuser mkuser
ManageAllUsers: chfn chsec chuser mkuser rmuser chrole mkrole lsrole rmrole chsec lssec
pwdadm chgroup chgrpmem chsec mkgroup rmgroup chsec chuser lsuser mkuser
ManageBasicPasswords: pwdadm
ManageAllPasswords: chsec lssec pwdadm
ManageRoles: chrole mkrole lsrole rmrole
ManageBackupRestore: backup restore
ManageBackup: backup
ManageShutdown: shutdown
RunDiagnostics: diag
The chuser command is used when adding a role to, or removing one from, an existing user.
See also /etc/security/user.roles and /etc/security/roles, and smit:
smit chrole: to change the attribute values
smit lsrole: to display the attributes and their values
smit mkrole: to create an entry for each new role in /etc/security/roles
smit rmrole: to remove a role
Install additional security tools
At this stage standard tools/utilities are going to be installed, the most important being SSH. These tools
should already have been compiled and tested extensively on another machine. They are typically transferred as tar files by CD or FTP.
• AIX tools - C2
• IP Security (IPSec) port filtering permits AIX to filter incoming IP packets
based on combinations of source IP address (more generally a network
and netmask), protocol (TCP or UDP) and port number.
(Perhaps we don't need TCP wrappers; this filtering seems to be just as good, if a little complicated. It's like a local ipchains/IPfilter.)
• IP Security (IPSec) encryption
• DACinet permits arbitrary ports (above 1024) to be designated as
privileged so that they may only be bound to a socket created by the
super-user. Examples would include ports used by Web-based System Manager and X11.
• DACinet also provides a means of restricting the ability of users, based on
user identity, to establish connections to TCP ports. (No similar feature is provided for UDP ports.) This feature extends the IPSec address-based notion of port filtering to
permit only trusted users to establish connections to certain services (such as Web-based System
Manager).
• Install SSH for login access. Configure the ssh daemon (/etc/sshd_config) so that access is restricted
to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled.
Use .shosts rather than .rhosts if remote admin is needed. If telnetd/ftpd were still enabled, disable them
in /etc/inetd.conf once you have tested SSH.
• Security
o tripwire, lsof, md5, logcheck, rdist, tcp wrappers
o possibly snort, tocsin
o monitoring scripts
o auditing scripts
• SysAdmin
o perl, gzip, top
Create Tripwire image, backup, test
Test: do SSH and the standard tools work? Check log entries, check console messages. Does the system
behave as expected?
• When all is working fine, freeze /usr and, if possible, /opt:
Mount /usr and /opt read-only (in /etc/vfstab with the ro option). This reduces the risk of trojan horses and unauthorised modifications.
Mount other partitions nosuid (SUID programs cannot assume other identities).
Reboot. Run the mount command to check that the filesystem options are effective.
• If CD-ROMs are not needed for production, disable the volume manager (one less daemon, one less
security worry). It can always be re-enabled if needed later:
mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt
• At this stage install tripwire (or some other file checker that uses secure hashing algorithms), initialise
its database and run regular checks to monitor for changes. If possible keep the tripwire master database on another machine or write-once media. Even better, copy tripwire & its database and run
it remotely at regular intervals using SSH. This makes it difficult for an attacker to know that tripwire is being used to check the system.
• Backup the system to two tapes, one offsite.
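Both the /etc/filesystems note under 5.8 above and the freeze step here come down to the same verification: after the reboot, does the mount command show /usr and /opt as ro and the other local filesystems as nosuid? As an added example (not from the original draft), the function below reads mount output and reports deviations from that policy. The sample output and the policy details (/, /usr and /opt exempt from nosuid because the system's own SUID binaries live there; /var and /tmp required to be separate filesystems) are assumptions for illustration; on a real host run mount | audit_mount_options.

```sh
#!/bin/sh
# Added example, not part of the original draft.  Checks "mount" output
# against the assumed mount policy: /usr and /opt read-only, /var and /tmp
# separate and nosuid, every other local filesystem except / nosuid too.

# audit_mount_options  (reads mount output on stdin)
# Prints one FAIL line per deviation and returns 1 if any were found.
audit_mount_options() {
    awk '
    BEGIN {
        ro["/usr"] = 1; ro["/opt"] = 1                          # must carry "ro"
        must_exist["/var"] = 1; must_exist["/tmp"] = 1          # must be separate filesystems
        exempt["/"] = 1; exempt["/usr"] = 1; exempt["/opt"] = 1 # nosuid not required
    }
    # Exact option match: "ro" must not be satisfied by "rw" or by a
    # substring of another option.
    function has(opts, o) { return index("," opts ",", "," o ",") > 0 }
    function fail(mp, why) { printf("FAIL %s: %s\n", mp, why); fails++ }
    {
        # Local filesystems carry a "/dev/..." device; the mount point is the
        # next field and the option list the last one.  Header lines have neither.
        for (i = 1; i < NF; i++) {
            if ($i ~ /^\/dev\//) {
                mp = $(i + 1); opts = $NF; seen[mp] = 1
                if ((mp in ro) && !has(opts, "ro"))
                    fail(mp, "not mounted read-only (" opts ")")
                if (!(mp in exempt) && !has(opts, "nosuid"))
                    fail(mp, "mounted without nosuid (" opts ")")
                break
            }
        }
    }
    END {
        for (mp in ro) if (!(mp in seen))
            fail(mp, "not a separate filesystem, cannot be mounted read-only")
        for (mp in must_exist) if (!(mp in seen))
            fail(mp, "not a separate filesystem, nosuid and size limits cannot apply")
        exit (fails > 0)
    }'
}

# sample_mount_output: constructed output in the layout of the AIX mount
# command (not captured from a real system).  /usr is still rw and /var
# lacks nosuid, so two findings are expected.
sample_mount_output() {
    cat <<'EOF'
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs    Nov 20 09:12 rw,log=/dev/hd8
         /dev/hd2         /usr             jfs    Nov 20 09:12 rw,log=/dev/hd8
         /dev/hd9var      /var             jfs    Nov 20 09:12 rw,log=/dev/hd8
         /dev/hd3         /tmp             jfs    Nov 20 09:12 rw,nosuid,log=/dev/hd8
         /dev/hd10opt     /opt             jfs    Nov 20 09:12 ro,nosuid,log=/dev/hd8
EOF
}

[ "${1:-}" = "--demo" ] && sample_mount_output | audit_mount_options
```

The check reads what the kernel actually applied rather than what /etc/filesystems or /etc/vfstab says, which is the point of the "run the mount command" step: an option that was mistyped in the configuration file, or a filesystem that was never split out, shows up here as a finding.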
Maintenance
Monitoring tasks
9.2.1 Intrusion monitoring tasks
9.2.1.1 File integrity: size, permissions, ownership
nice tcbck -n tree
or tripwire
9.2.1.2 Network ports visible
9.2.1.3 Network traffic intrusion
9.2.2 Log statistics
9.2.3 Log exception monitoring
9.2.4 Availability / reliability: processes, ping hosts, snmp, rpc, remote check of specific services
9.2.5 Example schedules: daily, weekly, monthly
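As an added example (not from the original draft), here is the baseline-and-compare method that tcbck -n tree and tripwire implement, reduced to find, ls and cksum so that it can be read in full: record mode, owner, group, size and checksum of every regular file under a tree, then report what changed, appeared or disappeared. cksum is a CRC rather than a secure hash, so this shows the mechanism and is not a substitute for tripwire; the demo tree is constructed, and paths are assumed to contain no whitespace. The baseline file is the part to keep off the host or on write-once media, as the text recommends.

```sh
#!/bin/sh
# Added example, not part of the original draft.  Minimal file-integrity
# baseline and comparison in the style of tcbck/tripwire.

# integrity_baseline TREE > BASELINE
# One line per regular file: "mode owner group size crc path", sorted by path.
# Modification time is deliberately left out: it is trivial to reset, while
# size and checksum are what a replaced binary cannot easily preserve.
integrity_baseline() {
    find "$1" -type f | sort | while read -r f; do
        crc=$(cksum < "$f" | awk '{ print $1 }')
        ls -ld "$f" | awk -v crc="$crc" -v path="$f" \
            '{ printf("%s %s %s %s %s %s\n", substr($1, 1, 10), $3, $4, $5, crc, path) }'
    done
}

# integrity_compare BASELINE TREE
# Prints CHANGED/ADDED/REMOVED lines; returns 1 if anything differs.
integrity_compare() {
    base=$1
    cur=$(mktemp) || return 99
    integrity_baseline "$2" > "$cur"
    # Field 6 is the path; the first five fields are the recorded attributes.
    awk -v base="$base" '
    FILENAME == base { old[$6] = $1 " " $2 " " $3 " " $4 " " $5; next }
    {
        new[$6] = $1 " " $2 " " $3 " " $4 " " $5
        if (!($6 in old)) { printf("ADDED %s\n", $6); diff++ }
        else if (old[$6] != new[$6]) {
            printf("CHANGED %s (was %s, now %s)\n", $6, old[$6], new[$6]); diff++
        }
    }
    END {
        for (p in old) if (!(p in new)) { printf("REMOVED %s\n", p); diff++ }
        exit (diff > 0)
    }' "$base" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

# demo_integrity: constructed tree; one file is modified and one added after
# the baseline is taken, so two findings are expected.  Returns that count.
demo_integrity() {
    tmp=$(mktemp -d) || return 99
    mkdir -p "$tmp/tree/bin"
    printf 'one\n' > "$tmp/tree/bin/a"
    printf 'two\n' > "$tmp/tree/bin/b"
    integrity_baseline "$tmp/tree" > "$tmp/baseline"
    printf 'tampered\n' > "$tmp/tree/bin/a"      # content and size change
    printf 'three\n' > "$tmp/tree/bin/c"        # new file
    findings=$(integrity_compare "$tmp/baseline" "$tmp/tree" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    return "$findings"
}

[ "${1:-}" = "--demo" ] && demo_integrity
```

Used as the text suggests, the baseline is generated once on the freshly hardened host, copied off it, and integrity_compare is then run over SSH from the monitoring machine at the scheduled interval, so a non-zero return is the trigger for the exception-monitoring task in 9.2.3.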
Software Patches
• On system installation the latest security recommended patches for the Operating System and
applications are to be installed.
• As time goes by new weaknesses and corresponding patches will be published, and these must be
installed on the system within two months. Alternatively a 'patch strategy' for the system must be
defined and approved that consists of:
a) How is notification of new relevant patches realised?
b) How often are patches applied?
c) Patch procedure: for example test patches on a test system, plan downtime, prepare rollback in
case of failure, apply patches, monitor for problems, document results.
• How do you decide whether a weakness is worth patching?
a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed
to a hostile environment like the Internet, install the patch fast.
b) If the weakness concerns a local exploit of a tool not normally used, not a daemon, and on a host
where only root or administrator accounts exist, it may be enough to install the patch together with a
bundle at the scheduled intervals.
c) If the weakness concerns a local exploit of a tool on a host where non-administrative users have
accounts with shell access, urgent action is advised.
d) If the system runs highly specialised software like databases, clusters etc., be very wary of installing kernel, I/O and driver patches. It is advisable to test patches on a separate system first.
Auditing notes
Several "check" commands (grpck, usrck, pwdck and tcbck) and "list" commands (lsuser and lsgroup) are available for use by root or anyone in the security group.
The grpck, usrck and pwdck commands require a flag to indicate whether the
system should try to fix erroneous attributes.
Flags are: -n reports errors but does not fix them, e.g. grpck -n ALL
lsgroup -f ALL >> /tmp/check
lsuser -f ALL >> /tmp/check
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 513
Logging
The default syslogd(8) configuration does nothing -- you wont get any important messages logged unless
you configure the file etcsyslogconf
Only programs that are writing into audit logs should have write access to these log files
Consider splitting logs by applications and priority Consider centralised logging analysis of usage statistics
and reporting of exceptions Consider logging more that the UNIX defaults
bull log rotate archiving
bull Enable SU logging to console in etcdefaultsu
bull Enable logging of failed attempts to login touch varlogloginlog chmod 600 varlogloginlog
chgrp sys varlogloginlog
TBD
bull errpt| more
File Directory Access Control
51 Root directory
52 Application and System files and directories
53 System directories
54 Login Shell scripts
55 Home Directories
56 SUID and SGID programs
57 Dangerous files
58 Filesystem mounting
etcfilesystems
To reduce the risk of trojan horses and unauthorised modifications in etcvfstab mount with options
remountnosuid var with nosuid tmp with size=100mnosuid (allow tmp to only use 100MB of
swap space and disallow execution of SUID programs)
Virus scanning
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 613
Use the command virscan on filesystems that may contain files that are transferred to from PCs
ACLs
ACL commands aclget Gets the ACL for a file aclput Sets the ACL for a file acledit Combines aclget andaclput
System Authentication Access Control
Batch Utilities atcron
Users are not allowed to use cron or at access to these tools to be restricted accordingly System accounts
should be explicitly given access if needed Enable logging of cron activity Ensure that all command scripts
that are to be executed with root privilege by cron at or batch are owned by root and set to mode 755 or more restrictive
Devices disks tty
Consider setting restrictive permissions on raw disk devices used by databases
Ports In etcsecuritylogincfgor via smit login_port we could set
Port NAME devttyp0Allowed LOGIN TIMES []
Login RETRY DELAY [0]
Number of FAILED LOGINS before port is locked [0]INTERVAL for counting failed logins [0]
REENABLE DELAY for locked port [0]
Login Banners
Edit etcsecuritylogincfg or try
chsec -f etcsecuritylogincfg -s default -a herald= NOTICE TO USERSrnrnUse of this machine waivesall rights to your privacyrnr and is consent to be monitoredrnrUnauthorized use
prohibitedrnrnrnlogin
Consoles amp boot security
bull Should we set the power-on password
o The power-on password protection is effective against reset as well as power-on and means
the system cant be booted from CD to bypass password controls
o Alternatively leave only hard disk in the boot device sequence and set the privileged-access
password The system will boot only from hard disk
o If the machine is already in a physically secure room this may create more trouble than its
worth (convenience) It is recommended that at least Unattended start mode be enabled
bull Cover lock key
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 713
bull Privileged-access password for firmware access If you set both power-on and privileged-access
passwords only privileged-access password is required to start SMS
s2TCB Auditing
TCB is a good tool to detect penetrations and configuration changes It is not installed by default You have
the option to install TCB during the initial installation It cannot be added without reinstalling AIX
etcsecurityauditconfig
TCB monitors over 600 files plus the devices (dev) by default It stores these files in an ASCII fileetcsecuritysysckcfg Make a backup of this file to a floppy disk and write protect it immediately
We should be able to use this as an alternative to tripwire
The installp command automatically updates the TCB when you install PTFs ie patches) However E-
Fixes naturally do not update TCB So if you apply an E-Fix to your system you will need to manually
update TCB
Store TCB read-only on floppy with backup config
User Accounts and Environment
General policy
bull Ensure that encrypted passwords are only stored in etcsecuritypasswd and not etcpasswd
bull Define standard UIDGID ranges
bull Groups
o Define standard groups add to system install
o Define standard members of security (auditors) and system (sysadmins) groups
User account policy
bull TBD edit etcenvironment etcprofile etcsecurityenviron etcsecurityprofile
usrlibsecuritymkusersys set default user environmentMANPATH TMOUT=3600 TIMEOUT=3600 PS1 umask) in etcprofile etclogin and profile
bull
We can set several security relevant account details for example via smit mkuser or editingetcsecurityuser
TBD define standardsexamples and test (especially with SSH) - Ive started adding some examplesettings in green
1 User NAME []3 ADMINISTRATIVE USER false
4 Primary GROUP []
6 ADMINISTRATIVE GROUPS []7 ROLES []
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 813
8 Another user can SU TO USER true
9 SU GROUPS [ALL]
11 Initial PROGRAM []
13 EXPIRATION date (MMDDhhmmyy) [0]14 Is this user ACCOUNT LOCKED false
15 User can LOGIN true16 User can LOGIN REMOTELY true17 Allowed LOGIN TIMES [] 0600-2000
18 Number of FAILED LOGINS before [0] user account is locked 5
19 Login AUTHENTICATION GRAMMAR [compat]20 Valid TTYs [ALL] []
21 Days to WARN USER before password expires [0]
22 Password CHECK METHODS []
23 Password DICTIONARY FILES [] usrsharedictwords (and add others from John the ripper)
24 NUMBER OF PASSWORDS before reuse [0]
Password History size - histsize 825 WEEKS before password reuse [0]
Password reuse min - histexpire 26
26 Weeks between password EXPIRATION and LOCKOUTPassword maxexpired 4
27 Password MAX AGE 12 or 24
28 Password MIN AGE 029 Password MIN LENGTH 6
30 Password MIN ALPHA characters 4
31 Password MIN OTHER characters 1
32 Password MAX REPEATED characters 3
33 Password MIN DIFFERENT characters 334 Password REGISTRY
loginretries 20
following setting limit how much system resources can be used
some high limits could be set35 Soft FILE size
36 Soft CPU time
37 Soft DATA segment38 Soft STACK size
39 Soft CORE file size [2097151] 0
40 Hard FILE size []41 Hard CPU time []42 Hard DATA segment []
43 Hard STACK size []
44 Hard CORE file size [] 0
45 File creation UMASK [022] 027
46 AUDIT classes []47 TRUSTED PATH nosak
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 913
48 PRIMARY authentication method [SYSTEM]
49 SECONDARY authentication method [NONE]
bull Set user defaults for above
bull usrlibsecuritymkuserdefault
bull etcsecurityuser bull etcsecuritylimits
bull etcsecuritylogincfg
bull usrlibsecuritymkusersysbull User restricted shell
Temporary accounts
TBD
bull Ensure expiry date set
Temporary access to existing accounts
TBD
Applicationdaemon account policy
bull Ensure that the password is blocked and shell is set to devnull for all system accounts except root
and sysadmin users
bull A system default of umask 027 or tighter is required
AdministratorPrivileged access account policy
bull Set PATH (no system directories first) and other variables (eg TERM IFS LIBRARY PATH
MANPATH) in profile and cshrc or login
bull The tsh shell is a good security tool It only allows you to run programs that are in the TCB and have
the TCB mode set We should at least recommend its usagebull Only allow root to be access via su (not console or network login)
smit chuser
Another user can SU TO USER true
User can LOGIN falseUser can LOGIN REMOTELY false
TBD I think we should allow root to login to the consolebull A system default of umask 027 or tighter is required
TBD
bull Extended attributes
bull For sensitive accounts One common method of increasing login security is to require two passwords
to authenticate an account This is called ldquo2 key authenticationrdquo
bull SAK etcsecuritylogincfg to the ldquodefaultrdquo stanza sak_enabled=true
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1013
bull roles an alternative method of assigning sysadmin privileges Maybe an alternative to sudo or the
commercial equivalentManageBasicUsers chsec chuser lsuser mkuser
ManageAllUsers chfn chsec chuser mkuser rmuser chrole mkrole lsrole rmrole chsec lssec
pwdadm chgroup chgrpmem chsec mkgroup rmgroup chsec chuser lsuser mkuser ManageBasicPasswords pwdadm
ManageAllPasswords chsec lssec pwdadm
ManageRoles chrole mkrole lsrole rmroleManageBackupRestore backup restoreManageBackup backup
ManageShutdown shutdown
RunDiagnostics diag
The chuser command is used when addingremoving a role to an existing user
See also etcsecurityuserroles and etcsecurityroles and smitsmit chrole To change the attribute values
smit lsrole To display the attributes and their values
smit mkrole To creates an entry for each new role in the etcsecurityroles
smit rmrole To remove a role
top
Install additional security tools
At this stage standard toolsutilities are going to be installed the most important being SSH These tools
should already have been compiled and tested extensively on another machine They are typically transferredas tar files by CD or FTP
bull AIX tools - C2
bullIP Security (IPSec) port filtering permits AIX to filter incoming IP packets
based on combinations of source IP address (more generally a network
and netmask) protocol (TCP or UDP) and port number
(perhaps we dont need TCP wrappers this filtering seems to be just as good if not a littlecomplicated Its like a local IpchainsIPfilter)
bullIP Security (IPSec)encryption
bull DACinet permits arbitrary ports (above 1024) to be designated as
privileged so that they may only be bound to a socket created by the
super-user Examples would include ports used by Web-based SystemManager and X11
bull DACinet also provides a means of restricting the ability of users based on
user identity to establish connections to TCP ports (No similar feature is provided for UDP ports) This feature extends the IPSec address-based notion of port filtering to
permit only trusted users to establish connections to certain services (such as Web-based System
Manager)
bull Install SSH for login access Configure the ssh daemon (etcsshd_config) so that access is restricted
to named hosts with known public keys (etcssh_known_hosts) and rhosts authentication is disabled
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1113
Use shosts rather than rhosts if remote admin is needed If telnetdftpd was still enabled disable it
in etcinetdconf once you have tested SSH
bull Security
o tripwire lsof md5 logcheck rdist tcp wrappers
o possibly snort tocsin
o monitoring scripts
o auditing scripts
bull SysAdmino perl gzip top
Create Tripwire image backup test
Test - Do SSH and the standard tools work Check log entries check console messages Does the system
behave as expected
bull When all is working fine freeze usr and if possible opt
Mount usr and opt read-only (in etcvfstab with ro option) This reduces the risk of trojan horses andunauthorised modifications
Mount other partitions nosuid (SUID programs cannot assume other identities)
RebootRun the mount command to check that filesystems options are effective
bull If CD-ROMS are not needed for production disable the volume manager (one less daemon one less
security worry) It can always be re-enabled if needed later
mv etcrc2dS92volmgt etcrc2dS92volmgt
bull At this stage install tripwire (or some other filechecker that uses secure hashing algorithms) initialise
its database and run regular checks to monitor for changes If possible keep the tripwire master database on another machine or write-once media Even better copy tripwire amp its database and run
it remotely at regular intervals using SSH This makes it difficult for an attacker to know that tripwireis being used to check the system
bull Backup the system to two tapes one offsite
Maintenance
Monitoring Tasks
921 Intrusion monitoring tasks
9211 File integrity size permissions ownership
nice tcbck -n tree
or tripwire
9212 Network ports visible9213 Network traffic intrusion
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1213
922 Log Statistics
923 Log Exception monitoring
924 Availability reliabilityProcesses ping hosts snmp rpc remote check of specific services
925 Example Schedules Daily Weekly Monthly
Software Patches
bull On system installation the latest security recommended patches for the Operating System and
applications be installed
bull As time goes by new weaknesses and corresponding patches will be published and these must be
installed on the system within two months Alternatively a lsquopatch strategyrsquo for the system must be
defined and approved that consists ofa) How is notification of new relevant patches realised
b) How often are patches applied
c) Patch procedure for example test patches on a test System plan downtime prepare rollback in
case of failure apply patches monitor for problems document resultsbull How do you decide whether a weakness is worth patching
a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed
to a hostile environment like the Internet install it fast b) If the weakness concerns a local exploit of a tool not normally used not a daemon and on a host
where only root or administrator accounts exist it may be enough to install the patch together with a
bundle at the scheduled intervalsc) If the weakness concerns a local exploit of a tool on a host where non-administrative users have
accounts with shell access urgent action is advised
d) If the systems runs highly specialised software like databases clusters etc be very wary of installing Kernel IO and driver patches It is advisable to test patches on a separate system first
References
[1] AIX 43 Network Hardening
Information Systems and Technology University of Waterloohttpistuwaterloocasecurityhowto2001-01-15
httpistuwaterloocasecurityhowto2001-01-15aix-network-hardentar
A PDF version has been createdhttpborandyndnsorgaix
[2] AIX - RS6000 Documentation Library (IBM)
bull Frequently Asked Questions about AIX and the IBM RS6000 (Usenix posting) Also a pdf version
for printing
bull AIX 43 Elements of Security Effective and Efficient Implementation (by) Kosuge Arminguad
Chew Horne amp Witteveen 18-Aug-2000 Also a pdf version for printing
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1313
bull Additional AIX Security Tools on IBM pSeries IBM RS6000 and SPCluster (by) Farazdel Genty
Kerouanton amp Khor 20-Dec-2000 Also a pdf version for printing
bull Exploiting RS6000 SP Security Keeping It Safe (by) Farazdel DeRobertis Genty Kreuger amp
Wilkop 21-Sep-2000 Also a pdf version for printing
Auditing notes
Several ldquocheckrdquo commands (grpck usrck pwdck and tcbck) and ldquolistrdquocommands (lsuser and lsgroup) are available for use by root or anyone in thesecurity group
The grpck usrck and pwdck commands require a flag to indicate whether the
system should try to fix erroneous attributes
Flags are -n Reports errors but does not fix them eggrpck -n ALL
lsgroup -f ALL gtgt tmpcheck
lsuser -f ALL gtgt tmpcheck
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 613
Use the command virscan on filesystems that may contain files that are transferred to from PCs
ACLs
ACL commands aclget Gets the ACL for a file aclput Sets the ACL for a file acledit Combines aclget andaclput
System Authentication Access Control
Batch Utilities atcron
Users are not allowed to use cron or at access to these tools to be restricted accordingly System accounts
should be explicitly given access if needed Enable logging of cron activity Ensure that all command scripts
that are to be executed with root privilege by cron at or batch are owned by root and set to mode 755 or more restrictive
Devices disks tty
Consider setting restrictive permissions on raw disk devices used by databases
Ports In etcsecuritylogincfgor via smit login_port we could set
Port NAME devttyp0Allowed LOGIN TIMES []
Login RETRY DELAY [0]
Number of FAILED LOGINS before port is locked [0]INTERVAL for counting failed logins [0]
REENABLE DELAY for locked port [0]
Login Banners
Edit etcsecuritylogincfg or try
chsec -f etcsecuritylogincfg -s default -a herald= NOTICE TO USERSrnrnUse of this machine waivesall rights to your privacyrnr and is consent to be monitoredrnrUnauthorized use
prohibitedrnrnrnlogin
Consoles amp boot security
bull Should we set the power-on password
o The power-on password protection is effective against reset as well as power-on and means
the system cant be booted from CD to bypass password controls
o Alternatively leave only hard disk in the boot device sequence and set the privileged-access
password The system will boot only from hard disk
o If the machine is already in a physically secure room this may create more trouble than its
worth (convenience) It is recommended that at least Unattended start mode be enabled
bull Cover lock key
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 713
bull Privileged-access password for firmware access If you set both power-on and privileged-access
passwords only privileged-access password is required to start SMS
s2TCB Auditing
TCB is a good tool to detect penetrations and configuration changes It is not installed by default You have
the option to install TCB during the initial installation It cannot be added without reinstalling AIX
etcsecurityauditconfig
TCB monitors over 600 files plus the devices (dev) by default It stores these files in an ASCII fileetcsecuritysysckcfg Make a backup of this file to a floppy disk and write protect it immediately
We should be able to use this as an alternative to tripwire
The installp command automatically updates the TCB when you install PTFs ie patches) However E-
Fixes naturally do not update TCB So if you apply an E-Fix to your system you will need to manually
update TCB
Store TCB read-only on floppy with backup config
User Accounts and Environment
General policy
bull Ensure that encrypted passwords are only stored in etcsecuritypasswd and not etcpasswd
bull Define standard UIDGID ranges
bull Groups
o Define standard groups add to system install
o Define standard members of security (auditors) and system (sysadmins) groups
User account policy
bull TBD edit etcenvironment etcprofile etcsecurityenviron etcsecurityprofile
usrlibsecuritymkusersys set default user environmentMANPATH TMOUT=3600 TIMEOUT=3600 PS1 umask) in etcprofile etclogin and profile
bull
• We can set several security-relevant account details, for example via smit mkuser or by editing /etc/security/user. TBD: define standards/examples and test them (especially with SSH). The list below shows the smit mkuser fields with their defaults in brackets; where the draft suggests a value it is given after "suggested", with the corresponding /etc/security/user attribute in parentheses (the draft marked these suggestions in green).
1 User NAME []
3 ADMINISTRATIVE USER [false]
4 Primary GROUP []
6 ADMINISTRATIVE GROUPS []
7 ROLES []
8 Another user can SU TO USER [true]
9 SU GROUPS [ALL]
11 Initial PROGRAM []
13 EXPIRATION date (MMDDhhmmyy) [0]
14 Is this user ACCOUNT LOCKED [false]
15 User can LOGIN [true]
16 User can LOGIN REMOTELY [true]
17 Allowed LOGIN TIMES [], suggested 0600-2000
18 Number of FAILED LOGINS before user account is locked [0], suggested 5 (loginretries; 0 means no limit)
19 Login AUTHENTICATION GRAMMAR [compat]
20 Valid TTYs [ALL] (the draft considers restricting this; suggested value left blank)
21 Days to WARN USER before password expires [0]
22 Password CHECK METHODS []
23 Password DICTIONARY FILES [], suggested /usr/share/dict/words (and add others from John the Ripper)
24 NUMBER OF PASSWORDS before reuse [0], suggested 8 (histsize)
25 WEEKS before password reuse [0], suggested 26 (histexpire)
26 Weeks between password EXPIRATION and LOCKOUT, suggested 4 (maxexpired)
27 Password MAX AGE, suggested 12 or 24 (maxage, in weeks; 0 means passwords never expire)
28 Password MIN AGE, suggested 0 (minage)
29 Password MIN LENGTH, suggested 6 (minlen)
30 Password MIN ALPHA characters, suggested 4 (minalpha)
31 Password MIN OTHER characters, suggested 1 (minother)
32 Password MAX REPEATED characters, suggested 3 (maxrepeats)
33 Password MIN DIFFERENT characters, suggested 3 (mindiff)
34 Password REGISTRY
(The draft also notes loginretries = 20 as a candidate value for field 18.)
The following settings limit how much system resource a user can consume; some high limits could be set:
35 Soft FILE size
36 Soft CPU time
37 Soft DATA segment
38 Soft STACK size
39 Soft CORE file size [2097151], suggested 0
40 Hard FILE size []
41 Hard CPU time []
42 Hard DATA segment []
43 Hard STACK size []
44 Hard CORE file size [], suggested 0
45 File creation UMASK [022], suggested 027
46 AUDIT classes []
47 TRUSTED PATH, suggested nosak
48 PRIMARY authentication method [SYSTEM]
49 SECONDARY authentication method [NONE]
• Set the user defaults for the above in:
• /usr/lib/security/mkuser.default
• /etc/security/user
• /etc/security/limits
• /etc/security/login.cfg
• /usr/lib/security/mkuser.sys
• User restricted shell
Temporary accounts
TBD
• Ensure that an expiry date is set (field 13, the expires attribute).
Temporary access to existing accounts
TBD
Application/daemon account policy
• Ensure that the password is blocked and the shell is set to /dev/null for all system accounts except root and the sysadmin users.
• A system default of umask 027 or tighter is required.
Administrator/Privileged access account policy
• Set PATH (system directories first, never "." or a user-writable directory) and other variables (e.g. TERM, IFS, LIBPATH, MANPATH) in .profile and .cshrc or .login.
• The tsh shell is a good security tool: it only runs programs that are in the TCB and have the TCB attribute set. We should at least recommend its use.
• Only allow root to be reached via su (not console or network login). With smit chuser:
Another user can SU TO USER: true
User can LOGIN: false
User can LOGIN REMOTELY: false
TBD: I think we should allow root to log in on the console.
• A system default of umask 027 or tighter is required.
• TBD
• Extended attributes
• For sensitive accounts: one common method of increasing login security is to require two passwords to authenticate an account. This is called "2 key authentication".
• SAK: in /etc/security/login.cfg add sak_enabled=true to the "default" stanza.
• Roles: an alternative method of assigning sysadmin privileges, maybe an alternative to sudo or its commercial equivalent. The predefined roles and the commands they authorise are:
ManageBasicUsers: chsec, chuser, lsuser, mkuser
ManageAllUsers: chfn, chsec, chuser, mkuser, rmuser, chrole, mkrole, lsrole, rmrole, lssec, pwdadm, chgroup, chgrpmem, mkgroup, rmgroup, lsuser
ManageBasicPasswords: pwdadm
ManageAllPasswords: chsec, lssec, pwdadm
ManageRoles: chrole, mkrole, lsrole, rmrole
ManageBackupRestore: backup, restore
ManageBackup: backup
ManageShutdown: shutdown
RunDiagnostics: diag
The chuser command is used when adding a role to, or removing one from, an existing user. See also /etc/security/user.roles and /etc/security/roles, and in smit:
smit chrole: change a role's attribute values
smit lsrole: display the attributes and their values
smit mkrole: create an entry for each new role in /etc/security/roles
smit rmrole: remove a role
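The following script is an example added to this draft (it is not the draft's own code nor an IBM tool) that audits the policies above against copies of /etc/security/user and /etc/passwd: the default-stanza password attributes against the suggested values, the root stanza for su-only access, and every account for a hash that was left in /etc/passwd or a daemon account that was not blocked. The sample files it writes are constructed for the example, "admin" is a hypothetical sysadmin login, and it assumes only POSIX sh and awk, so it can run off-box on copies of the files.

```shell
#!/bin/sh
# Added example: audit the account policy above against AIX-style stanza files.
# Assumptions: POSIX sh + awk; "admin" is a hypothetical sysadmin login; the sample
# files are constructed. On a real host pass /etc/security/user and /etc/passwd.

# stanza_get FILE STANZA ATTR: value of "ATTR = value" inside "STANZA:" (empty if unset).
# AIX stanza files (/etc/security/user, /etc/security/passwd, /etc/filesystems) share
# this layout: an unindented "name:" line, then indented "attr = value" lines, "*" comments.
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t*].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == want && $1 == attr && $2 == "=" {
            v = $3; for (i = 4; i <= NF; i++) v = v " " $i; print v; exit
        }' "$1"
}

# user_attr USERFILE USER ATTR: effective value, i.e. the user's stanza or else "default:"
user_attr() {
    v=$(stanza_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(stanza_get "$1" default "$3")
    printf '%s\n' "$v"
}

# check_password_policy USERFILE: one FAIL line per default-stanza attribute that is
# weaker than the values suggested in the smit mkuser list above
check_password_policy() {
    f=$1
    for rule in "minlen ge 6" "minalpha ge 4" "minother ge 1" "mindiff ge 3" \
                "maxrepeats le 3" "histsize ge 8" "histexpire ge 26" \
                "maxage le 24" "loginretries le 5"; do
        set -- $rule
        v=$(stanza_get "$f" default "$1")
        case "$1:$v" in
            *:) ok=no ;;                              # unset: the compiled-in default applies
            maxage:0|loginretries:0) ok=no ;;         # 0 means "never expire" / "no lockout"
            *) if [ "$v" "-$2" "$3" ]; then ok=yes; else ok=no; fi ;;
        esac
        [ "$ok" = yes ] || echo "FAIL default:$1=${v:-unset} (want $2 $3)"
    done
    um=$(stanza_get "$f" default umask)
    # "027 or tighter": group-write and all world bits must be masked (octal 027 == 23)
    [ $(( $(printf '%d' "0$um") & 23 )) -eq 23 ] ||
        echo "FAIL default:umask=${um:-unset} (want 027 or tighter)"
    return 0
}

# check_root USERFILE: root reachable only through su (the smit chuser settings above);
# note that login=false also closes the console, which the draft leaves as a TBD
check_root() {
    for want in login=false rlogin=false su=true; do
        a=${want%=*}; x=${want#*=}
        v=$(user_attr "$1" root "$a")
        [ "$v" = "$x" ] || echo "FAIL root:$a=${v:-unset} (want $x)"
    done
    return 0
}

# check_accounts PASSWD USERFILE "root admin ...": hashes must live in /etc/security/passwd
# (field 2 of /etc/passwd is "!" or "*"); every account not named is a daemon/application
# account and must have a non-login shell and be blocked ("*" password or login=false)
check_accounts() {
    pw=$1; f=$2; allowed=" $3 "
    while IFS=: read -r name hash uid gid gecos home shell; do
        case "$hash" in '!'|'*') ;; *) echo "FAIL $name: password hash stored in /etc/passwd" ;; esac
        case "$allowed" in *" $name "*) continue ;; esac
        case "$shell" in /dev/null|/bin/false|/usr/bin/false) ;;
            *) echo "FAIL $name: daemon account has login shell ${shell:-<default sh>}" ;;
        esac
        [ "$hash" = '*' ] || [ "$(user_attr "$f" "$name" login)" = false ] ||
            echo "FAIL $name: daemon account is not blocked"
    done < "$pw"
    return 0
}

# make_sample DIR: constructed sample files with both compliant and non-compliant entries
make_sample() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
admin:!:201:1:sysadmin:/home/admin:/usr/bin/ksh
nobody:*:4294967294:4294967294::/:
www:!:300:300:web server:/home/www:/bin/false
legacy:XyZ12ab34cdEF:301:1::/home/legacy:/usr/bin/ksh
EOF
    cat > "$1/user" <<'EOF'
* constructed /etc/security/user
default:
    login = true
    su = true
    rlogin = true
    umask = 022
    minlen = 6
    minalpha = 4
    minother = 0
    mindiff = 3
    maxrepeats = 3
    histsize = 8
    histexpire = 26
    maxage = 0
    loginretries = 20
root:
    login = true
    rlogin = true
    su = true
daemon:
    login = false
www:
    login = false
EOF
}

# Demo: 4 policy, 2 root and 5 account findings on the sample
d=${TMPDIR:-/tmp}/acct-demo.$$
make_sample "$d"
check_password_policy "$d/user"; check_root "$d/user"
check_accounts "$d/passwd" "$d/user" "root admin"
rm -rf "$d"
```

The same stanza_get parser reads /etc/filesystems, so the "options = ro" / "nosuid" checks from the later backup section can be bolted onto it; on a real system compare its findings with what usrck -n ALL and pwdck -n ALL report, since those also catch inconsistencies between the files that this script does not look for.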
Install additional security tools
At this stage the standard tools/utilities are installed, the most important being SSH. These tools should already have been compiled and tested extensively on another machine. They are typically transferred as tar files by CD or FTP.
• AIX tools (C2):
• IP Security (IPSec) port filtering permits AIX to filter incoming IP packets based on combinations of source IP address (more generally a network and netmask), protocol (TCP or UDP) and port number. (Perhaps we do not need TCP wrappers: this filtering seems to be just as good, if a little complicated. It is like a local ipchains/IPFilter.)
• IP Security (IPSec) encryption.
• DACinet permits arbitrary ports (above 1024) to be designated as privileged, so that they may only be bound to a socket created by the superuser. Examples would include the ports used by Web-based System Manager and X11.
• DACinet also provides a means of restricting, by user identity, the ability of users to establish connections to TCP ports (no similar feature is provided for UDP ports). This extends the IPSec address-based notion of port filtering to permit only trusted users to establish connections to certain services (such as Web-based System Manager).
• Install SSH for login access. Configure the SSH daemon (/etc/sshd_config) so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled. Use .shosts rather than .rhosts if remote admin needs host-based trust. If telnetd/ftpd are still enabled, disable them in /etc/inetd.conf (and refresh inetd) once you have tested SSH.
• Security:
o tripwire, lsof, md5, logcheck, rdist, tcp wrappers
o possibly snort, tocsin
o monitoring scripts
o auditing scripts
• SysAdmin:
o perl, gzip, top
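An added example (not from the draft) of the check a practitioner would run on the sshd configuration described above, written for OpenSSH keywords rather than the 2001 daemon's /etc/sshd_config. It assumes POSIX sh and awk, the two configuration files it writes are constructed for the example, and "adminhost.example.com" is a hypothetical admin station. It requires the policy to be stated explicitly because the compiled-in defaults differ between versions, and it honours sshd's rule that the first occurrence of a keyword wins and that anything after a Match line is conditional.

```shell
#!/bin/sh
# Added example: audit an sshd configuration for the points in the section above.
# Assumptions: POSIX sh + awk; OpenSSH keywords; the two files written below are
# constructed for the example; adminhost.example.com is hypothetical.

# sshd_opt FILE KEYWORD: the effective global value, lowercased. As in sshd itself the
# first occurrence of a keyword wins, and settings after a "Match" line are conditional,
# so they are never taken as the global value.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == key     { print tolower($2); exit }' "$1"
}

# sshd_check FILE: one FAIL line per deviation from the policy of this section
sshd_check() {
    f=$1
    # root only via su; no empty passwords; key-based access as the text requires
    for want in PermitRootLogin=no PermitEmptyPasswords=no PubkeyAuthentication=yes; do
        k=${want%=*}; x=${want#*=}
        v=$(sshd_opt "$f" "$k")
        [ "$v" = "$x" ] || echo "FAIL $k=${v:-unset} (want $x)"
    done
    # "restricted to named hosts": with OpenSSH that is AllowUsers user@host patterns
    # (or AllowGroups plus TCP wrappers / IPSec filtering); one of them must be present
    [ -n "$(sshd_opt "$f" AllowUsers)$(sshd_opt "$f" AllowGroups)" ] ||
        echo "FAIL no AllowUsers/AllowGroups: every account may attempt to log in"
    # host-based trust is only acceptable the way the text describes it: .shosts plus
    # known host keys, never .rhosts; flag it so somebody verifies that
    [ "$(sshd_opt "$f" HostbasedAuthentication)" != yes ] ||
        echo "WARN HostbasedAuthentication=yes: confirm only .shosts with known host keys is honoured"
    return 0
}

# make_sshd_samples DIR: a weak and a hardened configuration, both constructed
make_sshd_samples() {
    mkdir -p "$1"
    cat > "$1/weak" <<'EOF'
# constructed: an out-of-the-box style configuration
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
PubkeyAuthentication yes
Match User backup
    PermitRootLogin no
EOF
    cat > "$1/hardened" <<'EOF'
# constructed: the policy of this guide, stated explicitly
Port 22
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication no
HostbasedAuthentication no
AllowUsers admin@adminhost.example.com
EOF
}

# Demo: the weak file yields 3 FAIL lines, the hardened one none
d=${TMPDIR:-/tmp}/sshd-demo.$$
make_sshd_samples "$d"
echo "== weak =="; sshd_check "$d/weak"
echo "== hardened =="; sshd_check "$d/hardened"
rm -rf "$d"
```

Note that the weak file's "PermitRootLogin no" under "Match User backup" does not rescue it: the global value is the first one, "yes", which is exactly what the audit reports. Run the check on the file sshd actually loads (sshd -T prints the effective values on current OpenSSH releases and is the authoritative cross-check).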
Create Tripwire image, backup, test
Test: do SSH and the standard tools work? Check log entries, check console messages. Does the system behave as expected?
• When all is working fine, freeze /usr and if possible /opt:
Mount /usr and /opt read-only (options = ro in the /etc/filesystems stanza; the draft's reference to /etc/vfstab is Solaris syntax). This reduces the risk of trojan horses and unauthorised modifications. Remember to remount /usr read-write before running installp, since the ODM under /usr/lib/objrepos is updated by every install.
Mount other filesystems nosuid (SUID programs on them cannot assume other identities).
Reboot. Run the mount command to check that the filesystem options are effective.
• If CD-ROMs are not needed for production, disable the volume manager (one less daemon, one less security worry). It can always be re-enabled if needed later. This step is carried over from the Solaris version of this guide: the volmgt/vold service exists on Solaris, where it is disabled by renaming its start script so that rc does not run it, for example
mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt
AIX 4.3 has no equivalent daemon; CD-ROMs are mounted explicitly (cdrfs) and are only available if a stanza for them exists in /etc/filesystems.
• At this stage install Tripwire (or some other file checker that uses secure hashing algorithms), initialise its database and run regular checks to monitor for changes. If possible keep the Tripwire master database on another machine or on write-once media. Even better, copy Tripwire and its database over and run it remotely at regular intervals using SSH; this makes it difficult for an attacker to know that Tripwire is being used to check the system.
• Back up the system to two tapes, one off-site (mksysb for rootvg).
Maintenance
Monitoring Tasks
9.2.1 Intrusion monitoring tasks
9.2.1.1 File integrity: size, permissions, ownership
nice tcbck -n tree
or Tripwire
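As an added example (not the draft's nor IBM's code) of what the tcbck -n tree check in this task, and the sysck.cfg database of the TCB section, actually verify, the following POSIX sh script builds a baseline of owner, group, mode, size and CRC for every file under a directory and later reports what changed, was removed or was added. It uses cksum rather than the sum-style checksum AIX stores, the sample tree it creates is constructed, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: a portable file-integrity baseline in the spirit of tcbck -n / sysck.cfg.
# Assumptions: POSIX sh with ls, cksum, find, sort, cut, grep; paths without spaces;
# cksum's CRC stands in for the sum-style checksum AIX records in /etc/security/sysck.cfg.

# baseline_entry FILE: print "path mode owner group size crc" for one regular file
baseline_entry() {
    set -- "$1" $(ls -ld "$1")       # ls -l columns: $2 mode, $4 owner, $5 group, $6 size
    printf '%s %s %s %s %s %s\n' "$1" "$2" "$4" "$5" "$6" "$(cksum "$1" | cut -d' ' -f1)"
}

# baseline_create DIR: baseline for every regular file under DIR, sorted for stable diffs.
# Keep the output off the monitored host or on write-protected media, as the text advises.
baseline_create() {
    find "$1" -type f | sort | while read -r p; do baseline_entry "$p"; done
}

# baseline_check BASEFILE: one "FAIL ..." line per changed attribute or missing file
baseline_check() {
    b=$1
    while read -r path mode owner group size crc; do
        if [ ! -f "$path" ]; then echo "FAIL $path: missing"; continue; fi
        set -- $(baseline_entry "$path")
        [ "$2" = "$mode" ]  || echo "FAIL $path: mode $mode -> $2"
        [ "$3" = "$owner" ] || echo "FAIL $path: owner $owner -> $3"
        [ "$4" = "$group" ] || echo "FAIL $path: group $group -> $4"
        [ "$5" = "$size" ]  || echo "FAIL $path: size $size -> $5"
        [ "$6" = "$crc" ]   || echo "FAIL $path: checksum $crc -> $6"
    done < "$b"
    return 0
}

# baseline_new BASEFILE DIR: files that exist now but were not in the baseline.
# tcbck only knows about registered files, so a dropped tool is invisible to it;
# this pass is what catches it.
baseline_new() {
    find "$2" -type f | sort | while read -r p; do
        cut -d' ' -f1 "$1" | grep -qFx -- "$p" || echo "NEW $p"
    done
}

# make_tree DIR / tamper DIR: constructed sample tree and the changes an intruder might make
make_tree() {
    mkdir -p "$1/bin" "$1/etc"
    printf '#!/bin/sh\necho tool\n' > "$1/bin/tool";    chmod 755 "$1/bin/tool"
    printf 'setting = 1\n' > "$1/etc/cfg";              chmod 644 "$1/etc/cfg"
    printf 'authorised use only\n' > "$1/etc/motd";     chmod 644 "$1/etc/motd"
}
tamper() {
    printf 'echo backdoor\n' >> "$1/bin/tool"   # content changed: size and checksum differ
    chmod 600 "$1/etc/cfg"                      # permissions changed
    rm -f "$1/etc/motd"                         # file removed
    : > "$1/bin/new"                            # file added behind the baseline's back
}

# Demo: 4 FAIL lines (size and checksum of bin/tool, mode of etc/cfg, missing etc/motd), 1 NEW
demo=${TMPDIR:-/tmp}/tcb-demo.$$
make_tree "$demo" && baseline_create "$demo" > "$demo.base" && tamper "$demo"
baseline_check "$demo.base"; baseline_new "$demo.base" "$demo"
rm -rf "$demo" "$demo.base"
```

The point of the ownership and mode columns is the same as for tcbck: a binary that still hashes correctly but has acquired the SUID bit, or a config file that became group-writable, is a finding even though its content is intact. Schedule the check with nice, as the task above does, and diff the report against the previous run rather than reading it from scratch each time.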
9.2.1.2 Network ports visible
9.2.1.3 Network traffic, intrusion
9.2.2 Log statistics
9.2.3 Log exception monitoring
9.2.4 Availability, reliability: processes, ping hosts, snmp, rpc, remote check of specific services
9.2.5 Example schedules: daily, weekly, monthly
Software Patches
• On system installation, the latest security-recommended patches for the Operating System and applications must be installed.
• As time goes by, new weaknesses and corresponding patches will be published, and these must be installed on the system within two months. Alternatively a "patch strategy" for the system must be defined and approved that consists of:
a) how notification of new relevant patches is realised;
b) how often patches are applied;
c) the patch procedure, for example: test patches on a test system, plan downtime, prepare a rollback in case of failure, apply patches, monitor for problems, document results.
• How do you decide whether a weakness is worth patching?
a) If the weakness is remotely exploitable in an active network daemon exposed to a hostile environment like the Internet, install the patch fast.
b) If the weakness is a local exploit of a tool not normally used, not a daemon, and on a host where only root or administrator accounts exist, it may be enough to install the patch together with a bundle at the scheduled intervals.
c) If the weakness is a local exploit of a tool on a host where non-administrative users have accounts with shell access, urgent action is advised.
d) If the system runs highly specialised software like databases, clusters etc., be very wary of installing kernel, I/O and driver patches. Test patches on a separate system first.
References
[1] AIX 4.3 Network Hardening, Information Systems and Technology, University of Waterloo, http://ist.uwaterloo.ca/security/howto/2001-01-15/ (tar archive: http://ist.uwaterloo.ca/security/howto/2001-01-15/aix-network-harden.tar). A PDF version has been created at http://boran.dyndns.org/aix/.
[2] AIX / RS/6000 Documentation Library (IBM):
• Frequently Asked Questions about AIX and the IBM RS/6000 (Usenet posting); also a PDF version for printing.
• AIX 4.3 Elements of Security: Effective and Efficient Implementation, by Kosuge, Arminguad, Chew, Horne and Witteveen, 18 Aug 2000; also a PDF version for printing.
• Additional AIX Security Tools on IBM pSeries, IBM RS/6000 and SP/Cluster, by Farazdel, Genty, Kerouanton and Khor, 20 Dec 2000; also a PDF version for printing.
• Exploiting RS/6000 SP Security: Keeping It Safe, by Farazdel, DeRobertis, Genty, Kreuger and Wilkop, 21 Sep 2000; also a PDF version for printing.
Auditing notes
Several "check" commands (grpck, usrck, pwdck and tcbck) and "list" commands (lsuser and lsgroup) are available for use by root or anyone in the security group.
The grpck, usrck and pwdck commands require a flag to indicate whether the system should try to fix erroneous attributes: -n reports errors but does not fix them, -t reports them and asks before fixing, -y fixes them without asking. For a read-only audit, e.g.:
grpck -n ALL
lsgroup -f ALL >> /tmp/check
lsuser -f ALL >> /tmp/check
(Create /tmp/check under a restrictive umask: the listing reveals the account policy settings of every user.)
• Privileged-access password for firmware access: if you set both the power-on and the privileged-access password, only the privileged-access password is required to start SMS.
s2TCB Auditing
TCB is a good tool to detect penetrations and configuration changes It is not installed by default You have
the option to install TCB during the initial installation It cannot be added without reinstalling AIX
etcsecurityauditconfig
TCB monitors over 600 files plus the devices (dev) by default It stores these files in an ASCII fileetcsecuritysysckcfg Make a backup of this file to a floppy disk and write protect it immediately
We should be able to use this as an alternative to tripwire
The installp command automatically updates the TCB when you install PTFs ie patches) However E-
Fixes naturally do not update TCB So if you apply an E-Fix to your system you will need to manually
update TCB
Store TCB read-only on floppy with backup config
User Accounts and Environment
General policy
bull Ensure that encrypted passwords are only stored in etcsecuritypasswd and not etcpasswd
bull Define standard UIDGID ranges
bull Groups
o Define standard groups add to system install
o Define standard members of security (auditors) and system (sysadmins) groups
User account policy
bull TBD edit etcenvironment etcprofile etcsecurityenviron etcsecurityprofile
usrlibsecuritymkusersys set default user environmentMANPATH TMOUT=3600 TIMEOUT=3600 PS1 umask) in etcprofile etclogin and profile
bull
We can set several security relevant account details for example via smit mkuser or editingetcsecurityuser
TBD define standardsexamples and test (especially with SSH) - Ive started adding some examplesettings in green
1 User NAME []3 ADMINISTRATIVE USER false
4 Primary GROUP []
6 ADMINISTRATIVE GROUPS []7 ROLES []
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 813
8 Another user can SU TO USER true
9 SU GROUPS [ALL]
11 Initial PROGRAM []
13 EXPIRATION date (MMDDhhmmyy) [0]14 Is this user ACCOUNT LOCKED false
15 User can LOGIN true16 User can LOGIN REMOTELY true17 Allowed LOGIN TIMES [] 0600-2000
18 Number of FAILED LOGINS before [0] user account is locked 5
19 Login AUTHENTICATION GRAMMAR [compat]20 Valid TTYs [ALL] []
21 Days to WARN USER before password expires [0]
22 Password CHECK METHODS []
23 Password DICTIONARY FILES [] usrsharedictwords (and add others from John the ripper)
24 NUMBER OF PASSWORDS before reuse [0]
Password History size - histsize 825 WEEKS before password reuse [0]
Password reuse min - histexpire 26
26 Weeks between password EXPIRATION and LOCKOUTPassword maxexpired 4
27 Password MAX AGE 12 or 24
28 Password MIN AGE 029 Password MIN LENGTH 6
30 Password MIN ALPHA characters 4
31 Password MIN OTHER characters 1
32 Password MAX REPEATED characters 3
33 Password MIN DIFFERENT characters 334 Password REGISTRY
loginretries 20
following setting limit how much system resources can be used
some high limits could be set35 Soft FILE size
36 Soft CPU time
37 Soft DATA segment38 Soft STACK size
39 Soft CORE file size [2097151] 0
40 Hard FILE size []41 Hard CPU time []42 Hard DATA segment []
43 Hard STACK size []
44 Hard CORE file size [] 0
45 File creation UMASK [022] 027
46 AUDIT classes []47 TRUSTED PATH nosak
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 913
48 PRIMARY authentication method [SYSTEM]
49 SECONDARY authentication method [NONE]
bull Set user defaults for above
bull usrlibsecuritymkuserdefault
bull etcsecurityuser bull etcsecuritylimits
bull etcsecuritylogincfg
bull usrlibsecuritymkusersysbull User restricted shell
Temporary accounts
TBD
bull Ensure expiry date set
Temporary access to existing accounts
TBD
Applicationdaemon account policy
bull Ensure that the password is blocked and shell is set to devnull for all system accounts except root
and sysadmin users
bull A system default of umask 027 or tighter is required
AdministratorPrivileged access account policy
bull Set PATH (no system directories first) and other variables (eg TERM IFS LIBRARY PATH
MANPATH) in profile and cshrc or login
bull The tsh shell is a good security tool It only allows you to run programs that are in the TCB and have
the TCB mode set We should at least recommend its usagebull Only allow root to be access via su (not console or network login)
smit chuser
Another user can SU TO USER true
User can LOGIN falseUser can LOGIN REMOTELY false
TBD I think we should allow root to login to the consolebull A system default of umask 027 or tighter is required
TBD
bull Extended attributes
bull For sensitive accounts One common method of increasing login security is to require two passwords
to authenticate an account This is called ldquo2 key authenticationrdquo
bull SAK etcsecuritylogincfg to the ldquodefaultrdquo stanza sak_enabled=true
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1013
bull roles an alternative method of assigning sysadmin privileges Maybe an alternative to sudo or the
commercial equivalentManageBasicUsers chsec chuser lsuser mkuser
ManageAllUsers chfn chsec chuser mkuser rmuser chrole mkrole lsrole rmrole chsec lssec
pwdadm chgroup chgrpmem chsec mkgroup rmgroup chsec chuser lsuser mkuser ManageBasicPasswords pwdadm
ManageAllPasswords chsec lssec pwdadm
ManageRoles chrole mkrole lsrole rmroleManageBackupRestore backup restoreManageBackup backup
ManageShutdown shutdown
RunDiagnostics diag
The chuser command is used when addingremoving a role to an existing user
See also etcsecurityuserroles and etcsecurityroles and smitsmit chrole To change the attribute values
smit lsrole To display the attributes and their values
smit mkrole To creates an entry for each new role in the etcsecurityroles
smit rmrole To remove a role
top
Install additional security tools
At this stage standard toolsutilities are going to be installed the most important being SSH These tools
should already have been compiled and tested extensively on another machine They are typically transferredas tar files by CD or FTP
bull AIX tools - C2
bullIP Security (IPSec) port filtering permits AIX to filter incoming IP packets
based on combinations of source IP address (more generally a network
and netmask) protocol (TCP or UDP) and port number
(perhaps we dont need TCP wrappers this filtering seems to be just as good if not a littlecomplicated Its like a local IpchainsIPfilter)
bullIP Security (IPSec)encryption
bull DACinet permits arbitrary ports (above 1024) to be designated as
privileged so that they may only be bound to a socket created by the
super-user Examples would include ports used by Web-based SystemManager and X11
bull DACinet also provides a means of restricting the ability of users based on
user identity to establish connections to TCP ports (No similar feature is provided for UDP ports) This feature extends the IPSec address-based notion of port filtering to
permit only trusted users to establish connections to certain services (such as Web-based System
Manager)
bull Install SSH for login access Configure the ssh daemon (etcsshd_config) so that access is restricted
to named hosts with known public keys (etcssh_known_hosts) and rhosts authentication is disabled
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1113
Use shosts rather than rhosts if remote admin is needed If telnetdftpd was still enabled disable it
in etcinetdconf once you have tested SSH
bull Security
o tripwire lsof md5 logcheck rdist tcp wrappers
o possibly snort tocsin
o monitoring scripts
o auditing scripts
bull SysAdmino perl gzip top
Create Tripwire image backup test
Test - Do SSH and the standard tools work Check log entries check console messages Does the system
behave as expected
bull When all is working fine freeze usr and if possible opt
Mount usr and opt read-only (in etcvfstab with ro option) This reduces the risk of trojan horses andunauthorised modifications
Mount other partitions nosuid (SUID programs cannot assume other identities)
RebootRun the mount command to check that filesystems options are effective
bull If CD-ROMS are not needed for production disable the volume manager (one less daemon one less
security worry) It can always be re-enabled if needed later
mv etcrc2dS92volmgt etcrc2dS92volmgt
bull At this stage install tripwire (or some other filechecker that uses secure hashing algorithms) initialise
its database and run regular checks to monitor for changes If possible keep the tripwire master database on another machine or write-once media Even better copy tripwire amp its database and run
it remotely at regular intervals using SSH This makes it difficult for an attacker to know that tripwireis being used to check the system
bull Backup the system to two tapes one offsite
Maintenance
Monitoring Tasks
921 Intrusion monitoring tasks
9211 File integrity size permissions ownership
nice tcbck -n tree
or tripwire
9212 Network ports visible9213 Network traffic intrusion
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1213
922 Log Statistics
923 Log Exception monitoring
924 Availability reliabilityProcesses ping hosts snmp rpc remote check of specific services
925 Example Schedules Daily Weekly Monthly
Software Patches
bull On system installation the latest security recommended patches for the Operating System and
applications be installed
bull As time goes by new weaknesses and corresponding patches will be published and these must be
installed on the system within two months Alternatively a lsquopatch strategyrsquo for the system must be
defined and approved that consists ofa) How is notification of new relevant patches realised
b) How often are patches applied
c) Patch procedure for example test patches on a test System plan downtime prepare rollback in
case of failure apply patches monitor for problems document resultsbull How do you decide whether a weakness is worth patching
a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed
to a hostile environment like the Internet install it fast b) If the weakness concerns a local exploit of a tool not normally used not a daemon and on a host
where only root or administrator accounts exist it may be enough to install the patch together with a
bundle at the scheduled intervalsc) If the weakness concerns a local exploit of a tool on a host where non-administrative users have
accounts with shell access urgent action is advised
d) If the systems runs highly specialised software like databases clusters etc be very wary of installing Kernel IO and driver patches It is advisable to test patches on a separate system first
References
[1] AIX 43 Network Hardening
Information Systems and Technology University of Waterloohttpistuwaterloocasecurityhowto2001-01-15
httpistuwaterloocasecurityhowto2001-01-15aix-network-hardentar
A PDF version has been createdhttpborandyndnsorgaix
[2] AIX - RS6000 Documentation Library (IBM)
bull Frequently Asked Questions about AIX and the IBM RS6000 (Usenix posting) Also a pdf version
for printing
bull AIX 43 Elements of Security Effective and Efficient Implementation (by) Kosuge Arminguad
Chew Horne amp Witteveen 18-Aug-2000 Also a pdf version for printing
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1313
bull Additional AIX Security Tools on IBM pSeries IBM RS6000 and SPCluster (by) Farazdel Genty
Kerouanton amp Khor 20-Dec-2000 Also a pdf version for printing
bull Exploiting RS6000 SP Security Keeping It Safe (by) Farazdel DeRobertis Genty Kreuger amp
Wilkop 21-Sep-2000 Also a pdf version for printing
Auditing notes
Several ldquocheckrdquo commands (grpck usrck pwdck and tcbck) and ldquolistrdquocommands (lsuser and lsgroup) are available for use by root or anyone in thesecurity group
The grpck usrck and pwdck commands require a flag to indicate whether the
system should try to fix erroneous attributes
Flags are -n Reports errors but does not fix them eggrpck -n ALL
lsgroup -f ALL gtgt tmpcheck
lsuser -f ALL gtgt tmpcheck
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 813
8 Another user can SU TO USER true
9 SU GROUPS [ALL]
11 Initial PROGRAM []
13 EXPIRATION date (MMDDhhmmyy) [0]14 Is this user ACCOUNT LOCKED false
15 User can LOGIN true16 User can LOGIN REMOTELY true17 Allowed LOGIN TIMES [] 0600-2000
18 Number of FAILED LOGINS before [0] user account is locked 5
19 Login AUTHENTICATION GRAMMAR [compat]20 Valid TTYs [ALL] []
21 Days to WARN USER before password expires [0]
22 Password CHECK METHODS []
23 Password DICTIONARY FILES [] usrsharedictwords (and add others from John the ripper)
24 NUMBER OF PASSWORDS before reuse [0]
Password History size - histsize 825 WEEKS before password reuse [0]
Password reuse min - histexpire 26
26 Weeks between password EXPIRATION and LOCKOUTPassword maxexpired 4
27 Password MAX AGE 12 or 24
28 Password MIN AGE 029 Password MIN LENGTH 6
30 Password MIN ALPHA characters 4
31 Password MIN OTHER characters 1
32 Password MAX REPEATED characters 3
33 Password MIN DIFFERENT characters 334 Password REGISTRY
loginretries 20
following setting limit how much system resources can be used
some high limits could be set35 Soft FILE size
36 Soft CPU time
37 Soft DATA segment38 Soft STACK size
39 Soft CORE file size [2097151] 0
40 Hard FILE size []41 Hard CPU time []42 Hard DATA segment []
43 Hard STACK size []
44 Hard CORE file size [] 0
45 File creation UMASK [022] 027
46 AUDIT classes []47 TRUSTED PATH nosak
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 913
48 PRIMARY authentication method [SYSTEM]
49 SECONDARY authentication method [NONE]
bull Set user defaults for above
bull usrlibsecuritymkuserdefault
bull etcsecurityuser bull etcsecuritylimits
bull etcsecuritylogincfg
bull usrlibsecuritymkusersysbull User restricted shell
Temporary accounts
TBD
bull Ensure expiry date set
Temporary access to existing accounts
TBD
Applicationdaemon account policy
bull Ensure that the password is blocked and shell is set to devnull for all system accounts except root
and sysadmin users
bull A system default of umask 027 or tighter is required
AdministratorPrivileged access account policy
bull Set PATH (no system directories first) and other variables (eg TERM IFS LIBRARY PATH
MANPATH) in profile and cshrc or login
bull The tsh shell is a good security tool It only allows you to run programs that are in the TCB and have
the TCB mode set We should at least recommend its usagebull Only allow root to be access via su (not console or network login)
smit chuser
Another user can SU TO USER true
User can LOGIN falseUser can LOGIN REMOTELY false
TBD I think we should allow root to login to the consolebull A system default of umask 027 or tighter is required
TBD
bull Extended attributes
bull For sensitive accounts One common method of increasing login security is to require two passwords
to authenticate an account This is called ldquo2 key authenticationrdquo
bull SAK etcsecuritylogincfg to the ldquodefaultrdquo stanza sak_enabled=true
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1013
bull roles an alternative method of assigning sysadmin privileges Maybe an alternative to sudo or the
commercial equivalentManageBasicUsers chsec chuser lsuser mkuser
ManageAllUsers chfn chsec chuser mkuser rmuser chrole mkrole lsrole rmrole chsec lssec
pwdadm chgroup chgrpmem chsec mkgroup rmgroup chsec chuser lsuser mkuser ManageBasicPasswords pwdadm
ManageAllPasswords chsec lssec pwdadm
ManageRoles chrole mkrole lsrole rmroleManageBackupRestore backup restoreManageBackup backup
ManageShutdown shutdown
RunDiagnostics diag
The chuser command is used when addingremoving a role to an existing user
See also etcsecurityuserroles and etcsecurityroles and smitsmit chrole To change the attribute values
smit lsrole To display the attributes and their values
smit mkrole To creates an entry for each new role in the etcsecurityroles
smit rmrole To remove a role
top
Install additional security tools
At this stage standard toolsutilities are going to be installed the most important being SSH These tools
should already have been compiled and tested extensively on another machine They are typically transferredas tar files by CD or FTP
bull AIX tools - C2
bullIP Security (IPSec) port filtering permits AIX to filter incoming IP packets
based on combinations of source IP address (more generally a network
and netmask) protocol (TCP or UDP) and port number
(perhaps we dont need TCP wrappers this filtering seems to be just as good if not a littlecomplicated Its like a local IpchainsIPfilter)
bullIP Security (IPSec)encryption
bull DACinet permits arbitrary ports (above 1024) to be designated as
privileged so that they may only be bound to a socket created by the
super-user Examples would include ports used by Web-based SystemManager and X11
bull DACinet also provides a means of restricting the ability of users based on
user identity to establish connections to TCP ports (No similar feature is provided for UDP ports) This feature extends the IPSec address-based notion of port filtering to
permit only trusted users to establish connections to certain services (such as Web-based System
Manager)
bull Install SSH for login access Configure the ssh daemon (etcsshd_config) so that access is restricted
to named hosts with known public keys (etcssh_known_hosts) and rhosts authentication is disabled
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1113
Use shosts rather than rhosts if remote admin is needed If telnetdftpd was still enabled disable it
in etcinetdconf once you have tested SSH
bull Security
o tripwire lsof md5 logcheck rdist tcp wrappers
o possibly snort tocsin
o monitoring scripts
o auditing scripts
bull SysAdmino perl gzip top
Create Tripwire image backup test
Test - Do SSH and the standard tools work Check log entries check console messages Does the system
behave as expected
bull When all is working fine freeze usr and if possible opt
Mount usr and opt read-only (in etcvfstab with ro option) This reduces the risk of trojan horses andunauthorised modifications
Mount other partitions nosuid (SUID programs cannot assume other identities)
RebootRun the mount command to check that filesystems options are effective
bull If CD-ROMS are not needed for production disable the volume manager (one less daemon one less
security worry) It can always be re-enabled if needed later
mv etcrc2dS92volmgt etcrc2dS92volmgt
bull At this stage install tripwire (or some other filechecker that uses secure hashing algorithms) initialise
its database and run regular checks to monitor for changes If possible keep the tripwire master database on another machine or write-once media Even better copy tripwire amp its database and run
it remotely at regular intervals using SSH This makes it difficult for an attacker to know that tripwireis being used to check the system
bull Backup the system to two tapes one offsite
Maintenance
Monitoring Tasks
921 Intrusion monitoring tasks
9211 File integrity size permissions ownership
nice tcbck -n tree
or tripwire
9212 Network ports visible9213 Network traffic intrusion
892019 13044559 Hardening Aix
httpslidepdfcomreaderfull13044559-hardening-aix 1213
922 Log Statistics
923 Log Exception monitoring
924 Availability reliabilityProcesses ping hosts snmp rpc remote check of specific services
925 Example Schedules Daily Weekly Monthly
Software Patches
bull On system installation the latest security recommended patches for the Operating System and
applications be installed
bull As time goes by new weaknesses and corresponding patches will be published and these must be
installed on the system within two months Alternatively a lsquopatch strategyrsquo for the system must be
defined and approved that consists ofa) How is notification of new relevant patches realised
b) How often are patches applied
c) Patch procedure for example test patches on a test System plan downtime prepare rollback in
case of failure apply patches monitor for problems document resultsbull How do you decide whether a weakness is worth patching
a) If the weakness concerns a remotely exploitable weakness in an active network daemon exposed
to a hostile environment like the Internet install it fast b) If the weakness concerns a local exploit of a tool not normally used not a daemon and on a host
where only root or administrator accounts exist it may be enough to install the patch together with a
bundle at the scheduled intervalsc) If the weakness concerns a local exploit of a tool on a host where non-administrative users have
accounts with shell access urgent action is advised
d) If the systems runs highly specialised software like databases clusters etc be very wary of installing Kernel IO and driver patches It is advisable to test patches on a separate system first
  48 PRIMARY authentication method       [SYSTEM]
  49 SECONDARY authentication method     [NONE]
• Set the user defaults for the above in:
  o /usr/lib/security/mkuser.default (defaults applied to users created with mkuser)
  o /etc/security/user (default stanza and per-user stanzas)
  o /etc/security/limits (resource limits)
  o /etc/security/login.cfg (port and login settings)
  o /usr/lib/security/mkuser.sys (script run by mkuser to build the home directory)
• Give users who need one a restricted shell.
Temporary accounts
TBD
• Ensure an expiry date is set (the expires attribute of the user).
Temporary access to existing accounts
TBD
Application/daemon account policy
• For all system accounts except root and the sysadmin users, block the password and set the shell to /dev/null (a non-executable "shell"), so the account cannot be used for an interactive login.
• A system default of umask 027 or tighter is required.
Administrator/privileged access account policy
• Set PATH (no current directory ".", system directories first) and the other environment variables (e.g. TERM, IFS, LIBPATH, MANPATH) explicitly in .profile and .cshrc or .login.
• The tsh shell (trusted shell) is a good security tool: it only runs programs that are part of the TCB and have the TCB attribute set. We should at least recommend its use.
• Only allow root to be reached via su, not by console or network login. In smit chuser:
    Another user can SU TO USER?     true
    User can LOGIN?                  false
    User can LOGIN REMOTELY?         false
  TBD: I think we should allow root to log in on the console.
• A system default of umask 027 or tighter is required.
TBD
• Extended attributes
• For sensitive accounts: one common method of increasing login security is to require two passwords to authenticate an account. This is called "two-key authentication".
• SAK (Secure Attention Key): in /etc/security/login.cfg, add sak_enabled = true to the "default" stanza.
• Roles: an alternative method of assigning sysadmin privileges, and maybe an alternative to sudo or its commercial equivalents. The predefined roles and the commands they authorise:
    ManageBasicUsers      chsec chuser lsuser mkuser
    ManageAllUsers        chfn chsec chuser lsuser mkuser rmuser chrole mkrole lsrole rmrole lssec pwdadm chgroup chgrpmem mkgroup rmgroup
    ManageBasicPasswords  pwdadm
    ManageAllPasswords    chsec lssec pwdadm
    ManageRoles           chrole mkrole lsrole rmrole
    ManageBackupRestore   backup restore
    ManageBackup          backup
    ManageShutdown        shutdown
    RunDiagnostics        diag
  The chuser command is used to add a role to, or remove it from, an existing user. See also /etc/security/user.roles and /etc/security/roles, and the smit fast paths:
    smit chrole   change a role's attribute values
    smit lsrole   display a role's attributes and their values
    smit mkrole   create an entry for a new role in /etc/security/roles
    smit rmrole   remove a role
Install additional security tools
At this stage the standard tools and utilities are installed, the most important being SSH. These tools should already have been compiled and tested extensively on another machine. They are typically transferred as tar files by CD or FTP.
• AIX tools (C2 security features):
  o IP Security (IPSec) port filtering permits AIX to filter incoming IP packets based on combinations of source IP address (more generally a network and netmask), protocol (TCP or UDP) and port number. (Perhaps we don't need TCP wrappers: this filtering seems to be just as good, if a little complicated. It is like a local ipchains/IPFilter. Note that filtering by source address is only as strong as the source address; it does not authenticate the peer.)
  o IP Security (IPSec) encryption
  o DACinet permits arbitrary ports (above 1024) to be designated as privileged, so that they may only be bound to a socket created by the superuser. Examples would include the ports used by Web-based System Manager and X11.
  o DACinet also provides a means of restricting, based on user identity, the ability of users to establish connections to TCP ports (no similar feature is provided for UDP ports). This extends the IPSec address-based notion of port filtering to permit only trusted users to establish connections to certain services (such as Web-based System Manager).
• Install SSH for login access. Configure the SSH daemon (/etc/sshd_config) so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled.
  Use .shosts rather than .rhosts if remote admin needs host-based trust. If telnetd and ftpd are still enabled, disable them in /etc/inetd.conf once you have tested SSH.
• Security
  o tripwire, lsof, md5, logcheck, rdist, tcp wrappers
  o possibly snort, tocsin
  o monitoring scripts
  o auditing scripts
• SysAdmin
  o perl, gzip, top
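The SSH bullet above names the goal but not the settings. As an added example, not part of the original draft or of any IBM or OpenSSH documentation, the script below writes an sshd_config fragment that matches the bullet (key-based access only, host-based trust verified against /etc/ssh_known_hosts, plain rhosts authentication off, no root or password logins), checks it for the weak settings, and only then retires telnet, ftp and rsh from a constructed inetd.conf sample. The keyword names are the OpenSSH ones of the period (a current sshd reports RhostsAuthentication as deprecated and ignores it); the host and user name in AllowUsers, the service list and the temporary paths are placeholders.

```sh
#!/bin/sh
# Added example, not from the original draft: (1) an sshd_config fragment for
# the policy above plus a check for it, (2) disabling inetd services only after
# the SSH configuration checks out. Everything works on temporary copies so it
# can be tried anywhere; on the host the same functions apply to
# /etc/sshd_config and /etc/inetd.conf.

TMPD=${TMPDIR:-/tmp}/harden.$$
mkdir -p "$TMPD"
trap 'rm -rf "$TMPD"' EXIT

# (1) Hardened sshd fragment. IgnoreUserKnownHosts makes host-based trust depend
# only on the system-wide known-hosts file; .rhosts/.shosts are still consulted
# for the *key-verified* host-based method, plain rhosts auth is off.
cat > "$TMPD/sshd_config" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
HostbasedAuthentication yes
RhostsAuthentication no
IgnoreRhosts no
IgnoreUserKnownHosts yes
AllowUsers admin@adminhost.example.com
EOF

# sshd_setting FILE KEY -> value of KEY (last one wins, case-insensitive)
sshd_setting() {
  awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# check_sshd_config FILE -> 0 if all required settings are present and correct,
# 1 otherwise, printing the offending keys
check_sshd_config() {
  rc=0
  for pair in Protocol=2 RhostsAuthentication=no PasswordAuthentication=no \
              PermitRootLogin=no PermitEmptyPasswords=no IgnoreUserKnownHosts=yes; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_setting "$1" "$key")
    if [ "$got" != "$want" ]; then echo "$key: want $want, got ${got:-unset}"; rc=1; fi
  done
  return $rc
}

# (2) Constructed /etc/inetd.conf sample (not copied from a real host).
cat > "$TMPD/inetd.conf" <<'EOF'
## service socket protocol wait/nowait user server_path args
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd     ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/telnetd  telnetd -a
shell   stream  tcp     nowait  root    /usr/sbin/rshd     rshd
#login  stream  tcp     nowait  root    /usr/sbin/rlogind  rlogind
EOF

# inetd_active FILE -> names of services still enabled (uncommented lines)
inetd_active() {
  awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# inetd_disable FILE SERVICE... -> comment out the named services in place.
# Only the first field is compared, so "ftp" does not also hit "tftp".
inetd_disable() {
  f=$1; shift
  for svc in "$@"; do
    awk -v s="$svc" '$1 == s { print "#" $0; next } { print }' "$f" > "$f.new" &&
      mv "$f.new" "$f"
  done
}

# harden: the ordering the text asks for; prints whatever is still enabled
harden() {
  check_sshd_config "$TMPD/sshd_config" > /dev/null || return 1
  inetd_disable "$TMPD/inetd.conf" telnet ftp shell
  inetd_active "$TMPD/inetd.conf"
}

check_sshd_config "$TMPD/sshd_config" && echo "sshd_config: required settings present"
```

After editing the real /etc/inetd.conf, make inetd re-read it (refresh -s inetd on AIX) and confirm with a port scan from another host that 21, 23 and 514 no longer answer.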
Create Tripwire image, backup, test
Test: do SSH and the standard tools work? Check log entries, check console messages. Does the system behave as expected?
• When all is working fine, freeze /usr and, if possible, /opt.
  Mount /usr and /opt read-only. On AIX the mount options belong in the filesystem's stanza in /etc/filesystems ("options = ro"); /etc/vfstab is the Solaris equivalent. This reduces the risk of trojan horses and unauthorised modifications.
  Mount the other partitions nosuid ("options = nosuid"), so that SUID programs on them cannot assume other identities.
  Reboot. Run the mount command to check that the filesystem options are effective.
• If CD-ROMs are not needed for production, disable the volume manager (one less daemon, one less security worry). It can always be re-enabled if needed later:
    mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt
  Note that this step is carried over from a Solaris checklist: S92volmgt starts the Solaris vold daemon, and AIX 4.3 has no equivalent automatic volume manager (CD-ROMs are mounted explicitly with mount), so on AIX there is nothing to disable here.
• At this stage install tripwire (or some other file checker that uses secure hashing algorithms), initialise its database and run regular checks to monitor for changes. If possible keep the tripwire master database on another machine or on write-once media. Even better, copy tripwire and its database over and run it remotely at regular intervals using SSH; this makes it difficult for an attacker to know that tripwire is being used to check the system.
• Back up the system to two tapes, one kept offsite.
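The tripwire bullet above says what the checker must record without showing it. This added shell example (not tripwire, and not from the original draft) is the minimal version: a baseline of path, mode, owner, group, size and checksum for every file under a tree, and a verify step that lists files added, changed or removed since the baseline. The directory tree, the simulated tampering and the paths are constructed for the demonstration; cksum is a CRC, not a cryptographic hash, so a real deployment substitutes md5 or better and keeps the baseline off-host, as the text says.

```sh
#!/bin/sh
# Added example, not from the original draft: baseline/verify in the spirit of
# "tcbck -n tree" and tripwire, using only POSIX tools (find, ls, cksum).

DEMO=${TMPDIR:-/tmp}/integ.$$
trap 'rm -rf "$DEMO"' EXIT

# snapshot DIR -> one line per regular file: path mode owner group size crc
snapshot() {
  (cd "$1" && find . -type f | sort | while IFS= read -r f; do
    set -- $(ls -ld "$f")                 # mode links owner group size ...
    sum=$(cksum "$f" | cut -d' ' -f1)
    printf '%s %s %s %s %s %s\n' "$f" "$1" "$3" "$4" "$5" "$sum"
  done)
}

# baseline DIR DBFILE -> record the current snapshot as the reference
baseline() { snapshot "$1" > "$2"; }

# verify DIR DBFILE -> prints "added|changed|removed PATH" lines, sorted;
# returns 0 only when nothing differs from the baseline
verify() {
  snapshot "$1" > "$2.now"
  awk 'FILENAME == ARGV[1] { base[$1] = $0; next }
       !($1 in base)      { print "added " $1; next }
       base[$1] != $0     { print "changed " $1 }
                          { delete base[$1] }
       END { for (f in base) print "removed " f }' "$2" "$2.now" | sort > "$2.diff"
  rm -f "$2.now"
  cat "$2.diff"
  [ ! -s "$2.diff" ]
}

# Constructed demo tree (stands in for /usr, /etc, ...).
mkdir -p "$DEMO/tree/bin" "$DEMO/tree/etc"
printf 'echo ok\n' > "$DEMO/tree/bin/tool"; chmod 755 "$DEMO/tree/bin/tool"
printf 'sak_enabled = true\n' > "$DEMO/tree/etc/login.cfg"
baseline "$DEMO/tree" "$DEMO/base.db"

# tamper: simulated attacker activity, to show what verify reports
tamper() {
  printf 'echo pwned\n' >> "$DEMO/tree/bin/tool"     # content change
  chmod 4755 "$DEMO/tree/bin/tool"                     # new SUID bit (mode change)
  printf 'x\n' > "$DEMO/tree/bin/.hidden"              # new file
  rm "$DEMO/tree/etc/login.cfg"                        # removed file
}

verify "$DEMO/tree" "$DEMO/base.db" && echo "clean (as expected right after baseline)"
```

To get the remote arrangement described above, keep base.db on the checking host and run snapshot on the target over SSH (ssh target 'sh -s' with the function piped in), comparing its output locally; the target then holds neither the checker's database nor a record that it is being checked.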
Maintenance
Monitoring tasks
9.2.1 Intrusion monitoring tasks
  9.2.1.1 File integrity: size, permissions, ownership
    nice tcbck -n tree
    or tripwire
  9.2.1.2 Network ports visible
  9.2.1.3 Network traffic, intrusion
9.2.2 Log statistics
9.2.3 Log exception monitoring
9.2.4 Availability / reliability: processes, ping hosts, snmp, rpc, remote check of specific services
9.2.5 Example schedules: daily, weekly, monthly
Software patches
• On system installation, the latest security and recommended patches for the operating system and applications must be installed.
• As time goes by, new weaknesses and corresponding patches will be published, and these must be installed on the system within two months. Alternatively, a "patch strategy" for the system must be defined and approved that consists of:
  a) How notification of new relevant patches is realised
  b) How often patches are applied
  c) The patch procedure, for example: test patches on a test system, plan downtime, prepare a rollback in case of failure, apply the patches, monitor for problems, document the results
• How do you decide whether a weakness is worth patching?
  a) If the weakness is a remotely exploitable flaw in an active network daemon exposed to a hostile environment such as the Internet, install the patch fast.
  b) If the weakness is a local exploit of a tool that is not normally used, is not a daemon, and sits on a host where only root or administrator accounts exist, it may be enough to install the patch with the next bundle at the scheduled interval.
  c) If the weakness is a local exploit of a tool on a host where non-administrative users have accounts with shell access, urgent action is advised.
  d) If the system runs highly specialised software such as databases or clusters, be very wary of installing kernel, I/O and driver patches: test them on a separate system first.
References
[1] AIX 4.3 Network Hardening, Information Systems and Technology, University of Waterloo, http://ist.uwaterloo.ca/security/howto/2001-01-15 (tar archive: http://ist.uwaterloo.ca/security/howto/2001-01-15/aix-network-harden.tar). A PDF version has been created: http://boran.dyndns.org/aix
[2] AIX and RS/6000 Documentation Library (IBM):
  • Frequently Asked Questions about AIX and the IBM RS/6000 (Usenet posting). Also a PDF version for printing.
  • AIX 4.3 Elements of Security: Effective and Efficient Implementation, by Kosuge, Arminguad, Chew, Horne and Witteveen, 18-Aug-2000. Also a PDF version for printing.
  • Additional AIX Security Tools on IBM pSeries, IBM RS/6000 and SP/Cluster, by Farazdel, Genty, Kerouanton and Khor, 20-Dec-2000. Also a PDF version for printing.
  • Exploiting RS/6000 SP Security: Keeping It Safe, by Farazdel, DeRobertis, Genty, Kreuger and Wilkop, 21-Sep-2000. Also a PDF version for printing.
Auditing notes
Several "check" commands (grpck, usrck, pwdck and tcbck) and "list" commands (lsuser and lsgroup) are available for use by root or anyone in the security group.
The grpck, usrck and pwdck commands require a flag to indicate whether the system should try to fix erroneous attributes: -n reports errors but does not fix them; -p fixes errors without reporting them; -t reports errors and asks before fixing them; -y fixes errors and reports them. For example:
  grpck -n ALL
  lsgroup -f ALL >> /tmp/check
  lsuser -f ALL >> /tmp/check
The resulting file lists every account's settings, so write it somewhere that is not world-readable (a root-only directory rather than /tmp under a loose umask).
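The account-policy bullets earlier (system accounts locked out, root reachable only via su, umask 027) and the lsuser -f ALL dump above fit together: the dump is the input and the policy is the check. As an added example, not from the original draft, this shell script parses a constructed lsuser -f stanza sample, reports each violation and prints the chuser command that would correct it, for review rather than blind execution. The sample accounts, the "uid below 200 means system account" rule and the fix commands are assumptions of the example; the attribute names (login, rlogin, su, umask) are the ones behind the smit chuser fields shown earlier.

```sh
#!/bin/sh
# Added example, not from the original draft: audit lsuser -f output against
# the account policy and propose chuser fixes.  On AIX:
#   lsuser -f ALL | audit_and_propose

# Constructed sample in lsuser -f stanza format (not captured from a real host).
SAMPLE='root:
        id=0
        shell=/usr/bin/ksh
        login=true
        su=true
        rlogin=true
        umask=27
daemon:
        id=1
        shell=/usr/bin/ksh
        login=true
        su=false
        rlogin=false
        umask=22
sysadm:
        id=201
        shell=/usr/bin/ksh
        login=true
        su=true
        rlogin=false
        umask=27
uucp:
        id=5
        shell=/usr/bin/false
        login=false
        su=false
        rlogin=false
        umask=27'

# audit_lsuser: stanzas on stdin -> "USER: ATTR: finding" lines on stdout.
# "System account" = uid below 200 other than root (assumption: adjust to the
# local convention). umask is an octal string; 027 or tighter means the
# group-write bit and all "other" bits are masked.
audit_lsuser() {
  awk -F= '
    function flush(   m, g, o) {
      if (name == "") return
      if (name != "root" && id + 0 < 200 && login == "true")
        printf "%s: login: system account can still log in\n", name
      if (name == "root" && rlogin == "true")
        printf "root: rlogin: remote login allowed\n"
      m = umask; while (length(m) < 3) m = "0" m
      g = substr(m, 2, 1) + 0; o = substr(m, 3, 1) + 0
      if (int(g / 2) % 2 != 1 || o != 7)
        printf "%s: umask: %s is looser than 027\n", name, umask
      name = ""; id = ""; login = ""; rlogin = ""; umask = ""
    }
    /^[^ \t].*:$/ { flush(); name = substr($0, 1, length($0) - 1); next }
    { sub(/^[ \t]+/, "", $1) }
    $1 == "id"     { id = $2 }
    $1 == "login"  { login = $2 }
    $1 == "rlogin" { rlogin = $2 }
    $1 == "umask"  { umask = $2 }
    END { flush() }
  '
}

# fix_cmd USER ATTR -> the chuser command that applies the policy for a finding
fix_cmd() {
  case $2 in
    login)  echo "chuser login=false rlogin=false $1" ;;
    rlogin) echo "chuser rlogin=false $1" ;;
    umask)  echo "chuser umask=027 $1" ;;
    *)      return 1 ;;
  esac
}

# audit_and_propose: each finding followed by the proposed command
audit_and_propose() {
  audit_lsuser | while IFS=': ' read -r user attr rest; do
    echo "$user: $attr: $rest"
    echo "    -> $(fix_cmd "$user" "$attr")"
  done
}

printf '%s\n' "$SAMPLE" | audit_and_propose
```

The root finding is deliberately limited to rlogin: whether root may log in on the console is the open TBD in the policy above, so the script does not decide it.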