Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Securing AIX - Hardening Lesson 101
Operating Systems AIX Securing AIX - Hardening Lesson 101 Post 302772833 by MichaelFelt on Wednesday 27th of February 2013 01:58:40 AM
Old 02-27-2013
Now is a good time to look at so-called Role Based Access Control solutions - aka RBAC, rather than sudo. IT audit requirements are moving in this direction.
If you go sudo - it is not enough to install it and let everyone just sudo su -.

And be sure and define a seperate group, no files in it, only admins, with are allowed to su to root (sugroups setting for root is the name of this group, default is keyword ALL - meaning any group is accepted)

AIX supplies ssh on the DVD with AIX 6.1 and AIX 7.1, no additional download needed.

Big plus on suggestion to setup non-rootvg filesystems (i.e., not just a seperate filesystem, but have an additional volume group for these items, so that "rootvg" can be replaced (e.g., fresh install) and you will not lose any vital configuration information by accident. Not saying the steps to "replace" rootvg are simple, but this is much simplier than losing the info, or having to extract outdated information from an "ancient" mksysb backup file.

edit motd: yes, but a standard message for all systems - best practice seems to be to mention that only authorized users are permitted, and actions may be logged. Proceding implies consent and other "legal stuff".

Important change: change the pwd_algorithm setting (none set, so crypt by default) in /etc/security/login.cfg

All the other edits, disabling programs, root login, etc. - just use
# aixpert -l h (or #aixpert -l high)
 

8 More Discussions You Might Find Interesting

1. Solaris

Hardening Solaris

What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:) (5 Replies)
Discussion started by: rcmrulzz
5 Replies

2. UNIX for Advanced & Expert Users

Lesson Learned: Dual boot XP and Fedora 9

This post captures my recent experience in getting my Dell XPS Gen 3 to support dual boot of Windows XP (Professional) and the Fedora 9 Linux distribution. I searched quite a bit on the internet and found, of course, a variety of opinions regarding how to setup this type (dual boot) of... (1 Reply)
Discussion started by: rlandon@usa.net
1 Replies

3. Shell Programming and Scripting

Rename multiple files lesson

Hi All, So I found a cool way to change extensions to multiple files with: for i in *.doc do mv $i ${i%.doc}.txt done However, what I want to do is move *.txt to *_0hr.txt but the following doesn't work: for i in *.txt do mv $i ${i%.txt}_0hr.txt done My questions are (1) Why... (2 Replies)
Discussion started by: ScKaSx
2 Replies

4. Shell Programming and Scripting

Textfile lesson

Tag allerseits Ich habe ein umfangreiches Script. Darin möchte ich zu Beginn ein textfile lesen. Den ersten Satz. Dann kommen mehrere Instruktionen und dann soll wieder gelesen werden. Den zweiten Satz. Etc. Ich kann also das herkömmliche while read xyz / do ... done nicht benützen. ... (0 Replies)
Discussion started by: lazybaer
0 Replies

5. Cybersecurity

securing AIX box

Guys, i want to securing AIX after install by scrath. Is anybody can inform about the standard port which used by AIX? (0 Replies)
Discussion started by: michlix
0 Replies

6. AIX

Securing AIX

Guys, i want to securing AIX after install by scratch. Is anybody can inform about the standard port which used by AIX? (4 Replies)
Discussion started by: michlix
4 Replies

7. AIX

AIX 101 : Sys Admin Pocket Survival Guide

HOW-TO AIX Admin 101 Sys Admin Pocket Survival Guide - AIX Worth checking it out and printing it. (1 Reply)
Discussion started by: filosophizer
1 Replies

8. Web Development

Oracle Jet - LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding

Working on LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding in this Oracle JET online course - Soar higher with Oracle JavaScript Extension Toolkit (JET), I have created this code for incidents.js I cannot get the load average data in this Oracle JET test to update the... (4 Replies)
Discussion started by: Neo
4 Replies

LEARN ABOUT LINUX

dpkg-buildflags

dpkg-buildflags(1)						    dpkg suite							dpkg-buildflags(1)

