Professional Documents
Culture Documents
http://aplawrence.com
From http://aplawrence.com/MDesrosiers/aixhardening.html
1.1 Preamble
IBM has positioned AIX 5 L version 5.1, as the new standard in Unix operating systems. It is built upon AIX 4.3.3 and provides
improvements in critical areas such as reliability, availability, performance and security. The recommended way to harden the AIX Operating
System is to use the principle of least privilege. If the user does not need the service, they are not allowed to access that service. Also if the
server is to be an application server, only allow those specific services like ports 80 443 and 8080 to the server. There is a security principle
that says you should configure computers to provide only selected network services. The basic idea is this; every network service you offer is
an opportunity for the bad guys (alternatively a risk to your system). That's not to say that you shouldn't offer any services -- a web application
server that doesn't offer web services isn't very useful. Instead, the principle says you should have a good understanding of network services
and you should not offer any service unless there are very good reasons for doing so. This paper offers reasons to harden both server and
network services for AIX 5.1 -- an application of the security principle.
Some security packages address the problem by stripping all (or nearly all) network services and then instruct you to be careful about what you
add to the system. That's a great approach but requires that you "get your hands on" the system before anyone layers anything onto it and you
understand what you're adding to the system when you add it back in. These are two conditions that do not apply at many sites. The approach
here is different. We will consider services offered by the AIX 5.1 operating system, try to explain what each does, note the risks involved with
each and make recommendations about what one ought to do to mitigate the risk.
Planning – This is the part of the plan where you must define the overall security policies and goals. In many
Organizations, this initial step is performed at the corporate level, and is likely to have already been completed.
Architecture – This is where the design of your environment is defined to meet the requirements of the planning
phase.
Implementation – This is where the infrastructure is built from the architectural design.
Start with securing the servers and working out towards the perimeter.
Start with one security package and rollout to the other servers.
Start from the top down, in other words, physical layer, network layer, etc.
Monitoring – Once the infrastructure is built, you will need to continuously monitor it for vulnerabilities and suspected attacks. A
better approach might be to schedule weekly audits, so as not to choke the network with useless snmp traffic. Problems that are found
here should then be addressed through the previous phases in order to find the best resolution possible.
Application logs
System logs (syslog, sulog, wtmp, lastlogin, failedlogin, etc.)
Audit logs
1 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
Incident Response – This is the phase that you must address your worse fears. The worst time to begin working on this phase is after
an attack or breach that has already occurred. The time spent in the beginning considering how you should respond to a real attack
will pay for itself many times over if you are ever in this situation. You must think of this “Pre-emptive” thinking.
Your organization's security policy for networked systems should require that a detailed computer deployment plan be developed,
implemented, and maintained whenever computers are being deployed. Access to your deployment plan should only be given to those
who require the information to perform their jobs. All new and updated servers be installed, configured, and tested in a stand-alone
mode or within test networks (i.e., not connected to operational networks). You must present a policy that defines in detail
appropriate behavior within it’s I/T infrastructure. All servers present a warning banner to all users indicating that they are legally
accountable for their actions and, by using the servers; they are consenting to having their actions logged.
2. Requirements
2.1 Policies and Procedures
You must develop a server deployment plan that includes security issues. Most deployment plans address the cost of the computers,
schedules to minimize work disruption, installation of applications software, and user training. In addition, you need to include a discussion of
security issues. You can eliminate many networked systems vulnerabilities and prevent many security problems if you securely configure
computers and networks before you deploy them. Vendors typically set computer defaults to maximize available functions, so you usually need
to change defaults to meet your organization's security requirements. You are more likely to make decisions about configuring computers
appropriately and consistently when you use a detailed, well-designed deployment plan. Developing such a plan will support you in making
some of the hard trade-off decisions between functionality and security. Consistency is a key factor in security, because it fosters predictable
behavior. This will make it easier for you to maintain secure configurations and help you to identify security problems (which often manifest
themselves as deviations from common, expected behavior). Refer to the better practice that keeping the AIX operating system and applications
software up to date is an essential part of this strategy.
