AIX is IBM's industry-leading UNIX operating system that meets the demands of the applications that businesses rely upon in today's marketplace.

AIX Frequently Asked Questions (Part 1 of 4)
Part 2; Part 3; Part 4
Archive-name: aix-faq/part1
Last-modified: Jul 12, 1995
Version: 4.50
Thanks again to everyone who contributed; I apologize to those whom I can not reply to.

In this first part you will learn about the IBM hardware layout; there are three types of hardware series, which.

This IBM Redbooks publication takes an insightful look at the performance monitoring and tuning tools that are provided with AIX 5L. It discusses the use of the tools as well as the interpretation of the results in many.

Hardening AIX (rough outline draft #2. I started this in Nov. 2001, but the project was abandoned.)

NOTE: This is an early working draft, and as such is not very easy to read. I apologise for this, but the idea is to produce an outline, which. By Se.

All steps have been. Pilot Globe systems. The focus here is on preparing the Operating System to securely run. An accompanying tool will be.

The process of hardening involves installing patches, disabling unneeded SUID/SGID files, configuring OS security features, and monitoring the system for unusual behaviour.

Contents:
  Preparation
  Initial OS installation
  Minimize network services
    Principles
    Minimise inetd
    Minimize /etc/rc.* scripts (on AIX, /etc/rc.tcpip and /etc/rc.nfs start the network and NFS daemons)
    Minimize inittab
    Minimize other services
  Kernel Tuning
  Logging
  File / Directory Access Control
  System Authentication / Access Control
  User Accounts and Environment
  Hardening specific services (optional, for later? or refer to other documents?): snmp, AIXwindows/CDE
  Install additional security tools
  Create Tripwire image, backup, test
  Maintenance: monitoring

Principles

Keep things simple: it is expected that only one or two services will run on a host. Use several machines, rather than one superserver that does everything. It's easier to isolate. Be minimalist, only run what is absolutely.

Hardware: Consider installation via the serial port console, and get rid of the keyboard. Have an isolated, trusted network available for testing. TBD: can AIX do this?

Know exactly what the system is supposed to do and what its hardware configuration will be. AIXwindows/CDE may need RPC to run, but you really don't want RPC running on a sensitive host. It's important to understand how the applications work (how they use ports, devices.

TBD: boot via serial console; installation example; additional OS packages; partitioning; patch bundle.

Minimize network services

Network services present a significant risk to security. Only enable the strict minimum of services needed. The number of system processes listed by. Strong authentication (with a token or lists) should be considered for critical services. Applications should package structure.

Minimise inetd network services

inetd is a process which automatically starts certain daemons, such as telnetd, on demand. inetd services can be enabled or disabled with the command chsubserver. AIX. Likewise, after changes to the inetd configuration the daemon needs to be sent a. TBD list ..

This can be achieved with the following commands:
  chsubserver -d -v daytime -p udp
  chsubserver -d -v daytime -p tcp
  ...
TBD list .. securetcpip ?

Special services which may be needed (discuss what measures to take for.

Minimize /etc/rc

A description of what services are started in /etc/rc. This can be configured in the /etc/security/user file -- set the rlogin. System managers should login to their.

snmp: The default permission is read-only. The default snmpd.conf also carries "community private ... readWrite" and "community system ... readWrite 1.17.2" entries.
routing
nis, nis+: If possible, configure the system option to reduce .
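The inetd minimisation above boils down to three steps: list what inetd.conf enables, disable everything that is not on a short allow-list, then tell inetd to re-read its configuration. The script below is an added example, not tooling from the draft, that does the first two steps against a constructed inetd.conf and prints the chsubserver commands to run (rather than running them) so the plan can be reviewed first. The sample entries and the allow-list (ftp only) are assumptions for the demonstration; chsubserver -d -v SERVICE -p PROTO and refresh -s inetd are the AIX commands.

```shell
#!/bin/sh
# Added example (not from the hardening draft): audit an inetd.conf and emit
# the AIX 'chsubserver -d' commands that disable every active service not on
# an explicit allow-list.  Nothing is executed; the output is a plan to review.
# The inetd.conf below is a constructed sample so the script runs offline.

# inetd_disable_cmds FILE ALLOWED...
#   One 'chsubserver -d -v <service> -p <proto>' per uncommented entry whose
#   service name is not in ALLOWED.  inetd.conf fields: service socket proto
#   wait user program args; a trailing 6 (tcp6/udp6) is dropped for -p.
inetd_disable_cmds() {
    file=$1; shift
    awk -v allowed=" $* " '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        {
            svc = $1; proto = $3
            sub(/6$/, "", proto)
            if (index(allowed, " " svc " ") == 0)
                printf "chsubserver -d -v %s -p %s\n", svc, proto
        }' "$file"
}

# inetd_active_count FILE -> number of uncommented, non-blank entries.
# Run before and after the change: it should drop to the size of the allow-list.
inetd_active_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# Constructed sample resembling an AIX 4.3 /etc/inetd.conf (assumed content).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
## sample inetd.conf -- constructed for this example
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd  telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd     rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind  rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd   rexecd
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
EOF

# plan_disable ALLOWED... -> the full plan: disable commands, then the
# 'refresh -s inetd' that makes inetd re-read /etc/inetd.conf on AIX.
plan_disable() {
    inetd_disable_cmds "$SAMPLE" "$@"
    echo "refresh -s inetd"
}

echo "active entries before: $(inetd_active_count "$SAMPLE")"
plan_disable ftp
```

Only the allow-listed ftp entry survives; the commented-out login line is ignored, and daytime yields one command per protocol, exactly as in the draft's own two example lines. On the real host, compare the count from inetd_active_count with what lssrc -ls inetd reports after the refresh.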
Kernel Tuning

Configure the OS for strong TCP sequencing and resistance to SYN flooding and similar DoS attacks. TBD: broadcasts & multicasts.

Logging

The default syslogd(8) configuration does nothing -- you won't get any important. Only programs that write into audit logs should have write access to these log. Consider splitting logs by application and priority. Consider centralised logging. Consider logging more than the UNIX defaults. Enable logging of failed attempts to login: touch /var/log/loginlog; chmod 6. TBD.

File / Directory Access Control

5.1 Root directory
Application and system files and directories. System directories. Login shell scripts. Home directories. SUID and SGID programs. Dangerous files.

Filesystem mounting: /etc/filesystems. To reduce the risk of trojan horses and unauthorised modifications, in /etc/vfstab. (/etc/vfstab is the Solaris mount table; the AIX equivalent is /etc/filesystems.)

Virus scanning: Use the command virscan on filesystems that may contain files that are transferred to PCs.

ACLs: ACL commands: aclget gets the ACL for a file (aclput and acledit set and edit it).

cron: System accounts should be explicitly given access if needed. Enable logging of cron activity. Ensure that all command scripts that are to be executed with root.

Devices: disks, tty*. Consider setting restrictive permissions on raw disk devices used by databases.

Ports: In /etc/security/login.cfg.

Physical security: The power-on password protection is effective against reset as well as power-on, and. CD to bypass password controls. Alternatively, leave only the hard disk in the boot device sequence, and set the. The system will boot only from hard disk. If the machine is already in a physically secure room, this may create more trouble than. It is recommended that at least 'Unattended start mode' be. Cover lock key? Privileged-access password for firmware access. If you set both power-on and. SMS.

TCB Auditing

TCB is a good tool to detect penetrations and configuration changes. It is not installed by default. You have the option to install TCB during the initial installation. It stores these files. ASCII file, /etc/security/sysck.cfg.
Make a backup of this file to a floppy disk and. We should be able to use this as an alternative to tripwire? The installp command automatically updates the TCB when you install PTFs. However, E-Fixes, naturally, do not update the TCB. So if you apply an E-Fix to your. TCB. Store the TCB read-only on floppy?

User Accounts and Environment

Password and resource attributes (smit chuser labels), with the values to aim for:
  Password MAX. AGE (weeks)            12 or 24?
  Password MIN. LENGTH                 6
  Password MIN. ALPHA characters       4
  Password MIN. OTHER characters       1
  Password MAX. REPEATED characters    3
  Password MIN. DIFFERENT characters   3
  Password REGISTRY
  loginretries                         2
  Soft FILE size
  Soft CPU time
  Soft DATA segment
  Soft STACK size
  Soft CORE file size                  ?

Environment variables (TERM, IFS, LIBRARY PATH, MANPATH) in /.

The tsh shell is a good security tool. It only allows you to run programs that are in the TCB and have the TCB mode set. We should at least recommend its usage?

Only allow root to be accessed via su (not console or network login): smit chuser, "Another user can SU TO USER?".

For sensitive accounts: One common method of increasing login security is to require two. This is called "2 key authentication". SAK: /etc/security/login.cfg. Maybe an alternative to.

Roles

The predefined roles and the commands they authorise:
  ManageBasicUsers:     chsec, chuser, lsuser, mkuser
  ManageAllUsers:       chfn, chsec, chuser, mkuser, rmuser, chrole, mkrole, lsrole, rmrole
  ManageBasicPasswords: pwdadm
  ManageAllPasswords:   chsec, lssec, pwdadm
  ManageRoles:          chrole, mkrole, lsrole, rmrole
  ManageBackupRestore:  backup, restore
  ManageBackup:         backup
  ManageShutdown:       shutdown
  RunDiagnostics:       diag

The chuser command is used when adding a role to, or removing one from, an existing user. See also /etc/security/user.
  smit chrole   to change the attribute values
  smit lsrole   to display the attributes and their values
  smit mkrole   to create an entry for each new role in /etc/security/roles
  smit rmrole   to remove a role

Install additional security tools

At this stage standard tools/utilities are going to be installed, the most important. SSH. These tools should already have been compiled and tested extensively on another.
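The password and login attributes listed above live in /etc/security/user, an AIX stanza file: a "default:" stanza plus one per user, with a user's own stanza overriding the default for any attribute it sets. The script below, an added example rather than the draft's own tooling, parses a constructed copy of that file, checks each recommended attribute against the values in the list and prints the chsec command that would correct it; it also checks the "root reachable only via su" rule (login and rlogin both false), including the case where root simply inherits login=true from the default stanza. The sample contents and the thresholds (maxage 12 weeks, the lower of the draft's two candidates) are assumptions; chsec -f FILE -s STANZA -a ATTR=VALUE is the AIX command.

```shell
#!/bin/sh
# Added example (not from the hardening draft): check /etc/security/user
# password and login attributes against the draft's recommended values and
# print the 'chsec' commands that would fix each weak one.  The stanza file
# below is constructed for the demonstration; the thresholds are assumptions
# taken from the draft's list.

# stanza_get FILE STANZA ATTR -> the attribute's value in that stanza, or
# nothing if absent.  AIX stanza files look like "name:" headers followed by
# indented "attr = value" lines; '*' starts a comment.
stanza_get() {
    awk -v stanza="$2" -v attr="$3" '
        /^[^ \t*]+:/ { cur = $1; sub(/:.*$/, "", cur); next }
        cur == stanza {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == attr) { print val; exit }
        }' "$1"
}

# user_attr FILE USER ATTR -> effective value: the user's own setting, else
# the 'default' stanza, which is how AIX resolves omitted attributes.
user_attr() {
    v=$(stanza_get "$1" "$2" "$3")
    if [ -n "$v" ]; then echo "$v"; else stanza_get "$1" default "$3"; fi
}

# check_user_policy FILE STANZA -> prints one 'chsec' fix per attribute weaker
# than recommended; returns 0 only if every attribute passes.
#   min: value must be >= WANT.   cap: value must be 1..WANT, because on AIX
#   0 means "no limit" here (maxage=0 never expires, loginretries=0 is
#   unlimited), so 0 is a failure, not an extra-strict pass.
check_user_policy() {
    file=$1; stanza=$2; rc=0
    for spec in minlen:6:min minalpha:4:min minother:1:min mindiff:3:min \
                loginretries:2:cap maxrepeats:3:cap maxage:12:cap; do
        attr=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; kind=${rest#*:}
        have=$(user_attr "$file" "$stanza" "$attr")
        have=${have:-0}                 # unset everywhere: treat as 0, which fails
        case $kind in
            min) if [ "$have" -ge "$want" ]; then continue; fi ;;
            cap) if [ "$have" -ge 1 ] && [ "$have" -le "$want" ]; then continue; fi ;;
        esac
        echo "chsec -f $file -s $stanza -a $attr=$want"
        rc=1
    done
    return $rc
}

# root_su_only FILE -> true when root cannot log in directly (console or
# network) and is reachable only through su, as the draft recommends.
root_su_only() {
    [ "$(user_attr "$1" root login)" = false ] &&
    [ "$(user_attr "$1" root rlogin)" = false ]
}

# Constructed sample of /etc/security/user (assumed content, not a real file).
USERFILE=$(mktemp)
trap 'rm -f "$USERFILE"' EXIT
cat > "$USERFILE" <<'EOF'
* constructed sample of /etc/security/user
default:
        admin = false
        login = true
        su = true
        rlogin = true
        maxage = 0
        minlen = 0
        minalpha = 0
        minother = 0
        maxrepeats = 8
        mindiff = 0
        loginretries = 0

root:
        rlogin = false
        maxage = 12
        minlen = 8
        minalpha = 4
        minother = 1
        maxrepeats = 3
        mindiff = 3
        loginretries = 2
EOF

echo "== default stanza (stock AIX values) =="
check_user_policy "$USERFILE" default || echo "default: NOT compliant"
echo "== root stanza =="
check_user_policy "$USERFILE" root && echo "root: password policy OK"
root_su_only "$USERFILE" || echo "root: still has login=true (inherited from default)"
```

The stock default stanza fails all seven checks (note that maxrepeats=8 and the zeros are "unrestricted", not "strict"), root's explicit values pass, and root is still reachable at the console because its stanza never sets login=false; that inherited value is easy to miss when reading the root stanza alone, which is why the check resolves attributes the way AIX does.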
They are typically transferred as tar files, by CD or FTP. (It's like a local ipchains/IPFilter.) Examples would include ports used by Web-based System Manager and X11. Configure the ssh daemon (/etc/sshd. Use .shosts rather than. If telnetd/ftpd were still enabled, disable them in /etc/inetd.conf. SSH. Security: tripwire, lsof, md5. SysAdmin. Test: do SSH and the standard tools work? Check log entries, check console messages.

Filesystem options: This reduces the risk of trojan horses and unauthorised modifications. Mount other partitions nosuid (SUID programs cannot assume other identities). Reboot. Run the mount command to check that the filesystem options are effective. If CD-ROMs are not needed for production, disable the volume manager (one less daemon). It can always be re-enabled if needed later: mv /etc/rc2.d/S92volmgt /etc/rc2.d/S92volmgt (the renamed target is cut off here; S92volmgt is the Solaris volume manager start script, not an AIX file).

Tripwire: At this stage install tripwire (or some other file checker that uses secure hashing. If possible keep the tripwire master database on another machine or write-once media. Even better, copy tripwire and its database and run it remotely at regular intervals using SSH. This makes it difficult for an attacker to know that tripwire is being used to check.

Backup the system to two tapes, one offsite.

Maintenance: intrusion monitoring tasks
  File integrity: size, permissions, ownership (nice tcbck -n tree, or tripwire?)
  Network ports visible
  Network traffic intrusion
  Log statistics
  Log exception monitoring
  Availability / reliability: processes, ping hosts, snmp, rpc, remote check of specific services
Example schedules: daily, weekly, monthly.

Patches: On system installation, the latest security / recommended patches for the Operating System and applications should be installed. As time goes by, new weaknesses and corresponding patches will be published and these. It is advisable to test patches on a.

References
  AIX 4.3 Elements of Security: Effective and Efficient Implementation, by Kosuge, Arminguad, Chew, Horne, Witteveen, 18-Aug-2000.
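The intrusion-monitoring list above starts with file integrity (size, permissions, ownership) and suggests tcbck -n tree or tripwire for it. The script below is an added example, not tooling from the draft, of the underlying idea in plain POSIX shell: record mode, owner, group, size and checksum for every file under a directory, then compare a later snapshot against that baseline and report added, removed and changed files. It builds its own small directory tree and tampers with it (a SUID bit set on a script, a file that grows, a hidden file dropped in); those are constructed inputs. cksum is a CRC, not a secure hash, so for real monitoring use a hashing checker and, as the draft says, keep the baseline off the host.

```shell
#!/bin/sh
# Added example (not from the hardening draft): a minimal file-integrity
# baseline/compare in POSIX sh.  Records mode, owner, group, size and cksum
# per regular file; a later run is diffed against the saved baseline.
# Paths are assumed to contain no whitespace.  cksum is a CRC (tamper-evident
# only against accidents); use a cryptographic hash tool for real monitoring.

# integrity_baseline DIR -> one record per line: mode owner group size crc path
integrity_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(cksum < "$f")                           # crc size
        printf '%s %s %s %s\n' "$(ls -ld "$f" | awk '{print $1, $3, $4}')" "$2" "$1" "$f"
    done )
}

# integrity_compare BASELINE DIR -> prints added:/removed:/changed: lines
# (changed shows the old and new record) and returns 1 if anything differs.
integrity_compare() {
    integrity_baseline "$2" | awk -v basefile="$1" '
        BEGIN {
            while ((getline line < basefile) > 0) {
                n = split(line, f, " "); base[f[n]] = line
            }
        }
        {
            n = split($0, f, " "); p = f[n]; seen[p] = 1
            if (!(p in base))        { print "added:   " $0; diff = 1 }
            else if (base[p] != $0)  { print "changed: " base[p] " -> " $0; diff = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "removed: " base[p]; diff = 1 }
            exit diff
        }'
}

# --- constructed demo tree --------------------------------------------------
DEMO=$(mktemp -d)
BASE=$DEMO/baseline.txt
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/tree/bin"
printf 'echo hello\n' > "$DEMO/tree/bin/hello"
printf 'x=1\n'        > "$DEMO/tree/rc.local"
integrity_baseline "$DEMO/tree" > "$BASE"

# Simulated tampering after the baseline was taken.
chmod u+s "$DEMO/tree/bin/hello"          # permission drift: a new SUID file
printf 'x=2\n' >> "$DEMO/tree/rc.local"   # content and size change
printf 'bad\n' > "$DEMO/tree/bin/.hidden" # a file that was not there before

integrity_compare "$BASE" "$DEMO/tree" || echo "integrity: differences found"
```

Each changed line carries both records, so the SUID bit appearing in the mode string and the size/checksum change on rc.local are visible without a second lookup; run it from cron with the baseline on read-only media or fetched over SSH from another host, in the spirit of the draft's tripwire advice.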
  Also a pdf version for printing.
  Additional AIX Security Tools on IBM pSeries, IBM RS/6000 and SP/Cluster, by Farazdel, Genty, Kerouanton, Khor, 20-Dec-2000. Also a pdf version for printing.
  Exploiting RS/6000 SP Security: Keeping It Safe, by Farazdel, DeRobertis, Genty, Kreuger & Wilkop, Sep-2000. Also a pdf version.

Auditing notes: Several "check" commands (grpck, usrck, pwdck and tcbck) verify the consistency of the group, user, password and TCB databases. The grpck, usrck, and pwdck commands require a flag to indicate whether the system should try to fix erroneous attributes. Flags are:
  -n  Reports errors but does not fix them.
  -p  Fixes errors but does not report them.
  -t  Reports errors and asks whether they should be fixed.
  -y  Fixes errors and reports them.