CIS AIX Benchmark

AIX Benchmark v1.0.1

Copyright 2005, The Center for Internet Security http://www.CISecurity.org/

1

CIS AIX Benchmark

AIX Benchmark v1.01 October 19, 2005
Copyright 2004, 2005, The Center for Internet Security (CIS)

TERMS OF USE AGREEMENT
Background. The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. No Representations, Warranties, or Covenants. CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind. User Agreements. By using the Products and/or the Recommendations, I and/or my organization ("We") agree and acknowledge that: 1. No network, system, device, hardware, software, or component can be made fully secure; 2. We are using the Products and the Recommendations solely at our own risk; 3. We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommendations, even risks that result from CIS's negligence 2

CIS AIX Benchmark or failure to perform; 4. We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; 5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades, or bug fixes; or to notify us of the need for any such corrections, updates, upgrades, or bug fixes; and 6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation, loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. Grant of Limited Rights. CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: 1. Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; 2. Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. Retention of Intellectual Property Rights; Limitations on Distribution. The Products are protected by copyright and other intellectual property laws and by international treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitled "Grant of limited rights." Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to 3

We hereby agree to indemnify. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. Special Rules. rent. and in such case. development. we agree to cooperate with CIS in its defense of such claim. and except as we may have otherwise agreed in a written agreement with CIS. (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality. or (viii) represent or claim a particular level of compliance with a CIS Benchmark. defend. or other similar mechanism or device.www. software suppliers. affiliates. without regard to whether such mechanism or device is internal or external. ftp server. lend. losses. scoring tool or other Product. directors. lease. The distribution of the NSA Security Recommendations is subject to the terms of the NSA Legal Notice and the terms contained in the NSA Security Recommendations themselves (http://nsa2. sublicense. CIS has created and will from time to time create. or alter these Agreed Terms of Use as they appear in. and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the preceding paragraph. developers. including without limitation CIS's right. agents. authors. and hold CIS and all of its officers. newsgroup. any Product or any component of a Product. redistribute. logo. we agree that we will not (i) decompile.conxion. encumber.CIS AIX Benchmark some classes of CIS Members. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use. disassemble. at our expense. (v) remove these Agreed Terms of Use from. (iii) post any Product or any component of a Product on any website. hardware suppliers. of certain limitations in this paragraph). members. We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. contributors. employees. (iv) remove or alter trademark. bulletin board. costs. information and service providers. sell. copyright or other proprietary notices. special rules for its members and for other persons and organizations with which CIS has a written contractual relationship. (ii) distribute. licensors. CIS hereby grants each CIS Security Consulting or Software Vendor Member and each 4 . to assume the exclusive defense and control of any matter subject to this indemnification.htm). symbols or labels in any Product or any component of a Product. reverse engineer. or otherwise attempt to derive the source code for any software Product that is not already in the form of source code.com/cisco/notice. or maintenance of the Products or Recommendations ("CIS Parties") harmless from and against any and all liability. or otherwise transfer or exploit rights to any Product or any component of a Product. and all other persons who aided CIS in the creation. legends. (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product.

Jurisdiction. be modified or terminated by CIS at any time. Terms of Use Agreement Version 2.CIS AIX Benchmark CIS Organizational User Member. then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions. Each such Member acknowledges and agrees that the foregoing grant is subject to the terms of such Member's membership arrangement with CIS and may.1 – 02/20/04 5 . or for any reason unenforceable. whether by manual or electronic means. that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. Choice of Law. therefore. void. but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use. the right to distribute the Products and Recommendations within such Member's own organization. If any of these Agreed Terms of Use shall be determined to be unlawful. that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland. Venue We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland.

..................................9 Turn off services which are not commonly used ...18 2............20 2...........................................................................................................................1 Disable standard services ......31 3................................11 1...........................................................................................................................................................21 2.............................................................................................2 Disable inetd....................................................................................2 Configure TCP wrappers to limit access .........8 Root Shell Environment Assumed .....................................................25 3............................................CIS AIX Benchmark Table of Contents CIS AIX Benchmark ...........................................................................8 Conventions .....15 2 Minimize inetd network services.............................................23 3........................................................................12 1...........................................21 2......................................1 Disable login prompts on serial ports ...............................................................................................................28 3...................................................20 2.......................................10 1 Patches and additional software......................................8 Disable GUI login if possible ...................................................................................................................................................................................9 Only enable CDE-related daemons if absolutely necessary............29 3...................................4 Only enable FTP if absolutely necessary ............................................3 Disable email server...................10 Software Package Installation...............................30 3..........27 3...........8 Only enable rquotad if absolutely necessary ...............................................................23 3...........26 3.........................9 Vulnerabilities............................12 1...........16 2................................................27 3.... if possible .....................................................................................22 3 Minimize Daemon Services....4 Disable NIS Server processes if possible ...........19 2..5 Disable NIS Client processes if possible ..............6 Disable NFS Server processes if possible ...............................................1 Apply latest OS patches................................................9 Backup Key Files...............................................4 Install TCP wrappers package ............................................................3 Configure SSH .......24 3........................11 Only enable SNMP if absolutely necessary .....................13 Only enable IPv6 if absolutely necessary ...............................................9 Software Package Removal................................................. if possible ..................30 3................................................7 Only enable Kerberos-related daemons if absolutely necessary ....................................31 6 ..................................................10 Only enable printer daemons if absolutely necessary....3 Only enable telnet if absolutely necessary....................................................5 Only enable rlogin/rsh/rcp if absolutely necessary ..................................................................................................................................................8 Applicability ...................................................................................................................................................6 Only enable TFTP Server if absolutely necessary.................................9 Reboot Required....................12 Only enable portmap if absolutely necessary...........................................................8 Executing Actions...........11 1.................................................................2 Validate your system before making changes.................26 3.................23 3..........................14 Only enable DHCP if absolutely necessary................................................................................16 2........7 Disable NFS Client processes if possible .................................17 2...............................

.................55 8................................................................44 7....1 Block system accounts....2 Configure syslogd to send logs to a remote loghost .....................1 Verify passwd and group file permissions............42 6.........................................................................49 8................................... authentication..................................................................................11 Set default umask for the FTP daemon ...............................36 5..51 8..........................38 5...................equiv.........................49 8.......45 7...................................................................6 No '.....4 Verify no legacy '+' entries exist in passwd....2 Create /etc/ftpusers .............................................................................4 Enable sar accounting .....................34 4...50 8................................47 7.......................4 Prevent X Server from listening on port 6000/tcp .............5 Find "unowned" files and directories .............................................9 Remove user .2 World-writable directories should have their sticky bit set .....42 6.43 7 System access........................3 Find unauthorized world-writable files ......................................................46 7.....10 Set Default umask for users ...........................................................................................................................................................7 Restrict at and cron to authorized users..37 5.........................................16 Only enable writesrv...50 8......................................... and group files.6 Confirm Permissions On System Log Files ......................................................................... and authorization.........33 4 Kernel tuning...........................................................36 5.44 7..................................................41 6.....8 Restrict root logins to system console .....................48 8 User Accounts and environment ..37 5............................................................2 Network parameter modifications...32 3...CIS AIX Benchmark 3......................3 Verify there are no accounts with empty password fields ..........54 8.......41 6............................................................................................................................................................49 8.............................................rhosts files......................................1 Capture messages sent to syslog (especially the AUTH facility) ...................................................................................................................46 7..........................................................................................................45 7............................................................40 6 File/directory permissions/access......12 Set...................................................................................................................................8 No user dot-files should be world-writable.............................................................................................2 Set password and account expiration on active accounts.................3 Restrict NFS Client requests to privileged ports ...............................................................................................4 Find unauthorized SUID/SGID system executables ...................3 Prevent Syslog from accepting messages from the network ...........54 8..........................................................................................5 Verify no UID 0 accounts exist other than root............5 Enable kernel-level auditing ..1 Disable core dumps .....................6 Remove empty crontab files and restrict file permissions .......... httpdlite if absolutely necessary .......................................53 8.................34 4...39 5...............7 User home directories should be mode 750 or more restrictive ..........' or group/world-writable directory in root's $PATH ..........3 Disable XDMCP port ............55 7 .......................................41 6..51 8....................35 5 Logging.............13 Removing unnecessary default user accounts ........52 8.................................1 Remove /etc/hosts..........................................netrc and ............ pmd.............5 Set default locking screensaver timeout...........50 8............................44 7................34 4......................................................15 Only enable i4ls and NCS if absolutely necessary...

.........63 SN...............................................4 Create warnings for FTP daemon..58 9....................................................... Conventions The following typographical conventions are used in this document: Roman font Courier Italics normal text used to indicate either a command or a standard Unix parameter or a file used for a question that you must evaluate before continuing Root Shell Environment Assumed The actions in this document are written with the assumption that they will be executed by the root user running the /bin/ksh shell and without noclobber set..........3..64 References ..............................61 Appendix B Additional security notes .. Also.........................................................................................64 Appendix B Additional security notes ....3.................................................................60 Appendix A File backup script................3 and AIX 5L version 5.............................................4 Limit number of failed login attempts ...............................................................62 SN.............................. 4............................................................................................2.....................2 Change default greeting string for sendmail .........................................................................................57 9............59 9....1 Create symlinks for dangerous files .......3 Create warnings for telnet daemon ......................................................59 10 Reboot .............1...............................57 9....................................................................................1 Create warnings for network and physical access services ..62 SN.2 Create warnings for GUI-based logins ..............................65 CIS AIX Benchmark Applicability This benchmark was developed and tested on AIX 4..........................................................62 SN.......................................................................................................................................................CIS AIX Benchmark 9 Warning banners............. the following directories are assumed to be in root's path: /usr/bin:/etc:/usr/sbin:/usr/ucb:/sbin 8 ..............3 Install and configure sudo.......

then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. and there has never been a problem with the service. If this step is not performed. This archive creates a "cis" subdirectory when unpacked. In many cases. the changes made in the steps below will not take effect until this reboot is performed. This is why we recommend that some services are disabled even though there is no clear way to exploit them. If mksysb is not available to you for whatever reason. Note that an executable copy of this script is also provided in the archive containing the PDF version of this document and the CIS scoring tool. which are backed up automatically by the individual items in Section 3. Backup Key Files Before performing the steps of this benchmark it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. Actions are written so that they may be copied directly from this document into a root shell window with a "cut-and-paste" operation. The script provided in Appendix A of this document will automatically back up all files that may be modified by the actions below. you could have a problem if a hole is found.ksh mksysb is the best way of performing a backup of your system prior to making the changes in this Benchmark. the do-backup. If you are running an unneeded service. Vulnerabilities In addition to any specific issues presented by a particular service or protocol. It does not make a backup of the AIX object repository – use SMIT to remove installed software packages. the command to execute the backup script would be: cis/do-backup.CIS AIX Benchmark Executing Actions The actions listed in this document are written with the assumption that they will be executed in the order presented here. so assuming the administrator is in the directory where the archive has been unpacked. Reboot Required Rebooting the system is required after completing all of the actions below in order to complete the re-configuration of the system. every service has the potential of being an entry point into a system if a vulnerability is found. 9 . Some actions may need to be modified if the order is changed. except for the boot scripts manipulated by the various items in Section 3 of this document.ksh script is provided to backup files that are changed in this Benchmark.

