copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

UNIX and Linux Security Checklist v3.0 Notes - AIX

Date: 13 February 2007

Click here for printable version
OS Specific footnotes - AIX
OS Specific Footnotes - AIX
General

The AIX Security Guide is a key resource. This is provided on the AIX documentation CD and is also available at: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.doc/aixbman/security/security.pdf

Another useful document to highlight is the IBM Redbook "Additional AIX Security Tools on IBM eserver pSeries, IBM RS/6000 and SP/Cluster", available at http://www.redbooks.ibm.com/abstracts/sg245971.html.
This gives practical steps for performing several of the checklist security tasks on an AIX system.

B. Installation

When installing the base operating system, choosing
More Options -> Install Trusted Computing Base
enables the AIX trusted path features including the secure attention key, and also enables basic system integrity checking (see G.5.1 below).

D. Minimize

A guide to minimizing services in AIX is provided by Sandor Sklar in "Securing AIX Network Services". This is available at http://www.blacksheepnetworks.com/security/resources/securing-aix-network-services.html

D.1.1 Minimise network services

Standard network services that will be started are configured in /etc/rc.tcpip.

D.1.4 Notes on particular network services

The AIX command securetcpip makes it straightforward to disable the following services: rcp, rlogin, rlogind, rsh, rshd, tftp, and tftpd. securetcpip also disables .netrc files, as discussed in section E.5.5.

D.2 Disable all unnecessary startup scripts

AIX services set to run on startup listed in /etc/initab can be disabled using the command rmitab <service>.

E. Secure Base OS

The Titan hardening scripts now have preliminary support for AIX, available at http://www.trouble.org/titan/

E.2.5 User session controls

In AIX the chuser command can be used to set user resource limits. These settings are stored in the file /etc/security/limits.

User logins can be limited to certain times of day in the file /etc/security/login.cfg

E.3.1.5 Enforce password complexity

The chuser command can be used to enforce password policy, login restrictions and also to disable accounts. This information is stored in the file /etc/security/user. The default values for new users are given in the file /usr/lib/security/mkuser.default

E.3.1.2 shadow passwords

AIX uses shadow passwords by default. These are stored in the file /etc/security/passwd.

E.4.3 Role Based Access Control

RBAC is implemented in AIX. Documentation showing how to split the powers of root using RBAC is provided in the AIX Security Guide:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/administrative_roles.htm

E.5.2 Mount options

Instead of /etc/fstab, AIX uses the file /etc/filesystems.

E.5.3 Non-execute memory protection

On 64-bit AIX systems the Stack Execute Disable (SED) feature is turned on by default, but for selected programs only. This mechanism is configured using the sedmgr command, but note that if it is enabled for all executables, then those programs incompatible with SED need to have the "exempt" bit explicitly set. For details, see:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/stack_exec_disable.htm

G.1 syslog configuration

Note that AIX syslog by default may be configured to log nothing, or log to /tmp only. In this case, this should be fixed by editing /etc/syslog.conf and then using the touch command to create the new log files.

G.3 Enable trusted audit subsystem if available

AIX has an auditing subsystem configured using the files in /etc/security/audit/* For further information on how to select events to audit, see the documentation at:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/auditing.htm

G.5.1 File integrity checker

If AIX has been installed with the "TCB" option, AIX provides basic file integrity checking using the tcbck command. Details of the monitored files are kept in /etc/security/sysck.cfg Unfortunately, the weak checksum used by tcbck is really only effective protection against accidental modification rather than an active attacker, so it is recommended still to use Tripwire or AIDE for integrity checking on AIX. In some cases tcbck is also able to identify some potentially suspicious new files, devices or symlinks.

H.1.1 Identify host firewall software

AIX does not come as standard with a full-featured host firewall, however it is possible to add static packet filter rules using the IPSEC command genfilt. This requires the IP Security filesets to have been installed, as described here. The set of filter rules can be saved to a file using expfilt and loaded on future boots using impfilt and mkfilt -u to activate the rules. lsfilt will list the current rules. As an alternative, SMIT or the Web-based System Manager can be used to create the rules.

H.3 Network stack hardening/sysctls

On AIX, instead of sysctls, the no command is used to tune network stack settings. The manual page for no documents the settings that are available, and those that can be adjusted for security are listed here.