Identify the network services that will be provided on the server. Servers as a general rule should be dedicated to a single service.
This usually simplifies the configuration, which reduces the likelihood of configuration errors. In the case of the servers, the
application server should be limited to www or https services. The db2 server should be ports 50000 (db2idb2inst1) and 50001
(db2idb2inst1). It also can eliminate unexpected and unsafe interactions among the services that present opportunities for intruders. In
some cases, it may be appropriate to offer more than one service on a single host computer. For example, the server software from
many vendors combines the file transfer protocol (FTP) and the hypertext transfer protocol (HTTP) services in a single package. It
may be appropriate to provide access to public information via both protocols from the same server host but we do not recommend
this as it is a less secure configuration.
Determine how the servers will be connected to your network. There are concerns relating to network connections that can affect the
configuration and use of any one computer. Many organizations use a broadcast technology such as Ethernet for their local area
networks. In these cases, information traversing a network segment can be seen by any computer on that segment. This suggests that you
should only place “trusted” computers on the same network segment, or else encrypts information before transmitting it. The servers
should be in there own private subnet.
2 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
The most common approach is the use of passwords; but other mechanisms can be used, such as keys, tokens, and biometric devices
(devices that recognize a person based on biological characteristics such as fingerprints or patterns of the retinal blood vessels).
Because authentication mechanisms like passwords require information to be accessible to the authentication software, carefully
document how that information will be protected. Authentication data is critical security information that requires a high level of
protection. You should follow the security group’s guidelines for administrative access into your sensitive data environment. In other
words, password length of 8 characters with at least 2 alpha characters, etc. We will be discussing this in more detail in the
recommendations section of this document.
Determine how appropriate access to information resources will be enforced. For many resources, such as program and data files,
the access controls provided by AIX are the most obvious means to enforce access privileges. Also, consider using encryption
technologies to protect the confidentiality of sensitive information. In some cases, protection mechanisms will need to be augmented
by policies that guide user's behavior related to their workstations. Identify the users or categories of users of the computer. The
categories are based on user roles that reflect their authorized activity. The roles are often based on similar work assignments and
similar needs for access to particular information resources—system administrators, software developers, data entry personnel, etc. If
appropriate, include groups of remote users and temporary or guest users. Document the categories of users that will be allowed
access to the provided services. You may need to categorize users by their organizational department, physical location, or job
responsibilities. You also need a category of administrative users who will need access to administer the servers and possibly
another category for backup operators.
Access to AIX servers should be restricted to only those administrators responsible for operating and maintaining the server.
This will ensure that the server's users are restricted to those who are authorized to access the provided service and responsible for
server administration. Determine the privileges that each category of user will have on the servers. To document privileges, create a
matrix that shows the users or user categories (defined in the previous step) cross-listed with the privileges they will possess. The
privileges are customarily placed in groups that define what system resources or services a user can read, write, change, execute,
create, delete, install, remove, turn on, or turn off. Decide how users will be authenticated and how authentication data will be
protected. There are usually two kinds of authentication: (1) the kind provided with the operating system, commonly used for
authenticating administrative users and (2) the kind provided by the network service software, commonly used for authenticating users
of the service. A particular software implementation of a network service may use the provided authentication capability, and thus it
may be necessary for users of that service to have a local identity (usually a local account) on the server.
Document procedures for backup and recovery of information resources stored on the computer. Possessing recent, secure backup
copies of information resources makes it possible for you to quickly restore the integrity and availability of information resources.
Successful restoration depends on configuring the operating system, installing appropriate tools, and following defined operating
procedures. You need to document backup procedures including roles, responsibilities, and how the physical media that store the
backup data are handled, stored, and managed. Consider using encryption technologies like ssh to protect backups. Your backup
procedures need to account for the possibility that backup files may have been compromised by an undetected intrusion. Verify the
integrity of all backup files prior to using them to recover systems.