10 . that vulnerability may be exploitable by a local attacker. This assumes you already installed said package(s).CIS AIX Benchmark Software Package Removal There is considerable debate over the maintenance of unused software packages. leaving it installed poses no appreciable risk. This Benchmark makes no recommendation for the removal of unused software. Software Package Installation Throughout this Benchmark. and the reader is advised to consider the effort in either its removal or maintenance and the risks thereof. verify you actually installed the software required. If vulnerable software is present on a system. If the chrctcp command fails. Others feel that unused software presents another attack vector and increases the maintenance effort for the administrators. you may be directed to enable software package init scripts using the chrctcp command. Some people feel that as long as the software is not being used.

Patches will occasionally re-enable services that you may have already disabled. It is critical to always verify the integrity of such software using file or package signatures (if provided) or at least MD5 checksums. If lppchk -c reports an unexpected value. You may wish to consider installing packages such as TripWire or AIDE. 11 . it will not notice a binary that is setUID or set-GID that should not be. see discussion.1 Apply latest OS patches Action: Update system per your Enterprise Update procedures. As a result. Discussion: Installing up-to-date vendor patches and developing a procedure for keeping up-to-date with vendor patches is critical for the security and reliability of the system. Failure to do so may result in the system being compromised by a “Trojan Horse” created by an attacker with unauthorized access to the archive site. always download the files to a nonworld-writable directory. lppchk -c checks only the size and checksums of files – it does not check file permissions. you do have a problem – the lack of errors does not guarantee that all is well. Do not use a directory such as /tmp or /var/tmp which might allow another user on the system to corrupt or interfere with the files being downloaded. Vendors will issue operating system updates when they become aware of security vulnerabilities and other serious functionality issues.CIS AIX Benchmark 1 Patches and additional software Note that the items in this section involve downloading vendor patches and third-party security software from external archive sites. (Small sites. Note that lppchk was designed to catch accidental breakage of software – it was not designed to resist intentional attack.) Verify that all patches are properly configured with lppchk -c lppchk -l lppchk -v After applying patches. The vast majority of successful attacks on systems use exploits against known vulnerabilities that have patches available. or a modified file that has been tailored to have the “correct” checksum. When downloading software packages and patches. double-check that services that were previously disabled have remained disabled. 1. but it is up to their customers to actually download and install these patches. which are designed to resist attempts to deceive it.

csh) To check if a specific APAR is installed (for example. depending on version installed) – the script below will find the correct location for you: 12 . IY25437): # instfix -ivk IY25437 IY25437 Abstract: SECURITY: Buffer overflow in CDE dtspcd Fileset X11.16 is applied on the system.1.1.shell Fileset Level State Type Description (Uninstaller) -------------------------------------------------------------bos. You should also subscribe to IBM’s Security Bulletins Digest. ksh.lib:5. which directs you to install specific security patches as they come out. Install SSH (see discussion for sources).16 A F Shells (bsh.rte.3 Configure SSH Action: 1. To check if a a specific LPP level is installed (for example.ibm. Modify /usr/local/etc/sshd_config (may be /etc/sshd_config.services.com/server/pseries. Information on subscribing to the Security Bulletins Digest is available from https://techsupport.com/servers/eserver/support/pseries/aixfixes. Examine the system and application logs using errpt -a or using smit to view them.rte.ibm.CIS AIX Benchmark Also – it is normal for lppchk -c to flag files that have been updated by an emergency fix. Applying this Benchmark to a system that already has issues makes troubleshooting very difficult and may lead you to believe the Benchmark is at fault.0. All filesets for IY25437 were found.rte. as those fixes are not packaged to update the LPP database.Dt. Resolve all issues before continuing.subscriptionSvcs Small sites that do not have an Enterprise Update process To download recommended maintenance levels or individual PTFs for AIX: http://www. 1.shell 5. 2.2 Validate your system before making changes Ensuring your system is functioning properly before you make a change is a prudent system administration best practice and will save you hours of aggravation. bos.html and follow the instructions that IBM presents on the web site. 1.0.shell): # lslpp -L bos.

next }.tmp chmod 600 ssh_config .tmp awk '/^#? *Protocol/ { print "Protocol 2". a manual edit is required.. { print }' ssh_config. /^#? *HostbasedAuthentication/ \ { print "HostbasedAuthentication no". next }. /^#? *RhostsAuthentication/ \ { print " RhostsAuthentication no". /^#? *PermitEmptyPasswords/ \ { print "PermitEmptyPasswords no". next }. next }. esac Manually edit $DIR/ssh_config to put “Protocol 2” under the “Host *” entry. then echo 'Protocol 2' >> ssh_config fi rm ssh_config. cd $DIR cp sshd_config sshd_config." . next }. /^#? *PermitRootLogin/ \ { print "PermitRootLogin no". next }. 13 . Note: The required entry may already be in place. next }. Resolve" echo "before continuing. /^#? *Banner/ \ { print "Banner /etc/motd"... next }. /^#? *RhostsRSAAuthentication/ \ { print "RhostsRSAAuthentication no". next }. *) echo "You have multiple sshd_config files.tmp awk '/^#? *Protocol/ { print "Protocol 2". /^#? *IgnoreRhosts/ \ { print "IgnoreRhosts yes". next }. 1) DIR=`find /usr /etc -type f 2>/dev/null | \ grep ssh_config$ | sed -e "s:/ssh_config::"` cd $DIR cp ssh_config ssh_config.tmp > ssh_config if [ "`grep -El ^Protocol ssh_config`" = "" ].CIS AIX Benchmark unalias cp rm mv case `find /usr /etc -type f | grep -c ssh_config$` in 0) echo "Cannot find ssh_config" . /^#? *X11Forwarding/ \ { print "X11Forwarding yes". Because of the substantially different ssh_config files in the various versions of SSH.

redbooks. For more information on OpenSSH. If SSH was previously existing. pre-compiled versions are often not compiled with the options you might find necessary. 14 .pdf. htm. However. This site also includes instructions for compiling OpenSSH on AIX. the do-backup. as security vulnerabilities have been found in the first SSH protocol.openssh. which allow secure encrypted network logins and file transfers. If you feel that you need to use a pre-compiled package for OpenSSH.CIS AIX Benchmark {print}' sshd_config. 2.ksh script will capture a backup of the configuration files. The settings in this section attempt to ensure safe defaults for both the client and the server. Failure to do so could lock you out of your machine if sshd is not running and you disable telnetd. An AIX version is supplied on the AIX Bonus Pack CD’s.boulder.ibm.2. Bull maintains a very large repository of Open Source software for AIX. such as Kerberos support.com/doc_link/en_US/a_doc_lib/aixbman/security/openssh. section 5.bullfreeware. This may cause compatibility issues at sites still using the vulnerable SSH protocol 1 these sites should endeavor to configure all systems to use only SSH protocol 2. Specifically.com/. there will be no -preCIS backup of the configuration files. see http://www. you have several options: 1. Additionally. Bull's web site is http://www.org. Note: Ensure sshd is working properly (including ability to start automatically on reboot) before proceeding with this Benchmark.ibm. we feel it is necessary to put forth this extra effort in order to stay current with OpenSSH releases and patches. both the ssh client and the sshd server are configured to use only SSH protocol 2. Install and configure SSH using the IBM Redbook at http://www. IBM maintains an installp image for AIX5L at http://publib16.com/redbooks/pdfs/sg246873.tmp chmod 600 sshd_config Discussion: OpenSSH is a popular free distribution of the standards-track SSH protocols.tmp > sshd_config rm sshd_config. 3. Compilation of OpenSSH is complicated by the fact that it is dependent upon several other freely-available software libraries which also need to be built before OpenSSH itself can be compiled. and may be more current than the software on the Bonus Pack CD's. Note: If you installed the SSH package in this step.

exe While the package is named aix43 it has been installed and tested on all versions up to AIX 5.4 Install TCP wrappers package Action: 1.com/download/aix43/tcp_wrappers-7.6. This step is optional if you already have TCP Wrappers installed.2. Download pre-compiled TCP Wrappers from http://www.bullfreeware. 2. 15 .CIS AIX Benchmark 1. Install software.1.2.0. Discussion: TCP Wrappers is installed in this section and configured in section 2.

do echo "Disabling $SVC UDP" chsubserver -d -v $SVC -p udp done refresh -s inetd Discussion: The stock /etc/inetd. do echo "Disabling $SVC TCP" chsubserver -d -v $SVC -p tcp done for SVC in ntalk rstatd rusersd rwalld sprayd pcnfsd \ echo discard chargen daytime time cmsd. 16 . Indeed. You will need to re-enable any service you find absolutely necessary to your organization. since SSH provides both a secure login mechanism and a means of transferring files to and from the system.CIS AIX Benchmark 2 Minimize inetd network services You will need to unalias the mv. rm and cp commands as some commands overwrite files and you may be prompted numerous times about overwriting these files: unalias mv rm cp 2. By disabling all inetd-based services and only re-enabling what is necessary you avoid a common mistake of simply overlooking a service which may be vulnerable.1 Disable standard services Action: for SVC in ftp telnet shell kshell login klogin exec \ echo discard chargen daytime time ttdbserver dtspc. or which have more secure alternatives. Using the above commands effectively disables all inetd-based network services.3). This will ensure that an operating system patch doesn’t reenable a service. We strongly recommend that you implement local procedures to ensure that unwanted services remain disabled. after enabling SSH (see Item 1.conf file shipped with AIX contains many services which are rarely used. it may be possible to completely do away with all inetd-based services.

