OS Specific Footnotes - AIX
D.1.1 Minimise network services
When installing the base operating system, choosing
More Options -> Install Trusted Computing Base
enables the AIX trusted path features including the secure attention key,
and also enables basic system integrity checking (see G.5.1 below).
D.1.4 Notes on particular network services
Standard network services that will be started are configured in /etc/rc.tcpip.
D.2 Disable all unnecessary startup scripts
The AIX command securetcpip makes it straightforward to
disable the following services: rcp, rlogin, rlogind, rsh, rshd, tftp, and tftpd.
securetcpip also disables .netrc
files, as discussed in section E.5.5.
E. Secure Base OS
E.2.5 User session controls
AIX services set to run on startup listed in /etc/initab can be
disabled using the command rmitab <service>.
E.3.1.5 Enforce password complexity
In AIX the chuser command can be used to set
user resource limits. These settings are stored in the file /etc/security/limits.
User logins can be limited to certain times of day in the file
E.3.1.2 shadow passwords
The chuser command can be used to enforce password policy, login
restrictions and also to disable accounts. This information is stored in the
file /etc/security/user. The default values for new users are given in
the file /usr/lib/security/mkuser.default
E.4.3 Role Based Access Control
E.5.2 Mount options
AIX uses shadow passwords by default. These are stored in the file
E.5.3 Non-execute memory protection
G.1 syslog configuration
Instead of /etc/fstab, AIX uses the file
G.3 Enable trusted audit subsystem if available
G.5.1 File integrity checker
Note that AIX syslog by default may be configured to log nothing, or
log to /tmp only. In this case, this should be fixed
by editing /etc/syslog.conf and then using the
touch command to create the new log files.
H.1.1 Identify host firewall software
If AIX has been installed with the "TCB" option, AIX provides basic file integrity
checking using the tcbck command. Details of the monitored
files are kept in /etc/security/sysck.cfg
Unfortunately, the weak checksum used by tcbck is really only
effective protection against accidental modification rather than an active attacker, so
it is recommended still to use Tripwire or AIDE for integrity checking on AIX.
In some cases tcbck is also able to identify some potentially
suspicious new files, devices or symlinks.
H.3 Network stack hardening/sysctls
AIX does not come as standard with a full-featured host firewall, however it
is possible to add static packet filter rules using the IPSEC command genfilt.
This requires the IP Security filesets to have been installed, as described
The set of filter rules can be saved to a file using expfilt and loaded on
future boots using impfilt and mkfilt -u to activate
the rules. lsfilt will list the current rules. As an alternative, SMIT
or the Web-based System Manager can be used to create the rules.
On AIX, instead of sysctls, the no command is used to tune network
stack settings. The manual page for no documents the settings that are available,
and those that can be adjusted for security are listed