3.1 Tools
3.1.1 AIX 5.1 server tools
Here are the tools that are used in I/T environments today. These tools are freeware, but have been validated by there reliability over
the last 5 – 10 years.
3 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
3.2 Checklist
3.2.1 AIX Security Checklist
Next we want to gather a rather comprehensive list of both the AIX and pseries inventories. By running these next 4 scripts we can
gather the information for analyze.
____ Run these 4 scripts: sysinfo, tcpchk, nfsck and nethwchk. (See Appendix A for scripts)
____ sysinfo:
____ List logical volumes for each volume group: lsvg –l “vgname”
____ List system name, nodename, LAN network number, AIX release, AIX version and machine ID: uname –x
4 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
____ Name all nameservers the servers have access to: namerslv –Is
____ Examine the processes from users logged into the servers: who –p /var/adm/wtmp
____ tcpchk:
____ Search for .rhosts and .netrc files: find / -name .rhosts -print ; find / -name .netrc –print
____ nfschk:
____ Checks to see if it is an NFS server and what directories are exported: cat /etc/xtab
____ nethwchk
____ Display active connection on boot: odmget -q value=up CuAt | grep name|cut -c10-12
5 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
____ To allow all users: touch cron.allow (if file does not already exist)
____ Disable direct herald root access: add rlogin=false to root in /etc/security/user file or through smit
____ Limit the $PATH variable in /etc/environment. Use the users .profile instead.
____ Report all password inconsistencies and not fix them: pwdck –n ALL
____ Report all password inconsistencies and fix them: pwdck –y ALL
____ Report all group inconsistencies and not fix them: grpck –n ALL
____ Report all group inconsistencies and fix them: grpck –y ALL
3.2.1.4 SUID/SGID
____ Review all SUID/SGID programs owned by root, daemon, and bin.
____ Review all sticky bit programs: find / -perm -3000 –print
____ Use the sticky bit on the /tmp and /usr/tmp directories.
____ Run checksum (md5) against all /bin, /usr/bin, /dev and /usr/sbin files.
____ Look for un-owned files on the server: find / -nouser –print.
Note: Do not remove any /dev files.
____ Do not use r-type commands: rsh, rlogin, rcp and tftp or .netrc or .rhosts files.
____ Change /etc/host file permissions to 660 and review its contents weekly.
6 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
____ Check for both tcp/udp failed connections to the servers: netstat –p tcp; netstat –p udp.
____ If using ftp, make this change to the /etc/inetd.conf file to enable logging.
____ Set NFS mounts to –ro (read only) and only to the hosts that they are needed.
____ Consider using extended ACL’s (please review the tcb man page).
____ Before making network connection collect a full system file listing and store it off-line:
ls -Ra -la>/tmp/allfiles.system
____ Make use of the strings command to check on files: strings /etc/hosts | grep Kashmir
4. Recommendations
4.1 Remove unnecessary services
By default the Unix operating system gives us 1024 services to connect to, we want to parse this down to a more manageable value.
There are 2 files in particular that we want to parse. The first is the /etc/services file itself. A good starting point is to eliminate all
unneeded services and add services as you need them. Below is a screenshot of an existing ntp server etc/services file on one of my
lab servers.
#
# Network services, Internet style
#
ssh 22/udp
ssh 22/tcp mail
auth 113/tcp authentication
sftp 115/tcp
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
#
# UNIX specific services
#
login 513/tcp
shell 514/tcp cmd # no passwords used
This file starts the daemons that we will be using for the tcp/ip stack on AIX servers. By default the file will start the sendmail, snmp
and other daemons. We want to parse this to reflect what
functionality we need this server for. Here is the example for my ntp server.
# Start up Portmapper
7 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
This helps also to better understand what processes are running on the server.
##################################################################
##################################################################
# Changes made on 06/07/02 to tighten up socket states on this
# server.
##################################################################
if [ -f /usr/sbin/no ] ; then
/usr/sbin/no -o udp_pmtu_discover=0 # stops autodiscovery of MTU
/usr/sbin/no -o tcp_pmtu_discover=0 # on the network interface
/usr/sbin/no -o clean_partial_conns=1 # clears incomplete 3-way conn.