IPv6 Note: The TCP Wrappers binary referenced above does not support IPv6.org. then perform the action below.conf > inetd.conf. TCP Wrappers allows the administrator to control who has access to various network services based on the IP address of the remote end of the connection.with_tcp_wrappers Test your configuration now by using the /usr/local/bin/tcpdchk command and by logging in remotely. Create /etc/hosts. If you 17 .conf. the source code is available at http://www. For Internet-connected servers that provide service to the whole Internet.conf chown root:system inetd.2 Configure TCP wrappers to limit access Question: Is there a reason to allow unlimited network access to this server? If the answer to this question is no.with_tcp_wrappers cp inetd.allow and /etc/hosts. Configuring TCP Wrappers is beyond the scope of this Benchmark. If you would rather download and compile TCP Wrappers instead of using the precompiled version. Note: Do not deny access to your system without allowing access.conf but other options exist for “wrappering” non-inetd-based software (see the documentation provided with the source code release).conf chmod 644 inetd. and workstations should limit access to only authorized networks. 2. $6 = "/usr/local/bin/tcpd" }.conf: cd /etc awk '($3 ~ /^tcp/) && ($6 !~ /(internal|tcpd)$/) \ { $7 = $6.conf.CIS AIX Benchmark 2. limited-access servers. you reduce your exposure to threats from attackers on remote systems. Action: 1. TCP Wrappers also provides logging information via Syslog about both successful and unsuccessful connections.with_tcp_wrappers inetd. \ { print }' inetd. limiting access may not make sense. TCP Wrappers are generally triggered out of /etc/inetd.deny per available documentation and to suit your particular environment. Intranet servers.conf inetd. Modify /etc/inetd.porcupine. Discussion: By limiting access to the server.

the simpler and more standard solution is to use SSH. there is a freely available SSH client for Windows called putty.html for instructions on compiling TCP Wrappers for IPv6 support. which is available from Simon Tatham (see http://www.gsi.allow and deny access to ALL in hosts. proceed with the actions below. and controls access based on the first match.de/~bio/DOCS/tcpwrapperinstall. To aid in the migration to SSH. Configuring telnet over SSL is beyond the scope of a Level 1 Benchmark and will not be addressed here. Some Enterprises are using telnet over SSL. 18 .3 Only enable telnet if absolutely necessary Question: Is there a mission-critical reason that requires users to access this system via telnet.deny. Action: chsubserver -a -v telnet -p tcp refresh -s inetd Discussion: telnet uses an unencrypted network protocol.allow and /etc/hosts. so you can use /etc/hosts. Many daemons (SSH for example) are compiled with TCP Wrapper support.CIS AIX Benchmark need IPv6 support. SSH provides encrypted network logins and should be used instead. you will block network access to all network clients.deny to limit SSH access to your systems. 2. rather than the more secure SSH protocol? If the answer to this question is yes. There are numerous commercially supported SSH clients as well – check to see if your Enterprise already has an Enterprise SSH client.org.deny.greenend. It is important to note that TCP wrappers looks at hosts.uk/~sgtatham/putty/). which means data from the login session (such as passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the network. then hosts. please see http://www-aix.chiark. If you omit entries in hosts. however. and also that the session can be hijacked by outsiders to gain access to the remote system. Sites that are already using Kerberos may take advantage of the various Kerberos-specific options to enable encryption and stronger authentication in the telnet daemon itself ("man telnetd" for more information).allow first.

see section 7. consider requiring non-anonymous users on the system to transfer files via SSH-based protocols.CIS AIX Benchmark It is understood that large Enterprises deeply entrenched in using telnet may take considerable effort in migrating from telnet to ssh.2 below. so telnet may have to be enabled. 19 . Failure to do so may result in being denied remote access. however. or is there a mission-critical reason why data must be transferred to and from this system via an FTP server. rather than sftp or scp? If the answer to this question is yes. Action chsubserver -a -v ftp -p tcp refresh -s inetd Discussion: Like telnet. proceed with the actions below. Even if FTP is required because the local system is an anonymous FTP server.php) for a Graphical interface to putty.sourceforge. which is a part of the previously mentioned putty package. Configuring FTP over SSL is beyond the scope of a Level 1 Benchmark and will not be addressed here. Some Enterprises are using FTP over SSL. Note: Ensure you have tested an alternate remote access method for your servers before leaving telnet disabled.net/eng/index. which means passwords and other data transmitted during the session can be captured by sniffing the network. the simpler and more standard solution is to use SSH. To aid in the migration away from FTP. For further information on restricting FTP access to the system. such as WinSCP (available from http://winscp. 2. SSH provides two different encrypted file transfer mechanisms – scp and sftp – and should be used instead.4 Only enable FTP if absolutely necessary Question: Is this machine an (anonymous) FTP server. disable telnetd and refresh initd. This helps prevent an FTP server from filling a hard drive used by other services. Note: Any directory writable by an anonymous FTP server should have its own partition. When it can be disabled. the FTP protocol is unencrypted. and that the FTP session itself can be hijacked by an external attacker. there are a number of freely available scp and sftp client for Windows. and pscp.

Action: chsubserver -a -v tftp -p udp refresh -s inetd Discussion: TFTP is typically used for network booting of diskless workstations. X-terminals. and kshell). Routers and other network devices may copy configuration data to remote systems via TFTP for backup. and other similar devices. Action: chsubserver -a -v shell -p tcp chsubserver -a -v login -p tcp refresh -s inetd Discussion: SSH was designed to be a drop-in replacement for these protocols. It seems unlikely that there is ever a case where these tools cannot be replaced with SSH. IBM RS/6000 SP systems require tftp to operate. 20 .6 Only enable TFTP Server if absolutely necessary Question: Is this system a boot server or is there some other mission-critical reason why data must be transferred to and from this system via TFTP? If the answer to this question is yes. 2.CIS AIX Benchmark 2. Also. unless this system is needed in one of these roles. proceed with the actions below. Note that sites that are using the Kerberos security system may wish to look into using the "Kerberized" versions of rlogin/rsh that are provided with AIX (klogin. However. proceed with the actions below. it is best to leave the TFTP service disabled.5 Only enable rlogin/rsh/rcp if absolutely necessary Question: Is there a mission-critical reason why rlogin/rsh/rcp must be used instead of the more secure ssh/scp? If the answer to this question is yes.

it seems unlikely that there is ever a case where these tools cannot be replaced with SSH (again. proceed with the actions below. rather than the more secure SSH protocol? If the answer to these questions is yes. that password isn’t sent in the clear – but if you ‘su’ to another userid. proceed with the actions below.7 Only enable Kerberos-related daemons if absolutely necessary Question: Is the Kerberos security system in use at this site? Is there a mission-critical reason that requires users to access this system via Kerberized rlogin/remsh. For instance. 2. Action: chsubserver -a -v klogin -p tcp chsubserver -a -v kshell -p tcp refresh -s inetd Discussion: Kerberized rlogin offers a higher degree of security than traditional rlogin or telnet by eliminating many clear-text password exchanges from the network. 2. You will have to install it if you need to use it. However. which encrypts all traffic. see http://www. it is still not as secure as SSH. perform the actions above. that password is fair game for any network-sniffing programs. Action: chsubserver -a -v rquotad -p udp refresh -s inetd 21 . Given the wide availability of free SSH implementations. if you use klogin to login to a system.CIS AIX Benchmark Note: The tftp-server software is not installed by default. After installing it.openssh.8 Only enable rquotad if absolutely necessary Question: Is this system an NFS file server with disk quotas enabled? If the answer to this question is yes.org).

Action: chsubserver -a -v 100083 -p tcp refresh -s inetd Discussion: The rpc. 2. then you may leave the rquotad service disabled.CIS AIX Benchmark Discussion: rquotad allows NFS clients to enforce disk quotas on file systems that are mounted from the local system.9 Only enable CDE-related daemons if absolutely necessary Question: Is there a mission-critical reason to run a GUI on this system? If the answer to this question is yes.ttdbserverd process supports many tools and applications in the CDE windowing environment. packet filters. not only is it vital to keep up to date on vendor patches. proceed with the actions below. but has historically been a major security issue for Unix-based systems. Note that since this service uses Sun's standard RPC mechanism. and intrusion detection infrastructure). If your site does not use disk quotas. If you do plan to leave this service enabled. 22 . but also never enable this service on any system which is not well protected by a complete network security infrastructure (including network and host-based firewalls. it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on.

we make it more difficult for unauthorized users to attach modems. do echo "Disabling login from port /dev/$i" chitab "$i:2:off:/usr/sbin/getty /dev/$i" done Discussion: By disabling the getty process on the system serial ports. 3. terminals. Note that this action may safely be performed even if console access to the system is provided via the serial ports. 23 .1 Disable login prompts on serial ports Action – AIX5L only: for i in `grep ^tty /etc/inittab | cut -f1 -d:`. then echo "Turning off inetd" chrctcp -d inetd stopsrc -s inetd fi Discussion: If the actions in Section 2 of this benchmark resulted in all inetd-based services being disabled. However. it may be necessary to manually start inetd if the administrator wishes to enable some of these services without rebooting. if possible Action: if [ `grep -Evc '^[ \t]*(#|$)' /etc/inetd.conf.conf` -eq 0 ]. there is no point in running inetd at boot time. because the system console’s getty process uses /dev/console rather than a /dev/tty. The code added to the newinetsvc boot script will result in inetd automatically being restarted at boot time if services are ever enabled in inetd.2 Disable inetd.CIS AIX Benchmark 3 Minimize Daemon Services 3. and other remote access devices to these ports.

CIS AIX Benchmark

3.3 Disable email server, if possible Question:
Is this system a mail server - that is, does this machine receive and process email from other hosts? Perform the appropriate action below.

Action – No, this machine does not process mail:
stopsrc -s sendmail chrctcp -d sendmail cd /var/spool/cron/crontabs crontab -l > root.tmp if [ `grep -c "sendmail -q" root.tmp` -eq 0 ]; then echo "0 * * * * /usr/sbin/sendmail -q" >> root.tmp crontab root.tmp fi rm -f root.tmp This will make sendmail run the queue once an hour, sending out any mail that may have accumulated on the machine (from cron jobs, etc).

