CIS AIX Benchmark

AIX Benchmark v1.0.1

Copyright 2005, The Center for Internet Security http://www.CISecurity.org/

1

CIS AIX Benchmark

AIX Benchmark v1.01 October 19, 2005
Copyright 2004, 2005, The Center for Internet Security (CIS)

TERMS OF USE AGREEMENT
Background. The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. No Representations, Warranties, or Covenants. CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind. User Agreements. By using the Products and/or the Recommendations, I and/or my organization ("We") agree and acknowledge that: 1. No network, system, device, hardware, software, or component can be made fully secure; 2. We are using the Products and the Recommendations solely at our own risk; 3. We are not compensating CIS to assume any liabilities associated with our use of the Products or the Recommendations, even risks that result from CIS's negligence 2

CIS AIX Benchmark or failure to perform; 4. We have the sole responsibility to evaluate the risks and benefits of the Products and Recommendations to us and to adapt the Products and the Recommendations to our particular circumstances and requirements; 5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any corrections, updates, upgrades, or bug fixes; or to notify us of the need for any such corrections, updates, upgrades, or bug fixes; and 6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential, or special damages (including without limitation loss of profits, loss of sales, loss of or damage to reputation, loss of customers, loss of software, data, information or emails, loss of privacy, loss of use of any computer or other equipment, business interruption, wasted management or other staff resources or claims of any kind against us from third parties) arising out of or in any way connected with our use of or our inability to use any of the Products or Recommendations (even if CIS has been advised of the possibility of such damages), including without limitation any liability associated with infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms, backdoors, Trojan horses or other harmful items. Grant of Limited Rights. CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: 1. Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer; 2. Each user may print one or more copies of any Product or any component of a Product that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed in full and are kept intact, including without limitation the text of this Agreed Terms of Use in its entirety. Retention of Intellectual Property Rights; Limitations on Distribution. The Products are protected by copyright and other intellectual property laws and by international treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitled "Grant of limited rights." Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to 3

copyright or other proprietary notices. directors. contributors. software suppliers. or otherwise attempt to derive the source code for any software Product that is not already in the form of source code. to assume the exclusive defense and control of any matter subject to this indemnification. sell.htm). (iv) remove or alter trademark. members. hardware suppliers. We hereby agree to indemnify. defend. and in such case. authors. and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the preceding paragraph. The distribution of the NSA Security Recommendations is subject to the terms of the NSA Legal Notice and the terms contained in the NSA Security Recommendations themselves (http://nsa2. any Product or any component of a Product. disassemble.CIS AIX Benchmark some classes of CIS Members. and except as we may have otherwise agreed in a written agreement with CIS. lend. development. losses. or other similar mechanism or device. CIS has created and will from time to time create. CIS hereby grants each CIS Security Consulting or Software Vendor Member and each 4 . licensors. redistribute. lease. (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality. we agree that we will not (i) decompile. special rules for its members and for other persons and organizations with which CIS has a written contractual relationship. employees. (v) remove these Agreed Terms of Use from. newsgroup. or (viii) represent or claim a particular level of compliance with a CIS Benchmark. scoring tool or other Product. Those special rules will override and supersede these Agreed Terms of Use with respect to the users who are covered by the special rules. and all other persons who aided CIS in the creation. agents. without regard to whether such mechanism or device is internal or external. We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph. (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product. information and service providers. including without limitation CIS's right. and hold CIS and all of its officers. rent. logo.conxion.com/cisco/notice. sublicense. or alter these Agreed Terms of Use as they appear in. reverse engineer. encumber. ftp server. or otherwise transfer or exploit rights to any Product or any component of a Product. Special Rules. (ii) distribute. affiliates. (iii) post any Product or any component of a Product on any website. at our expense. bulletin board. we agree to cooperate with CIS in its defense of such claim. of certain limitations in this paragraph). or maintenance of the Products or Recommendations ("CIS Parties") harmless from and against any and all liability.www. developers. costs. legends. symbols or labels in any Product or any component of a Product. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use.

Choice of Law. Each such Member acknowledges and agrees that the foregoing grant is subject to the terms of such Member's membership arrangement with CIS and may.CIS AIX Benchmark CIS Organizational User Member. be modified or terminated by CIS at any time. Jurisdiction. whether by manual or electronic means. If any of these Agreed Terms of Use shall be determined to be unlawful. therefore. Venue We acknowledge and agree that these Agreed Terms of Use will be governed by and construed in accordance with the laws of the State of Maryland. Terms of Use Agreement Version 2. then such terms shall be deemed severable and shall not affect the validity and enforceability of any remaining provisions.1 – 02/20/04 5 . that we hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action. void. that any action at law or in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the courts located in the State of Maryland. the right to distribute the Products and Recommendations within such Member's own organization. but only so long as such Member remains in good standing with CIS and complies with all of the terms of these Agreed Terms of Use. or for any reason unenforceable.

................................................................23 3........................................................................................................................................19 2........................................................................8 Disable GUI login if possible ..........................................................................................................................................9 Vulnerabilities.....................................3 Disable email server......7 Only enable Kerberos-related daemons if absolutely necessary ....................................26 3...................4 Only enable FTP if absolutely necessary .......................30 3.......2 Validate your system before making changes.....17 2........................12 Only enable portmap if absolutely necessary......................10 1 Patches and additional software..........................................20 2......3 Only enable telnet if absolutely necessary.18 2................................................................20 2...................................23 3....................................................14 Only enable DHCP if absolutely necessary........8 Root Shell Environment Assumed ......................................................30 3.........5 Only enable rlogin/rsh/rcp if absolutely necessary ...................................................................................................................................................................27 3............28 3.....29 3...................................................................23 3.......................................................................................................................11 Only enable SNMP if absolutely necessary ...................................................................................................21 2.............................................9 Software Package Removal................................................................2 Disable inetd.........................................21 2............................................................8 Executing Actions............................................................ if possible .............................................................................31 3....................9 Backup Key Files...........................10 Only enable printer daemons if absolutely necessary...........4 Disable NIS Server processes if possible ......................................................................................................................................................................................................................16 2..............................16 2.8 Conventions .......................................................................25 3...9 Only enable CDE-related daemons if absolutely necessary...............................................................................3 Configure SSH .........2 Configure TCP wrappers to limit access . if possible ....................................................4 Install TCP wrappers package .......................................................................................................1 Disable login prompts on serial ports ...................5 Disable NIS Client processes if possible ...............................................13 Only enable IPv6 if absolutely necessary ......................27 3................................................................................................................6 Only enable TFTP Server if absolutely necessary...................26 3........10 Software Package Installation............................................................6 Disable NFS Server processes if possible ......15 2 Minimize inetd network services...12 1.............................................................31 6 .............1 Apply latest OS patches.........................................................................11 1..11 1.................................................7 Disable NFS Client processes if possible ....................................................8 Only enable rquotad if absolutely necessary ..24 3.......................................................................................9 Reboot Required....8 Applicability ....................................9 Turn off services which are not commonly used ..................................12 1....CIS AIX Benchmark Table of Contents CIS AIX Benchmark .................................1 Disable standard services .22 3 Minimize Daemon Services.......................

...............38 5........................................50 8..............................................................................................................................................................16 Only enable writesrv........................................................43 7 System access.....................................................1 Capture messages sent to syslog (especially the AUTH facility) ...............................................5 Verify no UID 0 accounts exist other than root.........5 Find "unowned" files and directories ..........................4 Find unauthorized SUID/SGID system executables .....................................................................................................................................54 8............48 8 User Accounts and environment ..........45 7...........................................................2 World-writable directories should have their sticky bit set ........................1 Disable core dumps .................................................4 Prevent X Server from listening on port 6000/tcp ...........................35 5 Logging.....................................4 Enable sar accounting ........................................ authentication......41 6.....................................49 8.............1 Remove /etc/hosts............................50 8...40 6 File/directory permissions/access.15 Only enable i4ls and NCS if absolutely necessary.............................................................' or group/world-writable directory in root's $PATH ................................................................44 7.............. httpdlite if absolutely necessary ...............1 Block system accounts......54 8.......41 6................................................................42 6..............................................................CIS AIX Benchmark 3.......................................................................2 Network parameter modifications......46 7........................................................................37 5..............................................................3 Verify there are no accounts with empty password fields .37 5.......... and group files..............................5 Enable kernel-level auditing ..................2 Create /etc/ftpusers ....34 4.........11 Set default umask for the FTP daemon ..........3 Find unauthorized world-writable files ............49 8..............8 No user dot-files should be world-writable.......................41 6................................................................................................3 Restrict NFS Client requests to privileged ports ............................................7 User home directories should be mode 750 or more restrictive ....4 Verify no legacy '+' entries exist in passwd...........7 Restrict at and cron to authorized users.......................................................................................................53 8...................................45 7...........47 7............. and authorization.......................6 No '......52 8................51 8.36 5..............................13 Removing unnecessary default user accounts ....................12 Set................... pmd................netrc and ...............................9 Remove user ..................................................51 8......55 7 ............................................................................................44 7........................................................................5 Set default locking screensaver timeout.2 Configure syslogd to send logs to a remote loghost ......42 6..equiv........2 Set password and account expiration on active accounts....39 5..........................55 8....................33 4 Kernel tuning.......36 5...............................................................34 4.............50 8.......6 Remove empty crontab files and restrict file permissions .34 4.....................................rhosts files..............6 Confirm Permissions On System Log Files ....................44 7......................10 Set Default umask for users ..........................................................49 8.....................................................................................8 Restrict root logins to system console ....32 3.....................................3 Prevent Syslog from accepting messages from the network ..............................................................46 7.................3 Disable XDMCP port ...1 Verify passwd and group file permissions...............................................................

.........................................3................................................................................................................................................................................57 9............................. the following directories are assumed to be in root's path: /usr/bin:/etc:/usr/sbin:/usr/ucb:/sbin 8 ...............................................................................1.............64 Appendix B Additional security notes .......................59 10 Reboot ....................................... Also....59 9.......................................................................................1 Create warnings for network and physical access services ....................................................................63 SN.......................................................................................................1 Create symlinks for dangerous files .................................................................61 Appendix B Additional security notes ...........................................4 Limit number of failed login attempts ..............................2............................62 SN...........................2 Change default greeting string for sendmail ....................................58 9..............62 SN..........3...65 CIS AIX Benchmark Applicability This benchmark was developed and tested on AIX 4.................................. Conventions The following typographical conventions are used in this document: Roman font Courier Italics normal text used to indicate either a command or a standard Unix parameter or a file used for a question that you must evaluate before continuing Root Shell Environment Assumed The actions in this document are written with the assumption that they will be executed by the root user running the /bin/ksh shell and without noclobber set...4 Create warnings for FTP daemon............60 Appendix A File backup script............3 Install and configure sudo..................2 Create warnings for GUI-based logins ................................57 9...62 SN..............................64 References ............................................CIS AIX Benchmark 9 Warning banners...........3 Create warnings for telnet daemon . 4...............3 and AIX 5L version 5...................

