Securing AIX - Hardening Lesson 101 | Unix Linux Forums | AIX

  Go Back    


AIX AIX is IBM's industry-leading UNIX operating system that meets the demands of applications that businesses rely upon in today's marketplace.

Securing AIX - Hardening Lesson 101

AIX


Tags
aixpert, check, hardening, report, sox-cobit

Closed Thread    
 
Thread Tools Search this Thread Display Modes
    #1  
Old 02-25-2013
MichaelFelt MichaelFelt is offline
Registered User
 
Join Date: Nov 2012
Last Activity: 11 December 2013, 7:33 AM EST
Location: on the road for work; home is private time
Posts: 311
Thanks: 6
Thanked 75 Times in 71 Posts
IBM Securing AIX - Hardening Lesson 101

Every now and then I google: SecuringAIX (I write a blog by that name, so I am curious where it stands - and to my dismay I did not make the top5 today from my current location.

However, this unix.com/aix thread did make the top5- and, imho, it is lacking in clarity and ease. So, I thought I would post a refresher - AIX Hardening 101.

Since AIX 5.3, ML05 I believe (so we are anno 2005 I believe) - AIX intradiced a tool known as AIX Security Expert , or aixpert . This is meant to be pretty much - push button security - from it's start at least as much more has been added.

For a test drive - let it tell you what it finds wrong (note, wrong means different. If the level you choose thinks 4 is the right number and you have a different number (e.g., 3 or 5) it will say it is failed.).

So, test drive - no configuration changes made to your system with:


Code:
# [[ -e /etc/security/aixpert/core/appliedaixpert.xml ]] && mv /etc/security/aixpert/core/appliedaixpert.xml /etc/security/aixpert/core/appliedaixpert.xml.save
# aixpert -l high|medium|low|default|sox-cobit -n -o /etc/security/aixpert/core/appliedaixpert.xml
# aixpert -c
# [[ -e /etc/security/aixpert/core/appliedaixpert.xml.save ]] && mv  /etc/security/aixpert/core/appliedaixpert.xml.save  /etc/security/aixpert/core/appliedaixpert.xml
# more /etc/security/aixpert/check_report.txt

Note: you must choose a level to test against - one of high|medium|low|default|sox-cobit

This is part of bos.security.rte so it is always installed. Up to you to use it!
Sponsored Links
    #2  
Old 02-26-2013
bakunin bakunin is offline Forum Staff  
Bughunter Extraordinaire
 
Join Date: May 2005
Last Activity: 20 April 2014, 3:47 PM EDT
Location: In the leftmost byte of /dev/kmem
Posts: 3,919
Thanks: 39
Thanked 671 Times in 533 Posts
Here is my checklist of security-related things i do when i install a new system:
  • Create administrative FSes
    root needs some places to store things: system documentation, logs, scripts, etc.. In most cases there is "/usr/local/bin" and roots home. Create FSes for some or all of these directories so that the content doesn't land in "/". Full root-fses usually cause some headache for the admins.
  • Install ssh
    You need ssh itself and openssl for that. Get both from IBMs Linux Toolbox for AIX website and install with rpm.
  • Disable "classic" means of connection: telnet, ftp, rlogin, rexec, ....
    Notice that you might need rlogin in some cases, but as a rule of thumb all these non-securified services should be disabled. Make sure these will not be started at system start any more.
  • Disable/limit root-login
    The best way to become root is to log on with your regular user-ID and then switch to root. Therefore remote login for root can and should be disabled. Console login should be allowed, because there might be emergency situations where it is necessary. Someone able to get to the console is most probably also allowed to log on as root.
  • Set up sudo
    Download from the IBM site where you got ssh.
  • Set up ntp
    Especially when you use Kerberos you need consistent timekeeping throughout your environment, so connect your system to your local Stratum-2-server. Set the method to "slew" for database systems (i.e. Oracle is quite picky about duplicate timestamps when you set it to "step").
  • Edit /etc/motd and /etc/security/login.cfg
    Its a good idea to be able to immediately recognize at which system you are when you log on. If you put some distinct banners at the login screen chances are you notice them even in times of stress if you have mistyped the machines name. (It is really easy to type "ssh server3" instead of "ssh server2" or something such.)
I hope this helps.

bakunin
Sponsored Links
    #3  
Old 02-27-2013
MichaelFelt MichaelFelt is offline
Registered User
 
Join Date: Nov 2012
Last Activity: 11 December 2013, 7:33 AM EST
Location: on the road for work; home is private time
Posts: 311
Thanks: 6
Thanked 75 Times in 71 Posts
Now is a good time to look at so-called Role Based Access Control solutions - aka RBAC, rather than sudo. IT audit requirements are moving in this direction.
If you go sudo - it is not enough to install it and let everyone just sudo su - .

And be sure and define a seperate group, no files in it, only admins, with are allowed to su to root ( sugroups setting for root is the name of this group, default is keyword ALL - meaning any group is accepted)

AIX supplies ssh on the DVD with AIX 6.1 and AIX 7.1, no additional download needed.

Big plus on suggestion to setup non-rootvg filesystems (i.e., not just a seperate filesystem, but have an additional volume group for these items, so that "rootvg" can be replaced (e.g., fresh install) and you will not lose any vital configuration information by accident. Not saying the steps to "replace" rootvg are simple, but this is much simplier than losing the info, or having to extract outdated information from an "ancient" mksysb backup file.

edit motd: yes, but a standard message for all systems - best practice seems to be to mention that only authorized users are permitted, and actions may be logged. Proceding implies consent and other "legal stuff".

Important change: change the pwd_algorithm setting (none set, so crypt by default) in /etc/security/login.cfg

All the other edits, disabling programs, root login, etc. - just use
# aixpert -l h (or #aixpert -l high )
    #4  
Old 03-02-2013
ross.mather ross.mather is offline
Registered User
 
Join Date: Aug 2008
Last Activity: 20 April 2014, 10:25 AM EDT
Location: Nomadic in the UK
Posts: 132
Thanks: 5
Thanked 8 Times in 8 Posts
AIXpert setting of High is intended for Internet facing servers. more common is that in data centre, firewall protected servers will use the medium setting.

You need to watch with medium as it by default will disable both NFS and NTP, so you should always review the entire content of the XML files before you apply them to existing live systems.
Sponsored Links
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
AIX 101 : Sys Admin Pocket Survival Guide filosophizer AIX 1 01-10-2012 10:42 AM
Securing AIX michlix AIX 4 12-22-2011 09:50 PM
securing AIX box michlix Security 0 12-21-2011 01:04 AM
Textfile lesson lazybaer Shell Programming and Scripting 0 03-11-2010 02:54 AM



All times are GMT -4. The time now is 03:04 AM.