Action – Yes, this machine processes mail:
Sendmail is preconfigured to allow relaying from outside your domain. CIS is preparing a Sendmail Benchmark that will replace this section and address other Sendmail issues. In the interim, please follow the guidelines presented by Sandor Sklar at http://www.securitymap.net/sdm/docs/systemsec/Securing%20AIX%20Network%20Services.htm.

Discussion:
It is possible to run a Unix system with the Sendmail daemon disabled and still allow users (and programs such as ‘cron’) on that system to send email out from that machine. Running Sendmail in “daemon mode” (with the -bd command-line option) is only required on machines that act as mail servers, receiving and processing email from other hosts on the network. Note that after disabling the -bd option on the local mail server on AIX 5L (or any system running Sendmail v8.12 or later) it is also necessary to modify the /etc/mail/submit.cf file. Find the line that reads "D{MTAHost}localhost" and change localhost to the name of some other local mail server for the organization. This will cause email generated on the local system to be relayed to that mail server for 24

CIS AIX Benchmark further processing and delivery. Closing AIX Sendmail Open Relay The default behavior of Sendmail in AIX 4.3.3 allows open relaying - the mail server will accept and process mail sent from outside your organization to addresses that are also outside your organization. This defect is commonly used by "spammers" to send e-mail to thousands of addresses, all originating from your mail server. Before enabling sendmail in daemon mode, the sendmail configuration file must be modified to prevent this misuse of your system. The above steps explain how to update the sendmail.cf configuration file.

3.4 Disable NIS Server processes if possible Question:
Is this machine an NIS (Network Information Service) server? If the answer to this question is no, then perform the action below.

Action:
Use the SMIT fast-path smit remove to remove the bos.net.nis.server fileset or use the command: [ `lslpp -L bos.net.nis.server 2>&1 | \ grep -c "not installed"` -eq 0 ] && \ /usr/lib/instl/sm_inst installp_cmd -u \ -f'bos.net.nis.server'

Discussion:
This service must be enabled if the local site is using the NIS naming service to distribute system and user configuration information. NIS services are a convenient method to manage user accounts and home directories across a large network of servers, however they are also a favored entry point for attackers. If the NIS software is installed but not configured, an attacker can cripple a machine by starting NIS. In addition, tools like ypsnarf allow an attacker to grab the contents of your NIS maps, providing large amounts of information about your site. Use the /etc/yp/securenets file to restrict what machines your NIS server will talk to. Also utilize secure NIS to encrypt communication between the client and server.

25

CIS AIX Benchmark

3.5 Disable NIS Client processes if possible Question:
Is this machine an NIS (Network Information Service) client? If the answer to this question is no, then perform the action below.

Action:
Use the SMIT fast-path smit remove to remove the bos.net.nis.client fileset or use the command: [ `lslpp -L bos.net.nis.client 2>&1 | \ grep -c "not installed"` -eq 0 ] && \ /usr/lib/instl/sm_inst installp_cmd -u \ -f'bos.net.nis.client'

Discussion:
NIS services are a convenient method to manage user accounts and home directories across a large network of servers, however they are also a favored entry point for attackers. For this reason, many organizations choose not to use NIS. If you do not need NIS, remove it from the system.

3.6 Disable NFS Server processes if possible Question:
Is this machine an NFS file server? If the answer to this question is no, then perform the action below.

Action:
[ -f /etc/exports ] && rm -f /etc/exports

Discussion:
NFS is frequently exploited to gain unauthorized access to files and systems. Clearly there is no need to run the NFS server-related daemons on hosts that are not NFS servers. If the machine is an NFS server, the administrator should take reasonable precautions when exporting file systems, including restricting NFS access to a specific range of local 26

then perform the action below. NIS is also started in /etc/rc.CIS AIX Benchmark IP addresses and exporting file systems “read-only” and “nosuid” where appropriate. so do not run rmnfs if your site uses NIS. 27 . You should also strongly consider using the AIX Secure NFS facility. Note that other file transfer schemes (such as rdist via SSH) can often be preferable to NFS for certain applications. Action: rmnfs -B Discussion: While this action disables the standard NFS client processes.8 Disable GUI login if possible Question: Is there a mission-critical reason to run a GUI on this system? If the answer to this question is no. it is important to note that it is still possible for the superuser to mount remote file systems on the local machine via NFS. 3. but these packages will have to be re-installed and repatched if NFS is to be re-enabled at a later date. you must ensure that all of the UID/GID on the server and clients systems are unique. 3. Also. This facility uses DES encryption and public key cryptography to identify users and servers. The administrator can completely disable NFS client access by removing the NFS client software packages.7 Disable NFS Client processes if possible Question: Is there a mission-critical reason why this system must access file systems from remote servers via NFS (or uses NIS)? If the answer to this question is no.nfs. there is a possibility of unauthorized file access. The use of secure RPC or Kerberos can significantly improve NFS security. then perform the action below. NFS file access is based on the UID/GID pair so if there are conflicting UID/GID pairs between the servers and clients.

do echo "Turning off $SVC" stopsrc -s $SVC chrctcp -d $SVC done for SVC in piobe httpdlite pmd writesrv.8). do echo "Turning off $SVC" stopsrc -s $SVC chrctcp -d $SVC done for SVC in piobe i4ls httpdlite pmd writesrv.9 Turn off services which are not commonly used Action (AIX 4. Never run any GUI-oriented service or application on a system unless that machine is protected by a strong network security infrastructure. do echo "Turning off $SVC" rmitab $SVC done Action (AIX 5): for SVC in routed gated named timed rwhod mrouted \ snmpd hostmibd dpid2 lpd portmap autoconf6 \ ndpd-router ndpd-host. it is also necessary to enable the rpcbind process (see Item 3.ttdbserverd process (see Item 2. as well as the rpcbind and rpc. do echo "Turning off $SVC" 28 .3.ttdbserverd processes have had a history of security issues.3): for SVC in routed gated named timed rwhod \ snmpd dpid2 lpd portmap ndpd-router ndpd-host. 3.CIS AIX Benchmark Action: chmod ug-s /usr/dt/bin/dtaction \ /usr/dt/bin/dtappgather /usr/dt/bin/dtprintinfo /usr/dt/bin/dtsession /usr/dt/bin/dtconfig -d Discussion: Note that for the CDE GUI to function properly.11) and the rpc. The X Windows-based CDE GUI systems.

3. then it is safe to disable these services.it is always a good idea to check the System Resource Controller using lssrc -a for any resources that may have been added by the patch installation process. Note that the RFC 1179 service is a BSD-compatible print spooler. Action: mkitab -i cron \ "piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1" chrctcp -a lpd Discussion: PIOBE stands for Printer IO Back End. Rather than disabling and then re-enabling these services. In most cases. If users will never print files from this machine and the system will never be used as a print server by other hosts on the network. experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems. The resources are made inoperative (rather than removed outright) so that the local administrator can easily "restore" any of these resources if they discover a mission-critical need for one of these services. or is there a mission-critical reason why users must submit print jobs from this system? If the answer to the question is yes. 29 . this RFC 1179 service is not necessary and should not be enabled.10 Only enable printer daemons if absolutely necessary Question: Is this system a print server. the services that are disabled. then perform the action below. The rest of the actions in this section give the administrator the option of re-enabling certain services in particular.CIS AIX Benchmark stopsrc -s $SVC rmitab $SVC done Discussion: Disabling these services in the System Resource Controller will disable a wide variety of infrequently used subsystems. which only has to be enabled if the machine is being used as a network print server by machines that require a BSD-style remote printer interface. Note also that vendor patches may restore some of the original entries in the System Resource Controller .

3. If any of the answers to these questions is yes..conf to change the community strings. then perform the action below. Action: chrctcp -a snmpd chrctcp -a dpid2 chrctcp -a hostmibd Discussion: If you are using SNMP to monitor the hosts on your network. use the address/netmask and permissions parameters on the community statement to restrict SNMP access to only your management stations. then proceed with the actions below. This machine is an NIS (YP) or NIS+ client or server.12 Only enable portmap if absolutely necessary Question: Are any of the following statements true? • • • • This machine is an NFS client or server. MRTG.g. IBM OpenView.CIS AIX Benchmark 3. Action: chrctcp -a portmap 30 . Use the community and view statements in /etc/snmpd. The machine runs a third-party software application which is dependent on RPC support.11 Only enable SNMP if absolutely necessary Question: Does a tool (e. This machine runs the CDE GUI. Cricket) that relies on SNMP remotely monitor this system? If the answer to the question is yes. In addition. it is prudent to change the default community string used to access data via SNMP.

running the IPv6 daemons is pointless (and can allow other hosts on the same physical subnet to connect via IPv6 even when the network doesn’t support it).CIS AIX Benchmark Discussion: RPC-based services typically use very weak or non-existent authentication and yet may share very sensitive information. 3.14 Only enable DHCP if absolutely necessary Question: Does the system in question function as a DHCP client. if the answer is yes. it is best to disable RPC-based tools completely. then perform the following action. If you are unsure whether or not a particular third-party application requires RPC services. Action: chrctcp -a autoconf6 chrctcp -a ndpd-router chrctcp -a ndpd-host Discussion: Although IPv6 is being deployed at many sites. AIX’s support of IPv6 (for instance. server. in inetd) does not require these daemons to be running unless you want to communicate with another machine using IPv6 – the IPv6-aware software works just fine in IPv4-only or standalone mode without these daemons. Unless one of the services listed above is required on this machine. 31 . consult with the application vendor. then perform the applicable action below (shown in the comment to the right of the command). 3. or relay agent? For each of the three cases. Unless your network already has IPv6 support. it is still not widespread.13 Only enable IPv6 if absolutely necessary Question: Does the system in question use the IPv6 protocol? If the answer is yes.

the IBM VisualAge compilers can be installed with a nodelocked license in /var/ifor/nodelock.CIS AIX Benchmark Action: DHCP client chrctcp -a dhcpcd # client daemon DHCP server chrctcp -a dhcpsd # server daemon DHCP relay agent chrctcp -a dhcprd # relay daemon Discussion: DHCP is a popular protocol for dynamically assigning IP addresses and other network information to systems on the network (rather than having administrators manually manage this information on each host). there is no need to be running this service. 32 . then perform the following action. However. 3. Action: mkitab -i cron "i4ls:2:wait:/usr/bin/startsrc -swritesrv" chrctcp -a writesrv Discussion: As a particular special-case.15 Only enable i4ls and NCS if absolutely necessary Question: Does the system require the i4ls licensing software? If the answer is yes. or a DHCP relay agent. a DHCP client. if this system is not a DHCP server for the network. eliminating the requirement for the i4ls daemons. This in turn will probably result in the Network Computing System (NCS) daemons not being started either. as i4ls is one of the few products that uses NCS.