The script provided in Appendix A of this document will automatically back up all files that may be modified by the actions below. In many cases. Note that an executable copy of this script is also provided in the archive containing the PDF version of this document and the CIS scoring tool. then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. so assuming the administrator is in the directory where the archive has been unpacked. which are backed up automatically by the individual items in Section 3. If you are running an unneeded service. except for the boot scripts manipulated by the various items in Section 3 of this document. This is why we recommend that some services are disabled even though there is no clear way to exploit them. the changes made in the steps below will not take effect until this reboot is performed. It does not make a backup of the AIX object repository – use SMIT to remove installed software packages. the command to execute the backup script would be: cis/do-backup. Some actions may need to be modified if the order is changed. This archive creates a "cis" subdirectory when unpacked. the do-backup. If this step is not performed.ksh mksysb is the best way of performing a backup of your system prior to making the changes in this Benchmark. and there has never been a problem with the service. Actions are written so that they may be copied directly from this document into a root shell window with a "cut-and-paste" operation. 9 .ksh script is provided to backup files that are changed in this Benchmark. Vulnerabilities In addition to any specific issues presented by a particular service or protocol.CIS AIX Benchmark Executing Actions The actions listed in this document are written with the assumption that they will be executed in the order presented here. If mksysb is not available to you for whatever reason. you could have a problem if a hole is found. Reboot Required Rebooting the system is required after completing all of the actions below in order to complete the re-configuration of the system. every service has the potential of being an entry point into a system if a vulnerability is found. Backup Key Files Before performing the steps of this benchmark it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items.

Some people feel that as long as the software is not being used. If the chrctcp command fails.CIS AIX Benchmark Software Package Removal There is considerable debate over the maintenance of unused software packages. If vulnerable software is present on a system. This Benchmark makes no recommendation for the removal of unused software. that vulnerability may be exploitable by a local attacker. Others feel that unused software presents another attack vector and increases the maintenance effort for the administrators. you may be directed to enable software package init scripts using the chrctcp command. Software Package Installation Throughout this Benchmark. 10 . verify you actually installed the software required. This assumes you already installed said package(s). leaving it installed poses no appreciable risk. and the reader is advised to consider the effort in either its removal or maintenance and the risks thereof.

double-check that services that were previously disabled have remained disabled. Discussion: Installing up-to-date vendor patches and developing a procedure for keeping up-to-date with vendor patches is critical for the security and reliability of the system. It is critical to always verify the integrity of such software using file or package signatures (if provided) or at least MD5 checksums. it will not notice a binary that is setUID or set-GID that should not be. 1. Failure to do so may result in the system being compromised by a “Trojan Horse” created by an attacker with unauthorized access to the archive site. see discussion. lppchk -c checks only the size and checksums of files – it does not check file permissions. If lppchk -c reports an unexpected value. 11 . Patches will occasionally re-enable services that you may have already disabled. The vast majority of successful attacks on systems use exploits against known vulnerabilities that have patches available. Do not use a directory such as /tmp or /var/tmp which might allow another user on the system to corrupt or interfere with the files being downloaded. or a modified file that has been tailored to have the “correct” checksum. You may wish to consider installing packages such as TripWire or AIDE.) Verify that all patches are properly configured with lppchk -c lppchk -l lppchk -v After applying patches. Vendors will issue operating system updates when they become aware of security vulnerabilities and other serious functionality issues. you do have a problem – the lack of errors does not guarantee that all is well. always download the files to a nonworld-writable directory.1 Apply latest OS patches Action: Update system per your Enterprise Update procedures. (Small sites. Note that lppchk was designed to catch accidental breakage of software – it was not designed to resist intentional attack. which are designed to resist attempts to deceive it. but it is up to their customers to actually download and install these patches. When downloading software packages and patches. As a result.CIS AIX Benchmark 1 Patches and additional software Note that the items in this section involve downloading vendor patches and third-party security software from external archive sites.

lib:5. Resolve all issues before continuing. IY25437): # instfix -ivk IY25437 IY25437 Abstract: SECURITY: Buffer overflow in CDE dtspcd Fileset X11.0. which directs you to install specific security patches as they come out. 2.rte. Modify /usr/local/etc/sshd_config (may be /etc/sshd_config.shell 5. Applying this Benchmark to a system that already has issues makes troubleshooting very difficult and may lead you to believe the Benchmark is at fault.services.16 is applied on the system. 1.Dt.ibm.ibm.16 A F Shells (bsh. Install SSH (see discussion for sources).com/server/pseries. You should also subscribe to IBM’s Security Bulletins Digest. as those fixes are not packaged to update the LPP database.rte.2 Validate your system before making changes Ensuring your system is functioning properly before you make a change is a prudent system administration best practice and will save you hours of aggravation.com/servers/eserver/support/pseries/aixfixes. csh) To check if a specific APAR is installed (for example. To check if a a specific LPP level is installed (for example. depending on version installed) – the script below will find the correct location for you: 12 . All filesets for IY25437 were found. ksh.1.1.rte.CIS AIX Benchmark Also – it is normal for lppchk -c to flag files that have been updated by an emergency fix. Examine the system and application logs using errpt -a or using smit to view them.shell Fileset Level State Type Description (Uninstaller) -------------------------------------------------------------bos. Information on subscribing to the Security Bulletins Digest is available from https://techsupport. 1.0.shell): # lslpp -L bos.html and follow the instructions that IBM presents on the web site.3 Configure SSH Action: 1. bos.subscriptionSvcs Small sites that do not have an Enterprise Update process To download recommended maintenance levels or individual PTFs for AIX: http://www.

/^#? *RhostsAuthentication/ \ { print " RhostsAuthentication no". next }. a manual edit is required.tmp chmod 600 ssh_config . /^#? *RhostsRSAAuthentication/ \ { print "RhostsRSAAuthentication no".. /^#? *IgnoreRhosts/ \ { print "IgnoreRhosts yes". Resolve" echo "before continuing. next }. /^#? *Banner/ \ { print "Banner /etc/motd"." . /^#? *PermitEmptyPasswords/ \ { print "PermitEmptyPasswords no". /^#? *PermitRootLogin/ \ { print "PermitRootLogin no". Because of the substantially different ssh_config files in the various versions of SSH. esac Manually edit $DIR/ssh_config to put “Protocol 2” under the “Host *” entry. then echo 'Protocol 2' >> ssh_config fi rm ssh_config. Note: The required entry may already be in place. next }. next }. next }.tmp awk '/^#? *Protocol/ { print "Protocol 2". *) echo "You have multiple sshd_config files. next }. next }. 13 . next }. 1) DIR=`find /usr /etc -type f 2>/dev/null | \ grep ssh_config$ | sed -e "s:/ssh_config::"` cd $DIR cp ssh_config ssh_config. { print }' ssh_config. cd $DIR cp sshd_config sshd_config. /^#? *HostbasedAuthentication/ \ { print "HostbasedAuthentication no".tmp awk '/^#? *Protocol/ { print "Protocol 2". next }..CIS AIX Benchmark unalias cp rm mv case `find /usr /etc -type f | grep -c ssh_config$` in 0) echo "Cannot find ssh_config" . next }. /^#? *X11Forwarding/ \ { print "X11Forwarding yes"..tmp > ssh_config if [ "`grep -El ^Protocol ssh_config`" = "" ].

both the ssh client and the sshd server are configured to use only SSH protocol 2.tmp chmod 600 sshd_config Discussion: OpenSSH is a popular free distribution of the standards-track SSH protocols. we feel it is necessary to put forth this extra effort in order to stay current with OpenSSH releases and patches.pdf. Note: If you installed the SSH package in this step.boulder. the do-backup. which allow secure encrypted network logins and file transfers.com/.ibm. The settings in this section attempt to ensure safe defaults for both the client and the server. Failure to do so could lock you out of your machine if sshd is not running and you disable telnetd.com/redbooks/pdfs/sg246873. If you feel that you need to use a pre-compiled package for OpenSSH. Bull's web site is http://www. Bull maintains a very large repository of Open Source software for AIX. IBM maintains an installp image for AIX5L at http://publib16. Specifically. 3. Note: Ensure sshd is working properly (including ability to start automatically on reboot) before proceeding with this Benchmark.tmp > sshd_config rm sshd_config. pre-compiled versions are often not compiled with the options you might find necessary.redbooks.CIS AIX Benchmark {print}' sshd_config.openssh. htm.ksh script will capture a backup of the configuration files.com/doc_link/en_US/a_doc_lib/aixbman/security/openssh. If SSH was previously existing. 2. as security vulnerabilities have been found in the first SSH protocol. An AIX version is supplied on the AIX Bonus Pack CD’s. Install and configure SSH using the IBM Redbook at http://www. 14 .bullfreeware. However. This may cause compatibility issues at sites still using the vulnerable SSH protocol 1 these sites should endeavor to configure all systems to use only SSH protocol 2. see http://www. section 5.org. Additionally. Compilation of OpenSSH is complicated by the fact that it is dependent upon several other freely-available software libraries which also need to be built before OpenSSH itself can be compiled. you have several options: 1. such as Kerberos support. and may be more current than the software on the Bonus Pack CD's. there will be no -preCIS backup of the configuration files.2.ibm. For more information on OpenSSH. This site also includes instructions for compiling OpenSSH on AIX.

