Securing AIX tips or stories

Status
Not open for further replies.

LarryLava

Technical User
Dec 1, 2005
1
US
Due to a management crackdown, I need to secure our AIX environment. I see posts of admins running 300 plus servers; did security affect your business and user base? How should I go about the securing process? Any tips from the gurus would be appreciated.

TIA,
Larry
 
Here's a script to do most things

#!/usr/bin/ksh
##########################################################
# security.sh #
# #
# This script configures the AIX security. Settings #
# changed in this file are discussed in the Base Build #
# Infrastructure document. The domain security will be #
# handled by Tivoli and LDAP, but AIX hardening is done #
# on all the servers to provide extra security. #
# #
# #
# Changes: #
# #
# #
# #
# #
##########################################################

# Timestamp
date

# Get the variable from the vars file
. /var/adm/litslogs/vars

# Set up password defaults
echo "Configuring password defaults"
UDEF="/usr/bin/chsec -f /etc/security/user -s default"
$UDEF -a maxage=26
$UDEF -a minage=0
$UDEF -a minalpha=1
$UDEF -a minother=1
$UDEF -a mindiff=3
$UDEF -a maxrepeats=2
$UDEF -a minlen=8
$UDEF -a maxexpired=1
$UDEF -a histsize=4
$UDEF -a histexpire=26
$UDEF -a tpath=on
$UDEF -a login=false
$UDEF -a su=false
$UDEF -a pwdwarntime=5
$UDEF -a loginretries=3
$UDEF -a rlogin=false


UROOT="/usr/bin/chsec -f /etc/security/user -s root"
$UROOT -a rlogin=false
$UROOT -a ttys=ALL
$UROOT -a login=true
$UROOT -a su=true
$UROOT -a maxage=0

LOGIN="/usr/bin/chsec -f /etc/security/login.cfg -s default"
$LOGIN -a logindelay=2
$LOGIN -a logindisable=3
$LOGIN -a sak_enabled=true
$LOGIN -a herald="\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\rWARNING:\n\r\n\rUnauthorised use of this system is illegal and constitutes\n\ran offence under the Computer Misuse Act 1990.\n\r\n\rYour activity on this system will be continuously monitored.\n\r\n\rIf you are not authorised to use this system, you are not to attempt to LOGIN.\n\r\n\rEnter User Name: "

LOGIN="/usr/bin/chsec -f /etc/security/login.cfg -s /dev/console"
$LOGIN -a synonym=/dev/lft0

echo "Finished configuring password defaults\n"

# Remove guest user, added security
rmuser -p guest

# Set uucp su settings
/usr/sbin/lsuser uucp >/dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo "Updating su to false for user uucp."
/usr/bin/chuser "su=false" uucp
else
echo "User uucp does not exist"
fi

# Set root password to Secret12
echo "Setting root password"
/usr/sbin/pwset root Secret12

# Remove the pwset file as it can be dangerous
# rm /usr/sbin/pwset

# Update TCB
# Update the tcb entries for the following files :
echo "/usr/lib/lpd/lpd
/usr/bin/login
/usr/bin/netstat
/usr/bin/entstat " | while read file; do
print "Updating TCB entry for $file ..."
tcbck -a $file group owner mode
done

# Update tcb for all devices - assume all devices are trusted
print "Updating TCB entries for devices ..."
tcbck -l /dev/* >/dev/null 2>&1
tcbck -l /dev/xti/*
tcbck -l /audit


# Removing subsystems
echo "Removing unneeded services"
echo "Configuring inetd.conf"
/usr/sbin/chsubserver -d -v ntalk -p udp
/usr/sbin/chsubserver -d -v exec -p tcp6
/usr/sbin/chsubserver -d -v shell -p tcp6
/usr/sbin/chsubserver -d -v login -p tcp6
echo "Configuring inittab"
/usr/sbin/rmitab httpdlite
echo "Removing NFS"
/usr/sbin/rmitab rcnfs
echo "Configuring rc.tcpip"
/usr/sbin/chrctcp -d dhcpcd
/usr/sbin/chrctcp -d dhcpsd
/usr/sbin/chrctcp -d dhcprd
/usr/sbin/chrctcp -d gated
/usr/sbin/chrctcp -d routed

# If FTP is enabled, we want to disable root access using FTP
echo "Configuring /etc/ftpusers"
echo "root" >> /etc/ftpusers

# Create the cmfops user which will be used by the CMF to gain
# access to the system, and to su to root.
# The cmfusers group will be allowed to su to root, and will have
# the cmfops user in.
echo "Creating cmfops user and cmfusers group"
/usr/bin/mkgroup cmfusers
/usr/bin/mkuser login=true rlogin=true su=false pgrp=cmfusers groups=staff,cmfusers cmfops
if [[ $? -ne 0 ]]
then
echo "$0: ERROR: Could not create cmfops user"
exit 10
fi
/usr/sbin/pwset cmfops Secret12
UROOT="/usr/bin/chsec -f /etc/security/user -s root"
$UROOT -a sugroups=security,cmfusers


echo "Security setup complete"

Also check you have a patch for the following


and take a read of


also worth doing a google for aix hardening....

Hope this helps


Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."
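An added example (not from Mike's script or from IBM): once the chsec calls above have run, the values land in the stanza-format file /etc/security/user, and it is worth having an independent check that they actually took and have not drifted. The script below is a POSIX sh/awk stanza reader plus an audit of the default stanza against the password settings Mike's script applies. The sample file it writes is constructed for the example; on a real host you would point stanza_get and audit_defaults at /etc/security/user instead.

```shell
#!/bin/sh
# Constructed sample of an AIX /etc/security/user file (stanza format),
# written by this example so it runs offline. Not taken from a real host.
make_sample_user_file() {
  # $1 = path to write
  cat > "$1" <<'EOF'
* comment lines in AIX stanza files start with an asterisk
default:
	admin = false
	login = true
	su = true
	maxage = 26
	minlen = 8
	loginretries = 3
	rlogin = false

root:
	rlogin = false
	maxage = 0
	su = true

cmfops:
	login = true
	su = false
EOF
}

# Print the value of attribute $3 in stanza $2 of stanza file $1.
# Prints nothing if the stanza or attribute is absent.
stanza_get() {
  awk -v st="$2" -v attr="$3" '
    # A stanza header is a non-indented, non-comment line ending in ":"
    /^[^[:space:]#*].*:[[:space:]]*$/ { cur = $0; sub(/:[[:space:]]*$/, "", cur); next }
    # Attribute lines look like "<tab>name = value"
    cur == st && $1 == attr && $2 == "=" { print $3; exit }
  ' "$1"
}

# Compare the default stanza of file $1 with the values set by the
# chsec calls in the hardening script. Prints one line per deviation
# and returns the number of deviations (0 means compliant).
audit_defaults() {
  file=$1
  bad=0
  for pair in maxage=26 minage=0 minlen=8 maxrepeats=2 histsize=4 \
              loginretries=3 rlogin=false su=false login=false; do
    attr=${pair%%=*}
    want=${pair#*=}
    have=$(stanza_get "$file" default "$attr")
    if [ "$have" != "$want" ]; then
      echo "default.$attr: have '${have:-<unset>}', want '$want'"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Stand-alone run against the constructed sample; real use would be:
#   audit_defaults /etc/security/user
sample=$(mktemp)
make_sample_user_file "$sample"
echo "root maxage is $(stanza_get "$sample" root maxage)"
audit_defaults "$sample" || echo "$? deviation(s) from policy"
rm -f "$sample"
```

The audit list mirrors the default-stanza settings from the script rather than a generic benchmark, so it only flags drift from the build standard the thread is describing; extend the list with the other attributes (histexpire, mindiff, pwdwarntime and so on) if you want full coverage.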

 
Here is a link to a table from the AIX Security Guide that details the different OS services and makes recommendations on how to set them. It is just a starting point and you will need to consider if the services it recommends modifying or disabling will adversely affect your environment.


I would also read the redbook that Mag recommended above. You can also search this forum for specific topics as you come across them.

Good Luck,
[morning] needcoffee
 
@mrn :

is this pwset command standard in AIX? If I google on it, I can't seem to find anything on it ...


rgds,

R.
 
No, it's a special one. I'll dig a copy out and post it.

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

 
Also on rootvg.net

AIX Security Toolkit under software download.



Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

 