CIS AIX Benchmark 3. pmd – Power management service that turns your machine off if it has been idle a specific amount of time. or httpdlite services required? If the answer is yes. httpdlite if absolutely necessary Question: Are the writesrv. pmd. This is only needed for the “search” function for web-browsable documentation. The following services are started by inittab and can be removed if not needed: ● ● writesrv – allows users to chat using the system write facility on a terminal. ● 33 .conf & >/dev/console 2>&1" chrctcp -a httpdlite Discussion: These services are started from the /etc/inittab file. httpdlite – Lite NetQuestion Web server software for online documentation. Action: writesrv mkitab -i cron "writesrv:2:wait:/usr/bin/startsrc -swritesrv" chrctcp -a writesrv pmd mkitab -i cron "pmd:2:wait:/usr/bin/pmd > /dev/console 2>&1 # Start PM daemon" chrctcp -a pmd httpdlite mkitab -i cron "httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite. pmd. The ‘man’ command does not need this to work correctly. The rmitab command removes a specified service. then perform the corresponding action below.16 Only enable writesrv.

CIS AIX Benchmark 4 Kernel tuning 4.net-tune #!/bin/ksh # Deal with SYN-flood attacks as best we can.1 Disable core dumps Action: Edit /etc/security/limits and change the core value in the default stanza to: core 0 Add the following line below it: core_hard = 0 Execute these commands: echo "# Added by CISecurity Benchmark" >> /etc/profile echo "ulimit -c 0" >> /etc/profile chdev -l sys0 -a fullcore=false Discussion: Some vulnerabilities attempt to cause a core dump. 4. /usr/sbin/no -o ipsrcrouteforward=0 /usr/sbin/no -o ipsrcrouterecv=0 34 . /usr/sbin/no -o ipignoreredirects=1 /usr/sbin/no -o ipsendredirects=0 # Refuse to have anything to do with source-routed packets. # ICMP Redirect is a poor excuse for a routing protocol. /usr/sbin/no -o directed_broadcast=0 # Don't allow other machines to reset our netmask /usr/sbin/no -o icmpaddressmask=0 # Ignore redirects.2 Network parameter modifications Action: cat <<EOF > /etc/rc. don't send them ourselves. /usr/sbin/no -o clean_partial_conns=1 # Do not allow SMURF broadcast attacks. sensitive information can be contained in the core file and be extracted by attackers. Since applications can dump the entire contents of that application's memory at the time of the fault.

3 Restrict NFS Client requests to privileged ports Action: cat <<EOF >> /etc/rc.net-tune # Require NFS to use privileged ports /usr/sbin/nfso -o portcheck=1 -o nfs_use_reserved_ports=1 EOF Discussion: Setting this parameter causes the NFS server process on the local system to ignore NFS client requests that do not originate from the privileged port range (ports less than 1024). so the four ‘srcroute’ options should be omitted in those environments. Note also that support for source-routed packets is needed in some cluster configurations.net-tune > \ /dev/console 2>&1" Discussion: We are creating a new script that will be executed at boot time to reconfigure various network parameters.net-tune mkitab -i rctcpip "rcnettune:2:wait:/etc/rc. to be in line with current best practices.CIS AIX Benchmark /usr/sbin/no -o ipsrcroutesend=0 /usr/sbin/no -o nonlocsrcroute=0 EOF chmod +x /etc/rc. 4. This should not hinder normal NFS operations but may block some NFS attacks that are run by unprivileged users. 35 .

edu/~eta/swatch/) and Logcheck (http://sourceforge.ntp.CIS AIX Benchmark 5 Logging The items in this section cover enabling various different forms of system logging in order to keep track of activity on the system. More information on NTP can be found at http://publib. In addition to the local log files created by the steps in this section.ucsb.1\n\ auth. Not only does centralized logging help sites correlate events that may be occurring on multiple systems.conf touch /var/adm/authlog /var/adm/syslog chown root:system /var/adm/authlog chmod 600 /var/adm/authlog chmod 640 /var/adm/syslog stopsrc -s syslogd startsrc -s syslogd 36 .ibm. which is supported by most network-ready devices.info\t\t/var/adm/authlog\n\ *.auth. ‘logwatch’ from http://www.org.com/infocenter/pseries/index.1 Capture messages sent to syslog (especially the AUTH facility) Action: printf "### Following lines added by CISecurity \ AIX Benchmark Section 5.aix. 5.info. Note: These tools are not officially supported by IBM.logcheck.doc/cmds/a ixcmds6/xntpd.jsp?topic=/com. It also has the more mundane benefit of ensuring that you still have access to a copy of the logs for debugging system crashes as the local copy may not be accessible if the system is refusing to boot or the buffers were not flushed first. it is also recommended that sites collect copies of their system logs on a secure. Swatch (http://www. Tools such as ‘logcheck’ from http://www.htm and http://www.ibm.org/.none\t\t/var/adm/syslog\n" \ >> /etc/syslog. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP). centralized log server.com/.boulder. but having a second copy of the system log information may be critical after a system compromise where the attacker has modified the local log files on the affected system(s).psionic.net/projects/sentrytools/) can be used to automatically monitor logs for intrusion attempts and other suspicious system behavior. Because it is often necessary to correlate log information from many different systems (particularly after a security incident) we recommend establishing some form of time synchronization among systems and devices connected to the local network.oit.

change the above script to reflect /var/log instead of /var/adm.emerg\t\t@loghost\n\ local7. This file should be reviewed and archived on a regular basis. 5. you don’t have any way of knowing what is going on.none\t\t@loghost *. Note: Some AIX administrators prefer to log syslog events to /var/log – if this is your preference. An intruder – once he/she has obtained root – can edit the system logs to remove all traces of the attack. which is only readable by the superuser. In addition. AIX systems do not capture logging information sent to syslogd. If this data is not logged. 5.CIS AIX Benchmark Discussion: By default.3 Prevent Syslog from accepting messages from the network Question: Is this machine a log server. The above action causes this information to be captured in the /var/adm/authlog file.2 Configure syslogd to send logs to a remote loghost Action: In the script below. failed login attempts. since a great deal of important security-related information (successful and failed su attempts. or does it need to receive Syslog messages via the network 37 .conf stopsrc -s syslogd startsrc -s syslogd Discussion: Remote logging is essential in detecting intrusion and monitoring several servers operating in concert. messages sent to syslog channels other than LOG_AUTH are sent to /var/adm/syslog (which should also be reviewed). those logs can be analyzed for anomalies and used for prosecuting the attacker.info\t\t@loghost *.auth. replace loghost with the proper name (FQDN. This is unfortunate. etc.) is sent via the LOG_AUTH channel.*\t\t@loghost\n" >> /etc/syslog. if necessary) of your loghost.info. If the logs are stored off the machine. root login attempts.2\n\ auth. printf "### Following lines added by CISecurity \ AIX Benchmark Section 5.

You need to adjust the times of the report and the period the data is collected. then perform the action below. Note that it is considered good practice to set up one or more machines as central "log servers" to aggregate log traffic from all machines at a site. the protocol used to transfer these messages does not include any form of authentication.adm" cat << EOF >> /tmp/crontab.CIS AIX Benchmark from other systems? If the answer to this question is no.acct not installed. listens for log messages from other systems on network port 514/udp. it should not be listening on 514/udp for incoming log messages. then echo "bos.acct fileset as it is required when making use of the sar utility. Unfortunately.4 Enable sar accounting Action: Install the bos. syslogd. cannot proceed" else su .adm -c "crontab -l > /tmp/crontab. Action: chssys -s syslogd -a "-r" stopsrc -s syslogd startsrc -s syslogd Discussion: By default the system logging daemon. unless a system is set up to be one of these "log server" systems. Note: The following crontab entries are an example only. However.6 /usr/lib/sa/sa1 & 0 18-7 * * 1-5 /usr/lib/sa/sa1 & 5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 3600 -A & EOF mkdir -p /var/adm/sa 38 .acct >/dev/null 2>&1 if [ "$?" != 0 ]. or to fill up the local system's logging file systems so that subsequent attacks will not be logged. Refer to sar documentation. so a malicious outsider could simply barrage the local system's Syslog port with spurious traffic either as a denial-ofservice attack on the system. lslpp -i bos.adm 0 8-17 * * 1-5 /usr/lib/sa/sa1 1200 3 & 0 * * * 0. 5.

ibm. see http://www. Thus. or by reviewing the nightly report files named /var/adm/sa/sar*. 5. You need to adjust the times of the report and the period the data is collected. Note: The above crontab entries are an example only. Once a normal baseline for the system has been established. Note that this data is only archived for one week before being automatically removed by the regular nightly cron job.adm" fi Discussion: System accounting gathers baseline system data (CPU utilization. 39 . Refer to sar documentation. disk I/O.5 Enable kernel-level auditing Action: To activate auditing: audit on To start auditing automatically at next boot: mkitab -i cron "audit:2:once:/usr/sbin/audit start 2>&1 /dev/console" telinit q echo "audit shutdown" >> /usr/sbin/shutdown > Discussion: For information on auditing.adm -c "crontab /tmp/crontab.) every few minutes.pdf.redbooks.CIS AIX Benchmark chown adm:adm /var/adm/sa chmod 755 /var/adm/sa su . Administrators may wish to archive the /var/adm/sa/ directory on a regular basis to preserve this data for longer periods. individual account. and activity outside of normal usage hours) may be detected due to departures from the normal system performance curve. the auditing subsystem provides a means of tracing and recording what is happening on your system.com/redbooks/pdfs/sg246020. The data may be accessed with the sar command. note chapter 2. Quote from chapter of note: An audit is defined as an examination of a group. etc. or activity. unauthorized activity (password crackers and other CPUintensive jobs.