1.exe While the package is named aix43 it has been installed and tested on all versions up to AIX 5.com/download/aix43/tcp_wrappers-7.4 Install TCP wrappers package Action: 1.CIS AIX Benchmark 1.bullfreeware. 2. Download pre-compiled TCP Wrappers from http://www. Install software.2.6.2.0. 15 . This step is optional if you already have TCP Wrappers installed. Discussion: TCP Wrappers is installed in this section and configured in section 2.

after enabling SSH (see Item 1. or which have more secure alternatives. This will ensure that an operating system patch doesn’t reenable a service. do echo "Disabling $SVC TCP" chsubserver -d -v $SVC -p tcp done for SVC in ntalk rstatd rusersd rwalld sprayd pcnfsd \ echo discard chargen daytime time cmsd. it may be possible to completely do away with all inetd-based services. You will need to re-enable any service you find absolutely necessary to your organization. rm and cp commands as some commands overwrite files and you may be prompted numerous times about overwriting these files: unalias mv rm cp 2.3). Using the above commands effectively disables all inetd-based network services.conf file shipped with AIX contains many services which are rarely used. 16 . do echo "Disabling $SVC UDP" chsubserver -d -v $SVC -p udp done refresh -s inetd Discussion: The stock /etc/inetd. By disabling all inetd-based services and only re-enabling what is necessary you avoid a common mistake of simply overlooking a service which may be vulnerable.1 Disable standard services Action: for SVC in ftp telnet shell kshell login klogin exec \ echo discard chargen daytime time ttdbserver dtspc. since SSH provides both a secure login mechanism and a means of transferring files to and from the system. We strongly recommend that you implement local procedures to ensure that unwanted services remain disabled. Indeed.CIS AIX Benchmark 2 Minimize inetd network services You will need to unalias the mv.

TCP Wrappers also provides logging information via Syslog about both successful and unsuccessful connections. Modify /etc/inetd.porcupine.conf chmod 644 inetd. If you 17 .conf chown root:system inetd. \ { print }' inetd. If you would rather download and compile TCP Wrappers instead of using the precompiled version.with_tcp_wrappers Test your configuration now by using the /usr/local/bin/tcpdchk command and by logging in remotely. Create /etc/hosts.conf. and workstations should limit access to only authorized networks.conf but other options exist for “wrappering” non-inetd-based software (see the documentation provided with the source code release). TCP Wrappers allows the administrator to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers are generally triggered out of /etc/inetd. limited-access servers. Action: 1. Note: Do not deny access to your system without allowing access. $6 = "/usr/local/bin/tcpd" }.2 Configure TCP wrappers to limit access Question: Is there a reason to allow unlimited network access to this server? If the answer to this question is no.conf inetd.conf: cd /etc awk '($3 ~ /^tcp/) && ($6 !~ /(internal|tcpd)$/) \ { $7 = $6.CIS AIX Benchmark 2. For Internet-connected servers that provide service to the whole Internet.allow and /etc/hosts.with_tcp_wrappers inetd. the source code is available at http://www.with_tcp_wrappers cp inetd.deny per available documentation and to suit your particular environment. then perform the action below. Discussion: By limiting access to the server.org. you reduce your exposure to threats from attackers on remote systems. Intranet servers. limiting access may not make sense.conf. IPv6 Note: The TCP Wrappers binary referenced above does not support IPv6.conf > inetd.conf. Configuring TCP Wrappers is beyond the scope of this Benchmark. 2.

chiark. proceed with the actions below.allow and deny access to ALL in hosts. so you can use /etc/hosts.deny to limit SSH access to your systems. and controls access based on the first match.gsi. please see http://www-aix. Some Enterprises are using telnet over SSL. which means data from the login session (such as passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the network. you will block network access to all network clients. It is important to note that TCP wrappers looks at hosts. To aid in the migration to SSH. which is available from Simon Tatham (see http://www. however. then hosts. and also that the session can be hijacked by outsiders to gain access to the remote system.allow first. Action: chsubserver -a -v telnet -p tcp refresh -s inetd Discussion: telnet uses an unencrypted network protocol.html for instructions on compiling TCP Wrappers for IPv6 support.3 Only enable telnet if absolutely necessary Question: Is there a mission-critical reason that requires users to access this system via telnet. Configuring telnet over SSL is beyond the scope of a Level 1 Benchmark and will not be addressed here.allow and /etc/hosts.uk/~sgtatham/putty/). Sites that are already using Kerberos may take advantage of the various Kerberos-specific options to enable encryption and stronger authentication in the telnet daemon itself ("man telnetd" for more information).deny. there is a freely available SSH client for Windows called putty.greenend. There are numerous commercially supported SSH clients as well – check to see if your Enterprise already has an Enterprise SSH client. If you omit entries in hosts.CIS AIX Benchmark need IPv6 support.org.de/~bio/DOCS/tcpwrapperinstall. rather than the more secure SSH protocol? If the answer to this question is yes. 18 .deny. Many daemons (SSH for example) are compiled with TCP Wrapper support. SSH provides encrypted network logins and should be used instead. the simpler and more standard solution is to use SSH. 2.

Configuring FTP over SSL is beyond the scope of a Level 1 Benchmark and will not be addressed here. For further information on restricting FTP access to the system. the FTP protocol is unencrypted. see section 7. 2.sourceforge. SSH provides two different encrypted file transfer mechanisms – scp and sftp – and should be used instead. or is there a mission-critical reason why data must be transferred to and from this system via an FTP server.4 Only enable FTP if absolutely necessary Question: Is this machine an (anonymous) FTP server. Note: Any directory writable by an anonymous FTP server should have its own partition. however. When it can be disabled. there are a number of freely available scp and sftp client for Windows. To aid in the migration away from FTP. consider requiring non-anonymous users on the system to transfer files via SSH-based protocols. so telnet may have to be enabled. Even if FTP is required because the local system is an anonymous FTP server. rather than sftp or scp? If the answer to this question is yes. This helps prevent an FTP server from filling a hard drive used by other services.2 below.php) for a Graphical interface to putty. and pscp. Some Enterprises are using FTP over SSL. such as WinSCP (available from http://winscp. Action chsubserver -a -v ftp -p tcp refresh -s inetd Discussion: Like telnet.CIS AIX Benchmark It is understood that large Enterprises deeply entrenched in using telnet may take considerable effort in migrating from telnet to ssh. which is a part of the previously mentioned putty package. Note: Ensure you have tested an alternate remote access method for your servers before leaving telnet disabled. 19 . proceed with the actions below. the simpler and more standard solution is to use SSH. Failure to do so may result in being denied remote access.net/eng/index. disable telnetd and refresh initd. and that the FTP session itself can be hijacked by an external attacker. which means passwords and other data transmitted during the session can be captured by sniffing the network.

Note that sites that are using the Kerberos security system may wish to look into using the "Kerberized" versions of rlogin/rsh that are provided with AIX (klogin. 2. It seems unlikely that there is ever a case where these tools cannot be replaced with SSH. X-terminals. However. and other similar devices.6 Only enable TFTP Server if absolutely necessary Question: Is this system a boot server or is there some other mission-critical reason why data must be transferred to and from this system via TFTP? If the answer to this question is yes. Action: chsubserver -a -v tftp -p udp refresh -s inetd Discussion: TFTP is typically used for network booting of diskless workstations.5 Only enable rlogin/rsh/rcp if absolutely necessary Question: Is there a mission-critical reason why rlogin/rsh/rcp must be used instead of the more secure ssh/scp? If the answer to this question is yes. Also. it is best to leave the TFTP service disabled. 20 .CIS AIX Benchmark 2. IBM RS/6000 SP systems require tftp to operate. unless this system is needed in one of these roles. Action: chsubserver -a -v shell -p tcp chsubserver -a -v login -p tcp refresh -s inetd Discussion: SSH was designed to be a drop-in replacement for these protocols. proceed with the actions below. and kshell). Routers and other network devices may copy configuration data to remote systems via TFTP for backup. proceed with the actions below.

that password isn’t sent in the clear – but if you ‘su’ to another userid. Action: chsubserver -a -v rquotad -p udp refresh -s inetd 21 .org). which encrypts all traffic.7 Only enable Kerberos-related daemons if absolutely necessary Question: Is the Kerberos security system in use at this site? Is there a mission-critical reason that requires users to access this system via Kerberized rlogin/remsh. if you use klogin to login to a system. After installing it. it seems unlikely that there is ever a case where these tools cannot be replaced with SSH (again. perform the actions above. Given the wide availability of free SSH implementations. However. it is still not as secure as SSH.CIS AIX Benchmark Note: The tftp-server software is not installed by default.8 Only enable rquotad if absolutely necessary Question: Is this system an NFS file server with disk quotas enabled? If the answer to this question is yes.openssh. 2. For instance. that password is fair game for any network-sniffing programs. proceed with the actions below. 2. proceed with the actions below. You will have to install it if you need to use it. see http://www. Action: chsubserver -a -v klogin -p tcp chsubserver -a -v kshell -p tcp refresh -s inetd Discussion: Kerberized rlogin offers a higher degree of security than traditional rlogin or telnet by eliminating many clear-text password exchanges from the network. rather than the more secure SSH protocol? If the answer to these questions is yes.

Action: chsubserver -a -v 100083 -p tcp refresh -s inetd Discussion: The rpc.ttdbserverd process supports many tools and applications in the CDE windowing environment. but also never enable this service on any system which is not well protected by a complete network security infrastructure (including network and host-based firewalls. Note that since this service uses Sun's standard RPC mechanism. 22 . If your site does not use disk quotas. and intrusion detection infrastructure). proceed with the actions below. 2.9 Only enable CDE-related daemons if absolutely necessary Question: Is there a mission-critical reason to run a GUI on this system? If the answer to this question is yes.CIS AIX Benchmark Discussion: rquotad allows NFS clients to enforce disk quotas on file systems that are mounted from the local system. but has historically been a major security issue for Unix-based systems. If you do plan to leave this service enabled. packet filters. not only is it vital to keep up to date on vendor patches. then you may leave the rquotad service disabled. it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on.

2 Disable inetd. 3. there is no point in running inetd at boot time. if possible Action: if [ `grep -Evc '^[ \t]*(#|$)' /etc/inetd. Note that this action may safely be performed even if console access to the system is provided via the serial ports.conf. and other remote access devices to these ports. because the system console’s getty process uses /dev/console rather than a /dev/tty.CIS AIX Benchmark 3 Minimize Daemon Services 3. do echo "Disabling login from port /dev/$i" chitab "$i:2:off:/usr/sbin/getty /dev/$i" done Discussion: By disabling the getty process on the system serial ports. However.1 Disable login prompts on serial ports Action – AIX5L only: for i in `grep ^tty /etc/inittab | cut -f1 -d:`.conf` -eq 0 ]. The code added to the newinetsvc boot script will result in inetd automatically being restarted at boot time if services are ever enabled in inetd. we make it more difficult for unauthorized users to attach modems. 23 . then echo "Turning off inetd" chrctcp -d inetd stopsrc -s inetd fi Discussion: If the actions in Section 2 of this benchmark resulted in all inetd-based services being disabled. it may be necessary to manually start inetd if the administrator wishes to enable some of these services without rebooting. terminals.