NAME

       dpkg-buildflags - returns build flags to use during package build

SYNOPSIS

       dpkg-buildflags [option...] command

DESCRIPTION

       dpkg-buildflags	is a tool to retrieve compilation flags to use during build of Debian packages.  The default flags are defined by the ven-
       dor but they can be extended/overriden in several ways:

       1.     system-wide with /etc/dpkg/buildflags.conf;

       2.     for the current user with $XDG_CONFIG_HOME/dpkg/buildflags.conf where $XDG_CONFIG_HOME defaults to $HOME/.config;

       3.     temporarily with environment variables (see section ENVIRONMENT).

       The configuration files can contain two types of directives:

       SET flag value
	      Override the flag named flag to have the value value.

       APPEND flag value
	      Extend the flag named flag with the options given in value.  A space is prepended to the appended value if the flag's current  value
	      is non-empty.

       The configuration files can contain comments on lines starting with a hash (#). Empty lines are also ignored.

COMMANDS

       --list Print  the  list of flags supported by the current vendor (one per line). See the SUPPORTED FLAGS section for more information about
	      them.

       --export=format
	      Print to standard output shell (if format is sh) or make (if format is make) commands that can be used to export all the compilation
	      flags  in the environment. If the format value is not given, sh is assumed. Only compilation flags starting with an upper case char-
	      acter are included, others are assumed to not be suitable for the environment.

       --get flag
	      Print the value of the flag on standard output. Exits with 0 if the flag is known otherwise exits with 1.

       --origin flag
	      Print the origin of the value that is returned by --get. Exits with 0 if the flag is known otherwise exits with 1. The origin can be
	      one of the following values:

	      vendor the original flag set by the vendor is returned;

	      system the flag is set/modified by a system-wide configuration;

	      user   the flag is set/modified by a user-specific configuration;

	      env    the flag is set/modified by an environment-specific configuration.

       --help Show the usage message and exit.

       --version
	      Show the version and exit.

SUPPORTED FLAGS

       CFLAGS Options  for the C compiler. The default value set by the vendor includes -g and the default optimization level (-O2 usually, or -O0
	      if the DEB_BUILD_OPTIONS environment variable defines noopt).

       CPPFLAGS
	      Options for the C preprocessor. Default value: empty.

       CXXFLAGS
	      Options for the C++ compiler. Same as CFLAGS.

       FFLAGS Options for the Fortran compiler. Same as CFLAGS.

       LDFLAGS
	      Options passed to the compiler when linking executables or shared objects (if the linker is called directly, then -Wl and , have	to
	      be stripped from these options). Default value: empty.

FILES

       /etc/dpkg/buildflags.conf
	      System wide configuration file.

       $XDG_CONFIG_HOME/dpkg/buildflags.conf or $HOME/.config/dpkg/buildflags.conf
	      User configuration file.

ENVIRONMENT

       DEB_flag_SET
	      This variable can be used to force the value returned for the given flag.

       DEB_flag_APPEND
	      This variable can be used to append supplementary options to the value returned for the given flag.

       DEB_BUILD_OPTIONS
	      When  used  with	the  hardening-wrapper	package,  the  values  hardening  and  nohardening will be converted into their respective
	      DEB_BUILD_HARDENING values.  The hardening option can also include (optionally prefixed with no ) the following sub-options:  stack-
	      protector  format  fortify pie relro For example, DEB_BUILD_OPTIONS=hardening=nopie would cause DEB_BUILD_HARDENING_PIE=0 to be set,
	      or DEB_BUILD_OPTIONS=nohardening would cause DEB_BUILD_HARDENING=0 to be	set.   See  http://wiki.debian.org/Hardening  for  further
	      details.

AUTHOR

       Copyright (C) 2010 Raphael Hertzog

       This is free software; see the GNU General Public Licence version 2 or later for copying conditions. There is NO WARRANTY.

Debian Project							    2010-07-29							dpkg-buildflags(1)
All times are GMT -4. The time now is 10:05 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy