Hardening AIX
(rough outline draft #2. I started this in Nov. 2001, but the project was abandoned.)
NOTE: This is an early working draft, and as such is not very easy to read. I apologise for this, but the idea
is to produce an outline, which can then be improved upon and refined.
By Seán Boran
This document presents a step-by-step approach to securely installing AIX 4.3 (TBD exact version) for use in
a sensitive environment. All steps have been tested on Pilot Globe systems.
The focus here is on preparing the Operating System to securely run services, rather than the setup of the
services themselves. An accompanying tool will be developed to allow corresponding automated hardening.

The process of hardening involves installing patches, disabling unneeded services, configuring accounts
correctly, restricting file permissions, limiting SUID/SGID files, configuring OS security features, and
monitoring the system for unusual behaviour.

Table of contents

1. Preparation
2. Initial OS installation
3. Minimize network services
   o Principles
   o Minimise Inetd
   o Minimize /etc/rc.tcpip
   o Minimize /etc/rc.nfs
   o Minimize inittab
   o Minimize other services
4. Kernel Tuning
5. Logging
6. File / Directory Access Control
7. System Authentication / Access Control
8. User Accounts and Environment
9. Hardening specific services (optional for later?, or refer to other documents?): snmp, smtp, http, dns,
   time sync & ntp, AIXwindows/CDE.
10. Install additional security tools
11. Create Tripwire image, backup, test
12. Maintenance: monitoring | Software patches
13. References
1. Preparation

• Keep things simple: it is expected that only one or two services will run on a host. Use several
  machines, rather than one superserver that does everything. It's easier to isolate applications, harden
  and troubleshoot. Be minimalist: only run what is absolutely necessary.

• Hardware: Consider installation via the serial port console, and get rid of the keyboard, screen and
  framebuffer, i.e. avoid using X11 and get to know the command line. Have an isolated, trusted
  network available for testing.
  TBD: can AIX do this?

• Know exactly what the system is supposed to do, what its hardware configuration will be, etc.
  Hardening is generic and may break certain functions, e.g. AIXwindows/CDE may need RPC to run,
  but you really don't want RPC running on a sensitive host?

• It's important to understand how the applications work (how they use ports, devices, files), to judge
  what hardening is possible and to assess the risk posed.
2. Initial OS installation

TBD:
• boot via serial console
• installation example
• additional OS packages
• partitioning
• patch bundle
3. Minimize network services

Principles

Network services present a significant risk to security:

• Only enable the strict minimum of services needed. The number of system processes listed by "ps -ef"
  or equivalent should be less than 10.
• Use encrypted tools (like SSH) rather than clear-text network logins (e.g. telnet, 3270, ftp, rlogin,
  rcmd).
• Keeping up to date with security patches on network daemons is particularly important.
• Daemons should run as non-root users.
• Daemons should "chroot" to a dedicated directory.
• Use encryption where possible to prevent snooping or replay attacks.
• Services must use a minimal (restrictive) umask, file permissions etc.
• Strong authentication (with tokens or lists) should be considered for critical services.
• Applications should package structure
Minimise Inetd network services

Inetd is a process which automatically starts certain daemons, such as telnet and ftp, when connections are made.
Inetd services can be enabled or disabled with the command 'chsubserver' on AIX. After changes to the
inetd configuration, the daemon needs to be sent a hang-up signal: 'refresh -s inetd'. For example:

[server1]# chsubserver -d -v daytime -p udp
[server1]# chsubserver -d -v daytime -p tcp
[server1]# grep daytime /etc/inetd.conf
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal

It is recommended that ALL services except the following be disabled:
..... TBD list ...

This can be achieved with the following commands:
chsubserver -d -v daytime -p udp
chsubserver -d -v daytime -p tcp
..... TBD list ...
securetcpip ?

Special services which may be needed (discuss what measures to take for each one):
1. ftp
2. telnet
3. other?
4. tftp - for diskless booting: /etc/tftpaccess.ctl
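As an added example (not part of the original draft, and not an AIX tool), the script below audits an inetd.conf against an allow-list of services that may stay enabled and prints the chsubserver/refresh commands that would disable everything else. It only uses POSIX sh and awk, so it can be tried anywhere; the inetd.conf content is a constructed sample, and on a real host you would feed it /etc/inetd.conf instead. The service names in the allow-list are assumptions for the sake of the run.

```shell
#!/bin/sh
# Added example: audit inetd.conf entries against an allow-list and emit the
# AIX commands that would disable the rest. Nothing here executes chsubserver.

# Constructed sample inetd.conf: commented-out lines are already disabled.
SAMPLE_INETD_CONF='#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/telnetd      telnetd -a
#shell  stream  tcp     nowait  root    /usr/sbin/rshd         rshd
exec    stream  tcp     nowait  root    /usr/sbin/rexecd       rexecd
chargen stream  tcp     nowait  root    internal
tftp    dgram   udp     SRC     nobody  /usr/sbin/tftpd        tftpd -n
'

# enabled_services: read inetd.conf from stdin and print "name proto" for
# every live (uncommented) entry, one per line.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1, $3 }'
}

# unexpected_services: print the enabled entries whose name is not in the
# space-separated allow-list given as $1. Config is read from stdin.
unexpected_services() {
    allow="$1"
    enabled_services | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1, $2 }'
}

# disable_commands: for each unexpected entry, print the chsubserver command
# an AIX administrator would run, followed by the refresh that makes inetd
# re-read its configuration. Output only; nothing is executed.
disable_commands() {
    cmds=$(unexpected_services "$1" | awk '{ printf "chsubserver -d -v %s -p %s\n", $1, $2 }')
    if [ -n "$cmds" ]; then
        printf '%s\nrefresh -s inetd\n' "$cmds"
    fi
}

# Stand-alone run on the constructed sample, allowing only ftp and telnet.
printf '%s' "$SAMPLE_INETD_CONF" | disable_commands "ftp telnet"
```

On a live system the same audit is `unexpected_services "ftp telnet" < /etc/inetd.conf`; reviewing the printed commands before running them keeps a typo in the allow-list from silently taking down a service the host needs.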
Minimize /etc/rc.tcpip network services
A description of what services are started in /etc/rc.tcpip and how they can be changed with chrctcp.

/usr/sbin/no -o clean_partial_conns=1
/usr/sbin/no -o bcastping=0
/usr/sbin/no -o directed_broadcast=0
/usr/sbin/no -o ipignoreredirects=1
/usr/sbin/no -o ipsendredirects=0
/usr/sbin/no -o ipsrcroutesend=0
/usr/sbin/no -o ipsrcrouterecv=0
/usr/sbin/no -o ipsrcrouteforward=0
/usr/sbin/no -o ip6srcrouteforward=0
/usr/sbin/no -o icmpaddressmask=0
/usr/sbin/no -o nonlocsrcroute=0
/usr/sbin/no -o tcp_pmtu_discover=0
/usr/sbin/no -o udp_pmtu_discover=0
/usr/sbin/no -o ipforwarding=0
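The list above sets the options; it does not tell you whether a host already matches them, and on AIX 4.3 values set with `no` do not survive a reboot (they are normally placed in /etc/rc.net), so a periodic check is worth having. The script below is an added example, not part of the draft or of AIX: it takes `no -a` style "option = value" lines on stdin, compares them with the list above, and prints the `no -o` commands needed to correct any drift. The `no -a` output shown is a constructed sample so the script runs without an AIX system; one option (icmpaddressmask) is deliberately left out of the sample to show how a kernel that does not report an option is handled.

```shell
#!/bin/sh
# Added example: report kernel network options that differ from the hardening
# list and emit the `no -o` commands that would correct them.

# Desired settings, one "option=value" per line (the list from the draft).
DESIRED='clean_partial_conns=1
bcastping=0
directed_broadcast=0
ipignoreredirects=1
ipsendredirects=0
ipsrcroutesend=0
ipsrcrouterecv=0
ipsrcrouteforward=0
ip6srcrouteforward=0
icmpaddressmask=0
nonlocsrcroute=0
tcp_pmtu_discover=0
udp_pmtu_discover=0
ipforwarding=0'

# Constructed stand-in for `no -a` output: some values correct, some not,
# one unrelated option, and icmpaddressmask absent.
SAMPLE_NO_OUTPUT='         bcastping = 1
  clean_partial_conns = 0
   directed_broadcast = 0
   ip6srcrouteforward = 1
         ipforwarding = 1
    ipignoreredirects = 1
      ipsendredirects = 1
    ipsrcrouteforward = 0
       ipsrcrouterecv = 0
       ipsrcroutesend = 0
       nonlocsrcroute = 0
    tcp_pmtu_discover = 1
    udp_pmtu_discover = 1
            somaxconn = 1024'

# drift: read "option = value" lines from stdin and print "option current desired"
# for every option in DESIRED whose value differs. Options the kernel does not
# report are printed with current "MISSING" rather than silently skipped.
drift() {
    awk -v desired="$DESIRED" '
        BEGIN {
            n = split(desired, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, "=")
                want[kv[1]] = kv[2]
                order[i] = kv[1]
            }
        }
        NF == 3 && $2 == "=" { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                opt = order[i]
                cur = (opt in have) ? have[opt] : "MISSING"
                if (cur != want[opt]) print opt, cur, want[opt]
            }
        }'
}

# fix_commands: turn the drift report into `no -o` invocations. Missing
# options are left out, since `no` would reject them; they need a manual look.
fix_commands() {
    drift | awk '$2 != "MISSING" { printf "/usr/sbin/no -o %s=%s\n", $1, $3 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_NO_OUTPUT" | drift
```

On a real host the check is `no -a | drift`, and `no -a | fix_commands` gives the lines to review before running them or adding them to the boot-time script; an option reported as MISSING usually means the AIX level does not support it, which is worth recording rather than ignoring.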