CIS AIX Benchmark

3.3 Disable email server, if possible Question:
Is this system a mail server - that is, does this machine receive and process email from other hosts? Perform the appropriate action below.

Action – No, this machine does not process mail:
stopsrc -s sendmail chrctcp -d sendmail cd /var/spool/cron/crontabs crontab -l > root.tmp if [ `grep -c "sendmail -q" root.tmp` -eq 0 ]; then echo "0 * * * * /usr/sbin/sendmail -q" >> root.tmp crontab root.tmp fi rm -f root.tmp This will make sendmail run the queue once an hour, sending out any mail that may have accumulated on the machine (from cron jobs, etc).

Action – Yes, this machine processes mail:
Sendmail is preconfigured to allow relaying from outside your domain. CIS is preparing a Sendmail Benchmark that will replace this section and address other Sendmail issues. In the interim, please follow the guidelines presented by Sandor Sklar at http://www.securitymap.net/sdm/docs/systemsec/Securing%20AIX%20Network%20Services.htm.

Discussion:
It is possible to run a Unix system with the Sendmail daemon disabled and still allow users (and programs such as ‘cron’) on that system to send email out from that machine. Running Sendmail in “daemon mode” (with the -bd command-line option) is only required on machines that act as mail servers, receiving and processing email from other hosts on the network. Note that after disabling the -bd option on the local mail server on AIX 5L (or any system running Sendmail v8.12 or later) it is also necessary to modify the /etc/mail/submit.cf file. Find the line that reads "D{MTAHost}localhost" and change localhost to the name of some other local mail server for the organization. This will cause email generated on the local system to be relayed to that mail server for 24

CIS AIX Benchmark further processing and delivery. Closing AIX Sendmail Open Relay The default behavior of Sendmail in AIX 4.3.3 allows open relaying - the mail server will accept and process mail sent from outside your organization to addresses that are also outside your organization. This defect is commonly used by "spammers" to send e-mail to thousands of addresses, all originating from your mail server. Before enabling sendmail in daemon mode, the sendmail configuration file must be modified to prevent this misuse of your system. The above steps explain how to update the sendmail.cf configuration file.

3.4 Disable NIS Server processes if possible Question:
Is this machine an NIS (Network Information Service) server? If the answer to this question is no, then perform the action below.

Action:
Use the SMIT fast-path smit remove to remove the bos.net.nis.server fileset or use the command: [ `lslpp -L bos.net.nis.server 2>&1 | \ grep -c "not installed"` -eq 0 ] && \ /usr/lib/instl/sm_inst installp_cmd -u \ -f'bos.net.nis.server'

Discussion:
This service must be enabled if the local site is using the NIS naming service to distribute system and user configuration information. NIS services are a convenient method to manage user accounts and home directories across a large network of servers, however they are also a favored entry point for attackers. If the NIS software is installed but not configured, an attacker can cripple a machine by starting NIS. In addition, tools like ypsnarf allow an attacker to grab the contents of your NIS maps, providing large amounts of information about your site. Use the /etc/yp/securenets file to restrict what machines your NIS server will talk to. Also utilize secure NIS to encrypt communication between the client and server.

25

CIS AIX Benchmark

3.5 Disable NIS Client processes if possible Question:
Is this machine an NIS (Network Information Service) client? If the answer to this question is no, then perform the action below.

Action:
Use the SMIT fast-path smit remove to remove the bos.net.nis.client fileset or use the command: [ `lslpp -L bos.net.nis.client 2>&1 | \ grep -c "not installed"` -eq 0 ] && \ /usr/lib/instl/sm_inst installp_cmd -u \ -f'bos.net.nis.client'

Discussion:
NIS services are a convenient method to manage user accounts and home directories across a large network of servers, however they are also a favored entry point for attackers. For this reason, many organizations choose not to use NIS. If you do not need NIS, remove it from the system.

3.6 Disable NFS Server processes if possible Question:
Is this machine an NFS file server? If the answer to this question is no, then perform the action below.

Action:
[ -f /etc/exports ] && rm -f /etc/exports

Discussion:
NFS is frequently exploited to gain unauthorized access to files and systems. Clearly there is no need to run the NFS server-related daemons on hosts that are not NFS servers. If the machine is an NFS server, the administrator should take reasonable precautions when exporting file systems, including restricting NFS access to a specific range of local 26

you must ensure that all of the UID/GID on the server and clients systems are unique.CIS AIX Benchmark IP addresses and exporting file systems “read-only” and “nosuid” where appropriate.8 Disable GUI login if possible Question: Is there a mission-critical reason to run a GUI on this system? If the answer to this question is no. This facility uses DES encryption and public key cryptography to identify users and servers. Action: rmnfs -B Discussion: While this action disables the standard NFS client processes. 3. then perform the action below. then perform the action below. 27 . The use of secure RPC or Kerberos can significantly improve NFS security.nfs. it is important to note that it is still possible for the superuser to mount remote file systems on the local machine via NFS. Note that other file transfer schemes (such as rdist via SSH) can often be preferable to NFS for certain applications. so do not run rmnfs if your site uses NIS. there is a possibility of unauthorized file access. NFS file access is based on the UID/GID pair so if there are conflicting UID/GID pairs between the servers and clients. NIS is also started in /etc/rc. but these packages will have to be re-installed and repatched if NFS is to be re-enabled at a later date. Also. The administrator can completely disable NFS client access by removing the NFS client software packages. 3.7 Disable NFS Client processes if possible Question: Is there a mission-critical reason why this system must access file systems from remote servers via NFS (or uses NIS)? If the answer to this question is no. You should also strongly consider using the AIX Secure NFS facility.

8). The X Windows-based CDE GUI systems. 3. do echo "Turning off $SVC" stopsrc -s $SVC chrctcp -d $SVC done for SVC in piobe httpdlite pmd writesrv. do echo "Turning off $SVC" 28 . as well as the rpcbind and rpc. do echo "Turning off $SVC" stopsrc -s $SVC chrctcp -d $SVC done for SVC in piobe i4ls httpdlite pmd writesrv.9 Turn off services which are not commonly used Action (AIX 4. it is also necessary to enable the rpcbind process (see Item 3.ttdbserverd processes have had a history of security issues.ttdbserverd process (see Item 2. Never run any GUI-oriented service or application on a system unless that machine is protected by a strong network security infrastructure.CIS AIX Benchmark Action: chmod ug-s /usr/dt/bin/dtaction \ /usr/dt/bin/dtappgather /usr/dt/bin/dtprintinfo /usr/dt/bin/dtsession /usr/dt/bin/dtconfig -d Discussion: Note that for the CDE GUI to function properly.11) and the rpc.3): for SVC in routed gated named timed rwhod \ snmpd dpid2 lpd portmap ndpd-router ndpd-host.3. do echo "Turning off $SVC" rmitab $SVC done Action (AIX 5): for SVC in routed gated named timed rwhod mrouted \ snmpd hostmibd dpid2 lpd portmap autoconf6 \ ndpd-router ndpd-host.

which only has to be enabled if the machine is being used as a network print server by machines that require a BSD-style remote printer interface. 3.10 Only enable printer daemons if absolutely necessary Question: Is this system a print server. then perform the action below. Note also that vendor patches may restore some of the original entries in the System Resource Controller . or is there a mission-critical reason why users must submit print jobs from this system? If the answer to the question is yes. In most cases. Action: mkitab -i cron \ "piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1" chrctcp -a lpd Discussion: PIOBE stands for Printer IO Back End. Rather than disabling and then re-enabling these services. If users will never print files from this machine and the system will never be used as a print server by other hosts on the network. The rest of the actions in this section give the administrator the option of re-enabling certain services in particular. Note that the RFC 1179 service is a BSD-compatible print spooler. The resources are made inoperative (rather than removed outright) so that the local administrator can easily "restore" any of these resources if they discover a mission-critical need for one of these services. then it is safe to disable these services.it is always a good idea to check the System Resource Controller using lssrc -a for any resources that may have been added by the patch installation process. 29 .CIS AIX Benchmark stopsrc -s $SVC rmitab $SVC done Discussion: Disabling these services in the System Resource Controller will disable a wide variety of infrequently used subsystems. the services that are disabled. this RFC 1179 service is not necessary and should not be enabled. experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems.

use the address/netmask and permissions parameters on the community statement to restrict SNMP access to only your management stations. 3. then proceed with the actions below. Action: chrctcp -a snmpd chrctcp -a dpid2 chrctcp -a hostmibd Discussion: If you are using SNMP to monitor the hosts on your network. In addition. If any of the answers to these questions is yes. The machine runs a third-party software application which is dependent on RPC support. Use the community and view statements in /etc/snmpd. IBM OpenView. Action: chrctcp -a portmap 30 .CIS AIX Benchmark 3. This machine is an NIS (YP) or NIS+ client or server.. This machine runs the CDE GUI.11 Only enable SNMP if absolutely necessary Question: Does a tool (e. MRTG.conf to change the community strings. it is prudent to change the default community string used to access data via SNMP. then perform the action below.12 Only enable portmap if absolutely necessary Question: Are any of the following statements true? • • • • This machine is an NFS client or server. Cricket) that relies on SNMP remotely monitor this system? If the answer to the question is yes.g.

server. 31 . Unless your network already has IPv6 support.14 Only enable DHCP if absolutely necessary Question: Does the system in question function as a DHCP client. or relay agent? For each of the three cases.13 Only enable IPv6 if absolutely necessary Question: Does the system in question use the IPv6 protocol? If the answer is yes. AIX’s support of IPv6 (for instance. Unless one of the services listed above is required on this machine. if the answer is yes. then perform the following action. running the IPv6 daemons is pointless (and can allow other hosts on the same physical subnet to connect via IPv6 even when the network doesn’t support it). 3. it is best to disable RPC-based tools completely. Action: chrctcp -a autoconf6 chrctcp -a ndpd-router chrctcp -a ndpd-host Discussion: Although IPv6 is being deployed at many sites. consult with the application vendor. If you are unsure whether or not a particular third-party application requires RPC services. it is still not widespread. 3.CIS AIX Benchmark Discussion: RPC-based services typically use very weak or non-existent authentication and yet may share very sensitive information. then perform the applicable action below (shown in the comment to the right of the command). in inetd) does not require these daemons to be running unless you want to communicate with another machine using IPv6 – the IPv6-aware software works just fine in IPv4-only or standalone mode without these daemons.

