Securing AIX

Sponsored Content

Operating Systems AIX Securing AIX - Hardening Lesson 101 Post 302772833 by MichaelFelt on Wednesday 27th of February 2013 01:58:40 AM

02-27-2013

Registered User

Now is a good time to look at so-called Role Based Access Control solutions - aka RBAC, rather than sudo. IT audit requirements are moving in this direction.
If you go sudo - it is not enough to install it and let everyone just sudo su -.

And be sure and define a seperate group, no files in it, only admins, with are allowed to su to root (sugroups setting for root is the name of this group, default is keyword ALL - meaning any group is accepted)

AIX supplies ssh on the DVD with AIX 6.1 and AIX 7.1, no additional download needed.

Big plus on suggestion to setup non-rootvg filesystems (i.e., not just a seperate filesystem, but have an additional volume group for these items, so that "rootvg" can be replaced (e.g., fresh install) and you will not lose any vital configuration information by accident. Not saying the steps to "replace" rootvg are simple, but this is much simplier than losing the info, or having to extract outdated information from an "ancient" mksysb backup file.

edit motd: yes, but a standard message for all systems - best practice seems to be to mention that only authorized users are permitted, and actions may be logged. Proceding implies consent and other "legal stuff".

Important change: change the pwd_algorithm setting (none set, so crypt by default) in /etc/security/login.cfg

All the other edits, disabling programs, root login, etc. - just use
# aixpert -l h (or #aixpert -l high)

MichaelFelt

View Public Profile for MichaelFelt

Find all posts by MichaelFelt

8 More Discussions You Might Find Interesting

1. Solaris

Hardening Solaris

What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:)

2. UNIX for Advanced & Expert Users

Lesson Learned: Dual boot XP and Fedora 9

This post captures my recent experience in getting my Dell XPS Gen 3 to support dual boot of Windows XP (Professional) and the Fedora 9 Linux distribution. I searched quite a bit on the internet and found, of course, a variety of opinions regarding how to setup this type (dual boot) of...

3. Shell Programming and Scripting

Rename multiple files lesson

Hi All, So I found a cool way to change extensions to multiple files with: for i in *.doc do mv $i ${i%.doc}.txt done However, what I want to do is move *.txt to *_0hr.txt but the following doesn't work: for i in *.txt do mv $i ${i%.txt}_0hr.txt done My questions are (1) Why...

4. Shell Programming and Scripting

Textfile lesson

Tag allerseits Ich habe ein umfangreiches Script. Darin m�chte ich zu Beginn ein textfile lesen. Den ersten Satz. Dann kommen mehrere Instruktionen und dann soll wieder gelesen werden. Den zweiten Satz. Etc. Ich kann also das herk�mmliche while read xyz / do ... done nicht ben�tzen. ...

5. Cybersecurity

securing AIX box

Guys, i want to securing AIX after install by scrath. Is anybody can inform about the standard port which used by AIX?

6. AIX

Guys, i want to securing AIX after install by scratch. Is anybody can inform about the standard port which used by AIX?

7. AIX

AIX 101 : Sys Admin Pocket Survival Guide

HOW-TO AIX Admin 101 Sys Admin Pocket Survival Guide - AIX Worth checking it out and printing it.

8. Web Development

Oracle Jet - LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding

Working on LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding in this Oracle JET online course - Soar higher with Oracle JavaScript Extension Toolkit (JET), I have created this code for incidents.js I cannot get the load average data in this Oracle JET test to update the...

LEARN ABOUT DEBIAN

newgrp

NEWGRP(1)							   User Commands							 NEWGRP(1)

NAME

       newgrp - log in to a new group

SYNOPSIS

       newgrp [-] [group]

DESCRIPTION

       The newgrp command is used to change the current group ID during a login session. If the optional - flag is given, the user's environment
       will be reinitialized as though the user had logged in, otherwise the current environment, including current working directory, remains
       unchanged.

       newgrp changes the current real group ID to the named group, or to the default group listed in /etc/passwd if no group name is given.
       newgrp also tries to add the group to the user groupset. If not root, the user will be prompted for a password if she does not have a
       password (in /etc/shadow if this user has an entry in the shadowed password file, or in /etc/passwd otherwise) and the group does, or if
       the user is not listed as a member and the group has a password. The user will be denied access if the group password is empty and the user
       is not listed as a member.

       If there is an entry for this group in /etc/gshadow, then the list of members and the password of this group will be taken from this file,
       otherwise, the entry in /etc/group is considered.

CONFIGURATION

       The following configuration variables in /etc/login.defs change the behavior of this tool:

       SYSLOG_SG_ENAB (boolean)
	   Enable "syslog" logging of sg activity.

FILES

       /etc/passwd
	   User account information.

       /etc/shadow
	   Secure user account information.

       /etc/group
	   Group account information.

       /etc/gshadow
	   Secure group account information.

SEE ALSO

       id(1), login(1), su(1), sg(1), gpasswd(1), group(5), gshadow(5).

shadow-utils 4.1.5.1						    05/25/2012								 NEWGRP(1)