/usr/sbin/no -o bcastping=0 # protects against smurf icmp attacks
/usr/sbin/no -o directed_broadcast=0 # stops packets to broadcast add.
/usr/sbin/no -o ipignoreredirects=1 # prevents loose
/usr/sbin/no -o ipsendredirects=0 # source routing
/usr/sbin/no -o ipsrcrouterecv=0 # attacks on
/usr/sbin/no -o ipsrcrouteforward=0 # our network
/usr/sbin/no -o ip6srcrouteforward=0 # from using indirect
/usr/sbin/no -o icmpaddressmask=0 # dynamic routes
/usr/sbin/no -o nonlocsrcroute=0 # to attack us from
/usr/sbin/no -o ipforwarding=0 # Stops server from acting like a router
fi
8 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
This computer system is the private property of XYZ Insurance. It is for authorized use only. All users (authorized or non-authorized)
have no explicit or implicit expectations of privacy.
Any or all users of this system and all the files on this system may be intercepted, monitored, recorded, copied, audited, inspected and
disclosed to XYZ Insurance's management personnel.
By using this system, the end user consents to such interception, monitoring, recording, copying, auditing, inspection and disclosure at
the discretion of such personnel. Unauthorized or improper use of this system may result in civil and/or criminal penalities and
administrative or disciplinary action, as deemed appropriate by said actions. By continuing to use this system, the individual indicates
his/her awareness of and consent to these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the provisions stated in this warning banner.
default:
#fsize = 2097151
fsize = 8388604 – sets the soft file block size to a max of 8 Gig.
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
9 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
Defaults logfile=/var/log/sudo.log
For more details, please see the XYZ Company Insurance Work Report that I compiled, or visit this
URL: http://www.courtesan.com/sudo/.
These are some of the changes to the /etc/security/user file that will promote a more heightened
configuration of default user attributes at your company.
default:
umask = 077 – defines umask values – 22 is readable only for that UID
pwdwarntime = 7 – days of password expiration warnings
loginretries = 5 – failed login attempts before account is locked
histexpire = 52 – defines how long a password cannot be re-used
histsize = 20 – defines how many previous passwords the system remembers
minage = 2 – minimum number of weeks a password is valid
maxage = 8 – maximum number of weeks a password is valid
maxexpired = 4 – maximum time in weeks a password can be changed after it expires
minalpha = 2 – minimum number of alphabetic characters in a password
minother = 1 – number of non-alphabetic characters in a password
minlen = 8 – minimum character length of a password
mindiff = 3 – number of different characters that must be used in a password
maxrepeats = 2 – number of times a character can appear in a password
default:
sak_enabled = false
logintimes =
logindisable = 5
logininterval = 0
loginreenable = 30
logindelay = 10
herald = "Unauthorized use prohibited.\r\nlogin: "
usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/usr/bin/sh,/usr/bi
n/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh
maxlogins = 16
logintimeout = 15 – sets the time to 15 seconds from when a login is presented and you type
in your password.
errpt –a|more
alog -o -f '/var/adm/ras/bootlog' (boot log)
who /var/adm/sulog
who /var/adm/wtmp
10 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
vmstat
iostat
netpmon
monitor
wlmstat
5. Conclusion
5.1 Summary
Today’s computing environments are mostly distributed infrastructures. Your company must develop intrusion detection strategies for
the servers. I do not believe that there are any sensors on the nternal network. Many of the common intrusion detection methods depend on the
existence of various logs that AIX can produce and on the availability of auditing tools that analyze those logs. This will help you with
installing the appropriate software tools and configure these tools and the operating system to collect and manage the necessary information.
Keep your computer deployment plan current. Your company must update the computer deployment plan when relevant changes occur. Sources
of change may include new technologies, new security threats, updates to your network architecture, the addition of new classes of users or new
organizational units, etc. The environment will only work if the process is centralized. I also believe that there is not enough on-site
experience and internal infrastructure to administor this project. The issues of 24/7 availability and the underlying issues of security in layers
have to be addressed.