Depending on your environment. then echo "Fixing log file permissions on $FILE" chmod o-rw $FILE fi done Discussion: It is critical to protect system log files from being modified by unauthorized individuals. When you start the audit subsystem. It is a decision you have to make. It may be unnecessary for you to start auditing if you just let the files sit in your busy system.log \ /var/tmp/snmpd.log \ /var/adm/cron/log \ /var/tmp/dpid2. 5.log \ /var/adm/ras/* /var/ct/RMstart. We recommended that you explore kernel level auditing before implementing it in your startup scripts.log \ /var/tmp/hostmibd. If you should add any of the services that affect the above logs. it gathers information depending on your configuration file.6 Confirm Permissions On System Log Files Action: for FILE in \ /smit. 40 . certain logs contain sensitive data that should only be available to the system administrator.CIS AIX Benchmark By default. Also. please revisit this section to ensure the logs have the correct/secure permissions.log do if [ -f $FILE ]. auditing is not activated in AIX. What is important is for you to be able to interpret an auditing record. it may or may not be necessary for auditing to run every time.

whether accidentally or maliciously. then only the owner of a file may remove that file from the directory (as opposed to the usual behavior where anybody with write access to that directory may remove the file). Administrators who wish to obtain a list of these directories may execute the following commands: for part in `mount | grep dev | awk '{print $2}' | \ grep -Ev 'cdrom|nfs'`. 6.1 Verify passwd and group file permissions Action: chown chown chmod chmod chmod -R root:security /etc/passwd /etc/group /etc/security -R root:audit /etc/security/audit 644 /etc/passwd /etc/group 750 /etc/security -R go-w. do echo "Searching $part" find $part -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print done Discussion: When the so-called “sticky bit” is set on a directory.CIS AIX Benchmark 6 File/directory permissions/access 6. 41 . Setting the sticky bit prevents users from overwriting each other’s files. consult appropriate vendor documentation before blindly applying the sticky bit to any world writable directories found in order to avoid breaking any application dependencies on a given directory.o-r /etc/security Discussion: These are the proper owners and access permissions for these files. However.2 World-writable directories should have their sticky bit set Action: The automated tool supplied with this benchmark will flag world-writable directories that do not have the sticky bit set. and is generally appropriate for most world-writable directories.

Administrators who wish to obtain a list of the set-UID and set-GID programs currently installed on the system may run the following commands: for part in `mount | grep dev | awk '{print $2}' | \ egrep -v 'cdrom|nfs'`.4 Find unauthorized SUID/SGID system executables Action: The automated testing tool supplied with this benchmark will flag unexpected set-UID and set-GID applications on the system. 6. Discussion: Data in world-writable files can be modified and compromised by any user on the system.3 Find unauthorized world-writable files Action: The automated testing tool supplied with this benchmark will flag unexpected worldwritable files on the system. Generally removing write access for the "other" category (chmod o-w <filename>) is advisable. Administrators who wish to obtain a list of the world-writable files currently installed on the system may run the following commands: for part in `mount | grep dev | awk '{print $2}' | \ egrep -v 'cdrom|nfs'`. do echo "Searching $part" find $part \( -perm -04000 -o -perm -02000 \) \ -type f -xdev -ls done 42 . World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity.CIS AIX Benchmark 6. but always consult relevant vendor documentation in order to avoid breaking any application dependencies on a given file. do echo "Searching $part" find $part -xdev -type f \ \( -perm -0002 -a ! -perm -1000 \) -print done There should be no entries returned.

It is a good idea to locate files that are owned by users or groups not listed in the system configuration files. A new user who is assigned the deleted user's user ID or group ID may then end up “owning” these files.CIS AIX Benchmark Discussion: The administrator should take care to ensure that no rogue set-UID programs have been introduced into the system. 43 . if possible. In addition. the administrator should attempt a Set-UID audit and reduction.5 Find “unowned” files and directories Action: The automated testing tool supplied with this benchmark will flag files and directories where the user or group owner of the file is not listed in the /etc/passwd or /etc/group files. and thus have more access on the system than was intended. Administrators who wish to locate these files on their system may run the following command: find / \( -nouser -o -nogroup \) -ls Discussion: Sometimes when administrators delete users from the password file they neglect to remove all files owned by those users from the system. and make sure to reset the ownership of these files to some active user on the system as appropriate. 6.

If a machine listed is compromised. 7. only normal users should ever access the system via FTP – there should be no reason for “system” type accounts to transfer information via this mechanism. If a system userid is allowed to FTP files into the system.1 Remove /etc/hosts.new fi done sort -u /etc/ftpusers. (Of course. Certainly.new > /etc/ftpusers rm /etc/ftpusers. do if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ]. and authorization 7.CIS AIX Benchmark 7 System access. there is probably no reason for FTP to be 44 .equiv ] && rm -f /etc/hosts. the root account should never be allowed to transfer files directly via FTP. Consider also adding the names of other privileged or shared accounts which may exist on your system such as user oracle and the account under which your Web server process runs. that userid can be used to upload malicious software and store it with the system userid’s permissions (which are probably higher than a normal user’s).equiv Action: [ -f /etc/hosts. which work in an analogous fashion to .equiv Discussion: The /etc/hosts. /etc/hosts. the attacker can immediately get full access to your machine.new chown root:system /etc/ftpusers chmod 600 /etc/ftpusers Discussion: /etc/ftpusers contains a list of users who are not allowed to access the system via FTP. Generally. then echo "Adding $NAME to /etc/ftpusers" echo $NAME >> /etc/ftpusers.equiv file provides total trust in any machines listed. authentication.equiv sets up global trust relationships for all accounts on the system.rhosts files in user home directories.2 Create /etc/ftpusers Action: lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME. See the discussion of .rhosts files in the items below.

Setting Dtlogin.requestPort to zero in the Xconfig file prevents the login GUI from ever hearing requests for remote login services.requestPort:/ \ { print "Dtlogin.CIS AIX Benchmark enabled at all – this is mostly “defense in depth” in case FTP accidentally becomes reenabled.new mv Xconfig. next } \ { print }' Xconfig > Xconfig. which blocks all system account from being used for FTP 7. 7. next }.4 Prevent X Server from listening on port 6000/tcp Action: if [ -f /etc/dt/config/Xservers ].requestPort: 0".new mkdir -p /etc/dt/config mv $file.new Xconfig chown root:bin Xconfig chmod 444 Xconfig Discussion: The standard GUI login provided on most Unix systems can act as a remote login server to other devices (including X terminals and other workstations). then file=/etc/dt/config/Xservers else file=/usr/dt/config/Xservers fi awk '/Xsun/ && !/^#/ && !/-nolisten tcp/ \ { print $0 " -nolisten tcp". or if it’s required for some function that is unable to use SSH instead). The above script places all users those user id is less than 200 in the /etc/ftpusers file. \ { print }' $file > $file. then mkdir -p /etc/dt/config cp /usr/dt/config/Xconfig /etc/dt/config fi cd /etc/dt/config awk '/Dtlogin.3 Disable XDMCP port Action: if [ ! -f /etc/dt/config/Xconfig ].new /etc/dt/config/Xservers 45 .

7. Invoking the “-nolisten tcp” option causes the X server not to listen on port 6000/tcp by default. then 46 . However. The above action reduces this default timeout value to 10 minutes. X Windows uses a relatively insecure authentication protocol—an attacker who is able to gain unauthorized access to the local X server can easily compromise the system. This does prevent authorized remote X clients from displaying windows on the local system as well. do lines=`grep -Ev '^[ \t]*#' $file | wc -l | sed 's/ //g'` if [ $lines -eq 0 ]. the forwarding of X events via SSH will still happen normally. 7.resources done Discussion: The default timeout is 30 minutes of keyboard/mouse inactivity before a password protected screen saver is invoked by the CDE session manager.resources echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources. do dir=`dirname $file | sed -e s/usr/etc/` mkdir -p $dir echo 'dtsession*saverTimeout: 10' >> $dir/sys.6 Remove empty crontab files and restrict file permissions Action: cd /var/spool/cron/crontabs for file in *. This is the preferred and more secure method transmitting results from remote X clients in any event. although this setting can still be overridden by individual users in their own environment.5 Set default locking screensaver timeout Action: for file in /usr/dt/config/*/sys. However.CIS AIX Benchmark chown root:bin /etc/dt/config/Xservers chmod 444 /etc/dt/config/Xservers Discussion: X servers listen on port 6000/tcp for messages from remote clients running on other systems.

These users and their jobs are found in 47 .allow chown root:sys cron.allow.CIS AIX Benchmark echo "Removing $file" rm $file fi done chgrp -R cron /var/spool/cron/crontabs chmod -R o= /var/spool/cron/crontabs chmod 770 /var/spool/cron/crontabs Discussion: The system crontab files are accessed only by the cron daemon (which runs with superuser privileges) and the crontab command (which is set-UID to root).allow at. This includes administrative accounts – all users will be denied until explicitly defined in cron.allow. 7.deny echo root > cron.allow at.allow cat cron.deny # this should fail Discussion: The cron.allow cat at.allow.deny at.allow or at. To prevent an unintentional impact to the existing system.deny removed.allow chmod 400 cron.allow ls /var/spool/cron/crontabs | grep -v root >> cron.allow files are a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals.7 Restrict at and cron to authorized users Action: cd /var/adm/cron rm -f cron.allow or at. Note that with cron.allow cat at. their cron jobs will not be executed.deny cron.deny or at.allow echo root > at.allow and at.allow ls /var/spool/cron/atjobs | grep -v root >> at. On many systems. only the system administrator needs the ability to schedule jobs. Allowing unprivileged users to read or (even worse) modify system crontab files can create the potential for a local user on the system to gain elevated privileges.allow and at. if a given user is not listed in cron. the above script adds the currently existing users to cron.

