Securing AIX tips or stories

[LarryLava]

Due to a managemnet crackdown, I need to secure our AIX environment. I see posts of admins running 300 plus servers, did security affect your business and user base. How should I go about the securing process? Any tips from the gurus would be appreciated.

TIA,
Larry

 

[Mag0007]

remove the network cable

This is a good starting point:

http://www.redbooks.ibm.com/redbooks/SG245971.html

 

[mrn]

Here's a script to do most things

#!/usr/bin/ksh
##########################################################
# security.sh #
# #
# This script configures the AIX security. Settings #
# changed in this file are discussed in the Base Build #
# Infrastructure document. The domain security will be #
# handled by Tivoli and LDAP, but AIX hardening is done #
# on all the servers to provide extra security. #
# #
# #
# Changes: #
# #
# #
# #
# #
##########################################################

# Timestamp
date

# Get the variable from the vars file
. /var/adm/litslogs/vars

# Set up password defaults
echo "Configuring password defaults"
UDEF="/usr/bin/chsec -f /etc/security/user -s default"
$UDEF -a maxage=26
$UDEF -a minage=0
$UDEF -a minalpha=1
$UDEF -a minother=1
$UDEF -a mindiff=3
$UDEF -a maxrepeats=2
$UDEF -a minlen=8
$UDEF -a maxexpired=1
$UDEF -a histsize=4
$UDEF -a histexpire=26
$UDEF -a tpath=on
$UDEF -a login=false
$UDEF -a su=false
$UDEF -a pwdwarntime=5
$UDEF -a loginretries=3
$UDEF -a rlogin=false


UROOT="/usr/bin/chsec -f /etc/security/user -s root"
$UROOT -a rlogin=false
$UROOT -a ttys=ALL
$UROOT -a login=true
$UROOT -a su=true
$UROOT -a maxage=0

LOGIN="/usr/bin/chsec -f /etc/security/login.cfg -s default"
$LOGIN -a logindelay=2
$LOGIN -a logindisable=3
$LOGIN -a sak_enabled=true
$LOGIN -a herald="\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\rWARNING:\n\r\n\rUnauthorised use of this system is illegal and constitutes\n\ran offence under the Computer Misuse Act 1990.\n\r\n\rYour activity on this system will be continuously monitored.\n\r\n\rIf you are not authorised to use this system, you are not to attempt to LOGIN.\n\r\n\r\Enter User Name: "

LOGIN="/usr/bin/chsec -f /etc/security/login.cfg -s /dev/console"
$LOGIN -a synonym=/dev/lft0

echo "Finished configuring password defaults\n"

# Remove guest user, added security
rmuser -p guest

# Set uucp su settings
/usr/sbin/lsuser uucp >/dev/null 2>&1
if [[ $? -eq 0 ]] then
echo "Updating su to false for user uucp."
/usr/bin/chuser "su=false" uucp
else
echo "User uucp does not exist"
fi

# Set root password to Secret12
echo "Setting root password"
/usr/sbin/pwset root Secret12

# Remove the pwset file as it can be dangerous
# rm /usr/sbin/pwset

# Update TCB
# Update the tcb entries for the following files :
echo "/usr/lib/lpd/lpd
/usr/bin/login
/usr/bin/netstat
/usr/bin/entstat " | while read file; do
print "Updating TCB entry for $file ..."
tcbck -a $file group owner mode
done

# Update tcb for all devices - assume all devices are trusted
print "Updating TCB entries for devices ..."
tcbck -l /dev/* >/dev/null 2>&1
tcbck -l /dev/xti/*
tcbck -l /audit


# Removing subsystems
echo "Removing unneeded services"
echo "Configuring inetd.conf"
/usr/sbin/chsubserver -d -v ntalk -p udp
/usr/sbin/chsubserver -d -v exec -p tcp6
/usr/sbin/chsubserver -d -v shell -p tcp6
/usr/sbin/chsubserver -d -v login -p tcp6
echo "Configuring inittab"
/usr/sbin/rmitab httpdlite
echo "Removing NFS"
/usr/sbin/rmitab rcnfs
echo "Configuring rc.tcpip"
/usr/sbin/chrctcp -d dhcpcd
/usr/sbin/chrctcp -d dhcpsd
/usr/sbin/chrctcp -d dhcprd
/usr/sbin/chrctcp -d gated
/usr/sbin/chrctcp -d routed

# If FTP is enabled, we want to disable root access using FTP
echo "Configuring /etc/ftpusers"
echo "root" >> /etc/ftpusers

# Create the cmfops user which will be used by the CMF to gain
# access to the system, and to su to root.
# The cmfusers group will be allowed to su to root, and will have
# the cmfops user in.
echo "Creating cmfops user and cmfusers group"
/usr/bin/mkgroup cmfusers
/usr/bin/mkuser login=true rlogin=true su=false pgrp=cmfusers groups=staff,cmfusers cmfops
if [[ $? -ne 0 ]]
then
echo "$0: ERROR: Could not create cmfops user"
exit 10
fi
/usr/sbin/pwset cmfops Secret12
UROOT="/usr/bin/chsec -f /etc/security/user -s root"
$UROOT -a sugroups=security,cmfusers


echo "Security setup complete"

Also check you have a patch for the following

http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=5440

and take a read of

http://swexpert.com/C8/SE.C8.SEP.98.pdf

http://www-03.ibm.com/servers/aix/whitepapers/aix_security.html

http://aplawrence.com/MDesrosiers/aixhardening.html

also worth doing a google for aix hardening....

Hope this helps


Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[needcoffee]

Here is a link to a table from the AIX Security Guide that details the different OS services and makes recommendations on how to set them. It is just a starting point and you will need to consider if the services it recommends modifying or disabling will adversely effect your environment.

http://www16.boulder.ibm.com/pseries/en_US/aixbman/security/common_aix_services.htm

I would also read the redbook that Mag recommended above. You can also search this forum for specific topics as you come across them.

Good Luck,
needcoffee

 

[RMGBELGIUM]

@mrn :

is this pwset command standard in AIX? If I google on it, I can't seem to find anything on it ...


rgds,

R.

 

[mrn]

No it's a special I'll dig a copy out and post it

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[RMGBELGIUM]

check this out :

http://www.cert.org/tech_tips/usc20_full.html

if you follow this advice, you'll have a secure machine

rgds,

R.

 

[mrn]

Also on rootvg.net

AIX Security Toolkit under software download.



Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/