11 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
Appendix A
sysinfo:
#!/bin/ksh
#
# This script is one of the system management tools used
# to determine a particular AIX system configuration
#
# list all of the users registered on the system
#
/usr/sbin/lsuser -c -a id home ALL | sed '/^#.*/d' | tr ':' '\011'
#
# display the mounted filesystems
#
echo "*********************"
echo
echo LIST OF MOUNTED FILESYSTEMS
echo
echo "*********************"
/usr/bin/df –k
#
# List the filesystems in 1024 block size for easier conversion
#
echo "*********************"
echo
echo
echo "*********************"
echo
echo VOLUME GROUP INFORMATION
echo
echo "*********************"
#
# list out the volume group information
# such as phy vol, logical vol info
#
/usr/sbin/lsvg '-p' rootvg
/usr/sbin/lsvg '-l' rootvg
/usr/sbin/lspv hdisk0
/usr/sbin/lspv '-p' hdisk0
/usr/sbin/lspv '-l' hdisk0
/usr/sbin/lspv hdisk1
/usr/sbin/lspv '-p' hdisk1
/usr/sbin/lspv '-l' hdisk1
#
# list out all of the defined user groups
#
echo "****************"
echo
echo
echo "****************"
echo
echo DEFINED USER GROUPS
echo
echo "****************"
echo
/usr/sbin/lsgroup '-c' ALL
#
# list out the TCP net info
#
echo "****************"
echo
echo
echo "****************"
echo
12 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
echo "****************"
/usr/bin/who '-s' '/etc/security/failedlogin'
#
# display the userid in each defined group
#
echo "****************"
echo
echo USER INFORMATION
echo
echo "****************"
/usr/sbin/lsgroup '-fa' 'id' 'users' 'ALL'
tcpchk:
#
# this file check for tcp related files to see if it is
# installed on the machine
#
echo "The following network products are installed on this system:"
echo " "
lslpp -l |grep bosnet
echo " "
installtest=`lslpp -l | /bin/grep 'bos.net.tcp'`
if [ "x$installtest" = "x" ]; then
echo "TCP/IP not installed"
else
echo "The following TCP/IP services are configured on this machine"
echo " "
lssrc -g tcpip
echo " "
echo "******** WARNING **********"
echo ".rhosts and .netrc are a security risk"
13 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
nfschk:
#!/bin/sh
#
# this script review the NFS configuration for a machine
#
echo "NFS Configuration"
echo "-----------------"
echo " "
installtest=`lslpp -l |/bin/grep nfs`
if [ "x$installtest" = "x" ]; then
echo "NFS not installed on this system"
echo " "
else
echo "NFS is installed on this system"
echo " "
nfstest=`lssrc -g nfs|/bin/grep active`
if [ "x$nfstest" = "x" ]; then
echo "NFS is not active at this time"
echo " "
else
echo "NFS is active"
echo " "
if [ -x /usr/etc/nfsd -a -f /etc/exports ]; then
echo "This machine is an NFS server"
echo "The following directories may be exported:"
echo " "
cat /etc/exports
echo " "
echo "The following directories are currently exported:"
echo " "
cat /etc/xtab
echo " "
echo "The following hosts have exported directories mounted"
echo "at this time"
echo " "
/usr/bin/showmount
echo " "
else
echo "this machine is an NFS client"
echo " "
echo "The following directories are mounted from remote systems"
echo " "
14 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
nethwchk:
en0
en0: flags=4e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG>
inet 192.168.1.13 netmask 0xffffffe0 broadcast 192.168.1.31
15 of 16 11/14/2010 8:26 AM
MDesrosiers/aixhardening.html http://aplawrence.com/cgi-bin/printer.pl?arg=/MDesrosiers/aixhardening...
From http://aplawrence.com/MDesrosiers/aixhardening.html
URLS:
Comments /MDesrosiers/aixhardening.html
16 of 16 11/14/2010 8:26 AM