02-27-2013
Now is a good time to look at so-called Role Based Access Control solutions - aka RBAC, rather than sudo. IT audit requirements are moving in this direction.
If you go sudo - it is not enough to install it and let everyone just sudo su -.
And be sure and define a seperate group, no files in it, only admins, with are allowed to su to root (sugroups setting for root is the name of this group, default is keyword ALL - meaning any group is accepted)
AIX supplies ssh on the DVD with AIX 6.1 and AIX 7.1, no additional download needed.
Big plus on suggestion to setup non-rootvg filesystems (i.e., not just a seperate filesystem, but have an additional volume group for these items, so that "rootvg" can be replaced (e.g., fresh install) and you will not lose any vital configuration information by accident. Not saying the steps to "replace" rootvg are simple, but this is much simplier than losing the info, or having to extract outdated information from an "ancient" mksysb backup file.
edit motd: yes, but a standard message for all systems - best practice seems to be to mention that only authorized users are permitted, and actions may be logged. Proceding implies consent and other "legal stuff".
Important change: change the pwd_algorithm setting (none set, so crypt by default) in /etc/security/login.cfg
All the other edits, disabling programs, root login, etc. - just use
# aixpert -l h (or #aixpert -l high)
8 More Discussions You Might Find Interesting
1. Solaris
What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:) (5 Replies)
Discussion started by: rcmrulzz
5 Replies
2. UNIX for Advanced & Expert Users
This post captures my recent experience in getting my Dell XPS Gen 3 to support dual boot of Windows XP (Professional) and the Fedora 9 Linux distribution.
I searched quite a bit on the internet and found, of course, a variety of opinions regarding how to setup this type (dual boot) of... (1 Reply)
Discussion started by: rlandon@usa.net
1 Replies
3. Shell Programming and Scripting
Hi All,
So I found a cool way to change extensions to multiple files with:
for i in *.doc
do
mv $i ${i%.doc}.txt
done
However, what I want to do is move *.txt to *_0hr.txt but the following doesn't work:
for i in *.txt
do
mv $i ${i%.txt}_0hr.txt
done
My questions are (1) Why... (2 Replies)
Discussion started by: ScKaSx
2 Replies
4. Shell Programming and Scripting
Tag allerseits
Ich habe ein umfangreiches Script. Darin möchte ich zu Beginn ein textfile lesen. Den ersten Satz.
Dann kommen mehrere Instruktionen und dann soll wieder gelesen werden. Den zweiten Satz.
Etc.
Ich kann also das herkömmliche while read xyz / do ... done nicht benützen.
... (0 Replies)
Discussion started by: lazybaer
0 Replies
5. Cybersecurity
Guys, i want to securing AIX after install by scrath. Is anybody can inform about the standard port which used by AIX? (0 Replies)
Discussion started by: michlix
0 Replies
6. AIX
Guys, i want to securing AIX after install by scratch. Is anybody can inform about the standard port which used by AIX? (4 Replies)
Discussion started by: michlix
4 Replies
7. AIX
HOW-TO
AIX Admin 101 Sys Admin Pocket Survival Guide - AIX
Worth checking it out and printing it. (1 Reply)
Discussion started by: filosophizer
1 Replies
8. Web Development
Working on LP: 10. Lesson 1: Oracle JET 4.x - Lesson 1 - Part 4: Data Binding in this Oracle JET online course - Soar higher with Oracle JavaScript Extension Toolkit (JET), I have created this code for incidents.js
I cannot get the load average data in this Oracle JET test to update the... (4 Replies)
Discussion started by: Neo
4 Replies
LEARN ABOUT DEBIAN
csp_helper
csp_helper(1) USER COMMANDS csp_helper(1)
NAME
csp_helper - A collection of caspar helper scripts
SYNOPSIS
csp_install dir (directory) file (file)
csp_mkdircp dir (directory) file (file)
csp_scp_keep_mode h ([user@]host) dir (directory) file (file)
csp_sucp h ([user@]host) dir (directory) file (file)
DESCRIPTION
The scripts csp_install, csp_mkdircp, csp_scp_keep_mode and csp_sucp are helpers for caspar(7). These scripts typically are not invoked
directly, but via a Makefile which uses caspar. See the notes on csp_PUSH in caspar(7) for information on how to link csp_install,
csp_scp_keep_mode and csp_sucp to caspar.
install DESCRIPTION
csp_install creates the required directory (if needed) and installs the file, preserving timestamps. It uses install(1).
install EXAMPLES
csp_INSTALL_OPTIONS='--owner=www-data --group=www-data'
csp_INSTALL_MODE=ugo=r
csp_install /srv/www index.html
csp_INSTALL_MODE=u=rwx,go= csp_install /usr/local/sbin mkpasswd
install ENVIRONMENT
csp_install honors csp_INSTALL_OPTIONS and csp_INSTALL_MODE (default is u=rw,go=r).
mkdircp DESCRIPTION
csp_mkdircp calls mkdir(1) and cp(1).
scp_keep_mode DESCRIPTION
csp_scp_keep_mode uses ssh to copy a file to a remote host, keeping its file permission mode. The trick used is a combination of mktemp(1)
and mv(1). Useful if you'd like to be sure a file gets installed e.g. group writable, without fiddling with permission bits on the remote
host.
scp_keep_mode EXAMPLE
chmod g+w rc
csp_scp_keep_mode root@gandalf /etc/uruk rc
scp_keep_mode ENVIRONMENT
csp_scp_keep_mode honors csp_SSH ("ssh" by default).
sucp DESCRIPTION
csp_sucp calls cat(1) from within sudo(1) from within ssh(1). This allows one to copy files to accounts on hosts one can only reach by call-
ing sudo on the ssh-reachable remote host.
Typically, one wants to install a root-owned file, but one does not want to allow access to the root-account directly from ssh. Typically
sudo is used as an extra line of defense.
sucp EXAMPLES
Some examples:
csp_sucp rms@bilbo /etc fstab
csp_sucp monty-python commit/ trailer.txt
sucp BUGS
If NOPASSWD is not set in the sudoers(5) file, and one's timestamp is expired, csp_sucp will forward the sudo password prompt. The given
password will be echoed on the console!
AUTHOR
Joost van Baal-Ili
SEE ALSO
caspar(7) The caspar homepage is at http://mdcc.cx/caspar/ .
csp_helper 20120514 14 mai 2012 csp_helper(1)