These mechanisms provide at least some limited audit trail in the event of problems.allow and cron. or the freely-available sudo package) to gain additional privilege. the administrator should access the system via an unprivileged account and use some authorized mechanism (such as the su command. You should review these users and jobs before adding them to your at.CIS AIX Benchmark /var/spool/cron/atjobs and /var/spool/cron/cronjobs.8 Restrict root logins to system console Action: chuser rlogin=false login=true su=true sugroups=system root Discussion: Anonymous root logins should never be allowed. making it harder for an attacker to use a stolen root password (as they will first have to get access to a ‘system’ userid). 7.allow files. Note: Ensure you have at least one user account in the system group that can log in remotely. The command above additionally restricts ‘su’ to root to members of the ‘system’ group. except on the system console in emergency situations. 48 . At all other times. Failure to do so will prevent any remote user from becoming root.

but are also available for free download from http://www. The commands above will set all active accounts (except the root account) to force password changes every 91 days (13 weeks).org/. 8.2 Set password and account expiration on active accounts Action (AIX 4. The automated hostbased scanning tools provided from the Center for Internet Security can be used for this purpose. Sites also have the option of expiring idle accounts after a certain number of days 49 .3. Users will begin receiving warnings 28 days (4 weeks) before their password expires.CISecurity. ongoing basis perhaps in an automated fashion via cron. These scanning tools are typically provided with this document. They can even be deleted if the machines does not use the daemon/service that each is responsible for. To deactivate them. do chuser rlogin=false login=false "$user" done Discussion: These accounts are non-human system accounts that should be made less useful to an attacker by locking them. It is a good idea to force users to change passwords on a regular basis. and then prevent password changes for seven days (one week) thereafter.1 Block system accounts Action: for user in daemon bin sys adm uucp nuucp printq guest nobody lpd sshd.3): chsec chsec chsec chsec -f -f -f -f /etc/security/user /etc/security/user /etc/security/user /etc/security/user -s -s -s -s default default default default -a -a -a -a maxage=13 minlen=6 minage=1 pwdwarntime=28 Discussion: The above command adds a number of restrictions to enforce password changing and the use of more complicated passwords. though it is safest to simply deactivate them as is done here.CIS AIX Benchmark 8 User Accounts and environment Note that the items in this section are tasks that the local administrator should undertake on a regular. 8. use chuser to disable remote and local logins.

These entries may provide an avenue for attackers to gain privileged access on the system. but sites may choose to make them more restrictive depending on local policies.CIS AIX Benchmark (see the on-line manual page for the usermod command. 8. particularly the f option). and group files Action: The command: grep ^+: /etc/passwd /etc/group should return no lines of output.3 Verify there are no accounts with empty password fields Action: pwdck -n ALL Discussion: An account with an empty password field means that anybody may log in as that user without providing a password at all. 8. The pwdck command will verify a number of other items for correctness. 8. Discussion: '+' entries in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These are recommended starting values. and should be deleted if they exist. A complete list of the options can be found in /etc/security/passwd file. Note that pwdck won’t flag null passwords unless the minlen attribute is set to a non-zero value.4 Verify no legacy '+' entries exist in passwd. The ‘-n’ flag will tell it to report errors but not change anything (running with ‘-t’ instead will prompt you for each proposed fix – the ‘-y’ and ‘-p’ flags are dangerous).5 Verify no UID 0 accounts exist other than root Action: The command: 50 . All accounts should have strong passwords or should be locked by using a password string like "*".

Finer granularity access control for administrative access can be obtained by using the freely-available sudo program (http://www.com/sudo/).' or group/world-writable directory in root's $PATH Action: The automated testing tool supplied with this benchmark will alert the administrator if action is required. 8.') or other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a Trojan horse program. 8. do if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -ge 200 ].or world-writable directories in $PATH: find `echo $PATH | tr ':' ' '` -type d \ \( -perm -002 -o -perm -020 \) -ls These commands should produce no output.courtesan. Discussion: Any account with UID 0 has superuser privileges on the system. Discussion: Including the current working directory ('.’ in $PATH: echo $PATH | grep -E '(^|:)(\. and it should be accessed by logging in as an unprivileged user and using the su command (or equivalent) to gain additional privilege.7 User home directories should be mode 750 or more restrictive Action: NEW_PERMS=750 lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME. The only superuser account on the machine should be the root account.6 No '. To find ‘.|:|$)' To find group.CIS AIX Benchmark lsuser -a id ALL | grep "id=0" | awk '{print $1}' should return only the word "root". then 51 .

8.sys chmod 750 /usr/lib/security/mkuser. While the above modifications are relatively benign. If you need more restrictive permissions on the home directories.$|^. set the appropriate permissions in the variable NEW_PERMS.sys fi Discussion: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges. then ls -a $HOMEDIR | grep -Ev "^.sys` -eq 0 ]. then sed -e "s/mkdir \$1/mkdir \$1 \&\& chmod $NEW_PERMS \$1/g" \ /usr/lib/security/mkuser.sys > /tmp/mkuser.$" | \ while read FILE. then echo "Adjusting $FILE" chmod go-w $FILE fi done else echo "No home dir for $HOMEDIR" fi done 52 . do if [ -f $FILE ].. do echo "Examining $HOMEDIR" if [ -d $HOMEDIR ].CIS AIX Benchmark HOME=`lsuser -a home $NAME | cut -f 2 -d =` echo "Changing $NAME homedir $HOME" chmod $NEW_PERMS $HOME fi done if [ `grep -c "chmod $NEW_PERMS $1" \ /usr/lib/security/mkuser.tmp mv /tmp/mkuser. Disabling "read" and "execute" access for users who are not members of the same group (the "other" access category) allows for appropriate use of discretionary access control by each user.tmp /usr/lib/security/mkuser. making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users.8 No user dot-files should be world-writable Action: lsuser -a home ALL |cut -f2 -d= | while read HOMEDIR.

rhosts" rm -f "$HOME/. 53 . While the above modifications are relatively benign.CIS AIX Benchmark Discussion: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. so no additional work is needed after a new account is created. then echo "Removing $HOME/.login upon creation of accounts with csh as default shell.sys issues a chmod go-w $1/. 8. Note: /usr/lib/security/mkuser. making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users.netrc and .rhosts" ]. While the above modifications are relatively benign.netrc" ].netrc" rm -f "$HOME/. do if [ -e "$HOME/.rhosts files Action: find / -name .rhosts Stop!!! Read the discussion before proceeding. If the first command returns any results. carefully evaluate the ramifications of removing those files before executing the remaining commands as you may end up impacting an application that has not had time to revise its architecture to a more secure design. lsuser -a home ALL |cut -f2 -d= | while read HOME. remsh.9 Remove user .netrc files may contain unencrypted passwords that may be used to attack other systems. then echo "Removing $HOME/.netrc" fi if [ -e "$HOME/.netrc find / -name .rhosts" fi done Discussion: .rhosts files used in conjunction with the BSD-style “r-commands” (rlogin. making global modifications to user home directories without alerting your user community can result in unexpected outages and unhappy users. rcp) implement a weak form of authentication based on the network address or host name of the remote computer (which can be spoofed by a potential attacker to exploit the local system). while .

Discussion: The above actions change the default umask for existing users. do chuser umask=077 $user done Change default profile To set a system-wide default. A simple fix to this problem is to manually issue a less restrictive umask (such as umask 022) for the shell session doing the installation.10 Set Default umask for users Action: Change existing users lsuser -a home ALL | awk '{print $1}' | while read user.cshrc.) in their home directories. 8. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. edit the file /etc/security/user and replace the default umask value in the umask line entry for the default stanza with 077. while a umask of 022 would make files readable by every user on the system. Note: This is been shown to cause problems with the installation of software packages where the installation script uses the default umask – the directories are owned by root with 700 permissions. and then the application and/or daemon cannot read its files.CIS AIX Benchmark 8. or place such a umask command (in the beginning of the installation script) to a less restrictive value before the installation. or in the beginning of the installation script. . With a default umask setting of 077 – a setting agreed to as part of the consensus process with DISA and NSA – files and directories created by users will not be readable by any other user on the system. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (. and then it changes the default profile.profile.11 Set default umask for the FTP daemon Action: chsubserver -c -v ftp -p tcp "ftpd -l -u077" refresh -s inetd 54 . which applies to all newly created users. A umask of 027 would make files and directories readable by users in the same Unix group. etc.

the incremental security increase is worth the loss of functionality.login Discussion: "mesg n" blocks attempts to use the write or talk commands to contact the user at their terminal.CIS AIX Benchmark Discussion: This command changes the umask of the FTP user to 077. 8.13 Removing unnecessary default user accounts Action: Note: Read discussion first!!! # Remove users LIST="uucp nuucp lpd guest printq" for USERS in $LIST. Note: If ftpd is disabled. 8. Start the subsystem and try your command again. you will receive the following error: 0513-036 The request could not be passed to the inetd subsystem. do rmgroup $USERS done 55 .conf Note: If inetd is disabled. Since write and talk are no longer widely used at most sites.12 Set “mesg n” as the default for all users Action: echo "mesg n" >> /etc/profile echo "mesg n" >> /etc/csh. you will receive the following error: chsubserver: ftp not in /etc/inetd. The umask should be set to at least 027 in order to prevent the FTP daemon process from creating world-writable files by default. but has the side effect of slightly strengthening permissions on the user's tty device. do rmuser -p $USERS rmgroup $USERS done # Remove groups LIST="uucp printq" for USERS in $LIST.

ibm. and files. these group ID's may be removed if your system does not need them: Group ID Description uucp printq Group to which uucp and nuucp users belong Group to which lpd user belongs Note: You may get one or more errors stating the group or user does not exist. which is a group of commands.3 Security Guide (http://publib.doc/aixbm an/security/security. nuucp Owner of hidden files used by uucp protocol. that allows the user to communicate with another AIX system over a dedicated line or a telephone line.ibm. present on most AIX systems. The uucp user account is used for the UNIX-to-UNIX Copy Program.CIS AIX Benchmark Discussion: Removing the users that your system does not need is a prudent security precaution. This is harmless and may be ignored. programs. The AIX 5L Version 5.boulder.com/infocenter/pseries/index.aix.jsp?topic=/com. lpd guest Owner of files used by printing subsystem Allows access to users who do not have access to accounts In addition. 56 .htm) lists these accounts as candidates for removal: User ID Description uucp.