eliminating the requirement for the i4ls daemons. then perform the following action. or a DHCP relay agent. if this system is not a DHCP server for the network. 3.CIS AIX Benchmark Action: DHCP client chrctcp -a dhcpcd # client daemon DHCP server chrctcp -a dhcpsd # server daemon DHCP relay agent chrctcp -a dhcprd # relay daemon Discussion: DHCP is a popular protocol for dynamically assigning IP addresses and other network information to systems on the network (rather than having administrators manually manage this information on each host). However.15 Only enable i4ls and NCS if absolutely necessary Question: Does the system require the i4ls licensing software? If the answer is yes. This in turn will probably result in the Network Computing System (NCS) daemons not being started either. a DHCP client. as i4ls is one of the few products that uses NCS. the IBM VisualAge compilers can be installed with a nodelocked license in /var/ifor/nodelock. there is no need to be running this service. 32 . Action: mkitab -i cron "i4ls:2:wait:/usr/bin/startsrc -swritesrv" chrctcp -a writesrv Discussion: As a particular special-case.

httpdlite – Lite NetQuestion Web server software for online documentation.16 Only enable writesrv. The rmitab command removes a specified service. httpdlite if absolutely necessary Question: Are the writesrv.CIS AIX Benchmark 3. The following services are started by inittab and can be removed if not needed: ● ● writesrv – allows users to chat using the system write facility on a terminal. Action: writesrv mkitab -i cron "writesrv:2:wait:/usr/bin/startsrc -swritesrv" chrctcp -a writesrv pmd mkitab -i cron "pmd:2:wait:/usr/bin/pmd > /dev/console 2>&1 # Start PM daemon" chrctcp -a pmd httpdlite mkitab -i cron "httpdlite:2:once:/usr/IMNSearch/httpdlite/httpdlite -r /etc/IMNSearch/httpdlite/httpdlite. pmd. or httpdlite services required? If the answer is yes. The ‘man’ command does not need this to work correctly. pmd – Power management service that turns your machine off if it has been idle a specific amount of time. then perform the corresponding action below. ● 33 .conf & >/dev/console 2>&1" chrctcp -a httpdlite Discussion: These services are started from the /etc/inittab file. This is only needed for the “search” function for web-browsable documentation. pmd.

2 Network parameter modifications Action: cat <<EOF > /etc/rc. 4.1 Disable core dumps Action: Edit /etc/security/limits and change the core value in the default stanza to: core 0 Add the following line below it: core_hard = 0 Execute these commands: echo "# Added by CISecurity Benchmark" >> /etc/profile echo "ulimit -c 0" >> /etc/profile chdev -l sys0 -a fullcore=false Discussion: Some vulnerabilities attempt to cause a core dump. sensitive information can be contained in the core file and be extracted by attackers.net-tune #!/bin/ksh # Deal with SYN-flood attacks as best we can. Since applications can dump the entire contents of that application's memory at the time of the fault.CIS AIX Benchmark 4 Kernel tuning 4. /usr/sbin/no -o ipignoreredirects=1 /usr/sbin/no -o ipsendredirects=0 # Refuse to have anything to do with source-routed packets. # ICMP Redirect is a poor excuse for a routing protocol. don't send them ourselves. /usr/sbin/no -o ipsrcrouteforward=0 /usr/sbin/no -o ipsrcrouterecv=0 34 . /usr/sbin/no -o clean_partial_conns=1 # Do not allow SMURF broadcast attacks. /usr/sbin/no -o directed_broadcast=0 # Don't allow other machines to reset our netmask /usr/sbin/no -o icmpaddressmask=0 # Ignore redirects.

so the four ‘srcroute’ options should be omitted in those environments.CIS AIX Benchmark /usr/sbin/no -o ipsrcroutesend=0 /usr/sbin/no -o nonlocsrcroute=0 EOF chmod +x /etc/rc. 4.net-tune mkitab -i rctcpip "rcnettune:2:wait:/etc/rc. 35 . Note also that support for source-routed packets is needed in some cluster configurations.3 Restrict NFS Client requests to privileged ports Action: cat <<EOF >> /etc/rc.net-tune > \ /dev/console 2>&1" Discussion: We are creating a new script that will be executed at boot time to reconfigure various network parameters.net-tune # Require NFS to use privileged ports /usr/sbin/nfso -o portcheck=1 -o nfs_use_reserved_ports=1 EOF Discussion: Setting this parameter causes the NFS server process on the local system to ignore NFS client requests that do not originate from the privileged port range (ports less than 1024). to be in line with current best practices. This should not hinder normal NFS operations but may block some NFS attacks that are run by unprivileged users.

conf touch /var/adm/authlog /var/adm/syslog chown root:system /var/adm/authlog chmod 600 /var/adm/authlog chmod 640 /var/adm/syslog stopsrc -s syslogd startsrc -s syslogd 36 .org/. it is also recommended that sites collect copies of their system logs on a secure. More information on NTP can be found at http://publib.ucsb. Not only does centralized logging help sites correlate events that may be occurring on multiple systems.org.auth.ibm.1\n\ auth. It also has the more mundane benefit of ensuring that you still have access to a copy of the logs for debugging system crashes as the local copy may not be accessible if the system is refusing to boot or the buffers were not flushed first.com/.oit. Because it is often necessary to correlate log information from many different systems (particularly after a security incident) we recommend establishing some form of time synchronization among systems and devices connected to the local network.1 Capture messages sent to syslog (especially the AUTH facility) Action: printf "### Following lines added by CISecurity \ AIX Benchmark Section 5.doc/cmds/a ixcmds6/xntpd.com/infocenter/pseries/index.none\t\t/var/adm/syslog\n" \ >> /etc/syslog.info.logcheck.boulder.psionic.jsp?topic=/com. Tools such as ‘logcheck’ from http://www. centralized log server.edu/~eta/swatch/) and Logcheck (http://sourceforge. but having a second copy of the system log information may be critical after a system compromise where the attacker has modified the local log files on the affected system(s). which is supported by most network-ready devices. In addition to the local log files created by the steps in this section.htm and http://www. Swatch (http://www. ‘logwatch’ from http://www. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP).CIS AIX Benchmark 5 Logging The items in this section cover enabling various different forms of system logging in order to keep track of activity on the system.ibm. Note: These tools are not officially supported by IBM.aix.net/projects/sentrytools/) can be used to automatically monitor logs for intrusion attempts and other suspicious system behavior.info\t\t/var/adm/authlog\n\ *. 5.ntp.

This is unfortunate.2\n\ auth. An intruder – once he/she has obtained root – can edit the system logs to remove all traces of the attack. If the logs are stored off the machine. or does it need to receive Syslog messages via the network 37 .none\t\t@loghost *. If this data is not logged. failed login attempts. This file should be reviewed and archived on a regular basis. those logs can be analyzed for anomalies and used for prosecuting the attacker.CIS AIX Benchmark Discussion: By default.emerg\t\t@loghost\n\ local7. The above action causes this information to be captured in the /var/adm/authlog file.info\t\t@loghost *. etc. root login attempts.conf stopsrc -s syslogd startsrc -s syslogd Discussion: Remote logging is essential in detecting intrusion and monitoring several servers operating in concert.3 Prevent Syslog from accepting messages from the network Question: Is this machine a log server. messages sent to syslog channels other than LOG_AUTH are sent to /var/adm/syslog (which should also be reviewed). In addition.info. change the above script to reflect /var/log instead of /var/adm. AIX systems do not capture logging information sent to syslogd. if necessary) of your loghost. Note: Some AIX administrators prefer to log syslog events to /var/log – if this is your preference. replace loghost with the proper name (FQDN. since a great deal of important security-related information (successful and failed su attempts.) is sent via the LOG_AUTH channel. printf "### Following lines added by CISecurity \ AIX Benchmark Section 5. 5. which is only readable by the superuser.auth. you don’t have any way of knowing what is going on.*\t\t@loghost\n" >> /etc/syslog. 5.2 Configure syslogd to send logs to a remote loghost Action: In the script below.

5.adm -c "crontab -l > /tmp/crontab. so a malicious outsider could simply barrage the local system's Syslog port with spurious traffic either as a denial-ofservice attack on the system. syslogd. or to fill up the local system's logging file systems so that subsequent attacks will not be logged. Note that it is considered good practice to set up one or more machines as central "log servers" to aggregate log traffic from all machines at a site. unless a system is set up to be one of these "log server" systems. You need to adjust the times of the report and the period the data is collected. Note: The following crontab entries are an example only.adm" cat << EOF >> /tmp/crontab.adm 0 8-17 * * 1-5 /usr/lib/sa/sa1 1200 3 & 0 * * * 0.acct >/dev/null 2>&1 if [ "$?" != 0 ]. cannot proceed" else su .6 /usr/lib/sa/sa1 & 0 18-7 * * 1-5 /usr/lib/sa/sa1 & 5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 3600 -A & EOF mkdir -p /var/adm/sa 38 . then echo "bos. Refer to sar documentation.4 Enable sar accounting Action: Install the bos.acct not installed.CIS AIX Benchmark from other systems? If the answer to this question is no.acct fileset as it is required when making use of the sar utility. it should not be listening on 514/udp for incoming log messages. the protocol used to transfer these messages does not include any form of authentication. lslpp -i bos. Unfortunately. listens for log messages from other systems on network port 514/udp. However. Action: chssys -s syslogd -a "-r" stopsrc -s syslogd startsrc -s syslogd Discussion: By default the system logging daemon. then perform the action below.

5.CIS AIX Benchmark chown adm:adm /var/adm/sa chmod 755 /var/adm/sa su . Thus.ibm. Refer to sar documentation. note chapter 2.redbooks. etc. disk I/O.pdf.adm -c "crontab /tmp/crontab. or by reviewing the nightly report files named /var/adm/sa/sar*. Quote from chapter of note: An audit is defined as an examination of a group.adm" fi Discussion: System accounting gathers baseline system data (CPU utilization. Once a normal baseline for the system has been established. Administrators may wish to archive the /var/adm/sa/ directory on a regular basis to preserve this data for longer periods. You need to adjust the times of the report and the period the data is collected. individual account. 39 . unauthorized activity (password crackers and other CPUintensive jobs. Note: The above crontab entries are an example only. the auditing subsystem provides a means of tracing and recording what is happening on your system. The data may be accessed with the sar command. or activity.com/redbooks/pdfs/sg246020. see http://www. and activity outside of normal usage hours) may be detected due to departures from the normal system performance curve. Note that this data is only archived for one week before being automatically removed by the regular nightly cron job.5 Enable kernel-level auditing Action: To activate auditing: audit on To start auditing automatically at next boot: mkitab -i cron "audit:2:once:/usr/sbin/audit start 2>&1 /dev/console" telinit q echo "audit shutdown" >> /usr/sbin/shutdown > Discussion: For information on auditing.) every few minutes.

