Hardening your AIX system.

How to harden your AIX server?

- Configure changes for the root user to provide additional security, audit, and reliability. Make a dedicated home directory for the root user ID and change root's home directory to the new directory, which keeps the / directory cleaner. Change the directory permissions to allow root access only.
# mkdir /root
# chuser home=/root root
# chmod 700 /root

- Create the smit files in the tmp directory, change the file permissions to prevent unauthorized access, and link the smit files into root's home directory. This prevents them from filling the / filesystem.
# touch /tmp/smit.log
# touch /tmp/smit.script
# touch /tmp/smit.transaction
# chmod 600 /tmp/smit.*
# ln -s /tmp/smit.log /root/smit.log
# ln -s /tmp/smit.script /root/smit.script
# ln -s /tmp/smit.transaction /root/smit.transaction

- Create and configure the root user's profile with preferred options. If you migrated the system, move the current /.profile to /root/.profile to keep your previous customization. Common customizations to consider are the prompt and the editor.
Note: Special characters are used in the PS1 string. Either side of the commands whoami and uname -n are back-quotation marks (`); the rest of the prompt is enclosed in single quotation marks ('). Change the file permissions to allow execution and prevent non-root access.

# vi /root/.profile
set -o vi
export PS1=`whoami`@`uname -n`':$PWD # '

# chmod 700 /root/.profile

- Increase the maximum file size that the root UID can write.
fsize = 2097151 (default)
# chuser fsize=-1 root

- Increase the maximum core file size that the root UID can write.
core = 2097151 (default)
# chuser core=-1 root

- Prevent root login: users need to log in with their own ID and then su to root. Ensure that you created an administrative user before you disallow root login.
login = true (default)
# chuser login=false root

- Prevent remote root login: users need to log in at the console or with their own ID and then su to root.
rlogin = true (default)
# chuser rlogin=false root

- Number of unsuccessful login attempts allowed before locking a user's account. While 0 is the default, set it explicitly for root so that you can change the default for other users.
loginretries = 0
# chuser loginretries=0 root

- Maximum time (weeks) after maxage that a user can change an expired password. While -1 is the default, set it explicitly for root so that you can change the default for other users.
maxexpired = -1
# chuser maxexpired=-1 root

Configure the /etc/security/login.cfg system default entries

Configure login controls, as required. These settings apply to terminal ports (ttys), with sak_enabled, logindelay, herald, and logintimeout applying to all sessions (tty and pty). Restricting these options helps to prevent unwelcome and automated attacks: it limits the information displayed in the default herald (operating system and version) and slows or delays system access after invalid login attempts.

Whether a secure attention key (SAK) is enabled on login ports.
sak_enabled = False

The times a port is allowed for login.
logintimes =

Number of failed login attempts allowed before disabling the port.
logindisable = 10

Time (seconds) in which failed login attempts must be entered.
logininterval = 200

Time (minutes) before a locked port is re-enabled.
loginreenable = 20

Time (seconds) to delay port access after an unsuccessful login attempt.
logindelay = 4

- Override the default login herald to reflect business access policy or to remove clues about the operating system.

herald = "Use of this system is restricted to authorized users. User activity is\nmonitored and recorded by system personnel. Anyone using this system\nexpressly consents to such monitoring and recording. BE ADVISED: if possible\ncriminal activity is detected, system records, along with certain personal\ninformation, may be provided to law enforcement officials.\n\nAccess Restricted\r\nlogon: "

Time (seconds) allowed for the user to enter the password.
logintimeout = 60

Configure /etc/security/user

- You can use various security features by updating the user file. Tightening the password rules makes passwords harder to guess or crack; they should not be so hard to remember that users write them down.

Enforce use of the correct system authentication method: local (files), LDAP, Kerberos, and so on.
registry =

Trusted path status.
tpath = nosak

File creation mask to prevent file sharing amongst users.
umask = 022

Time (days) warning a user before a password change is required.
pwdwarntime = 5

Number of unsuccessful login attempts allowed before locking a user's account.
loginretries = 3

Time (weeks) before a password can be reused.
histexpire = 0

Number of previous passwords that cannot be reused.
histsize = 20

Minimum age (weeks) before a password can be changed.
minage = 1

Maximum age (weeks) before a password must be changed.
maxage = 12

Maximum time (weeks) after maxage a user can change their expired password.
maxexpired = 5

Minimum number of alphabetic characters required in a password.
minalpha = 0

Minimum number of non-alphabetic characters required in a password.
minother = 1

Minimum number of characters required in a password.
minlen = 8

Minimum number of characters that must be changed from the previous password.
mindiff = 0

Maximum number of repeated characters allowed in a password.
maxrepeats = 2
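
The following POSIX shell script is an added example and is not part of the original guide: it parses the stanza format that /etc/security/user (and /etc/security/login.cfg) uses, reading a constructed sample file, and reports where the default stanza and the root stanza deviate from the values set in this section and in the root-user section above. The file path, the sample contents, and the attribute list are constructed for the example.

```shell
# Added example: audit an AIX stanza file (/etc/security/user layout) against the
# baseline in this guide. The sample file below is constructed, not from a live system.
SAMPLE_USER_FILE="${TMPDIR:-/tmp}/aix_user_sample.$$"
cat > "$SAMPLE_USER_FILE" <<'EOF'
* constructed sample of /etc/security/user: weak defaults, root login still open
default:
        login = true
        umask = 022
        minlen = 6
        maxage = 0
root:
        login = true
        rlogin = true
        loginretries = 0
EOF

# stanza_get FILE STANZA ATTR: print the attribute's value, or nothing if it is not set in that stanza.
stanza_get() {
    awk -v s="$2" -v a="$3" '
        /^\*/ { next }                                              # comment lines
        /^[^ \t]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }   # stanza header "name:"
        cur == s && $1 == a && $2 == "=" {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit             # keep only the value after "="
        }' "$1"
}

# audit_user_file FILE: compare each STANZA ATTR WANT triple below with the file; report on
# stderr and print the number of deviations on stdout.
audit_user_file() {
    fails=0
    while read -r stanza attr want; do
        val=$(stanza_get "$1" "$stanza" "$attr")
        if [ "$val" = "$want" ]; then
            echo "OK   $stanza: $attr = $val" >&2
        else
            echo "FAIL $stanza: $attr = '${val:-<unset>}' (want $want)" >&2
            fails=$((fails + 1))
        fi
    done <<'EOF'
default umask 022
default minlen 8
default maxage 12
root login false
root rlogin false
root loginretries 0
root maxexpired -1
EOF
    echo "$fails"
}
audit_user_file "$SAMPLE_USER_FILE"
```

On a real system point the functions at /etc/security/user itself; an attribute missing from the root stanza is reported as unset because the default stanza then applies.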

Configure /etc/security/.profile

In the default environment, users of the Korn shell (ksh) have this file copied to their home directory as their default profile. Placing these entries here allows flexibility and enforcement if you are using restricted shells. Normally the user can change this file at will; if you want to control the user's environment, consider using a restricted shell. Note that readonly and export are separate commands: writing "export readonly VAR=value" exports a variable named readonly and leaves VAR writable, so each variable below is first made read-only and then exported.

Enable shell command retrieval (ESC k).
readonly EDITOR=/usr/bin/vi; export EDITOR

Enable a larger command history for auditing.
readonly HISTSIZE=1000; export HISTSIZE

Set the shell inactivity time-out values to 1 hour.
readonly TMOUT=900; export TMOUT
readonly TIMEOUT=900; export TIMEOUT

Prompt string.
Note: Special characters are used in the PS1 string. Either side of the commands whoami and uname -n are back-quotation marks (`), usually found below the ESC key on most keyboards. The dollar sign is escaped as \$ so that the shell prints a literal $, with a space on either side of it.

readonly PS1=`whoami`@`uname -n`':$PWD \$ '; export PS1

Check and lock down the available user accounts

By default, many user accounts exist on the system for specific system processes to operate. These commands check existing users, groups, passwords, and file settings. With the -y flag, they disable additional access methods to these accounts. If you are not sure, run them without automatic correction and review the suggested changes.

Check and validate all users definitions on the system.
# usrck -y ALL

Check and validate all group definitions on the system.
# grpck -y ALL

Check and validate all password definitions on the system.
# pwdck -y ALL

Audit the security state of the system.
# tcbck -y ALL

Review and disable unnecessary inittab entries

As installed, AIX provides a rich set of services. While they do not present specific security problems, disable any that you are not using on a secure system; this makes it easier to track which services are running when you audit the system. The NFS start script rmnfs removes the NFS entry from the inittab file and stops NFS daemons that are currently executing. The -B flag is the default.
Disable NFS, as it is not allowed in this configuration for security reasons.
# rmnfs -B

Print job manager for the printer backend.
# rmitab piobe

Schedules jobs enqueued by the enq command.
# rmitab qdaemon

Allows users to send messages to and receive messages from a remote system.
# rmitab writesrv

Constructs and writes kernel messages.
# rmitab uprintfd

Review and disable unnecessary rc.tcpip entries

As with inittab, many TCP/IP services are started from the /etc/rc.tcpip startup script. Again, disable any services that you do not require; on most systems they are not specifically needed.

For inetd tracing, start the daemon with the "-d" option.
# Start up socket-based daemons
start /usr/sbin/inetd "$src_running" "-d"

Sendmail
/usr/lib/sendmail

Simple Network Management Protocol
/usr/sbin/snmpd

hostmibd dpi2 sub-agent daemon
/usr/sbin/hostmibd

snmpmibd dpi2 sub-agent daemon
/usr/sbin/snmpmibd

AIX Enterprise Management Information Base (MIB) extension subagent
/usr/sbin/aixmibd

Review and disable unnecessary inetd.conf entries

Tighten security by removing most TCP/IP services started from /etc/inetd.conf. The inetd super server starts further TCP/IP processes, which can be disabled individually. Of course, you may need some services to allow normal operation of the system, and secure implementations exist for many of them.

All services can be turned off for this configuration.

ftp /usr/sbin/ftpd
telnet /usr/sbin/telnetd
shell /usr/sbin/rshd
kshell /usr/sbin/krshd
login /usr/sbin/rlogind
klogin /usr/sbin/krlogind
exec /usr/sbin/rexecd
ntalk /usr/sbin/talkd
daytime tcp internal
time tcp internal
daytime udp internal
time udp internal
cmsd /usr/dt/bin/rpc.cmsd (comment out unless using X Window)
ttdbserver /usr/dt/bin/rpc.ttdbserver (comment out unless using X Window)
wsmserver /usr/websm/bin/wsmserver
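
As an added example, not code from the original guide, the following POSIX shell functions review a constructed /etc/inetd.conf against the service list above: they list the entries that are still active, flag those the guide turns off, and write a copy with each flagged entry commented out. The sample file, its path and the service list are constructed for the example.

```shell
# Constructed sample of /etc/inetd.conf (not a real system): two entries already commented out.
SAMPLE_INETD="${TMPDIR:-/tmp}/aix_inetd_sample.$$"
cat > "$SAMPLE_INETD" <<'EOF'
## constructed sample inetd.conf
ftp      stream  tcp6    nowait  root    /usr/sbin/ftpd          ftpd
telnet   stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
#shell   stream  tcp6    nowait  root    /usr/sbin/rshd          rshd
login    stream  tcp6    nowait  root    /usr/sbin/rlogind       rlogind
exec     stream  tcp6    nowait  root    /usr/sbin/rexecd        rexecd
#daytime stream  tcp     nowait  root    internal
time     stream  tcp     nowait  root    internal
time     dgram   udp     wait    root    internal
ssh      stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
EOF

# Service names this guide turns off in inetd.conf.
DISABLE_LIST="ftp telnet shell kshell login klogin exec ntalk daytime time cmsd ttdbserver wsmserver"

# enabled_services FILE: service name of every active (uncommented, non-blank) entry.
enabled_services() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }' "$1"
}

# flagged_services FILE: enabled services that are on DISABLE_LIST, each name once, in file order.
flagged_services() {
    enabled_services "$1" | awk -v list="$DISABLE_LIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        ($1 in bad) && !seen[$1]++ { print $1 }'
}

# disable_services SRC DST: copy SRC to DST with every flagged entry commented out.
# On a live system this edit is followed by "refresh -s inetd" so inetd rereads the file.
disable_services() {
    flagged=$(flagged_services "$1" | tr '\n' ' ')
    awk -v list="$flagged" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        !/^[ \t]*#/ && !/^[ \t]*$/ && ($1 in bad) { print "#" $0; next }
        { print }' "$1" > "$2"
}

HARDENED_INETD="$SAMPLE_INETD.hardened"
disable_services "$SAMPLE_INETD" "$HARDENED_INETD"
echo "flagged for removal: $(flagged_services "$SAMPLE_INETD" | tr '\n' ' ')"
echo "still enabled afterwards: $(enabled_services "$HARDENED_INETD" | tr '\n' ' ')"
```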

Disallow cron and at use by "normal" users.

In the /var/adm/cron directory, create two files, cron.allow and at.allow:
# touch /var/adm/cron/cron.allow
# touch /var/adm/cron/at.allow

Now edit these files and add the two users who are allowed to submit jobs.
# vi /var/adm/cron/cron.allow
root
adm

:wq!

Turn on C2 level auditing for AIX

Audit filesystem
Create a filesystem mounted on /audit. Use smitty lv to create a JFS2 logical volume called auditlv, 1 GB in size, mirrored if applicable. Use smitty fs to create a filesystem on the new volume. Make sure it is mounted at boot.
Give the following commands:
# mount /audit
# chown root:audit /audit
# chmod 750 /audit

Configuration and startup files
All the configuration files for C2-level auditing are located in /etc/security/audit. First, change some of these files to stop the auditing subsystem from creating large amounts of unnecessary logging.
Remove the FS_Chdir and S_PASSWD_READ entries from /etc/security/audit/config. The corresponding lines should read as follows:
classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
        objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
Remove the S_PASSWD_READ entry from /etc/security/audit/objects. The following line is to be removed:
        r = "S_PASSWD_READ"
Add the command that starts the audit subsystem at boot near the bottom of /etc/rc. The bottom of the file will look something like this:
# Start auditing subsystem
/usr/sbin/audit start 1>&- 2>&-

dspmsg rc.cat 5 'Multi-user initialization completed\n'
exit 0

Turning C2-level auditing on
Run the command:
# /usr/sbin/audit start 1>&- 2>&-