1 Create warnings for network and physical access services Action: Edit the banner currently in /etc/motd as required by your Enterprise.gov/criminal/cybercrime/s&sappendix2002. as these warning messages are inherently site-specific. recorded. More information (including citations of relevant case law) can be found at http://www. corporate or government. as well as authorized officials of government agencies. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system (though there are other mechanisms available for acquiring this information). monitored. Clearly. By using this system. audited. and that use of the system implies consent to such monitoring. government. It is for authorized use only. the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes.usdoj. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. copied. The following script is a template taken from the Bastille Linux project: Important: You need to change “The Company” in the text below to an appropriate value for your organization cd /etc # Remember to enter name of your company here: COMPANYNAME="its owner" cat <<EOM \ | sed -e "s/its owner/${COMPANYNAME}/g" > /etc/motd *************************************************************************** NOTICE TO USERS This computer system is the private property of its owner. 57 . Any or all uses of this system and all files on this system may be intercepted. the organization's local legal counsel and/or site security administrator should review the content of all messages before any system modifications are made. and law enforcement personnel.CIS AIX Benchmark 9 Warning banners Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. 9. inspected. Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system. the user consents to such interception. to authorized site. whether individual. monitoring.htm. and disclosed to your employer. both domestic and foreign.

. copying.labelString is the message for the first dialog where the user is prompted for their username. do dir=`dirname $file | sed s/usr/etc/` mkdir -p $dir if [ ! -f $dir/Xresources ]." echo "Dtlogin*greeting. but the site has the option of using different messages on each screen. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.CIS AIX Benchmark recording. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. inspection. All activity may be monitored and reported. **************************************************************************** EOM chown bin:bin /etc/motd chmod 644 /etc/motd Discussion: The contents of /etc/motd is displayed after all successful logins. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action. Recall that we edited sshd_conf to display the /etc/motd banner.persLabelString: $WARN" >>$dir/Xresources done chown root:sys /etc/dt/config/*/Xresources chmod 644 /etc/dt/config/*/Xresources Discussion: The standard graphical login program for AIX requires the user to enter their username in one dialog box and their password in a second separate dialog. 9. The commands above set the warning message on both to be the same message. The Dtlogin*greeting. then cp $file $dir/Xresources fi WARN="Authorized uses only.labelString: $WARN" >>$dir/Xresources echo "Dtlogin*greeting. as appropriate.. so it will appear before and after login. no matter where the user is logging in from. and disclosure at the discretion of such personnel or officials.2 Create warnings for GUI-based logins Action: for file in /usr/dt/config/*/Xresources. 58 . auditing. and . perslabelString is the message on the second dialog box.

All activity may be monitored and reported EOF Discussion: This item configures ftpd's "authorized users only" banner messages by replacing the default “FTP server ready” message.4 Create warnings for FTP daemon Action: dspcat -g /usr/lib/nls/msg/en_US/ftpd.CIS AIX Benchmark 9.\"/\"\%s Authorized uses only. All activity may be monitored and reported\"/" \ /tmp/ftpd.cat /tmp/ftpd.cfg -s default -a herald="Authorized uses only. 59 .tmp sed "s/\"\%s FTP server (\%s) ready.1 and later): echo “herald: /etc/ftpmotd” >> /etc/ftpaccess. AIX 5. 9. All activity may be monitored and reported\n\r\nlogin: " Discussion: This item configures telnetd's "authorized users only" banner message.msg Additional Action (AIX 5.3 Create warnings for telnet daemon Action: chsec -f /etc/security/login.tmp > /tmp/ftpd.ctl cat << EOF >> /etc/ftpmotd Authorized uses only.msg gencat ftpd.cat > /tmp/ftpd.1 and later gives you the option of editing /etc/ftpmotd with the text of your choice.

reboot. 60 . Hours of lost productivity with extensive troubleshooting (not to mention lost revenue) have occurred because a system did not start up as expected. Some System Administrators believe any change to the init scripts warrant a reboot to ensure the system comes up as expected. The root cause was an init problem that would have been detected had the reboot taken place while the change was fresh in the mind of the administrator.CIS AIX Benchmark 10 Reboot Action: shutdown -Fr Discussion: Whenever you make substantial changes to a system.

equiv /etc/ftpusers \ /etc/dt/config/Xconfig /etc/dt/config/Xservers \ /usr/dt/config/Xservers \ /usr/lib/security/mkuser.deny /etc/hosts.tcpip \ /etc/syslog.cf \ /etc/exports /etc/inittab \ /etc/profile \ /etc/rc. tar xpf -) done 61 .net-tune /etc/syslog.allow \ /etc/sendmail.cw /etc/sendmail. then echo Making backup of file ${FILE} cp -p ${FILE} ${FILE}-preCIS-${EXT} chmod 700 ${FILE}-preCIS-${EXT} fi done # Backup directories that are changed for DIR in \ /etc/security /var/spool/cron/crontabs do echo Making backup of directory ${DIR} mkdir -p -m 0700 ${DIR}-preCIS-${EXT} cd ${DIR} tar cpf .* | (cd ${DIR}-preCIS-${EXT}.conf do if [ -f ${FILE} ].CIS AIX Benchmark Appendix A File backup script #!/bin/ksh # Create date-specific backup timestamp extension EXT=`date '+%Y%m%d-%H:%M:%S'` # Backup individual files for FILE in \ /etc/ssh_config /etc/sshd_config \ /etc/openssh/ssh_config /etc/openssh/sshd_config \ /etc/inetd.login /etc/profile \ /etc/ftpd.conf /etc/hosts.conf \ /usr/sbin/shutdown /etc/passwd /etc/group \ /etc/hosts.sys \ /etc/motd /etc/csh.cat \ /etc/rc.

cf.cf. Nevertheless. Attackers will often target these files as part of their exploit scripts.2 Change default greeting string for sendmail Action: cd /etc/mail awk '/O SmtpGreetingMessage=/ \ { print "O SmtpGreetingMessage=mailer ready".equiv files enable a weak form of access control (see the discussion of . SN. the settings presented here provide relatively little incremental security benefit.cf > sendmail. do [ -e $FILE ] && rm -f $FILE ln -s /dev/null $FILE done Discussion: The /.cf 62 .new mv -f sendmail. /.shosts /etc/hosts. However. any data that an attacker writes to these files is simply discarded (though an astute attacker can still remove the link prior to writing their malicious data).CIS AIX Benchmark Appendix B Additional security notes The items in this section are security configuration settings that have been suggested by several other resources and system hardening tools. next} { print }' sendmail. None of these settings will be checked by the automated scoring tool provided with the benchmark document.cf chmod 444 sendmail.shosts.rhosts /. and /etc/hosts. By linking these files to /dev/null.equiv \ /etc/shosts. given the other settings in the benchmark document. SN.cf chown root:bin sendmail.equiv. none of these settings should have a significant impact on the functionality of the system.rhosts. and some sites may feel that the slight security enhancement of these settings outweighs the (sometimes minimal) administrative cost of performing them. They are purely optional and may be applied or not at the discretion of local site administrators.new sendmail.1 Create symlinks for dangerous files Action: for FILE in /.rhosts files above).

you may want to update root's profile $PATH with this new directory. For convenience. To make the change take effect for all new users. /etc/tsh_profile – please follow your site's policies) with this new directory. install sudo. Hiding this information is generally considered to be good practice.profile. update /etc/security/. Note: The visudo command is located in /usr/local/sbin. visudo has error checking built in. for example. configure it using visudo – do not vi the config file.CIS AIX Benchmark Discussion: The default SMTP greeting string displays the version of the Sendmail software running on the remote system. /etc/environment. 63 . For convenience. so changing this default greeting string is something of a moot point unless the machine happens to be an email server.profile includes the existing $PATH vice defining a new $PATH. If frequent web server configuration changes are taking place (or you have a bug and the web server keeps crashing). it becomes very cumbersome to continually engage the SysAdmin just to restart the web server. sudo allows the Administrator to delegate just that one task using root authority without allowing that group of users any other root capability. SN. Discussion: sudo is a package that allows the System Administrator to delegate activities to groups of users. These activities are normally beyond the administrative capability of that user – restarting the web server. the actions in the benchmark document completely disable Sendmail on the system.3 Install and configure sudo Action: Using your Enterprise process. Note: The sudo command is located in /usr/local/bin. or ensure /etc/security/. you may want to update your global profile $PATH (/etc/profile. recovery may become very difficult. since it can help attackers target attacks at machines running a vulnerable version of Sendmail. However. Experience has shown that if sudoers gets botched (from using vi without visudo's error checking feature). Once sudo is installed.

Appendix C: Revision History Version 1. This value is chosen as it is a common value used in some Federally-regulated industries – you are free to increase it if desired.16: removed text from title of item  Formatting and style changes  Added revision history 64 . The above value (loginretries=3) will cause the account to be locked out after 3 successive failed login attempts. and is easily implemented in this Benchmark.01:  Item 3.CIS AIX Benchmark SN.4 Limit number of failed login attempts Action: chsec -f /etc/security/user -s default -a loginretries=3 Discussion: A system policy of locking out an account that fails several successive authentication attempts is an industry best practice.

com/infocenter/pseries/index.doc/aixbma n/security/security.subscriptionSvcs AIX 5L Version 5.apache.org TCP Wrappers source distribution: ftp.mit.ibm.org/ Information on MIT Kerberos: http://web.pdf OpenSSH (secure encrypted network logins): http://www.org/ http://www.services.com/server/pseries.org/docs-2.aix.ibm.3 Security Guide http://publib.software.ibm.sendmail.htm Other Misc Documentation Primary source for information on NTP http://www.com/server/aix.deer-run.cisecurity.jsp?topic=/com.0/misc/security_tips.org/ AIX Software Patches and related documentation: http://www.boulder.ibm.services.edu/kerberos/www/ Apache "Security Tips" document: http://httpd.html Information on Sendmail and DNS: http://www.openssh.CIS AIX Benchmark References The Center for Internet Security Free benchmark documents and security tools for various OS platforms and applications: http://www.efixmgmt/ ftp://aix.ibm.com/aix/efixes/security/ https://techsupport.ntp.com/~hal/dns-sendmail/DNSandSendmail.com/servers/eserver/support/pseries/aixfixes.ibm.html http://techsupport.porcupine.org 65 .

org/ sudo (provides fine-grained access controls for superuser activity): http://www.ucsb.org 66 .edu/~eta/swatch/ Open Source Sendmail (email server) distributions: ftp://ftp.CIS AIX Benchmark PortSentry and Logcheck (port and log monitoring tools): http://sourceforge.com/sudo/ Tripwire – file modification utility http://www.sendmail.net/projects/sentrytools/ Swatch (log monitoring tool): http://www.oit.lprng.courtesan.org/ LPRng (Open Source replacement printing system for Unix): http://www.tripwire.

Sign up to vote on this title
UsefulNot useful