It is a decision you have to make. auditing is not activated in AIX. It may be unnecessary for you to start auditing if you just let the files sit in your busy system. When you start the audit subsystem.6 Confirm Permissions On System Log Files Action: for FILE in \ /smit.log \ /var/tmp/snmpd. If you should add any of the services that affect the above logs. it gathers information depending on your configuration file.log \ /var/tmp/hostmibd. it may or may not be necessary for auditing to run every time.log \ /var/adm/ras/* /var/ct/RMstart. 40 . then echo "Fixing log file permissions on $FILE" chmod o-rw $FILE fi done Discussion: It is critical to protect system log files from being modified by unauthorized individuals.log do if [ -f $FILE ]. Also. certain logs contain sensitive data that should only be available to the system administrator. please revisit this section to ensure the logs have the correct/secure permissions. We recommended that you explore kernel level auditing before implementing it in your startup scripts. Depending on your environment. What is important is for you to be able to interpret an auditing record. 5.log \ /var/adm/cron/log \ /var/tmp/dpid2.CIS AIX Benchmark By default.

o-r /etc/security Discussion: These are the proper owners and access permissions for these files.2 World-writable directories should have their sticky bit set Action: The automated tool supplied with this benchmark will flag world-writable directories that do not have the sticky bit set. do echo "Searching $part" find $part -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print done Discussion: When the so-called “sticky bit” is set on a directory. and is generally appropriate for most world-writable directories. 6.CIS AIX Benchmark 6 File/directory permissions/access 6. However. then only the owner of a file may remove that file from the directory (as opposed to the usual behavior where anybody with write access to that directory may remove the file).1 Verify passwd and group file permissions Action: chown chown chmod chmod chmod -R root:security /etc/passwd /etc/group /etc/security -R root:audit /etc/security/audit 644 /etc/passwd /etc/group 750 /etc/security -R go-w. Administrators who wish to obtain a list of these directories may execute the following commands: for part in `mount | grep dev | awk '{print $2}' | \ grep -Ev 'cdrom|nfs'`. Setting the sticky bit prevents users from overwriting each other’s files. whether accidentally or maliciously. consult appropriate vendor documentation before blindly applying the sticky bit to any world writable directories found in order to avoid breaking any application dependencies on a given directory. 41 .

World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. 6. but always consult relevant vendor documentation in order to avoid breaking any application dependencies on a given file. do echo "Searching $part" find $part \( -perm -04000 -o -perm -02000 \) \ -type f -xdev -ls done 42 .CIS AIX Benchmark 6. do echo "Searching $part" find $part -xdev -type f \ \( -perm -0002 -a ! -perm -1000 \) -print done There should be no entries returned. Discussion: Data in world-writable files can be modified and compromised by any user on the system.4 Find unauthorized SUID/SGID system executables Action: The automated testing tool supplied with this benchmark will flag unexpected set-UID and set-GID applications on the system.3 Find unauthorized world-writable files Action: The automated testing tool supplied with this benchmark will flag unexpected worldwritable files on the system. Generally removing write access for the "other" category (chmod o-w <filename>) is advisable. Administrators who wish to obtain a list of the set-UID and set-GID programs currently installed on the system may run the following commands: for part in `mount | grep dev | awk '{print $2}' | \ egrep -v 'cdrom|nfs'`. Administrators who wish to obtain a list of the world-writable files currently installed on the system may run the following commands: for part in `mount | grep dev | awk '{print $2}' | \ egrep -v 'cdrom|nfs'`.

43 . In addition. if possible. Administrators who wish to locate these files on their system may run the following command: find / \( -nouser -o -nogroup \) -ls Discussion: Sometimes when administrators delete users from the password file they neglect to remove all files owned by those users from the system.CIS AIX Benchmark Discussion: The administrator should take care to ensure that no rogue set-UID programs have been introduced into the system. and make sure to reset the ownership of these files to some active user on the system as appropriate. It is a good idea to locate files that are owned by users or groups not listed in the system configuration files. A new user who is assigned the deleted user's user ID or group ID may then end up “owning” these files. and thus have more access on the system than was intended. the administrator should attempt a Set-UID audit and reduction.5 Find “unowned” files and directories Action: The automated testing tool supplied with this benchmark will flag files and directories where the user or group owner of the file is not listed in the /etc/passwd or /etc/group files. 6.

7. only normal users should ever access the system via FTP – there should be no reason for “system” type accounts to transfer information via this mechanism.equiv ] && rm -f /etc/hosts.1 Remove /etc/hosts. authentication. (Of course.new fi done sort -u /etc/ftpusers.new chown root:system /etc/ftpusers chmod 600 /etc/ftpusers Discussion: /etc/ftpusers contains a list of users who are not allowed to access the system via FTP.equiv sets up global trust relationships for all accounts on the system. which work in an analogous fashion to .2 Create /etc/ftpusers Action: lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME. and authorization 7.rhosts files in user home directories. See the discussion of . the attacker can immediately get full access to your machine.CIS AIX Benchmark 7 System access.equiv Discussion: The /etc/hosts. that userid can be used to upload malicious software and store it with the system userid’s permissions (which are probably higher than a normal user’s).new > /etc/ftpusers rm /etc/ftpusers.rhosts files in the items below. If a system userid is allowed to FTP files into the system. there is probably no reason for FTP to be 44 .equiv file provides total trust in any machines listed. /etc/hosts. Consider also adding the names of other privileged or shared accounts which may exist on your system such as user oracle and the account under which your Web server process runs. Generally. do if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ].equiv Action: [ -f /etc/hosts. the root account should never be allowed to transfer files directly via FTP. then echo "Adding $NAME to /etc/ftpusers" echo $NAME >> /etc/ftpusers. If a machine listed is compromised. Certainly.

requestPort: 0". 7.new mkdir -p /etc/dt/config mv $file. then mkdir -p /etc/dt/config cp /usr/dt/config/Xconfig /etc/dt/config fi cd /etc/dt/config awk '/Dtlogin. The above script places all users those user id is less than 200 in the /etc/ftpusers file.requestPort to zero in the Xconfig file prevents the login GUI from ever hearing requests for remote login services. next } \ { print }' Xconfig > Xconfig.new /etc/dt/config/Xservers 45 .CIS AIX Benchmark enabled at all – this is mostly “defense in depth” in case FTP accidentally becomes reenabled.new mv Xconfig.new Xconfig chown root:bin Xconfig chmod 444 Xconfig Discussion: The standard GUI login provided on most Unix systems can act as a remote login server to other devices (including X terminals and other workstations). Setting Dtlogin.3 Disable XDMCP port Action: if [ ! -f /etc/dt/config/Xconfig ].4 Prevent X Server from listening on port 6000/tcp Action: if [ -f /etc/dt/config/Xservers ]. which blocks all system account from being used for FTP 7.requestPort:/ \ { print "Dtlogin. or if it’s required for some function that is unable to use SSH instead). next }. then file=/etc/dt/config/Xservers else file=/usr/dt/config/Xservers fi awk '/Xsun/ && !/^#/ && !/-nolisten tcp/ \ { print $0 " -nolisten tcp". \ { print }' $file > $file.

then 46 . This does prevent authorized remote X clients from displaying windows on the local system as well. do lines=`grep -Ev '^[ \t]*#' $file | wc -l | sed 's/ //g'` if [ $lines -eq 0 ]. However.6 Remove empty crontab files and restrict file permissions Action: cd /var/spool/cron/crontabs for file in *. although this setting can still be overridden by individual users in their own environment. The above action reduces this default timeout value to 10 minutes. However. Invoking the “-nolisten tcp” option causes the X server not to listen on port 6000/tcp by default.resources. 7.5 Set default locking screensaver timeout Action: for file in /usr/dt/config/*/sys. 7.resources done Discussion: The default timeout is 30 minutes of keyboard/mouse inactivity before a password protected screen saver is invoked by the CDE session manager. the forwarding of X events via SSH will still happen normally. X Windows uses a relatively insecure authentication protocol—an attacker who is able to gain unauthorized access to the local X server can easily compromise the system. do dir=`dirname $file | sed -e s/usr/etc/` mkdir -p $dir echo 'dtsession*saverTimeout: 10' >> $dir/sys. This is the preferred and more secure method transmitting results from remote X clients in any event.CIS AIX Benchmark chown root:bin /etc/dt/config/Xservers chmod 444 /etc/dt/config/Xservers Discussion: X servers listen on port 6000/tcp for messages from remote clients running on other systems.resources echo 'dtsession*lockTimeout: 10' >> $dir/sys.

the above script adds the currently existing users to cron. 7. Allowing unprivileged users to read or (even worse) modify system crontab files can create the potential for a local user on the system to gain elevated privileges. These users and their jobs are found in 47 .allow echo root > at.allow chmod 400 cron. if a given user is not listed in cron.allow at.allow files are a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals.deny or at.deny echo root > cron.deny at.allow and at.allow or at. To prevent an unintentional impact to the existing system.allow or at.allow and at.CIS AIX Benchmark echo "Removing $file" rm $file fi done chgrp -R cron /var/spool/cron/crontabs chmod -R o= /var/spool/cron/crontabs chmod 770 /var/spool/cron/crontabs Discussion: The system crontab files are accessed only by the cron daemon (which runs with superuser privileges) and the crontab command (which is set-UID to root).allow.allow cat at.deny removed.allow chown root:sys cron.deny cron. their cron jobs will not be executed. On many systems.deny # this should fail Discussion: The cron. This includes administrative accounts – all users will be denied until explicitly defined in cron.7 Restrict at and cron to authorized users Action: cd /var/adm/cron rm -f cron.allow at. only the system administrator needs the ability to schedule jobs.allow. Note that with cron.allow ls /var/spool/cron/atjobs | grep -v root >> at.allow cat cron.allow cat at.allow ls /var/spool/cron/crontabs | grep -v root >> cron.allow.

