Unix/Linux Go Back    

AIX AIX is IBM's industry-leading UNIX operating system that meets the demands of applications that businesses rely upon in today's marketplace.

Securing AIX - Hardening Lesson 101


aixpert, check, hardening, report, sox-cobit

Thread Tools Search this Thread Display Modes
Old Unix and Linux 02-25-2013   -   Original Discussion by MichaelFelt
MichaelFelt MichaelFelt is offline
Registered User
Join Date: Nov 2012
Last Activity: 22 November 2017, 10:09 AM EST
Location: on the road for work; home is private time
Posts: 442
Thanks: 8
Thanked 104 Times in 98 Posts
IBM Securing AIX - Hardening Lesson 101

Every now and then I google: SecuringAIX (I write a blog by that name, so I am curious where it stands - and to my dismay I did not make the top5 today from my current location.

However, this unix.com/aix thread did make the top5- and, imho, it is lacking in clarity and ease. So, I thought I would post a refresher - AIX Hardening 101.

Since AIX 5.3, ML05 I believe (so we are anno 2005 I believe) - AIX intradiced a tool known as AIX Security Expert, or aixpert. This is meant to be pretty much - push button security - from it's start at least as much more has been added.

For a test drive - let it tell you what it finds wrong (note, wrong means different. If the level you choose thinks 4 is the right number and you have a different number (e.g., 3 or 5) it will say it is failed.).

So, test drive - no configuration changes made to your system with:

# [[ -e /etc/security/aixpert/core/appliedaixpert.xml ]] && mv /etc/security/aixpert/core/appliedaixpert.xml /etc/security/aixpert/core/appliedaixpert.xml.save
# aixpert -l high|medium|low|default|sox-cobit -n -o /etc/security/aixpert/core/appliedaixpert.xml
# aixpert -c
# [[ -e /etc/security/aixpert/core/appliedaixpert.xml.save ]] && mv  /etc/security/aixpert/core/appliedaixpert.xml.save  /etc/security/aixpert/core/appliedaixpert.xml
# more /etc/security/aixpert/check_report.txt

Note: you must choose a level to test against - one of high|medium|low|default|sox-cobit

This is part of bos.security.rte so it is always installed. Up to you to use it!
Sponsored Links
Old Unix and Linux 02-26-2013   -   Original Discussion by MichaelFelt
bakunin bakunin is online now Forum Staff  
Bughunter Extraordinaire
Join Date: May 2005
Last Activity: 22 November 2017, 3:14 PM EST
Location: In the leftmost byte of /dev/kmem
Posts: 5,635
Thanks: 107
Thanked 1,603 Times in 1,180 Posts
Here is my checklist of security-related things i do when i install a new system:
  • Create administrative FSes
    root needs some places to store things: system documentation, logs, scripts, etc.. In most cases there is "/usr/local/bin" and roots home. Create FSes for some or all of these directories so that the content doesn't land in "/". Full root-fses usually cause some headache for the admins.
  • Install ssh
    You need ssh itself and openssl for that. Get both from IBMs Linux Toolbox for AIX website and install with rpm.
  • Disable "classic" means of connection: telnet, ftp, rlogin, rexec, ....
    Notice that you might need rlogin in some cases, but as a rule of thumb all these non-securified services should be disabled. Make sure these will not be started at system start any more.
  • Disable/limit root-login
    The best way to become root is to log on with your regular user-ID and then switch to root. Therefore remote login for root can and should be disabled. Console login should be allowed, because there might be emergency situations where it is necessary. Someone able to get to the console is most probably also allowed to log on as root.
  • Set up sudo
    Download from the IBM site where you got ssh.
  • Set up ntp
    Especially when you use Kerberos you need consistent timekeeping throughout your environment, so connect your system to your local Stratum-2-server. Set the method to "slew" for database systems (i.e. Oracle is quite picky about duplicate timestamps when you set it to "step").
  • Edit /etc/motd and /etc/security/login.cfg
    Its a good idea to be able to immediately recognize at which system you are when you log on. If you put some distinct banners at the login screen chances are you notice them even in times of stress if you have mistyped the machines name. (It is really easy to type "ssh server3" instead of "ssh server2" or something such.)
I hope this helps.

Sponsored Links
Old Unix and Linux 02-27-2013   -   Original Discussion by MichaelFelt
MichaelFelt MichaelFelt is offline
Registered User
Join Date: Nov 2012
Last Activity: 22 November 2017, 10:09 AM EST
Location: on the road for work; home is private time
Posts: 442
Thanks: 8
Thanked 104 Times in 98 Posts
Now is a good time to look at so-called Role Based Access Control solutions - aka RBAC, rather than sudo. IT audit requirements are moving in this direction.
If you go sudo - it is not enough to install it and let everyone just sudo su -.

And be sure and define a seperate group, no files in it, only admins, with are allowed to su to root (sugroups setting for root is the name of this group, default is keyword ALL - meaning any group is accepted)

AIX supplies ssh on the DVD with AIX 6.1 and AIX 7.1, no additional download needed.

Big plus on suggestion to setup non-rootvg filesystems (i.e., not just a seperate filesystem, but have an additional volume group for these items, so that "rootvg" can be replaced (e.g., fresh install) and you will not lose any vital configuration information by accident. Not saying the steps to "replace" rootvg are simple, but this is much simplier than losing the info, or having to extract outdated information from an "ancient" mksysb backup file.

edit motd: yes, but a standard message for all systems - best practice seems to be to mention that only authorized users are permitted, and actions may be logged. Proceding implies consent and other "legal stuff".

Important change: change the pwd_algorithm setting (none set, so crypt by default) in /etc/security/login.cfg

All the other edits, disabling programs, root login, etc. - just use
# aixpert -l h (or #aixpert -l high)
Old Unix and Linux 03-02-2013   -   Original Discussion by MichaelFelt
ross.mather ross.mather is offline
Registered User
Join Date: Aug 2008
Last Activity: 16 March 2015, 6:28 AM EDT
Location: Nomadic in the UK
Posts: 136
Thanks: 6
Thanked 9 Times in 9 Posts
AIXpert setting of High is intended for Internet facing servers. more common is that in data centre, firewall protected servers will use the medium setting.

You need to watch with medium as it by default will disable both NFS and NTP, so you should always review the entire content of the XML files before you apply them to existing live systems.
Sponsored Links

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
AIX 101 : Sys Admin Pocket Survival Guide filosophizer AIX 1 01-10-2012 11:42 AM
Securing AIX michlix AIX 4 12-22-2011 10:50 PM
securing AIX box michlix Security 0 12-21-2011 02:04 AM
Textfile lesson lazybaer Shell Programming and Scripting 0 03-11-2010 03:54 AM

All times are GMT -4. The time now is 04:28 PM.