You should review these users and jobs before adding them to your at.8 Restrict root logins to system console Action: chuser rlogin=false login=true su=true sugroups=system root Discussion: Anonymous root logins should never be allowed.allow and cron. 7. 48 . At all other times. making it harder for an attacker to use a stolen root password (as they will first have to get access to a ‘system’ userid). These mechanisms provide at least some limited audit trail in the event of problems.allow files. Failure to do so will prevent any remote user from becoming root. except on the system console in emergency situations. the administrator should access the system via an unprivileged account and use some authorized mechanism (such as the su command.CIS AIX Benchmark /var/spool/cron/atjobs and /var/spool/cron/cronjobs. The command above additionally restricts ‘su’ to root to members of the ‘system’ group. Note: Ensure you have at least one user account in the system group that can log in remotely. or the freely-available sudo package) to gain additional privilege.

2 Set password and account expiration on active accounts Action (AIX 4.1 Block system accounts Action: for user in daemon bin sys adm uucp nuucp printq guest nobody lpd sshd. 8. These scanning tools are typically provided with this document. They can even be deleted if the machines does not use the daemon/service that each is responsible for. Sites also have the option of expiring idle accounts after a certain number of days 49 .3. The automated hostbased scanning tools provided from the Center for Internet Security can be used for this purpose. 8. Users will begin receiving warnings 28 days (4 weeks) before their password expires. To deactivate them. use chuser to disable remote and local logins.3): chsec chsec chsec chsec -f -f -f -f /etc/security/user /etc/security/user /etc/security/user /etc/security/user -s -s -s -s default default default default -a -a -a -a maxage=13 minlen=6 minage=1 pwdwarntime=28 Discussion: The above command adds a number of restrictions to enforce password changing and the use of more complicated passwords. and then prevent password changes for seven days (one week) thereafter. The commands above will set all active accounts (except the root account) to force password changes every 91 days (13 weeks). ongoing basis perhaps in an automated fashion via cron. do chuser rlogin=false login=false "$user" done Discussion: These accounts are non-human system accounts that should be made less useful to an attacker by locking them.org/. but are also available for free download from http://www.CIS AIX Benchmark 8 User Accounts and environment Note that the items in this section are tasks that the local administrator should undertake on a regular. It is a good idea to force users to change passwords on a regular basis.CISecurity. though it is safest to simply deactivate them as is done here.

CIS AIX Benchmark (see the on-line manual page for the usermod command. and should be deleted if they exist. 8. and group files Action: The command: grep ^+: /etc/passwd /etc/group should return no lines of output. Note that pwdck won’t flag null passwords unless the minlen attribute is set to a non-zero value. The ‘-n’ flag will tell it to report errors but not change anything (running with ‘-t’ instead will prompt you for each proposed fix – the ‘-y’ and ‘-p’ flags are dangerous).3 Verify there are no accounts with empty password fields Action: pwdck -n ALL Discussion: An account with an empty password field means that anybody may log in as that user without providing a password at all. A complete list of the options can be found in /etc/security/passwd file.4 Verify no legacy '+' entries exist in passwd. 8. Discussion: '+' entries in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. particularly the f option). These are recommended starting values. The pwdck command will verify a number of other items for correctness. 8. All accounts should have strong passwords or should be locked by using a password string like "*". These entries may provide an avenue for attackers to gain privileged access on the system.5 Verify no UID 0 accounts exist other than root Action: The command: 50 . but sites may choose to make them more restrictive depending on local policies.

|:|$)' To find group. do if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -ge 200 ].7 User home directories should be mode 750 or more restrictive Action: NEW_PERMS=750 lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME. To find ‘.’ in $PATH: echo $PATH | grep -E '(^|:)(\. 8.' or group/world-writable directory in root's $PATH Action: The automated testing tool supplied with this benchmark will alert the administrator if action is required. and it should be accessed by logging in as an unprivileged user and using the su command (or equivalent) to gain additional privilege. Finer granularity access control for administrative access can be obtained by using the freely-available sudo program (http://www. Discussion: Any account with UID 0 has superuser privileges on the system.') or other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a Trojan horse program.6 No '. 8. Discussion: Including the current working directory ('.com/sudo/).courtesan.CIS AIX Benchmark lsuser -a id ALL | grep "id=0" | awk '{print $1}' should return only the word "root". then 51 . The only superuser account on the machine should be the root account.or world-writable directories in $PATH: find `echo $PATH | tr ':' ' '` -type d \ \( -perm -002 -o -perm -020 \) -ls These commands should produce no output.

then echo "Adjusting $FILE" chmod go-w $FILE fi done else echo "No home dir for $HOMEDIR" fi done 52 .8 No user dot-files should be world-writable Action: lsuser -a home ALL |cut -f2 -d= | while read HOMEDIR. making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users..sys` -eq 0 ].tmp mv /tmp/mkuser. While the above modifications are relatively benign.CIS AIX Benchmark HOME=`lsuser -a home $NAME | cut -f 2 -d =` echo "Changing $NAME homedir $HOME" chmod $NEW_PERMS $HOME fi done if [ `grep -c "chmod $NEW_PERMS $1" \ /usr/lib/security/mkuser.sys fi Discussion: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges. Disabling "read" and "execute" access for users who are not members of the same group (the "other" access category) allows for appropriate use of discretionary access control by each user.$" | \ while read FILE. If you need more restrictive permissions on the home directories.tmp /usr/lib/security/mkuser. do if [ -f $FILE ].$|^. then sed -e "s/mkdir \$1/mkdir \$1 \&\& chmod $NEW_PERMS \$1/g" \ /usr/lib/security/mkuser. 8. then ls -a $HOMEDIR | grep -Ev "^. do echo "Examining $HOMEDIR" if [ -d $HOMEDIR ].sys chmod 750 /usr/lib/security/mkuser. set the appropriate permissions in the variable NEW_PERMS.sys > /tmp/mkuser.

while .netrc files may contain unencrypted passwords that may be used to attack other systems.netrc" fi if [ -e "$HOME/. While the above modifications are relatively benign. remsh. do if [ -e "$HOME/. Note: /usr/lib/security/mkuser.rhosts" rm -f "$HOME/. If the first command returns any results. making global modifications to user home directories without alerting your user community can result in unexpected outages and unhappy users.sys issues a chmod go-w $1/. making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users.netrc" ].netrc" rm -f "$HOME/. While the above modifications are relatively benign. 53 . then echo "Removing $HOME/.rhosts files used in conjunction with the BSD-style “r-commands” (rlogin.rhosts Stop!!! Read the discussion before proceeding. so no additional work is needed after a new account is created. then echo "Removing $HOME/. rcp) implement a weak form of authentication based on the network address or host name of the remote computer (which can be spoofed by a potential attacker to exploit the local system).rhosts" ].rhosts files Action: find / -name .login upon creation of accounts with csh as default shell. 8.netrc find / -name .rhosts" fi done Discussion: .9 Remove user . carefully evaluate the ramifications of removing those files before executing the remaining commands as you may end up impacting an application that has not had time to revise its architecture to a more secure design.CIS AIX Benchmark Discussion: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. lsuser -a home ALL |cut -f2 -d= | while read HOME.netrc and .

A simple fix to this problem is to manually issue a less restrictive umask (such as umask 022) for the shell session doing the installation. etc.) in their home directories. Note: This is been shown to cause problems with the installation of software packages where the installation script uses the default umask – the directories are owned by root with 700 permissions.CIS AIX Benchmark 8. and then it changes the default profile.10 Set Default umask for users Action: Change existing users lsuser -a home ALL | awk '{print $1}' | while read user. Discussion: The above actions change the default umask for existing users. while a umask of 022 would make files readable by every user on the system. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (. . or place such a umask command (in the beginning of the installation script) to a less restrictive value before the installation. which applies to all newly created users.cshrc. and then the application and/or daemon cannot read its files. do chuser umask=077 $user done Change default profile To set a system-wide default. or in the beginning of the installation script. With a default umask setting of 077 – a setting agreed to as part of the consensus process with DISA and NSA – files and directories created by users will not be readable by any other user on the system.11 Set default umask for the FTP daemon Action: chsubserver -c -v ftp -p tcp "ftpd -l -u077" refresh -s inetd 54 . edit the file /etc/security/user and replace the default umask value in the umask line entry for the default stanza with 077. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. 8. A umask of 027 would make files and directories readable by users in the same Unix group.profile.

The umask should be set to at least 027 in order to prevent the FTP daemon process from creating world-writable files by default.13 Removing unnecessary default user accounts Action: Note: Read discussion first!!! # Remove users LIST="uucp nuucp lpd guest printq" for USERS in $LIST. Since write and talk are no longer widely used at most sites. you will receive the following error: 0513-036 The request could not be passed to the inetd subsystem. but has the side effect of slightly strengthening permissions on the user's tty device. 8.12 Set “mesg n” as the default for all users Action: echo "mesg n" >> /etc/profile echo "mesg n" >> /etc/csh. the incremental security increase is worth the loss of functionality.CIS AIX Benchmark Discussion: This command changes the umask of the FTP user to 077.login Discussion: "mesg n" blocks attempts to use the write or talk commands to contact the user at their terminal.conf Note: If inetd is disabled. you will receive the following error: chsubserver: ftp not in /etc/inetd. do rmuser -p $USERS rmgroup $USERS done # Remove groups LIST="uucp printq" for USERS in $LIST. 8. Note: If ftpd is disabled. do rmgroup $USERS done 55 . Start the subsystem and try your command again.

lpd guest Owner of files used by printing subsystem Allows access to users who do not have access to accounts In addition. these group ID's may be removed if your system does not need them: Group ID Description uucp printq Group to which uucp and nuucp users belong Group to which lpd user belongs Note: You may get one or more errors stating the group or user does not exist.jsp?topic=/com.ibm.ibm.aix. The AIX 5L Version 5.CIS AIX Benchmark Discussion: Removing the users that your system does not need is a prudent security precaution. nuucp Owner of hidden files used by uucp protocol. The uucp user account is used for the UNIX-to-UNIX Copy Program.doc/aixbm an/security/security.com/infocenter/pseries/index. that allows the user to communicate with another AIX system over a dedicated line or a telephone line. 56 . present on most AIX systems. which is a group of commands. programs. This is harmless and may be ignored. and files.3 Security Guide (http://publib.htm) lists these accounts as candidates for removal: User ID Description uucp.boulder.

recorded. 57 .gov/criminal/cybercrime/s&sappendix2002. 9. copied. the organization's local legal counsel and/or site security administrator should review the content of all messages before any system modifications are made.htm. to authorized site.1 Create warnings for network and physical access services Action: Edit the banner currently in /etc/motd as required by your Enterprise. inspected. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system (though there are other mechanisms available for acquiring this information). government. and law enforcement personnel.usdoj. as these warning messages are inherently site-specific. the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes. the user consents to such interception. Clearly. Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system. as well as authorized officials of government agencies. It is for authorized use only. More information (including citations of relevant case law) can be found at http://www. audited. and disclosed to your employer. both domestic and foreign. By using this system. monitoring. Any or all uses of this system and all files on this system may be intercepted. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. The following script is a template taken from the Bastille Linux project: Important: You need to change “The Company” in the text below to an appropriate value for your organization cd /etc # Remember to enter name of your company here: COMPANYNAME="its owner" cat <<EOM \ | sed -e "s/its owner/${COMPANYNAME}/g" > /etc/motd *************************************************************************** NOTICE TO USERS This computer system is the private property of its owner.CIS AIX Benchmark 9 Warning banners Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. whether individual. monitored. and that use of the system implies consent to such monitoring. corporate or government.

Recall that we edited sshd_conf to display the /etc/motd banner. as appropriate. inspection. The Dtlogin*greeting. perslabelString is the message on the second dialog box. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action. All activity may be monitored and reported. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.persLabelString: $WARN" >>$dir/Xresources done chown root:sys /etc/dt/config/*/Xresources chmod 644 /etc/dt/config/*/Xresources Discussion: The standard graphical login program for AIX requires the user to enter their username in one dialog box and their password in a second separate dialog. auditing. 58 . then cp $file $dir/Xresources fi WARN="Authorized uses only. do dir=`dirname $file | sed s/usr/etc/` mkdir -p $dir if [ ! -f $dir/Xresources ]. but the site has the option of using different messages on each screen.. copying. no matter where the user is logging in from." echo "Dtlogin*greeting.labelString: $WARN" >>$dir/Xresources echo "Dtlogin*greeting. and . **************************************************************************** EOM chown bin:bin /etc/motd chmod 644 /etc/motd Discussion: The contents of /etc/motd is displayed after all successful logins.2 Create warnings for GUI-based logins Action: for file in /usr/dt/config/*/Xresources.. so it will appear before and after login. 9. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.CIS AIX Benchmark recording. and disclosure at the discretion of such personnel or officials. The commands above set the warning message on both to be the same message.labelString is the message for the first dialog where the user is prompted for their username.

CIS AIX Benchmark 9.\"/\"\%s Authorized uses only. 9. All activity may be monitored and reported\"/" \ /tmp/ftpd.tmp > /tmp/ftpd.cat /tmp/ftpd.cfg -s default -a herald="Authorized uses only.cat > /tmp/ftpd.tmp sed "s/\"\%s FTP server (\%s) ready.3 Create warnings for telnet daemon Action: chsec -f /etc/security/login.1 and later): echo “herald: /etc/ftpmotd” >> /etc/ftpaccess.1 and later gives you the option of editing /etc/ftpmotd with the text of your choice.msg gencat ftpd.msg Additional Action (AIX 5. All activity may be monitored and reported EOF Discussion: This item configures ftpd's "authorized users only" banner messages by replacing the default “FTP server ready” message. AIX 5. 59 . All activity may be monitored and reported\n\r\nlogin: " Discussion: This item configures telnetd's "authorized users only" banner message.4 Create warnings for FTP daemon Action: dspcat -g /usr/lib/nls/msg/en_US/ftpd.ctl cat << EOF >> /etc/ftpmotd Authorized uses only.

The root cause was an init problem that would have been detected had the reboot taken place while the change was fresh in the mind of the administrator. Some System Administrators believe any change to the init scripts warrant a reboot to ensure the system comes up as expected. reboot.CIS AIX Benchmark 10 Reboot Action: shutdown -Fr Discussion: Whenever you make substantial changes to a system. Hours of lost productivity with extensive troubleshooting (not to mention lost revenue) have occurred because a system did not start up as expected. 60 .

tar xpf -) done 61 .sys \ /etc/motd /etc/csh.net-tune /etc/syslog.conf \ /usr/sbin/shutdown /etc/passwd /etc/group \ /etc/hosts.allow \ /etc/sendmail.login /etc/profile \ /etc/ftpd. then echo Making backup of file ${FILE} cp -p ${FILE} ${FILE}-preCIS-${EXT} chmod 700 ${FILE}-preCIS-${EXT} fi done # Backup directories that are changed for DIR in \ /etc/security /var/spool/cron/crontabs do echo Making backup of directory ${DIR} mkdir -p -m 0700 ${DIR}-preCIS-${EXT} cd ${DIR} tar cpf .cf \ /etc/exports /etc/inittab \ /etc/profile \ /etc/rc.cat \ /etc/rc.equiv /etc/ftpusers \ /etc/dt/config/Xconfig /etc/dt/config/Xservers \ /usr/dt/config/Xservers \ /usr/lib/security/mkuser.CIS AIX Benchmark Appendix A File backup script #!/bin/ksh # Create date-specific backup timestamp extension EXT=`date '+%Y%m%d-%H:%M:%S'` # Backup individual files for FILE in \ /etc/ssh_config /etc/sshd_config \ /etc/openssh/ssh_config /etc/openssh/sshd_config \ /etc/inetd.conf do if [ -f ${FILE} ].conf /etc/hosts.tcpip \ /etc/syslog.cw /etc/sendmail.* | (cd ${DIR}-preCIS-${EXT}.deny /etc/hosts.

rhosts files above).cf. Attackers will often target these files as part of their exploit scripts. given the other settings in the benchmark document.cf > sendmail. SN. By linking these files to /dev/null.CIS AIX Benchmark Appendix B Additional security notes The items in this section are security configuration settings that have been suggested by several other resources and system hardening tools.new mv -f sendmail.rhosts. and some sites may feel that the slight security enhancement of these settings outweighs the (sometimes minimal) administrative cost of performing them. None of these settings will be checked by the automated scoring tool provided with the benchmark document.cf chown root:bin sendmail.1 Create symlinks for dangerous files Action: for FILE in /.cf chmod 444 sendmail.shosts /etc/hosts.rhosts /. do [ -e $FILE ] && rm -f $FILE ln -s /dev/null $FILE done Discussion: The /.2 Change default greeting string for sendmail Action: cd /etc/mail awk '/O SmtpGreetingMessage=/ \ { print "O SmtpGreetingMessage=mailer ready". and /etc/hosts. any data that an attacker writes to these files is simply discarded (though an astute attacker can still remove the link prior to writing their malicious data). the settings presented here provide relatively little incremental security benefit.equiv files enable a weak form of access control (see the discussion of .equiv \ /etc/shosts. none of these settings should have a significant impact on the functionality of the system.new sendmail.equiv. However. They are purely optional and may be applied or not at the discretion of local site administrators. Nevertheless.shosts.cf 62 .cf. /. next} { print }' sendmail. SN.

For convenience.3 Install and configure sudo Action: Using your Enterprise process. install sudo. the actions in the benchmark document completely disable Sendmail on the system. Note: The visudo command is located in /usr/local/sbin. /etc/environment.profile.profile includes the existing $PATH vice defining a new $PATH. sudo allows the Administrator to delegate just that one task using root authority without allowing that group of users any other root capability. you may want to update your global profile $PATH (/etc/profile. 63 . However. Discussion: sudo is a package that allows the System Administrator to delegate activities to groups of users.CIS AIX Benchmark Discussion: The default SMTP greeting string displays the version of the Sendmail software running on the remote system. recovery may become very difficult. Experience has shown that if sudoers gets botched (from using vi without visudo's error checking feature). Hiding this information is generally considered to be good practice. If frequent web server configuration changes are taking place (or you have a bug and the web server keeps crashing). so changing this default greeting string is something of a moot point unless the machine happens to be an email server. since it can help attackers target attacks at machines running a vulnerable version of Sendmail. Once sudo is installed. you may want to update root's profile $PATH with this new directory. Note: The sudo command is located in /usr/local/bin. These activities are normally beyond the administrative capability of that user – restarting the web server. it becomes very cumbersome to continually engage the SysAdmin just to restart the web server. SN. for example. For convenience. /etc/tsh_profile – please follow your site's policies) with this new directory. update /etc/security/. or ensure /etc/security/. To make the change take effect for all new users. configure it using visudo – do not vi the config file. visudo has error checking built in.

and is easily implemented in this Benchmark. The above value (loginretries=3) will cause the account to be locked out after 3 successive failed login attempts. This value is chosen as it is a common value used in some Federally-regulated industries – you are free to increase it if desired.CIS AIX Benchmark SN. Appendix C: Revision History Version 1.01:  Item 3.16: removed text from title of item  Formatting and style changes  Added revision history 64 .4 Limit number of failed login attempts Action: chsec -f /etc/security/user -s default -a loginretries=3 Discussion: A system policy of locking out an account that fails several successive authentication attempts is an industry best practice.

services.pdf OpenSSH (secure encrypted network logins): http://www.ibm.efixmgmt/ ftp://aix.org TCP Wrappers source distribution: ftp.ibm.org/ http://www.ibm.porcupine.ibm.jsp?topic=/com.com/server/aix.ibm.html Information on Sendmail and DNS: http://www.3 Security Guide http://publib.com/server/pseries.com/servers/eserver/support/pseries/aixfixes.org/ Information on MIT Kerberos: http://web.com/aix/efixes/security/ https://techsupport.openssh.ibm.org 65 .mit.com/~hal/dns-sendmail/DNSandSendmail.org/ AIX Software Patches and related documentation: http://www.services.subscriptionSvcs AIX 5L Version 5.htm Other Misc Documentation Primary source for information on NTP http://www.ntp.org/docs-2.doc/aixbma n/security/security.sendmail.CIS AIX Benchmark References The Center for Internet Security Free benchmark documents and security tools for various OS platforms and applications: http://www.html http://techsupport.aix.edu/kerberos/www/ Apache "Security Tips" document: http://httpd.software.apache.deer-run.cisecurity.boulder.0/misc/security_tips.com/infocenter/pseries/index.

tripwire.org/ LPRng (Open Source replacement printing system for Unix): http://www.CIS AIX Benchmark PortSentry and Logcheck (port and log monitoring tools): http://sourceforge.org/ sudo (provides fine-grained access controls for superuser activity): http://www.ucsb.sendmail.org 66 .net/projects/sentrytools/ Swatch (log monitoring tool): http://www.edu/~eta/swatch/ Open Source Sendmail (email server) distributions: ftp://ftp.oit.lprng.courtesan.com/sudo/ Tripwire – file modification utility http://www.

Sign up to vote on this title
UsefulNot useful